AplusWebMaster

SPAM frauds, fakes, and other MALWARE deliveries...


FYI...

Fake 'Amount Payable' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malware-spam-amount-payable-leads-to.html
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Lynn Drake
Date: 15 December 2016 at 09:55
Subject: Amount Payable
Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.
Best Regards,
Lynn Drake


The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js... highly obfuscated script... Typical detection rates for the script are around 16/54*. There are many different scripts, downloading a component...
(Long list of domain-names at the dynamoo URL above.)
According to this Malwr analysis**, a DLL is dropped with a detection rate of 18/55***. This Hybrid Analysis[4] shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:
86.110.117.155 /checkupdate (Rustelekom, Russia)
185.129.148.56 /checkupdate (MWTV, Latvia)
185.17.120.166 /checkupdate (Rustelekom, Russia)
MWTV is a known-bad-host, so I recommend blocking the entire /24.
Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166
"
* https://virustotal.com/en/file/bd0284afb6336c01532a17472028e191ff8905eb66473caec5d26104c56d07c7/analysis/1481796164/

** https://malwr.com/analysis/MzY2YzNhZGExZWFiNDdmODk2N2YwMjgxNzFiYTMxYjk/
Hosts
92.48.111.60

*** https://virustotal.com/en/file/d46baac92c34244c14f4b5e42c8c1c605807f5a32f1605bf21be8b10cd6d6099/analysis/1481796614/

4] https://www.hybrid-analysis.com/sample/bd0284afb6336c01532a17472028e191ff8905eb66473caec5d26104c56d07c7?environmentId=100
Contacted Hosts
92.48.111.60
185.129.148.56
86.110.117.155
52.42.26.69
52.85.184.67
52.35.54.251

___

Fake 'Order Receipt' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/more-order-receipt-malspam-delivers-locky-ransomware/
15 Dec 2016 - "... an email with the subject of 'Order Receipt' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format which delivers Locky ransomware... One of the emails looks like:
From: Joshua Mooney <Mooney.Joshua@ ricket .net>
Date: Thu 15/12/2016 10:54
Subject: Order Receipt
Attachment: scan9022222.zip
Dear enrico,
Thank you for making your order in our store!
The payment receipt and crucial payment information are in the attached document.
King Regards,
Joshua Mooney
Sales Manager

15 December 2016: scan9022222.zip: Extracts to: ~_4RYT3KP_~.js - Current Virus total detections 6/54*
MALWR** shows a download of an encrypted file from http ://www.bds-1 .com/gfftte3uv which is converted by the script to RJJvCX8vggvNw4PW.zk (VirusTotal 4/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/79ad91717809c863ce1c8c9012e88bfbd6090f0323d3778ffd05a43c11e78fe5/analysis/1481799202/

** https://malwr.com/analysis/NjUxOTUxM2QzYWZmNDgyOWFiYTBjYmY1YTYwZWZlNTA/
Hosts
64.71.33.107

*** https://www.virustotal.com/en/file/5eaa09a1692828877a42db04cb9b96d550632930c39dec9d5eabfef45f52d57d/analysis/1481804458/

4] https://www.hybrid-analysis.com/sample/79ad91717809c863ce1c8c9012e88bfbd6090f0323d3778ffd05a43c11e78fe5?environmentId=100
Contacted Hosts
64.71.33.107
185.17.120.166
185.129.148.56
178.209.51.223
52.42.26.69
52.85.184.195
35.160.111.237
91.198.174.192
91.198.174.208

___

One -billion- users affected - Yahoo hack
- https://www.helpnetsecurity.com/2016/12/15/one-billion-yahoo-hack/
Dec 15, 2016 - "Yahoo has revealed that it’s been the victim of -another- hack and massive data breach that resulted in the compromise of information of a -billion- users... Outside forensic experts that have been called in to help with the investigation believe that this breach happened in August 2013, and that it’s likely -not- been performed by the same attackers as the 2014 breach disclosed this September. In addition to this, the company says that attackers have accessed the company’s proprietary code, which allowed them to learn how to -forge-cookies- and to, therefore, be able to access user accounts -without- a password... Yahoo says that they were unable to identify the intrusion associated with this latest data theft, but that it seems that data associated with more than one-billion- user accounts has been stolen..."
* https://help.yahoo.com/kb/account/SLN27925.html?impressions=true
Dec 14, 2016

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster

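To show how the two sources in this post fit together, here is an added example (not code from the posts, nor from dynamoo or myonlinesecurity): it takes dynamoo's recommended blocklist for the 'Amount Payable' run and the 'Contacted Hosts' lists from the two Hybrid Analysis reports quoted above, reports which contacted hosts the blocklist already covers (including the /24 recommended for the MWTV range), and lists unblocked hosts that recur across both unrelated samples. Treating such recurring hosts as probable sandbox or CDN background traffic rather than C2 is a heuristic assumed here, to be verified before anything is blocked or cleared.

```python
"""Cross-check a published C2 blocklist against sandbox 'Contacted Hosts' lists.

Added example; not code from the posts or the quoted blogs. The addresses are
copied from the post above; the 'recurring host = probable background noise'
heuristic is an assumption of this example, not a claim from the sources."""
from collections import Counter
from ipaddress import ip_address, ip_network

# dynamoo's recommended blocklist for the 'Amount Payable' run: a /24 for the
# MWTV range, single hosts for the rest.
BLOCKLIST = [
    ip_network(n) for n in ("86.110.117.155/32", "185.129.148.0/24", "185.17.120.166/32")
]

# 'Contacted Hosts' from the two Hybrid Analysis reports quoted in this post.
REPORTS = {
    "amount_payable_js": [
        "92.48.111.60", "185.129.148.56", "86.110.117.155",
        "52.42.26.69", "52.85.184.67", "52.35.54.251",
    ],
    "order_receipt_js": [
        "64.71.33.107", "185.17.120.166", "185.129.148.56", "178.209.51.223",
        "52.42.26.69", "52.85.184.195", "35.160.111.237",
        "91.198.174.192", "91.198.174.208",
    ],
}


def matching_prefix(host, blocklist=BLOCKLIST):
    """Return the blocklist network that covers host, or None."""
    addr = ip_address(host)
    for net in blocklist:
        if addr in net:
            return net
    return None


def correlate(reports, blocklist=BLOCKLIST):
    """For each report, split contacted hosts into blocklist hits and the rest;
    then list unblocked hosts that appear in more than one report."""
    hits, unblocked = {}, {}
    for name, hosts in reports.items():
        covered = {h for h in hosts if matching_prefix(h, blocklist) is not None}
        hits[name] = sorted(covered, key=ip_address)
        unblocked[name] = sorted(set(hosts) - covered, key=ip_address)
    counts = Counter(h for hs in unblocked.values() for h in hs)
    recurring = sorted((h for h, c in counts.items() if c >= 2), key=ip_address)
    return {"hits": hits, "unblocked": unblocked, "recurring_unblocked": recurring}


if __name__ == "__main__":
    result = correlate(REPORTS)
    for name in REPORTS:
        print(f"{name}: blocked={result['hits'][name]} other={result['unblocked'][name]}")
    print("unblocked hosts seen in more than one report:", result["recurring_unblocked"])
```

Re-running with the blocklist from a later post (the 'Payment Processing Problem' one adds 178.209.51.223) turns that address from an unblocked host in the 'Order Receipt' report into a hit; the hosts that recur across unrelated samples (52.42.26.69 here) are the ones to check against the sandbox's own infrastructure before adding them to any blocklist.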

FYI...

Fake 'document' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-copier-your-own-email-address-attached-document-malspam-delivers-locky-ransomware-again-today/
16 Dec 2016 - "Another -blank/empty- email with the subject of 'Attached document' pretending to come from copier@ your-own-email-address with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: copier@ your-own-email-address
Date: Fri 16/12/2016 09:57
Subject: Attached document
Attachment: 3867_002.docm


Body content: Completely empty/Blank

16 December 2016: 3867_002.docm - Current Virus total detections 12/56*
Payload Security** shows a download of an encrypted file from http ://fiddlefire .net/hjg766 which is converted by the script to loppsa2.aww ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ae1cd2f1554ac5c1cd7ca5e9a34cc46889c4998505bd4be86e688438b3d3e44e/analysis/1481882199/

** https://www.hybrid-analysis.com/sample/ae1cd2f1554ac5c1cd7ca5e9a34cc46889c4998505bd4be86e688438b3d3e44e?environmentId=100
Contacted Hosts
69.161.143.24
37.235.50.29
176.121.14.95
86.110.117.155
83.220.172.182
52.88.7.60
91.198.174.192
91.198.174.208

___

Fake 'Subscription' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/subscription-details-malspam-delivers-locky-ransomware/
16 Dec 2016 - "... an email with the subject of 'Subscription Details' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of user0989063.zip which delivers Locky ransomware... One of the emails looks like:
From: Cyril Levy <Levy.Cyril@ dragonflystudiosalon .com>
Date: Fri 16/12/2016 10:49
Subject: Subscription Details
Attachment: user0989063.zip
Dear mammoth, thank for you for subscribing to our service!
All payment and ID details are in the attachment.

16 December 2016: user0989063.zip: Extracts to: ~_P1EJYA_~.js - Current Virus total detections 4/55*
Payload Security** shows a download of an encrypted file from http ://rondurkin .com/c6w5pscmc which is converted by the script to jex1N6oXpYUpIQ.zk (VirusTotal 5/56***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5fc270095ad6314249b8ba7f58f0503c13c7aee05c21c69d637e20ecb231d08e/analysis/1481885511/

** https://www.hybrid-analysis.com/sample/794dcfdcc1362140eee6fcda11ddf239ab048a965bba634bb787321db9672cfa?environmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137


*** https://www.virustotal.com/en/file/336617cc35b116446f4a082dfa04985e9d01999abd4c72755ccc31eb46a70992/analysis/1481886225/
___

Fake 'Processing Problem' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malware-spam-payment-processing-problem.html
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Juliet Langley
Date: 15 December 2016 at 23:17
Subject: Payment Processing Problem
Dear [redacted],
We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
The receipt is in the attachment. Please study it and contact us.
King Regards,
Juliet Langley


The name of the sender will vary as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js... the scripts download a component...
(Long list of domain-names at the dynamoo URL above.)
The malware then phones home to the following locations:
185.129.148.56 /checkupdate (MWTV, Latvia)
178.209.51.223 /checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119 /checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)
Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119
"

- https://myonlinesecurity.co.uk/payment-processing-problem-malspam-delivers-locky/
15 Dec 2016 - "... an email with the subject of 'Payment Processing Problem' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of MPay7197337.zip which delivers Locky ransomware... One of the emails looks like:
From: Kristie Soto <Soto.Kristie@ kadgraphics .com>
Date: Thu 15/12/2016 22:33
Subject: Payment Processing Problem
Attachment: MPay7197337.zip
Dear adkins,
We have to inform you that a problem occured when processing your last payment (code: 7197337-M, $454.$86).
The receipt is in the attachment. Please study it and contact us.
King Regards,
Kristie Soto


15 December 2016: MPay7197337.zip: Extracts to: ~_7XXTOQ_~.js - Current Virus total detections 3/55*
Payload Security** shows a download of an encrypted file from http ://ustadhanif .com/q0w93lkrvp
which is converted by the script to HNUsEBnh.zk (VirusTotal 6/57***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8a192f7378003d0eea4ab08f127021297dd4eb7f428c8375a312269bcbe43825/analysis/1481842328/

** https://www.hybrid-analysis.com/sample/8a192f7378003d0eea4ab08f127021297dd4eb7f428c8375a312269bcbe43825?environmentId=100
Contacted Hosts
208.75.151.108
37.235.50.119
52.85.184.150


*** https://www.virustotal.com/en/file/7e87fd6074f6a18791adcea5f78d6fdb54f5207e3ba0442e716bdf32b7011a18/analysis/1481843139/
___

Malvertising compromises routers instead of computers
- https://www.helpnetsecurity.com/2016/12/16/malvertising-campaign-compromises-routers/
Dec 16, 2016 - "The DNSChanger exploit kit is back and more effective than ever, and is being used in a widespread malvertising attack whose goal is to compromise small/home office routers. According to Proofpoint* researchers, the attacker’s current main goal is to change DNS records on the target router, so that it queries the attacker’s rogue DNS servers, and the users are served with ads that will earn the attackers money:
> https://www.helpnetsecurity.com/images/posts/dnschanger-attack.jpg
... Using ad-blocking software should also minimize the risk of getting hit through this and other malvertising campaigns. According to Kafeine**, the current one is successfully targeting Chrome browser users on Windows desktops and Android devices. Also, this is not the first time that attackers are successfully using steganography to deliver and run malicious code. Earlier this month, ESET researchers flagged a malvertising campaign that redirected users to the Stegano exploit kit through malicious code hidden in the pixels of the bad ads/banners."
* https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
"... Since the end of October, we have seen an improved version of the “DNSChanger EK” ** used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims' home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising..."
** http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'Payslip' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/payslip-for-the-month-dec-2016-malspam-delivers-locky/
19 Dec 2016 - "An email with the subject of 'Payslip for the month Dec 2016' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: JASMINE DICKEY <jasmine.dickey@ ejmbcommercial .com>
Date: Mon 19/12/2016 09:50
Subject: Payslip for the month Dec 2016.
Attachment: Payslip_Dec_2016_5490254.doc
Dear customer,
We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.


19 December 2016: Payslip_Dec_2016_5490254.doc - Current Virus total detections 11/53*
Payload Security** shows a download of an encrypted file from http ://routerpanyoso.50webs .com/8hrnv3 which is converted by the script to shtrina2.ero (VirusTotal 12/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/91b7124597531d4de057abd1b6e43e2c3ebd2e4defb3cf9485bd8b2a9c1a02fc/analysis/1482144602/

** https://www.hybrid-analysis.com/sample/91b7124597531d4de057abd1b6e43e2c3ebd2e4defb3cf9485bd8b2a9c1a02fc?environmentId=100
Contacted Hosts
162.210.101.94
193.201.225.124
46.148.26.82
188.127.237.76
176.121.14.95
52.39.24.163
52.85.184.92
91.198.174.192
13.82.139.29
91.198.174.192
91.198.174.208


*** https://www.virustotal.com/en/file/a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3/analysis/1482144877/

- http://blog.dynamoo.com/2016/12/malware-spam-payslip-for-month-dec-2016.html
19 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: PATRICA GROVES
Date: 19 December 2016 at 10:12
Subject: Payslip for the month Dec 2016.
Dear customer,
We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.


The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55*. This Hybrid Analysis** clearly shows Locky ransomware in action when the document is opened. According to my usual reliable source, the various versions of this download a component...
(Long list of domain-names shown at the dynamoo URL above.)
... The malware then phones home to one of the following locations:
176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
193.201.225.124 /checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76 /checkupdate (SmartApe, Russia)
46.148.26.82 /checkupdate (Infium, Latvia / Ukraine)
A DLL is dropped with a detection rate of 12/52***.
Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82
"
* https://virustotal.com/en/file/17e89651bb35aba8a89b527c3f1c8a2bca1d06e3e070c8f2e11bfaa0c0600533/analysis/1482147232/

** https://www.hybrid-analysis.com/sample/17e89651bb35aba8a89b527c3f1c8a2bca1d06e3e070c8f2e11bfaa0c0600533?environmentId=100
Contacted Hosts
193.201.225.124
188.127.237.76
46.148.26.82
176.121.14.95
52.85.184.12


*** https://virustotal.com/en/file/a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3/analysis/
___

Fake 'LogMeIn' SPAM - delivers malware
- https://myonlinesecurity.co.uk/logmein-account-notification-ip-blocked-malspam-delivers-malware/
19 Dec 2016 - "The email looks like:
From: LogMeIn.com Auto-Mailer <noreply@ ssl-logmein .com>
Date: Mon 19/12/2016 17:10
Subject: LogMeIn Account Notification – Ip blocked
Attachment: -Link-in-email-body- downloads notification_recipients_name.doc
Your IP has been blocked from using the LogMeIn website after too many failed log-in attempts.
Account holder: keith@[redacted]
Event: IP blocked
At: Mon, 19 Dec 2016 19:09:37 +0200
To clear the IP address lockout, please follow the instructions...


Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/offfice-enable-editing.png

19 December 2016: notification_keith.doc - Current Virus total detections 3/54*
Payload Security **. The link-in-the-email is to http ://www .celf .jp/wp-content/themes/i-max/api/get.php?id=recipients email address encoded in base 64... The domain ssl-logmein .com was registered -today- 19 December 2016 via a Chinese registrar to a Bulgarian entity (IP address listed as 1.1.1.1). The emails are actually coming via a botnet of infected/compromised computers and servers... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c56ff7309ed75a4f416e6116f5a3777e15107811085ba96f7ca7f210d6780c14/analysis/1482167739/
Trojan:W97...

** https://www.hybrid-analysis.com/sample/c56ff7309ed75a4f416e6116f5a3777e15107811085ba96f7ca7f210d6780c14?environmentId=100
Contacted Hosts
23.21.228.240
80.78.251.134
212.24.98.247


ssl-logmein .com: 1.1.1.1: https://www.virustotal.com/en/ip-address/1.1.1.1/information/
> https://www.virustotal.com/en/url/9871e5fb836e10cff16a5ec95587fdf449fd8bd8703f6f2dbbf3849f59e7a4a5/analysis/

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'printing' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-moonbake-inc-for-printing-malspam-delivers-locky-ransomware/
20 Dec 2016 - "An email spoofing Moonbake Inc with the subject of 'for printing' coming from random senders with a malicious Excel XLS spreadsheet attachment delivers Locky... One of the emails looks like:
From: HILLARY TATEHAM <hillary.tateham@ stonelawassociates .Com>
Date: Tue 20/12/2016 09:47
Subject: for printing
Attachment: Certificate_2373.xls
Hi,
For printing.
Thank you so much.
HILLARY TATEHAM Cristobal HRD/Admin Officer
Moonbake Inc. 14 Langka St., Golden Acres Talon 1
Las Piñas City, Philippines ...


20 December 2016: Certificate_2373.xls - Current Virus total detections 5/56*
Payload Security** shows a download of an encrypted file from http ://yorkshire-pm .com/hjv56 which is converted by the script to momerk2.vip (VirusTotal 9/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do. Manual analysis shows these download locations:
yorkshire-pm .com/hjv56
isriir .com/hjv56
noosnegah .com/hjv56 ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a7b6a31482ae8ff7d607390deaf57bcfd488e98b5fd5598abc1ecaac099b9603/analysis/1482227222/

** https://www.hybrid-analysis.com/sample/a7b6a31482ae8ff7d607390deaf57bcfd488e98b5fd5598abc1ecaac099b9603?environmentId=100
Contacted Hosts
103.11.101.46
91.223.180.3
188.127.239.48
193.201.225.124
54.239.168.79


*** https://www.virustotal.com/en/file/3f474165756cfb12f459379420447e397e966fc4b665c1ec90d894772926f893/analysis/1482228007/
___

Fake 'Scan' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-lumax-industries-ltd-scan-malspam-delivers-locky/
20 Dec 2016 - "... an email spoofing Lumax Industries Ltd. with the subject of 'Scan' pretending to come from random companies, names and email addresses with a random named zip attachment which delivers Locky ransomware...

Screenshot: https://i0.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/spoofed-lumax-industries-email.png?w=896&ssl=1

20 December 2016: 07cff4edf9a.zip: Extracts to: r9a2aa5cdfcbabe8bbbfc598cd334abb.wsf
Current Virus total detections 9/55*. Payload Security** shows a download of an encrypted file from
http ://www.judo-hattingen .de /hjv56?lktttKC=koHaQOx which is converted by the script to pYmpJfsNiM1.dll which unfortunately the free web version of Payload security does not make available for download... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e07e2bbc8f9b23c5881d9305014cc4e6670b8a8965136e584a9cad43d3dba21e/analysis/1482248792/

** https://www.hybrid-analysis.com/sample/e07e2bbc8f9b23c5881d9305014cc4e6670b8a8965136e584a9cad43d3dba21e?environmentId=100
Contacted Hosts
91.250.102.57
176.121.14.95
193.201.225.124
52.32.150.180
52.85.184.12

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'Secure Comm' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-commbank-secure-communication-delivers-malware/
21 Dec 2016 - "An email spoofing CommBank with the subject of 'Secure Communication' coming from < secure.message@ commbanksecureemail .com > with a malicious word doc attachment delivers Trickbot banking Trojan...

Screenshot: https://i1.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2016/12/commbank-secure-message.png?resize=1024%2C805&ssl=1

21 December 2016: Message.doc - Current Virus total detections 14/54*
Payload Security** shows a download from http ://onsitepcinc .com/images/344bzhmyVYyWz7NqRpfuunqXxjkseLhdmy.png which is -not- a png (image file) but a renamed .exe that is renamed by the script to wynrajo.exe (VirusTotal 22/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b989d3fc3596fcfbf33f4579f91366bbcddc948fb4195fb1d195c60a6762ddcf/analysis/1482306465/

** https://www.hybrid-analysis.com/sample/b989d3fc3596fcfbf33f4579f91366bbcddc948fb4195fb1d195c60a6762ddcf?environmentId=100
Contacted Hosts
65.108.116.221
78.47.139.102
36.37.176.6
201.236.219.180
144.76.249.26


*** https://www.virustotal.com/en/file/5045b95b39d1481f06a520d18d4635c3f79458830a8441f1b945103d6e79714a/analysis/1482314962/
___

Fake 'Photo' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/photo-from-random-girl-malspam-delivers-locky/
21 Dec 2016 - "... another -blank- empty email with the subject of 'Photo' from {random Girl’s name} pretending to come from names and email addresses with a semi-random named zip attachment in the format of IMG-date-WA1234.zip which delivers Locky ransomware... One of the emails looks like:
From: Glenna <Glennaherron3424@ syprotek .com>
Date: Wed 21/12/2016 09:32
Subject: Photo from Glenna
Attachment: IMG-20161221-WA4646.zip

Body content: totally blank/Empty

21 December 2016: IMG-20161221-WA4646.zip: Extracts to: A87D1FCF.wsf - Current Virus total detections 8/55*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/11261ce07393393e43e2ef5e0cabfa1d58ecb314b98028228d981f83b44ea3f5/analysis/1482312946/

** https://www.hybrid-analysis.com/sample/11261ce07393393e43e2ef5e0cabfa1d58ecb314b98028228d981f83b44ea3f5?environmentId=100
Contacted Hosts
103.232.120.79
176.121.14.95
52.42.26.69
54.240.162.130
52.35.54.251

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'scanned copy' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/scanned-copy-malspam-should-deliver-locky-ransomware/
22 Dec 2016 - "... another -blank/empty- email with the subject of 'scanned copy' pretending to come from random names and email addresses with a semi-random named zip attachment in the format of HP0000000937.zip delivers Locky ransomware... One of the emails looks like:
From: jeanne whitehorne <jeanne.whitehorne@ owdv .net>
Date: Thu 22/12/2016 03:55
Subject: scanned copy
Attachment: HP0000000937.zip


Body content: totally blank/empty

22 December 2016: HP0000000937.zip: Extracts to: JFF38A.vbs - Current Virus total detections 8/55*
Payload Security** shows a download of an encrypted file from http ://www .dvdpostal .net/result ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d8758da1d4408465de8b8231e34bf7536e7ffc0c83a46013db4f728401d9be68/analysis/1482379501/

** https://www.hybrid-analysis.com/sample/d8758da1d4408465de8b8231e34bf7536e7ffc0c83a46013db4f728401d9be68?environmentId=100
Contacted Hosts
213.0.77.6
176.121.14.95
52.88.7.60
54.240.162.173
35.160.111.237

___

Fake 'Bestbuy' SPAM - delivers malware
- https://myonlinesecurity.co.uk/your-bestbuy-item-is-due-for-delivery-on-22th-december-malspam-tries-to-deliver-malware/
22 Dec 2016 - "... an email with the subject of 'Your Bestbuy item is due for delivery on 22th December' pretending to come from random names at yahoo .com with a random named zip attachment which tries to deliver some sort of malware. This zip file extracts to another zip file before it extracts to the .js file... One of the emails looks like:
From: josecastillo2344@ yahoo .com
Date: Thu 22/12/2016 08:56
Subject: Your Bestbuy item is due for delivery on 22th December
Attachment: ECIOPZiodlxc.zip
On the morning 22th of December you’ll be delivered a window and you’ll have the possibility to track your request on its way to your address.
Please make sure someone is available to sign for your delivery.
Pack delivery info and your contact data is in the file attached to this letter.
If you will be out, it’s not a problem: you have a range of ‘in-flight’ options like changing your delivery time collecting from the nearest DPD Pickup Shop, asking us to deliver to one of your frients or arranging to have your item delivered to a safe place at your work address.

22 December 2016: ECIOPZiodlxc.zip: Extracts to: ECIOPZiodlxc.js - Current Virus total detections 3/54*
Payload Security** shows a download of an encrypted file from http ://optimastop .eu/castle/map which is currently giving me a 403 forbidden. It does show it wants to use BITS transfer and it is possible that a standard http get is blocked... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6678f9d2e65b8ef687fe40693f88d71b526a2f119b2337882a63236bd15ef285/analysis/1482399844/
Troj.Downloader.Js...

** https://www.hybrid-analysis.com/sample/6678f9d2e65b8ef687fe40693f88d71b526a2f119b2337882a63236bd15ef285?environmentId=100

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster

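The loader chain repeated through the Locky write-ups above (the .js/.vbs/.wsf script or the Office macro drops a file with an odd extension such as .zk, .aww, .ero or .vip and hands it to rundll32.exe) is the kind of thing an endpoint rule can catch on process-creation telemetry. The following is an added example, not code from the posts or the quoted blogs: it scores constructed Sysmon-style process-creation events and flags rundll32.exe invocations whose module is not a DLL-type file, whose parent is a script host or Office application, or whose module sits under a Temp directory. The event field names, the user paths and the export name 'Export1' are assumptions made for the example; the dropped-file names are taken from the posts.

```python
"""Flag the rundll32 loader pattern from the Locky write-ups: a script host
(.js/.vbs/.wsf attachments) or an Office process (.docm/.xls macros) runs
rundll32.exe on a dropped file whose extension is not a DLL extension
(.zk, .aww, .ero, .vip, a number, ...).

Added example; not code from the posts or the quoted blogs. The events are
constructed in a Sysmon Event ID 1 shape (Image, ParentImage, CommandLine);
the export name 'Export1' and the user paths are assumptions."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_PARENTS = SCRIPT_HOSTS | OFFICE_APPS
# Module types rundll32 loads in normal use; anything else is worth a look.
DLL_EXTENSIONS = {"dll", "cpl", "ocx", "ax", "drv"}

# rundll32 image (quoted or bare, with or without .exe) followed by its arguments.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(?P<rest>.+)$',
    re.IGNORECASE,
)


def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None if the
    command line is not a rundll32 invocation with an argument."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group("rest").lstrip()
    if not rest:
        return None
    if rest.startswith('"'):
        close = rest.find('"', 1)
        module = rest[1:close] if close > 0 else rest[1:]
    else:
        module = rest.split()[0]
    # An entry point, if given, follows the path after a comma: path,Export
    return module.split(",", 1)[0]


def assess(event):
    """Score one process-creation event. Returns None when nothing is odd."""
    if PureWindowsPath(event["Image"]).name.lower() != "rundll32.exe":
        return None
    module = rundll32_module(event["CommandLine"])
    if module is None:
        return None
    ext = PureWindowsPath(module).suffix.lower().lstrip(".")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    reasons = []
    if ext not in DLL_EXTENSIONS:
        reasons.append(f"module extension '{ext or '(none)'}' is not a DLL extension")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent {parent} is a script host or Office application")
    if "\\temp\\" in module.lower():
        reasons.append("module loaded from a Temp directory")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 else "medium"
    return {"module": module, "severity": severity, "reasons": reasons}


def triage(events):
    """Return (index, verdict) for every event that assess() flags."""
    flagged = []
    for i, event in enumerate(events):
        verdict = assess(event)
        if verdict is not None:
            flagged.append((i, verdict))
    return flagged


# Constructed sample events (assumed Sysmon-like field names and paths).
SAMPLE_EVENTS = [
    # .js from a zip attachment hands a '.zk' DLL to rundll32: the Locky chain
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Users\enrico\AppData\Local\Temp\RJJvCX8vggvNw4PW.zk,Export1"},
    # Word macro variant, quoted path
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\adkins\AppData\Local\Temp\loppsa2.aww",Export1'},
    # Benign Control Panel launch from Explorer
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # Script host calling a real system DLL: odd parent only, medium
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"rundll32.exe user32.dll,LockWorkStation"},
    # Not rundll32 at all; ignored by this rule
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\enrico\AppData\Local\Temp\~_4RYT3KP_~.js"'},
]

if __name__ == "__main__":
    for i, v in triage(SAMPLE_EVENTS):
        print(i, v["severity"], v["module"], "; ".join(v["reasons"]))
```

Extension alone is a weak signal (rundll32 will happily load a DLL under any name, and some installers do), which is why the parent process and the Temp path are scored alongside it; the first two sample events trip all three and come out as high, the logon-script style user32.dll call is medium on parent alone, and the Control Panel launch is not flagged.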

FYI...

Tech support phone SCAM
- http://blog.dynamoo.com/2016/12/02085258899-tech-support-scam-using.html
23 Dec 2016 - "If these people ring you DO -NOT- GIVE THEM ACCESS TO YOUR PC and either hang up - or waste their time like I do. It seems there are some prolific technical support scammers ringing from 02085258899 pretending to be from BT. They had a very heavy Indian accent, and they have made many silent calls to my telephone number before today. They -claim- that hackers are accessing my router. I wasted 37 minutes of their time, these are some of the steps to watch out for..
1. They get you to open a command prompt and type ASSOC which brings up a big long list of file associations, in particular they seem interested in one that says .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
2. Then they get you to bring up the Event Viewer by typing EVENTVWR and then clicking "Custom Views" and "Administrative Events". This is a log file that will always show a whole bunch of meaningless errors (such as network faults). It's quite normal for this to look quite bad to the untrained eye.
3. Then in order they try to get you to connect to the following services to take remote control of your PC: www .anydesk .com, www .teamviewer .com and www .supremofree .com. All of these are legitimate services, but I have to confess I'd never heard of the last one.. so I will add it to my corporate blacklist.
4. When those didn't work they tried directing me to a proxy at hide .me/proxy and www .hide .me/proxy (the same thing I know) which is probably another candidate for blocking.
Of course, once they have access to your PC they will try to convince you that you need to -pay- them some money for technical support. Be warned, that they can render-your-PC-unusable if you don't pay, and they can also steal confidential data. Despite how many times they may tell you they are from BT, they are not.. they are simply fraudsters."
___

Fake 'eFax' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-efax-from-scanner-at-your-own-email-address-malspam-delivers-unknown-malware/
22 Dec 2016 - "... another email spoofing eFax with the subject of 'You have recevied a message' pretending to come from faxscanner scanner@ your-own-email-address with a semi-random named zip attachment in the format of Message efax system-1701.zip which delivers an unknown malware. Indications are that this could be Trickbot or could be Dridex banking Trojan... One of the emails looks like:
From: Fax Scanner <scanner @ your-email-address>
Date: Thu 22/12/2016 20:51
Subject: You have recevied a message
Attachment: Message efax system-1701.zip
You have received a message on efax.
Please download and open document attached.
Scanner eFax system.


22 December 2016: Message efax system-1701.zip: Extracts to: Message efax system-2817.js
Current Virus total detections 4/53*. Payload Security** shows a download of ntntoto1].png (but doesn’t give the download url) which is renamed by the script to QE7JlpDt.exe (VirusTotal 29/56***). The js file is heavily obfuscated and almost impossible to human read and decrypt. Update: MALWR[4] gave me ‘http ://glendaleoffice .com/js/ntntoto.png’ as the download location... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dedf48735fa9bcb628d351b1d5f6f2e55d99c4afbf4705d287c21dd7c54e89e9/analysis/1482441908/

** https://www.hybrid-analysis.com/sample/dedf48735fa9bcb628d351b1d5f6f2e55d99c4afbf4705d287c21dd7c54e89e9?environmentId=100
Contacted Hosts
78.47.139.102
36.37.176.6
201.236.219.180


*** https://www.virustotal.com/en/file/b9d9fcb7717a40eecd83918a46def475d5861ad0aa6b7eeac7eb5f5c518d9c29/analysis/

4] https://malwr.com/analysis/MGQ1ZTFiZWEwMjFlNDkyMjk3NWEwZDgwMDIxODEwMmU/
Hosts


glendaleoffice .com: 69.67.54.86: https://www.virustotal.com/en/ip-address/69.67.54.86/information/
> https://www.virustotal.com/en/url/4eb0751aaeea7e640b6957cb64cf8c24901b9d34f1917b2536a1c0fb6195d12e/analysis/

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'USPS' SPAM - delivers Locky, Kovter, other malware
- https://myonlinesecurity.co.uk/spoofed-usps-unable-to-deliver-malspam-continues-to-deliver-locky-kovter-and-other-malware/
27 Dec 2016 - "... malware gang spoofing FedEx, USPS and every other courier, delivery or postal service, sending thousands of 'Courier was not able to deliver your parcel' and hundreds of variants or similar subjects like 'USPS issue #06914074: unable to delivery parcel'... Some subjects seen, all have random numbers, include:
USPS issue #06914074: unable to delivery parcel
Parcel #006514814 shipment problem, please review
USPS parcel #3150281 delivery problem
Courier was not able to deliver your parcel (ID006976677, USPS)
Parcel 05836911 delivery notification, USPS

... malware downloaders spoofing USPS pretending to be a message saying cannot deliver the parcel. These deliver Locky ransomware and Kovter Trojans amongst others...

27 December 2016: Delivery-Details-06914074.zip: Extracts to: Delivery-Details-06914074.doc.wsf
Current Virus total detections 7/55*. Payload Security** shows a download from
http ://boardedhallgreen .com/counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7
which gives counter.js (VirusTotal 1/55***) that in turn downloads from
http ://baltasmenulis .lt/counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01 (and 02 – 05).
The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file (counter.js on your computer, that is run directly from temp internet files). It downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files, but it is rare for the site giving counter.js to actually download from itself; normally that downloads from a different site on the list. All the files (apart from the original counter.js) pretend to be png (image files). They are actually all renamed .exe files or, in the case of number 3, a -renamed- php script. Both of the innocent files are misused to run the malware. This is a very noisy malware set that contacts 4 domains and -179- hosts. View the network section on the Payload Security report[4] for more details... One of the emails looks like:
From: USPS Priority Delivery <steven.kent@ confedampa .org>
Date: Tue 27/12/2016 06:57
Subject: USPS issue #06914074: unable to delivery parcel
Attachment: Delivery-Details-06914074.zip
Dear Customer,
Your item has arrived at December 25, but our courier was not able to deliver the parcel.
You can download the shipment label attached!
Thank you for your assistance in this matter,
Steven Kent,
USPS Chief Delivery Manager.


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb/analysis/1482822876/

** https://www.hybrid-analysis.com/sample/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb?environmentId=100

*** https://www.virustotal.com/en/file/7f7a853245e8e20aea599f9bb1ed4fcf4afcaccf7dc42063820993458fb49a21/analysis/1482824922/

4] https://www.hybrid-analysis.com/sample/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb?environmentId=100#sample-network-traffic
Contacted Hosts (179)
___

Fake 'FedEx' SPAM - delivers Locky and other malware
- https://myonlinesecurity.co.uk/more-spoofed-fedex-unable-to-deliver-your-parcel-malspam-delivering-locky-and-multiple-other-malwares/
25 Dec 2016

> https://www.hybrid-analysis.com/sample/956bba1467c1f08d6f31c3c16af10b915f1e4e82241ca057dffeba4d276ede8e?environmentId=100#sample-network-traffic
Contacted Hosts (170)

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'FedEx/USPS' SPAM - Kovter/Locky sites
- https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
28 Dec 2016 - "Following on from these [FEDEX(1)] [USPS(2)] posts describing the Spoofed FedEx and USPS (and other delivery services from time to time), I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each day's new sites to the lists, but please remember that old sites are -reused-daily- until taken down by their hosts. -All- the sites used in this malware spreading campaign are -hacked/compromised- sites.
1] https://myonlinesecurity.co.uk/more-spoofed-fedex-unable-to-deliver-your-parcel-malspam-delivering-locky-and-multiple-other-malwares/

2] https://myonlinesecurity.co.uk/spoofed-usps-unable-to-deliver-malspam-continues-to-deliver-locky-kovter-and-other-malware/

The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file (counter.js by searching on your computer, that is run directly from temp internet files). Counter.js then downloads a different -variant- of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files, but it is rare for the site delivering counter.js to actually download from itself; normally that downloads from a different site on the list. All the files (apart from the -original- counter.js) pretend to be png (image files). They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. To get the -second- counter.js you need to change the &r=01 at the end of the url to &m=01 (or 02-05). This -second- counter.js contains -additional- sites to download from, which frequently includes sites from the previous days' lists that are not already included in the WSF or first counter.js.
I only accidentally found out about the second/3rd/4th/5th counter.js when I made a mistake in manually decoding the original wsf file (and the original counter.js) and mistyped/miscopied the &r= and used &m= instead. Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim’s computer when urls or sites are known about and -blocked- by an antivirus or web filter service.

25 December 2016: (Payload Security report [3]) Contacted Hosts (170)

/counter/?a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&m=9488599&i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ
/counter/?i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ&a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&r=01

27 December 2016: (Payload Security report[4]) Contacted Hosts (179)

/counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7
/counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01

28 December 2016: (Payload Security report[5]) Contacted Hosts (174)
thanepoliceschool .com: 166.62.27.146: https://www.virustotal.com/en/ip-address/166.62.27.146/information/
chimie.iset-liege .be: 213.186.33.17: https://www.virustotal.com/en/ip-address/213.186.33.17/information/
partnersforcleanstreams .org: 192.186.205.128: https://www.virustotal.com/en/ip-address/192.186.205.128/information/

/counter/?a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&m=8429816&i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE
/counter/?i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE&a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&r=01 "

3] https://www.hybrid-analysis.com/sample/956bba1467c1f08d6f31c3c16af10b915f1e4e82241ca057dffeba4d276ede8e?environmentId=100

4] https://www.hybrid-analysis.com/sample/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb?environmentId=100

5] https://www.hybrid-analysis.com/sample/db78af048f241294b13925b33a33b088642110f51d2a0f14116d902a68a97eb3?environmentId=100
___

29 December 2016: (Payload Security report[6]) Contacted Hosts (169)

/counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

/counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

> 2nd version today (Payload Security Report[7]) Contacted Hosts (7)

/counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

/counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

6] https://www.hybrid-analysis.com/sample/9d8fe4f9408d5936deaf20d03caf0a96d589a2e495ebf5f70a1d1ad499f608fc?environmentId=100

7] https://www.hybrid-analysis.com/sample/69a5826fb1cf3c06d8e7971fb7a9668e4b8c28c7bf3df120afe3fed52a9f42ef?environmentId=100

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster
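A defender-side triage script for the /counter/ download chain described in this post and in the 27 December one: it classifies proxy-log requests by the a/m/i/r parameters the posts describe, groups them by the constant a= value, and flags stages that had to be retried against a second host (the fallback behaviour the posts mention). This is an added example, not code from the original posts or from myonlinesecurity.co.uk; the log format, hostnames and log lines are constructed, and the stage labels are my own.

```python
"""Triage of the /counter/?a=..&m=..&i=.. downloader chain in proxy logs.

Added example; the log format "<timestamp> <client> <url>" is hypothetical
and the sample lines below are constructed. Parameter names a, m, i, r and
the 01..05 stage numbers are taken from the posts.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

STAGES = {f"{n:02d}" for n in range(1, 6)}  # the 01..05 file numbers from the posts

# Constructed sample log: one client walks the chain, retrying stage 01 on a
# second host; two unrelated requests are included so the filter is exercised.
SAMPLE_LOG = """\
2016-12-27T06:58:01Z 10.0.0.12 http://example-a.invalid/counter/?a=1AAAAcampaignKey&m=3254807&i=OPAQUE1
2016-12-27T06:58:02Z 10.0.0.12 http://example-b.invalid/counter/?i=OPAQUE1&a=1AAAAcampaignKey&r=01
2016-12-27T06:58:03Z 10.0.0.12 http://example-c.invalid/counter/?i=OPAQUE1&a=1AAAAcampaignKey&r=01
2016-12-27T06:58:04Z 10.0.0.12 http://example-c.invalid/counter/?i=OPAQUE1&a=1AAAAcampaignKey&r=02
2016-12-27T06:58:05Z 10.0.0.12 http://example-d.invalid/counter/?=&i=OPAQUE1&a=1AAAAcampaignKey&m=01
2016-12-27T06:59:00Z 10.0.0.33 http://shop.example.invalid/counter/?page=2
2016-12-27T06:59:10Z 10.0.0.33 http://cdn.example.invalid/images/logo.png
"""


def classify(url):
    """Map one URL to (campaign_key, stage) or None if it is not part of the chain.

    Stage labels (this example's own names):
      counter1     a + numeric m + i, no r   -> the first counter.js
      payload-NN   i + a + r=01..05          -> the renamed .exe / .php files
      counter2-NN  i + a + m=01..05          -> the second counter.js variant
    """
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/counter"):
        return None
    # parse_qs drops the empty "=&" pair seen in one of the 29 December URLs
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "a" not in q or "i" not in q:
        return None
    if q.get("r") in STAGES:
        return q["a"], "payload-" + q["r"]
    if q.get("m") in STAGES:
        return q["a"], "counter2-" + q["m"]
    if q.get("m", "").isdigit():
        return q["a"], "counter1"
    return None


def triage(log_text):
    """Group matching requests by campaign key; keep client and (host, stage) order."""
    chains = defaultdict(lambda: {"clients": set(), "requests": []})
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # malformed line: skip rather than crash the sweep
        _ts, client, url = fields
        hit = classify(url)
        if hit is None:
            continue
        key, stage = hit
        chains[key]["clients"].add(client)
        chains[key]["requests"].append((urlsplit(url).hostname, stage))
    return dict(chains)


def fallback_hosts(chain):
    """Stages fetched from more than one host, in the order tried.

    Every host but the last for a stage failed to serve that file, so the
    client moved down the site list; those hosts were likely already cleaned
    or blocked, while the last one is the live delivery site.
    """
    hosts_by_stage = defaultdict(list)
    for host, stage in chain["requests"]:
        if host not in hosts_by_stage[stage]:
            hosts_by_stage[stage].append(host)
    return {s: h for s, h in hosts_by_stage.items() if len(h) > 1}


if __name__ == "__main__":
    for key, chain in triage(SAMPLE_LOG).items():
        print(key, sorted(chain["clients"]), chain["requests"])
        print("retried stages:", fallback_hosts(chain))
```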


FYI...

Fake 'FedEx/USPS' SPAM - updates
- https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
28 Dec 2016

___

Updated Sundown EK ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploit-kit-uses-steganography/
Dec 29, 2016 - "... On December 27, 2016, we noticed that Sundown was updated... The PNG files weren’t just used to store harvested information; the malware designers now used -steganography- to hide their exploit code. The newly updated exploit kit was used by multiple-malvertising-campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/12/sundown-steganography-1.jpg
... previous Sundown versions directly connected victims to the Flash-exploit-file on their landing page. In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page. The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code... we found that it included the exploit code targeting CVE-2015-2419, a vulnerability in the JScript handling of Internet Explorer. A Flash exploit for CVE-2016-4117 is also retrieved by the exploit code. The landing page itself includes an exploit targeting another Internet Explorer (IE) vulnerability, CVE-2016-0189... The Sundown exploit kit exploits vulnerabilities in Adobe Flash and JavaScript, among others... Indicators of Compromise: The following domains were used by the Sundown Exploit kit with the matching IP addresses:
xbs.q30 .biz (188.165.163.228)
cjf.0340 .mobi (93.190.143.211)
The Chthonic sample has the following SHA1 hash:
c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9
The sample also used the following C&C server:
pationare .bit"

pationare .bit: 'Could not find an IP address for this domain name.'

188.165.163.228: https://www.virustotal.com/en/ip-address/188.165.163.228/information/

93.190.143.211: https://www.virustotal.com/en/ip-address/93.190.143.211/information/

:ph34r: :ph34r: :grrr:


FYI...

Fake 'FTC' SPAM - ransomware
- https://myonlinesecurity.co.uk/spoofed-ftc-consumer-complaint-notification/
3 Jan 2017 - "... an email with the subject of 'Consumer complaint notification' pretending to come from Federal Trade Commission <ftc.mvUJw@ ftc .gov.uk>... this is a ransomware version. Techhelplist* has kindly helped out and run the sample on a test system and got this very seasonal screenshot:
* https://twitter.com/Techhelplistcom/status/816316984371646469
... The domain “ftc .gov.uk” does -not- exist... The link-in-the-email goes to:
http ://govapego .com//COMPLAINT42084270.zip

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2017/01/ftc-1.png?resize=1024%2C574&ssl=1

3 January 2017: COMPLAINT42084270.zip: Extracts to: COMPLAINT.pdf.exe - Current Virus total detections 21/57*
Payload Security**..."
* https://www.virustotal.com/en/file/75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa/analysis/1483458092/
COMPLAINT.pdf.exe

** https://www.hybrid-analysis.com/sample/75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa?environmentId=100
Contacted Hosts
81.4.123.67: https://www.virustotal.com/en/ip-address/81.4.123.67/information/

govapego .com: 92.51.134.34: https://www.virustotal.com/en/ip-address/92.51.134.34/information/

:ph34r: :ph34r: :grrr:


FYI...

Blockchain - phish
- https://myonlinesecurity.co.uk/verify-your-wallet-blockchain-phishing/
4 Jan 2017 - "... don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Blockchain website but you can clearly see in the address bar, that it is fake. Some versions of this and similar phish will ask you fill in the html ( webpage) form that comes attached to the email. The link-in-the-email goes to
http:// 178.33.66.249 /~kudi/admin/blockchain/info/login.php .. which is an OVH German server..

Screenshot: https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2017/01/blockchain1.png?fit=1361%2C998&ssl=1

If you follow through, all they want is your email address and password but none of the other information that these phishing scams usually ask for:
> https://i2.wp.com/myonlinesecurity.co.uk/wp-content/uploads/2017/01/blockchain2.png?resize=1024%2C758&ssl=1.."

178.33.66.249: https://www.virustotal.com/en/ip-address/178.33.66.249/information/
> https://www.virustotal.com/en/url/533ca4115b4d1816c812673ac07bb8e6f169ab764ccf5f6f64f1a042707ef706/analysis/
Detection: 5/68

:ph34r: :ph34r: :grrr:


FYI...

Fake 'New Invoice' SPAM - Cerber ransomware
- https://myonlinesecurity.co.uk/new-invoice-2768-16-malspam-delivers-cerber-ransomware/
5 Jan 2017 - "... an email with the subject of 'New Invoice #2768-16'... pretending to come from what I assume are random companies, names and email addresses with a zip attachment containing a js file that eventually delivers Cerber ransomware... One of the emails looks like:
From: Janie Cain <asgard1234@ post .su>
Date:Thu 05/01/2017 17:25
Subject: New Invoice #2768-16
Attachment: info-inv.zip
This email is being sent in order to inform you that a new invoice has been generated for your account.
Please see the file that is attached.
The file is password protected to protect your information.
The password is 123456
Thank you.
Janie Cain


5 January 2017: info-inv.zip: Extracts to: info-inv.js - Current Virus total detections 12/54*
... Analysis by techhelplist[1] has found it to deliver Cerber ransomware. It downloads from 86.106.131.141 /10.mov which is a renamed .exe file that if you try to run manually would open windows media player instead, although the script file will run it successfully (VirusTotal 3/45**) (Payload Security ***) (MALWR [4]). This Cerber version contacts -576- hosts... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://twitter.com/Techhelplistcom/status/817105275580772353

* https://www.virustotal.com/en/file/83d741f46ed902d9ba9b364ea3edbb4b2e16078691d94d78c5845e3b40092c34/analysis/1483646751/

** https://virustotal.com/en/file/a7843fa467b3b912f85969e9e1a939639ae08a24b38152169509511b8d0642bb/analysis/

*** https://www.hybrid-analysis.com/sample/a7843fa467b3b912f85969e9e1a939639ae08a24b38152169509511b8d0642bb?environmentId=100
Contacted Hosts (576)

4] https://malwr.com/analysis/MTQ2NTI1ZjNjOTIxNDI0Mzk4ZDczOWYzMTg5NjBhOGI/

86.106.131.141: https://www.virustotal.com/en/ip-address/86.106.131.141/information/
> https://www.virustotal.com/en/url/92d7179d40a13f14c58f3f55c85b5fdfec770590c58b7f7853702439c2acf181/analysis/
___

Tech support SCAM - DoS on Macs
- https://blog.malwarebytes.com/101/mac-the-basics/2017/01/tech-support-scam-page-attempts-denial-of-service-via-mail-app/
Jan 5, 2017 - "... yet another 'technique' that targets Mac OS users running Safari... second variant appears to still be capable of opening up iTunes, without any prompt in Safari... IOCs:
safari-get[.]com: Could not find an IP address for this domain name
safari-get[.]net: 111.118.212.86: https://www.virustotal.com/en/ip-address/111.118.212.86/information/
> https://www.virustotal.com/en/url/4fcc11105a7e072a4ed4cf9efacaf7fbab339f1063cb94c8ddcec0f90c229831/analysis/
safari-serverhost[.]com: Could not find an IP address for this domain name
safari-serverhost[.]net: 111.118.212.86 "

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Merry X-Mas Ransomware
- https://isc.sans.edu/diary.html?storyid=21905
2017-01-09 - "... Merry X-Mas Ransomware was first reported as distributed through malicious spam (malspam) disguised as FTC consumer complaints*...
* https://myonlinesecurity.co.uk/spoofed-ftc-consumer-complaint-notification/
3 Jan 2017
By Sunday 2017-01-08, I saw an updated version of the Merry X-Mas Ransomware distributed through malspam disguised as 'court attendance' notifications. The malspam was a -fake- notification to appear in court. Email headers indicate the sender's address was -spoofed- and the email came from a cloudapp .net domain associated with Microsoft:
> https://isc.sans.edu/diaryimages/images/2017-01-09-ISC-diary-image-02.jpg
The -link- from the malspam downloaded a zip archive. The zip archive contained a Microsoft Word document with a malicious macro. If macros were enabled on the Word document, it downloaded and executed the ransomware.
Flow chart of the infection process:
> https://isc.sans.edu/diaryimages/images/2017-01-09-ISC-diary-image-03.jpg
... IoCs follow:
192.185.18.204 port 80 - neogenomes .com - GET /court/PlaintNote_12545_copy.zip [initial zip download]
81.4.123.67 port 443 - onion1 .host:443 - GET /temper/PGPClient.exe [ransomware binary]
168.235.98.160 port 443 - onion1 .pw - POST /blog/index.php [post-infection callback]
... Malspam with links to malware is a common threat. This is not an unusual method of malware distribution, and its holiday theme also fits the season... Still, we need to keep an ongoing dialog to promote awareness of this and other ransomware threats. Too many people continue to fall for it..."
(More detail at the isc URL above.)

192.185.18.204: https://www.virustotal.com/en/ip-address/192.185.18.204/information/

81.4.123.67: https://www.virustotal.com/en/ip-address/81.4.123.67/information/

168.235.98.160: https://www.virustotal.com/en/ip-address/168.235.98.160/information/
___

Fake 'Apple' SPAM - links to malware
- https://myonlinesecurity.co.uk/spoofed-apple-latest-security-checks-malspam-delivers-cerber-ransomware/
9 Jan 2016 - "... an email with the subject of 'Apple latest security checks' pretending to come from Support@ App .com... Link goes to ‘http ://bellinghamontap .com/apple.zip’... Attachment: Link in email...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/Apple-latest-security-check-1024x666.png

9 January 2017: apple.zip: Extracts to: apple.exe - Current Virus total detections 4/56*
Payload Security**. I am guessing from this report it is Cerber ransomware, by the number of IP addresses it contacts... The basic rule is NEVER open any attachment to an email -or- click-a-link in an email unless you are expecting it...."
* https://www.virustotal.com/en/file/501ce31d1fb6a161b960e4ddc7d2578582b3f20d37c838c42c6c4297b9ca8b7f/analysis/

** https://www.hybrid-analysis.com/sample/501ce31d1fb6a161b960e4ddc7d2578582b3f20d37c838c42c6c4297b9ca8b7f?environmentId=100
Contacted Hosts (576)

bellinghamontap .com: 192.254.185.196: https://www.virustotal.com/en/ip-address/192.254.185.196/information/
> https://www.virustotal.com/en/url/7864263c98e3cf989e7f71e52b6e9f8240299296128bfde5b98f4c825c96007e/analysis/

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'Certificate UPDATE' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-certificate-update-from-your-email-administrator-malspam-delivers-trickbot-banking-trojan/
10 Jan 2017 - "... an email with the subject of 'Certificate UPDATE' pretending to come from Administrator at your-own-email-address delivers Trickbot banking Trojan... One of the emails looks like:
From: Administrator <Administrator@ victim domain .tld >
Date: Tue 10/01/2017 01:25
Subject: Certificate UPDATE
Attachment: certificate.zip
**********Important – Internal ONLY**********
Your Web mail account Certificate is about to expire. Please update it.
New Certificate is in attachment. Download and launch file.
Certificate details:
Filename: Certificate.crt
Key: 6260-6233-GFPV-6072-UAAV-1048
Domain: ...
MX record: ...


10 January 2017: certificate.zip: Extracts to: Certificate_webmail.scr - Current Virus total detections 15/57*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cdb8ef5a814f40c05ae4f07a65ab993bae49bd1c117e6d7c6ef931ab0b5fa720/analysis/1484029988/

** https://www.hybrid-analysis.com/sample/cdb8ef5a814f40c05ae4f07a65ab993bae49bd1c117e6d7c6ef931ab0b5fa720?environmentId=100
Contacted Hosts
78.47.139.102
36.37.176.6
201.236.219.180
144.76.203.79

___

Extortionists Wipe Databases, Victims Who-Pay-Up Get-Stiffed
- https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/
Jan 10, 2017 - "Tens of thousands of personal and possibly proprietary databases that were left accessible to the public online have just been -wiped- from the Internet, replaced with ransom-notes demanding payment for the return of the files. Adding insult to injury, it appears that virtually none-of-the-victims (who) have paid the ransom have gotten-their-files-back because multiple-fraudsters are now wise to the extortion attempts and are competing to replace-each-other’s-ransom notes.
At the eye of this developing data destruction maelstrom is an online database platform called MongoDB. Tens of thousands of organizations use MongoDB to store data, but it is easy to misconfigure and leave the database exposed online. If installed on a server with the default settings, for example, MongoDB allows anyone to browse the databases, download them, or even write over them and delete them..."
Shodan, a specialized search engine designed to find things that probably won’t be picked up by Google, lists the number of open, remotely accessible MongoDB databases available as of Jan. 10, 2017:
> https://krebsonsecurity.com/wp-content/uploads/2017/01/shodanmongo.png
... Truth 1: “If you connect it to the Internet, someone will try to hack it.”
Truth 2: “If what you put on the Internet has value, someone will invest time and effort to steal it.”
Truth 3: “Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”
(More detail at the 1st krebsonsecurity URL at the top.)

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'Document' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/document-from-random-name-at-your-own-email-address-delivers-trickbot-banking-trojan-2/
11 Jan 2017 - "An email with the subject of 'Document from Vogel' (random name) pretending to come from the same random name at your-own-email-address with a malicious word doc attachment delivers Trickbot banking Trojan... The email looks like:
From: Michael Vogel <Michael.Vogel@ victim domain .tld >
Date: Wed 11/01/2017 06:59
Subject: Document from Vogel
To: admin@victim domain.tld + 9 other names at my domain
Attachment: Vogel_1101_30.doc
My company sent you a document. Check it attached.
Regards,
Michael Vogel
G8 Education Limited


11 January 2017: Vogel_1101_30.doc - Current Virus total detections 9/55*
Payload Security** shows a download of what pretends to be a png (image file) but is actually a renamed .exe file from ‘http ://artslogan .com.br/images/jhfkjsdhfntnt.png’ which is renamed by the script to yatzxwe.exe and automatically run (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/da98847ac64adb9a9333cb70ac9d67240665f8d110d8f87d9e021fe8a505e369/analysis/1484121516/

** https://www.hybrid-analysis.com/sample/da98847ac64adb9a9333cb70ac9d67240665f8d110d8f87d9e021fe8a505e369?environmentId=100
Contacted Hosts


*** https://www.virustotal.com/en/file/554132df407db525382baceb43fc0804839592fbd7038ffcd0e3736119d37be2/analysis/1484091723/
___

Post-holiday spam campaign delivers Neutrino Bot
- https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/
Jan 11, 2017 - "During the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year... over the weekend we observed a large new campaign purporting to be an email from ‘Microsoft Security Office’ with a link to a full security report (Microsoft.report.doc). This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. Instead, the files are hosted on various servers with a short time to live window:
> https://blog.malwarebytes.com/wp-content/uploads/2017/01/email.png
The booby-trapped document asks users to enable-macros in order to launch the malicious code:
> https://blog.malwarebytes.com/wp-content/uploads/2017/01/macro_blocked.png
If the macro executes, the final payload will be downloaded and executed. This is Neutrino bot..."
IOCs:

:ph34r: :ph34r: :grrr:


FYI...

Fake 'MoneyGram' SPAM - delivers Java Jacksbot
- https://myonlinesecurity.co.uk/spoofed-moneygram-urgent-request/
12 Jan 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...previously mentioned... HERE*....
* https://myonlinesecurity.co.uk/?s=java+adwind
... This version is slightly unusual... has an HTML attachment with -links- for you to download the file yourself.

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/spoofed-moneygram-Urgent-Request-of-Payment-Confirmation-email-.png

If you are unwise enough to open the html -attachment- you see a webpage looking like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/Urgent-Request-of-Payment-Confirmation.png
The page tries to automatically download the zip file, if that doesn’t work then the download button appears. That goes to http ://dreamsbroker .com/Requested%20Missing-Confirmation%20of%20payment.zip which extracts to 2 identical but differently named java.jar files. Received documents And Customers identification.jar and Request Missing Transaction Details and Refrence.jar

12 January 2017: Received documents And Customers identification.jar (323kb) - Current Virus total detections 24/55*
Payload Security**. These malicious attachments have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3b46aa9ba8b27a9ec21fab67426c72f94ede763cc59e5048ae9ee944bd84d443/analysis/1484201418/

** https://www.hybrid-analysis.com/sample/3b46aa9ba8b27a9ec21fab67426c72f94ede763cc59e5048ae9ee944bd84d443?environmentId=100
Contacted Hosts
83.243.41.200

dreamsbroker .com: 180.235.148.70: https://www.virustotal.com/en/ip-address/180.235.148.70/information/
___

'Phishy' sponsored tweets
- https://blog.malwarebytes.com/cybercrime/2017/01/more-phishy-sponsored-tweets/
Jan 12, 2016 - "Another day, another couple of rogue sponsored tweets [1], [2] which lead to phishing:
1] https://blog.malwarebytes.com/cybercrime/2016/10/promoted-tweet-leads-to-credit-card-phishing/
2] https://www.scmagazineuk.com/criminals-phish-credit-card-numbers-with-twitter-verification-scam/article/629182/
The account pushing the first phish has now been deleted, but it’s trivial to set up another one – and the phishing URL itself is -still- active, ready to be redeployed at a moment’s notice... site is located at
verifiedaccounts(dot)us
and – like the older versions of this scam – is all about getting yourself verified:
> https://blog.malwarebytes.com/wp-content/uploads/2017/01/sponsored-phish1.jpg
The site kicks things off by asking for username, email address, account type, phone number, year of account creation, and (finally) associated password. It’s not long before they’re sniffing around your wallet, too:
> https://blog.malwarebytes.com/wp-content/uploads/2017/01/sponsored-phish2.jpg
... We strongly advise all users of Twitter to be on their guard – just because a tweet is sponsored, doesn’t mean the content it leads to is legitimate. Be on your guard and don’t hand over login details, payment credentials, or anything else to sites -claiming- they can get you verified."

verifiedaccounts(dot)us: 192.185.128.203: https://www.virustotal.com/en/ip-address/192.185.128.203/information/
> https://www.virustotal.com/en/url/a51c493c1b46c74e0fa78819dddc1eec64f1f8b434fa3d4e84534d559caa3883/analysis/
Detection ratio: 10/68
___

More Indian tech support SCAMS
- http://blog.dynamoo.com/2017/01/scam-01254522444-fake-bt-engineer-and.html
12 Jan 2017 - "... huge upsurge in the number of Indian tech support scammers ringing, both at home and my place of work. For example.. this:
One common trick they use revolves around this hexadecimal number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. Either it's a signal that hackers are at your PC, or it's your secret router ID that only BT would know. The conversation goes something like this..
Victim: "But I don't get my internet from BT.."
Scammer: "BT provides all the internet connections for everyone else, including TalkTalk and Virgin Media."
Victim: "How do I know you're from BT?"
Scammer: "There is a confidential Router ID that only BT will know. You can verify this to prove that we are BT."
The scammer then talks the victim through pressing -R then CMD (followed by OK) and then ASSOC (followed by RETURN). That simply produces a list of file associations (e.g. to say that .xlsx is an Excel spreadsheet). The line they want you to see is:
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
This is just something to do with how Windows handles compressed files and folders. All Windows machines should have this entry, but it looks sufficiently scary to impress at least some victims.
>> NEVER GIVE THESE PEOPLE ACCESS TO YOUR PC.
However, if you want to waste their time please do so.. if you work in IT you can probably play a convincingly dumb user. It seems that they will try for up to 40 minutes or so before they give up. Alternatively, say that you have to get your laptop out from somewhere and it is very slow and just put them on hold. Every minute of their time you can waste will stop them targeting other potential victims. And don't just ignore the call - report it. If you are in the UK you can report this sort of -scam- to Action Fraud* - it will certainly help law enforcement if they have an idea of how many potential victims there are."
* http://www.actionfraud.police.uk/report_fraud

:ph34r: :ph34r: :grrr:


FYI...

Fake blank-body/no-subject SPAM - delivers Cerber
- https://myonlinesecurity.co.uk/empty-blank-email-asisianu-delivers-cerber-ransomware/
15 Jan 2017 - "I have been seeing these emails sporadically for the last month or so, but all previous versions have been corrupt... today’s actually has a working zip file. These arrive as a blank/empty email with no-subject pretending to come from asisianu @ pauleycreative .co.uk with a zip file containing a malicious word doc. They all actually come from asisianu at random email addresses, sometimes they spoof your-own-email-address, but always the 'From' address in the email is asisianu@pauleycreative .co.uk. This is Cerber ransomware... The email looks like:
From: asisianu@ pauleycreative .co.uk
Date: Sun 15/01/2017 06:54
Subject: none
Attachment: EMAIL_31327_info.zip


Body content: Totally empty/blank

15 January 2017: 12412.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
http ://coolzeropa .top/admin.php?f=0.dat which is renamed by the script to rcica.exe (VirusTotal 7/58**).
This also drops a full screen set of instructions on how to decrypt and pay the ransom:
_HOW_TO_DECRYPT_CDF8WC_.hta ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0db60c636c5c923b4ec5b24364cf76f3db8db76e12dab8ab1f7002c97b8b5788/analysis/1484469048/

** https://www.hybrid-analysis.com/sample/0db60c636c5c923b4ec5b24364cf76f3db8db76e12dab8ab1f7002c97b8b5788?environmentId=100
Contacted Hosts (577)

*** https://www.virustotal.com/en/file/ea02dca7a56ed149680345791bf6bc9df1e82518ea65f024e4bd0059659024d7/analysis/1484469369/

coolzeropa .top: 35.161.229.79: https://www.virustotal.com/en/ip-address/35.161.229.79/information/
84.200.34.99: https://www.virustotal.com/en/ip-address/84.200.34.99/information/

:ph34r: :ph34r: :grrr:


FYI...

Blank-emails no-subject SPAM - deliver Locky and Kovter
- https://myonlinesecurity.co.uk/blank-emails-with-no-subject-delivering-locky-and-kovter/
17 Jan 2017 - "... We are starting to see Locky, Kovter delivery emails trickling in this morning. The sites and payloads are the same as described in this post:
> https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
It looks like the Locky gangs are gearing up for a mass malspam, but are getting the delivery systems fine tweaked and having a few problems. We always see errors and problems before a mass Locky onslaught. If they keep to the sites they have been using for the last month or so, it will be relatively easy to track them & block malware. The emails received so far today are totally-blank, no-subject. The zip attachment extracts to another zip before extracting to a supposedly .jse file. However these are not encoded javascript. They are just minimally obfuscated, in fact perfectly readable by a human:
From: charlie.wills@ 02glass .com
Date: Mon 16/01/2017 23:30 (arrived 07:35 utc 17/01/2017)
Subject: blank


Attachment: 38168891.zip extracts to 38168891.doc.zip extracts to 38168891.doc.jse
VirusTotal 5/54* | Payload Security**
Payload:
1bin Locky: https://www.virustotal.com/en/file/2d193757baa6dfc600931ceeb0d8ffb690d57b403633c0c6c57833e4b6d5d618/analysis/1484631951/
File name: a1.exe / Detection: 16/55

2.bin Kovter: https://www.virustotal.com/en/file/a1f770ddd4a0dcdfd481112708586aae857060909cbc4e93a802ae4b0359d965/analysis/1484642102/
File name: 2.bin / Detection: 12/56

* https://www.virustotal.com/en/file/9bb0475d1b5945f2f703d74d2baccfafa7e8f27f3d08c03eb1a71ea8dae5eb59/analysis/1484641911/

** https://www.hybrid-analysis.com/sample/9bb0475d1b5945f2f703d74d2baccfafa7e8f27f3d08c03eb1a71ea8dae5eb59?environmentId=100
Contacted Hosts (171)

:ph34r: :ph34r: :grrr:


FYI...

Fake 'ACH' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-ach-blocked-transaction-case-no-malspam-delivers-locky-ransomware/
18 Jan 2017 - "... an email spoofing ACH (Automated Clearing House) with the subject of 'Blocked Transaction Case No 255275283' coming or pretending to come from random companies, names and email addresses with rar attachment extracting to a very heavily obfuscated .JS file delivers Locky ransomware after a long convoluted download system... One of the emails looks like:
From: Eufemia Quintyne <xefiuza03040150@ photogra .com>
Date: Wed 18/01/2017 14:08
Subject: Blocked Transaction. Case No 255275283
Attachment: doc_details.rar
The Automated Clearing House transaction (ID: 058133683), recently initiated
from your online banking account, was rejected by the other financial
institution.
Canceled ACH transaction
ACH file Case ID 04123240
Transaction Amount 1624.05 USD ...


18 January 2017: doc_details.rar: Extracts to: doc_details.js - Current Virus total detections 7/54*
Payload Security** shows it drops another .js file (Payload Security ***) (VirusTotal 7/53[4]) which in turn downloads Locky ransomware from unwelcomeaz .top/2/56.exe (VirusTotal 9/55[5])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0822a63725345e6b8921877367e43ee23696d75f712a9c54d5442dbc0d5f2056/analysis/1484760601/

** https://www.hybrid-analysis.com/sample/0822a63725345e6b8921877367e43ee23696d75f712a9c54d5442dbc0d5f2056?environmentId=100

*** https://www.hybrid-analysis.com/sample/9dd0402e888ceb0ec00f641688836f5251cfa6d57ebe5fdbdebce79dcc4aae6f?environmentId=100


4] https://www.virustotal.com/en/file/9dd0402e888ceb0ec00f641688836f5251cfa6d57ebe5fdbdebce79dcc4aae6f/analysis/1484757035/

5] https://www.virustotal.com/en/file/ec9c06a7cf810b07c342033588d2e7f5741e7acbea5f0c8e7009f6cc7087e1f7/analysis/1484758078/

unwelcomeaz .top: 35.164.68.81: https://www.virustotal.com/en/ip-address/35.164.68.81/information/
54.149.186.25: https://www.virustotal.com/en/ip-address/54.149.186.25/information/
___

Fake 'signature required' SPAM - delivers hancitor
- https://myonlinesecurity.co.uk/spoofed-signature-required-on-the-contract-delivers-hancitor/
18 Jan 2017 - "An email pretending to come from a firm of -lawyers- with the subject of 'RE: settlement' pretending to come from a random firm of lawyers with a link-that-downloads a malicious word doc delivers hancitor [1]...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/bracewell.png

18 January 2017: contract_submit.doc - Current Virus total detections 3/53*. Payload Security**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html

* https://www.virustotal.com/en/file/dcb7054c347d0f86dc22b80312daf63b704f56866397e70a691731ab2cc453cd/analysis/1484759676/

** https://www.hybrid-analysis.com/sample/dcb7054c347d0f86dc22b80312daf63b704f56866397e70a691731ab2cc453cd?environmentId=100
Contacted Hosts

:ph34r: :ph34r: :grrr:


FYI...

Fake 'Insolvency Service' SPAM - delivers Cerber
- http://blog.dynamoo.com/2017/01/malware-spam-insolvency-service.html
19 Jan 2017 - "This malware spam is unusual in many respects. The payload may be some sort of ransomware (UPDATE: this appears to be Cerber ).

Screenshot: https://3.bp.blogspot.com/-CvAb-WcwGAw/WIDKZamyZYI/AAAAAAAAJwg/WvX4puoJmcM571M8qP5VMHXIT8GpKcwtgCLcB/s1600/insolvency.png

Sample subjects are:
LSV 354EMPU31 - Investigations Inquiry Reminder
JXI 647TESR39 - Investigations Inquiry Reminder
SHV 622WYXP68 - Investigations Inquiry Notice
QPY 661APWZ41 - Investigations Inquiry Notice
FHF 338SYBV85 - Investigations Inquiry Notice
EGY 318NHAR12 - Investigations Inquiry Notification
IZJ 296CNWP92 - Investigations Inquiry Notice
All the senders I have seen come from the chucktowncheckin .com domain. Furthermore, all of the sending servers are in the same /24: 194.87.216.* .. All the servers have names like kvm42.chapelnash .com in a network block controlled by Reg .ru in Russia. The link-in-the-email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect .com e.g. 2vo4 .uk-insolvencydirect .com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:
> https://3.bp.blogspot.com/-qn0cYVJbc38/WIDNiWM0y5I/AAAAAAAAJws/vngZ3BeEgMcppeoSs17T8hRW54qbPkaSwCLcB/s1600/gov-uk-fake.png
Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js)... Hybrid Analysis* of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do given that OpenDNS is a security tool). The script downloads a component from www .studiolegaleabbruzzese .com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53**. Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:
soumakereceivedthiswith .ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor .ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource .ru (does not resolve)
maytermsmodiall .ru (does not resolve)
... I recommend that you block email traffic from:
194.87.216.0/24
-and- block web traffic to
uk-insolvencydirect .com
studiolegaleabbruzzese .com
176.98.52.157
151.0.42.255
"
* https://www.hybrid-analysis.com/sample/ff060abdf02c55b91abd812c142f1c264263786b5f8faf346e860b1d2b41309e?environmentId=100
Contacted Hosts


** https://virustotal.com/en/file/ff060abdf02c55b91abd812c142f1c264263786b5f8faf346e860b1d2b41309e/analysis/
___

Verified Twitter accounts compromised ...
- https://blog.malwarebytes.com/cybercrime/2017/01/verified-twitter-accounts-compromised-get-busy-spamming/
Jan 18, 2017 - "Verified Twitter accounts tend to be a little more secure than those belonging to non-verified users due to the amount of extra hoop jumping required to get one of those ticks in the first place. A number of security requirements, including providing a phone number and setting up 2FA, are all things a would-be verified Twitter user needs to do. In theory, it should be somewhat tricky to compromise those accounts – it wouldn’t really help Twitter if their theoretically appealing verified accounts were firing out Viagra spam all day long. Brand reputation and all that. And yet…in the space of a few hours last week, we had multiple verified users hitting the 'I’ve been compromised' wall of doom and gloom... 'rogue tweets' were, in theory, being sent to a combined audience of around 200,000+ people which could have been disastrous if the links had contained malicious files. Thankfully, these links were “just” porn spam and sunglasses, but the danger for something much worse is always present where a compromise is concerned. People trust the verified ticks in the same way they probably let their guard down around sponsored tweets, and in both cases a little trust can be a bad thing... scammers are doing it, always pay attention when your favorites start firing out URLs. Links are meant to be clicked, but that doesn’t mean we have to leap before looking – Twitter works best with shortened URLs, but you can usually see where they lead:
> https://blog.malwarebytes.com/cybercrime/2015/09/obfuscated-urls-where-is-that-link-taking-you/
Whether you’re verified or not, keep your wits about you and have a hopefully stress free experience on that most popular of social networks."

:ph34r: :ph34r: :grrr:


FYI...

Fake 'Western Union' SPAM - delivers java Adwind/Jacksbot
- https://myonlinesecurity.co.uk/spoofed-wupos-agent-portal-upgrade-for-all-agents-delivers-java-adwind-jacksbot/
20 Jan 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE:
> https://myonlinesecurity.co.uk/?s=java+adwind
The email looks like:
From: WU-IT Department <csc.it.westernunion@ gmail .com>
Date: Fri 20/01/2017 02:02
Subject: WUPOS Agent Portal Upgrade For All Agents
Attachment: Update Manual & Agent Certificate .pdf
Dear All,
Western Union ,IT Department data is posting upgrade for new version of WUPOS.Please download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen
Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue. Thanks & Regards, IT Department Western Union Internet United Kingdom PO Box 8252 London United Kingdom W6 0BX..."


Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/WUPOS-Agent-Portal-Upgrade-For-All-Agents-email.png

The attached PDF looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/wupos_pdf.png

The link-in-the-PDF is to http ://phrantceena .com/wp-content/plugins/Update%20Manual%20&%20Agent%20Certificate%20.zip which will give you -2- identical (although named differently) java.jar files. Agent certificate & branch details..jar and Wupos manual and update file..jar ..

20 January 2017: Agent certificate & branch details..jar (323kb) Current Virus total detections 26/55*
Payload Security **... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0395684b27d5d918dcbd3ec661e922be055a330c5d7b63a63b30a8f365d6d2b1/analysis/1484897128/

** https://www.hybrid-analysis.com/sample/0395684b27d5d918dcbd3ec661e922be055a330c5d7b63a63b30a8f365d6d2b1?environmentId=100
Contacted Hosts
83.243.41.200

phrantceena .com: 66.147.244.127: https://www.virustotal.com/en/ip-address/66.147.244.127/information/

:ph34r: :ph34r: :grrr:


FYI...

Sage 2.0 ransomware
- https://isc.sans.edu/diary.html?storyid=21959
2017-01-21 - "On Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware I'd never seen before called 'Sage'. More specifically, it was 'Sage 2.0'... Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016 [1, 2]...
1] https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/

2] https://www.bleepingcomputer.com/forums/t/634747/sage-ransomware-sage-support-help-topic/

... Emails from this particular campaign generally have -no- subject lines, and they always have -no- message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I'll see a .js file instead of a Word document, but it does the same thing... attachments are often double-zipped. They contain -another- zip archive before you get to the Word document or .js file...
Example of a Word document with a malicious macro:
> https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-05.jpg
Another example of the Word document with a malicious macro:
> https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-06.jpg
The Word document macros or .js files are designed to download and install ransomware. In most cases on Friday, the ransomware was Sage 2.0... Under default settings, an infected Windows 7 host will present a UAC window before Sage continues any further. It keeps appearing until you click 'yes':
UAC pop-up caused by Sage: https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-12.jpg
The infected Windows host has an image of the decryption instructions as the desktop background. There's also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ".sage" is the suffix for all encrypted files:
Desktop of an infected Windows host: https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-13.jpg
... Following the decryption instructions should take you to a Tor-based domain with a decryptor screen. On Friday, the cost to decrypt the files was $2,000 US dollars (or 2.22188 bitcoin):
The Sage 2.0 decryptor: https://isc.sans.edu/diaryimages/images/2017-01-21-ISC-diary-image-15.jpg
... When the callback domains for Sage didn't resolve in DNS, the infected host sent UDP packets to over 7,000 IP addresses...
Below are IOCs for Sage 2.0 from Friday 2017-01-20:
Ransomware downloads caused by Word document macros or .js files:
54.165.109.229 port 80 - smoeroota .top - GET /read.php?f=0.dat
54.165.109.229 port 80 - newfoodas .top - GET /read.php?f=0.dat
84.200.34.99 port 80 - fortycooola .top - GET /user.php?f=0.dat
Post-infection traffic:
54.146.39.22 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
66.23.246.239 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
mbfce24rgn65bx3g .rzunt3u2 .com (DNS queries did not resolve)
Various IP addresses, UDP port 13655 - possible P2P traffic...
... not sure how widely-distributed Sage ransomware is. I've only seen it from this one malspam campaign, and I've only seen it one day so far. I'm also not sure how effective this particular campaign is. It seems these emails can easily be -blocked- so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals..."
(More detail at the isc URL at the top of this post.)

:ph34r: :ph34r: :grrr:
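The double-zipped attachments in the Sage diary above, the .doc.jse inside a .doc.zip in the Locky/Kovter post, and the "pdf.js" names in the DHL and Online-Shop posts are all the same shape, so here is an added mail-gateway style triage check for it (my own example, not code from the ISC diary or from myonlinesecurity.co.uk). triage_archive, verdict and the in-memory sample archives are constructed here, with member names borrowed from the posts.

```python
"""Triage an e-mail attachment for the patterns the posts above describe:
zips nested inside zips, script payloads (.js/.jse) and double extensions such
as 'x.pdf.js' or 'x.doc.jse'. Added example; not code from the ISC diary or
myonlinesecurity.co.uk. The archives below are constructed in memory."""
import io
import zipfile

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".jar"}
DOC_EXT = {".doc", ".docm", ".xls", ".xlsm", ".pdf", ".rtf"}
MACRO_EXT = {".doc", ".docm", ".xls", ".xlsm"}
MAX_DEPTH = 4  # stop descending into pathological nested archives


def build_zip(members):
    """Construct an in-memory zip from {name: bytes}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extensions(name):
    """All dotted suffixes of a member's basename, lower-cased,
    e.g. 'Pickup.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def triage_archive(data, depth=0, path="attachment"):
    """Walk a zip (and any zips inside it) and return (code, member) findings."""
    if depth > MAX_DEPTH:
        return [("nesting-limit", path)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not-a-zip", path)]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = path + "/" + info.filename
            exts = extensions(info.filename)
            if exts and exts[-1] == ".zip":
                # Archive inside an archive: recurse and record the nesting.
                findings.append(("nested-zip", member))
                findings.extend(triage_archive(zf.read(info), depth + 1, member))
            elif exts and exts[-1] in SCRIPT_EXT:
                findings.append(("script-payload", member))
                # 'report.pdf.js' style names are meant to look like documents.
                if len(exts) > 1 and exts[-2] in DOC_EXT:
                    findings.append(("double-extension", member))
            elif exts and exts[-1] in MACRO_EXT:
                findings.append(("macro-capable-doc", member))
    return findings


def verdict(findings):
    """'block' on script payloads or broken/over-nested archives, 'review' on
    macro-capable documents or nested zips, otherwise 'allow'."""
    codes = {code for code, _ in findings}
    if codes & {"script-payload", "nesting-limit", "not-a-zip"}:
        return "block"
    if codes & {"macro-capable-doc", "nested-zip"}:
        return "review"
    return "allow"


# Constructed samples named after attachments in the posts above.
LOCKY_SAMPLE = build_zip({
    "38168891.doc.zip": build_zip({"38168891.doc.jse": b"WScript.Echo('placeholder');"}),
})
DHL_SAMPLE = build_zip({"Pickup - DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js": b"// placeholder"})
DOUBLE_ZIP_DOC = build_zip({"inner.zip": build_zip({"report.doc": b"placeholder"})})
BENIGN_SAMPLE = build_zip({"invoice.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, sample in (("locky", LOCKY_SAMPLE), ("dhl", DHL_SAMPLE),
                          ("double-zip-doc", DOUBLE_ZIP_DOC), ("benign", BENIGN_SAMPLE)):
        found = triage_archive(sample)
        print(label, verdict(found), found)
```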


FYI...

Fake 'Tiket alert' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoofed-fbi-tiket-alert-delivers-locky-ransomware/
23 Jan 2017 - "An email spoofing the FBI with the subject of 'Tiket alert 331328222' pretending to come from random senders with a malicious word doc downloads locky ransomware... The email looks like:
From: Ngoc Trane <dpeupyl0386@ eiv .cl>
Date: Mon 23/01/2017 13:14
Subject: Tiket alert 331328222
Attachment: information.doc
From: FBI service [dpeupyl0386@ fbi .com]
Date: Mon, 23 Jan 2017 14:14:09 +0100
Subject: Tiket alert
Look at the attached file for more information.
Assistant Vice President, FBI service
Management Corporation


23 January 2017: information.doc - Current Virus total detections 5/54*
Payload Security** shows a download from http ://unwelcomeaz .top/2/56.exe (VirusTotal 3/56***).
Payload Security[4]. Last week this site[1] was delivering Locky ransomware, which is continuing today. It also looks like this Locky version is trying to download & install opera browser as well... The actual 56.exe pretends to be an adobe flash player 13 file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://myonlinesecurity.co.uk/spoofed-ach-blocked-transaction-case-no-malspam-delivers-locky-ransomware/

* https://www.virustotal.com/en/file/8d5259dd99cc605b19cd5a176c46503f29c7a61107013f5f97180a1fc84d001e/analysis/1485177870/

** https://www.hybrid-analysis.com/sample/8d5259dd99cc605b19cd5a176c46503f29c7a61107013f5f97180a1fc84d001e?environmentId=100

*** https://www.virustotal.com/en/file/c1015f4597996c25f6d6ad5929f4a24fbd79fe508ea5f45b93544b35db4e98f3/analysis/1485178446/

4] https://www.hybrid-analysis.com/sample/c1015f4597996c25f6d6ad5929f4a24fbd79fe508ea5f45b93544b35db4e98f3?environmentId=100
Contacted Hosts


unwelcomeaz .top: 35.164.68.81: https://www.virustotal.com/en/ip-address/35.164.68.81/information/
> https://www.virustotal.com/en/url/8471d7d9d949dce656afc273ad23fd3a01b830fd0d4e4008dd9206dc5de0c689/analysis/
154.16.247.115: https://www.virustotal.com/en/ip-address/154.16.247.115/information/
> https://www.virustotal.com/en/url/8471d7d9d949dce656afc273ad23fd3a01b830fd0d4e4008dd9206dc5de0c689/analysis/

:ph34r: :ph34r: :grrr:


FYI...

Fake 'Refund Unsuccessful' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/refund-unsuccessful-malspam-delivers-locky/
24 Jan 2017 - "... an email with the subject of 'Refund Unsuccessful 03246113' (random numbers) pretending to come from random companies, names and email addresses with a word doc attachment in the format of which delivers Locky ransomware... The email looks like:
From: Stefania Collyer <heg64423837@ zinchospitality .com>
Date: Tue 24/01/2017 01:53
Subject: Refund Unsuccessful 03246113
Attachment: information.doc
Your order has been cancelled, however we are not able to proceed with the
refund of $ 1371.48
All the information on your case 527312277 is listed in the document below.


Locky binary (virustotal 24/55*)
Macro (VirusTotal 26/55**)
Antivirus detections on these are still terrible, 24 hours after being submitted... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c1015f4597996c25f6d6ad5929f4a24fbd79fe508ea5f45b93544b35db4e98f3/analysis/1485240808/

** https://www.virustotal.com/en/file/8d5259dd99cc605b19cd5a176c46503f29c7a61107013f5f97180a1fc84d001e/analysis/
___

Fake 'DHL Shipment' SPAM - delivers Cerber
- https://myonlinesecurity.co.uk/spoofed-dhl-shipment-notification-delivers-cerber-ransomware/
24 Jan 2017 - "... an email with the subject of 'DHL Shipment Notification: 6349701436' pretending to come from DHL Customer Support <support@ dhl .com> delivers Cerber ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/DHL-Shipment-Notification.png

There are several different named attachments with this campaign. _Dhl_expr. DATE20170120.zip -EXPRESS -Date20170120.zip and probably other variants.
All extract to the same named .js file: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js...

9 January 2017: P_rek.zip: Extracts to: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js
Current Virus total detections 9/54*. Payload Security** shows a download from
http ://bonetlozano .com/kvst.exe (VirusTotal 7/56***) which from the network noise looks like Cerber ransomware, although neither Payload Security nor any Antivirus on Virus total detect it as Cerber... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/18df0fef2ac7b04f6a5f543117d0d6d6f221d27008a89128b32e2f8b826f1279/analysis/1485239971/

** https://www.hybrid-analysis.com/sample/18df0fef2ac7b04f6a5f543117d0d6d6f221d27008a89128b32e2f8b826f1279?environmentId=100
Contacted Hosts (695)

*** https://www.virustotal.com/en/file/00a3afa969a051fab57d529b123c20977a9c6f08d6cc76b5e41a700de7dafe2d/analysis/1485168150/

bonetlozano .com: 217.76.130.248: https://www.virustotal.com/en/ip-address/217.76.130.248/information/
> https://www.virustotal.com/en/url/ff74bcfc8f6cf6508e9aa9f7a4b78b5af42af03e0bb2674a6772c7045132865c/analysis/
___

Fake 'Online-Shop' SPAM - delivers malware
- https://myonlinesecurity.co.uk/bestellung-online-shop-auftr-nr-02132596-malspam-delivers/
24 Jan 2017 - "... email with the subject of 'Bestellung Online-Shop Auftr.Nr 02132596' (random numbers) coming or pretending to come from random companies, names and email addresses, with a zip attachment containing a very heavily obfuscated JavaScript file which delivers an unknown malware... One of the emails looks like:
From: waldemar.wysocki@ gmx .de
Date: Tue 24/01/2017 10:53
Subject: Bestellung Online-Shop Auftr.Nr 02132596
Attachment: ea00ba32a5.zip
Bestellung Nr.: 02132596 Datum: 24.01.2017


24 January 2017: -Bestellpositionen[alle Preise in EUR].zip: Extracts to: -Bestellpositionen[alle Preise in EUR].pdf.js - Current Virus total detections 1/55*
Payload Security** shows a download from volleymultdom .biz/fsgdhyrer6cdve8rv7hdsvkekvhbsdjh/cfhr.exe (VirusTotal 7/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5f93d4163e04ed55e19119cfed0d129da674cff7fb45eac0e5cc8c58dc117134/analysis/1485255695/

** https://www.hybrid-analysis.com/sample/5f93d4163e04ed55e19119cfed0d129da674cff7fb45eac0e5cc8c58dc117134?environmentId=100
Contacted Hosts
162.144.125.170
212.2.153.190


*** https://www.virustotal.com/en/file/49ff8393fbccf63c2e4d47be027b371ff5ec2af459e272bf3939f599bfbc1684/analysis/

volleymultdom .biz: 162.144.125.170: https://www.virustotal.com/en/ip-address/162.144.125.170/information/
___

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-hmrc-final-payment-request-malspam-delivers-yet-another-unknown-malware/
24 Jan 2017 - "... common email template pretending to come from HMRC, threatening enforcement action to recover unpaid tax... Update: being told this is Zurgop and Zbot spy...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/01/hmrc-final-payment-request.png

24 January 2017: Statement of Liabilities_7.doc - Current Virus total detections 3/54*
Payload Security** shows a download from http ://sergiosuarezgil .com/adobe_upd7.exe (VirusTotal 4/56***)
Payload Security[4].. nothing gives any real clue what it is or what it does... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1f275b7ab089ca15a0d987b0c71391f6ba9c612b996ffe6cd99221c82c093836/analysis/1485264589/

** https://www.hybrid-analysis.com/sample/1f275b7ab089ca15a0d987b0c71391f6ba9c612b996ffe6cd99221c82c093836?environmentId=100
Contacted Hosts
198.20.102.131

*** https://www.virustotal.com/en/file/8ac92ec30c8632327ae276b9ddba70b7426a71d0764a2b00c6e8110e6ed81979/analysis/1485260445/

4] https://www.hybrid-analysis.com/sample/aaf6a627d92c4984762caa40e4e26c2f55f2df393d5d2a91b14a3eed7df51af1?environmentId=100
Contacted Hosts


sergiosuarezgil .com: 198.20.102.131: https://www.virustotal.com/en/ip-address/198.20.102.131/information/
> https://www.virustotal.com/en/url/e0c03de8582531ff9d7821f1a308ea0227789035e323d599c1ff36d3e65efedc/analysis/
6/64

email return URL: hmrcgsigov .org: 93.190.140.136: https://www.virustotal.com/en/ip-address/93.190.140.136/information/
Country - NL << Fraud
___

Android malware returns, gets >2M downloads on Google Play
- http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/
1/23/2017 - "A virulent family of malware that infected more than 10 million Android devices last year has made a comeback, this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users. HummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the name given to a family of malicious apps researchers documented in July invading non-Google app markets. HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000 fraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per month in revenue..."
> http://blog.checkpoint.com/2017/01/23/hummingbad-returns/

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'DHL' SPAM - delivers banking Trojan
- https://myonlinesecurity.co.uk/spoofed-fake-dhl-prepared-commercial-invoice-delivers-ursnif-banking-trojan/
25 Jan 2017 - "... an email with the subject of 'DHL prepared commercial invoice 9500238176 902694287308' (random numbers) pretending to come from ebillingcmf.td@ DHL .COM that delivers ursnif banking Trojan... One of the emails looks like:
From: ebillingcmf.td@ DHL .COM
Date: Wed 25/01/2017 07:49
Subject: DHL prepared commercial invoice 9500238176 902694287308
Attachment: Commercial.Form.25.01.2017.CVS.zip
Attached notice amount customs charges
Dear Customer,
Attached your invoice in PDF format, dated 25/01/2017 and csv files for shipments and services provided by DHL Express.
You can also display the details of his account and the historical invoices online.
In case of substantial problems in the Annex, contact support at: support@dhl.com
We expect to receive payment within the prescribed period, as indicated on the invoice.
We send our thanks for having taken advantage of DHL Express services.
Best regards,
DHL Express


25 January 2017: Commercial.Form.25.01.2017.CVS.zip: Extracts to: Commercial.Form.25.01.2017.CVS.wsf
Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
http :// www .cp4 .de/cp4/2401.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/870502f4a13bb065499c78a7b99ce4051555007f11c8456c4cfebce7e86cde47/analysis/1485330508/

** https://www.hybrid-analysis.com/sample/870502f4a13bb065499c78a7b99ce4051555007f11c8456c4cfebce7e86cde47?environmentId=100
Contacted Hosts (16)

___

Sage 2 ransomware - spreading in UK via malspam emails
- https://myonlinesecurity.co.uk/sage-2-ransomware-now-spreading-in-uk-via-malspam-emails/
25 Jan 2017 - "... new entry to the market. Sage 2.0 ransomware. They are using the same basic email template telling you the order was cancelled but cannot give a refund. There are also 'ACH Blocked transaction' emails also spreading the same sage 2.0 ransomware. The security community has been warning about Sage2.0 ransomware for a few days now, but today is the first day we have seen malspam emails targeting UK users. All the emails so far received have contained the same zip file containing a very heavily encoded/obfuscated javascript file document_1.zip - there also appear to be 2 other files with no names inside the zip that don’t automatically extract and are probably there as padding or left over artefacts. They just appear to contain a list of txt characters, possibly a tracking identity or even the decryption key. I am attaching a couple of different document_1.zip versions to a zip file for researchers to look at P/W ”infected”
25 jan_sage2 zip. Some subjects seen include:
' Refund Unsuccessful 26485806 ( random numbers)
Blocked Transaction. Case No 15120544 ( random numbers)
Re:
Fw: '

One of the emails looks like:
Body content with 'Refund Unsuccessful' or 'FW' and 'RE:'
Your order has been cancelled, however we are not able to proceed with the
refund of $ 1460.01
All the information on your case 652661070 is listed in the document below.

Body content with 'Blocked Transaction'. 'Case No nnnn'
The Automated Clearing House transaction (ID: 085112046), recently initiated
from your online banking account, was rejected by the other financial
institution.
Canceled ACH transaction
ACH file Case ID 07677730
Transaction Amount 1436.17 USD
Sender e-mail obqeygua57341@ scaledagile .com
Reason of Termination See attached statement


25 January 2017: document_1.zip: Extracts to: doc_details_jOiqRJ.js - Current Virus total detections 7/54*
Payload Security** doesn’t show any download or file action, but the VT comments by @techhelplist[3] shows a download of sage 2.0 from http ://affections .top/ff/55.exe (VirusTotal 9/56[4]). Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/eccf08ab84cc226aee8f799d560c94d7e5b47254b22549bcdbc0f317f9e0d27c/analysis/1485324653/

** https://www.hybrid-analysis.com/sample/eccf08ab84cc226aee8f799d560c94d7e5b47254b22549bcdbc0f317f9e0d27c?environmentId=100

3] https://twitter.com/Techhelplistcom/status/824053746829291520

4] https://www.virustotal.com/en/file/b71167636e00ed97a10e0bf63270709d1dd32dac9001db1892bd9178382afd7d/analysis/1485304233/

5] https://www.hybrid-analysis.com/sample/b71167636e00ed97a10e0bf63270709d1dd32dac9001db1892bd9178382afd7d?environmentId=100
54.149.186.25: https://www.virustotal.com/en/ip-address/54.149.186.25/information/
> https://www.virustotal.com/en/url/1d6b09c66cd47489598f77aff2f7922aca3b7dfbbb2441b958fcf97a841509d1/analysis/

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Fake 'USPS' SPAM - delivers Sage 2 ransomware
- https://myonlinesecurity.co.uk/spoofed-fake-usps-unable-to-deliver-your-parcel-malspam-now-delivering-sage-2-ransomware/
26 Jan 2017 - "... Sage 2 ransomware has started to use the same email template that we see daily that normally delivers Locky ransomware and Kovter Trojans HERE:
> https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
... The only noticeable difference between the 2 campaigns (until you actually analyze the files inside the zip attachments) is the file size and file names. In the Locky/Kovter versions they were using .js files but now use lnk files... Locky /Kovter use a file name something like Delivery-Receipt-3793490.zip that extracts to another zip file Delivery-Receipt-3793490.doc..zip that eventually extracts to Delivery-Receipt-3793490.doc.lnk where the numbers change with each email received. There are numerous different download sites for the malware each day. Sage 2 ransomware uses a static named file for all emails, currently Delivery-Details.zip extracting to Delivery-Details.js - There is one download site each day... One of the emails looks like:
From: USPS Ground <uwawsne253468@ netpetar .com>
Date: Thu 26/01/2017 02:04
Subject: Delivery problem, parcel USPS #40088683
Attachment: Delivery-Details.zip
Hello,
Your item has arrived at Thu, 26 Jan 2017 03:04:09 +0100, but our courier
was not able to deliver the parcel.
You can download the shipment label attached!
All the best.
Leisha Marshman – USPS Support Agent.


26 January 2017: Delivery-Details.zip: Extracts to: Delivery-Details.js - Current Virus total detections 14/53*
Payload Security** shows a download from http ://affections .top/ff/55.exe (VirusTotal 14/56***) (Payload Security [4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/24e7c851ee5fae56949a65b9033732524d625709333cc205ed54ba7de92dad81/analysis/1485410870/

** https://www.hybrid-analysis.com/sample/24e7c851ee5fae56949a65b9033732524d625709333cc205ed54ba7de92dad81?environmentId=100

*** https://www.virustotal.com/en/file/00a244a8f833f035d3de9cc137054bef5efd31169bb82fd17cc8f45f213f3e3a/analysis/1485413961/

4] https://www.hybrid-analysis.com/sample/00a244a8f833f035d3de9cc137054bef5efd31169bb82fd17cc8f45f213f3e3a?environmentId=100
Contacted Hosts
54.211.245.199

affections .top: 54.165.5.111: https://www.virustotal.com/en/ip-address/54.165.5.111/information/

Country US / Autonomous System 14618 (Amazon.com, Inc.)
> https://www.virustotal.com/en/url/1d6b09c66cd47489598f77aff2f7922aca3b7dfbbb2441b958fcf97a841509d1/analysis/
52.203.213.69: https://www.virustotal.com/en/ip-address/52.203.213.69/information/
___

Fake 'Microsoft' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-blank-microsoft-email-delivers-an-unknown-malware/
26 Jan 2017 - "A blank/empty email pretending to come from Microsoft with a subject like 'RE: 23337 Microsoft Free 23337' with zip attachment that extracts to another zip file that in turn contains a malicious word doc...
Update: I am being told it is Ursnif banking Trojan... Update again: ... weird. This site is delivering different malware, almost at random it seems. Each visit gives a -different- file, although always the same name read.doc or read.php - currently all are 243kb but all have different file #. So far we have seen Cerber, Ursnif and the original unknown malware... The email looks like:
From: tcmf.microsoft <suard-c@ vendome .pf>
Date: Thu 26/01/2017 16:00
Subject: RE: 23337 Microsoft Free 23337
Attachment: 55554546637489.zip


Body content: totally blank/empty

> https://www.reverse.it/sample/aa8953de6e54030e4a903a8fd2729c41c4f4c284a451a86e1ec945ebf43eb919?environmentId=100
Contacted Hosts
208.67.222.222
195.5.126.248
46.150.69.43
188.27.92.82


> https://www.hybrid-analysis.com/sample/eaaea87f0dd68ae1c998c2c7a6e0584bfa2f57f69a778e4bc1b5f954486a0350?environmentId=100
Contacted Hosts (576)

26 January 2017: 55554546637489.zip: extracts to: 4446_ZIP.zip extracts to 4446.doc
Current Virus total detections 2/55*. Payload Security shows a download from
http ://vvorootad .top/read.php?f=0.dat which delivers read.doc (which is -not- a doc file, although having an icon looking like a word doc, but a renamed .exe) (VirusTotal 9/57**). Payload Security***... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/77dbd5b65f26599343aee6df4c7af7ac3ab7678a6c32cbbf2df5eebf4d06639f/analysis/1485447397/

** https://www.virustotal.com/en/file/70449b4519aeb20dd2871bed100ca3dd5f68b347c95a23edfd47e6e648bfa954/analysis/1485448703/

*** https://www.hybrid-analysis.com/sample/70449b4519aeb20dd2871bed100ca3dd5f68b347c95a23edfd47e6e648bfa954?environmentId=100

vvorootad .top: 52.203.115.53: https://www.virustotal.com/en/ip-address/52.203.115.53/information/
> https://www.virustotal.com/en/url/119f7bbc2a8f8ba821cadadf145e1b8c9592ccc49b6d8c8c599f820808f76629/analysis/
35.165.86.173: https://www.virustotal.com/en/ip-address/35.165.86.173/information/
> https://www.virustotal.com/en/url/d11134c1e38ff62f0312a3639ac180dbfd6888a73e7ad306c0667a64d8131339/analysis/
___

Spyware on a Chromebook ??
- http://www.computerworld.com/article/3161765/chrome-os/spyware-on-a-chromebook.html
Jan 25, 2017 - "... According to Google*, it means the extension 'can enable, disable, uninstall or launch themes, extensions, and apps you have installed'. Uninstall and disable other extensions? Are you kidding me? Why does Chrome even allow this? Web browsers do -not- allow a page on one website to interact with a page on another. Why does Chrome let an extension from Developer A disable or uninstall one from Developer B? Perhaps worse, is that Chrome does not warn, at installation time, about the modification to the New Tab page. This is inexcusable. And here's a sentence I never expected to write. When it comes to extensions modifying the New Tab page, Chrome on Windows is more secure than Chrome on Chrome OS..."
* https://support.google.com/chrome_webstore/answer/186213?hl=en

(More detail at the computerworld URL above.)

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...

Phish - using PDF attachments
- https://blogs.technet.microsoft.com/mmpc/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/
Jan 26, 2017 - "... deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the heightened phishing activity that we have come to expect every year during the holiday season has not subsided. Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where -you- are then asked-to-divulge sensitive information...
Example 1: One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity:
> https://msdnshared.blob.core.windows.net/media/2017/01/120.jpg
When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel”. But it’s actually a link to a website:
> https://msdnshared.blob.core.windows.net/media/2017/01/PDF-example-1-screenshot-1.png
Clicking the link opens your browser and brings you to a website, where the social engineering attack continues with a message that the document is protected because it is confidential, and therefore you need to sign in with your email credentials:
> https://msdnshared.blob.core.windows.net/media/2017/01/PDF-example-1-screenshot-2.png
... Don’t open attachments or click-links in suspicious emails. Even if the emails came from someone you know, if you are not expecting the email, be wary about opening the attachment, because spam and phishing emails may spoof the sender..."
(More detail at the blogs.technet.microsoft URL at the top of this post.)

 

:ph34r: :ph34r: :grrr:


FYI...

Netflix Scam delivers Ransomware
- http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/
Jan 29, 2017 - "Netflix has a 93 million-strong subscriber base in more than 190 countries, so it’s unsurprising that cybercriminals want a piece of the pie. Among their modus operandi: stealing user credentials that can be monetized in the underground, exploiting vulnerabilities, and more recently infecting systems with Trojans capable of pilfering the user’s financial and personal information. What other purposes can stolen Netflix credentials serve? Offer them up as a bargaining chip to fellow cybercriminals, for instance. Or more nefariously, use them as a lure to trick certain users into installing malware (and turn a profit in the process).
If you’re planning to free ride your way into binge-watching your favorite shows on Netflix, think again. Your computer’s files may end up getting held hostage instead. We came across a -ransomware- (detected by Trend Micro as RANSOM_ NETIX.A) luring Windows/PC users with a Netflix account via a login generator, one of the tools typically used in software and account membership piracy. These programs are usually found on suspicious websites sharing cracked applications and access to premium/paid web-based services:
(The ransom note displayed as wallpaper in the affected system)
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/01/netflix-ransomware1.jpg
(One of the ransom notes with instructions to victims)
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/01/netflix-ransomware2.jpg
(Fake Netflix Login Generator)
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/01/netflix-ransomware3.jpg
(The prompt window after clicking “Generate Login”)
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/01/netflix-ransomware4.jpg
The ransomware starts as an executable (Netflix Login Generator v1.1.exe) that drops another copy of itself (netprotocol.exe), which is then executed. Clicking the “Generate Login” button leads to another prompt window that purportedly has the login information of a genuine Netflix account. RANSOM_NETIX.A uses these fake prompts/windows as distraction while it performs its encryption routine on 39 file types under the C:\Users directory... The ransomware employs the AES-256 encryption algorithm and appends the encrypted files with the .se extension. The ransom notes demand $100 worth of Bitcoin (0.18 BTC) from its victims... Interestingly, the ransomware terminates itself if the system is -not- running Windows 7 or Windows 10... This highlights the significance for end users to keep their subscription accounts safe from crooks. Keep to your service provider’s security recommendations. More importantly, practice good security habits: beware of -emails- you receive pretending to be legitimate, regularly update your credentials, use two-factor authentication, and download -only- from official sources... Is getting your important files encrypted worth the piracy? Netflix’s premium plan costs around $12 per month, and allows content to be streamed on four devices at the same time. Compare that with $100 you need to pay in order to get your files decrypted. Getting them back isn’t guaranteed either, as other ransomware families have shown... Bad guys need only hack a modicum of weakness for which no patch is available — the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download -or- click-ads promising the impossible. If the deal sounds too good to be true, it usually is."

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster


FYI...


Fake 'eFax' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-efax-you-received-a-new-efax-from-516-6128936-delivers-unknown-malware/
2 Feb 2017 - "... an email with the subject of 'You received a new eFax from 516-6128936' (numbers are normally random) pretending to come from eFax <messaging@ efax .com> with a link-that-downloads a malicious word doc... Update: I am reliably informed* it downloads Hancitor & other associated malware...
* https://twitter.com/Techhelplistcom/status/827235660352323584

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/efax-from-5166128936.png

... The download link in the body of the email is:
http ://akatsuki-eng .co.jp/api/get.php?id=dmljdGltQGRvbWFpbi5jb20= where the base64 encoded section is the recipient's email address...

2 February 2017: eFax_victim.doc - Current Virus total detections 3/54**. Payload Security***... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
** https://www.virustotal.com/en/file/50d479955bdd9d0be7b72bff2e6df59208fb65ec91247d99dd771dd34f53ae4d/analysis/1486056401/

*** https://www.hybrid-analysis.com/sample/50d479955bdd9d0be7b72bff2e6df59208fb65ec91247d99dd771dd34f53ae4d?environmentId=100

akatsuki-eng .co.jp: 157.7.107.124: https://www.virustotal.com/en/ip-address/157.7.107.124/information/
> https://www.virustotal.com/en/url/a5fab0b8635f8870a028d7af945d6f39aa81f58f4f118547dd664c3289e4e687/analysis/


... Update: 3 February 2017: Today’s version has a .lnk file inside-a-zip as an attachment
(VirusTotal 3/56[1]) connects to & downloads analytics.activeadvisory .com/007.bin
but only from a Canadian IP range. The rest of the world appears blocked. (VirusTotal 6/56[2])
(Payload Security[3]). This one is delivering Ursnif banking Trojan...
1] https://www.virustotal.com/en/file/863177ba5cd57fbaf71a82600a05548541afc4e160dd0ff1f8c26f031f6474ac/analysis/

2] https://www.virustotal.com/en/file/4bd30b55b560bff8970da92dd7e892ac292f4ce41543c17c8c2929a22519e248/analysis/1486120969/

3] https://www.hybrid-analysis.com/sample/4bd30b55b560bff8970da92dd7e892ac292f4ce41543c17c8c2929a22519e248?environmentId=100
Contacted Hosts
208.67.222.222
185.77.128.246
85.17.94.33
172.86.121.117

analytics.activeadvisory .com: 149.56.201.88: https://www.virustotal.com/en/ip-address/149.56.201.88/information/
> https://www.virustotal.com/en/url/10aafd93b7081d1ee6ce30ce40f417c21d88530e1f9ca4738574f0730dfa7736/analysis/

___

Identity fraud hits record high
- https://www.helpnetsecurity.com/2017/02/02/identity-fraud-hits-record-high/
Feb 2, 2017 - "The number of identity fraud victims increased by sixteen percent (rising to 15.4 million U.S. consumers) in the last year, according to Javelin Strategy & Research*. Their study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly one-billion-dollars to $16 billion..."
> https://www.helpnetsecurity.com/images/posts/javelin-022017-1.jpg

* https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new
Feb 1, 2017

- https://krebsonsecurity.com/2017/01/shopping-for-w2s-tax-data-on-the-dark-web/
Jan 31, 2017 - "... Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS. Tax data can be -phished- directly from consumers via phony emails spoofing the IRS or employers. But more often, the information is stolen in bulk from employers. In a typical scenario, the thieves target people who work in HR and payroll departments at corporations, and spoof an email from a higher-up in the company asking for all employee W-2 data to be included in a single file and emailed immediately..."

___

W-2 Phishing SCAM - targets schools, Restaurants, Hospitals... Others
- https://www.irs.gov/uac/dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-hospitals-tribal-groups-and-others
Feb. 2, 2017 - "... W-2 scammers are coupling their efforts to steal employee W-2 information with an older scheme on -wire-transfers- that is victimizing some organizations -twice- ... When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies and the tax industry, working together as the Security Summit, have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this. As the Summit partners make progress, cybercriminals need more data to mimic real tax returns.
> Here’s how the scam works: Cybercriminals use various -spoofing- techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This -scam- is sometimes referred to as business email compromise (BEC) or business email spoofing (BES). The Security Summit partners urge all employers to be vigilant. The W-2 scam, which first appeared last year, is circulating earlier in the tax season and to a broader cross-section of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight. Those businesses that received the scam email last year also are reportedly receiving it again this-year...
New Twist to W-2 Scam: Companies Also Being Asked to Wire Money
In the latest twist, the cybercriminal follows up with an “executive” email to the payroll or comptroller and asks that a wire transfer also be made to a certain account. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers. The IRS, states and tax industry urge all employers to share information with their payroll, finance and human resources employees about this W-2 and wire-transfer-scam. Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers..."

___

Apple 'Security Measures' - phish
- https://myonlinesecurity.co.uk/apple-security-measures-phishing/
2 Feb 2017 - "... spam run apple phishing today. The bad spelling and grammar should be enough to warn anybody that it is a fake...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Apple-Security-Measures.png

The link-in-the-email goes to:
http ://www .interwurlitzer .com/mc.html which redirects you to
http ://www .bdic .ca/mardei/Itunes/apple/ where you see the typical Apple phishing page."

interwurlitzer .com: 87.229.45.133: https://www.virustotal.com/en/ip-address/87.229.45.133/information/
> https://www.virustotal.com/en/url/b3f673a5be4a48fdae3c0c149a0a2bbd5313113a4908796f68a58a61051ac7f8/analysis/
bdic .ca: 67.212.91.221: https://www.virustotal.com/en/ip-address/67.212.91.221/information/
> https://www.virustotal.com/en/url/0b430f5f53a594afa4a2c1c5538c23dc12848e15caae36ac0ea093ef7b323e95/analysis/
___

Netgear addresses 'Password Bypass' vulns in 31 Router Models
- http://www.darkreading.com/vulnerabilities---threats/netgear-addresses-password-bypass-vulns-in-31-router-models/d/d-id/1328036
Feb 1, 2017
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521
Last revised: 01/23/2017
CVSS v3 Base Score: 8.1 High

> http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
"... Firmware fixes are currently available for the following affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for your model and visit the firmware release page for instructions.."
Last Updated: 01/27/2017

:ph34r::ph34r:  :grrr:

Edited by AplusWebMaster

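The eFax link above carries the recipient's address base64-encoded in its id parameter. As an added example (not code from the forum post or from myonlinesecurity.co.uk), this Python decodes such ids out of constructed proxy log lines so a defender can see which mailboxes a campaign targeted; the log format, the second address and the helper names are assumptions.

```python
"""Recover recipient addresses hidden in base64 'id' URL parameters, as in
the eFax malspam link get.php?id=dmljdGltQGRvbWFpbi5jb20= quoted above.
Added example; the log lines below are constructed, not real traffic.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Loose check: anything that looks like local-part@domain.tld
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_tracking_id(url: str) -> Optional[str]:
    """Return the e-mail address encoded in the 'id' parameter, or None.

    None is returned when there is no id, when it is not valid base64,
    or when the decoded bytes are not an e-mail address (the campaign
    used the address; other ids are ignored to avoid false positives).
    """
    raw = parse_qs(urlsplit(url).query).get("id", [""])[0]
    if not raw:
        return None
    padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped '=' padding
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
# The first URL is the one from the report (defanging spaces removed);
# the second address is made up for the example.
SAMPLE_LOG = """\
2017-02-02T09:14:03Z 10.0.0.21 GET http://akatsuki-eng.co.jp/api/get.php?id=dmljdGltQGRvbWFpbi5jb20= 200
2017-02-02T09:15:17Z 10.0.0.34 GET http://akatsuki-eng.co.jp/api/get.php?id=Ym9iQGV4YW1wbGUub3Jn 200
2017-02-02T09:16:40Z 10.0.0.34 GET http://example.com/index.html 200
"""


def targeted_recipients(log_text: str) -> List[Tuple[str, str, str]]:
    """Yield (timestamp, client ip, decoded address) for each click seen."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        ts, client, _method, url, _status = fields[:5]
        addr = decode_tracking_id(url)
        if addr:
            hits.append((ts, client, addr))
    return hits


if __name__ == "__main__":
    for ts, client, addr in targeted_recipients(SAMPLE_LOG):
        print(f"{ts} {client} fetched lure addressed to {addr}")
```

Matching the decoded address against the mailbox that the client IP belongs to tells you whether the user clicked their own lure or someone forwarded it.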

FYI...

Fake 'notice to Appear' SPAM - delivers Kovter/Locky
- https://myonlinesecurity.co.uk/spoofed-fake-new-notice-to-appear-in-court-delivers-locky-and-kovter/
5 Feb 2017 - "... start of a campaign using 'New notice to Appear in Court' as the email subject. The attachments are identical to the typical .JS, .WSF, .lnk file inside a double zip. All the sites seen so far today are the -same- sites used in the USPS, FedEx, UPS current campaigns*...
* https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
... The attachments all start with a zip named along the lines of Notice_00790613.zip which contain -another- zip Notice_00790613.doc.zip which in turn contains Notice_00790613.doc.js ... All of the sites are listed on THIS post**... All the sites contain the -same- Malware downloads of Kovter and Locky. They do get updated frequently during the day...
** https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
... The infection process is described very well by this Microsoft blog post***...
*** https://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/spoofed-New-notice-to-Appear-in-Court.png

5 February 2017: Notice_00790613.doc.js - Current Virus total detections 11/54[4].
Payload Security[5]. Today’s eventual downloads: Locky (VirusTotal 6/56[6]). Kovter (VirusTotal 9/57[7])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
4] https://www.virustotal.com/en/file/bd16df103c3587736f82de1e72190cc253c234ff5418d7bf01d4e34d5e562df1/analysis/1486286066/
5] https://www.hybrid-analysis.com/sample/bd16df103c3587736f82de1e72190cc253c234ff5418d7bf01d4e34d5e562df1?environmentId=100
Contacted Hosts (176)
HTTP Traffic
97.74.144.118: https://www.virustotal.com/en/ip-address/97.74.144.118/information/
50.62.117.7: https://www.virustotal.com/en/ip-address/50.62.117.7/information/
107.181.187.77: https://www.virustotal.com/en/ip-address/107.181.187.77/information/
6] https://www.virustotal.com/en/file/b620808631f1a98d03a6574badeabe685b0ceae39697776000e3ca852e5d392e/analysis/1486287187/
7] https://www.virustotal.com/en/file/8490e3376f051dc36eb1b7729c18c4c66dd9984423c545f29c9de0c863ba27d3/analysis/1486287513/

___

Many Malware Samples found on Pastebin
- https://isc.sans.edu/diary.html?storyid=22036
2017-02-05

:ph34r::ph34r:  :grrr:

Edited by AplusWebMaster


FYI...

Fake 'To all employee’s' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fw-to-all-employees-malspam-delivers-dridex/
6 Feb 2017 - "... an email with the subject of 'FW: To all employee’s' pretending to come from Administrator <Administrator@ administrator .delivery> with a malicious word doc attachment... not 100% certain this is Dridex, Payload Security is unable to save to webservice on the Word Macro or the downloaded .exe file. The other samples doing that today are Dridex, so it looks like the Dridex gang have added some sort of anti-sandbox protection to itself...

Screenshot: to-all-employees.png

6 February 2017: EmployeeConfidential.doc - Current Virus total detections 2/54*
Payload Security** was unable to 'save to webservice'. VirusTotal comments gave me the download location:
  http ://fistnote .com/images/k6kkGcHpPi7m5iJprQPxPcoiVhmT7.exe (VirusTotal 11/55***). Payload Security again was unable to save to webservice Zip file attached... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/33627c03b65a860e6854e80f58fb4872aeb02b5e10cbccd7f035b407b662701e/analysis/1486399875/
** https://www.hybrid-analysis.com/sample/33627c03b65a860e6854e80f58fb4872aeb02b5e10cbccd7f035b407b662701e?environmentId=100
*** https://www.virustotal.com/en/file/40046dffcfb7799374301b2f78baca4953ede07e8baf8452ac4068edfa1bd227/analysis/1486399137/

fistnote .com: 208.56.226.20: https://www.virustotal.com/en/ip-address/208.56.226.20/information/
> https://www.virustotal.com/en/url/1df7432b36d769b77ebabb5dc1c6b92a587802cdad2e409cc003e25d9f9a957b/analysis/

___

Fake 'Shipping info' SPAM - delivers malware via macro word docs
- https://myonlinesecurity.co.uk/spoofed-usps-shipping-information-for-parcel-delivers-hancitor-and-other-malware-via-macro-word-docs/
6 Feb 2017 - "An email with the subject of 'Shipping information for parcel 3627458' pretending to come from USPS <shipping@ usps-service .com> with a malicious word doc attachment delivers hancitor which downloads Zloader and Pony which will download -more- malware... The email looks like:
From: USPS <shipping@ usps-service .com>
Date:
Subject: Shipping information for parcel 3627458
Attachment:
    Our courrier was not able to deliver your parcel because nobody was present at your address.
    Someone must always be present on the delivery day, to sign for receiving the parcel.
    Shipping type: USPS Next Day Box size: Large Box ( 2-5kg ) Date : Feb 6th 2017
    You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.
    Another delivery can be arranged, by calling the number on the delivery invoice we left at your address and confirming the shipping information, including the address and tracking number.
    A scanned copy of the delivery invoice can also be downloaded by visiting the USPS website:
    https ://tools.usps .com/web/pages/view.invoice?id=3627458&dest=submit@...
    In the exceptional case that a new delivery is not rescheduled in 24 hours, the shipment will be cancelled and the package will be returned to the sender.
    Thanks for shipping with USPS ...

6 February 2017: USPS_invoice_submit.doc - Current Virus total detections 4/54*
Payload Security**... The download link-in-the-body of the email is:
 http ://fam-life .jp/api/get.php?id=c3VibWl0QHRoZXNweWtpbGxlci5jby51aw==  where the base64 encoded section is the recipients email address. The downloaded word doc is created by adding the recipients name, or at least the bit before the @ in the email address... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/ecb1b06414b3e11d0bf66d2bfca5dd61ae529c6ec73f91ea2ee57bdb2c06a49b/analysis/1486405685/
** https://www.hybrid-analysis.com/sample/ecb1b06414b3e11d0bf66d2bfca5dd61ae529c6ec73f91ea2ee57bdb2c06a49b?environmentId=100

fam-life .jp: 157.7.107.28: https://www.virustotal.com/en/ip-address/157.7.107.28/information/
> https://www.virustotal.com/en/url/80f4d13ebf6b824e06170be769d98804c2b6ccaec647d101a3461106805102da/analysis/

:ph34r::ph34r:  :grrr:

Edited by AplusWebMaster
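The USPS campaign quoted in this post builds its download link with the recipient's own e-mail address base64-encoded in the "id" query parameter, which is how the Word document gets personalised. The following is an added example, not code from the post or from myonlinesecurity.co.uk: it scans a list of proxy-log URLs for query values that decode to an e-mail address, so that such personalised download links can be spotted in web logs. The hosts in the sample URLs are placeholders rather than the domain named in the post; the first "id" value is the one quoted in the post, and the remaining samples are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Pattern used to decide whether a decoded query value is an e-mail address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Pre-filter: standard base64 alphabet, optional '=' padding, length a multiple of 4.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_param(value):
    """Return the decoded text if value is strict base64 of printable ASCII, else None."""
    value = unquote(value)  # '%3D' -> '='; unquote() leaves '+' alone, unlike unquote_plus()
    if len(value) % 4 != 0 or not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def query_params(url):
    """Yield (name, raw_value) pairs without the '+'-to-space rewriting that parse_qsl() does."""
    for pair in urlsplit(url).query.split("&"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            yield name, value


def find_embedded_recipient(url):
    """Return (param_name, email) for the first query value that decodes to an e-mail address, else None."""
    for name, value in query_params(url):
        decoded = decode_base64_param(value)
        if decoded and EMAIL_RE.match(decoded):
            return name, decoded
    return None


def flag_personalised_downloads(urls):
    """Map each URL carrying a base64-encoded recipient address to that address."""
    hits = {}
    for url in urls:
        found = find_embedded_recipient(url)
        if found:
            hits[url] = found[1]
    return hits


# Constructed sample of proxy-log URLs; "malicious.example" and the other hosts are placeholders.
# The first 'id' value is the one quoted in the post; the second encodes alice@example.com here.
SAMPLE_URLS = [
    "http://malicious.example/api/get.php?id=c3VibWl0QHRoZXNweWtpbGxlci5jby51aw==",
    "http://malicious.example/api/get.php?id=" + base64.b64encode(b"alice@example.com").decode(),
    "https://shop.example/track?token=aGVsbG8gd29ybGQ=",   # valid base64, but not an address
    "https://cdn.example/static/app.js?v=20170206",         # base64 alphabet, decodes to non-text
]

if __name__ == "__main__":
    for url, email in flag_personalised_downloads(SAMPLE_URLS).items():
        print(f"{url} -> recipient {email}")
```

The strict decode (validate=True plus the ASCII and isprintable checks) is what keeps ordinary version strings and cache-busters from being reported: "20170206" is a legal base64 string but decodes to bytes that are not text, so it is dropped before the e-mail check.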


FYI...

Fake sex lure SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/get-laid-tonight-sex-lure-malspam-delivers-ransomware/
7 Feb 2017 - "The sex lures in an email always work. Curiosity is just too much for some recipients... an email with the subject of 'get laid tonight'  pretending to come from Alice Olsen <Alice.Olsen@ mail .com> with a very enticingly named zip attachment 'ourSexPhoto.zip' containing an .exe file with a definite sexy or pornographic lure 'byAliceforyouOurSexPhotosiwantyou .exe'... One of the emails looks like:
From: Alice Olsen <Alice.Olsen@ mail .com>
Date: Mon 06/02/2017 22:42
Subject: get laid tonight
Attachment: ourSexPhoto.zip
    Iam Thinking Of You ! My photos after our party

7 February 2017: ourSexPhoto.zip: Extracts to: byAliceforyouOurSexPhotosiwantyou.exe
Current Virus total detections 8/56*. Payload Security**... VT is differing between Sage ransomware and generic malware detections. Payload Security is inconclusive. Returns from Anti-Virus submissions vary between Generic Ransomware and Yakes Trojan... we can pretty much assume it is -ransomware- but there is some doubt which one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3428e9fb2d250ff24621f948f061f0ed12fba0a210ada1e38b83c8af5a09f0ca/analysis/1486431675/
** https://www.hybrid-analysis.com/sample/3428e9fb2d250ff24621f948f061f0ed12fba0a210ada1e38b83c8af5a09f0ca?environmentId=100

___

Fake 'Your order Canceled' SPAM - delivers sage ransomware
- https://myonlinesecurity.co.uk/your-order-canceled-fraud-malspam-delivers-sage-ransomware/
7 Feb 2017 - "... an email with the subject of 'Your order Canceled. fraud' pretending to come from Security Service <security-service@ mail .com> with a zip attachment containing an .exe file. The bad spelling should be enough to alert recipients... 'looks like a new version of Sage with updated decryption and what to do instructions... Drops a vbs file that gives -audio- alerts telling you that your files are encrypted:
    “Attention! Attention! This is not a test!
     All you documents, data bases and other important files were encrypted and Windows can not restore them without special software.User action is required as soon as possible to recover the file”
It also changes Bcdedit to prevent system recovery and of course deletes all shadow copies... One of the  emails looks like:
From: Security Service <security-service@ mail .com>
Date: Tue 07/02/2017 18:19
Subject: Your order Canceled. fraud
Attachment:
    Your order has been canceled.
    Your credit card is invalid.
    For an explanation of the reason you have 3 days.
    By discharging is distributed 3 days, your card will be blocked.
    All the details in the attached documents.

7 February 2017: Your.orderCanceled.fraud.zip Extracts to: Your.order10988322.Canceled. fraud.2017-01-15.exe
Current Virus total detections 9/57*. Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f042302d6de8e5e5cefb53820e950ecbd5f4113d565afde543a9524059b71d8d/analysis/1486490294/
** https://www.hybrid-analysis.com/sample/f042302d6de8e5e5cefb53820e950ecbd5f4113d565afde543a9524059b71d8d?environmentId=100
Contacted Hosts
91.214.114.197

:ph34r::ph34r:  :grrr:

Edited by AplusWebMaster
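The Sage write-up in this post describes behaviour (Bcdedit changed to prevent system recovery, shadow copies deleted, a .vbs dropped to play the audio alert) that a process-creation log can catch even on a day when antivirus detection is 9/57. The following is an added example, not code from the post or from myonlinesecurity.co.uk: it runs three rules over constructed Sysmon-style process events and correlates the hits per parent process, so that recovery sabotage is raised as one finding rather than three unrelated alerts. The exact command lines (vssadmin, wmic, wbadmin, the bcdedit options) are assumptions about how that behaviour is commonly carried out; the post does not quote Sage's own commands, and dropper.exe is a placeholder name.

```python
import re

# Each rule is a list of case-insensitive patterns over the process command line.
# The command forms are assumptions about what "changes Bcdedit" and "deletes all
# shadow copies" look like in practice; the post does not quote Sage's exact commands.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
        re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
    "script_host_from_user_dir": [
        # wscript/cscript running a .vbs out of a user-writable Temp or AppData path
        re.compile(r"\b[wc]script(\.exe)?\b.*\\(temp|appdata)\\.*\.vbs\b", re.I),
    ],
}

# Rules that, seen together from one parent, mark ransomware-style recovery sabotage.
SABOTAGE_PAIR = {"shadow_copy_deletion", "recovery_disabled"}


def match_rules(cmdline):
    """Return the names of all rules whose patterns match this command line."""
    return [name for name, pats in RULES.items() if any(p.search(cmdline) for p in pats)]


def scan_events(events):
    """Return (parent_image, rule_name) for every process-creation event that trips a rule."""
    findings = []
    for ev in events:
        for name in match_rules(ev["cmd"]):
            findings.append((ev["parent"], name))
    return findings


def sabotage_parents(events):
    """Parents that both deleted shadow copies and disabled recovery: the ransomware pattern."""
    seen = {}
    for parent, rule in scan_events(events):
        seen.setdefault(parent, set()).add(rule)
    return sorted(p for p, rules in seen.items() if SABOTAGE_PAIR <= rules)


# Constructed process-creation events (Sysmon Event ID 1 fields reduced to what the rules need).
# "dropper.exe" stands in for the e-mail attachment; it is not a name from the post.
SAMPLE_EVENTS = [
    {"parent": "dropper.exe", "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"parent": "dropper.exe", "cmd": r"bcdedit.exe /set {default} recoveryenabled No"},
    {"parent": "dropper.exe", "cmd": r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"parent": "dropper.exe", "cmd": r"wscript.exe C:\Users\victim\AppData\Local\Temp\alert.vbs"},
    {"parent": "cmd.exe", "cmd": r"bcdedit.exe /enum"},                  # an admin looking, not tampering
    {"parent": "backup-agent.exe", "cmd": r"vssadmin.exe list shadows"}, # listing, not deleting
]

if __name__ == "__main__":
    for parent, rule in scan_events(SAMPLE_EVENTS):
        print(f"{parent}: {rule}")
    print("recovery sabotage by:", sabotage_parents(SAMPLE_EVENTS))
```

The two benign events show why the rules key on the verb ("delete", "recoveryenabled no") rather than on the tool name: backup software lists shadow copies all day, and bcdedit /enum is routine administration, so neither should page anyone.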


FYI...

Fake 'Confidential documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/confidential-documents-spoofed-anz-bank-delivers-trickbot-banking-trojan/
9 Feb 2017 - "... An email with the subject of 'Confidential documents' pretending to come from random names @ anz .com with a malicious word doc attachment delivers Trickbot banking Trojan... The email looks like:
From: Kathy.Hilton@ anz .com
Date: Thu 09/02/2017 01:45
Subject: Confidential documents
Attachment: ANZ_message00207.doc
    Please review attached document.
    Kathy.Hilton@ anz .com
    Australia and New Zealand Bank
    1800-575-892 office
    1800-640-855 cell
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    CONFIDENTIAL NOTICE ...

9 February 2017: ANZ_message00207.doc - Current Virus total detections 6/54*
Payload Security**. Neither show anything definite, but searching around gave me these links to VirusTotal reports from the same campaign:
> https://virustotal.com/en/file/03f75c3d5cddbf39f6a9cad72ccc6649cec8959dd3bca87b2de80e036d054461/analysis/
Behavioural information > TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
47.18.17.114: https://www.virustotal.com/en/ip-address/47.18.17.114/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/
213.25.134.75: https://www.virustotal.com/en/ip-address/213.25.134.75/information/
> https://virustotal.com/en/file/8b90a15f656b86e0843c2b6ce93a2a70ae149b1c79c869c7bded2e3f569946a5/analysis/
> https://virustotal.com/en/file/0456c1052b86d6b7e36ca1246a7be81015762721a950fd56bb84c8bdafaf49d0/analysis/
Download sites appear to be:
- andiamoluggage .com/skin/frontend/holloway.png
- andiamoluggage .com/skin/frontend/fortis/ahjakacbakawda.png
- andiamoluggage .com/skin/install/not16.png
All of which are NOT png (image files) but renamed .exe files... Thanks to @Techhelplist[1]...
1] https://twitter.com/Techhelplistcom/status/829468826676899840

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a4927bc6bb5771a0f9c4e8c30be70a39504511813f1c1ac1f855e556d96fee13/analysis/1486618849/
** https://www.hybrid-analysis.com/sample/a4927bc6bb5771a0f9c4e8c30be70a39504511813f1c1ac1f855e556d96fee13?environmentId=100

andiamoluggage .com: 173.254.28.82: https://www.virustotal.com/en/ip-address/173.254.28.82/information/
> https://www.virustotal.com/en/url/e3a65811fdcaa954144fea3ea0bd1684f35155bf283c860df04a76deb17b9bd0/analysis/

___

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-hmrc-final-payment-request-delivers-something-looking-like-zbot-malware/
9 Feb 2017 - "An email with the subject of 'Final payment request' pretending to come from MatthewPeters@ hmrc.gsi .gov.uk with a malicious word doc attachment delivers what looks like a Zbot variant... The email looks like:
From: MatthewPeters@hmrc.gsi.gov.uk” <info@ nestpensions63 .top>
Date: Thu, 9 Feb 2017 13:24:00 +0100
Subject: Final payment request
Attachment: debt_93498438747.doc
    Date of issue 09 February 2017
    Reference K2135700006
    Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you.
    We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe.
    As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money.
    For more information and how to pay us please see attached statement.
    We’ll continue to add interest to the original debt until you pay in full.
    Debt Management ...

9 February 2017: debt_93498438747.doc - Current Virus total detections 7/53*
Payload Security** shows a download from http ://jsmkitchensandbedrooms .co.uk/explo.exe
(VirusTotal 4/57***) - Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a14e7835032ae95be99ed102fbdd54d639e69427185f2d652f0e041ce766ff4f/analysis/1486645244/
** https://www.hybrid-analysis.com/sample/a14e7835032ae95be99ed102fbdd54d639e69427185f2d652f0e041ce766ff4f?environmentId=100
94.199.185.21
172.227.109.213
185.162.9.59
*** https://www.virustotal.com/en/file/ca0e68593feffec57994bd02c6a84abd51375fe092f6a04e57e2d69d7e00c5ef/analysis/1486642865/
4] https://www.hybrid-analysis.com/sample/ca0e68593feffec57994bd02c6a84abd51375fe092f6a04e57e2d69d7e00c5ef?environmentId=100
Contacted Hosts
104.85.50.185
178.77.110.129
185.162.9.59

jsmkitchensandbedrooms .co.uk: 94.199.185.21: https://www.virustotal.com/en/ip-address/94.199.185.21/information/
> https://www.virustotal.com/en/url/f4ca65a193fd7b79eef486bd40e2688049454facb77b9ec2ef2cbf48f001cd55/analysis/

___

MacDownloader malware targets defense industry
- https://blog.malwarebytes.com/threat-analysis/2017/02/macdownloader-malware-targeting-defense-industry/
Feb 9, 2017 - "... this -malware- appears to be the work of Iranian hackers and is targeting US defense contractors, such as Lockheed Martin, Sierra Nevada Corporation, Raytheon, and Boeing. The malware was first found on a -spearphishing- site, claiming to offer 'Special Programs and Courses' to interns at these companies. The site showed a 'broken video' using the common trick of claiming that Adobe Flash Player was outdated and offering a link to a 'Flash installer':
> https://blog.malwarebytes.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-06-at-3.12.27-PM-600x472.png
To those who know better, this doesn’t really look much like an actual Adobe Flash Player installer, but many people won’t realize that. There are some other red flags as well, such as some odd phrasing and other errors in the text shown. The biggest red flag, though, is the name of the application shown in the menu bar next to the Apple menu. As can be seen from the screenshot above, it claims to be Bitdefender Adware Removal Tool. This is the first sign of a serious split personality issue in this malware, which can’t seem to decide whether it’s a Flash installer or an anti-adware program. Interestingly, if the user clicks the Close button here the malware quits without doing anything else. If the user chooses to proceed with the “update,” the malware will then show a rather odd window for what is supposed to be a Flash updater: a claim to have detected malware:
> https://blog.malwarebytes.com/wp-content/uploads/2017/02/MacDownloader-2-600x276.png
... there are some issues with phrasing and spacing in the text of this alert, not to mention the fact that a Flash updater should -not- be scanning your system like anti-virus software... This malware continues the recent malware trends on macOS. In the past year, nearly all true Mac malware (as opposed to adware) has been 1) lame and 2) targeted... This malware is no different, as it is being used to target US defense contractors via spearphishing, a technique in which links to specially-crafted malicious sites are sent to targeted individuals or groups via e-mail or other messaging services. The majority of Mac users will never see this malware and one would hope that most of those who do would not be fooled by the clumsy behavior. Still, it doesn’t take many to fall for the tricks employed by this malware to get access to sensitive accounts within an organization, which can be used to -pwn- the entire company."

 

:ph34r::ph34r:  :grrr:

Edited by AplusWebMaster


FYI...

Fake 'Xpress Money' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-xpress-money-compliant-report-malspam-delivers-java-adwind/
14 Feb 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... The email looks like:
From: elizabethst2.mel@ xpressmoney .com
Date: Mon 13/02/2017 23:45
Subject: Fwd: Reference: Xpress Money compliant report
Attachment: XPRESS MONEY UPTHRONI DATA.zip (contains 2 identical although differently named java.jar files)
    Dear Agent,
    The attached Compliant report was issued yesterday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked.
    Regards
    Nasir Usuman
    Regional Compliance Manager Pakistan & Afghanistan
    Global Compliance, Xpress Money ...

14 February 2017: XPRESS MONEY REFERENCES FOLLOW UP.jar.jar (287 kb) - Current Virus total detections 8/57*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af/analysis/1487047920/
** https://www.hybrid-analysis.com/sample/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af?environmentId=100

___

Fake 'Secure Message' SPAM - delivers malware
- https://myonlinesecurity.co.uk/rbc-royal-bank-secure-message-malspam-delivers-malware/
14 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from  RBC Royal Bank but actually coming from a -fake- domain imitating the RBC <service@ rbcroyalbanksecuremessage .com> with a malicious word doc attachment delivers an unknown malware...
The domain in the email address rbcroyalbanksecuremessage .com was registered today by criminals using privacy protection by Godaddy and hosted on Rackspace...

rbcroyalbanksecuremessage .com: 104.130.159.40: https://www.virustotal.com/en/ip-address/104.130.159.40/information/
23.253.233.16: https://www.virustotal.com/en/ip-address/23.253.233.16/information/

The email looks like:
From: RBC Royal Bank <service@rbcroyalbanksecuremessage .com>
Date: Tue 14/02/2017 17:13
Subject: Secure Message
Attachment: SecureMessage.doc
Secure Message
This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information. Note: You should not store confidential information unless it is encrypted.
CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure...

14 February 2017: SecureMessage.doc - Current Virus total detections 4/55*
Payload Security**.. neither give any real indication what it downloads..
Update: Thanks to help from another researcher***.. It downloads
 http ://sungkrorsang .com/jerohnimo.png which of course is -not- a png (image file) but a renamed .exe that the macro will rename & autorun. VirusTotal 10/59[4] | Payload Security[5]...

sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/a1b3d6504fbe577145c86b7191d5d4bd9a0486ba2c1d36145c37d4c4ff101b8e/analysis/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa/analysis/1487094048/
** https://www.hybrid-analysis.com/sample/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa?environmentId=100
***
4] https://www.virustotal.com/en/file/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3/analysis/1487095755/
5] https://www.hybrid-analysis.com/sample/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3?environmentId=100
Contacted Hosts
78.47.139.102
47.18.17.114
213.25.134.75
219.93.24.2
192.189.25.143

___

Safeguard Account Update – phish
- https://myonlinesecurity.co.uk/hsbc-safeguard-account-update-phishing/
14 Feb 2017 - "Another Banking phish. This time HSBC. What makes this “slightly” more believable is the url the phishing email leads to http ://hsbc-verify .org.uk/ - which is a very plausible web address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc-safeguard-phishing-email.png

The link goes to http ://hsbc-verify .org.uk/  where you see a webpage like this*, which leads to a typical set of phishing pages asking for all your bank, credit card and personal details, so they can empty your bank and credit card accounts and take over your identity completely:
* https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc_verify.png
... registrars are not taking enough precautions and allowing dodgy domain names to be registered to non existent people..."

hsbc-verify .org.uk: 91.218.247.93: https://www.virustotal.com/en/ip-address/91.218.247.93/information/
> https://www.virustotal.com/en/url/7f9c17276c63fe0e02de98f7ac20f058e88c3b61e507ea81d7842c425d7952f2/analysis/

:ph34r::ph34r:  :grrr:

Edited by AplusWebMaster


FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-hmrc-secure-message-malspam-delivers-trickbot/
15 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from HM Revenue & Customs with a malicious word doc attachment delivers Trickbot banking Trojan... The sending domain for these malspam emails was hmrcgovsec .co.uk which was registered -today- by criminals via Godaddy. Godaddy have jumped on this very quickly & suspended the domain within a few minutes of the first batch being sent...

Screenshot: hmrc_secure_message_malspam-email.png

hmrcgovsec .co.uk: 172.99.114.9: https://www.virustotal.com/en/ip-address/172.99.114.9/information/

15 February 2017: SecureCommunication.doc - Current Virus total detections 4/55*
Payload Security**..  as usual nothing is showing the download location or what actual malware this is...
Update: I am reliably informed*** the download location is:
 http ://fistnote .com/images/CV6amPf8jsgJeHVgLX.png which of course is renamed .exe and -not- an image file
(Payload Security[4]) (VirusTotal 9/56[5]) (VirusTotal 2/64[6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fcdfe2b640fd560c2c72becd2dc27e004cd91638a47ce5845b5ec3b338c0e190/analysis/1487167293/
** https://www.hybrid-analysis.com/sample/fcdfe2b640fd560c2c72becd2dc27e004cd91638a47ce5845b5ec3b338c0e190?environmentId=100
***
4] https://www.hybrid-analysis.com/sample/58257114a4a7bc8384933110dd8d6e3f9e0099c664cca6a9db9f903f2dd3e3b3?environmentId=100
Contacted Hosts
78.47.139.102
47.18.17.114
213.25.134.75
219.93.24.2
192.189.25.143
5] https://www.virustotal.com/en/file/58257114a4a7bc8384933110dd8d6e3f9e0099c664cca6a9db9f903f2dd3e3b3/analysis/1487168128/
6] https://www.virustotal.com/en/url/d1682a945ca3d46e9e84df11f92878e5dc9621fc19daecec8179e77882e692e5/analysis/

fistnote .com: 208.56.226.20: https://www.virustotal.com/en/ip-address/208.56.226.20/information/
> https://www.virustotal.com/en/url/d1682a945ca3d46e9e84df11f92878e5dc9621fc19daecec8179e77882e692e5/analysis/

- http://blog.dynamoo.com/2017/02/malware-spam-rbc-secure-message.html
15 Feb 2017 - "... Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings:
> https://1.bp.blogspot.com/-FqntNZLfbiY/WKS1maD9bOI/AAAAAAAAKP8/rAX1avueYc0sZWCSA3s74gAqQ1LG3sCOACLcB/s1600/fake-rbc.png
... The domain rbc-secure-message .com is -fake- and has been registered solely for this purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:
64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150
I recommend you block 64.91.248.128/27 at your email gateway to be sure."

___

Personalized SPAM - uses hijacked domains
- http://blog.dynamoo.com/2017/02/highly-personalised-malspam-making.html
15 Feb 2017 - "This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:
    Sent: 14 February 2017 13:52
    To: [redacted]
    From: <customer@ localpoolrepair .com>
    Subject: Mr [Redacted] Your order G29804772-064 confirmation
    Dear Mr [redacted],
    Thank you for placing an order with us.
    For your reference your order number is G29804772-064.
    Please note this is an automated email. Please do not reply to this email.
    Get your order G29804772-064 details
Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.
Delivery Address [address redacted] [telephone number redacted]
Delivery Method: Standard Delivery
Your Order Information
Prices include VAT at 20%
Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive...

The data in the spam was identifiable as being a few -years- old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach. I was not able to extract the final payload, however the infection path is as follows:
 http ://bebracelet .com/customerarea/notification-processing-G29804772-064.doc
--> http ://customer.abudusolicitors .com/customerarea/notification-processing-G29804772-064.doc
--> https ://customer.affiliate-labs .net/customerarea/notification-processing-G29804772-064.zip
... So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click-the-link?
Recommended blocklist (email)
188.214.88.0/24
Recommended blocklist (web)
5.152.199.228: https://www.virustotal.com/en/ip-address/5.152.199.228/information/
185.130.207.37: https://www.virustotal.com/en/ip-address/185.130.207.37/information/ - Country code - ZZ
185.141.165.204: https://www.virustotal.com/en/ip-address/185.141.165.204/information/ - Country code - ZZ"

:ph34r::ph34r:  :grrr:

Edited by AplusWebMaster


FYI...

Fake 'Company Complaint' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-companies-house-id-8d6ba737-775e8bdc-f95f16f3-1b460259-company-complaint-malspam-delivers-trickbot/
16 Feb 2017 - "An email with the subject of 'ID 8d6ba737-775e8bdc-f95f16f3-1b460259 – Company Complaint' pretending to come from Companies House <no-reply@ companieshousecomplaints .uk> with a malicious word doc attachment delivers Trickbot...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/ID-8d6ba737-775e8bdc-f95f16f3-1b460259-Company-Complaint.png

If you open the word doc you see a screen looking like this*. DO NOT enable macros or content or enable editing, you -will- be infected:
* https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/spoofed-companies-house-complaint-secure-document.png

16 February 2017: 8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current Virus total detections 4/55*
Payload Security**.. Neither shows the download but it looks like the download location for the trickbot payload is
 http ://www.sungkrorsang .com/hustonweare.png which is -not- an image file but a renamed .exe  (VirusTotal 12/57***) (Payload Security[4])... As usual the domain sending these was registered by criminals today 16 February 2017 using Godaddy, with what are certain to be -fake- details:
canonical name: companieshousecomplaints .uk
addresses: 104.130.246.14
23.253.233.18
104.130.246.9 ..
104.239.201.9

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2/analysis/1487245555/

** https://www.hybrid-analysis.com/sample/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2?environmentId=100

*** https://www.virustotal.com/en/file/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665/analysis/1487246635/

4] https://www.hybrid-analysis.com/sample/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665?environmentId=100
Contacted Hosts
78.47.139.102
58.52.155.163
217.29.220.255
200.120.214.150
77.222.42.240

sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/47ea3703624f7191b559848afef5f956cbd563ed86ba13c0ede6b3c956b0bb92/analysis/

 

:ph34r::ph34r:  :grrr:
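Several of the posts above (the ANZ Trickbot, RBC Secure Message, HMRC Secure Message and Company Complaint campaigns) make the same point: the payload is served as a .png that is really a renamed .exe, and the macro renames it back before running it. The extension and the Content-Type therefore say nothing about what was downloaded; the leading bytes do. The following is an added example, not code from the posts or from myonlinesecurity.co.uk: it compares the image type a download claims (by URL extension or Content-Type) with the bytes actually received and flags an MZ/PE executable posing as an image, which is a check a proxy or sandbox can apply to every "image" fetched by an Office process. The sample bytes are constructed (the minimal PE stub is a header only, not a runnable program) and the hosts are placeholders.

```python
import struct
from urllib.parse import urlsplit

# Leading bytes ("magic") of the formats that matter here: the image types a URL may
# claim, and the DOS/PE header that a renamed Windows executable actually carries.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "mz": b"MZ",
}
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def sniff(data):
    """Identify the content by its leading bytes, ignoring the name it was served under."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_pe(data):
    """True if data has a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def claimed_extension(url):
    """Lower-cased extension of the URL path's last segment, or '' if it has none."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def check_download(url, content_type, data):
    """Compare what the URL and Content-Type claim with what the bytes are; flag executables posing as images."""
    ext = claimed_extension(url)
    kind = sniff(data)
    if kind == "mz" and is_pe(data):
        kind = "pe-executable"
    claims_image = ext in IMAGE_EXTENSIONS or content_type.startswith("image/")
    return {
        "url": url,
        "claimed_ext": ext,
        "content_type": content_type,
        "actual": kind,
        "disguised_executable": claims_image and kind in ("mz", "pe-executable"),
    }


def minimal_pe():
    """Constructed 68-byte stand-in for an .exe: 'MZ' stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40. Header only."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed samples; the hosts are placeholders, not domains from the posts.
SAMPLES = [
    ("http://malicious.example/skin/frontend/holloway.png", "image/png", minimal_pe()),
    ("https://cdn.example/img/logo.png", "image/png", MAGIC["png"] + b"\x00\x00\x00\x0dIHDR"),
    ("https://cdn.example/download/setup.exe", "application/octet-stream", minimal_pe()),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = check_download(*sample)
        print(f"{v['url']}: claims .{v['claimed_ext'] or '?'} / {v['content_type']}, is {v['actual']}"
              f"{'  <-- DISGUISED EXECUTABLE' if v['disguised_executable'] else ''}")
```

The third sample is the control: a real installer served as .exe with an honest Content-Type is still a PE, but it claims nothing, so it is reported rather than flagged. Only the combination of an image claim and an MZ/PE body is the mismatch these campaigns rely on.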


FYI...

Fake 'Urgent Compliance' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-xpressmoney-western-union-urgent-compliance-status-of-transfer-malspam-delivers-java-adwind/
20 Feb 2017 - "... previously mentioned many of these HERE[1]... a slightly different subject and email content to previous ones. They can’t seem to decide if it should be Xpress money or Western Union, so they decided to have an email body with a Western Union Content but pretend to send from Xpress money. I am also getting some from Spoofed Western Union Addresses...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... The email looks like:
From: elizabethst2 .mel@ xpressmoney .com
Date: Mon 20/02/2017 00:47
Subject: Urgent Compliance, Status of transfer
Attachment: Details.zip
    Dear agent,
    Please kindly check the status of  this transaction. The remitter
    demands for the payment record, because the beneficiary denied the
    payment that He didn’t receive this money.
    So Please kindly check this transaction if it was paid,please arrange us the
    receipt of transaction
    Regards,
    Senzo Dlamini
    Regional Ops Executive
    WesternUnion International ...

20 February 2017: Urgent Compliance.jar - Current Virus total detections 6/58*
Payload Security**.. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b/analysis/1487576150/
** https://www.hybrid-analysis.com/sample/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b?environmentId=100
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/
20 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... the email contains a genuine PDF file with an-embedded-link that downloads the java Adwind zip. The zip contains -2- different sized and named java files. The link in the pdf goes to:
 http ://www.greavy .com/wp-includes/certificates/CERTIFICATE%20DETAILS%20AND%20WUPOS%20UPDATE%20MANUAL.zip
which extracts to -2- java.jar files hoping that if one fails the second will get you. Although both are detected as Java Adwind on Virus Total, the Payload Security reports do show different behaviour for each file...

New E-maual and updated payout procedures.jar (507kb)  VirusTotal 6/58* | Payload Security**
WU certificate and agent updated branch details..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
The email looks like:
From: Western Union IT Dept. <wu.it-dept@ outlook .com>
Date: Mon 20/02/2017 02:37
Subject: WUPOS Agent Upgrade For All Branches.
Attachment: Details.zip
    Dear All,
    Western Union ,IT Department  data is posting upgrade for new version of WUPOS.Please  download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen
    Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue.
    Thanks & Regards, IT Department Western Union...

The pdf looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/wupos-update.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/
** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100
*** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/
4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
Contacted Hosts
83.243.41.200

greavy .com: 180.240.134.105: https://www.virustotal.com/en/ip-address/180.240.134.105/information/
> https://www.virustotal.com/en/url/059494b4e1a329645378d93c797dbdebe5e5c428f155f8c6bf9d69b3e3aa83b4/analysis/

___

Fake 'Secure Bank Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-lloyds-bank-important-secure-bank-documents-malspam-delivers-trickbot-banking-trojan/
20 Feb 2017 - "... an email with the subject of 'Important – Secure Bank Documents'... pretending to come from Lloyds Bank <no-reply@ lloydsbanksecuredocs .com> delivers Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/lloyds-bank-secure-documents.png

20 February 2017: BACs.doc - Current Virus total detections 7/55*
I am informed about 2 known download locations for the Trickbot malware:
 www .sungkrorsang .com/hostelfrost.png and wp .pilbauer .com/wp-content/uploads/lordsofsteel.png
There probably are many more. VirusTotal 11/57*... The sending email Address lloydsbanksecuredocs .com was registered by criminals -today- using Godaddy and Privacy protection. It is -not- a genuine Lloyds bank web site or web address.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2ba82eb83d32e55787f00b753be8d75b143e7a0984918010719a3ee0f0334743/analysis/1487606754/
** https://www.virustotal.com/en/file/6356ed6ca05c8f87f1ae34aa1f3c4a119c5b6e811b00cb996ba688cc6695f683/analysis/1487607471/

lloydsbanksecuredocs .com: 45.55.36.38
159.203.126.233
159.203.117.63
159.203.115.143
159.203.170.214

sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/27e7a98cde7df7094f20d32db75dcfa5d9625fa9e2a73bcf2e89e9fe32184e02/analysis/

pilbauer .com: 178.217.244.53: https://www.virustotal.com/en/ip-address/178.217.244.53/information/

:ph34r::ph34r:  :grrr:


FYI...


Rogue Chrome extension - tech support scam
- https://blog.malwarebytes.com/threat-analysis/2017/02/rogue-chrome-extension-pushes-tech-support-scam/
Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them... 'wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
> https://blog.malwarebytes.com/wp-content/uploads/2017/02/TSS1.png
... We detect and remove this one as Rogue.ForcedExtension.
IOCs:
Fake extension: pakistance .club: 104.27.185.37: https://www.virustotal.com/en/ip-address/104.27.185.37/information/
104.27.184.37: https://www.virustotal.com/en/ip-address/104.27.184.37/information/
lfbmleejnobidmafhlihokngmlpbjfgo
Backend server (ad fraud/malvertising):
amserver .info: 104.31.70.128: https://www.virustotal.com/en/ip-address/104.31.70.128/information/
104.31.71.128: https://www.virustotal.com/en/ip-address/104.31.71.128/information/
qma0.2dn .xyz: 173.208.199.163: https://www.virustotal.com/en/ip-address/173.208.199.163/information/
Tech support scam:
microsoft-official-warning .info: 66.23.230.31: https://www.virustotal.com/en/ip-address/66.23.230.31/information/
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/more-spoofed-western-union-malspam-continues-to-deliver-java-adwind/
21 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day...
1] https://myonlinesecurity.co.uk/?s=java+adwind
The java Adwind versions are exactly the same as yesterday’s versions detailed HERE[2]. The zip once again contains -2- different sized and named java files; although named differently to yesterday’s versions, they are identical.
2] https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Western-Union-rtra-rules.png

DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb)  VirusTotal 8/58* | Payload Security**
WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/
** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100
*** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/
4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100

Contacted Hosts
83.243.41.200
___

BoA 'Access Locked' - phish
- https://myonlinesecurity.co.uk/bank-america-phishing-scam/
21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is a FTP site which is very unusual...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Bank-of-America-Alert-Your-Online-Access-is-Temporarily-Locked.png

The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm
where you see a site looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/BofA_FTP_signon.png "

121.170.178.35: https://www.virustotal.com/en/ip-address/121.170.178.35/information/
> https://www.virustotal.com/en/url/317ec9b5c767caf2f0697361e99c2f8fe2254e7ee51abb1779a2954dd63e2497/analysis/

___

'TurboTax' - phish
- https://myonlinesecurity.co.uk/turbotax-important-notice-request-for-account-update-phishing/
21 Feb 2017 - "Another phishing scam, this time TurboTax:

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-Important-Notice-Request-for-Account-Update.png

The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-phishing-page.png "

whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-address/205.204.89.214/information/
> https://www.virustotal.com/en/url/293b141852f722080d51e30d062d8f5703a1646296e460b0ede687cdb8fd26d6/analysis/

:ph34r::ph34r:  :grrr:


FYI...


Fake 'Secure Bank Comm' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-canada-revenue-agency-important-secure-bank-communication-malspam-delivers-trickbot-banking-trojan/
22 Feb 2017 - "An email with the subject of 'Important – Secure Bank Communication' coming from either Canada Revenue Agency <no-reply@ secure-gc .ca> or Canada Revenue Agency <no-reply@ securegcemail .ca> with a malicious word doc attachment delivers Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/canada-revenue-agaency-secure-doc.png

22 February 2017: SecureDoc.doc - Current Virus total detections 2/55[1] 2/55[2]
Payload Security [1A] [2A] none of which are showing the download location of the actual Trickbot itself, although it is on Virus Total 20/58[3]. I am informed[4] the download location is
 www .TPSCI .COM/pngg/granionulos.png -or- http ://www .sungkrorsang .com/fileFTP/granionulos.png
which of course is -not- an image file but a renamed .exe... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a/analysis/1487783258/
2] https://www.virustotal.com/en/file/bea79c0a9445e48019cb65c494d90a366ae9f4f45ea3a330beb39dbddecb072b/analysis/
1A] https://www.hybrid-analysis.com/sample/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a?environmentId=100
2A] https://www.hybrid-analysis.com/sample/bea79c0a9445e48019cb65c494d90a366ae9f4f45ea3a330beb39dbddecb072b?environmentId=100
3] https://www.virustotal.com/en/file/8dbddb55d22bff09a5286e10edc104e67dec8c864bc06a797183e9b898423427/analysis/
4] https://twitter.com/GossiTheDog/status/834453695299518464

 

TPSCI .COM: 203.121.180.74: https://www.virustotal.com/en/ip-address/203.121.180.74/information/
> https://www.virustotal.com/en/url/8d2abb870d46dd468b8c01246ce20f2266da858215f65b960ff1e1960a1ce0cb/analysis/

sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/773bfa543ee80ce5ca0db5dda59ec2002f0de997b3d2975fb071e258e1fda633/analysis/
___

Dropbox phish
- https://myonlinesecurity.co.uk/you-have-2-new-documents-dropbox-phishing/
22 Feb 2017 - "Another phishing email, this time spoofing -Dropbox- where you land on a page with lots of different email providers and the evil scum doing these phishes will pop up the appropriate one for you to enter all your details, pretending that you can now sign into dropbox using your email address. After giving the details you get sent to the genuine DropBox site:

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing_email.png

The -link- goes to http ://www.pedraforte .net/js/index/klnkjfe/dropbox/dropbox/ (there might be other sites, there usually are with these scams) where you see a page looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing.png
Select -any- of the links and you get:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing1.png "

pedraforte .net: 192.185.217.111: https://www.virustotal.com/en/ip-address/192.185.217.111/information/
> https://www.virustotal.com/en/url/85c6b743832fca360807f9633efbab6f1ee415ab0ccafc0188e1d05ae6a5552e/analysis/

:ph34r::ph34r:  :grrr:

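Several of the Trickbot posts above note that the payload is fetched from a URL ending in .png but is really a renamed .exe, and the Adwind posts describe .jar files inside a Details.zip. The Python below is an added example (not code from the forum posts or from myonlinesecurity.co.uk) of the check a mail gateway or web proxy can apply: classify a file by its leading bytes and flag when that disagrees with the extension it claims. Every byte string and file name in it is constructed for the demonstration; hustonweare.png is used only as the label from the post.

```python
"""Extension-vs-content mismatch check (added example; sample bytes are constructed)."""
import struct
from typing import Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"                 # real PNG files start with this signature
ZIP_MAGIC = b"PK\x03\x04"                         # .zip, .jar and .docx are all zip containers
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (OLE2 compound file)

# Sniffed types that are legitimate for a given claimed extension.
EXPECTED = {
    "png": {"png"},
    "exe": {"pe", "mz"},
    "jar": {"zip"},
    "zip": {"zip"},
    "doc": {"ole", "zip"},
}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # e_lfanew at offset 0x3c points at the "PE\0\0" signature of a Windows executable.
        pe_off = struct.unpack_from("<I", data, 0x3c)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
        return "mz"  # DOS-style executable without a PE header; still not an image
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (mismatch?, sniffed_type). Extensions not in EXPECTED are not judged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    allowed = EXPECTED.get(ext)
    if allowed is None:
        return False, kind
    return kind not in allowed, kind


def constructed_pe() -> bytes:
    """Minimal MZ/PE header shape (constructed, not a real program) for testing."""
    header = bytearray(b"MZ" + b"\0" * 0x3e)
    struct.pack_into("<I", header, 0x3c, 0x40)   # e_lfanew -> right after this header
    return bytes(header) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    # The case from the posts: a ".png" download that is actually an executable.
    print(extension_mismatch("hustonweare.png", constructed_pe()))    # (True, 'pe')
    print(extension_mismatch("Details.zip", ZIP_MAGIC + b"\0" * 26))  # (False, 'zip')
```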
