FYI...
Fake HMRC "VAT Return" SPAM
- http://blog.dynamoo....eturn-spam.html
6 Feb 2014 - "This -fake- HMRC spam comes with a malicious attachment:
Date: Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
From: "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
Subject: Successful Receipt of Online Submission for Reference 3608005
Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100 and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free...
... this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50*. Automated analysis tools... show an encrypted file** being downloaded from:
[donotclick]wahidexpress .com/scripts/ie.enc
[donotclick]bsitacademy.com/img/events/ie.enc
Recommended blocklist:
182.18.188.191
wahidexpress .com
bsitacademy .com
* https://www.virustot...sis/1391686048/
** http://blog.crysys.h...enc-encryption/
Update: A -second- version of the email is circulating with the following body text:
The submission for reference 485/GB1392709 was successfully received and was not
processed.
Check attached copy for more information.
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
___
Fake "TNT UK Limited" SPAM - zero detections
- http://blog.dynamoo....-with-zero.html
6 Feb 2014 - This -fake- TNT spam comes with a malicious attachment that is currently not detected by any AV vendors.
Date: Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]
From: TNT COURIER SERVICE [tracking@ tnt .co .uk]
Subject: TNT UK Limited - Package tracking 798950432737
Your package have been picked up and is ready for dispatch.
Connote # : 798950432737
Service Type : Export Non Documents - Intl
Shipped on : 05 Feb 14 00:00
Order No : 2819122
Status : Driver's Return Description : Wrong Address
Service Options: You are required to select a service option below.
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 798950432737
The options, together with their associated conditions...
Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41*. Despite the zero detection rate, there is plenty of badness going on... including downloads of an encrypted file from the following locations:
[donotclick]newz24x .com/wp-content/uploads/2014/02/pdf.enc
[donotclick]oilwellme .com/images/banners/pdf.enc
The Malwr report** indicates lots of IPs being communicated with, some of these look like Cloudflare addresses where newz24x .com is hosted. Take care with these if you are thinking about blocking them.
Recommended blocklist:
182.18.151.160
newz24x .com
oilwellme .com "
* https://www.virustot...sis/1391684255/
** https://malwr.com/an...WUxZGU3YTljNDk/
___
Visa/MasterCard Important Notification Spam
- http://threattrack.t...tification-spam
Feb 6, 2014 - "Subjects Seen:
ATTN: Important notification for a Visa / MasterCard holder!
Typical e-mail details:
Dear <email name>, Your Bank debit card has been temporarily blocked
We’ve detected unusual activity on your Bank debit card . Your debit card has been temporarily blocked, please fill document in attachment and contact us
Malicious File Name and MD5:
<email name>_Account_Report_7552804B13.zip (F08171CEF69EFD04CFC0F525ABD862FD)
PDF_Account_Details_User_543857394652798346597456987235986498756234798573280945-4353452345-32453245324532-45.pdf.exe (A1E61D4628E8381F47CE2E8424410A39)
Screenshot: https://31.media.tum...l4t81r6pupn.png
Tagged: Visa, MasterCard, Tepfer
___
Swedish newssite compromised - Fake AV
- http://bartblaze.blo...ompromised.html
Feb 6, 2014 - "... a Swedish and well-visited news site, AftonBladet (http ://www .aftonbladet .se), was -compromised- and serving visitors a fake antivirus or rogueware. There are two possibilities as to the cause:
- A (rotating) ad where malicious Javascript was injected
- AftonBladet itself had malicious Javascript injected
Whatever the cause, the injected script may have been as simple as:
document.write('< script src=http ://http ://www .aftonbladet .se/article/mal.php');
When trying to reproduce, it appeared it already was cleaned up, fast actions there...
File: svc-ddrs.exe
Image icon: https://lh3.ggpht.co...6Ok/s1600/1.png
Size: 1084416 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: be886eb66cc39b0bbf3b237b476633a5
SHA1: 36c3671f37f414ad6e0954e094a1a7bd0dcc34fc
ssdeep: 24576:M2xJbbGmTvmN9BfQ0lc4Bt4Xsk2QkibF5BOWe8JH0:M6bb3MQ0lc434n2Qhh5kWe8JU
Date: 0x52F1C3E1 [Wed Feb 5 04:53:53 2014 UTC]
EP: 0x5a8090 UPX1 1/3 [SUSPICIOUS]
CRC: Claimed: 0x0, Actual: 0x10eeb0 [SUSPICIOUS]
Packers: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
VirusTotal: https://www.virustot...d2dd0/analysis/
Anubis: http://anubis.isecla...ae2&format=html
When executing the sample: Windows Efficiency Master:
> https://lh3.ggpht.co...600/fakeav2.PNG
Fake scanning results:
> https://lh3.ggpht.co...1600/FakeAV.PNG
Besides dropping the usual EXE file in the %appdata% folder, it also drops a data.sec file with predefined scanning results (all fake obviously). Here's a pastebin with the contents of data.sec: http://pastebin.com/DCtDWEbi
It also performs the usual actions:
- Usual blocking of EXE and other files
- Usual blocking of browser like Internet Explorer
- Callback to 93.115.86.197 C&C
- Stops several antivirus services and prevents them from running
- Reboots initially to stop certain logging and monitoring tools
- Uses mshta.exe (which executes HTML application files) for the usual payment screen
- Packed with UPX, so fairly easy to unpack
- Connects to http ://checkip .dyndns .org/ to determine -your- IP
This rogueware or fake AV belongs to the Tritax family, which has been going around for quite some time and has lots and lots of different names, but the design, concept and initial social engineering attack are all the same... an excellent post on this family, which you can read here:
> http://blog.0x3a.com...ly-their-active
Prevention: In this case, no exploit -nor Java/Adobe, nor browser- was used. Only Javascript was injected. Install an antivirus and antimalware product and keep it up-to-date & running. Use NoScript in Firefox or NotScripts in Chrome. -Block- the above IP...
Disinfection: Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware. If you are having issues doing this, reboot your machine in Safe Mode and remove the malware..."
___
Payroll Report Spam
- http://threattrack.t...oll-report-spam
Feb 5, 2014 - "Subjects Seen:
Jan Report
Typical e-mail details:
Hello ,
Please find attached reports for this year for checking.
Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission.
Kind regards
Wilton
Payroll Manager
Malicious File Name and MD5:
January.zip (F261B2109FD733559191CCCB7DEC79F8)
January.scr (811AD8F76AD489BAF15DB72306BD9F34)
Screenshot: https://31.media.tum...xUm21r6pupn.png
Tagged: Payroll, Upatre
___
Fake "Payment Fund" SPAM - Wire.Transfer.rar attachment
- http://blog.dynamoo....ransferrar.html
5 Feb 2014 - "It's rare to see malware with a .RAR attachment, but this is one of those unusual beasts..
From: Alison George allison.george@ transferduc .nl
Date: 5 February 2014 22:41
Subject: Payment Fund
ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
to your bank confirmed by the FedWire.
Transaction ID: 99076900
Date: 2/3/2014
Transfer Origination: Fedline
Please review the attached copy of transaction report,
Federal Reserve Financial Services
Creating Nationwide Solutions for Your Payment Needs
20th Street and Constitution Avenue N.W.
Washington, D.C. 20551
Attached is a file Wire.Transfer.rar which you will need to unpack with a suitable application. In turn this creates a file Wire-Report which is actually an executable, but missing the .exe extension.. so you have to add that to get infected. Hmmm.. the phrase "some assembly required" springs to mind. The VirusTotal detection rate is 7/50* but most automated analysis tools seem to be having problems with the executable, so perhaps it is hardened against analysis or is simply corrupt. The ThreatExpert report (for some reason -not- showing in their database right now) has the following details:
Submission Summary:
Submission details:
Submission received: 5 February 2014, 04:39:38 PM
Processing time: 6 min 0 sec
Submitted sample:
File MD5: 0x12F1265162AAD712C271DAC6A9B5E564
Filesize: 248,320 bytes
Summary of the findings:
What's been found Severity Level
Creates a startup registry entry.
Technical Details:
Memory Modifications
There was a new process created in the system:
Process Name Process Filename Main Module Size
server.exe %Temp%\server.exe 57,344 bytes
Registry Modifications
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
so that %Temp%\server.exe runs every time Windows starts
[HKEY_CURRENT_USER\Environment]
SEE_MASK_NOZONECHECKS = "1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
5PmM1jWi05 = "%AppData%\y183imD2\java.exe.lnk"
babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
so that %Temp%\server.exe runs every time Windows starts
Other details
To mark the presence in the system, the following Mutex object was created:
babe8364d0b44de2ea6e4bcccd70281e "
* https://www.virustot...sis/1391640427/
Edited by AplusWebMaster, 06 February 2014 - 06:40 PM.
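A defender-side check that ties together the attachment pattern running through these reports (Reference.scr, Label02062014.scr, January.scr, and the extension-less Wire-Report): this is an added example, not code from any of the quoted blogs, that scans a zip attachment for PE executables no matter what extension they carry. The archive and the MZ/PE header bytes are constructed for the demo; a real RAR attachment like Wire.Transfer.rar would need a third-party module such as rarfile.

```python
import io
import struct
import zipfile

# Extensions Windows will execute; .scr is the one abused in every sample above.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_archive(zip_bytes: bytes):
    """Return (member_name, reason) for each member that is a PE file or has an executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(4096)  # the header is enough to classify the member
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if is_pe(head):
                findings.append((info.filename, "PE executable (regardless of extension)"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((info.filename, f"executable extension {ext}"))
    return findings

def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE header (not real malware): e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 32

def build_sample_zip() -> bytes:
    """Constructed archive mimicking the reports: a .scr PE, an extension-less PE and a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Reference.scr", _fake_pe())  # as in the HMRC sample
        zf.writestr("Wire-Report", _fake_pe())    # as in the extension-less RAR payload
        zf.writestr("invoice.txt", b"plain text, not executable")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in scan_archive(build_sample_zip()):
        print(f"{member}: {reason}")
```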