
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1471 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 02 June 2015 - 06:00 AM

FYI...

DYRE Banking Malware Upsurge - Europe and North America Most Affected
- http://blog.trendmic...-most-affected/
June 2, 2015 - "Online banking users in Europe and North America are experiencing the upsurge of DYRE*, a malware family notorious for the multiple ways it steals data and its ties to parcel mule scams, among others. There has been a 125% increase of DYRE-related infections worldwide this quarter compared to the last, proving that cybercriminal interest in online banking has only continued to grow... We looked closely at the financial institutions whose URLs were contained in the DYRE malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like... What’s troubling with this recent spam run is that it shows how online banking malware continue to come up with versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has been known to be the downloader or middleman malware of sorts for other infamous malware like ZBOT, CRILOCK, and ROVNIX. This time, UPATRE has grown beyond being just a downloader of other malware. Its new variant can -disable- detection, thus making it easier for the download of DYRE or other malware into user systems. Specifically, its additional functions include the following:
- Disabling firewall/network related security by modifying some registry entries.
- Disabling firewall/network related security via stoppage of related services.
- Disabling Windows' default anti-malware feature (WinDef)
Recently, we have also seen a UPATRE variant (detected TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML/ Help file (.CHM) on a spam run victimizing JPMorgan Chase & Co. customers. Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse. It specifically tries to -scare- users into opening an attached .EXE file to find out about a non-existent law that supposedly doubles their tax. When it comes to tax, people can get worried enough to succumb to the scam. Seeing that most samples we have seen so far use the English language, it is likely that users of the DYRE malware have been sending out similar messages to a variety of regions, without specifically tweaking according to language and banking preferences... It pays to be prepared especially when consequences are literally DYRE. As we have previously advocated, banking malware that spread via -spammed- mails can be fought off by knowing your banking policies, downloading a full-featured antimalware solution, immediately changing passwords and monitoring online banking transactions in case of infections, and alerting the bank when you spot suspicious transactions..."
* http://blog.trendmic...malware-part-1/
___

Fake 'Rental Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
2 Jun 2015 - "'June 2015 Rental Invoice' pretending to come from Alex Batts <abatts@ bbsp .co .uk> is being delivered mangled and malformed. It is supposed to come with a malicious word doc or Excel XLS spreadsheet attachment but that is being embedded as a base 64 encoded set of text in the mangled body of the email, rather than being attached. Most users should be protected from this malware, but be aware that some mail servers will automatically fix this sort of garbled corruption and deliver the email as a warning email with a zip of the extracted content. Do-not-click on or open the word doc inside the zip... The email which comes in -garbled- looks like:
[Garbled text...]
Hi
Please find attached the Rental Invoice for June 2015 – which is due for pa=
yment on or before 10st June.
Have a lovely afternoon.
Kind regards
Alex Batts
Forum Receptionist
Telephone : 0117 370 7700
Mobile : 0750 083 5323 ...
 [More garbled text...]


2 June 2015: June 2015 Rental Invoice – Inv 103756.doc - Current Virus total detections: 1/56* | 2/57**
The second -malicious- macro downloads http ://amagumori.3dfxwave .com/7/8.exe Which is a Dridex banking malware (VirusTotal***). The first will also download the same malware but from a different location... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1433243825/

** https://www.virustot...sis/1433250642/

*** https://www.virustot...sis/1433248974/
... Behavioural information
TCP connections
31.186.99.250: https://www.virustot...50/information/
5.178.43.49: https://www.virustot...49/information/

amagumori.3dfxwave .com: 202.129.207.121: https://www.virustot...21/information/
___

Fake 'Invoice ID' SPAM - malware attachment
- http://blog.mxlab.eu...ontains-trojan/
June 2, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Invoice ID”. This email is sent from a -spoofed- address and has the following short body:
    INVOICE
    Invoice ID: 6568469164
    Store id: 9135


The attached file 6568469164_9135.zip contains the 156 kB large file invoice_company.exe. The trojan is known as PE:Malware.Obscure!1.9C59 or Trojan.Win32.Qudamah.Gen.24. At the time of writing, 2 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1433259213/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
188.120.194.101: https://www.virustot...01/information/
173.243.255.79: https://www.virustot...79/information/
90.84.60.99: https://www.virustot...99/information/
188.120.194.101: https://www.virustot...01/information/
___

2015 Malvertising infected millions of users
- http://net-security....ews.php?id=3049
June 2, 2015 - "New research from Malwarebytes has found that -malvertising- is one of the primary infection vectors used to reach millions of consumers this year. The analysis looked at the three large scale zero-day attacks affecting Flash Player*, and the results have been presented at Infosecurity Europe 2015:
> http://www.net-secur...ys-02062015.jpg
Analysis of one particular zero-day attack instigated using the HanJuan Exploit Kit showed that cybercriminals paid an average of 49p for every 1,000 infected adverts impressions on major websites at highly trafficked times of day. This amount could even drop as low as 4p per infected ad impression on lesser-known websites and during quieter times of day. Malicious adverts placed on popular websites including The Huffington Post, Answers.com and Daily Motion, which all boast monthly unique users in the millions, are responsible for exposing vast numbers of consumers to zero-day attacks. Even consumers and businesses running the -latest- versions of Internet Explorer, Firefox and Flash Player are susceptible to becoming immediately infected when exposed to this type of threat which makes it particularly lucrative for the criminal community. Further, with one zero-day remaining active for almost two months of the analysis period there is scope for exploits to have especially wide-reaching effects. The nefarious use of the online ad industry is facilitated by real-time bidding as this allows advertisers to bid in real-time for specific targets and weed out non-genuine users or those that should not be targeted by exploits... This is especially important with the kind of malware that is dropped by exploit kits, and in particular ransomware. Companies can literally be crippled by such malware, lose customers and in some cases put their business in jeopardy."
* https://www.malwareb.../threezerodays/
"... new vulnerabilities are found and weaponized at a much faster rate. Combine this trend with the fact that rolling out patches requires time and testing for businesses and you see the issue: A window of opportunity to exploit systems emerges... While keeping systems up to date remains one of the most important pieces of advice against exploits, zero-days make it completely irrelevant... To face this new reality, businesses and consumers must adapt as well by adopting new tools to safeguard their assets..."
 



Edited by AplusWebMaster, 02 June 2015 - 02:43 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
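An added example (mine, not code from the post or from myonlinesecurity) for the 'mangled' Rental Invoice mail above: the document is not a MIME attachment but sits as a raw base64 run inside a quoted-printable body, so an attachment scanner sees nothing, while a mail server that "fixes" the corruption hands the user a zip. The script decodes the body the way a mail client would, looks for base64 runs, and checks whether they decode to an Office container. The message, the sender address and the stand-in document are all constructed.

```python
"""Flag an Office document smuggled as bare base64 inside a quoted-printable
message body instead of as a MIME attachment.  Added example; the message is
constructed, not the spam quoted in the post."""
import base64
import email
import re

# Container signatures: OLE2 (legacy .doc/.xls) and zip (OOXML .docx/.xlsx).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# A run of base64 lines (40+ chars each) ending in an optional short line.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{40,}\r?\n)+[A-Za-z0-9+/]*={0,2}")

# Constructed stand-in for a .doc: right magic bytes, no real content.  Length
# is kept a multiple of 3 so base64 needs no '=' padding; a trailing '=' before
# a newline is a quoted-printable soft break, which is exactly how such mails
# get mangled in transit.
FAKE_DOC = OLE2_MAGIC + b"\x00" * 56 + b"constructed stand-in, not a real document"
FAKE_DOC += b"\x00" * (-len(FAKE_DOC) % 3)


def build_sample(with_payload: bool = True) -> bytes:
    """Constructed message: quoted-printable text with a soft line break
    ('pa=' / 'yment') and, optionally, the document as a bare base64 run."""
    body = (
        "Hi\n"
        "Please find attached the Rental Invoice for June 2015 =E2=80=93 due for pa=\n"
        "yment on or before 10th June.\n"
        "Kind regards\n"
        "Alex Batts\n"
    )
    if with_payload:
        body += "\n" + base64.encodebytes(FAKE_DOC).decode("ascii")
    headers = (
        "From: Alex Batts <abatts@example.invalid>\n"   # sender address assumed
        "Subject: June 2015 Rental Invoice\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
    )
    return (headers + body).encode("ascii")


def inline_office_payloads(raw: bytes):
    """Return [(format, size_bytes)] for Office containers found as bare base64
    in text parts.  Proper MIME attachments are not reported; a gateway already
    scans those."""
    msg = email.message_from_bytes(raw)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True) or b""   # undoes quoted-printable
        text = body.decode("latin-1")                  # byte-preserving decode
        for m in B64_RUN.finditer(text):
            blob = re.sub(r"\s", "", m.group(0))
            try:
                data = base64.b64decode(blob, validate=True)
            except ValueError:          # binascii.Error subclasses ValueError
                continue
            if data.startswith(OLE2_MAGIC):
                found.append(("ole2", len(data)))
            elif data.startswith(ZIP_MAGIC):
                found.append(("ooxml-or-zip", len(data)))
    return found


if __name__ == "__main__":
    print(inline_office_payloads(build_sample()))        # [('ole2', 105)]
    print(inline_office_payloads(build_sample(False)))   # []
```

The check deliberately decodes the transfer encoding first: searching the raw wire bytes for base64 misses runs that were themselves wrapped by quoted-printable, and a gateway that only inspects declared attachments never looks at the body at all.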



#1472 AplusWebMaster

Posted 03 June 2015 - 06:40 AM

FYI...

Fake 'your receipt' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
3 Jun 2015 - "'your receipt' pretending to come from Amy Morley <amymorley@ howardcundey .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...our-receipt.png

3 June 2015: 20150414151213550.doc - Current Virus total detections: 3/57*
The malicious macro in this version connects to and downloads anthonymaddaloni .com/~web/5/0.exe  which is a Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433318349/

** https://www.virustot...sis/1433318155/
... Behavioural information
TCP connections
37.140.195.177: https://www.virustot...77/information/
5.178.43.34: https://www.virustot...34/information/

anthonymaddaloni .com: 69.72.240.66: https://www.virustot...66/information/
___

Myfax malspam wave - links to malware and Neutrino exploit kit
- https://isc.sans.edu...l?storyid=19759
2015-06-03 - "... there have been more waves of malicious spam (malspam) spoofing myfax .com. On Tuesday 2015-06-02, the messages contained links to a zip archive of a Pony downloader. Tuesday's messages also had links pushing Neutrino exploit kit (EK). Spoofed myfax emails are nothing new. They've been around for years. This is yet another wave in the continuous onslaught of malspam that organizations face every day... I noticed similar messages last week, but they were all blocked. At that time, I wasn't able to investigate any further. On 2015-06-02, checking my employer's spam filters revealed spoofed myfax messages were coming in again after a 3 day break... Below is an example of the messages blocked by my organization's spam filters on 2015-06-02:
> https://isc.sans.edu...y-image-03a.jpg
The above example shows 2 types of URLs. The first points to a zip file. The second points to URLs ending in fax.php that push Neutrino EK. Last week's malspam only had links to the zip files... In a lab environment, those links ending with fax.php returned HTML with iframes leading to Neutrino EK..."
(More detail at the isc URL above.)
___

Fake email “Fax to” contains trojan
- http://blog.mxlab.eu...ontains-trojan/
June 3, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Fax to”.
This email is sent from a -spoofed- address and has the following body:
    Fax Massege:
    Fax ID: 1500566473
    User ID: 429286424


The attached file fax-1500566473_429286424.zip contains the 148 kB large file Document_invoice.exe.
The trojan is known as Downloader-FAVN!A43A201F788E, Trj/Genetic.gen, PE:Malware.Obscure!1.9C59 or Win32.Trojan.Fakedoc.Auto. At the time of writing, 4 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1433353970/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
188.120.194.101: https://www.virustot...01/information/
92.38.41.38: https://www.virustot...38/information/
88.221.15.80: https://www.virustot...80/information/
 



Edited by AplusWebMaster, 03 June 2015 - 02:59 PM.



#1473 AplusWebMaster

Posted 04 June 2015 - 05:59 AM

FYI...

Fake 'Scan' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 June 2015 - "'Scan number: 3744444093' [all the numbers are random] coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Scan number: 3744444093
    Pages: 54


4 June 2015: scan-3744444093_54.zip: Extracts to: Document_invoice.exe
Current Virus total detections: 0/58* | 1/57** This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433413368/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
188.120.194.101: https://www.virustot...10/information/
94.103.54.19: https://www.virustot...19/information/
5.178.43.35: https://www.virustot...35/information/

** https://www.virustot...sis/1433412921/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
188.120.194.101: https://www.virustot...10/information/
185.47.89.249: https://www.virustot...49/information/
5.178.43.49: https://www.virustot...49/information/
188.120.194.101: https://www.virustot...10/information/
___

Fake 'Internet Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
4 June 2015 - "'Eclipse Internet Invoice – 17987580EC' pretending to come from customer@ eclipse .net.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for choosing to receive your invoice by email. Please find this attached.
    If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password, at www .eclipse .net.uk/billing. Alternatively, you can contact our Customer Service Team, Monday to Friday 9am – 5.30pm, on the telephone number...
    Kind regards
    Eclipse Internet
    This email has been scanned for all viruses. Please consider the environment before printing this email. The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company or any of its subsidiaries or businesses in any... [blah, blah, blah]


4 June 2015 : invoice_EC_17987580_20141013081054.doc - Current Virus total detections: 2/57*
... the macro connects to http ://empreinte .com.ar/42/91.exe which is a Dridex banking malware (VirusTotal***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433415353/

** https://www.virustot...sis/1433415107/

empreinte .com.ar: 200.68.105.31: https://www.virustot...31/information/
___

Dyre banking Trojan infections up 125%
- http://net-security....ews.php?id=3050
June 4, 2015 - "Cybercriminal interest in online banking continues to grow, and crooks wielding the Dyre/Dyreza banking Trojan continue spewing out spam emails delivering a new variant of the malware:
> http://www.net-secur...re-04062015.jpg
'There has been a 125% increase of Dyre-related infections worldwide this quarter compared to the last', Trend Micro researchers have noted*. 'Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.' In early May, there was a considerable spike in these spam emails targeting the APAC region. 'We looked closely at the financial institutions whose URLs were contained in the Dyre malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like,' the researchers shared. As before, Dyre is -not- delivered directly via email. Instead, the malicious attachments hold the Upatre downloader, which then downloads Dyre. Upatre also got updated, and these newer versions have the ability to disable firewall/network related security by modifying some registry entries and via -stoppage- of related services, and to disable Windows' default anti-malware feature (Windows Defender). The emails delivering the malware try to -scare- users into opening the attached file by claiming that the recipients' tax payments have doubled. So far, they have been mostly in English, but Trend Micro expects more regionalized messages in the future, as the attackers are looking to expand globally."
* http://blog.trendmic...-most-affected/
 



Edited by AplusWebMaster, 04 June 2015 - 06:40 AM.

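Added example, not from Trend Micro or the post: the Upatre behaviour described in #1471 and again in the Dyre article above (firewall/network protection switched off via registry entries and stopped services, Windows Defender disabled) is something a Sysmon feed can catch. The script scores registry-value-set (Event ID 13) and process-create (Event ID 1) records per responsible process and only reports a process that touches two or more protections, which is what separates a dropper from a one-off admin or AV-installer change. The events are constructed, and the exact registry values and service names are my assumptions; the write-up does not say which entries are modified.

```python
"""Score Sysmon-style events for protection tampering: policy writes that turn
off Windows Defender or a firewall profile, and stop/disable actions against
the related services.  Added example with constructed events; the registry
targets and service names are assumptions, not taken from the write-up."""
import re
from collections import defaultdict

# Assumed registry targets (standard policy locations).
DEFENDER_POLICY = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", re.I)
FIREWALL_POLICY = re.compile(r"\\FirewallPolicy\\(?:Domain|Standard|Public)Profile\\EnableFirewall$", re.I)
SERVICE_START = re.compile(r"\\Services\\(WinDefend|MpsSvc|wscsvc|BFE)\\Start$", re.I)
SERVICE_DISABLED_START = 4   # SERVICE_DISABLED in a service's Start value
# Assumed service set: Defender, Windows Firewall, Security Center, Base Filtering Engine.
PROTECTED = {"windefend", "mpssvc", "wscsvc", "bfe"}
SVC_CMD = re.compile(r'\b(?:net1?\s+stop|sc(?:\.exe)?\s+(stop|config))\s+"?([\w-]+)', re.I)


def dword(details: str):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def classify(ev: dict):
    """Return (actor_image, control) for a tampering event, else None."""
    if ev["id"] == 13:                                    # registry value set
        target, value = ev["target"], dword(ev["details"])
        if DEFENDER_POLICY.search(target) and value == 1:
            return ev["image"], "defender_policy_off"
        if FIREWALL_POLICY.search(target) and value == 0:
            return ev["image"], "firewall_profile_off"
        m = SERVICE_START.search(target)
        if m and value == SERVICE_DISABLED_START:
            return ev["image"], "service_disabled:" + m.group(1).lower()
    elif ev["id"] == 1:                                   # process create
        m = SVC_CMD.search(ev["command_line"])
        if m and m.group(2).lower() in PROTECTED:
            verb = (m.group(1) or "stop").lower()
            if verb == "stop":
                return ev["parent_image"], "service_stopped:" + m.group(2).lower()
            if "disabled" in ev["command_line"].lower():  # sc config X start= disabled
                return ev["parent_image"], "service_disabled:" + m.group(2).lower()
    return None


def tampering_actors(events, min_controls: int = 2) -> dict:
    """Group controls by the process responsible.  One touch can be an admin or
    an AV installer; several from one image is the dropper pattern."""
    touched = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit:
            touched[hit[0]].add(hit[1])
    return {img: sorted(c) for img, c in touched.items() if len(c) >= min_controls}


# Constructed sample feed.  The dropper path is invented.
DROPPER = r"C:\Users\bob\AppData\Local\Temp\invoice_company.exe"
SAMPLE_EVENTS = [
    {"id": 13, "image": DROPPER, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"id": 13, "image": DROPPER, "details": "DWORD (0x00000000)",
     "target": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"id": 1, "parent_image": DROPPER, "command_line": "net stop MpsSvc"},
    {"id": 1, "parent_image": DROPPER, "command_line": "sc config WinDefend start= disabled"},
    # Benign noise: an autostart refresh and a query from an admin shell.
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe", "details": "DWORD (0x00000002)",
     "target": r"HKLM\System\CurrentControlSet\Services\BFE\Start"},
    {"id": 1, "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "sc query MpsSvc"},
    # A single policy write stays below the threshold (third-party AV does this).
    {"id": 13, "image": r"C:\Program Files\Vendor\agent.exe", "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
]

if __name__ == "__main__":
    for image, controls in tampering_actors(SAMPLE_EVENTS).items():
        print(image, controls)
```

The per-process threshold is the point: each individual event has a legitimate explanation, so alerting on the combination from one image (and its child commands, via the parent image) keeps the rule useful on real endpoints.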


#1474 AplusWebMaster

Posted 05 June 2015 - 05:06 AM

FYI...

Fake 'PPL invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
5 June 2015 - "'Your PPL invoice is attached' pretending to come from no-reply@ PPLUK .COM with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Please find attached your PPL invoice for your licence to use recorded music (whether via CDs, Radio/TV broadcasts, background music systems or other sources) at your premises.
    Permission to use PPL repertoire under the terms of the licence will only be effective once payment has been made. Payment of your invoice can be made online at ppluk.com/payonline or you can call us on 020 7534 1070 to pay by credit or debit card. All payment methods can be found on the back of your invoice.
    This is an automated email. If you have any queries about the invoice or requirements for a PPL licence, please refer to the contact information below.
    Yours faithfully,
    PPL Customer Services
    PPL
    1 Upper James Street London W1F 9DE
    T +44 (0)20 7534 1070 ...


5 June 2015 : P_PP_INVN_02573466_01-43-52_03657322_NEWBUS_O_E.DOC
Current Virus total detections: 3/57* . The malicious macro in this version downloads Dridex banking malware from http ://g6000424 .ferozo .com/25/10.exe (VirusTotal**). Other download locations downloading the same Dridex banking malware that I have been informed about are:
http ://zolghadri-co .com/25/10.exe
http ://elkettasandassociates .com/25/10.exe
http ://segurosdenotebooks .com.br/25/10.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433498590/

** https://www.virustot...sis/1433496324/
... Behavioural information
TCP connections
203.151.94.120: https://www.virustot...20/information/
88.221.15.80: https://www.virustot...80/information/
___

Fake 'General Election 2015 Invoices' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
5 June 2015 - "'General Election 2015 Invoices' pretending to come from SIMSSL@ st-ives .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Sir/Madam
    Please find attached your invoice 62812 for GE2015
    Please could payment be quoted with your constituency name/Invoice numbers
    Our Bank Details are:
    St Ives Management Services Limited
    HSBC
    Sort Code: 40-04-24
    Account Number: 71419501
    Account Name: St Ives Management Services Limited
    Remittance advices should be emailed to simsAR@ st-ives .co.uk
    If paying by cheque, please kindly remit to the address below and not to 1 Tudor Street:
     St Ives Management Services Limited
    c/o Branded3
    2nd Floor, 2180 Century Way
    Thorpe Park
    Leeds
    LS 8ZB
    If you have already paid by credit card then there is no need for you to make payment again.
    For payment queries please contact Steven Wilde 0113 306 6966
    For invoice queries please contact Emily Villiers 0207 902 6449
    Kind Regards
    SIMS Sales Ledger...


5 June 2015 : 1445942147T0.doc ... which is -exactly- the same malware as described in 'Your PPL invoice is attached – word doc or excel xls spreadsheet malware'*
* http://myonlinesecur...dsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

- http://blog.dynamoo....ction-2015.html
5 June 2015
"... Recommended blocklist:
203.151.94.120
31.186.99.250
146.185.128.226
185.12.95.40
"
 



Edited by AplusWebMaster, 05 June 2015 - 06:01 AM.



#1475 AplusWebMaster

Posted 08 June 2015 - 04:15 AM

FYI...

Fake 'Bank payment' SPAM – PDF malware
- http://myonlinesecur...uk-pdf-malware/
8 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a pdf attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded scripts that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages...
Update: An automatic analysis by Payload security* gives the download location as hundeschulegoerg .de/15/10.exe ( VirusTotal**)... Adobe reader in -recent- versions has Protected view automatically -enabled- and unless you press-the-button to 'enable all features', you should be safe from this attack... make sure you -uncheck- -any- additional offerings of security scans/Google chrome or -toolbars- that it wants to include in the download:
> http://myonlinesecur...c4-1024x423.png
The email (which has random amounts) looks like:
    Dear client
    Please find attached a bank payment for £3033.10 dated 10th June 2015
    to pay invoice 1757. With thanks.
    Kind regards
    Sarah
    Accounts


Today's Date: Bank payment 100615.pdf - Current Virus total detections: 2/57***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-a...environmentId=2

** https://www.virustot...sis/1433753588/
... Behavioural information
TCP connections
146.185.128.226: https://www.virustot...26/information/
88.221.15.80: https://www.virustot...80/information/

*** https://www.virustot...sis/1433751824/

hundeschulegoerg .de: 212.40.179.111: https://www.virustot...11/information/

- http://blog.dynamoo....nk-payment.html
8 June 2015
"... Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40
"
 



Edited by AplusWebMaster, 08 June 2015 - 08:35 AM.



#1476 AplusWebMaster

Posted 09 June 2015 - 04:20 AM

FYI...

Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 June 2015 - "'Re: Invoice' coming from random senders and random email addresses with a semi-random zip attachment (the zip is always called 'invoice(random number).zip') is another one from the current bot runs... Other emails today pretend to come from RBC Express <ISVAdmin@ rbc .com> with a subject of 'invoices', along with a 'Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 4084583/'. These 2 have a different malware payload (VirusTotal*)... The email looks like:

    Check Invoice number

9 June 2015: Invoice (42).zip: Extracts to: Invoice_store.exe - Current Virus total detections: 2/57**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1433843143/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
188.120.194.101: https://www.virustot...01/information/
216.254.231.11: https://www.virustot...11/information/
88.221.15.80: https://www.virustot...80/information/
188.120.194.101: https://www.virustot...01/information/

** https://www.virustot...sis/1433843556/
___

Fake 'Password Confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
9 June 2015 - "'Password Confirmation [742263403307] T82' pretending to come from steve.tasker81@ thomashiggins .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email (which has random numbers in the subject) looks like:

    Full document is attached

09 June 2015: 1913.doc - Current Virus total detections: 2/57*
... which connects to and downloads a Dridex banking malware from speakhighly .com/42/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433841783/

** https://www.virustot...sis/1433842088/
... Behavioural information
TCP connections
173.230.130.172: https://www.virustot...72/information/
5.178.43.48: https://www.virustot...48/information/

speakhighly .com: 77.73.6.74: https://www.virustot...74/information/

- http://blog.dynamoo....nfirmation.html
9 June 2015
"... Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250
"
___

Fake 'Unpaid invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
9 June 2015 - "'Unpaid invoice' pretending to come from  Debbie Spencer <Debbie@ burgoynes-lyonshall .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hi
    Could you let me know when the attached will be paid?
    Many thanks
    Debbie
    Deborah Spencer
    Company Accountant
    Burgoynes (Lyonshall) Ltd
    Lyonshall
    Kington
    Herefordshire HR5 3JR
    01544 340283 ...


The malware in this email is exactly the -same- as described in today’s earlier malspam run with word docs 'Password Confirmation [742263403307] T82 – word doc or excel xls spreadsheet malware'*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

The HTTPS-Only Standard
- https://https.cio.gov/
___

Beware of Emails Bearing Gifts
- http://www.darkreadi.../a/d-id/1320769
6/9/2015 - "Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating. In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks* believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom. The growth of ransomware is likely to continue to surge given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware, delivered in turnkey ransomware packages, simplifying the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, you have an increase of less-skilled perpetrators getting into a cybercrime business... Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework."
* http://www.securewor...hreat-analysis/
___

Flash malware jumps over 300 percent - Q1-2015
- http://www.theinquir...quarter-of-2015
Jun 09 2015 - "MALWARE ATTACKS on the Adobe Flash platform rose by a horrifying 317 percent in the first quarter of 2015. New figures in the McAfee Labs Threats Report May 2015 (PDF*) show that the number of recorded Flash malware instances was almost 200,000 in Q1 2015, compared with 47,000 in Q4 2014...
* http://www.mcafee.co...eat-q1-2015.pdf
Spam continues ever onward with six trillion messages sent in Q1. A total of 1,118 spam domains were discovered in the UK alone, beating Russia (1,104) and Japan (1,035). Phishing domains hit 887 in the UK, compared with France (799) and the Netherlands (680). Overall, McAfee Labs observed 362 phishing attacks a minute, or six every second..."
 



Edited by AplusWebMaster, 09 June 2015 - 12:53 PM.

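Added example (not from the posts or from myonlinesecurity): the 'spoofed icon' trick in #1473 and #1476 works because Explorer hides known extensions, so Document_invoice.exe is shown as Document_invoice next to a PDF icon. A gateway or helpdesk check can look at the bytes instead of the name: a file starting with MZ is a PE executable whatever it is called, and a .pdf that does not start with %PDF- is lying. The archive and its members are constructed in memory; the names echo the posts but the contents are stand-ins.

```python
"""Look inside a zip attachment for executables posing as documents.  Added
example; the archive is constructed and the 'executables' are just an MZ
header plus padding."""
import io
import os
import zipfile

PE_MAGIC = b"MZ"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# What a file with this extension should start with.
DOC_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".doc": (OLE2_MAGIC,), ".xls": (OLE2_MAGIC,),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),
}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd",
            ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def shown_name(name: str) -> str:
    """What Explorer displays with 'hide extensions for known file types' on."""
    return os.path.splitext(name)[0]


def inspect_zip(data: bytes):
    """Return [{'member', 'shown_as', 'reasons'}] for every file in the archive;
    an empty 'reasons' list means nothing looked wrong."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)                 # first bytes only, no full extraction
            name = info.filename
            stem, ext = os.path.splitext(name.lower())
            reasons = []
            if head.startswith(PE_MAGIC):
                reasons.append("pe_header")
            if ext in EXEC_EXT:
                reasons.append("executable_extension")
            if os.path.splitext(stem)[1] in DOC_MAGIC:            # invoice.pdf.exe
                reasons.append("double_extension")
            if ext in DOC_MAGIC and not head.startswith(DOC_MAGIC[ext]):
                reasons.append("magic_mismatch")
            report.append({"member": name, "shown_as": shown_name(name), "reasons": reasons})
    return report


def flagged_members(data: bytes):
    return [r["member"] for r in inspect_zip(data) if r["reasons"]]


def build_sample_zip() -> bytes:
    """Constructed archive; the fake PE is 'MZ' plus padding, not a program."""
    fake_pe = PE_MAGIC + b"\x90" * 62 + b"constructed, not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Document_invoice.exe", fake_pe)    # shown as 'Document_invoice'
        zf.writestr("Invoice (42).pdf.exe", fake_pe)    # shown as 'Invoice (42).pdf'
        zf.writestr("statement.pdf", fake_pe)           # right name, wrong bytes
        zf.writestr("report.pdf", b"%PDF-1.4\n%constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for row in inspect_zip(build_sample_zip()):
        print(f"{row['member']:24} shown as {row['shown_as']:20} {row['reasons']}")
```

Reading only the first eight bytes of each member keeps this cheap enough to run on every inbound archive, and it does not depend on the attacker choosing a suspicious extension at all.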


#1477 AplusWebMaster

Posted 10 June 2015 - 05:24 AM

FYI...

Fake 'BTT telephone bill' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Jun 2015 - "'Your monthly BTT telephone bill' pretending to come from Hayley Sweeney <admins@ bttcomms .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Please find attached your telephone bill for last month. This message was sent automatically.
    For any queries relating to this bill, please contact Customer Services on 01536 211100.


10 June 2015 : Invoice_68362.doc - Current Virus total detections: 5/57*
... Which downloads a Dridex banking malware from www .jimaimracing .co.uk/64/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1433931273/

** https://www.virustot...sis/1433932505/

jimaimracing .co.uk: 91.194.151.37: https://www.virustot...37/information/

- http://blog.dynamoo....ey-sweeney.html
10 June 2015
"... Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10
"
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 10 June 2015 - 07:27 AM.



#1478 AplusWebMaster


Posted 11 June 2015 - 04:24 AM

FYI...

Fake 'order reference' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Jun 2015 - "'Your order reference is 05806' pretending to come from inform <john.wade@ precisionclubs .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear client,
    Thank you for the order,  
    your credit card will be charged for 312 dollars.
    For more information, please visit our web site ...
    Best regards, ticket service.
    Tel./Fax.: (828) 012 88 840


11 June 2015: payment_n09837462_pdf.zip:
Extracts to:   payment_n09837462_pdf_  _ _ _ _ _ _ _ _ _ _  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _.exe
Current Virus total detections: 5/57*. Note the series of _ after the pdf. That is designed to try to fool you into thinking that the .exe file is a pdf so you open it. Most Windows computers won’t show the .exe in Windows Explorer if enough spaces or _ are inserted. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434002812/
___

Fake 'New_Order' email / Phish...
- http://blog.dynamoo....structions.html
11 Jun 2015 - "I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters... The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section:
Screenshot: https://4.bp.blogspo...Y/s640/hf-1.jpg

An examination of the underlying PDF file shows two URLs... In turn these redirect... The second URL listed 404s, but the first one is active. According to the URLquery report*, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page... This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report**]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort. The "megatrading .hol.es" (hosted on 31.220.16.16 by Hostinger - VT report***) landing page looks like a straightforward phish:
Screenshot: https://4.bp.blogspo...k/s640/hf-2.png

Entering the username and password always seems to return an error, even if you are absolutely certain the combination is correct:
> https://2.bp.blogspo...g/s320/hf-3.png
I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.
Recommended blocklist:
31.220.16.16
92.222.42.183
"

* http://urlquery.net/...d=1434011774093

** https://www.virustot...83/information/

*** https://www.virustot...16/information/
___

Mystery continues to surround the nude celebrity iCloud hack
- http://www.hotforsec...hack-11990.html
June 11, 2015 - "Sure, companies and governments get hacked all the time. But for the mainstream media to *really* take an interest, you need to add a twist of celebrity (preferably nude and female). That’s what happened last year when the so-called 'Fappening' saw the intimate and private photographs of scores of female celebrities and actresses, many of them topless or nude, leak onto 4Chan and the seedier corners of Reddit. Famous names who had their privacy violated by the leak included Jennifer Lawrence, Kate Upton, Victoria Justice, Kirsten Dunst, Hope Solo, Krysten Ritter, Yvonne Strahovski, Teresa Palmer, Ariana Grande, and Mary Elizabeth Winstead, amongst many others... Gawker has revealed a search warrant and affidavit which show that the FBI has seized computers belonging to a Chicago man in connection with the hack. And it appears that the documents back Apple’s claim that their iCloud service did -not- suffer a breach as such, but instead was the victim of a targeted attack after celebrities’ passwords and security questions were determined. In the affidavit, FBI cybercrime special agent Josh Sadowsky says that an IP address assigned to one Emilio Herrera was “used to access approximately 572 unique iCloud accounts” between May 13 2013 and August 31 2014. According to the statement, a number of the accounts accessed belonged to celebrities who had photos leaked online. In all, iCloud accounts were accessed -3,263- times from the IP address. In addition, the IP address was used from a computer running Windows 7 to reset -1,987- unique iCloud account passwords. Unsurprisingly, law enforcement officers visited Herrera’s house in Chicago and walked away with computers, phones, SD cards, and other devices that no doubt they planned to submit to forensic scrutiny. In particular they would be interested in uncovering any evidence of activity which might suggest phishing, the usage of hacking tools or email forwarding.
But here’s where things get interesting. According to Gawker, Herrera has -not- been charged with any crime and is not even considered a suspect at this point. It would certainly be surprising if someone involved in such an industrial-scale account hijacking operation would not have taken elementary steps to hide their true IP address, so is it possible that Herrera’s computers were being used by the hackers of nude celebs’ iCloud accounts -without- Herrera’s knowledge or permission? If that is the case, then it’s yet another reason why all computer users need to learn the importance of proper computer security. Keeping your computer protected with a layered defence and patched against the latest vulnerabilities reduces the chance of a remote hacker gaining control of your PC. Because the very last thing you want is to be implicated in a crime that you didn’t commit, because hackers have been able to commandeer your computer for their own evil ends."
- Graham Cluley
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 11 June 2015 - 07:53 AM.



#1479 AplusWebMaster


Posted 12 June 2015 - 05:29 AM

FYI...

Fake 'Confirmation transfer' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 June 2015 - "'Confirmation of the transfer' pretending to come from HSBC (random name@random email address) with a zip attachment is another one from the current bot runs... The email looks like:
    Transfer:
    Number of Transfer: 359880-67692630-94464
    To: [redacted]
    Bank sender: HSBS
    Country Poster: England
    City Poster: London


12 June 2015: transfer-England-359880-67692630-94464.zip(random numbers):
Extracts to: New_docs.exe - Current Virus total detections: 4/57*
This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434111878/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
188.120.194.101: https://www.virustot...01/information/
24.19.25.40: https://www.virustot...40/information/
88.221.14.249: https://www.virustot...49/information/
___

Malvertising 'Pop-under ads' lead to CryptoWall
- https://blog.malware...cryptowall-3-0/
June 11, 2015 - "...  malvertising leverages the infrastructure provided by ad networks to distribute malicious content to end users while they browse the Internet... a prolific ad network (over 180M hits/month according to SimilarWeb) being used by online fraudsters to distribute malware and other nuisances. 'Popcash' is a pop-under ad network that offers services for both publishers and advertisers: https://blog.malware...popcashlogo.png
'Pop-under ads are similar to pop-up ads, but the ad window appears -hidden- behind the main browser window rather than superimposed in front of it... They usually remain -unnoticed- until the main browser window is closed or minimized, leaving the user’s attention free for the advertisement... users therefore react 'better' to pop-under advertising than to pop-up advertising because of this different, delayed 'impression'. — Wikipedia**
** https://en.wikipedia...d#Pop-under_ads
... In this case, we received a URL used as a gate to an exploit kit:
> https://blog.malware...redirection.png
The Magnitude EK starts with a simplified landing page that contains the code to launch a Flash exploit and an iframe to perform an Internet Explorer exploit... The Flash exploit (VT)[3]  is CVE-2015-3090 as reported on malware.dontneedcoffee[4]:
3] https://www.virustot...sis/1434044838/
4] http://malware.dontn...700169-and.html
... The Internet Explorer exploit (CVE-2014-6332 or CVE-2013-2551 thanks @kafeine) is prepared via a heavily encoded piece of JavaScript... Several URLs are loaded but only a couple actually loaded the same binary (VT)[5] detected by Malwarebytes Anti-Malware as Trojan.Dropper.Necurs, which eventually loads CryptoWall 3.0... other slots are available and could be filled with different malware families by the exploit kit operator...
5] https://www.virustot...sis/1434001814/
... CryptoWall 3.0: Magnitude EK, just like many other exploit kits recently, is pushing crypto ransomware, possibly one of the worst strains of malware because it uses genuine encryption to lock down a user’s personal files. Soon after the ransomware takes over the PC, it will prompt a message warning of what just happened and giving details on how to proceed:
> https://blog.malware...ELP_DECRYPT.png
In this case, one needs to pay $500 to get their files back within the deadline, otherwise that amount doubles:
> https://blog.malware.../2015/06/BT.png
Conclusions: Because malvertising involves multiple players in order to work (publishers, ad networks, visitors) each has its own role to play in combatting this problem. Publishers (should) be wise in choosing their third-party advertisers by choosing reputable ones (although it is not a 100% guarantee (nothing is) that incidents will not happen). Ad networks can and should also ensure that the traffic they serve is clean. We contacted Popca$h on two separate occasions through their official “report malware” page, but -never- received a response... The campaign is still -ongoing- and not only serving exploits but -also- tech support scams[6] customized for your browser, ISP, city, etc:
6] https://blog.malware.../06/warning.png "
(More detail at the malwarebytes URL at the top of this post.)

- http://windowssecret...office-updates/
June 11, 2015 - "... Flash Player 18.0.0.160 addresses 13 vulnerabilities, some of which have already been used in ransomware attacks..."
 

:ph34r: :ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 12 June 2015 - 08:51 AM.



#1480 AplusWebMaster


Posted 15 June 2015 - 05:30 AM

FYI...

Fake 'Payment Confirmation' SPAM - doc/xls malware
- http://blog.dynamoo....nfirmation.html
15 Jun 2015 - "This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:
    From: reed .co.uk Credit Control [mailto:creditcontrol.rol@ reed .co.uk]
    Sent: Monday, June 15, 2015 11:10 AM
    Subject: Payment Confirmation 29172230
    Dear Sirs,
    Many thanks for your card payment. Please find payment confirmation attached below.
    Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.
    Kind Regards
    Credit Control Team
    T: 020 7067 4584
    F: 020 7067 4628
    Email: creditcontrol.rol@ reed .co.uk


The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57*] which contains this malicious macro... which downloads a component from the following location:
http ://www .freewebstuff .be/34/44.exe
This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57**. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools... show traffic to the following IPs:
136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)
According to this Malwr report[3], it also drops a Dridex DLL with a detection rate of 18/57[4].
Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10
"
* https://www.virustot...sis/1434362701/

** https://www.virustot...sis/1434362861/

3] https://malwr.com/an...TA0YzFlMzk2MDA/

4] https://www.virustot...sis/1434362861/

freewebstuff .be: 46.21.172.135: https://www.virustot...35/information/

- http://myonlinesecur...dsheet-malware/
15 Jun 2015
Screenshot: http://myonlinesecur...onfirmation.png
> https://www.virustot...sis/1434364970/
___

Fake 'Nyfast Payment' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
15 Jun 2015 - "'[Nyfast] Payment accepted' pretending to come from  Nyfast <sales@ nyfast .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...5/06/nyfast.png

15 June 2015: 101153.doc -  Current Virus total detections: 3/57*
... Which connects to and downloads Dridex banking malware from http ://webbouw .be/34/44.exe ( VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434364039/

** https://www.virustot...sis/1434362861/

webbouw .be: 46.21.172.135: https://www.virustot...35/information/
___

Fake 'PI-ORDER' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Jun 2015 - "'PI-ORDER' with a zip attachment pretending to come from suiming <suiminggroup@ cs .ename .net> is another one from the current bot runs... The email looks like:
    Dear Sir/madam,
    Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment. Kindly confirm the PO and send PI asap.
    kind Regards
    suiming Group


15 June 2015: PI-ORDER.zip: Extracts to:  PI-ORDER.exe - Current Virus total detections: 9/57*
This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434339886/
___

Fake 'New Doc' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
15 Jun 2015 - "'Will Kinghan henryhowardfinance .co .uk New Doc' pretending to come from  Will Kinghan <WKinghan@hhf .uk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ill-kinghan.png

15 June  2015 : New doc.doc ... which is the -same- malware as described in today’s other word doc malspam runs Payment Confirmation reed .co .uk Credit Control* – word doc or excel xls spreadsheet malware and [Nyfast] Payment accepted** – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* http://myonlinesecur...dsheet-malware/

** http://myonlinesecur...dsheet-malware/
___

'Let us help you make your online banking with HSBC more secure' - PHISH
- http://myonlinesecur...ecure-phishing/
15 Jun 2015 - "An email saying 'Let us help you make your online banking with HSBC more secure' is one of today’s -phishing- attempts. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
- Confirmation of Order


... It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. That is also false... The link in the email directs you to a -fake- site; if you look at the fake website, you would be very hard-pressed to tell the difference between the fake one and the genuine site. The -only- way is to look at the address bar: on the genuine PayPal site, when using Internet Explorer the entire address bar is in green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):
>> http://myonlinesecur..._phish_site.png
... luckily the phishing site has been deactivated by the webhosts, but be careful and remember that banks don’t send emails saying 'follow-the-link' to change anything..."
___

Fake 'Notice DHL' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Jun 2015 - "'Notice DHL' pretending to come from HSBC (random name @ random email address) with a zip attachment is another one from the current bot runs... The waybill number is random in each email but -matches- the attachment name. The email looks like:
    Notice DHL
    Courier our company was unable to deliver the goods.
    CAUSE: was lost your number
    Delivery Status: Active
    Services: delivery in one day
    Waybill number for your cargo: WL4OY-k5qvML-0136
    Special sticker attached to the letter. Print sticker and show it in your post office.


15 June 2015: Sticker-WL4OY-k5qvML-0136.zip: Extracts to: New_docs.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434373340/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 15 June 2015 - 10:05 AM.

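A defender-side check for the attachment-naming trick described in the 'PDF malware' posts above (the `_pdf_ _ _ .exe` padding, `New_docs.exe`, `PI-ORDER.exe`), written as an added example; it is not code from myonlinesecurity, dynamoo or this forum. The extension lists, the sample archive and the file names inside it are constructed assumptions, not data taken from the posts.

```python
"""Flag deceptively named attachments of the kind described in this thread.

Constructed, added example: the extension lists, the sample archive and the
file names below are assumptions, not data from the posts.
"""
import io
import re
import zipfile

# Extensions Windows will execute directly (assumed list, extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}
# Document/image extensions commonly placed in front of the real one as a decoy.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# A decoy type glued into the stem with separators, e.g. "payment_n09837462_pdf_ _ _ .exe".
DECOY_TOKEN = re.compile(r"(?:^|[_\-\s])(pdf|docx?|xlsx?)(?=[_\-\s]|$)")
# A long run of spaces/underscores at the end of the stem pushes ".exe" out of view in Explorer.
PADDING_RUN = re.compile(r"[ _]{8,}$")

# Constructed lure name mimicking the one quoted in the post (not the real sample).
SAMPLE_LURE_NAME = "payment_n09837462_pdf_ _ _ _ _ _ _ _ _ _ _ _ _ _ _.exe"


def analyse_name(name: str) -> list:
    """Return the reasons a file name looks deceptive; an empty list means nothing was flagged."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # archive members may carry a path
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all: nothing to judge from the name alone
    ext = parts[-1].strip()
    stem = ".".join(parts[:-1])
    if ext not in EXECUTABLE_EXTS:
        return reasons
    # Any executable inside a mailed archive is worth flagging, icon spoofing or not.
    reasons.append("executable extension ." + ext)
    # "Receipt.PDF.exe": a document extension sits directly before the real one.
    decoy = parts[-2].strip(" _") if len(parts) >= 3 else ""
    if decoy in DECOY_EXTS:
        reasons.append("decoy extension ." + decoy + " before the real extension")
    # "payment_..._pdf_ _ _.exe": a document type embedded in the stem between separators.
    token = DECOY_TOKEN.search(stem)
    if token:
        reasons.append("document-type token '" + token.group(1) + "' inside the name")
    # Padding hides the real extension once the name is truncated in a file listing.
    pad = PADDING_RUN.search(stem)
    if pad:
        reasons.append(str(len(pad.group())) + " characters of space/underscore padding before the extension")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Map every file inside a zip archive (given as bytes) to its list of reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: analyse_name(i.filename) for i in zf.infolist() if not i.is_dir()}


def build_sample_zip() -> bytes:
    """Build a constructed archive shaped like the 'payment_n09837462_pdf.zip' lure.

    The members are plain text placeholders, not binaries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAMPLE_LURE_NAME, "inert placeholder text")
        zf.writestr("Invoice_68362.doc", "inert placeholder text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", reasons or "nothing flagged by name")
```

Name analysis cannot see a spoofed icon, so a bare `PI-ORDER.exe` is caught only by the executable-extension rule; the other rules explain why a name was built to look like a document.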



#1481 AplusWebMaster


Posted 16 June 2015 - 06:18 AM

FYI...

Magnitude Exploit Kit uses Newly Patched Adobe Vuln ...
- http://blog.trendmic...e-most-at-risk/
Jun 16, 2015 - "Adobe may have already patched a Flash Player vulnerability last week, but several users — especially those in the US, Canada, and the UK — are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems. We first saw signs of this activity yesterday, June 15... Adobe’s regular June Update for Adobe Flash Player... upgraded the software to version 18.0.0.160*. However, many users are still running the previous version (17.0.0.188), which means that a lot of users are still at risk... cybercriminals rapidly take advantage of recently-patched vulnerabilities through exploit kits. We saw a similar incident in March, where exploits for an Adobe Flash Player vulnerability were added to the Nuclear Exploit Kit just a week after the patch was released. We also noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that shows no sign of changing soon..."
* https://www.adobe.co...tribution3.html
___

Fake 'Travel order' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Jun 2015 - "'Travel order confirmation 0300202959' pretending to come from  overseastravel@ caravanclub .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    Thank you for your travel order.
    Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
    Your booking confirmation document is stored as a DOC file which requires the use of Microsoft Word software to view it.
    Yours sincerely
    The Caravan Club
    This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA.
    Regulation The Caravan Club Ltd is authorised and regulated by the Financial Conduct Authority. FCA registration number is 311890
    This email is sent from the offices of The Caravan Club Limited...


16 June 2015: Travel Order Confirmation – 0300202959.doc
Current Virus total detections: 4/57* ... downloads Dridex banking malware from  aspectaceindia .in/90/72.exe (VirusTotal**). Note: there are normally 5 or 6 other download locations but all will lead to same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434440780/

** https://www.virustot...sis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustot...65/information/
88.221.15.80: https://www.virustot...80/information/

aspectaceindia .in: 203.124.96.148: https://www.virustot...48/information/
___

Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Jun 2016 - "'Invoice' pretending to come from Carol Young <carol@ baguette-express. co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Invoice Attached
    Carol Young
    Accounts Manager
    Office:0845 070 4360
    Email: carol@ baguette-express .co.uk
    Web: www .baguette-express .co.uk
    1 Cranston Crescent
    Lauder
    Borders
    TD2 6UB


16 June 2015: A4 Inv_Crd Unit Price, With Discount.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from dubrovnik-marryme .com/90/72.exe (VirusTotal**). This is the -same- malware payload as described in today’s other malspam word macro malware 'The caravan Club Travel order confirmation 0300202959'*** – word doc or excel xls spreadsheet malware..."
* https://www.virustot...sis/1434441322/

** https://www.virustot...sis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustot...65/information/
88.221.15.80: https://www.virustot...80/information/

*** http://myonlinesecur...dsheet-malware/

dubrovnik-marryme .com: 188.40.57.166: https://www.virustot...66/information/
___

Fake 'Invoice copy' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Jun 2015 - "'Invoice copy no. 252576' pretending to come from kathy@ almondscateringsupplies .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached DOC document with invoice copy no. 252576
     Kind regards,
     Gary Almond


16 June 2015 : DespatchNote_-_252576_160615_063107663.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**)
Note: there are normally 5 or 6 other download locations but all will lead to same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434440780/

** https://www.virustot...sis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustot...65/information/
88.221.15.80: https://www.virustot...80/information/

aspectaceindia .in: 203.124.96.148: https://www.virustot...48/information/
___

Fake 'Internet Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Jun 2015 - "'Eclipse Internet Invoice is available online – 36889843EC' pretending to come from  customer@ eclipse .net.uk with a malicious word doc called EC_36889843_88113463.doc is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for choosing to receive your invoice by email. Please find this attached.
    If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password... Alternatively, you can contact our Customer Service Team, Monday to Friday 8am – 6pm, on the telephone number published...
    Kind regards
    Eclipse Internet


The number in the subject which is random -matches- the word attachment name, so everybody gets a different named email and attachment. The malicious macro and the downloaded Dridex banking malware are exactly the -same- as described in today’s earlier other word macro malspam runs:

1]'Gary Almond almondscateringsupplies .co.uk Invoice copy no. 252576 – word doc or excel xls spreadsheet malware':
- http://myonlinesecur...dsheet-malware/

2]'Carol Young baguette-express Invoice – word doc or excel xls spreadsheet malware':
- http://myonlinesecur...dsheet-malware/

3]'The caravan Club Travel order confirmation 0300202959 – word doc or excel xls spreadsheet malware':
- http://myonlinesecur...dsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
___

Trojan uses steganography to hide itself in image files
- http://net-security....ews.php?id=3058
16.06.2015 - "The Dell SecureWorks* CTU research team has recently analyzed a piece of malware that uses digital steganography to hide part of its malicious code. Stegoloader, as they dubbed it, is not technically new. Previous versions of the malware have been spotted in 2013 and 2014, bundled with tools used to crack or generate software keys... Stegoloader's main reason for being is to steal information from users, but it has a modular design, and the researchers themselves say that they might not have yet seen and analyzed all of its modules... Stegoloader is not the first malware to use steganography to hide malicious code or information such as the address of the malware's backup C&C, but the researchers note that it could represent an emerging trend in malware... researcher Saumil Shah recently demonstrated at the Hack in the Box conference**, it's possible to insert both malicious code and exploit code that will trigger it into an image, and this type of delivery mechanism is still undetectable by current defensive solutions."
* http://www.securewor...mation-stealer/

** http://www.net-secur...ld.php?id=18443
___

Dutch Users: victims of Large Malvertising Campaign
- https://blog.malware...ising-campaign/
June 15, 2015 - "Security firm Fox-IT* has identified a large malvertising campaign that began affecting Dutch users on June 11:
* http://blog.fox-it.c...he-netherlands/
In their blog post, they say that several major news sites were loading the -bogus- advertisement that ultimately led to the Angler exploit kit. Looking at our telemetry we also noticed this attack, and in particular on Dutch news site Telegraaf[.]nl via an advert from otsmarketing .com, which according to Fox-IT is -more- than a suspicious ad network:
> https://blog.malware.../06/diagram.png
The ad silently loaded a Google shortened URL used to -redirect- to the exploit kit... This latest malvertising case illustrates the efficacy of leveraging ad networks to selectively infect end users while also demonstrating that there is a clear problem with identifying rogue advertisers. As stated by Fox-IT, the company responsible for the malvertising was not 'loaded via advertisements until Thursday last week, the first day we’ve seen this malvertising campaign in action'. This leaves some serious questions about the additional scrutiny in place for new advertisers and how it made it through security checks."

107.181.187.81: https://www.virustot...81/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 16 June 2015 - 03:19 PM.



#1482 AplusWebMaster


Posted 17 June 2015 - 06:53 AM

FYI...

Fake 'PayPal Receipt' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 June 2015 - "'Receipt for Your Payment to OMER SALIM' pretending to come from service@ intl .paypal .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-OMER-SALIM.png

17 June 2015: Receipt99704.zip: Extracts to: Receipt99704.PDF.exe
Current Virus total detections: 10/57*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434488522/
___

Fake 'Refunds for overpaid taxes' – Phish ...
- http://myonlinesecur...taxes-phishing/
17 June 2015 - "'Refunds for overpaid property taxes' pretending to come from HM Revenue & Customs <ecustomer.support@ hmrc .gateway .gov.uk> is an email pretending to come from HM Revenue & Customs... This one wants your personal details and your bank details. Many of them are also designed to specifically steal your email, Facebook and other social network login details... This particular email has a zip attachment that, when unzipped, contains an HTML webpage that asks you to fill in bank details. If you open the HTML attachment you see a webpage looking like this, where they want your bank details, name and birth date:

Phish Screenshot: http://myonlinesecur...perty-taxes.png

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is likely to regularly receive PDF attachments or Word .doc attachments or any other common file that you use every day, or whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking login details..."
___

Fake 'Document Service' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 June 2015 - "'Document Service, Order Id: 14262781' pretending to come from ICC <orders@ icc .co.uk> with a malicious Word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-Order-Id.png

17 June 2015: 14262781_FMM_751061928.doc - Current VirusTotal detections: 4/57*
The malicious macro in this particular word doc downloads Dridex banking malware from http ://cheshiregunroom .com/23/07.exe. There are normally between 5 and 10 other download sites, all giving the same Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434529913/

** https://www.virustot...sis/1434531876/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustot...65/information/
88.221.14.249: https://www.virustot...49/information/

cheshiregunroom .com: 92.63.140.197: https://www.virustot...97/information/
___

Fake 'Message from KMBT' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 Jun 2015 - "'Message from KMBT_C280' pretending to come from scanner@ your own email domain with a malicious Word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email comes in with a completely -empty- body and just the subject line of Message from KMBT_C280.

17 June 2015: SKMBT_C28015061614410.doc - Current VirusTotal detections: 4/57*
This particular malicious macro downloads Dridex banking malware from http ://businesssupportsoutheastlondon .co.uk/23/07.exe which is the -same- as described in today’s other malspam word doc campaign Document Service, Order Id: 14262781** - LE BISTROT PIERRE LIMITED – ICC – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434531806/

** http://myonlinesecur...dsheet-malware/

businesssupportsoutheastlondon .co.uk: 88.208.248.144: https://www.virustot...44/information/
___

Botnet-based malicious SPAM seen this week
- https://isc.sans.edu...l?storyid=19807
2015-06-17 - "Botnets continually send out malicious spam (malspam). As mentioned in previous diaries, we see botnet-based malspam delivering Dridex and Dyre malware almost every day [1, 2]. Recently, someone sent us a malicious Word document from what appeared to be Dridex malspam on Tuesday 2015-06-16... Unfortunately, while investigating the malware, I could not generate the full range of infection traffic. Otherwise, the traffic follows the same general patterns we've previously seen with Dridex [1]... Dridex has been using Microsoft Word documents and Excel spreadsheets designed to infect a computer if macros are enabled, which matches the infection vector used by this malspam... Macros are -not- enabled in the default installation for Microsoft Office. To infect a computer, most people will have to -enable- macros after the document is opened, as shown below:
> https://isc.sans.edu...ry-image-04.jpg
...
> https://isc.sans.edu...ry-image-05.jpg..."

1] https://isc.sans.edu... activity/19687

2] https://isc.sans.edu...d malspam/19657
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 17 June 2015 - 11:32 AM.



#1483 AplusWebMaster


Posted 18 June 2015 - 06:28 AM

FYI...

Fake email “Bank query alert” contains trojan
- http://blog.mxlab.eu...ontains-trojan/
June 18, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Bank query alert”. This email is sent from spoofed email addresses and has the following body:
    Good day!
    Please note that we have received the bank query from Your bank regarding the current account.
    You are asked to fill the appropriate bank form, which is enclosed below, until 20th day of
    June in order to avoid the security hold of the account. Please also confirm the following
    account No.: 9042 5736 6695 0412. After filling the document please send us the scan-copy
    so that we could duly forward it to the bank manager. If you have any questions feel
    free to contact us on: 677-77-90.
    Thanks in advance.
    Best regards, Michael Forester Managing Partner


The attached file Michael.zip contains the 46 kB file Transfer_blocked.exe. The trojan is known as Trojan.Win32.Generic.pak!cobra, Gen:Variant.Graftor.198120, Trojan.Win32.YY.Gen.4, LooksLike.Win32.Upatre.g (v) or Downloader.Upatre!gen9. At the time of writing, 7 of the 57 AV engines detected the trojan at VirusTotal*..."
* https://www.virustot...f11da/analysis/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
93.93.194.202: https://www.virustot...02/information/
173.248.29.43: https://www.virustot...43/information/
88.221.15.80: https://www.virustot...80/information/
___

Fake 'CVD Insurance' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
18 Jun 2015 - "'CVD Insurance – documents attached' pretending to come from Lowri Duffield <lowri.duffield@ brightsidegroup .co.uk> with a malicious Word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ts-attached.png

18 June 2015: 3098_001.doc - Current VirusTotal detections: 4/57*
... downloads Dridex banking malware from http ://evolutionfoundationcollege .co.uk/66/71.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434619773/

** https://www.virustot...sis/1434619280/

evolutionfoundationcollege .co.uk: 188.121.55.128: https://www.virustot...28/information/
___

Fake 'Transfer to your account blocked' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Jun 2015 - "'Transfer to your account blocked' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email, which has random ID numbers that -match- the attachment name, looks like:

    Transfer has been blocked, details in an attachment.
    ID Transfer: 96907740967
    Date of formation: Thu, 18 Jun 2015 13:35:45 +0100


18 June 2015: id96907740967_Transfer_details.zip: Extracts to: Transfer_blocked.exe
Current VirusTotal detections: 3/57*. This is another of the spoofed-icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434629016/
___

Fake 'banking invoice' SPAM - leads to malware
- http://blog.dynamoo....ronica-cod.html
18 Jun 2015 - "This Portuguese-language spam pretends to be some sort of banking invoice, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.

    From: sac.contact4e74974737@ bol .com.br
    To:    mariomarinho@ uol .com.br
    Date:    18 June 2015 at 08:46
    Subject:    NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
    Signed by:    bol .com.br ...


The reference numbers and sender change slightly in each version. I've seen three samples before, each one with a different download location... which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57*. Comments in that report indicate that this may be the Spy.Banker trojan. The Malwr report indicates that it downloads components from the following locations:
http ://donwup2015 .com.br/arq/point.php
http ://tynly2015 .com.br/upt/ext.zlib
... These sites are hosted on:
108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)
The VirusTotal report for both these IPs [1] [2] indicates a high level of badness, indicating that they should be -blocked-. Furthermore, Malwr shows that it drops a file with a detection rate of 2/57**...
Recommended blocklist:
108.167.188.249
187.17.111.104
..."
* https://www.virustot...sis/1434618710/
... Behavioural information
TCP connections
1] 108.167.188.249: https://www.virustot...49/information/

2] 187.17.111.104: https://www.virustot...04/information/

** https://www.virustot...sis/1434619879/
 

:ph34r:  <_<


Edited by AplusWebMaster, 18 June 2015 - 11:12 AM.



#1484 AplusWebMaster


Posted 19 June 2015 - 09:29 AM

FYI...

Fake 'New instructions' SPAM - malicious payload
- http://blog.dynamoo....structions.html
19 June 2015 - "This rather terse spam comes with a malicious payload:
    From:    tim [tim@ thramb .com]
    Date:    19 June 2015 at 16:40
    Subject:    New instructions
    New instructions payment of US banks, ask to read


Attached is an archive file with the somewhat unusual name of instructions.zip size=19811 which contains a malicious executable named instructions_document.exe. The VirusTotal analysis indicates that this is the Upatre downloader [detection rate 3/57*]. Automated analysis tools... show traffic to: 93.93.194.202 :13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID ... which is an IP operated by Orion Telekom in Serbia, and also 66.196.63.33 :443 which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which, while not malicious in itself, is quite a good indicator of infection. In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.
Recommended blocklist:
93.93.194.202
66.196.63.33
"
* https://www.virustot...sis/1434725207/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.93.194.202: https://www.virustot...02/information/
66.196.63.33: https://www.virustot...33/information/
88.221.14.249: https://www.virustot...49/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 June 2015 - 09:40 AM.



#1485 AplusWebMaster


Posted 22 June 2015 - 05:35 AM

FYI...

Fake 'Shareholder alert' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Jun 2015 - "'Shareholder alert' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to
    resolution of the Board of Directors. Please see attached.     Glen McCoy, Partner


22 June 2015: instructions.zip size=21120.zip: Extracts to: instructions_document.exe
Current VirusTotal detections: 1/57*. This is another of the spoofed-icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434971131/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
93.93.194.202: https://www.virustot...02/information/
109.86.226.85: https://www.virustot...85/information/
88.221.15.80: https://www.virustot...80/information/

- http://blog.dynamoo....lder-alert.html
22 June 2015
"... Recommended blocklist:
64.111.36.35
93.93.194.202
"
___

Fake 'Tax inspection notification' SPAM - malicious payload
- http://blog.dynamoo....inspection.html
22 June 2015 - "This -fake- tax notification comes with a malicious payload.
    Date:    22 June 2015 at 19:10
    Subject:    Tax inspection notification
    Good day!
    Trust this e-mail finds You well.
    Please be notified that next week the revenue service is going to organize tax inspections.
    That is why we highly recommend You to file the attached form in order to be prepared.
    Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
    According to our records, the inspectors license No. is 090-96919-5886-935. Please check as it is an important procedure rule.
    We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
    Bruce Climt,
    Tax Advisor


Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57*... Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:
http ://93.93.194.202 :13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http ://93.93.194.202 :13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP address is the same as seen in this attack earlier today[1] and it belongs to Orion Telekom in Serbia. This VirusTotal report*** also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report[2] also shows traffic to 37.57.144.177 (Triolan, Ukraine). Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57***] and sveezback.exe [VT 15/57****]. The dropped payload will be the Dyre banking trojan.
Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177
"
* https://www.virustot...92f40/analysis/

** https://www.virustot...92f40/analysis/

*** https://www.virustot...sis/1434994679/

**** https://www.virustot...sis/1434994696/

1] http://blog.dynamoo....lder-alert.html

2] https://www.hybrid-a...environmentId=1
___

'Password recovery' SCAM hitting Gmail, Outlook and Yahoo Mail users
- http://net-security....ld.php?id=18537
22 June 2015 - "A simple yet ingenious scam is being used by scammers to compromise accounts of Gmail, Outlook and Yahoo Mail users, Symantec researcher Slawomir Grzonkowski warns*. 'To pull off the attack, the bad guys need to know the target’s email address and mobile number; however, these can be obtained without much effort... The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their -mobile- phone.' Once the verification code is sent to the legitimate user's mobile phone, it's followed by a message by the scammer, saying something like: 'Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.' The victim sends the verification code to the scammers, and they use it to access the email account.
Occasionally, the code is sent too late and doesn't work anymore, so the scammers -reiterate- the need for the code to be sent in. When they finally get access to the email account, they don't shut the real owner out. Instead, they usually add an -alternate- email to the account and set it up so that copies of all messages are forwarded to it. Then they change the password and send it to the victim via SMS ('Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]') in order to complete the illusion of legitimacy. 'The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals. The way they operate is similar to the methods used by APT groups'... It's likely that they use those email accounts to gain access to other online accounts tied to them. Users are advised to be suspicious of SMS messages asking about verification codes, especially if they did -not- request one, and to check their authenticity directly with their email provider."
* Video 2:17
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 22 June 2015 - 01:17 PM.

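The spoofed-icon trick recurs in the posts above (Receipt99704.PDF.exe, Transfer_blocked.exe, instructions_document.exe): an executable whose name or icon passes for a PDF when Explorer hides known extensions. As an added example, not code from the original posts or the quoted blogs, here is a small triage check a mail gateway or analyst could run over a zip attachment: it flags executable extensions, document extensions hidden in front of them, and PE content behind a non-executable name. The archive and the fake file contents are constructed inline.

```python
"""Triage of a zip e-mail attachment for the 'spoofed icon' trick.
Added example, not code from the original forum post or the quoted blogs;
the archive and its member contents are constructed below."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute no matter what icon the file shows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs"}
# Harmless-looking extensions a spoofed name places in front of the real one.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_member(name: str, head: bytes) -> list[str]:
    """Red flags for one archive member, from its name and its first bytes."""
    flags = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTS:
        flags.append("executable-extension")
        # Receipt99704.PDF.exe: a document extension in front of .exe, which is
        # all the user sees when 'show known file extensions' is off.
        if any(s in DOCUMENT_EXTS for s in suffixes[:-1]):
            flags.append("double-extension")
    elif head.startswith(PE_MAGIC):
        # The content is a PE file even though the name claims otherwise.
        flags.append("pe-content-non-executable-extension")
    return flags


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map each file in a zip attachment to its list of red flags."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))  # only the magic bytes are needed
            result[info.filename] = classify_member(info.filename, head)
    return result


def build_sample_zip() -> bytes:
    """Constructed archive reusing attachment names quoted in the thread;
    the member contents are fake headers, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Receipt99704.PDF.exe", PE_MAGIC + b"\x90\x00" * 8)
        zf.writestr("Transfer_blocked.exe", PE_MAGIC + b"\x90\x00" * 8)
        zf.writestr("statement.pdf", PE_MAGIC + b"\x90\x00" * 8)  # renamed PE
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed\n")   # real PDF header
    return buf.getvalue()


if __name__ == "__main__":
    for member, flags in triage_zip(build_sample_zip()).items():
        print(f"{member:24s} {', '.join(flags) or 'no flags'}")
```

A Word or Excel document with a macro (the Dridex documents in the same posts) carries none of these flags; that case needs a separate macro inspection.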
