SPAM frauds, fakes, and other MALWARE deliveries...



#1966 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 June 2017 - 07:19 AM

FYI...

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
5 Jun 2017 - "... emails with random-numbered -pdf- attachments that drop a malicious macro-enabled Word doc. The email has the subject of 'Invoice', pretending to come from a random first name Holmes at random email addresses, but the body of the email imitates John Miller Ltd...

Screenshot: https://myonlinesecu...ler_-Holmes.png

... the PDF actually having some content that makes it almost look real:
> https://myonlinesecu..._129303_pdf.png

A4 Inv_Crd 21297.pdf - Current Virus total detections 9/56*. Payload Security**
 drops Invoice_129302.docm (VirusTotal 8/59[3]) (Payload Security[4]) downloads an encrypted txt file from
 http ://spaceonline .in\8yfh4gfff which is converted by the script to miniramon8.exe (VirusTotal 13/61[5])...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496654801/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
111.118.212.86
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177


3] https://www.virustot...sis/1496654938/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
111.118.212.86
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177


5] https://www.virustot...85e97/analysis/

spaceonline .in: 111.118.212.86: https://www.virustot...86/information/
> https://www.virustot...c915b/analysis/
___

- http://blog.dynamoo....ed-invoice.html
5 Jun 2017 - "This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does -not- match the company being spoofed, and varies from message to message.

Screenshot: https://3.bp.blogspo...john-miller.png

The attachment currently has a detection rate of about 9/56*. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis** shows the malicious file downloading a component from cartus-imprimanta .ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other -variants- possibly exist. A file is dropped (in the HA report called miniramon8.exe) at a detection rate of 11/61***. According to the Hybrid Analysis report, that attempts to communicate with the following IPs:
192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)
The payload is not clear at this time, but it will be nothing good.
Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177
"
* https://virustotal.c...sis/1496654625/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
176.126.200.56
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177


*** https://virustotal.c...sis/1496655625/

cartus-imprimanta .ro: 176.126.200.56: https://www.virustot...56/information/
> https://www.virustot...70dc3/analysis/
___

'WakeMed' Phish
REAL 'WakeMed': http://www.wakemed.org/contact-us
Raleigh, NC 27610

FAKE/Phish: https://myonlinesecu...pt-at-phishing/
5 June 2017

Screenshot: https://myonlinesecu...ERVICE-DESK.png

"... If you follow the link you see a very badly designed webpage, complete with spelling errors, obviously created by a non-English speaker, looking like this:
(from: http ://itupdat.tripod .com/)
> https://myonlinesecu...ripod_phish.png

... the spam -email- is a -compromised- (may be spoofed) Canadian Nova Scotia Department of Education address... these emails use social engineering tricks to persuade you to open the attachments that come with the email..."

itupdat.tripod .com: 209.202.252.101: https://www.virustot...01/information/
> https://www.virustot...0ddb7/analysis/

ccrsb .ca: 142.227.247.226: https://www.virustot...26/information/
___

Police dismantle crime network - online payment SCAMS
- https://www.helpnets...-crime-network/
June 5, 2017 - "The Polish National Police, working in close cooperation with its law enforcement counterparts in Croatia, Germany, Romania and Sweden, alongside Europol’s European Cybercrime Centre (EC3), have smashed a Polish organised crime network suspected of online payment scams and money laundering... Operation MOTO on 29-31 May 2017 resulted in 9 arrests including the criminal network’s masterminds, as well as 25 house searches in Poland. The perpetrators were advertising online cars as well as construction or agricultural machinery/vehicles, but never delivered the advertised goods to interested buyers, despite having received advance fee payments..."
 



Edited by AplusWebMaster, 05 June 2017 - 01:47 PM.

The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...



#1967 AplusWebMaster

Posted 07 June 2017 - 05:14 AM

FYI...

Fake 'Invoice' SPAM - pdf attachments drop malware
- https://myonlinesecu...anking-malware/
7 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc... email with the subject of '32_Invoice_2220' (random numbers at start and end of invoice) pretending to come from random names and email addresses that delivers what looks like either Dridex or Emotet banking malware...

Screenshot: https://myonlinesecu...aff_invoice.png

001_8951.pdf - Current Virus total detections 12/54*: Payload Security** drops 690UICEBVOFF735.docm
... downloads an encrypted txt file from
 http ://micolon .de/7gyb3ds which is converted by the script to krivokor8.exe
(VirusTotal 8/61[3]) (Payload Security[4])...
* https://www.virustot...sis/1496825964/
001_0673.pdf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.145.167
37.120.182.208
194.87.234.99
192.157.238.15
185.23.113.100
178.33.146.207


3] https://www.virustot...3d40c/analysis/
krivokor8 - Copy.exe

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.218.206.69

The -macros- in this example are very different to the ones we have previously seen. There are 3 hardcoded (slightly obfuscated) download sites in -each- macro (The first I examined had these 3):
micolon .de/7gyb3ds
essentialnulidtro .com/af/7gyb3ds
suskunst .dk/7gyb3ds
Thanks to Racco42[5], -other- download sites found include:
5] https://twitter.com/...384811301834752
http ://adproautomation .in/7gyb3ds
http ://camberwellroofing .com.au/7gyb3ds
http ://caperlea .com/7gyb3ds
http ://choralia .net/7gyb3ds
http ://chqm168 .com/7gyb3ds
http ://essentialnulidtro .com/af/7gyb3ds
http ://luxcasa .pt/7gyb3ds
http ://micolon .de/7gyb3ds
http ://musee-champollion .fr/7gyb3ds
http ://mytraveltrip .in/7gyb3ds
http ://saheser .net/7gyb3ds
http ://sanftes-reiten .de/7gyb3ds
http ://shopf3 .com/7gyb3ds
http ://shreekamothe .com/7gyb3ds
http ://spocom .de/7gyb3ds
http ://sumbermakmur .com/7gyb3ds
http ://surgideals .com/7gyb3ds
http ://suskunst .dk/7gyb3ds
http ://sutek-industry .com/7gyb3ds
http ://svagin .dk/7gyb3ds
http ://xinding .com/7gyb3ds ...
... Malware IP's: https://pastebin.com/arUi7B1H
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake blank/empty SPAM - delivers Trickbot
- https://myonlinesecu...-delivery-lure/
7 Jun 2017 - "... an email with a blank/empty subject as well as a completely empty email body pretending to come from random senders with a malicious word doc attachment delivers Trickbot... One of the emails looks like:
From: random senders
Date: Wed 07/06/2017 13:15
Subject: none
Attachment: SCAN_0636.doc


Body content: Totally Blank/Empty

SCAN_0636.doc - Current Virus total detections 12/59*. Payload Security** downloads an encrypted txt file from
 http ://beursgays .com\7gyb3ds
Still delivering the same krivokor8.exe (VirusTotal 9/61[3]) (Payload Security[4]) which is Trickbot banking Trojan.
So far we have found these additional sites:
 essentialnulidtro .com\af\7gyb3ds
 martos .pt\7gyb3ds
 castvinyl .ru\7gyb3ds ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496837651/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.237.37.40
50.19.227.215
185.86.150.185


3] https://www.virustot...3d40c/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.218.206.69

beursgays .com: 178.237.37.40: https://www.virustot...40/information/
> https://www.virustot...3e378/analysis/

essentialnulidtro .com: 119.28.85.128: https://www.virustot...28/information/
> https://www.virustot...21088/analysis/

martos .pt: 91.198.47.86: https://www.virustot...86/information/
> https://www.virustot...2aefd/analysis/

castvinyl .ru: 89.111.176.244: https://www.virustot...44/information/
> https://www.virustot...f690f/analysis/
___

Fake 'Message' SPAM - delivers ransomware
- https://myonlinesecu...ber-ransomware/
7 Jun 2017 - "... using 'Message from KM_C224e'... using the same subject and email template but with a zip attachment containing an .exe file... pretends to come from copier @ your-own-email-domain... Confirmed: this is JAFF ransomware...

Screenshot: https://myonlinesecu...zip-version.png

SKM_C224e03215953284.zip: Extracts to: SKM_C224e9930.exe - Current Virus total detections 12/61*
Payload Security** | MALWR***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496843658/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
52.15.162.35

*** https://malwr.com/an...GQxZTI4NzZlOTM/
Hosts
52.15.162.35: https://www.virustot...35/information/
> https://www.virustot...1b9a6/analysis/
___

Office365 - Phish
- https://myonlinesecu...uired-phishing/
7 Jun 2017 - "... pretends to be a message from Microsoft Office365 saying 'your mailbox is full'...

Screenshot: https://myonlinesecu...shing-email.png

-If- you follow the link in the email, you first get sent to:
 http ://ronaldsinkwell .com.br/js/Office365/Secure/ where you get an immediate -redirection- ... and you see a webpage looking like this:
 http ://www .ftc-network .com/js/Microsoft/Office365/ :
> https://myonlinesecu...65_phishing.png

... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

ronaldsinkwell .com.br: 192.185.214.91: https://www.virustot...91/information/
> https://www.virustot...aff52/analysis/

ftc-network .com: 103.13.240.186: https://www.virustot...86/information/
> https://www.virustot...d1b26/analysis/
 



Edited by AplusWebMaster, 07 June 2017 - 12:44 PM.

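The posts above (the dynamoo "Recommended blocklist" in #1966 and the long list of 7gyb3ds download sites in #1967) give indicators in the defanged form this forum uses ("http ://", "domain .tld", backslash path separators). The following is an added example, not code from the original posts or from myonlinesecurity/dynamoo: it refangs those indicators, builds IP, exact-URL and payload-path sets from them, and checks them against a few constructed Squid-style proxy log lines. The log lines, the client addresses and the 203.0.113.9 destination are made up for the demo; the indicators themselves are the ones quoted above. Matching on the bare path token (7gyb3ds, 8yfh4gfff) catches the compromised hosts a blocklist has not seen yet, since the same path is reused across every download site in the run.

```python
"""Refang forum-style IOCs and run them over proxy log lines (added example)."""
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above, still in the forum's defanged form.
DEFANGED_IOCS = [
    "http ://micolon .de/7gyb3ds",
    "http ://essentialnulidtro .com/af/7gyb3ds",
    "http ://suskunst .dk/7gyb3ds",
    "http ://beursgays .com\\7gyb3ds",
    "essentialnulidtro .com\\af\\7gyb3ds",
    "http ://spaceonline .in\\8yfh4gfff",
    "192.48.88.167",   # dynamoo recommended blocklist (post #1966)
    "89.110.157.78",
    "85.214.126.182",
    "46.101.154.177",
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Undo the defanging: 'http ://a .b\\c' -> 'http://a.b/c'."""
    s = ioc.strip()
    s = re.sub(r"(https?)\s*:\s*//", r"\1://", s, flags=re.I)   # "http ://" -> "http://"
    s = re.sub(r"\s+\.", ".", s)                                # "micolon .de" -> "micolon.de"
    s = re.sub(r"\s+/", "/", s)                                 # "1.2.3.4 /x.exe" -> "1.2.3.4/x.exe"
    return s.replace("\\", "/")                                 # "com\\af\\x" -> "com/af/x"


def split_ioc(ioc: str):
    """Classify one IOC as ('ip', addr) or ('url', (host, path))."""
    s = refang(ioc)
    if IPV4.match(s):
        return "ip", s
    if "://" not in s:
        s = "http://" + s
    u = urlsplit(s)
    return "url", ((u.hostname or "").lower(), u.path)


def build_indicator_sets(iocs):
    """Return (ip set, (host, path) set, payload-path-token set)."""
    ips, urls, paths = set(), set(), set()
    for ioc in iocs:
        kind, value = split_ioc(ioc)
        if kind == "ip":
            ips.add(value)
            continue
        host, path = value
        urls.add((host, path))
        token = path.rsplit("/", 1)[-1]     # same token reused on every compromised host
        if token:
            paths.add(token)
    return ips, urls, paths


def scan_proxy_log(lines, iocs):
    """Squid native log: ts dur client code/status bytes method url user hier/dest mime."""
    ips, urls, paths = build_indicator_sets(iocs)
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 9:
            continue
        client, url, hier = f[2], f[6], f[8]
        dest = hier.split("/", 1)[-1]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        reasons = []
        if dest in ips or host in ips:
            reasons.append("ip-blocklist")
        if (host, u.path) in urls:
            reasons.append("known-url")
        elif u.path.rsplit("/", 1)[-1] in paths:
            reasons.append("known-path:" + u.path.rsplit("/", 1)[-1])
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed log lines for the demo; the 203.0.113.9 host is not from the posts.
SAMPLE_LOG = """\
1496837651.101   112 10.0.0.15 TCP_MISS/200 4120 GET http://beursgays.com/7gyb3ds - HIER_DIRECT/178.237.37.40 text/plain
1496837660.330    45 10.0.0.15 TCP_MISS/200  870 POST http://192.48.88.167/ - HIER_DIRECT/192.48.88.167 application/octet-stream
1496837702.004    98 10.0.0.22 TCP_MISS/200 5010 GET http://camberwellroofing.com.au/7gyb3ds - HIER_DIRECT/203.0.113.9 text/plain
1496837733.512    12 10.0.0.40 TCP_HIT/200   322 GET http://www.wakemed.org/contact-us - HIER_NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, why in scan_proxy_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(client, url, ",".join(why))
```

The third sample line is the interesting one: camberwellroofing .com.au is not in the small indicator list the script was given, but the /7gyb3ds path token is, so the request is still flagged.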


#1968 AplusWebMaster

Posted 08 June 2017 - 07:19 AM

FYI...

Fake 'eFax' SPAM - delivers smoke/sharik/dofoil and Trickbot
- https://myonlinesecu...l-and-trickbot/
7 June 2017 - "An email with the subject of 'eFax message from 0300 200 3835' – 2 pages pretending to come from efax but actually coming from a look-alike-domain eFax <message@ mail.efaxcorporate254 .top> with a malicious word doc attachment...
mail.efaxcorporate254 .top was registered on 5 June 2017 via publicdomainregistry .com using what are obviously -fake- details and hosted on a Russian server 185.186.141.227. Other -variants- of the domain are hosted on other IPs in the '109.248.200.0 – 109.248.203.255' and '185.186.140.0 – 185.186.143.255' ranges. Other -variants- of this were registered between 1st and 5th June 2017...

Screenshot: https://myonlinesecu...835-2-pages.png

FAX_20170607_1496754696_302.doc - Current Virus total detections 7/57* Payload Security** shows a download from
  http ://5.149.250.240 /jun7.exe gets -renamed- to Pvmzgo.exe and autorun (VirusTotal 35/61[3]) Payload Security[4]. The malware on http ://5.149.250.240 is being updated at frequent intervals (currently still using jun7.exe) but I have seen 2 different versions since I originally posted... VirusTotal 10/59[5] 14/61[6] Payload Security[7]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496851706/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.149.250.240
185.159.128.150


3] https://www.virustot...87736/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
95.101.187.176
185.159.128.150


5] https://www.virustot...sis/1496866638/
jun7_exe

6] https://www.virustot...sis/1496899315/
jun7.exe

7] https://www.hybrid-a...vironmentId=100
Contacted Hosts
212.227.91.231
193.104.215.58
185.159.128.150


> Update 8 June 2017: -another- run of same email...
fax_20170608_96784512_336.doc - Current Virus total detections 5/55[8]. Payload Security[9] shows a download from
  http ://185.81.113.94 /jun8.exe gets -renamed- to Gqkdau.exe and autorun
(VirusTotal 14/61[10]) Payload Security[11]...
8] https://www.virustot...sis/1496913428/

9] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.81.113.94
185.159.128.150
192.150.16.117


10] https://www.virustot...sis/1496924193/
jun8.exe

11] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.81.113.94: https://www.virustot...94/information/
> https://www.virustot...b40e6/analysis/
185.81.113.94 /jun8.exe
___

More Fake 'eFax' SPAM - delivers malware via ole rtf exploit
- https://myonlinesecu...le-rtf-exploit/
8 Jun 2017 - "Another -fake- eFax email... subject of 'eFax message from 116 – 921 – 1271' – 5 pages pretending to come from eFax Inc <noreply@ efax .com> with a zip attachment containing a malicious word doc...

Screenshot: https://myonlinesecu...271-5-pages.png

QSVN19945204621.zip extracts to pxsmnxd.doc - Current Virus total detections 11/57*. Payload Security**...
... 'found an embedded ole object in the rtf file. It will be using a recent rtf exploit... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496924661/
pxsmnxd.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.196.42.122: https://www.virustot...22/information/
> https://www.virustot...9a263/analysis/
 



Edited by AplusWebMaster, 08 June 2017 - 02:10 PM.

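The second eFax sample above arrives as a ".doc" that is really an RTF with an embedded OLE object, the pattern behind the "recent rtf exploit" the post mentions. A cheap first-pass triage check, before anything goes to a sandbox, is to compare the declared extension with the file's real type and then look inside an RTF for the object markers. The script below is an added example and not part of the original post: it sniffs the magic bytes, flags an extension mismatch, and for RTF files walks every \objdata block, hex-decodes it and looks for an OLE2Link marker, a URL, and the \objupdate control word that forces the object to load on open. The sample RTF and its object data are constructed placeholders (the 203.0.113.7 URL is a documentation address), not the real attachment; it stands in for the shape of such a file so the checks have something to run on.

```python
"""Triage an e-mail attachment that claims to be .doc but may be RTF with an OLE object (added example)."""
import re

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx/.docm (OOXML)
OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
URL_IN_BLOB = re.compile(rb"https?://[\w.\-/?=%]+")


def sniff_type(data: bytes) -> str:
    """Identify the container by magic bytes instead of trusting the extension."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def triage_rtf(filename: str, data: bytes) -> dict:
    """Return a small report: declared vs sniffed type plus RTF object findings."""
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    report = {"file": filename, "declared": declared,
              "sniffed": sniff_type(data), "findings": []}
    if report["sniffed"] != "rtf":
        return report                      # only RTF handled here
    if declared != "rtf":
        report["findings"].append("extension-mismatch")
    if b"\\object" in data:
        report["findings"].append("embedded-object")
    if b"\\objupdate" in data:
        report["findings"].append("objupdate-autoload")   # object refreshed on open, no click needed
    for m in OBJDATA.finditer(data):
        hexblob = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexblob.decode("ascii"))
        except ValueError:
            report["findings"].append("objdata-not-hex")
            continue
        if b"OLE2Link" in blob:
            report["findings"].append("ole2link")
        for url in URL_IN_BLOB.findall(blob):
            report["findings"].append("url:" + url.decode("ascii"))
    return report


# Constructed sample: an RTF named *.doc carrying an auto-updating OLE object whose
# data is a placeholder string with a URL in it (not a real exploit document).
SAMPLE_OBJDATA = b"OLE2Link placeholder http://203.0.113.7/payload.hta".hex().encode("ascii")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}}\n"
    + b"{\\object\\objautlink\\objupdate\\rsltpict\\objw1\\objh1"
    + b"{\\*\\objdata " + SAMPLE_OBJDATA + b"}}\n"
    + b"\\par Please enable editing to view this invoice.\\par}"
)

if __name__ == "__main__":
    r = triage_rtf("pxsmnxd.doc", SAMPLE_RTF)
    print(r["file"], "declared", r["declared"], "sniffed", r["sniffed"])
    for f in r["findings"]:
        print("  -", f)
```

On a real sample the decoded \objdata is an OLE stream rather than readable text, so the OLE2Link and URL checks are a hint, not proof; the extension mismatch and \objupdate are the reliable signals at this level, and anything that trips them goes to a sandbox.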


#1969 AplusWebMaster

Posted 09 June 2017 - 07:12 AM

FYI...

Fake 'Credit Note' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
9 Jun 2017 - "... an email with the subject of 'Copy Credit Note' coming or pretending to come from Anna Mills anna.mills@ random email addresses with a semi-random named zip attachment which contains another zip file which delivers a wsf file eventually delivering what looks like emotet banking Trojan...

Screenshot: https://myonlinesecu.../anna_mills.png

1763904.zip extracts to AA-213-RR.zip: Extracts to: AA-213-RR.wsf - Current Virus total detections 11/55*
Payload Security** shows a download of an encrypted file from
 http ://sellitni .com/hjgf677??RqtfrQRDh=FirlRSoaCC  which is converted by the script to emsjwIjFro1.exe
(VirusTotal 22/61[3]) which suggests it might be emotet banking malware (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496999598/
AA-213-RR.wsf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
188.165.220.204: https://www.virustot...04/information/
> https://www.virustot...6be34/analysis/

3] https://www.virustot...f0ba0/analysis/

4] https://www.hybrid-a...vironmentId=100
 



Edited by AplusWebMaster, 09 June 2017 - 07:17 AM.



#1970 AplusWebMaster

Posted 12 June 2017 - 01:43 PM

FYI...

Fake 'invoice' SPAM - delivers malware
- https://myonlinesecu...sing-wsf-files/
12 Jun 2017 - "... an email with the subject of 'Invoice PIS0120650' (random numbers) coming or pretending to come from NoReplyMailbox @ random companies, names and email addresses with a zip attachment which matches the subject that contains another zip file, containing a WSF file which eventually delivers what looks like it will turn out to be either Dridex or Trickbot banking Trojan...

Screenshot: https://myonlinesecu...-PIS0120650.png

InvoicePIS0120650.zip: extracts to LZTFBQLX6G.zip which extracts to: LZTFBQLX6G.wsf
Current Virus total detections 12/56*. Payload Security** shows a download of an encrypted file from
 http ://ythongye .com/8yhf2ui? which is converted by the script to wvHyIX1.exe
(VirusTotal 19/60[3]) Payload Security[4]... found 4 -different- WSF files amongst the 150 zips received:
LZTFBQLX6G.wsf - Current Virus total detections 12/56[5]
IZ7JAG6.wsf - Current Virus total detections 11/55[6]
MVUN1W9FO1.wsf - Current Virus total detections 14/56[7]
TOTAHZEQT.wsf - Current Virus total detections 14/56[8]
Manual examination of the various WSF scripting files received shows these download Locations for the malware
(obfuscated in the WSF file using base64 encoding & extra padding):
78tguyc876wwirglmltm .net/af/8yhf2ui > 119.28.85.128
e67tfgc4uybfbnfmd .org/af/8yhf2ui > 119.28.85.128
sacrecoeur.bravepages .com/8yhf2ui? > 66.219.202.10
ythongye .com/8yhf2ui? > 103.249.108.128
sheekchilly .com/8yhf2ui? > 103.21.59.174
lamartechnical .com/8yhf2ui? > 216.97.233.44
syrianchristiancentre .org/8yhf2ui? > 103.21.58.130
skveselka .wz.cz/8yhf2ui > 185.64.219.7
svadba-tamada .de/8yhf2ui > 81.169.145.148
aacom .pl/8yhf2ui? > 193.239.206.248
smartzaa .com/8yhf2ui? > 103.21.58.252
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1497289622/
LZTFBQLX6G.wsf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
103.249.108.128

3] https://www.virustot...43277/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
103.249.108.128

5] https://www.virustot...sis/1497289622/

6] https://www.virustot...sis/1497281678/

7] https://www.virustot...sis/1497294665/

8] https://www.virustot...sis/1497294745/
 



Edited by AplusWebMaster, 12 June 2017 - 03:13 PM.



#1971 AplusWebMaster

Posted 14 June 2017 - 05:34 AM

FYI...

Fake 'Emailing' SPAM - delivers pdf malware
- https://myonlinesecu...eliver-malware/
14 Jun 2017 - "... an email with the subject of 'Emailing: 288639672' (random numbers) pretending to come from random names and email address that delivers some sort of malware. Over the last couple of weeks these have switched between Jaff ransomware, Dridex banking Trojans and Trickbot banking Trojan...

Screenshot: https://myonlinesecu...g-288639672.png

288639672.pdf Current Virus total detections 11/56*. Payload Security** drops 000049764694.xlsm
(VirusTotal 11/56[3]) (Payload Security[4]). JoeSandbox[5]: downloads an encrypted txt file from
 http ://mailblust .com\98tf77b which is converted by the script to fungedsp8.exe (VirusTotal 8/60[6])...
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
mailblust .com\98tf77b > 162.251.85.92
78tguyc876wwirglmltm .net\af\98tf77b > 119.28.85.128
randomessstioprottoy .net\af\98tf77b > 119.28.85.128
3456group .com\98tf77b > 69.49.96.24
... Other sites found so far have been posted HERE:
- https://twitter.com/...943588412653568
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1497432816/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.251.85.92

3] https://www.virustot...sis/1497432816/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.251.85.92

5] https://jbxcloud.joe...s/291764/1/html

6] https://www.virustot...sis/1497433869/
___

'Google Drive' - Phish
- https://myonlinesecu...-phishing-scam/
14 Jun 2017 - "...  phishing attempts for email credentials... pretends to be a message saying 'log in to Google Drive' to get some documents that have been sent to you...

Screenshot: https://myonlinesecu...ve-phishing.png

If you follow the link (all are identical) you see a webpage looking like this:
 https ://www.mealcare .ca/gdrive/drive/drive/auth/view/share/ - but it is HTTPS so it is "safe". That is, nothing you give to the criminal can be intercepted, so your email log-in details can't be stolen by another criminal on the way. Remember a green padlock HTTPS does NOT mean the site is safe. All it means is secure from easy interception between your computer and that site:
> https://myonlinesecu...ogle_phish1.png

After you select 'click here' on this identical copy of the Google drive page (if you are not looking at the url bar) you get:
> https://myonlinesecu...ogle_phish2.png

After you input your details you get sent to a 404 not found page on Morgan Stanley website. I can only assume the phisher tried to link originally to a genuine pdf on Morgan Stanley who quickly removed it:
> https://myonlinesecu...stanley_404.png..."

mealcare .ca: 77.104.162.117: https://www.virustot...17/information/
> https://www.virustot...c8939/analysis/
 



Edited by AplusWebMaster, 14 June 2017 - 11:48 AM.



#1972 AplusWebMaster

Posted 15 June 2017 - 06:24 AM

FYI...

Fake 'Moneygram' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
15 Jun 2017 - "... a slightly different subject and email content to previous ones... These have a genuine PDF attachment with a -link- in it that downloads a zip containing the malware. The link goes to
 https ://www.domingosdandreaimoveis .com.br/wp-admin/images/Moneygram.transactions.12thJune.2017.zip
which is almost certainly a compromised wordpress site...

Screenshot: https://myonlinesecu...h-June-2017.png

The pdf looks like:
> https://myonlinesecu...chedule_pdf.png

Moneygram.transactions.12thJune.2017.jar (474kb) - Current Virus total detections 21/55*. Payload Security**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1497502711/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.120.144.148

domingosdandreaimoveis .com.br: 187.45.187.122: https://www.virustot...10/information/
 





#1973 AplusWebMaster

Posted 16 June 2017 - 07:31 AM

FYI...

Fake Email account notice – Phish
... 'Your Mailbox Will Be Terminated'
- https://myonlinesecu...il-credentials/
16 Jun 2017 - "We see lots of phishing attempts for email credentials. This one is slightly different...

Screenshot: https://myonlinesecu...ler.co_.uk-.png

If you follow the link you see a webpage looking like this:
 https ://deadsocial .com//media/email_updatep1/login.php?userid=ans@ thespykiller .co.uk
(you can put any email address at the end of the link & get the same page with email already filled in).
The red countdown continues to decrease in time while the page is open:
> https://myonlinesecu...mail_update.png

... After you input your email address and password, you get told 'incorrect details' and forwarded to an almost identical looking page where you can put it in again and it does that on a continual loop:
> https://myonlinesecu...ail_update2.png

... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

deadsocial .com: 184.154.216.243: https://www.virustot...43/information/
> https://www.virustot...b24c7/analysis/
 



Edited by AplusWebMaster, 17 June 2017 - 06:28 AM.



#1974 AplusWebMaster

Posted 20 June 2017 - 04:44 AM

FYI...

Fake DHL SPAM - delivers malware
- https://myonlinesecu...livers-malware/
20 Jun 2017 - "An email with the subject of 'Commercial Invoice' pretending to come from export@ dhl-invoice .com with a malicious Excel XLS spreadsheet attachment delivers some sort of malware... I am being told that -other- subjects in this malspam run -spoofing- DHL include: 'DHL Commercial Invoice' and 'DHL poforma invoice'. There appear to be several different -spoofed- senders @dhl-invoice .com...

Screenshot: https://myonlinesecu...lspam-email.png

dhl_commercial_invoice_.xls - Current Virus total detections 5/55*. Payload Security** shows a download from
 http ://travel-taxi .net/test/edf.exe (VirusTotal 51/62[3]), (Payload Security[4]).
Other download locations -embedded- in other versions of the macro include
 http ://okinawa35 .net/m/iop.exe
The XLS file looks like:
> https://myonlinesecu...invoice_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1497948303/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
202.218.50.130

3] https://www.virustot...fe217/analysis/

4] https://www.hybrid-a...vironmentId=100

travel-taxi .net: 203.183.93.149: https://www.virustot...49/information/
> https://www.virustot...fc1d5/analysis/

okinawa35 .net: 202.218.50.130: https://www.virustot...30/information/
> https://www.virustot...3fd1c/analysis/
 





#1975 AplusWebMaster

Posted 21 June 2017 - 11:07 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecu...invoice-emails/
21 Jun 2017 - "... an email with the subject of 'Copy of Invoice 79898702' coming or pretending to come from noreply@ random email addresses with a semi-random named zip attachment in the format of 79898702.zip (random 8 digits). The zip matches the subject... Whether this is a permanent return to Locky or a one off, I don't know... Locky has vanished for a while before & returned. It is also very unusual for Locky to come as an executable file inside a zip...

Screenshot: https://myonlinesecu...ce-79898702.png

79898702.zip: extracts to INV-09837592.zip which in turn Extracts to: INV-09837592.exe
Current Virus total detections 10/60*. Payload Security**. None of the sandboxes are showing any encrypting activity or the usual Locky signs, so it looks like a -new- version with protections against analysis. We only know it is Locky because one of the analysts[1] extracted the Locky payload from the memory while running this file (Virustotal 39/60***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...f9cd8/analysis/
INV-09837592.exe

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1498057764/
_005C0000.mem

1] https://twitter.com/...544503720247296

- http://blog.talosint...y-campaign.html
June 21, 2017 - "... The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems*. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky... we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam... it's always risky clicking-on-links or opening -attachments- in strange email messages..."
> https://1.bp.blogspo...1600/image3.jpg
___

Fake 'Receipt to print' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
21 Jun 2017 - "... an email with the subject of 'Receipt to print' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers some malware... Earlier WSF files today delivered Trickbot banking Trojan...

Screenshot: https://myonlinesecu...pt-to-print.png

Receipt_6706.zip: extracts to archive0124.zip which extracts to: 0923.wsf
Current Virus total detections 11/57*. Payload Security** shows a download of an encrypted file from
 http ://tag27 .com/08345ug? which is converted by the script to IeEOifS6.exe (VirusTotal 11/57***).
Manual examination and basic decoding of the WSF file shows these download locations:
tag27 .com/08345ug? > 162.210.102.220
78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
malamalamak9 .net/08345ug? > 74.122.121.8
randomessstioprottoy .net/af/08345ug > 119.28.86.18
shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1498051603/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.210.102.220
119.28.86.18
74.122.121.8


*** https://www.virustot...sis/1480617465/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 22 June 2017 - 07:14 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1976 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 June 2017 - 04:20 AM

FYI...

Fake 'INVOICE' SPAM - delivers malware
- https://myonlinesecu...eliver-malware/
26 Jun 2017 - "An email with the subject of '*CONFIRM ORDER AND REVISE INVOICE*' pretending to come from admin@ random company with a malicious word doc attachment. This word doc is actually an RTF file that uses what looks like the CVE-2017-0199 exploit...

Screenshot: https://myonlinesecu...ISE-INVOICE.png

Order Ref-22550.doc - Current Virus total detections 16/56*. Neither MALWR nor JoeSandbox could get any malicious content from it. Payload Security is still -down- this morning for maintenance that was hoped to be done over the weekend.
Update: after a bit of manual editing & investigating I was able to find the download location:
  https ://dev.null .vg/OtoGQj9.hta (VirusTotal 13/56**) ( MALWR***) which should deliver
  http ://allafrance .com/ziko.exe but is currently giving me a 404... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1498451330/
Order Ref-22550.doc

** https://www.virustot...sis/1498457573/
OtoGQj9.hta

*** https://malwr.com/an...mYzMjAzNjBkNjY/

dev.null .vg: 104.27.187.29: https://www.virustot...29/information/
> https://www.virustot...09263/analysis/
104.27.186.29: https://www.virustot...29/information/
> https://www.virustot...09263/analysis/

allafrance .com: 85.14.171.25: https://www.virustot...25/information/
> https://www.virustot...7eb4e/analysis/
___

Fake 'invoice' SPAM - links to malware doc file
- https://myonlinesecu...eliver-malware/
26 Jun 2017 - "... An email with the subject of 'Cust # 880767-00057' [redacted] pretending to come from Jackie Fill <vs1.kirchdorf@ eduhi .at> (probably random senders) with a -link- that downloads a malicious word doc. The subject and the link that appears in the body of the email have the recipient's name in it but the actual link doesn’t. The link in this case went to
 http ://facyl .com.br/Invoices-payments-and-questions-JBQHL-933-907247/ where it downloaded a macro enabled word doc (the link is very slow & does time out)...

Screenshot: https://myonlinesecu...80767-00057.png

Invoice-NUVKHC-227-980463.doc - Current Virus total detections 9/56*... Joesandbox** shows connections to numerous sites where a malicious file is downloaded using PowerShell, including:
 http ://carbeyondstore .com/cianrft/ > 72.52.246.64
 http ://motorgirlstv .com/kdm/ > 202.191.62.208
 http ://nonieuro .com/xauqt/ > 216.104.189.202
 http ://pxpgraphics .com/espzyurt/ > 69.65.3.206
 http ://studiogif .com.br/jedtvuziky/ > 192.185.216.153
Eventually giving an .exe file (VirusTotal 10/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1498480442/

** https://jbxcloud.joe...s/297919/1/html

*** https://www.virustot...sis/1498478920/

facyl .com.br: 187.45.187.130: https://www.virustot...30/information/
> https://www.virustot...b44e5/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 27 June 2017 - 06:05 AM.



#1977 AplusWebMaster

Posted 27 June 2017 - 09:13 AM

FYI...

Fake 'Fattura' SPAM - delivers xls attachment malware
- https://myonlinesecu...anking-trojans/
27 Jun 2017 - "An email with the subject of 'Fattura n.9171 del 27/06/17' pretending to come from random Italian email addresses with an Excel XLS spreadsheet attachment...
Update: I am 100% assured* that this is Trickbot banking Trojan...
* https://twitter.com/...680802136707073

Screenshot: https://myonlinesecu...ra_it_spam1.png

Attachment: https://myonlinesecu...ra_it_spam2.png

The xls file looks like this, with the instructions to 'enable content' in Italian. They obviously hope that the victim will 'enable content & macros' to see the washed out invoice details in full detail:
> https://myonlinesecu...invoice-xls.png

FATTURA num. 6655 del 27-=.xls - Current Virus total detections 6/56[1]. Payload Security[2] shows a download from
 https ://3eee22abda47 .faith/nvidia4.dvr (VirusTotal 11/61[3])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...c9395/analysis/
1_FATTURA num. 5999 del 27-06-2017.xls

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.173.218.138

3] https://www.virustot...619f8/analysis/
nvidia4.dvr

3eee22abda47 .faith: 46.173.218.138: https://www.virustot...38/information/
> https://www.virustot...feca1/analysis/
___

Protect Your Cloud - from Ransomware
> http://www.darkreadi.../d/d-id/1329221
6/27/2017
___

Multiple Petya Ransomware Infections Reported
- https://www.us-cert....ctions-Reported
June 27, 2017

- http://blog.talosint...re-variant.html
June 27, 2017 - "... a new malware variant has surfaced..."

- https://www.helpnets...tya-ransomware/
June 27, 2017

- http://www.reuters.c...k-idUSKBN19I1TD
Jun 27, 2017 | 4:35pm EDT

- http://www.telegraph...-cyber-attack1/
27 June 2017 • 8:50pm GMT
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 27 June 2017 - 02:50 PM.



#1978 AplusWebMaster

Posted 29 June 2017 - 06:12 AM

FYI...

Fake 'UPS cannot deliver' SPAM - delivers ransomware
- https://myonlinesecu...kovter-payload/
29 Jun 2017 - "The 'UPS failed to deliver' messages have come back... it looks like the Kovter gang have taken advantage of the Petya outbreak to add to the mix. They have updated the nemucod ransomware version to make it, on first look, impossible to decrypt at this time without paying the ransom. Thanks to Michael Gillespie*, a well-known anti-ransomware campaigner, for his assistance and pointing me in the right direction about the new nemucod ransomware version...
* https://twitter.com/demonslay335
If you get infected by this or any other ransomware please check out the ID Ransomware service** which will help to identify what ransomware you have been affected by and offer suggestions for decryption...
** https://id-ransomwar...m.com/index.php

The emails are the same as usual (you only have to look through this blog and search for UPS[1] or FedEx[2] or USPS[3]... hundreds of different examples and subjects)...
1] https://myonlinesecurity.co.uk/?s=UPS

2] https://myonlinesecu....co.uk/?s=fedex

3] https://myonlinesecurity.co.uk/?s=usps

Screenshot: https://myonlinesecu..._to_deliver.png

... there is a difference in the .js files that are coming in the (attachment) zips... The initial js looks very similar to previous but has much longer vars (var zemk) that is used to download the other files...
Showing a high level of encryption that at this time appears unable to be decrypted without paying the ransom.
This ransom note (or something similar with different links) gets displayed on the victim’s desktop:
>> https://myonlinesecu...nstructions.jpg

The original js downloads 3 files - 1 is Kovter as usual, the second is unknown and there is a massive 6.7mb php interpreter. The 2nd file won’t run without the php interpreter. It looks like it also belongs to PHP and both php files together are needed to run the downloaded php counter files to encrypt the computer...
4] https://www.hybrid-a...vironmentId=100
Contacted Hosts (406)

5] https://jbxcloud.joe...s/300085/1/html
UPS-Delivery-005156577.doc.js

6] https://www.virustot...sis/1498629470/
UPS-Delivery-005156577.doc.js
Detection ratio: 9/55

... The Kovter download looks like it works separately to the ransomware but might actually be involved somewhere along the line:
7] https://www.virustot...sis/1498630707/
da40c167cd75d.png
Detection ratio: 25/62

8] https://www.hybrid-a...vironmentId=100
Contacted Hosts (398)

... Sites involved in this campaign found so far this week:
resedaplumbing .com > 166.62.58.18
modx.mbalet .ru > 95.163.101.104
artdecorfashion .com > 107.180.0.125
eventbon .nl > 109.106.167.212
elita5 .md > 217.26.160.15
goldwingclub .ru > 62.109.17.210
www .gloszp .pl > 87.98.239.19
natiwa .com > 115.84.178.83
desinano .com.ar > 190.183.59.228
amis-spb .ru > 77.222.61.227
perdasbasalti .it > 94.23.64.3
120.109.32.72: https://www.virustot...72/information/
calendar-del .ru > 77.222.61.227
indexsa.com .ar > 190.183.59.228 ..."
___

'Blank Slate' - malspam campaign -ransomware-
- https://isc.sans.edu...g strong/22570/
Last Updated: 2017-06-29 - "'Blank Slate' is the nickname for a malicious spam (malspam) campaign pushing -ransomware- targeting Windows hosts... Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign. Today's Blank Slate malspam was pushing Cerber and GlobeImposter ransomware... -fake- Chrome pages sent victims zip archives containing malicious .js files designed to infect Windows hosts with ransomware... potential -victims- must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations..."
(More detail at the isc URL above.)
___

- https://www.bitdefen...pages|goldeneye
Update 6/28 08.00 GMT+3 - "There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction..."
 

:ph34r: :ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 29 June 2017 - 02:17 PM.

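The UPS/Kovter and 'Blank Slate' write-ups above both describe the same delivery shape: a zip that holds another zip that holds a .js (or, earlier in the thread, a .wsf) with a document-looking double extension such as "UPS-Delivery-005156577.doc.js", which a default Windows configuration will run on double-click. The following is an added example, written for this thread and not code from the posts or from myonlinesecurity, of a mail-gateway style check that walks nested zips in memory and flags script/executable members and double extensions. The extension lists and depth limit are assumptions chosen for the example; the sample attachment is constructed with dummy contents and only borrows the file names quoted in the posts.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows runs directly or hands to the script host on double-click.
# (Assumed list for this example; not taken from the posts.)
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".exe", ".scr",
                     ".cmd", ".bat", ".ps1", ".jar"}
# Document-looking extensions used as the decoy half of a double extension like ".doc.js".
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_DEPTH = 4  # zip-in-zip levels to descend before reporting the nesting itself


def _extensions(name: str) -> List[str]:
    """Return every extension of a member name, lowest first: 'a.doc.js' -> ['.doc', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def scan_archive(data: bytes, depth: int = 0, path: str = "") -> List[Tuple[str, str]]:
    """Walk a zip, recursing into nested zips, and return (member_path, reason) findings."""
    findings: List[Tuple[str, str]] = []
    if depth > MAX_DEPTH:
        return [(path, f"nested deeper than {MAX_DEPTH} levels")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all; nothing to walk
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            exts = _extensions(info.filename)
            if not exts:
                continue
            last = exts[-1]
            if last == ".zip":
                # Inner archive: read it into memory and scan it the same way.
                findings.extend(scan_archive(zf.read(info), depth + 1, member))
            elif last in SCRIPT_EXTENSIONS:
                if any(e in DECOY_EXTENSIONS for e in exts[:-1]):
                    findings.append((member, f"double extension ending in {last}"))
                else:
                    findings.append((member, f"script/executable extension {last}"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the attachment (or anything nested inside it) carries a runnable member."""
    return bool(scan_archive(data))


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_attachment() -> bytes:
    """Constructed stand-in for the zip-in-zip layout described in the posts; contents are dummies."""
    inner = build_zip({"UPS-Delivery-005156577.doc.js": b"// constructed placeholder, not the real script\n"})
    return build_zip({"archive0124.zip": inner, "readme.txt": b"benign text\n"})


if __name__ == "__main__":
    for member, reason in scan_archive(sample_attachment()):
        print(f"{member}: {reason}")
```

Running the block on the constructed sample reports the inner "archive0124.zip/UPS-Delivery-005156577.doc.js" as a double extension ending in .js; the depth limit stops a zip nested purely to exhaust the scanner, and a non-zip input is simply skipped rather than raising.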


#1979 AplusWebMaster

Posted 05 July 2017 - 09:48 AM

FYI...

Fake 'Documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
5 Jul 2017 - "An email with the subject of 'Important Account Documents' pretending to come from Lloyds bank but actually coming from a look-a-like domain Lloyds Bank Documents <no-reply@ lloydsbankdocs .co.uk> with a malicious word doc attachment... So far we have only found 1 site sending these today:
  lloydsbankdocs .co.uk
As usual they are registered via Godaddy as registrar and the emails are sent via IP 37.46.192.51 which doesn’t have any identifying details except AS47869 Netrouting in Netherlands...

Screenshot: https://myonlinesecu...t-Documents.png

The word doc looks like:
> https://myonlinesecu...ccount-docs.png

AccountDocs.doc - Current Virus total detections 7/57*. Payload Security** shows a download from
 http ://pilotosvalencia .com/sergollinhols.png which of course is -not- an image file but a -renamed- .exe file that gets renamed to fsrtat.exe and autorun (VirusTotal 14/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...a43f6/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.217.4
167.114.174.158
197.248.210.150


*** https://www.virustot...70a11/analysis/
___

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
5 July 2017 - "... delivering banking Trojans is an email with the subject of 'Customer message' pretending to come from 'Nat West Bank' but actually coming from a series of look alike domains - NatWest Bank Plc <alert@ natwest-serv478 .ml> with a malicious word doc attachment... criminals sending these have registered various domains that look-like-genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate-the-bank or some message sending service... we have found 6 but it is highly likely there could be hundreds, because they are -free- domains that don’t need any checkable registration details:
    natwest-serv478 .ml > 81.133.163.165
    natwest-serv347 .ml > 185.100.68.185
    natwest-serv305 .ml > 72.21.246.90
    natwest-serv303 .ml > 47.42.101.137
    natwest-serv505 .ml > 98.191.98.153
    natwest-serv490 .ml > 128.95.65.99
These are registered via freenom .com as registrar and the emails are sent via a series of what are most likely compromised email accounts or mail servers:
> https://myonlinesecu...p_spam_list.png

Screenshot: https://myonlinesecu...mer-message.png

The word doc looks like:
> https://myonlinesecu...ment283_doc.png

message_payment283.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
  http ://armor-conduite .com/34steamballons.png which of course is -not- an image file but a renamed .exe file that gets renamed to nabvwhy.exe and autorun (VirusTotal 16/62***) which is a slightly different -Trickbot- payload... An alternative download location is
 http ://teracom .co.id/34steamballons.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499266638/
message_payment283.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
202.169.44.149
94.42.91.27


*** https://www.virustot...8ff7f/analysis/
nabvwhy.exe

armor-conduite .com: 193.227.248.241: https://www.virustot...41/information/
> https://www.virustot...62e47/analysis/

teracom .co.id: 202.169.44.149: https://www.virustot...49/information/
> https://www.virustot...add04/analysis/
___

'AdGholas' malvertising ...
- https://blog.malware...ware-outbreaks/
July 5, 2017 - "... other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific -malvertising- gang of the moment, dubbed 'AdGholas'... A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the -malvertising- operators are able to quickly roll out and activate a -fake- advertising infrastructure for a few days before getting banned...
> https://blog.malware...17/06/certs.png
... We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of -redirect- is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity...
IOCs:
AdGholas:
expert-essays[.]com
jet-travels[.]com
5.34.180.73
162.255.119.165

Astrum Exploit Kit:
uniy[.]clamotten[.]com
comm[.]clamotten[.]com
comp[.]computer-tutor[.]info
lexy[.]computer-tutor[.]info
sior[.]ccnacertification[.]info
kvely[.]our-health[.]us
nuent[.]mughalplastic[.]com
mtive[.]linksaffpixel[.]com
cons[.]pathpixel[.]com
sumer[.]pathlinkaff[.]com
nsruc[.]ah7xb[.]com
ction[.]ah7xb[.]com
nstru[.]onlytechtalks[.]com
const[.]linksaffpixel[.]com
quely[.]onlytechtalks[.]com
coneq[.]modweave[.]com
94.156.174.11 ..."
(More detail at the malwarebytes URL above.)
___

Fake 'invoice' SPAM - delivers java adwind malware
- https://myonlinesecu...ng-java-adwind/
4 Jul 2017 - "... fake 'invoices' rather than their more usual method of fake 'MoneyGram' or 'Western Union money transfer' reports or updates...

Screenshot: https://myonlinesecu...ue-invoices.png

Payment Dunmore 27.26.170001.jar (566kb) - Current Virus total detections 12/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499145423/

** https://malwr.com/an...TBiNWE0NmNlNGE/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 05 July 2017 - 12:46 PM.

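The indicator lists in this thread come in several hand-defanged styles: the "Sites involved in this campaign" list in the UPS/Kovter post ("resedaplumbing .com > 166.62.58.18"), the AdGholas/Astrum IOC list above ("uniy[.]clamotten[.]com", bare IPs) and the "http ://host .tld/path > IP" download lines in most of the myonlinesecurity quotes. Before these can be loaded into a blocklist or a SIEM watchlist they need to be normalised. The block below is an added example for this thread, not code from the posts or from any of the quoted sites: it refangs those formats, classifies each indicator as ip, domain or url, keeps the resolved IP where the line gives one, deduplicates, and re-defangs for safe sharing. The SAMPLE text is constructed from lines quoted in the posts; the regexes and record shape are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(text: str) -> str:
    """Undo the defanging styles seen in the posts: 'a[.]b', 'a .b', 'http ://', 'hxxp://'."""
    t = text.strip()
    t = re.sub(r"\s*\[\.\]\s*", ".", t)
    t = re.sub(r"\s*\(\.\)\s*", ".", t)
    t = re.sub(r"\s+\.", ".", t)                       # 'example .com' -> 'example.com'
    t = re.sub(r"\bhxxp(s?)\s*://", r"http\1://", t, flags=re.I)
    t = re.sub(r"\bhttp(s?)\s+://", r"http\1://", t, flags=re.I)
    return t


def defang(value: str) -> str:
    """Make an indicator safe to paste into tickets or chat: 'hxxp://a[.]b'."""
    v = re.sub(r"^http", "hxxp", value, flags=re.I)
    return v.replace(".", "[.]")


def classify(value: str) -> Optional[str]:
    """Return 'ip', 'domain', 'url' or None for text that is not an indicator."""
    if IPV4.match(value) and all(int(o) <= 255 for o in value.split(".")):
        return "ip"
    low = value.lower()
    if low.startswith(("http://", "https://")):
        return "url"
    host = low.split("/", 1)[0]
    if DOMAIN.match(host):
        return "url" if "/" in low else "domain"   # scheme-less 'host.tld/path' lines
    return None


@dataclass(frozen=True)
class Ioc:
    value: str
    kind: str                      # "ip", "domain" or "url"
    resolves_to: Optional[str] = None


def parse_ioc_lines(text: str) -> List[Ioc]:
    """Parse free-text indicator lines ('domain .tld > IP', 'host[.]tld', bare IPs) into records."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = re.sub(r"""[\s."']+$""", "", raw.strip())   # drop trailing ' ..."' noise
        if not line:
            continue
        resolves = None
        if ">" in line:                                    # 'indicator > resolved IP'
            line, right = line.split(">", 1)
            right = refang(right)
            resolves = right if classify(right) == "ip" else None
        tokens = refang(line).split()
        if not tokens:
            continue
        value = tokens[0].rstrip(":")                      # '1.2.3.4: https://...' -> '1.2.3.4'
        kind = classify(value)
        if kind is None or (value, resolves) in seen:      # headings like 'IOCs:' are skipped
            continue
        seen.add((value, resolves))
        out.append(Ioc(value, kind, resolves))
    return out


def unique_ips(iocs: List[Ioc]) -> List[str]:
    """Every IP mentioned, whether as an indicator or as what a domain resolved to."""
    ips = {i.value for i in iocs if i.kind == "ip"} | {i.resolves_to for i in iocs if i.resolves_to}
    return sorted(ips)


# Constructed sample: a handful of lines in the formats quoted in the posts above.
SAMPLE = """\
resedaplumbing .com > 166.62.58.18
modx.mbalet .ru> 95.163.101.104
www .gloszp .pl > 87.98.239.19
120.109.32.72: https://www.virustot...72/information/
indexsa.com .ar > 190.183.59.228 ..."
IOCs:
AdGholas:
expert-essays[.]com
5.34.180.73
Astrum Exploit Kit:
uniy[.]clamotten[.]com
94.156.174.11 ..."
 http ://tag27 .com/08345ug? > 162.210.102.220
tag27 .com/08345ug? > 162.210.102.220
"""

if __name__ == "__main__":
    for ioc in parse_ioc_lines(SAMPLE):
        print(f"{ioc.kind:6} {defang(ioc.value):40} -> {ioc.resolves_to}")
    print("unique IPs:", unique_ips(SAMPLE and parse_ioc_lines(SAMPLE)))
```

The parser deliberately keeps the "domain > IP" pairing as a field instead of flattening it, since a watchlist built from the thread's lists usually wants both the hostname and the hosting IP, and it refuses anything it cannot classify rather than letting section headings such as "IOCs:" leak into a blocklist.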


#1980 AplusWebMaster

Posted 06 July 2017 - 04:16 AM

FYI...

Fake 'wire request' SPAM - delivers banking trojan
- https://myonlinesecu...banking-trojan/
6 Jul 2017 - "An email with the subject of 'The wire request is unsuccessful!' pretending to come from Billing Support using random senders & email addresses with a malicious word doc attachment delivers Chthonic banking trojan...

Screenshot: https://myonlinesecu...ing-support.png

printed_ty_0717.doc - Current Virus total detections 12/58*. Payload Security** shows a download from
 http ://185.117.73.105 /bofasup.exe (VirusTotal 13/57***)... alternative doc detections [1] [2]. Other download locations include: (there are 3 download locations hard coded in the macro):
 http ://185.45.192.116 /bofasup.exe
 http ://185.117.72.251 /bofasup.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499318502/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...ee397/analysis/
bofasup.exe

1] https://www.virustot...a3968/analysis/
printed_copy_da_0717.doc
Detection ratio: 13/57
 
2] https://www.virustot...sis/1499319821/
copy_wt_0717.doc
Detection ratio: 11/57
___

Fake 'eFax' SPAM - malicious doc/xls attachment
- https://myonlinesecu...livers-malware/
6 Jul 2017 - "... spoofed eFax message from 1 month ago[1], the same gang are using a similar range of fake e-faxcorporatexxx.top domains to send these malspam emails. Today’s comes with the usual typical subject of 'eFax message from “0300 200 3822” – 2 page(s)' coming from eFax <message@ e-faxcorporate102 .top> with a malicious word doc attachment which delivers some sort of malware...
1] https://myonlinesecu...l-and-trickbot/

Screenshot: https://myonlinesecu...7/efax_nest.png

The word doc looks like:
> https://myonlinesecu...agedoc_nest.png

SecureMessage.doc - Current Virus total detections 6/57*... Joesandbox** shows a download from
 http ://5.149.252.155 /parcelon13.exe (VirusTotal 15/63***)...
This email attachment contains what appears to be a genuine word doc -or- Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499264264/
SecureMessage.doc

** https://jbxcloud.joe...s/304760/1/html

*** https://www.virustot...sis/1499306577/

e-faxcorporate102 .top: 46.8.221.104: https://www.virustot...04/information/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 06 July 2017 - 04:54 AM.

