SPAM frauds, fakes, and other MALWARE deliveries...

#1351 AplusWebMaster
  • SWI Friend
  • 9,343 posts

Posted 17 December 2014 - 07:26 AM

FYI...

Fake 'PL REMITTANCE' malware SPAM
- http://blog.dynamoo....ef844127rh.html
17 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
    From:    Briana
    Date:    17 December 2014 at 08:42
    Subject:    PL REMITTANCE DETAILS ref844127RH
    The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
    This email was generated using PL Payment Remittance of Integra Finance System.
    Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.


The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros.. which then reach out to the following download locations:
http ://23.226.229.112:8080/stat/lldv.php
http ://38.96.175.139:8080/stat/lldv.php
The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55*. The ThreatTrack report shows it POSTing to the following IP:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP has been used in several recent attacks and I strongly recommend blocking it. The Malwr report also shows it dropping a malicious DLL identified as Dridex. The ThreatExpert report gives some different IPs being contacted:
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)
The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139
"
[1] https://www.virustot...sis/1418810946/

[2] https://www.virustot...sis/1418810941/

* https://www.virustot...sis/1418810686/

> http://blog.mxlab.eu...ls-in-the-wild/
Dec 17, 2014
Screenshot of the XLS: http://img.blog.mxla...mittance_01.gif
- https://www.virustot...6cae3/analysis/

> http://myonlinesecur...el-xls-malware/
17 Dec 2014
- https://www.virustot...sis/1418816542/

> https://www.virustot...sis/1418817871/
___

Fake 'Blocked ACH Transfer' SPAM - malicious DOC attachment
- http://blog.dynamoo....-malicious.html
17 DEC 2014 - "Another spam run pushing a malicious Word attachment..
    Date:    17 December 2014 at 07:27
    Subject:    Blocked ACH Transfer
    The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.
    Canceled transaction
    ACH file Case ID     623742
    Total Amount     2644.93 USD
    Sender e-mail     info@mobilegazette.com
    Reason for rejection     See attached word file
    Please see the document provided below to have more details about this issue...

Screenshot: https://2.bp.blogspo...k/s1600/ach.png

Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55*. Inside this is a malicious macro... which downloads a file from:
http ://www.lynxtech .com.hk/images/tn.exe
This has a VirusTotal detection rate of just 1/54**. The Malwr report shows it POSTING to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.
Recommended blocklist:
5.187.1.78
209.208.62.36
"
* https://www.virustot...sis/1418826644/

** https://www.virustot...sis/1418826840/
___

Exploit Kits in 2014
- http://blog.trendmic...t-kits-in-2014/
Dec 17, 2014 - "... Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:
    CVE-2013-0074 (Silverlight)
    CVE-2014-0515 (Adobe Flash)
    CVE-2014-0569 (Adobe Flash)
    CVE-2014-2551 (Internet Explorer)
The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits. The tables below show which exploits are in use by exploit kits:
> http://blog.trendmic...t-kit-usage.png
Plugin Detection: Almost all exploit kits run some sort of software that detect the browser platform a would-be victim is running in order to determine which exploit to send to the user.
The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.
Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits. By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – too. The following table summarizes which libraries are used.
> http://blog.trendmic...it-detect-b.png
Antivirus Detection: A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner. This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052. The following table summarizes the products that each exploit kit detects:
> http://blog.trendmic...it-software.png
Obfuscation Techniques: Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files. The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compact archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file)...
Summary: Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools. The defenses against these tools on the part of users remain the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors."
___

Dyre Banking Trojan - Secureworks
- http://www.securewor...banking-trojan/
Dec 17 2014


Edited by AplusWebMaster, 23 December 2014 - 01:29 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1352 AplusWebMaster

Posted 18 December 2014 - 08:00 AM

FYI...


More than 100,000 'WordPress sites infected with Malware'
- https://www.sans.org...ites/xvi/99#301
Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
> http://arstechnica.c...erious-malware/
Dec 15, 2014
(More links at the sans URL above.)

* http://blog.sucuri.n...s-websites.html
Dec 14, 2014

___


Fake 'AquAid Card' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft Office, that is Office 2010 and 2013 and Office 365, have Macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
    Hi
    Please find attached receipt of payment made to us today
    Tracey
    Tracey Smith| Branch Administrator
    AquAid | Birmingham & Midlands Central
    Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...


Screenshot: http://myonlinesecur...cious-email.jpg

The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe  ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
* https://www.virustot...sis/1418893740/

** https://www.virustot...sis/1418891360/

***  https://www.virustot...sis/1418891888/


> http://blog.dynamoo....rd-receipt.html
18 Dec 2014
- https://www.virustot...sis/1418893415/
... Recommended blocklist:
74.208.11.204
81.169.156.5
"
___

Fake 'Internet Fax' SPAM - trojan Upatre.FH
- http://blog.mxlab.eu...ojan-upatre-fh/
Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
    Fax image data
    hxxp ://bursalianneler .com/documents/fax.html


The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan will install itself by creating the service ioiju.exe and makes sure that it boots when Windows starts, modifies several Windows registries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...7f048/analysis/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
192.185.52.226: https://www.virustot...26/information/
78.46.73.197: https://www.virustot...97/information/
UDP communications
203.183.172.196: https://www.virustot...96/information/
203.183.172.212: https://www.virustot...12/information/
___

Fake 'JPMorgan Chase' SPAM - fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This is a secure, encrypted message.
    Desktop Users:
    Open the attachment (message_zdm.html) and follow the instructions.
    Mobile Users:
    Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
    Need Help?
    Your personalized image for: <redacted>
This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved


Screenshot: http://myonlinesecur...ure-message.jpg

17 December 2014: message_zdm.zip: Extracts to:  message_zdm.exe
Current Virus total detections: 11/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1418844158/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
217.199.168.166: https://www.virustot...66/information/
UDP communications
217.10.68.152: https://www.virustot...52/information/
217.10.68.178: https://www.virustot...78/information/

- http://threattrack.t...re-message-spam
Dec 18, 2014
Screenshot: https://gs1.wac.edge...JHwm1r6pupn.png
Tagged: JPMorgan, Upatre
___

ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
- http://arstechnica.c...hishing-attack/
Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
* https://www.icann.or...2-2014-12-16-en

** https://czds.icann.org/en
___

Worm exploits nasty Shellshock bug to commandeer network storage systems
- http://arstechnica.c...torage-systems/
Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
* http://arstechnica.c...with-nix-in-it/

** https://isc.sans.edu...e Devices/19061


Edited by AplusWebMaster, 19 December 2014 - 06:27 AM.



#1353 AplusWebMaster

Posted 19 December 2014 - 06:47 AM

FYI...

Fake 'BACS payment' SPAM - XLS malware
- http://myonlinesecur...el-xls-malware/
19 Dec 2014 - "'BACS payment Ref:9408YC' coming from random  email addresses with a malicious Excel XLS attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please see below our payment confirmation for funds into your account on Tuesday re invoice 9408YC
Accounts Assistant
Tel:  01874 430 632
Fax: 01874 254 622


19 December 2014: 9408YC.xls - Current Virus total detections: 0/53* 0/55** 0/53***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1418987287/

** https://www.virustot...sis/1418987903/

*** https://www.virustot...sis/1418987497/

- http://blog.dynamoo....ef901109rw.html
19 Dec 2014
> https://www.virustot...sis/1418994768/
"... UPDATE: A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal*..."
* https://www.virustot...sis/1418994768/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustot....1/information/
___

Fake ACH SPAM
- http://blog.dynamoo....ction-case.html
19 Dec 2014 - "This -fake- ACH spam leads to malware:
    Date:    19 December 2014 at 16:06
    Subject:    Blocked Transaction. Case No 970332
    The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.
    Canceled ACH transaction
    ACH file Case ID     083520
    Transaction Amount     1458.42 USD
    Sender e-mail     info@victimdomain
    Reason of Termination     See attached statement
  Please open the word file enclosed with this email to get more info about this issue.


In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal detection rate of 4/54*. Inside are a series of images detailing how to turn off macro security.. which is a very -bad- idea.
1] https://1.bp.blogspo...1600/image3.png

2] https://2.bp.blogspo...1600/image4.png

3] https://1.bp.blogspo...1600/image5.png

4] https://4.bp.blogspo...1600/image6.png

If you enable macros, then this macro... will run which will download a malicious binary from http ://nikolesy .com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51** and is identified as the Dridex banking trojan."
* https://www.virustot...sis/1419014981/

** https://www.virustot...sis/1419015141/
___

Fake 'my-fax' SPAM
- http://blog.dynamoo....ymy-faxcom.html
19 Dec 2014 - "This -fake- fax spam leads to malware:
    From:    Fax [no-replay@ my-fax .com]
    Date:    19 December 2014 at 15:37
    Subject:    Employee Documents - Internal Use
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Fax Documents
    DOCUMENT LINK: http ://crematori .org/myfax/company.html
    Documents are encrypted in transit and store in a secure repository...


... Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55*. Most automated analysis tools are inconclusive... but the VT report shows network connections to the following locations:
http ://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http ://202.153.35.133:40542/1912uk22//1/0/0/
http ://natural-anxiety-remedies .com/wp-includes/images/wlw/pack22.pne
Recommended blocklist:
202.153.35.133
natural-anxiety-remedies .com
"
* https://www.virustot...sis/1419003908/

202.153.35.133: https://www.virustot...33/information/
___

Fake 'Target Order Confirmation' - malware SPAM
- http://www.hoax-slay...n-malware.shtml
Dec 19, 2014 - "Order confirmation email purporting to be from Target claims that the company's online store has an order addressed to you... The email is -not- from Target. The link in the message opens a compromised website that contains malware. The Target version is just one in a series of similar malware messages that have falsely claimed to be from well-known stores, including Walmart, Costco and Walgreens...
> http://www.hoax-slay...n-malware-1.jpg
If you use a non-Windows operating system, you may see a message claiming that the download is not compatible with your computer. If you are using one of the targeted operating systems, the malicious file may start downloading automatically. Alternatively, a message on the website may instruct you to click a link to download the file. Typically, the download will be a .zip file that hides a .exe file inside. Opening the .exe file will install the malware. The malware payload used in these campaigns can vary. But, typically, the malware can steal personal information from your computer and relay it to online scammers. The malware in this version is designed to add your computer to the infamous Asprox Botnet... This email is just one in a continuing series of malware messages that claim to be from various high profile stores, including Costco, Walmart and Walgreens. Other versions list order or transaction details, but do not name any particular store. Again, links in the messages lead to malware websites. In some cases, the malware is contained in an attached file. If you receive one of these -bogus- emails, do -not- click any links or open any attachments..."
___

Walgreens Order Spam
- http://threattrack.t...eens-order-spam
Dec 19, 2014 - "Subjects Seen:
    Order Status
Typical e-mail details:
    E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.
    Detailed order information is provided here.
    Walgreens


Malicious URLs:
    rugby-game .com/search.php?w=ZT5EpruzameN92MeSlvI09DbnfrIhx1yqu3wrootEpM=
Malicious File Name and MD5:
    Walgreens_OrderID-543759.exe (39CEBF3F19AF4C4F17CA5D8EFB940CB6)


Screenshot: https://gs1.wac.edge...U7f51r6pupn.png

Tagged: Walgreens, Kuluoz
___

Ars was briefly hacked yesterday; here’s what we know
If you have an account on Ars Technica, please change your password today..
- http://arstechnica.c...s-what-we-know/
Dec 16 2014 - "At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core... "All the Things"... by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further. Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). Out of an excess of caution, we strongly encourage all Ars readers - especially any who have reused their Ars passwords on other, more sensitive sites - to change their passwords today. We are continuing with a full autopsy of the hack and will provide updates if anything new comes to light..."


Edited by AplusWebMaster, 19 December 2014 - 05:33 PM.

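The 'Blocked ACH Transfer' sample in post #1351 and the 'Blocked Transaction' sample above both describe a .doc attachment that is really an OOXML (ZIP) package carrying a VBA project, with single-digit VirusTotal detections. The script below is an added example, not code from dynamoo, myonlinesecurity or anyone in this thread: it compares a file's magic bytes against its extension and lists any vbaProject.bin part inside an OOXML container, which is a cheap triage check that does not depend on AV signatures. The documents it runs on are constructed in memory (a minimal ZIP with a placeholder vbaProject.bin), not real attachments. VBA source inside vbaProject.bin is MS-OVBA compressed, so this detects the presence of a macro project, not what the macro does.

```python
"""Triage a suspected maldoc: does the container match the extension,
and does an OOXML package carry a VBA project?

Added example for this thread; the sample bytes are constructed, not real malware.
"""
import io
import os
import re
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # Word/Excel 97-2003 (CFBF) header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.docm/.xlsm) is a ZIP

# Container type that each extension legitimately implies.
CONTAINER_FOR_EXT = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "ooxml", ".docm": "ooxml", ".xlsx": "ooxml", ".xlsm": "ooxml",
    ".pptx": "ooxml", ".pptm": "ooxml",
}

# Where a VBA project is stored inside an OOXML package.
VBA_PART_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)


def container_type(data: bytes) -> str:
    """Classify by magic bytes, ignoring whatever the file name claims."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "other"


def ooxml_macro_parts(data: bytes) -> list:
    """Names of VBA project parts in an OOXML ZIP (empty list if none or not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if VBA_PART_RE.match(n)]
    except zipfile.BadZipFile:
        return []


def triage(filename: str, data: bytes) -> dict:
    ext = os.path.splitext(filename)[1].lower()
    actual = container_type(data)
    expected = CONTAINER_FOR_EXT.get(ext)
    mismatch = expected is not None and expected != actual
    macro_parts = ooxml_macro_parts(data) if actual == "ooxml" else []
    return {
        "container": actual,
        "extension_mismatch": mismatch,
        "has_vba_project": bool(macro_parts),
        "macro_parts": macro_parts,
        # Suspicious when the extension lies about the container, or when a
        # macro-free extension (.docx/.xlsx/.pptx) hides a VBA project; Office
        # itself writes macro documents as .docm/.xlsm/.pptm.
        "suspicious": mismatch or (bool(macro_parts) and ext in (".docx", ".xlsx", ".pptx")),
    }


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like package for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not a real project
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("ACH transaction 3360.doc", build_sample_ooxml(True)),   # .doc that is really OOXML + VBA
        ("quarterly.docx", build_sample_ooxml(False)),            # honest macro-free package
        ("legacy.doc", OLE2_MAGIC + b"\x00" * 504),               # genuine OLE2 header
    ]
    for name, blob in samples:
        print(name, triage(name, blob))
```

Run it against a quarantined attachment with `triage(path, open(path, "rb").read())`; a `.doc` or `.xls` that comes back as `ooxml` with `has_vba_project` set is exactly the shape of the two attachments described above and is worth detonating or blocking regardless of the VirusTotal score.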


#1354 AplusWebMaster


Posted 21 December 2014 - 07:51 AM

FYI...

Targeted Destructive Malware - Alert (TA14-353A)
- https://www.us-cert....lerts/TA14-353A
Last revised: Dec 20, 2014 - "Systems Affected: Microsoft Windows
Overview: US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2*. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host...
Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the Windows 7 operating system: Windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
... *summary of the C2 IP addresses:
203.131.222.102 Thailand...
217.96.33.164 Poland...
88.53.215.64 Italy...
200.87.126.116 Bolivia...
58.185.154.99 Singapore...
212.31.102.100 Cyprus...
208.105.226.235 United States..."
(More detail at the us-cert URL above.)

203.131.222.102: https://www.virustot...02/information/
217.96.33.164: https://www.virustot...64/information/
88.53.215.64: https://www.virustot...64/information/
200.87.126.116: https://www.virustot...16/information/
58.185.154.99: https://www.virustot...99/information/
212.31.102.100: https://www.virustot...00/information/
208.105.226.235: https://www.virustot...35/information/

- http://arstechnica.c...ail-of-badness/
Dec 19 2014
> http://cdn.arstechni...p-addresses.png
___

Fake FedEx SPAM – malware
- http://myonlinesecur...ervice-malware/
20 Dec 2014 - "'Postal Notification Service' pretending to come from FedEx with  a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...ion-Service.jpg

20 December 2014 : notification.zip: Extracts to:  notification_48957348759483759834759834758934798537498.exe
Current Virus total detections: 1/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1419076775/

"Package Delivery" Themed Scam Alert
- https://www.us-cert....emed-Scam-Alert
Dec 19, 2014
> http://www.consumer....ered-your-inbox


Edited by AplusWebMaster, 23 December 2014 - 12:55 PM.

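The SMB Worm Tool in TA14-353A above spreads by guessing passwords over SMB (port 445), so on a Windows host the footprint is a burst of failed network logons from one source, followed by a success once a guess lands. The Python below is an added example, not code from US-CERT or this thread: a sliding-window count of failed logons (Event ID 4625) with LogonType 3 (network, the type SMB authentication produces) per source address, alerting when a threshold is crossed inside the window and noting whether a successful network logon (4624) from the same source follows the burst. The event records are constructed dictionaries using Security-log field names; the addresses, accounts and timestamps are made up, and the threshold and window are tuning assumptions.

```python
"""Detect SMB password-guessing bursts in Windows Security events.

Added example for this thread. Events are constructed, not real telemetry.
"""
from collections import defaultdict


def detect_smb_bruteforce(events, window_seconds=300, threshold=20):
    """Return one alert per source IP whose failed network logons (4625, LogonType 3)
    reach `threshold` within any `window_seconds` span; each alert records whether a
    successful network logon (4624) from that source occurs at or after the alert time.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("LogonType") != 3:          # only network logons: SMB, not console/RDP
            continue
        by_src[e["IpAddress"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["EventID"] == 4625]
        first_alert_ts = None
        start = 0                            # left edge of the sliding window
        for i, e in enumerate(fails):
            while fails[start]["ts"] < e["ts"] - window_seconds:
                start += 1
            if i - start + 1 >= threshold:
                first_alert_ts = e["ts"]
                break
        if first_alert_ts is None:
            continue
        users = {e["TargetUserName"] for e in fails}
        success_after = any(e["EventID"] == 4624 and e["ts"] >= first_alert_ts for e in evs)
        alerts.append({
            "source": src,
            "failures": len(fails),
            "distinct_users": len(users),    # many accounts from one host = spraying
            "first_alert_ts": first_alert_ts,
            "success_after_burst": success_after,  # a guess landed: treat as compromise
        })
    return alerts


def build_sample_events():
    """Constructed events: one guessing host, one fat-fingered user, one console failure."""
    events = []
    # 25 network-logon failures in 50 s from one host against five accounts, then a success.
    for i in range(25):
        events.append({"ts": 100 + 2 * i, "EventID": 4625, "LogonType": 3,
                       "IpAddress": "10.1.1.50", "TargetUserName": f"user{i % 5}"})
    events.append({"ts": 160, "EventID": 4624, "LogonType": 3,
                   "IpAddress": "10.1.1.50", "TargetUserName": "user3"})
    # Benign noise: three typos from a workstation, spaced 30 s apart.
    for i in range(3):
        events.append({"ts": 200 + 30 * i, "EventID": 4625, "LogonType": 3,
                       "IpAddress": "10.1.1.77", "TargetUserName": "alice"})
    # Interactive (LogonType 2) failure: not SMB, ignored by the detector.
    events.append({"ts": 300, "EventID": 4625, "LogonType": 2,
                   "IpAddress": "127.0.0.1", "TargetUserName": "bob"})
    return events


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(build_sample_events()):
        print(alert)
```

In practice the source address comes from the IpAddress field of 4625/4624 on the target host (or from a SIEM that already parses it); the window and threshold need tuning against normal failed-logon volume, and an alert with `success_after_burst` set should be handled as a confirmed foothold rather than a noisy scanner, since the worm copies and runs its file as soon as a password is guessed.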


#1355 AplusWebMaster

Posted 22 December 2014 - 12:38 PM

FYI...

Angler EK on 193.109.69.59

- http://blog.dynamoo....1931096959.html
22 Dec 2014 - "193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit... infection chain... The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:
qwe.holidayspeedsix .biz
qwe.holidayspeedfive .biz
qwe.holidayspeedseven .biz
A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted* in this /23 indicates that most of them appear to be selling counterfeit goods, so -blocking- the entire /23 will probably be no great loss.
Recommended -minimum- blocklist:
193.109.69.59
holidayspeedsix .biz
holidayspeedfive .biz
holidayspeedseven .biz
"
* http://www.dynamoo.c...s/mmuskatov.csv

193.109.69.59: https://www.virustot...59/information/
___

Fake 'Tiket alert' SPAM
- http://blog.dynamoo....ket-really.html
22 Dec 2014 - "Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

    From:    FBR service [jon.wo@ fbi .com]
    Date:    22 December 2014 at 18:29
    Subject:    Tiket alert
    Look at the link file for more information.
    http <redacted>
    Assistant Vice President, FBR service
    Management Corporation


I have seen another version of this where the download location is negociomega .com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe. This has a VirusTotal detection rate of 2/54*. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:
http ://202.153.35.133 :42463/2212us12//0/51-SP3/0/
http ://202.153.35.133 :42463/2212us12//1/0/0/
http ://moorfuse .com/images/unk12.pne
202.153.35.133 is Excell Media Pvt Ltd, India.
Recommended blocklist:
202.153.35.133
moorfuse .com
mitsuba-kenya .com
negociomega .com
"
* https://www.virustot...sis/1419277515/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
188.132.231.115: https://www.virustot...15/information/
___

Fake 'Employee Documents' Fax SPAM
- http://blog.mxlab.eu...cious-zip-file/
Dec 19, 2014 - "... intercepted quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”. This email is sent from the spoofed address “Fax <no-replay@ my-fax .com>” and has the following body:
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Fax Documents
    DOCUMENT LINK: ... <redacted>
    Documents are encrypted in transit and store in a secure repository ...


The downloaded file fax8127480_924_pdf.zip contains the 26 kB large file fax8127480_924.exe. The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ... Virus Total*..."
https://www.virustot...a5dcb/analysis/
File name: fax8127480_924.exe
Detection ratio: 26/53
Analysis date: 2014-12-22
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
174.127.104.112: https://www.virustot...12/information/
83.166.234.251: https://www.virustot...51/information/
23.10.252.26: https://www.virustot...26/information/
50.7.247.42: https://www.virustot...42/information/
217.172.180.178: https://www.virustot...78/information/
UDP communications
173.194.71.127: https://www.virustot...27/information/
 



Edited by AplusWebMaster, 22 December 2014 - 05:02 PM.



#1356 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,343 posts

Posted 23 December 2014 - 08:27 AM

FYI...

Fake 'Remittance Advice' SPAM - malicious Excel attachment
- http://blog.dynamoo....comes-with.html
23 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
    From:    Whitney
    Date:    23 December 2014 at 09:12
    Subject:    Remittance Advice -DPRC93
    Confidentiality and Disclaimer:  This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
    If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
    Please contact the sender to notify them of the error...


The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, none of these are detected by anti-virus vendors [1] [2] [3]... the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself and puts it into a file %TEMP%\windows.vbs. So far I have seen three different scripts... which download a component from one of the following locations:
http ://185.48.56.133:8080/sstat/lldvs.php
http ://95.163.121.27:8080/sstat/lldvs.php
http ://92.63.88.100:8080/sstat/lldvs.php
It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe. The ThreatExpert report shows traffic to the following:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)
VirusTotal indicates a detection rate of just 3/54*, and identifies it as Dridex.
Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106

Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well. "
1] https://www.virustot...sis/1419330172/

2] https://www.virustot...sis/1419330170/

3] https://www.virustot...sis/1419330172/

* https://www.virustot...sis/1419333104/

- http://myonlinesecur...el-xls-malware/
23 Dec 2014
> 22 Dec 2014: PZDF16.xls - Current Virus total detections: 0/55*
TKBJ98.xls - Current Virus total detections: 0/55**
* https://www.virustot...sis/1419328785/

** https://www.virustot...sis/1419329398/

- http://blog.mxlab.eu...alicious-macro/
Dec 23 2014
> https://www.virustot...ee6b5/analysis/
___

Fake 'CHRISTMAS OFFERS.docx' SPAM - Word doc malware
- http://myonlinesecur...rd-doc-malware/
23 Dec 2014 - "'CHRISTMAS OFFERS.docx' pretending to come from Jayne <Jayne@ route2fitness .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email body is completely -blank-. As per usual there are at least 2 different file sizes of this malware although all are named exactly the same.

22 Dec 2014: CHRISTMAS OFFERS.doc (41 kb). Current Virus total detections: 0/55*; CHRISTMAS OFFERS.doc (44 kb). Current Virus total detections: 0/56**
Downloads dridex Trojan from microinvent .com//js/bin.exe which is moved to and run from %temp%1\V2MUY2XWYSFXQ.exe. Virus total***..."
* https://www.virustot...sis/1419327481/

** https://www.virustot...sis/1419327349/

*** https://www.virustot...sis/1419334606/

- http://blog.mxlab.eu...alicious-macro/
Dec 23, 2014
> https://www.virustot...35d9c/analysis/
___

Network Time Protocol Vulnerabilities
- https://ics-cert.us-.../ICSA-14-353-01
Dec 22, 2014 - "... vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available. Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
IMPACT: Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process..."

- https://web.nvd.nist...d=CVE-2014-9295 - 7.5 (HIGH)

- http://www.securityt....com/id/1031409

- http://www.securityt....com/id/1031410

- http://www.securityt....com/id/1031411

- http://arstechnica.c...ervers-at-risk/
Dec 19 2014
 



Edited by AplusWebMaster, 23 December 2014 - 05:22 PM.


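The Angler and Dridex write-ups in the two posts above each end in a recommended blocklist, with IPs and host names defanged ('holidayspeedsix .biz', 'http ://95.163.121.27:8080/...') and a suggestion to block a whole range (193.109.68.0/23, 92.63.88.0/24). Below is an added example, not code from Dynamoo or from this thread, that refangs such a list and runs it over Squid-style proxy log lines, matching IPs against the CIDR ranges and host names against any listed parent domain (so qwe.holidayspeedsix .biz is caught by holidayspeedsix .biz). The blocklist entries are copied from the posts; the log lines and the client addresses in them are constructed for the demo.

```python
"""Refang the defanged indicators quoted in the Dynamoo posts and match them
against proxy log lines.

Added example, not code from Dynamoo or from the forum thread.  RAW_BLOCKLIST
is copied from the posts as printed there; SAMPLE_LOG is constructed and its
client addresses are made up.
"""
import ipaddress
import re
from urllib.parse import urlsplit

RAW_BLOCKLIST = """
193.109.69.59
holidayspeedsix .biz
holidayspeedfive .biz
holidayspeedseven .biz
193.109.68.0/23
202.153.35.133
moorfuse .com
negociomega .com
194.146.136.1
185.48.56.133
http ://95.163.121.27:8080/sstat/lldvs.php
92.63.88.0/24
Lichtblick-tiere .de
sunfung .hk
"""


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the quoted posts so the value
    can be parsed: 'example .com' -> 'example.com', 'http ://' -> 'http://',
    'hxxp' -> 'http', '[.]' -> '.', 'host :port' -> 'host:port'."""
    s = ioc.strip()
    s = re.sub(r"\s*\[\.\]\s*", ".", s)
    s = re.sub(r"\s+\.", ".", s)                      # 'holidayspeedsix .biz'
    s = re.sub(r"\.\s+(?=\w)", ".", s)                # 'negociomega. com'
    s = re.sub(r"(?i)^hxxp", "http", s)
    s = re.sub(r"(?i)^(https?)\s*:\s*//", r"\1://", s)  # 'http ://host'
    s = re.sub(r"\s+:(?=\d)", ":", s)                 # '202.153.35.133 :42463'
    return s


class Blocklist:
    """IOC set with CIDR-aware IP matching and parent-domain matching."""

    def __init__(self, raw: str):
        self.networks = []
        self.domains = set()
        for line in raw.splitlines():
            entry = refang(line)
            if "://" in entry:                        # full URL: keep the host only
                entry = urlsplit(entry).hostname or ""
            if not entry:
                continue
            try:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.domains.add(entry.lower().rstrip("."))
        # most specific first, so a listed /32 wins over the /23 containing it
        self.networks.sort(key=lambda n: n.prefixlen, reverse=True)

    def match(self, host: str):
        """Return the blocklist entry covering `host` (IP or name), or None."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            labels = host.split(".")
            for i in range(len(labels) - 1):          # host, then each parent domain
                parent = ".".join(labels[i:])
                if parent in self.domains:
                    return parent
            return None
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


# Squid native access.log layout: time elapsed client code/status bytes method URL ...
SQUID_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

# Constructed sample log: download IP, Angler host under a listed parent domain,
# an IP inside 92.63.88.0/24, a CONNECT host:port, and benign traffic.
SAMPLE_LOG = """\
1419330172.001    412 10.0.0.17 TCP_MISS/200 1532 GET http://185.48.56.133:8080/sstat/lldvs.php - HIER_DIRECT/185.48.56.133 application/octet-stream
1419330172.002    120 10.0.0.17 TCP_MISS/200 98213 GET http://qwe.holidayspeedsix.biz/landing/ - HIER_DIRECT/193.109.69.59 text/html
1419330172.003     88 10.0.0.23 TCP_MISS/200 512 GET http://92.63.88.106:8080/sstat/lldvs.php - HIER_DIRECT/92.63.88.106 application/octet-stream
1419330172.004     30 10.0.0.23 TCP_TUNNEL/200 4096 CONNECT sunfung.hk:443 - HIER_DIRECT/59.148.196.153 -
1419330172.005     25 10.0.0.42 TCP_MISS/200 1200 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""


def scan_proxy_log(lines, blocklist):
    """Return (client, url, matched_entry) for each request to a blocked host."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        # CONNECT requests carry 'host:port' with no scheme; give urlsplit one
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if not host:
            continue
        entry = blocklist.match(host)
        if entry:
            hits.append((m.group("client"), url, entry))
    return hits


if __name__ == "__main__":
    bl = Blocklist(RAW_BLOCKLIST)
    for client, url, entry in scan_proxy_log(SAMPLE_LOG.splitlines(), bl):
        print(f"{client} -> {url}  [blocked by {entry}]")
```

Feeding a real access.log through scan_proxy_log() gives the infected clients directly; the sort in Blocklist matters when a post lists both a host and the range around it, since the more specific entry is the one you want in the report.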

#1357 AplusWebMaster


Posted 24 December 2014 - 03:45 AM

FYI...

MBR Wiper attacks strike Korean Power Plant
- http://blog.trendmic...an-power-plant/
Dec 23, 2014 - "In recent weeks, a major Korean electric utility has been affected by destructive malware, which was designed to wipe the master boot records (MBRs) of affected systems. It is believed that this MBR wiper arrived at the target systems in part via a vulnerability in the Hangul Word Processor (HWP), a commonly used application in South Korea. A variety of social engineering lures were used to get would-be victims to open these files. Below is a quick overview of the attack with the infection chain starting from a spearphishing email sent to the employees’ inboxes:
> http://blog.trendmic..._MBR-wiper3.png
We detect the malware as TROJ_WHAIM.A*, which is a fairly straightforward MBR wiper. In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted... it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat -evade- detection... This particular MBR-wiping behavior, while uncommon, has been seen before. We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability. There are also similarities to the previous MBR wiper attacks as well. All three attacks mentioned earlier overwrite the MBR with certain repeated strings... These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors. This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.
Update as of 11:29 P.M. PST, December 23, 2014
Upon further analysis, we confirmed that TROJ_WHAIM.A checks if the current date and time is Dec 10, 2014 11:00 AM or later. If it meets this condition, it sets the registry, HKEY_LOCAL_MACHINE\SOFTWARE\PcaSvcc\finish to 1, thus triggering the MBR infection. Otherwise, it sleeps for a minute and checks the system time again. Aside from the MBR infection capabilities and overwriting certain strings, another similarity of this attack to the March 2013 incident is its ‘time bomb’ routine. A certain action is set in motion once the indicated date/time by the attackers is reached by the infected system."
* http://www.trendmicr...re/troj_whaim.a
"To restore your system's Master Boot Record (MBR)..."

South Korea seeks China's cooperation in probe into cyberattack on nuclear operator
- http://www.reuters.c...N0K20DT20141224
Dec 24, 2014 - "... Connections to South Korean virtual private networks (VPNs) used in the cyberattacks were traced to multiple IP addresses in China's Shenyang city, located in a province which borders North Korea..."

Japan, wary of North Korea, works to secure infrastructure after Sony attack
- http://www.reuters.c...N0K20IX20141224
Dec 24, 2014 - "Japan, fearing it could be a soft target for possible North Korean cyberattacks in the escalating row over the Sony Pictures hack, has begun working to ensure basic infrastructure is safe and to formulate its diplomatic response, officials said... The government's National Information Security Center, working through various ministries, is pressing companies to improve their security from cyberattacks..."

Attack maps: http://map.ipviking.com/
___

Fake 'Signature Invoice' SPAM - malicious attachment
- http://blog.dynamoo....a-wellings.html
24 Dec 2014 - "Teckentrup Depot UK is a legitimate UK company, but these emails are -not- from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are -not- responsible for this in any way.
    From:    Rhianna Wellings [Rhianna@ teckentrupdepot .co.uk]
    Date:    24 December 2014 at 07:54
    Subject:    Signature Invoice 44281
    Your report is attached in DOC format.
    To load the report, you will need the Microsoft® Word® reader...


Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro... which then downloads an additional component from one of these two locations:
http ://Lichtblick-tiere .de/js/bin.exe
http ://sunfung .hk/js/bin.exe
The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56*. The ThreatExpert report shows traffic to the following IPs:
74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)
According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56**, detected as the Dridex banking trojan.
Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere .de
sunfung .hk
"
1] https://www.virustot...sis/1419412603/

2] https://www.virustot...sis/1419412612/

* https://www.virustot...sis/1419413157/

** https://www.virustot...sis/1419417434/

- http://myonlinesecur...rd-doc-malware/
24 Dec 2014: Signature Invoice.doc. Current Virus total detections: 0/56*, 0/56**
* https://www.virustot...sis/1419409093/

** https://www.virustot...sis/1419409548/
___

Fake Christmas offers infect PCs with banking Trojan
- https://blog.malware...banking-trojan/
Dec 24, 2014 - "... The email is accompanied by a Word document with a catchy name: CHRISTMAS OFFERS.docx:
> https://blog.malware...mas_message.png
... the document is blank and requires the user to enable macros in order to view it. By default Microsoft Office disables macros, a handy automation feature but also a huge security risk. This is where the social engineering lies and the crooks are counting on people so eager to see the promised content that they will push the button and get infected. Macros enable you to create scripts that automate repetitive tasks within a document, for example copying content from one page and pasting it with a different font and color on another. At the same time, a macro can be used to perform a malicious action, which happens to be the case here.
> https://blog.malware...12/word_doc.png
... What happens if you were to trust the document? A remote file is downloaded from
hxxp ://jasoncurtis .co.uk/js/bin.exe and run from the temp folder... It is known as Dridex, a banking Trojan... Macro malware often relies on social engineering to convince the mark to open a file and disable the default protection. It is not terribly sophisticated, but it has seen a bit of a revival in recent months, with -spam- being the preferred delivery method. The best protection against these types of threats is to be particularly cautious before opening attachments, even if they are ‘classic’ Microsoft Office documents... This holiday season, whether you believe in Santa or not, please be extra cautious with offers that sound too good to be true. The bad guys like to make believe, but we’d rather leave them empty handed or send them off with a lump of coal."
___

Fake 'Postal Notification' SPAM - malicious notification.exe
- http://blog.mxlab.eu...tification-exe/
Dec 24, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Postal Notification Service”. This email is sent from the spoofed address “Fedex >” <voyeuristicxd@ jackpowerspiritbind .us> and has the following body:

Screenshot: http://img.blog.mxla...41224_fedex.gif

The embedded URL, in our sample hxxp ://appimmobilier .com/notification.exe, will download the 58 kB large file notification.exe. The trojan is known as Win32/TrojanDownloader.Wauchos.AF, UDS:DangerousObject.Multi.Generic or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 56 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...20be8/analysis/
 



Edited by AplusWebMaster, 25 December 2014 - 08:48 AM.


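The Trend Micro write-up in the post above describes the wiper overwriting the MBR with one string repeated over and over (PRINCPES, HASTATI, PR!NCPES) and links to instructions for restoring the record. The following is an added example, not Trend Micro's or the poster's code, that triages a 512-byte sector: it checks the 0x55AA boot signature, decodes the partition table, detects a sector made of one short byte string repeated end to end, and hashes the sector so it can be compared with a baseline taken while the machine was known good. The "healthy" sector is constructed for the demo; read_first_sector() shows where a real one comes from and needs raw disk access.

```python
"""Triage a master boot record for the wiper behaviour described above:
boot signature gone and the sector overwritten with one short string
repeated end to end.

Added example, not code from Trend Micro or the forum thread.  The healthy
sector is constructed (placeholder boot code plus one NTFS partition
entry); read_first_sector() is not exercised here.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 446            # offset of the four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"      # last two bytes of a valid MBR


def read_first_sector(device_path: str) -> bytes:
    r"""Read sector 0 from a raw device, e.g. '\\.\PhysicalDrive0' on Windows
    or '/dev/sda' on Linux (both need administrator/root rights)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR)


def parse_partitions(mbr: bytes):
    """Decode the non-empty entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE + i * 16)
        if ptype == 0 and lba == 0 and count == 0:
            continue
        parts.append({"slot": i, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def repeated_unit(data: bytes, max_len: int = 32):
    """Return the shortest unit (<= max_len bytes) whose repetition exactly
    reproduces `data`, allowing a truncated final copy; else None.  A
    zero-filled sector comes back as b'\\x00'."""
    n = len(data)
    for k in range(1, max_len + 1):
        unit = data[:k]
        if (unit * (n // k + 1))[:n] == data:
            return unit
    return None


def analyze_mbr(mbr: bytes) -> dict:
    """Classify one sector as ok / empty_table / bad_signature / wiped and
    return the evidence alongside a SHA-256 for baseline comparison."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    sig_ok = mbr[-2:] == BOOT_SIG
    unit = repeated_unit(mbr)
    parts = parse_partitions(mbr) if sig_ok else []
    if unit is not None:
        verdict = "wiped"
    elif not sig_ok:
        verdict = "bad_signature"
    elif not parts:
        verdict = "empty_table"
    else:
        verdict = "ok"
    return {"verdict": verdict, "boot_signature": sig_ok,
            "repeated_unit": unit, "partitions": parts,
            "sha256": hashlib.sha256(mbr).hexdigest()}


def build_sample_mbr() -> bytes:
    """Constructed healthy sector: 446 bytes of placeholder code, one
    bootable NTFS (0x07) partition starting at LBA 2048, three empty slots."""
    code = b"\xfa\x33\xc0" + b"\x90" * 443          # cli; xor ax,ax; nop...
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIG


if __name__ == "__main__":
    baseline = analyze_mbr(build_sample_mbr())
    wiped = analyze_mbr(b"PRINCPES" * 64)
    print(baseline["verdict"], baseline["partitions"])
    print(wiped["verdict"], wiped["repeated_unit"])
    print("changed" if baseline["sha256"] != wiped["sha256"] else "unchanged")
```

Store the sha256 from a known-good run and re-check it on a schedule: an MBR hash that changes outside a planned bootloader update is worth an alert on its own, whichever string the wiper of the day happens to use.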

#1358 AplusWebMaster


Posted 29 December 2014 - 09:00 AM

FYI...

Phish - "Your Netflix Account Has Been Suspeded"
- http://blog.mxlab.eu...-been-suspeded/
Dec 29, 2014 - "... intercepted a phishing campaign by email with the subject “Your Netflix Account Has Been Suspeded [#654789]”. This email is sent from the spoofed address “secure@ netflix .ssl .co.uk” <secure@ netflix .ssl .co.uk> and has the following body:

Screenshot: http://img.blog.mxla...9_netflix_1.gif

In our sample, the URL takes us to the phishing site located at hxxp ://netflix-validation-uk .co .uk/~netflix/authcode.22e2839f6ea44972845f1e0b02f397ba/email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c/d0446fac4ba6feceb507af17e1b0bca8/Login.php
This shows us an identical copy of the official Netflix login page. Screenshot of the member login form on the phishing web site:
> http://img.blog.mxla...9_netflix_2.gif
After submitting the login and password, the phishing process begins by asking to fill in our billing information.
> http://img.blog.mxla...9_netflix_3.gif
Followed by filling in our credit card details:
> http://img.blog.mxla...9_netflix_4.gif
Our account seems to be updated and we can continue:
> http://img.blog.mxla...9_netflix_5.gif
…. straight to the official Netflix login site:
> http://img.blog.mxla...9_netflix_6.gif "
___

64-bit Version of HAVEX seen - ICS
- http://blog.trendmic...-havex-spotted/
Dec 29, 2014 - "The remote access tool (RAT) HAVEX* became the focus of the security industry after it was discovered to have played a major role in a campaign targeting industrial control systems (ICS). While observing HAVEX detections (known by different vendors as Dragonfly, Energetic Bear, and Crouching Yeti), we noticed something interesting. The Dragonfly campaign was previously believed to be compatible only with 32-bit versions, as most mission-critical systems would most likely run Windows XP, which has since been listed as end of support. In contrast, we came across two interesting infections running on Windows 7 systems. First 64-bit HAVEX Sighting: Based on our analysis (seen in the chain below), a file called TMPprovider023.dll, detected as BKDR64_HAVEX.A, was found, which creates several files in the file system. It should be noted that TMPprovider0<2-digit version number>.dll is a known indicator of HAVEX and is the component of this threat that interacts with the command-and-control (C&C) servers to perform downloads or receive execution commands associated with it.
> File installation chain: http://blog.trendmic...12/64havex1.jpg
... we’re seeing three indicators of BKDR_HAVEX:
- The file TMPProvider023.dll, as indicated above, with the number indicating the version of this HAVEX RAT (v023)
- A dropped file named 34CD.tmp.dll, detected as BKDR_HAVEX.SM. At this point, the file is being repeatedly detected and quarantined by the installed Trend Micro product. This was later found out to be version 29 or v029 of HAVEX.
- C&C communication from the host and back
...  a 64-bit file, was upgraded to a 32-bit v029 HAVEX RAT. This now brings us to four files that seem to be interrelated in one single infection, as seen below:
File name                  SHA1                                      Compile Date  Architecture
%TEMP%\TMPprovider023.dll  997C0EDC9E8E67FA0C0BC88D6FDEA512DD8F7277  2012-10-03    AMD64
%TEMP%\34CD.tmp.dll        CF5755D167077C1F8DEEDDEAFEBEA0982BEED718  2013-04-30    I386
%TEMP%\734.tmp.dll         BFDDB455643675B1943D4E33805D6FD6884D592F  2013-08-16    I386
%TEMP%\4F2.tmp.dll         8B634C47087CF3F268AB7EBFB6F7FBCFE77D1007  2013-06-27    I386
... In this particular infection, the v023 HAVEX file was using the same command-and-control server as that of the v029 HAVEX file... Currently, we have seen at least four IP addresses communicating to the command-and-control server, two of which have exhibited the behavior of upgrading the version of the C&C module of the HAVEX RAT... the HAVEX RAT has gone through several iterations—used in campaigns with ICS/SCADA and even pharmaceutical targets, nothing prevents it from being used again and again. ICS operators have to take note that the structure of the HAVEX binaries resemble much of what we see in common Windows malware – more so now that we’ve seen Windows 7 64-bit infections. It is thereby important to validate software being installed on endpoints within the environment, and to frequently monitor HTTP traffic..."
(More detail at the trendmicro URL at the top of this post.)
* Havex infection (ICS)/SCADA systems chain:
> http://about-threats...ges/HAVEX_2.jpg
 



Edited by AplusWebMaster, 29 December 2014 - 04:41 PM.


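The Netflix phish in the post above puts the brand name where a hurried reader looks for it: in the landing host netflix-validation-uk .co .uk (the registrable domain itself) and in the sender netflix .ssl .co.uk (a subdomain of ssl .co.uk). Below is an added example, not MXLab's or the poster's code, of the simple check a mail or proxy filter can run: find the registrable domain of a URL, host name or sender address, and flag it when a known brand token appears in the host but the registrable domain is not one the brand owns. The two-label suffix table is a tiny stand-in for the Public Suffix List and the brand allowlist is constructed; both are assumptions for the demo.

```python
"""Flag host names that mention a brand without belonging to it, the pattern
in the Netflix phish quoted above.

Added example, not code from MXLab or the forum thread.  MULTI_LABEL_SUFFIXES
stands in for the Public Suffix List and BRAND_DOMAINS is a constructed
allowlist; both are assumptions for this demo.
"""
from urllib.parse import urlsplit

# Assumption: a few two-label public suffixes.  Production code should load
# the full Public Suffix List instead of this table.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}

# Constructed allowlist: brand token -> registrable domains the brand owns.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "apple": {"apple.com"},
}


def hostname_of(value: str) -> str:
    """Accept a URL, a bare host name or an e-mail address and return the
    lower-cased host name part ('' if none)."""
    if "@" in value and "://" not in value:
        value = value.rsplit("@", 1)[1]          # sender address -> its domain
    if "://" not in value:
        value = "//" + value                      # let urlsplit see a netloc
    return (urlsplit(value).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels, or last three when the last two form a public suffix
    such as co.uk (so ssl.co.uk, not co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lookalike(value: str):
    """Return (brand, registrable_domain, where) when the host contains a
    known brand token but its registrable domain is not owned by that brand.
    `where` is 'registrable_domain' when the token is in the registrable
    domain itself (netflix-validation-uk.co.uk) and 'subdomain' when it is
    only in a lower label (netflix.ssl.co.uk).  None for clean hosts."""
    host = hostname_of(value)
    if not host:
        return None
    reg = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host and reg not in owned:
            where = "registrable_domain" if brand in reg else "subdomain"
            return (brand, reg, where)
    return None


if __name__ == "__main__":
    for sample in ("http://netflix-validation-uk.co.uk/~netflix/Login.php",
                   "secure@netflix.ssl.co.uk",
                   "https://www.netflix.com/login"):
        print(sample, "->", brand_lookalike(sample))
```

A match is a reason to hold or tag the message, not proof of phishing on its own; the allowlist and suffix table are where this check lives or dies, so keep both current.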

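The HAVEX table in the post above lists, for each file found in %TEMP%, its SHA1, compile date and architecture, and names TMPprovider0NN.dll as the indicator to look for. The following is an added example, not Trend Micro's or the poster's code, that rebuilds those columns from a folder listing: it picks out file names matching the indicator patterns and reads architecture, compile timestamp and the DLL flag straight from the PE header. The two sample files are constructed header-only stubs carrying the names, architectures and dates from the table; their bytes, and therefore their hashes, are not the real samples. The case-insensitive match on the C&C module name is an assumption, since the post spells it with varying capitalisation.

```python
"""Reproduce the HAVEX indicator table (file name, SHA1, compile date,
architecture) from a folder listing by reading the PE headers.

Added example, not code from Trend Micro or the forum thread.  SAMPLE_TEMP is
constructed: header-only stubs with the names, architectures and compile
dates listed in the post, not the real binaries.  triage_directory() walks a
real folder and is not run here.
"""
import calendar
import hashlib
import os
import re
import struct
from datetime import datetime, timezone

MACHINE = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}

# File-name indicators from the post: the C&C module TMPprovider0NN.dll and
# the short hex-named .tmp.dll drops (34CD.tmp.dll, 734.tmp.dll, 4F2.tmp.dll).
INDICATORS = [
    ("havex_c2_module", re.compile(r"^TMPprovider0\d{2}\.dll$", re.IGNORECASE)),
    ("havex_tmp_dll", re.compile(r"^[0-9A-F]{3,4}\.tmp\.dll$", re.IGNORECASE)),
]


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS header pointer and the COFF file header of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "sections": nsections,
        "compile_date": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d"),
        "is_dll": bool(chars & 0x2000),              # IMAGE_FILE_DLL
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


def classify_name(name: str):
    """Indicator label for a file name, or None when it matches nothing."""
    for label, pattern in INDICATORS:
        if pattern.match(name):
            return label
    return None


def triage_files(files):
    """files: iterable of (name, bytes).  One finding per indicator-named
    file; content that is not a PE is reported with an 'error' key."""
    findings = []
    for name, data in files:
        label = classify_name(name)
        if label is None:
            continue
        finding = {"name": name, "indicator": label}
        try:
            finding.update(inspect_pe(data))
        except ValueError as exc:
            finding["error"] = str(exc)
        findings.append(finding)
    return findings


def triage_directory(path):
    """Run triage_files() over a real folder, e.g. os.environ['TEMP']."""
    def reader():
        for entry in os.scandir(path):
            if entry.is_file():
                with open(entry.path, "rb") as fh:
                    yield entry.name, fh.read()
    return triage_files(reader())


def build_stub_pe(machine: int, ymd) -> bytes:
    """Constructed header-only PE: 64-byte DOS header pointing at a PE
    signature plus a COFF header with the given machine and timestamp.
    Not a loadable image."""
    stamp = calendar.timegm(tuple(ymd) + (0, 0, 0))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", machine, 3, stamp, 0, 0, 0, 0x2002)  # EXECUTABLE_IMAGE | DLL
    return bytes(dos) + b"PE\0\0" + coff


# Constructed %TEMP% listing: names, architectures and dates from the post.
SAMPLE_TEMP = [
    ("TMPprovider023.dll", build_stub_pe(0x8664, (2012, 10, 3))),
    ("34CD.tmp.dll", build_stub_pe(0x014C, (2013, 4, 30))),
    ("734.tmp.dll", build_stub_pe(0x014C, (2013, 8, 16))),
    ("notes.txt", b"not a binary"),
    ("4F2.tmp.dll", b"MZ garbage without a PE header"),
]

if __name__ == "__main__":
    for finding in triage_files(SAMPLE_TEMP):
        print(finding)
```

On a real host the SHA1 column is what you compare with the table in the post; the compile date and architecture are the quick sanity check when a name matches but the hash does not, which is exactly the v023 to v029 upgrade the post describes.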
#1359 AplusWebMaster


Posted 30 December 2014 - 03:33 PM

FYI...

'Worm' removed at hacked South Korea nuclear operator
- http://www.reuters.c...N0K80J620141230
Dec 30, 2014 - "South Korean authorities have found evidence that a low-risk computer "worm" had been removed from devices connected to some nuclear plant control systems, but no harmful virus was found in reactor controls threatened by a hacker. Korea Hydro & Nuclear Power Co Ltd said it would beef up cyber security by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters. The nuclear operator, part of state-run utility Korea Electric Power Corp, said earlier this month that non-critical data had been stolen from its systems, while a hacker threatened in Twitter messages to close three reactors. The control systems of the two complexes housing those reactors had not been exposed to any malignant virus, Seoul's energy ministry and nuclear watchdog said in a joint statement on Tuesday, adding the systems were -inaccessible- from external networks. The nuclear plant operator said on Tuesday it was increasing the number of staff devoted to cyber security from 53 to around 70, and would set up a committee of internal and external experts to oversee security..."
___

Target hacks hit OneStopParking .com
- http://krebsonsecuri...topparking-com/
Dec 30, 2014 - "Parking services have taken a beating this year at the hands of hackers bent on stealing credit and debit card data. This week’s victim — onestopparking .com — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot. Late last week, the cybercrime shop best known for being the first to sell cards stolen in the Target and Home Depot breach moved a new batch of cards taken from an unknown online merchant. Several banks contacted by KrebsOnSecurity acquired cards from this batch, and determined that all had one thing in common: They’d all been used at onestopparking .com, a Florence, Ky. based company that provides low-cost parking services at airport hotels and seaports throughout the United States. Contacted about the suspicious activity that banks have traced back to onestopparking .com, Amer Ghanem, the site’s manager, said the company began receiving complaints from customers about a week before Christmas...
Cards from the “Solidus” base at Rescator map back to One Stop Parking
> http://krebsonsecuri...dus-600x291.png
This was the second time in as many weeks that this cybercrime shop –Rescator[dot]cm — has put up for sale a batch of credit cards stolen from an online parking service: On Dec. 16, this KrebsOnSecurity reported that the same shop was selling cards stolen from Park-n-Fly, a competing airport parking reservation service. Sometime over the past few days, Park-n-Fly announced it was suspending its online service... a security update posted on the company’s site*. Park ‘N Fly noted that it is still taking reservations over the phone... Last month, SP Plus — a Chicago-based parking facility provider — said** payment systems at 17 parking garages in Chicago, Philadelphia and Seattle were -hacked- to capture credit card data after thieves installed malware to access credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime -store- called Goodshop. In Missouri, the St. Louis Parking Company recently disclosed*** that it learned of a breach involving card data -stolen- from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014."
* http://www.pnf.com/security-update/

** http://www.qconline....feecb95eb1.html

*** http://stlouisparkin.../press-release/
___

Instagram Profile Deletion Hoax
- https://blog.malware...-deletion-hoax/
Dec 30, 2014 - "... accounts on Instagram claiming a mass purge is coming on January 1, 2015 unless your account is “verified”, with the aid of a so-called Verification Arrow. Profiles such as the one below (with 110k followers at time of writing) are receiving a fair amount of traction with between 5,000-8,000 likes per image (I got 6 for a picture of a cat once), stating:

If your account doesn't have a picture of an arrow next to it then it's in the process of being deleted. To get your arrow, please follow the instructions below
1) Follow @verifyingarrows
2) Repost our photo
3) Tag @verifyingarrows
4) Hashtag #verifyingarrows

Screenshot: https://blog.malware...instaarrow2.jpg
Here’s a similar profile – now deleted – which managed to grab 245k followers before being banned itself:
> https://blog.malware...instaarrow1.jpg
The “arrow” in question appears to be nothing more than a drop down box on profiles which suggests accounts similar to the one you’re looking at. It has -nothing- to do with profile verification or dodging deletion waves. Regardless, panicked Instagram users appear to be jumping on the ban(d)wagon and doing what they can to fend off a profile extinction event that is never going to arrive. In terms of what the ultimate end game is with all of this, it’s a case of wait and see for the time being. This is either just a -hoax- for the sake of it, or maybe the accounts asking people to bolster their visibility on Instagram will suddenly start selling something come the New Year. Whatever they’re up to, you can safely -ignore- these profiles and carry on taking selfies and pictures of sandwiches, with or without a filter."
___

Apple Store 'Transaction Cancellation Form' Phish...
- http://www.hoax-slay...hing-scam.shtml
Dec 30, 2014 - "According to this email, which purports to be from Apple, you have purchased a TomTom from the Apple Store (GPS car navigation system). The email explains that, if you did not authorise the TomTom purchase, you should click-a-link-to-access an Apple Store Transaction Cancellation Form. Supposedly, by filling in the form, the purchase will be cancelled and you will receive a full refund. However, the email is -NOT- from Apple and the claim that you have bought a Tom Tom is just a ruse designed to trick you into clicking the 'cancel' link.
Clicking the link takes you to a website that hosts a -fake- Apple Store 'Cancellation' form. The -fake- form asks you to provide name and contact details as well as your credit card and banking information.
Clicking the 'Cancel Transaction' button will send all of your information to criminals who can then use it to commit financial -fraud- and identity theft.

The scammers bank on the fact that at least a few recipients of the email will be -panicked- into clicking the link and supplying their information in the mistaken belief that someone has made fraudulent purchases in their name."
> http://www.hoax-slay...hing-scam-1.jpg
 



Edited by AplusWebMaster, 30 December 2014 - 04:28 PM.



#1360 AplusWebMaster


Posted 31 December 2014 - 02:52 PM

FYI...

'NetGuard Toolbar' SPAM
- http://blog.dynamoo....mpcom-spam.html
31 Dec 2014 - "Sometimes a spam comes through and it isn't immediately obvious what they are trying to do:
    From:    Brad Lorien [bclorien@ ngcmp .com]
    Date:    31 December 2014 at 01:12
    Subject:    Real estate (12/30/2014)
    Our company reaches an online community of almost 41 million people,
    who are mostly US and Canadian based. We have the ability to present
    our nearly 41 million strong network with a best, first choice when
    they are looking online for what your company does.
    We are seeking a preferred choice to send our people who are looking
    for real estate in Abilene and surrounding markets.
    I’m in the office weekdays from 9:00 AM to 5:00 PM Pacific time.
    Best regards,
    Brad Lorien
    Network Specialist, SPS EServices
    Phone: (877) 489.2929, ext. 64


There is no link or attachment in the email. So presumably the spammer is soliciting replies to the email address bclorien@ ngcmp .com which is a valid address. The domain ngcmp.com uses a mail server mail.ngcmp .com to receive email messages, hosted on 38.71.66.127 (PSInet / Virtual Empire, US)... the spam was sent via a relay at 38.71.66.126 which is one IP different from the server handling incoming mail, which pretty much firmly identifies that whoever controls the ngcmp .com domain is actually sending the spam. The mail headers also identify the originating IP as well as the relay, which is a Verizon Wireless customer at 75.215.49.211, possibly someone sending spam using throwaway cell phones to avoid being traced. An examination of those two PSInet addresses shows the following domains are associated with them:
ncmp .co
ngmp .co
ngcmp .com
ng-portal .com
ngcmp .net
ng-central .net
luxebagscloset .com
reviewwordofmouth .com
All of these domains have -anonymous- WHOIS details, but you can see that there is a common pattern here. I don't recommend that you visit spam sites... I did in this case to see what it was about:
> https://2.bp.blogspo...00/netguard.png
This is basically -adware- . Going back to the original spam message, these "41 million people" are presumably suckers who have downloaded this crap, and NG Systems are busy spamming out to find more low-life advertisers to fill up their network... Predictably, there seems to be -no- such corporation as "NG Systems", but if you download the Toolbar it turns out it is digitally -signed- by a company called "IP Marketing Concepts, Inc." ... The executable itself is tagged by only one AV engine* as malicious, but VirusTotal does note that it looks like a PUA. Malwr notes** that individual components appear to be Russian in origin. So all in all, this spam is being sent out by a company that goes a very, very long way to disguise its origins..."
* https://www.virustot...sis/1420024818/

** https://malwr.com/an...zRjNTUyNjhmNjM/
___

PUP borrows tricks from malware authors
- https://blog.malware...alware-authors/
Dec 31, 2014 - "... These days it is getting harder and harder to download a program from its official source, in its original format, without additional pieces of software bundled to it:
> https://blog.malware...ack-965x395.png
Companies specializing in so-called ‘download assistants’ or ‘download managers’ claim that they:
    Provide a value added service to users by suggesting additional programs tailored to the users’ needs.
    Offer a way for software manufacturers to monetize their free applications.

Let’s have a look for ourselves by checking an installer for the Adobe Flash Player. The details are as follows:
Name: adobe_flash_setup.exe
Size: 809.0 KB
MD5: d549def7dd9006954839a187304e3835
imphash: 884310b1928934402ea6fec1dbd3cf5e

Out of the box: The first thing we noticed was that the program behaves differently whether it is launched on a real physical machine or a Virtual Machine:
> https://blog.malware...ma-1024x782.png
In a VM such as VirtualBox, the installer skips all the bundled offers and goes straight for the Flash Player... There might be a few reasons for this:
    To avoid unnecessary impressions and installs on ‘fake’ systems that would skew metrics.
    To appear as a ‘clean’ installer when installed on automated sandboxes or by hand from security researchers.

Anti-VM behavior does not necessarily mean that the application is malicious, but it -is- something that many malware authors use... The certificate details show that said company is located in Tel Aviv, Israel and a VirusTotal scan* hints at a connection with InstallCore, a “digital content delivery platform”... There are also various other offers bundled in this installer, courtesy of a “distributor” called Entarion Ltd., with an “address” conveniently located in Cyprus, well-known as a safe haven for offshore companies... Malwarebytes’ criteria for listing a program as a PUP can be viewed here**. The list is pretty thorough and will most likely continue to evolve as PUP makers diversify their operations. Consumers should be able to make educated choices rather than being misled down a path that they didn’t intend to take..."
* https://www.virustot...76d0b/analysis/

** https://www.malwarebytes.org/pup/
 



Edited by AplusWebMaster, 31 December 2014 - 03:23 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1361 AplusWebMaster

Posted 01 January 2015 - 07:30 PM

FYI...

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@ inet .ba
- http://blog.dynamoo....takabel-as.html
31 Dec 2014 - "This post by Brian Krebs* drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics**..
** http://www.google.co...?site=AS:198252
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large*** collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts. An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very -many- bad sites...
*** http://bgp.he.net/AS198252#_prefixes
... appears to be a block suballocated to someone using the email address aadeno@ inet .ba. I took a look at the sites hosted in this /24... There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.
Recommended blocklist:
217.71.50.0/24 ..."
(Long list at the dynamoo URL at the top.)

* http://krebsonsecuri...-trail-of-fail/
 



#1362 AplusWebMaster

Posted 02 January 2015 - 07:56 AM

FYI...

binarysmoney .com / clickmoneys .com / thinkedmoney .com "job" SPAM
- http://blog.dynamoo....kmoneyscom.html
2 Jan 2015 - "I've been plagued with these for the past few days:
    Date:    2 January 2015 at 11:02
    Subject:    response
    Good day!
    We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
    We cooperate with different countries and currently we have many clients in the world.
    Part-time and full-time employment are both currently important.
    We offer a flat wage from $1500 up to $5000 per month.
    The job offers a good salary so, interested candidates please registration on the our site: www .binarysmoney .com
    Attention! Accept applications only on this and next week.
    Respectively submitted
    Personnel department


Subject lines include:
New employment opportunities
Staff Wanted
Employment invitation
new job
New job offer
Interesting Job
response
Spamvertised sites seen so far are binarysmoney .com, clickmoneys .com and thinkedmoney .com, all multihomed on the following IPs:
46.108.40.76 (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania)
201.215.67.43 (VTR Banda Ancha S.A., Chile)
31.210.63.94 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
Another site hosted on these IPs is moneyproff .com. All the domains have apparently -fake- WHOIS details.
It looks like a money mule spam, but in fact it leads to some binary options trading crap.
> http://2.bp.blogspot...ary-options.jpg
... that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere. Binary options are a haven for scammers, and my opinion is that this is such a -scam- given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:
46.108.40.76
201.215.67.43
31.210.63.94
clickmoneys .com
thinkedmoney .com
binarysmoney .com
moneyproff .com
"
 



#1363 AplusWebMaster

Posted 03 January 2015 - 12:24 PM

FYI...

Fake 'Thank you' SPAM - malware
- http://myonlinesecur...xi-pro-malware/
3 Jan 2015 - "'Thank you for buying from Acrobat XI Pro' pretending to come from Plimus Sales <receipt@ plimus .com> with a link to a malicious website is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Plimus is a genuine affiliate marketing service/reseller/payment gateway for many software companies including Adobe. If you look carefully at the email, you can see the links are to IPLIMUS -not- plimus...

Screenshot: http://myonlinesecur...robat-XI-Pr.jpg

3 January 2015: adbx1pro.exe: | Current Virus total detections: 25/56*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1420298571/
 



#1364 AplusWebMaster

Posted 05 January 2015 - 08:42 AM

FYI...

Phish - 'Tesco Important Notification' ...
- http://myonlinesecur...ation-phishing/
5 Jan 2015 - "'Tesco Important Notification' pretending to come from Tesco .com offering you -free- Tesco vouchers is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well. If you are unwise enough to fill in the personal details and security questions, there is a very high likelihood that information could be used to compromise any other account or log in ANYWHERE on the net... don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine Tesco -bank- website but you can clearly see in the address bar, that it is -fake- ... Some versions of this -phish- will ask you to fill in the HTML (webpage) form that comes attached to the email...

If you follow the link you see a webpage looking like:
> http://myonlinesecur...s1-1024x606.jpg

Then you get a page asking for password and Security number:
> http://myonlinesecur...s2-1024x534.jpg

After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur...s3-1024x746.jpg

Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecur...s4-1024x625.jpg

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
 

Edited by AplusWebMaster, 05 January 2015 - 08:42 AM.


#1365 AplusWebMaster

Posted 06 January 2015 - 08:20 AM

FYI...

hqq .tv serving up Exploit kit (via Digital Ocean and Choopa)
- http://blog.dynamoo....it-kit-via.html
6 Jan 2015 - "... here's an infection chain starting from a scummy-looking video streaming site called cine-stream .net. I do not recommend visiting any of the sites labelled [donotclick]
Step 1
[donotclick]cine-stream .net/1609-le-pre-nol-est-une-ordure-en-streaming.html
89.248.170.206 (Ecatel Ltd, Netherlands)
URLquery report: http://urlquery.net/...d=1420561240827
Step 2
[donotclick]hqq .tv/player/embed_player.php?vid=7SO84O65X5SM&autoplay=no
199.83.130.198 (Incapsula, US)
Step 3
[donotclick]agroristaler .info/dasimotulpes16.html
128.199.48.44 (Digital Ocean, Netherlands)
URLquery report: http://urlquery.net/...d=1420561209263
Step 4
[donotclick]aflesministal .info/chat.html
178.62.147.144 (Digital Ocean, Netherlands)
128.199.52.108 (Digital Ocean, Netherlands)
Step 5
[donotclick]pohfefungie .co.vu/VUZQBUgAAgtAGlc.html
[donotclick]eixaaweexum .co.vu/VxFVBkgAAgtAGlc.html
108.61.165.69 (Choopa LLC / Game Servers, Netherlands)
URLquery report: http://urlquery.net/...d=1420560803160
The Digital Ocean and Choopa IPs host several apparently malicious domains:
108.61.165.69
eixaaweexum .co.vu
ienaakeoke .co.vu
weswalkers .co.vu
pohfefungie .co.vu
vieleevethu .co.vu
178.62.147.144
128.199.52.108
sebitibir .info
abrisgalor .info
aflesministal .info
128.199.48.44
abibruget .info
alsonutird .info
fiflakutir .info
fistikopor .info
agroristaler .info
poliloparatoser .info
In my opinion, .co.vu domains are often bad news and are good candidates for blocking. In the mean time I would recommend the following -minimum- blocklist:
108.61.165.69
178.62.147.144
128.199.52.108
128.199.48.44
"
___

Fake 'National Payments Centre' SPAM - malware
- http://blog.dynamoo....l-payments.html
6 Jan 2015 - "This -fake- financial spam has a malicious payload:
    Date:    6 January 2015 at 08:56
    Subject:    This is your Remittance Advice #ATS29858
    DO NOT REPLY TO THIS EMAIL ADDRESS
    Please find attached your remittance advice from Saint Gobain UK.
    For any queries relating to this remittance please notify the Payment Enquiry Team on 01484913947
    Regards,
    SGBD National Payments Centre


Note that this email is a forgery. Saint Gobain UK are -not- sending the spam, nor have their systems been compromised in any way. Instead, criminals are using a -botnet- to spam out malicious Excel documents. Each email has a different reference number, and the attachment file name matches. The telephone number is randomly generated in each case, using a dialling code of 01484 which is Huddersfield (in the UK). There will probably be a lot of confused people in Huddersfield at the moment.
There are actually four different versions of the -malicious- Excel file, none of which are detected by anti-virus vendors [1] [2] [3] [4] containing four different but similar macros...  which then download a component from one of the following locations:
http ://213.174.162.126:8080 /mans/pops.php
http ://194.28.139.100:8080 /mans/pops.php
http ://206.72.192.15:8080 /mans/pops.php
http ://213.9.95.58:8080 /mans/pops.php
This file is downloaded as test.exe and is then saved as %TEMP%\1V2MUY2XWYSFXQ.exe. It has a VirusTotal detection rate of just 3/48*. That report shows that the malware then connects to the following URLs:
http ://194.146.136.1:8080/
http ://179.43.141.164/X9BMtSKOfaz/e&WGWM+o%3D_c%26%248/InRRqJL~L
http ://179.43.141.164/TiHlXjsnCOo8%2C/fS%24P/VZFrel2ih%2Dlv+%26aTn
http ://179.43.141.164/suELl1XsT%2CFX.k%26z4./sn%3F=/%3Ffw/HFBN@8J
http ://179.43.141.164/fhmhi/igm/c&@%7E%2Dj.==m~cg_%2B%2C%3Daggs.%2Dkgm%26$~@fk@g/a%2Cgm+lkb%2D.~$kh/
194.146.136.1 is allocated to PE "Filipets Igor Victorovych" in Ukraine. 179.43.141.164 is Private Layer Inc in Panama. I would definitely recommend blocking them and possibly the entire /24s in which they are hosted. The Malwr report shows no activity, indicating that it is hardened against analysis.
Recommend blocklist:
194.146.136.1
179.43.141.164
213.174.162.126
194.28.139.100
206.72.192.15
213.9.95.58
"
1] https://www.virustot...sis/1420539739/

2] https://www.virustot...sis/1420539746/

3] https://www.virustot...sis/1420539753/

4] https://www.virustot...sis/1420539759/

* https://www.virustot...sis/1420540311/

- http://myonlinesecur...el-xls-malware/
6 Jan 2015
___

Fake 'PAYMENT ADVICE' malware SPAM
- http://blog.dynamoo....lware-spam.html
6 Jan 2015 - "This spam has a malicious attachment:
    From:    Celeste , Senior Accountant
    Date:    6 January 2015 at 10:13
    Subject:    PAYMENT ADVICE 06-JAN-2015
    Dear all,
    Payment has been made to you in amount GBP 18898,28 by BACS.
    See attachment.
    Regards,
    Celeste
    Senior Accountant


I have only seen one sample so far, with a document BACS092459_473.doc which has a VirusTotal detection rate of 0/56* and which contains this macro... which attempts to download an additional component from:
http ://206.72.192.15:8080 /mans/pops.php
This is exactly the same file as seen in this parallel spam run** today and it has the same characteristics."
* https://www.virustot...sis/1420543064/

** http://blog.dynamoo....l-payments.html

- http://myonlinesecur...rd-doc-malware/
6 Jan 2015
___

MS warns of new malware attacks w/ Office docs
- http://www.techworm....-documents.html
Jan 5, 2015 - "Microsoft has warned Microsoft Office users of a significant rise in malware attacks through macros in Excel and Word. In a report published on its blog*, Microsoft says that there has been more than a threefold jump in the malware campaigns spreading two different Trojan downloaders. These Trojan downloaders arrive in -emails- masquerading as orders or invoices. The malware is being spread through spam emails containing the following subject lines, according to Microsoft:
    ACH Transaction Report
    DOC-file for report is ready
    Invoice as requested
    Invoice – P97291
    Order – Y24383
    Payment Details
    Remittance Advice from Engineering Solutions Ltd
    Your Automated Clearing House Transaction Has Been Put On ...
...the attachment in the Adnel and Tarbir campaigns is usually named as follows:
    20140918_122519.doc
    813536MY.xls
    ACH Transfer 0084.doc
    Automated Clearing House transfer 4995.doc
    BAC474047MZ.xls
    BILLING DETAILS 4905.doc
    CAR014 151239.doc
    ID_2542Z.xls
    Fuel bill.doc
    ORDER DETAILS 9650.doc
    Payment Advice 593016.doc
    SHIPPING DETAILS 1181.doc
    SHIP INVOICE 1677.doc
    SHIPPING NO.doc
Microsoft Technet blog* says that the two Trojan downloaders,  TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir are being spread at a rapid pace through spam emails and phishing campaigns..."
* http://blogs.technet...ose-macros.aspx
2 Jan 2015
 

Edited by AplusWebMaster, 06 January 2015 - 12:44 PM.
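A content-based attachment check covering the two tricks in the posts above: the spoofed-icon .exe that looks like a PDF (the “show known file extensions” point in the 'Thank you' post) and the Word/Excel documents that carry a downloader macro (the Dridex runs in this post). This is an added example for this thread, not code from Dynamoo, myonlinesecurity or any other quoted blog. The sample files are constructed stand-ins (an 'MZ' stub, an empty OOXML ZIP, an OLE header followed by a VBA storage name) whose names merely echo the thread; they are not the real attachments. The OLE macro test is a raw-bytes heuristic (an assumption), not a compound-file parser.

```python
"""Triage mail attachments by what the bytes are, not by the name or icon they show.

Added example for this thread, not from any of the quoted blogs. File names below
are constructed to mirror the ones reported in the thread; the OLE macro check is
a heuristic assumption, not a full OLE2 parser.
"""
import io
import zipfile

MZ = b"MZ"                                  # DOS/PE executable stub
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (legacy .doc/.xls)
ZIP = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.docm) is a ZIP
PDF = b"%PDF"

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jse", ".wsf"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}
# Storage names that only exist in an OLE document when it carries a VBA project;
# the compound-file directory stores them as UTF-16LE.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name entirely."""
    for magic, kind in ((MZ, "pe"), (OLE, "ole"), (ZIP, "zip"), (PDF, "pdf")):
        if data.startswith(magic):
            return kind
    return "unknown"


def ooxml_has_macro(data: bytes) -> bool:
    """OOXML documents keep VBA in a vbaProject.bin part inside the ZIP container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole_has_macro(data: bytes) -> bool:
    """Heuristic (assumption): look for VBA storage names in the raw compound file.
    Can false-positive if the document body itself contains the word 'Macros'."""
    return any(marker in data for marker in OLE_VBA_MARKERS)


def triage(filename: str, data: bytes):
    """Return (verdict, findings); verdict is 'block', 'review' or 'allow'."""
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    kind = sniff(data)
    findings = []
    if kind == "pe":
        findings.append("pe-content")            # an executable whatever icon or name it shows
    if last in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        findings.append("double-extension")      # e.g. invoice.pdf.exe
    if kind == "zip" and ooxml_has_macro(data):
        findings.append("ooxml-macro")
    if kind == "ole" and ole_has_macro(data):
        findings.append("ole-macro-heuristic")
    if kind == "pe" or "ooxml-macro" in findings or "ole-macro-heuristic" in findings:
        return "block", findings
    if findings:
        return "review", findings
    return "allow", findings


def build_samples() -> dict:
    """Constructed stand-ins (not real malware) for the attachment types in the thread."""
    def ooxml(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name in parts:
                zf.writestr(name, b"")
        return buf.getvalue()
    fake_pe = MZ + b"\x90" * 62
    return {
        "adbx1pro.exe": fake_pe,                                   # spoofed-icon .exe
        "Remittance Advice.pdf.exe": fake_pe,                      # double extension
        "invoice EME018.docx": ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "clean.docx": ooxml(["word/document.xml"]),
        "Payroll Dec'14.doc": OLE + b"\x00" * 16 + "Macros".encode("utf-16-le"),
        "receipt.pdf": b"%PDF-1.4\n%...\n",
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        verdict, findings = triage(name, blob)
        print(f"{verdict:6s} {name:28s} {findings}")
```

Run it as-is to see the verdicts for the constructed samples, or point `triage()` at real attachment bytes pulled from a mail gateway quarantine. A file that sniffs as PE is blocked regardless of its name, which is exactly the case the spoofed icon is designed to get past a user.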


#1366 AplusWebMaster

Posted 07 January 2015 - 04:44 AM

FYI...

Exploit kits on Choopa LLC / Gameservers .com IP addresses
- http://blog.dynamoo....choopa-llc.html
7 Jan 2015 - "... The characteristics of these malicious landing pages are that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE:
ooshuchahxe .co.vu
ahjoneeshae .co.vu
phamiephim .co.vu
kaemahchuum .co.vu
pahsiefoono .co.vu
kaghaingai .co.vu
buengaiyei .co.vu
ohmiajusoo .co.vu
oodeerahshe .co.vu
paotuchepha .co.vu
aedeequeekou .co.vu
eikoosiexa .co.vu
phielaingi .co.vu
thohbeekee .co.vu
A typical exploit landing page looks like this [urlquery report*] which appears to be the Nuclear EK. These are hosted on the following Choopa LLC / Gameservers .com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:
108.61.165.69: https://www.virustot...69/information/
108.61.165.70: https://www.virustot...70/information/
108.61.165.96: https://www.virustot...96/information/
108.61.167.160: https://www.virustot...60/information/
108.61.172.139: https://www.virustot...39/information/
108.61.175.125: https://www.virustot...25/information/
108.61.177.107: https://www.virustot...07/information/
108.61.177.89: https://www.virustot...89/information/
... these domains seem to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google...

Recommended minimum blocklist (Choopa LLC IPs are highlighted):
108.61.123.219
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.172.145
108.61.175.125
108.61.177.107
108.61.177.89
108.61.198.148
108.61.211.121

64.187.225.245
104.224.147.220
UPDATE: Choopa LLC say they have terminated those IPs**. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised."

* http://urlquery.net/...d=1420560803160

 

** https://2.bp.blogspo...1600/choopa.png
___

Huffington Post and Gamezone visitors targeted with malvertising, infected with ransomware
- http://net-security....ews.php?id=2936
Jan 7, 2015 - "The last days of the past and the first days of the current year have been unlucky for visitors of several popular sites including the Huffington Post and Gamezone .com, which were unknowingly serving malicious ads that ultimately led to a ransomware infection. Cyphort Lab researchers first spotted the malvertising campaign on New Year's Eve on the HuffPo's Canadian website. A few days later, the ads were served on HuffingtonPost .com. The ensuing investigation revealed that the source of the ads is advertising .com, an AOL ad-network. Visitors to the sites who were served the ads were automatically redirected to a landing page hosting either the Neutrino or the Sweet Orange exploit kit. The kits served several exploits, and if one of them was successful, a new variant of the Kovter ransomware was downloaded and executed. Kovter* blocks the targeted computer's keyboard and mouse, usually demands a ransom of around $300, and searches the web browser's history for URLs of adult content sites to include in the ransom note. AOL has been notified of the problem, and has removed the malicious ads from rotation both in their advertising.com ad-network as well as in their adtech .de one... This is not the first time that Kovter was delivered in this way. Another malvertising campaign targeting YouTube users** was spotted in October 2014."
* http://www.net-secur...ews.php?id=2450

** http://www.net-secur...ews.php?id=2883
Sweet Orange exploit kit/NeutrinoEK: http://blog.trendmic...hit-us-victims/

>> http://www.cyphort.c...erving-malware/
___

Fake 'Accounts Payable - Remittance Advice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
7 Jan 2015 - "'Remittance Advice for 945.66 GBP' ( random amounts) pretending to come from a random named Senior Accounts Payable Specialist at a random company with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Update: we are also seeing a slightly different version with the subject Invoice 2907.51 GBP (random amounts) with an Excel XLS attachment... The email looks like:

    Please find attached a remittance advice for recent BACS payment of 945.66 GBP.
     Any queries please contact us.
     Katie Carr
    Senior Accounts Payable Specialist
    BUSHVELD MINERALS LTD


7 January 2015 : REM_5160JW.doc - Current Virus total detections: 4/56*
... [1] connects to 193.136.19.160 :8080//mans/pops.php and downloads the usual dridex to %temp%\1V2MUY2XWYSFXQ.exe. Current VirusTotal detections 4/56**
RBAC_2856PJ.xls Current Virus total detections: 3/56***
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1420634098/

** https://www.virustot...sis/1420635840/
... Behavioural information:
TCP connections
194.146.136.1: https://www.virustot....1/information/

*** https://www.virustot...sis/1420636228/

1] 193.136.19.160: https://www.virustot...60/information/
___

Fake 'NUCSOFT-Payroll' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
7 Jan 2015 - "'NUCSOFT-Payroll December 2014' pretending to come from Eliza Fernandes <eliza_fernandes@ nucsoft .co.in> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... The email looks like:

Screenshot: http://myonlinesecur...cember-2014.jpg

7 January 2015 : Payroll Dec’14.doc . Current Virus total detections: 2/56*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1420619222/

- http://blog.dynamoo....es-nucsoft.html
7 Jan 2015
> https://www.virustot...sis/1420623113/

>> https://www.virustot...sis/1420624521/

Recommended blocklist:
59.148.196.153: https://www.virustot...53/information/
74.208.11.204: https://www.virustot...04/information/
___

Malformed AndroidManifest.xml in Apps Can Crash Mobile Devices
- http://blog.trendmic...mobile-devices/
Jan 7, 2015 - "Every Android app comprises several components, including something called the AndroidManifest.xml file or the manifest file. This manifest file contains essential information for apps, “information the system must have before it can run any of the app’s code.” We came across a vulnerability related to the manifest file that may cause an affected device to experience a -continuous- cycle of rebooting — rendering the device nearly useless to the user. The Manifest File Vulnerability: The vulnerability can cause the OS to crash through two different ways. The first involves very long strings and memory allocation. Some apps may contain huge strings in their .XML files, using document type definition (DTD) technology. When this string reference is assigned to some of the tags in AndroidManifest.xml (e.g., permission name, label, name of activity), the Package Parser will require memory to parse this .XML file. However, when it requires more memory than is available, the PackageParser will crash. This triggers a chain reaction wherein all the running services stop and the whole system consequently reboots once. The second way involves .APK files and a specific intent-filter, which declares what a service or activity can do. An icon will be created in the launcher if the manifest file contains an activity definition with this specific intent-filter:
    <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
     </intent-filter>
If there are many activities defined with this intent-filter, the same number of icons will be created on the home page after installation. However, if this number is too large, the .APK file will trigger a loop of rebooting. If the number of activities is bigger than 10,000:
    For Android OS version 4.4, the launcher process will undergo the reboot.
    For version L, the PackageParser crashes and reboots. The malformed .APK will be installed but no icon will be displayed. If the number of activities is larger than 100,000, the devices will undergo the -loop- of rebooting...
We have tested and proven that this created APK could -crash- both Android OS 4.4.4, Android OS L, -and- older versions of the platform... While this vulnerability isn’t technically a security risk, it does put devices at risk in terms of functionality. This vulnerability can essentially leave devices useless. Affected devices can be “rescued” but -only- if the Android Debug Bridge (ADB) is activated or enabled. The only solution would be to connect the device to a computer, boot the phone in fastboot mode, and flash the ROM. Unfortunately, such actions can only be done by highly technical users as a mistake can possibly brick a device. For this issue, we recommend that users contact customer service (if their devices are still under warranty) or a reputable repair shop. We have notified Google about this issue."
___

Fake Flight QZ8501 Video on Facebook
- https://blog.malware...eo-on-facebook/
Jan 6, 2015 - "... If you’re waiting on information with regards what caused the tragic crash of AirAsia Flight QZ8501, please be aware that the inevitable fake Facebook video links are now putting in an appearance. Here’s one, located at: bergkids(dot)com/qz8501 - The page is pretty bare, save for the imagery of what they claim is the plane in question and the following text:
[CRASH VIDEO] AirAsia Flight QZ8501 Crashed near east coast of Sumatera.
> https://blog.malware.../01/fakeqz1.jpg
Clicking the play button encourages Facebook users to share it, before being redirected to an -imitation- YouTube page located at: urvashi(dot)altervista(dot)org/video/vid(dot)php
> https://blog.malware.../01/fakeqz2.jpg
While visitors might think this would be the video in question, in actual fact they’re looking at a sort of -fake- video -farm- where clicking the link takes them to a wide variety of phony clip scams... From there, they’re then (re)directed to one of the links in the screenshot above. There’s everything from “You won’t eat [product x] again after seeing this” to non-existent leaked celebrity tapes. Disturbingly, two of the pages claim to show car accidents and one of them uses a rather graphic photograph. Given that people could be arriving there from a personal need to find out more information about the plane crash, this is just more proof that the people behind these pages couldn’t care less... All of the above pages return the visitor to the “main” Altervista URL, where they’ll be asked to share then be sent to another of the links in the -redirect- code. It seems to be a way of trying to drop the links on as many feeds as possible (assuming the Facebook account owner changes the share option from “just me” to people in their social circles). Should the weary clicker grow tired of this digital roundabout and simply sit on the altervista page too long, they’ll find that they’re automatically sent to a page called “Horrific Video”:
> https://blog.malware.../01/fakeqz5.jpg
Unlike the other pages which simply loop potential victims around while asking them to share links, this one will take them to a -survey- page if the video “player” is clicked... As with all other survey pages, the links could lead to everything from offers and personal questions to ringtone signups or software installs and are usually served up according to region... If you want to know the latest information on the AirAsia crash, please stick to news sources you know and trust. It’s extremely unlikely someone is going to have exclusive footage sitting on some video website you’ve never heard of, and the moment you’re caught in a loop of “Share this on Facebook to view” messages you can bet there’s nothing on offer except someone trying to make a fast buck."
 

Edited by AplusWebMaster, 07 January 2015 - 02:20 PM.
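A log sweep that turns the blocklists in this post and the previous one into a detection, as Dynamoo suggests above ("review your logs for traffic to these servers as they might identify machines that have been compromised"). This is an added example for this thread, not code from the quoted blogs. Assumptions: a constructed, generic proxy log format (timestamp, source IP, destination IP, method, URL) that you would adapt to your own proxy; a subset of the IPs from the two posts; treating the two Dridex addresses as whole /24s, which the post offers as an option; and the :8080/mans/pops.php fetch path as a second indicator, so the same downloader is caught on a host that is not yet on the list. The log lines are constructed, not real traffic.

```python
"""Sweep proxy/firewall logs for the indicators listed in these posts.

Added example, not code from Dynamoo or the other quoted blogs. Log format and
sample lines are constructed; indicator values come from the blocklists above.
"""
import ipaddress
import re
from collections import defaultdict

# Individual IPs recommended for blocking in the posts (subset).
BLOCK_IPS = """
194.146.136.1 179.43.141.164 213.174.162.126 194.28.139.100 206.72.192.15 213.9.95.58
108.61.165.69 108.61.165.70 108.61.165.96 178.62.147.144 128.199.52.108 128.199.48.44
""".split()
# Ranges: the Bosnian /24 from the earlier post, plus the "possibly the entire /24s"
# option for the two Dridex C2 addresses (assumption: treat them as /24s).
BLOCK_NETS = ["217.71.50.0/24", "194.146.136.0/24", "179.43.141.0/24"]
# Fetch path used by the Excel/Word macro downloaders in this post.
DOWNLOADER_PATH = re.compile(r":8080/mans/pops\.php$")

# Constructed format: <timestamp> <src_ip> <dst_ip> <METHOD> <url>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def build_matcher(ips, nets):
    """Return a predicate that is true for any address on the block list or in a blocked net."""
    ip_set = {ipaddress.ip_address(i) for i in ips}
    net_list = [ipaddress.ip_network(n) for n in nets]

    def is_blocked(addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return a in ip_set or any(a in n for n in net_list)
    return is_blocked


def sweep(lines, is_blocked=None):
    """Return {source_host: [reasons]} for every line touching an indicator.

    The source host is the key because that is the machine to go and look at."""
    is_blocked = is_blocked or build_matcher(BLOCK_IPS, BLOCK_NETS)
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # malformed or a different log format
        src, dst, url = m["src"], m["dst"], m["url"]
        if is_blocked(dst):
            hits[src].append(f"dst {dst} on blocklist ({m['method']} {url})")
        elif DOWNLOADER_PATH.search(url):
            hits[src].append(f"macro downloader path {url}")
    return dict(hits)


# Constructed sample log; 93.184.216.34 and 198.51.100.9 stand in for unrelated hosts.
SAMPLE_LOG = """\
2015-01-06T09:12:01Z 10.1.4.22 206.72.192.15 GET http://206.72.192.15:8080/mans/pops.php
2015-01-06T09:12:03Z 10.1.4.22 194.146.136.1 POST http://194.146.136.1:8080/
2015-01-06T09:13:10Z 10.1.4.31 93.184.216.34 GET http://example.com/index.html
2015-01-06T09:14:55Z 10.1.7.8 217.71.50.77 GET http://217.71.50.77/landing.html
2015-01-06T09:15:00Z 10.1.4.31 198.51.100.9 GET http://198.51.100.9:8080/mans/pops.php
garbage line that does not parse
"""

if __name__ == "__main__":
    for host, reasons in sweep(SAMPLE_LOG.splitlines()).items():
        print(host)
        for r in reasons:
            print("   ", r)
```

The host 10.1.4.22 shows the full Dridex sequence (macro fetch, then a POST to the Ukrainian C2), 10.1.7.8 only touched the Bosnian range, and 10.1.4.31 is the interesting one: it fetched the same /mans/pops.php path from an address that is not on any list yet, which is the kind of pivot an IP-only blocklist misses.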
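A static check for the two manifest conditions the Trend Micro post above describes: a DTD whose entities expand into huge attribute strings, and more than 10,000 activities carrying the MAIN/LAUNCHER intent-filter. This is an added example for this thread, not Trend Micro's code. Assumptions: the input is the decoded, plain-text AndroidManifest.xml (decode the binary AXML with apktool or similar first); the 10,000 threshold is the one quoted in the post; and, as a policy choice rather than a measurement of expansion size, any internal DTD or entity declaration is flagged, since a legitimate manifest never needs one. The entities are neutralised before parsing so that the checker's own XML parser does not do the expansion the post warns about. The manifests are constructed on the fly, not taken from any real APK.

```python
"""Static check of a decoded AndroidManifest.xml for the two crash conditions above.

Added example for this thread, not Trend Micro's code. Threshold and conditions
are taken from the post; the DTD check is a policy heuristic (assumption).
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LAUNCHER_LIMIT = 10_000        # per the post: the reboot loop starts beyond this many
ENTITY_DECL = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Entity references other than the five XML built-ins and numeric character refs.
CUSTOM_ENTITY_REF = re.compile(rb"&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)[\w.-]+;")


def count_launcher_activities(root) -> int:
    """Count <activity> elements that have a MAIN + LAUNCHER intent-filter."""
    n = 0
    for activity in root.iter("activity"):
        for filt in activity.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in filt.findall("action")}
            cats = {c.get(NAME_ATTR) for c in filt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                n += 1
                break          # one icon per activity, however many such filters it has
    return n


def check_manifest(xml_bytes: bytes) -> dict:
    """Return {'launcher_activities': int|None, 'findings': [...], 'verdict': 'ok'|'reject'}."""
    findings = []
    if ENTITY_DECL.search(xml_bytes):
        # Condition 1: DTD entities expanded into manifest attributes. Flag it, strip the
        # DOCTYPE and replace custom entity references so our parser never expands them.
        findings.append("dtd-entity-declaration")
        xml_bytes = re.sub(rb"<!DOCTYPE.*?(?:\[.*?\])?\s*>", b"", xml_bytes, count=1, flags=re.S)
        xml_bytes = CUSTOM_ENTITY_REF.sub(b"__ENTITY__", xml_bytes)
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        findings.append("unparseable")
        return {"launcher_activities": None, "findings": findings, "verdict": "reject"}
    n = count_launcher_activities(root)
    if n > LAUNCHER_LIMIT:     # condition 2: launcher icon flood
        findings.append("launcher-activity-flood")
    return {"launcher_activities": n, "findings": findings, "verdict": "reject" if findings else "ok"}


def build_manifest(n_launchers: int, huge_string_entity: bool = False) -> bytes:
    """Constructed test manifest (not from a real APK) with n launcher activities."""
    dtd, label = b"", b"Demo"
    if huge_string_entity:
        dtd = b'<!DOCTYPE manifest [<!ENTITY big "' + b"A" * 4096 + b'">]>'
        label = b"&big;"       # the long-string reference described in the post
    activity = (b'<activity android:name=".A%d"><intent-filter>'
                b'<action android:name="android.intent.action.MAIN"/>'
                b'<category android:name="android.intent.category.LAUNCHER"/>'
                b'</intent-filter></activity>')
    body = b"".join(activity % i for i in range(n_launchers))
    return (b'<?xml version="1.0" encoding="utf-8"?>' + dtd
            + b'<manifest xmlns:android="' + ANDROID_NS.encode() + b'" package="com.example.demo">'
            + b'<application android:label="' + label + b'">' + body + b'</application></manifest>')


if __name__ == "__main__":
    print(check_manifest(build_manifest(1)))
    print(check_manifest(build_manifest(2, huge_string_entity=True)))
    print(check_manifest(build_manifest(LAUNCHER_LIMIT + 1)))
```

Run it against the manifest of any APK you are about to sideload; a "reject" on either finding is cheaper than the fastboot-and-reflash recovery the post describes.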


#1367 AplusWebMaster

Posted 08 January 2015 - 07:47 AM

FYI...

Fake 'invoice EME018' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
8 Jan 2015 - "'invoice EME018.docx' pretending to come from Ieuan James <emerysieuan@ gmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has come in corrupted on my email server and looks like this (I am sure some email servers will serve up a working version):
    --Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
    Content-Type: text/plain;
    charset=us-ascii
    Content-Transfer-Encoding: 7bit
    --Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
    Content-Type: application/msword;
    name="invoice EME018.doc";
    x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
    Content-Disposition: attachment;
    filename="invoice EME018.doc"
    Content-Transfer-Encoding: base64 ...


... extracted the malicious word doc from the content.
8 January 2015 : invoice EME018.doc - Current Virus total detections: 1/56*
According to Dynamoo’s blog[1] this EME018.doc malware file will connect to one of these sites:
http ://ecovoyage.hi2 .ro/js/bin.exe
http ://mateusz321.cba .pl/js/bin.exe
This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55** ..."
* https://www.virustot...sis/1420701971/

** https://www.virustot...sis/1420708713/

1] http://blog.dynamoo....es-invoice.html
8 Jan 2015 - "... this morning I've seen a handful of these malformed malware spams, claiming to be from a Ieuan James and with a subject of invoice EME018.docx. The body text contains some Base64 encoded data which presumably is meant to be an attachment... Recommended minimum blocklist:
59.148.196.153
74.208.11.204
129.215.249.52
78.140.164.160
37.1.208.21
86.156.238.178

In addition I suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight. I would very strongly recommend blocking the entire 37.1.208.0/21 range..."
___

Fake 'INVOICE ADVISE' and 'NOVEMBER INVOICE' SPAM - doc/xls malware
- http://blog.dynamoo....e-08012015.html
8 Jan 2015 - "These two -spam- runs have different email messages but the same payload. In both cases, there are multiple -fake- senders:
Sample 1 - INVOICE ADVISE 08/01/2015
    From:    Mia Holmes
    Date:    8 January 2015 at 09:11
    Subject:    INVOICE ADVISE 08/01/2015
    Good morning
    Happy New Year
    Please could you advise on the  November GBP invoice in the attachment for me?
    Many thanks
    Kind Regards
    Mia Holmes
    Accountant
    SULA IRON & GOLD PLC

Sample 2 - NOVEMBER INVOICE
    From:    Reed Barrera
    Date:    8 January 2015 at 09:16
    Subject:    NOVEMBER INVOICE
    Good morning
    Happy New Year
    Please could you advise on the  November GBP invoice in the attachment for me?
    Many thanks
    Kind Regards
    Reed Barrera
    Controller
    ASSETCO PLC


Other sender names include:
-    Marlin Rodriquez
    Accountant
    CLONTARF ENERGY PLC
-    Olive Pearson
    Senior Accountant
    ABERDEEN UK TRACKER TRUST PLC
-    Andrew Salas
    Credit Management
    AMTEK AUTO
The attachment is a Word document (in one sample it was a Word document saved as an XLS file). Example filenames include:
RBAC_9971IV.xls
INV_6495NU.doc
2895SC.doc
There are -four- different malicious files that I have seen so far, all with low detection rates [1] [2] [3] [4] which contain in turn one of these macros... leading to a download from one of the following locations:
http ://188.241.116.63 :8080/mops/pops.php
http ://108.59.252.116 :8080/mops/pops.php
http ://178.77.79.224 :8080/mops/pops.php
http ://192.227.167.32 :8080/mops/pops.php
This file is downloaded as g08.exe which is then copied to %TEMP%\1V2MUY2XWYSFXQ.exe. This file has a detection rate of 3/56*. The VT report shows a POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known malware server which I recommend that you block. This IP is confirmed in the Malwr report which also shows a dropped DLL which is the same as found in this spam run and has a detection rate of just 2/56**."
1] https://www.virustot...sis/1420712512/

2] https://www.virustot...sis/1420712527/

3] https://www.virustot...sis/1420712717/

4] https://www.virustot...sis/1420713398/

* https://www.virustot...sis/1420713841/

** https://www.virustot...sis/1420714510/

- http://myonlinesecur...el-xls-malware/
8 Jan 2015: INV_7330KQ.doc - Current Virus total detections: 1/56*
* https://www.virustot...sis/1420713841/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustot....1/information/
 



Edited by AplusWebMaster, 08 January 2015 - 08:30 AM.

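Added example (my own script, not code from Dynamoo or any of the blogs quoted in this thread): the "Recommended blocklist" entries above are a mix of single IPs and one CIDR range (37.1.208.0/21), so a naive string comparison against proxy logs misses every host in the range except the one that was seen. The script below turns the list into network objects with Python's standard ipaddress module and matches outbound destinations against them. The proxy log lines are constructed for illustration: 194.146.136.1, 74.208.11.204 and 188.241.116.63 come from the posts above, while 37.1.212.9 is a made-up address inside the /21 and www.example.com is a stand-in for ordinary traffic.

```python
"""Match outbound connections against a recommended blocklist.

Added example for the SWI thread; not code from Dynamoo or the blogs quoted.
Blocklist entries are the IPs and the 37.1.208.0/21 range from the post above.
The proxy log below is constructed; 37.1.212.9 is a made-up host inside the /21.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Entries quoted in the post: single IPs plus one CIDR range.
BLOCKLIST = [
    "59.148.196.153",
    "74.208.11.204",
    "129.215.249.52",
    "78.140.164.160",
    "37.1.208.21",
    "86.156.238.178",
    "37.1.208.0/21",
    "194.146.136.1",
]

# Constructed proxy log: "<client> <method> <url>" per line.
SAMPLE_LOG = """\
10.0.0.12 POST http://194.146.136.1:8080/
10.0.0.12 GET http://188.241.116.63:8080/mops/pops.php
10.0.0.33 GET http://37.1.212.9/js/bin.exe
10.0.0.40 GET http://www.example.com/index.html
10.0.0.51 POST http://74.208.11.204:8080/
"""


def compile_blocklist(entries: Iterable[str]):
    """Parse single IPs and CIDR strings into networks (a bare IP becomes /32)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def match_blocklist(host: str, networks) -> Optional[str]:
    """Return the blocklist entry covering `host`, or None.

    Hostnames (not IP literals) return None here; resolve them first if you
    want to match on the address they point to.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def scan_log(log_text: str, entries: Iterable[str] = BLOCKLIST) -> List[Tuple[str, str, str]]:
    """Return (client, destination host, matching entry) for every blocked hit."""
    networks = compile_blocklist(entries)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash
        client, url = fields[0], fields[2]
        # urlsplit strips the scheme and the :8080 port for us.
        host = urlsplit(url).hostname or ""
        entry = match_blocklist(host, networks)
        if entry:
            hits.append((client, host, entry))
    return hits


if __name__ == "__main__":
    for client, host, entry in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} blocked by {entry}")
```

Note that the download host 188.241.116.63 from the second spam run is not in this particular blocklist, so it passes; the two lists in the post are separate recommendations and you would merge them before deploying.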


#1368 AplusWebMaster (SWI Friend, 9,343 posts)

Posted 09 January 2015 - 08:09 AM

FYI...

Fake 'Monthly Invoice & Report' SPAM - malware
- http://blog.dynamoo....tasharp-uk.html
9 Jan 2015 - "This spam email pretends to be from a wholly legitimate company called Datasharp UK Ltd but it isn't, it is a spoof. Datasharp is not sending the spam, their systems have not been compromised in any way.
    From:    ebilling@ datasharp .co
    Date:    9 January 2015 at 06:55
    Subject:    DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report
    THIS MESSAGE WAS SENT AUTOMATICALLY
    Attached is your Invoice from Datasharp Hosted Services for this month.
    To view your bill please go to www.datasharp .co.uk.  Allow 24 hours before viewing this information.
    For any queries relating to this bill, please contact hosted.services@ datasharp .co.uk or call 01872 266644.
    Please put your account number on your reply to prevent delays
    Kind Regards
    Ebilling


So far I have seen two different Word documents attached with low detection rates at VirusTotal [1] [2] containing one of two malicious macros... which then attempt to download an additional component from the following locations:
http ://TICKLESTOOTSIES .COM/js/bin.exe
http ://nubsjackbox.oboroduki .com/js/bin.exe
The tickletootsies .com download location has been cleaned up, but the other one is still working as it downloads a file with a VirusTotal detection rate of 5/56*. That VirusTotal report also shows that it attempts to POST to 74.208.11.204:8080 (1&1, US) which has been a malware C&C server for several weeks and is definitely worth blocking.
UPDATE: the Malwr report shows connections to the following IPs which I recommend you block:
59.148.196.153
74.208.11.204
"
1] https://www.virustot...sis/1420794297/

2] https://www.virustot...sis/1420794299/

* https://www.virustot...sis/1420793909/

- http://myonlinesecur...rd-doc-malware/
9 Jan 2015
Screenshot: http://myonlinesecur...oice-Report.jpg

* https://www.virustot...sis/1420787444/

** https://www.virustot...sis/1420787603/

*** https://www.virustot...sis/1420793909/
___

Fake 'Fax' SPAM
- http://blog.dynamoo....-documents.html
9 Jan 2015 - "This -fake- fax run is a variation of this one* from yesterday.
    From:    Fax [no-replay@ fax-voice .com]
    Date:    9 January 2015 at 14:52
    Subject:    Employee Documents - Internal Use
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Fax Documents
    DOCUMENT LINK: <redacted> ...


As before, there are several links leading to different download locations... These landing pages lead to a pair of jjencoded javascripts hosted on different files. I explained a little about those last time* ... the download location that you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. And possibly even more interesting is that every time you download the target ZIP file "message.zip ;.zip ;.zip ;" it seems to be different... That led to -10- different ZIP files containing different EXE files... Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:
http ://202.153.35.133 :55365/0901us1/HOME/0/51-SP3/0/
http ://202.153.35.133 :55365/0901us1/HOME/1/0/0/
http ://crecrec .com/mandoc/nuts12.pdf
http ://202.153.35.133 :55350/0901us1/HOME/41/7/4/
http ://samrhamburg .com/img/ml1.tar
202.153.35.133 (Excell Media Pvt Lt, India) is probably the key thing to block. Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characteristics in each case. This has a VirusTotal detection rate of 1/55** and you can see the Malwr report for that file here***..."
* http://blog.dynamoo....m-campaign.html

** https://www.virustot...sis/1420818425/

*** https://malwr.com/an...jVjYWE0ZmQwZDU/

202.153.35.133: https://www.virustot...33/information/
___

Bingham McCutchen Law Firm Spam
- http://threattrack.t...n-law-firm-spam
Jan 9, 2015 - "Subjects Seen:
     Judicial summons
Typical e-mail details:
    Warrant to appear Please be informed that you are expected in the Hamilton County Court of Appeals on February 2nd, 2015 at 9:30 a.m. where the hearing of your case of illegal software use will take place. You may obtain protection of a lawyer, if necessary.
    Please bring your identity documents to the Court on the named day. Attendance is compulsory.
    The detailed plaint note is attached to this letter, please download and read it thoroughly.
    Clerk of court,
    Jacob Velez


Malicious URLs:
    joalpe.firebearstudio .com/dir.php?bh=oBRzRrtM0A02ooUI1aER2YGsHzIP29bCneRZntfom+A=
Malicious File Name and MD5:
    PlaintNote_BinghamMcCutchen_00588315.exe (E1A7061CCB8997EAB296AA84454B072B)


Screenshot: https://gs1.wac.edge...zDyH1r6pupn.png

Tagged: law firm, Kuluoz

176.9.136.137: https://www.virustot...37/information/

> https://www.google.c...c?site=AS:24940
___

Fake CNN Twitter Feeds SPAM weight loss links
- https://blog.malware...ght-loss-links/
Jan 9, 2015 - "We’ve noticed a number of fake CNN-themed Twitter accounts driving traffic to a couple of different weight loss sites. The accounts in question are:
CNNOnly
TheCNNBreak
MyCNNNews
CNNHotline
All of the above started posting their links in the last few hours... Curiously, they all stopped posting their random mish-mash of memes and joke images around December 18 or 19, so it’s possible they could be formally parked bots which have taken on a new lease of life in some way. We’ve also seen non CNN-themed accounts sending out the same links. To give you an idea of click totals, the stats for two of the links we’ve seen are as follows:
bit(dot)ly/12NTPUP – 25,814 clicks
bit(dot)ly/1zxVKtB – 37,262 clicks
Worth noting that both of those links were created December 10, and as you now have to log into Bit.ly to see additional stats – and I can’t currently log in – we can’t comment on what percentage of those clicks are very recent. All the same, we shouldn’t look to keep clicking now and encourage -more- spam as a result. Twitter spam runs are one of those things which will never go away, and it pays to have an idea of the kind of antics* spammers get up to. If you’re looking for some advice on how to keep your Twitter account safe you may wish to look at the latter half of this post** while you’re at it..."
* https://blog.malware...?s=twitter spam

** https://blog.malware...r-account-safe/
 



Edited by AplusWebMaster, 09 January 2015 - 04:41 PM.



#1369 AplusWebMaster (SWI Friend, 9,343 posts)

Posted 12 January 2015 - 08:42 AM

FYI...

Fake 'Summary Paid Against' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
12 Jan 2015 - "'Summary Paid Against' pretending to come from Jason Bracegirdle JPS Projects Ltd <jason.bracegirdle@ jpsprojectsltd .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains the same malware payload as today’s Invoice from 'simply carpets of Keynsham Ltd' - Word doc malware* although the file attachment has a different name...

Screenshot: http://myonlinesecur...aid-Against.jpg

11 January 2015: Copy of Weekly Summary 28 12 2014 w.e 28.12.14.doc - Current Virus total detections: 3/54**
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...rd-doc-malware/

** https://www.virustot...sis/1421063953/

- http://blog.dynamoo....ears-to-be.html
12 Jan 2015
1] https://www.virustot...sis/1421065786/

2] https://www.virustot...sis/1421065795/

> http://blog.dynamoo....rom-simply.html
12 Jan 2015
Recommended blocklist:
59.148.196.153
74.208.11.204
"
___

Outlook Settings Spam
- http://threattrack.t...k-settings-spam
Jan 12, 2015 - "Subjects Seen:
     Important - New Outlook Settings
Typical e-mail details:
    Please carefully read the downloaded instructions before updating settings.
    campusnut .com/outlook/settings.html
    This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ Outlook-us.com and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


Malicious URLs:
    campusnut .com/outlook/settings.html
    images .californiafamilyfitness.com/outlook/settings.html
    data.gamin .cz/outlook/settings.html
    capslik .com/outlook/settings.html
    duedisnc .it/outlook/settings.html
    cwvancouver .com/outlook/settings.html
    eu1.panalinks .com/outlook/settings.html
    indemnizaciongarantizada .com/outlook/settings.html
    dprofessionals .org/outlook/settings.html
    homewoodsuitestremblant .com/outlook/settings.html
    ig4mbeco .com/outlook/settings.html
    bestni .com/outlook/settings.html
    boryapim .com/outlook/settings.html
    hinchablessegarra .com/outlook/settings.html
    bonificachiana .it/outlook/settings.html
Malicious File Name and MD5:
    outlook_setting_pdf.exe (9F2018FC3C7DE300D1069460559659F4)


Screenshot: https://gs1.wac.edge...AfD81r6pupn.png

Tagged: Outlook, Upatre

- http://blog.dynamoo....ew-outlook.html
12 Jan 2015
... outlook_setting_pdf.exe
https://www.virustot...sis/1421077347/
"... Recommended blocklist:
202.153.35.133
morph-x .com
coffeeofthemonth .biz
"

202.153.35.133: https://www.virustot...33/information/
___

iPhone 6 SCAM
- https://blog.malware...6-scam-returns/
Jan 12, 2015 - "... a familiar -scam- on the verge of a come-back:
> https://blog.malware...015/01/brad.png
... we first encountered the spammed link on LinkedIn, thanks to a user named Kolko Kolko, who according to his profile is a coach and has the face of an A-list celebrity. Doing a quick online search using the goo.gl shortened URL brings up other domains—Google Plus, Livejournal, and Picasa, specifically — where the list is also being posted and shared. Once users click-the-link, they are directed to a survey -scam- page. Below is an example:
> https://blog.malware...5/01/survey.png
The above page is a type of survey that gives users the option to skip. Doing so, however, opens additional layers of survey pages that need skipping until such a point that users encounter a page they cannot escape, such as this:
> https://blog.malware...ore-surveys.png
... the surveys vary depending on the user’s location... Should you encounter any posts from random users on sites you frequent with regard to claiming an iPhone 6, don’t click-the-link... warn friends and contacts on that site to avoid falling for it..."
___

Phish - Barclaycard Credit limit increase
- http://myonlinesecur...rease-phishing/
12 Jan 2015 - "'Credit limit increase' pretending to come from Barclaycard <barclaycard@ mail.barclaycard .co.uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. We are seeing a quite big run of this email today. We see these phishing emails frequently, but today’s spam run of them has a much larger number than usual. This one only wants your personal details, Barclaycard log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

Screenshot: http://myonlinesecur...rease-email.jpg

If you open the attached html file you see a webpage looking like:
> http://myonlinesecur...it-increase.jpg
When you fill in your user name and password you get a page where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. They then send you on to the genuine Barclaycard website..."
___

Google/Microsoft feud over latest 0-day disclosures
- http://www.infoworld...-microsoft.html
Jan 12, 2015 - "... The subject is the long-running feud between Google and Microsoft over the handling of zero-day flaws. Google engineer Tavis Ormandy has built quite a reputation in security circles for finding zero days in Windows and notifying Microsoft. If no action is forthcoming from Microsoft in a pre-determined amount of time (usually 90 days), Ormandy releases the details (presumably with Google's permission), typically on the Full Disclosure mailing list... The process is now formally supported by Google, under the name Project Zero*. There's no better way I know to get Microsoft's attention. The latest instances actually concern two zero-day bugs, both reported by a Google researcher known as Forshaw... Here's how the argument boils down, in my estimation. If you trust Microsoft to fix the holes in Windows, then Coordinated Vulnerability Disclosure - where we, as customers, trust Microsoft to dig in and fix problems as soon as they're discovered - is a great idea. We would trust Microsoft to fix the problems expeditiously, because other people may have discovered the problem already. We also trust Microsoft to put enough money into the patching effort to make the fixes appear quickly and accurately. If you don't trust Microsoft, then the question becomes how best to hold Microsoft's feet to the fire. Although some believe in full, immediate disclosure, I don't buy that. There has to be a better way. Google's approach seems to me a reasonable one - although it's arguable that the zero-day notification window should be extended to 120 days..."
* http://googleonlines...oject-zero.html

> http://blogs.technet...disclosure.aspx
___

TorrentLocker -ransomware- hits ANZ Region
- http://blog.trendmic...its-anz-region/
Jan 11, 2015 - "... the EMEA (Europe-Middle East-Africa) region experienced a surge in ransomware, specifically, crypto-ransomware attacks. It appears that these attacks are no longer limited to that region. Research from Trend Micro engineers shows that the ANZ (Australia-New Zealand) region is the latest to be greatly affected by this type of malware—this time by TorrentLocker ransomware. The Infection Chain:
Infection diagram for ANZ attacks:
> http://blog.trendmic.../ANZ-cryp11.jpg
The malware arrives through -emails- that pretend to be penal notices from the New South Wales government (referred in this entry as “NSW”) -or- shipping information from the Australia Post. Once users click-the-link, they will be -redirected- to a -spoofed- page bearing a newly-registered domain similar to the official, legitimate one. The page instructs users to download a file by first entering a CAPTCHA code. If correctly entered, it triggers the download of the malicious file in a zipped format from SendSpace, a file-hosting site. If the user -opens- the zipped file and executes the malware, it will connect to secure command-and-control (C&C) servers. After successful sending and receiving of information, the malware will then encrypt files in the users’ machines using Elliptic Curve Cryptography Encryption and appends the string .encrypted. Afterwards, it drops an .HTML file with decryption instructions and displays a ransom page. It also deletes the shadow copy of the infected system by executing the command line instruction vssadmin.exe Delete Shadows /All /Quiet, thus preventing the user from restoring their files from back-up. Based on feedback from the Smart Protection Network, 98.28% of the recipients are from Australia... we have identified several fake domains, 180 for Australia Post and 134 for NSW. These domains are hosted in the following Russian name servers, registered to certain email addresses:
    91.218.228.XX
    193.124.200.13X
    193.124.205.18X
    193.124.89.10X

The C&C servers in these attacks are newly registered and hosted under IP addresses ranging from 46.161.30.17 to 46.161.30.49. We have also identified eight domains, including adwordshelper[.]ru and countryregion[.]ru... Sample hashes of the files supported by our detections:
    4d07581b5bdb3f93ff2721f2125f30e7d2769270
    6a46ff02b1a075c967939851e90dfb36329876fa
    9d71e27ad25dfe235dfaec99f6241673a6cff30e
    a0bbbd2c75e059d54d217c2912b56b1cb447ef31
    0ce7690a209796b530b89f3cac89c90626785b84
    09d5bc847f60ce3892159f717548d30e46cd53f0
    1816a65aa497877b8f656b87550110e04ac972cd
    bee66ab8460ad41ba0589c4f46672c0f8c8419f8 ..."
(More detail at the trendmicro URL at the top of this post.)

 



Edited by AplusWebMaster, 12 January 2015 - 02:52 PM.

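Added example (my own, not from Trend Micro or anyone in this thread): the one piece of the TorrentLocker chain above that is cheap to detect on the host is the shadow-copy deletion, since vssadmin.exe Delete Shadows /All /Quiet is something a normal user session almost never runs. The Python check below walks a constructed list of process-creation command lines (the shape you get from Sysmon Event ID 1 or Windows event 4688 with command-line auditing enabled) and flags that step. It goes a little beyond the page: it also catches the wmic shadowcopy delete and vssadmin resize shadowstorage forms that other ransomware uses for the same purpose, and it tolerates mixed case and quoted paths, which exact-string matching on the command line would miss. Event IDs, paths and the list of events are all made up for the example.

```python
"""Flag process-creation command lines that destroy Volume Shadow Copies.

Added example for the SWI thread; not from Trend Micro or this forum. The
command on the page is `vssadmin.exe Delete Shadows /All /Quiet`; the
`wmic shadowcopy delete` and `vssadmin resize shadowstorage` rules generalise
beyond the page. The event list is constructed.
"""
import shlex
from typing import List, Optional, Sequence, Tuple

# Constructed events: (record id, command line) as logged by Sysmon event 1
# or Windows event 4688 with command-line auditing on.
SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"),
    (2, r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    (3, r"vssadmin list shadows"),
    (4, r"wmic.exe shadowcopy delete"),
    (5, r'"C:\Program Files\Backup\backup.exe" --rotate'),
    (6, r"VSSADMIN.EXE resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
]


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes.

    posix=False keeps backslashes literal (they are path separators, not
    escapes) and leaves the quotes on the token, which we then strip.
    """
    return [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]


def _basename(path: str) -> str:
    """Last path component, so C:\\Windows\\System32\\vssadmin.exe -> vssadmin.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def shadow_copy_tamper(cmdline: str) -> Optional[str]:
    """Return a rule name if the command line removes shadow copies, else None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    exe, args = _basename(toks[0]), toks[1:]
    if exe in ("vssadmin", "vssadmin.exe"):
        if args[:2] == ["delete", "shadows"]:
            return "vssadmin_delete_shadows"
        if args[:2] == ["resize", "shadowstorage"]:
            return "vssadmin_resize_shadowstorage"
    elif exe in ("wmic", "wmic.exe"):
        if "shadowcopy" in args and "delete" in args:
            return "wmic_shadowcopy_delete"
    return None


def scan_events(events: Sequence[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return (record id, rule) for each event that matches a rule."""
    hits = []
    for record_id, cmdline in events:
        rule = shadow_copy_tamper(cmdline)
        if rule:
            hits.append((record_id, rule))
    return hits


if __name__ == "__main__":
    for record_id, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {record_id}: {rule}")
```

Backup software and administrators do legitimately run vssadmin, so in practice you would key the alert on the parent process as well (a document reader or a freshly downloaded executable spawning vssadmin is the interesting case), but the command-line match is the part that has to be right first.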


#1370 AplusWebMaster (SWI Friend, 9,343 posts)

Posted 13 January 2015 - 09:19 AM

FYI...

Fake 'Nat West Secure Message' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Jan 2015 - "'You have a new Secure Message' pretending to come from NatWest <secure.message@ natwest .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 2313.


13 January 2015: SecureMessage.pdf.zip: Extracts to: SecureMessage.pdf.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1421155786/
___

Fake 'Tax return' SPAM
- http://blog.dynamoo....rsgov-your.html
13 Jan 2015 - "This -fake- tax return spam leads to malware:
    From: John Smith [mailto:john.smith@ mail-irs .gov]
    Sent: 13 January 2015 11:13
    Subject: Your tax return was incorrectly filled out
    Attention: Owner/ Manager
    We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
    Please follow the advice of our tax specialists HERE
    Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
    Yours sincerely


The link in the email has a format such as:
http ://marypageevans .com/taxadmin/get_doc.html
http ://laser-support .co.uk/taxadmin/get_doc.html
A journey through some heavily obfuscated javascript follows... which eventually leads to a download called message.zip which contains a malicious executable tax_guide_pdf.exe which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead. The .exe file has a VirusTotal detection rate of just 2/57* and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:
http ://202.153.35.133 :19639/1301us23/HOME/0/51-SP3/0/
http ://202.153.35.133 :19639/1301us23/HOME/1/0/0/
http ://dstkom .com/mandoc/lit23.pdf
http ://202.153.35.133 :19657/1301us23/HOME/41/7/4/
It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57**. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs .gov on your email gateway might help."
* https://www.virustot...sis/1421160583/

** https://www.virustot...sis/1421161232/

202.153.35.133: https://www.virustot...33/information/
___

University Employee Payroll SCAM
- https://www.ic3.gov/...5/150113-2.aspx
13 Jan 2015 - "University employees are receiving fraudulent e-mails indicating a change in their human resource status. The e-mail contains a link directing the employee to login to their human resources website to identify this change. The website provided appears very similar to the legitimate site in an effort to steal the employee’s credentials. Once the employee enters his/her login information, the scammer takes that information and signs into the employee’s official human resources account to change the employee’s direct deposit information. This redirects the employee’s paycheck to the bank account of another individual involved in the scam..."

- https://www.ic3.gov/...5/150113-1.aspx
"College -students- across the United States have been -targeted- to participate in work-from-home scams. Students have been receiving e-mails to their school accounts recruiting them for payroll and/or human resource positions with fictitious companies. The “position” simply requires the student to provide his/her bank account number to receive a deposit and then transfer a portion of the funds to another bank account. Unbeknownst to the student, the other account is involved in the scam that the student has now helped perpetrate. The funds the student receives and directs elsewhere have been stolen by cyber criminals. Participating in the scam is a crime and could lead to the student’s bank account being closed due to fraudulent activity or federal charges..."
___

Win7 - End of mainstream support
- http://windowssecret...for-its-demise/
Jan 8, 2015 - "... Most major Microsoft products have a formal life cycle that includes two key end-of-life dates. For Windows, those dates are listed on Microsoft’s “Windows lifecycle fact sheet” webpage.* The first date — End of mainstream support — effectively means that Microsoft will no longer offer free updates to the operating system. Once mainstream support ends for a specific version of Windows, it then enters its Extended support phase, during which Microsoft offers only essential fixes and security updates. (Companies can also pay for specific nonsecurity updates.) When an OS reaches its End of extended support milestone, all official support ends. Windows XP, as many Windows Secrets readers know, passed its “End of extended support” date on April 8, 2014. It has not had official updates of any kind since. (For more specifics on MS product life cycles, see the online “Microsoft support lifecycle policy FAQ.”) As noted in the “Windows lifecycle fact sheet,” Jan. 13 marks the end of mainstream support for all versions of Windows 7 SP1. What does that mean for the millions of us doing our daily computing on Win7 systems? Very soon, our operating systems will be essentially frozen — we’ll no longer receive any enhancements or nonessential fixes. We will, however, receive monthly security updates until Jan. 14, 2020, Win7’s official “End of extended support” date (at which point, Microsoft will want us on Windows 13 — or whatever it’s then called). Just as with XP this past April, Win7 systems should no longer receive updates of any kind after January 2020..."
* http://windows.micro...ndows/lifecycle

- http://www.theinquir...t-for-windows-7
Jan 13 2015
 



Edited by AplusWebMaster, 14 January 2015 - 03:37 AM.

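Added example (my own, not code from myonlinesecurity or this thread): the NatWest message above ships SecureMessage.pdf.zip, which extracts to SecureMessage.pdf.scr, relying on Explorer hiding the real extension; the same trick turns up again in the fake fax spam in the next post. Rather than depending on the "show known file extensions" setting on every desktop, the mail gateway or a triage script can look inside the zip. The Python below builds a constructed zip in memory (a stub with an "MZ" header standing in for the .scr, plus a harmless text file and an executable simply renamed to .pdf) and applies two independent checks to each entry: the final extension, and the leading bytes of the content. The second check is what catches a rename that the first one cannot.

```python
"""Detect executables disguised as documents inside a zip attachment.

Added example for the SWI thread; not code from myonlinesecurity. The zip is
constructed in memory with stub "MZ" payloads so the script runs offline; the
.pdf.scr name is the one from the NatWest spam above.
"""
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will execute when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi"}
# Extensions that make a name look like a harmless document or image.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def build_sample_zip() -> bytes:
    """Constructed attachment: a PE stub with a double extension, a benign
    text file, and a PE stub renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureMessage.pdf.scr", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"This is a plain text file.\n")
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def classify_name(name: str) -> List[str]:
    """Flag executable extensions, and the document.exe double-extension trick."""
    reasons: List[str] = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    if "." + parts[-1] in EXEC_EXTENSIONS:
        reasons.append("executable_extension")
        if len(parts) >= 3 and "." + parts[-2] in DOC_EXTENSIONS:
            reasons.append("double_extension")
    return reasons


def classify_content(head: bytes, name: str) -> List[str]:
    """Flag a PE header regardless of name, and a PE wearing a document extension."""
    reasons: List[str] = []
    if head[:2] == b"MZ":
        reasons.append("pe_header")
        if "." + name.lower().rsplit(".", 1)[-1] in DOC_EXTENSIONS:
            reasons.append("pe_with_document_extension")
    return reasons


def scan_zip(data: bytes) -> List[Tuple[str, List[str]]]:
    """Return (entry name, reasons) for every suspicious entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # only the header is needed for the check
            reasons = classify_name(info.filename) + classify_content(head, info.filename)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in scan_zip(build_sample_zip()):
        print(f"{entry}: {', '.join(reasons)}")
```

The extension lists are a starting point, not a complete catalogue; the content check is the one to keep even if you trim them, because it does not care what the attacker called the file.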


#1371 AplusWebMaster (SWI Friend, 9,343 posts)

Posted 14 January 2015 - 06:55 AM

FYI...

Fake 'Invoice' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
14 Jan 2015 - "'Les Mills Invoice' pretending to come from lmuk.accounts@ lesmills .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... As usual 2 slightly different -malware- versions. The email looks like:
    Dear Customer,
    Please find attached an invoice for Les Mills goods/services. Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
    If you have any queries please email lmuk.accounts@ lesmills .com or call 0207 264 0200 and select option 3 to speak to a member of the team.
    Best regards,
    Les Mills Finance Team


14 January 2015 : Les Mills SIV035931.doc - Current Virus total detections: 0/57* : 0/55**
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...96564/analysis/

** https://www.virustot...sis/1421225265/

- http://blog.dynamoo....ls-invoice.html
14 Jan 2015
"... Recommended blocklist:
59.148.196.153
74.208.11.204
81.27.38.97
okurimono.ina-ka .com
"
___

Fake 'SEPA' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
14 Jan 2015 - "'Senior Accounts Payable SEPA REMITTANCE ADVICE 2503.62 EUR 12 JAN 2014' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Good Afternoon
    Please see attached a copy of remittance advice for SEPA payment of 2503.62  EUR made on 12/01/2015
    Regards,
    Victoria Mack
    Senior Accounts Payable


14 January 2015 : SE827QR.doc - Current Virus total detections: 0/57*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1421236177/
___

Fake Fax SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Jan 2015 - "'Fax Received: Fax Server | 1/14/2015 8:21 AM' pretending to come from Nextiva vFax <notifications@ nextivafax .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     HI ...
    Delivery Information:
    Message #:         131177970
    Local Number:         4853872678
    Remote CSID:         Fax Server
    Total Pages:         2
    Transmit Time:         3 min 41.000 sec
    Click here to view this message ...
    Delivered by vFax…     “When Every Fax is Mission Critical”


14 January 2015: fax_message_01142015_784398443.pdf.zip (83kb): Extracts to: fax_message_01142015_784398443.pdf.scr - Current Virus total detections: 3/55*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1421251998/
___

Malware sites offering Oracle 'patches'
- https://blogs.oracle..._oracle_patches
Jan 14, 2015 - "It has come to our attention that there are non-Oracle sites offering Oracle 'fixes' for genuine Oracle error messages... If you do encounter one of these sites please inform us immediately via Communities* or create a SR and we will rectify the situation... Proactive Support are already investigating some known sites..."
* https://community.oracle.com/
___

Outlook Phish
- https://blog.malware...-outlook-phish/
Jan 14, 2015 - "... phish mail in circulation... for Outlook accounts. The email reads as follows:
Dear Microsoft User,
Please note we have temporary blocked your account from receiving e-mails, because we detected fraudulent and spam activities from your mail box to some blacklisted email address, So for your own safety verify your account.
If a verification respond is not gotten from you in the next 24 hours, we are sorry we will be forced to permanently disable and delete your account from Microsoft Account.
To verify your Microsoft account, Click Here
We regret Any inconvenience.
Thanks,
The Microsoft account team


Clicking the link in the email – sbmarticles(dot)com/Z-zone/SigrypAmt2nd(dot)htm*, which has already popped up on Phishtank – takes potential victims to a spot of data URI phishing**.
> https://blog.malware...sh1-300x186.jpg
Don’t be tricked into filling in login details via these types of attack – any email asking you to login or enter personal information (especially when warning you about account suspensions, unusual activity or any other form of shenanigans) should be treated with a generous helping of caution."
* 192.190.80.53: https://www.virustot...53/information/

** http://www.csoonline...e-accounts.html
 



Edited by AplusWebMaster, 14 January 2015 - 12:36 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1372 AplusWebMaster (SWI Friend, 9,343 posts)

Posted 15 January 2015 - 08:25 AM

FYI...

Fake 'invoice' SPAM - malware attached
- http://blog.dynamoo....ed-invoice.html
15 Jan 2015 - "This -fake- invoice has a malicious attachment. It does not come from Hexis UK Ltd; it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.
    From:    Invoice from Hexis [Invoice@ hexis .co.uk]
    Date:    15 January 2015 at 06:36
    Subject:    Invoice
    Sent 15 JAN 15 08:30
    HEXIS (UK) LIMITED
    7 Europa Way
    Britannia Park
    Lichfield
    Staffordshire
    WS14 9TZ
    Telephone 01543 411221
    Fax 01543 411246


Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in -two- different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros... which download a component from one of the following locations:
http ://dramakazuki.kesagiri .net/js/bin.exe
http ://cassiope .cz/js/bin.exe
This has a VirusTotal detection rate of 3/57*. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:
59.148.196.153
74.208.11.204
81.27.38.97

UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57**."
1] https://www.virustot...sis/1421314924/

2] https://www.virustot...sis/1421314937/

* https://www.virustot...sis/1421315774/

** https://www.virustot...sis/1421318457/


- http://myonlinesecur...rd-doc-malware/
15 Jan 2015
* https://www.virustot...sis/1421309107/

** https://www.virustot...sis/1421309412/
___

Fake 'Payment request' SPAM - malware attachments
- http://blog.dynamoo....-of-417694.html
15 Jan 2015 - "This -spam- comes with a malicious Word document attached:
    from:    Alan Case
    date:    15 January 2015 at 08:49
    subject:    Payment request of 4176.94 (14 JAN 2015)
    Dear Sirs,
    Sub: Remitance of GBP 4176.94
    This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
    For more information on our bank details please refer to the attached document.
    Thanking you,
    Alan Case Remittance Manager


Other names and job titles seen... The payment amount, name and job title change in each spam, as does the name of the attachment (although it follows the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3], which in turn contain a slightly different macro... which attempt to download another component from one of the following locations:
http ://95.163.121.71 :8080/mopsi/popsi.php
http ://95.163.121.72 :8080/mopsi/popsi.php
http ://136.243.237.204 :8080/mopsi/popsi.php
Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking. 136.243.237.204 is a Hetzner IP. The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57*. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP. The Malwr report is inconclusive, but this executable probably drops a Dridex DLL.
Recommended blocklist:
194.146.136.1
95.163.121.71
95.163.121.72
136.243.237.204

UPDATE: the following -are- Dridex C&C servers which you should also block:
80.237.255.196 "
1] https://www.virustot...sis/1421313787/

2] https://www.virustot...sis/1421313798/

3] https://www.virustot...sis/1421313810/

* https://www.virustot...sis/1421313825/


- http://myonlinesecur...rd-doc-malware/
15 Jan 2015
15 January 2015 : ADV0291LO.doc - Current Virus total detections: 3/55*
15 January 2015 : 57959SI.xls (35 kb) - Current Virus total detections: 3/57** | 3093720WF.xls (47 kb) - Current Virus total detections: 2/57***
* https://www.virustot...sis/1421309631/

** https://www.virustot...sis/1421316140/

*** https://www.virustot...sis/1421315881/
___

Fake 'open24 .ie important changes alert' SPAM – malware
- http://myonlinesecur...-alert-malware/
15 Jan 2015 - "'Some important changes to some services' (email alert) pretending to come from Open24 <inf01@ open24 .ie> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Fwd: Software Upgrade
    Dear
    Open24 Customer,
    We have now implemented a number of
    changes to our Internet  Banking service. This is to ensure the highest
    level of security of information passing between you and our server.
    To have access to this service, simply follow the button below and activate the service...
    Kind regards
    Open24
    This email is personal & confidential and is intended for the recipient only...


15 January 2015: open24changes.zip (523 kb) : Extracts to: Payment.scr
Current Virus total detections: 17/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1421332957/
___

Fake 'ADP Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Jan 2015 - "'ADP Invoice for week ending 01/11/2015' pretending to come from Johnny.West@ adp .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Your most recent ADP invoice is attached for your review.
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It comes from an unattended mailbox.


15 January 2015: invoice_418270412.pdf.zip (11kb): Extracts to: invoice_418270412.pdf.scr
Current Virus total detections: 5/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1421335768/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
174.120.16.66: https://www.virustot...66/information/
69.49.101.51: https://www.virustot...51/information/
___

Fake 'HSBC Payment Advice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Jan 2015 - "'Payment Advice – Advice Ref:[GB956959] / CHAPS credits' pretending to come from HSBC Advising Service [mailto:Bankline.Administrator@ nutwest .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link or open the attachment... The email looks like:
    Sir/Madam,
     Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
     Download link: <redacted>
     Yours faithfully,
    Global Payments and Cash Management
    HSBC ...


When you follow the... link you get a page looking like this, where depending on which browser you are using, you might get a direct download of the zip file containing the -malware- or you might get the message to follow the link... which will give you the malware:
Screenshot: http://myonlinesecur.../01/avralab.jpg
15 January 2015: doc974_pdf.zip (11kb) : Extracts to:   doc963_pdf.exe
Current Virus total detections: 4/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1421341083/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
66.147.240.173: https://www.virustot...73/information/
 



Edited by AplusWebMaster, 15 January 2015 - 05:10 PM.

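The blocklists quoted in this post can be turned into a detection over outbound connection logs. The block below is an added example, not code from the Dynamoo blog or from the forum poster: it takes the recommended IPs and the 95.163.64.0/18 range from the post above, while the log format and the log lines are constructed for the example.

```python
"""Match outbound connection logs against the C&C blocklists quoted above.

Added example; not code from the Dynamoo blog or the forum poster.  The
indicator list is copied from the recommended blocklists in this post,
plus the 95.163.64.0/18 range the post suggests considering.  The log
format and the log lines are constructed for the example.
"""
import ipaddress
import re

# Indicators from the blocklists quoted in this post.
BLOCKLIST = [
    "59.148.196.153",    # HKBN, Hong Kong (long-running Dridex C&C)
    "74.208.11.204",     # 1&1 Internet, US
    "81.27.38.97",
    "194.146.136.1",     # "Filipets Igor Victorovych", Ukraine
    "95.163.121.71",     # Digital Networks CJSC, Russia
    "95.163.121.72",
    "136.243.237.204",   # Hetzner
    "80.237.255.196",    # HostEurope, Germany
    "95.163.64.0/18",    # whole DINETHOSTING range, as the post suggests
]

# Constructed proxy-style format: "<timestamp> <client> <method> <dst_ip>:<port> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<path>\S+)$"
)


def compile_blocklist(entries):
    """Parse hosts and CIDR ranges; most specific entry first, so a /32 hit
    is reported in preference to the /18 that also covers it."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def match_indicator(dst, networks):
    """Return the blocklist entry (as a CIDR string) covering dst, or None."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def scan(lines, entries=BLOCKLIST):
    """Return (client, dst, port, indicator) for every line that hits the blocklist."""
    networks = compile_blocklist(entries)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        indicator = match_indicator(rec["dst"], networks)
        if indicator:
            hits.append((rec["client"], rec["dst"], rec["port"], indicator))
    return hits


# Constructed sample log: one host showing the POST-to-:8080 pattern the
# post describes, one inside the /18 range, one talking to an unrelated
# (documentation-range) address, and one malformed line.
SAMPLE_LOG = [
    "2015-01-15T09:12:01Z 10.0.0.23 POST 194.146.136.1:8080 /",
    "2015-01-15T09:12:05Z 10.0.0.23 GET 95.163.121.71:8080 /mopsi/popsi.php",
    "2015-01-15T09:13:00Z 10.0.0.40 GET 95.163.100.9:80 /index.html",
    "2015-01-15T09:14:00Z 10.0.0.41 GET 203.0.113.5:443 /",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, dst, port, indicator in scan(SAMPLE_LOG):
        print(f"{client} -> {dst}:{port} matches blocklist entry {indicator}")
```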


#1373 Sanesecurity (New Member, 1 post)

Posted 16 January 2015 - 03:55 AM

Fake UK Fuels velocitycardmanagement.com ebillinvoice.com malware are being spammed out,
attaching a macro-enabled word document.. more details on my Security blog here:
 
blogspot.co
 
Cheers,
 
Steve
Sanesecurity

EDIT: To remove links and info for blog - we do not allow personal advertising on this forum and consider it to be SPAM... Any further efforts to advertise your blog will result in being banned from the forum...


Edited by Budfred, 16 January 2015 - 07:14 AM.


#1374 AplusWebMaster (SWI Friend, 9,343 posts)

Posted 16 January 2015 - 06:45 AM

FYI...

Affordable Care Act Phishing Campaign
- https://www.us-cert....ishing-Campaign
Jan 15, 2015 - "US-CERT is aware of a phishing campaign purporting to come from a U.S. Federal Government Agency. The phishing emails reference the Affordable Care Act in the subject and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code. US-CERT encourages users to take the following measures to protect themselves:
- Do not follow links or download attachments in unsolicited email messages.
- Maintain up-to-date antivirus software.
- Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip* for additional information on social engineering attacks..."
* https://www.us-cert....s/tips/ST04-014
___

Fake 'voice mail' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Jan 2015 - "'You have received a voice mail' pretending to come from Microsoft Outlook Voicemail <no-reply@your own domain> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You received a voice mail : VOICE549-693-8777.wav (20 KB)
    Caller-Id: 549-693-8777
    Message-Id: 8X3NI1
    Email-Id: a.j.lefeber14d @ ...
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


They are not being sent by your own server or email server, but by one of the botnets...
16 January 2015: VOICE44982109219.zip (11kb) : Extracts to: VOICE44982109219.scr
Current Virus total detections: 4/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1421413445/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
192.185.16.192: https://www.virustot...92/information/
UDP communications
198.27.81.168: https://www.virustot...68/information/
192.95.17.62: https://www.virustot...62/information/
___

Adobe Phish back in-the-Wild
- https://blog.malware...ck-in-the-wild/
Jan 15, 2015 - "We recently found a -compromised- site serving what appears to be an Adobe phish. Like most phishing campaigns, this one may have originated from a spammed email. Although we do not have the actual sample of said email, it pays to be familiar with what the fraud page looks like and its content, too. Please direct your attention to the screenshot below:
> https://blog.malware.../00-default.png
We can deduce from the page’s content that the spam may have originated from a spoofed Adobe address, promising an important document the recipient has to see. In order to do so, they are then instructed to access their Adobe account by entering their email credentials, specifically for AOL, Gmail, Outlook, and Yahoo! The page also caters to credentials for other email providers. Visitors clicking either of the email service brands at the right side of the page changes the user entry fields at the left side to match with the look of the real thing... Some of us may quickly and easily identify that the whole thing is a phishing campaign, but some may also not realize this until it’s too late. Be extra careful when dealing with emails purporting to have come from Adobe... It also pays to remain informed and read Adobe’s page here* on how to avoid falling for phishing schemes."
* https://www.adobe.co...t-phishing.html
___

North Korean News Agency site serves File Infector
- http://blog.trendmic...-file-infector/
Jan 16, 2015 - "We were recently alerted to reports* claiming that the website of North Korea’s official news service, www.kcna .kp, had been delivering -malware- via embedded malicious code. One of the photo spreads on the website was found to contain malware that launched a watering hole attack on individuals who came to visit the website and its other pages. Below is an infection diagram for the malware associated with this attack:
> http://blog.trendmic...01/Diagram2.jpg
The mother file in this attack is detected as PE_WINDEX.A-O. As seen in the diagram above, the executable file mscaps.exe drops wtime32.dll, which contains the infection code and backdoor routine. Another executable file mscaps.exe injects code to explorer.exe to stay memory resident. As such, every time the affected system reboots, the malware runs on the system and begins its infection routine. Explorer.exe executes the infection code and targets .EXE files in drive types that are removable or shared, with drive letters traversed from A-Z. We observed that it skips fixed drives. Apart from explorer.exe, this file infector looks for the following processes where it injects its malicious code:
    iexplore.exe
    ieuser.exe
    firefox.exe
    chrome.exe
    msimn.exe
    msnmsgr.exe
    outlook.exe
    winmail.exe
    yahoomessenger.exe
    ftp.exe
The website contains an -infected- .ZIP file named FlashPlayer.zip. Our initial analysis shows that the outdated Flash Player installer drops the main file infector WdExt.exe, which we detect as PE_WINDEX.A-O. It copies and renames the file Ws2_32.dll, which is the file for the Windows Sockets API used by most Internet and network applications to handle network connections. PE_WINDEX.A-O also creates the file SP{random}.tmp, which contains system information that may be responsible for the malware’s information theft routines. It gathers data such as date and time, computer name, user name, OS information, MAC address, and more. The embedded malicious code runs on Internet Explorer version 11.0, Mozilla Firefox versions 10.0.9 and 36.0, Safari versions 7.0.3 and 4.0, Opera version 9.00 and 12.14, and Google Chrome 41.0.2228.0. The browsers we tested all displayed the code snippet that includes /download/FlashPlayer10.zip. Based on replicating the attack with an infected sample (calc.exe), we noticed that the file size is almost the same size as the mother file infector, PE_WINDEX.A-O. Additional analysis also shows that PE_WINDEX.A-O has developer metadata that lists its copyright as © Microsoft Corporation. All rights reserved, with its publisher listed as Microsoft Corporation. Its description and comments contain the text Windows Defender Extension, among other listed information. This may be a disguise for the malware so that users won’t be suspicious about the file..."
* http://arstechnica.c...rs-malware-too/
___

Google finally quashes month-Old Malvertising Campaign
- http://it.slashdot.o...tising-campaign
Jan 16, 2015 - "Since the middle of December, visitors to sites that run Google AdSense ads have intermittently found themselves -redirected- to other sites featuring spammy offerings for anti-aging and brain-enhancing products*. While webmasters who have managed to figure out which advertisers are responsible could quash the attacks on their AdSense consoles, only now has Google itself managed to track down the villains and -ban- them from the service."
* http://www.itworld.c...ing-attack.html
Jan 14, 2015
 



Edited by AplusWebMaster, 16 January 2015 - 09:39 AM.



#1375 AplusWebMaster (SWI Friend, 9,343 posts)

Posted 17 January 2015 - 11:42 AM

FYI...

iTunes invoice – phish
- http://myonlinesecur...x175t-phishing/
17 Jan 2015 - "'ITunes Your invoice #ID31WX175T' pretending to come from iTunes Store <do_not_reply@ btconnect .com> is one of the latest -phish- attempts to steal your Bank, credit card and personal details. This one is slightly different to usual ones in that it is designed to make you think that it is a mistake and that you need to enter all your bank/credit card details in order to -cancel- the transaction that you never made in the first place... persuading the recipient that somebody must have compromised their ITunes account and telling you to change all the details in it... not only would you lose a lot of money but could also end up losing a lot more. This one only wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well*...
* http://myonlinesecur...ghten-security/
looks at first glance like the genuine Itunes website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you fill in the html (webpage) form that comes attached to the email. If you open the attached html file you see a webpage looking like:
> http://myonlinesecur...onfirmation.png
When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
 





#1376 AplusWebMaster (SWI Friend, 9,343 posts)

Posted 19 January 2015 - 08:04 AM

FYI...

Fake 'order payment slip' SPAM - malware
- http://myonlinesecur...t-slip-malware/
19 Jan 2015 - "'RE: order payment slip' coming from info@ bukasonventure .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This is just to inform you that we have made the payment as Requested.
    We try to contact you about the payment we made here in our office, but because the payment was made on Friday evening before the bank closed, and our server was down,
    PLEASE REFER TO THE ATTACHMENT SLIP
    Best regards,
    Mr Pierre Jude Genaral Manager
    323 Collier Road, Bayswater WA 6053
    Phone: (1) 9379 0811
    Fax: (1) 9379 0822 ...


These actually look like they are coming from bukasonventure .com which is hosted in USA and was only registered on 15 January 2015. This might be a compromised server, have an open relay allowing the emails to be sent, or have been registered under a false set of details with the aim of sending malicious emails and spam. The more I look at this one, the more I am convinced the entire set up has been done with the aim of distributing malware. The domain was registered on 15 January 2015. The computer sending IP 120.140.55.192 is listed as Malaysia...
19 January 2015: order-slip.rar : Extracts to: order-slip.exe
Current Virus total detections: 23/56* ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1421652817/
___

Verizon vuln exposed email accounts - “zombie cookies”
- http://www.securityw...-email-accounts
Jan 19, 2015 - "... discovered the flaw while analyzing the Android app for Verizon’s fiber optic Internet, telephone and television service FiOS. While investigating the requests sent by the application, the expert noticed a username parameter called uid. By changing the value of this parameter with a different customer’s username, Westergren got the contents of the targeted user’s email account. The researcher* later determined that other API methods for this particular widget were affected as well. For example, by changing the values of the uid and mid parameters in a certain request, he could read individual emails. He even managed to send out an email on another user’s behalf by exploiting the vulnerability... The proof-of-concept was sent to Verizon’s security team on January 14. The telecoms giant -confirmed- the existence of the issue by the next day. The vulnerability was fixed on January 16. For responsibly disclosing the security hole, Westergren was rewarded with free FiOS Internet for one year... had been using so-called “zombie cookies” to track subscribers even if they had used private browsing, cleared their cookies, or if they had opted out. The existence of Verizon’s controversial system came to light last year, but the company -denied- using the tracking method in its own business model. After being exposed... announced on Friday that it will suspend its “zombie cookies” program..."
* http://randywestergr...email-accounts/
___

LockHeedMartin Fax Spam
- http://threattrack.t...martin-fax-spam
Jan 19, 2015 - "Subjects Seen:
     [Lockheed Martin UK Ltd Integrated Systems] New fax message - LFQ.71021C670.3249
Typical e-mail details:
    FAX: +07755-090107
    Date: 2015.01.18 17:33:18 CST
    Pages: 4
    Reference number: LFQ.71021C670.3249
    Filename: curbed.zip
    —
    Lockheed Martin UK Ltd Integrated Systems Michaele Vivas


Malicious URLs:
    breteau-photographe .com/tmp/pack.tar.gz
    voigt-its .de/fit/pack.tar.gz
    maisondessources .com/assets/pack.tar.gz
    pleiade.asso .fr/piwigotest/pack.tar.gz
    scolapedia .org/histoiredesarts/pack.tar.gz
Malicious File Name and MD5:
    curbed .scr (BDFE7EB4A421B9A989C85BFFF7BACE2C)
    1715030703 .exe (4ebd076047a04290f23f02d6ecd16fee)


Screenshot: https://gs1.wac.edge...QaEr1r6pupn.png

Tagged: LockHeedMartin, Citroni, dalexis
___

Fake 'Natwest' SPAM - leads to malware
- http://blog.dynamoo....am-natwest.html
19 Jan 2015 - "This spam claiming to be from NatWest bank (or is it nEtwest?) leads to malware.
    From:    NatWest [donotreply@ netwest .uk]
    Date:    19 January 2015 at 14:02
    Subject:    Important - Please complete attached form ...
    Dear Customer
    Please find below your Banking Form for Bankline.
    <URL redacted>
    Please complete Bankline Banking Form :
    - Your Customer Id and User Id - which are available from your administrator if you have not already received them
    Additionally, if you wish to access Bankline training, simply follow the link below
    <URL redacted>
    If you have any queries or concerns, please telephone your Electronic Banking Help Desk.
    National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.
    Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority...


In this case the link in the email goes to www.ipawclp .com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document .html where it hits a couple of scripts at:
http ://restaurantratiobeach .ro/js/jquery-1.39.15.js
http ://utokatalin .ro/js/jquery-1.39.15.js
In turn, that leads to a ZIP file download which contains an EXE file which is slightly different each time it downloads, with low detection rates in all cases [1] [2] [3]. The name of the ZIP file and EXE varies, but is in the format doc12345.exe and doc54321.zip. Of note is a sort-of-informational screen on the download page:
> https://2.bp.blogspo...ake-natwest.png
Automated analysis is presently inconclusive...
UPDATE:
@snxperxero suggests blocking the following sites:
202.153.35.133
loveshopclothing .com
credit490 .com
"
1] https://www.virustot...sis/1421678510/

2] https://www.virustot...sis/1421678516/

3] https://www.virustot...sis/1421678522/
___

Fake 'Insurance Inspection' SPAM - doc malware
- http://blog.dynamoo....gesfmgcouk.html
19 Jan 2015 - "This spam does -not- come from FMG Support Group Ltd, but instead it is a forgery. FMG are -not- sending out the spam, nor have their systems been compromised in any way. Instead, this spam has a malicious Word document attached.
    From:    repairermessages@ fmg .co.uk
    Date:    19 January 2015 at 07:24
    Subject:    Insurance Inspection Arranged AIG02377973
    FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.
    Have you been impressed by one of our people?
    If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@fmg.co.uk
    FMG Support Group Ltd. Registered in England. No. 06489429.
    Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.
    Tel: 0844 243 8888 ...


Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least -two- different versions, neither of which are detected by AV vendors [1] [2]. These documents contain -two- slightly different malicious macros... which attempt to download a further component from:
http ://chilan .ca/js/bin.exe
http ://techno-kar .ru/js/bin.exe
This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57*. The Malwr report shows it attempting to communicate with the following IPs:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These two IP addresses have been used by this -malware- for a long time; I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53**."
1] https://www.virustot...sis/1421656771/

2] https://www.virustot...sis/1421657737/
___

Fake '19TH JANUARY 2015.doc' SPAM - doc malware
- http://blog.dynamoo....aci-wilson.html
19 Jan 2015 - "This rather terse spam does -not- actually come from Davies Crane Hire, but it is a -forgery- with a malicious Word document attached. Davies Crane Hire have not been hacked or compromised, and they are -not- sending out this spam.
    From:    Traci Wilson [t.wilson@ daviescranehire .co.uk]
    Date:    19 January 2015 at 09:05
    Subject:    19TH JANUARY 2015.doc

 

There is -no- body text, just an attachment called 19TH JANUARY 2015.doc which contains a malicious macro.
The documents in use and the payload are identical to this spam run* that preceded it. At the moment, everything has a very low detection rate. The payload is the Dridex banking trojan."
* http://blog.dynamoo....gesfmgcouk.html

- http://myonlinesecur...rd-doc-malware/
19 Jan 2015
___

Fake 'tax refund' Phish...
- http://myonlinesecur...yment-phishing/
19 Jan 2015 - "'HM Revenue and Customs – You have received a tax refund payment !' is an email pretending to come from HM Revenue & Customs <tax@ hmrc .gov .uk> . One of the major common subjects in a phishing attempt is -Tax returns- where especially in the UK, you need to submit your Tax Return online before 31st December each year. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... If you follow the link you see a webpage looking like this where they want your email address and name:
> http://myonlinesecur...HMRC_phish1.png
They then pretend to do a search  based on your name and email. Then you get sent on to the nitty gritty where they want -all- your banking and credit information:
> http://myonlinesecur...HMRC_phish2.png
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 



Edited by AplusWebMaster, 19 January 2015 - 03:52 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1377 AplusWebMaster


Posted 20 January 2015 - 07:36 AM

FYI...

Fake 'Proforma Invoice' SPAM - macro malware
- http://blog.dynamoo....tzbigkcouk.html
20 Jan 2015 - "This -fake- invoice leads to malware. It is not being sent by Big K Products UK Ltd, their systems have not been hacked or compromised. Instead, the email is a -forgery- designed to get you to click the malicious attachment.
    From:    Monika [monika.goetz@ bigk .co.uk]
    Date:    20 January 2015 at 07:18
    Subject:    Proforma Invoice
    Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.
    Kind regards,
    Monika Goetz
    Sales & Marketing Co-ordinator


The document attached is Proforma.doc which is currently undetected by AV vendors. It contains a malicious macro... which attempts to download a binary from:
http ://solutronixfze .com/js/bin.exe
..which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56* and the Malwr report shows it attempting to phone home to:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These IPs have been used many times in similar recent attacks and I recommend you block them. It also drops a DLL with a VirusTotal detection rate of 2/57**. The payload appears to be the Dridex banking trojan. See also this post*** about a related spam run also in progress this morning."
* https://www.virustot...sis/1421744001/

** https://www.virustot...sis/1421744963/

*** http://blog.dynamoo....comes-with.html

- http://myonlinesecur...rd-doc-malware/
20 Jan 2015
Screenshot: http://myonlinesecur...rma-invoice.png

> https://www.virustot...fcfbb/analysis/
___

Fake 'Barclays Online Bank [security-update]' SPAM
- http://blog.dynamoo....ant-update.html
20 Jan 2015 - "This -fake- Barclays spam leads to malware.
    From:    Barclays Online Bank [security-update@ barclays .com]
    Date:    20 January 2015 at 14:41
    Subject:    Barclays - Important Update, read carefully!
    Dear Customer,
    Protecting the privacy of your online banking access and personal information are our primary concern.
    During the last complains because of online fraud we were forced to upgrade our security measures.
    We believe that Invention of security measures is the best way to beat online fraud.
    Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.
    For security reasons we downloaded the Update Form to security Barclays webserver.
    You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.
    - Please download and complete the form with the requested details: <URL redacted>
- Fill in all required fields with your accurately details (otherwise will lead to service suspension)
Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.
Thank you for your patience as we work together to protect your account.
Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.
Sincerely,
Barclays Online Bank Customer Service
We apologize for any inconvenience this may have caused...


The link in the email varies, some other examples seen are:
http ://nrjchat .org/ONLINE~IMPORTANT-UPDATE/last-update.html
http ://utokatalin .ro/ONLINE-BANKING_IMPORTANT/update.html
http ://cab .gov .ph/ONLINE-IMPORTANT~UPDATE/last~update.html
Visiting these sites goes through some javascript hoops, and then leads to a ZIP file download which contains a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.
The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].
The Malwr report shows traffic to the following URLs:
http ://202.153.35.133 :33384/2001uk11/HOME/0/51-SP3/0/
http ://202.153.35.133 :33384/2001uk11/HOME/1/0/0/
http ://clicherfort .com/mandoc/eula012.pdf
http ://202.153.35.133 :33387/2001uk11/HOME/41/7/4/
http ://essextwp .org/mandoc/ml1from1.tar
Out of these 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe which has a VirusTotal detection rate of just 3/57* and is identified as Dyreza.C by Norman anti-virus."
1] https://www.virustot...sis/1421768747/

2] https://www.virustot...sis/1421768757/

3] https://www.virustot...sis/1421768766/

* https://www.virustot...sis/1421770305/

202.153.35.133: https://www.virustot...33/information/

- http://myonlinesecur...-pdf-malware-2/
20 Jan 2015
* https://www.virustot...sis/1421769761/

- http://threattrack.t...ant-update-spam
Jan 20, 2015
Tagged: Barclays, Upatre
___

Fake 'Delivery Confirmation' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
20 Jan 2015 - "'mereway kitchens Delivery Confirmation' pretending to come from mereway kitchens <sales.north@ mereway .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... 2 versions of this spreading today. In one version once again the body of the email is completely -blank- ... and the malware is the same as today’s version of Proforma Invoice Monika big K – Word doc malware*. The second version also having the same malware just simply says 'Delivery Confirmation'..."
* http://myonlinesecur...rd-doc-malware/

- http://blog.dynamoo....comes-with.html
20 Jan 2015
1] https://www.virustot...sis/1421745692/

2] https://www.virustot...sis/1421746148/
___

Fake 'Undefined transactions' SPAM - macro malware
- http://blog.dynamoo....ansactions.html
20 Jan 2015 - "This spam comes in a few different variants, however the body text always seems to be the same:
    From:    Joyce Mills
    Date:    20 January 2015 at 10:30
    Subject:    Undefined transactions (need assistance) Ref:1647827ZM
    Good morning
    I have recently found several payments on statement with the incorrect reference. Amounts appear to be from your company, could you please confirm these payments are yours and were made from your company's bank account. If no then please reply me as soon as possible. Thanks.
    P.S. Undefined transactions are included in the attached DOC.
    Regards,
    Joyce Mills
    Senior Accounts Payable
    PAYPOINT


The reference number is randomly generated and changes in each case, attached is a malicious Word document also containing the same reference number (e.g. 1647827ZM.doc). Also the name in the "From" field is consistent with the name on the bottom of the email, although this too seems randomly generated... I have seen two different variants of Word document in circulation, both undetected by AV vendors [1] [2] and each one contains a slightly different malicious macro... which attempt to download from the following locations:
http ://189.79.63.16 :8080/koh/mui.php
http ://203.155.18.87 :8080/koh/mui.php
This file is downloaded as 20.exe and is then copied to %TEMP%\324234234.exe. It has a VirusTotal detection rate of 2/57*. That report indicates that it attempts to phone home to:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP is commonly used in this type of attack; I would strongly recommend you block it. The Malwr report shows that this drops a Dridex DLL with a VirusTotal detection rate of 2/57**, which is the same DLL as seen earlier today***."
1] https://www.virustot...sis/1421750540/

2] https://www.virustot...sis/1421750559/

* https://www.virustot...sis/1421750847/

** https://www.virustot...sis/1421752892/

*** http://blog.dynamoo....tzbigkcouk.html


- http://myonlinesecur...rd-doc-malware/
20 Jan 2015
* https://www.virustot...sis/1421749886/
___

Fake 'IRS' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
20 Jan 2015 - "'Complaint against your company' pretending to come from Internal Revenue Service  <complaints@irs.gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
    Dear business owner,
    A criminal complaint has been filled against your company.
    Your company is being accused of trying to commit tax evasion schemes.
    The full text of the complaint file ( .DOC type ) can be viewed in your
    Microsoft Word, complaint is attached.
    AN official response from your part is required, in order to take further
    action.
    Please review the charges brought forward in the complaint file, and
    contact us as soon as possible by :
    Telephone Assistance for Businesses: Toll-Free, 1-800-829-4933
    Email: complaints@ irs .gov
    Thank you,
    Internal Revenue Service Fraud Prevention Department


20 January 2015 : complaint20150119.doc - Current Virus total detections: 22/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1421772306/
___

Fake 'Bank of Canada' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Jan 2015 - "'National Bank of Canada Notice of payment pretending to come from sac.sbi@ sibn .bnc .ca  with  a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You can view and print the notice of payment using the Netscape or
    Microsoft Explorer browsers, versions 6.2 and 5.5.  You can export and store the
    notice of payment data in your spreadsheet by choosing the attached file in
    pdf format “.pdf”.
    If you have received this document by mistake, please advise us immediately
    and return it to us at the following E-mail address:
    “sac.sbi@ sibn .bnc .ca”.
    Thank you.
    National Bank of Canada
    600 de La Gauchetire West, 13th Floor
    Montreal, Quebec H3B 4L2 ...


20 January 2015: payment_notice.zip: Extracts to: payment_notice.scr
Current Virus total detections: 13/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1421783533/
 



Edited by AplusWebMaster, 20 January 2015 - 10:59 PM.



#1378 AplusWebMaster


Posted 21 January 2015 - 08:16 AM

FYI...

Fake 'Open24 Service update' Phish ...
- http://myonlinesecur...pdate-phishing/
21 Jan 2015 - "'Open24 Permanent TSB Service update' pretending to come from Open24 <serviceupdates@ gol .net .gy> is one of the latest -phish- attempts to steal your Open24.ie ( Permanent TSB) Bank, credit card and personal details. This one only wants your personal details, your credit card and bank details... -don’t- click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine bank website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email:

Fwd: Software Upgrade
Dear Open24 Customer,
In order to help us protect our main line of defense against intruders; you will need to update your account through our secured server, in line to safe internet banking regulatory Requirements.
To proceed, simply follow the link below:
service_update
Kind regards
Open24


> Screenshot: http://myonlinesecur...en24_phish1.png
When you fill in your user name and password you get sent on to a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format then you are sent to the genuine open24.ie ( permanent TSB ) bank site:
> http://myonlinesecur...h2-1024x659.png
All of these emails use Social engineering tricks to persuade you to open the attachments (or click-the-link) that come with the email..."
___

Fake inTuit QuickBooks Phish
- https://security.int...alert.php?a=119
1/19/2015 - "People are receiving -fake- emails with the title "Profile Update". These mails are coming from turbotax_infoo01@ grr .la, which is -not- a legitimate email address. Below is a copy of the email people are receiving:
> https://security.int...updatephish.jpg

This is the end of the -fake- email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Do not forward the email to anyone else.
- Delete the email."
___

Flash 0-Day Exploit used by Angler Exploit Kit
- https://isc.sans.edu...l?storyid=19213
2015-01-21 - "The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly. However, the blog post below* shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable... typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly..."
* http://malware.dontn...y-in-flash.html
2015-01-21 - "... Angler EK exploiting last version (16.0.0.257) of Flash..."
Update: "... tested it against the free version of Malwarebytes Anti Exploit* (a product from one of my customers). That stopped it. Well done!..."
* https://www.malwareb...rg/antiexploit/

- http://blog.trendmic...h-new-zero-day/
Jan 22, 2015 - "... Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat..."
Geographic distribution of users affected by Angler
> http://blog.trendmic...y-Angler-01.jpg
 



Edited by AplusWebMaster, 22 January 2015 - 09:42 AM.



#1379 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,343 posts

Posted 22 January 2015 - 09:08 AM

FYI...

Fake 'HMRC Application' SPAM – PDF malware
- http://myonlinesecur...-pdf-malware-2/
22 Jan 2015 - "'HMRC Application – [ your domain name]'  pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This template was used in a malware run back in July 2014 and gets periodically reused HMRC Application – fake PDF malware*...
* http://myonlinesecur...ke-pdf-malware/
The email looks like:
    Please print this information, sign and send to application@ hmrc .gov .uk.
    Date Created:     22 January 2015
    Business name:   ...
    Acknowledgement reference: 3213476
    VAT Registration Number is 3213476.
    Repayment of Input Tax
    Before the business starts to make taxable supplies they may provisionally claim repayment of VAT they are charged as input tax. The general rules about VAT, including Input Tax, Partial Exemption, are explained in VAT Notices 700 and 706, available on the HMRC website
    Repayment of VAT as input tax is subject to the condition, provided for by the Value Added Tax Act 1994, Section 25(6), that HMRC may require them to refund some or all of the input tax they have claimed, if they do not make taxable supplies by way of business, or the input tax they claimed prior to a period in which they make taxable supplies in the course of business does not relate to the taxable supplies they make.
    Change of Circumstances
    If your client no longer intends to make taxable supplies, or there is any other change of circumstances affecting their VAT registration (including any delay in starting to make taxable supplies), they must notify HMRC within 30 days of the change.
    If the application included an enquiry about:
    the Flat Rate Scheme
    the Annual Accounting Scheme
    an Economic Operator Registration and Identification (EORI) number
    HMRC will send your client more information about this separately
    What next?
    Your client will receive their Certificate of Registration (VAT4) in the post in due course.
    Your client can find general information about VAT and a guide to record keeping requirements by following one of the links below...


22 January 2015: Application_3213476.zip (15 kb): Extracts to: Application_891724.pdf.exe
Current Virus total detections: 2/56** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
** https://www.virustot...sis/1421924288/
___

Fake 'Tesco Bank Fix' – Phish ...
- http://myonlinesecur...count-phishing/
22 Jan 2015 - "'Tesco Bank Fix The Error On Your Account' pretending to come from Tesco .com <info@ thf .com> warning of errors on your account is one of the latest phish attempts to steal your Tesco bank Account and your other personal details. This one wants your personal details, Tesco log in details and your credit card and bank details... -don’t- click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you to fill in the html ( webpage) form that comes attached to the email:
    Dear Customer:
    You have an incoming payment slated for your account. This transaction cannot be
    completed due to errors present in your account information.
    You are required to click on the Logon below to fix this problem immediately.
    LOG ON
    Please do not reply to this message. For questions, please call Customer Service at the
    number on the back of your card. We are available 24 hours a day, 7 days a week.
    Regards,
    Tesco Personal Finance.


If you follow the link you see a webpage looking like:
> http://myonlinesecur...s1-1024x606.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecur...o_vouchers2.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur...o_vouchers3.jpg
Then they send you to this page  and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecur...o_vouchers4.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fake (more) MyFax malware SPAM
- http://blog.dynamoo....lware-spam.html
22 Jan 2015 - "There's another batch of "MyFax" spam going around at the moment, for example:
    From:    MyFax [no-replay@ my-fax .com]
    Date:    22 January 2015 at 15:08
    Subject:    Fax #4356342
    Fax message
    http ://[redacted]/.-NEW_RECEIVED.FAX/fax.html
    Sent date: Thu, 22 Jan 2015 15:08:30 +0000


Clicking the link [don't] leads to a page like this:
> http://1.bp.blogspot...1600/upatre.png
The download leads to an EXE-in-ZIP download which is a little different every time [1] [2] [3] [virustotal]. Detection rates are around 6/55.
The Malwr report shows communication with the following URLs:
http ://202.153.35.133 :51025/2201us22/HOME/0/51-SP3/0/
http ://202.153.35.133 :51025/2201us22/HOME/1/0/0/
http ://when-to-change-oil .com/mandoc/story_su22.pdf
http ://202.153.35.133 :51014/2201us22/HOME/41/7/4/
Of these 202.153.35.133 is the essential one to -block- traffic to, belonging to Excell Media Pvt Ltd in India. A file axybT95.exe is also dropped according to the report, which has a detection rate of 7/48*.
I haven't seen a huge number of these, the format of the URLs looks something like this:
http ://[redacted]/.-NEW_RECEIVED.FAX/fax.html
http ://[redacted]/NEW_FAX-MESSAGES/fax.letter.html
http ://[redacted]/_~NEW.FAX.MESSAGES/incoming.html "
1] https://www.virustot...sis/1421943275/

2] https://www.virustot...sis/1421943304/

3] https://www.virustot...sis/1421943319/

* https://www.virustot...sis/1421944232/

- http://myonlinesecur...ke-pdf-malware/
22 Jan 2015
* https://www.virustot...sis/1421940393/
___

Fake 'voice mail' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Jan 2015 - "'You have received a voice mail' pretending to come from Voice Mail <no-reply@ voicemail-delivery .com> with  a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You received a voice mail : VOICE 837-676-8958.wav (29 KB)
    Caller-Id: 837-676-8958
    Message-Id: KIUB4Y
    Email-Id: [redacted]
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


22 January 2015 : VOICE837-676-8958.zip (209 kb): Extracts to: VOICE8419-283-481.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1421943742/
0003_.b64.zip-1.exe
 



Edited by AplusWebMaster, 22 January 2015 - 01:17 PM.


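The "spoofed icon" trick described in the HMRC and voice-mail posts above (an executable named Application_891724.pdf.exe or payment_notice.scr that Explorer shows as a PDF once known extensions are hidden) can be caught at the mail gateway before a user ever sees the icon. The Python below is an added example, not code from myonlinesecurity.co.uk or any of the quoted blogs; the ZIP samples are constructed in memory using the attachment names reported on this page, and the executable-extension list is an assumption, not something the page states.

```python
import io
import zipfile

# File types Windows will execute when double-clicked (the "real" type behind
# the spoofed PDF icon in the reports above). Assumed list, not from the page.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "msi"}
# Document-looking extensions the campaigns put in front of the real one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "wav"}


def classify_member(name, head):
    """Classify one archive member from its name and its first few bytes.

    'displayed_as' is what Explorer shows when "Hide extensions for known
    file types" is on: Application_891724.pdf.exe becomes
    Application_891724.pdf, and payment_notice.scr becomes payment_notice.
    """
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    executable = ext in EXECUTABLE_EXTS
    double_ext = executable and len(parts) > 2 and parts[-2] in DECOY_EXTS
    # A PE file starts with the "MZ" DOS header whatever its extension says.
    pe_magic = head[:2] == b"MZ"
    displayed = base[:-(len(ext) + 1)] if ext else base
    return {
        "name": base,
        "executable": executable,
        "double_extension": double_ext,
        "pe_magic": pe_magic,
        "displayed_as": displayed,
    }


def scan_zip(data):
    """Return a classification for every file inside a ZIP attachment."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            results.append(classify_member(info.filename, head))
    return results


def is_suspicious(data):
    """True if any member is executable by extension or by PE header."""
    return any(m["executable"] or m["pe_magic"] for m in scan_zip(data))


def build_zip(members):
    """Build a ZIP in memory from {name: bytes}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples using the attachment names reported on this page.
# The contents are placeholders (a bare "MZ" header), not the real malware.
SAMPLES = {
    "payment_notice.zip": build_zip({"payment_notice.scr": b"MZ\x90\x00"}),
    "Application_3213476.zip": build_zip(
        {"Application_891724.pdf.exe": b"MZ\x90\x00"}),
    # Executable content hiding behind a plain .pdf name (hypothetical case)
    "masked.zip": build_zip({"invoice.pdf": b"MZ\x90\x00"}),
    "genuine_report.zip": build_zip({"report.pdf": b"%PDF-1.4\n"}),
}

if __name__ == "__main__":
    for attachment, data in SAMPLES.items():
        verdict = "BLOCK" if is_suspicious(data) else "allow"
        for m in scan_zip(data):
            print(f"{attachment}: {m['name']} shown as '{m['displayed_as']}'"
                  f" -> {verdict}")
```

The header check matters because renaming the member inside the ZIP defeats an extension-only rule; checking both the displayed name and the first bytes covers the .scr, the .pdf.exe and the mis-named cases in one pass.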

#1380 AplusWebMaster


Posted 23 January 2015 - 08:10 AM

FYI...

Fake 'tax return incorrect' SPAM - doc malware
- http://blog.dynamoo....ment-issue.html
23 Jan 2015 - "This tax-themed spam has a malicious Word document attached. It appears to come in several variants, for example:
    From:    Quinton
    Date:    23 January 2015 at 08:18
    Subject:    2014 Tax payment issue
    According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).
    Regards
    Quinton
    Tax Inspector

    From:    Tara Morris
    Date:    23 January 2015 at 09:28
    Subject:    Your tax return was incorrectly filled out
    Attention: Accountant
    This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
    In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).


Attached is a Word document with a random name, but always starting with "TAX_". Examples include:
TAX_42592OE.doc
TAX_381694AI.doc
TAX_59582FZ.doc
There are two different variants of this Word document that I have seen so far, neither of which is detected by AV vendors [1] [2], containing one of two malicious macros... that download a file 20.exe from the following URLs:
http ://37.139.47.221 :8080/koh/mui.php
http ://95.163.121.82 :8080/koh/mui.php
This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive, other analysis is pending."
1] https://www.virustot...sis/1422005666/

2] https://www.virustot...sis/1422005678/

37.139.47.221: https://www.virustot...21/information/

95.163.121.82: https://www.virustot...82/information/


- http://myonlinesecur...rd-doc-malware/
23 Jan 2015
> https://www.virustot...sis/1422004558/
TAX_38156WHH.doc
> https://www.virustot...sis/1422007893/
23.01.15_3406ICZ.xls
___

Fake 'Danske Bank' SPAM – PDF malware
- http://myonlinesecur...-pdf-malware-2/
23 Jan 2015 - "'Danske Bank – Potentially fraudulent transaction' pretending to come from Dee Hicks – Danske Bank <Dee.Hicks@ danskebank .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We are contacting you regarding a potentially fraudulent transaction on your account.
    Please check attached file for more information about this specific transaction.
    Dee Hicks
    Senior Account Executive
    Danske Bank
    Dee.Hicks@ danskebank .com
    Tel. +45 33 44 46 77
     CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed...


23 January 2015 : bank_notice2301.zip (12kb): Extracts to: bank_notice2301.scr
Current Virus total detections: 8/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422012240/
___

Fake 'IRS Activity' SPAM - malware
- http://blog.dynamoo....ity-531065.html
23 Jan 2015 - "This fake IRS spam actually does use the irsuk .co domain to host malware.
    From:    IRS [support@ irsuk .co]
    Date:    23 January 2015 at 11:46
    Subject:    IRS Fiscal Activity 531065
    Hello, [redacted].
    We notify you that last year, according to the estimates of tax taxation,
    we had a shortage of means.
    We ask you to install the special program with new digital certificates,
    what to eliminate an error.
    To install the program go to the link <redacted>
    Thanks
    Intrenal Revenue Sevrice...


The ZIP file contains a malicious executable SetupIRS2015.exe which has a VirusTotal detection rate of 8/53*. The irsuk .co site is hosted on 89.108.88.9 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux .com (78.24.219.6 - TheFirst-RU, Russia)... A look at 89.108.88.9 shows there is only one active website on that IP address (irsuk .co), but the host on the IP identifies itself as ukirsgov .com which is a domain created on the same day (2015-01-19) but has been -suspended- due to invalid WHOIS details (somebody at csc .com), which was hosted on a Bosnian IP of 109.105.193.99 (Team Consulting d.o.o.). That IP is identified as malicious by VirusTotal with a number of bad domains and binaries**. The malware POSTs to garbux .com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF. Overall, automated analysis tools are not very clear about what this malware does... although you can guarantee it is nothing good.
Recommended blocklist:
89.108.88.9
78.24.219.6
109.105.193.99
irsuk .co
garbux .com
ukirsgov .com
updateimage .ru
getimgdcenter .ru
agensiaentrate .it
freeimagehost .ru
"
* https://www.virustot...sis/1422014166/

** 109.105.193.99: https://www.virustot...99/information/
___

Fake AMEX SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Jan 2015 - "'Your Message is Ready' pretending to come from American Express <secure.message@ americanexpresss .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and download the malware zip...

Screenshot: http://myonlinesecur...ge-is-ready.png

When you follow the link you get a page saying "Get file. Your download will start in 5 seconds..." ... which then counts down to zero. You might get the -malware- automatically downloaded or you might have to click-the-direct-link [don't].
23 January 2015: bankline_document_pdf57331.zip  (12 kb): Extracts to:  bankline_document_pdf34929.exe
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422025963/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
192.163.217.66: https://www.virustot...66/information/
___

Fake 'BankLine secure message' SPAM - malware
- http://blog.dynamoo....ceived-new.html
23 Jan 2015 - "... these RBS BankLine spam messages are a popular mechanism for the bad guys to spread malware.
    From:    Bankline [secure.message@ rbs .com .uk]
    Date:    23 January 2015 at 12:43
    Subject:    You have received a new secure message from BankLine
    You have received a secure message.
    Read your secure message by following the link bellow:
    <redacted>
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly...


The link in the email seems to be somewhat dynamic... The landing page looks like this:
> http://4.bp.blogspot...00/fake-rbs.jpg
The link on that landing page goes to http ://animation-1 .com/js/jquery-1.41.15.js?get_message which downloads a ZIP file called Bankline_document_pdf71274.zip (or something similar) containing an executable file named something like Bankline_document_pdf24372.exe. The numbers change in each case, and indeed the executable changes slightly every time it is downloaded. The ThreatExpert report shows that it attempts to communicate with the well-known-bad-IP of 202.153.35.133 (Excell Media Pvt Ltd, India) which is associated with the Dyre banking trojan."

202.153.35.133: https://www.virustot...33/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 23 January 2015 - 12:25 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1381 AplusWebMaster


Posted 26 January 2015 - 09:45 AM

FYI...

Fake 'HP Scanned Image' SPAM - malware
- http://blog.dynamoo....ce-scanned.html
26 Jan 2015 - "This spam comes with a malicious attachment:
    From:    HP Digital Device [HP_Printer@ victimdomain .com]
    Date:    26 January 2015 at 13:04
    Subject:    Scanned Image
    Please open the attached document.
    This document was digitally sent to you using an HP Digital Sending device...
    This email has been scanned for viruses and spam...


Attached is a file ScannedImage.zip which contains a malicious executable ScannedImage.scr which has a VirusTotal detection rate of 5/56*..."
* https://www.virustot...sis/1422279206/

- http://myonlinesecur...ke-pdf-malware/
26 Jan 2015
> https://www.virustot...sis/1422279206/
___

Fake 'Berendsen Invoice' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
26 Jan 2015 - "'Berendsen UK Ltd Invoice 60020918 117' pretending to come from donotreply@berendsen.co.uk with -a malicious word doc attachment- is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
        Dear Sir/Madam, Please find attached your invoice dated 1st January. All queries should be directed to your branch that provides the service. This detail can be found on your invoice. Thank you...

26 January 2015: IRN001526_60020918_I_01_01.DOC (39 kb)
Current Virus total detections: 0/55* | IRN001526_60020918_I_01_01.DOC (34kb) 0/56**
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1422258625/

** https://www.virustot...sis/1422258320/

- http://blog.dynamoo....td-invoice.html
26 Jan 2015
> https://www.virustot...sis/1422262884/

- http://blog.mxlab.eu...ord-attachment/
Jan 26, 2015
> https://www.virustot...sis/1422262884/
___

Fake 'CardsOnLine natwesti' SPAM
- http://blog.dynamoo....atwesticom.html
26 Jan 2015 - "This -fake- NatWest email leads to malware:
    From:    CardsOnLine [CardsOnLine@ natwesti .com]
    Date:    26 January 2015 at 13:06
    Subject:    Cards OnLine E-Statement E-Mail Notification
    Body:
    Dear Customer
    Your July 30, 2014 E-Statement for account number xxxxxxxxxxxx6956 from Cards OnLine is now available.
    For more information please check link: <redacted>
    Thank you
    Cards OnLine


    ... Users have recently been targeted through -bogus- E-Mails by fraudsters claiming to be from their bank. These E-Mails ask customers to provide their internet banking security details in order to reactivate their account or verify an E-Mail address. Please be on your guard against E-Mails that request any of your security details... Users who click-the-link see a download page similar to this:
> https://4.bp.blogspo...st-download.png
The link in the email downloads a randomly-named file in the format security_notice55838.zip which contains a malicious binary which will have a name similar to security_notice18074.exe. This binary has a VirusTotal detection rate of 1/56* and is identified by Norman AV as Upatre..."
* https://www.virustot...sis/1422281915/
___

Fake 'Sage Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Jan 2015 - "'RE: Invoice #9836956' pretending to come from Sage .co .uk <no-reply@ sage .co .uk>
[random invoice numbers] with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please remit BACs before 26/01/2015. The document attached.

The malware attached to this email is exactly the same as in today’s Scanned Image – fake PDF malware*.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 26 January 2015 - 10:50 AM.



#1382 AplusWebMaster


Posted 27 January 2015 - 10:33 AM

FYI...

Whatsapp leads to Fake Flash update – malware
- http://myonlinesecur...update-malware/
27 Jan 2015 - "An email pretending to come from somebody you know that appears to be a Whatsapp notification is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...te1-262x300.png

When you press the play button in the email, you get sent to a page looking like:
> http://myonlinesecur...e2-1024x739.png
... if you select the 'upgrade now' button you end up with a fake flash player update and a badly infected computer...
27 January 2015: adobe_flash_player_update.exe . Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422376705/
___

Fake 'invoice' SPAM - malware
- http://blog.dynamoo....ade-r-kern.html
27 Jan 2015 - "Kern Engineering & Mfg Corp. is a wholly legitimate firm, they are not sending out this spam nor have their systems been compromised in any way. Instead, this is a -forgery- which has a malicious Word document attached.
    From:    Eileen Meade [eileenmeade@ kerneng .com]
    date:    27 January 2015 at 08:25
    subject:    inv.# 35261
      Here is your invoice & Credit Card Receipt.
     Eileen Meade
     R. Kern Engineering & Mfg Corp.
    Accounting
    909) 664-2442
    Fax 909) 664-2116


So far, I have seen two different versions of the Word document, both poorly detected [1] [2] containing two different macros... These attempt to download a binary from one of the following locations:
http ://UKR-TECHTRAININGDOMAIN .COM/js/bin.exe
http ://schreinerei-ismer.homepage.t-online .de/js/bin.exe
This is saved as %TEMP%\sdfsdferfwe.exe. It has a VirusTotal detection rate of 3/57*..."
1] https://www.virustot...sis/1422351101/

2] https://www.virustot...sis/1422351116/

* https://www.virustot...sis/1422351532/


- http://myonlinesecur...rd-doc-malware/
27 Jan 2015
> https://www.virustot...sis/1422350612/

> https://www.virustot...sis/1422350713/

- http://blog.mxlab.eu...-word-document/
Jan 27, 2015
> https://www.virustot...sis/1422351532/

216.251.43.17: https://www.virustot...17/information/

80.150.6.138: https://www.virustot...38/information/

 

:ph34r:  :grrr:


Edited by AplusWebMaster, 27 January 2015 - 04:40 PM.



#1383 AplusWebMaster


Posted 28 January 2015 - 07:12 AM

FYI...

Fake 'invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 Jan 2015 - "'Windsor Flowers Invoice 1385' pretending to come from Windsor Flowers Accounts <windsorflowersaccounts@ hotmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus... The email looks like:
    Dear Accounts payable
    Please see attached invoice 1385 for flowers within January 15.
    Our bank details can be found at the bottom of the invoice.
    If paying via transfer please reference our invoice number.
    If you have any queries, please do not hesitate to contact me.
    Many thanks in advance
    Connie
    Windsor Flowers
    74 Leadenhall Market
    London
    EC3 V1LT
    Tel: 020 7606 4277...


28 January 2015: Windsor Flowers Invoice 1385 Sheet1.doc (2 different versions)
Current Virus total detections: (76kb) 3/57* | (84 kb) 3/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1422442083/

** https://www.virustot...sis/1422443094/
___

Fake 'RBS' SPAM - pdf-malware
- http://myonlinesecur...-pdf-malware-2/
28 Jan 2015 - "'RBS Morning commentary' pretending to come from RBS .COM <no-replay@ rbs .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please refer to the details below if you are having problems reading the attached file.
    Please do not contact your Treasury Centre for technical issues – these should be routed to RBS FM support. The attached file is in zip format; first you have to unzip it (self-extracting archive, Adobe PDF) and then it can be viewed in Adobe Acrobat Reader 3.0 or above. If you do not have a copy of the software please contact your technical support department...


All the attachment numbers are random but all extract to same -malware- payload.
28 January 2015: attachment3532715.zip: Extracts to: attachment.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422448752/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

xHamster involved in large Malvertising campaign ...
- https://blog.malware...ising-campaign/
Jan 27, 2015 - "... a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month. In the past two days we have noted a 1500% increase in infections starting from xHamster. Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and -exploit- within a rogue ad network... The URL linked to is a simplified landing page hosted by what looks like a rogue ad network. The landing simply consists of preparing for a Flash Player exploit... the Flash exploit itself (0 detection on VT*), again hosted on the same ad network. Depending on your version of Flash you may get the recent 0-day:
> https://blog.malware...ash-300x262.png
Upon successful exploitation, a malicious payload (Bedep) VT 2/57**, is downloaded from:
hxxp ://nertafopadertam .com/2/showthread.php
What we see post exploitation is ad fraud as described here***... While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge."
* https://www.virustot...sis/1422391909/

** https://www.virustot...sis/1422393597/

*** https://blog.malware...nd-in-the-wild/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 28 January 2015 - 08:35 AM.



#1384 AplusWebMaster


Posted 29 January 2015 - 08:48 AM

FYI...

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2015 - "'Invoice #10413 from SPOTLESS CLEANING' pretending to come from paulamatos@ btinternet .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This message contains Invoice #10413 from SPOTLESS CLEANING. If you have questions about the contents of this message or Invoice, please contact SPOTLESS CLEANING.
    SPOTLESS CLEANING
    GLYNDEL HOUSE
    BOWER LANE
    DA4 0AJ
    07956 379907


29  January 2015 : SPOTLESS CLEANING-Invoice-10413.doc - Current Virus total detections: 0/57*
... this malicious word doc with macros downloads from www .otmoorelectrical .co.uk/js/bin.exe which is saved as %temp%\hDnyDA.exe (dridex banking Trojan) which has a current detection rate of 2/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1422523082/

** https://www.virustot...sis/1422531540/
___

Fake 'BACS Transfer' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2015 - "'Garth Hutchison BACS Transfer : Remittance for JSAG400GBP' pretending to come from Garth Hutchison <accmng2556@ blumenthal .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We have arranged a BACS transfer to your bank for the following amount : 5821.00
    Please find details attached.


29 January 2015 : BACS_transfer_JS87123781237.doc - Current Virus total detections: 0/57*
...  same malware payload as today’s Invoice #10413 from SPOTLESS CLEANING – Word doc malware** ..."
* https://www.virustot...sis/1422524523/

** http://myonlinesecur...rd-doc-malware/
___

Swiss users inundated with malware-laden SPAM
- http://net-security....ews.php?id=2950
29.01.2015 - "Swiss users are being heavily targeted by a number of spam campaigns delivering the Tiny Banker (TinBa or Busy) e-banking Trojan. Starting on Tuesday, the spammy emails seem to come from email addresses opened with big Swiss free email service providers (bluewin .ch, gmx .ch) and Swiss telecom provider Orange (orange .ch), but actually originate from broadband lines located all over the world. They masquerade as emails containing images sent from iPhones, an MMS sent to the user by Orange, and an application for a job position:
> http://www.net-secur...am-29012015.jpg
Unfortunately for those who fall for these tricks, the attached ZIP files contain only malware. "While most of the Tinba versions I usually come across are utilising a Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain, the version of Tinba that has been spread in Switzerland since yesterday is using hard-coded botnet C&C domains," noted Swiss security activist Raymond Hussy*. Further investigation revealed that all the sending IP addresses are Cutwail infected IPs, and the malware tries to contact four distinct C&C servers, two of which have already been sinkholed. Hussy recommends that network administrators block traffic to and from the remaining two active domains (serfanteg .ru, midnightadvantage .ru) and the following IPs: 91.220.131.216 and 91.220.131.61. "In general, 91.220.131.0/24 looks quite suspect. So you may want to block the whole netblock," he pointed out, adding that it would also be a good idea to block filenames with multiple file extensions on their email gateway."
* https://www.abuse.ch/?p=9095

91.220.131.61: https://www.virustot...61/information/

91.220.131.216: https://www.virustot...16/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, Yesterday, 06:41 AM.



#1385 AplusWebMaster


Posted Yesterday, 07:54 AM

FYI...

Fake 'BACS Transfer' SPAM - doc malware
- http://blog.dynamoo....remittance.html
30 Jan 2015 - "So far I have only seen one sample of this..
    From     "Garth Hutchison"
    Date     21/01/2015 11:50
    Subject     BACS Transfer : Remittance for JSAG400GBP
    We have arranged a BACS transfer to your bank for the following amount : 5821.00
    Please find details attached.


Attached is a malicious Word document BACS_transfer_JS87123781237.doc [VT 1/57*] which contains a macro... which downloads a file from:
http ://stylishseychelles .com/js/bin.exe
This is then saved as %TEMP%\iHGdsf.exe. This has a VirusTotal detection rate of 6/57** identifying it as a Dridex download... Sources indicate that this malware phones home to the following IPs which I recommend you block:
92.63.88.108
143.107.17.183
5.39.99.18
136.243.237.218
"
* https://www.virustot...sis/1422618493/

** https://www.virustot...sis/1422618468/
___

Fake BBB SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Jan 2015 - "'BBB SBQ Form #2508(Ref#61-959-0-4)' pretending to come from Admin <no-replay@ bbbl .org> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...2015/01/BBB.png

30 January 2015: SBQForm-57675.zip ( 13kb) : Extracts to:  doc-PDF.exe
Current Virus total detections:  8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422628270/
... Behavioural information
TCP connections
46.165.223.77: https://www.virustot...77/information/
31.170.162.203: https://www.virustot...03/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
208.91.197.54: https://www.virustot...54/information/
208.97.25.20: https://www.virustot...20/information/
___

Fake 'RE-CONFIRM' SPAM - malware
- http://myonlinesecur...1ll112-malware/
30 Jan 2015 - "'RE-CONFIRM P.O©{XX1ll112}' pretending to come from sensaire@ emirates .net.ae with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...O©XX1ll112.png

30 January 2015: Purchase order(1).zip: Extracts to: Purchase order.exe
Current Virus total detections: 12/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper file with an icon saying A instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422633004/
___

Fake 'Apple Termination' – Phish ...
- http://myonlinesecur...ation-phishing/
30 Jan 2015 - "'Apple Termination' pretending to come from Apple Account <support@ apple-messages .com> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

Screenshot: http://myonlinesecur...Termination.png

If you follow the link you see a webpage looking like with a pre-filled in box with your email address in it:
> http://myonlinesecur...fy_apple_ID.png
When you fill in your user name and password you get a page looking like this ( split into sections), where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur..._apple_ID_3.png
... these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake 'Tesco Bank' – Phish ...
- http://myonlinesecur...-bank-phishing/
30 Jan 2015 - "'Latest estatement is ready – Tesco Bank' pretending to come from savings@ tescobank .com <pol@ tesco .com> is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one only wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you fill in the html (webpage) form that comes attached to the email.
    Certain restriction has been placed on your tesco bank online services
     View your eDocument attached to proceed
     Tesco Bank is a retail bank in the United Kingdom which was formed in 1997,
    and which has been wholly owned by Tesco PLC since 2008
    ©Tesco Personal Finance plc 2014 / ©Tesco Personal Finance Compare Limited 2014.


If you open the attached html form you see this message:
    Your Latest Tesco Bank Saving Account Statement is ready.
    Certain restriction has been placed on your tesco bank online service
    You would be required to re – activate your online banking access to proceed
    Activate Your Online Access


If you follow that link you see a webpage looking like:
> http://myonlinesecur...o_vouchers1.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecur...o_vouchers2.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur...o_vouchers3.jpg
Then they send you to this page  and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecur...o_vouchers4.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, Yesterday, 11:55 AM.

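As an added example (not code from any of the posts or blogs quoted above): a small Python triage routine for ZIP attachments that flags the patterns these campaigns rely on, i.e. an executable carrying a document-looking name (bankline_document_pdf34929.exe, doc-PDF.exe, ScannedImage.scr), the multiple-extension names the abuse.ch advice suggests blocking at the gateway, and, going one step beyond the text, PE content hidden under a non-executable name. The sample ZIP is constructed inline; the filenames mirror those quoted in the posts and the file bodies are fake.

```python
import io
import zipfile

# Extensions Windows will run on double-click; the campaigns above ship
# .exe and .scr payloads inside ZIP attachments (list is an assumption,
# extend it for your gateway).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Words the lures put in the filename so a binary reads as a document.
DOCUMENT_LURES = ("pdf", "doc", "document", "invoice", "statement",
                  "scan", "image", "attachment", "remittance")


def _has_multiple_extensions(lower_name):
    """True for 'invoice.pdf.exe'-style names: two or more short dotted suffixes."""
    parts = lower_name.split(".")
    return len(parts) > 2 and all(1 <= len(p) <= 4 and p.isalnum() for p in parts[1:])


def triage_zip_attachment(zip_bytes):
    """Inspect every member of a ZIP attachment.

    Returns a list of (member_name, reasons); reasons are short tags a
    gateway rule or SIEM query can key on. Clean members are omitted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            lower = base.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable-extension")
                stem = lower[: -len(ext)]
                if any(word in stem for word in DOCUMENT_LURES):
                    reasons.append("document-lure-name")
            if _has_multiple_extensions(lower):
                reasons.append("multiple-extensions")
            # Look at the real content: a PE file starts with 'MZ' whatever it is called.
            head = zf.open(info).read(2)
            if head == b"MZ":
                reasons.append("pe-header" if ext in EXECUTABLE_EXTS
                               else "pe-header-mismatch")
            if reasons:
                findings.append((base, reasons))
    return findings


def verdict(findings):
    """'block' if any member is, or contains, a Windows executable; else 'allow'."""
    blocking = {"executable-extension", "pe-header", "pe-header-mismatch"}
    return "block" if any(blocking & set(r) for _, r in findings) else "allow"


def build_sample_zip():
    """Constructed test data mimicking the attachments quoted in the posts."""
    fake_pe = b"MZ" + b"\x90" * 62          # not a real binary, just the magic bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bankline_document_pdf34929.exe", fake_pe)  # fake-PDF lure
        zf.writestr("doc-PDF.exe", fake_pe)                     # fake-PDF lure
        zf.writestr("ScannedImage.scr", fake_pe)                # fake scan lure
        zf.writestr("report.pdf.exe", fake_pe)                  # double extension
        zf.writestr("renamed.pdf", fake_pe)                     # PE under a .pdf name
        zf.writestr("quarterly_report.pdf", b"%PDF-1.4\n%...")  # genuine-looking, clean
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip_attachment(build_sample_zip())
    for name, reasons in results:
        print(f"{name}: {', '.join(reasons)}")
    print("verdict:", verdict(results))
```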


#1386 AplusWebMaster


Posted Today, 12:27 PM

FYI...

Super Bowl Phishing -and- SPAM ...
- https://isc.sans.edu...l?storyid=19261
2015-01-31 - "Beware of Super Bowl spam that may come to your email inbox this weekend. The big game is Sunday and the spam and phishing emails are -pouring- in complete with helpful -links- back-ended by malware and/or credential harvesting:
> https://isc.sans.edu...s/superbowl.PNG
... worth a reminder to friends and family if they see any emails about the Super Bowl that appears to be too-good-to-be-true - delete it..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, Today, 12:58 PM.
