Fake Citicorp SPAM – PDF malware
14 Aug 2014 - "Citicorp Mail Out Report Attached pretending to come from CITICorp <random name @ citicorp .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
From Securitas, please do not reply to this e-mail as it is auto generated.
For any problems please e-mail derry.andrews@ securitas .uk .com
14 August 2014 Q100515078_Mail Out Report.zip (9kb): Extracts to Q100229861_Mail Out Report.exe
Current Virus total detections: 3/54* . This Citicorp Mail Out Report Attached is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
Fake Charity Trends SPAM ...
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Oder invoice 9156230_08.xls”. This email is send from the spoofed address and has the following body:
Please find attached invoice #9156230_08 from 13/08/2014.
Reyes Mcdaniel .
We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via hxxp ://www.charitytrends .org/ContactUs.aspx
The attached ZIP file has the name 9156230_08.zip which contains the folder Inv_3145835_453_979154.xls. In this folder the 131 kB large file Inv_3145835_453_979154.xls.scr is found. Please note that the subject line and attachment file names may change with each message.
The trojan is known as Backdoor.Bot.ED. At the time of writing, 1 of the 53 AV engines did detect the trojan at Virus Total*..."
Aug 14, 2014 - "... intercept a new trojan distribution campaign by email with the subject “Thank you for your generous donation! Charity Trends .”. This email is send from the spoofed address and has the following body:
Thank you for your generous donation of 2623 GBP, which we received today.
Your generosity will make an immediate difference in the lives of many people who need your help. The funds raised will go toward them.
You will find all information about your donation in zip archive.You are making a difference!
Thanks again for your kindness,
Elsa Nash ...
The attached ZIP file has the name DON_9683272_90.zip and contains the folder DON_4356984_08_14_14. Indside this folder, the 102 kB large file DON_4356_45984_08_14_14.scr will be found. Please note that the subject line and attachment file names may change with each message. The trojan is known as Trojan/Win32.Zbot, Win32:Malware-gen, HEUR/Malware.QVM20.Gen or Mal/Generic-S... 4/54 VirusTotal*..."
Fake Citibank SPAM - PDF malware
14 Aug 2014 - "'Citibank RE: Account documents' have been uploaded pretending to come from Citibank <noreply@ citibank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like"
RE: Account Documents
Your Documents have been uploaded to dropbox. In order to download / view Please click here to download / view .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record...
14 August 2014 Document-7119.zip ; Extracts to Document-7119.scr ;
Current Virus total detections: 0/54* . This 'Citibank RE: Account documents have been uploaded' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
Aug 14, 2014 - "... we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older crpytolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev’s botnet. That is a major portion of the traditional red GUI cryptolocker that became famous... since the emergence of their tool to decrypt files for free, there has been a new encrypting ransomware going around that aims at scamming you into thinking this is a similar helpful tool – except that it demands something all -scams- do - payment:
This newest edition to the ever popular business model that is encrypting ransomware doesn’t really have many improvements over the others we’ve already seen. Using -Bitcoin- for payment is standard now. This variant doesn’t show the GUI untill all encryption is completed and the computer is suddenly restarted. Upon restart this window is presented and threatens that you will lose all your files if you close or remove it. The payment structure is right where industry average is – PAINFUL. This specific variant we analyzed does not delete the VSS (Volume Shadow Service) and you can get all your files back by using programs like Shadow Explorer... expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution... remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity..."
Suspicious login message Faked, distributes Backdoor
Aug 14, 2014 - "Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:
Sample spam email:
Even though the email message is -similar- to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did -not- match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form... all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user... Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):
Fake plugin download page:
... while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This -backdoor- steals email credentials and user names and passwords. It also logs -keystrokes- as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers... The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same... As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a -compromised- website’s mailer system and an IPv6 address, which can also evade email reputation services..."
(More detail at the trendmicro URL at the top.)
Beware of Risky Ads on Tumblr
Aug 14, 2014 - "Online users have come to rely on social media and social networking sites to also update them on current events and commentaries, general news, and what’s happening just down the street and around the corner. Twitter and Facebook are the first go-to sites for most when it comes to real-time news updates. For some, Tumblr.
We found the above site posting what appears as news clips but not on a daily basis, as indicated in the URL, unfortunately. According to Google Translate, the site uses both Swahili and Urdu. This site serves ads on its default page and on individual posts. So every time someone shares one, the ads are shared with it. Below is a screenshot of a post:
Online advertisement is a major source of revenue. Unfortunately, normal ads can easily become malvertisements, serving as a go-between for users and sites hosting -malicious- software. For this particular Tumblr page, it uses the ad network Yllix Media. Google Safe Browsing profiled its official website here*. Other third-party sites either blacklist** the domain or flag it as untrustworthy*** due to its history of leading users to infected sites. As of this writing, the ads are benign, but we may never know several months from now if this will still be the case... we encourage you to use ad blockers, such as AdBlock Plus (ABP) or NoScript (for Mozilla-based browsers only), if you don’t want ads to appear on sites you visit..."
Edited by AplusWebMaster, 14 August 2014 - 04:50 PM.