
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#2026 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 September 2017 - 07:57 AM

FYI...

Fake 'eFax and Virgin Media' SPAM - deliver Dridex
- https://myonlinesecu...d-virgin-media/
26 Sep 2017 - "... Dridex Banking Trojans being delivered via malspam emails... The 2 that I have looked at so far are:
     'Your Virgin Media bill is ready' coming from Virgin Media <webteam@ virginmedia.smebusinesslink .com>'
     'Corporate eFax message' from “Unknown” – 4 page(s), Caller-ID: 44-161-261-1924 coming from eFax Corporate <message@ efax.inboundcop .com>
... the criminals sending these have registered look-a-like or plausible domains: they are actually using subdomains of these domains that make a recipient think that the emails are coming from a “proper” message sending service... The emails are just about identical to those on these 2 pages with the dates and amounts changed:
    smebusinesslink .com on 24th September 2017 using eranet .com as registrar and hosted on OVH 188.165.217.40
> https://myonlinesecu...l-and-trickbot/
    inboundcop .com on 24th September 2017 using eranet .com as registrar and hosted on OVH 188.165.232.177 ...
> https://myonlinesecu...l-and-trickbot/

They are sending these emails from a whole range of IP addresses (all tracking back to various subdomains of the 2 main -fraudulent- domains) under the control of these criminals that pass email authentication for the -fake- domains:
46.105.101.20
46.105.101.72
46.105.101.110
54.36.192.0/24
94.23.32.95
188.165.217.40
188.165.217.44
188.165.200.80
188.165.215.105
188.165.215.115
188.165.239.123
188.165.232.177
188.165.217.228
... The emails are just about identical to those on these 2 pages with the dates and amounts changed:
> 'Virgin Media Your Virgin Media bill is ready' ... and 'e Fax' ...
The link in the email goes to a -compromised- or fraudulently-set-up OneDrive for business/SharePoint site where a zip file containing a .js file is downloaded...

The virgin site is:
 https ://grllen-my.sharepoint .com/personal/misaacs_grllen_com_au/_layouts/15/guestaccess.aspx?docid=0f577514318c64d3a83fdc412856063e6&authkey=AZhzom6O9TOyFzZv4HUJ6zM
 where a .js file is downloaded. That downloads 46.105.102.161 /PDF/Virginmedia_bill_25_09_2017_3 .pdf
 an innocent PDF file of a -genuine- Virgin media bill and displays that while at the same time downloads the Dridex banking Trojan in the background (I cannot determine the actual download location of the Dridex Trojan from the reports)
Virginmedia_bill_25_09_2017_3.zip: Extracts to: Virginmedia_bill_25_09_2017_3.js
Current Virus total detections 4/58[1]. Payload Security[2] | Dridex Payload - VirusTotal 13/61[3]|
Payload Security[4] |

The eFax site is:
 https ://ucg1-my.sharepoint .com/personal/janet_lau_ucg_co_nz/_layouts/15/guestaccess.aspx?docid=0eab92172e4fb424093bc21e476a6a698&authkey=AT_9AE00prV_R0aRf9HYOtg
 where another js file is downloaded. That also downloads an innocent PDF file from
  188.165.193.38 /PDF/FAX_20170925_1401908954_6.pdf
  saying it all about the Rural Payments agency and displays that while at the same time downloads the
-Dridex- banking Trojan in the background
(I cannot determine the actual download location of the Dridex Trojan from the reports)...:
FAX_20170925_1401908954_6.zip: Extracts to: FAX_20170925_1401908954_6.js  
Current Virus total detections 7/59[5]: Payload Security[6] | Dridex Payload - VirusTotal 13/61[7] |
Payload Security[8] |
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1506415697/
Virginmedia_bill_25_09_2017_3.js

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.105.102.161
173.203.123.102
193.218.145.101
162.243.137.50
87.106.219.40


3] https://www.virustot...sis/1506415824/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.203.123.102
193.218.145.101
162.243.137.50
87.106.219.40


5] https://www.virustot...sis/1506418921/
FAX_20170925_1401908954_6.js

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
104.146.230.59
188.165.193.38
173.203.123.102
193.218.145.101
162.243.137.50
87.106.219.40


7] https://www.virustot...sis/1506415824/

8] https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.203.123.102
193.218.145.101
162.243.137.50
87.106.219.40


grllen-my.sharepoint .com: 13.107.6.151: https://www.virustot...51/information/

ucg1-my.sharepoint .com: 13.107.6.151

188.165.217.40: https://www.virustot...40/information/

188.165.232.177: https://www.virustot...77/information/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 26 September 2017 - 08:15 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
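The report above makes a point worth acting on: the senders used subdomains of domains they had registered themselves, from hosts they controlled, so the messages pass SPF/DKIM for the fake domains and authentication alone will not stop them. What does work is matching the sender domain and the connecting host against the indicators listed. The script below is an added example, not code from the forum post or from the myonlinesecurity write-up it quotes; the message it parses is constructed, while the two fraudulent domains and the IP list are taken from the post. It treats any subdomain of a listed domain as a hit and reads the connecting IP from the topmost Received header, the one added by the receiving MX.

```python
"""Match a message's sender domain and connecting IP against the indicators
from the eFax / Virgin Media Dridex report.  Added example; the sample message
is constructed, the domains and addresses come from the post above."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Fraudulent registered domains from the post; the senders used subdomains of them.
FRAUD_DOMAINS = {"smebusinesslink.com", "inboundcop.com"}

# Sending hosts/ranges listed in the post (they pass SPF/DKIM for the fake domains).
SENDER_NETWORKS = [ipaddress.ip_network(n) for n in (
    "46.105.101.20", "46.105.101.72", "46.105.101.110", "54.36.192.0/24",
    "94.23.32.95", "188.165.217.40", "188.165.217.44", "188.165.200.80",
    "188.165.215.105", "188.165.215.115", "188.165.239.123",
    "188.165.232.177", "188.165.217.228",
)]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(from_header):
    """Domain part of the address in From:, lowercased; '' if there is none."""
    _, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def matches_fraud_domain(domain):
    """True if domain equals, or is a subdomain of, a known fraudulent domain."""
    return any(domain == d or domain.endswith("." + d) for d in FRAUD_DOMAINS)


def connecting_ip(msg):
    """IP recorded in the topmost Received header.  That header was added by our
    own MX when the sending host connected; lower Received headers were written
    on the sender's side and can be forged, so only the top one is trusted."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(str(received[0]))
    return m.group(1) if m else None


def ip_in_sender_networks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SENDER_NETWORKS)


def triage(raw_message):
    """Return the list of indicator matches for one RFC 822 message (empty = none)."""
    msg = message_from_string(raw_message)
    findings = []
    domain = sender_domain(msg.get("From"))
    if matches_fraud_domain(domain):
        findings.append("sender domain %s is under a known fraudulent domain" % domain)
    ip = connecting_ip(msg)
    if ip and ip_in_sender_networks(ip):
        findings.append("connecting host %s is in the listed sender ranges" % ip)
    return findings


# Constructed message modelled on the 'Your Virgin Media bill is ready' lure;
# the connecting address is picked from the 54.36.192.0/24 range in the post.
SAMPLE_MESSAGE = """\
Received: from mail.virginmedia.smebusinesslink.com ([54.36.192.77])
 by mx.example.org with ESMTP; Tue, 26 Sep 2017 07:30:00 +0000
From: Virgin Media <webteam@virginmedia.smebusinesslink.com>
To: someone@example.org
Subject: Your Virgin Media bill is ready

Your bill is ready to view.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print(finding)
```

The subdomain test is deliberately a suffix match on a dot boundary, so `smebusinesslink.com.example.net` is not flagged while `virginmedia.smebusinesslink.com` is; the IP test uses `ipaddress` so single hosts and the /24 from the post are handled the same way.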



#2027 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 September 2017 - 09:41 AM

FYI...

Fake 'UPS' SPAM - tries to deliver malware
- https://myonlinesecu...eliver-malware/
27 Sep 2017 - "... malware downloaders... an email with the subject of 'UPS Ship Notification, Tracking Number 1Z51322Y3483221007' (random numbers) pretending to come from UPS Quantum View <pkginfo26@ ups .com> (random pkginfo numbers)...

Screenshot: https://myonlinesecu...Y3483221007.png
... following the link gives you a webpage looking like one of these screenshots pressing login does different things or -nothing- depending on the site:
> https://myonlinesecu...PS_tracking.png

This is a slightly more complicated infection chain than usual. There are -dozens- of different sites in the emails -hidden- behind the shipment details link. A lot of them don’t do anything except display a -fake- UPS website. Some however are connecting via an -iframe- to download
 http ://rateventrithathen .info/track.php which gave me TRACK-1Z68725Y5236890147.js
Current Virus total detections 2/59*. Payload Security** | Joe Security***
Neither online sandbox retrieved any payload, whether the sites are blocked or the JS is VM aware is unknown... The basic rule is NEVER open any attachment or link in email, unless you are expecting it..."
* https://www.virustot...sis/1506504272/
TRACK-1Z68725Y5236890147.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
49.51.36.73

*** https://jbxcloud.joe...s/378185/1/html

rateventrithathen .info: 49.51.36.73: https://www.virustot...73/information/
> https://www.virustot...764cf/analysis/
___

Email credential phish...
- https://myonlinesecu...-invoice-scams/
27 Sep 2017 - "... seeing a series of “attacks” using Adobe as the lure. So far I have seen 2 different ones...

Screenshot:
1] https://myonlinesecu...ement-email.png
This email has a genuine PDF attachment with a link to http ://bit .ly/2wTMuYg which will -redirect- you to
 http ://cloudy-exch .pw/invoice/update.HTML. There is a warning on the bit.ly page that alerts to it being a phishing or malware site but will -still- allow you to visit the page by clicking-the-link:
> https://myonlinesecu...atement_pdf.png
... However downloading the html file will open in Firefox only on the computer.
The page looks like this:
> https://myonlinesecu..._text_adobe.png
... where -if- you enter any details and press submit, you are redirected to  https ://drive.google .com/file/d/0BxKSeHpNweSsWldNaGpUMDlHWW8/view
... where you see this -fake- statement:
> https://myonlinesecu...oogle_drive.png

The next -phishing-scam- works right out of the box with no effort:
2] https://myonlinesecu...oice-Urgent.png
This PDF attachment looks like:
> https://myonlinesecu...w-Order_pdf.png
Where -if- you follow the link you go to
 https ://app-onlinedoc.000webhostapp .com/Inv-47654345584.php?code=2000500 where you see:
> https://myonlinesecu..._adobe_scam.png
Entering details tries to -redirect- you to
 http ://alliancecr .com/skd/xendr.php , where I get a 404 page not found (a quick look up shows the site registered by Godaddy in 2001, the DNS is managed by Cloudflare and there is no site found, so it is highly likely that Cloudflare have null routed the DNS already)... A quick look at the source code of the 000webhost page shows that it appears to try to send the information via Googlemail... Update: within minutes of reporting the 000webhost site, it was taken down. That is fast abuse response. I wish all webhosts were so quick and efficient..."

cloudy-exch .pw: 185.158.249.100: https://www.virustot...00/information/
> https://www.virustot...837b8/analysis/
 
app-onlinedoc.000webhostapp .com: 145.14.145.6: https://www.virustot....6/information/

alliancecr .com: Could not find an IP address for this domain name...
___

JavaScript and Stealer DLL Variant in New Attacks
- http://blog.talosint...n7-stealer.html
Sep 27, 2017 - "... a newly discovered -RTF- document family that is being leveraged by the FIN7 group (also known as the Carbanak gang) which is a financially-motivated group targeting the financial, hospitality, and medical industries. This document is used in -phishing- campaigns to execute a series of scripting languages containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms. The document contains messages enticing the user to click on an embedded object that executes scripts which are used to infect the system with an information stealing malware variant. This malware is then used to steal passwords from popular browsers and mail clients which are sent to remote nodes that are accessible to the attackers... The dropper variant that we encountered makes use of an LNK file to execute wscript.exe with the beginning of the JavaScript chain from a word document object...
Command and Control IPs"
104.232.34.36: https://www.virustot...36/information/
5.149.253.126: https://www.virustot...26/information/
185.180.197.20: https://www.virustot...20/information/
195.54.162.79: https://www.virustot...79/information/
31.148.219.18: https://www.virustot...18/information/
(More detail at the talosintelligence URL above.)
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 27 September 2017 - 01:21 PM.



#2028 AplusWebMaster


Posted 28 September 2017 - 05:14 AM

FYI...

Fake 'Scan xxx' SPAM - Necurs sent Locky/Trickbot
- https://myonlinesecu...ion-techniques/
28 Sep 2017 - "... malware downloaders coming from the necurs botnet... email with the subject of 'Emailing: Scan0253' (random numbers)  pretending to come from random names at your-own-email-address or company domain. Today they have changed delivery method and will give either Locky Ransomware or Trickbot banking Trojan depending on your IP address and country of origin...

Screenshot: https://myonlinesecu...ivery-email.png

Scan0253.7z: Extracts to: Scan0277.vbs - Current Virus total detections 11/59*. Payload Security** |
In this particular VBS example there were 6 hard coded urls
“geeks-online .de/9hciunery8g?”,
”freevillemusic .com/9hciunery8g?” (VirusTotal 9/65[3]) (Payload Security[4]) Looks like Trickbot
“anarakdesert .com/LUYTbjnrf?”,
”americanbulldogradio .com/LUYTbjnrf?”
”sherylbro .net/p66/LUYTbjnrf” (VirusTotal 20/65[5]) (Payload Security[6]) This one is Locky
“poemsan .info/p66/d8743fgh” - Also Locky but a different file hash (VirusTotal 39/64[7]) (Payload Security[8])
The lookup services used are : “https ://ipinfo .io/json”,
”http ://www.geoplugin .net/json.gp”,
”http ://freegeoip .net/json/”
Update: thanks to Racco42[9] we have full list of currently known URLs posted on Pastebin[10]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506589221/
Scan0277.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.239.38.21
178.237.36.10
205.204.66.82


3] https://www.virustot...sis/1506589359/

4] https://www.hybrid-a...vironmentId=100

5] https://www.virustot...sis/1506589526/

6] https://www.hybrid-a...vironmentId=100

7] https://www.virustot...sis/1506591639/

8] https://www.hybrid-a...vironmentId=100

9] https://twitter.com/...339950015373312

10] https://pastebin.com/ahfN337m

> http://blog.dynamoo....n0xxx-from.html
28 Sep 2017 - "This -fake- 'document scan' delivers different malware depending on the victim's location...
... All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block -or- strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too."
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 28 September 2017 - 05:57 AM.



#2029 AplusWebMaster


Posted 29 September 2017 - 11:33 AM

FYI...

Fake 'invoice' SPAM - deliver Locky/Trickbot
- https://myonlinesecu...-large-js-file/
29 Sep 2017 - "... Locky downloaders... an email with a blank/empty subject pretending to come from random names and email addresses. The body content pretends to be an 'invoice' notification. There are -no- attachments with these emails but a link-in-the-email-body goes to various -compromised- sites to download a .js file. As far as I can tell the actual Locky payload is -embedded- inside the .js file. For some strange reason the js file is named voicemsg_random numbers.js which would indicate that this was intended or has also been used in a voice message scam attempt to deliver Locky as well. The other strange thing in this campaign is the url in the body. All the ones I received are broken and start with 'ttp://' but looking at the mailscanner they look normal with a -complete- html on my server they look -normal- with a complete html and start with the proper 'http://'...

Screenshot: https://myonlinesecu...ank-subject.png

voicemsg_088436.js - 410.7 KB (420558 bytes) - Current Virus total detections 5/59*. Payload Security**
| drops 1102.exe 298.0 KB (305152 bytes) - VirusTotal 14/65[3] - Payload Security[4].
Nothing is actually detecting these as -Locky- Ransomware and in fact some AV on VirusTotal detect as
-Cerber- Ransomware. I am only calling these Locky based on the
 moroplinghaptan .info/eroorrrs post request (giving a 404) shown in the Payload Security report. This has been a strong Indicator-of-Compromise (IOC) for Locky recently.
> Update: I am reliably informed that it depends on your IP address and location what malware you get. You will either get -Locky- Ransomware or -Trickbot- banking Trojan embedded inside the .js file.
Some of the download sites in the emails include:
 http ://resortphotographics .com/invoice.html
 http ://somallc .com/invoice.html
 http ://pinkyardflamingos .com/invoice.html
 http ://agregate-cariera .ro/invoice.html
 http ://sgtenterprises .com/invoice.html
 http ://weloveflowers .co.uk/invoice.html
They all use an -iframe- to actually download from
 http ://moroplinghaptan .info/offjsjs/ - This site has been used in a later Locky campaign today that was spoofing voicemessages...
The basic rule is NEVER open any attachment or -link- an email, unless you are expecting it..."
* https://www.virustot...sis/1506691940/
voicemsg_088436.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
49.51.133.167
216.58.213.174


3] https://www.virustot...sis/1506692289/
1102.exe

4] https://www.hybrid-a...vironmentId=100

moroplinghaptan .info: 49.51.133.167: https://www.virustot...67/information/
> https://www.virustot...ba588/analysis/
___

Fake 'Office 365 invoice' - delivers Locky
- https://myonlinesecu...cky-ransomware/
29 Sep 2017 - "The 3rd version I have seen today... Locky downloaders have gone back to a traditional zip (7z) attachment containing a vbs file. This is an email pretending to be an 'Office 365 Invoice' with the subject of 'Invoice' pretending to come from the -same-name- that is in the recipient field. Random names & email addresses...

Screenshot: https://myonlinesecu...nvoice_O365.png

604173.7z: Extracts to: Invoice_930546166795.vbs - Current Virus total detections 10/58*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506683968/

** https://www.virustot...sis/1506683968/
Contacted Hosts
185.57.172.213: https://www.virustot...13/information/
___

Fake 'order' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
29 Sep 2017 - "...  malware today, all using -different- or unusual delivery methods. This next example is about an order confirmation. The attachment is a .uue attachment. Winzip says it can open .UUE files but only extracted a -garbled- encrypted/encoded txt file. Universal extractor extracted a working .exe file...

Screenshot: https://myonlinesecu...order_email.png

order290917.uue: (virusTotal 4/58*) - Extracts to: order290917.exe - Current Virus total detections 14/64**
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506681970/
order290917.uue

** https://www.virustot...sis/1506696900/
order290917.exe

*** https://www.hybrid-a...vironmentId=100
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 29 September 2017 - 12:59 PM.



#2030 AplusWebMaster


Posted 02 October 2017 - 12:53 PM

FYI...

Fake 'order' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
2 Oct 2017 - "An email with the subject of 'Fwd: Re: Order' pretending to come from info@ anashin .am with a malicious word doc attachment delivers malware...

Screenshot: https://myonlinesecu...7_doc_email.png

Order0210177.doc - Current Virus total detections 15/58*. Payload Security** downloads
 http ://birsekermasali .com/hta/gen.hta (VirusTotal 15/57[3]) (Payload Security[4]) which in turn downloads
 http ://birsekermasali .com/css_files/gen/quote.exe (VirusTotal 25/66[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506949614/
Order0210177.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
192.185.115.14

3] https://www.virustot...sis/1506968237/
gen.hta

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.115.14
198.187.29.143


5] https://www.virustot...sis/1506967286/
quote.exe

6] https://www.hybrid-a...vironmentId=100

birsekermasali .com: 192.185.115.14: https://www.virustot...14/information/
> https://www.virustot...c43f3/analysis/

> https://www.virustot...26ef3/analysis/
 

:ph34r: :ph34r:    <_<




#2031 AplusWebMaster


Posted 03 October 2017 - 11:24 AM

FYI...

Fake 'FedEx' SPAM - leads to info stealer
- https://isc.sans.edu/diary/rss/22888
2017-10-03 - "... On Monday 2017-10-02, I ran across malicious spam (malspam) pushing Formbook, an information stealer. Arbor Networks has a good article about Formbook here:
> https://www.arbornet...k-form-grabber/
... The email is disguised as a 'FedEx delivery notice'. It has a-link-to-a-compromised-website that's hosting malware. The link points to a supposed document for this fake delivery:
> https://isc.sans.edu...ry-image-01.jpg
Clicking on-the-link (DON'T) returned a RAR archive. The RAR archive contains a Windows executable that's poorly-disguised as some sort of receipt... indicators seen during the infection from Formbook malspam on Monday 2017-10-02:
Email:
    Date/Time:  2017-11-02 at 14:23 UTC
    Subject:  Re: Alert: FedEx OFFICE Delivery® ... 17-10-02, at 07:22:11 AM BA
    From:  "DOCUMENT2017" <gifcos@ tutanota.com>
    Link from the email:  hxxps ://superiorleather .co.uk/Receipt.r22

Traffic seen when retrieving the RAR archive:
    185.46.121.66 [1] port 443 - superiorleather .co.uk - GET /Receipt.r22 ...
1] 185.46.121.66: https://www.virustot...66/information/
> https://www.virustot...c6369/analysis/
Post-infection traffic:
    47.90.52.201 port 80 - www .shucancan .com - GET /ch/?id=[80 character ID string]
    52.87.61.120 port 80 - www .ias39 .com - GET /ch/?id=[80 character ID string]
    66.206.43.242 port 80 - www .fairwaytablet .com - GET /ch/?id=[80 character ID string]
    103.38.43.236 port 80 - www .chunsujiayuan .com - GET /ch/?id=[80 character ID string]
    104.250.134.156 port 80 - www .ebjouv .info - GET /ch/?id=[80 character ID string]
    104.31.80.135 port 80 - www .dailyredherald .com - GET /ch/?id=[80 character ID string]
    153.92.6.50 port 80 - www .beykozevdenevenakliyatci .com - GET /ch/?id=[80 character ID string]
    162.242.173.39 port 80 - www .238thrift .com - GET /ch/?id=[80 character ID string]
    180.178.39.66 port 80 - www .et551 .com - GET /ch/?id=[80 character ID string]
    195.154.21.65 port 80 - www .lesjardinsdemilady .com - GET /ch/?id=[80 character ID string]
    198.54.114.238 port 80 - www .prfitvxnfe .info - GET /ch/?id=[80 character ID string]
    199.34.228.59 port 80 - www .craigjrspestservice .com - GET /ch/?id=[80 character ID string]

    162.242.173.39 port 80 - www .238thrift .com - POST /ch/
    198.54.114.238 port 80 - www .prfitvxnfe .info - POST /ch/ "
(More detail @ the isc URL above.)

> http://www.malware-t...0/03/index.html
___

Fake 'Shipping' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
3 Oct 2017 - "... an email with the subject of 'Re: Shipping arrangement process' pretending to come from Valero .com but coming  from Anna Brugt <dhen.ordonez@ ritetrend .com.ph>...

Screenshot: https://myonlinesecu...ent-process.png

There is a-link-in-the-email body to
 http ://www.oysterpublicschool .com//hy/reciept/_outputC9E322F.exe which gives a 404,
 but there is also a RAR attachment with a file of the same name. It is highly likely that other versions of this email will have a different download link, that might be active.

_outputC9E322F.rar: Extracts to: _outputC9E322F.exe - Current Virus total detections 15/66*. Payload Security**
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1507051011/
_outputC9E322F.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
109.169.89.11

oysterpublicschool .com: 192.185.115.66: https://www.virustot...66/information/
___

Fake 'Cash Statement' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
3 Oct 2017 - ... Malware downloaders... an email with the subject of 'Cash Statement of Account 10/03/2017'  coming from Front Desk <reception@ st-timsrc .org>...

Screenshot: https://myonlinesecu...-10-03-2017.png

The email has a pdf attachment with a link to
 https ://goo .gl/4tzM3b which redirects to
 http ://uae-moneyremit .top/plugins/cfare.html where you see a page like this asking you to install a plugin to view the page:
> https://myonlinesecu...ugin_needed.png

Pressing install will download
 https ://www.dropbox .com/s/piw5k38lytremqz/firefoxplugin_install.exe (VirusTotal 13/64*) (Payload Security**)

We have had a series of these emails recently (28 September 2017) was DAY END CASH PAYMENT REPORT AS ON 28/09/2017 which delivered fxplugin_install.exe (VirusTotal 44/65[3]) (Payload Security[4]) which was netwire RAT...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1507058018/
firefoxplugin_install.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.206.227.248

3] https://www.virustot...sis/1506917666/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
85.159.233.23
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 03 October 2017 - 02:10 PM.

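Two of the reports in this thread describe network behaviour that is easy to turn into a log-based detection: the ISC diary above lists the Formbook post-infection pattern (a GET to `/ch/?id=<80 character ID string>` on a dozen different hosts, then a POST to `/ch/` on some of them), and the 'Scan xxx' post from 28 September notes that the VBS downloader first queries `ipinfo.io`, `geoplugin.net` and `freegeoip.net` to decide whether to deliver Locky or Trickbot. The script below runs both checks over proxy log lines. It is an added example, not code from the ISC diary, the myonlinesecurity post or this forum; the log format and the log lines are constructed, and the hostnames are those quoted in the two posts.

```python
"""Two proxy-log detections: the Formbook check-in pattern from the ISC diary
and a geolocation lookup followed by a download, as the Locky/Trickbot VBS did.
Added example; log format and log lines are constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <client ip> <method> <host> <path>"
LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

# Formbook check-in as described in the diary: GET /ch/?id=<80 character ID string>
FORMBOOK_GET = re.compile(r"^/ch/\?id=[A-Za-z0-9]{80}$")
FORMBOOK_POST = "/ch/"

# Lookup services the VBS downloader queried before choosing a payload.
GEO_LOOKUPS = {("ipinfo.io", "/json"),
               ("www.geoplugin.net", "/json.gp"),
               ("freegeoip.net", "/json/")}
WINDOW_SECONDS = 300


def parse(lines):
    """Parse log lines into (time, source, method, host, path), oldest first."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, method, host, path = m.groups()
        events.append((datetime.fromisoformat(ts), src, method, host, path))
    events.sort(key=lambda e: e[0])
    return events


def detect_formbook(events, min_hosts=3):
    """Sources that GET /ch/?id=<80 chars> on at least min_hosts distinct hosts
    and then POST /ch/ to one of those same hosts."""
    gets = defaultdict(set)
    posting = set()
    for _, src, method, host, path in events:
        if method == "GET" and FORMBOOK_GET.match(path):
            gets[src].add(host)
        elif method == "POST" and path == FORMBOOK_POST and host in gets[src]:
            posting.add(src)
    return sorted(src for src in posting if len(gets[src]) >= min_hosts)


def detect_geo_then_download(events, window=WINDOW_SECONDS):
    """(source, lookup host, next host) for every geolocation lookup that is
    followed within `window` seconds by a GET from the same source elsewhere."""
    last_lookup = {}
    hits = []
    for ts, src, method, host, path in events:
        if method != "GET":
            continue
        if (host, path) in GEO_LOOKUPS:
            last_lookup[src] = (ts, host)
            continue
        if src in last_lookup:
            seen, lookup_host = last_lookup.pop(src)
            if (ts - seen).total_seconds() <= window:
                hits.append((src, lookup_host, host))
    return hits


ID80 = "a1b2c3d4" * 10  # constructed 80-character ID, stands in for the real one

# Constructed lines: one Formbook-like client, one VBS-like client, one idle client.
SAMPLE_LOG = f"""\
2017-10-02T14:30:00 10.0.0.5 GET www.shucancan.com /ch/?id={ID80}
2017-10-02T14:30:05 10.0.0.5 GET www.ias39.com /ch/?id={ID80}
2017-10-02T14:30:10 10.0.0.5 GET www.238thrift.com /ch/?id={ID80}
2017-10-02T14:30:15 10.0.0.5 POST www.238thrift.com /ch/
2017-09-28T09:00:00 10.0.0.7 GET ipinfo.io /json
2017-09-28T09:00:02 10.0.0.7 GET sherylbro.net /p66/LUYTbjnrf
2017-10-02T15:00:00 10.0.0.9 GET www.example.com /index.html
"""


def run_sample():
    events = parse(SAMPLE_LOG.splitlines())
    return detect_formbook(events), detect_geo_then_download(events)


if __name__ == "__main__":
    print(run_sample())
```

The geolocation rule is deliberately the noisier of the two: a user visiting a geo-IP site and then browsing on would also trigger it, so in practice it is scoped to script hosts (the VBS runs under wscript.exe) or to downloads from hosts outside an allowlist. The Formbook rule keys on the fixed ID length and the POST to a host already seen in the GET phase, which is the shape the diary's traffic listing shows.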


#2032 AplusWebMaster


Posted 04 October 2017 - 03:44 AM

FYI...

Fake 'Copy of invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
4 Oct 2017 - "... Locky downloaders... an email with the subject of 'Copy of invoice A5165059014. Please find your invoice attached' pretending to come from online@ screwfix .com...

Screenshot: https://myonlinesecu...ce-attached.png

InvoiceA5165059014.7z: Extracts to: Invoice558727316499528791952132.vbs - Current Virus total detections 6/59*
Payload Security** downloads from one of these hard coded locations in this vbs. (There will be numerous others):
“spazioireos .it/8etyfh3ni?”,
”derainlay .info/p66/8etyfh3ni”,
”turfschiploge .nl/8etyfh3ni?” (VirusTotal 16/65[3])...

 

> Update: current list of known download sites PASTEBIN( a ) thanks to Racco42( b )
a ) https://pastebin.com/ajXf4k0f
b ) https://twitter.com/Racco42

The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1507106667/
Invoice558727316499528791952132.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.29.205.233

3] https://www.virustot...sis/1507107227/

spazioireos .it: 81.29.205.233: https://www.virustot...33/information/

derainlay .info: https://en.wikipedia.../wiki/Fast_flux

turfschiploge .nl: 46.235.43.11: https://www.virustot...11/information/
___

Fake 'Payment Confirmation' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
4 Oct 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments or -links- to download them. I have previously mentioned many of these HERE[1]...
1] https://myonlinesecu.../?s=java adwind

Screenshot: https://myonlinesecu...onfirmation.png

Xpress Money Payment Confirmation.jar (462kb) - Current Virus total detections 16/62*. Payload Security**...
All the links-in-the-email (including the -image- of an XLS file) go to the-same-url (guaranteed to be a compromised site), where all the site content is now about QTUM, a -bitcoin- exchange (I have been seeing several compromised malware delivery sites recently with all their content changed to the QTUM content), to download a zip file:
 http ://restaurantelburladero .com/Xpress Money Payment Confirmation.z (.z is a file extension that many unzipping utilities will extract from, although not commonly used)... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1507035357/
Scan 2017100323 114727.xls Here.JAR

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.58.209.238

restaurantelburladero .com: 5.2.88.79: https://www.virustot...79/information/
> https://www.virustot...1fc97/analysis/
___

'Dnsmasq' - multiple vulnerabilities
> https://www.helpnets.../dnsmasq-flaws/
Oct 3, 2017
> https://www.kb.cert.org/vuls/id/973527
2 Oct 2017
> http://www.securityt....com/id/1039474
Oct 2 2017
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 04 October 2017 - 01:14 PM.



#2033 AplusWebMaster


Posted 05 October 2017 - 04:45 AM

FYI...

Fake 'Payment Advice' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
5 Oct 2017 - "An email with the subject of 'Important – Payment Advice' pretending to come from HSBC but actually coming from a look-a-like domain HSBC <no-reply@ hsbcpaymentadvice .com> or HSBC <no-reply@ hsbcadvice .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... there is a slight formatting problem in Outlook, where the emails arrive with a -blank- body. Reading in plain text or using view source, shows the content...

Screenshot: https://myonlinesecu...dvice_-HSBC.png

SecureMessage.doc - Current Virus total detections 10/59*. Payload Security**
This malware file downloads from
 http ://diga-consult .de/ser1004.png which of course is -not- an image file but a renamed .exe file that gets renamed to aqdccc.exE (VirusTotal 13/65***). An alternative download location is
 http ://hill-familie .de/ser1004.png
This email -attachment- contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...oc_4_Oct_17.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1507166812/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
87.106.222.158
64.182.208.181
194.87.92.191


*** https://www.virustot...sis/1507170157/
ser1004.png

diga-consult .de: 87.106.222.158: https://www.virustot...58/information/
> https://www.virustot...18c0e/analysis/

hill-familie .de: 148.251.5.116: https://www.virustot...16/information/
> https://www.virustot...27ff4/analysis/
 

:ph34r: :ph34r:    <_<




#2034 AplusWebMaster
Posted 06 October 2017 - 06:36 AM

FYI...

Fake 'Payment history' SPAM - delivers Locky
- https://myonlinesecu...d-of-zip-files/
6 Oct 2017 - "... Locky downloaders... an email with the subject of 'Payment history' pretending to come from accounts @ random email addresses and companies... encoding the files today and the so-called 7z attachment is actually a base64 file that needs decoding to get the 7z file, before extracting the VBS...

Screenshot: https://myonlinesecu...locky-email.png

62046_Remittance.7z: decoded from base64 and extracts to: 872042 Remittance.vbs
Current VirusTotal detections 9/60*. Payload Security**
This particular VBS has these URLs hardcoded (there will be loads of others)
 "asheardontheradiogreens .com/uywtfgh36?",
 "thedarkpvp .net/p66/uywtfgh36"
 "2-wave .com/uywtfgh36?" (VirusTotal 14/66[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1507281470/
872042 Remittance.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...sis/1507281734/
freSUUFBdtY.exe

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.223.106.227

asheardontheradiogreens .com: 199.30.241.139: https://www.virustot...39/information/

thedarkpvp .net: https://en.wikipedia.../wiki/Fast_flux

2-wave .com: 209.54.62.81: https://www.virustot...81/information/


Edited by AplusWebMaster, 06 October 2017 - 07:59 AM.



#2035 AplusWebMaster
Posted 09 October 2017 - 05:55 AM

FYI...

Fake 'Remittance Advice' SPAM - delivers Locky
- https://myonlinesecu...t-working-zips/
9 Oct 2017 - "... Locky downloaders... the same email as last Friday* with the subject of 'Your Remittance Advice' pretending to come from accounts @ random email addresses and companies...
* https://myonlinesecu...d-of-zip-files/

Screenshot: https://myonlinesecu...locky-email.png

43699 Remittance.7z: decoded from base64 and extracts to: Invoice IP8729962.vbs
Current VirusTotal detections 6/59*. Payload Security** | This particular VBS has these URLs hardcoded (there will be loads of others)
"anderlaw .com/8734gf3hf?",
"scottfranch .org/p66/8734gf3hf",
"cagliaricity .it/8734gf3hf?" (VirusTotal 13/65***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1507542515/
Invoice IP8729962.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
98.124.251.69

*** https://www.virustot...sis/1507543011/
MEyrCrdQK.exe

anderlaw .com: 98.124.251.69: https://www.virustot...69/information/
> https://www.virustot...a23e9/analysis/

scottfranch .org: https://en.wikipedia.../wiki/Fast_flux

cagliaricity .it: 95.110.196.214: https://www.virustot...14/information/
> https://www.virustot...bc176/analysis/


Edited by AplusWebMaster, 09 October 2017 - 05:56 AM.




#2036 AplusWebMaster
Posted 10 October 2017 - 07:24 AM

FYI...

'FormBook' malware...
- https://www.helpnets...rmbook-malware/
Oct 10, 2017 - "Information stealing FormBook malware is being lobbed at defense contractors, manufacturers and firms in the aerospace sector in the US and South Korea... The malware is delivered via high-volume spam campaigns and email attachments that take the form of:
- DOC/XLS files loaded with malicious macros that initiate the download of FormBook payloads
- Archive files containing FormBook executable files
- PDFs containing links to the tny .im URL-shortening service, which point to FormBook executables hosted on a staging server.
> https://www.helpnets...ok-industry.jpg
... The emails are made to look like they are coming from FedEx and DHL (with the PDF attachment), as emails delivering invoices, price quotations or purchase orders (with the malicious-macros-carrying Office files), and payment confirmations and purchase orders (archive files containing malicious executables)..."

> https://www.fireeye....-campaigns.html
Oct 05, 2017

clicks-track .info: 188.209.52.47: https://www.virustot...47/information/
> https://www.virustot...65654/analysis/


Edited by AplusWebMaster, 10 October 2017 - 07:49 AM.



#2037 AplusWebMaster
Posted 11 October 2017 - 07:31 AM

FYI...

Fake 'Amazon' SPAM - delivers banking trojan
- https://myonlinesecu...banking-trojan/
11 Oct 2017 - "... malware scammers are imitating Amazon Associates to deliver their malware. An email with the subject of coming from 'Amazon Associates Network' <erikam1@ umbc .edu> with a malicious word doc or Excel XLS spreadsheet attachment delivers Cthonic banking trojan. These are coming via a -compromised- umbc .edu email account. All the sites in the malware delivery chain are -compromised- sites...

Screenshot: https://myonlinesecu...twork-email.png

The link-in-the-email goes to a broken link
  ttps ://www.angelbasar .de/skin/form.php it should be
 https ://www.angelbasar .de/skin/form.php where it downloads Your account, statement.docm
Current VirusTotal detections 5/61*. Payload Security**, where you can see the same screenshots as described yesterday, where the content only appears after enabling and allowing macros to run. This malware doc downloads from
 http ://shirtlounge .eu/skin/priv8.exe (VirusTotal 50/62[3]) (Payload Security[4]) Cthonic banking trojan...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1507708534/
bddca74a4da71137b8f780ff9c959a54_doc

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...fe217/analysis/
A.exe

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts


angelbasar .de: 82.165.238.218: https://www.virustot...18/information/
> https://www.virustot...14e3a/analysis/

shirtlounge .eu: 85.214.130.213: https://www.virustot...13/information/
> https://www.virustot...4fd4c/analysis/




#2038 AplusWebMaster
Posted 12 October 2017 - 06:54 AM

FYI...

Equifax website hacked again - redirects to fake Flash update
- https://arstechnica....e-flash-update/
10/12/2017 - "In May credit reporting service Equifax's website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday the site was compromised again, this time to deliver -fraudulent- Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers. Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp :centerbluray .info that looked like this:
> https://cdn.arstechn...first-flash.jpg
... he encountered the -bogus- Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit... The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry* shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security** shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes[3] flagged the centerbluray .info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults .com. In the hour this post was being reported and written, Abrams was unable to reproduce the -redirects- leading to the malicious download. It's possible Equifax has cleaned up its site. It's also possible the attackers have shut down for the night and have the ability to return at will to visit still worse misfortunes on visitors. Equifax representatives didn't respond to an e-mail that included a link to the video and sought comment for this post."
* https://www.virustot...sis/1506995209/
MediaDownloaderIron.exe

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...51cc7/analysis/

centerbluray .info: Could not find an IP address for this domain name...

newcyclevaults .com: Could not find an IP address for this domain name...




#2039 AplusWebMaster
Posted 17 October 2017 - 06:15 AM

FYI...

Fake 'MoneyGram' SPAM - delivers java trojan
- https://myonlinesecu...rs-java-trojan/
27 Oct 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...
The link-in-the-email goes to a zip file which doesn’t extract. However, if you rename the zip to .rar it does...

Screenshot: https://myonlinesecu...ction-Query.png

The link-in-the-email goes to
 http ://analab .it/TransactionQuery_10-16-2017.zip which is actually a .rar file that needs to be renamed to .rar to extract it.
TransactionQuery_10-16-2017.jar (307kb) - Current VirusTotal detections 19/58*. Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...c5185/analysis/
TransactionQuery_10-16-2017.jar

** https://www.hybrid-a...vironmentId=100
DNS Requests
46.183.223.33: https://www.virustot...33/information/

analab .it: 62.149.205.46: https://www.virustot...46/information/
> https://www.virustot...c7ff2/analysis/
___

FBI press releases
> https://www.fbi.gov/news/pressrel

10.17.2017: Twelve People Indicted Installing Credit-Card Skimmers on Gas Pumps in Five States and Stealing Account Information from Thousands

10.17.2017: Two Women, Including Former Associate Dean of Caldwell University, Admit Defrauding Veterans’ G.I. Bill

10.17.2017: Doctor Admits Billing Medicare, Other Insurers $3 Million for Therapy Services Performed by Unqualified Personnel

10.17.2017: New York Man Sentenced to 43 Months in Prison for Robbing Bergen County, New Jersey Bank


Edited by AplusWebMaster, 17 October 2017 - 02:42 PM.

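A pattern that recurs across these posts is an attachment whose extension lies about its contents: a .png that is really an .exe, a .zip that only extracts once renamed to .rar, and a "7z" that is base64 text wrapping the real archive. The check below is an added example, not code from the forum post or from the myonlinesecurity.co.uk write-ups: it identifies an attachment by its leading bytes rather than its name, unwrapping a base64 layer when present. The sample attachments are constructed header bytes named after files mentioned in the posts.

```python
import base64
import binascii
import re

# Leading bytes of the container types the posts mention.
SIGNATURES = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",   # .jar, .docm, .xlsx are zip containers too
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc / .xls
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"MZ": "exe",
}
# What a given claimed extension should look like inside.
EXT_TO_KIND = {"7z": "7z", "rar": "rar", "zip": "zip", "jar": "zip", "docm": "zip",
               "docx": "zip", "xlsx": "zip", "doc": "ole", "xls": "ole",
               "png": "png", "pdf": "pdf", "exe": "exe"}
_B64 = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")

def sniff(data: bytes) -> str:
    """Type by magic bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def unwrap_base64(data: bytes):
    """Decode if the whole body is base64 text (MIME line breaks allowed), else None."""
    body = b"".join(data.split())
    if not _B64.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:
        return None

def classify(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the real container type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, wrapped = sniff(data), False
    if kind == "unknown":
        inner = unwrap_base64(data)
        if inner is not None and sniff(inner) != "unknown":
            kind, wrapped = sniff(inner), True
    mismatch = wrapped or kind != EXT_TO_KIND.get(ext, ext)
    return {"claimed": ext, "actual": kind, "base64_wrapped": wrapped, "mismatch": mismatch}

# Constructed samples (header bytes only), modelled on the cases in the posts.
SAMPLES = {
    "ser1004.png": b"MZ\x90\x00" + b"\x00" * 28,                            # renamed .exe
    "TransactionQuery_10-16-2017.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 25,  # really RAR
    "62046_Remittance.7z": base64.b64encode(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26) + b"\r\n",
    "Your account, statement.docm": b"PK\x03\x04" + b"\x00" * 28,           # genuine OOXML
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(name, blob))
```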


#2040 AplusWebMaster
Posted 18 October 2017 - 07:46 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky or Trickbot
- https://myonlinesecu...ky-or-trickbot/
18 Oct 2017 - "... downloaders from the Necurs botnet that deliver Locky ransomware or Trickbot banking trojan... I saw a few twitter links leading to this post on Bleeping Computer[1] saying that Locky (Necurs Downloaders) will take screenshots of the “victim’s” computer and send back error messages to base... Today's is an email pretending to come from invoicing@ random names and email addresses, with a subject like 'Invoice 009863361 10.18.2017' where the numbers are random, with a blank/empty body...
One of the emails looks like:
From: Invoicing <Invoicing@ random name>
Date: Wed 18/10/2017 10:27
Subject: Invoice 009863361 10.18.2017
Attachment: Invoice 009863361 10.18.2017.7z
Body content:
    totally empty blank


1] https://www.bleeping...runtime-errors/
Oct 17, 2017
> https://www.symantec...ee-your-desktop
17 Oct 2017 - "... Beware of strangers offering fake invoices..."

Invoice 009863361 10.18.2017.7z: Extracts to: Invoice 364776483 10.18.2017.vbs
Current VirusTotal detections 10/56[2]. Payload Security[3] | JoeSandbox[4].
Thanks to various Twitter contacts (my grateful thanks to them all for their hard work and expert knowledge) we have some download sites delivering Locky ransomware using USA IP numbers - VirusTotal 17/56[5]. Payload Security[6] from these locations:
dbatee .gr/niv785yg
goliathstoneindustries .com/niv785yg
3overpar .com/niv785yg
pciholog .ru/niv785yg
disfrance .net/p66/niv785yg
JoeSandbox was given a different binary (sandbox pcap) that is a totally different size (VirusTotal 17/66[7]) (Payload Security[8]); it looks like the file must have been cut off during download. Using a different UK IP number, one researcher was given Trickbot banking trojan (VirusTotal 21/66[9]) (Payload Security[10]) from:
envi-herzog .de/iuty56g
pac-provider .com/iuty56g
pesonamas .co.id/iuty56g
disfrance .net/p66/iuty56g
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
2] https://www.virustot...sis/1508316046/
Invoice 364776483 10.18.2017.vbs

3] https://www.hybrid-a...vironmentId=100
DNS Requests
49.51.134.78
Contacted Hosts
49.51.134.78

4] https://jbxcloud.joe...s/390019/1/html

5] https://www.virustot...fe484/analysis/

6] https://www.hybrid-a...vironmentId=100

7] https://www.virustot...fe484/analysis/

8] https://www.hybrid-a...vironmentId=100

9] https://www.virustot...1564b/analysis/

10] https://www.hybrid-a...vironmentId=100


Edited by AplusWebMaster, 18 October 2017 - 01:49 PM.

