2072 replies to this topic

[AplusWebMaster]

FYI...

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecu...-bank-messages/
31 Aug 2017 - "... imitating NatWest Bank and using the same look-a-like domain as yesterday’s version[1]... using a slightly different email message. They have even re-used the same domains to deliver the actual payload, but with different file names.
[1] https://myonlinesecu...banking-trojan/
An email with the subject of 'Customer message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 1 and 599...

Screenshot: https://myonlinesecu...mer-message.png

natwest112543798124_21454.doc - Current Virus total detections 5/58*. Payload Security**.
This malware file downloads from
 http ://campuslinne .com/maquette2/nataresonodor.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ubqwyc.exe (VirusTotal 15/65***). An alternative download location is
 http ://campusassas .com/imagesv1/nataresonodor.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks identical to yesterday’s but with a different document name:
> https://myonlinesecu...087_352_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1504181231/
natwest112543798124_21454.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
193.227.248.241
216.239.32.21
67.21.84.23
216.58.209.228
216.58.209.238
66.85.27.170

*** https://www.virustot...b6ddd/analysis/
Ubqwyc.exe

campuslinne .com: 193.227.248.241: https://www.virustot...41/information/
> https://www.virustot...7bf64/analysis/

campusassas .com: 193.227.248.241
> https://www.virustot...0dd87/analysis/
___

Fake 'Important Documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
31 Aug 2017 - "An email with the subject of 'Important – New Account Documents' pretending to come from Santander Bank  but actually coming from a look-a-like domain Santander <account.documents@ santanderdoc .co.uk> or Santander <account.documents@ santandersec .co.uk> with a malicious word doc attachment is another spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...t-Documents.png

Account_Documents_31082017.doc - Current Virus total detections 10/58*. Payload Security**.
This malware file downloads from
 http ://evaluator-expert .ro/sergio.png which of course is -not- an image file but a renamed .exe file that gets renamed to bicprcv.exe (VirusTotal 17/64***).
An alternative download location is
 http ://www.events4u .cz/sergio.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...1082017_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...3a505/analysis/
Account_Documents_31082017.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
93.114.64.118
146.255.36.1
194.87.238.42
66.85.27.170
216.58.209.228
216.58.209.238

*** https://www.virustot...65987/analysis/
bicprcv.exe

evaluator-expert .ro: 93.114.64.118: https://www.virustot...18/information/
> https://www.virustot...099bb/analysis/

events4u .cz: 93.185.102.11: https://www.virustot...11/information/
> https://www.virustot...6d3f8/analysis/
 

 

Edited by AplusWebMaster, 31 August 2017 - 02:59 PM.

[AplusWebMaster]

FYI...

Fake 'Dropbox' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
31 Aug 2017 10:03 pm - "We are seeing a run of a very different Locky delivery email tonight. This only seems to work properly in Google Chrome, Firefox gives a simple download file box and  Internet Explorer gives error messages on clicking the  “click here” link. This means that Internet Explorer users will be safe from this attack, but Google Chrome and Firefox users could be infected if they aren’t careful. The email pretends to be from -Dropbox- asking you to 'verify your email address to continue' the sign up...

Screenshot: https://myonlinesecu...ail-address.png

Win.JSFontlib09.js - Current Virus total detections 22/58*. Payload Security** |
Locky Binary (VirusTotal 17/65***)
There appear to be -hundreds- of different links-in-these-emails that go to -compromised- sites pretending to be Dropbox. They all however have the -same- few links to actually download the .js malware file...
The link in this particular example went to
 http ://jakuboweb .com/dropbox.html but each email I received (so far 300+) has a multitude of different links.
Following the link in the email leads to a page looking like this, which is -different- in each commonly used browser. Lets start with Internet Explorer which gives an error on pressing “click here”:
> https://myonlinesecu..._dropbox_IE.png
... Firefox which gives a file download prompt:
> https://myonlinesecu..._dropbox_FF.png
... Google Chrome which displays the lure... telling you that The “HoeflerText” font was not found. The web page you are trying to load is displayed incorrectly, as it uses the “HoeflerText” font. To fix the error and display the next, you have to update the “Chrome Font Pack”:
> https://myonlinesecu...pbox_chrome.png
The link from chrome went to
 http ://gclubrace .info/json.php whereas the links from the other 2 versions went to
 http ://dippydado .net/json.php all of which downloaded the -same- Win.JSFontlib09.js ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...c4a37/analysis/
Win.JSFontlib09.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
202.169.44.143
46.183.165.45
216.58.209.228
216.58.209.238

*** https://www.virustot...sis/1504207421/
pGDIWEKDHD2.exe

jakuboweb .com: 149.7.99.14: https://www.virustot...14/information/
> https://www.virustot...ebb0a/analysis/

gclubrace .info: Could not find an IP address for this domain name...

dippydado .net: Could not find an IP address for this domain name...
___

RIG exploit kit > 'Princess' ransomware
- https://blog.malware...ess-ransomware/
Aug 31, 2017 - "We have identified a new drive-by-download campaign that distributes the Princess-ransomware (AKA PrincessLocker), leveraging -compromised-websites-and the RIG-exploit-kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads... We are not so accustomed to witnessing compromised websites pushing exploit kits... some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from -legitimate- publishers and -malvertising- ... we observed an -iframe-injection- which redirected from the -hacked- site to a temporary gate...
Indicators of compromise:
RIG EK gate: 185.198.164.152
RIG EK IP address: 188.225.84.28 ..."
(More detail at the malwarebytes URL above.)
 

  

Edited by AplusWebMaster, 01 September 2017 - 09:58 AM.

[AplusWebMaster]

FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
4 Sep 2017 - "... Locky downloader... an email with the subject of 'Invoice INV-000379' from Property Lagoon Limited for Gleneagles Equestrian Centre (random numbers) pretending to come from a random name that matches the name in the email body but appearing to come from  messaging-service@ post.xero .com...

Screenshot: https://myonlinesecu...rian-Centre.png

Invoice INV-000379.7z: Extracts to: INV-000626.vbs - Current Virus total detections 13/59*. Payload Security**
Locky download (VirusTotal ***). These all have a 7z attachment and a link-in-email-body to download the zip. The invoice amounts are random as well.... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504521374/
INV-000626.vbs

** https://www.hybrid-a...vironmentId=100
DNS Requests
clubdeautores .es: 91.121.165.214

*** https://www.virustot...sis/1504516547/
BSmIimqLX.exe
___

Fake 'Invoice' SPAM - delivers Globeimposter ransomware
- https://myonlinesecu...ter-ransomware/
4 Sep 2017 - "... an email with the subject of '45653946 – True Telecom Invoice for August 2017' (random numbers)  pretending to come from billing@ true-telecom .com. This is coming via the Necurs botnet but instead of delivering Locky today, this 2nd malspam run is delivering Globeimposter ransomware... In the same way that today’s earlier malspam run that delivered Locky ransomware[1], these have a-link-in-the-body to download the zip and a zip (7z) attachment as well...
1] https://myonlinesecu...cky-ransomware/

Screenshot: https://myonlinesecu...August-2017.png

2017-08-45653946-Bill.7z: 2017-08-41840179-Bill.vbs - Current Virus total detections 8/57*. Payload Security**
Another version (VirusTotal 10/58***) | (Payload Security[4]) | downloaded & xor’d binary - VirusTotal 18/64[5] | Payload Security[6]...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504533698/
2017-08-41840179-Bill.vbs

** https://www.hybrid-a...vironmentId=100
DNS Requests
world-tour2000 .com: 103.53.172.3
naturofind .org: 85.192.177.103
www.world-tour2000 .com: 103.53.172.3
proyectogambia .com: 87.106.65.247

*** https://www.virustot...64b3b/analysis/
2017-08-92918095-Bill.vbs

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
49.50.240.107

5] https://www.virustot...56f47/analysis/
zojzoefi.exe

6] https://www.hybrid-a...vironmentId=100
___

Fake 'Incoming Docs' SPAM - delivers Trickbot
- https://myonlinesecu...ivers-trickbot/
4 Sep 2017 - "An email with the subject of 'Important: Incoming BACs Documents' pretending to come from NatWest Bank but actually coming from a look-a-like domain Natwest <message@ natwestbacs .co.uk> or Natwest <message@ natwestbacs .com> with a password protected malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...fed-NatWest.png

SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** | JoeSandBox***
This malware file downloads from
 http ://6-express .ch/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to execute.exe (VirusTotal [4]). An alternative download location is
 http ://checkpointsystems .de/ser.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...t_bacs_docs.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1493724795/
SecureMessage.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86

*** https://jbxcloud.joe...s/355644/1/html

4] https://www.virustot...sis/1504524050/
ser.png

6-express .ch: 77.236.96.52: https://www.virustot...52/information/
> https://www.virustot...5429f/analysis/

checkpointsystems .de: 87.106.183.214: https://www.virustot...14/information/
___

Locky ransomware campaign
- https://www.helpnets...rns-new-tricks/
Sep 1, 2017 - "... the newest variant adds the .lukitus extension to the encrypted files:
> https://www.helpnets...ky-appriver.jpg
... AppRiver researchers explained*. The malware arrives in inboxes attached to emails with vague subject lines like “please print”, “documents”, “scans”, “images”, and so on, And, unfortunately for those who get infected, there are no publicly shared methods to reverse this Locky strain. The crooks behind this malware campaign are asking 0.5 Bitcoin to deliver the decryption key..."

* https://blog.apprive...tacks-increase/
Aug 30, 2017 - "... In the past 24 hours we have seen over 23-million-messages sent in this attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017... a massive malicious email campaign began attempting to reach their inboxes. A large spike in malware traffic began this morning just after 7 am CST... The emails utilized one of the following subject lines:
    please print
    documents
    photo
    images
    scans
    pictures
Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file..."
> https://blog.apprive...eat-ransomware/
 

   

Edited by AplusWebMaster, 04 September 2017 - 09:45 AM.

[AplusWebMaster]

FYI...

Fake 'Scanning' SPAM - delivers Locky
- https://myonlinesecu...redgroup-co-uk/
5 Sep 2017 - "... Locky downloader... an email with the subject of 'Scanning' pretending to come from random names @ tayloredgroup .co.uk... These have a -link-in-the-body- of the email to download the malware as well as an email attachment. The link does -NOT- go to Dropbox but another compromised website, however the link is not correctly formed in this example so won’t open and gives warning in Outlook:
 http ://dna-sequencing .org/MSG000-00090.7z

Screenshot: https://myonlinesecu...lored_group.png

SCNMSG00002704.7z: Extracts to: Invoice INV-000518.vbs - Current Virus total detections 13/59*.
Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504602932/

** https://www.hybrid-a...vironmentId=100
DNS Requests
pamplonarecados .com: 5.2.88.79: https://www.virustot...79/information/

dna-sequencing .org: 66.36.160.119: https://www.virustot...19/information/
> https://www.virustot...e53fd/analysis/
MSG000-00090.7z

tayloredgroup .co.uk: 85.233.160.151: https://www.virustot...51/information/
> https://www.virustot...a074b/analysis/
__

> http://blog.dynamoo....ding-to-be.html
5 Sep 2017 - "This -spam- email pretends to be from tayloredgroup .co.uk but it is just a simple -forgery-
leading to Locky ransomware. There is -both- a malicious attachment and -link- in the body text. The name of the sender varies.
    Subject:       Scanning
    From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
    Date:       Thu, May 18, 2017 8:26 pm
    https ://dropbox .com/file/9A30AA
    Jeanette Randels DipFA
    Taylored Group
    26 City Business Centre
    Hyde Street
    Winchester
    SO23 7TA
    Members of the CAERUS Capital Group
    www .tayloredgroup .co.uk
    Office Number: 01962 826870
    Mobile: 07915 612277
    email: Jeanette.Randels@ tayloredgroup .co.uk
    Taylored Financial Planning is a trading style of Jonathan & Carole
    Taylor who are an appointed representative of Caerus Financial Limited...

Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.
Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6] shows -Locky-  ransomware attempting to phone home to the following locations:
91.234.35.170 /imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75 /imageload.cgi (McHost.ru / VDSINA, Russia)
McHost is such a well-known purveyor of toxic-carp*** that I recommend you block -all- of their ranges (plus I guess the related VDSINA ones), or even block-the-entire Webzilla AS35415**. You can find a list of the network ranges here**. Also thehost .ua also has a lot of carp***** and I would lean towards blocking-whole-network-ranges****.
Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24 "
1] https://www.virustot...sis/1504604787/
Invoice INV-000614.vbs

2] https://www.virustot...sis/1504604894/
MSG000-00090.vbs

3] https://malwr.com/an...zQxMDg3ZDY1OWU/
Hosts
193.227.248.241

4] https://malwr.com/an...mVmNWZkZmQyZjI/
Hosts
109.234.35.75
91.234.35.170

5] https://www.hybrid-a...vironmentId=100
DNS Requests
193.227.248.241

6] https://www.hybrid-a...vironmentId=100
DNS Requests
5.2.88.79

* http://blog.dynamoo....search?q=mchost

** https://bgp.he.net/AS35415#_prefixes

*** http://blog.dynamoo....?q=Valeriyovuch

**** https://bgp.he.net/AS56485#_prefixes
___

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
5 Sep 2017 - "... an email with the subject of 'OnePosting Invoice Ready to View' pretending to come from SPECTUR LIMITED <members@ onenewpost .com>. This eventually delivers Dridex banking Trojan... set up by criminals to spread malware and imitate oneposting .com. onenewpost .com was registered on 4th September 2017 by a Chinese entity and is currently hosted on OVH...

Screenshot: https://myonlinesecu...ady-to-View.png

The -link-in-the-body- of the email goes to a -compromised- or fraudulently set up OneDrive for business /SharePoint site...
 https ://royalpay-my.sharepoint .com/personal/jamie_costello_royalpay_com_au/_layouts/15/guestaccess.aspx?docid=0b0e5809caadd404ab8e21e3a7322f232&authkey=AfQzKtINqI58J1P-xlw10eg  
which downloads a zip containing a.js file...
N2398210.zip: Extracts to: IN2398210.js - Current Virus total detections 6/58*. Payload Security**
 downloaded Dridex (VirusTotal 32/64***) (I can’t easily determine the actual download location of the Dridex payload. It does come from -another- compromised or fraudulent SharePoint site)... it appears that onenewpost .com is a domain set up by criminals to spread malware... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it...
* https://www.virustot...sis/1504580504/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...e98c3/analysis/
MTXCLU.DLL

onenewpost .com: 188.165.209.31: https://www.virustot...31/information/

royalpay-my.sharepoint .com: 13.107.6.151: https://www.virustot...51/information/
 

 

Edited by AplusWebMaster, 05 September 2017 - 01:32 PM.

[AplusWebMaster]

FYI...

Fake 'eBay invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
6 Sep 2017 - "... Locky downloader... an email with the subject of 'Your invoice for eBay purchases (83998749832384616#)' [random numbers]  pretending to come from eBay <ebay@ ebay .us>. We are also seeing these pretending to come from all the other main English speaking eBay domains:
    ebay@ ebay .com.au
    ebay@ ebay .co.uk
    ebay@ ebay .com ...

Screenshot: https://myonlinesecu...49832384616.png

eBay_Invoice_3476.js - Current Virus total detections 7/59*. Payload Security** | Downloads:
  http ://homecarpetshopping .com/bxxomjv.exe (VirusTotal 13/61***)... The link-in-the-email body goes to one of numerous compromised sites. In this case it went to
  http ://littleulearning .com/invoive.html
where it downloads an eBay_Invoice_####.js file from
 http ://letoftheckhosa .info/invoicing.php  
All of the compromised sites in these emails will download or try to download from this address. That creates a randomly numbered eBay_Invoice_.js file. The first 5 or 6 attempts gave me a 0 byte empty file until a working one was delivered... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504698237/
eBay_Invoice_3476.js

** https://www.hybrid-a...vironmentId=100
DNS Requests
195.123.218.58
91.234.137.145
91.215.186.147
208.79.200.218
62.149.161.147

*** https://www.virustot...sis/1504698766/
bxxomjv[1].exe

homecarpetshopping .com: 208.79.200.218: https://www.virustot...18/information/
> https://www.virustot...cfb8b/analysis/

littleulearning .com: 66.36.166.87: https://www.virustot...87/information/
> https://www.virustot...5ad0d/analysis/

letoftheckhosa .info: 47.88.55.29: https://www.virustot...29/information/
> https://www.virustot...f742b/analysis/
___

Fake 'Virgin Media bill' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
6 Sep 2017 - "... an email with the subject of 'Your Virgin Media bill is ready' pretending to come from Virgin Media <webteam@ virginmediaconnections .com> which delivers Dridex banking trojan...

Screenshot: https://myonlinesecu...-media-Bill.png

Virgin Media bill.zip: Extracts to: Virgin Media bill.js - Current Virus total detections 2/59*
Payload Security** | Dridex Payload VirusTotal 14/65*** | Payload Security[4] ... the criminals sending these have registered a look-a-like domain virginmediaconnections .com on 5th September 2017 using eranet .com as registrar and hosted on OVH 176.31.244.44. They are sending these emails from a whole-range-of-IP-addresses that pass email authentication for the -fake- domain virginmediaconnections .com...
The link-in-the-email goes to a compromised or fraudulently set up OneDrive for business/ SharePoint site where  a zip file containing a .js file is downloaded. That eventually contacts  http ://cabinetcharpentier .fr/css/style.png (which is -not- a png but a renamed .exe file) to download the Dridex banking Trojan...
 https ://kobaltsystemsptyltd-my.sharepoint .com/personal/karen_kobaltsystems_com_au/_layouts/15/guestaccess.aspx?docid=1a0c9ac9effc046b6840207579a616453&authkey=AVRvpElPwHq48OG2zdkLMk8 ...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504695675/
Virgin Media bill.js

** https://www.hybrid-a...vironmentId=100
DNS Requests
91.216.107.90

*** https://www.virustot...sis/1504696253/
FFCa9j9ru.exe

4] https://www.hybrid-a...vironmentId=100

176.31.244.44: https://www.virustot...44/information/

cabinetcharpentier .fr: 91.216.107.90: https://www.virustot...90/information/
> https://www.virustot...6d071/analysis/

kobaltsystemsptyltd-my.sharepoint .com: 13.107.6.151: https://www.virustot...51/information/
 

   

Edited by AplusWebMaster, 06 September 2017 - 08:06 AM.

[AplusWebMaster]

FYI...

Fake 'FreeFax' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
7 Sep 2017 - "... Locky downloader... an email with the subject of 'FreeFax From:1707075536' (random numbers) pretending to come from fax@ freefaxtoemail .net...

Screenshot: https://myonlinesecu...-1707075536.png

Fax_Message_7932180645.js - Current Virus total detections 12/59*. Payload Security** downloads from
  http ://universodeljuguete .com/eusukll.exe (VirusTotal 15/65[3]) (Payload Security[4])...
This current series of downloaders have links-in-the-body of the email to numerous different -compromised-  websites. This particular one went to
 http ://coopstella .net/fax.html where there is an -iframe- that downloads the js file from
 http ://leypart .su/fax.php where a randomly numbered Fax_Message_####.js file is created and downloaded...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504782496/
Fax_Message_7932180645.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
94.127.190.141
62.109.12.221
47.88.55.29
98.124.251.75
98.124.252.66

3] https://www.virustot...sis/1504784148/
eusukll.exe

4] https://www.hybrid-a...vironmentId=100

universodeljuguete .com: 94.127.190.141: https://www.virustot...41/information/

coopstella .net: 185.58.7.72: https://www.virustot...72/information/

leypart .su: > https://check-host.n...host=leypart.su- ??
 

  

Edited by AplusWebMaster, 07 September 2017 - 03:08 PM.

[AplusWebMaster]

FYI...

Fake 'Amazon' SPAM - delivers Trickbot
- https://myonlinesecu...eliver-malware/
12 Sep 2017 - "... coming from the Necurs botnet is an email with the subject of 'Your Amazon.co.uk order 172-3041149-3373628 has been dispatched' (random numbers) pretending to come from Amazon .co.uk <auto-shipping@ amazon .co.uk>...
UPDATE: found download site and it is Trickbot again...

Screenshot: https://myonlinesecu...tched-email.png

The fake Amazon website looks like this. The Sign In button does go to a genuine Amazon .co.uk sign in page:
> https://myonlinesecu...oader-_site.png
Update: ... 'found a download location
 http ://storiteller .com/3f3geuf.exe (VirusTotal 11/59*) (Payload Security**)... 'not certain if actually running the .js file will deliver the payload or whether the malware devs have messed up.
Further update: I am also being told about some versions downloading Locky via
 http ://ruisi .fr/ddokslf.exe (VirusTotal 10/65[3]) (Payload Security[4])... 'really difficult to work out the  payloads, when the .js files are created on the fly... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1505211474/
ORDER-467-3587106-1645978.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.80.201.25
47.88.55.29

3] https://www.virustot...sis/1505213071/
3f3geuf.exe

4] https://www.hybrid-a...vironmentId=100

storiteller .com: 82.80.201.25: https://www.virustot...25/information/
> https://www.virustot...3c80a/analysis/

ruisi .fr: 195.154.227.5: https://www.virustot....5/information/
> https://www.virustot...e26e9/analysis/
 

   

[AplusWebMaster]

FYI...

Fake 'Invoice' SPAM - Necurs botnet delivers malware
- https://myonlinesecu...eliver-malware/
14 Sep 2017 - "... sent from the Necurs botnet is a typical generic spam email with the subject of 'Copy of Invoice 487391' (random numbers) pretending to come from Customer Service <service@ randomdomain .tld>. There is -no- attachment with these today, just a link-in-the-email body to a variety of -compromised- sites. The link will always go to <site name>/invoice .html which uses an -iframe- to download a random numbered invoice.js from
 http ://wittinhohemmo .net/invoice.php (this site has been used in this malware campaign for at least 1 week now). The js file is different to the ones we have been seeing so far this week, they are much smaller (about 5kb) and using trivially obfuscated reverse strings to “hide” the download sites...

Screenshot: https://myonlinesecu...oice-487391.png

Sites I found are:
 http ://multila .com/HJGFjhece3.exe
 http ://vereouvir .pt/HJGFjhece3.exe
They use email addresses and subjects that will entice a user to read the email and follow the link.
Invoice-671398.js - Current Virus total detections 9/58*. Payload Security**
 HJGFjhece3.exe (VirusTotal 10/63[3]) (Payload Security[4]). I cannot work out if this is Trickbot or Locky today so far. The behaviour so far seen doesn’t exactly match either malware. It might be damaged or not working properly or some sort of anti-sandbox /VM protection to it. My gut feeling is -Trickbot- based on similar behaviour over the last few days when run in a sandbox or VM... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1505376478/
Invoice-290134.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
203.74.203.14
47.89.254.1
80.172.241.21

3] https://www.virustot...sis/1505377027/
2193.exe

4] https://www.hybrid-a...vironmentId=100

wittinhohemmo .net: 47.89.254.1: https://www.virustot...10/information/
> https://www.virustot...4a393/analysis/

multila .com: 203.74.203.14: https://www.virustot...14/information/
> https://www.virustot...9fdbf/analysis/

vereouvir .pt: 80.172.241.21: https://www.virustot...21/information/
> https://www.virustot...285de/analysis/
___

FTC probes Equifax hack...
- https://www.reuters....n-idUSKCN1BP1VX
Sep 14, 2017 - "The U.S. Federal Trade Commission said on Thursday it was investigating Equifax Inc’s (EFX.N) massive data breach, a rare public confirmation... Confirming what many cyber security experts expected, Equifax said late on Wednesday that hackers used a flaw in its open-source Struts software, distributed by the nonprofit Apache Software Foundation, to break into its systems. A patch for the vulnerability was issued in March, two -months- before Equifax said hackers began siphoning data..."
> https://www.reuters..../overview/EFX.N

- https://www.reuters....k-idUSKCN1BP0CB
Sep 14, 2017 - "Credit reporting company Equifax Inc blamed a web server vulnerability in its open-source software, called 'Apache Struts'*, for the recent data breach that compromised personal details of as many as 143 million U.S. consumers. The massive data breach had exposed valuable information to hackers between mid-May and July... Cyber security experts said it was among the largest hacks ever recorded and was particularly troubling due to the richness of the information exposed - names, birthdays, addresses and Social Security and driver’s license numbers. Equifax said it is determining with the assistance of an independent cybersecurity firm what exact information was compromised during the data breach..."
* https://cwiki.apache...splay/WW/S2-045
Mar 19, 2017
> https://cwiki.apache...splay/WW/S2-046
Mar 20, 2017

> https://cwiki.apache...urity Bulletins

> https://nvd.nist.gov...l/CVE-2017-5638
CVSS v3 Base Score: 10.0 Critical ...
Last Modified: 03/10/2017

> http://blog.talosint...-exploited.html
Mar 8, 2017
___

Phishing Scams Related to Equifax Data Breach
- https://www.us-cert....fax-Data-Breach
Sep 14, 2017 | Last revised: Sep 18, 2017
 

    

Edited by AplusWebMaster, 20 September 2017 - 05:48 PM.

[AplusWebMaster]

FYI...

CCleaner 5.33 compromised...
- https://www.helpnets...oored-ccleaner/
Sep 18, 2017 -  "... Piriform – the company that develops CCleaner and which has been recently acquired by AV maker Avast – has confirmed* that the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud were affected..."
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
* https://www.piriform...t-windows-users
Sep 18, 2017 -  "We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had-been-compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download**. We apologize and are taking extra measures to ensure this does not happen again..."
** https://www.piriform...wnload/standard

- http://blog.talosint...es-malware.html
Sep 18, 2017 -  "... Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode-on-top of the installation of CCleaner... Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities..."
Indicators of Compromise (IOCs):
... IP Addresses
216[.]126[.]225[.]148 "

216.126.225.148: https://www.virustot...5d3a8/analysis/
___

Fake 'Revised invoice' SPAM - delivers malware
- https://myonlinesecu...-r24-extension/
18 Sep 2017 - "... an email with the subject of 'Re: Revised invoice' pretending to come from Sales <Sales@ machinery .com>... it comes with an .r24 extension which is completely unknown to windows. Examining the file in a hex editor shows it has a PK header which means it is a compressed (zip) file. Simply renaming the extension to .zip will allow the contents to be extracted and examined...

Screenshot: https://myonlinesecu...sed-invoice.png

New Invoice.r24 (VirusTotal 9/62*): Extracts to: New Invoice.com - Current Virus total detections 15/65**
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1505723811/
New Invoice.r24

** https://www.virustot...sis/1505723863/
New Invoice.com

*** https://www.hybrid-a...vironmentId=100
___

Fake 'Status of invoice' SPAM - leads to Locky
- http://blog.dynamoo....ce-with-7z.html
18 Sep 2017 - "This spam leads to Locky ransomware:
    Subject:       Status of invoice
    From:       "Rosella Setter" ordering@ [redacted]
    Date:       Mon, September 18, 2017 9:30 am
    Hello,
    Could you please let me know the status of the attached invoice? I
    appreciate your help!
    Best regards,
    Rosella Setter
    Tel: 206-575-8068 x 100
    Fax: 206-575-8094
    *NEW*   Ordering@[redacted].com
    * Kindly note we will be closed Monday in observance of Labor Day *

The name of the sender varies. Attached is a .7z archive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename... Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:
yildizmakina74 .com/87thiuh3gfDGS?
miliaraic .ru/p66/87thiuh3gfDGS?
lanzensberger .de/87thiuh3gfDGS?
web-ch-team .ch/87thiuh3gfDGS?
abelfaria .pt/87thiuh3gfDGS?
An executable is dropped with a detection rate of 19/64[5] which Hybrid Analysis[6] shows is phoning home to:
91.191.184.158 /imageload.cgi (Monte Telecom, Estonia)
195.123.218.226 /imageload.cgi (Layer 6, Bulgaria)
.7z files are popular with the bad guys pushing -Locky- at the moment. Blocking them at your mail perimiter may help.
Recommended blocklist:
195.123.218.226
91.191.184.158 "
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
85.95.237.29
195.123.218.226
91.191.184.158

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
194.150.248.56
91.191.184.158
195.123.218.226

3] https://malwr.com/an...zZjNjJjMmViYzQ/
5121669985.vbs

4] https://malwr.com/an...WE5NGJjZDA1ZmM/
25860394240.vbs

5] https://www.virustot...7c8a7/analysis/
CJgBjTI.exe

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.191.184.158
195.123.218.226
216.58.209.228

85.95.237.29: https://www.virustot...29/information/

195.123.218.226: https://www.virustot...26/information/

91.191.184.158: https://www.virustot...58/information/
 

  

Edited by AplusWebMaster, 19 September 2017 - 07:58 AM.

[AplusWebMaster]

FYI...

Fake 'Order' SPAM - delivers Locky ykcol
- https://myonlinesecu...rs-locky-ykcol/
19 Sep 2017 - "... Locky downloader... an email with the subject of 'HERBALIFE Order Number: 6N01000137' (random numbers) pretending to come from Herbalife <svc_apacnts_8169@ herbalife .com> (random numbers as well). Today’s version continues to use the 'ykcol' extension for encrypted files...

Screenshot: https://myonlinesecu...-6N01000137.png

6N01000137_1.7z: Extracts to: 6N01005710.vbs - Current Virus total detections 16/55*. Payload Security**
 | downloads an encrypted txt file which is converted by the script to vtifOYBP.exe (VirusTotal 30/64***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
DNS Requests
isiquest1 .com - 178.33.107.201 - OVH, SAS - France
Contacted Hosts
178.33.107.201: https://www.virustot...01/information/
> https://www.virustot...a3c34/analysis/

*** https://www.virustot...727f8/analysis/
JGHldb03m
 

  

[AplusWebMaster]

FYI...

Fake 'invoice' SPAM - delivering Locky
- https://myonlinesecu...re-again-today/
20 Sep 2017 - "... Locky downloaders... an email with the subject of 'Status of invoice A2178050-11' (random numbers) pretending to come from random names with a from address of ordering@ random companies. The subjects all start with 'Status of invoice A217' with 4 extra digits, then 2 digits...

Screenshot: https://myonlinesecu...A2178050-11.png

A2178050-11.rar: Extracts to: 20080920_757068.vbs - Current Virus total detections*. Payload Security**.
Downloads
 http ://mariamandrioli .com/RSkfsNR7? which is an executable file....
Frequently these are encrypted -txt- files that need converting to the .exe (VirusTotal 16/65[3])
Payload Security[4]). Other download sites for the malware binary include:
 http ://ryterorrephat .info/af/RSkfsNR7
 http ://hard-grooves .com/RSkfsNR7?
Other sites and a -different- locky binary - details have been posted by Racco42[5]on pastebin[6]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
108.59.87.148

3] https://www.virustot...sis/1505896879/
RSkfsNR7.exe

4] https://www.hybrid-a...vironmentId=100

5] https://twitter.com/...423167092629504

6] https://pastebin.com/F5K6BKQX

mariamandrioli .com: 108.59.87.148: https://www.virustot...48/information/
> https://www.virustot...3fdcd/analysis/

ryterorrephat .info: 54.187.116.55: https://www.virustot...55/information/
> https://www.virustot...3b343/analysis/

hard-grooves .com: 54.187.116.55: https://www.virustot...55/information/
 

   

[AplusWebMaster]

FYI...

Fake 'Amazon Invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
21 Sep 2017 - "... Locky downloaders... an email with the subject of 'Invoice RE-2017-09-21-00102' (random last 6 digits) pretending to come from Amazon Marketplace <uJLHsSYOYmvOX@ marketplace.amazon .co.uk> (random characters before the @)...

Screenshot: https://myonlinesecu...-downloader.png

RE-2017-09-21-00102.7z: Extracts to: RE-2017-09-21-00273.vbs - Current Virus total detections 14/58*:
Payload Security** | Downloads
 http ://accuflowfloors .com/IUGiwe8? which is a txt file that is -renamed- to nVtcNP.exe (VirusTotal 22/63***)
Other download sites inside this VBS file are:
 fulcar .info/p66/IUGiwe8 and
 afradem .com/IUGiwe8? - There will be dozens of others in other versions...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1505983662/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
65.182.174.12

*** https://www.virustot...sis/1505984851/
TnipmOahC.exe

accuflowfloors .com: 65.182.174.12: https://www.virustot...12/information/
> https://www.virustot...c8c18/analysis/

fulcar .info: https://check-host.n...ost=fulcar.info
[ http://blog.dynamoo....2017-09-21.html
21 Sep 2017
Comment: ... This will be the Necurs botnet. IPs will be all over the place... blocking .7z files would probably not cause much a problem, these are commonly used for Locky right at the moment. ]

afradem .com: 178.255.99.134: https://www.virustot...34/information/
___

'CCleaner' Command and Control - follow up ...
- http://blog.talosint...c2-concern.html
Sep 20, 2017 - "Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application*. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files. In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized -secondary- payloads...
* http://blog.talosint...es-malware.html
... These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from -backups- or -reimage- systems to ensure that they completely remove not only the backdoored version of CCleaner but -also- any other malware that may be resident on the system...
Conclusion: Supply chain attacks seem to be increasing in velocity and complexity. It's imperative that as security companies we take these attacks seriously. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time. When advanced adversaries are in play, this is especially true. They have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques. In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks..."
(More detail at the talosintelligence URL above.)

- https://www.helpnets...romise-targets/
Sep 21, 2017
>> https://www.helpnets...m/tag/ccleaner/

- https://blog.avast.c...r-investigation
Sep 21, 2017

> https://www.askwoody...ests-maybe-not/
Sep 21, 2017
> https://www.ghacks.n...oad-discovered/
Sep 21, 2017
 

  

Edited by AplusWebMaster, 21 September 2017 - 11:52 AM.

[AplusWebMaster]

FYI...

Fake 'Forskolin' SPAM - using spoofed email addresses
- https://myonlinesecu...mail-addresses/
22 Sep 2017 - "... malspam campaign again today pushing the crappy, scummy, useless 'Forskolin weight loss' junk... Some subjects in the original emails include (there are hundreds of variants): These pretend to be Facebook notifications about missed private messages or pending notifications:
    You photos that will be deleted in 1 days
    You have notification that will be removed in 5 hours
     For You new message that will be removed in 6 days
    Private message that will be deleted in 3 hours
    You friend that will be deleted in 5 hours
    You have notification that will be deleted in 7 days

The Hotmail emails look like:
- https://myonlinesecu...jects_email.png

The original emails look like these:
- https://myonlinesecu...9/support_3.png

- https://myonlinesecu...9/support_2.png

- https://myonlinesecu...9/support_1.png

The links go to a multitude of -compromised- sites but all eventually end today on
  http ://weight4forlossdiet-4tmz .world/en/caus/forskolin/?bhu=8mczFswKd5ZrUCttf15dChmqRGCWobCch
 (with a different random reference number) where you see a page looking like this:
> https://myonlinesecu...htloss-scam.png
This shows the importance of having correct authentication set up on your email server with DMARC* reporting, so you know when your email address is being spoofed and used in a mass malspam campaign:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/hotmail_dmarc_rejects2.png  

* https://myonlinesecu...ould-use-dmarc/ "

weight4forlossdiet-4tmz .world: 192.254.79.249: https://www.virustot...49/information/
> https://www.virustot...6ec06/analysis/
 

  

[AplusWebMaster]

FYI...

Fake 'BL copy' SPAM - RTF exploit delivers malware
- https://myonlinesecu...eliver-malware/
24 Sep 2017 - "An email with the subject of 'Fwd: BL copy' coming from pedro.estaba@ cindu .com.ve with a malicious word doc attachment delivers malware using the RTF exploit CVE-2017-0199. The word doc is actually a RTF doc. It is highly likely that recipients will get a similar email with different senders and email body content, imitating various innocent companies. These download -multiple- different malwares.
> https://nvd.nist.gov...l/CVE-2017-0199
Last Modified: 04/12/2017
CVSS v2 Base Score: 9.3 HIGH

Screenshot: https://myonlinesecu.../09/BL-copy.png

The  CVE-2017-0199 exploit was plugged in all supported versions of Microsoft Office back in April 2017, with additional fixes in subsequent Security updates including September 2017. If you have not applied the patches, then simply opening or even just -previewing- these word docs in your email client or windows explorer might be enough to infect you...

export.doc - Current Virus total detections 24/59[1]. Payload Security[2]. Both Payload Security and manual analysis shows a download of an HTA file from
 http ://birsekermasali .com/hta/docs.hta (VirusTotal 15/59[3]) (Payload Security[4]) which contains encoded / encrypted commands to download
 http ://birsekermasali .com/js/boss/payment.exe which is giving a 404.
I decided to dig around a bit on the open directories on birsekermasali .com and see what I could find. Trying
 http ://birsekermasali .com/js/boss/ gave me a password required prompt, but trying the
 http ://birsekermasali .com/hta/ gave me -2- additional -HTA- files:

allfiles.hta (VirusTotal 6/58[5]) (Payload Security[6]) which downloads
 http ://birsekermasali .com/js/boss/invoices.exe (VirusTotal 38/65[7]) (Payload Security[8])
kelly.hta (VirusTotal 14/59[9]) (Payload Security[10]) Which downloads
 http ://birsekermasali .com/js/kels/docs.exe (VirusTotal 46/65[11]) (Payload Security[12]) which in turn downloads
 http ://birsekermasali .com/js/kels/dates.exe (VirusTotal 41/59[13]) (Payload Security[14])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1506187514/

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.115.14

3] https://www.virustot...sis/1506231952/
docs[1].hta

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.115.14
74.125.206.106
162.221.190.147
209.9.53.57
69.172.201.153
198.54.116.113
213.167.231.2
112.175.232.227
23.227.38.64
121.127.250.125

5] https://www.virustot...sis/1506234023/
allfiles.hta

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.115.14
74.125.206.106
162.221.190.147
209.9.53.57
69.172.201.153
198.54.116.113
213.167.231.2
112.175.232.227
23.227.38.64
121.127.250.125

7] https://www.virustot...sis/1506170974/

8] https://www.hybrid-a...vironmentId=100

9] https://www.virustot...sis/1506234037/
kelly.hta

10] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.115.14
198.54.115.96

11] https://www.virustot...sis/1506035556/
output.112274294.txt

12] https://www.hybrid-a...vironmentId=100

13] https://www.virustot...sis/1506118256/

14] https://www.hybrid-a...vironmentId=100

birsekermasali .com: 192.185.115.14: https://www.virustot...14/information/
> https://www.virustot...003a3/analysis/
> https://www.virustot...e7cbc/analysis/
 

  

[AplusWebMaster]

FYI...

Fake 'Voice Message' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
25 Sep 2017 - "... Locky ransomware.... They are sticking with 'Voice Message' theme again today. It is an email with the subject of 'Message from 02031136950' (random phone number) pretending to come from server@ random number.um .broadviewnet .net. They all come from 'Message Server' and the email address is server@ random number.um .broadviewnet .net...

Screenshot: https://myonlinesecu...02031136950.png

Voice Message(02031136950.7z: Extracts to: Voice Message(02090039814).vbs - Current Virus total detections 10/58*. Payload Security**. These -vbs- files download from a large number of -compromised- sites. This example contacts
 asheardontheradiogreens .com/YTkjdJH7w1
 tertrodefordown .info/af/YTkjdJH7w1
 artplast .uz/YTkjdJH7w1?
where a txt file is downloaded. The file is a actually a renamed.exe file (VirusTotal 17/65***). With these if there is a ? at the end of a URL, you get a renamed.txt file. If there is no ? you get an .exe that has no extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506322168/
Voice Message(02090039814).vbs

** https://www.hybrid-a...vironmentId=100
199.30.241.139

*** https://www.virustot...sis/1506322258/
YTkjdJH7w1.txt

asheardontheradiogreens .com: 199.30.241.139: https://www.virustot...39/information/
> https://www.virustot...205d7/analysis/

tertrodefordown .info: 49.51.36.73: https://www.virustot...73/information/
> https://www.virustot...b0c52/analysis/

artplast .uz: 62.209.133.18: https://www.virustot...18/information/
> https://www.virustot...af65d/analysis/
 

   

Edited by AplusWebMaster, 25 September 2017 - 10:54 AM.