2072 replies to this topic

[AplusWebMaster]

FYI...

Fake 'Invoice' SPAM - doc/xls malware
- http://blog.dynamoo....ving-water.html
15 Apr 2015 - "This -fake- invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.

    From: Natalie [mailto:accounts@living-water.co.uk]
    Sent: Wednesday, April 15, 2015 9:43 AM
    Subject: Invoice from Living Water
    Dear Customer  :
    Your invoice is attached.  Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Living Water
    0203 139 9051

In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55*. This contains a malicious macro... which downloads a file from the following location:
http ://adlitipcenaze .com/353/654.exe
There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currently has a detection rate of 6/57**. Automated analysis tools... show attempted connections to the following IPs:
89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)
According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57***.
Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100
MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328
* https://www.virustot...sis/1429086775/

** https://www.virustot...sis/1429086792/

*** https://www.virustot...sis/1429088210/


- http://myonlinesecur...dsheet-malware/
15 Apr 2015
> https://www.virustot...sis/1429086260/
___

Fake 'info' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Apr 2015 - "'RE: info' pretending to come from user <michael@ mwrk .co .za> with a zip attachment is another one from the current bot runs...The email looks like:

    Always choose a reliable partner.
    We are those who can offer the best financial proposal to you.
    We can find the best solution to solve your specific problem.
    Details see the attachment.

15 April 2015: New doc(43).zip : Extracts to: partner.exe
Current Virus total detections: 2/57* . This 'RE: info' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429093267/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustot...24/information/
88.221.15.80: https://www.virustot...80/information/
5.141.22.43: https://www.virustot...43/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
 

 

Edited by AplusWebMaster, 15 April 2015 - 10:02 AM.

[AplusWebMaster]

FYI...

Fake 'Receipt' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Apr 2015 - "'RECEIPT' pretending to come from  Carmen Rodriguez <crodriguez@ hswcorp .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Thank you for your business.
     Carmen Rodriguez
    Administrative Assistant

16 April 2015 : 58173841.doc | Current Virus total detections: 3/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustot...sis/1429173650/
___

Fake ACH SPAM - Malware
- http://blog.dynamoo....tification.html
16, Apr 2015 - "This -fake- ACH spam leads to malware:
    From:    aileen.alberts@ [redacted]
    Date:    16 April 2015 at 15:55
    Subject:    Decisive notification about your Automated Clearing House payment
    The Automated Clearing House transaction transfer, recently initiated from your company"s online bank account, has been rejected by the EPA.
    Rejected ACH payment
    Automated Clearing House transfer Case #     L669461617
    Transaction Total     27504.02 US Dollars
    Email     [redacted]
    Reason of Termination     Download full details
    Please visit the link provided at the top to see more information about this problem.

The link in the email goes to a download location at dropbox .com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro... it is rather different from other offerings. From what I can tell, it downloads an encrypted file... from:
sundsvallsrk .nu/tmp/1623782.txt -or-
hpg .se/tmp/1623782.txt
And some sort of executable from Dropbox with a detection rate of 3/57*. Automated analysis tools are inconclusive at the moment... although the Payload Security report[1] does show several dropped files including two malicious scripts... Of note is that one of the scripts downloads what looks like a PNG from:
savepic .su/5540444.png
For now, I would recommend blocking traffic to
sundsvallsrk .nu
hpg .se
savepic .su "

1] https://www.hybrid-a...environmentId=2

* https://www.virustot...sis/1429197445/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'IRS tax refund' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Apr 2015 - "'Payment confirmation for tax refund request # 3098-2344342' pretending to come from Internal Revenue Service <office@ irs .gov> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...und-request.png
"... Payment method : Wire transfer..."

16 April 2015 : confimation_3098-2344342.doc - Current Virus total detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429207628/

- http://www.irs.gov/t...pics/tc152.html
"There are -three- options for receiving your federal individual income tax refund:
- The fastest way is by direct deposit (electronic funds transfer) into your checking or savings account, including an individual retirement arrangement (IRA);
- By purchase of U.S. Series I Savings Bonds; or
- By paper check sent to the address listed on your return..."
... 'Wire Transfer' is -not- an option.
___

SCAM lures Facebook Users with “Hot Video”, Drops Trojan
- https://blog.malware...o-drops-trojan/
Apr 16, 2015 - "... as more and more users are creating, sharing, and viewing videos on Facebook now more than ever, we can also expect online criminals to jump in on the bandwagon and attempt to get some of the attention, too... if you see an interesting post on your feed carrying a link to a supposed video that, once visited looks similar to the screenshot below, know that you’re no longer on Facebook but on an imitation page located at http ://storage [dot]googleapis[dot]com/yvideos/video2[dot]html:
> https://blog.malware.../fake-fb-yt.png
The individual or group behind this scam has abused Google’s free online file storage service to house the HTML page that has mimicked Facebook’s interface. This method has been a long-time practice of phishers who use free such services like Dropbox and Google Drive in their campaigns. Once you hit the Play button, an error message appears on top, saying that Flash Player is required to view the video. A file named youtube.scr is downloaded instead:
> https://blog.malware...ke-fb-yt-dl.png
... This file lacks the sophistication to detect virtual environments, so one can easily test it against any free, online sandbox—in this case, I used this one from Payload Security — to see how badly it behaves on a system once executed. Malwarebytes Anti-Malware (MBAM) detects* youtube.scr as Trojan.Ransom.AHK."
* https://www.virustot...sis/1429127928/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Business Support Giveaway - 419 Scam
- https://blog.malware...eaway-419-scam/
Apr 15 - "... we can’t get too excited, because it’s just a fresh run of a 419 scam which has been in circulation in similar forms for about a year or two:
> https://blog.malware...04/unfound1.jpg
... Not the most watertight of scams when your gameplan is effectively “We’re all about solving global problems and saving the world in times of disaster...” Of course, most recipients probably don’t own a bank or a gold-plated yacht and may well throw reason out the window in favour of hitting the -reply- button. As with all mails of this type, the only thing you’re going to get is some identity fraud, financial loss and the possibility of turning yourself into a money mule. It certainly isn’t worth responding to the senders, so feel free to -delete- it and advise any recipients you know to do the same thing. This is one piece of business support you can definitely do without."
 

Edited by AplusWebMaster, 16 April 2015 - 02:39 PM.

[AplusWebMaster]

FYI...

 

Fake 'Credit Card Statement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 Apr 2015 - "'Credit Card Statement' pretending to come from Julie Mckenzie <julie38@ swift-cut .co .uk> ( random numbers after Julie) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...d-Statement.png

17 April 2015 : C Swift Credit Card.doc - Current Virus total detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429265218/

- http://blog.dynamoo....e-mckenzie.html
17 Apr 2015
"... Attached is a file C Swift Credit Card.doc which comes in at least -four- different versions, all of which are malicious and all of which have a macro... These macros download a file from one of the following locations:
http ://oolagives .com/24/733.exe
http ://derekthedp .com/24/733.exe
http ://sempersleep .com/24/733.exe
This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54* (identified clearly as a Dridex component). Automated analysis... shows that it attempts to communicate with:
46.36.219.32 (FastVPS, Estonia)
I recommend that you -block- traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53**."
* https://www.virustot...sis/1429294915/
... Behavioural information
TCP connections
46.36.219.32: https://www.virustot...32/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

** https://www.virustot...sis/1429295949/
___

Fake 'Conference' SCAM
- http://blog.dynamoo....ays-summit.html
17 Apr 2015 - "This spam email forms part of a Conference Scam*:
* http://www.theatlant...r-visas/280445/

    From:    United Nations Summit [no_replytoold@ live .com]
    Reply-To:    unitednation .unt@gmail .com
    Date:    16 April 2015 at 17:59
    Subject:    Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),
    Dear Invitee, Nonprofit/NGO Colleague,
    UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.
    Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.
    The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel...

...  Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." There is -no- hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel.. and will then -vanish- with your money. There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a -fake- hotel website to make the scam more credible.
Avoid."
___

Flash EK strikes again via Google’s DoubleClick
- https://blog.malware...es-doubleclick/
Apr 16, 2015 - "A few days ago, we blogged about a -malvertising- attack on the HuffingtonPost website* via a major ad network which took advantage of a vulnerability in Flash Player... another major attack was also being carried on around the same time, most likely by the same gang. Working with ClarityAd, we quickly confirmed the malicious activity around 04/11 which showed a well-known ad network (merchenta) with direct ties to Google’s DoubleClick being caught in a large malvertising incident. The latest malvertising attack was carried through merchenta, a company that provides a platform for ad exchange and direct integrations with top publishers. They boast a 28 -billion- monthly impressions for the US alone and work directly with top tier ad networks such as Google’s DoubleClick. The criminals posed as an advertiser, infiltrated the platform via a third party and managed to house a malicious advert directly on merchanta’s ad platform which was fed into Google’s DoubleClick channels. Within minutes, the booby trapped ad had a 95% reach in USA, Europe & UK exposing a huge number of people worldwide:
> https://blog.malware...4/merchenta.png
Although DoubleClick is 'not directly responsible' for loading the malicious ad, it starts the chain of trust with the publisher, which unfortunately has little control over the subsequent transactions taking place:
> https://blog.malware.../04/newflow.png
... this malicious SWF had -zero- detection on VirusTotal** when it was first submitted... All ad networks have been informed, but the attack did last for a few days most likely infecting a significant number of people. This latest example is yet another reminder of one of the big weaknesses with online advertising. Ad networks rely on third parties and the chain of trust can easily be broken when -one- rogue actor joins in... These crooks essentially pose as working for a fortune 500 company and submit a clean advert. The ad network is very interested because that will be a big customer and so they make sure to accommodate the client as much as they can. The advert still goes through quality assurance and security tests before finally getting ready for prime time. Right before that happens, the rogue advertiser sends a new version of the ad (with only a minor change they claim) and the ad network, not wanting to lose a client, skips the checks that were already done. It turns out that the new version of the ad is malicious and yet has -full- clearance to be displayed via major networks. This is just one of the many tricks rogue advertisers will use to insert themselves in the chain..."
* https://blog.malware...all-ransomware/
Apr 13, 2015

** https://www.virustot...sis/1429069586/
File name: merchenta-flash-malware.swf
Detection ratio: 0/57
 

  

Edited by AplusWebMaster, 17 April 2015 - 09:08 PM.

[AplusWebMaster]

FYI...

Fake 'Pending payment' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
20 Apr 2015 - "'Pending payment' pretending to come from Hector Malvido <handyman1181@ hotmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ing-payment.png

20 April 2015 : filename-1.doc - Current Virus total detections: 2/57* | 3/50**
... So far I have seen 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429523984/

** https://www.virustot...sis/1429523284/

- http://blog.dynamoo....or-malvido.html
20 Apr 2015
"...  filename-1.doc (3/57* detection by AV vendors)...
...  %TEMP%\grant8i.exe - VirusTotal detection rate of 5/57**
... Dridex DLL with a 3/57*** detection rate...
Recommended blocklist:
89.28.83.228
MD5s:
673626be5ea81360f526a378355e3431
7ca6884ad8900797c7f0efaaabe0c0da
8c0661aefa9aa25d8fddf2a95297e04e "
* https://www.virustot...sis/1429525562/

** https://www.virustot...sis/1429525576/

*** https://www.virustot...sis/1429526728/
___

Fake 'HSBC credit card' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Apr 2015 - "'HSBC credit card balance – new credit terms' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Dear client,
    We are pleased to inform you that our bank is ready to offer you a bank
    loan. We would like to ask you to open the Attachment to this letter and
    read the terms.
     HSBC ...

These all have random attachment names. The name of the pretend sender matches the attachment zip name. Some I have seen are:
    mark.zip
    info.zip
    john.shank.zip
These extract to names like monkey.exe had.exe blya.exe fable.exe
20 April 2015: random zip name : Extracts to: random file name
Current Virus total detections: 3/55* | 3/55** | 3/55*** . This 'HSBC credit card balance – new credit terms' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429531817/

** https://www.virustot...sis/1429531906/

*** https://www.virustot...sis/1429531906/
___

UPS Spam
- http://threattrack.t...231653/ups-spam
Apr 20, 2015 - "Subjects Seen
    Status update for tracking# 25768265
Typical e-mail details:
    Dear customer,
    Unfortunately we were not able to deliver the package sent to you on 29 Nov 2014 because your delivery address does not exist.
    Please download and print out the following shipping invoice and collect your package at the nearest UPS office :
    wwwapps .ups. com/WebTracking/track.aspx?trk=25768265&action=download_pdf_invoice
    Thank you for choosing UPS 

Malicious URLs
    baloomedia .com/wp-content/plugins/cached_data/label_0420.zip
Malicious File Name and MD5:
    label_420.pif (ed9b821c16763450cc8e807528030bc4)

Tagged: UPS, Dyreza

176.126.200.42: https://www.virustot...42/information/
___

Fiesta EK spreads Crypto-Ransomware ...
- http://blog.trendmic...ho-is-affected/
Apr 20 2015 - "... no great surprise to see the Fiesta exploit kit being used to deliver crypto-ransomware. The choice of exploits delivered is broadly in line with other exploit kits. Flash, Internet Explorer, Adobe Reader/Acrobat, and Silverlight are all targeted:
Exploits used by Fiesta:
> https://blog.trendmi...sta-crypto9.png
... after March 19, we noticed a -change- in the malware payloads delivered to victims. Before that date, crypto-ransomware was being delivered to end users. Aside from encrypting the user’s files, this particular variant terminates some running processes (Process Explorer, Task Manager, the Command Prompt, Regedit, and Msconfig) so that it cannot be terminated by the user easily:
Screenshot of crypto-ransomware:
> https://blog.trendmi...sta-crypto2.png
After March 19, Fiesta served up a threat best known from previous years: fake antivirus. Again, it disables some common system tools such as Task Manager, Process Explorer, and Internet Explorer, so that this -fake- antivirus cannot be easily shut down. It’s not clear why the attackers chose to return to this older kind of threat:
Screenshot of fake antivirus:
> https://blog.trendmi...sta-crypto3.png
... Best practices: The first step to -defend- against these attacks is: keep software up-to-date. By removing the vulnerabilities that an exploit kit targets, users can prevent themselves from becoming the next victims of these attacks..."
 

  

Edited by AplusWebMaster, 20 April 2015 - 12:36 PM.

[AplusWebMaster]

FYI...

Fake 'E-Ticket' SPAM – javascript malware
- http://myonlinesecur...script-malware/
21 Apr 2015 - "'E-Ticket 7694892' pretending to come from E-Ticket <online@ ticket .com> with a link to a zip attachment is another one from the current bot runs... The email looks like:

    This is your e-ticket receipt.
    SEAT / 30A/ZONE 3
    DATE / TIME 7 MAY, 2014, 09:19 AM
    ARRIVING / Tulsa
    ST / OK
    REF / KE.7818 BAG / 4PC
    TOTAL PRICE / 438.16 USD
    FORM OF PAYMENT / CC
    Download E-Ticket 7694892
    Yours sincerely,
    American Airlines E-Ticket services.

21 April 2015: E-Ticket 7694892.zip: Extracts to: E-Ticket 7694892.js
Current Virus total detections: 9/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429584330/
___

Fake 'invoice' SPAM - malicious doc attachment
- http://blog.dynamoo....ce-i413136.html
21 Apr 2015 - "This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
    From: Lichelle Ebner [mailto:Lichelle5938@ lagrinding .co .uk]
    Sent: Tuesday, April 21, 2015 9:55 AM
    Subject: LAG invoice I413136
    Dear Accounts Payable,
    Attached is a copy of invoice  I413136 .The items were shipped.  Please feel free to contact me if you have any questions or cannot read the attachment.
   Thank you for your business.
    Sincerely,
    Lichelle Ebner
    L. A. Grinding Company
    Ph. (818) 846-9134
    FAX (818)846-1786

So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57* and which contains this malicious macro... in turn this downloads a component from:
http ://eternitymobiles .com/25/144.exe
..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56**. Automated analysis tools... show that it attempts to communicate with a familiar IP:
89.28.83.228 (StarNet SLR, Moldova)
According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56***.
Recommended blocklist:
89.28.83.228 ..."
* https://www.virustot...sis/1429609465/

** https://www.virustot...sis/1429609471/

*** https://www.virustot...sis/1429610872/
___

Fake 'Admin Exchange' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Apr 2015 - "'Administrator – Exchange Email id3405629' pretending to come from Administrator@ no-reply <Administrator@ your domain > with a zip attachment is another one from the current bot runs... The email looks like:

    no-reply,
    This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.  
    To open the attachment (Exchange_id3405629.zip) please use the following password: Ujh6JZ2mHN
    Thank you,
    Administrator

Note: the address it pretends to come from will be your own email domain and the link in the email will appear to be your own web site or domain.
21 April 2015: Exchange_id3405629.zip: Extracts to: Exchange.exe
Current Virus total detections: 1/54*  NOTE: we are also seeing the same malware payload coming in as a -fake- fax, and with the subject of Internal ONLY . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429610427/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustot...44/information/

- http://threattrack.t...inistrator-spam
Apr 21, 2015
Tagged: Exchange, Dyreza
___

Fake 'new my info' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Apr 2015 - "'new my info' pretending to come from random names and email addresses with a zip attachment that is named after the alleged sender is another one from the current bot runs... The email looks like:

    Hello! I have found some interesting information that you might need!
    Check out the attached file!
     Bicicletes Nadal Oliver, S.L.
    Passeig Ferrocarril, 61
    07500 Manacor (Mallorca)
    Illes Balears
    Tel.971-843358 ...

21 April 2015: warehouseop02.zip: Extracts to:  Alla.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429618876/
___

Dridex re-directing to Malicious Dropbox hosted file via Google
- https://isc.sans.edu...l?storyid=19609
2015-04-21 - "... this malware may use Google Analytics to count how many people opened the file, but I haven't confirmed that. Google -redirects- are however used to obscure the destination... Google will show a note that the user was redirected, but the file will download right away. It will not open, and the user will have to open it to enable the Macro to execute (DON'T)... Word document... example I received:
> https://isc.sans.edu... 8_26_43 AM.png
... Virustotal only shows 4 "hits" out of 57* AV tools tested for this binary:
(More detail at the ISC URL above.)
*  https://www.virustot...sis/1429631351/
File name: ACH transaction0336.doc
 

 

Edited by AplusWebMaster, 21 April 2015 - 03:22 PM.

[AplusWebMaster]

FYI...

Fake 'voice message' SPAM – fake wav malware
- http://myonlinesecur...ke-wav-malware/
22 Apr 2015 - "New voice message in mailbox' pretending to come from Voipfone Voicemail <voicemail@ voipfone .co .uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-in-mailbox.png

22 April 2015: WAV0004291.wav.zip: Extracts to: WAV0004291.wav.exe
Current Virus total detections: 3/52* . This 'New voice message in mailbox' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429691927/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
22 Apr 2015 - "'New Invoice ID:SI19779D' from [random company] pretending to come from [random name] using random names at random email addresses with a link to a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nwave_email.png

Note: I received this as a bounced return to thespykiller. I can categorically state that it was never sent from thespykiller domain. The bad guys -spoof- email addresses to pretend to send from all the time. 99.9% of the time the alleged sending domain has -never- been hacked and they just pretend to send from that domain. I have since received several different versions from loads of random companies. The invoice number is also random is all cases.
22 April 2015 : SI19779D.docm - Current Virus total detections: 0/55*
So far I am only seeing 1 version of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429707780/
___

HSBC Payment Advice Spam
- http://threattrack.t...ent-advice-spam
Apr 22, 2015 - "Subjects Seen:
    Payment Advice - Advice Ref:[GB007112] / CHAPS credits
Typical e-mail details:
    Sir/Madam,
    Please download document from server, payment advice is issued at the request of our customer. The advice is for your reference only.
    Download link:
    bilbaopisos .es/HSBC_BANK-DATA/new_secure.html
    Yours faithfully,
    Global Payments and Cash Management
    HSBC

Malicious URLs
    bilbaopisos .es/HSBC_BANK-DATA/new_secure.html
Malicious File Name and MD5:
    new_secure_payment.exe (c290126e419ff58678c3e490d89d7343)

Screenshot: https://41.media.tum...1r6pupn_500.png

Tagged: HSBC, Upatre

bilbaopisos .es: 216.119.143.194: https://www.virustot...94/information/

- http://blog.mxlab.eu...ous-javascript/
Apr 23, 2015
wadv.com .br: 54.191.242.215: https://www.virustot...15/information/

> https://www.virustot...9ac0b/analysis/
___

Fake 'New document' SPAM - malware
- http://blog.dynamoo....ument-with.html
22 Apr 2015 - "I have only seen one sample of this -spam- so far, it is likely that other variants use different company names:
    From:    Tamika Cortez
    Date:    22 April 2015 at 14:33
    Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated
    New report with ID:G27427P was generated by our system. Please follow the link below to get your report.
    Download report ID:G27427P
    Best regards ,Tamika Cortez
    RESTAURANT GROUP PLC

In this case, the link in the email goes to: http ://igruv.tourstogo .us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC
..which includes the -victim's- email address in the URL. In turn, this -redirects- to:
http ://igruv.tourstogo .us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs  
As the name suggests, this is a VBScript (VT 1/56*), in this case it is lightly obfuscated... and it initiates a download from:
http ://185.91.175.183/ sas/evzxce.exe
..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57**. Automated analysis tools... show network connections to the following IPs:
144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)
...  it drops a Dridex DLL with a detection rate of 3/57***.
Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18 ..."
* https://www.virustot...sis/1429710473/

** https://www.virustot...sis/1429710529/

*** https://www.virustot...sis/1429711770/
___

IRS Spam
- http://threattrack.t...679123/irs-spam
Apr 21, 2015 - "Subjects Seen
    Your FED TAX payment (ID:X3ZIRS507273813) was Rejected
Typical e-mail details:
    *** PLEASE DO NOT RESPOND TO THIS EMAIL ***
    Your federal Tax payment (ID: X3ZIRS507273813), recently sent from your  checking account was returned by the your financial institution.
    For more information, please download attached notification. (Security Adobe PDF file)
    Transaction Number: X3ZIRS507273813}
    Payment Amount: $ 5478.41
    Transaction status: Rejected                                                  
    ACH Trace Number: 8888888888                
    Transaction Type: ACH Debit Payment-DDA       
    Internal Revenue Service
    Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

Malicious File Name and MD5:
    FEDERAL_tax_notify.exe (344afdc58ad6d110f1b3f8dbdbb86576)

Screenshot: https://40.media.tum...1r6pupn_500.png

Tagged: IRS, Ruckgov
 

  

Edited by AplusWebMaster, 23 April 2015 - 05:01 AM.

[AplusWebMaster]

FYI...

Fake 'Refund on Order' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
23 Apr 2015 - "'Refund on order 204-2374256-3787503' pretending to come from Amazon .co.uk <payments-messages@ amazon .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment  is another one from the current bot runs...

Screenshot: http://myonlinesecur...256-3787503.png

23 April 2015 : 204-2374256-3787503-credit-note.doc - Current Virus total detections: 4/54*
... the malicious macro inside this example downloads myshland .com/42/335.exe which is saved and run as %Temp%\pierre5.exe (Virus Total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429773545/

** https://www.virustot...sis/1429775442/

- http://blog.dynamoo....-order-204.html
23 Apr 2015
... Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70 ..."
___

Fake 'Annual report' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Apr 2015 - "'Annual report' pretending to come from olivia <olivia@ cdc .co.uk> with a zip attachment is another one from the current bot runs...The email looks like:
    Hi,
    Annual report sent to you, maybe yours.
    CDC Consulting
    Algyr le parc
    119 BL de la Bataille de Stalingrad
    69100 Villeurbanne

23 April 2015: Annual report.zip: Extracts to: Luk22.exe
Current Virus total detections: 4/56* . This Annual report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429792521/
... Behavioural information
TCP connections
23.253.254.67: https://www.virustot...67/information/
81.7.109.65: https://www.virustot...65/information/
95.80.123.41: https://www.virustot...41/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/

- http://threattrack.t...ual-report-spam
Apr 23, 2015
Tagged: Annual Report, Upatre, Dyreza
___

eFax Spam
- http://threattrack.t...79183/efax-spam
Apr 23, 2015 - "Subjects Seen:
    You have a new eFax from 977-374-7446 - 4 pages
Typical e-mail details:
    eFax Message [Caller-ID: 977-374-7446]
    You have received a 3 pages fax on Thu, 23 Apr 2015 08:20:40 -0600 .
    You can view your eFax online, in PDF format, by visiting :
    efax .com/documents/view_fax.aspx?utm_source=eFax&fax_type=doc&caller_id=977-374-7446
    * This fax’s reference # is 50184025

Malicious URLs
    91.194.254.239/fax_33663232.pdf.zip
Malicious File Name and MD5:
    pdf_fax_33663232.pif (fe6e9444534f34f735fa94eb7c526207)

Screenshot: https://36.media.tum...1r6pupn_500.png

91.194.254.239: https://www.virustot...39/information/

Tagged: eFax, Dyreza
 

 

Edited by AplusWebMaster, 23 April 2015 - 12:50 PM.

[AplusWebMaster]

FYI...

Fake 'Invoice' SPAM - malicious PDF attachment
- http://myonlinesecur...ox-pdf-malware/
24 Apr 2015 - "'Invoice 519658' pretending to come from Colin Fox <colin@nofss .co .uk> with a PDF attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded -scripts- that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages... this evil pdf when opened in Adobe reader drops a word document containing macros, so DO NOT SAVE OR OPEN THIS PDF FILE: Just -delete- the email and any attachment as soon as it appears in your inbox. There appear to be several different versions of the PDF malware dropper although all are named the same and every copy that I have seen is the same file size (23kb) The malicious Macro inside the dropped word document (VirusTotal*) from one of the malicious PDF downloads and executes -> http ://bepminhchi .com/83/61.exe (virus total**)... Adobe reader in recent versions has 'Protected view' automatically -enabled- and unless you press the button to enable all features, you will be safe from this attack...
> http://myonlinesecur...tected-view.png
If you do enable all features, then you have a second chance to protect yourself, by pressing either cancel or never allow opening files of this type on the pop up warning. Pressing allow WILL almost certainly automatically open the word doc and run the malicious macro so infecting you. Make sure Adobe reader ( or any other PDF reader software) is updated to the -latest- version to protect you. Older versions are vulnerable to these attacks. If using Adobe make sure you -uncheck- any additional offerings of security scans/Google chrome or toolbars that it wants to include in the download:
> http://myonlinesecur...015/04/doc4.png

Screenshot: http://myonlinesecur...oice-519658.png

24 April 2015: Sales Invoice 519658.pdf - Current Virus total detections: 2/57***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429860267/

** https://www.virustot...sis/1429860321/
... Behavioural information
TCP connections
185.12.95.191: https://www.virustot...91/information/
88.221.14.249: https://www.virustot...49/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

*** https://www.virustot...sis/1429858901/

bepminhchi .com: 115.146.126.39: https://www.virustot...39/information/

- http://blog.dynamoo....nnofsscouk.html
24 Apr 2015
... Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228 "
___

Fake 'Western Order' SPAM - malicious attachment
- http://blog.dynamoo....well-nigel.html
24 Apr 2015 - "The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:

Screenshot: https://4.bp.blogspo...-enterprise.png

So far I have only seen one sample Western Order.doc [VT 4/57*] which contains a malicious macro... which is functionally identical to the one used in this spam run** which was also happening this morning."
* https://www.virustot...sis/1429871852/

** http://blog.dynamoo....nnofsscouk.html

- http://myonlinesecur...dsheet-malware/
24 Apr 2015
Screenshot: http://myonlinesecur...stern-Order.png
"... same dridex malware that was dropped by today’s earlier malware run 'Invoice 519658 Colin Fox' – PDF malware*..."
* http://myonlinesecur...ox-pdf-malware/
___

Fake 'invoice for car repairs' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Apr 2015 - "'invoice for car #' random numbers coming from random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    hi,
    The invoice for car repairs.
     Gruss, Claus
     Claus Leykauf
    Galgengasse 14
    91257 Pegnitz
    Germany
    tel.: +49 (0) 9241 724785
    fax: +49 (0) 9241 724786
    mobile: +49 (0) 172 8801123 ...

24 April 2015: ed0j5av43xs04bk #19641661.zip: Extracts to: car-repairs.exe
Current Virus total detections: 0/58* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429872340/
___

Fake 'You win green card' – malware attachment
- http://myonlinesecur...n-card-malware/
24 Apr 2015 - "'You win green card' pretending to come from USA Green > <random email addresses> with a zip attachment is another one from the current bot runs... The email looks like:

    Your requested report is attached here. USA.

24 April 2015: green_card_usa_483273289748923749823798.zip: Extracts to:   green_card_usa_483273289748923749823798.exe
Current Virus total detections: 5/56* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429873777/
___

Fileless Malware ...
- http://blog.trendmic...ed-in-the-wild/
Updated April 22, 2015 - "... It’s no longer enough for malware to rely on dropping copies of themselves to a location specified in the malware code and using persistence tactics like setting up an autostart feature to ensure that they continue to run. Security file scanners can easily block and detect these threats. A tactic we have spotted would be using fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM of being installed in target computer’s hard drive. POWELIKS* is an example of fileless malware that is able to hide its malicious code in the Windows Registry. These use a conventional malware file to add the entries with its malicious code in the registry... Another example of fileless malware is “Phasebot,” which we found being peddled in websites that sell malware and other malicious online tools by the supposed malware creator. We detect Phasebot as TROJ_PHASE.A. Phasebot contains -both- rootkit and fileless execution capabilities. We noticed that this malware had the same features as Solarbot**, an old bot that was first seen in the wild around late 2013. This is made more evident when we compared the sites that sold the two malware(s)... Compared to Solarbot, Phasebot places a distinct emphasis on stealth and evasion mechanisms. It -encrypts- its communications to its C&C server by using random passwords each time it connects to the server. The malware was designed to check if the following programs are installed in the affected system:
.NET Framework Version 3.5
 Windows PowerShell
... Both of these programs are integrated into current versions of Windows. After verifying that the affected system have these programs, Phasebot creates the following registry key where the encrypted shell code will be written:
 HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}
... Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims. (And not coincidentally, the targeted .NET framework version 3.5 is also found in Windows 7 and higher)... It’s highly possible that they will not limit themselves to simply using the Windows registry to hide their malware... The emergence of fileless malware can be a serious threat to users who are not familiar with this type of infection. Users are often advised to look for suspicious files or folders, but -not- in places like the Windows registry, which is used for fileless infection... Because fileless malware are hard to detect, they’re also difficult to remove. Much like rootkits, the location of the malware makes detection and deletion more difficult than the typical malware infection..."
* https://www.trendmic...TROJ_POWELIKS.A

** http://www.infosecur...jans-share-dna/
 

 

Edited by AplusWebMaster, 24 April 2015 - 01:44 PM.

[AplusWebMaster]

FYI...

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....om-invoice.html
27 Apr 2015 - "This fake invoice email does -not- come from Booking .com but is a simple forgery with a malicious attachment.
    From:    invoice@ booking .com
    Date:    27 April 2015 at 08:55
    Subject:    [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015
    Dear customer,
    Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.
    If you have any questions, please contact our Credit Control Department at telephone number
    +44 (0)208 612 8210 (e-mail:  ).
    Thank you for working with Booking .com.

The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57*. This contains a malicious macro... which downloads a component from the following location:
http ://voipconcerns .com/62/927.exe
There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show an attempted network connection to:
185.12.95.191 (RuWeb CJSC, Russia)
According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57***..."
* https://www.virustot...sis/1430122282/

** https://www.virustot...sis/1430122455/

*** https://www.virustot...sis/1430123480/

185.12.95.191: https://www.virustot...91/information/

voipconcerns .com: 174.37.237.228: https://www.virustot...28/information/

- http://myonlinesecur...dsheet-malware/
27 April 2015 - " invoice-1501383360.doc - Current Virus total detections: 3/56*
... which connects to and downloads tom-lebaric .com/62/927.exe which is saved as %Temp%\zigma2.4.exe and automatically run ( VirusTotal*)..."
* https://www.virustot...sis/1430121196/

tom-lebaric .com: 176.223.208.22: https://www.virustot...22/information/
___

Fake 'Hello' SPAM - malware attached
- http://myonlinesecur...ke-pdf-malware/
27 Apr 2015 - "An email saying 'Hello! Can you please check the Attachment that I have sent? I need your help' with the subject of 'HI your name@ your domain' coming from random email addresses with  a zip attachment is another one from the current bot runs...The email looks like:

    Hello! Can you please check the Attachment that I have sent? I need your help.
    Thanks
    Rob Robichaud
    Hub City Auto Paints and Supplies Ltd.
    A Division of Autochoice Parts & Paints
    CSR
    153 Loftus St
    Moncton, NB ...

Each email has a random named attachment that is named after your email address. All extract to different named files with different #
27 April 2015: derek- #52256657.zip: Extracts to: LOG.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430135783/
... Behavioural information
TCP connections
176.106.122.31: https://www.virustot...31/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/
___

Fake 'Your account #513457796162 has been blocked' SPAM – malware attachment
- http://myonlinesecur...locked-malware/
27 April 2015 - "'Your account #513457796162 has been blocked' pretending to come from Pauletta Stile with a zip attachment is another one from the current bot runs... The email looks like:

    Your account #513457796162 was blocked for violation of our TOS.
    Please see attached.
    Pauletta Stile
    Langenbacherstr. 25 57586 Weitefeld
    GERMANY
    +49 2743 80 70
    Weitefeld
    +49 2743 00 03 56

I have only received 1 copy of this malware so far. The last time a similar one was spammed out, we saw them coming form random email addresses with random subject numbers and attachment numbers.
27 April 2015: 513457796162.zip: Extracts to: 513457796162.scr
Current Virus total detections: 1/31*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an Excel spreadsheet instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430140877/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustot...44/information/

- http://threattrack.t...nt-blocked-spam
April 27, 2015
Tagged: Account Blocked, dalexis
___

Incoming Fax Spam
- http://threattrack.t...coming-fax-spam
Apr 27, 2015 - "Subjects Seen
    Incoming Fax
Typical e-mail details:
    INCOMING FAX REPORT
    *********************************************************
    Date/Time: Mon, 27 Apr 2015 08:08:50 -0800
    Speed: 4985bps
    Connection time: 05:08
    Pages: 5
    Resolution: Normal
    Remote ID: 638-493-5566
    Line number: 9
    DTMF/DID:
    Description: Internal only
    To download / view please download attached file
    *********************************************************

Malicious File Name and MD5:
    IncomingFax.exe (784f8d6818cd23dd18c8f059a6b5d3d5)

Screenshot: https://40.media.tum...1r6pupn_500.png

Tagged: Fax, Dyreza
___

Fake 'Invoice 215042210' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 Apr 2015 - "'Invoice 215042210 from FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.' pretending to come from “FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.” <replyTo@ quickbooks .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Dear Customer :
    Your invoice is attached. Please remit payment at your earliest
    convenience.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.

27 April 2015 : Inv_215042210_from_FRONT_RANGE_WHOLESALE_RESTAURANT_SUPPLIES_INC._5316.doc
Current Virus total detections: 2/57* which connects to and downloads 91.194.254.240 /us274/file.exe which in turn is saved as %Temp%\rramcgaq.exe and automatically runs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430143720/

91.194.254.240: https://www.virustot...40/information/
 

 

Edited by AplusWebMaster, 27 April 2015 - 03:05 PM.

[AplusWebMaster]

FYI...

Fake 'Privacy Policy' SPAM – malware
- http://myonlinesecur...butors-malware/
28 April 2015 - "An email in garbled English about a database of contributors and their Privacy Policy with a subject of 'RE: Hello' pretending to come from Chanda <faucibus.id@ aliquet .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    Dear user! We consider a database of contributors and we found that we have signed with you our “Privacy Policy” and that we have an updated CV. We will be audited in the near future, and we need to update the record. For this reason, is attached to this e-mail confidentiality agreement that we pray thee firm and return them by email or fax as soon as possible. We also need you, please send us your resume updated for inclusion in the database. If you have any questions, please contact me.
    With great respect !

28 April 2015: Privacy Policy.zip: Extracts to: Privacy Policy.doc.scr
Current Virus total detections: 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will pretend to be a word doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430201347/
... Behavioural information
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

Fake 'INVOICE PD' SPAM - malicious attachment
- http://blog.dynamoo....-will-comm.html
28 April 2015 - "This malicious spam does not come from Will Communications but is instead a simple -forgery- with a malicious attachment.
    From:    richard will [contactwill@ hotmail .com]
    Date:    28 April 2015 at 09:05
    Subject:    INVOICE PD Will Comm
    Thank-you for your payment!
    Richard Will
    Will Communications, Inc.
    richard@ willcommunications .com

The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56* and it contains this malicious macro... In this case, the macro downloads a component from:
http ://massachusettsselfstorage .com/62/927.exe
..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53**. There may well be other documents that download from -other- locations, but the binary will be the same in all cases. Automated analysis tools... show that it attempts to communicate with the following IP:
185.12.95.191 (RuWeb CJSC, Russia)
According the the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56***."
* https://www.virustot...sis/1430209748/

** https://www.virustot...sis/1430209765/

*** https://www.virustot...sis/1430210575/

massachusettsselfstorage .com: 209.114.42.129: https://www.virustot...29/information/

- http://myonlinesecur...dsheet-malware/
28 April 2015 : Orion_PD_INV_12138.doc - Current Virus total detections: 4/54* downloads & executes http ://muebleseviajan .com/62/927.exe ..."
* https://www.virustot...sis/1430207999/

muebleseviajan .com: 185.14.56.96: https://www.virustot...96/information/
___

Bad Actor using Fiesta exploit kit
- https://isc.sans.edu...l?storyid=19631
2015-04-28 - "... a criminal group using the Fiesta exploit kit (EK) to infect Windows computers... The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain.  I'm calling this group the "BizCN gate actor" because all its gate domains are registered through Chinese registrar www .bizcn .com, and they all reside on a -single- IP address... Earlier this month, the BizCN gate actor changed its gate IP to 136.243.227.9 [3].  We're currently seeing the gate lead to Fiesta EK on 205.234.186.114. Below is a flow chart for the infection chain:
> https://isc.sans.edu...ry-image-01.jpg
... Passive DNS on 136.243.227.9 shows at least 100 domains registered through www .bizcn .com hosted on this IP address. Each domain is paired with a -compromised-  website... Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again. Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes..."
3] http://urlquery.net/...q=136.243.227.9

205.234.186.114: https://www.virustot...14/information/

136.243.227.9: https://www.virustot....9/information/
___

Fake 'NatWest' SPAM – chm malware
- http://myonlinesecur...43-chm-malware/
28 Apr 2015 - "'NatWest Secure Message' pretending to come from NatWest .co.uk <secure.message@ natwest .com> with a zip attachment that extracts to a malicious chm (windows help file) is another one from the current bot runs... The email looks like:
    You have received a secure message.
    Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.  
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3532.
    First time users – will need to register after opening the attachment...

There is also a separate set of emails being spammed out with the -same- malware attachment with a subject of 'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com>...
Please check attached file(s) for your latest account documents regarding your online account.
Russel Whitlock
Level III Account Management Officer
817-267-1542 office
817-573-8940 cell
Russel.Whitlock@ jpmorgan .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
2015 JPMorgan Chase & Co...

All of these use random names at the relevant banks...
Update: there is a second set of these being spammed out with a plain chm attachment that is -not-  inside a zip. Outlook (and some other email clients) block chm files by default so you will be protected from automatically opening or running this.
Todays Date: SecureMessage.zip: Extracts to: SecureMessage.chm
Current Virus total detections: 1/53* . The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430217439/
SecureMessage.chm
___

Fake 'BACS payment' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 Apr 2015 - "An email saying 'Please find downloaded notification of your BACS payment from Essex County Council' with a subject of 'Hello (your email address)' pretending to come from sales with a  zip attachment is another one from the current bot runs... The email looks like:
    Please find downloaded notification of your BACS payment from Essex County Council.  
    If you require further information please refer to the contact details in the attached document.
    BACS Remittance Advice generated automatically by 2e2 on behalf of Essex County Council.
    Paramat 60
    85 rue des jacobins
    60740 Saint maximin
    Tel : 03.44.66.03.47

28 April 2015: Random Attachment zip name: Extracts to: INVOICE.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430219199/
... Behavioural information
TCP connections
166.78.246.145: https://www.virustot...45/information/
81.7.109.65: https://www.virustot...65/information/
188.255.252.242: https://www.virustot...42/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Fake 'Email Locked' SPAM - contains trojan
- http://blog.mxlab.eu...ontains-trojan/
Apr 28, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “[Issue 243061763D7F320] Account #735811402519 Temporarily Locked”. Different spoofed addresses are used a from email address and with each email, the content and the attached trojan is -different- to avoid detection by virus engines. Some examples:
    Dear user,
    We detect unauthorized Login Attempts to your ID #735811402519 from other IP Address.
    Please re-confirm your identity. See attached docs for full information.
    Evie Maccarter
    King Yvonne M Dr
    70 Exhibition Street, Kentville, NS B4N 4K9
    CANADA
    902-602-7131

The attached file 735811402519.zip contains the 102 kB large file 735811402519.scr. The trojan is known as UDS:DangerousObject.Multi.Generic, Heur.I or Trojan.Win32.Qudamah.Gen.3. At the time of writing, 3 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1430215524/
___

Scammy Nepal earthquake donation requests
- https://isc.sans.edu...l?storyid=19635
2015-04-28 - "... like after every major hurricane or earthquake, the miscreants around the globe are currently scurrying to set up their -fake- charities and web pages, in order to solicit donations. The people of Nepal certainly can use our help and generosity to deal with the aftermath of the April 25 earthquake, but let's make sure the money actually ends up there. For our readers in the US, USAID.gov maintains a list of charities that they work with in Nepal at http://www.usaid.gov/nepal-earthquake.. but note how even USAID adds a disclaimer to be on the lookout for scams!..."
 

  

Edited by AplusWebMaster, 28 April 2015 - 10:27 AM.

[AplusWebMaster]

FYI...

Fake 'pictures' SPAM - malware
- http://myonlinesecur...ctures-malware/
29 Apr 2015 - "An email saying 'Here are some pictures' with a subject of 'RE: Hello' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    Here are some pictures !!
    See you later!

29 April 2015: in_my_home.zip: Extracts to: in_my_home.scr
Current Virus total detections: 7/55*. Automatic analysis at MALWR show it to be a Zeus banking Trojan. Creates a windows hook that monitors keyboard input (keylogger), creates Zeus (Banking Trojan) mutexes, mutex: MPSWabDataAccessMutex, creates an Alternate Data Stream (ADS) file: C:\WINDOWS\system32\commtui2.exe:Zone.Identifier, Installs itself for autorun at Windows startup... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430289254/
___

JavaScript malware
- http://myonlinesecur...script-malware/
29 Apr 2015 - "JavaScript malware is a different way of spreading malware. We have been seeing a steady increase in a different form of malware spreading. The bad guys are sending javascript files inside a zip or at the end of a link. We have seen several different email templates for this method ranging from:

- E-Ticket 7694892 pretending to come from E-Ticket <online@ ticket .com>
> http://myonlinesecur...script-malware/

- Order 595775 which contains a simple email reading something like “Good Day! Find Order 595775 attached Thank you Jim Olsen” These also come in as -fake- invoices with random numbers and random names and senders. You normally find the name in body of email matches the name of the alleged sender.

These particular js files (JavaScript malware) download & install a cryptowall 3.0 malware which will encrypt all your files on the computer and prevent access to them. There is absolutely -no- fix once you are infected so it is essential to have a full working backup and make sure it is stored off the computer. These cryptowall Trojans are -network- aware and will -encrypt- -all- -network- disks and external hard discs as well as the computer hard disc.
All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. -Don’t- try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking-the-link in the email to see what is happening... The basic rule is NEVER open -any- attachment to an email, unless you are expecting it..."

- http://blogs.cisco.c.../cryptowall-3-0
___

Fake 'HBSC credit' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 Apr 2015 - "'New credit terms from HSBC' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
     Sir/Madam,
    We are pleased to inform you that our bank is ready to offer you a bank loan.
    We would like to ask you to open the Attachment to this letter and read the terms.
    Yours faithfully,
    Global Payments and Cash Management
    HSBC

29 April 2015: mail2.zip: Extracts to: Payment.exe
Current Virus total detections: 1/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430307499/
___

Fake 'BACS payment' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 Apr 2015 - "An email saying 'Please find downloaded notification of your BACS payment from Essex County Council' with a subject of 'Hello (your email address)' pretending to come from sales with a zip attachment is another one from the current bot runs... The email looks like:
    Please find downloaded notification of your BACS payment from Essex County Council.  
    If you require further information please refer to the contact details in the attached document.
    BACS Remittance Advice generated automatically by 2e2 on behalf of Essex County Council.
    Paramat 60
    85 rue des jacobins
    60740 Saint maximin
    Tel : 03.44.66.03.47

28 April 2015: Random Attachment zip name: Extracts to: INVOICE.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430219199/
... Behavioural information
TCP connections
166.78.246.145: https://www.virustot...45/information/
81.7.109.65: https://www.virustot...65/information/
188.255.252.242: https://www.virustot...42/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Incoming MMS Spam
- http://threattrack.t...coming-mms-spam
Apr 29, 2015 - "Subjects Seen
    Incoming mms from +07452136643
Typical e-mail details:
    No.: +07452136643
    Size: 8971
    ID: OHB.45598A07E.7385
    Filename: OHB.45598A07E.7385.cab
    Billie Souto

Malicious File Name and MD5:
    OHB.45598A07E.7385.scr (d2843ca1919e48c16c98673210e0c3d2)

Screenshot: https://41.media.tum...1r6pupn_500.png

Tagged: MMS, ctb locker
___

Fake Chinese domain SCAMs
- http://blog.dynamoo....rycom-scam.html
29 Apr 2015 - "This spam email is actually part of a long-running Chinese scam.
    From:    Jim Bing [jim.bing@ cnwebregistry .cn]
    Date:    29 April 2015 at 14:27
    Subject:    Re:"[redacted]"
    Dear CEO,
    (If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)
    We are a Network Service Company which is the domain name registration center in Shanghai, China.
    We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?
    Best Regards,
    Jim
    General Manager

Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a -rogue- Chinese domain registrar to get you to buy -overpriced- and -worthless- domains. In this case the spam mentions the domain cnwebregistry .cn, but chinaygregistry .com is also on the same server and will be similarly fraudulent. This video I made a while ago explains the scam in more detail..."
(Video @ the dynamoo URL above.)
 

 

Edited by AplusWebMaster, 29 April 2015 - 10:22 AM.

[AplusWebMaster]

FYI...

Fake 'Telephone order' SPAM -  malicious doc attachment
- http://blog.dynamoo....-mcdonnell.html
30 Apr 2015 - "This fake financial email is not from Gas Cylinders UK but is instead a simple -forgery- with a malicious attachment.
    From:    Rebecca McDonnell [rebecca@ gascylindersuk .co .uk]
    Date:    30 April 2015 at 09:54
    Subject:    Telephone order form
    Telephone order form attached
    Regards,
    Rebecca McDonnell
    Business Administrator
    340a Haydock Lane, Haydock Industrial Estate,
    St Helens, Merseyside, WA11 9UY
    DDI:  01744 304338
    Fax: 01942 275 312 ...

There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56* and contained this malicious macro... which downloaded a component from the following location:
http ://morristonrfcmalechoir .org/143/368.exe
This is saved as %TEMP%\serebok2.exe and has detection rate of 8/56**. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:
212.227.89.182 (1&1, Germany)
The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55***."
* https://www.virustot...sis/1430390792/

** https://www.virustot...sis/1430390534/

*** https://www.virustot...sis/1430392218/


- http://myonlinesecur...dsheet-malware/
30 Apr 2015
Screenshot: http://myonlinesecur...-order-form.png

30 April 2015 : TELEPHONE PURCHASE ORDER FORM.doc - Current Virus total detections: 4/55*
... which downloads and runs nishatdairy .com/143/368.exe which is saved as %Temp%\serebok3.exe and autoruns (virus Total**)..."
* https://www.virustot...sis/1430379008/

** https://www.virustot...sis/1430379609/
___

Fake 'Statement' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Apr 2015 - "'Statement of Account 5905779365764954' (random number) coming from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...79365764954.png

30 April 2015 : random name : Extracts to: statement.exe | Account_info.exe | Docs_23131445.exe
Current Virus total detections: 1/55* |1/55** | 1/55*** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430384002/

** https://www.virustot...sis/1430384014/

*** https://www.virustot...sis/1430384178/
___

Fake 'Amended Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
30 Apr 2015 - "'Attached Amended Invoice 115784 Re D/N 103674. 9/4/15' pretending to come from  accounts@ procterscheeses .co.uk with a malicious word doc or Excel XLS spreadsheet attachment  is another one from the current bot runs... The email body is totally -blank-. This contains exactly the -same- malware as today’s earlier spam run of malicious word docs Telephone order form – Rebecca McDonnell — word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Nepal Earthquake Disaster - Email Scams
- https://www.us-cert....ter-Email-Scams
April 30, 2015 - "... potential email scams regarding the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for -fraudulent- charitable organizations commonly appear after these types of natural disasters..."
 

 

Edited by AplusWebMaster, 30 April 2015 - 08:25 AM.

[AplusWebMaster]

FYI...

Fake 'Invoice' SPAM - doc/xls malware attached
- http://myonlinesecur...dsheet-malware/
1 May 2015 - "'Berendsen UK Ltd Invoice 60022446 344' pretending to come from donotreply@ berendsen .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...0022446-344.png

1 May 2015 : IRN001610_60022446_I_01_01.doc - Current Virus total detections: 2/56*
... which connects to & download laurelwoodvirginia .com/654/46.exe which is saved as %temp%\serebok5.exe and -autorun- on your computer (virus Total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430472222/

** https://www.virustot...sis/1430476073/
... Behavioural information
TCP connections
212.227.89.182: https://www.virustot...82/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

laurelwoodvirginia .com: 66.175.58.9: https://www.virustot....9/information/
___

Fake 'Claim' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 May 2015 - "'Copy of claim passed for consideration to HM Courts Ref: [random numbers] from [random companies]' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like this, but be aware that every email will have a -different- random claim number and -different- company listed as the claimant:

    SOVEREIGN MINES OF AFRICA PLC has issued the claim against you and passed for consideration to HM Courts Ref:[EK8013GUH].The claim was read, and passed to the second reading. For these or other notarial acts, or the legalising of documents, please contact  SOVEREIGN MINES OF AFRICA PLC as soon as posible.

So far I have seen:
- Copy of claim passed for consideration to HM Courts Ref:[EK8013GUH] from SOVEREIGN MINES OF AFRICA PLC
- Copy of claim passed for consideration to HM Courts Ref:[UK1751MQV] from FALKLAND OIL & GAS
- Copy of claim passed for consideration to HM Courts Ref:[EI6841DHZ] from BREEDON AGGREGATES LTD
- Copy of claim passed for consideration to HM Courts Ref:[BB1620VDT] from WILLIAM HILL PLC
- Copy of claim passed for consideration to HM Courts Ref:[FZ8349DFN] from GAZPROM OAO
- Copy of claim passed for consideration to HM Courts Ref:[WY4077WQJ] from Hardy Amies Ltd
- Copy of claim passed for consideration to HM Courts Ref:[GX0331SJB] from Nathaniel Lichfield and Partners
25 February 2015 : EI6841DHZ.doc | EK8013GUH.doc |  UK1751MQV.doc
Current Virus total detections: 0/56* | 0/56** | 0/56***
... at least one of these macros downloads from pastebin .com/download.php?i=XEKaxHCg and  verifed. acgfamilyoffices .com/ebn/logo.jpg (so far I have not been able to get the content but am still trying)..."
* https://www.virustot...sis/1430477322/

** https://www.virustot...sis/1430477337/

*** https://www.virustot...sis/1430477346/

- http://blog.mxlab.eu...ious-word-file/
May 1, 2015
> https://www.virustot...sis/1430480904/
File name: ZI2444LQN.doc
Detection ratio: 0/56
___

Fake 'Delivery confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 May 2015 - "'Delivery confirmation form for purchase BW91149JYA [random numbers]' from 30/04/15 coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Please fill out the attached form and return it to us.
    Best regards, Antonia Lang

The name in the body of the email matches the alleged sender. The purchase number in the subject matches the attachment name. The malware payload is exactly the -same- as the payload in today’s earlier spam run of malicious word docs 'Copy of claim passed for consideration to HM Courts Ref:...' – word doc or excel xls spreadsheet malware*. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
 

  

Edited by AplusWebMaster, 02 May 2015 - 06:52 AM.

[AplusWebMaster]

FYI...

Fake 'Unaccepted account' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 May 2015 - "An email coming from random senders and random email addresses with subjects of  'Holded account notification' or 'Unaccepted account caution' or similar vaguely banking related subjects with a zip attachment is another one from the current bot runs... Some subjects seen with this series of spam emails are:
    Blocked bank operation report
    Holded account notification
    Unaccepted account caution
    Rejected operation warning
    Blocked transaction warning
Some attachment names are:
    block_warning_information.zip
    nullfication_alert_details.zip
    rejection_message_data.zip
    rejection_notification_form.zip
    invalidation_alert_document.zip
The email looks like:
    Be noted that your depositis rejected.
    Please see the report for detailed information.
    Susan Morgan
    Account Security Department
-Or-
    Be adviced that your payment not accepted.
    Please see the document for detailed information.
     Mary Roberts
    Senior Manager
-Or-
    We inform you that your fund not accepted.
    Please look the document for detailed information.
    Jane Jones
    Senior Manager

4 May : block_warning_information.zip | nullfication_alert_details.zip
Extracts to:  block_warning_report.exe | abrogation_warning_information.exe
Current Virus total detections: 1/55* | 1/55** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...0bbc1/analysis/
... Behavioural information
TCP connections
166.78.246.145: https://www.virustot...45/information/
91.211.17.201: https://www.virustot...01/information/
38.124.60.223: https://www.virustot...23/information/
88.221.14.249: https://www.virustot...49/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/

** https://www.virustot...sis/1430748957/
... Behavioural information
TCP connections
104.130.28.231: https://www.virustot...31/information/
91.211.17.201: https://www.virustot...01/information/
38.124.60.223: https://www.virustot...23/information/
88.221.14.249: https://www.virustot...49/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/

- https://isc.sans.edu...l?storyid=19657
2015-05-05
___

ACH Spam
- http://threattrack.t...846488/ach-spam
May 4, 2015 - "Subjects Seen:
    ACH Approval Letter
Typical e-mail details:
    The Automated Clearing House (ACH) application for your company has been processed and the payer unit number assigned is 029762. This number identifies to the Federal Reserve Bank of Cleveland the account to be debited and is required input in the “ABI ACH Payment Authorization Input Record.” It is the responsibility of the payer to use the correct payer unit number in every transaction in which statements are paid via ACH.
    You may begin paying statements via ACH.  If you are a Customhouse broker who is using ACH for the first time, please contact your ABI client representative to request that your ABI records be updated to permit ACH filing. If you are already using ACH for other importer statement transmissions, you do not need to contact your ABI client representative. If you are a new ABI importer, please contact your ABI client representative to ensure that the appropriate ABI records are updated to permit you to transmit entry summaries, which will be filed under ACH...
    If you have any questions, you may contact ACH Help Desk at (317) 298-1200, extension 1098.
    Sincerely,
    Cindi Miller, Chief
    Collections Refunds and Analysis Branch
    Revenue Division
    Thank You,
    Kirsten Anderson

Malicious File Name and MD5:
    ACH_Import_Information.scr (bc7bb730e98fcde7044251784e0d8ceb)

Tagged: ACH, Upatre
___

Macro Malware: Old Tricks still Work ...
- http://blog.trendmic...ll-work-part-1/
May 4, 2015 - "Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters:
Microsoft Word security warning for macros:
> https://blog.trendmi...04/Figure01.jpg
... We’ve already seen signs of macro malware in the threat landscape a year ago with the W97M_SHELLHIDE.A and TSPY_ZBOT.DOCM combination. At first, we thought that it was just a chance encounter but, as covered in our recent report on BARTALEX, the method of distributing malware through the misuse of macros has borne the likes of DRIDEX, ROVNIX and VAWTRAK into computer systems from the latter part of 2014 up to this year. What’s more, we noticed that this resurgence of macro malware has a single area of focus: enterprises. Enterprises were heavily affected by a spam outbreak involving macro malware. We saw that macro malware detections in Q1 2015 drove huge numbers:
Q1 2015 MS Word and Excel malware detections:
> https://blog.trendmi...04/Figure-2.jpg
This data is based on feedback from Trend Micro’s Smart Protection Network, representing files that have been detected on endpoints. The following conclusions can be drawn:
- The two common malware families seen are W97M_MARKER and W2KM_DLOADR.
- You can see X2KM_DLOADR detections around the start of February.
- A couple more significant ones like W2KM_DOXMAL and W2KM_MONALIS started showing up on the 2nd week of March
- Finally, W2KM_BARTALEX started picking up middle of February and was seen up to the last week of March... The macro code was instrumental in dropping the .DLL file that instated the malware, GHOLE. Targeted attack campaigns would usually use vulnerabilities that had been determined to be effective on a target, or even zero-day vulnerabilities. This operation, however, had taken a much easier route of using the tired, old method of traditional malware. If you take the methods employed by GHOLE, ZBOT, DRIDEX, ROVNIX and VAWTRAK, we’ve all seen them in the past – as well as macro malware and email-borne threats... the right time has come and known threats are repackaged with old methods, resulting to what we now determine to be equally effective..."
___

Fiesta EK wreaks havoc on popular Torrent Site
- https://blog.malware...r-torrent-site/
May 4, 2015 - "... Beside the illegal nature of the act in some countries, many sites that index torrents are filled with aggressive ads and pop ups often tricking the user to run programs and other junk that they don’t need. To get the actual content you were looking for is often a battle that could end with some unwanted toolbars added to your browser, or worse, malware. Such is the case with popular Torrent index SubTorrents .com, a very popular Torrent in Spain and Latin America... Users trying to download their favourite TV show may end up getting more than they were looking for. Upon browsing the site, a malicious -redirection- silently loads the Fiesta exploit kit and associated malware payload. Fortunately, Malwarebytes Anti-Exploit users were shielded from this threat... Given the large amounts of ads on the site, it would have been fair to suspect a malvertising issue, but this was not the case here. Rather, the site itself has been -compromised- and serves a well hidden iframe... the author had some fun trying to make things a little more complicated. Rather than directly inserting a malicious iframe (to the exploit kit landing), they chose to build it on the fly by retrieving the content from an external .js... The exploit kit is Fiesta EK and we noticed a new format, where semi colons are now commas... Downloading illegal Torrents is dangerous business. On top of fake files that waste your time and bandwidth, users have to navigate through a sea of misleading ads and pop ups. They may end up saving a few bucks off that latest movie but could also risk a lot more, like getting a nasty malware infection. Ransomware being so prevalent these days could mean that all of user’s files, including those movies and songs could be encrypted and held for ransom. Regardless, it is important to stay safe from such attacks by keeping your computer up-to-date..."
(More detail at the malwarebytes URL above.)
 

  

Edited by AplusWebMaster, 05 May 2015 - 05:13 AM.

[AplusWebMaster]

FYI...

Fake 'INVOICE' SPAM - doc/xls malware attached
- http://myonlinesecur...dsheet-malware/
5 May, 2015 - "'Ref: DW95009KSG [random characters] from 05/05/15 for review' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email contains an image of an invoice downloaded from a website looks like:

Screenshot: http://myonlinesecur...ew-1024x686.png

If you have your email client set to read in plain text only, then you get an email which just reads as pure garbled junk text.
5 May 2015 : DW95009KSG.doc - Current Virus total detections: 0/56* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430822826/
___

Smartphone Apps secretly connect to User Tracking and Ad Sites
Security researchers have developed an automated system for detecting Android apps that secretly connect to ad sites and user tracking sites.
- http://www.technolog...g-and-ad-sites/
May 1, 2015 MIT - "There are essentially two starkly different environments in which to download apps. The first is Apple’s app store, which carefully vets apps before allowing only those deemed fit to appear. The second is the Google Play store, which is more -open- because Google exercises a lighter touch in vetting apps, only excluding those that are obviously malicious. But because Google Play is more open, the apps it offers span a much wider quality range. Many connect to ad-related sites and tracking sites while some connect to much more dubious sites that are associated with malware. But here’s the problem — this activity often takes place without the owner being aware of what is going on. That’s something that most smartphone users would be appalled to discover — if only they were able to... In total, the apps connect to a mind-boggling 250,000 different urls across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific... Most users of these apps will have little, if any, knowledge of this kind of behavior..."
(More detail at the technologyreview URL above.)
 

  

Edited by AplusWebMaster, 05 May 2015 - 08:30 AM.