SPAM frauds, fakes, and other MALWARE deliveries...

1351 replies to this topic

#1351 AplusWebMaster

Posted Yesterday, 07:26 AM


- http://blog.dynamoo....ef844127rh.html
17 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
    From:    Briana
    Date:    17 December 2014 at 08:42
    Subject:    PL REMITTANCE DETAILS ref844127RH
    The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
    This email was generated using PL Payment Remittance of Integra Finance System.
    Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros.. which then reach out to the following download locations:
http ://
http ://
The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55*. The ThreatTrack report shows it POSTing to the following IP: (PE "Filipets Igor Victorovych", Ukraine)
This IP has been used in several recent attacks and I strongly recommend blocking it. The Malwr report also shows it dropping a malicious DLL identified as Dridex. The ThreatExpert report gives some different IPs being contacted: (Denes Balazs / HostEurope, Germany) (PlusServer, Germany)
The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:
1] https://www.virustot...sis/1418810946/

2] https://www.virustot...sis/1418810941/

* https://www.virustot...sis/1418810686/

> http://blog.mxlab.eu...ls-in-the-wild/
Dec 17, 2014
Screenshot of the XLS: http://img.blog.mxla...mittance_01.gif
- https://www.virustot...6cae3/analysis/

> http://myonlinesecur...el-xls-malware/
17 Dec 2014
- https://www.virustot...sis/1418816542/

> https://www.virustot...sis/1418817871/

Fake 'Blocked ACH Transfer' SPAM - malicious DOC attachment
- http://blog.dynamoo....-malicious.html
17 DEC 2014 - "Another spam run pushing a malicious Word attachment..
    Date:    17 December 2014 at 07:27
    Subject:    Blocked ACH Transfer
    The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.
    Canceled transaction
    ACH file Case ID     623742
    Total Amount     2644.93 USD
    Sender e-mail     info@mobilegazette.com
    Reason for rejection     See attached word file
    Please see the document provided below to have more details about this issue...

Screenshot: https://2.bp.blogspo...k/s1600/ach.png

Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55*. Inside this is a malicious macro... which downloads a file from:
http ://www.lynxtech .com.hk/images/tn.exe
This has a VirusTotal detection rate of just 1/54**. The Malwr report shows it POSTING to (Fornex Hosting, Germany) and also a query to (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.
Recommended blocklist:
* https://www.virustot...sis/1418826644/

** https://www.virustot...sis/1418826840/

Exploit Kits in 2014
- http://blog.trendmic...t-kits-in-2014/
Dec 17, 2014 - "... Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:
    CVE-2013-0074 (Silverlight)
    CVE-2014-0515 (Adobe Flash)
    CVE-2014-0569 (Adobe Flash)
    CVE-2014-2551 (Internet Explorer)
The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits. The tables below shows which exploits are in use by exploit kits:
> http://blog.trendmic...t-kit-usage.png
Plugin Detection: Almost all exploit kits run some sort of software that detect the browser platform a would-be victim is running in order to determine which exploit to send to the user.
The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.
Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits. By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – too. The following table summarizes which libraries are used.
> http://blog.trendmic...it-detect-b.png
Antivirus Detection: A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner. This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052. The following table summarizes the products that each exploit kit detects:
> http://blog.trendmic...it-software.png
Obfuscation Techniques: Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files. The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compactive archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file)...
Summary: Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools. The defenses against these tools on the part of users remains the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors."


Edited by AplusWebMaster, Yesterday, 03:08 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

#1352 AplusWebMaster

Posted Today, 08:00 AM



More than 100,000 'WordPress sites infected with Malware'
- https://www.sans.org...ites/xvi/99#301
Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
> http://arstechnica.c...erious-malware/
Dec 15, 2014
(More links at the sans URL above.)

* http://blog.sucuri.n...s-websites.html
Dec 14, 2014



Fake 'AquAid Card' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
    Please find attached receipt of payment made to us today
    Tracey Smith| Branch Administrator
    AquAid | Birmingham & Midlands Central
    Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...

Screenshot: http://myonlinesecur...cious-email.jpg

The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
* https://www.virustot...sis/1418893740/

** https://www.virustot...sis/1418891360/

*** https://www.virustot...sis/1418891888/

> http://blog.dynamoo....rd-receipt.html
18 Dec 2014
- https://www.virustot...sis/1418893415/
... Recommended blocklist:

Fake 'JPMorgan Chase' SPAM - fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This is a secure, encrypted message.
    Desktop Users:
    Open the attachment (message_zdm.html) and follow the instructions.
    Mobile Users:
    Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
    Need Help?
    Your personalized image for: <redacted>
This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved

Screenshot: http://myonlinesecur...ure-message.jpg

17 December 2014: message_zdm.zip: Extracts to: message_zdm.exe
Current Virus total detections: 11/54*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1418844158/
... Behavioural information
TCP connections https://www.virustot...33/information/ https://www.virustot...66/information/
UDP communications https://www.virustot...52/information/ https://www.virustot...78/information/

ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
- http://arstechnica.c...hishing-attack/
Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
* https://www.icann.or...2-2014-12-16-en

** https://czds.icann.org/en

Worm exploits nasty Shellshock bug to commandeer network storage systems
- http://arstechnica.c...torage-systems/
Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
* http://arstechnica.c...with-nix-in-it/

** https://isc.sans.edu...e Devices/19061


Edited by AplusWebMaster, Today, 03:59 PM.
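The three lures in these two posts share a pattern a mail gateway can check without executing anything: a ".doc" that is really an OOXML ZIP carrying a VBA project (the 'Blocked ACH Transfer' run), and an .exe shipped inside a ZIP with a PDF-style icon (the 'JPMorgan Chase' run). The Python below is an added example, not code from the quoted blogs; the sample attachments are constructed in memory and the finding strings and helper names are my own.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # genuine Word/Excel 97-2003 container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx) is really a ZIP
PE_MAGIC = b"MZ"                                   # Windows executable header
LEGACY_OFFICE = {".doc", ".xls"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing was flagged."""
    findings: list[str] = []
    ext = _ext(name)
    if data.startswith(PE_MAGIC):
        findings.append("PE executable")
        if ext not in EXEC_EXTS:  # an executable renamed to look like a document
            findings.append(f"executable disguised with extension '{ext}'")
    if ext in LEGACY_OFFICE and data.startswith(ZIP_MAGIC):
        findings.append("legacy .doc/.xls name but OOXML (ZIP) content")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return findings + ["ZIP signature but archive is unreadable"]
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            findings.append("contains VBA macro project (vbaProject.bin)")
        execs = [m for m in members if _ext(m) in EXEC_EXTS]
        if execs:
            findings.append("archive carries executable: " + ", ".join(execs))
    return findings

def _build_zip(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in files.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed stand-ins for the lures in this thread (no real malware embedded).
SAMPLES = {
    "ACH transaction 3360.doc": _build_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\x00"}),
    "message_zdm.zip": _build_zip({"message_zdm.exe": b"MZ" + b"\x00" * 64}),
    "genuine.doc": OLE_MAGIC + b"\x00" * 512,
}
```

A genuine Word 97-2003 file starts with the OLE signature and produces no findings, so the checks separate the renamed-DOCX trick from ordinary legacy documents.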
