SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1996 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 03 August 2017 - 05:07 AM

FYI...

Fake 'Secure Email' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
3 Aug 2017 - "An email with the subject of 'Nationwide Secure Email – Secured Message' pretending to come from Nationwide but actually coming from a look-a-like domain <secured@ nationwidesecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... Today’s example of the spoofed domain is nationwidesecure .co.uk 184.168.221.37  ip-184-168-221-37 .ip.secureserver .net...

The word doc attachment looks like this and tells you to use the non-existent passphrase to open it. The blue moving circle makes you think that you need to enable the content & macros to see the hidden secure content.
DO NOT enable the macros or content. You WILL be infected:
> https://myonlinesecu...-Secure_doc.png

Secure.doc - Current Virus total detections 7/58*. Payload Security** shows a download from
 http ://catterydelacanaille .be/logo.png which of course is -not- an image file but a renamed .exe file
that gets renamed to tyltl.exe and autorun (VirusTotal 15/65[3]). An alternative download location is
 http ://carriereiserphotography .com/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501756792/
Secure.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.255.9.40
37.120.182.208
185.30.144.205


3] https://www.virustot...sis/1501755791/
tyltl.exe

catterydelacanaille .be: 89.255.9.40: https://www.virustot...40/information/
> https://www.virustot...44ba2/analysis/

carriereiserphotography .com: 72.32.177.50: https://www.virustot...50/information/
> https://www.virustot...b9dce/analysis/
___

'Payment copy' - Phish
- https://myonlinesecu...il-credentials/
3 Aug 2017 - "... phishing attempts for email credentials. This one is slightly different than many others and surprisingly creative from the phisher. It pretends to be a message saying to 'download a payment copy and please ship the goods' they have ordered...

Screenshot: https://myonlinesecu...ishing-scam.png

If you follow the link inside the email you see a webpage looking like this:
 http ://clcktoviewnow.a-acheter .org/  which contains an -Iframe- to
 http ://www.pensiunea-ciobanelu .ro/view-ttcpy/
which actually displays the phishing attempt:
> https://myonlinesecu...s_pensiunea.png

After you input your email address and password, you get told “Please wait download will start in a minute”. It never does, there is no download of anything, whether malware or a genuine “fake” invoice or payment receipt and this is simply a phishing -scam- to get your email account credentials:
> https://myonlinesecu..._pensiunea2.png

... these emails use Social engineering tricks to persuade you to open the attachments or follow links in emails..."

clcktoviewnow.a-acheter .org: 85.14.138.114: https://www.virustot...14/information/
> https://www.virustot...2319e/analysis/

pensiunea-ciobanelu .ro: 89.40.32.15: https://www.virustot...15/information/
> https://www.virustot...18c36/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 03 August 2017 - 06:01 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1997 AplusWebMaster


Posted 14 August 2017 - 05:22 AM

FYI...

Fake 'Beneficiary’s Details' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
14 Aug 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... 'previously mentioned many of these HERE*. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically...
* https://myonlinesecu.../?s=java adwind

Screenshot: https://myonlinesecu...12602119326.png

The link in the email body goes to
 http ://karizma-co .com/wp-admin/user/Beneficiary%27s Details.R01 (VirusTotal 0/65[1]) (almost certainly a compromised WordPress website) where a zip file is downloaded.
Beneficiary’s Details.zip - Extracts to Beneficiary’s Details.jar (478kb) - Current Virus total detections 1/59[2]
Payload Security[3]... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustot...sis/1502700304/

2] https://www.virustot...sis/1502679993/
Xpressmoney Global network.jar

3] https://www.hybrid-a...vironmentId=100
File Details:
Beneficiary's Details.jar

karizma-co .com: 5.189.185.178: https://www.virustot...78/information/
___

Fake 'Secure Email' SPAM - delivers trickbot
- https://myonlinesecu...ivers-trickbot/
14 Aug 2017 - "An email with the subject of 'You have a Santander Secure Email' pretending to come from Santander Bank but actually coming from a look-a-like domain <message@ santanderdocs .co.uk> with an html attachment which downloads a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is
santanderdocs .co.uk: 160.153.162.141: https://www.virustot...41/information/
> https://www.virustot...1ffb3/analysis/

I don’t have an actual email. The information was forwarded to me and only has the basic details with -no- email body content. The email looks like:
From: Santander  <message@santanderdocs .co.uk>
Date: 14 August 2017 20:12
Subject: You have a Santander Secure Email
Attachment: SecureDoc.html


Screenshot of word doc: Beware of the -login- in the word doc. It is only there to persuade the recipient to enable content which allows the macros-to-run and infect you. Do NOT follow those instructions:
> https://myonlinesecu...r_SecureDoc.png

SecureDoc.doc - Current Virus total detections 3/58*. Payload Security**. This malware file downloads from
 http ://cfigueras .com/armanistand.png which of course is -not- an image file but a renamed .exe file that gets renamed to Cqgcf.exe (VirusTotal 10/64[3]). An alternative download location is
 http ://centromiosalud .es/armanistand.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1502715405/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.255.225.215
158.69.26.138
46.160.165.31


3] https://www.virustot...sis/1502713865/

cfigueras .com: 51.254.83.173: https://www.virustot...73/information/
> https://www.virustot...ff174/analysis/

centromiosalud .es: 178.255.225.215: https://www.virustot...15/information/
> https://www.virustot...fd183/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 14 August 2017 - 03:23 PM.



#1998 AplusWebMaster


Posted 16 August 2017 - 04:07 AM

FYI...

Fake 'eFax' SPAM - delivers trickbot
- https://myonlinesecu...banking-trojan/
15 Aug 2017 - "An email with the subject of 'eFax' pretending to come from eFax but actually coming from a look-a-like domain eFax <noreply@ faxdocuments120 .ml> with a malicious word doc attachment is today’s latest spoof of a well known company, messaging service, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ocuments120.png

The word doc looks like:
> https://myonlinesecu...53_2425_doc.png

efax42542153_2425.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
 http ://cfigueras .com/nothing44.png which of course is -not- an image file but a renamed .exe file that gets renamed to Qhdizwg.exe and autorun (VirusTotal 14/64***). An alternative download location is
 http ://cfai66 .fr/nothing44.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1502883132/
efax42542153_2425.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
51.254.83.173
158.69.26.138
185.141.26.86
185.40.20.42


*** https://www.virustot...sis/1502881050/
Qhdizwg.exe

cfigueras .com: 51.254.83.173: https://www.virustot...73/information/
> https://www.virustot...c777e/analysis/

cfai66 .fr: 87.252.5.144: https://www.virustot...44/information/
> https://www.virustot...57f20/analysis/
___

Locky ransomware returns - two new "flavors"
- https://blog.malware...wo-new-flavors/
Aug 16, 2017 - "We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware... From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files with the rescue note: “diablo6-[random] .htm“. Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note: “lukitus .html“... Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script:
> https://blog.malware...cus_MalSpam.png
... The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should
-never- assume Locky is gone simply because it’s not active at a particular given time..."
(More detail at the first malwarebytes URL above.)
___

Paypal phish - fake verification
- https://isc.sans.edu/diary/22726
2017-08-16 - "There are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new -fake- pages almost daily. Sometimes, the web server isn’t properly configured and the source code is publicly available... I presume that the kit is related to a spam campaign but I did not get the initial email. Based on the quality of the kit, I suspect the email to be properly written. As usual, it starts with the classic Paypal login page:
- https://isc.sans.edu...-20170816-1.png
Then a fake verification page is displayed to warn the victim that a check of the account must be performed. Note that the values are hard coded:
- https://isc.sans.edu...-20170816-2.png
The next steps ask the victim to enter his/her details, including banking details:
- https://isc.sans.edu...-20170816-4.png
Graphically, the different pages are very clean and use components from the Paypal website to reproduce a look and feel very close to the official pages... There is also a second check of the IP address included in the PHP code. If a valid IP address or User-Agent is detected, an HTTP error 404 (page not found) is returned... When the verification screens are displayed to the victim, fields are prefilled with the extracted information from Paypal. This is really evil! All fields are also validated to prevent garbage and increase the chance to capture real data. Depending on the card number that the victim provided, a next screen is presented to fill bank details. Based on the source code, three countries are targeted: US, CA and UK. Depending on the bank, specific forms are displayed to request valid connection details... At the end of the “verification process”, an email is sent to the attacker with all the victim's details. The destination is a gmail .com account... If most phishing kits remain simple and can be easily spotted by the victims, some of them are really well developed and harder-to-catch, especially if the URL used is nicely chosen and distributed via HTTPS. This kit was huge with more than 300 files in a 1.8MB ZIP file. Take care!"
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 16 August 2017 - 01:37 PM.



#1999 AplusWebMaster


Posted 17 August 2017 - 04:31 AM

FYI...

Fake 'invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
17 Aug 2017 - "... an email with the subject of 'Your Xero Invoice INV-0855485' coming from subscription.notifications@ xeronet .org which uses -compromised- sharepoint aka onedrive for business accounts to deliver Dridex banking Trojan...

Screenshot: https://myonlinesecu...INV-0855485.png

The -link- in the body of the email is to
 https ://lakesambel-my.sharepoint .com/personal/contact_caravanparkbeechworth_com_au/_layouts/15/guestaccess.aspx?docid=03b4b6316d9ca4fa48971a9101a38b364&authkey=Afo8hRz5LV65-XWim02sZtg
where a zip file containing a .js file is downloaded.

Xero Invoice.zip: Extracts to: Xero Invoice.js - Current Virus total detections 20/57[1]. Payload Security[2]
This malware downloads from
 https ://stakks-my.sharepoint .com/personal/accounts_stakks_com_au/_layouts/15/guestaccess.aspx?docid=0426cc21c900f4425bfd868cf0a9bc836&authkey=AdVBGQCO-SGtytiexhgUfw8
to deliver documents.xero which is -renamed- to Y739Ayh.exe (VirusTotal 34/65[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustot...sis/1502950371/

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...c0aea/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts


lakesambel-my.sharepoint .com: 13.107.6.151: https://www.virustot...51/information/

stakks-my.sharepoint .com: 13.107.6.151
___

Fake 'Outstanding invoices' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
17 Aug 2017 - "An email with the subject of 'Outstanding invoices email 1 of 2' pretending to come from random names and email addresses with a malicious word doc attachment delivers Locky Ransomware...

Screenshot: https://myonlinesecu...mail-1-of-2.png

056757.doc - Current Virus total detections 15/58*. Payload Security**.
This malware downloads from
 http ://campingtossa .com/87wifhFsdf (VirusTotal 23/63***).
There will be dozens if not hundreds of other downloads sites in different versions of these word docs...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1502969190/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
188.93.73.211
212.109.220.109


*** https://www.virustot...sis/1502969865/
87wifhFsdf.exe

campingtossa .com: 188.93.73.211: https://www.virustot...11/information/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 17 August 2017 - 06:36 AM.



#2000 AplusWebMaster


Posted 18 August 2017 - 07:48 AM

FYI...

Fake 'order' SPAM - links deliver malware
- https://myonlinesecu...livers-malware/
18 Aug 2017 - "... an email with the subject of 'Your order no 8194788 (random numbers) has been processed' coming from random names @ creatingkindly .com which delivers some sort of malware... These pretend to be an order confirmation for cotton material from a -random- name shop with a -fake- address...

Screenshot: https://myonlinesecu...n-processed.png

The email has a -link- in the body to
 http ://michellesteve .com/victim_name/8194788.php?recipient-id=bzmqkpohrma&=282193283842&395981697844=760611824 which downloads document.zip: which Extracts to: document.lnk
- Current Virus total detections 6/55[1]. Payload Security[2].
An alternative email had the -link- to
 http ://letsgetvisibility .com/victim_name/6290807.php?id-ee=ycttmymbp&=vdfq&jxkhgrs=vddrhdu
which currently gives me a 404 on the entire domain although it does have registration details from 2015.
This malware downloads from
 http ://otp.forgetmenotbeading .com/valid.bin which is -renamed- by the script to combo.exe
(VirusTotal 8/61[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it... -Never- attempt to open a zip directly from your email, that is a guaranteed way to get infected... just delete the unexpected zip and not risk any infection..."
1] https://www.virustot...sis/1503034822/
document.zip

2] https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1503034808/
valid.bin

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
65.55.50.189
185.117.73.5


creatingkindly .com: 50.63.202.38: https://www.virustot...38/information/

michellesteve .com: 185.61.152.60: https://www.virustot...60/information/

letsgetvisibility .com: A temporary error occurred during the lookup...

[Corrected to:] otp.forgetmenotbeading .com: 185.183.97.141: https://www.virustot...7607e/analysis/
___

Cloud: User Account Attacks jumped 300% since 2016
... Most of these Microsoft user account compromises can be attributed to weak, guessable passwords and poor password management...
- http://www.darkreadi.../d/d-id/1329666
8/17/2017 - "... 'One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites', the report* states... Attackers -frequently- compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning..."
* http://download.micr...t_Volume_22.pdf
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 18 August 2017 - 09:38 AM.



#2001 AplusWebMaster


Posted 21 August 2017 - 12:41 PM

FYI...

Fake 'please print' 'images etc' SPAM - delivers Cerber
- http://blog.dynamoo....images-etc.html
21 Aug 2017 - "I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

    Subject:       images
    From:       "Sophia Passmore" [Sophia5555@victimdomain .tld]
    Date:       Fri, May 12, 2017 7:18 pm

    *Sophia Passmore*

--
    Subject:       please print
    From:       "Roberta Pethick" [Roberta5555@victimdomain .tld]
    Date:       Fri, May 12, 2017 7:18 pm

    *Roberta Pethick*


In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58*. Both samples contained a malicious Javascript named 20170821_08914700.js ...
Automated analysis [1] [2] shows a download from the following locations:
gel-batterien-agm-batterien .de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh .info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]
The Hybrid Analysis report[1] shows an executable being dropped which is Cerber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64[3].
Recommended blocklist:
46.4.91.144
119.28.100.249
"
* https://virustotal.c...ee573/detection

1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.4.91.144
119.28.100.249
216.58.206.228


2] https://malwr.com/an...mVmMTJlNjg3Y2M/
Hosts
46.4.91.144
119.28.100.249


3] https://www.virustot...a234c/analysis/
___

Fake 'O2 Bill' SPAM - delivers Emotet banking Trojan
- https://myonlinesecu...banking-trojan/
21 Aug 2017 - "... an email with the subject of 'My O2 Business – Your O2 Bill is ready' – (recipient’s name) coming from random senders which delivers Emotet banking Trojan. There have also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in -all- the campaigns...

Screenshot: https://myonlinesecu.../08/O2_bill.png

Update 22 August 2017: a new malspam run this morning with a slightly changed subject 'Your O2 bill is ready' – (recipient name) still coming from random senders but pretending to come from 'O2 bill'. There have also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in all the campaigns...
Screenshot: https://myonlinesecu.../08/O2_bill.png

The link in the email is to various sites where a word doc is downloaded. Some sites include:
The word doc when opened [ and -if- you are unwise enough to enable macros ] will drop an encoded/obfuscated  PowerShell script that has several obfuscated hard coded URLs inside it which download the actual Emotet banking Trojan. These do need quite a bit of decoding to get to the payload.
Some of today’s Urls are:
... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it...
Analysis reports: Note the binaries update at frequent intervals during the day (time of the malware campaign) so you will get -different- versions/file hashes from those mentioned here."
Word Doc: > https://www.virustot...ec54e/analysis/
Rech-03674886877.doc
O2 bill - 000952128372.doc

> https://www.hybrid-a...vironmentId=100

Dropped binary: > https://www.virustot...sis/1503320867/
nvidiamath.exe

> https://www.virustot...sis/1503333837/
vHsZK.exe

> https://www.hybrid-a...vironmentId=100
Contacted Hosts
104.236.252.178
storagewmi.exe

> https://www.hybrid-a...vironmentId=100
HTTP Traffic
104.236.252.178
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 22 August 2017 - 03:53 AM.

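The Emotet post above notes that the macro drops an encoded, obfuscated PowerShell script whose hard-coded download URLs "need quite a bit of decoding to get to the payload". As an added example (not code from the quoted blog or from this forum), here is a small Python triage helper that performs the two routine steps: decode a base64 UTF-16LE `-EncodedCommand` payload, then fold PowerShell `'a'+'b'` string concatenations before extracting URLs. The script it decodes is a constructed, harmless stand-in using reserved example domains, not a real sample.

```python
import base64
import re

# Constructed, harmless stand-in for an obfuscated downloader script: the
# URLs are split into quoted fragments joined with '+', so a regex over the
# raw text finds no "http://" at all. Domains are reserved example names.
SAMPLE_SCRIPT = (
    "$d='ht'+'tp'+'://'+'example'+'.invalid'+'/AbCdEf/';"
    "$e='ht'+'tp://'+'sample.test'+'/xYz123/';"
    "$list=@($d,$e);"
    "foreach($u in $list){ Write-Output $u }"
)

# powershell -EncodedCommand expects base64 over the UTF-16LE script bytes.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# 'frag1' + 'frag2'  (two single-quoted PowerShell literals joined with +)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# Plain URL matcher, applied only after concatenations have been folded.
_URL = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/%]*)?")


def decode_powershell(encoded: str) -> str:
    """Turn a -EncodedCommand argument back into script text."""
    raw = base64.b64decode(encoded, validate=True)
    return raw.decode("utf-16le")


def fold_concatenations(script: str) -> str:
    """Join 'a'+'b' literals into 'ab' until no adjacent pair remains."""
    previous = None
    while previous != script:
        previous = script
        script = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script


def extract_urls(encoded: str) -> list[str]:
    """Decode, de-obfuscate and return the unique URLs in first-seen order."""
    script = fold_concatenations(decode_powershell(encoded))
    seen, found = set(), []
    for url in _URL.findall(script):
        if url not in seen:
            seen.add(url)
            found.append(url)
    return found


def defang(url: str) -> str:
    """Write a URL the way this thread does ("http ://host") so it is not clickable."""
    return url.replace("://", " ://", 1)


if __name__ == "__main__":
    # Expected: two defanged URLs that never appear literally in the raw script.
    for u in extract_urls(SAMPLE_ENCODED):
        print(defang(u))
```

Real samples also use double-quoted strings, `-join`, `[char]` arrays and `Invoke-Expression` layers; this helper handles only the single-quote concatenation case, which is why a sandbox run is still the reliable way to reach the final URL set.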


#2002 AplusWebMaster


Posted 22 August 2017 - 04:30 AM

FYI...

Fake 'Voicemail Service' SPAM - delivers ransomware
- http://blog.dynamoo....il-service.html
22 Aug 2017 - "This -fake- voicemail leads to malware:
    Subject:       [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
    From:       "Voicemail Service" [pbx@ local]
    Date:       Tue, August 22, 2017 10:37 am
    To:       "Evelyn Medina"
    Priority:       Normal
    Dear user:
            just wanted to let you know you were just left a 0:53 long message (number 46)
    in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
    so you might want to check it when you get a chance.  Thanks!
                                    --Voicemail Service


The numbers and details -vary- from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js...
The script has a VirusTotal detection rate of 14/59*.
According to automated analysis [1] [2] the script reaches out to the following URLs:
5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]
A -ransomware- component is dropped (probably Locky) with a detection rate of 16/64[3]."
* https://virustotal.c...ae059/detection

1] https://malwr.com/an...WE0OWUxNGZkMTA/
msg6355.js
Hosts
91.234.195.48
5.196.99.239


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.58.209.238
91.234.195.48
5.188.63.30


3] https://www.virustot...cd38f/analysis/
jbfr387

> https://myonlinesecu...delivers-locky/
22 Aug 2017 - "... an email with the subject of '[PBX]: New message 10 in mailbox 101 from 100GOFEDEX' <7820413853> pretending to come from 'Voicemail Service' <pbx@ local>... The new message number, mailbox number, gofedex number and telephone number are all random. All of these are being sent to Evelyn Medina <random_name@ recipient_domain .tld>...

Screenshot: https://myonlinesecu...x-voicemail.png

msg0575.rar: Extracts to: msg0575.js - Current Virus total detections 16/55*. Payload Security** delivers
bURnweP2.exe VirusTotal 16/65***...
There are literally hundreds of sites listed in the different versions of js files - when one of the other researchers uploads a list of today’s sites, I will edit this post to link to it...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
File Details
msg4975.js
Contacted Hosts
37.247.123.33
94.242.59.239
5.196.99.239


*** https://www.virustot...cd38f/analysis/
jbfr387[1].3164.dr
___

Fake 'Payments request' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
22 Aug 2017 - "An email with the subject of 'Payments request' pretending to come from HSBC but actually coming from a look-a-like domain <message@ hsbc-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is hsbc-mail .co.uk 89.233.106.146. As usual they are registered via Godaddy as registrar and the emails are being sent via 89.233.106.146 AS35017 Swiftway Sp. z o.o...

Screenshot: https://myonlinesecu...nts-request.png

Word doc looks like: https://myonlinesecu...cuments_doc.png

PaymentDocuments.doc - Current Virus total detections 3/59*. Payload Security**. This malware file downloads from
 http ://pfsmoney .com/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to vgjqlt.exe and autorun (VirusTotal 13/65***).
An alternative download location is
 http ://panda .biz/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...a3167/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.191.25.102
37.120.182.208
194.87.144.16
172.93.37.143


*** https://www.virustot...sis/1503394753/

pfsmoney .com: 162.144.12.198: https://www.virustot...98/information/
> https://www.virustot...901b0/analysis/

panda .biz: 192.64.147.215: https://www.virustot...15/information/
___

Fake 'Purchase Order' SPAM - delivers nanocore RAT
- https://myonlinesecu...s-nanocore-rat/
22 Aug 2017 - "... an email with the subject of 'Purchase Order' coming from Angelika Rodriguez  <zales@ municipiodepaute .gob.ec>[1] which delivers what is probably a nanocore RAT (it matches yara sigs for that malware)...
1] http://www.reputatio...29.250&d=gob.ec

Screenshot: https://myonlinesecu...chase-order.png

Purchase_Order_List_Aug.zip: Extracts to: Purchase_Order_List_Aug.exe - Current Virus total detections 12/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503426139/
Purchase_Order_List_Aug.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
174.127.99.135
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 22 August 2017 - 01:35 PM.

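Several of the Trickbot posts in this thread (#1996, #1997, #1998 and #2002 above) describe the same trick: the macro fetches `logo.png`, `armanistand.png` or `nothing44.png`, which "is -not- an image file but a renamed .exe". The extension and the Content-Type header are attacker-controlled, so a proxy, mail gateway or sandbox check has to look at the bytes. This added Python example (my code, not the quoted blogs' tooling) classifies a download by comparing the image extension the name claims against the file's real magic bytes, treating a DOS `MZ` stub whose `e_lfanew` field points at a `PE\0\0` signature as a Windows executable. The PE-shaped blob and PNG header it tests are constructed inline.

```python
import struct
from typing import Optional

E_LFANEW_OFFSET = 0x3C  # DOS header field holding the file offset of "PE\0\0"

# Magic bytes for the image types these lures claim to be.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def is_pe(data: bytes) -> bool:
    """True when data has an 'MZ' DOS stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def image_extension(name_or_url: str) -> Optional[str]:
    """Image extension the name claims (query string ignored); None if not an image name."""
    path = name_or_url.split("?", 1)[0].lower()
    for ext in IMAGE_SIGNATURES:
        if path.endswith(ext):
            return ext
    return None


def classify_download(name_or_url: str, data: bytes) -> str:
    """
    Verdicts:
      'pe-masquerading-as-image'  name says image, bytes say Windows executable
      'image'                     name and magic bytes agree
      'pe'                        executable under a non-image name
      'unknown'                   anything else (inspect further)
    """
    ext = image_extension(name_or_url)
    pe = is_pe(data)
    if ext and pe:
        return "pe-masquerading-as-image"
    if ext and data.startswith(IMAGE_SIGNATURES[ext]):
        return "image"
    if pe:
        return "pe"
    return "unknown"


def constructed_pe_blob() -> bytes:
    """Constructed minimal PE-shaped bytes for testing; not a runnable program."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, 0x40)  # PE header right after the stub
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


CONSTRUCTED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # PNG signature plus padding


if __name__ == "__main__":
    # Mirrors the thread: an executable fetched under an image name, then a real image.
    for name, blob in [("logo.png", constructed_pe_blob()),
                       ("logo.png", CONSTRUCTED_PNG),
                       ("tyltl.exe", constructed_pe_blob())]:
        print(f"{name}: {classify_download(name, blob)}")
```

On a web proxy the same check applied to the response body lets you block or alert on an `image/*` response that begins with `MZ`, which is the moment these macro chains become visible on the network rather than only on the endpoint.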


#2003 AplusWebMaster


Posted 23 August 2017 - 03:52 AM

FYI...

Fake 'purchase order' SPAM - delivers malware
- https://myonlinesecu...vering-malware/
23 Aug 2017 - "... an email with the subject of 'RFQ072017' coming from Stafford Shawn <staffordshawn1@ yahoo .com> (possibly random senders) but definitely coming via Yahoo email network with a zip attachment containing a file that pretends to be a pdf file but is an .exe file... All detections on VirusTotal are heuristic or generic detections but it is quite well detected.
Update: I am reliably informed it is nanocore RAT 1.2.2.0...

Screenshot: https://myonlinesecu...8/RFQ072017.png

SCAN_PO#20170823.PDF.z: Extracts to: SCAN_PO#20170823.PDF.z.exe - Current Virus total detections 23/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503458477/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.12.45.79
___

Fake 'Ref' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
23 Aug 2017 - "An email with the subject of 'Ref: 72381821' pretending to come from Barclays Bank but actually coming from a look-a-like domain Barclays <message@ barclaysmail .co.uk> -or- Barclays <message@ barclays-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are barclaysmail .co.uk 46.21.147.128 AS35017 Swiftway Sp. z o.o. and barclays-mail .co.uk 85.93.88.35  malta2333.startdedicated .net AS8972 Host Europe GmbH...

Screenshot: https://myonlinesecu...clays-email.png

Ref72381821.doc - Current Virus total detections 4/58*. Payload Security**... This malware file downloads from
 http ://eva-wagner .net/picture_library/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to hgfudf.exe and autorun (VirusTotal 18/63***). An alternative download location is
 http ://eva-poldi .at/logo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503484026/
attachment20170823-17020-5y3sht.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.138.14.149
37.120.182.208
51.254.164.249
188.165.62.11


*** https://www.virustot...1e212/analysis/
hgfudf.exe

eva-wagner .net: 148.251.26.133: https://www.virustot...33/information/
> https://www.virustot...2b542/analysis/

eva-poldi .at: 62.138.14.149: https://www.virustot...49/information/
> https://www.virustot...6d639/analysis/
___

Fake 'Fax' SPAM - delivers Locky
- https://myonlinesecu...-email-malspam/
22 Aug 2017 - "... series of Locky downloaders... an email with the subject of 'Fax from: (01242) 856225' [random numbers] pretending to come from Free Fax to Email <freefaxtoemail@ random email domain>...

Screenshot: https://myonlinesecu...1242-856225.png

Fax278044344f0dd0b.rar: Extracts to: Fax1423519vc18e7c3.js - Current Virus total detections 16/55*
Payload Security** - delivers /REjhb54 (VirusTotal ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.169.226.106
82.118.17.218
5.196.99.239


*** https://www.virustot...a2471/detection
??
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 23 August 2017 - 09:33 AM.

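The three tricks in post #2003 above (the 'PDF.z.exe' double extension inside a zip, a bare .js inside a RAR, and a 'logo.png' URL that is really a renamed .exe) can all be caught by looking at the attachment before anything is opened. The Python below is an added example written for this thread, not code from myonlinesecurity or any of the quoted blogs: it sniffs magic bytes instead of trusting the extension, flags double and padded extensions (the DHL '.ace' name later in the thread is the padded case) and opens zip containers to inspect their members. The filenames are taken from the posts; the byte contents are constructed stubs, and the signature table and extension lists are my own choices.

```python
import io
import re
import zipfile

# Well-known file signatures (leading bytes). Table constructed for this example.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
]

# What the bytes should sniff as if the claimed extension is honest.
EXPECTED_TYPE = {
    "png": "png", "pdf": "pdf", "zip": "zip", "rar": "rar", "7z": "7z", "ace": "ace",
    "doc": "ole2", "docm": "zip", "docx": "zip", "jar": "zip", "exe": "pe-executable",
}

# Extensions Windows will run on double-click (plus macro-enabled Office formats).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe", "wsf", "hta",
                  "bat", "cmd", "ps1", "jar", "docm", "xlsm", "lnk"}
# Harmless-looking document extensions used as the inner part of a double extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "txt", "jpg", "png"}


def sniff(data: bytes) -> str:
    """Return the content type implied by the magic bytes, ignoring the filename."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    if data[7:14] == b"**ACE**":  # ACE archives carry their signature at offset 7
        return "ace"
    return "unknown"


def name_flags(name: str) -> list[str]:
    """Heuristics that need nothing but the filename."""
    flags = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        flags.append(f"executable extension .{ext}")
        if len(parts) > 2 and any(p in DECOY_EXT for p in parts[1:-1]):
            flags.append("double extension")
    # Runs of dots, ellipsis characters or spaces push the real extension out of view.
    if "\u2026" in name or re.search(r"\.{4,}|\s{4,}", name):
        flags.append("padded name hides extension")
    return flags


def content_flags(name: str, data: bytes) -> list[str]:
    """Compare what the name claims with what the bytes actually are."""
    flags = []
    kind = sniff(data)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    expected = EXPECTED_TYPE.get(ext)
    if expected and kind != expected:
        flags.append(f"claims .{ext} but content is {kind}")
    elif expected is None and kind == "pe-executable":
        flags.append("executable content behind an unusual extension")
    return flags


def triage(name: str, data: bytes, depth: int = 0) -> list[str]:
    """All flags for one attachment; zip containers are opened up to two levels deep."""
    flags = name_flags(name) + content_flags(name, data)
    if sniff(data) == "zip" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.filename.lower().endswith("vbaproject.bin"):
                        flags.append("contains a VBA macro project")
                    for f in triage(member.filename, zf.read(member), depth + 1):
                        flags.append(f"{member.filename}: {f}")
        except zipfile.BadZipFile:
            flags.append("corrupt zip container")
    return flags


def build_samples() -> dict[str, bytes]:
    """Constructed inputs named after the attachments in the reports; bytes are stubs."""
    fake_exe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"  # PE-looking stub, not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SCAN_PO#20170823.PDF.z.exe", fake_exe)
    return {
        "SCAN_PO#20170823.PDF.z": buf.getvalue(),   # archive with a double-extension exe
        "logo.png": fake_exe,                       # "image" that is a renamed executable
        "Fax1423519vc18e7c3.js": b"var a = 1;",     # bare script attachment
        "DHL GLOBAL Consignment form\u2026\u2026\u2026..ace": b"\x00" * 7 + b"**ACE**",
        "Invoice.pdf": b"%PDF-1.4\n",               # honest control case
    }


def run_triage() -> dict[str, list[str]]:
    return {name: triage(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, flags in run_triage().items():
        print(f"{name!r}: {flags or 'clean'}")
```

The point of checking bytes and name separately is that each catches what the other misses: the zip member is a genuine executable with an honest final extension (only the name gives it away), while 'logo.png' has a perfectly ordinary name (only the MZ header gives it away).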


#2004 AplusWebMaster


Posted 24 August 2017 - 05:50 AM

FYI...

Fake 'Invoice' SPAM - leads to Locky
- http://blog.dynamoo....ce-copy-of.html
23 Aug 2017 - "This fairly generic spam leads to Locky ransomware:
    Subject:       Copy of Invoice 3206
    From:       "Customer Service"
    Date:       Wed, August 23, 2017 9:12 pm
    Please download file containing your order information.
    If you have any further questions regarding your invoice, please call Customer Service.
    Please do not reply directly to this automatically generated e-mail message.
    Thank you.
    Customer Service Department


A -link-in-the-email- downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis* has seen it all before. The download EXE (VT 21/64**) script POSTS to 5.196.99.239 /imageload.cgi (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler*** last year, so I would recommend blocking all traffic to 5.196.99.0/24."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
212.89.16.143
46.183.165.45
62.109.16.214
5.196.99.239
216.58.204.132
216.58.204.142


** https://www.virustot...d6cd1/analysis/

*** https://pastebin.com/D5pXvR1W
 

:ph34r: :ph34r:    <_<




#2005 AplusWebMaster


Posted 24 August 2017 - 12:18 PM

FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
24 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from Bank of America but actually coming from a look-a-like domain Bank of America <message@ bofamsg .com> or Bank of America <message@ bofa-msg .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ssage_email.png

SecureMessage.doc - Current Virus total detections 7/58*. Payload Security**. This malware file downloads from
 http ://esp .jp/serca.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aoitas.exe (VirusTotal ***). An alternative download location is
 http ://enyahoikuen .com/serca.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...41ffa/analysis/
SecureMessage.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
121.50.42.51
78.47.139.102
195.133.197.70
79.124.78.81


*** https://www.virustot...74c77/analysis/
serca.png

esp .jp: 121.50.42.51: https://www.virustot...51/information/
> https://www.virustot...73f3a/analysis/

enyahoikuen .com: 202.231.207.151: https://www.virustot...51/information/
> https://www.virustot...e4cd1/analysis/
___

Fake 'BT bill' SPAM - delivers Locky
- https://myonlinesecu...y-fake-bt-bill/
24 Aug 2017 - "... Locky downloader... an email with the subject of 'New BT Bill' pretending to come from BT Business <btbusiness@ bttconnect .com> with a-link-in-the-body- of the email to download a zip file...

Screenshot: https://myonlinesecu...cky_BT-bill.png

bill-201708.zip: Extracts to: bill-201708.exe - Current Virus total detections 19/65*. Payload Security**.
Currently all the copies I am seeing (hundreds of them) have -2- download links in the email body:
 http ://kabbionionsesions .net/af/bill-201708.rar -and- http ://metoristrontgui .info/af/bill-201708.zip
-both- domains have been spreading Locky all day. The downloads are extremely slow but I eventually got the zip version. Also several emails with
 http ://kabbionionsesions .net/af/download.php (currently 404) and
 http ://kabbionionsesions .net/af/bill-201708.7z (also 404)...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1503597867/
bill-201708.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.179.190.31
216.58.206.228
216.58.206.238


kabbionionsesions .net: 47.89.246.2: https://www.virustot....2/information/
> https://www.virustot...c68bd/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 24 August 2017 - 01:09 PM.




#2006 AplusWebMaster


Posted 25 August 2017 - 05:35 AM

FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
25 Aug 2017 - "An email with the subject of 'You have a new secure Message' pretending to come from Lloyds Bank  but actually coming from a look-a-like domain Lloyds Bank <message@ lloydsbankmsg .com> or Lloyds Bank <message@ lloydsbank-msg .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are lloydsbankmsg .com 46.21.147.242 and lloydsbank-msg .com 109.235.52.44 ...

Screenshot: https://myonlinesecu...ssage-email.png

The word doc looks like:
> https://myonlinesecu...Message_doc.png

EncryptedMessage.doc - Current Virus total detections 6/58*. Payload Security**. This malware file downloads from
 http ://fabianpfau .de/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to lnmflgf.exe (VirusTotal 13/65***). An alternative download location is
 http ://evakrause .nl/logo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503657342/
EncryptedMessage.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
176.28.13.220
216.239.32.21
131.153.40.196


*** https://www.virustot...sis/1503658322/
lnmflgf.exe

fabianpfau .de: 176.28.13.220: https://www.virustot...20/information/
> https://www.virustot...694d1/analysis/

evakrause .nl: 94.126.70.16: https://www.virustot...16/information/
> https://www.virustot...34f8c/analysis/
___

Fake 'Sage invoice' SPAM - leads to Locky
- http://blog.dynamoo....bscription.html
25 Aug 2017 - "This -fake- Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much[1] by the bad guys is a bit of a mystery.
[1] http://blog.dynamoo.com/search?q=sage

Screenshot: https://1.bp.blogspo.../s1600/sage.png

The link-in-the-email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.
helpmatheogrow .com/SINV0709.rar
hendrikvankerkhove .be/SINV0709.rar
heinverwer .nl/SINV0709.rar
help .ads .gov.ba/SINV0709.rar
harvia .uz/SINV0709.rar
The RAR file itself contains a malicious VBS script... with a detection rate of 19/56*, which attempts to download another component from:
go-coo .jp/HygHGF
hausgerhard .com/HygHGF
hausgadum .de/HygHGF
bromesterionod .net/af/HygHGF
hartwig-mau .de/HygHGF
hecam .de/HygHGF
haboosh-law .com/HygHGF
hbwconsultants .nl/HygHGF
hansstock .de/HygHGF
heimatverein-menne .de/HygHGF
Automated analysis of the file [1] [2] shows a dropped binary with a 39/64** detection rate, POSTing to 46.183.165.45 /imageload.cgi (Reg.Ru, Russia)
Recommended blocklist:
46.183.165.45 "
* https://virustotal.c...a9b2c/analysis/
bill-201708.exe

1] https://malwr.com/an...TQyMTEzNDU0MWY/
SINV0709.vbs
Hosts
203.183.65.225
46.183.165.45


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
203.183.65.225
46.183.165.45


** https://www.virustot...cc86e/analysis/
bill-201708.exe

... Fake 'Sage invoice' variant - delivers Locky
> https://myonlinesecu...cky-ransomware/
24 Aug 2017

Screenshot: https://myonlinesecu...ce-is-ready.png

> https://www.virustot...sis/1503606828/
SINV0709.vbs
15/57

SINV0711.docm - Current Virus total detections *. Payload Security**...

* https://www.virustot...sis/1503602547/
SINV0711.docm
9/59

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.169.35.187
185.179.190.31


help.ads .gov.ba: 80.65.162.70: https://www.virustot...70/information/
> https://www.virustot...48ebb/analysis/

hausverwaltungfrankfurt .de: 83.169.35.187: https://www.virustot...87/information/
> https://www.virustot...4699b/analysis/
___

Fake 'Voicemail' SPAM -  leads to Locky
- http://blog.dynamoo....ervice-new.html
25 Aug 2017 - "The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.
Subject: New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From:       "Voicemail Service" [vmservice@ victimdomain .tdl]
Date:       Fri, August 25, 2017 12:36 pm
Dear user:
just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance.  Thanks!
                                --Voicemail Service


Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too... The VBS script is similar to this* (variable names seem to change mostly) with a detection rate of about 15/59**. Hybrid Analysis*** shows it dropping a Locky executable with a 18/65[4] detection rate which phones home to 46.17.44.153 /imageload.cgi (Baxnet, Russia) which I recommend that you block."
* https://pastebin.com/UK2MYHct

** https://virustotal.c...70b55/analysis/
20170825_ID904754594.vbs

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.58.208.206
92.51.164.62
185.179.190.31
46.17.44.153
216.58.213.132
216.58.206.238
95.141.44.61


4] https://www.virustot...5c251/analysis/
UYGgfhRDSaa
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 25 August 2017 - 09:19 AM.

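Both dynamoo write-ups quoted in this thread (the 'Copy of Invoice' run in #2004 and the 'Voicemail' run in this post) end with the same advice: block the address the dropped Locky binary POSTs to on /imageload.cgi. The Python below is an added example, not from either blog, that turns that advice into a check over proxy logs using the standard ipaddress module. The blocklist entries are the ones quoted in the posts (5.196.99.0/24, 46.183.165.45 and 46.17.44.153); the log layout and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Addresses/ranges the two posts recommend blocking: 5.196.99.0/24 for the 'Copy of Invoice'
# run, 46.183.165.45 for the Sage run, 46.17.44.153 for the Voicemail run.
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("5.196.99.0/24", "46.183.165.45/32", "46.17.44.153/32")]

# Constructed proxy-log layout for this example: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line: str):
    """One log line -> dict with the URL split into host and path, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    return rec


def as_ip(host: str):
    """Return an ip_address if the host is a bare IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def blocklisted(host: str) -> bool:
    ip = as_ip(host)
    return ip is not None and any(ip in net for net in BLOCKLIST)


def looks_like_checkin(rec: dict) -> bool:
    """The Locky droppers in these posts POST to /imageload.cgi on a bare IP, not a hostname."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/imageload.cgi")
            and as_ip(rec["host"]) is not None)


def analyse(lines) -> list[dict]:
    """Return one alert per matching log line, listing every reason that fired."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if blocklisted(rec["host"]):
            reasons.append(f"destination {rec['host']} is on the blocklist")
        if looks_like_checkin(rec):
            reasons.append("POST to /imageload.cgi on a bare IP (Locky check-in pattern)")
        if reasons:
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "host": rec["host"], "reasons": reasons})
    return alerts


# Constructed sample traffic: one client reaching the quoted C2 address, one reaching a
# different host inside 5.196.99.0/24, and one POSTing the same path to an unrelated IP
# (203.0.113.9 is documentation address space).
SAMPLE_LOG = """\
2017-08-25T14:40:02Z 10.1.2.33 GET http://www.example.org/index.html 200
2017-08-25T14:40:09Z 10.1.2.33 POST http://46.183.165.45/imageload.cgi 200
2017-08-25T14:41:15Z 10.1.2.57 GET http://5.196.99.12/somepage 404
2017-08-25T14:41:40Z 10.1.2.57 POST http://203.0.113.9/imageload.cgi 200
2017-08-25T14:42:01Z 10.1.2.80 GET https://updates.example.org/check 304
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["client"], "->", a["host"], "|", "; ".join(a["reasons"]))
```

The path-based rule is there because the posts show the same /imageload.cgi check-in on three different addresses within a few days; a blocklist alone goes stale as soon as the next run moves hosting, while the behavioural rule keeps firing and tells you which client needs looking at.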


#2007 AplusWebMaster


Posted 26 August 2017 - 05:19 AM

FYI...

Fake 'DHL' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
26 Aug 2017 - "... an email with the subject of 'DHL GLOBAL FREIGHT CONSIGNMENT FORM' coming from DHL GLOBAL WORLD WIDE AGENT <deddi@ karebet-group .com> with an .ace attachment delivers malware... returns are coming back from several antivirus companies describing this as .Win32.SpyEyes[1]...
1] https://www.microsof...an:Win32/Spyeye

Screenshot: https://myonlinesecu...GNMENT-FORM.png

DHL GLOBAL Consignment form……………………………..ace: Extracts to: Purchase order.exe
Current Virus total detections 17/65*. Payload Security**. This drops a modified version of itself as win32.exe (VirusTotal 17/64***); it also contacts
 http :// 98.142.221.58/~comsgautopart/.regedit/mail/home/gate.php ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503723385/
Purchase order.exe

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1503723627/
win32.exe

98.142.221.58: https://www.virustot...58/information/
___

Fake 'Purchase Contract' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
26 Aug 2017

Screenshot: https://myonlinesecu...f-PO30-PO31.png

Doc Purchase Contract of PO30PO31.jar (547kb) - Current Virus total detections *. Payload Security**...

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503773842/
Doc Purchase Contract of PO30PO31.jar

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.178.43.16
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 27 August 2017 - 06:58 AM.



#2008 AplusWebMaster


Posted 28 August 2017 - 12:50 PM

FYI...

Defray - New Ransomware targets Education and Healthcare
> https://www.helpnets...ware-delivered/
Aug 28, 2017

>> https://www.darkread.../d/d-id/1329725
8/25/2017

> https://www.proofpoi...hcare-verticals
Aug 24, 2017 - "... distribution of Defray has several notable characteristics:
    Defray is currently being spread via Microsoft Word document attachments in email
    The campaigns are as small as several messages each
    The lures are custom crafted to appeal to the intended set of potential victims
    The recipients are individuals or distribution lists, e.g., group@ and websupport@
    Geographic targeting is in the UK and US
    Vertical targeting varies by campaign and is narrow and selective

On August 22, Proofpoint researchers detected an email campaign targeted primarily at Healthcare and Education involving messages with a Microsoft Word document containing an embedded executable... Defray may cause other general havoc on the system by -disabling- startup recovery and -deleting- volume shadow copies. On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers. We have not observed the same behavior on Windows XP..."
Indicators of Compromise (IOCs) [ ... more listed at the proofpoint URL above. ]
C&C IP
145.14.145.115: https://www.virustot...15/information/
___

Potential Hurricane Harvey Phishing Scams
- https://www.us-cert....-Phishing-Scams
Aug 28, 2017 - "US-CERT warns users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters..."
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 28 August 2017 - 02:38 PM.



#2009 AplusWebMaster


Posted 29 August 2017 - 04:30 AM

FYI...

Fake 'BT bill' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
29 Aug 2017 - "... Locky downloader... email has the subject of 'Overdue BT bill' pretending to come from random names at your-own-email-address...

Screenshot: https://myonlinesecu...due-BT-bill.png

Scan_201708293861.zip: Extracts to: scan_201708292366.zip which eventually extracts to scan_201708292366.vbs - Current Virus total detections 11/59*. Payload Security**... first attachment I chose leads to a site giving a 404 so the results are very good. Another attachment gives better results
(VirusTotal 0/58***) where another researcher has filled in all the blanks in the comments[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503998928/
scan_201708292366.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.2.195.144

*** https://www.virustot...sis/1503999225/

4] https://twitter.com/...465569965973504

> https://www.virustot...sis/1503999480/
9/65
___

Fake 'scan' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
29 Aug 2017 - "... Locky downloader... an email with the subject of 'You have received a scan from AT Management' pretending to come from Scan @ AT Management <scan_754@ atmanagement .co.uk> [random numbers after the scan_]. All these are being addressed to Accounts: <name@ victimdomain .tld>...

Screenshot: https://myonlinesecu...-Management.png

... same sites, file names and payload as today’s earlier ^malspam run^ delivering Locky ransomware:
> https://myonlinesecu...cky-ransomware/

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Amazon phish...
- https://myonlinesecu...ishing-attempt/
29 Aug 2017 - "We see a lot of Amazon phishing attempts. This one is quite different to the usual ones we see. Although there are a lot of Amazon sellers, the chances of a mass malspam like this one actually  being received by a seller is quite small compared with the more usual 'payment review' or 'your account was signed into from an unknown computer' or similar scams.
'You sold an item' pretending to come from Amazon <selleramazon@ reply.amazon .com> is one of the latest phish attempts to steal your Amazon Account and your Bank details. This one only wants your Amazon log in details and bank details. Many of them are also designed to specifically steal your email and other log in details as well...

Screenshot: https://myonlinesecu...old_an_item.png

The link-in-the-email goes to:
 https ://www.google .co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0ahUKEwiO9aOs-vvVAhXBZFAKHY3XCYgQFghJMAc&url=http%3A%2F%2Fwww.almatulum.com%2Fcontact-2%2F&usg=AFQjCNFdrv7025EsAfzW8QKj40lSrovIbA
which redirects to:
https ://directele .net/user_guide/documentation/amazon.co.uk/Amazon-Sign-In.htm?adenlankenadransakbnizwetmilrtuniietnnudbenwdiaateaaleeaallilaadmusmdzmnlelubbaalamzsnaittsndakaweiuidaawnamdlerendeuedimnailtrdtaknzeaanmleni4493782410

If you follow the link you see a webpage looking like:
> https://myonlinesecu...rectele_net.png

When you fill in your user name and password you get a page looking like this, asking for your bank sort code and bank-account-number. I am not quite sure what they can do with this on its own without passwords or bank login details. However knowing that quite a high proportion of users do re-use login details and passwords on multiple sites, it is not beyond the realms of possibility that your Amazon account, email log in and bank log in all -share- a password:
> https://myonlinesecu...ctele_net_1.png

You then get -redirected- to the genuine Amazon suite for your country..."

directele .net: 166.62.73.164: https://www.virustot...64/information/
> https://www.virustot...b1909/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 29 August 2017 - 10:14 AM.

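The Amazon phish in this post hides its landing page behind a Google redirect, and the landing page itself carries 'amazon.co.uk' in its path rather than its host. The Python below is an added example, not part of the myonlinesecurity write-up, that unwraps a query-string redirect without touching the network and flags a brand name appearing in a URL whose host is not one of that brand's domains. The two URLs are the ones quoted in the post (with the forum's obfuscating spaces removed); the list of redirect parameter names and the amazon.com/amazon.co.uk allowlist are my assumptions. It only resolves redirects carried in the URL itself; the server-side hop from almatulum.com to directele.net that the post describes cannot be seen without fetching the page, which this code deliberately does not do.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters that redirect wrappers commonly use to carry the real destination
# (assumed list for this example).
REDIRECT_PARAMS = ("url", "u", "target", "redirect", "dest", "destination", "link")

# Brand keyword -> domains the brand legitimately uses (assumed allowlist; extend per brand).
KNOWN_GOOD = {
    "amazon": ("amazon.com", "amazon.co.uk"),
}


def embedded_target(url: str):
    """If url is a redirect wrapper (destination carried in the query string), return it."""
    qs = parse_qs(urlsplit(url).query)  # percent-decodes the value for us
    for p in REDIRECT_PARAMS:
        for value in qs.get(p, []):
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.netloc:
                return value
    return None


def unwrap(url: str, max_hops: int = 5) -> list[str]:
    """Follow query-string redirects offline; returns the chain starting with the input."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = embedded_target(chain[-1])
        if nxt is None or nxt in chain:  # nothing embedded, or a loop
            break
        chain.append(nxt)
    return chain


def under_known_good(host: str, brand: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD[brand])


def brand_flags(url: str) -> list[str]:
    """Flag a brand named anywhere in the URL while the host is not that brand's domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    haystack = (parts.path + "?" + parts.query).lower()
    flags = []
    for brand in KNOWN_GOOD:
        if (brand in host or brand in haystack) and not under_known_good(host, brand):
            flags.append(f"'{brand}' in URL but host {host} is not a {brand} domain")
    return flags


def assess(url: str) -> dict:
    """Unwrap, then judge the final destination."""
    chain = unwrap(url)
    final = chain[-1]
    flags = brand_flags(final)
    if len(chain) > 1:
        flags.insert(0, f"redirect wrapper on {urlsplit(chain[0]).hostname}")
    return {"chain": chain, "host": urlsplit(final).hostname, "flags": flags}


# The two URLs quoted in the post.
GOOGLE_URL = ("https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8"
              "&ved=0ahUKEwiO9aOs-vvVAhXBZFAKHY3XCYgQFghJMAc"
              "&url=http%3A%2F%2Fwww.almatulum.com%2Fcontact-2%2F&usg=AFQjCNFdrv7025EsAfzW8QKj40lSrovIbA")
LANDING_URL = ("https://directele.net/user_guide/documentation/amazon.co.uk/Amazon-Sign-In.htm"
               "?adenlankenadransakbnizwetmilrtuniietnnudbenwdiaateaaleeaallilaadmusmdzmnlelubbaala"
               "mzsnaittsndakaweiuidaawnamdlerendeuedimnailtrdtaknzeaanmleni4493782410")

if __name__ == "__main__":
    for u in (GOOGLE_URL, LANDING_URL):
        r = assess(u)
        print(" -> ".join(r["chain"]))
        print("  host:", r["host"], "flags:", r["flags"] or "none")
```

The allowlist comparison is done on the host's suffix rather than by searching for the brand string in the host, so that 'amazon.co.uk.example.net' is flagged while 'www.amazon.co.uk' is not; the empty 'q=' in the Google link is skipped because a redirect value has to parse as an absolute http(s) URL.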


#2010 AplusWebMaster


Posted 30 August 2017 - 04:52 AM

FYI...

Fake 'Emailing Payment' SPAM - delivers Locky
- https://myonlinesecu...201708-malspam/
30 Aug 2017 - "... Locky downloader... an email with the subject of 'Emailing: Payment_201708-838 [the “Emailing: Payment_201708-” stays consistent but the final 3 to 5 digits are random] pretending to come from random names at your-own-email-address or company-domain-addresses to another random name at your-own-domain...

Screenshot: https://myonlinesecu..._201708-838.png

Payment_201708-838.7z: Extracts to: Payment_201708-2866.jse - Current Virus total detections 14/59*.
Payload Security**. Locky payload: (VirusTotal 31/65***).
Another researcher has posted already about this one with several links to download sites and C2 IP numbers:
> https://hazmalware.w...cky-ransomware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1504067419/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.90.36.32
46.183.165.45
74.125.206.106
8.250.3.254
74.125.206.106


*** https://www.virustot...e7886/analysis/
CuuDxa1.exe

146.120.110.46: https://www.virustot...46/information/
> https://www.virustot...d3b58/analysis/

46.183.165.45: https://www.virustot...45/information/
> https://www.virustot...05f58/analysis/
___

Fake 'E-invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
30 Aug 2017 - "... Locky downloader... an email with the subject of 'E-invoice for your order #6377810026' [random numbers] pretending to come from do_not_reply@ random Apple email addresses.... the addresses I have seen include:
    do_not_reply@ eu.apple .com
    do_not_reply@ asia .apple.com
    do_not_reply@us .apple .com ...

Screenshot: https://myonlinesecu...-6377810026.png

9891613510.7z: Extracts to: 9891611187.vbs - Current Virus total detections 10/59*. Payload Security**.
Locky Binary (VirusTotal 17/65***). These droppers have gone back to the old way of downloading Locky from the remote server, by downloading an encrypted text file that needs to be decoded by the script... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1504086697/
9891611187.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
66.36.173.159
146.120.110.46


*** https://www.virustot...sis/1504087141/
hJBoTJ.exe
___

Fake 'Secure email message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
30 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from NatWest bank but  actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 501 and 599 - .ml domains are -free- domains administered by freenom .com... I am seeing domains ranging from servicemessage501 .ml to servicemessage599 .ml all being hosted on -different- IP numbers & ranges all appearing to be -compromised- ISP IP numbers from major ISPs in UK, Europe & USA...

Screenshot: https://myonlinesecu...emessage_ml.png

The word doc looks like:
> https://myonlinesecu...087_352_doc.png

natwest1753465723087_352.doc - Current Virus total detections 6/58*. Payload Security**.
This malware file downloads from
 http ://campuslinne .com/pages/kasaragarban.png which of course is -not- an image file but a renamed .exe file that gets renamed to Buqtjkk.exe (VirusTotal 12/64***). An alternative download location is
 http ://campusassas .com/fonction/kasaragarban.png
This email attachment contains a genuine word doc with a macro script that when run will infect you...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...18d51/analysis/
natwest1753465723087_352.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
193.227.248.241
158.69.26.138
178.156.202.206


*** https://www.virustot...102c5/analysis/
kasaragarban.png

campuslinne .com: 193.227.248.241: https://www.virustot...41/information/
> https://www.virustot...2740d/analysis/

campusassas .com: 193.227.248.241
> https://www.virustot...ee05c/analysis/
___

Fake 'BT OneBill' SPAM - leads to Dridex
- https://myonlinesecu...banking-trojan/
30 Aug 2017 - "An email with the subject of 'Your latest BT OneBill is available now' pretending to come from BT but actually coming from a different domain ebilling4business@ btdnet .com that can just about be mistaken for a genuine BT email address is today’s latest spoof of a well-known company, bank or public authority delivering Dridex banking Trojan... Today’s example of the spoofed domains are, as usual, registered via eranet .com as registrar. This was registered on 29 August 2017 by the criminals:
    btdnet .com hosted on 54.36.30.168 OVH
This particular email was sent from IP 54.36.30.230 but a quick look up of the domain details show that these criminals have also set a-whole-range of IP addresses to be able to send these emails and pass authentication checks:
91.121.174.196
54.36.30.0/24
94.23.212.72
54.36.30.0/24
188.165.227.13
54.36.30.0/24
94.23.208.20
54.36.30.0/24
176.31.240.50
54.36.30.0/24
37.59.50.201
...

Screenshot: https://myonlinesecu...ailable-now.png

The -link-in-the-email goes to a compromised or fraudulently set up SharePoint AKA onedrive for business address:
 https ://mccabelawyers-my.sharepoint .com/personal/g_macneill_swslawyers_com_au/_layouts/15/guestaccess.aspx?docid=0cc833a8ff3b4411a986bfb04282f2ffb&authkey=AVpD74OXseK7zr4gaxr_UBE
which downloads the zip file containing the .js file that eventually delivers Dridex.

BT OneBill.zip extracts to: BT OneBill.js - Current Virus total detections 7/58*. Payload Security**.
This downloads Dridex banking Trojan but I am unable to determine the actual download site
(VirusTotal 17/64[3])... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504105031/
BT_OneBill.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
13.107.6.151
185.203.118.198
31.31.77.229
178.62.199.166
144.76.62.10


3] https://www.virustot...e587c/analysis/
SdVoAfj.exe
___

Fake 'Sage' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
30 Aug 2017 - "An email with the subject of 'Your Sage subscription invoice is Due' pretending to come from Sage but actually coming from a look-a-like domain SAGE UK <message@ sagemailsupport14 .top> with a malicious word doc attachment is another one of today’s spoofs of a well-known company, bank or public authority... I am being told is it a smokeloader[1] which downloads a variety of -other- malware...
1] https://twitter.com/...979668239761408
... Today’s example of the spoofed domains are:
    sagemailsupport14 .top hosted on 82.202.233.14 AS49505 OOO Network of data-centers Selectel
I have discovered a-whole-range of -fake- sagemailsupport## .top domains on this network. So far I can find sagemailsupport10 .top -to- sagemailsupport110-.top hosted on the corresponding IP address -range- between 82.202.233.10 and 82.202.233.110 all having an rdns set properly and pass email authentication...
[ 82.202.233.* ]

Screenshot: https://myonlinesecu...oice-is-Due.png

INV0293083017.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
 http ://5.149.252.152 /r37.exe (VirusTotal 16/64[3]) (Payload Security[4]). An alternative download location is
 http ://200.7.98.51 /r37.exe
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...3083017_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1504103297/
INV0293083017.doc

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1504116823/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
2.20.202.119
217.23.8.41


5.149.252.152: https://www.virustot...52/information/
> https://www.virustot...ff56e/analysis/

200.7.98.51: https://www.virustot...51/information/
> https://www.virustot...12409/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 30 August 2017 - 02:46 PM.

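Two of the runs in this post use numbered lookalike domains: servicemessage501 .ml through servicemessage599 .ml for the NatWest Trickbot mails, and sagemailsupport10 .top through sagemailsupport110 .top sitting on 82.202.233.10 through 82.202.233.110 for the Sage mails. The Python below is an added example, not from the myonlinesecurity posts, that expands such patterns into a concrete blocklist and checks a From: domain against them. That the number in each Sage domain maps one-to-one onto the last octet of its address is my reading of "the corresponding IP address range" in the post and is an assumption; the sample From: addresses are constructed in the style of the ones quoted.

```python
import ipaddress
import re

# Lookalike "families" from the posts: prefix, TLD, numeric suffix range and, for the Sage
# run, the first address of the parallel IP range (assumed to map number -> last octet).
FAMILIES = {
    "servicemessage": {"tld": "ml", "lo": 501, "hi": 599, "first_ip": None},
    "sagemailsupport": {"tld": "top", "lo": 10, "hi": 110, "first_ip": "82.202.233.10"},
}


def expand(family: str) -> dict:
    """Concrete domains (and IPs, when the family has a parallel address range)."""
    f = FAMILIES[family]
    numbers = range(f["lo"], f["hi"] + 1)
    domains = [f"{family}{n}.{f['tld']}" for n in numbers]
    ips = []
    if f["first_ip"]:
        base = ipaddress.ip_address(f["first_ip"])
        ips = [str(base + (n - f["lo"])) for n in numbers]  # address arithmetic, not string edits
    return {"domains": domains, "ips": ips}


def family_for(domain: str):
    """Return the family name if the domain fits one of the patterns and range, else None."""
    domain = domain.lower().strip(".")
    for name, f in FAMILIES.items():
        m = re.fullmatch(rf"{re.escape(name)}(\d+)\.{re.escape(f['tld'])}", domain)
        if m and f["lo"] <= int(m.group(1)) <= f["hi"]:
            return name
    return None


def sender_family(from_addr: str):
    """Check the domain part of a From: header value; returns the family or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_addr)
    return family_for(m.group(1)) if m else None


def build_blocklist() -> dict:
    """Union of all families, in a shape suitable for a DNS sinkhole or firewall feed."""
    domains, ips = set(), set()
    for name in FAMILIES:
        e = expand(name)
        domains.update(e["domains"])
        ips.update(e["ips"])
    return {"domains": sorted(domains), "ips": sorted(ips, key=ipaddress.ip_address)}


if __name__ == "__main__":
    bl = build_blocklist()
    print(len(bl["domains"]), "domains,", len(bl["ips"]), "addresses")
    # Constructed From: values in the style quoted in the post; the last one is out of range.
    for addr in ("noreply@servicemessage523.ml",
                 "SAGE UK <message@sagemailsupport14.top>",
                 "noreply@servicemessage600.ml"):
        print(addr, "->", sender_family(addr))
```

The post's observation that these domains "pass email authentication" is why the check is on the domain pattern rather than on SPF/DKIM results: the criminals registered the domains and published the records themselves, so authentication passes by design and tells you nothing about whether the sender is the bank.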
