
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1426 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 March 2015 - 08:14 AM

FYI...

Fake 'scanned' results SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Mar 2015 - "'Lou Ann Davis Indus Precision Mfg scanned' pretending to come from user <louann@ indusmfg .com> with a zip attachment is another one from the current bot runs... The email looks like:
    –
     Thank you,
    Lou Ann Davis
    Office Administrator
    Indus Precision Mfg., Inc.
    www .indusmfg .com
    Main: (845)268-0782
    Fax: (845)268-2106


26 March 2015 : Random zip name : Extracts to: scan.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427372574/
___

Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Mar 2015 - "'Yarde Metals Invoice' pretending to come from email.invoice <email.invoice@ yarde .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Thank you for your order.
    Attached is your original invoice. If you would
    like to pay for
    your order with a wire transfer please contact Angela Palmer
    at 860-406-6311 for bank details.
    Friendly reminder:
    Yarde Metals terms
    are 1/2% 10, Net 30. We appreciate your prompt payment.


26 March 2015: random zip name: Extracts to: 221324.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427380401/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
46.160.125.167: https://www.virustot...67/information/
91.194.239.126: https://www.virustot...26/information/
93.123.40.17: https://www.virustot...17/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

BoA 'Over Limit' Spam
- http://threattrack.t...over-limit-spam
Mar 26, 2015 - "Subjects Seen
    Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Malicious File Name and MD5:
    report_77076291400.scr (6B6E3D3FDE233FE75F64B517F2351D97)


.
___

Steam Codes and Countdowns - 'something for nothing'
- https://blog.malware...and-countdowns/
March 26, 2015 - "... 'something for nothing' makes a reappearance in the land of -gaming- with a twist designed to get would-be winners sending messages to their online friends as fast as they possibly can. The site we’re going to examine is located at: steamcode(dot)org
... which claims they have $20 Steam Codes to give away, as the “We’re the people who give away free $20 Steam Codes!” makes clear on the frontpage. We could have an interesting philosophical debate about when free means free, but we could also just chalk it up as “free, as long as you send some links and fill in a bunch of stuff”. Here’s the nicely designed frontpage:
> https://blog.malware...5/03/stmcd1.jpg
Clicking the button reveals two things – a tantalizing glimpse of half a code, and the reveal that you must share a link with 15 people in 45 minutes or else the code will expire. If you don’t have Under Pressure on your playlist, you might want to go dig it out now:
> https://blog.malware...5/03/stmcd2.jpg
Sites don’t normally place a timer on link sending, because not many people immediately whip out a list of likely candidates to start spamming when confronted with a rapidly diminishing timer. Indeed, start quickfiring identikit messages to all and sundry and you may find more than a few of them either think you’ve been hacked or turned into a spambot for the day. Should the required amount of referrals be reached, the end result is a selection of survey pages for the would-be $20 code recipient... There’s -no- guarantee the full code will be released even with a completed survey – the only person who has anything to lose in this situation is the individual filling in whatever forms are presented, working on the basis that they’re simply hoping the website will hand over a code at the end of the process. Freebie sites offering up items such as vouchers, gift cards and game codes typically resort to surveys at some point in the chain – it’s just how they roll. Displaying a portion of the code and adding in a time sensitive instruction to send URLs to all and sundry focuses on the “So near, yet so far” pressure point, and is a great way to ensure people desperate for free game codes start yelling “How high?” before jumping."
 

:ph34r:  <_<


Edited by AplusWebMaster, 26 March 2015 - 10:42 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
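The warning repeated in the posts above, that a .exe, .scr or .vbs inside a zip shows a document icon and, with known extensions hidden, reads as a PDF or Word file, is something a mail gateway or triage script can check mechanically. The script below is an added example, not code from the quoted blogs or from this forum. It builds a constructed zip in memory whose member names are taken from the lures quoted in this thread but whose contents are harmless stubs, then flags any member with an executable extension, a document/executable double extension, or content that begins with the Windows PE "MZ" magic under a non-executable name.

```python
from __future__ import annotations

import io
import zipfile

# Extensions Windows runs directly on double-click. The lures quoted above deliver
# .exe, .scr and .vbs; the rest are common script/launcher types of the same kind.
EXECUTABLE_EXTS = {".exe", ".scr", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                   ".bat", ".cmd", ".com", ".pif"}
# Document types the spoofed icons and double extensions imitate.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
# Every Windows PE file (exe/scr/dll) begins with this two-byte magic.
PE_MAGIC = b"MZ"


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like a disguised executable (empty if none)."""
    reasons: list[str] = []
    base = name.lower().rsplit("/", 1)[-1]          # Explorer shows only the file name
    exts = ["." + p for p in base.split(".")[1:]]   # ['.doc', '.vbs'] for 'x.doc.vbs'
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension {exts[-2]}{last}: shows as {exts[-2]} "
                       "when known extensions are hidden")
    if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) in a file not named as an executable")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan every file in a zip archive without extracting it to disk."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)               # enough bytes for the magic check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: the member names come from lures quoted in this
    thread, the contents are inert stubs (an 'MZ' prefix and zeros, or a comment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment Confirmation pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("83JHE76328475243920_1a.doc.vbs", b"' constructed placeholder\r\n")
        zf.writestr("invoice.pdf", PE_MAGIC + b"\x00" * 62)   # PE behind a .pdf name
        zf.writestr("readme.txt", b"plain text, nothing to flag\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

The name check catches what a user would see, and the magic check catches what the name hides; run both, because a double-extension lure passes the second and a renamed PE passes the first. On the endpoint side, the setting the posts refer to is Explorer's "Hide extensions for known file types" in Folder Options; clearing it makes the .exe visible but does nothing about the icon, so the gateway check is the safer control.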



#1427 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 March 2015 - 04:55 AM

FYI...

Fake ebill Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 Mar 2015 - "'UK Fuels ebill for ISO Week 201512' pretending to come from invoices@ ebillinvoice .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Week-201512.png

27 March 2015 : 22328_201512.doc
Current Virus total detections: 3/57* | 2/56** | 2/57*** | 3/57****
... So far I have seen 4 versions of this malware, but previous campaigns over the last few weeks have delivered 2, 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427446840/

** https://www.virustot...sis/1427447362/

*** https://www.virustot...sis/1427447494/

**** https://www.virustot...sis/1427447285/
___

Fake 'NASA MSBA' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 - "'NASA MSBA 27th, 2015' pretending to come from MSBA <NVDB@ nasa .gov> with a zip attachment is another one from the current bot runs... The email looks like:
    Good Afternoon.
    MSFC has posted the upcoming MSBA 27th event on NAIS and
    Fed Biz Ops (Solicitation No.: SB-85515).
    NAIS Posting:
    Please click on
    Mod. 1 Posting.
    Attached is the MSBA Agenda.
    Please join us for this event!


27 March 2015: Random zip name: Extracts to: MSFC.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427455905/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
UDP communications
23.99.222.162: https://www.virustot...62/information/
___

Fake 'ADP Payroll Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 "'ADP Payroll Invoice for week ending 03/27/2015' pretending to come from user <run.payroll.invoice@ adp .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Your ADP Payroll invoice for last week is attached for your review. If
    you have any questions regarding this invoice, please contact your ADP
    service team at the number provided on the invoice for assistance.
     Thank you for choosing ADP Payroll.
     Important: Please do not respond to this message. It comes from an
    unattended mailbox.


27 March 2015: random attachment zip name: Extracts to: ADP.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427467488/
___

Fake 'Information Request' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 - "'Information Request' pretending to come from Nicksen Stone <sale20@ thrivigor .com> with a zip attachment is another one from the current bot runs...
     Hello,
     We specialize in designing and manufacturing high quality metal and
    plastic parts suitable for electronic,industrial,agricultural and
    various applications.
    If you need any parts please feel free to send us drawing or sample for
    free quotes. Thank you.
     With Kind Regards,
    Nicksen Stone, Director
     Ningbo Efforteam Machinery Co.,Ltd
    Phone: +86-13777 101 355


27 March 2015: Random attachment zip name: Extracts to: Information.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427472615/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
66.147.244.169: https://www.virustot...69/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 27 March 2015 - 11:06 AM.



#1428 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 March 2015 - 06:36 AM

FYI...

Fake 'Vistaprint Invoice' SPAM - pdf malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'Vistaprint VAT Invoice' (random number) pretending to come from Vistaprint <VistaPrint-cc@ vistaprint .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...VAT-Invoice.png

30 March 2015: Random Attachment zip name: Extracts to: Invoice_1.exe
Current Virus total detections: 1/56* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427714331/
___

Fake 'ADP invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'ADP invoice for week ending 30/03/2015' pretending to come from Wilbert.Downs@ adp .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...week-ending.png

30 March 2015: invoice_285699291.zip: Extracts to: invoice_285699291.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427728309/
___

Fake 'PDF SWIFT TT COPY' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'PDF SWIFT TT COPY' pretending to come from soumiya@ ulckuwait .com with a zip attachment is another one from the current bot runs... The email looks like:
    Hello,
    Regarding payments for the outstanding, our accounting department have
    approved immediate payment to your accounts.
    Please attached is the Payment confirmation slip ,Kindly help reply
    urgently to confirm to us
    Best Regards,
    Kosta Curic
    EVRO – TURS DOO
    Požeška 80, Beograd, Srbija
    Jenneth Setu
    Purchase Manager


30 March 2015: Payment Confirmation pdf.zip: Extracts to: Payment Confirmation pdf.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427732925/
___

Fake 'Quotation' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'Quotation qzVNVm: (random characters)' pretending to come from Mark Kemsley <mark.kemsley@ energy-solutions .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...3/quotation.png

30 March 2015 : random Attachment zip name: Extracts to: Quotation.exe
Current Virus total detections: 5/50* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427738877/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
79.133.196.204: https://www.virustot...04/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
 

:ph34r:  <_<


Edited by AplusWebMaster, 30 March 2015 - 02:19 PM.



#1429 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 31 March 2015 - 06:19 AM

FYI...

Fake 'PO' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Your PO: SP14619' pretending to come from Sam S. <sales@ alicorp .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-PO-SP14619.png

31 March 2015 : APIPO1.doc - Current Virus total detections: 3/52* | 5/57**
... at least one of the macros downloads http ://probagep.sandbox.proserver .hu/54/78.exe (Virus Total***)... previous campaigns over the last few weeks have delivered 2 or 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427789087/

** https://www.virustot...sis/1427789118/

*** https://www.virustot...sis/1427788227/

- http://blog.dynamoo....4619-sam-s.html
31 Mar 2015
... Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165
95.163.121.178
"
___

Fake 'Latest Docs' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Your Latest Documents from RS Components' coming from random names at random companies from  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-Components.png

31 March 2015: G-A7835690138927462557376-1.doc - Current Virus total detections: 0/56*
... only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427798514/

- http://blog.dynamoo....our-latest.html
31 Mar 2015
... Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169
"
___

Fake 'Passport Copy' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "FW: Passport copy pretending to come from salim@ humdsolicitors .co.uk with what is supposed to be a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ssport-copy.png

31 March 2015 : passport.doc ...

- http://blog.dynamoo....sport-copy.html
31 Mar 2015 - "This fake legal spam comes with a malicious attachment. It appears to be a forwarded message from a solicitors office, but it is just a simple forgery... The attachment is named passport.doc. It is exactly the -same- malicious payload as the one used in this spam run earlier today*, and it drops the Dridex banking trojan on the victim's PC."
* http://blog.dynamoo....4619-sam-s.html
___

Fake 'Debit Note' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Debit Note [random numbers]' information attached to this email coming from random name and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely -blank- body...

31 March 2015 : random name .doc - Current Virus total detections: 0/56* | 0/56** | 0/56*** ..."
* https://www.virustot...sis/1427808913/

** https://www.virustot...sis/1427807988/

*** https://www.virustot...sis/1427808948/

- http://blog.dynamoo....note-12345.html
31 Mar 2015 - "This fake financial spam comes with a malicious attachment. There is -no- body text... The executable downloaded is identical to the one used in this spam run* also taking place today. The payload is the Dridex banking trojan."
* http://blog.dynamoo....our-latest.html
___

Fake 'Your returns label' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
31 Mar 2015 - "'CollectPlus :: Your returns label' pretending to come from info <info@ collectplus .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...turns-label.png

31 March 2015 : Random Attachment zip name: Extracts to: Reference.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427800182/
___

World Back Up Day ...
- https://blog.malware...e-safety-first/
Mar 31, 2015 - "If your response to the question “When did you last back up?” is something to do with parking your car, then you should really take note of World Back Up Day*...
* http://www.worldbackupday.com/en/
According to the World Back Up Day statistics:
• 30% of people have never backed up their data.
• 113 phones are stolen / lost every minute (Ouch. You may want to invest in some remote wipe technology too).
• 29% of data deletion disasters are caused by accident..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 31 March 2015 - 03:37 PM.



#1430 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 April 2015 - 04:43 AM

FYI...

Fake 'Tax Refund' SPAM - malware
- http://blog.dynamoo....ion-office.html
1 Apr 2015 - "This fake tax notification spam leads to malware hosted on Cubby.
    From:    Australian Taxation Office [noreply@ ato .gov .au]
    Date:    1 April 2015 at 00:51
    Subject:    Australian Taxation Office - Refund Notification
    IMPORTANT NOTIFICATION
    Australian Taxation Office - 31/03/2015
    After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.
    To view/download your tax notification please click here or follow the link below :
    https ://www .ato .gov .au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003
    Laurence Thayer, Tax Refund Department Australian Taxation Office


The names and the numbers -change- from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent .com (e.g. https ://www .cubbyusercontent .com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download. In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57*. Automated analysis tools... show that it downloads components from:
ebuyswap .co.uk/mandoc/muz3.rtf
eastmountinc .com/mandoc/muz3.rtf
It then attempts to phone home to:
141.105.141.87:13819/3103us13/HOME/41/7/4/
That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip .dyndns .org. Although this is benign, monitoring for it can be a good indicator of infection. These URL requests are typical of the Upatre downloader. According to the Malwr report it drops another binary jydemnr66.exe with a detection rate of 11/55** plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.
Recommended blocklist:
141.105.140.0/22
ebuyswap .co.uk
eastmountinc .com
"
* https://www.virustot...sis/1427874847/

** https://www.virustot...sis/1427876163/
___

Fake 'Delivery Note' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Apr 2015 - "'CIH Delivery Note 0051037484' pretending to come from Batchuser BATCHUSER <ecommsupport@ cihgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD


1 April 2015 : CIH Delivery Note 0051037484.doc
Current Virus total detections: 0/56* | 0/56** | 0/56*** | 0/56****
So far I have seen 4 versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427875359/

** https://www.virustot...sis/1427875359/

*** https://www.virustot...sis/1427875320/

**** https://www.virustot...sis/1427875511/

- http://blog.dynamoo....-batchuser.html
1 Apr 2015 - "The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment...
Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249
"
___

Fake 'Sales_Order' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Apr 2015 - "'Sales_Order_6100152' pretending to come from Hazel Gough <hazel.gough@ kosnic .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...der_6100152.png

1 April 2015 : Sales_Order_6100152.doc ... same malware although renamed as today’s CIH Delivery Note 0051037484 – word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Fake 'Unpaid Invoice' SPAM - vbs malware
- http://myonlinesecur...rs-vbs-malware/
1 Apr 2015 - "'Unpaid Invoice [ID:99846] or This is your Remittance Advice [ID:98943]' (all random ID numbers) coming from -random- email addresses, persons and companies with a zip attachment is another one from the current bot runs... The attachments on these are so tiny at less than 1kb in size, that users will be easily fooled into thinking that they are harmless. The zips contain an encoded vbs script... The email body is totally -blank- ...

1 April 2015: Random Attachment zip name: Extracts to: 83JHE76328475243920_1a.doc.vbs
Current Virus total detections: 0/58* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427886418/

- http://blog.dynamoo....oice-09876.html
1 Apr 2015 - "... has -no- body text and comes from random senders... It has a ZIP attachment which contains... a malicious VBS script... very similar to the VBA macro used in this spam run yesterday:
> http://blog.dynamoo....our-latest.html
This binary has a detection rate of 4/55*..."
* https://www.virustot...sis/1427886150/
... Behavioural information
TCP connections
188.120.225.17: https://www.virustot...17/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/
___

Fake 'Remittance' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Apr 2015 - "'Your Remittance Advice NB PRIVATE EQUITY PARTNERS LTD'  (the company name is totally random but matches the name in the body) coming from random email addresses from  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The attachment name matches the advice in the body and looks like:

    Dear sir or Madam,
     Please find attached a remittance advice (ZL147QNXM.doc) for your information.
    Should you need any further information, please do not hesitate to contact us.
     Best regards
    NB PRIVATE EQUITY PARTNERS LTD


1 April 2015 : ZL147QNXM.doc - Current Virus total detections: 1/57*
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1427895461/

- http://blog.dynamoo....nce-advice.html
1 Apr 2015 - "... Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78
"
___

Fake 'o/s invoices' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
1 Apr 2015 - "'Van Sweringen o/s invoices' pretending to come from Lisa Anderson <landerson@ homewatchcaregivers .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Outstanding invoices attached!
    Thank you!
    Lisa
    Lisa J. Anderson/Office Manager
    Homewatch CareGivers of
    23811 Chagrin Blvd. Suite 114
    Beachwood, OH 44122 ...


1 April 2015: 6100_NULGE.zip : Extracts to: en_en.exe
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427902354/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/<<<
94.23.6.64: https://www.virustot...64/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/<<<
___

Xtube Exploit leads to Cryptowall Malware
- https://blog.malware...towall-malware/
31 Mar 2015 - "We wrote about the adult site xtube .com being compromised -redirecting- visitors to a landing page for the Neutrino Exploit kit last week*... The malware that dropped from the exploit was found here** and was called xtube.exe... All user files are encrypted using “RSA-2048” encryption. In order to pay the -ransom- victims are instructed to visit paytoc4gtpn5cz12.torconnectpay .com. A separate address is also provided over the tor network:
> https://blog.malware...ELP_DECRYPT.png
... 'always good to remember that highly ranked websites (including adult content) are a prime target for hackers due to the traffic they get..."
* https://blog.malware...ia-neutrino-ek/

** https://www.virustot...e1357/analysis/
... Behavioural information
TCP connections
188.165.164.184: https://www.virustot...84/information/
93.185.106.78: https://www.virustot...78/information/

- http://blog.trendmic...ds-for-1q-2015/
April 1, 2015 - "Since the start of 2015, we have spotted several variants of crypto-ransomware plague the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were -not- limited to that region; Turkey, Italy, and France were also affected by this malware. We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware. These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price..."
(More detail at the trendmicro URL above.)
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 01 April 2015 - 12:57 PM.



#1431 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 02 April 2015 - 05:43 AM

FYI...

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
2 Apr 2015 - "'Invoice Attached' pretending to come from Kayel Brewery Supplies <sales@ kayel .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-Attached.png

23 April 2015 : I32230.doc - Current Virus total detections: 2/57* | 2/56**
... at least one of the macros downloads http ://WORKSPACECEGLARSKI .COM/025/42.exe ... 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustot...sis/1427962106/

** https://www.virustot...sis/1427962238/
___

Fake 'P.O.' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
2 Apr 2015 - "'Purchase Order 4390' pretending to come from Sales R-Tech <sales@ r-techwelding .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...90-1024x738.png

2 April 2015 : Purchase Order 4390.doc* ... same malware and download locations as today’s other macro malware downloaders Invoice Attached Kayel Brewery Supplies Gary Laker – word doc or excel xls spreadsheet malware* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Fake 'Purchase Invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
2 Apr 2015 - "'[426168]( random) Medico-Legal Report Expert Purchase Invoice' pretending to come from case <case@ dasmedical .co.uk> with a zip attachment is another one from the current bot runs... The email looks like:
     Please find the attached documents
     1. The expert Purchase Invoice.


2 April 2015: 426168_Y8b4fBMdb_551D0159.F9F84862@ ....co.uk.zip: Extracts to: invoice.exe
Current Virus total detections: 2/56* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427967925/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
199.189.85.156: https://www.virustot...56/information/
___

Fake 'bank invoice' SPAM - malware
- http://blog.dynamoo....lsterbanki.html
2 Apr 2015 - "This fake banking email leads to malware.
    From:    invoice@bankline.ulsterbank.ie [invoice@ bankline .ulsterbank.ie]
    Date:    2 April 2015 at 11:46
    Subject:    Outstanding invoice
    Dear [victim],
    Please find the attached copy invoice which is showing as unpaid on our ledger.
    To download your invoice please click here
    I would be grateful if you could look into this matter and advise on an expected payment date .
    Courtney Mason
    Credit Control
    Tel: 0845 300 2952


The link in the email leads to a download location at hightail .com (the sample I saw downloaded from https ://www.hightail .com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.
The executable has a VirusTotal detection rate of 3/57* and has characteristics that identify it as Upatre. Automated analysis tools... show that it downloads additional components from:
eduardohaiek .com/images/wicon1.png
edrzambrano .com.ve/images/wicon1.png
It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:
http ://141.105.141.87 :13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57**. This is probably the Dyre banking trojan.
Recommended blocklist:
141.105.140.0/22
eduardohaiek .com
edrzambrano .com

MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6 "
* https://www.virustot...sis/1427971860/

** https://www.virustot...sis/1427972349/
___

Fake 'scanned docs' SPAM - malware
- http://blog.dynamoo....ument-from.html
2 Apr 2015 - "These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.
From:    Cindy Pate [Caroline.dfd@ flexmail .eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]
Reply to: HP-Scanner@ flexmail .eu
Model:KX-240NGZDC
Location: 1st Floor Office
File Format: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document...


I have seen three different malicious attachments with low detection rates... which appear to contain one of two macros... which download a further component from one of the following locations:
http ://93.158.117.163 :8080/bz1gs9/kansp.jpg
http ://78.47.87.131 :8080/bz1gs9/kansp.jpg
Those servers are almost definitely malicious in other ways, the IPs are allocated to:
93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)
This is then saved as %TEMP%\sdfsdffff.exe ... Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.
Recommended blocklist:
188.120.225.17
92.63.88.0/24
121.50.43.175
95.163.121.0/24
82.151.131.129
46.19.143.151
45.55.154.235
195.130.118.92
199.201.121.169
95.211.168.10
222.234.230.239
93.158.117.163
78.47.87.131
..."
___

Fake 'Snap on Tools invoice copies' SPAM - malware
- http://blog.dynamoo....es-snap-on.html
2 Apr 2015 - "This -fake- invoice does not come from Snap On Tools, but is instead a simple forgery.
    From:    Allen, Claire [Claire.Allen@ snapon .com]
    Date:    24 February 2015 at 14:41
    Subject:    Copy invoices Snap on Tools Ltd
    Good Afternoon
    Attached are the copy invoices that you requested.
    Regards
    Claire
    Your message is ready to be sent with the following file or link attachments:
    SKETTDCCSMF14122514571 ...


... attachment SKETTDCCSMF14122514571.doc which contains this malicious macro... which downloads a further component from:
http ://ws6btg41m.homepage. t-online .de/025/42.exe
This executable has a detection rate of 5/57*. Various automated analyses... show attempted communications to the following IPs:
91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)
According to this Malwr report it drops another version of the downloader called edg1.exe [VT 4/57**] and a malicious Dridex DLL [VT 2/57***].
Recommended blocklist:
91.242.163.70
72.167.62.27
62.113.219.35
46.101.49.125
130.241.92.141
198.245.70.182
94.23.173.233
14.98.243.243
5.100.249.215
62.113.223.227
..."
* https://www.virustot...sis/1427978113/

** https://www.virustot...sis/1427979096/

*** https://www.virustot...sis/1427979103/
 

:ph34r:  <_<


Edited by AplusWebMaster, 02 April 2015 - 10:42 AM.

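The posts above keep returning to the same two red flags: a zip whose only member is a .exe or .scr wearing a PDF icon (scan.exe, invoice.exe, Doc_0062119-LQ.scr), and a document-looking name with the real extension hidden behind it when "show known file extensions" is off. The following is an added Python example, not code from the thread or from the quoted blogs, that turns that advice into a check a mail gateway or triage script could run on an attachment before a user sees it: it inspects member names for executable and double extensions and also reads the first bytes, since a Windows executable starts with "MZ" whatever its name. The sample archive it builds is constructed here for illustration.

```python
"""Flag e-mail attachments that disguise executables as documents.

Added example (not from the forum thread or the quoted blogs). The
extension lists are illustrative, not exhaustive; the in-memory zip is a
constructed sample shaped like the ones reported in the thread.
"""
import io
import zipfile

# Extensions Windows runs on double-click (illustrative list).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "cpl", "msi"}
# Extensions a user expects to be a harmless document or media file; the
# samples in the thread put one of these in front of the real one
# (e.g. "msg0005.wav.exe", "invoice....doc.exe").
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "xml", "jpg",
                "png", "txt", "rtf"}


def classify_name(filename):
    """Return the reasons a file name looks like a disguised executable."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    reasons = []
    if len(parts) < 2:           # no extension at all
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
        # a document extension immediately before the real one (".wav.exe")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def classify_bytes(data):
    """Content check: a PE image begins with 'MZ' regardless of its name."""
    return ["PE header (MZ) in content"] if data[:2] == b"MZ" else []


def inspect_zip(zip_bytes):
    """Map each archive member to its findings (empty list = nothing found)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as member:
                reasons += classify_bytes(member.read(2))
            findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: two fake PE stubs and one real-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("msg0005.wav.exe", b"MZ\x90\x00" + b"\x00" * 60)  # fake PE stub
        zf.writestr("Form.scr", b"MZ" + b"\x00" * 30)                   # fake PE stub
        zf.writestr("invoice.pdf", b"%PDF-1.4\n")                       # benign
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```

The name check alone would already catch every sample in the posts above; the "MZ" check is what catches the case where the sender drops the executable extension entirely and relies on the icon, and it is cheap because only two bytes of each member are read.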


#1432 AplusWebMaster

Posted 03 April 2015 - 06:01 AM

FYI...

Fake 'Scanned Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
3 Apr 2015 - "'Scanned Invoice [89412268] from FLYBE GROUP PLC' pretending to come from Warren Horn <Moses.3a@ tcl. net .in> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Location: 1st Floor Office
     File Extension: DOC (Medium)
    Resolution: 300dpi x 300dpi
     Attached file is scanned document in DOC format.
    Warren Horn , FLYBE GROUP PLC


3 April 2015: 89412268.doc - Current Virus total detections: 0/56*
This downloads http ://75.150.62.121 :8080/bz1gs9/kansp1.jpg and then renames it to %temp%\dfsdfff.exe and runs without any further user interaction (VirusTotal**) ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1428054150/

** https://www.virustot...sis/1428057630/
... Behavioural information
TCP connections
151.252.48.36: https://www.virustot...36/information/
185.35.77.12: https://www.virustot...12/information/
199.201.121.169: https://www.virustot...69/information/
193.255.201.86: https://www.virustot...86/information/
188.226.129.49: https://www.virustot...49/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/

75.150.62.121: https://www.virustot...21/information/
___

Fake 'calcs attachments' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Apr 2015 - "'All American C&E/ Nardin' pretending to come from office <office@ energycalcs .net> with a zip attachment is another one from the current bot runs... The email looks like:
     Your completed calcs are attached.
    The first attachment is your Manual J&S Load calcs.
    The second is your Form 405-10 Energy code compliance calc.
    If you have any questions, feel free to call.
    Thank you so much for your business!
    Ed Wolfe- Office Manager
    Energycalcs.net, Inc ...


3 April 2015: Random Attachment zip name: Extracts to: iDocs.exe
Current Virus total detections: 4/56* . The attachment with this All American C&E/ Nardin email is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428054460/
 

:ph34r:  <_<


Edited by AplusWebMaster, 03 April 2015 - 06:17 AM.



#1433 AplusWebMaster

Posted 06 April 2015 - 06:25 AM

FYI...

Fake Barclays SPAM – PDF malware
- http://myonlinesecur...-pdf-malware-3/
6 Apr 2015 - "'Barclays – Important Update, read carefully!' pretending to come from Barclays Online Bank <security-update@ Barclays. co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...d-carefully.png

6 April 2015: Form.zip: Extracts to:  Form.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428321955/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustot...70/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

- http://threattrack.t...ant-update-spam
Apr 6, 2015
 

:ph34r:  <_<


Edited by AplusWebMaster, 06 April 2015 - 09:43 PM.



#1434 AplusWebMaster

Posted 07 April 2015 - 06:10 AM

FYI...

Fake 'EBOLA INFO' SPAM - malicious attachment
- http://blog.dynamoo....nformation.html
7 Apr 2015 - "This fake medical email contains a malicious attachment...
    From:    noreply@ ggc-ooh .net
    Reply-To:    noreply@ ggc-ooh .net
    Date:    7 April 2015 at 08:58
    Subject:    EBOLA INFORMATION
    This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ ggc-ooh .net
    PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.
    THANK YOU.


Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro... which contains a lot of girls' names as variables ... When decoded the macro downloads a component from:
http ://deosiibude .de/deosiibude.de/220/68.exe
VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools... show it phoning home to the following IPs...:
37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)
85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)
According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.
Recommended blocklist:
37.140.199.100
46.228.193.201
130.241.92.141
46.101.49.125
122.167.6.68
85.255.173.109
5.100.249.215
217.37.39.235
81.190.50.232
46.228.193.201
89.228.15.18

MD5s:
E4CC002A95CAAF4481CB7140BBE96C58
C86A9D012E372D0C3A82B14978FFA1F0
F98A674A5FA473AC9BF738636FF6374E "
___

Fake 'Invoice Maid of London' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 Apr 2015 - "'March 2015 Invoice' pretending to come from Accounts @ Maid of London <accounts@ maidoflondon .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...d-of-London.png

7 April 2015 : March invoice 811.doc - Current Virus total detections: 0/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1428403055/
___

Fake 'legal claim' SPAM - malicious attachment
- http://blog.dynamoo....has-issued.html
7 Apr 2015 - "This fake legal spam comes with a malicious attachment:
    From:    Isiah Mosley [Rosella.e6@ customer .7starnet .com]
    Date:    7 April 2015 at 14:09
    Subject:    Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]
    Schroders,Isiah Mosley


The company name is randomly chosen. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro... Along with an alternate macro, I can see download locations from:
http ://185.39.149.178 /aszxmy/image04.gif
http ://148.251.87.253 /aszxmy/image04.gif
For the record, 185.39.149.178 is OOO A.S.R. in Russia and 148.251.87.253 is Hetzner in Germany. The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detection rate of 2/56*. Automated analysis tools... show the malware phoning home to:
151.252.48.36 (Vautron Serverhousing, Germany)
According to the Malwr report, it drops a DLL with a detection rate of 2/56* which is most likely a Dridex DLL.
Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178

MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0"
* https://www.virustot...a0281/analysis/
___

Fake 'Chase Card Services' SPAM – malware
- http://myonlinesecur...ayment-malware/
7 Apr 2015 - "'Thank you for scheduling your online payment' pretending to come from Chase Card Services <no-reply@ alertsp .chase .com> with a zip attachment is another one from the current bot runs...
  Dear Thank you for scheduling your recent credit card payment as an attachment. Your payment in the amount of 3898.96 will be credited to your credit card account (CREDIT CARD) ending in 2143 on 04/07/2015.
Now that you’re making your payment online, are you aware of all the convenient ways you can manage your account online?
    See statements – Choose to stop receiving paper statements, and see up to six years of your statements online.
    See automatic payments – Set up monthly payments to be made automatically.
    Transfer a balance – Transfer a balance to your credit card account.
    Go to Personalized Alerts – Schedule Alerts to remind you of key account activity.
You can also see past payments you’ve made online by logging on to www.chase.com/creditcards and clicking “See/cancel payments” under “I’d like to …”
If you have questions, please call the Customer Service number on the back of your credit card.
Thanks again for using online payments.
Sincerely,
Cardmember Services ...


7 April 2015: payment-2143-wiqr_BSFMN.zip: Extracts to:  payment.exe
Current Virus total detections: 7/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF or image file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428417618/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
162.252.57.88: https://www.virustot...88/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
 

  :ph34r:  <_<


Edited by AplusWebMaster, 07 April 2015 - 09:56 AM.



#1435 AplusWebMaster

Posted 08 April 2015 - 02:36 AM

FYI...

- http://krebsonsecuri...is-defacements/
Apr 7, 2015

Fake Government Websites ...
- https://www.us-cert....rnment-Websites
Apr 7, 2015 - "The Internet Crime Complaint Center (IC3) has released an alert that warns consumers of fraudulent government-services websites that mimic legitimate ones. Scam operators lure consumers to these -fraudulent- websites in order to steal their personal identifiable information (PII) and collect fees for services that are never delivered. US-CERT encourages users to review the IC3 Alert* for details and refer to the US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* http://www.ic3.gov/m...5/150407-2.aspx
Apr 7, 2015
** https://www.us-cert....s/tips/ST04-014
Apr 7, 2015
___

Web Site Defacements ...
- https://www.us-cert....ite-Defacements
Apr 7, 2015 - "The Internet Crime Complaint Center (IC3) has issued an alert addressing recently perpetrated Web site defacements. The defacements advertise themselves as associated with the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). However, FBI assesses that the perpetrators are -not- actually associated with this group. The perpetrators exploit WordPress content management system (CMS) vulnerabilities, leading to disruptive and costly effects. Users and administrators are encouraged to review the IC3 Alert* for details and refer to the US-CERT Alert TA13-024A** for information on CMS security."
* http://www.ic3.gov/m...5/150407-1.aspx
Apr 7, 2015
** http://www.us-cert.g...lerts/TA13-024A
Apr 7, 2015
___

Fake 'UNPAID INVOICES' SPAM - malicious attachment
- http://blog.dynamoo....ices-wayne.html
8 Apr 2015 - "This -fake- invoice spam is not from Orion Plastics but is instead a simple forgery with a malicious attachment.
    From:    Wayne Moore [wayne44118@ orionplastics .net]
    Date:    8 April 2015 at 09:03
    Subject:    TWO UNPAID INVOICES
    4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
    INVOICE # 029911  DATED 1/7/15 FOR $840.80
    INVOICE # 030042  DATED 1/30/15 FOR $937.00
    PLEASE ADVISE WHEN  YOU SENT CHECK AND TO WHAT ADDRESS
    I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT
    REGARDS-WAYNE


In this case the email was -malformed- and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56*. Extracting the document revealed this malicious macro... which downloads an additional component from:
http ://fzsv .de/11/004.exe
There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54**. Automated analysis tools... show it phoning home to the following IPs:
37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)
The Malwr report shows it attempting to connect to a couple of Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:
90.84.136.185
184.25.56.220
According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57**.
Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46

MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877 "
* https://www.virustot...sis/1428485931/

** https://www.virustot...sis/1428485937/
___

Fake 'BACS Transfer' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Apr 2015 - "'BACS Transfer : Remittance for JSAG783GBP' pretending to come from random names and  email addresses at natwest .com with a zip attachment is another one from the current bot runs... The email which has random amounts looks like:

    We have arranged a BACS transfer to your bank for the following amount : 4278.00
    Please find details attached.


8 April 2015: BACS_Transfer_AQ004719.zip : Extracts to:  BACS_Transfer_AQ004719.scr
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428491113/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
66.7.216.61: https://www.virustot...61/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Password Re-activation' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Apr 2015 - "'Bankline ROI – Password Re-activation Form' pretending to come from various names and email addresses @rbs .co .uk with a zip attachment is another one from the current bot runs... The email looks like:
    Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form.
    Fax to 1850 262125 or alternatively you may wish to email the completed document, by attaching it to an email and sending it to banklineadministration@ rbs .co .uk
    On receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email.
    <<Bankline_Password_reset_3978322.pdf>>
    Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered.
    Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details.
    If you are the sole Standard Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in a Standard Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner.
    If you require any further assistance then please do not hesitate to contact us on 1850 245140 and one of our associates will be happy to assist you.
    Regards
    Bankline Product Support ...


Same malware payload, although -renamed- as Bankline_Password_reset_0319234.zip (random numbers) as today’s NatWest attempt BACS Transfer : Remittance for JSAG783GBP – fake PDF malware* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
___

Fake 'Invoice' SPAM - malicious doc/xls
- http://blog.dynamoo....mpany-name.html
8 Apr 2015 - "This -Dridex- spam takes a slightly different approach from other recent ones. Instead of -attaching- a malicious Office document, it downloads it from a compromised server instead. The example I saw read:
    From:    Mitchel Levy
    Date:    8 April 2015 at 13:45
    Subject:    Invoice from MOTHERCARE
    Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.
    Download your invoice here.
    Thanks for attention. We appreciate your business.
    If you have any queries, please do not hesitate to contact us.
    Mitchel Levy, MOTHERCARE


The link in the email has an address using the domain afinanceei .com plus a subdomain based on the recipient's email address. It also has the recipient's email address embedded in the URL, for example: http ://victimbfe .afinanceei .com/victim@ victim .domain/
This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:
> https://4.bp.blogspo...dex-landing.png
... The link in the email downloads a file from:
http ://31.24.30.12 /api/Invoice.xls
At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http ://31.24.30.12 /api/ shows a -fake- page pretending to be from Australian retailer Kogan:
> https://4.bp.blogspo.../fake-kogan.png
As you might guess, Invoice.xls contains a malicious macro... but the real action is some data hidden in the spreadsheet itself... it instructs the computer to download a malicious binary from:
http ://46.30.43.102 /cves/kase.jpg
This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC. This binary has a VirusTotal detection rate of 6/57*. Automated analysis tools... show it communicating with the following IPs:
109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)
In addition there are some Akamai IPs which look benign...
184.25.56.212
184.25.56.205
2.22.234.90
According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack:
> http://blog.dynamoo....ices-wayne.html
Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478 "
* https://www.virustot...sis/1428499086/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 08 April 2015 - 11:37 AM.

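The dynamoo.com write-ups quoted in this post end with a "Recommended blocklist" that mixes single IPs, CIDR ranges (141.105.140.0/22, 95.163.121.0/24) and defanged domain names ("eduardohaiek .com"), and one of them warns that the Akamai addresses seen in the sandbox run would cause collateral damage if blocked. The following is an added Python example, not code from the thread or from those blogs, showing how a defender would consume such a list: parse it with the standard library's ipaddress module (re-joining the defanged tokens), keep an allowlist for the shared-CDN addresses, and run firewall and proxy log lines through it to find hosts that talked to the listed infrastructure. The blocklist text is assembled from entries quoted in this post; the log lines are constructed for illustration.

```python
"""Match log lines against a 'Recommended blocklist' of IPs, CIDRs and domains.

Added example (not from the forum thread or the quoted dynamoo.com posts).
Blocklist entries are taken from the lists quoted above; the allowlist
holds the two Akamai addresses the author flagged as probable collateral
damage; the log lines are constructed samples.
"""
import ipaddress
import re

SAMPLE_BLOCKLIST = """
141.105.140.0/22
eduardohaiek .com
edrzambrano .com
95.163.121.0/24
46.30.43.102
"""

# Shared-CDN addresses that must not be blocked even if they appear in a run.
ALLOWLIST = {"90.84.136.185", "184.25.56.220"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def parse_blocklist(text):
    """Return (networks, domains). Whitespace inside an entry (defanging) is removed."""
    networks, domains = [], set()
    for raw in text.splitlines():
        entry = re.sub(r"\s+", "", raw)
        if not entry:
            continue
        try:
            # single IPs become /32 networks; strict=False tolerates host bits
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lower())
    return networks, domains


def matches(line, networks, domains, allowlist=ALLOWLIST):
    """Return the blocklist entries one log line hits (empty list = clean)."""
    hits = []
    for ip_str in IP_RE.findall(line):
        if ip_str in allowlist:
            continue
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:       # e.g. 300.1.1.1 matched the regex but is not an IP
            continue
        hits += [str(n) for n in networks if ip in n]
    for host in HOST_RE.findall(line):
        host = host.lower()
        # exact domain or any subdomain of it (www.eduardohaiek.com)
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(host)
    return hits


def scan(lines, blocklist_text=SAMPLE_BLOCKLIST):
    """Return [(line, hits)] for every line that touched listed infrastructure."""
    networks, domains = parse_blocklist(blocklist_text)
    results = []
    for line in lines:
        hits = matches(line, networks, domains)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log lines (firewall and proxy style).
SAMPLE_LOGS = [
    "2015-04-02T11:52:10 fw ALLOW tcp 10.0.0.15:49213 -> 141.105.141.87:13840",
    "2015-04-02T11:52:11 proxy GET http://eduardohaiek.com/images/wicon1.png 200",
    "2015-04-02T11:52:12 proxy GET http://www.example.org/index.html 200",
    "2015-04-02T11:52:13 fw ALLOW tcp 10.0.0.15:49220 -> 184.25.56.220:443",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(f"HIT {hits}: {line}")
```

Single IPs are stored as /32 networks so that one containment test covers both forms, and the allowlist is consulted before the network match, so an Akamai address listed by mistake still never fires.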



#1436 AplusWebMaster

Posted 09 April 2015 - 03:59 AM

FYI...

Fake 'Credit card transaction' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
9 Apr 2015 - "'Credit card transaction' pretending to come from Matthews, Tina <tina@ royalcarson .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...transaction.png

9 April 2015: 20150326094147512.doc - Current Virus total detections: 0/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1428569272/

- http://blog.dynamoo....thews-tina.html
9 Apr 2015
"...Tina Matthews
... Recommended blocklist:
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24
..."
___

Fake 'sorry you had a problem' SPAM – malware
- http://myonlinesecur...rchase-malware/
9 Apr 2015 - "'We’re sorry you had a problem with your purchase' coming from random email addresses with a zip attachment is another one from the current bot runs... There are lots of different subjects with this malware spam run today. They include:
    we’re issuing you a refund
    a full refund
    We’re sorry you had a problem with your purchase
    The refund include original shipping
    a payment reminder
    RE: direct debit payment
    direct debit payment
    invoice
    NEW Payment reminder ...
The email looks like:

    'We issued you a full refund of 161.18 on Apr 09, 2015 The refund includes the purchase price plus original shipping.
    Decision:
    This case has been decided in your favor.
    We’re sorry you had a problem with your purchase, and we’re issuing you a refund for this case.'

-Or-

    'Hello, Payment Reminder: your invoice 62169289 dated 07.04.2015 in the amount 573.96'


All the emails have different amounts  and various dates. The attachment names vary. So far I have seen refund_shipping_DOC.xml.exe and invoice.92004711.2015.04.08.doc.exe ...
9 April 2015: refund_shipping_DOC.xml.zip: Extracts to: refund_shipping_DOC.xml.exe
Current Virus total detections: 1/57* - This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428567172/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Trade Confirmation' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Apr 2015 - "'Your Trade Confirmation(s) are Available' pretending to come from noreply@ masteryconnect .com with a zip attachment is another one from the current bot runs... The email looks like:

Please review the attached RFI, Submittal cheatsheet – this update reflects latest changes from RVA.

9 April 2015 : view kklvyg.zip: Extracts to:  view.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428583433/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Fake 'Mail Out Report' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Apr 2015 - "'Mail Out Report Attached' pretending to come from Alert ARC Reports <zen179397@ zen .co .uk> with a zip attachment is another one from the current bot runs... The email looks like:

    From Securitas, please do not reply to this e-mail as it is auto generated.
    For any problems please e-mail derry.andrews@ securitas .co .uk


9 April 2015: Q100219366_Mail Out Report.zip: Extracts to: Q100219366_Mail Out Report.exe
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428580032/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
208.91.198.171: https://www.virustot...71/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Voicemail' SPAM – wav malware
- http://myonlinesecur...ke-wav-malware/
9 Apr 2015 - "'New message in mailbox 301***200' pretending to come from Voipfone Voicemail <voicemail@ voipfone .co .uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...in-mailbox..png

9 April 2015: msg0005.wav.zip : Extracts to:   msg0005.wav.exe
Current Virus total detections: 2/47* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( voice) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428582133/
... Behavioural information
UDP communications
23.99.222.162: https://www.virustot...62/information/
___

Fake 'incoming wire' – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Apr 2015 - "'Unknown incoming wire' pretending to come from random names @metrobankonline .co.uk with a zip attachment is another one from the current bot runs... The email looks like:
     The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
    EFT Amount:                       60,200.00 GBP
    Remitted From: SSA TREAS 310 MISC PAY
    Designated for:                       UNKNOWN
    Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
    If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
    Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00, April 09, 2015.
    Thank you...


9 April 2015: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428584776/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
149.255.58.7: https://www.virustot....7/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Fake 'disneyinteractive' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Apr 2015 - "'yearly Report' pretending to come from apps@ e.disneyinteractive .com with a zip attachment is another one from the current bot runs... The email looks like:

    Annual Report as an attachment

9 April 2015: Annual #Thu, 09 Apr 2015 18_14_02 +0100.cab: Extracts to: Report.exe
Current Virus total detections: 7/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428598594/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
104.156.59.86: https://www.virustot...86/information/
___

Namailu .com SPAM
- http://blog.dynamoo....lucom-spam.html
9 Apr 2015 - "This -spam- has been appearing in my inbox for several days now:
From:    Shana Felton [9k7bf-2976014268@serv .craigslist .org]
Date:    9 April 2015 at 19:10
Subject:    New commitment invitation - [redacted]
Sarah Smith
Hi Namailu User,
You have a commitment invitation from Sarah Smith. To view your commitment invitation please follow this link:
View Invitation
Copyright © 2015, Namailu Online Ltd...

    
Clicking through the link leads to https ://www .namailu .com/Smith.Sarah.206
> https://4.bp.blogspo...00/namailu1.jpg
Obviously we are led to believe that the girl in the picture is sending the message:
> https://3.bp.blogspo...5448322.png.jpg
Reverse image search comes up with -no- matches, unusually. Goodness knows how many people there are called "Sarah Smith" in New Zealand. Probably quite a lot. The spam messages come from a range of IPs that are also used to spam out promotional material for a site called dirtyemojis .com (using a redirector of dirtyemojis .ru). The spam is sent from a range of Chinese IP addresses... In each case the "From" address is -fake- ... A quick search of the body text of the message shows that it has been spammed out quite widely... this clueless approach does -not- bode well for a site that deals in highly personal data and my personal opinion would be to give this particular outfit a very wide berth."
___

Fake 'eFax'message SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Apr 2015 - "'eFax message from “Anna” – 2 page(s), Caller-ID: 1- 920-530-9136' pretending to come from eFax <no-replay@ efax .com> with a zip attachment is another one from the current bot runs... The email looks like:

Logo_eFax     
    JOIN THE eFax COMMUNITY
    Facebook         twitter         google+         youtube
border1
You have a new eFax message. To view your message, see your fax attached or login here.
Fax Details
Caller Id:
Received:
Type:
Number of pages:
Reference #:
920-530-9136
Wed, 08 Apr 2015 18:43:01 +0100
Attached in pdf
2
atl_did9-SK6dCw_1X4W21v_3tk3rGIT
With eFax, did you know you can:
•     Send faxes from your desktop or mobile device
•     Sign and edit faxes with no printing required
•     Send large files by email (up to 1 GB)
Learn more >>
Thank you for using eFax!
Sincerely,
The eFax Team
P.S. Want more solutions to help your business?
Test drive our cloud services from j2 Global with a Free Trial today!
border2
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
© 2015 j2 Cloud Services, Inc. All rights reserved.
eFax is a registered trademark of j2 Cloud Services, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.


8 April 2015: SK6dCw 1X4W21v 3tk3rGIT.zip: Extracts to: chase.exe
Current Virus total detections: 5/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428511349/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
67.222.12.237: https://www.virustot...37/information/
109.237.134.22: https://www.virustot...22/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

Fake 'Chase Card For your account' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Apr 2015 - "'Chase Card For your account' ending pretending to come from Chase <dont@ alertsp .chase .com> with a zip attachment is another one from the current bot runs... Other subjects in this chase card spam malware run are:
    Hi Customer
    For your account ending ...
The email looks like:
 
If you are having trouble viewing this message, please click here.  E-mail Security Information.
    CHASE     
GET ITEMIZED & ORGANIZED
1. Log on to www .chase .com/creditcards.
At the bottom of you statement page, click "year end summary" link.
View,print, or save your summary.
ACTIVATE ALERTS
GO PAPERLESS
Dear Customer,
For your credit card ending in: 0093Your 2015 Year End Summary is now attached and ready for you to view. If you have additional accounts that qualify for a year end summary, you will be notified shortly when they are available.
This year’s summary includes eight categories to provide detail about how you use your card. We hope you find this summary helpful as you prepare your taxes and set your budget for 2016.
See all your transactions by category:
Categories
Sincerely,
sig
Deb Walden
Executive Vice President
Customer Experience
Chase Card Services
spacer
GET YOUR FREE SUMMARY - GO NOW


8 April 2015: Chase_Chase Card_information.zip: Extracts to: Chase_Chase Card_information.exe
Current Virus total detections: 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...."
* https://www.virustot...sis/1428505049/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
67.222.12.237: https://www.virustot...37/information/
109.237.134.22: https://www.virustot...22/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 09 April 2015 - 03:48 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
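Every alert above turns on the same trick: a zip attachment whose member is an executable (refund_shipping_DOC.xml.exe, msg0005.wav.exe, USPS04142015.scr) that shows up as a document when Windows hides known extensions. The following is an added example, not code from the forum post or the quoted blogs, of how a mail gateway or triage script can flag that pattern by listing the archive without extracting it: it reports double extensions, bare executables, and members whose name looks harmless but whose content starts with the PE `MZ` header. The sample archive is constructed in memory; the member names are taken from the attachment names reported above, the contents are stubs.

```python
"""Inspect a zip attachment without extracting it and flag executables
disguised as documents (the "spoofed icon" trick described in the posts).

Added example, not code from the forum post or the quoted blogs.  The
sample archive below is constructed in memory; the member names are taken
from the attachment names reported above, the contents are fake stubs.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf"}
# Extensions a user expects to be harmless data files.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".xml", ".wav", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable


@dataclass
class Finding:
    member: str
    reason: str


def classify_name(name: str) -> Optional[str]:
    """Return why a member name looks like a disguised executable, or None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    real_ext = "." + parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return None
    # e.g. refund_shipping_DOC.xml.exe: with extensions hidden, the user sees "...DOC.xml"
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return f"double extension .{parts[-2]}{real_ext}"
    return f"executable {real_ext} inside archive"


def scan_zip_bytes(data: bytes) -> List[Finding]:
    """List every archive member that is an executable by name or by content."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason is None:
                # Name looks harmless; check the content magic (e.g. report.pdf that is really a PE).
                with zf.open(info) as fh:
                    if fh.read(2) == PE_MAGIC:
                        reason = "PE (MZ) header behind a non-executable extension"
            if reason:
                findings.append(Finding(info.filename, reason))
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: names from the posts above, contents are harmless stubs.
SAMPLE_ZIP = build_sample_zip({
    "refund_shipping_DOC.xml.exe": b"MZ\x90\x00stub",
    "USPS04142015.scr": b"MZ\x90\x00stub",
    "report.pdf": b"MZ\x90\x00stub",      # harmless-looking name, executable content
    "scan.pdf": b"%PDF-1.4\n%stub",       # genuine-looking PDF, should pass
})

if __name__ == "__main__":
    for f in scan_zip_bytes(SAMPLE_ZIP):
        print(f"{f.member}: {f.reason}")
```

The name check alone would miss the fourth case (a real PE renamed to .pdf), which is why the content magic is read as well; conversely a genuine PDF with a scary-looking name is not flagged, so the check stays usable as an automatic quarantine rule rather than a warning users learn to ignore.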


#1437 AplusWebMaster

Posted 10 April 2015 - 08:15 AM

FYI...

Fake 'Invoice Payment Confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Apr 2015 - "'Invoice Payment Confirmation' pretending to come from WEBHOSTING UK <billing@ webhosting .uk .com> with a malicious word doc or Excel XLS spreadsheet attachment  is another one from the current bot runs... The email looks like:

Screenshot: http://myonlinesecur...onfirmation.png

10 April 2015 : WHUK2009-160824.doc - Current Virus total detections: 4/57*
... which downloads Dridex from [DO NOT CLICK] architectureetenvironnement .ma/762/532  which is saved as %temp%\miron3.6.exe (virus total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1428669374/

** https://www.virustot...sis/1428673121/
... Behavioural information
TCP connections
37.140.199.100: https://www.virustot...00/information/
90.84.59.66: https://www.virustot...66/information/
185.35.77.250: https://www.virustot...50/information/
94.23.173.233: https://www.virustot...33/information/
94.23.171.198: https://www.virustot...98/information/
87.236.215.151: https://www.virustot...51/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Receipt Request' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Apr 2015 - "'Your Receipt Request' pretending to come from McMaster-Carr <la.sales@ mcmaster .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Hi ,
     I attached the receipts you requested.
    Annette


10 April 2015 : Receipts.doc - Current Virus total detections: 4/57*
This is exactly the same malware as the other office macro malware spreading today WEBHOSTING UK Invoice Payment Confirmation* – word doc or excel xls spreadsheet malware..."
* http://myonlinesecur...dsheet-malware/
 

:ph34r: :ph34r:   <_<




#1438 AplusWebMaster

Posted 11 April 2015 - 03:59 PM

FYI...

VBS Malware tied to Attacks on French TV Station TV5Monde
- http://blog.trendmic...-media-attacks/
Apr 11, 2015 - "... we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India... this malware is available in underground forums and can be used by anyone. This particular malware can be used as a backdoor into the affected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind KJWORM and BLADABINDI are the same. Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM). These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region... The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time), when 11 of their channels went off the air... TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published. It should be noted that the technical background of this attack is not yet clear. However, the -RAT- generator is currently available in several hacker forums and can be used by any threat actor... one does not need a lot of technical skill to use it..."
 

:ph34r: :ph34r:




#1439 AplusWebMaster

Posted 13 April 2015 - 08:55 AM

FYI...

Fake 'tax return' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Apr 2015 - "'Your tax return was incorrectly filled out' pretending to come from user <chak.noris@ tax .gov> with a zip attachment is another one from the current bot runs... The email looks like:

    Attention: Owner/ Manager
     We would like to inform you that you have made mistakes while completing
    the last tax form application (ID: 0054206036751) .
    Please follow the advice of our tax specialists:
    http ://clinicaasera .org/FAX.MESSAGE-DATA-STORAGE/incoming-new_message.html
    Please amend the mistakes and send the corrected tax return to your tax
    agent as soon as possible.
    Yours sincerely


13 April 2015: new-message.zip: Extracts to: new-message.exe
Current Virus total detections: 2/57* . This 'Your tax return was incorrectly filled out' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428931605/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
5.141.22.43: https://www.virustot...43/information/
217.160.235.239: https://www.virustot...39/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

Fake 'inTuit Payroll' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Apr 2015 - "'Payroll Received by Intuit' pretending to come from Intuit Payroll Services <IntuitPayrollServices@ payrollservices .intuit .com> with a zip attachment is another one from the current bot runs... The email looks like:

    Dear, info
    We received your payroll on April 13, 2015 at 09:06 AM EST.
    Attached is a copy of your Remittance. Please click on the attachment in order to view it.
    Please note the deadlines and status instructions below:
    If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the date received or on your paycheck date, whichever is later.
    If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking days from the date received or on your paycheck date, whichever is later.
    YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
    Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
    Intuit must receive your payroll by 5 p.m., two banking days before your paycheck date or your employees will not be paid on time.
    Intuit does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Sincerely,
    Intuit Payroll Services ...


13 April 2015: payroll_report_08222014.zip: Extracts to: payroll_report_08222014.exe
Current Virus total detections: 6/57* . This 'Payroll Received by Intuit' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428945209/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
27.121.64.159: https://www.virustot...59/information/
5.141.22.43: https://www.virustot...43/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Another '419' Spam/Scam
- https://blog.malware...vault-419-spam/
Apr 13, 2015 - "Every now and then a 419 scammer dredges up an old scam mail, gives it a bit of spit and polish then sends it back out into the wild. The “International Reconciliation and Logistics Vault” has been a subject for 419 attempts* for a number of years now, though the typical format of these missives tends to be more like this one. Indeed, here it comes again:
> https://blog.malware...gisticsspam.jpg
... Should you receive this one, feel free to send it right to the trash..."
* https://en.wikipedia.../wiki/419_scams
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 13 April 2015 - 06:12 PM.



#1440 AplusWebMaster

Posted 14 April 2015 - 03:21 AM

FYI...

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....ren-varker.html
15 Apr 2015 - "This fake invoice has a malicious attachment:

    From: Kairen Varker [mailto:kvarker@ notifications .kashflow .com] On Behalf Of Kairen Varker
    Sent: Tuesday, April 14, 2015 9:26 AM
    Subject: Invoice from
    I have made the changes need and the site is now mobile ready . Invoice is attached


In this case the attachment is called Invoice-83230.xls which is currently undetected* by AV vendors. It contains this malicious macro... which downloads a component from the following location (although there are probably more than this):
http ://925balibeads .com/94/053.exe
This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57**. Automated analysis tools... show the malware phoning home to:
78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, Russia)
89.28.83.228 (StarNet SRL, Moldova)
The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57***.
Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228

MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995 "
* https://www.virustot...sis/1428998998/

** https://www.virustot...sis/1428998395/

*** https://www.virustot...sis/1428999812/

- http://myonlinesecur...dsheet-malware/
14 Apr 2015
> https://www.virustot...sis/1428997086/
___

Fake 'Account reconcilation' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
14 Apr 2015 - "'Account reconcilation statement' from [random company] [random characters] – coming  from random names and email addresses with a zip file attachment that extracts to a malicious word doc and an image of a sales chart is another one from the current bot runs...

Screenshot: http://myonlinesecur...om_version1.png

... Where you can see the name of the alleged sender matches the name in the body of the email and the random characters in the subject match the attachment zip name. Once you extract the content of the zip you get a folder on the computer that is simply named as a number  2 or 8 or 9 etc. opening the folder gives you a malicious word doc and an image of a sales chart like one of these, that are intended to help convince you of the genuine nature of the word doc and entice you to open it and get infected:
> http://myonlinesecur...tion-images.jpg
...
> http://myonlinesecur...isual-graph.jpg
...
> http://myonlinesecur...4/sales-cmp.jpg
... 4 April 2015 : documentation.doc / vs74_stats.doc / cmp static.doc
Current Virus total detections: 0/56* | 0/56** | 0/56***  . So far I have examined 3 different versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429005163/

** https://www.virustot...sis/1429005436/

*** https://www.virustot...sis/1429005436/
___

Fake 'HM Revenue' SPAM - doc/xls malware
- http://myonlinesecur...ke-pdf-malware/
14 Apr 2015 - "'CIS Online submission received by HM Revenue and Customs' pretending to come from helpdesk@ ir-efile .gov .uk with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...and-Customs.png

14 April 2015: Returns_Report.zip: Extracts to:  Returns_Report.exe
Current Virus total detections: 5/57* . This 'CIS Online submission received by HM Revenue and Customs' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...."
* https://www.virustot...sis/1429017381/
___

Fake 'Credit Release' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Apr 2015 - "'RE: Credit Release Request' pretending to come from Bank <tim.redmon@ hsbc .com> ( random names @ hsbc .com) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ase-Request.png

14 April 2015: banP_.zip: Extracts to:   banк.exe
Current Virus total detections: 6/57* . This RE: Credit Release Request is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429017978/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustot...24/information/
90.84.60.97: https://www.virustot...97/information/
5.141.22.43: https://www.virustot...43/information/
___

Fake 'Auto Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
14 Apr 2015 - "'INVOICE BI653133' pretending to come from websales(random number)@autonetplus .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Account: 1164
    From: DORSET AUTO SPARES BLANDFORD
    The following are attached to this email:
    IBI653133.XLS


14 April 2015 : IBI653133.XLS
Current Virus total detections: 0/56* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429017301/
___

CoinVault ransomware: Retrieve data without paying the criminals
- http://net-security....ews.php?id=3017
14.04.2015 - "Victims of the CoinVault ransomware have a chance to retrieve their data -without- having to pay the criminals, thanks to a repository of decryption keys and a -decryption- application made available online by Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Netherlands’ police:
> https://noransom.kaspersky.com/
CoinVault ransomware has been around for a while, encrypting victims’ files and demanding Bitcoins to unlock them. In order to help victims recover from an attack, the NHTCU and the Netherlands’ National Prosecutors Office obtained a database from a CoinVault command & control server. This server contained Initialization Vectors (IVs), Keys and private Bitcoin wallets and helped to create the special repository of decryption keys. As the investigation is ongoing, new keys will be added when available. “We have uploaded a huge number of keys onto the site. If we do not currently have records for a particular Bitcoin wallet, you can check again in the near future, because together with the National High Tech Crime Unit of the Netherlands’ police we are continuously updating the information,” - says Jornt van der Wiel, Security Researcher at Kaspersky Lab. CoinVault has infected more than 1,000 Windows-based machines in over 20 countries, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Victims have also been registered in Belgium, Austria, Switzerland, Norway, Sweden, Luxemburg, Denmark, Slovakia, Slovenia, Spain, Italy, Hungary, Ireland, Croatia, Russia, Canada, Israel, the United Arab Emirates, China, Indonesia, Thailand, South Africa, Australia, New Zealand, Panama, the Dominican Republic, and Mexico."
___

Fake 'USPS' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Apr 2015 - "'USPS – Fail to deliver your package' pretending to come from USPS <no-reply@ usps .gov> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...our-package.png

14 April 2015: USPS2335999.zip: Extracts to: USPS04142015.scr
Current Virus total detections: 7/55* . This 'USPS – Fail to deliver your package' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429034017/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustot...24/information/
90.84.60.64: https://www.virustot...64/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
 

:ph34r:  <_<


Edited by AplusWebMaster, 14 April 2015 - 01:36 PM.

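The Dynamoo post quoted in this reply ends with a "Recommended blocklist" of the hosts the Dridex dropper phones home to. As an added example (not the blog's or the forum's own code) of how to actually use such a list, the script below loads those ten addresses as networks (so CIDR ranges can be mixed in later) and runs them over outbound-connection log lines, reporting per host which destinations were hit. The log format (`ts host=... dst=ip:port proto=...`) and the log lines are constructed for this example and do not follow any particular product's syntax; the blocklist entries are exactly the ones listed in the post.

```python
"""Match outbound-connection log lines against the Dridex blocklist quoted
from the Dynamoo post above.

Added example, not the blog's or the forum's own code.  The log format
(ts host=... dst=ip:port proto=...) and the log lines are constructed for
this example; the blocklist entries are the ones listed in the post.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# "Recommended blocklist" from the Dynamoo post quoted above (14 Apr 2015).
DRIDEX_BLOCKLIST = [
    "78.24.218.186", "184.25.56.188", "176.67.160.187", "87.236.215.151",
    "154.69.104.137", "107.191.46.222", "94.23.171.198", "74.119.194.18",
    "37.140.199.100", "89.28.83.228",
]

# Constructed log format: an assumed firewall export, not any real product's syntax.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>[0-9.]+):(?P<port>\d+)\s+proto=(?P<proto>\w+)"
)

Hit = Tuple[str, str, int]  # (timestamp, destination ip, port)


def build_blocklist(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Accept plain IPs or CIDR ranges; a bare IP becomes a /32 network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_log_lines(lines: Iterable[str], networks) -> Dict[str, List[Hit]]:
    """Return {host: [hits]} for every line whose destination is blocklisted."""
    hits: Dict[str, List[Hit]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line, skip rather than crash
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # digits and dots that are not a valid address
        if any(dst in net for net in networks):
            hits[m["host"]].append((m["ts"], str(dst), int(m["port"])))
    return dict(hits)


# Constructed sample lines; 8.8.8.8 and 10.0.0.5 stand in for benign traffic,
# 37.140.199.50 is a neighbour of a listed host and must NOT match a /32 list.
SAMPLE_LOG = [
    "2015-04-14T09:31:02Z host=ws-17 dst=78.24.218.186:8080 proto=tcp action=allow",
    "2015-04-14T09:31:05Z host=ws-17 dst=8.8.8.8:53 proto=udp action=allow",
    "2015-04-14T09:33:40Z host=ws-22 dst=37.140.199.100:443 proto=tcp action=allow",
    "2015-04-14T09:33:41Z host=ws-22 dst=37.140.199.50:443 proto=tcp action=allow",
    "2015-04-14T09:35:00Z host=ws-09 dst=10.0.0.5:445 proto=tcp action=allow",
    "garbage line that does not parse",
]


def report(lines: Iterable[str] = SAMPLE_LOG) -> Dict[str, List[Hit]]:
    """Run the quoted blocklist over a set of lines; used by the demo and the tests."""
    return match_log_lines(lines, build_blocklist(DRIDEX_BLOCKLIST))


if __name__ == "__main__":
    for host, events in report().items():
        for ts, ip, port in events:
            print(f"{ts} {host} -> {ip}:{port}  BLOCKLISTED")
```

Using `ipaddress` networks rather than string comparison means the same function takes a widened entry such as a /24 when a hoster's whole range is to be blocked, and the per-host grouping gives the starting point for triage: the hosts that appear in the output are the ones whose users opened the attachment.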
