
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1411 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 09 March 2015 - 07:32 AM

FYI...

Fake 'Statement' SPAM - doc malware
- http://myonlinesecur...ke-pdf-malware/
9 Mar 2015 - "'Statement from MARKETING & TECHNOLOGY GROUP, INC. pretending to come from TECHNOLOGY GROUP <rwilborn@ mtgmediagroup .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer :
Your statement is attached. Please remit payment at your
earliest convenience.
Thank you for your business – we appreciate it very
much.
Sincerely,
MARKETING & TECHNOLOGY GROUP, INC


9 March 2015: docs2015.zip: Extracts to: docs2015.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425899308/
___

Fake 'Credit Application' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Mar 2015 - "'Emailing: Serv-Ware Credit Application.pdf' with a zip attachment pretending to come from clint@ servware .com is another one from the current bot runs... The email looks like:

Thanks,
Clint Winstead
Manager
Serv-Ware Products
clint@ servware .com
phone: 800.768.5953
fax   : 800.976.1299 ...


9 March 2015: Serv-WareCreditApplication.zip: Extracts to: Serv-WareCreditApplication.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425915088/
... Behavioural information
TCP connections
75.127.114.162: https://www.virustot...62/information/
UDP communications
77.72.174.163: https://www.virustot...63/information/
77.72.174.162: https://www.virustot...62/information/
___

Paypal PHISH
- http://myonlinesecur...ow-phishing/
8 Mar 2015 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
    Confirmation of Order
    your PayPal account is limited – take action now


Screenshot: http://myonlinesecur...-action-now.png

This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 09 March 2015 - 10:24 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
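The "spoofed icon" trick in the post above, where docs2015.exe shows up as a PDF once Windows hides known extensions, can be caught before anyone double-clicks. This is an added example, not code from the forum post or the myonlinesecurity write-up: it lists the members of a zip attachment and flags executable extensions, decoy double extensions and PE content; the sample archive and its two-byte "MZ" stand-in payloads are constructed inline from the filenames quoted in this thread.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions Windows will execute directly; .scr (screensaver) is a plain PE executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document/media extensions attackers put in front of the real one (MSG00311.WAV.exe).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".mp3", ".mp4", ".txt", ".jpg"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows PE file


def check_member_name(name: str) -> List[str]:
    """Return the reasons a zip member name looks like a disguised executable."""
    reasons: List[str] = []
    base = os.path.basename(name.replace("\\", "/"))
    stem, last = os.path.splitext(base)
    last = last.lower()
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension " + last)
        _, decoy = os.path.splitext(stem)       # the extension the user is meant to see
        if decoy.lower() in DECOY_EXTS:
            reasons.append("decoy extension " + decoy.lower() + " before " + last)
    return reasons


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Inspect every member of an in-memory zip and report the suspicious ones.

    The name check catches the social-engineering trick; the header check catches a
    PE that was simply renamed to something harmless (a '.pdf' that starts with MZ).
    """
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = check_member_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                reasons.append("PE header (MZ) in content")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive using member names quoted in this thread.

    The 'MZ' payloads are two-byte stand-ins, not real binaries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs2015.exe", b"MZ\x90\x00")            # bare .exe carrying a PDF icon
        zf.writestr("INVOICE_89371.PDF.exe", b"MZ\x90\x00")   # double extension
        zf.writestr("MSG00311.WAV.exe", b"MZ\x90\x00")        # "voicemail" lure
        zf.writestr("Ref_AN004LO87.scr", b"MZ\x90\x00")       # .scr is still a PE
        zf.writestr("statement.pdf", b"MZ\x90\x00")           # PE renamed to .pdf
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```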



#1412 AplusWebMaster


Posted 10 March 2015 - 09:00 AM

FYI...

Fake 'PMQ agreement' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 Mar 2015 - "'2015 PMQ agreement' pretending to come from linda@ pmq .com with a zip attachment is another one from the current bot runs... The email looks like:
HI
I have Not received your signed contract for the 2015 ad campaign. If you would please sign and return.
Thank you
Linda

Watch our 2015 PMQ Media Kit here ...
PMQ Pizza Magazine
Linda Green / Co-Publisher
(662)234-5481 ext 121 / linda.pmq@ gmail .com
cell (662)801-5495
PMQ Pizza Magazine Office: 662-234-5481 x121 / Fax: 662-234-0665
605 Edison Street, Oxford, MS 38655 ...
Don’t forget to renew your subscription to the magazine at ...


10 March 2015 : American_Wholesale.zip: Extracts to: American_Wholesale.exe
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425997192/
... Behavioural information
___

Apple Watch Giveaway Spam Clocks In on Twitter
- https://blog.malware...-in-on-twitter/
Mar 10, 2015 - "Twitter users should be aware that mentioning the new Apple Watch could result in -spam- headed their way:
> https://blog.malware...3/watchspm0.jpg
... The so-called Apple Giveaways profile says the following in its Bio space:
> https://blog.malware...3/watchspm6.jpg
It may sound promising, but what follows is a semi-exhausting jaunt around a couple of different websites with instructions to follow along the way... What we do end up with is a wall of text on a Facebook page with some very specific hoops to jump through in order to obtain the watch... they claim they’ll direct message within 72 hours with a “confirmation link”. The creation date for the website is listed as March 9th, and the Whois details are hidden behind a Whoisguard so there’s no way to know who you’re sending your information to... this seems like a long shot in terms of “winning” the incredibly expensive watch..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 10 March 2015 - 12:39 PM.



#1413 AplusWebMaster


Posted 11 March 2015 - 06:38 AM

FYI...

Fake 'Tax rebate' SPAM – doc or xls malware
- http://myonlinesecur...dsheet-malware/
11 Mar 2015 - "'Your Tax rebate' pretending to come from HMRC Revenue&Customs with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
HM revenue
Dear ...
After the last yearly computations of your financial functioning we have defined that you
have the right to obtain a tax rebate of 934.80.
Please confirm the tax rebate claim and permit us have
6-9 days so that we execute it.
A rebate can be postponed for a variety of reasons.
For instance confirming unfounded data or applying
not in time.
To access the form for your tax rebate, view the report attached. Document Reference: (983EMI).
Regards,
HM Revenue Service. We apologize for the inconvenience...


The malware payload with this template is the same as today’s "Your Remittance Advice [FPAEEKBYQU] – Word doc malware"* . So far I am only seeing 1 version of this malware..."
* http://myonlinesecur...rd-doc-malware/

- http://blog.dynamoo....nce-advice.html
11 Mar 2015
"... Recommended blocklist:
"
___

Fake 'Remittance' SPAM - doc or xml malware
- http://myonlinesecur...rd-doc-malware/
11 Mar 2015 - "'Your Remittance Advice [FPAEEKBYQU] (random characters)' coming from random names and email addresses with a malicious word doc or xml attachment is another one from the current bot runs... The email looks like:
Good Morning,
Please find attached the BACS Remittance Advice for payment made by FORUM ENERGY.
Please note this may show on your account as a payment reference of FPANJRCXFM.
Kind Regards
Marilyn Aguilar
Accounts Payable


11 March 2015 : Rem_7656CN.xml - Current Virus total detections: 2/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426068203/
___

Fake blank body SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
11 Mar 2015 - "'inv.09.03' pretending to come from Jora Service <jora.service@ yahoo .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally empty body with just the attachment.

11 March 2015 : INV 86-09.03.2015.doc - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
* https://www.virustot...sis/1426067908/
___

Fake 'admin.scanner' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
11 Mar 2015 - "'Message from RNP0026735991E2' pretending to come from admin.scanner@ <your own email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    This E-mail was sent from “RNP0026735991E2″ (MP C305).
     Scan Date: 11.03.2015 08:57:25 (+0100)
    Queries to: admin.scanner@ ...


11 March 2015 : 201503071457.xls - Current Virus total detections: 0/56*
This looks like it is the same malware payload as today’s 'inv.09.03 Jora Service' – word doc or excel xls spreadsheet malware**..."
* https://www.virustot...sis/1426068752/

** http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....ssage-from.html
11 Mar 2015
"... Recommended blocklist:
"
___

Fake 'Rate Increase' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Mar 2015 - "'Please' pretending to come from Phoenix <phoenix@ pnjinternational .com> with a zip attachment is another one from the current bot runs... The email looks like:
Good Afternoon,
Please find attached notice regarding carriers pre-filing for an additional General Rate Increase for effective date of April 9, 2015. Please note, we are advising you of this filing in order to comply with FMC regulations. However, we feel it is unlikely that the carriers will be successful in implementing this increase, especially since the March 9th GRI has already been postponed to March 17th.  We will continue to keep you updated as we receive additional information pertaining to these filed rate increases.
Phoenix Zhang-Shin
Director
P & J International Ltd
Calverley House, 55 Calverley Road
Tunbridge Wells, Kent, UK TN1 2TU ...


11 March 2015: documents-id323.zip: Extracts to: documents-id323.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426081018/
... Behavioural information
___

Fake Voicemail SPAM - malicious attachment
- http://blog.dynamoo....il-message.html
11 Mar 2015 - "When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
     From:     Voicemail admin@ victimdomain
    Date:     11/03/2015 11:48
    Subject:     Voicemail Message (07813297716) From:07813297716
    IP Office Voicemail redirected message
    Attachment: MSG00311.WAV.ZIP


The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57*. According to the Malwr report, it pulls down another executable and some config files from:
http ://wqg64j0ei .homepage.t-online .de/data/log.exe
http ://cosmeticvet .su/conlib.php
This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicious macros rather than EXE-in-ZIP attacks.
The executable it drops has a detection rate of 2/54**... Malwr reports ... show a further component download from:
http ://muscleshop15 .ru/js/jre.exe
http ://test1.thienduongweb .com/js/jre.exe
This component has a detection rate of 5/57***. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57**** which is the same Dridex binary we've been seeing all day. Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:
... Recommended blocklist:
"
* https://www.virustot...sis/1426091260/

** https://www.virustot...sis/1426091556/

*** https://www.virustot...sis/1426092316/

**** https://www.virustot...sis/1426093429/
 

:ph34r:  <_<


Edited by AplusWebMaster, 11 March 2015 - 01:30 PM.



#1414 AplusWebMaster


Posted 12 March 2015 - 06:25 AM

FYI...

Fake Invoice SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
12 Mar 2015 - "'Invoice [random numbers] for payment to <random company>' coming from random names and companies with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a totally blank body and just a word or excel attachment with a random name...

11 March 2015 : 6780MHH.doc - Current Virus total detections: 0/56*
... which connects to & downloads https ://92.63.88.102 /api/gb1.exe which in turn is saved as %temp%\dsfsdfsdf.exe (virus total**). So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426151513/

** https://www.virustot...sis/1426156982/
... Behavioural information
TCP connections
95.163.121.33: https://www.virustot...33/information/

92.63.88.102: https://www.virustot...02/information/

- http://blog.dynamoo....234xyz-for.html
12 March 2015
"...Recommended blocklist:
95.163.121.0/24
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
85.143.166.0/24
"
___

Fake Voicemail SPAM - malware
- http://myonlinesecur...e-mail-malware/
12 Mar 2015 - "'You have received a voice mail' pretending to come from Voicemail Report <no-reply@ voicemail-delivery .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-voice-mail.png

12 March 2015: VOICE8411-263-481.zip: Extracts to: VOICE8411-263-481.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper sound file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426165959/
___

Facebook Worm variant leverages Multiple Cloud Services
- https://blog.malware...cloud-services/
Mar 12, 2015 - "... We came across a worm that we think belongs to the -Kilim- family and whose purpose is to compromise a user and spread via Facebook. The lure is the promise of pornographic material that comes as what appears to be a video file named Videos_New.mp4_2942281629029.exe, which in reality is a malicious program. Once infected, the victim spreads the worm to all of his contacts and groups that he belongs to... The bad guys have built a multi-layer redirection architecture that uses the ow.ly URL shortener, Amazon Web Services and Box.com cloud storage.
> https://blog.malware...015/03/flow.png
... We identified three domains involved in the configuration and update mechanism for the worm:
- videomasars .healthcare | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
- porschealacam .com | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
- hahahahaa .com | Enom, whoisguard Protected, Panama |AS13335 CLOUDFLARENET
... This is a malicious file (Trojan) hosted on the popular cloud storage Box. Malwarebytes Anti-Malware detects it as Trojan.Agent.ED (VirusTotal link*). This binary is responsible for downloading additional resources (the worm component) from another resource (porschealacam .com). Here we find a malicious Chrome extension (VirusTotal link**) and additional binaries (scvhost.exe*** and son.exe****). Additional code is retrieved by the piece of malware (perhaps in case the user does not have the Chrome browser) from a third site, hahahahaa .com, to spread the worm via Facebook ... a rogue Chrome extension is injected but that is not all. The malware also creates a shortcut for Chrome that actually launches a malicious app in the browser directly to the Facebook website... In this ‘modified’ browser, attackers have full control to capture all user activity but also to restrict certain features. For example, they have disabled the extensions page that one can normally access by typing chrome://extensions/, possibly in an attempt to -not- let the user disable or remove the malicious extension. Clearly, the crooks behind this Facebook worm have gone to great lengths to anonymize themselves but also to go around browser protection by creating their own booby-trapped version.
We have reported the various URLs to their respective owners and some have already been shut down. However, we still urge caution before clicking on any link that promises free prizes or sensational items. Once again the bad guys are leveraging human nature and while we do not know how many people fell for this threat, we can guess that it most likely affected a significant number of Facebook users."
(More detail at the malwarebytes URL above.)
* https://www.virustot...sis/1426093312/

** https://www.virustot...sis/1426051972/

*** https://www.virustot...sis/1426093308/

**** https://www.virustot...sis/1426093310/

91.121.114.211: https://www.virustot...11/information/
 

:ph34r:  <_<


Edited by AplusWebMaster, 12 March 2015 - 03:11 PM.



#1415 AplusWebMaster


Posted 13 March 2015 - 07:38 AM

FYI...

Malware targets home networks/router
- https://isc.sans.edu...l?storyid=19463
2015-03-13 - "Malware researchers at Trend Micro* have analyzed malware that connects to the home router, scans the home network, then sends the gathered information to C&C before deleting itself. TROJ_VICEPASS.A** pretends to be an Adobe Flash update; once it's run it will attempt to connect to the home router admin console using a predefined list of user names and passwords. If it succeeds, the malware will scan the network for connected devices. The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11 - this IP range is hard-coded. Once the scans finish it will encode the result using Base64 and encrypt it using a self-made encryption method. The encrypted result will be sent to a C&C server via HTTP protocol. After sending the results to the Command and Control server (C&C), it will delete itself from the victim’s computer... This type of malware infection can be avoided using very basic security techniques such as downloading updated software from trusted sources only and changing the default password."
* http://blog.trendmic...r-home-network/
Mar 9, 2015 - "... We recently came across one malware, detected as TROJ_VICEPASS.A**, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it will send the information to a command-and-control (C&C) server and delete itself from the computer:
Infection chain:
> http://blog.trendmic...3/vicepass1.png
Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update...
Site hosting fake Adobe Flash update:
> http://blog.trendmic...3/vicepass2.png
Fake Flash update:
> http://blog.trendmic...3/vicepass3.png
Once the malware is executed, it attempts to connect to the connected router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices... The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, which are IP addresses which are assigned by home routers. The target range is hard-coded. A look at the internal log format reveals such:
    Find router IP address – start
    Searching in 192.168.0.0 – 192.168.0.11
    [0] connect to 192.168. 0.0
    URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’
    …. (skip)
    Find router IP address – end
We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices cannot have an HTTP open panel. However, it should be noted that the strings focus more on routers..."
(More detail at the trendmicro URLs, including usernames and passwords.)
** http://www.trendmicr...troj_vicepass.a
___

Fake Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
13 Mar 2015 - "'Penta Foods Invoice: 2262004' pretending to come from cc446@ pentafoods .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached invoice : 2262004
    Any queries please contact us.
   —
    Automated mail message produced by DbMail.
    Registered to Penta Foods, License MBA2009357.


13 March 2015 : R-1179776.doc - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426236749/

- http://blog.dynamoo....om-invoice.html
13 Mar 2015
"... Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12
"
___

More Fake Invoice SPAM - malware
- http://blog.dynamoo....032015-for.html
13 March 2015 - "There is a -series- of malware spams in progress in the following format:
Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC


Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run[1] yesterday and one new one with zero detections* which contains (a) malicious macro, which downloads another component from:
http ://95.163.121.186 /api/gbb1.exe
This is saved as %TEMP%\GHjkdfg.exe ... this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53** and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood. The binary also drops a malicious Dridex DLL with a detection rate of 5/56***. This is the same DLL as used in this spam run[2] earlier today.
Recommended blocklist:
95.163.121.0/24 "
* https://www.virustot...sis/1426257108/

** https://www.virustot...sis/1426254512/

*** https://www.virustot...sis/1426257698/

1] http://blog.dynamoo....234xyz-for.html

2] http://blog.dynamoo....om-invoice.html

95.163.121.186: https://www.virustot...86/information/

95.163.121.33: https://www.virustot...33/information/
___

Upatre update: infection chain and affected countries
- http://blogs.technet...-countries.aspx
12 Mar 2015 - "... Detection rates for these countries are as follows:
> http://www.microsoft...UpatreTable.jpg "
 

:ph34r: :ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 14 March 2015 - 03:05 PM.

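The hard-coded sweep in the Trend Micro write-up above (HTTP probes to 192.168.[0-6].0-11) is a usable network fingerprint for defenders. This added example, not code from ISC, Trend Micro or the forum, builds that exact target set and flags any internal host that hits a full row of it over HTTP; the "timestamp src dst dport" connection log, the HTTP ports and the threshold are constructed assumptions, not a real firewall format.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# The hard-coded sweep described above: 192.168.0.0-192.168.0.11 up to 192.168.6.0-192.168.6.11.
VICEPASS_TARGETS: Set[ipaddress.IPv4Address] = {
    ipaddress.IPv4Address(f"192.168.{third}.{host}")
    for third in range(0, 7)
    for host in range(0, 12)
}
HTTP_PORTS = {80, 8080}          # assumption: the probes use the usual HTTP ports
MIN_DISTINCT_TARGETS = 12        # assumption: one full x.0-x.11 row of the sweep


def parse_line(line: str) -> Tuple[str, str, int]:
    """Parse a constructed 'timestamp src dst dport' record into (src, dst, dport)."""
    _ts, src, dst, dport = line.split()
    return src, dst, int(dport)


def vicepass_sweeps(lines: List[str]) -> Dict[str, List[str]]:
    """Return {source: [targets...]} for sources that hit enough of the hard-coded range."""
    hits: Dict[str, Set[ipaddress.IPv4Address]] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        src, dst, dport = parse_line(line)
        if dport not in HTTP_PORTS:
            continue
        try:
            dst_ip = ipaddress.IPv4Address(dst)
        except ValueError:       # hostnames or garbage are not part of this fingerprint
            continue
        if dst_ip in VICEPASS_TARGETS:
            hits[src].add(dst_ip)
    return {
        src: [str(ip) for ip in sorted(targets)]   # sort as addresses, not as strings
        for src, targets in hits.items()
        if len(targets) >= MIN_DISTINCT_TARGETS
    }


def build_sample_log() -> List[str]:
    """Constructed log: 192.168.1.20 sweeps two rows of the range; 192.168.1.15 behaves normally."""
    lines: List[str] = []
    second = 0
    for third in (0, 1):
        for host in range(12):
            lines.append(f"2015-03-13T09:00:{second:02d} 192.168.1.20 192.168.{third}.{host} 80")
            second += 1
    lines.append("2015-03-13T09:01:00 192.168.1.15 192.168.1.1 80")    # a user opening the router UI
    lines.append("2015-03-13T09:01:05 192.168.1.15 203.0.113.10 443")  # ordinary outbound HTTPS
    lines.append("2015-03-13T09:01:09 192.168.1.20 192.168.0.3 22")    # SSH, not part of the HTTP sweep
    return lines


if __name__ == "__main__":
    for src, targets in vicepass_sweeps(build_sample_log()).items():
        print(f"{src} probed {len(targets)} addresses in the VICEPASS range: "
              f"{targets[0]} .. {targets[-1]}")
```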
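The Dynamoo "Recommended blocklist" entries quoted in this post and the previous one (12 and 13 March) repeat and overlap from day to day. As an added example, not code from the forum or the Dynamoo posts, this merges them into one collapsed set and checks the addresses those same posts report the payloads contacting; the entries and observed IPs are the ones quoted on the page, except 203.0.113.1, a constructed control value.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# Entries exactly as quoted in the Dynamoo excerpts on this page.
BLOCKLIST_12_MAR = ["95.163.121.0/24", "92.63.82.0/23", "92.63.84.0/22",
                    "92.63.88.0/24", "85.143.166.0/24"]
BLOCKLIST_13_MAR_INVOICE = ["62.76.179.44", "212.69.172.187", "78.129.153.12"]
BLOCKLIST_13_MAR_SERIES = ["95.163.121.0/24"]

# Addresses the posts report the payloads talking to, plus one constructed control.
OBSERVED = ["95.163.121.33", "92.63.88.102", "95.163.121.186", "203.0.113.1"]


def parse_blocklist(entries: Iterable[str]) -> List[IPv4Net]:
    """Accept bare IPs and CIDR strings; a bare IP becomes a /32 network."""
    nets: List[IPv4Net] = []
    for raw in entries:
        raw = raw.strip()
        if raw:
            nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def merge_blocklists(*lists: Iterable[str]) -> List[IPv4Net]:
    """Union the daily lists, dropping duplicates and entries covered by a wider CIDR.

    collapse_addresses only joins neighbours that form an aligned supernet, so the
    three 92.63.x ranges stay separate while the repeated /24 is kept once.
    """
    nets: List[IPv4Net] = []
    for entries in lists:
        nets.extend(parse_blocklist(entries))
    return list(ipaddress.collapse_addresses(nets))


def match_ip(ip: str, nets: List[IPv4Net]) -> Optional[IPv4Net]:
    """Return the blocklist network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def check_observed(observed: Iterable[str], nets: List[IPv4Net]) -> Dict[str, Optional[str]]:
    """Map each observed address to the blocklist entry that covers it (or None)."""
    result: Dict[str, Optional[str]] = {}
    for ip in observed:
        net = match_ip(ip, nets)
        result[ip] = str(net) if net is not None else None
    return result


if __name__ == "__main__":
    merged = merge_blocklists(BLOCKLIST_12_MAR, BLOCKLIST_13_MAR_INVOICE, BLOCKLIST_13_MAR_SERIES)
    print("merged blocklist:", [str(n) for n in merged])
    for ip, net in check_observed(OBSERVED, merged).items():
        print(f"{ip}: {'covered by ' + net if net else 'not listed'}")
```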


#1416 AplusWebMaster


Posted 14 March 2015 - 02:29 PM

FYI...

Quttera - false positives everywhere
- http://blog.dynamoo....-positives.html
14 Mar 2015 - "By chance, I found out that my blog had been blacklisted by Quttera[1]. No big deal, because it happens from time-to-time due to the nature of the content on the site. But I discovered that it isn't just my blog, but Quttera also blocks industry-leading sites such as Cisco*, VMWare, Sophos, MITRE, AVG and Phishtank...
* https://1.bp.blogspo...o-blacklist.png
... Now, you can ask Quttera to unblacklist your site for -free- by raising a ticket[2] but the most prominent link leads to a paid service for £60/year. Hmmm.
> https://4.bp.blogspo...600/quttera.png
I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use, some of these sites should obviously be whitelisted. Quttera also doesn't understand the difference between a malicious domain or IP being mentioned and such a site being linked to or injected into a site. I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments..."
1] http://www.quttera.com/

2] https://helpdesk.quttera.com/open.php
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 14 March 2015 - 02:31 PM.



#1417 AplusWebMaster


Posted 16 March 2015 - 07:27 AM

FYI..

Fake Invoice SPAM - PDF malware
- http://myonlinesecur...n-sons-malware/
16 Mar 2015 - "'CREDIT 89371' pretending to come from JamesKernohanandSons <jkernohans62244@ hotmail .com> with a zip attachment is supposed to be another one from the current bot runs...
Screenshot: http://myonlinesecur...REDIT-89371.png

... Update: ... the attached word doc is malicious... It connects to 212.143.213.133 /content/js/bin.exe (Virus Total*)... Further update: ... some copies of this email have the -same- malware attachment as Attached invoice from CMP – fake PDF malware**..."
* https://www.virustot...sis/1426502722/

212.143.213.133: https://www.virustot...33/information/

** http://myonlinesecur...ke-pdf-malware/
16 Mar 2015 - "'Attached invoice from CMP' pretending to come from noreply@ cmpireland .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecur...ce-from-CMP.png

16 March 2015: ICI151586.PDF.ZIP: Extracts to: INVOICE_89371.PDF.exe - Current Virus total detections: 9/57*
Update: Also getting word doc attachments - ICI151586.DOC - Current Virus total detections: 2/57**
(... same malware payload as CREDIT 89371 James Kernohan & Sons – malware... Confirmed as -same- payload although from a different download location 03740b7.netsolhost .com/js/bin.exe which is saved as %temp%\lUtsca32.exe (virus total***) . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426499520/

** https://www.virustot...sis/1426502121/

*** https://www.virustot...sis/1426503751/

208.91.197.128: https://www.virustot...28/information/
___

Fake 'Receipt' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Mar 2015 - "'Successful Receipt of Online Submission for Reference 5071910' [random reference numbers] pretending to come from noreply@ hmrc .gov .uk with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nce-5071910.png

16 March 2015: Ref_5071910.zip: Extracts to: Ref_AN004LO87.scr
Current Virus total detections: 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426509399/
___

Fake 'Outstanding Invoices' SPAM - doc malware
- http://myonlinesecur...dsheet-malware/
16 Mar 2015 - "'Outstanding invoices – 672751 February' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Sirs,
     Kindly find attached our reminder and copy of the relevant invoices.
    Looking forward to receive your prompt payment and thank you in advance.
     Kind regards
    Tania Sosa


16 March 2015 : 672751.doc - Current Virus total detections: 0/56*
... previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426514043/
 

:ph34r:  <_<


Edited by AplusWebMaster, 16 March 2015 - 08:29 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
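An added example (my own code, not from the thread or from the myonlinesecurity.com posts it quotes) of the defender-side check behind the repeated "show known file extensions" advice above: it opens a zip attachment in memory and flags members whose name carries a document extension in front of the real executable one (INVOICE_89371.PDF.exe), a bare executable extension (.scr), or a PE "MZ" header behind a harmless-looking name. The zip contents are constructed placeholders; only the first two member names are taken from the posts.

```python
import io
import zipfile

# Extensions Windows runs on double-click; a spoofed document icon does not change that.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta"}
# Extensions a recipient expects on a "statement", "invoice" or "receipt".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable (.exe and .scr alike)


def classify_name(name):
    """Return a reason if the member name itself is deceptive, else None."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    # INVOICE_89371.PDF.exe: with known extensions hidden, Explorer shows "INVOICE_89371.PDF".
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension: displays as .{parts[-2]}, runs as .{ext}"
    return f"executable attachment: .{ext}"


def scan_zip(data):
    """Scan zip bytes; return {member_name: [reasons]} for every suspicious member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            name_reason = classify_name(info.filename)
            if name_reason:
                reasons.append(name_reason)
            with zf.open(info) as fh:
                magic = fh.read(len(PE_MAGIC))
            # Content check catches what the name check cannot: a real PE file
            # shipped under a purely document-looking name.
            if magic == PE_MAGIC and name_reason is None:
                reasons.append("PE executable content (MZ header) behind a document name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members):
    """Constructed sample: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed contents: placeholder bytes with a PE-style header, not a real program.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ZIP = build_sample_zip({
    "INVOICE_89371.PDF.exe": FAKE_PE,   # attachment name quoted in the posts above
    "Ref_AN004LO87.scr": FAKE_PE,       # attachment name quoted in the posts above
    "report.pdf": b"%PDF-1.4 constructed placeholder",
    "notes.pdf": FAKE_PE,               # constructed: PE bytes behind a document name
})

if __name__ == "__main__":
    for name, reasons in scan_zip(SAMPLE_ZIP).items():
        print(name, "->", "; ".join(reasons))
```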


#1418 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 March 2015 - 07:54 AM

FYI...

Fake Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 Mar 2015 - "'Invoice from Linsen Parts Ltd pretending to come from  Linsen Parts UK Ltd <mark62618@ linsenparts .co.uk> ( random numbers after mark) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...n-Parts-Ltd.png

17 March 2015 : Invoice-3709.doc - Current Virus total detections: 2/57* | 2/57** | 2/57*** which downloads from piotrkochanski .cba.pl/js/bin.exe (and other locations) and is a dridex banking Trojan (VirusTotal)[4].
I am  seeing 3 versions of this malware, but previous campaigns over the last few weeks have delivered 3, 4 or even more  different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426579380/

** https://www.virustot...sis/1426579237/

*** https://www.virustot...sis/1426580404/

4] https://www.virustot...sis/1426578803/
... Behavioural information
TCP connections
78.129.153.12: https://www.virustot...12/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

Fake 'Payment confirmation' SPAM - doc / xls malware
- http://myonlinesecur...dsheet-malware/
17 Mar 2015 - "'Payment confirmation ABL104' ( random numbers) coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Other subjects in today’s spam run with malicious word macro docs are:
    Transaction confirmation ZLZ240 ( random numbers)
    Confirmation for payment NZV088 ( random numbers)
    RE:Confirmation for payment OXP504  ( random numbers)
    RE:Transaction confirmation YVD711
This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus...

Screenshot: http://myonlinesecur...onfirmation.png

17 March 2015 : ABL104.doc - Current Virus total detections: 2/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426590334/
___

Fake 'Admin Exchange' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 Mar 2015 - "'Administrator – Exchange Email' pretending to come from you and your domain  Administrator@ ron .schorr ... with a zip attachment is another one from the current bot runs... The email pretends to come from the person it is addressed to and from your own email domain so looks like:
    ron.schorr,
     This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.
     Thank you,
    Administrator ...


17 March 2015: Exchange.zip: Extracts to:  Exchange.scr - Current Virus total detections:  5/52*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426607993/
... Behavioural information ...
___

Fake Wells Fargo SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 Mar 2015 - "'FW: Customer account docs' pretending to come from Carrie L. Tolstedt <Carrie.Tolstedt@ wellsfargo .com> with link to a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ccount-docs.png

17 March 2015: SignedDocuments.zip: Extracts to: SignedDocuments.scr
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426610474/
... Behavioural information ...
 

:ph34r:  <_<


Edited by AplusWebMaster, 17 March 2015 - 02:02 PM.



#1419 AplusWebMaster

Posted 18 March 2015 - 05:23 AM

FYI...

HMRC Tax Refund - Phish ...
- http://myonlinesecur...ation-phishing/
18 Mar 2015 - "'Tax Refund Notification' is an email pretending to come from HM Revenue & Customs. One of the major common subjects in a phishing attempt is Tax returns, where especially in UK, you need to submit your Tax Return online before 31st December each year. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... The original email looks like this, and of course at this time of year (or anytime of year) we all need a few extra pennies and the offer of a tax refund is always welcome. It will NEVER be a genuine email from HMRC so don’t ever fill in the html ( webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine HMRC website. That is also false. This particular email has the entire content in an image and clicking anywhere on the image leads you to http ://taxrefundid778318ok.uleconstruction .com/ which in turn sends you on to http ://refund-hmrc.uk-6159368de39251d7a-login.id-107sbtd9cbhsbtd5d80a13c0db1f546757jnq9j5754675752240566.isteksut .com/IlOyTgNjFrGtHtEwVo/indexx.php
Both urls could easily be mistaken for genuine tax refund sites when you don’t take care and only look at the first part of the url & not the entire url... If you follow the link you see a webpage looking like this where they want your email address, name and date of birth.
> http://myonlinesecur...HMRC_phish1.png
They then pretend to do a search based on your name and email. Then you get sent on to the nitty gritty where they want all your banking and credit information. This obviously was created by a non UK person because the UK uses post codes & not zip codes, which should be an immediate alarm bell to somebody getting this far:
> http://myonlinesecur...-tax-refund.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fake 'Confirmation' SPAM – doc / xls malware
- http://myonlinesecur...dsheet-malware/
18 Mar 2015 - "'NWN Media Ltd Confirmation of Booking' pretending to come from  della.richards4732@ nwn. co.uk <della.richards@ nwn. co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-of-Booking.png

18 March 2015 : NWN Confirmation Letter.doc - Current Virus total detections: 3/57* | 3/57**
One version of this malicious macro tries to download deosiibude .de/js/bin.exe (... this is currently offline and most probably removed by its host). Other download sites are www .asociacecasin .com/js/bin.exe and pmmarkt .de/js/bin.exe both downloading same malware which is saved as %temp%\frexobj86.exe ( Virus Total***). So far I am only seeing 2 versions of this malware, but previous campaigns over the last few weeks have delivered 3, 4 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426671991/

** https://www.virustot...sis/1426671176/

*** https://www.virustot...sis/1426674582/

- http://blog.dynamoo....of-booking.html
18 Mar 2015
"... Recommended blocklist: ..."
___

Fake 'unpaid invoice' SPAM - doc / xls malware
- http://myonlinesecur...dsheet-malware/
18 Mar 2015 - "'February unpaid invoice notification' pretending to come from numerous email addresses and names  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Alternative subjects seen today so far are:
    February unpaid invoice notification
    January unpaid invoice notification
    December unpaid invoice notification
This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a totally-blank-body with a randomly named word XML doc attachment...

18 March 2015 : 43GEB594.doc - Current Virus total detections: 0/57* | 0/57** | 0/57***
So far I am seeing multiple versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426679613/

** https://www.virustot...sis/1426679518/

*** https://www.virustot...sis/1426679965/

- http://blog.dynamoo....id-invoice.html
18 Mar 2015
"... Recommended blocklist: ..."
___

Fake 'Gateway gov' SPAM - zip/doc/rtf malware
- http://blog.dynamoo....tewaygovuk.html
18 Mar 2015 - "This spam leads to a malicious ZIP file hosted either on Dropbox or Cubby.
    From:    Gateway .gov .uk
    Date:    18 March 2015 at 13:19
    Subject:    Your online Gateway .gov .uk Submission
    Electronic Submission Gateway
    Thank you for your submission for the Government Gateway.
   The Government Gateway is the UK's centralized registration service for e-Government services.
    To view/download your form to the Government Gateway please visit ...
    This is an automatically generated email. Please do not reply as the email address is not
    monitored for received mail.
    gov .uk - the best place to find government services and information - Opens in new window
    The best place to find government services and information


The link leads to an archive file Avis_De_Paiement.zip which in turn contains a malicious binary Avis_De_Paiement.scr which has a VirusTotal detection rate of 16/57*. ThreatExpert and Comodo CAMAS report that it downloads components from the following locations:
canabrake .com .mx/css/doc11.rtf
straphael .org .uk/youth2000_files/doc11.rtf
My sources indicate that this most likely phones home to 109.230.131.95 (Vsevnet Ltd. Russia) which is a known bad IP that I recommend -blocking. The payload appears to be the Upatre downloader leading to the Dyre banking trojan."
* https://www.virustot...sis/1426693801/
___

Fake JP Morgan SPAM - malicious attachment
- http://myonlinesecur...ke-pdf-malware/
18 Mar 2015 - "'Carrie L. Tolstedt FW: Customer account docs. pretending to come from JP Morgan Access <Carrie.Tolstedt@ jpmorgan .com> with link to a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-J-P-Morgan.png

The link in the email goes once again to a cubby user content site...
17 March 2015: SignedDocuments.zip: Extracts to: SignedDocuments.scr
Current Virus total detections: 3/56*  which is same malware although renamed as today’s Australia Post Track Advice Notification: Consignment RYR3602120 – fake PDF malware**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...
* https://www.virustot...sis/1426610474/

** http://myonlinesecur...ke-pdf-malware/

- http://blog.dynamoo....gan-access.html
18 Mar 2015 - "... Carrie L Tolstedt is a real executive... at Wells Fargo*. The lady in the picture is another Wells Fargo employee entirely**...."
* https://www.wellsfar...ficers/tolstedt
** http://www.americanb....html?csite=fsm

109.230.131.95: https://www.virustot...95/information/
 

:ph34r:  <_<


Edited by AplusWebMaster, 18 March 2015 - 07:09 PM.



#1420 AplusWebMaster

Posted 19 March 2015 - 05:15 AM

FYI...

Fake Fax SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
19 Mar 2015 - "'Fax from +4921154767199 Pages: 1' pretending to come from  faxtastic! <fax@ faxtastic .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    You have received a new fax. To view it, please open the attachment.
     Did you know we now send? Visit www .faxtastic .co.uk for more details.
     Regards,
     faxtastic Support Team


19 March 2015 : 2015031714240625332.xls - Current Virus total detections: 2/57* | 2/57**  at least one of these malicious macros is contacting meostore .net/js/bin.exe to download the dridex banking Trojan. (VirusTotal***). There will be other download locations... So far I am only seeing 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426754021/

** https://www.virustot...sis/1426753958/

*** https://www.virustot...sis/1426753820/
... Behavioural information
TCP connections
95.163.121.200: https://www.virustot...00/information/
___

Fake 'Order' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
19 Mar 2015 - "'Marflow Your Sales Order' pretending to come from sales@ marflow .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Your order acknowledgment is attached.
     Please check carefully and advise us of any issues.
     Best regards
     Marflow


19 March 2015 : 611866.xls - Current Virus total detections: 2/57* | 2/57**
Although these are -different- macros to the earlier XLS spam macro run today, they appear to be contacting the -same- sites and downloading the same dridex malware Fax from +4921154767199 Pages: 1 – word doc or excel xls spreadsheet malware:
> http://myonlinesecur...dsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426760344/

** https://www.virustot...sis/1426760388/

- http://blog.dynamoo....wcouk-your.html
19 March 2015
"... Recommended blocklist: ..."
___

Fake Solicitors Debt SPAM - malicious attachment
- http://blog.dynamoo....itors-debt.html
19 Mar 2015 - "This spam has a malicious attachment.
    Date:    19 March 2015 at 12:52
    Subject:    Aspiring Solicitors Debt Collection
    Aspiring Solicitors
    Ref : 195404544
    Date : 02.10.2014
    Dear Sir, Madam
    Re: Our Client Bank of Scotland PLC
    Account Number:77666612
    Balance:       2,345.00
    We are instructed by Bank of Scotland PLC in relation to the above matter.
    You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.
    Court Fees  GBP 245.00
    Solicitors Costs  GBP 750.00
    Cheques or Postal Orders should be  made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
    We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
    If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings...


Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indications are that this can run even with macros disabled. Each attachment has a unique MD5..."

- http://myonlinesecur...dsheet-malware/
19 Mar 2015
Screenshot: http://myonlinesecur...-Collection.png
> https://www.virustot...sis/1426773553/
0 / 57
___

More Fake Invoice SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
19 Mar 2015 - "A whole series of emails with multiple subjects all having random numbers including:
     Invoice ID:77f5451 in attachment
    Your February Invoice ID:58a0834
These all come from multiple random addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The emails all have a completely-empty body.

19 March 2015 : 58a0834.doc - Current Virus total detections: 0/57*
These look very similar to Aspiring Solicitors Debt Collection – word doc or excel xls spreadsheet malware:
> http://myonlinesecur...dsheet-malware/
The same warning must apply and opening the malicious doc will infect you, even with macros disabled... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426778947/
0 / 57

- http://blog.dynamoo....7654321-in.html
19 Mar 2015 - "... contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the -same- as the one used in this attack*..."
* http://blog.dynamoo....itors-debt.html
___

BoA Phish seeks personal data ...
- https://blog.malware...l-data-bonanza/
Mar 19, 2015 - "If you’re a Bank of America customer you’ll want to avoid this phishing URL, located at 74.208.43.206 /html/E-Alert(Dot)html:
> https://blog.malware...5/03/boaph1.jpg
The site says:
"We need you to verify your account information for your online banking to be re-activated"
...and asks visitors to “click-the-download-button to receive your verification file”, then open it in their browser. As it turns out, “downloading the file” means “visit another webpage”:
Alertfb .pw /site/IrregularActivityFile(dot)html
The above site takes those eager to hand over personal information to the cleaners – there’s a wide variety of data harvested including Online ID and passcode, name, DOB, social security number, drivers license number, email address and password. That’s not all – there’s also 3 security questions and payment information / address to complete the carefully laid out steps... That’s a lot of info to hand over to scammers, and anybody who thinks they may have been caught by something similar to the above should contact their bank immediately. Some of the images on the website are apparently broken and none of the URLs look remotely like legitimate BoA URLs so that will hopefully deter a few would be banking disasters. While in the process of drafting this blog we’ve noticed the second site which asks for the bulk of the banking customer information is being -flagged- by Chrome for phishing, so hopefully that will help to reduce the potential victim pool still further. We’ll update the post as we test with different browsers, but for now watch what you click and be very cautious should you see either of the two URLs pop up in an unsolicited email…"
74.208.43.206: https://www.virustot...06/information/

104.219.184.113: https://www.virustot...13/information/
 

:ph34r:  <_<


Edited by AplusWebMaster, 19 March 2015 - 12:37 PM.


#1421 AplusWebMaster

Posted 20 March 2015 - 04:37 AM

FYI...

CryptoWall 3.0 Ransomware partners with FAREIT spyware
- http://blog.trendmic...fareit-spyware/
Mar 19, 2015 - "... CryptoWall 3.0 arrives via spammed emails, using a JavaScript attachment. In the screenshot below*, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) will be extracted from the file, which is peculiar, as the file extensions often associated with resumes are .DOC, .PDF and .RTF.
* http://blog.trendmic...rypWall3-11.jpg
... it will connect to two URLs to download “.JPG” files. But don’t be fooled by the extension — this is an old technique which may bypass poorly designed intrusion detection systems (IDS) by disguising malware as an image file... The JS file will execute the files after a successful download... TROJ_CRYPWAL.YOI will create a new instance of explorer.exe to gain local admin privilege, provided that the victim has admin rights — which is a common setup. Using a legitimate system process like explorer.exe could help the malware bypass scanners that use whitelisting. It will create a new instance of svchost.exe with -k netsvcs arguments which will perform the C&C communication and file encryption. This also gives the malware system service privileges... After receiving the RSA public key for file encryption from its C&C server, as the private key to be used for decryption is stored in the server, it will start encrypting the files with certain file extensions. Targeted files include documents, databases, emails, images, audio, video, and source codes. After encrypting a file using RSA-2048 encryption algorithm, it will append a random file extension to the original file name, and add the “HELP_DECRYPT” files to the directory affected. After its encryption routine, it will open the “HELP_DECRYPT” files to show the victim the dreaded ransom note:
> http://blog.trendmic...CrypWall3-5.jpg
TSPY_FAREIT.YOI  is executed alongside TROJ_CRYPWAL.YOI. While the victim is distracted by CryptoWall’s -extortion- the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets... this is the first time we’ve seen crypto-ransomware team up with spyware. This just shows that the cybercriminals are getting greedier. They are no longer content with the revenue they get from their ransom, around US$500 — which -doubles- after a certain period of time has lapsed:
Ransom fee increases:
> http://blog.trendmic...CrypWall3-6.jpg
...  the threat actors are using an “old business model” as their back-up plan. Even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information. Based on feedback from the Smart Protection Network, the region most affected by CryptoWall 3.0 is Australia/New Zealand, followed by North America and Europe:
Regions affected by CryptoWall 3.0:
> http://blog.trendmic...CrypWall3-7.jpg
Users can protect their important data by regularly backing up their files. They can implement the 3-2-1 rule** for their files. Of course, for threats like crypto-ransomware and spyware, other safety practices are advised... users should -never- open attachments from unknown or unverified senders... ignore or -delete- from unknown senders..."
** http://blog.trendmic...the-3-2-1-rule/
"... The accepted rule for backup best practices is the three-two-one rule. It can be summarized as: if you’re backing something up, you should have:
• At least three copies,
• In two different formats,
• with one of those copies off-site..."
 

:ph34r: :ph34r:  <_<


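An added detection example (my own code, not from the thread or the blogs it quotes) that runs three defender-side checks over constructed Squid access-log lines: the /js/bin.exe macro-dropper downloads and the "Recommended blocklist" entries quoted in the Dridex posts above, and the executable-served-as-".JPG" trick described in the CryptoWall writeup. Hostnames under the reserved .invalid TLD and the private/documentation-range IPs are constructed; only 109.230.131.95 and 95.163.121.0/24 come from the thread.

```python
import ipaddress
import re

# Blocklist in the form the quoted dynamoo posts use (one IP or CIDR per line).
# 109.230.131.95 and 95.163.121.0/24 appear in the thread; nothing else is added.
BLOCKLIST_TEXT = """
109.230.131.95
95.163.121.0/24
"""

# Constructed Squid native-format access log lines:
# ts elapsed client code/status bytes method url rfc931 hierarchy/dest content-type
SAMPLE_LOG = """\
1426579380.101   312 10.0.0.12 TCP_MISS/200 51200 GET http://compromised-host.invalid/js/bin.exe - HIER_DIRECT/95.163.121.200 application/x-msdownload
1426579381.555    40 10.0.0.12 TCP_MISS/200 14200 GET http://intranet.example.invalid/docs/policy.pdf - HIER_DIRECT/192.0.2.20 application/pdf
1426579390.002   200 10.0.0.33 TCP_MISS/200 18560 GET http://cdn.example.invalid/images/logo.png - HIER_DIRECT/203.0.113.10 image/png
1426579402.700   280 10.0.0.45 TCP_MISS/200 233472 GET http://pics.example.invalid/img/photo1.jpg - HIER_DIRECT/198.51.100.7 application/x-msdownload
1426579410.300    15 10.0.0.45 TCP_MISS/200 512 POST http://c2.example.invalid/gate.php - HIER_DIRECT/109.230.131.95 text/plain
"""

# Content types a proxy reports for a Windows executable body.
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/vnd.microsoft.portable-executable"}
# URL suffixes that promise an image or document, not a program.
NON_EXEC_URL_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".xls")
# The download path reported over and over for the macro droppers in this thread.
DROPPER_PATH_RE = re.compile(r"/js/bin\.exe$", re.IGNORECASE)


def parse_blocklist(text):
    """Parse one IP or CIDR per line; blank lines and # comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_squid_line(line):
    """Split a Squid native-format line into the fields the rules need, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    return {
        "ts": f[0], "client": f[2], "method": f[5], "url": f[6],
        "dest": f[8].split("/", 1)[1] if "/" in f[8] else "-",
        "ctype": f[9],
    }


def check_entry(e, nets):
    """Return the names of the rules this entry trips (empty list if clean)."""
    hits = []
    path = e["url"].split("?", 1)[0]
    if DROPPER_PATH_RE.search(path):
        hits.append("dridex-macro-dropper-path")
    if e["ctype"] in EXEC_TYPES and path.lower().endswith(NON_EXEC_URL_EXTS):
        hits.append("executable-served-as-image-or-document")
    try:
        if e["dest"] != "-" and any(ipaddress.ip_address(e["dest"]) in n for n in nets):
            hits.append("blocklisted-destination")
    except ValueError:  # hierarchy field held a hostname, not an address
        pass
    return hits


def scan_log(text, blocklist_text=BLOCKLIST_TEXT):
    """Return [(client, url, [rules...])] for every line that trips at least one rule."""
    nets = parse_blocklist(blocklist_text)
    alerts = []
    for line in text.splitlines():
        e = parse_squid_line(line)
        if e is None:
            continue
        hits = check_entry(e, nets)
        if hits:
            alerts.append((e["client"], e["url"], hits))
    return alerts


if __name__ == "__main__":
    for client, url, rules in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(rules))
```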


#1422 AplusWebMaster

Posted 20 March 2015 - 05:51 AM

FYI...

Something evil on 85.143.216.102 and 94.242.205.101
- http://blog.dynamoo....216102-and.html
20 Mar 2015 - "... I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report*] being reached via 85.143.216.102 (AirISP, Russia) [VT report**]. Whatever it is, it is using subdomains from -hijacked- GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs... For practical purposes though I recommend you block traffic to the IPs rather than the domains.
Recommended blocklist:
85.143.216.102
94.242.205.101
"
* https://www.virustot...01/information/

** https://www.virustot...02/information/

1] http://pastebin.com/MWhk2qy8

2] http://pastebin.com/XdBKFtP8
___

Nuclear EK leverages Flash CVE-2015-0336
- https://blog.malware...-vulnerability/
Mar 19, 2015 - "... Malwarebytes Anti-Exploit* users are already protected against this threat... Adobe has confirmed that a variant of CVE-2015-0336 is being exploited 'in-the-wild'. CVE-2015-0336 was -resolved- in Flash Player 17.0.0.134 (see APSB15-05**)..."
* http://www.malwareby...rg/antiexploit/

** https://helpx.adobe..../apsb15-05.html

> https://web.nvd.nist...d=CVE-2015-0336 - 9.3 (HIGH)
___

How Victims Are Redirected to IT Support Scareware Sites
- https://isc.sans.edu...l?storyid=19487
2015-03-20 - "In the classic version of tech support scams, the fake technician initiated an unsolicited phone call to the victim. Now that awareness of this scheme has increased, scammers have shifted tactics. Their latest approaches involve convincing the potential victim to be the one calling the impostor. I've seen this accomplished in two ways:
• Scammers use bots to respond to Twitter users who mention PC problems or malware. The bots search for the appropriate keywords and send messages that include a phone number of a tech support firm. I described this approach when exploring how scammers prescreen potential victims.
• Scammers set up scareware websites that are designed to fool people into thinking their PC is infected, compelling visitors to call the fake tech support organization... Let’s take a look at a domain redirection variation of this scam below.
In the following example, the victim visited a link that was once associated with a legitimate website: 25yearsofprogramming .com. The owner of the domain appears to have allowed its registration to expire in early 2014. At that point, the domain was transferred to Name Management Group, according to DomainTools Whois records... Name Management Group seems to own over 13,000 domains (according to DomainTools Whois records), including numerous domains that DomainTools classifies as -malicious- ... (Don't visit these domains.)
- Landing on the Fake Malware Warning Site:
Visiting the once-legitimate URL a few days ago landed the victim on a scammy scareware page, designed to persuade the person to contact "Microsoft Certified Live Technicians" at the specified toll-free phone number. The site employed social engineering techniques employed by rogue antivirus tools. Such schemes present victims with fake virus warnings, designed to scare people into submission. The site in our example also played an auditory message, exclaiming:
"This is a Windows system warning! This is a Windows system warning! If you are hearing this warning message, the security of your Windows system has been compromised. Your Windows computer and data might be at risk because of adwares, spywares and malicious pop-ups! Your bank details, credit card information, email accounts, Facebook account, private photos and other sensitive files may be compromised. Please call the number mentioned now to resolve this issue."
To see and hear what the victim experienced... watch it on YouTube:
... The companies behind these servers, as well as the firm presently controlling 25yearsofprogramming .com, are probably receiving referral fees for their role in the redirection scheme. There's much to explore regarding the domain names, systems and companies involved in the schemes outlined above... If you decide to explore any of these systems, do so from an isolated laboratory environment. Also, if you encounter a tech support scam, please register it with our database of such incidents:
- https://isc.sans.edu...rtfakecall.html "
(More detail at the isc diary URL at the top of this post.)
___

Who Develops Code for IT Support Scareware Websites?
- https://isc.sans.edu...l?storyid=19489
2015-03-20
- https://isc.sans.edu...rt-l3-large.png
___

The Manipulative Nature and Mechanics of Visitor Survey Scams
- https://zeltser.com/...r-survey-scams/
March 18, 2015
- Lenny Zeltser
___

Fake pictures SPAM - malware
- https://www.virustot...sis/1426864158/
20 Mar 2015 - "'American Wholesale Pictures' pretending to come from Tod <tod@ awrco .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Hi,
    Sorry for the delay I just received these this morning.
    Here are the pictures of the panels that you requested.
    Thank you,
    Adam
    Office
    Manager
    American Wholesale Co.
    Phone: 216-426-8882
    Fax: 216-426-8883 ...


20 March 2015: 084-16475-4999.zip: Extracts to: img.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426864158/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
108.174.149.222: https://www.virustot...22/information/
46.249.3.66: https://www.virustot...66/information/
 



Edited by AplusWebMaster, 20 March 2015 - 12:37 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1423 AplusWebMaster


Posted 23 March 2015 - 09:38 AM

FYI...

Fake 'Statement' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Mar 2015 - "'Retailer Statement for 19745' (random numbers) pretending to come from user <tod@ awrco .com> with a zip attachment is another one from the current bot runs... The email which has random attachment numbers looks like:
HI,
document as an attachment


23 March 2015 : 587-19745-2563.zip: Extracts to:  document.exe
Current Virus total detections: 3/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427123035/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
217.19.14.37: https://www.virustot...37/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

Fake 'approval' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Mar 2015 - "'12/31(1/1) approve' pretending to come from Laurie Liggett <lliggett@ niemannfoods .com> with a zip attachment is another one from the current bot runs... The email looks like:

    Your message is ready to be sent with the following file attachment.
     Laurie Liggett
    Buying Office Administrator
    Niemann Foods, Inc.


23 March 2015: 705-87633#5042.zip: Extracts to: pic.exe
Current Virus total detections: 1/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427128006/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
94.126.48.158: https://www.virustot...58/information/
46.249.3.66: https://www.virustot...66/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
 



Edited by AplusWebMaster, 23 March 2015 - 01:34 PM.



#1424 AplusWebMaster


Posted 24 March 2015 - 03:31 AM

FYI...

Fake Resume SPAM - JavaScript malware
- http://myonlinesecur...ke-pdf-malware/
24 Mar 2015 - "'Resume Bobbie Rocha' pretending to come from Bobbie <BobbieRocha@ businesscommerce .com> with a zip attachment is another one from the current bot runs... The email looks like:
     My name is Bobbie Rocha, attached is my resume.
    I look forward to hearing back from you.
     Thank you,
    Bobbie


24 March 2015: Resume Bobbie Rocha.zip: Extracts to: Resume Bobbie Rocha.js
Current Virus total detections: 12/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427180393/
___

Fake Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
24 Mar 2015 - "'Mary Watkins Ely Design Group Invoice' pretending to come from Mary Watkins <mary@ elydesigngroup .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hi,
    As promised!
    Mary Watkins
    Office Manager
    Ely Design Group


25 February 2015 : S22C-6e15031710060.doc - Current Virus total detections: 2/55* | 2/55**
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1427186619/

** https://www.virustot...sis/1427186436/

- http://blog.dynamoo....ry-watkins.html
24 Mar 2015 - "This spam email message does not come from Ely Design Group, but is in fact just a simple forgery. Ely Design Group's systems have not been compromised in any way. This email comes with a malicious attachment:
     From:    Mary Watkins [mary@ elydesigngroup .co.uk]
    Date:    24 March 2015 at 07:23
    Subject:    Invoice
    Hi,
    As promised!
    Mary Watkins
    Office Manager
    Ely Design Group


Attached is a Word document named S22C-6e15031710060.doc which has a low detection rate of 2/57* which contains this malicious macro which then downloads a component from the following location:
http ://dogordie .de/js/bin.exe
The file is saved as %TEMP%\PALmisc2.5.2.exe and has a VirusTotal detection rate of 6/57**.
Automated analysis tools... indicate that the binary crashes in those test environments, although whether or not it will work on a live PC is another matter. The payload (if it works) is almost definitely the Dridex banking trojan."
* https://www.virustot...sis/1427189692/

** https://www.virustot...sis/1427189707/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustot...11/information/

dogordie .de: 81.169.145.156: https://www.virustot...56/information/
___

Fake 'Thank you' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Mar 2015 - "'Robinson IGA project Thank you for your business' pretending to come from user <elezaveta@ enewall .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ur-business.png

24 March 2015 : 23807905.zip: Extracts to: doc.exe - Current Virus total detections: 2/56*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427194478/
... Behavioural information
TCP connections
134.249.63.46: https://www.virustot...46/information/
46.249.3.66: https://www.virustot...66/information/
___

Recent Malware Outbreaks
- http://www.senderbas...static/malware/
Last Updated: 2015/03/24 10:59 UTC

Top Malware Senders
- http://www.senderbas.../malware/#tab=1
Last Updated: 2015/03/24 10:03 UTC
___

Fake 'Payment To Skype' - PayPal phish...
- http://myonlinesecur...aypal-phishing/
24 Mar 2015 - "'New Payment To Skype INC' pretending to come from Pay Pal <lordjohn74@ hotmail .co.uk> is one of the latest phish attempts to steal your Paypal account and your Bank, credit card and personal details... don’t click-the-link in the email...

Screenshot: http://myonlinesecur...o-Skype-Inc.png

... the link (takes you to) a webpage looking like:
> http://myonlinesecur...-1-1024x500.png
... the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur...pal-login-2.png
... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

The RATS are free...
- http://www.symantec....e-it-out-gutter
23 Mar 2015 - "... Remote access Trojans, otherwise known as RATs, are nothing new and they frequently grab their fair share of security-related news headlines. Commonly used in both targeted and non-targeted attacks, and even on mobile devices, RATs are a popular tool among cybercriminals; whether for financial gain, espionage, or for something more creepy. Some RATs are more common than others, such as the infamous Blackshades (W32.Shadesrat), PlugX (Backdoor.Korplug), Poison Ivy (Backdoor.Darkmoon), or many others that have made a name for themselves in the cybercriminal underground. However, every once in a while a new RAT tries to emerge out of the unknown and “make it” just like its more common cousins... human nature’s love of cheap or, better yet, free stuff is helping this RAT in its efforts to hit the big time but potentially at a cost to the developer... RATs sold on underground forums can vary in price, ranging anywhere from US$25 to $250. In recent years the security community has seen plenty of new RATs come and go but where things always get dirty is when a cracked version of a RAT is leaked online for free. When this happens, usage of the RAT increases; cybercriminals are (arguably) human after all and love to get things for free... It seems that every time the author tries to develop and improve NanoCore, one of the customers invariably ends up -leaking- a copy of it for free. This surely has to be a major disincentive for the original developer but they seem to possess endless optimism and persist to create new versions with enhanced capabilities, maybe in the hope that eventually enough customers will pay...
Top ten countries affected by Trojan.Nancrat (Jan 2014 to March 2015):
> http://www.symantec....1/Figure3_1.png
... The RAT is being distributed through malicious emails... targeted emails are being sent to energy companies in Asia and the Middle East and the cybercriminals behind the attack are spoofing the email address of a legitimate oil company in South Korea. Attached to the email is a malicious RTF file that exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158*) and drops Trojan.Nancrat... The cracked versions of NanoCore are now not only available on the dark web but also on the visible web. That means it’s not just the more experienced cybercriminals who can easily access this malware for free, but also script kiddies eager to start their cybercriminal careers. The more the NanoCore malware is used and is visible on the underground, the higher the chances that one day it may end up just as well-known as some of the notorious RATs that have come before it..."
* http://www.securityf...2911/references
___

Google warns of OS-trusted but unauthorised digital certificates
Maintaining digital certificate security
- http://googleonlines...e-security.html
March 23, 2015 - "... Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate..."

Firefox 37 ...
Revoking Trust in one CNNIC Intermediate Certificate
- https://blog.mozilla...te-certificate/
Mar 23, 2015 - "... to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37..."
- https://wiki.mozilla...coming_Releases
"... Firefox 37... RELEASE week of March 31, 2015."
 



Edited by AplusWebMaster, 24 March 2015 - 03:58 PM.



#1425 AplusWebMaster


Posted 25 March 2015 - 07:20 AM

FYI...

Fake 'Payment' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
25 Mar 2015 - "'Payment 1142' pretending to come from James Dudley <James.Dudley@ hitec .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Payment sheet attached.
    James
    T    01353 624023
    F    01353 624043
    E    james.dudley@ hitec .co.uk
    Hitec Ltd
    23 Regal Drive
    Soham
    Ely
    Cambs
    CB7 5BE
    This message has been scanned for viruses and malicious content by Green Duck SpamLab


25 February 2015 : Payment 1142.doc - Current Virus total detections: 2/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427270267/

- http://blog.dynamoo....mes-dudley.html
25 Mar 2015 - "This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.

    From:    James Dudley [James.Dudley@ hitec .co.uk]
    Date:    25 March 2015 at 09:38
    Subject:    Payment 1142
    Payment sheet attached.
    James
    T    01353 624023
    F    01353 624043
    Hitec Ltd
    23 Regal Drive
    Soham
    Ely
    Cambs
    CB7 5BE
    This message has been scanned for viruses and malicious content by Green Duck SpamLab


I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57*. It contains this malicious macro... which attempts to download a component from:
http ://madasi.homepage .t-online .de/dbcfg/32.exe
..which is then saved as %TEMP%\sollken1.2.8.exe, this has a detection rate of 12/57**. Automated analysis of this binary is pending, but is so far inconclusive...
MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf
UPDATE: this interesting new tool from Payload Security[1] gives some insight as to what the malware does. In particular, it phones home to:
50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)
Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24
"
* https://www.virustot...sis/1427293393/

** https://www.virustot...sis/1427293399/

1] https://www.hybrid-a...environmentId=1
___

Fake Citi SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Mar 2015 - "'Citi Merchant Services statements – 05721901-6080' ( random numbers) pretending to come from user <noreply@ efsnb-archive .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Attached is your Merchant Statement. It is secured so that only an authorized recipient can open it. To open, click on the attachment.
    In order to view the attached PDF file, you need Adobe Acrobat Reader Version 8.0 installed.
    Click on the following link: <http ://www.adobe .com/products/acrobat/readstep2.html> to complete a free install or re-install if you have an older version.
    Visit Microsoft’s self help website at www .microsoft .com or contact your ISP if you do not receive the attachment.
    Delivering your statements directly to your desktop is just one more way we’ve increased the speed of business. Thanks again for choosing CTS Holdings, LLC as your merchant processor. CTS Holdings, LLC, you can count on us!
    This is a post-only mailing. Please do not respond. To change preferences please contact Customer Service at 1-800-238-7675.


25 March 2015 : random zip name : Extracts to: Merchant.exe - Current Virus total detections: 6/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427293896/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
134.249.63.46: https://www.virustot...46/information/

- http://threattrack.t...8/citibank-spam
Mar 25, 2015
Malicious File Name and MD5:
Merchant.exe (4007601E07343ADD409490F572F97D46)

Tagged: Citibank, Upatre
___

Fake 'Invoice ID' SPAM - malicious attachment
- http://blog.dynamoo....12ab34-123.html
25 Mar 2015 - "This terse spam has a malicious attachment:
    From:    Gerry Carpenter
    Date:    25 March 2015 at 12:58
    Subject:    Invoice ID:34bf33
    123


There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has -zero- detections*. Unlike most recent document-based attacks, this does -not- contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked, the spreadsheet itself is designed to get the victim to click-and-run that object.
> https://1.bp.blogspo...0/excel-ole.png
Automated analysis doesn't show very much, but it does show the screenshots [1] [2]... the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56**, and the Payload Security report shows it communicating with the following IPs:
92.63.88.83 (MWTV, Latvia)
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
The payload is most likely Dridex.
Recommended blocklist:
92.63.88.0/24
82.151.131.129
121.50.43.175

MD5s:
ce130212d67070459bb519d67c06a291
461689d449c7b5a905c8404d3a464088 "
* https://www.virustot...sis/1427298940/

** https://www.virustot...sis/1427296948/

1] https://www.hybrid-a...environmentId=1

2] https://malwr.com/an...TQwNDcxMDBkZjc/
___

Fake 'ACH failure' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Mar 2015 - "'ACH technical failure' pretending to come from The Electronic Payments Association <June.Parks@ nacha .org> [random names nacha .org] with a link to a zip attachment is another one from the current bot runs... Other subjects in this series of spam malicious emails on the nacha theme are:
    Transaction system failure
    ACH transfer error
    ACH technical failure
    Your transfer failed due to technical failure ...
The email looks like:

    ACH PAYMENT REJECTED
    The ACH Payment (ID: 53213740992857), recently sent from your savings account (by you or any other person), was REJECTED by other financial institution.
    Rejection Reason: See details in the report below
    Payment Report: report_53213740992857.pdf (Adobe Reader PDF)
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    2014 NACHA – The Electronic Payments Association


The link once again goes to a cubby user content site...
25 March 2015: Secure_Message.zip: Extracts to: Secure_Message.exe
Current Virus total detections: 11/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427301251/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
134.249.63.46: https://www.virustot...46/information/
___

Fake DHL SPAM - malware
- http://myonlinesecur...ipment-malware/
25 Mar 2015 - "'DHL AWB# 34 5673 0015 / shipment' pretending to come from DHL Express <info@ dhl .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    The following 1 piece(s) have been sent by a Customer via DHL Express on 22-03-2015 via AWB# 34 5673 0015
    Find attached Scanned copy of the shipping documents and more information about the parcel and confirm if the address is correct for shipment.
    Thank you.


25 March 2015: DOCUMENTS.zip: Extracts to:  DOCUMENTS.exe - Current Virus total detections: 7/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427286243/
... Behavioural information
TCP connections
66.171.248.172: https://www.virustot...72/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

Fake 'Notice to appear in Court' SPAM - malicious attachment
- http://blog.dynamoo....-notice-to.html
24 Mar 2015 - "These two emails come with a malicious attachment:
    From:    County Court [lester.hicks@ whw0095 .whservidor .com]
    Date:    24 March 2015 at 16:45
    Subject:    AERO, Notice to Appear
    This is to inform you to appear in the Court on the March 31 for your case hearing.
    Please, prepare all the documents relating to the case and bring them to Court on the specified date.
    Note: The case may be heard by the judge in your absence if you do not come.
    You can review complete details of the Court Notice in the attachment.
    Yours faithfully,
    Lester Hicks,
    Court Secretary.
    -------------
    From:    District Court [cody.bowman@ p3nw8sh177 .shr.prod.phx3 .secureserver .net]
    Date:    24 March 2015 at 16:44
    Subject:    AERO, Notice to appear in Court #0000310657
    Dear Aero,
    This is to inform you to appear in the Court on the March 28 for your case hearing.
    You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
    Note: If you do not come, the case will be heard in your absence.
    You can review complete details of the Court Notice in the attachment.
    Sincerely,
    Cody Bowman,
    District Clerk.


In these two cases the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57*]... and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57**]... respectively. These scripts attempt to download malicious code... Details in the download locations vary, but are in the format:
ilarf .net/document.php?rnd=1161&id=
gurutravel .co .nz/document.php?rnd=3022&id=
This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57*** and 4/56****. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything. The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports... indicate badness on at least the following IPs:
176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25

I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28 or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24. I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus[5] software.
MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee "
* https://www.virustot...sis/1427221635/

** https://www.virustot...sis/1427221612/

*** https://www.virustot...sis/1427222714/

**** https://www.virustot...sis/1427223237/

5] http://www.microsoft...e:Win32/Trapwot
 



Edited by AplusWebMaster, 26 March 2015 - 05:34 AM.

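The recurring pattern in the posts above is a zip attachment whose member is an .exe wearing a PDF icon, or a script with a double extension such as .doc.js. The following is an added example, not code from this thread or the blogs it quotes: a small mail-gateway style triage that opens a zip, checks each member's extension chain and magic bytes, and reports what should be quarantined. The archives it scans are constructed in memory, and the "MZ" stub it uses is not a real executable.

```python
# Triage for zip-wrapped droppers like those above. Added example, not code
# from the thread or the quoted blogs; the archives are built in memory.
import io
import zipfile

# Extensions Windows runs on double-click (assumption: a conservative list,
# extend to local policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk"}
# Document/image extensions these campaigns imitate.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def split_exts(name):
    """Lower-cased extension chain: 'x.doc.js' -> ['.doc', '.js']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_member(name, head):
    """Reasons to quarantine one member, from its name and first bytes."""
    reasons = []
    exts = split_exts(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension " + last)
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("double extension " + exts[-2] + last)
    # PE images start with 'MZ'; a PDF, Office file or image never does.
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append("PE header under non-executable extension")
    return reasons


def scan_zip(data):
    """Return {member: [reasons]} for suspicious members of a zip (bytes)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)          # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members):
    """Build a zip in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for the attachment names seen in the thread. FAKE_PE
# is a bare 'MZ' stub, not a real executable.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE = build_sample_zip({
    "docs2015.exe": FAKE_PE,                           # .exe with a PDF icon
    "Notice_to_Appear_000283436.doc.js": b"var x=1;",  # double extension
    "statement.pdf": FAKE_PE,                          # PE renamed to .pdf
    "readme.txt": b"plain text",                       # benign
})

if __name__ == "__main__":
    for member, why in scan_zip(SAMPLE).items():
        print(member, "->", "; ".join(why))
```

Because the check reads magic bytes rather than trusting the name, it also catches the case the "show known file extensions" advice does not help with: a real PE renamed to .pdf.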
