2072 replies to this topic

[AplusWebMaster]

FYI...

Fake 'SEPA' SPAM - malware attachment
- http://myonlinesecur...ayment-malware/
6 May 2015 - "'Urgent notice about your SEPA Payment' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    The SWIFT transaction, recently initiated from your company”s online banking account, was aborted by the Electronic Payments Association.
    Aborted transfer
    SWIFT Processing Case ID     G10536592
    Transaction Amount     38058.65 Pounds sterling
    E-mail     info@thespykiller .co .uk
    Reason of rejection     View details
    Please click the address given at the top to see the statement with all details about this case.
-or-
    The online transaction, recently sent from your company”s checking account, was cancelled by the other financial institution.
    Rejected transfer
    Transaction Case ID     R89716531
    Total     21696.96 GBP
    Billing E-mail     amy@hedgehoghelp .co .uk
    Reason for rejection     View details
    Please click the address you can find above to open the MS Word document with the full info about this problem.

There are dozens if not -hundreds- of different -dropbox- links with this series of spam emails. It is very likely that each one will have a different sha256# so the detections on VirusTotal might well be incorrect.
6 May 2015: online Payment6688.zip : Extracts to: Rejected SWIFT Transaction.doc Word Document_86535.scr Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430902669/
___

Fake 'Invoice 37333' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
6 May 2015 - "'Invoice 37333 from CONTRACT SECURITY SERVICES LIMITED' pretending to come from accounts3 <accounts3@ contractsecurity .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...CES-LIMITED.png

6 May 2015 : Inv_37333_from_CONTRACT_SECURITY_SERVICES_LTD_3000.doc
Current Virus total detections: 2/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430904557/
___

Fake 'Check your requisite' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
6 May 2015 - "'Check your requisite' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

     Good morning
    Could You please check your requisite details under the contract #4HZKYN

The contract number in the body of the email matches the zip attachment name.
6 May 2015: QmXFW4.zip: Extracts to:  invalidation_invoice_report.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430906359/
... Behavioural information
TCP connections
166.78.246.145: https://www.virustot...45/information/
91.211.17.201: https://www.virustot...01/information/
184.164.97.239: https://www.virustot...39/information/
90.84.60.97: https://www.virustot...97/information/
UDP communications
23.99.222.162: https://www.virustot...62/information/
___

Fake 'Transport' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
6 May 2015 - "Email from 'Transport for London' pretending to come from noresponse@ cclondon .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-for-London.png

6 May 2015 : AP0210780545.doc - Current Virus total detections: 2/57*
... which downloads from volpefurniture .com/111/46.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430908758/

** https://www.virustot...sis/1430909515/
... Behavioural information
TCP connections
62.152.36.90: https://www.virustot...90/information/
90.84.60.97: https://www.virustot...97/information/

volpefurniture .com: 192.254.142.34: https://www.virustot...34/information/

- http://blog.dynamoo....nsport-for.html
6 May 2015
... Recommended blocklist:
62.152.36.90
89.28.83.228
185.12.95.191
185.15.185.201 ..."
___

ADP Invoice Spam
- http://threattrack.t...dp-invoice-spam
May 6, 2015 - "Subjects Seen:
    ADP invoice for week ending 05/06/2015
Typical e-mail details:
    Your most recent ADP invoice is attached for your review.
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It comes from an unattended mailbox.

Malicious File Name and MD5:
    invoice_400119471.exe (222ddd63ab85f03ff344c4328e58896c)

Tagged: ADP, Upatre
___

IRS e-Help Desk Spam
- http://threattrack.t...-help-desk-spam
May 6, 2015 - "Subjects Seen:
    E-mail Receipt Confirmation - Ticket#SD0180867
Typical e-mail details:
    The IRS e-help Desk has received your email on 05/06/15. A case has been opened in response to your question or issue.
    Your case ID is : SD0180867
    Details about this case has been attached.
    If additional contact is necessary, please reference this case ID.
    You will receive a reply within two business days.
    Thank you for contacting the IRS e-help Desk.

Malicious File Name and MD5:
    SD743299.exe (222ddd63ab85f03ff344c4328e58896c)

Tagged: IRS, Upatre
 

 

Edited by AplusWebMaster, 06 May 2015 - 02:01 PM.

[AplusWebMaster]

FYI...

Fake 'order' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 May 2015 - "'You order form:[XY12469DMM] from 06/05/15 recived; MYTRAH ENERGY LTD' ... with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

We have received your order form [XY12469DMM]  and we thank you very much. Our sales department informs us that they are able to dispatch your stock by the end of next week following your packing instructions.
 As agreed, we have arranged transport. We are sending herewith a copy of our pro-forma invoice.
 The consignment will be sent as soon as the bank informs us that the sum is available. We hope you will be satisfied with the fulfilment of this order and that it will be the beginning of a business relationship to our mutual benefit.
Best regards, Hallie Foreman
MYTRAH ENERGY LTD

7May 2015 : XY12469DMM.doc - Current Virus total detections: 0/56*
The malicious macro in this example tries to connect to pastebin .com/download.php?i=VTd9HVkz where it downloads an encrypted/encoded text file which in turn is used to contact http ://91.226.93.14/stat/get.php and downloads test.exe (VirusTotal**). This also attempts to download an image from savepic .org/7260406.jpg... why or what purpose this is used for except to try to persuade you that the file is innocent. This image is of an orthodox Jewish man, but yesterday’s malicious word docs tried to use an image of the Russian President Vladimir Vladimirovich Putin...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430990065/

** https://www.virustot...sis/1430990250/
... Behavioural information
TCP connections
46.36.217.227: https://www.virustot...27/information/
88.221.14.249: https://www.virustot...49/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

91.226.93.14: https://www.virustot...14/information/
___

Fake 'invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 May 2015 - "'Your invoice from Price & Company 01537833 REP' pretending to come from focus@ price-regency .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email looks like:

    Attached is your invoice 01537833.

7 May 2015 : 01537833.doc - Current Virus total detections: 2/52*
... which tries to connect to hmcomercial .com.br/75/47.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430990459/
___

Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 May 2015 - "'Payslip for period end date 30/04/2015' pretending to come from noreply@ fermanagh .gov .uk with a zip attachment is another one from the current bot runs... The email when it arrives working looks like:

    Dear administrator
    Please find attached your payslip for period end 30/04/2015
    Payroll Section
    ————

7 May 2015: payslip.zip: Extracts to: payslip.exe
Current Virus total detections: 0/58 (virus Total currently down so will update later)
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Fake 'Credit Note' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 May 2015 - "'Credit Note' pretending to come from sales@ scspackaging .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Thank you very much for getting in touch.
     Please find credit attached.
    Apologies for any inconvenience, we hope this covers everything.
     If you have any queries please don’t hesitate to get in touch.
     Thank you
    Regards
     SCS

7 May 2015: Credit Note.doc ... -same- malware payload as today’s earlier malicious word docs 'Your invoice from Price & Company 01537833 REP – word doc or excel xls spreadsheet malware'* although the copy I saw used a -different- download location. There are numerous different download locations around... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Lloyds Bank Spam
- http://threattrack.t...loyds-bank-spam
May 7, 2015 - "Subjects Seen:
    Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 7262921/
Typical e-mail details:
    Please find attached our document pack for the above customer. Once completed please return via email to the below address.
    If you have any queries relating to the above feel free to contact us at
    MN2Lloydsbanking@ lloydsbanking .com

Malicious File Name and MD5:
    ReportonTitle770415.1Final 1.exe (8178ad46a72c44cdb9a6146f0952d5bf)

Tagged: Lloyds Bank, Upatre
___

Malvertising strikes dozens of top adult sites
- https://blog.malware...op-adult-sites/
May 7, 2015 - "We have been observing a very large malvertising campaign affecting dozens of top adult sites over the past week. All these attacks have a common element, a Flash based infection via a rogue advertiser abusing the AdXpansion ad network... this particular campaign is quite noticeable due to the number of sites affected and their popularity. According to stats from SimilarWeb .com, these adult portals account for a combined 250+ million monthly visits.
    drtuber .com 60.2 M
    nuvid .com 46.5 M
    hardsextube .com 43.7 M
    justporno .tv 32.5 M
    alphaporno .com 24.9 M
    eroprofile .com 18 M
    pornerbros .com 16.6 M
    pichunter .com 6.6 M
    iceporn .com 6.4 M
    tubewolf .com 6.2 M
    winporn .com 5.4 M
As we have seen lately, more and more malvertising attacks are self-contained. The same fraudulent Flash advert is also used as the exploit, making it much more streamlined and sometimes hard to pinpoint. The advert displaying sexual enhancement drugs, is loaded with malicious code that will immediately attempt to exploit the visitor, regardless of whether they click on the ad or not... The bogus advert can exploit Flash Player up until version 17.0.0.134, released less than two months ago... The malware payload may vary but could result in multiple different malicious binaries dropped via a Neutrino-like EK (credit Kafeine*)..."
* http://malware.dontn...700134-and.html
"... As spotted by FireEye on 2015-04-17**, Angler EK is now taking advantage of a vulnerability patched with the last version of Flash Player (17.0.0.169)..."
** https://www.fireeye....exploiting.html
Apr 18 2015
___

Rombertik malware ...
- https://blog.malware...bout-rombertik/
May 6, 2015 - "... What’s mostly uncommon about Rombertik is that, unlike much of the other malware in circulation today, Rombertik will -trash- the user’s hard drive if certain hash values don’t line up. This is an uncommon practice in malware, although it does happen on occasion. Recall that the malware involved in the Sony Pictures hack of last year did the same thing, and even earlier attacks were happening against banks in South Korea that did the same thing... Unlike those examples though, Rombertik doesn’t appear to be a state-sponsored malware. Instead, it mostly appears in phishing messages and other spam which will fall into the hands of everyday users. Much like everyday malware, most of Rombertik’s actions aren’t too unique. When looking at the picture depicting Rombertik’s course of action*, its noted the malware performs a lot of the same techniques seen in malware over the last several years; things like creating “excessive activity” to blow up procmon logs or having the binary overwrite itself in memory with unpacked code (Run PE) isn’t anything new in the world of malware.
* https://blogs.cisco....ise-flow-wm.png
... In the case of Rombertik, the malware writes random bytes to memory many times before proceeding execution. This would be something that conventional malware sandboxes don’t account for, and therefore would be considered an anti-sandbox technique... For the full report on Rombertik by Talos, click here**."
** http://blogs.cisco.c...talos/rombertik
May 4, 2015 - "... Rombertik is a complex piece of malware with several layers of obfuscation and anti-analysis functionality that is ultimately designed to steal user data.  Good security practices, such as making sure anti-virus software is installed and kept up-to-date, -not- clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users. However, a defense in depth approach that covers the entire attack continuum can help identify malware and assist in remediation in the event that an attacker finds a way to evade detection initially..."

- https://atlas.arbor.net/briefs/
May 7, 2015 - "... Rombertik was the subject of recent reports. This new version employs numerous methods to -evade- sandbox forensics, including an attempt to overwrite the MBR if it believes it is being analyzed in memory. A recent spearphishing campaign against Taiwanese government officials targeted the victims through a common consumer grade messaging application. Regardless of the types of applications in use (enterprise or BYOD), attackers will leverage any possible vector in their attempts to fulfill campaign objectives..."
 

 

Edited by AplusWebMaster, 11 May 2015 - 04:30 PM.

[AplusWebMaster]

FYI...

Fake 'Scanned tickets' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
8 May 2015 - "'Scanned tickets' pretending to come from Rebecca De Mulder <milestoneholdings@ yahoo .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Afternoon
    Attached are the tickets  you have requested
    Kinds Regards kath
    Milestone Holdings
    Tel:   01676 541133
    Mob: 07976 440015

08 May 2015: scan0079.xls - Current Virus total detections: 3/56*
Automatic analysis has not detected any network activity or malware download so far. Once we have full details of other analysis we will update this.
Update: manual analysis gives http ://wesleychristianschool .org/43/83.exe as the download location
(VirusTotal**). Note with these there will be -numerous- different macros with different download locations all giving the -same- actual malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431073205/

** https://www.virustot...sis/1431074156/
... Behavioural information
TCP connections
62.152.36.90: https://www.virustot...90/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
23.99.222.162: https://www.virustot...62/information/

wesleychristianschool .org: 192.185.166.117: https://www.virustot...17/information/
___

PayPal Phish ...
- https://blog.malware...-phishing-scam/
May 8, 2015 - "There’s a “Your account has been limited” email in circulation, targeting users of PayPal. The mail, which (bizarrely) claims to come from servicesATapple .com, claims that the account needs to be unlocked by confirming the potential victim’s identity.
> https://blog.malware...015/05/ppl1.jpg
The Email reads as follows:
Your Account PayPal Has Been Limited !
Dear Customer,
To get back into your PayPal account, you'll need to confirm your identity.
It's easy:
Click on the link below or copy and past the link into your browser.
Confirm that you're the owner of the account, and then follow the instructions.

The link leads to a .ma URL, which is the country code for Morocco:
confirm-identity(dot)me(dot)ma
The page is currently offline, but there’s a collection of related websites with similar URLs as per this VirusTotal page*.
* 72.55.165.59: https://www.virustot...59/information/
Some of these have been taken down, a few are still live so it’s probable there are multiple email campaigns leading to each of the -fake- sites... In -all- cases, delete the mail and don’t click on the URLs which aren’t official PayPal domains or secured with https (occasionally phish pages use https, but they’re pretty rare)..."
___

Word Macro Spam
- http://threattrack.t...word-macro-spam
May 8, 2015 - "Subjects Seen:
    #3zLT5
    #LvaX6
    ID: MrYSk
Typical e-mail details:
    Sent from my ipad

Malicious File Name and MD5:
    99HOaFRD.doc (6162c6b0abc8cab50b9d7c55d71e08fe)

Tagged: Word doc Macro, Upatre, iPad, dyre
___

Ad Network Compromised, Users Victimized by Nuclear Exploit Kit
- http://blog.trendmic...ar-exploit-kit/
May 7, 2015 - "MadAdsMedia, a US-based web advertising network, was -compromised- by cybercriminals to lead the visitors of sites that use their advertising platform to Adobe Flash exploits delivered by the Nuclear Exploit Kit. Up to 12,500 users per day may have been affected by this threat; three countries account for more than half of the hits: Japan, the United States, and Australia.
This attack was first seen in April, although at relatively low traffic levels. The number of users at risk grew significantly as May started, with the peak of 12,500 daily affected users reached on May 2:
> https://blog.trendmi.../05/MadAds1.jpg
We initially thought that this was another case of malvertising, but later found evidence that said otherwise. Normal malvertising attacks involve the -redirect- being triggered from the advertisement payload registered by the attacker. This was not evident in the MadAdsMedia case... We found in our investigation that the URL didn’t always serve JavaScript code, and instead would sometimes redirect to the Nuclear Exploit Kit server... This led us to the conclusion that the server used by the ad network to save the JavaScript library was compromised to redirect website visitors to the exploit kit. MadAdsMedia serves a variety of websites globally, and several of the affected sites appear to be related to anime and manga. The Flash exploits in use are targeting CVE-2015-0359*, a vulnerability that was patched only in April of this year. Some users may still be running -older- versions of Flash and thus be at risk. The Flash exploits are being delivered by the Nuclear Exploit Kit, a kit that has been constantly updated to add new Flash exploits and has been tied to crypto-ransomware... Attacks like these highlight the importance for ad networks to keep their infrastructure secure from attacks. Making sure that web servers and applications are secure will help ensure the protection of the business and their customers. End users, on the other hand, are advised to keep popular web plugins up to date. Users with the latest versions of Adobe Flash would not have been at risk. Monthly Adobe updates are released at approximately the same time as Patch Tuesday (the second Tuesday of each month); this would be a good time for users to perform what is, in effect, preventive maintenance on their machines..."
* https://web.nvd.nist...d=CVE-2015-0359
Last revised: 04/22/2015 - "Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x -before- 17.0.0.169 on Windows and OS X and -before- 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors..."
 

  

Edited by AplusWebMaster, 09 May 2015 - 12:39 PM.

[AplusWebMaster]

FYI...

Fake 'Fax' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 May 2015 - "'Patio furniture- Levy, Port St. Lucie' coming from random email addresses and random names with a zip attachment is another one from the current bot runs... The email looks like:
    Attention:
    Please see attached letter. I await your immediate response.
    Thank you,
    Anne Levy

11 May 2015: ONE example PutkTvy9XAf.zip: Extracts to: Fax_wqe32rq2vgwb_data.exe
Current Virus total detections: 0/56*. All the attachments have random names and extract to random names and numbers but all appear to start with -fax- so far today. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431341851/
___

Fake 'Water Line' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 May 2015 "'Huntsman Way Water Line' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
     HI,
    Was a pleasure talking with you again this morning.
    Find attached the quote you requested for your bid.
    Please contact us if you have any questions.
    Have a great day!
    Respectfully,
    Steve Geissen
    Estimating / Outside Sales (Beaumont / Lufkin)
    O:(409)813-2796 F:(409)813-2623 M:(409)363-3038 ...

11 May 2015: 8fs77CjN2XXh.zip: Extracts to:  Invoice_w543245345_4323.exe
Current Virus total detections: 3/56* . Another version as these appear to be random sizes and contents  N3dQrS51H469.zip extracts to Fax_11112436_4323.exe  
Current Virus total detections: 8/57** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431355859/

** https://www.virustot...sis/1431358936/
... Behavioural information
TCP connections
104.130.28.231: https://www.virustot...31/information/
91.211.17.201: https://www.virustot...01/information/
67.219.166.113: https://www.virustot...13/information/
88.221.14.249: https://www.virustot...49/information/
___

Fake 'Payment details' SPAM - doc malware attachment
- http://blog.dynamoo....s-and-copy.html
11 May 2015 - "... using the analysis of an anonymous source (thank you)..
    From:    Kristina Preston [Kerry.df@ qslp .com]
    Date:    11 May 2015 at 12:56
    Subject:    Payment details and copy of purchase [TU9012PM-UKY]
    Dear [redacted]
    On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.
    Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
    Kristina Preston
    Brewin Dolphin

The names and references -change- between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is a some sort of MIME file containing a mixture of HTML and Base64-encoded segments... source has analysed that this downloads a VBS file from Pastebin... which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia). This binary has a detection rate of 2/56* and according to automated analysis tools... it communicates with:
46.36.217.227 (FastVPS, Estonia)
It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56**.
Recommended blocklist:
46.36.217.227
91.226.93.14 "
* https://www.virustot...sis/1431349548/
... Behavioural information
TCP connections
46.36.217.227: https://www.virustot...27/information/
88.221.14.249: https://www.virustot...49/information/

** https://www.virustot...1def8/analysis/

- http://blog.mxlab.eu...ious-word-file/
May 11, 2015
- https://www.virustot...66762/analysis/
Detection ratio: 1/56
Analysis date: 2015-05-11 14:33:59 UTC
___

Fake 'Fiserv' SPAM - zip malware attached
- http://blog.mxlab.eu...-upatre-trojan/
May 11, 2015 - "... intercepted a new trojan distribution campaign by email with the subject 'Fiserv Secure Email Notification – 8715217'. This email is sent from the -spoofed- address “Fiserv Secure Notification <secure.notification@ fiserv .com>” and has the following body:
    You have received a secure message
    Read your secure message by opening the attachment, SecureFile.zip.
    The attached file contains the encrypted message that you have received.
    To read the encrypted message, complete the following steps:
    – Double-click the encrypted message file attachment to download the file to your computer.
    – Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
    To access from a mobile device, forward this message to mobile@ res .fiserv .com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.362.9972.
    2000-2015 Fiserv Secure Systems, Inc. All rights reserved.

The attached file SecureFile8715217.zip contains the 37 kB large file SecureFile.exe. The trojan is known as Virus.Win32.Heur.c, W32/Upatre.E3.gen!Eldorado, UDS:DangerousObject.Multi.Generic or Trojan.Win32.Qudamah.Gen.5. At the time of writing, 8 of the 56 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...a45f6/analysis/
File name: SecureFile.vxe
Detection ratio: 9/56
Analysis date: 2015-05-11 15:01:00 UTC
____

"Breaking Bad" themed ransomware - Fake PDF attachment ...
- http://net-security....ews.php?id=3035
11.05.2015 - "A new type of ransomware is targeting Australian users, and its creators have decided to have some fun and express their love for the popular US TV show 'Breaking Bad' while trying to 'earn' some money:
> http://www.net-secur...os-11052015.jpg
It encrypts the usual assortment of file types - images, documents, audio and video files, archive and database files - with a random Advanced Encryption Standard (AES) key, which is then encrypted with an RSA public key. 'The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name. This zip archive contains a malicious file called PENALTY.VBS, which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file' Symantec researchers shared:
> http://www.symantec....ware-found-wild
.
>> http://www.symantec....-050723-5132-99
The crooks ask for the -ransom- to be paid in Bitcoin, and instruct victims on how to do this via a legitimate YouTube tutorial... the malware can be pretty damaging. The best protection against this type of destructive malicious software is to back up important files regularly."

>> http://www.symantec....e-how-stay-safe
__

Xerox Fax Spam
- http://threattrack.t.../xerox-fax-spam
May 11, 2015 - "Subjects Seen:
    You have received a new fax
Typical e-mail details:
    You have received fax from XEROX23685428 at <email domain>
    Scan date: Mon, 11 May 2015 15:40:57 +0100
    Number of page(s): 29
    Resolution: 400x400 DPI
    Name: Fax3516091

Malicious File Name and MD5:
    IncomingFax.exe (c6c2d72f2b36e854f51ff92680969918)

Tagged: Xerox, Upatre
___

Compromised .gov redirects to Apple ID Phish
- https://blog.malware...apple-id-phish/
May 11 2015 - "... a .gov .vn URL which was redirecting to a -phishing- expedition for Apple IDs... the email which sported a particularly French flavour:
> https://blog.malware...applephish1.jpg
... victim was sent to: skintesting(dot)com(dot)au/components/com_mailto/views/sent/tmpl/auth/
which looked like yet another compromised domain, asking for Apple login credentials:
> https://blog.malware...applephish3.jpg
... A .gov site is always going to be a juicy target for scammers so it’s crucial Admins keep everything patched and up to date – tracking back to where and how an attacker got in can be a long, arduous process. As for Apple ID owners, always -verify- you’re on the correct page before entering login details. Unless you specifically asked Apple to send you a link for some reason (a password reset, for example) then you should -avoid- random URLs sent your way*..."
* https://www.apple.co...pleid/security/

skintesting .com .au: 192.185.109.233: https://www.virustot...33/information/
 

  

Edited by AplusWebMaster, 11 May 2015 - 11:58 AM.

[AplusWebMaster]

FYI...

Fake 'invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
12 May 2015 - "'Copy of your 123-reg invoice ( 123-015309323 )' pretending to come from no-reply@ 123-reg .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-015309323-.png

12 May 2015 : 123-reg-invoice.doc - Current Virus total detections: 5/57*
... this particular macro downloads greenmchina .com/432/77.exe (virus Total**) other macros will download the same malware from other locations... Other download locations so far are:
http ://hydrocapital .com/432/77.exe
http ://fosteringmemories .com/432/77.exe
http ://k-insects .com/432/77.exe
http ://andrewachsen .com/432/77.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431420411/

** https://www.virustot...sis/1431420983/
... Behavioural information
TCP connections
37.143.15.116: https://www.virustot...16/information/
5.178.43.49: https://www.virustot...49/information/

- http://blog.dynamoo....ur-123-reg.html
12 May 2015
"... Recommended blocklist:
37.143.15.116
62.152.36.90
89.28.83.228
185.15.185.201 "
___

Fake 'contract' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 May 2015 - "'CITY OF PORT Arthur – STORM SEWER Project' coming from random names and random email addrrsses with a zip attachment is another one from the current bot runs... The email looks like:
    Please see attachment for contract.  Please sign and return.
    Thanks
    Fred Stepp – Office Manager
    McInnis Construction, Inc.,
    675 South 4th Street
    Silsbee, Texas 77656
    email: fred@ mcinnisprojects .com
    Phone: 409-385-5767
    Fax: 409-385-2483

12 May 2015: m7Tfq4u1cS5i.zip: Extracts to:  contract_DGSASGQ34G_erwr.exe
Current Virus total detections: 23/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431424842/
___

Fake 'Outstanding Invoices' SPAM - malicious attachment
- http://blog.dynamoo....g-invoices.html
12 May 2015 - "This -spam- comes with random senders and reference numbers, but in all cases includes a malicious attachment:
    From:    Debbie Barrett
    Date:    12 May 2015 at 11:14
    Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]
    Dear anthony,
    Kindly find attached our reminder and copy of the relevant invoices.
    Looking forward to receive your prompt payment and thank you in advance.
    Kind regards

The attachment name combines the recipient's email address with the -fake- reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools* manages to analyse it though, showing several steps in the infection chain. First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu
Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.**
This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56***. There are several different attachments... Recommended blocklist:
92.63.88.0/24
46.36.217.227 "
* https://www.hybrid-a...environmentId=4

** https://www.virustot...sis/1431431603/

*** https://www.virustot...sis/1431432524/
___

Australian Tax Office Spam
- http://threattrack.t...tax-office-spam
May 12, 2015 - "Subjects Seen:
    Australian Taxation Office - Refund Notification
Typical e-mail details:
    IMPORTANT NOTIFICATION
    Australian Taxation Office - 12/05/2015
    After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 0736.22 AUD.
    For more details please follow the steps bellow :
    - Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
    - Select the location into which you want to download the file and choose Save.
    - Unzip the attached file.
    Iris Simmons,
    Tax Refund Department
    Australian Taxation Office

Malicious File Name and MD5:
    ATO_TAX_724491.exe (3da854cd500c3cb5b86df19e151503cc)

Tagged: ATO, Upatre
 

  

Edited by AplusWebMaster, 12 May 2015 - 08:22 AM.

[AplusWebMaster]

FYI...

Fake 'WhatsApp audio letter' SPAM – mp3 malware
- http://myonlinesecur...ke-mp3-malware/
13 May 2015 - "'You just accepted an audio letter! v8p' pretending to come from WhatsApp with  a zip attachment is another one from the current bot runs... The email looks like:

     Savion Dale

13 May 2015:  72katheryne.zip : Extracts to:   montag.mp3  _______________________________________.exe
Current Virus total detections:15/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper mp3 file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431496654/
___

Fake 'PAYMENT ACCOUNT DETAILS' SPAM - malware
- http://myonlinesecur...-67000-malware/
13 May 2015 - "'PAYMENT ACCOUNT DETAILS CONFIRMATION OF $67,000' pretending to come from jimmy cliff <jimmycliff2015@ hotmail .com> (email headers show that this does appear to be coming via Hotmail, so we have to assume a hacked/compromised Hotmail account) with a zip attachment is another one from the current bot runs... The email looks like:
    Dear Sir
    Please, confirm your bank details in your invoice before we proceed with
    your payment to avoid mistakes that can lead to delay.
    Best Regards,
    Afraa Shaymaa Maloof
    PURHASING MANAGER
    mediondirect INT.
    708 N VALLEY ST STE C
    ANAHEIM CA 92801-3837

Todays Date: BANK DETAILS.zip (1,288,813 bytes): Extracts to: PO#0001BH04_20_15.zip
... which in turn extracts to  PO#0001BH04_20_15.exe - Current Virus total detections: 21/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431502495/
___

Fake 'Invoice #00044105' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
13 May 2015 - "'Invoice #00044105; From Deluxebase Ltd' pretending to come from Anna <anna@ deluxebase .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hello
    Thank you for your order which has been dispatched, please find an invoice for the goods attached.
    Please contact us immediately if you are unable to detach or download your Invoice.
    As a valued customer we look forward to your continued business.
    Regards
    Accounts Department
    Deluxebase Ltd ...

13 May 2015 : ESale.doc - Current Virus total detections: 5/55*
... which downloads sundialcompass .com/58/39.exe (VirusTotal**) other versions of these macros will deliver a download form other locations. They will all be the same malware.
Other download locations so far discovered are:
http ://fundacionsidom .com .ar/58/39.exe | http ://cartermccrary .com/58/39.exe |
http ://clin .cn/58/39.exe ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431505840/

** https://www.virustot...sis/1431506138/
... Behavioural information
TCP connections
37.143.15.116: https://www.virustot...16/information/
88.221.14.249: https://www.virustot...49/information/
___

Fake 'INVOICE No.517-01' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 May 2015 - "'INVOICE No. 517-01 FOR WORK AT CRYSTAL BEACH' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    in the attachment

13 May 2015: OX6qoPp98h48.zip: Extracts to: scan_32r23rf234gt34_3424ef.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431513162/
___

Fake 'Financial info' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
13 May 2015 - "An email with the subject of 'Financial information' or 'Important information' or 'Need your attention, Important notice' coming from random names and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment that is named after the email recipient is another one from the current bot runs... The email looks like:
    Good morning
    Please find attached a remittance advice, relating to a payment made to you.
    Many thanks
    Regards,
    Madeline Mosley
    Seniour Finance Assistant
-Or-
    Good Afternoon,
    We have received a payment from you for the sum of £ 670.  Please would you provide me with a remittance, in order for me to reconcile the statement.
    I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1515  less the £3254.00 received making a total outstanding of £ 845.  We would very much appreciate settlement of this.
    As previously mentioned, we changed entity to a limited company on 1st December 2014.  We are keen to close all the old accounts down, for both tax and year end reasons.  We would be very grateful in your assistance in settling the outstanding.
    If you need any copy invoices please do not hesitate to contact us
    Regards,
    Victoria Barnett
-Or-
    Good Afternoon,
    Please see attached the copy of the remittance.
    Please can you send a revised statement so we can settle any outstanding balances.
    Kind Regards,
    Ingrid Hammond      

13 May 2015: ron.schorr_AD8441271C40.doc | xerox.device1_D9A263380D.doc
Current Virus total detections: 0/56* | 0/56**  both macros eventually download 91.226.93.110/bt/get1.php which is saved as crypted.120.exe (virus Total***) after going through a download from pastebin which gives the download location in encoded form... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431512840/

** https://www.virustot...sis/1431512565/

*** https://www.virustot...sis/1431512119/
... Behavioural information
TCP connections
159.253.20.116: https://www.virustot...16/information/
88.221.15.80: https://www.virustot...80/information/

91.226.93.110: https://www.virustot...10/information/

- http://blog.dynamoo....-need-your.html
13 May 2015
"... Recommended blocklist:
46.36.217.227
91.226.93.110 "
___

Fake 'ACH' SPAM - PDF malware
- http://myonlinesecur...-pdf-malware-2/
13 May 2015 - "'ACH – Bank account information form' pretending to come from Kris Longoria <Kris.Longoria@ jpmchase .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please fill out and return the attached ACH form along with a copy of a voided check.
    Kris Longoria,
    JPMorgan Chase
    GRE Project Accounting
    Vendor Management & Bid/Supervisor...

13 May 2015: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
Current Virus total detections: 9/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431533270/
___

Fake 'Bond Alternative' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 May 2015 - "'Surety Bond Alternative coming from random names and email addresses with a random named zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Alternative.png

12 May 2015: XwJ4IR8V0F1ar.zip: Extracts to:  invoice_ghrt6h65h_fwefw3.exe
Current Virus total detections: 2/56* (one example only, all these have different sha256 # and a random selection of file names). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431536544/
___

Dyre Botnet using malicious Word Macros
- http://www.threattra...ft-word-macros/
May 11, 2015 - "The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document -macros- instead of the usual executable types, such as .exe files contained in a .zip. Dyre’s Hedsen spambot*, responsible for the bulk of Upatre emails we’ve been tracking, now uses a template to send infected-macro Word files as spam attachments in hopes that the end user will click the attached .doc file and infect their system. This is a noticeable change in behavior for this particular spambot. As always, users should -disable- Macros in Office documents, and avoid the temptation to open suspicious attachments..."
> http://www.threattra...15/05/Macro.jpg

* http://www.threattra...ificates-https/
"...  Dyre was increasing its target range and altering the type of spambots it uses..."

** http://www.threattra...-more-websites/
 

 

Edited by AplusWebMaster, 13 May 2015 - 02:49 PM.

[AplusWebMaster]

FYI...

Fake 'Self Bill' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
15 May 2015 - "'Self Bill SB026336 Attached' pretending to come from Reliance Scrap Metal <enquiries@ reliancescrapmetal .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please Find Enclosed Self Bill Number SB026336 Dated 07/05/2015
     C Phillips
    enquiries@ reliancescrapmetal .com

15 May 2015 : Attachment.doc - Current Virus total detections: 0/56* which downloads bwsherwood .com/34/140.exe (VirusTotal**). There will be other download locations... All locations will deliver the same malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431678745/

** https://www.virustot...sis/1431677370/
... Behavioural information
TCP connections
151.236.216.254: https://www.virustot...54/information/
88.221.15.80: https://www.virustot...80/information/

bwsherwood .com: 69.49.101.51: https://www.virustot...51/information/
___

Fake email Invoices April 2015 with attached malicious Word file
- http://blog.mxlab.eu...ious-word-file/
May 15, 2015 - "... intercepted a new trojan distribution campaign by email with the subjects like:
Financial information: Invoices April 2015
Important notice: Invoices April 2015
Important information: Invoices April 2015
Need your attention: Invoices April 2015
This email is sent from the -spoofed- address and has the following body:
    Congratulations
    Hope you are well
    Please find attached the statement that matches back to your invoices.
    Can you please sign and return.
    Robin Wolfe

    Dear Sir/Madam,
    I trust this email finds you well,
    Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.
    Best Regards,
    Sophia Watts
    Accounts Receivables

    Good morning
    Hi,
    Please find attached a recharge invoice for your broadband.
    Many thanks,
    Tabatha Murphy

The 49kB large attached file is named veizaioj_87B9A16BB5.doc (characters will vary) is a malicious Word file with embedded macro that will download -other- malware on the system. The Word file is labelled as Malware!9f6e by 1 of the 57 AV engines at Virus Total*..."
* https://www.virustot...38314/analysis/
___

Cyberattack on Penn State said to have come from China
- http://www.reuters.c...N0Y66PD20150515
May 15, 2015 - "Pennsylvania State University said on Friday that -two- cyberattacks at its College of Engineering, including one in 2012 that originated in China, compromised servers containing information on about 18,000 people. Penn State, a major developer of technology for the U.S. Navy, said there was no evidence that research or personal data such as social security or credit card numbers had been stolen. Cybersecurity firm Mandiant has confirmed that at least one of the two attacks was carried out by a "threat actor" based in China, Penn State said. The source of the other attack is still being investigated. Penn State was alerted about a breach by the Federal Bureau of Investigation in November, Penn State executive vice president Nicholas Jones said in a statement. Mandiant, the forensic unit of FireEye Inc, discovered the 2012 breach during the investigation. Penn State's Applied Research Laboratory spends more than $100 million a year on research, with most of the funding coming from the U.S. Navy..."
- http://it.slashdot.o...na-based-attack
May 15, 2015 - "Penn State's College of Engineering has disconnected its network* from the Internet in response to two sophisticated cyberattacks – one from a what the university called a "threat actor based in China" – in an attempt to recover all infected systems. The university said there was no indication that research data or personal information was stolen in the attacks, though usernames and passwords -had- been compromised.*"
* http://news.psu.edu/...e-sophisticated

- http://arstechnica.c...ious-intrusion/
May 15, 2015
___

Unknown hacks attack German parliament data network
- http://www.reuters.c...N0Y63P720150515
May 15, 2015 - "Unknown hackers have attacked the German Bundestag lower house of parliament's computer system, a parliamentary spokeswoman said on Friday. German news magazine Der Spiegel's online edition had earlier said that the internal data network had been subject to an attack. It said experts had noticed several days ago that unknown attackers had tried to get into the data network. At almost the same time experts from Germany's domestic intelligence agency (BfV) at the government's cyber defence centre noticed the spying attempt and warned the Bundestag administration, the report said. 'There was an attack on the Bundestag's IT system', parliamentary spokeswoman Eva Haacke said, giving no further details. 'Experts from the Bundestag and the BSI (the German Federal Office for Information Security) are working on it'. In January, German government websites, including Chancellor Angela Merkel's page, were hacked in an attack claimed by a group demanding Berlin end support for the Ukrainian government, shortly before their leaders were to meet."
- http://www.reuters.c...N0Y70HH20150516
May 16, 2015 - "The German Bundestag lower house of parliament is trying to repair its computer system after a hacking attack but there are no indications yet that hackers accessed information, a parliamentary spokeswoman said on Saturday. The Bundestag is analysing what happened and experts from the Bundestag administration and the BSI (the German Federal Office for Information Security) are working to repair the system, the spokeswoman said..."
___

Chinese snoops hid Malware commands On MS TechNet
- http://www.forbes.co...microsoft-site/
May 14, 2015 - "Hackers often try to hide their tracks and ensure their illicit operation is never taken down by hosting pieces of their infrastructure on websites owned by legitimate companies. Usually that’s Twitter, Facebook, Google or other huge, publicly-editable and accessible services. According to security firm FireEye*, Chinese digital spies chose an ideal yet risky target for storing slices of their command and control functions: TechNet, a Microsoft site dedicated to security and IT support. Though TechNet itself was not compromised, the so-called APT17 hackers left encoded IP addresses used to send updates and commands to the group’s ‘BLACKCFFEE’ malware** in legitimate Microsoft TechNet profile pages and forum threads. The encoding would have made it more difficult to determine the true domain used by the attackers. FireEye and Microsoft worked to block the attackers’ accounts from accessing their profiles, whilst blocking the malicious activity stemming from the site.
** https://a248.e.akama...at-11.18.58.png
The APT17 crew, which had previously used search engines Google and Bing to store their command and control domains, but abusing Microsoft’s TechNet was especially smart, as most businesses rely on using Microsoft services every day. Blocking them would probably cease business operations. “Even with knowledge and detection, blocking traffic to Microsoft sites is impossible to do as every business needs access to their site. Hiding in plain sight is becoming more and more popular as it’s both hard to find and impossible to block,” said Jason Steer, chief security strategist for FireEye in EMEA. “This evolution of technique really is the response from hackers to keep one step ahead of law enforcement agencies. As hackers realised law enforcement can track back, they have had to evolve their tools and techniques from plain text instructions on an IP address in China, to encoding instructions, to using popular websites to ensure their network remains up for as long as possible and undetected for as long as possible.” The APT17 crew have a penchant for playing with western tech companies. FireEye believes they were responsible for the hit on security firm Bit9 in 2013. They also targeted US government entities, the defense industry, law firms, information technology companies and mining organisations."
* https://www.fireeye....plain_sigh.html
May 14, 2015
> https://www.fireeye....t17-graphic.jpg

- https://atlas.arbor....ndex#-181898354
May 14, 2015
> http://www.net-secur...ews.php?id=3038
 

 

Edited by AplusWebMaster, 19 May 2015 - 07:26 AM.

[AplusWebMaster]

FYI...

Fake 'Amazon Order' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
18 May 2015 - "'Order Details 89920-02119-38881-73110' pretending to come from Amazon .co .uk <order@ anazon .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Amazon... does -not- send word doc or pdf attachments to emails so this is obviously a spoof designed to either infect you or steal information...

Screenshot: http://myonlinesecur...38881-73110.png

18 May 2015 : ORD-89920-02119-38881-73110.doc - Current Virus total detections: 3/57*
... which downloads infraredme .com/556/455.exe (Virus Total**). There will be other download locations but they all deliver the same Dridex banking Trojan malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431938632/

** https://www.virustot...sis/1431939201/
... Behavioural information
TCP connections
185.15.185.201: https://www.virustot...01/information/
88.221.15.80: https://www.virustot...80/information/

infraredme .com: 64.29.151.221: https://www.virustot...21/information/
___

Fake 'picture message' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
18 May 2015 - "An email saying 'Here’s a picture message you’ve been sent from 07711888963' with -no- subject pretending to come from +447711862559@mediamessaging .o2 .co .uk (random phone numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...07711888963.png

18 May 2015: PM8963.doc - Current Virus total detections: 3/57**
... the -same- malware downloader and downloading the -same- Dridex banking Trojan as today’s other word doc malware Amazon .co .uk Order Details 89920-02119-38881-73110 – word doc or excel xls spreadsheet malware* ..."
* http://myonlinesecur...dsheet-malware/
** https://www.virustot...sis/1431940970/
___

Fake multiple Invoice SPAM -  malicious attachments
- http://blog.dynamoo....-stands-in.html
18 May 2015 - "This -fake- financial spam run is similar to this one last week*, and comes with a malicious attachment.

     From:    Aida Curry
    Date:    18 May 2015 at 11:40
    Subject:    Your reasoning stands in need
    Good Afternoon,
    We have attained a reimbursement from you for the draft of £ 2909. Please would you secure me with a remittance, in order for me to reconcile the statement.
    I will be sending you a pronouncing of outstanding invoices tomorrow, the entire quantum of outstanding is £ 5893 less the 1 draft received making a whole outstanding of £ 2984. We would very much appreciate settlement of this.
    As previously mentioned we reversed to a limited company on 1st December 2014. We are desire to conclude all the old checks down, for both tax and year end reasons. We would be very grateful in your assistance in eliciting the outstanding.
    If you need any application of bills please do not hesitate to contact us
    Regards,
    Aida Curry
    -------------------
    From:    Cornelius Douglas
    Date:    18 May 2015 at 11:39
    Subject:    Your reasoning stands in need
    Good morning
    Please find attached   a remittance advice, relating to a outpayment made to you.
    Many thanks
    Regards,
    Cornelius Douglas
    Seniour Finance Assistant
    -------------------
    From:    Jewell Shepard
    Date:    18 May 2015 at 11:37
    Subject:    Have a need in your thought
    Please, see the attached similar of the remittance.
    Please, can you remit a revised pronouncing so we can settle any outstanding balances.
    Kind Regards,
    Jewell Shepard

Subjects spotted so far are:
In want of your concern
Your reasoning stands in need
Have a need in your thought
Vital announcement 561335
Your advertence stands in need
Grand advert 482209
Important notice 540897
In want of your regarding
In want of your concern
Your reasoning stands in need
Wish to know your thought
Your cognizance is in great necessity
Need your consideration
   There seem to be several different attachments, but for the sake of simplicity I have looked at just one. The Hybrid Analysis report shows this this is a MIME attachment that downloads and executes a script from pastebin[.]com/download.php?i=C5KGsRX3 which in turn downloads a malicious executable from  193.26.217[.]220:80/bt/get3.php (Servachok LTD, Russia) which is saved as crypted.120.exe. This executable has a VirusTotal detection rate of 4/57**. The Malwr and Hybrid Analysis reports indicates traffic to 5.63.154.228 (Reg.Ru, Russia) and also shows a dropped Dridex DLL with a detection rate of 3/57***."
Recommended blocklist:
5.63.154.228
193.26.217.220 "
* http://blog.dynamoo....-need-your.html

** https://www.virustot...sis/1431946975/

*** https://www.virustot...sis/1431947900/

- http://myonlinesecur...dsheet-malware/
18 May 2015
> https://www.virustot...sis/1431950899/
... Behavioural information
TCP connections
178.255.83.2: https://www.virustot....2/information/
88.221.15.80: https://www.virustot...80/information/
___

VENOM vulnerability
- https://blogs.oracle...t_cve_2015_3456
May 15, 2015 - "Oracle just released Security Alert CVE-2015-3456* to address the recently publicly disclosed VENOM vulnerability, which affects various virtualization platforms. This vulnerability results from a buffer overflow in the QEMU's virtual Floppy Disk Controller (FDC). While the vulnerability is not remotely exploitable without authentication, its successful exploitation could provide the malicious attacker, who has privileges to access the FDC on a guest operating system, with the ability to completely take over the targeted host system. As a result, a successful exploitation of the vulnerability can allow a malicious attacker with the ability to escape the confine of the virtual environment for which he/she had privileges for... Oracle has decided to issue this Security Alert based on a number of factors, including the potential impact of a successful exploitation of this vulnerability, the amount of detailed information publicly available about this flaw, and initial reports of exploit code already “in the wild.” Oracle further recommends that customers apply the relevant fixes as soon as they become available...
The list of Oracle products that may be affected by this vulnerability is published at:
- http://www.oracle.co...56-2542653.html "

- https://isc.sans.edu...l?storyid=19701
2015-05-16 - "... This vulnerability is important because it has the potential to affect a significant portion of the virtualization platforms that are in common use today, but there is no reason to panic.
* The vulnerability cannot be compromised remotely, nor is it possible to remotely scan for this vulnerability.
* In order for the attacker to even attempt to exploit the vulnerability they need to have shell level access as an administrator level to a virtualized guest.
* While a proof of concept exists that exploits the vulnerability, nobody has demonstrated any practical use of the exploit.
* Patches are available for all affected virtualization platforms..."

* https://web.nvd.nist...d=CVE-2015-3456
Last revised: 05/14/2015
7.7 - (HIGH)
 

 

Edited by AplusWebMaster, 18 May 2015 - 07:23 AM.

[AplusWebMaster]

FYI...

Fake 'PO :5182015' SPAM - zipped malware
- http://myonlinesecur...182015-malware/
19 May 2015 - "'PO :5182015'  pretending to come from shuiling <shuilingroup .com > with a zip attachment is another one from the current bot runs... The email looks like:
     Please kindly find the attached file for the new Order we want to place in your esteem company
    Kindly send your proforma invoice with your banking information, so that we will start with the needful
    Thanks and regards
    ATTILIO PASCUCCI
    ATTEX S.R.L.
    VIA ADIGE, 4 – 22070 LUISAGO – CO (ITALY)
    TEL. 0039 031 921648 – FAX 0039 031 3540133
       REG. IMPRESE COMO – COD.FISC. – PARTITA IVA: 01542400138

19 May 2015: PO 5182015.zip: Extracts to: PO 5182015.exe
Current Virus total detections:  15/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431986200/
... Behavioural information
TCP connections
186.202.127.118: https://www.virustot...18/information/
77.88.21.11: https://www.virustot...11/information/
93.158.134.3: https://www.virustot....3/information/
___

Fake 'Tax Refund' Phish ...
- http://myonlinesecur...efund-phishing/
19 May 2015 - "An email received with a subject of 'Lloyds Bank Refund' -or- 'refund' -or- '2014 Tax Refund' pretending to come from Lloyds Bank. Some of  of the major common subjects in a phishing attempt are Tax returns or Bank refunds, especially in UK, you need to submit your Tax Return online. This one only wants your personal bank log in details...

Screenshot: http://myonlinesecur...efund-phish.png

If you are unwise enough to follow the link you see a webpage looking like the genuine Lloyds log in page, look carefully at the -url- in the top bar and you can see it isn’t Lloyds at all but a -fake- site:
- http://myonlinesecur...sh_webpage1.png
If you still haven’t realised that it is a -phishing- attempt and give them your username & password, you will be sent to the next page which asks for your memorable information. You then get -bounced- on to the genuine Lloyds Bank site. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fake 'Tax increase alert' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 May 2015 - "'Tax increase alert' -or- 'adjustment guidance' are 2 of the subjects that appear in a whole series of mal-spam emails with the basic subject of VAT increases or changes that are being spammed out. They come with a random named zip attachment coming from random senders and random email addresses is another one from the current bot runs... The name of the alleged sender does NOT match the name in the body of the email. Some of the subjects seen in this series of mal-spam emails are:
Tax increase alert, adjustment guidance, adjustment report, adjustment notice, change guidance, Custom increase notification, Custom change alert, Duties increase notification, Toll increase notification, Tax change reminder, Levy increase guidance, Duties adjustment alert, change notification, Toll change report and loads of other similar variations on this tax theme... The email looks like:
    We inform you that VAT increases from Wednesday.
    View the document below.
    Remeber that levy values to be settled to the treasury are going to be reevaluated.
     Susan Lewis
    Senior Consultant
-Or-
    Be noted that VAT doubles until Wednesday.
    Observe the act enclosed.
    Do not forget that tax amounts to be paid to the state will be reestimated.
     Rebecca Morgan
-Or-
    Tax Consultant
    Be noted that VAT increases on Friday.
    Observe the file below.
    Note that tax amounts to be paid to the treasury will be reevaluated.
     Rebecca Nelson
    Chief accountant
-Or-
    Please be informed that VAT alters until Tuesday.
    Observe the file attached.
    Remeber that sums to be paid to the state are going to be reevaluated.
     Susan Jackson
    Tax authority

19 May 2015: Doc#844931.zip: Extracts to: fax2_info.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432035348/
___

Fake 'eFax msg' SPAM - malware links
- http://blog.dynamoo....ion-office.html
19 May 2015 - "Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?
    From:    Australian Taxation Office [noreply @ ato .gov .au]
    Date:    19 May 2015 at 12:48
    Subject:    eFax message - 2 page(s)
    Fax Message [Caller-ID: 408-342-0521]
    You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.
    * The reference number for this fax is
    min2_did16-0884196800-3877504043-49.
    View this fax using your PDF reader...

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile .com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr. This executable has a detection rate of 5/57*. Automated analysis tools... shows that it downloads a further component from:
http ://employmentrisk .com/images/1405uk77.exe
In turn, this has a detection rate of 4/57** and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).
Recommended blocklist:
employmentrisk .com
194.28.190.183 "
* https://www.virustot...sis/1432038054/

** https://www.virustot...sis/1432038513/

employmentrisk .com: 74.116.2.117: https://www.virustot...17/information/

storage-ec2-24.sharefile .com: 52.0.190.130: https://www.virustot...30/information/

eFax Corporate Spam
- http://threattrack.t...-corporate-spam
May 19, 2015 - "Subjects Seen:
    eFax message - 3 page(s)
Typical e-mail details:
    Fax Message [Caller-ID: 626-271-6819]
    You have received a 3 pages fax at 2015-05-19 08:18:18 AM EST.
    * The reference number for this fax is
    min2_did48-5711163227-0231815252-98.
    View this fax using your PDF reader.

Screenshot: https://40.media.tum...1r6pupn_500.png

Malicious URLs
    storage-usw-8.sharefile.com/download.ashx?dt=dtba0aacb3cd344005be90d949470aa333&h=9Ueg3YdEIMuDH72YnA29c7h2EL7zh355nI387gxb7Kc%3d

Malicious File Name and MD5:
    Fax_00491175.scr (a6aa82995f4cb2bd29cdddedd3572461)

Tagged: eFax, Upatre
___

Bad taste left in Angler EK by MBAE
- https://blog.malware...arebytes-users/
May 19, 2015 - "... as discovered by Kafeine*, the latest version of Angler EK... also checks to see if either Malwarebytes Anti-Malware or Anti-Exploit are installed on the target system... If Malwarebytes software is installed, then the exploit kit will silently exit and not even attempt to launch further exploits or malware..."
* http://malware.dontn...q=CVE-2013-7331

Malwarebytes Anti Exploit - Free: https://www.malwareb...rg/antiexploit/
___

How much money do cyber crooks collect via crypto ransomware?
- http://net-security....ews.php?id=3042
19.05.2015 - "FireEye researchers* have calculated that the cybercriminals wielding TeslaCrypt and AlphaCrypt have managed to extort $76,522 from 163 victims in only two months..."
* https://www.fireeye....t_followin.html
___

Bitly Imitation leads to Malware...
- https://blog.malware...lware-download/
May 18, 2015 - "URL shortening services can be a marketing person’s and social media buff’s best friend. However, they can become a worry for users who are conscious about the security of their systems and personal information. Not only do these services trim down the character count of a URL while monitoring clicks, online -criminals- also use such services to mask malicious URLs. Among the URL shorteners available online, Bitly remains one of the three most popular brands, alongside Goo.gl and Ow.ly. Although the bit.ly URL has been in service since 2008, we’re only beginning to see several -bogus- iterations of it being used in the wild. We’ve seen a number of accounts on YouTube and others sharing various links to game cracks from the imitation Bitly URL, btly[DOT]pw... Elsewhere, another imitation Bitly link — this time, btly[DOT]org—is said to be used in a spam campaign that led recipients to a fake BBC site that advertises questionable Garcinia Cambogia dietary supplements. Please be reminded that the official website for Bitly where users can visit to shorten URLs is https ://bitly .com. Shortened URLs always begin with bit. ly. Everything else that resembles the real thing may need to be ignored, reported, and/or blacklisted."
 

 

Edited by AplusWebMaster, 19 May 2015 - 03:25 PM.

[AplusWebMaster]

FYI...

Fake 'Invoice# 2976361' SPAM - malicious attachment
- http://blog.dynamoo....1-attached.html
21 May 2015 - "So far I have only seen one sample of this. The sender and subject may vary.
    From:    PGOMEZ@polyair .co .uk
    Date:    21 May 2015 at 08:58
    Subject:    Invoice# 2976361 Attached
    Invoice Attached - please confirm..

Attached is a malicious file with the not-very-imaginative name 00001.doc [VT 4/56*] which contains this malicious macro [pastebin] that downloads a component from the following location:
http ://mercury.powerweave .com/72/11.exe
This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that -other- versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57**. Automated analysis tools... show attempted communications with the following IPs:
78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)
The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57***.
Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195 "
* https://www.virustot...sis/1432196986/

** https://www.virustot...sis/1432197071/

*** https://www.virustot...sis/1432198215/


- http://myonlinesecur...dsheet-malware/
21 May 2015
> https://www.virustot...sis/1432194451/
000001.DOC

mercury.powerweave .com: 50.97.147.195: https://www.virustot...95/information/
___

Fake 'Travel order confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
21 May 2015 - "'Travel order confirmation 0300202959' pretending to come from  overseastravel@ caravanclub .co .uk with a malicious word doc or Excel XLS spreadsheet attachment  is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for your travel order.
    Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
    Now you have booked your trip why not let The Club help you make the most of your stay?
    Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?
    Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.
    If you’ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .
    Yours sincerely
    The Caravan Club
    This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA...

21 May2015 : Travel Order Confirmation – 0300202959.doc
Current Virus total detections: 4/57* ... downloads -same- Dridex malware as today’s other word doc malspam run Invoice# 2976361 Attached – word doc or excel xls spreadsheet malware:
- http://myonlinesecur...dsheet-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1432197951/

- http://blog.dynamoo....nfirmation.html
21 May 2015 - "... Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run*."
* http://blog.dynamoo....1-attached.html
___

Fake 'Pampered Chef' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 May 2015 - "'Recipes for your new Pampered Chef Baker' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    I know you’ll love your new Pampered Chef baker! Thank you for your order.
    Attached are Deep Covered Baker recipes.
    Many Deep Covered Baker Recipes can also be made in the smaller, Round Covered Baker.
    For microwave recipes, use half the ingredients and half the bake time suggested. For oven recipes, use half the
    ingredients but follow recommended bake times or visual indicators in the recipe.
    Enjoy!
    Please contact me if you have questions or concerns.
    Thank you,
    Robbin 

21 May 2015: Pampered_ingredients.zip: Extracts to: Pampered_ingredients.exe
Current Virus total detections: 3/57* . There are several different versions of the malware floating around. This is just one example. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432205437/
___

Fake 'Unpaid Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 May 2015 - "'Unpaid Invoice' pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with  a zip attachment is another one from the current bot runs... The email looks like:
     Please pay this invoice at your earliest opportunity.

21 May 2015: invoice_8467_08202014.zip: Extracts to: invoice_8467_08202014.scr
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432226961/
___

Fake 'Invoice# 2976361' SPAM - malicious attachment
- http://blog.dynamoo....1-attached.html
21 May 2015 - "So far I have only seen one sample of this. The sender and subject may vary.
    From:    PGOMEZ@ polyair .co .uk
    Date:    21 May 2015 at 08:58
    Subject:    Invoice# 2976361 Attached
    Invoice Attached - please confirm...

Attached is a malicious file with the not-very-imaginative name 00001.doc [VT 4/56*] which contains this malicious macro [pastebin] that downloads a component from the following location:
http ://mercury.powerweave .com/72/11.exe
This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57**. Automated analysis tools... show attempted communications with the following IPs:
78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)
The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57***.
Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195 "
* https://www.virustot...sis/1432196986/

** https://www.virustot...sis/1432197071/

*** https://www.virustot...sis/1432198215/
___

Exploit kits delivering Necurs
- https://isc.sans.edu...l?storyid=19719
2015-05-21 - "In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering -malware- identified as Necurs... Necurs is a type of malware that opens a back door on the infected computer [1]. It may also disable antivirus products as well as download additional malware [1][2]... I saw Necurs as a malware payload from Nuclear and Angler EKs last week... In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page). We ran across Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 91.121.63.249..."
(More detail at the isc URL above.)

1] https://www.symantec...-121212-2802-99

2] https://www.microsof...an:Win32/Necurs

185.14.30.218: https://www.virustot...18/information/

91.121.63.249: https://www.virustot...49/information/
___

“Facebook Recovery” accounts share Phishing link, offer Tech Support
- https://blog.malware...r-tech-support/
May 21, 2015 - "We’ve seen a certain j.mp -shortened- URL being shared by what we believe are
-rogue- (if not compromised) accounts within Facebook a couple of days ago. In the below sample we recovered, the URL in question is part of a message from another account called “Facebook recovery” — a truly -fake- one... that is up to task of notifying users that their accounts have been reported for abuse and will likely be disabled if they don’t act on the notice ASAP:
> https://blog.malware...y-spam-post.png
The URL, of course, hides the below phishing page:
> https://blog.malware...age-default.png
The blurb on the page is the same as the spammed message on Facebook. Once a user entered the credentials asked and click Log In, data is posted to recovery.php, and then users are -redirected- to this payment page, which asks for his/her full name, credit card details, and billing address:
> https://blog.malware...ing-payment.png
We have no idea why all of a sudden the account that claims to be a legitimate entity from Facebook is asking for a form of monetary compensation for the recovery of accounts. Perhaps that is what the phishers meant when they said “help us do more for security and convenience for everyone”. We have looked at the stats for the j.mp URL and found that it didn’t yield that many clicks from the time of its creation up to the present... It’s highly likely that the URL is not shared during these days, making it less visible than your average malicious URL. Less visibility also means that potentially less companies would be able to block it due to flying under the radar. VT results for the j.mp URL shows this*.
* https://www.virustot...sis/1432202719/
Furthermore, the majority of clicks are mostly from Asian countries and the United States:
> https://blog.malware...per-country.png
We did a simple search on Facebook for accounts that may contain the string “Facebook recovery”. To date, we found more than 40... If you see posts on your feed that appear similar to the Facebook post we discussed here, whether it continues to bear the same URL or not, it’s best to -ignore- it and warn your network about an on-going -spam- campaign."

recovery-page-php .zz .mu: 185.28.21.145: https://www.virustot...45/information/
___

"Logjam"...
- https://blog.malware...u-need-to-know/
May 20, 2015 - "... Dubbed as Logjam, the vulnerability affects home users -and- corporations alike, and over 80,000 of the top one million domains worldwide were found to be vulnerable. The original report on Logjam can be found here:
- https://weakdh.org/
... While much of the research is performed against a Diffie-Hellman 512-bit key group, the researchers behind the Logjam discovery also speculate that 1024-bit groups could be vulnerable to those with “nation-state” resources, making a suggestion that groups like the NSA might have already accomplished this... . A comprehensive look at all of their research can be found here:
- https://weakdh.org/i...ard-secrecy.pdf
... At the time of this writing, patches are still in works for all the major web browsers, including Chrome, Firefox, Safari, and Internet Explorer. They should be released in the next day or two, so ensure your browser updates correctly once its released. These updates should reject Diffie-Hellman key lengths that are less that 1024-bits..."

Also see:
- https://isc.sans.edu...l?storyid=19717
2015-05-20
 

 

Edited by AplusWebMaster, 21 May 2015 - 01:16 PM.

[AplusWebMaster]

FYI...

Fake 'Australian Tax' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 May 2015 - "'Australian Taxation Office – Remittance Advisory Email' pretending to come from Australian Taxation Office <noreply@ ato .gov .au> with a link to download a zip file is another one from the current bot runs... The bots seem to be getting very confused today and are mixing up Lloyds Bank with Australian Taxation Office and even using a date 1 year in the past. Nobody should fall for these. The links in the emails currently are set to download from:
-  https ://storage-ec2-13.sharefile .com/download.ashx?dt=dt8fdfcdfa200a4b01b93e2643fa61fcc1&h=xw9ZAT0fvavEwl7uRL2DX3xEJcw6II19IbZfNyN1ix0%3d
Update: we are now seeing several different sharefile .com download links. All appear to be the same malware, regardless of the link. The same set of download links are being spammed out in other emails from the same bot net with subjects of 'You’ve received a new fax' appearing to come from fax@ your own domain and 'Internal ONLY' pretending to come from Administrator@ your own domain both alleging to contain a fax message. The email looks like:

     Monday 22 May 2014
    This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc. Please review the details of the payment here.
    Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637
    Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
    Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
    Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
    HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813...

22 May 2015 : FAX_82QPL932UN_771.zip: Extracts to: FAX_82QPL932UN_771.scr
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432286982/

storage-ec2-13.sharefile .com: 54.84.9.118: https://www.virustot...18/information/

- http://blog.dynamoo....ter-advice.html
22 May 2015
"... Recommended blocklist:
209.15.197.235
217.23.194.237 "
___

Fake 'Invoice IN278577' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
22 May 2015 - "'Your Invoice IN278577 from Out of Eden pretending to come from sales@ outofeden .co .uk  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Out-of-Eden.png

22 May 2015 : Invoice IN278577 (emailed 2015-05-21).doc
Current Virus total detections: 1/57*... Which downloads www .footingclub .com/85/20.exe which is a Dridex banking Trojan (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1432288366/

** https://www.virustot...sis/1432288878/
... Behavioural information
TCP connections
185.12.95.191: https://www.virustot...91/information/
2.18.213.208: https://www.virustot...08/information/
 

  

Edited by AplusWebMaster, 22 May 2015 - 05:44 AM.

[AplusWebMaster]

FYI...

Fake 'Blank 11' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 May 2015 - "'Blank 11' pretending to come from hannah.e.righton@ gmail .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a completely blank body.
 
26 May 2015: Blank 11.doc - Current Virus total detections: 2/57*
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432633538/
___

Fake 'Invoice' SPAM -  doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 May 2015 - "'Your Invoice (ref: INV232654) from thomsonlocal' pretending to come from Pleasedonotreply@ thomsonlocal .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...cal_corrupt.png

... It is supposed to look like or read:
> http://myonlinesecur...omson_local.png

26 May 2015: Invoice INV232654.doc - Current Virus total detections: 2/56*
... downloads the same Dridex banking malware as described in today’s other word macro malware downloaders being spammed out 'Blank 11 hannah.e.righton' – word doc or excel xls spreadsheet malware**. This particular macro version downloads from http ://crestliquors .com/73/20.exe
(VirusTotal***) but all the downloads are identical, just from multiple different locations.The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1432634028/

** http://myonlinesecur...dsheet-malware/

*** https://www.virustot...sis/1432631807/
File name: 20_exe
... Behavioural information
TCP connections
144.76.238.214: https://www.virustot...14/information/
88.221.14.249: https://www.virustot...49/information/

crestliquors .com: 64.29.151.221: https://www.virustot...21/information/
___

Fake 'Underreported Income' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 May 2015 - "'Notice of Underreported Income' pretending to come from Australian Taxation Office <noreply@ ato .gov .au> and 'Outdated Invoice' pretending to come from Sage Invoice <invoice@ sage .com> with a -link- in the body of the email to download a zip file is another one from the current bot runs... The  Australian Taxation Office email looks like:

    Taxpayer ID: ufwsd-000008882579UK Tax Type: Income Tax Issue: Unreported/Underreported Income (Fraud Application) Please review your tax income statement on HM Revenue and Customs ( HMRC). Download your HMRC statement. Please complete the form...

The links in these emails go to https ://a .uguu .se/hivjca_Invoice_00471200.zip  (Note the HTTPS) which gives a not found message. If you drop the S and just use a standard HTTP link then you get the malware. The Sage invoice looks like:

    Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
https ://invoice .sage .co.uk/Account?769525=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@ sage .com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies...

26 May 2015: ytuads_Invoice_00471206.zip: Extracts to: Invoice_00471206.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432638854/
Invoice_00471203.scr
... Behavioural information
 TCP connections
104.238.136.31: https://www.virustot...10/information/
93.185.4.90: https://www.virustot...90/information/
66.215.30.118: https://www.virustot...18/information/
88.221.14.249: https://www.virustot...49/information/

uguu .se:
104.28.24.2: https://www.virustot....2/information/
104.28.25.2: https://www.virustot....2/information/
___

Fake 'Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 May 2015 - "'775 Westminster Avenue APT D5 Fw: Invoice' coming from random email addresses and names with a zip attachment is another one from the current bot runs... The email looks like:
    Name: Invoice
    Customer ID: 718527
    Street Address
    775 Westminster Avenue APT D5
    Brooklyn, NY, 01748
    Phone: (235) 194-2842

The customer ID number, The NY code and the Phone numbers are all random and different in each email. The attachment zip names are also random but all extract to the same invoice_company.exe
26 May 2015: 030018-.zip: Extracts to: invoice_company.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432647309/
___

Tesco – Phish ...
- http://myonlinesecur...tesco-phishing/
26 May 2015 - "'Collect a 80GBP reward!' pretending to come from Tesco <postmaster@ tescoina .com>. It is the end of May, just after the bank holiday. You have spent up to your limit on the credit cards and are wondering how to pay they bills until the next pay cheque arrives, when what looks like a miracle happens. An email arrives apparently from Tesco saying Collect a 80GBP reward! that offers you £80 for filling in a Tesco customer satisfaction -survey... it is a -scam- and is a phishing fraud designed to steal your bank and credit card details... If you open the link you see a webpage looking like this: (I had to split it into 2 parts to take a screenshot):

> http://myonlinesecur...sco-survey1.png

>  http://myonlinesecur...sco-survey2.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."
 

  

Edited by AplusWebMaster, 26 May 2015 - 09:30 AM.

[AplusWebMaster]

FYI...

Fake 'INV-152307' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 May 2015 - "'Anthony Alexandra Associates MAY INV-152307 GBP 418.80' pretending to come from Lauren Braisby <lauren.braisby@ reed .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-GBP-418.80.png

25 February 2015: logmein_pro_receipt.xls - Current Virus total detections: 1/57*
... which downloads Dridex banking malware from http ://wingtouch .com/776/331.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1432725577/

** https://www.virustot...sis/1432727693/
... Behavioural information
TCP connections
185.11.247.226: https://www.virustot...26/information/
88.221.14.249: https://www.virustot...49/information/

wingtouch .com: 64.29.151.221: https://www.virustot...21/information/
___

Fake 'Invoice charge' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 May 2015 - "'Announce of importance: Invoice charge' coming from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The emails looks like:
    Hi,
    Please see attached the copy of invoice from 22/05/2015.
    Please can you send a revised statement so we can settle any outstanding balances.
    Kind Regards,
    Mason Lloyd
-Or-
    Your monthly Rainbow Communications invoice is attached to this mail.
    This bill is for account RT963382
    Please note that for those who receive multiple reports you may need to check your attachment field on your e-mail program to ensure that you have received them all.
    Louie Hood
    Business Account Manager
-Or-
    Good morning,
    Our billing department have identified that you are getting both a hard copy and an e-mail copy of your bill. As a result you will be getting a monthly £3 hard copy fee.
    Can you let me know if the hard copy can be removed?
    Kind regards
    Angie Ayers
    Business Account Manager

27 May 2015 : F6F0_C6C7DE4EE83EDC.doc - No detections anywhere and all automatic analysis has failed. The file appears to be base 64 encoded text that I haven’t yet managed to decode and find a working content...
Update: 2nd version 25B5F_7B101029E76005.doc (VirusTotal*), so far I haven’t found a payload and the only automatic analysis hasn’t found anything... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432729315/
File name: 25B5F_7B101029E76005.doc
Detection ratio: 0/57
___

Fake 'Statement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 May 2015 - "'Statement from [random company]' coming from random companies, names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please see attached statement.
    Please be advised that our company is now incorporated andtrades as DOMINO’S PIZZA GROUP PLC. Ourbank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with newaccount details as follows:
    Sort Code: 98-12-30
    Account Number: 10991670
    Ulster Bank has switched over our direct debits etc. for usso please take this letter as notification of same.
    Our company number isNI624042.
    DOMINO’S PIZZA GROUP PLC VAT registration number: GB184578365.
    We would also like to take this opportunity to thank you for your continuedsupport. If you should need any further information then please do not hesitateto contact us.
    Regards,
    Della Medina
    Accounts Dept.
-Or-
    Please see attached statement.
    Please be advised that our company is now incorporated andtrades as Cleantec Equipment Ltd. Ourbank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with newaccount details as follows:
    Sort Code: 98-12-30
    Account Number: 10991670
    Ulster Bank has switched over our direct debits etc. for usso please take this letter as notification of same.
    Our company number isNI624042.
    Cleantec Equipment Ltd VAT registration number: GB184578365.
    We would also like to take this opportunity to thank you for your continuedsupport. If you should need any further information then please do not hesitateto contact us.
    Regards,
    Dallas Dickerson
    Accounts Dept.

27 May 2015: 0A15_968CD62833A4B.doc - Current Virus total detections: 0/56*
... Once again today Analysis -fails- to give any download locations. It looks like the same behaviour as today’s earlier attempt Announce of importance: Invoice charge – word doc or excel xls spreadsheet malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432735276/

** http://myonlinesecur...dsheet-malware/
___

Chrome Lure used in Facebook Attack ...
- http://blog.trendmic...les-new-policy/
May 26, 2015 - "... cybercriminals keep using Google Chrome and Facebook to infect their victims with malware... We’ve already seen both platforms be used as parts of malicious social engineering schemes. Both Google and Facebook are aware of this and have taken steps to protect their users. The number of times malicious Chrome extensions have sprouted, for example, has driven Google to restrict the use of any extension not available on the Chrome Web Store. Unfortunately, initiatives like these have not deterred cybercriminal efforts. Our findings also show that many of these platforms users still get tricked.
Message on Facebook: Clicking the link led us to a site with a page designed to mimic the look and feel of Facebook. The page even pretends to have content from YouTube. Visiting the -malicious- site led to the automatic download of a file titled Chrome_Video_installer.scr. The filename used makes it seem that it’s a harmless Chrome browser plugin required to play videos.
Malicious page with the Facebook design: This supposed video installer file is detected as TROJ_KILIM.EFLD. This variant attempts to download another file — possibly the final payload — but the site is currently down. However, it should be noted that KILIM malware are known to be -malicious- Chrome extensions and plugins. KILIM variants have also been observed to spam Facebook messages and cause system infection... We checked the landing page and found out that the Philippines had the most number of users who visited the site, followed by those from Indonesia, India, Brazil, and the U.S... these countries are the same ones reported to have the highest percentage in terms of Facebook penetration... Given the popularity of Facebook, members of the site must be discerning when it comes to dealing with the content they come across with. -Never- click links from unknown or unverified sites, especially if the content sounds too interesting to be true. Cybercriminals often use shocking or eye-catching content to convince users to visit malicious websites. It’s far better to click links that lead to a reputable source than some random blog or site. The Trend Micro Site Safety Center* can also be used to check if websites are safe or not. The same can be said for links or attachments sent by friends. It’s worth the effort to first confirm the message before clicking the link or opening the attachment..."
* http://global.sitesa...trendmicro.com/
 

 

Edited by AplusWebMaster, 27 May 2015 - 01:32 PM.

[AplusWebMaster]

FYI...

Fake 'latest invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
28 May 2015 - "'Your latest invoice from The Fuelcard Company UK Ltd' pretending to come from invoicing@ fuelcards .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find your latest invoice attached.
     If you have any queries please do not hesitate to contact our Customer
    Service Team at invoicing@ fuelcards .co .uk
     Regards
     The Fuelcard Compa

28 May 2015: invoice.doc - Current Virus total detections: 2/57*
... This malicious macro downloads http ://contesafricains .com/01/59.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432800000/

** https://www.virustot...sis/1432800544/
... Behavioural information
TCP connections
134.0.115.157: https://www.virustot...57/information/
88.221.15.80: https://www.virustot...80/information/

contesafricains .com: 213.186.33.19: https://www.virustot...19/information/
___

Fake 'Chasing delivery' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
28 May 2015 - "'212-B59329-23A – Chasing delivery' pretending to come from Rachel.Hopkinson@ anixter .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ng-delivery.png

28 May 2015 : RR1A240D.doc - Current Virus total detections: 2/57*
... downloads http ://swiftlaw .com/01/59.exe** which is same Dridex banking malware as today’s earlier malicious word doc malspam run 'Your latest invoice from The Fuelcard Company UK Ltd – word doc or excel xls spreadsheet malware'**... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432811062/

** http://myonlinesecur...dsheet-malware/

swiftlaw .com: 216.251.32.98: https://www.virustot...98/information/
 

  

Edited by AplusWebMaster, 28 May 2015 - 06:13 AM.

[AplusWebMaster]

FYI...

Fake email SPAM - doc/xls malware attachment
- http://myonlinesecur...dsheet-malware/
1 Jun 2015 - "'Uplata po pon 43421' pretending to come from Mirjana Prgomet <mirjana@ fokus-medical .hr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally -blank- body with just an attachment.

1 June 2015: report20520159260[1].doc - Current Virus total detections: 1/56*
... downloads Dridex banking malware from http ://jcmartz .com/1/09.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433147275/

** https://www.virustot...sis/1433147275/
... Behavioural information
TCP connections
31.186.99.250: https://www.virustot...50/information/
88.221.15.80: https://www.virustot...80/information/

jcmartz .com: 66.175.58.9: https://www.virustot....9/information/

- http://blog.dynamoo....-pon-43421.html
1 Jun 2015
"... Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214 "
___

Fake 'slide1' SPAM - doc/xls malware attachment
- http://myonlinesecur...dsheet-malware/
1 Jun 2015 - "'Emailing: slide1 Date: Mon, 01 Jun 2015 14:36:47 +0200' pretending to come from  Simon Harrington <simonharrington@ talktalk .net> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ling-slide1.png

1 Jun 2015 : slide1.doc - Current Virus total detections:2/56*
... which connects to and downloads http ://216.22.14.37/~congafx/1/09.exe which is an updated Dridex banking malware (VirusTotal**)... It is using the same file name as today’s earlier malspam run but is a totally different file size Uplata po pon 43421 -Mirjana Prgomet – fokus-medical – word doc or excel xls spreadsheet malware***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433162360/

** https://www.virustot...5ab09/analysis/

*** http://myonlinesecur...dsheet-malware/

216.22.14.37: https://www.virustot...37/information/

- http://blog.dynamoo....alktalknet.html
1 Jun 2015
"... Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214 ..."
___

Fake 'Order confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Jun 2015 - "'Order confirmation 300-2015001469' with no apparent -from- address or -sender- & a
-blank- empty body that is addressed to:
To: <p.pichler@ allfi .com<randomname>@ Your email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely blank body.

1 June 2015: Order confirmation 300-2015001469.doc - Current Virus total detections: 4/56*   ... downloads the same Dridex banking Trojan as one of today’s earlier word based malspam runs Emailing: slide1 Date: Mon, 01 Jun 2015 14:36:47 +0200 – Simon Harrington – word doc or excel xls spreadsheet malware**. The single version I examined downloaded from http ://irpanet .com/1/09.exe but there are -multiple- download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1433170304/

** http://myonlinesecur...dsheet-malware/

irpanet .com: 64.29.151.221: https://www.virustot...21/information/
 

  

Edited by AplusWebMaster, 01 June 2015 - 11:09 AM.