Fake Facebook pwd SPAM - Recoverypassword.zip and Facebook-SecureMessage.exe
26 Nov 2013 - "This -fake- Facebook message comes with a malicious attachment:
Date: Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From: Facebook [update+hiehdzge@ facebookmail .com]
Subject: You requested a new Facebook password!
You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Read your secure message by opening the attachment, Facebook-SecureMessage.zip.
Didn't request this change?
If you didn't request a new password, let us know immediately.
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42*. Automated analysis tools... shows attempted connections to developmentinn .com on 18.104.22.168 (Cogent, US) and spotopia .com on 22.214.171.124 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or not."
Xerox Incoming Fax Spam
Nov 26, 2013 - "Subjects Seen:
INCOMING FAX REPORT : Remote ID: 633-553-5385 [/i]
Typical e-mail details:
INCOMING FAX REPORT
Date/Time: 11/26/2013 04:51:31 EST
Speed: 17766 bps
Connection time: 07:01
Remote ID: 633-553-5385
Line number: 633-553-5385
Description: Сost sheet for first half of 2013.pdf
Malicious File Name and MD5:
Tagged: Xerox, Upatre
Fake Loan site delivers adware
Nov 26, 2013 - "... a fake loan page from an equally fake financial institution called “Trust Financial Group”.
Once users visit trustfinancial(dot)org, they are -redirected- to a default page serving a loan decision document. In order for visitors to see its unblurred version, they have to install a “secure loan viewer” application. Unfortunately, users will find out that the name of the program is actually called “Search Smarted and Search Assistor” and is signed by a verified publisher called Access Financial Resources, Inc.
Here’s another sample that we have acquired:
A quick search on Google for the name points me to a small company of financial planners in Oklahoma, but I can’t find connections to any legitimate software it’s involved in or to “Trust Financial Group”. We can count on the idea that whoever is behind the bogus page and brand had used the name of a legitimate small financial company to make the certificate appear more authentic, which in turn makes the applications seem legit. Unfortunately, this is -not- the case. The files are not document viewer applications, but they are -adware- programs that, once installed, -injects- ads into search engine results.
... Eric Howes, ThreatTrack Security’s Principal Lab Researcher, “The domains used here are all anonymously registered. And while this attack technically isn’t a phishing attack, it is exploiting users’ trust and faith in financial institutions to trick them into installing adware.” Our researchers have further determined that the ads being injected are pulled through the domain, ez-input(dot)info, which was also registered anonymously..."
Something evil on 126.96.36.199
26 Nov 2013 - "188.8.131.52 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java -exploit- kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples* ..."
(More detail at the dynamoo URL above.)
Blackshades Rat usage on the rise...
Nov 25, 2013 - "... Blackshades RAT, detected by Symantec products as W32.Shadesrat, will gather passwords and credentials from infected systems, sending them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat, but also several -other- malware families.
Shadesrat evolution since July 2013:
> http://www.symantec....l Exploit 1.png
For the last few years we have seen a spectacular increase of attacks against Web servers using recently discovered vulnerabilities to target industries, think tanks, government institutions and users. In all cases, the attacker’s goal is very clear; to execute a malicious payload on the user’s computer. The attackers managed to do this using different exploit kits. When Symantec observed the increase of W32.Shadesrat infections, we identified hundreds of C&C servers being used to gather credentials from compromised computers. W32.Shadesrat targets a wide variety of credentials including email services, Web services, instant messaging applications, and FTP clients. Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information. During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point, and until the arrest of the author of the Blackhole Exploit Kit and the Cool Exploit Kit, the latter has been the most prevalent. These kits try to exploit different vulnerabilities in the user’s computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.
> http://www.symantec....l Exploit 2.png
We also observed that after the arrest of the author of the Blackhole Exploit Kit and Cool Exploit Kit, both exploit kits have nearly disappeared, leaving Neutrino as the new kit of choice.
> http://www.symantec....l Exploit 3.png
Once an unsuspecting user has been compromised, -multiple- payloads are downloaded and used to retain control by using Remote Administration Tools or downloaders that enable them to install additional malware with new functionalities. The C&C servers also spread the following other malware threats.
> http://www.symantec....l Exploit 4.png
... The distribution of the threats suggests that the attackers attempted to infect as many computers as possible. The attackers do not seem to have targeted specific people or companies. This demonstrates how complete the threat landscape is, as well as the resources that attackers have at their disposal. Don’t forget to make sure that your software is up-to-date and that your antivirus solution has the latest definitions."
Edited by AplusWebMaster, 27 November 2013 - 09:35 AM.