SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1981 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 07 July 2017 - 06:40 AM

FYI...

Fake 'BACs documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
7 Jul 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from Royal Bank of Scotland but actually coming from a look-a-like domain <Secure.Delivery@ rbsdocs .co.uk> with a -link- to a malicious zip attachment containing a .js file... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine Bank domains. Normally there are 3 or 4 newly registered domains that -imitate- the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today:
    rbsdocs .co.uk > 160.153.162.130
As usual they are registered via Godaddy as registrar and hosted by Godaddy on ip 160.153.162.130 but the emails are being sent via host Europe 85.93.88.125...

Screenshot: https://myonlinesecu...cs_trickbot.png

Rbs_Account_BACs.js - Current Virus total detections 1/57*. Payload Security** shows a download from
 http ://mutfakdolabisitesi .com/grandsergiostalls.png  which of course is -not- an image file but a renamed .exe file that gets renamed to qkY5ijY.exe and autorun (VirusTotal 12/64***)... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1499423876/
Rbs_Account_BACs.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.235.11.61
50.19.227.215
37.120.182.208
78.47.139.102


*** https://www.virustot...sis/1499422646/

mutfakdolabisitesi .com: 46.235.11.61: https://www.virustot...61/information/
> https://www.virustot...eb157/analysis/

rbsdocs .co.uk: 160.153.162.130: https://www.virustot...30/information/
> https://www.virustot...8dfec/analysis/
___

'Facebook Lottery' - Scam
- https://myonlinesecu...k-lottery-scam/
7 Jul 2017 - "'Oh look I have won the Facebook Lottery', or might have done if there actually was such a thing. Unfortunately it is all a big scam. If you were unwise enough to reply, all you would get is a request for a sum of money for Post & packing and the transfer fee for the money. To make it more attractive than usual, apart from the just over $1m money they are giving you a Facebook cap, tee shirt and wallet, 'Wow! how exciting!'. To show how clueless or how they don’t filter or check email addresses they send to, this was sent to a spam-trap-email address...

Screenshot: https://myonlinesecu...ook-lottery.png

Email Headers:
124.153.79.193 - mailgw.notvday .in...
188.207.76.172 - static.kpn .net...
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 07 July 2017 - 02:55 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1982 AplusWebMaster

Posted 10 July 2017 - 04:45 AM

FYI...

Fake 'Delivery Status' SPAM - delivers ransomware
- https://myonlinesecu...ounce-messages/
10 July 2017 - "We were notified of a new ransomware version* last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a -fake- 'Delivery Status Notification, failed to deliver' email bounce message. The .js file in the email attachment is a PowerShell -script- and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent 'UPS failed to deliver'** nemucod ransomware versions...
* https://twitter.com/...136470910562304

** https://myonlinesecu...kovter-payload/

Screenshot: https://myonlinesecu...are_email-1.png

There is also a section in the script... causes a fake pop up message making the victim think that the file isn’t running properly:
> https://myonlinesecu...not_found-1.png

After the file has run and encrypted your files, you get a message left called _README-Encrypted-Files .html:
> https://myonlinesecu...omware_note.jpg

As well as encrypting the usual image, music, video and document files this also encrypts databases files, email, and very unusually many executable file types. It also encrypts your bitcoin wallet and other similar financial files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1499666506/
Readable Msg-j8k5b798d4.js

2] https://www.reverse....vironmentId=100
Readable Msg-j8k5b798d4.js

The sender domain is also the C2 http ://joelosteel .gdn/pi.php currently hosted by digitalocean .com on  165.227.1.206 ..."

joelosteel .gdn: 165.227.1.206: https://www.virustot...06/information/
> https://www.virustot...6e150/analysis/
___

Fake 'Secure Communication' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
10 Jul 2017 - "An email with the subject of 'Secure Communication' pretending to come from HM Revenue & Customs but actually coming from a look-alike-domain < Secure.Communication@ hrmccommunication .co.uk > with a malicious word doc attachment... delivering Trickbot banking Trojan... a very important site involved in today’s campaign with images being hosted on www .libdemvoice .org/wp-content/uploads/2012/06/HMRC-logo-300×102.jpg... they have been hosting an HMRC logo since 2012...

Screenshot: https://myonlinesecu...mrc_10_july.png

HMRC3909308823743.doc - Current Virus total detections 6/57*. Payload Security** shows a download from one of these 2 locations:
 http ://pilotosvalencia .com/grazlocksa34.png -or- http ://ridderbos .info/grazlocksa34.png
which of course is -not- an image file but a renamed .exe file that gets renamed to Sonqa.exe and autorun (VirusTotal 10/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499682599/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.217.4
107.22.214.64
93.99.68.140
195.133.197.179


*** https://www.virustot...8c9cf/analysis/

pilotosvalencia .com: 81.169.217.4: https://www.virustot....4/information/
> https://www.virustot...1a61a/analysis/

ridderbos .info: 84.38.226.82: https://www.virustot...82/information/
> https://www.virustot...5e526/analysis/

libdemvoice .org: 104.28.31.9: https://www.virustot....9/information/
104.28.30.9: https://www.virustot....9/information/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 10 July 2017 - 06:30 AM.



#1983 AplusWebMaster

Posted 11 July 2017 - 08:05 AM

FYI...

JAVA_ADWIND - Trend Micro telemetry
> http://blog.trendmic...an-adwind-jrat/
July 11, 2017 - "... our telemetry for JAVA_ADWIND... the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware...
JAVA_ADWIND detections from January to June, 2017:
> https://blog.trendmi...wind-spam-1.jpg
... a Java EXE, dynamic-link library (DLL) and 7-Zip installer will be fetched from a domain that we uncovered to be a file-sharing platform abused by the spam operators:
    hxxps ://nup[.]pw/DJojQE[.]7z
    hxxp ://nup[.]pw/e2BXtK[.]exe
    hxxps ://nup[.]pw/9aHiCq[.]dll ...
... it appears to have the capability to check for the infected system’s internet access. It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be -abused- to evade static analysis from traditional antivirus (AV) solutions...
Indicators of Compromise:
Files and URLs related to Adwind/jRAT:
    hxxp ://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php
    hxxp ://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif
    hxxps ://nup[.]pw/e2BXtK[.]exe
    hxxps ://nup[.]pw/Qcaq5e[.]jar ..."

nup .pw: 149.210.145.237: https://www.virustot...37/information/
> https://www.virustot...a6033/analysis/

employersfinder .com: 198.38.91.121: https://www.virustot...21/information/
> https://www.virustot...59e9e/analysis/

ccb-ba .adv.br: 50.116.112.205: https://www.virustot...05/information/
> https://www.virustot...30c44/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 11 July 2017 - 03:43 PM.



#1984 AplusWebMaster

Posted 13 July 2017 - 06:19 AM

FYI...

Fake 'Confidential Documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
13 July 2017 - "An email with the subject of 'Confidential Documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <noreply@ lloydsconfidential .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ments-email.png

... they are asking you to insert an authorisation code or password... (but) there is -no- option in this word doc to do that. The word doc looks like:
> https://myonlinesecu...otected_doc.png

Protected.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
 http ://armor-conduite .com/geroi.png which of course is -not- an image file but a renamed .exe file that gets renamed to Tizpvu.exe and autorun (VirusTotal 9/63***). An alternative download location is
 http ://kgshrestha .com.np/geroi.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499942591/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86


*** https://www.virustot...sis/1499942505/

armor-conduite .com: 193.227.248.241: https://www.virustot...41/information/
> https://www.virustot...ee1d6/analysis/

kgshrestha .com.np: 74.200.89.84: https://www.virustot...84/information/
> https://www.virustot...ffcb1/analysis/
 

:ph34r: :ph34r:    <_<




#1985 AplusWebMaster

Posted 14 July 2017 - 08:59 AM

FYI...

Fake 'Secure message' SPAM - delivers Trickbot
- https://myonlinesecu...ivers-trickbot/
14 Jul 2017 - "An email with the subject of 'Secure email message' pretending to come from Sage Invoice but actually coming from a look-a-like domain <noreply@ sage-invoice .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ted-invoice.png

The word doc looks like:
> https://myonlinesecu...Invoice_doc.png

SageInvoice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
 http ://ridderbos .info/sergiano.png which of course is -not- an image file but a renamed .exe file that gets renamed to Pmkzc.exe and autorun (VirusTotal 8/61***)... An alternative download location is
 http ://kgshrestha .com.np/sergiano.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1500038647/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86


*** https://www.virustot...sis/1493725297/

ridderbos .info: 84.38.226.82: https://www.virustot...82/information/
> https://www.virustot...9cb3b/analysis/

kgshrestha .com.np: 74.200.89.84: https://www.virustot...84/information/
> https://www.virustot...b4263/analysis/
 

:ph34r: :ph34r:    <_<




#1986 AplusWebMaster

Posted 18 July 2017 - 05:57 AM

FYI...

Fake 'payment slip' SPAM - delivers malware
- https://myonlinesecu...-a-jrat-trojan/
18 Jul 2017 - "... an email with the subject of 'payment slip' ... pretending to come from random companies, names and email addresses with an ACE attachment (ACE files are a sort of zip file that normally needs special software to extract. Windows and winzip do not natively extract them) which delivers some malware... it has some indications of fareit Trojan. This also has a jrat java.jar file attachment...

Screenshot: https://myonlinesecu...ayment-slip.png

> Attachments: bank detailes copy.xls.ace -and- TT COPY MBUNDU  GISA 740,236 USD.jar

bank detailes copy.xls.ace: Extracts to: bank detailes copy.xls.exe - Current Virus total detections 6/63*
 Payload Security**

TT COPY MBUNDU GISA 740,236 USD.jar - Current Virus total detections 2/59[3]. Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1500351301/

** https://www.hybrid-a...vironmentId=100
HTTP Traffic
104.69.49.57

3] https://www.virustot...e7698/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
174.127.99.198
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 18 July 2017 - 06:04 AM.



#1987 AplusWebMaster

Posted 19 July 2017 - 06:03 AM

FYI...

Fake blank-subject SPAM - downloads Trickbot
- https://myonlinesecu...ubject-noreply/
18 July 2017 - "... Trickbot downloaders... from noreply@ random email addresses (all spoofed). Has a -blank- subject line and a zip attachment containing a VBS file...

Screenshot: https://myonlinesecu...t_vbs_email.png

doc00042714507507789135.zip extracts to: doc000799723147922720821.vbs - Current Virus total detections 9/57*.
Payload Security** shows a download of an encrypted text file from
 http ://pluzcoll .com/56evcxv? which is converted to nbVXsSxirbe.exe (VirusTotal 31/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1500373606/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
210.1.58.190
107.20.242.236


*** https://www.virustot...f838c/analysis/

pluzcoll .com: 210.1.58.190: https://www.virustot...90/information/
> https://www.virustot...19e51/analysis/
___

Fake 'Invoices' SPAM - deliver Trickbot
- https://myonlinesecu...banking-trojan/
19 July 2017 - "... pdf attachments that drop a malicious macro enabled word doc that delivers Trickbot...
today we have seen 3 different campaigns and subjects all eventually leading to the same Trickbot payload..."
___

Fake 'RFQ' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
19 July 2017 - "... emails containing java adwind or Java Jacksbot attachments...
Screenshot: https://myonlinesecu...nery-Co-Ltd.png..."
___

Bots - searching for Keys & Config Files
- https://isc.sans.edu/diary/22630
2017-07-19 - "... yesterday, I found a -bot- searching for... interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically leave juicy data amongst the HTML files... Each file was searched with a different combination of lower/upper case characters... This file could contain references to hidden applications (This is interesting to know for an attacker)..."
(More detail at the isc URL above.)
___

 

'Cloud' - Data Leak results from Amazon AWS Configuration Error

> http://www.darkreadi.../d/d-id/1329382

7/18/2017 - "A data leak at Dow Jones & Co. exposed the personal information of millions of customers after a public cloud configuration error. This marks the fifth major public cloud leak in the past several months after similar incidents affected Verizon, the WWE, US voter records, and Scottrade. This mistake compromised millions of customers' names, account information, physical and email addresses, and last four digits of credit card numbers. It also affected 1.6 million entries in Dow Jones Risk and Compliance, a collection of databases used by financial companies for compliance with anti-money laundering regulations. All of this information was left exposed in an Amazon Web Services S3 bucket, which had its permission settings configured to let any AWS Authenticated User download data using the bucket's URL. Amazon defines "authenticated user" as anyone who has a free AWS account, meaning the data was available to more than one million users... Dow Jones has confirmed 2.2 million people were exposed. Based on the repository's size and composition, Upguard "conservatively estimates" up to four million people could have been affected, though it states* duplicated subscriptions may account for some of the difference. The publisher has "no reason to believe" any of the data was stolen..."

* https://www.upguard....-leak-dow-jones

 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 July 2017 - 12:30 PM.



#1988 AplusWebMaster

Posted 20 July 2017 - 08:00 AM

FYI...

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
20 July 2017 - "... Trickbot malspams... an email with the subject of 'eFax message from 8473365403' – 1 page(s), Caller-ID: 44-020-3136-4931 pretending to come from eFax but actually coming from a look-a-like domain <message@ efax-download .com> with a malicious word doc attachment... they are registered via Godaddy as registrar hosted on 160.153.16.19 and the emails are sent via AS8972 Host Europe GmbH 85.93.88.109. These are registered with what are obviously -fake- details...

Screenshot: https://myonlinesecu..._spam_email.png

... The -link- in the email body goes to
 https ://efax-download .com/pdx_did13-1498223940-14407456340-60
where you see page like this with-a-link to download the actual malware binary
 https ://efax-download .com/14407456340-60.zip, extracting to 14407456340-60.exe
The page tries initially to automatically download 14407456340-60.pdf.exe (VirusTotal 3/64*).
Payload Security[2]...
> https://myonlinesecu...ax-download.png

DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1500552776/
14407456340-60.pdf.exe

** https://www.hybrid-a...vironmentId=100

efax-download .com: 160.153.16.19: https://www.virustot...19/information/
> https://www.virustot...c7ed5/analysis/
___

Fake various subjects SPAM - deliver Trickbot, fake flashplayer
- https://myonlinesecu...stebin-adverts/
20 July 2017 - "... Trickbot banking Trojan campaign comes in an email with varying subjects including:
    paper
    doc
    scan
    invoice
    documents
    Scanned Document
    receipt
    order
They are all coming from random girls names at random email addresses. There is a zip attachment containing a VBS file...
Download sites found so far are listed on:
- https://pastebin.com/MGAVB1uz (thanks to Racco42*)

* https://twitter.com/Racco42
> Beware - for some reason the pastebin link is giving me -diverts- to a scumware site trying to download a -fake-flashplayer-hta-file (VirusTotal 17/58[1]) (Payload Security [2])
https ://uubeilisthoopla .net/85123457821940/be74be7a58e47c2837f71295a31d1533/24c3df3c0fe3c937281c3d8d7427e1da.html
  which downloads
 https ://uubeilisthoopla .net/85123457821940/1500548202679984/FlashPlayer.jse
(VirusTotal 4/58[3]) (Payload Security [4])...
1]  https://www.virustot...sis/1500548514/
FlashPlayer.hta

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
209.126.113.203

3] https://www.virustot...sis/1500549163/
FlashPlayer.jse

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
209.126.113.203
192.35.177.195


uubeilisthoopla .net: 209.126.113.203: https://www.virustot...03/information/
> https://www.virustot...20942/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 21 July 2017 - 04:19 AM.



#1989 AplusWebMaster

Posted 21 July 2017 - 09:36 AM

FYI...

Fake 'Voice Message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
21 Jul 2017 - "... coming via the Necurs -botnet- is an email with the subject of 'Voice Message Attached from 01258895166' – name unavailable [random numbered]  pretending to come from vm@ unlimitedhorizon .co.uk with a zip attachment...

Screenshot: https://myonlinesecu...ted-horizon.png

01258895166_6382218_592164.zip: Extracts to: 01258861149_20170411_185381.wsf
Current Virus total detections 2/58*. Payload Security** shows a download from
 http ://avocats-france-maroc .com/sdfgdsg1? which gave a js file (VirusTotal 7/57[3]) (Payload Security[4]) which contacts a list-of-sites and should download an encrypted text file which is converted by the js file to the Trickbot binary. However, Payload Security[4] couldn’t get anything. The sites I can see in -this- js file are:
  aprendersalsa .com/nhg67r? – artegraf .org/nhg67r? – asheardontheradiogreens .com/nhg67r?
asuntomaailma .com/nhg67r?... It will probably be similar to an earlier Trickbot version...
Thanks to Racco42[5] who has found the download sites and payload - PasteBin[6].
> Caution: we have been seeing fake flashplayer downloads & diverts via malicious ads on pastebin...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1500641858/
01258861149_20170411_185381.wsf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
158.69.133.237

3] https://www.virustot...sis/1500641867/
sdfgdsg1.js

4] https://www.hybrid-a...vironmentId=100

5] https://twitter.com/...392692761284608

6] Updated > https://t.co/eD7MtOxind

avocats-france-maroc .com: 158.69.133.237: https://www.virustot...37/information/
> https://www.virustot...7d9e6/analysis/

aprendersalsa .com: 207.7.94.54: https://www.virustot...54/information/
> https://www.virustot...5646f/analysis/

artegraf .org: 185.58.7.72: https://www.virustot...72/information/

asheardontheradiogreens .com: 199.30.241.139: https://www.virustot...39/information/
> https://www.virustot...82dc5/analysis/

asuntomaailma .com: 185.55.85.4: https://www.virustot....4/information/
___

Malicious Chrome extensions / Facebook fraud - more
- https://www.helpnets...tealthy-botnet/
July 21, 2017 - "ESET* researchers have unearthed a botnet of some 500,000 infected machines engaged mostly in ad-related fraud by using malicious Chrome extensions, but also Facebook fraud and brute-forcing Joomla and WordPress websites..."
* https://www.welivese...tly-since-2012/
20 Jul 2017 - "... a huge botnet that they monetize mainly by installing malicious browser extensions** that perform ad injection and click fraud. However, they don’t stop there. The malicious Windows services they install enable them to execute anything on the infected host. We’ve seen them being used to send a fully featured backdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and WordPress administrator panels in an attempt to compromise and potentially resell them.
Figure 1 shows the full Stantinko threat from the infection vector to the final persistent services and related plugins:
> https://www.welivese...ics-blog-01.png
... Stantinko stands out in the way it circumvents antivirus detection and thwarts reverse engineering efforts to determine if it exhibits malicious behavior. To do so, its authors make sure multiple parts are needed to conduct a complete analysis. There are always -two- components involved: a loader and an encrypted component. The malicious code is -concealed- in the encrypted component that resides either on the disk or in-the-Windows-Registry. This code is loaded and decrypted by a benign-looking executable. The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed. Moreover, Stantinko has a powerful resilience mechanism. After a successful compromise, the victim’s machine has two malicious Windows services installed, which are launched at system startup. Each service has the ability to reinstall the other in case one of them is deleted from the system. Thus, to successfully uninstall this threat, both services must be deleted at the same time. Otherwise, the C&C server can send a new version of the deleted service that isn’t detected yet or that contains a new configuration..."
** https://www.helpnets...stantinko-1.jpg
(More detail at the welivesecurity URL above.)

(IOC's): https://github.com/e...aster/stantinko
 

:ph34r: :ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 21 July 2017 - 03:23 PM.



#1990 AplusWebMaster

Posted 25 July 2017 - 05:45 AM

FYI...

Weather .com, Fusion expose Data via Google Groups Config Error
> http://www.darkreadi.../d/d-id/1329449
7/24/2017 - "Major companies have publicly exposed messages containing sensitive information due to a user-controlled configuration error in Google Groups. Researchers at RedLock Cloud Security Intelligence (CSI) discovered Google Groups belonging to hundreds of companies inadvertently exposed personally identifiable information (PII) including customer names, passwords, email and home addresses, salary compensation details, and sales pipeline data. Internal messages also exposed business strategies, which could create competitive risk if in the wrong hands, explains RedLock*...
* https://blog.redlock...isconfiguration
The Weather Company, the IBM-owned operator of weather .com and intellicast .com, is among the companies affected. Fusion Media Group, parent company of Gizmodo, The Onion, Jezebel, Lifehacker, and other properties made the same mistake... The companies that leaked data accidentally chose the sharing setting 'public on the Internet', which enabled -anyone- on the Web to access -all- information contained in their messages. RedLock advises all companies using Google Groups to ensure 'private' is the sharing setting** for 'Outside this domain-access to groups'.  RedLock's CSI team routinely checks various cloud infrastructure tools for threat vectors, and monitors publicly available data to detect misconfigurations that could cause security incidents..."
** https://blog.redlock...oupsSetting.png
___

Petya decryptor for old versions released
- https://blog.malware...sions-released/
Last updated: July 25, 2017 - "Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project... Based on the released key, we prepared a decryptor that is capable of unlocking all the legitimate versions of Petya...
WARNING: During our tests we found that in some cases Petya may -hang- during decryption, or cause some other problems potentially -damaging- to your data. That’s why, before any decryption attempts, we recommend you to make an additional backup...
It -cannot- help the victims of pirated Petyas, like PetrWrap or EternalPetya (aka NotPetya)..."
(More detail at the malwarebytes URL above.)

Related:
- https://blog.malware...-piece-package/

- https://blog.malware...malware-author/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 25 July 2017 - 01:20 PM.




#1991 AplusWebMaster

Posted 26 July 2017 - 05:23 AM

FYI...

Fake 'No Subject' SPAM - delivers Trickbot
- https://myonlinesecu...stage-download/
26 Jul 2017 - "Another Trickbot campaign overnight... Pretends to be a bill coming from notifications@ in.telstra .com.au.... You get a wsf file in zip to start with. That has a hardcoded single site in the file. That downloads a .js file which has 4 or sometimes 5 hardcoded urls which download an encrypted txt file that is converted by the js file to a working Trickbot binary. The name & reference number in the email is random...

Screenshot: https://myonlinesecu...lstra_email.png

May-July2017.zip: Extracts to: QPX_ 18941124638_411385.wsf - Current Virus total detections 4/57*.
Payload Security** downloads from dodawanie .com/?1 (or one of the other stage 2 sites listed in this pastebin[3]
(VirusTotal 5/577[4]) (Payload Security[5]) which -cannot- examine the file because it is seen as txt. However that downloads an encrypted file from one of the stage 3 sites listed in this pastebin report[6] which is converted by the script to an .exe file (VirusTotal 17/63[7]) (Payload Security[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501020013/
QPX_ 18941124638_411385.wsf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
74.125.104.72
185.23.21.13


3] https://pastebin.com/RvHqTC7y

4] https://www.virustot...sis/1501026192/

5] https://www.hybrid-a...vironmentId=100

6] https://pastebin.com/RvHqTC7y

7] https://www.virustot...sis/1501041870/
C.exe

8] https://www.reverse....vironmentId=100
Contacted Hosts
216.58.198.196
216.58.198.206


dodawanie .com: 185.23.21.13: https://www.virustot...13/information/
> https://www.virustot...30a84/analysis/
___

Fake 'Account secure documents' SPAM - delivers Trickbot
- https://myonlinesecu...ivers-trickbot/
26 Jul 2017 - "An email with the subject of 'Account secure documents' pretending to come from HSBC but actually coming from a look-alike-domain <noreply@ hsbcdocs .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan ...

Screenshot: https://myonlinesecu...ments_email.png

The word doc looks like:
> https://myonlinesecu...tAdvice_doc.png

PaymentAdvice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
  https ://kartautoeskola .com/test/images/logo.png  which is -not- an image file but a renamed .exe file
that gets -renamed- to warrantyingresalesdioxide.exe and autorun (VirusTotal 1/63***) Payload Security[4]...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501070044/
PaymentAdvice.doc

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1501067853/
vaqqamsxhmfqdrakdrchnwhcd.exe

4] https://www.hybrid-a...vironmentId=100

kartautoeskola .com: 69.160.38.3: https://www.virustot....3/information/
> https://www.virustot...cfe4b/analysis/
___

BEC attacks more costly than Ransomware...
- http://www.darkreadi.../d/d-id/1329414
7/20/2017 - "... cybercriminals walked away with $5.3 billion from business email compromise (BEC) attacks compared with $1 billion for ransomware over a three-year stretch, according to Cisco's 2017 Midyear Cybersecurity Report released*...
* https://engage2deman...security_report
... Cisco's Martino says targeted cybersecurity -education- for employees can help prevent users from falling for BEC -and- ransomware attacks. The finance department could especially benefit from security training on phishing campaigns, so when the bogus-email comes across the transit of the CEO asking for a funds transfer it can be detected... Regular software patching also is crucial. When spam-laden-malware hits or ransomware attacks similar to WannaCry surfaces, the impact can be minimized... a balanced defensive and offensive posture, with not just firewalls and antivirus but -also- including measures to hunt down possible attacks through data collection and analysis..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 26 July 2017 - 11:24 AM.

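Added example (not from the post above nor from myonlinesecurity.co.uk): a small Python triage helper that decides what a downloaded file really is from its first bytes instead of its name. In this campaign, in the Santander/Trickbot one further down ('nologo.png') and in the Globe/Trickbot runs that fetch a '.txt', the downloaded file is a renamed Windows executable. The sample downloads in the block are constructed: the names are the ones reported, the contents are fake.

```python
"""
Added example, not code from the forum post or from myonlinesecurity.co.uk:
decide what a downloaded file really is from its leading bytes instead of its
name, as in the "logo.png" / "nologo.png" / ".txt" downloads that were renamed
Windows executables.
"""
import struct
from typing import Dict, List, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
JPEG_MAGIC = b"\xff\xd8\xff"

# extension -> type that sniff_type() should report for a genuine file of that kind
CLAIMED_BY_EXT: Dict[str, str] = {
    "png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg",
    "txt": "text", "exe": "pe", "dll": "pe", "scr": "pe",
}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Content-based type: pe, png, gif, jpeg, text or unknown."""
    if is_pe(data):
        return "pe"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    # printable ASCII (plus tab/CR/LF) in the first 512 bytes counts as text
    if data and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data[:512]):
        return "text"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one thing and the bytes are another.

    A PE under any non-executable name is always flagged; otherwise only a known
    extension paired with a recognised but different type is flagged, so odd
    extensions do not generate noise.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = CLAIMED_BY_EXT.get(ext, "unknown")
    actual = sniff_type(data)
    if actual == "pe":
        return claimed != "pe"
    return claimed != "unknown" and actual != "unknown" and claimed != actual


def triage(downloads: List[Tuple[str, bytes]]) -> List[str]:
    """Names of downloads whose extension lies about their content."""
    return [name for name, data in downloads if extension_mismatch(name, data)]


def _fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: MZ stub, e_lfanew = 0x40, PE signature."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed downloads following the reported pattern (names as reported, contents fake).
SAMPLE_DOWNLOADS: List[Tuple[str, bytes]] = [
    ("logo.png", _fake_pe()),       # "not an image file but a renamed .exe"
    ("98wugf56.txt", _fake_pe()),   # "txt" that the script simply renames to .exe
    ("real.png", PNG_MAGIC + b"\x00" * 16),
    ("notes.txt", b"Attached is the copy of your payment receipt.\r\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_DOWNLOADS:
        flag = "MISMATCH" if extension_mismatch(name, data) else "ok"
        print(f"{name:16} sniffed={sniff_type(data):8} {flag}")
```

Checking the 'MZ' stub alone is not enough: e_lfanew must point at a valid 'PE\0\0' signature, otherwise any text file that happens to start with "MZ" would be flagged as an executable.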


#1992 AplusWebMaster


Posted 27 July 2017 - 05:05 AM

FYI...

Fake 'Invoice notification' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
27 Jul 2017 - "An email with the subject of 'Invoice notification with id number: 40533' pretending to come from random senders with a link-in-the-email to a malicious word doc delivers... malware... possibly Emotet banking Trojan...

Screenshot: https://myonlinesecu...umber-40533.png

GOCNX8263762.doc - Current Virus total detections 7/57*. Payload Security** shows a download from one of the sites listed below where a random named .exe is delivered (VirusTotal 13/62[3]) (Payload Security[4]).
The delivery sites are all compromised sites:
 http ://petruchio .org/zbmcicj/
 http ://danjtec .it/ldcgtgkew/
 http ://radiosmile .hu/q/
 http ://ihealthcoach .net/paqdauulaq/
 http ://btsound .com/erepr/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501132650/
URQTN6370102.doc

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1501134465/

4] https://www.hybrid-a...vironmentId=100

petruchio .org: 64.90.44.242: https://www.virustot...42/information/
> https://www.virustot...8ad51/analysis/

danjtec .it: 5.135.157.47: https://www.virustot...47/information/
> https://www.virustot...7e8d0/analysis/

radiosmile .hu: 92.61.114.191: https://www.virustot...91/information/
> https://www.virustot...60d5f/analysis/

ihealthcoach .net: 66.59.64.111: https://www.virustot...11/information/
> https://www.virustot...da823/analysis/

btsound .com: 74.220.199.25: https://www.virustot...25/information/
> https://www.virustot...1b72d/analysis/
 

:ph34r: :ph34r:    <_<




#1993 AplusWebMaster


Posted 31 July 2017 - 06:03 AM

FYI...

Fake 'Invoice' SPAM - leads to malware/Trojan
- https://myonlinesecu...coded-sections/
31 July 2017 - "Following on from THIS* -fake- invoice email is a -newer- version with a different word doc at the end of the link-in-the-email. Today’s email with the subject of 're: Invoice 622806' pretending to come from  senders with a known connection to the recipient. The link-in-the-email leads to a malicious word doc that eventually delivers Emotet/Geodo banking Trojan...
* https://myonlinesecu...livers-malware/

Screenshot: https://myonlinesecu...oice-622806.png

ZDFRRI208.doc - Current Virus total detections 1/58[1]. Payload Security[2] doesn’t show any download... Twitter contacts Malwarehunterteam[3] and Antelox[4] have found some of the associated download urls and payload...
These word docs are using various tricks that make it difficult for the online sandboxes to decode/analyse, find the download sites and download the eventual payload. The url so far found is
 http ://macsys.ca/ZQRZCy/ but... there are others.
1] https://www.virustot...sis/1501480309/
BNCKKK930.doc

2] https://www.hybrid-a...vironmentId=100

3] https://twitter.com/...913205047590913

4] https://twitter.com/...914028246638592

Update: another contact[5] has found the complete list[5a] (pastebin[6])
    http ://macsys .ca/ZQRZCy/ > 216.177.130.19
    http ://paulplusa .com/jUiYKJFIuj/ > 216.97.239.25
    http ://josephconst .com/cByNSVwsK/ > 67.228.48.40
    http ://cs-skiluj.sanfre .eu/PSArDr/ > 185.5.98.24
    http ://itdoctor .ca/jgaeQ/ > 67.205.112.177

5] https://twitter.com/...922001647894528

5a] https://twitter.com/...918128627597315

6] https://pastebin.com/Cdvat2Bp

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
> https://www.hybrid-a...vironmentId=100
Contacted Hosts
207.210.245.164
___

Fake 'Receipt' SPAM - delivers ransomware
- https://myonlinesecu...obe-ransomware/
31 July 2017 - "... malware downloaders pretending to be a 'payment receipt' -or- a 'receipt' is an email with the subject of 'Receipt 21426' coming or pretending to come from donotreply@ random email addresses with a zip attachment containing a .vbs file that delivers globe ransomware. The zip name corresponds with the subject line. There are a mass of subject lines today. Some of the patterns include:
    Receipt#83396
    Receipt 21426
    Payment-421
    Payment Receipt 222
    Payment Receipt#97481
    Payment Receipt_8812
    Receipt-351
    Payment Receipt_03950 ...
One of the emails looks like:
From: donotreply@ blueprintrecruitment .co.uk
Date: Mon 31/07/2017 11:15
Subject:  Receipt 21426
Attachment: P21426.zip
[Body content:]
    Attached is the copy of your payment receipt.


P21426.zip: Extracts to: 20172.2017-07-31_75.20.68.vbs - Current Virus total detections 7/58*. Payload Security**  shows a download of a txt file from
 http ://koewege .de/98wugf56? > 81.169.145.77
which is simply renamed by the script to a random named .exe file (VirusTotal 14/64[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501499651/
20172.2017-07-31_75.20.68.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.145.77

3] https://www.virustot...sis/1501501469/

4] https://www.hybrid-a...vironmentId=100
Associated URLs: http ://okdomvrn .ru/98wugf56?
okdomvrn .ru: 92.53.96.9: https://www.virustot....9/information/
> https://www.virustot...380ed/analysis/
 

  :ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 01 August 2017 - 07:11 AM.



#1994 AplusWebMaster


Posted 01 August 2017 - 12:28 PM

FYI...

Fake 'secure message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
1 Aug 2017 - "An email with the subject of 'You have a new secure message waiting' pretending to come from Santander but actually coming from a look-alike-domain Santander <pleasedonotreply@ -santandersecuremessage- .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...age-waiting.png

SecureMessage.doc - Current Virus total detections 5/58* Payload Security** shows a download from
  http ://lexpertpret .com/fr/nologo.png which of course is -not- an image file but a renamed .exe file that gets renamed to ywbltmn.exe and autorun (VirusTotal 16/63[3]) (Payload Security[4]). An alternative download location is
  https ://hvsglobal .co.uk/image/nologo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501605462/
SecureMessage.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.138.226.110
146.255.36.1
69.247.60.183
46.105.250.84
91.206.4.216


3] https://www.virustot...sis/1501604882/
ywbltmn.exe

4] https://www.hybrid-a...vironmentId=100

lexpertpret .com: 216.138.226.110: https://www.virustot...10/information/
> https://www.virustot...5c217/analysis/

hvsglobal .co.uk: 192.185.37.229: https://www.virustot...29/information/
> https://www.virustot...eea4b/analysis/
___

Fake 'Voicemail' SPAM - delivers Trojan
- https://myonlinesecu...banking-trojan/
1 Aug 2017 - "... an email with the subject of 'Voicemail From 845-551-#### at 9:35AM' pretending to come from Microsoft Voice <MSVoice@ your own email domain> downloads Emotet banking Trojan...

Screenshot: https://myonlinesecu...66-at-935AM.png

VM97358238_20170801.zip: Extracts to: VM9742814303_20170801.vbs Current Virus total detections 16/55*
Payload Security**. Manual analysis of the vbs file shows these download sites hardcoded in a base64 encoding with a bit of extra nonsense padding to try to hide them (there will be loads of other sites in other vbs files attached to a -different- version of this)
 showyourdeal .com/JHghjHy6? > 143.95.99.159
 89tg7gjkkhhprottity .com/af/JHghjHy6 > 91.214.114.154
 mybutterhalf .com/JHghjHy6? > 208.91.198.170
 dreamoneday .com/JHghjHy6? > 103.21.58.181
These are downloaded as txt files but are simply renamed .exe files (VirusTotal 16/55[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137


3] https://www.virustot...sis/1480616575/
-6dt874p53077.js

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137


Update: it appears that this is more likely to be Globeimposter ransomware* not Emotet. It looks like I was misled by initial detections on VirusTotal and the delivery method.
* https://twitter.com/...613372889399296
2nd Update 2 August 2017: This campaign has continued on and off all night (UK time) with a slight change to the zip file names. From exactly midnight UK time last night the last part of the zip name ( the date) changed from VM#######_20170801.zip to VM#######_20170802.zip. Looking through a few of the nearly 600 I received, it looks like the download sites are the -same- as many of the sites in yesterday’s (and earlier) Trickbot and  globeimposter campaigns that I didn’t report on because of other real world commitments. A list of sites can be seen in VT comments**. Just change /98wugf56 to /JHghjHy6 (quite a few sites are live using the latest file name format).
** https://www.virustot...1fa27/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 02 August 2017 - 04:18 AM.

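Added example, not code from the post above or from myonlinesecurity.co.uk: a Python helper that recovers download URLs a .vbs downloader keeps as base64 string literals padded with junk, as described in the 'Voicemail' post. The junk model (characters outside the base64 alphabet sprinkled inside the literal) is an assumption about the obfuscation, and the sample script in the block is constructed here using the four download sites the post lists; real samples may differ.

```python
"""
Added example, not code from the forum post or from myonlinesecurity.co.uk:
pull URLs out of a script's string literals when they are base64 with junk
characters mixed in.  The junk model (non-base64 characters inside the literal)
is an assumption; the sample .vbs below is constructed.
"""
import base64
import binascii
import re
from typing import List, Optional

B64_JUNK = re.compile(r"[^A-Za-z0-9+/=]")
STRING_LITERAL = re.compile(r'"([^"\r\n]*)"')
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/?=&%]*)?")


def _b64_decode_lenient(literal: str) -> Optional[bytes]:
    """Strip junk, repair padding, decode; None when the result is not base64."""
    cleaned = B64_JUNK.sub("", literal).rstrip("=")
    if len(cleaned) < 8:          # too short to hide a URL
        return None
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_hidden_urls(script_text: str) -> List[str]:
    """URLs found inside base64-encoded string literals, in order, deduplicated."""
    found: List[str] = []
    for literal in STRING_LITERAL.findall(script_text):
        raw = _b64_decode_lenient(literal)
        if raw is None:
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue              # decoded bytes are not text, so not a URL
        for url in URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return found


def _obfuscate(url: str, junk: str = "!~#") -> str:
    """Constructed obfuscation for the sample: base64 with a junk char after every 5th char."""
    enc = base64.b64encode(url.encode()).decode()
    out = []
    for i, ch in enumerate(enc):
        out.append(ch)
        if i % 5 == 4:
            out.append(junk[i % len(junk)])
    return "".join(out)


# Constructed sample script (not the real VM*.vbs); the URLs are the download
# sites reported in the post.
SAMPLE_URLS = [
    "http://showyourdeal.com/JHghjHy6?",
    "http://89tg7gjkkhhprottity.com/af/JHghjHy6",
    "http://mybutterhalf.com/JHghjHy6?",
    "http://dreamoneday.com/JHghjHy6?",
]
SAMPLE_VBS = "\n".join(
    ["Dim sites(3)", 'Set objShell = CreateObject("WScript.Shell")']
    + [f'sites({i}) = "{_obfuscate(u)}"' for i, u in enumerate(SAMPLE_URLS)]
    + ['MsgBox "Loading document, please wait..."']
)

if __name__ == "__main__":
    for u in extract_hidden_urls(SAMPLE_VBS):
        print(u)
```

Ordinary literals such as "WScript.Shell" either fail strict base64 validation or decode to non-ASCII bytes, so they drop out without a URL filter having to be tuned. If the junk is made of characters that are themselves valid base64, stripping by alphabet will not work and the decoding routine in the script has to be read instead.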


#1995 AplusWebMaster


Posted 02 August 2017 - 09:23 AM

FYI...

Fake 'Online Bill' SPAM - delivers malware
- https://myonlinesecu...banking-trojan/
2 Aug 2017 - "... malspam campaign pretending to be a 'Vodafone bill'. These started earlier this morning with links-in-the-email to a compromised or fraudulently set up SharePoint business site that soon stopped delivering the malware payloads. They then quickly switched to a whole host of other compromised sites to host the word doc that is the first stage in the malware download process. This is definitely a dyre based banking Trojan and might be Dridex or might be Trickbot...

Screenshot: https://myonlinesecu...ady-to-view.png

Bill_02082017.doc - Current Virus total detections 21/59*. Payload Security** downloads an encrypted txt file from one of these 3 sites (may be more in other macros so far not examined):
  http ://ortaokuldayiz .com/82yyfh3 > 94.73.148.130
  http ://trredfcjrottrdtwwq .net/af/82yyfh3 > 54.214.108.57
  http ://eoliko .com/82yyfh3 > 5.100.152.26
which is converted by the script to sultan8.exe (VirusTotal 16/63[3]) (Payload Security[4])...
Eset Ireland did mention this one earlier today:
> https://blog.eset.ie...trojan-malware/
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...59eb8/analysis/
Bill_02082017.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
94.73.148.130
37.120.182.208
191.7.30.30
194.87.102.119
172.97.69.140


3] https://www.virustot...65b22/analysis/
82yyfh3.exe

4] https://www.hybrid-a...vironmentId=100
Filename: 82yyfh3
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 02 August 2017 - 01:20 PM.

