
SPAM frauds, fakes, and other MALWARE deliveries...



#1401 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,512 posts

Posted 23 February 2015 - 10:35 AM

FYI...

Fake Magazine Invoice SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Feb 2015 - "'Essex Central Magazine Invoice' pretending to come from Essex Central Magazine <darren@ notifications .kashflow .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Please see attached invoice for the upcoming issue of Essex Central
    Magazine.
     Regards,
     Accounts Dept.


23 February 2015: invoice.zip: Extracts to: invoice_pdf.exe
Current Virus total detections: 4/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424701064/

- http://blog.mxlab.eu...-upatre-trojan/
Feb 23, 2014
> https://www.virustot...42b79/analysis/
___

A Week in Security...
- https://blog.malware...rity-feb-15-21/
Feb 23, 2013 - "... fakeouts festooned all over YouTube, claiming to activate Windows 10:
> https://blog.malware...ps-and-surveys/
... rogue tweets on Twitter baiting whoever is interested in Evolve:
> https://blog.malware...ted-by-malware/
... a quite rare phishing campaign that targets accounts of Japanese gamers who have profiles under Square Enix:
> https://blog.malware...x-video-gamers/
... an infection via malicious code injection on the official website of renowned British celebrity chef... the site launches exploits targeting vulnerabilities on Adobe Flash, Silverlight, and Java:
> https://blog.malware...to-exploit-kit/
...  a compromise on RedTube, a top adult entertainment site. It was injected with a rogue iframe that directs visitors to the download and execution of an Angler exploit kit variant. The said EK targets Flash and Silverlight vulnerabilities:
> https://blog.malware...cts-to-malware/
... Malwarebytes Labs Team."


Edited by AplusWebMaster, 24 February 2015 - 03:43 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1402 AplusWebMaster

Posted 24 February 2015 - 07:20 AM

FYI...

Fake Invoice SPAM - doc malware
- http://blog.dynamoo....td-invoice.html
24 Feb 2015 - "This -fake- invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.
    From:    donotreply@ berendsen .co .uk
    Date:    24 February 2015 at 08:09
    Subject:    Berendsen UK Ltd Invoice 60020918 117
    Dear Sir/Madam,
    Please find attached your invoice dated 21st February.
    All queries should be directed to your branch that provides the service. This detail can be found on your invoice.
    Thank you...


I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a -zero- detection rate*. Contained within this is a malicious Word macro which downloads a component from the following location:
http ://heikehall .de/js/bin.exe
This binary has a VirusTotal detection rate of 2/57**. Automated analysis tools... show that it attempts to phone home to:
MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites, however the bad sites are concentrated in the following ranges:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57***.
Recommended blocklist:
"
* https://www.virustot...sis/1424770482/

** https://www.virustot...sis/1424770511/

*** https://www.virustot...sis/1424772155/

- http://myonlinesecur...rd-doc-malware/
24 Feb 2015 - "'Izabela Pachucka Arsenal LTD document do confirm' pretending to come from Izabela Pachucka <pachuckaizabela@ arsenalltd .pl> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecur...la-Pachucka.png
The malware attached to this series of emails is exactly the same as in today’s Berendsen UK Ltd Invoice 60020918 117 – Word doc malware although renamed as roexport.doc* or roexport.xls..."
* http://myonlinesecur...rd-doc-malware/

Screenshot: http://myonlinesecur...en-1024x682.png
___

Fake Order SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
24 Feb 2015 - "'Board Order – PO15028' pretending to come from Andrew Manville <andy@ icotherm .co .uk> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...der-PO15028.png

... exactly the -same- as the attachments to today’s other malicious word and excel macros Izabela Pachucka Arsenal LTD document do confirm – Word doc malware* and Berendsen UK Ltd Invoice 60020918 117 – Word doc malware** although re-named as SCAN_20150224_100752437.doc or SCAN_20150224_100752437.xls ..."
* http://myonlinesecur...rd-doc-malware/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Time Sheet' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Feb 2015 - "'Time Sheet' pretending to come from hartsellb@ mtpleasantnc .us with a zip attachment is another one from the current bot runs... The email looks like:
    Sorry again this time it has a attachment.
    Thanks
    Bobby


24 February 2015: 2-9-15 to 2-15-15.zip: Extracts to: 2-9-15 to 2-15-15.exe
Current Virus total detections: 8/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424785308/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustot...70/information/
181.189.152.131: https://www.virustot...31/information/
199.116.77.164: https://www.virustot...64/information/
181.189.152.131: https://www.virustot...31/information/

- http://threattrack.t...time-sheet-spam
Feb 24, 2015
___

Fake 'EFT Notification' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Feb 2015 - "'TOWN OF MT PLEASANT, here is your EFT Notification' pretending to come from finance_ap@ cabarruscounty .us with a zip attachment is another one from the current bot runs... The email is very basic and terse and simply has this in the body:

     live-842000_12-17-2014-PE-E.pdf

24 February 2015: live-842000_12-17-2014-PE-E.zip:
Extracts to:  live-842000_12-17-2014-PE-E.exe
Current Virus total detections: 7/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424793555/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...10/information/
181.189.152.131: https://www.virustot...31/information/
46.30.212.175: https://www.virustot...75/information/
181.189.152.131: https://www.virustot...31/information/
UDP communications
66.228.45.110: https://www.virustot...10/information/
___

Fake FedEx SPAM - trojan
- http://blog.mxlab.eu...ontains-trojan/
Feb 23, 2015 - "... intercepted a new trojan distribution campaign by email with the subjects similar to:
Reese Torres agent Fedex
Dylan Livingstone agent Fedex

This email is sent from the spoofed address “Fedex <fedexservice@ juno .com>” and has the following body:
    Dear Customer,
    We tried to deliver your item on February 22th, 2014, 08:15 AM.
    The delivery attempt failed because the address was business closed or nobody could sign for it.
    To pick up the package,please, print the receipt that is attached to this email and visit Fedex location indicated in the invoice.
    If the package is not picked up within 48 hours, it will be returned to the shipper.
    Label/Receipt Number: 44364578782324455
    Expected Delivery Date: February 22th, 2014
    Class: International Package Service
    Service(s): Delivery Confirmation
    Status: Notification sent
    Thank you
    Copyright© 2015 FEDEX. All Rights Reserved...


The attached file Package.zip contains the 78 kB large file 443645787823424455.scr. The trojan is known as HEUR:Trojan.Win32.Generic or Win32.Trojan.Inject.Auto. At the time of writing, 5 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...cb23b/analysis/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

7,038 new security vulnerabilities - 2014 stats
- http://www.gfi.com/b...ations-in-2014/
Feb 18, 2015 - "... 7,038 -new- security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.
> http://www.gfi.com/b...ities-09-14.jpg
24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high security vulnerabilities has -increased- compared to last year.
> http://www.gfi.com/b...erabilities.jpg
Third-party applications are the most important source of vulnerabilities with over 80% of the reported vulnerabilities in third-party applications. Operating systems are only responsible for 13% of vulnerabilities and hardware devices for 4%.
> http://www.gfi.com/b...roduct-type.jpg
Top operating systems by vulnerabilities reported in 2014
> http://www.gfi.com/b...02/OS-chart.jpg
Top applications by vulnerabilities reported in 2014
> http://www.gfi.com/b...ation-chart.jpg
... Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients. Adobe free products and Java are the main challengers but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.
To keep systems secure, it is -critical- that they are fully patched. IT admins should focus on (patch them first):
- Operating systems (Windows, Linux, OS X)
- Web browsers
- Java
- Adobe free products (Flash Player, Reader, Shockwave Player, AIR).
Vulnerability and patch management should be priority tasks for every sysadmin. Microsoft’s updates are -not- enough because third-party applications are just as problematic..."


Edited by AplusWebMaster, 24 February 2015 - 09:45 PM.

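The blocklist reasoning in the dynamoo post above (three MWTV ranges that are narrower than the whole 92.63.80.0/20 block, plus a handful of single IPs) can be turned into a detection over outbound-connection logs. The code below is an added example, not code from the forum post or from the blog it quotes; the log lines are constructed sample data, and the blocklist uses the ranges named in the post plus one of its single IPs.

```python
"""Match outbound-connection log lines against a blocklist of CIDRs and
single IPs (added example; log lines are constructed sample data)."""
import ipaddress
import re

# Ranges named in the post above plus one of its single IPs (assumption:
# a real deployment would load the full list from a file).
BLOCKLIST_TEXT = """
# MWTV ranges the post singles out inside 92.63.80.0/20
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
# single host
86.104.134.156
"""

def parse_blocklist(text):
    """Turn mixed CIDR / bare-IP lines into ip_network objects; a bare IP
    becomes a /32 so every entry is tested the same way."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def covering_entry(ip, nets):
    """Return the most specific blocklist entry containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

# Constructed firewall log, not taken from the page (198.51.100.7 is a
# TEST-NET address standing in for ordinary traffic). The last line goes
# to an address inside 92.63.80.0/20 but outside the recommended ranges,
# which is exactly the case the post's narrower blocklist leaves alone.
SAMPLE_LOG = """\
2015-02-24T08:15:02Z host=WS-17 proto=TCP dst=92.63.87.13 dport=8080 action=allow
2015-02-24T08:15:03Z host=WS-17 proto=TCP dst=198.51.100.7 dport=443 action=allow
2015-02-24T08:15:09Z host=WS-17 proto=TCP dst=86.104.134.156 dport=80 action=allow
2015-02-24T08:15:10Z host=WS-17 proto=TCP dst=92.63.80.5 dport=80 action=allow
"""

LOG_RE = re.compile(r"host=(\S+).*?\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")

def scan_log(log_text, nets):
    """Return (host, dst_ip, matched_entry) for each line whose destination
    falls inside the blocklist."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, dst = m.groups()
        entry = covering_entry(dst, nets)
        if entry is not None:
            alerts.append((host, dst, str(entry)))
    return alerts

if __name__ == "__main__":
    for host, dst, entry in scan_log(SAMPLE_LOG, parse_blocklist(BLOCKLIST_TEXT)):
        print(f"{host} -> {dst} matches blocklist entry {entry}")
```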


#1403 AplusWebMaster

Posted 24 February 2015 - 08:55 PM

FYI...

Fake 'LogMeIn' SPAM - malicious attachment
- http://blog.dynamoo....ro-payment.html
25 Feb 2015 - "This -fake- financial email does not come from LogMeIn, instead it has a malicious attachment:
    From:    LogMeIn .com [no_reply@ logmein .com]
    Date:    25 February 2015 at 08:52
    Subject:    Your LogMeIn Pro payment has been processed!
    Dear client,
    Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
    Your credit card has been successfully charged.
    Date : 25/2/2015
    Amount : $999 ( you saved $749.75)
    The transaction details can be found in the attached receipt.
    Your computers will be automatically upgraded the next time you sign in.
    Thank you for choosing LogMeIn!


Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56*. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:
http ://junidesign .de/js/bin.exe
This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57**. Automated analysis tools... show this calling home to the following IPs:
... The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57***] and a malicious DLL which is probably a Dridex component [VT 4/57****].
Recommended blocklist:
"
* https://www.virustot...sis/1424856686/

** https://www.virustot...sis/1424856906/

*** https://www.virustot...sis/1424858127/

**** https://www.virustot...sis/1424858199/

- http://myonlinesecur...dsheet-malware/
25 Feb 2015
Screenshot: http://myonlinesecur...n-processed.png

Fake emails mimic LogMeIn receipts
- http://blog.logmein....ogmein-receipts
Feb 17, 2015
___

Copy .com used to distribute Crypto Ransomware
- https://isc.sans.edu...l?storyid=19371
2015-02-25 01:04:23 UTC - "Thanks to Marco for sending us a sample of yet another piece of crypto-ransom malware. The file was retrieved after visiting a compromised site (www .my-sda24 .com) . Interestingly, the malware itself was stored on copy .com. Copy .com is a cloud based file sharing service targeting corporate users. It is run by Barracuda, a company also known for its e-mail and web filtering products that protect users from just such malware. To its credit, Barracuda removed the malware within minutes of Marco finding it. At least right now, detection for this sample is not great. According to Virustotal, 8 out of 57 virus engines identify the file as malicious [1]. A URL blacklist approach may identify the original site as malicious, but copy .com is unlikely to be blocked. It has become very popular for miscreants to store malicious files on cloud services, in particular if they offer free trial accounts. Not all of them are as fast as Barracuda in removing these files."

[1] https://www.virustot...6adf4/analysis/

146.185.221.150: https://www.virustot...50/information/
___

Dropbox SPAM - malware
- http://blog.dynamoo....-shared-mt.html
25 Feb 2015 - "This spam leads to a malware download via Dropbox.
    From:    Info via Dropbox
    Reply-To:    hcm0366@ gmail .com
    Date:    25 February 2015 at 05:38
    Subject:    Info Chemicals shared "MT 103_PO_NO!014.zip" with you
    Signed by:    dropbox .com
    From Info:
    "Good day ,
    How are you today
    pls check attached, my manager had requested I email you our new order details together with TT copy of balance payment. Kindly confirm in return.
    regards,
    Frank Manner
    Broad Oak Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
    Registered No. 1971053 England & Wales...


The email has been digitally signed by Dropbox (which means exactly nothing) and is -spoofing- the wholly legitimate Broad Oak Ltd who have been a target of this sort of thing several times before. In this case, the link in the email goes to:
https ://www .dropbox .com/l/dFxVxjuDRo3j2oANVURy2v
and then to
https ://www .dropbox .com/s/fnsprei93c45ts6/MT%20103_PO_NO!014.zip
which leads to a malicious EXE file called MT 103_PO_NO!014.zip. Inside that is the malware itself, a file .pdf.scr which has a detection rate of 11/57*. According to the Malwr report it drops another executable with a detection rate of 9/57**. The payload looks similar to the Zeus trojan. Also, according to Malwr and ThreatExpert it attempts to communicate with an apparent web-to-Tor gateway at
mmc65z4xsgbcbazl .onion .am
onion .am is hosted on 37.220.35.39 (YISP Colo, Netherlands)... Be aware that there are probably many other Dropbox locations in use for this spam run. If you see more, I suggest you forward the email to abuse -at- dropbox.com ..."
* https://www.virustot...sis/1424849825/

** https://www.virustot...sis/1424850664/
___

Fake 'eFax message' SPAM - malware
- http://myonlinesecur...ke-pdf-malware/
25 Feb 2015 - "'eFax message from “POTS modem 2 ” – 1 page(s), Caller-ID: 1-630-226-2563' pretending to come from message@ inbound .efax .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...OTS-modem-2.png

25 February 2015: fax_2342.zip: Extracts to: fax_2342.exe
Current Virus total detections: 19/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424883423/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
181.189.152.131: https://www.virustot...31/information/
188.65.112.97: https://www.virustot...97/information/
181.189.152.131: https://www.virustot...31/information/
UDP communications
77.72.169.166: https://www.virustot...66/information/
77.72.169.167: https://www.virustot...67/information/


Edited by AplusWebMaster, 25 February 2015 - 02:41 PM.



#1404 AplusWebMaster

Posted 26 February 2015 - 07:33 AM

FYI...

cPanel ‘Account Suspended’ PHISH serves exploits
- https://blog.malware...erves-exploits/
Feb 26, 2015 - "cPanel is one of the most popular web hosting control panels out there. It allows administrators to manage their website(s) using a graphical front end, perform maintenance and review important logs among other things. cPanel also has a user interface for CGI (short for Common Gateway Interface) typically used to run scripts and generate dynamic content. One such script populates a fairly well-known (and somewhat dreaded) page known as the “Account Suspended” page:
> https://blog.malware.../suspended1.png
Visitors to a site are -redirected- to this screen for one of many reasons ranging from the site owner’s failure to pay for his hosting, violating the Terms and Conditions, or perhaps exceeding their allocated bandwidth... The page itself is made of HTML code, and can be edited by an administrator, often via a Web Host Manager (WHM). Many sites that were once used to distribute malware and have been suspended will sport that kind of page. One would assume that the site would now be harmless, since the hosting provider has already taken action. If you aren’t looking at the URL carefully (the suspended page should be displayed at the root of the domain) and assumed so, you might just run into a case where the site is actually fully compromised and still active... The injected iframe redirects straight to a Fiesta exploit kit landing page. The landing page usually performs various checks and prepares the exploits that are going to get fired at the victim. As is often the case with exploit kits, that page is heavily obfuscated to make identification a little bit more difficult... This case is a reminder not to trust a book by its cover and always exercise caution. Attackers were clever to hide the malicious redirect code where they did because they might trick someone into brushing off the site as “already terminated by the hosting provider”, when in fact it’s not. They might have fooled some, but they didn’t fool us..."
(More detail at the malwarebytes URL at the top.)
___

Fake 'Voice Message' SPAM - wav malware
- http://myonlinesecur...ke-wav-malware/
26 Feb 2015 - "'New Voice Message from No Caller ID on 25/02/2015 at 16:25' pretending to come from notify-uk@ ringcentral .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ice-message.png

26 February 2015: NoCallerID-1218-162550-153.wav.zip:
Extracts to:  NoCallerID-1218-162550-1536.wav.exe
Current Virus total detections: 0/57*. The extracted file name is actually NoCallerID-1218-162550-153б.wav.exe (if you look closely, you can see that the 6 is not the number six at all but a foreign language character that looks like a number 6). This can cause analysis problems with some of the auto analysers which have crashed trying to analyse this one and an error on some windows systems, possibly leading to the file auto-running. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper wav (voice or music) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424938264/
... Behavioural information
TCP connections
81.177.139.53: https://www.virustot...53/information/
95.211.144.65: https://www.virustot...65/information/
92.63.87.13: https://www.virustot...13/information/
80.150.6.138: https://www.virustot...38/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

Fake 'Copy Invoices' SPAM - malicious attachment
- http://blog.dynamoo....s-christou.html
26 Feb 2015 - "This -fake- invoice spam comes with a malicious attachment:
    From:    Chris Christou [chris.christou@ greysimmonds .co.uk]
    Date:    26 February 2015 at 10:45
    Subject:    Copy invoices
    Hello ,
    Please find copy invoices attached as per our telephone conversation.
    Kind regards,
    Chris
    Chris Christou
    Credit Control
    Grey Simmonds
    Cranes Point
    Gardiners Lane South
    Basildon
    Essex SS14 3AP
    Tel:  0845 130 9070
    Fax: 0845 370 9071...


It does -NOT- come from Grey Simmonds, nor have their systems been compromised in any way. Instead, this is a simple forgery. I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57*] which contains this malicious macro... which downloads a further component from:
http ://xomma .net/js/bin.exe
This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56**. Automated analysis tools... show it attempting to phone home to the following IPs:
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)
This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57***] and 1997b0031ad702c8347267db0ae65539 [VT 4/57****].
Recommended blocklist:
"
* https://www.virustot...sis/1424948249/

** https://www.virustot...sis/1424948263/

*** https://www.virustot...5553d/analysis/

**** https://www.virustot...faccb/analysis/


- http://myonlinesecur...dsheet-malware/
26 Feb 2015
Screenshot: http://myonlinesecur...py-invoices.png
___

Fake email SPAM - malware attached
- http://myonlinesecur...ke-pdf-malware/
26 Feb 2015 - "'NicolaR RA 069767 (random numbers)' pretending to come from NicolaR@ jhs. co.uk with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...2/RA-069767.png

26 February 2015: RA_New.zip: Extracts to: RA_New.exe
Current Virus total detections: 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424955113/
___

Fake 'Sales Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Feb 2015 - "'Your Sales Invoice' pretending to come from donotreply@ worldwind .co .uk with a zip attachment is another one from the current bot runs... The email looks like:

    Your document is attached with our regards.
    The document is in PDF format and requires Adobe Reader to view ...


26 February 2015: 131234.zip: Extracts to: 131234.exe
Current Virus total detections: 7/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424964940/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
181.189.152.131: https://www.virustot...31/information/
89.248.61.60: https://www.virustot...60/information/
181.189.152.131: https://www.virustot...31/information/
UDP communications
217.10.68.152: https://www.virustot...52/information/
217.116.122.136: https://www.virustot...36/information/


Edited by AplusWebMaster, 26 February 2015 - 04:52 PM.

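The spoofed-icon trick that recurs in these posts (a hidden .exe or .scr behind a PDF or WAV name, and in the RingCentral case a Cyrillic look-alike digit that crashed the auto-analysers) can be triaged from the attachment names alone, before anything is opened. The code below is an added example, not code from the forum post or from myonlinesecurity.co.uk; the extension sets are this example's own assumption, and the sample listing reuses names quoted in the posts, with the look-alike character written as a Unicode escape.

```python
"""Triage attachment names for the disguised-executable tricks described in
the posts above. Added example; the extension sets are assumptions."""
import unicodedata

# Extensions Windows executes on double-click (assumed illustrative set).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Document/media types the spoofed icon imitates (assumed set).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".zip", ".txt"}

def split_suffixes(name):
    """'x.pdf.exe' -> ['.pdf', '.exe'], '.pdf.scr' -> ['.pdf', '.scr'] (lower-cased)."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]

def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped, so 'fax_2342.exe' appears as 'fax_2342'."""
    head, sep, _ = name.rpartition(".")
    return head if sep else name

def triage_name(name):
    """Return the reasons a name looks like a disguised executable
    (an empty list means the name alone shows nothing suspicious)."""
    reasons = []
    sufs = split_suffixes(name)
    if sufs and sufs[-1] in EXEC_EXTS:
        reasons.append(f"executable extension {sufs[-1]}")
        if len(sufs) > 1 and sufs[-2] in DECOY_EXTS:
            reasons.append(f"decoy extension {sufs[-2]} before {sufs[-1]}")
        # 'invoice_pdf.exe': the part the user sees ends in a document type.
        stem_tail = displayed_name(name).lower().replace("-", "_").split("_")[-1]
        if "." + stem_tail in DECOY_EXTS:
            reasons.append(f"stem ends in document type '{stem_tail}'")
    for ch in name:
        if ord(ch) > 0x7F:   # look-alike or otherwise unexpected character
            reasons.append(f"non-ASCII character {ch!r} "
                           f"({unicodedata.name(ch, 'UNNAMED')})")
    return reasons

def triage_listing(names):
    """Map each suspicious name in an archive listing to its reasons."""
    return {n: triage_name(n) for n in names if triage_name(n)}

# Constructed archive listing reusing names quoted in the posts; the
# Cyrillic 'be' from the RingCentral sample is written as an escape.
SAMPLE_LISTING = [
    "invoice_pdf.exe",
    "NoCallerID-1218-162550-153\u0431.wav.exe",
    "Pearl UK Summer Offer Sheet 2015.exe",
    ".pdf.scr",
    "report.pdf",
]

if __name__ == "__main__":
    for name, reasons in triage_listing(SAMPLE_LISTING).items():
        print(f"{name!r} (shown as {displayed_name(name)!r}):")
        for r in reasons:
            print("  -", r)
```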


#1405 AplusWebMaster

Posted 27 February 2015 - 07:29 AM

FYI...

Bogus Search Engine leads to Exploits
- https://blog.malware...ds-to-exploits/
Feb 27, 2015 - "... Sadly, devious software makers are using all the tricks in the books to fool users into installing their programs. Even when you take all the precautions necessary and never download anything from an untrusted source, you could still end up with Adware. The recent Lenovo/Superfish fiasco is a good example of that. Brand new computers were pre-installed with Adware that surreptitiously injected ads into the browser by introducing vulnerabilities, in an almost undetectable way. Adware is not only annoying but can also weaken a computer’s security status. Today, we have another case to prove that point. Potentially Unwanted Programs often install a search assistant (or rather a browser and search -hijacker-) on people’s machines:
> https://blog.malware...ebfindfast2.png
The idea is simple: To redirect people’s searches to affiliates or other sponsors and earn pay-per-click commissions. This one is hosted at webfindfast .com*:
> https://blog.malware...02/searches.png
For the end-user, the search experience is simply terrible but yet not the end of their troubles. In this case, clicking on any link results in a -redirection- to an exploit kit landing page, quickly followed by malware... As usual, after several convoluted redirects, the user ends up on the door step of the famous Angler exploit kit... Vulnerable computers are infected with a piece of malware detected as Trojan.Crypt.NKN by Malwarebytes Anti-Malware. It will install a rogue Antivirus program known as 'Malware Defender 2015' and pull up a purchase page from an IP address located in Istanbul (176.53.125.20)**... The lesson to learn from this is to once again stay away from bundled software and other programs that appear to be free but come with a catch. Also, if you’re starting to see a different home page or search engine than you used to, you should make sure your browser has not been altered in some way."
* 136.243.24.248: https://www.virustot...48/information/

** 176.53.125.20: https://www.virustot...20/information/
___

Fake 'Invoice' SPAM - doc malware
- http://blog.dynamoo....-inv650988.html
27 Feb 2015 - "This -fake- invoice email is not from Dennys but is a simple forgery with a malicious attachment. Dennys are not sending the spam, and their systems have not been compromised in any way.
    From:    accounts@ dennys .co.uk
    Date:    27 February 2015 at 09:14
    Subject:    Dennys Invoice INV650988
    To view the attached document, you will need the Microsoft Word installed on your system.


So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero*. This contains this malicious macro... which downloads another component from the following location:
http ://hew.homepage.t-online. de/js/bin.exe
This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57**.
According to the Malwr report, this executable then goes on and downloads another version of itself and a config file from:
http ://apartmentprofile .su/conlib.php
http ://paczuje.cba .pl/java/bin.exe
It drops several files, KB2896~1.EXE [VT 3/57***], edg2.exe [VT 3/57****] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday)... Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:
Some of these are shared hosting; for maximum protection I recommend that you apply the following blocklist:
"
* https://www.virustot...sis/1425029078/

** https://www.virustot...sis/1425029464/

*** https://www.virustot...sis/1425031075/

**** https://www.virustot...sis/1425031099/


- http://myonlinesecur...dsheet-malware/
27 Feb 2015
> https://www.virustot...sis/1425027918/
___

Fake 'Offer Sheet' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Feb 2015 - "'Pearl Summer Offer Sheet' pretending to come from maikel.theunissen@ pearleurope .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Offer-Sheet.png

27 February 2015: Pearl UK Summer Offer Sheet 2015.zip: Extracts to: Pearl UK Summer Offer Sheet 2015.exe
Current Virus total detections: 0/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425039221/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
181.189.152.131: https://www.virustot...31/information/
192.185.86.160: https://www.virustot...60/information/
181.189.152.131: https://www.virustot...31/information/
UDP communications
107.23.150.92: https://www.virustot...92/information/
107.23.150.99: https://www.virustot...99/information/
___

Fake 'eFax message' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Feb 2015 - "'eFax message from “unknown” – 1 page(s), Caller-ID: 1-219-972-8538' pretending to come from message@ inbound .efax .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...wn-1024x610.png

27 February 2015: FAX_20150226_1424989043_176.zip: Extracts to:  FAX_20150226_1424989043_176.exe
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425056870/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
181.189.152.131: https://www.virustot...31/information/
192.185.106.103: https://www.virustot...03/information/
UDP communications
217.10.68.152: https://www.virustot...52/information/
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 27 February 2015 - 06:59 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1406 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,512 posts

Posted 01 March 2015 - 11:57 AM

FYI...

Fake 'Order/ Payment' SPAM – Java malware
- http://myonlinesecur...t-java-malware/
1 Mar 2015 - "'lucy C Ulngaro New Order/ Payment' pretending to come from Admin <tareq@ msp .com.sa> with a jar attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...der-Payment.png

1 March 2015: PO-2015-0123.jar: Current Virus total detections: 22/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a zip file instead of the java file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425193109/
___

Fake job offer SPAM
- http://blog.dynamoo....uctioncouk.html
28 Feb 2015 - "This -fake- job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction .co .uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC who are -not- involved in this scam at all.

    From:    JOB ALERT [klakogroups@ gmail .com]
    Reply-To:    klakogroups@ gmail .com
    To:    Recipients [klakogroups@ gmail .com]
    Date:    27 February 2015 at 18:37
    Subject:    NEW JOB VACANCIES IN LONDON.
    Trade Construction Company,
    L.L.C,
    70 Gracechurch Street.
    EC3V 0XL, London. UK
    We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
    as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.
    Available Positions...


... The tradeconstruction .co.uk site is almost a bit-by-bit copy of the genuine tradeconstruction .com website.
> https://4.bp.blogspo...nstruction1.jpg
... Nothing about this job offer is legitimate. It does -not- come from who it appears to come from and should be considered to be a -scam- and avoided."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 01 March 2015 - 02:58 PM.



#1407 AplusWebMaster


Posted 02 March 2015 - 02:48 PM

FYI...

Fake 'Secure Message' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
2 Mar 2015 - "'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please check attached file(s) for your latest account documents regarding your online account.
    Forrest Blackwell
    Level III Account Management Officer
    817-140-6313 office
    817-663-8851 cell
    Forrest .Blackwell@ jpmorgan .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    2015 JPMorgan Chase & Co...


2 March 2015: JP Morgan Access – Secure.zip : Extracts to: JP Morgan Access – Secure.scr
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425314842/
 

:ph34r:  :grrr:




#1408 AplusWebMaster


Posted 03 March 2015 - 08:28 AM

FYI...

Fake 'Apple ID' – phish...
- http://myonlinesecur...le-id-phishing/
2 Mar 2015 - "'Your recent download with your Apple ID' pretending to come from Apple iTunes <orders@ tunes .co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details... This one has a short url link in the email which -redirects- you...

Screenshot: http://myonlinesecur...ur-Apple-ID.png

If you follow-the-link (don't) you see a webpage looking like:
> http://myonlinesecur...fy_apple_ID.png
... fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format.
> http://myonlinesecur..._apple_ID_2.png
...
> http://myonlinesecur..._apple_ID_3.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fraud Alert: Unauthorised Appstore Payment – phish
- http://myonlinesecur...yment-phishing/
3 Mar 2015 - "'Fraud Alert: Unauthorised Appstore Payment' pretending to come from iTunes <datacareapsecurity@ apple. co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details...

Screenshot: http://myonlinesecur...ore-Payment.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Worm.Gazon: Want Gift Card? Get Malware
- http://www.adaptivem...ard-get-malware
2 Mar 2015 - "... A simple piece of -malware- is on the way to become one of the 'spammiest' mobile malware outbreaks seen yet. This malware we have dubbed Gazon spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page:

Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https ://bit .ly/ getAmazon[redactedD]
> http://www.adaptivem...on-download.jpg

The malware passes itself as an app that gives Amazon rewards. However, the only thing it actually does is pulling up a scam page inside the app which asks you to participate in the -survey- ... Each of the options below ends up taking you to either another scam page or asks you to download a game in the Google Play. While you are busy clicking through pages the author just earns money through your clicks as we have seen in other pieces of mobile malware.
> http://www.adaptivem...gazon-scam1.png
However, in the background this malware harvests all your contacts and sends a -spam- message to each of them with the URL pointing to the body of the worm... Thousands of people have seemingly installed this malware and been a victim. We are seeing over 4k infected devices in all of the major networks in North America, and we've blocked over 200k spam messages generated by these infected devices. Stopping the spread via messaging is critical as each one of these messages was an attempt to spread the app to an infected user's contacts. Based on click-throughs from the shortened URL it also seems this malware has been encountered in multiple other countries as well, worldwide. At the moment none of the AV engines detect this malware according to VirusTotal.
> http://www.adaptivem...-virustotal.png
... users should be aware of this -scam- and as always, be careful clicking on links in text messages that seem suspect. In this case, like other worm malware we have seen recently, even messages your contacts send you may not be safe. The malware can be removed using standard Android app uninstall utilities..."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 03 March 2015 - 10:47 PM.



#1409 AplusWebMaster


Posted 04 March 2015 - 06:55 AM

FYI...

Fake no body text SPAM - malicious attachment
- http://blog.dynamoo....ohn-donald.html
4 Mar 2015 - "This rather terse email comes with a malicious attachment:
    From:    John Donald [john@ kingfishermanagement .uk .com]
    Date:    4 March 2015 at 09:09
    Subject:    Document1


There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors*, in turn it contains this malicious macro... which downloads another component from the following location:
http ://retro-moto .cba .pl/js/bin.exe
Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show attempted network traffic to the following IPs:
92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)
According to the Malwr report it also drops another version of itself with a detection rate of just 1/57*** plus a DLL with a detection rate of 7/56****.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33
"
* https://www.virustot...sis/1425464228/

** https://www.virustot...sis/1425464153/

*** https://www.virustot...sis/1425466045/

**** https://www.virustot...sis/1425466059/

- http://myonlinesecur...dsheet-malware/
4 Mar 2015
> Document1.docx: https://www.virustot...sis/1425459634/
> https://www.virustot...sis/1425460757/
... Behavioural information
TCP connections
92.63.87.13: https://www.virustot...13/information/
___

Fake 'Remittance advice' SPAM – word doc or excel xls malware
- http://myonlinesecur...dsheet-malware/
4 Mar 2015 - "'Remittance advice [Rem_5556YJ.xml] (random numbers)' pretending to come from random addresses and random companies with a malicious word doc or Excel XLS spreadsheet attachment, these are actually XLM word files is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them... The email looks like:
    Good morning
    You can find remittance advice [Rem_5556YJ.xml] in the attachment
    Kind Regards
    Lenny Madden
    GLAXOSMITHKLINE


4 March 2015 : Rem_5892GV.xml  Current Virus total detections: 0/56* | 0/56**
So far I have only  seen 2 versions of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1425470968/

** https://www.virustot...sis/1425471785/

- http://blog.dynamoo....ystery-xml.html
4 Mar 2015
"... recommend blocking them:
62.76.176.203
46.30.42.171
74.208.68.243
37.139.47.111
"
___

Fake 'UPS Tracking' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 Mar 2015 - "'UPS Ship Notification, Tracking Number 1Z06E18A6840121864' pretending to come from UPS <no-replay@ upsi .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...A6840121864.png

04 March 2015: Details.zip: Extracts to: Details.exe
Current Virus total detections: 12/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425482799/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
190.111.9.129: https://www.virustot...29/information/
108.174.149.222: https://www.virustot...22/information/
190.111.9.129: https://www.virustot...29/information/
UDP communications
212.79.111.155: https://www.virustot...55/information/
212.79.111.156: https://www.virustot...56/information/
___

Fake 'invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 Mar 2015 - "'RMPD#7989 – invoices' pretending to come from Rothn-Ron <ron@ bellsouth .net> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...89-invoices.png

04 March 2015: RMPD#7989 INVOICES.zip: Extracts to: RMPD#7989 INVOICES.exe
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425486885/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
190.111.9.129: https://www.virustot...29/information/
108.174.149.222: https://www.virustot...22/information/
190.111.9.129: https://www.virustot...29/information/
UDP communications
217.10.68.152: https://www.virustot...52/information/
217.116.122.136: https://www.virustot...36/information/
___

Many common sites might be temporarily offline
- http://myonlinesecur...rarily-offline/
4 Mar 2015 - "... Amazon and Rackspace have both announced that they will need to -reboot- some of their servers to address the issue before March 10, when the Xen Project plans to disclose the latest bugs*. Details of the vulns are being withheld for now, to give the cloud vendors time to patch. In a FAQ** about the upcoming maintenance, Amazon Web Services said that only some of its earliest Elastic Compute Cloud (EC2) customers should be affected."
* http://xenbits.xen.org/xsa/

** https://aws.amazon.c...enance-2015-03/

- http://blog.trendmic...ker-encryption/
Mar 4, 2015 - "... We advise Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected. According to Deep Security Labs Director Pawan Kinger, FREAK is a serious and very real vulnerability which may require some level of sophistication to exploit. However, its sophistication won’t dissuade determined attackers. Carrying out a FREAK exploit requires attackers to be able to first create a man-in-the-middle (MITM) attack against the servers. It would also require the ability to control an SSL session between client and server and then force that session to downgrade to the lower encryption level. Then, the attacker would have to take the weakly encrypted traffic and perform a brute force attack against it that would take several hours, as opposed to days or weeks with higher encryption... Administrators can also check if their site is vulnerable by using the SSL Labs’ SSL Server Test*..."
* https://www.ssllabs.com/ssltest/

- http://www.bloomberg...eak-attack-hole
Mar 4, 2015 - Video 2:40
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 04 March 2015 - 07:54 PM.

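Several of the runs quoted above share one trick: a zip whose only member is an .exe or .scr with a document-style icon and a name such as invoice_pdf.exe or Details.exe, a bare .jar that looks like a zip, or an Office document carrying a macro. The checker below is an added example (not code from this thread or from the blogs it quotes) of the attachment triage a mail gateway or helpdesk script can do before a user ever sees the icon: it opens zip-type attachments in memory, flags executable member extensions, flags a document word used to disguise one, and flags OOXML documents that ship a vbaProject.bin part. The sample attachments, file names and the extension and lure-word lists are constructed for the example.

```python
"""Attachment triage for the lure patterns seen in this thread.

Added example: not the thread's or the quoted blogs' own code. All samples
below are constructed in memory; none is a real malware file.
"""
import io
import zipfile

# Extensions Windows will execute or hand to an interpreter, even when
# "show known file extensions" is off and the icon says "PDF" (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".jar", ".js", ".vbs", ".chm"}
# Words used in this thread's lures to make an executable read as a document.
DOCUMENT_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "invoice", "fax",
                  "statement", "docs", "details", "remittance"}


def lure_reasons(filename):
    """Return the reasons one file name looks like a disguised executable."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext if dot else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # "invoice_pdf.exe", "FAX_2015..._176.exe": a document hint before the real extension
        hints = stem.replace("_", ".").replace("-", ".").replace(" ", ".").split(".")
        if any(h in DOCUMENT_WORDS for h in hints):
            reasons.append("document name used to disguise executable")
    return reasons


def scan_attachment(filename, data):
    """Scan one attachment (name plus raw bytes); return a list of (path, reason)."""
    findings = [(filename, r) for r in lure_reasons(filename)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # OOXML documents (.docx/.docm/.xlsm) are zips too: a vbaProject.bin part
            # means the document carries VBA macros, which is what the doc/xls runs rely on.
            if any(n.endswith("vbaProject.bin") for n in names):
                findings.append((filename, "Office document contains VBA macro project"))
            for member in names:
                if member.endswith("/"):
                    continue
                for r in lure_reasons(member):
                    findings.append((f"{filename}!{member}", r))
    return findings


def build_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for the attachment names quoted in the thread.
SAMPLES = {
    "invoice.zip": build_zip({"invoice_pdf.exe": b"MZ-placeholder"}),
    "JP Morgan Access - Secure.zip": build_zip({"JP Morgan Access - Secure.scr": b"MZ-placeholder"}),
    "PO-2015-0123.jar": build_zip({"META-INF/MANIFEST.MF": b"", "Loader.class": b""}),
    "Brochure2.docm": build_zip({"[Content_Types].xml": b"<x/>", "word/vbaProject.bin": b"\x00"}),
    "quarterly.docx": build_zip({"word/document.xml": b"<w/>"}),
    "shipping-details.chm": b"ITSF-placeholder",
    "readme.txt": b"hello",
}


def scan_all(samples=SAMPLES):
    """Scan every sample; return {attachment name: findings} for those that fired."""
    report = {}
    for name, data in samples.items():
        found = scan_attachment(name, data)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, findings in scan_all().items():
        for path, reason in findings:
            print(f"{path}: {reason}")
```

The name check deliberately runs on archive members, not only on the outer attachment, because the outer file in every run above is an innocuous-looking .zip; the .jar case shows that the archive itself can be the executable.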


#1410 AplusWebMaster


Posted 05 March 2015 - 07:27 AM

FYI...

Fake 'Brochure' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
5 Mar 2015 - "'Brochure2.doc' pretending to come from  Bobby Drell <rob@ abbottpainting .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please change the year to 2015.
    Please confirm receipt
    Thanks
    Bobby Drell


5 March 2015 : Brochure2.doc - Current Virus total detections: 1/57* ... the malicious macro connects to & downloads data.gmsllp.com/js/bin.exe (dridex banking Trojan) which is saved as %Temp%\324235235.exe that has a virus total rate of 2/57** ... So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1425549729/

**  https://www.virustot...sis/1425550694/

- http://blog.dynamoo....obby-drell.html
5 Mar 2015
"... Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
"
___

Fake Natwest SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
5 Mar 2015 - "'RE: Incident IM00491288' pretending to come from Kevin Otero <Kevin.Otero@ bankline .natwest .com> with a zip attachment is another one from the current bot runs... different random names. So far names and email addresses seen are
    Kevin Otero <Kevin.Otero@ bankline .natwest .com>
    Collin Stovall <Collin.Stovall@ bankline .natwest .com>
    Lavern Olsen <Lavern.Olsen@ bankline .natwest .com>
    Rae Bouchard <Rae.Bouchard@ bankline .natwest .com>
    Nadine Kerr <Nadine.Kerr@bankline .natwest .com>
... The email looks like:
Good Afternoon ,
 Attached are more details regarding your account incident.
 Please extract the attached content and check the details.
 Please be advised we have raised this as a high priority incident and will endeavour to resolve it as soon as possible. The incident reference for this is IM00491288.
 We would let you know once this issue has been resolved, but with any further questions or issues, please let me know.
 Kind Regards,
 Kevin Otero
 Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th Floor, 1 ...


5 March 2015: Incident IM00491288.zip: Extracts to:  IM0743436407_pdf.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425548558/
___

Fake Invoice SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
5 Mar 2015 - "'Alpro Invoice(s): 7985974765' pretending to come from Alpro <carmel@ alpro .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...15/03/Alpro.png

5 March 2015 : invoice7985974765.zip: Extracts to:  invoice7985974765.exe
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425547819/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 05 March 2015 - 07:50 AM.



#1411 AplusWebMaster


Posted 06 March 2015 - 06:09 AM

FYI...

Fake IRS SPAM - doc malware
- http://blog.dynamoo....ctronic-ip.html
6 Mar 2015 - "This -fake- IRS email comes with a malicious attachment.
    From:    Internal Revenue Service [refund.noreply@ irs .gov]
    Date:    6 March 2015 at 08:48
    Subject:    Your 2015 Electronic IP Pin!
    Dear Member
    This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.
    Please kindly download the microsoft file to securely review it.
    Thanks
    Internal Revenue Service ...


... attachment TaxReport(IP_PIN).doc ... there are usually several different versions[1]. Currently this is -undetected- by AV vendors*. This contains a malicious macro... which downloads a component from the following location:
http ://chihoiphunumos .ru/js/bin.exe
There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55**. Automated analysis tools... show attempted connections to:
92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
According to the Malwr report this executable drops another version of itself [VT 1/56***] and a malicious DLL [VT 2/56****].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
104.232.32.119
87.236.215.103
"

* https://www.virustot...sis/1425632162/

** https://www.virustot...sis/1425632174/

*** https://www.virustot...sis/1425632946/

**** https://www.virustot...sis/1425632950/

[1] http://myonlinesecur...dsheet-malware/
6 Mar 2015
Screenshot: http://myonlinesecur...onic-IP-Pin.png
___

Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
6 Mar 2015 - "'Mick George Invoice 395687 for Dudley Construction Ltd' pretending to come from Mick George Invoicing <mginv@ mickgeorge .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These emails today, so far, are all malformed and broken. Every copy that I have received appears garbled and doesn’t actually have an attachment. Some mail servers will be configured to repair the damage and deliver the email in its full glory, where it will potentially infect you. This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus...

Screenshot: http://myonlinesecur...rge-invoice.png

... the malware payload will be identical to today’s other malicious office document run Internal Revenue Service Your 2015 Electronic IP Pin! – word doc or excel xls spreadsheet malware*. We do notice that the bad guys are using 2 or 3 subjects and email templates but using the same malware that has been -renamed- ...
Edit: I have managed to extract the malware payload from a quarantined copy on the server and can confirm that it is the -same- malware payload as today’s other run although renamed as Invoice395687.DOC . So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
* http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....ice-395687.html
6 Mar 2015 - "This -malformed- spam is meant to have a malicious attachment... This malware and the payload it drops is identical to the one found in this -fake- IRS spam run* earlier today..."
* http://blog.dynamoo....ctronic-ip.html
___

Fake Bankline SPAM - malware
- http://blog.dynamoo....ceived-new.html
6 Mar 2015 - "This -fake- banking spam leads to malware.
    From:    Bankline [secure.message@ business .natwest .com]
    Date:    6 March 2015 at 10:36
    Subject:    You have received a new secure message from BankLine
    You have received a secure message.
    Your Documents have been uploaded to Cubby cloud storage.
    Cubby cloud storage  is a cloud data service powered by LogMeIn, Inc.
    Read your secure message by following the link bellow: ...
    <redacted> ...
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 8719.
    First time users - will need to register after opening the attachment...


This downloads a ZIP file from cubbyusercontent .com which contains a malicious executable Business Secure Message.exe which has a VirusTotal detection rate of just 1/57*. Automated analysis tools... show attempted connections to the following URLs:
http ://all-about-weightloss .org/wp-includes/images/vikun.png
http ://bestcoveragefoundation .com/wp-includes/images/vikun.png
http ://190.111.9.129 :14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http ://190.111.9.129 :14249/0603no11/HOME/41/7/4/
It also appears that there is an attempted connection to 212.56.214.203.
Of all of these IPs, 190.111.9.129 (Navega.com, Guatemala) is the most critical to -block-.
It is also a characteristic of this malware (Upatre/Dyre) that it connects to checkip.dyndns .org to work out the IP address of the infected machine, it is worth checking for traffic to this domain. The Malwr report shows several dropped files, including fyuTTs27.exe which has a VirusTotal detection rate of 4/57**."
* https://www.virustot...sis/1425640773/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
190.111.9.129: https://www.virustot...29/information/
192.254.186.169: https://www.virustot...69/information/
46.151.254.183: https://www.virustot...83/information/
5.178.43.49: https://www.virustot...49/information/
212.56.214.203: https://www.virustot...03/information/
UDP communications
74.125.200.127: https://www.virustot...27/information/

** https://www.virustot...sis/1425641282/
___

Fake HSBC SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
6 Mar 2015 - "'HSBC Payment' pretending to come from HSBC <no-replay@ hsbc .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...SBC-Payment.png

6 March 2015: HSBC-2739.zip: Extracts to: HSBC-2739.exe
Current Virus total detections: 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425636158/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
190.111.9.129: https://www.virustot...29/information/
5.10.69.232: https://www.virustot...32/information/
190.111.9.129: https://www.virustot...29/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
77.72.169.167: https://www.virustot...67/information/
77.72.169.166: https://www.virustot...66/information/
___

Fake Gateway SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
6 Mar 2015 - "'Your online Gateway .gov .uk Submission' pretending to come from Gateway .gov.uk <ruyp@ bmtrgroup .com> with a link to download a zip attachment is another one from the current bot runs... The email looks like:
Your online Gateway .gov.uk Submission
Government Gateway logo
Electronic Submission Gateway
Thank you for your submission for the Government Gateway.
The Government Gateway is the UK’s centralized registration service for e-Government services.
To view/download your form to the Government Gateway please visit http ://www.gateway .gov.uk/
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
gov .uk - the best place to find government services and information - Opens in new window
The best place to find government services and information


The link in the email leads to... the same malware as today’s run of 'You have received a new secure message from BankLine' -fake- PDF malware*.
* http://myonlinesecur...ke-pdf-malware/
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Cryptowall, again!
- https://isc.sans.edu...l?storyid=19427
Last Updated: 2015-03-06 - "A new variant of Cryptowall (an advanced version of Cryptolocker) is now using a malicious .chm file attachment to infect systems. According to net-security.org*, Bitdefender labs has found a -spam- wave that spread malicious .chm attachments. CHM is the compiled version of HTML that supports technologies such as JavaScript which can -redirect- a user to an external link. “Once the content of the .chm archive is accessed, the malicious code downloads from this location http :// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process”..."
* http://net-security....ews.php?id=2981
Mar 5, 2015
> http://www.net-secur...towall-calc.jpg
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 06 March 2015 - 05:46 PM.

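The Dynamoo write-ups quoted in this thread end with a recommended blocklist of CIDR ranges and single IPs, and the Bankline post adds that Upatre/Dyre looks up its own address via checkip.dyndns.org, so traffic to that name is worth checking for. The script below is an added example (not code from this thread or the blogs it quotes) of turning those indicators into a detection pass over connection logs: the blocklist is loaded with the standard library ipaddress module so a single observed address such as 92.63.87.13 is matched against the covering range 92.63.84.0/22 rather than by string equality, and DNS queries are matched against a watch list. The log line format, the internal hosts and the timestamps are constructed for the example; the blocklist entries and the watch domain are the ones quoted on this page.

```python
"""Match connection and DNS log lines against the thread's blocklists.

Added example: not the thread's or the quoted blogs' own code. Log lines are
constructed; the indicator values are the ones quoted in the posts above.
"""
import ipaddress
import re

# Ranges and hosts from the Dynamoo recommended blocklists quoted above.
BLOCKLIST = [
    "92.63.82.0/23", "92.63.84.0/22", "92.63.88.0/24", "95.163.121.0/24",
    "104.232.32.119", "87.236.215.103", "108.61.198.33", "190.111.9.129",
]
# Name the Bankline post says Upatre/Dyre contacts to learn its external IP.
WATCH_DOMAINS = {"checkip.dyndns.org"}

# Keep the original entry text next to the parsed network so alerts quote the list verbatim.
NETWORKS = [(entry, ipaddress.ip_network(entry, strict=False)) for entry in BLOCKLIST]

# Constructed firewall/DNS log shape: one line per event, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) "
    r"(?:dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)|query=(?P<qname>\S+))"
)


def blocked_by(ip):
    """Return the blocklist entry that covers ip, or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    for entry, net in NETWORKS:
        if addr in net:
            return entry
    return None


def scan_log(lines):
    """Return (src, indicator, reason) alerts for lines hitting the blocklist or watch list."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["dst"]:
            entry = blocked_by(m["dst"])
            if entry:
                alerts.append((m["src"], m["dst"], f"blocklisted by {entry}"))
        elif m["qname"] and m["qname"].lower().rstrip(".") in WATCH_DOMAINS:
            alerts.append((m["src"], m["qname"], "IP-lookup service used by Upatre/Dyre"))
    return alerts


def infected_hosts(alerts):
    """Sorted internal sources that produced at least one alert."""
    return sorted({src for src, _, _ in alerts})


# Constructed sample log: one host behaving like the Bankline sample, one clean host.
SAMPLE_LOG = """\
2015-03-06T10:40:58Z src=10.0.0.23 query=checkip.dyndns.org
2015-03-06T10:41:02Z src=10.0.0.23 dst=92.63.87.13 dport=443 proto=tcp
2015-03-06T10:41:05Z src=10.0.0.23 dst=190.111.9.129 dport=14248 proto=tcp
2015-03-06T10:41:09Z src=10.0.0.45 dst=93.184.216.34 dport=443 proto=tcp
2015-03-06T10:41:12Z src=10.0.0.45 query=example.com
""".splitlines()


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for src, indicator, reason in hits:
        print(f"{src} -> {indicator}: {reason}")
    print("hosts to isolate:", infected_hosts(hits))
```

Matching by network rather than by exact address is the point of the /22 and /23 entries: the samples in this thread reached 92.63.87.13, but the recommended list covers the surrounding ranges, and a string comparison against the single observed IP would miss the next host in the same block.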


#1412 AplusWebMaster


Posted 09 March 2015 - 08:29 AM

FYI...

Fake 'Statement' SPAM - doc malware
- http://myonlinesecur...ke-pdf-malware/
9 Mar 2015 - "'Statement from MARKETING & TECHNOLOGY GROUP, INC.' pretending to come from TECHNOLOGY GROUP <rwilborn@ mtgmediagroup .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer :
Your statement is attached. Please remit payment at your
earliest convenience.
Thank you for your business – we appreciate it very
much.
Sincerely,
MARKETING & TECHNOLOGY GROUP, INC

 

9 March 2015: docs2015.zip: Extracts to:  docs2015.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425899308/
___

Fake 'Credit Application' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Mar 2015 - "'Emailing: Serv-Ware Credit Application.pdf' with a zip attachment pretending to come from clint@ servware .com is another one from the current bot runs... The email looks like:

Thanks,
Clint Winstead
Manager
Serv-Ware Products
clint@ servware .com
phone: 800.768.5953
fax   : 800.976.1299 ...


9 March 2015: Serv-WareCreditApplication.zip: Extracts to: Serv-WareCreditApplication.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425915088/
... Behavioural information
TCP connections
75.127.114.162: https://www.virustot...62/information/
UDP communications
77.72.174.163: https://www.virustot...63/information/
77.72.174.162: https://www.virustot...62/information/
___

Paypal PHISH
- http://myonlinesecur...ow‏-phishing/
8 Mar 2015 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
    Confirmation of Order
    your PayPal account is limited – take action now‏


Screenshot: http://myonlinesecur...-action-now.png

This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
 



Edited by AplusWebMaster, 09 March 2015 - 11:22 AM.



#1413 AplusWebMaster

Posted 10 March 2015 - 09:56 AM

FYI...

Fake 'PMQ agreement' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 Mar 2015 - "'2015 PMQ agreement' pretending to come from linda@ pmq .com with a zip attachment is another one from the current bot runs... The email looks like:
HI
I have Not received your signed contract for the 2015 ad campaign. If you would please sign and return.
Thank you
Linda

Watch our 2015 PMQ Media Kit here ...
PMQ Pizza Magazine
Linda Green / Co-Publisher
(662)234-5481 ext 121 / linda.pmq@ gmail .com
cell (662)801-5495
PMQ Pizza Magazine Office: 662-234-5481 x121 / Fax: 662-234-0665
605 Edison Street, Oxford, MS 38655 ...
Don’t forget to renew your subscription to the magazine at ...


10 March 2015 : American_Wholesale.zip: Extracts to: American_Wholesale.exe
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425997192/
... Behavioural information
___

Fake Companies House Spam
- http://threattrack.t...nies-house-spam
Mar 10, 2015 - "Subjects Seen
    IMPORTANT - Confidential documents
Typical e-mail details:
    To: <email address>
    Case: C6964454
    Please scan attached document and fax it to +44 (0)303 1234 538 .
    All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +44 (0)303 1234 592 or email enquiries@ gov.uk This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message.
    Yours faithfully
    Craig Fitzgerald
    Senior Manager
    Companies House


Malicious File Name and MD5:
    CASE_CAN-03219.exe (254A312A0D8217BED3FA4F4AE3863E37)


Screenshot: https://gs1.wac.edge...QEJE1r6pupn.png

Tagged: Companies House, Upatre
___

Apple Watch Giveaway Spam Clocks In on Twitter
- https://blog.malware...-in-on-twitter/
Mar 10, 2015 - "Twitter users should be aware that mentioning the new Apple Watch could result in -spam- headed their way:
> https://blog.malware...3/watchspm0.jpg
... The so-called Apple Giveaways profile says the following in its Bio space:
> https://blog.malware...3/watchspm6.jpg
It may sound promising, but what follows is a semi-exhausting jaunt around a couple of different websites with instructions to follow along the way... What we do end up with is a wall of text on a Facebook page with some very specific hoops to jump through in order to obtain the watch... they claim they’ll direct message within 72 hours with a “confirmation link”. The creation date for the website is listed as March 9th, and the Whois details are hidden behind a Whoisguard so there’s no way to know who you’re sending your information to... this seems like a long shot in terms of “winning” the incredibly expensive watch..."
 



Edited by AplusWebMaster, 10 March 2015 - 04:21 PM.



#1414 AplusWebMaster

Posted 11 March 2015 - 07:31 AM

FYI...

Fake 'Tax rebate' SPAM – doc or xls malware
- http://myonlinesecur...dsheet-malware/
11 Mar 2015 - "'Your Tax rebate' pretending to come from HMRC Revenue&Customs with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
HM revenue
Dear ...
After the last yearly computations of your financial functioning we have defined that you
have the right to obtain a tax rebate of 934.80.
Please confirm the tax rebate claim and permit us have
6-9 days so that we execute it.
A rebate can be postponed for a variety of reasons.
For instance confirming unfounded data or applying
not in time.
To access the form for your tax rebate, view the report attached. Document Reference: (983EMI).
Regards,
HM Revenue Service. We apologize for the inconvenience...


The malware payload with this template is same as today’s "Your Remittance Advice [FPAEEKBYQU] – Word doc malware"* . So far I am only seeing 1 version of this malware..."
* http://myonlinesecur...rd-doc-malware/

- http://blog.dynamoo....nce-advice.html
11 Mar 2015
"... Recommended blocklist ..."
___

Fake 'Remittance' SPAM - doc or xml malware
- http://myonlinesecur...rd-doc-malware/
11 Mar 2015 - "'Your Remittance Advice [FPAEEKBYQU] (random characters)' coming from random names and email addresses with a malicious word doc or xml attachment is another one from the current bot runs... The email looks like:
Good Morning,
Please find attached the BACS Remittance Advice for payment made by FORUM ENERGY.
Please note this may show on your account as a payment reference of FPANJRCXFM.
Kind Regards
Marilyn Aguilar
Accounts Payable


11 March 2015 : Rem_7656CN.xml - Current Virus total detections: 2/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426068203/
___

Fake blank body SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
11 Mar 2015 - "'inv.09.03' pretending to come from Jora Service <jora.service@ yahoo .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally empty-body with just the attachment.

11 March 2015 : INV 86-09.03.2015.doc - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
* https://www.virustot...sis/1426067908/
___

Fake 'admin.scanner' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
11 Mar 2015 - "'Message from RNP0026735991E2' pretending to come from admin.scanner@ <your own email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    This E-mail was sent from “RNP0026735991E2″ (MP C305).
     Scan Date: 11.03.2015 08:57:25 (+0100)
    Queries to: admin.scanner@ ...


11 March 2015 : 201503071457.xls - Current Virus total detections: 0/56*
This looks like it is the same malware payload as today’s 'inv.09.03 Jora Service' – word doc or excel xls spreadsheet malware**..."
* https://www.virustot...sis/1426068752/

** http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....ssage-from.html
11 Mar 2015
"... Recommended blocklist ..."
___

Fake 'Rate Increase' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Mar 2015 - "'Please' pretending to come from Phoenix <phoenix@ pnjinternational .com> with a zip attachment is another one from the current bot runs... The email looks like:
Good Afternoon,
Please find attached notice regarding carriers pre-filing for an additional General Rate Increase for effective date of April 9, 2015. Please note, we are advising you of this filing in order to comply with FMC regulations. However, we feel it is unlikely that the carriers will be successful in implementing this increase, especially since the March 9th GRI has already been postponed to March 17th.  We will continue to keep you updated as we receive additional information pertaining to these filed rate increases.
Phoenix Zhang-Shin
Director
P & J International Ltd
Calverley House, 55 Calverley Road
Tunbridge Wells, Kent, UK TN1 2TU ...


11 March 2015: documents-id323.zip: Extracts to: documents-id323.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426081018/
... Behavioural information
___

Fake Voicemail SPAM - malicious attachment
- http://blog.dynamoo....il-message.html
11 Mar 2015 - "When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
     From:     Voicemail admin@ victimdomain
    Date:     11/03/2015 11:48
    Subject:     Voicemail Message (07813297716) From:07813297716
    IP Office Voicemail redirected message
    Attachment: MSG00311.WAV.ZIP


The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57*. According to the Malwr report, it pulls down another executable and some config files from:
http ://wqg64j0ei .homepage.t-online .de/data/log.exe
http ://cosmeticvet .su/conlib.php
This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicious macros rather than EXE-in-ZIP attacks.
The executable it drops has a detection rate of 2/54**... Malwr reports ... show a further component download from:
http ://muscleshop15 .ru/js/jre.exe
http ://test1.thienduongweb .com/js/jre.exe
This component has a detection rate of 5/57***. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57**** which is the same Dridex binary we've been seeing all day. Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:
... Recommended blocklist ..."
* https://www.virustot...sis/1426091260/

** https://www.virustot...sis/1426091556/

*** https://www.virustot...sis/1426092316/

**** https://www.virustot...sis/1426093429/
 



Edited by AplusWebMaster, 11 March 2015 - 02:27 PM.



#1415 AplusWebMaster

Posted 12 March 2015 - 07:17 AM

FYI...

Fake Invoice SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
12 Mar 2015 - "'Invoice [random numbers] for payment to <random company>' coming from random names and companies with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a totally blank-body and just a word or excel attachment with a random name...

11 March 2015 : 6780MHH.doc - Current Virus total detections: 0/56*
... which connects to & downloads https ://92.63.88.102 /api/gb1.exe which in turn is saved as %temp%\dsfsdfsdf.exe (virus total**). So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426151513/

** https://www.virustot...sis/1426156982/
... Behavioural information
TCP connections
95.163.121.33: https://www.virustot...33/information/

92.63.88.102: https://www.virustot...02/information/

- http://blog.dynamoo....234xyz-for.html
12 March 2015
"...Recommended blocklist ..."
___

Fake Voicemail SPAM - malware
- http://myonlinesecur...e-mail-malware/
12 Mar 2015 - "'You have received a voice mail' pretending to come from Voicemail Report <no-reply@ voicemail-delivery .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-voice-mail.png

12 March 2015: VOICE8411-263-481.zip: Extracts to:  VOICE8411-263-481.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper sound file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426165959/
___

Facebook Worm variant leverages Multiple Cloud Services
- https://blog.malware...cloud-services/
Mar 12, 2015 - "... We came across a worm that we think belongs to the -Kilim- family and whose purpose is to compromise a user and spread via Facebook. The lure is the promise of pornographic material that comes as what appears to be a video file named Videos_New.mp4_2942281629029.exe, which in reality is a malicious program. Once infected, the victim spreads the worm to all of his contacts and groups that he belongs to... The bad guys have built a multi-layer redirection architecture that uses the ow .ly URL shortener, Amazon Web Services and Box .com cloud storage.
> https://blog.malware...015/03/flow.png
... We identified three domains involved in the configuration and update mechanism for the worm:
- videomasars .healthcare | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
- porschealacam .com | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
- hahahahaa .com | Enom, whoisguard Protected, Panama |AS13335 CLOUDFLARENET
... This is a malicious file (Trojan) hosted on the popular cloud storage Box. Malwarebytes Anti-Malware detects it as Trojan.Agent.ED (VirusTotal link*). This binary is responsible for downloading additional resources (the worm component) from another resource (porschealacam .com). Here we find a malicious Chrome extension (VirusTotal link**) and additional binaries (scvhost.exe*** and son.exe****). Additional code is retrieved by the piece of malware (perhaps in case the user does not have the Chrome browser) from a third site, hahahahaa .com, to spread the worm via Facebook ... a rogue Chrome extension is injected but that is not all. The malware also creates a shortcut for Chrome that actually launches a malicious app in the browser directly to the Facebook website... In this ‘modified’ browser, attackers have full control to capture all user activity but also to restrict certain features. For example, they have disabled the extensions page that one can normally access by typing chrome://extensions/, possibly in an attempt to -not- let the user disable or remove the malicious extension. Clearly, the crooks behind this Facebook worm have gone to great lengths to anonymize themselves but also to go around browser protection by creating their own booby-trapped version.
We have reported the various URLs to their respective owners and some have already been shut down. However, we still urge caution before clicking on any link that promises free prizes or sensational items. Once again the bad guys are leveraging human nature and while we do not know how many people fell for this threat, we can guess that it most likely affected a significant number of Facebook users."
(More detail at the malwarebytes URL above.)
* https://www.virustot...sis/1426093312/

** https://www.virustot...sis/1426051972/

*** https://www.virustot...sis/1426093308/

**** https://www.virustot...sis/1426093310/

91.121.114.211: https://www.virustot...11/information/
 



Edited by AplusWebMaster, 12 March 2015 - 04:04 PM.



#1416 AplusWebMaster

Posted 13 March 2015 - 08:31 AM

FYI...

Malware targets home networks/router
- https://isc.sans.edu...l?storyid=19463
2015-03-13 - "Malware researchers at Trend Micro* have analyzed a malware that connects to the home router, scans the home network, then sends the gathered information to C&C before deleting itself. TROJ_VICEPASS.A** pretends to be an Adobe Flash update; once it's run it will attempt to connect to the home router admin console using a predefined list of user names and passwords. If it succeeds, the malware will scan the network for connected devices. The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11 - this IP range is hard-coded. Once the scans finish it will encode the result using Base64 and encrypt it using a self-made encryption method. The encrypted result will be sent to a C&C server via HTTP protocol. After sending the results to the Command and Control server (C&C), it will delete itself from the victim’s computer... This type of malware infection can be avoided using very basic security techniques such as downloading updated software from trusted sources only and changing the default password."
* http://blog.trendmic...r-home-network/
Mar 9, 2015 - "... We recently came across one malware, detected as TROJ_VICEPASS.A**, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it will send the information to a command-and-control (C&C) server and deletes itself from the computer:
Infection chain:
> http://blog.trendmic...3/vicepass1.png
Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update...
Site hosting fake Adobe Flash update:
> http://blog.trendmic...3/vicepass2.png
Fake Flash update:
> http://blog.trendmic...3/vicepass3.png
Once the malware is executed, it attempts to connect to the connected router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices... The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, which are IP addresses which are assigned by home routers. The target range is hard-coded. A look at the internal log format reveals such:
    Find router IP address – start
    Searching in 192.168.0.0 – 192.168.0.11
    [0] connect to 192.168. 0.0
    URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’
    …. (skip)
    Find router IP address – end
We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices cannot have an HTTP open panel. However, it should be noted that the strings focus more on routers..."
(More detail at the Trend Micro URLs, including the usernames and passwords used.)
** http://www.trendmicr...troj_vicepass.a
___

Fake Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
13 Mar 2015 - "'Penta Foods Invoice: 2262004' pretending to come from cc446@ pentafoods .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached invoice : 2262004
    Any queries please contact us.
   —
    Automated mail message produced by DbMail.
    Registered to Penta Foods, License MBA2009357.


13 March 2015 : R-1179776.doc  - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426236749/

- http://blog.dynamoo....om-invoice.html
13 Mar 2015
"... Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12
"
___

More Fake Invoice SPAM - malware
- http://blog.dynamoo....032015-for.html
13 March 2015 - "There is a -series- of malware spams in progress in the following format:
Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC


Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run[1] yesterday and one new one with zero detections* which contains (a) malicious macro, which downloads another component from:
http ://95.163.121.186 /api/gbb1.exe
This is saved as %TEMP%\GHjkdfg.exe ... this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53** and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood. The binary also drops a malicious Dridex DLL with a detection rate of 5/56***. This is the same DLL as used in this spam run[2] earlier today.
Recommended blocklist:
95.163.121.0/24 "
* https://www.virustot...sis/1426257108/

** https://www.virustot...sis/1426254512/

*** https://www.virustot...sis/1426257698/

1] http://blog.dynamoo....234xyz-for.html

2] http://blog.dynamoo....om-invoice.html

95.163.121.186: https://www.virustot...86/information/

95.163.121.33: https://www.virustot...33/information/
___

Upatre update: infection chain and affected countries
- http://blogs.technet...-countries.aspx
12 Mar 2015 - "... Detection rates for these countries is as follows:
> http://www.microsoft...UpatreTable.jpg "
 



Edited by AplusWebMaster, 14 March 2015 - 04:02 PM.



#1417 AplusWebMaster

Posted 14 March 2015 - 03:26 PM

FYI...

Quttera - false positives everywhere
- http://blog.dynamoo....-positives.html
14 Mar 2015 - "By chance, I found out that my blog had been blacklisted by Quttera[1]. No big deal, because it happens from time-to-time due to the nature of the content on the site. But I discovered that it isn't just my blog, but Quttera also blocks industry-leading sites such as Cisco*, VMWare, Sophos, MITRE, AVG and Phishtank...
* https://1.bp.blogspo...o-blacklist.png
... Now, you can ask Quttera to unblacklist your site for -free- by raising a ticket[2] but the most prominent link leads to a paid service for £60/year. Hmmm.
> https://4.bp.blogspo...600/quttera.png
I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use; some of these sites should obviously be whitelisted. Quttera also doesn't understand the difference between a malicious domain or IP being mentioned and such a site being linked to or injected into a site. I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments..."
1] http://www.quttera.com/

2] https://helpdesk.quttera.com/open.php
 



Edited by AplusWebMaster, 14 March 2015 - 03:29 PM.



#1418 AplusWebMaster

Posted 16 March 2015 - 08:23 AM

FYI..

Fake Invoice SPAM - PDF malware
- http://myonlinesecur...n-sons-malware/
16 Mar 2015 - "'CREDIT 89371' pretending to come from JamesKernohanandSons <jkernohans62244@ hotmail .com> with a zip attachment is supposed to be another one from the current bot runs...
Screenshot: http://myonlinesecur...REDIT-89371.png

... Update: ... the attached word doc is malicious... It connects to 212.143.213.133 /content/js/bin.exe (Virus Total*)... Further update: ... some copies of this email have the -same- malware attachment as Attached invoice from CMP – fake PDF malware**..."
* https://www.virustot...sis/1426502722/

212.143.213.133: https://www.virustot...33/information/

** http://myonlinesecur...ke-pdf-malware/
16 Mar 2015 - "'Attached invoice from CMP' pretending to come from noreply@ cmpireland .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecur...ce-from-CMP.png

16 March 2015: ICI151586.PDF.ZIP: Extracts to: INVOICE_89371.PDF.exe - Current Virus total detections: 9/57*
Update: Also getting word doc attachments - ICI151586.DOC - Current Virus total detections: 2/57**
(... same malware payload as CREDIT 89371 James Kernohan & Sons – malware... Confirmed as -same- payload although from a different download location 03740b7.netsolhost .com/js/bin.exe which is saved as %temp%\lUtsca32.exe (virus total***) . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426499520/

** https://www.virustot...sis/1426502121/

*** https://www.virustot...sis/1426503751/

208.91.197.128: https://www.virustot...28/information/
___

Fake 'Receipt' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Mar 2015 - "'Successful Receipt of Online Submission for Reference 5071910' [random reference numbers] pretending to come from noreply@ hmrc .gov .uk with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nce-5071910.png

16 March 2015: Ref_5071910.zip: Extracts to: Ref_AN004LO87.scr
Current Virus total detections: 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426509399/
___

Fake 'Outstanding Invoices' SPAM - doc malware
- http://myonlinesecur...dsheet-malware/
16 Mar 2015 - "'Outstanding invoices – 672751 February' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Sirs,
     Kindly find attached our reminder and copy of the relevant invoices.
    Looking forward to receive your prompt payment and thank you in advance.
     Kind regards
    Tania Sosa


16 March 2015 : 672751.doc - Current Virus total detections: 0/56*
... previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426514043/
 



Edited by AplusWebMaster, 16 March 2015 - 09:27 AM.
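The trick running through these reports is the same each time: a .exe or .scr inside a ZIP, named so the icon and the visible part of the name look like a PDF or sound file. The check below is an added example, not code from the quoted blogs; the attachment names (ICI151586.PDF.ZIP, INVOICE_89371.PDF.exe, Ref_AN004LO87.scr) are borrowed from this post, while the file bytes and message are constructed stubs, not real samples.

```python
"""Flag ZIP attachments whose members are executables dressed up as documents."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs even when the icon looks like a document or sound file.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".chm"}
# "Decoy" extensions that sit in front of the real one in a double extension.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".txt", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable
PE_REASON = "PE header (MZ) under a non-executable extension"


def classify_name(name: str) -> list[str]:
    """Return the reasons a member name looks like a disguised executable."""
    reasons: list[str] = []
    base = name.lower().rsplit("/", 1)[-1]      # ignore any directory part
    parts = base.split(".")
    if len(parts) < 2:
        return reasons                           # no extension at all
    exts = ["." + p for p in parts[1:]]
    last = exts[-1]
    if last in EXECUTABLE_EXT:
        reasons.append(f"executable extension {last}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            reasons.append(f"double extension {exts[-2]}{last}")
    return reasons


def classify_bytes(name: str, head: bytes) -> list[str]:
    """Combine the name check with a look at the first bytes of the content."""
    reasons = classify_name(name)
    # A PE file renamed to .doc or .pdf is still a PE file; the name check misses it.
    if head.startswith(PE_MAGIC) and not any(r.startswith("executable") for r in reasons):
        reasons.append(PE_REASON)
    return reasons


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map every file member of a ZIP to its findings (empty list = nothing found)."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)                # only the magic bytes are needed
            findings[info.filename] = classify_bytes(info.filename, head)
    return findings


def inspect_email(raw: bytes) -> dict[str, dict[str, list[str]]]:
    """Walk a raw RFC 822 message and inspect each attachment, opening ZIPs."""
    result: dict[str, dict[str, list[str]]] = {}
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename()
        if not fname:
            continue                             # body parts carry no filename
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK") and fname.lower().endswith(".zip"):
            result[fname] = inspect_zip(payload)
        else:
            result[fname] = {fname: classify_bytes(fname, payload[:2])}
    return result


def build_sample_zip() -> bytes:
    """Constructed ZIP with members modelled on this thread's reports."""
    fake_pe = PE_MAGIC + b"\x90\x00" * 30        # constructed stub, not a real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE_89371.PDF.exe", fake_pe)   # spoofed PDF icon, real .exe
        zf.writestr("Ref_AN004LO87.scr", fake_pe)       # screensaver = executable
        zf.writestr("statement.doc", fake_pe)           # PE bytes behind a .doc name
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%benign")  # genuine-looking document
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed message carrying the sample ZIP the way such spam does."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Attached invoice"
    msg.set_content("Please find attached invoice.")
    msg.add_attachment(build_sample_zip(), maintype="application",
                       subtype="zip", filename="ICI151586.PDF.ZIP")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, members in inspect_email(build_sample_email()).items():
        for member, reasons in members.items():
            print(f"{attachment} -> {member}: {'; '.join(reasons) or 'ok'}")
```

The content check matters because the macro-based runs in the same thread deliver a PE under a .doc name; a filter keyed only on the visible extension would pass it.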



#1419 AplusWebMaster

Posted 17 March 2015 - 08:50 AM

FYI...

Fake Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 Mar 2015 - "'Invoice from Linsen Parts Ltd' pretending to come from Linsen Parts UK Ltd <mark62618@ linsenparts .co.uk> (random numbers after mark) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...n-Parts-Ltd.png

17 March 2015 : Invoice-3709.doc - Current Virus total detections: 2/57* | 2/57** | 2/57*** which downloads from piotrkochanski .cba.pl/js/bin.exe (and other locations) and is a Dridex banking Trojan (VirusTotal)[4].
I am seeing 3 versions of this malware, but previous campaigns over the last few weeks have delivered 3, 4 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426579380/

** https://www.virustot...sis/1426579237/

*** https://www.virustot...sis/1426580404/

4] https://www.virustot...sis/1426578803/
... Behavioural information
TCP connections
78.129.153.12: https://www.virustot...12/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

Fake 'Payment confirmation' SPAM - doc / xls malware
- http://myonlinesecur...dsheet-malware/
17 Mar 2015 - "'Payment confirmation ABL104' ( random numbers) coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Other subjects in today’s spam run with malicious word macro docs are:
    Transaction confirmation ZLZ240 ( random numbers)
    Confirmation for payment NZV088 ( random numbers)
    RE:Confirmation for payment OXP504  ( random numbers)
    RE:Transaction confirmation YVD711
This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus...

Screenshot: http://myonlinesecur...onfirmation.png

17 March 2015 : ABL104.doc - Current Virus total detections: 2/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426590334/
___

Fake 'Admin Exchange' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 Mar 2015 - "'Administrator – Exchange Email' pretending to come from you and your domain  Administrator@ ron .schorr ... with a zip attachment is another one from the current bot runs... The email pretends to come from the person it is addressed to and from your own email domain so looks like:
    ron.schorr,
     This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.
     Thank you,
    Administrator ...


17 March 2015: Exchange.zip: Extracts to:  Exchange.scr - Current Virus total detections:  5/52*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426607993/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
109.230.131.95: https://www.virustot...95/information/
213.186.33.82: https://www.virustot...82/information/
UDP communications
77.72.174.167: https://www.virustot...67/information/
77.72.174.166: https://www.virustot...66/information/
___

Fake Wells Fargo SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 Mar 2015 - "'FW: Customer account docs' pretending to come from Carrie L. Tolstedt <Carrie.Tolstedt@ wellsfargo .com> with link to a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ccount-docs.png

17 March 2015: SignedDocuments.zip: Extracts to: SignedDocuments.scr
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426610474/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
109.230.131.95: https://www.virustot...95/information/
198.23.48.157: https://www.virustot...57/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
77.72.169.165: https://www.virustot...65/information/
77.72.169.164: https://www.virustot...64/information/
 



Edited by AplusWebMaster, 17 March 2015 - 02:59 PM.

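Added example (not code from the SWI thread or from myonlinesecurity.co.uk): a small Python check that looks inside a zip attachment such as the Exchange.zip and SignedDocuments.zip above and reports executable content whatever icon or file name it carries, which is the check a mail gateway or a cautious user should apply before "show known file extensions" ever matters. The archive is constructed in memory; the member names copy the shapes seen in these runs, and the "executables" are two-byte MZ stubs, not real samples.

```python
"""Flag executable content inside a zip attachment, whatever icon or name it wears.

Constructed example: the archive is built in memory and the "executables"
are MZ stubs, not real samples.
"""
import io
import os
import re
import zipfile

# Extensions Windows runs on double-click: the ones seen in these spam runs
# (.exe, .scr, .js) plus common relatives.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf",
}
# Tokens that make a file name look like a document or picture.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "img", "pic"}


def name_findings(filename):
    """Reasons derived from the name alone (works even without the bytes)."""
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
        tokens = set(re.split(r"[^a-z0-9]+", root.lower())) - {""}
        mimicked = sorted(tokens & DOCUMENT_TOKENS)
        if mimicked:
            # e.g. invoice_pdf.exe: with extensions hidden, Explorer shows "invoice_pdf"
            reasons.append("name mimics a document/picture: " + ", ".join(mimicked))
    return reasons


def inspect_zip_bytes(data):
    """Return [{'name': ..., 'reasons': [...]}, ...] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            reasons = name_findings(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":                      # DOS/PE header
                reasons.append("PE header (MZ)")
                if ext not in EXECUTABLE_EXTENSIONS:
                    reasons.append("executable content behind a non-executable name")
            if reasons:
                findings.append({"name": os.path.basename(info.filename), "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed archive mirroring the attachment names in the posts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_pdf.exe", b"MZ" + b"\x90" * 62)       # fake PE, 'pdf' in the name
        zf.writestr("Exchange.scr", b"MZ" + b"\x00" * 62)          # fake PE screensaver
        zf.writestr("Resume Bobbie Rocha.js", b"// constructed script stub")
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 62)            # fake PE behind a .pdf name
        zf.writestr("notes.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_bytes(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

The archive verdict is simply "quarantine if any member has a finding"; the name check alone catches the spoofed-icon trick, and the MZ check catches the reverse trick of a real executable carrying a harmless-looking extension.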


#1420 AplusWebMaster

Posted 18 March 2015 - 06:16 AM

FYI...

HMRC Tax Refund - Phish ...
- http://myonlinesecur...ation-phishing/
18 Mar 2015 - "'Tax Refund Notification' is an email pretending to come from HM Revenue & Customs. One of the major common subjects in a phishing attempt is Tax returns, where especially in UK, you need to submit your Tax Return online before 31st December each year. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... The original email looks like this, and of course at this time of year (or anytime of year) we all need a few extra pennies and the offer of a tax refund is always welcome. It will NEVER be a genuine email from HMRC so don’t ever fill in the html ( webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine HMRC website. That is also false. This particular email has the entire content in an image and clicking anywhere on the image leads you to http ://taxrefundid778318ok.uleconstruction .com/ which in turn sends you on to http ://refund-hmrc.uk-6159368de39251d7a-login.id-107sbtd9cbhsbtd5d80a13c0db1f546757jnq9j5754675752240566.isteksut .com/IlOyTgNjFrGtHtEwVo/indexx.php
Both urls could easily be mistaken for genuine tax refund sites when you don’t take care and only look at the first part of the url & not the entire url... If you follow the link you see a webpage looking like this where they want your email address, name and date of birth.
> http://myonlinesecur...HMRC_phish1.png
They then pretend to do a search based on your name and email. Then you get sent on to the nitty gritty where they want all your banking and credit information. This obviously was created by a non UK person because the UK uses post codes & not zip codes, which should be an immediate alarm bell to somebody getting this far:
> http://myonlinesecur...-tax-refund.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fake 'Confirmation' SPAM – doc / xls malware
- http://myonlinesecur...dsheet-malware/
18 Mar 2015 - "'NWN Media Ltd Confirmation of Booking' pretending to come from  della.richards4732@ nwn. co.uk <della.richards@ nwn. co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-of-Booking.png

18 March 2015 : NWN Confirmation Letter.doc - Current Virus total detections: 3/57* | 3/57**
One version of this malicious macro tries to download deosiibude .de/js/bin.exe (... this is currently offline and most probably removed by its host). Other download sites are www .asociacecasin .com/js/bin.exe and pmmarkt .de/js/bin.exe, both downloading the same malware, which is saved as %temp%\frexobj86.exe (Virus Total***). So far I am only seeing 2 versions of this malware, but previous campaigns over the last few weeks have delivered 3, 4 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426671991/

** https://www.virustot...sis/1426671176/

*** https://www.virustot...sis/1426674582/

- http://blog.dynamoo....of-booking.html
18 Mar 2015
"... Recommended blocklist:
31.41.45.211
109.234.159.250
37.59.50.19
62.76.179.44
95.163.121.0/24
"
___

Fake 'unpaid invoice' SPAM - doc / xls malware
- http://myonlinesecur...dsheet-malware/
18 Mar 2015 - "'February unpaid invoice notification' pretending to come from numerous email addresses and names  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Alternative subjects seen today so far are:
    February unpaid invoice notification
    January unpaid invoice notification
    December unpaid invoice notification
This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a totally-blank-body with a randomly named word XML doc attachment...

18 March 2015 : 43GEB594.doc - Current Virus total detections: 0/57* | 0/57** |0/57***
So far I am seeing multiple versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426679613/

** https://www.virustot...sis/1426679518/

*** https://www.virustot...sis/1426679965/

- http://blog.dynamoo....id-invoice.html
18 Mar 2015
"... Recommended blocklist:
31.25.77.154
95.163.121.0/24
188.165.5.194
188.165.26.237
115.241.60.56
46.19.143.151
176.31.28.244
"
___

Fake 'Gateway gov' SPAM - zip/doc/rtf malware
- http://blog.dynamoo....tewaygovuk.html
18 Mar 2015 - "This spam leads to a malicious ZIP file hosted either on Dropbox or Cubby.
    From:    Gateway .gov .uk
    Date:    18 March 2015 at 13:19
    Subject:    Your online Gateway .gov .uk Submission
    Electronic Submission Gateway
    Thank you for your submission for the Government Gateway.
   The Government Gateway is the UK's centralized registration service for e-Government services.
    To view/download your form to the Government Gateway please visit ...
    This is an automatically generated email. Please do not reply as the email address is not
    monitored for received mail.
    gov .uk - the best place to find government services and information - Opens in new window
    The best place to find government services and information


The link leads to an archive file Avis_De_Paiement.zip which in turn contains a malicious binary Avis_De_Paiement.scr which has a VirusTotal detection rate of 16/57*. ThreatExpert and Comodo CAMAS report that it downloads components from the following locations:
canabrake .com .mx/css/doc11.rtf
straphael .org .uk/youth2000_files/doc11.rtf
My sources indicate that this most likely phones home to 109.230.131.95 (Vsevnet Ltd. Russia) which is a known bad IP that I recommend -blocking. The payload appears to be the Upatre downloader leading to the Dyre banking trojan."
* https://www.virustot...sis/1426693801/
___

Fake JP Morgan SPAM - malicious attachment
- http://myonlinesecur...ke-pdf-malware/
18 Mar 2015 - "'Carrie L. Tolstedt FW: Customer account docs' pretending to come from JP Morgan Access <Carrie.Tolstedt@ jpmorgan .com> with link to a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-J-P-Morgan.png

The link in the email goes once again to a cubby user content site...
17 March 2015: SignedDocuments.zip: Extracts to: SignedDocuments.scr
Current Virus total detections: 3/56* which is the same malware although renamed as today’s Australia Post Track Advice Notification: Consignment RYR3602120 – fake PDF malware**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426610474/

** http://myonlinesecur...ke-pdf-malware/

- http://blog.dynamoo....gan-access.html
18 Mar 2015 - "... Carrie L Tolstedt is a real executive... at Wells Fargo*. The lady in the picture is another Wells Fargo employee entirely**...."
* https://www.wellsfar...ficers/tolstedt
** http://www.americanb....html?csite=fsm

109.230.131.95: https://www.virustot...95/information/
 



Edited by AplusWebMaster, 18 March 2015 - 08:06 PM.

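Added example (not from the thread or from myonlinesecurity.co.uk) for the HMRC phish above: the two phishing URLs quoted in that post look like tax-refund sites only if you read the start of the host name; this Python snippet pulls out the domain the registrant actually controls and lists the brand words that sit in a subdomain of somebody else's domain. The URLs are the defanged ones from the post; the short suffix list, the set of genuine HMRC domains and the brand keyword list are assumptions for the example, not a full public-suffix list.

```python
"""Show which domain a 'tax refund' URL really belongs to, whatever its prefix says.

Added example. The two phishing URLs are the ones quoted in the HMRC post
(defanged with spaces, as in the post). The suffix list, the legitimate
domain set and the brand keywords are assumptions for this example.
"""
import re
from urllib.parse import urlsplit

# Multi-label public suffixes this example knows about (the real list is far longer).
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk"}
# Domains a genuine HMRC page would sit under (assumption for the example).
LEGITIMATE_DOMAINS = {"hmrc.gov.uk", "gov.uk"}
# Brand words whose presence in a *subdomain* of someone else's domain is the tell.
BRAND_KEYWORDS = ("hmrc", "tax", "refund", "gov")

PHISH_LANDING = "http ://taxrefundid778318ok.uleconstruction .com/"
PHISH_REDIRECT = ("http ://refund-hmrc.uk-6159368de39251d7a-login."
                  "id-107sbtd9cbhsbtd5d80a13c0db1f546757jnq9j5754675752240566.isteksut .com"
                  "/IlOyTgNjFrGtHtEwVo/indexx.php")
GENUINE = "https://www.hmrc.gov.uk/"          # assumed genuine URL for comparison


def refang(url):
    """Undo the 'http ://host .com' and '(dot)' style defanging used in the posts."""
    url = re.sub(r"\(dot\)", ".", url, flags=re.IGNORECASE)
    return url.replace(" ://", "://").replace(" .", ".").replace(" /", "/")


def registrable_domain(host):
    """Domain a registrant actually controls: last two labels, or three under co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_url(url):
    """Split the host into 'what the attacker chose' (subdomain) and 'who owns it'."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    reg = registrable_domain(host)
    subdomain = host[: -len(reg)].rstrip(".")
    brand_hits = [k for k in BRAND_KEYWORDS if k in subdomain]
    return {
        "host": host,
        "registrable": reg,
        "subdomain": subdomain,
        "brand_in_subdomain": brand_hits,
        # brand words in the prefix of a domain HMRC does not own
        "suspicious": bool(brand_hits) and reg not in LEGITIMATE_DOMAINS,
    }


if __name__ == "__main__":
    for u in (PHISH_LANDING, PHISH_REDIRECT, GENUINE):
        r = analyse_url(u)
        print(f"{r['registrable']:<22} brand words in prefix: {r['brand_in_subdomain']}"
              f"  suspicious={r['suspicious']}")
```

The second phishing URL is the instructive one: the host has "refund-hmrc" and "uk-...-login" up front, but everything before isteksut .com is chosen freely by whoever registered isteksut .com, which is the only part of the name that costs anything or leaves a trail.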


#1421 AplusWebMaster

Posted 19 March 2015 - 06:04 AM

FYI...

Fake Fax SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
19 Mar 2015 - "'Fax from +4921154767199 Pages: 1' pretending to come from  faxtastic! <fax@ faxtastic .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    You have received a new fax. To view it, please open the attachment.
     Did you know we now send? Visit www .faxtastic .co.uk for more details.
     Regards,
     faxtastic Support Team


19 March 2015 : 2015031714240625332.xls - Current Virus total detections: 2/57* | 2/57**  at least one of these malicious macros is contacting meostore .net/js/bin.exe to download the dridex banking Trojan. (VirusTotal***). There will be other download locations... So far I am only seeing 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426754021/

** https://www.virustot...sis/1426753958/

*** https://www.virustot...sis/1426753820/
... Behavioural information
TCP connections
95.163.121.200: https://www.virustot...00/information/
___

Fake 'Order' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
19 Mar 2015 - "'Marflow Your Sales Order' pretending to come from sales@ marflow .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Your order acknowledgment is attached.
     Please check carefully and advise us of any issues.
     Best regards
     Marflow


19 March 2015 : 611866.xls - Current Virus total detections: 2/57* | 2/57**
Although these are -different- macros to the earlier XLS spam macro run today, they appear to be contacting the -same- sites and downloading the same dridex malware / Fax from +4921154767199 Pages: 1 – word doc or excel xls spreadsheet malware:
> http://myonlinesecur...dsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426760344/

** https://www.virustot...sis/1426760388/

- http://blog.dynamoo....wcouk-your.html
19 March 2015
"... Recommended blocklist:
37.139.47.0/24
5.100.249.215
195.162.107.7
131.111.37.221
198.245.70.182
210.205.74.43
46.228.193.201
"
___

Fake Solicitors Debt SPAM - malicious attachment
- http://blog.dynamoo....itors-debt.html
19 Mar 2015 - "This spam has a malicious attachment.
    Date:    19 March 2015 at 12:52
    Subject:    Aspiring Solicitors Debt Collection
    Aspiring Solicitors
    Ref : 195404544
    Date : 02.10.2014
    Dear Sir, Madam
    Re: Our Client Bank of Scotland PLC
    Account Number:77666612
    Balance:       2,345.00
    We are instructed by Bank of Scotland PLC in relation to the above matter.
    You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.
    Court Fees  GBP 245.00
    Solicitors Costs  GBP 750.00
    Cheques or Postal Orders should be  made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
    We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
    If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings...


Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indications are that this can run even with macros disabled. Each attachment has a unique MD5..."

- http://myonlinesecur...dsheet-malware/
19 Mar 2015
Screenshot: http://myonlinesecur...-Collection.png
> https://www.virustot...sis/1426773553/
0 / 57
___

More Fake Invoice SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
19 Mar 2015 - "A whole series of emails with multiple subjects all having random numbers including:
     Invoice ID:77f5451 in attachment
    Your February Invoice ID:58a0834
These all come from multiple random addresses, with a malicious word doc or Excel XLS spreadsheet attachment, and are another one from the current bot runs... The emails all have a completely-empty body.

19 March 2015 : 58a0834.doc - Current Virus total detections: 0/57*
These look very similar to Aspiring Solicitors Debt Collection – word doc or excel xls spreadsheet malware:
> http://myonlinesecur...dsheet-malware/
The same warning must apply and opening the malicious doc will infect you, even with macros disabled... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1426778947/
0 / 57

- http://blog.dynamoo....7654321-in.html
19 Mar 2015 - "... contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the -same- as the one used in this attack*..."
* http://blog.dynamoo....itors-debt.html
___

BoA Phish seeks personal data ...
- https://blog.malware...l-data-bonanza/
Mar 19, 2015 - "If you’re a Bank of America customer you’ll want to avoid this phishing URL, located at 74.208.43.206 /html/E-Alert(Dot)html:
> https://blog.malware...5/03/boaph1.jpg
The site says:
"We need you to verify your account information for your online banking to be re-activated"
...and asks visitors to “click-the-download-button to receive your verification file”, then open it in their browser. As it turns out, “downloading the file” means “visit another webpage”:
Alertfb .pw /site/IrregularActivityFile(dot)html
The above site takes those eager to hand over personal information to the cleaners – there’s a wide variety of data harvested including Online ID and passcode, name, DOB, social security number, drivers license number, email address and password. That’s not all – there are also 3 security questions and payment information / address to complete the carefully laid out steps... That’s a lot of info to hand over to scammers, and anybody who thinks they may have been caught by something similar to the above should contact their bank immediately. Some of the images on the website are apparently broken and none of the URLs look remotely like legitimate BoA URLs so that will hopefully deter a few would-be banking disasters. While in the process of drafting this blog we’ve noticed the second site which asks for the bulk of the banking customer information is being -flagged- by Chrome for phishing, so hopefully that will help to reduce the potential victim pool still further. We’ll update the post as we test with different browsers, but for now watch what you click and be very cautious should you see either of the two URLs pop up in an unsolicited email…"
74.208.43.206: https://www.virustot...06/information/

104.219.184.113: https://www.virustot...13/information/
 



Edited by AplusWebMaster, 19 March 2015 - 01:32 PM.

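Added example (not from the thread, dynamoo.com or myonlinesecurity.co.uk): the posts above publish "Recommended blocklist" entries and note that the macro payloads fetch their downloader from <compromised host>/js/bin.exe; this Python snippet combines both into a triage pass over proxy log lines, matching destination addresses against the blocklist (including the /24 ranges) and flagging the downloader URL shape and any other executable fetch. The blocklist entries are the ones quoted in the dynamoo posts of 18-19 March plus the 109.230.131.95 phone-home address from the Gateway .gov .uk post; the log lines are constructed for the example, using RFC 5737 test addresses and .example host names except for 95.163.121.200 and 109.230.131.95, which the posts report as contacted addresses.

```python
"""Match proxy/firewall log lines against the blocklists and the downloader
URL shape quoted in the posts above.

Added example. Blocklist entries come from the quoted dynamoo posts; the log
lines are constructed (RFC 5737 addresses, .example host names), apart from
the two destination addresses the posts themselves report.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

RECOMMENDED_BLOCKLIST = [
    # NWN Media 'Confirmation of Booking' run
    "31.41.45.211", "109.234.159.250", "37.59.50.19", "62.76.179.44", "95.163.121.0/24",
    # 'unpaid invoice notification' run
    "31.25.77.154", "188.165.5.194", "188.165.26.237", "115.241.60.56",
    "46.19.143.151", "176.31.28.244",
    # Marflow 'Your Sales Order' run
    "37.139.47.0/24", "5.100.249.215", "195.162.107.7", "131.111.37.221",
    "198.245.70.182", "210.205.74.43", "46.228.193.201",
    # Upatre/Dyre phone-home address recommended for blocking in the Gateway post
    "109.230.131.95",
]

# URL shape of the macro downloaders quoted above: <compromised host>/js/bin.exe
DOWNLOADER_PATH = re.compile(r"/js/bin\.exe$", re.IGNORECASE)
EXECUTABLE_PATH = re.compile(r"\.(exe|scr)$", re.IGNORECASE)

# Constructed log format: timestamp client destination-ip method url
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")

SAMPLE_LOG = """\
2015-03-19T09:14:02Z 10.0.0.23 95.163.121.200 GET http://site-a.example/js/bin.exe
2015-03-19T09:14:03Z 10.0.0.23 203.0.113.10 GET http://www.example.com/index.html
2015-03-18T11:40:55Z 10.0.0.45 198.51.100.7 GET http://site-b.example/js/bin.exe
2015-03-18T11:41:10Z 10.0.0.45 109.230.131.95 POST http://109.230.131.95/
2015-03-19T12:00:00Z 10.0.0.9 203.0.113.20 GET http://cdn.example.org/setup.exe
"""


def compile_blocklist(entries):
    """Turn a mix of single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def blocked_by(ip, networks):
    """Blocklist entries that contain ip (a single-address entry shows as /32)."""
    addr = ipaddress.ip_address(ip)
    return [str(net) for net in networks if addr in net]


def triage_log(text, networks):
    """One alert per line that touches the blocklist or fetches an executable."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = []
        hits = blocked_by(m["dst"], networks)
        if hits:
            reasons.append("destination on blocklist (" + ", ".join(hits) + ")")
        path = urlsplit(m["url"]).path
        if DOWNLOADER_PATH.search(path):
            reasons.append("macro downloader URL pattern /js/bin.exe")
        elif EXECUTABLE_PATH.search(path):
            reasons.append("executable download")
        if reasons:
            alerts.append({"ts": m["ts"], "client": m["client"], "dst": m["dst"],
                           "url": m["url"], "reasons": reasons})
    return alerts


def clients_to_check(alerts):
    """Internal hosts ranked by alert count: the first ones to pull for triage."""
    return Counter(a["client"] for a in alerts).most_common()


if __name__ == "__main__":
    nets = compile_blocklist(RECOMMENDED_BLOCKLIST)
    alerts = triage_log(SAMPLE_LOG, nets)
    for a in alerts:
        print(a["ts"], a["client"], "->", a["dst"], a["url"], "|", "; ".join(a["reasons"]))
    print(clients_to_check(alerts))
```

The point of keeping the URL-shape rule beside the address rule is that the download hosts rotate daily (the posts list a different set each day) while the /js/bin.exe path stayed constant across several runs, so the path rule keeps working when a fresh address list has not arrived yet.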


#1422 AplusWebMaster

Posted 20 March 2015 - 05:31 AM

FYI...

CryptoWall 3.0 Ransomware partners with FAREIT spyware
- http://blog.trendmic...fareit-spyware/
Mar 19, 2015 - "... CryptoWall 3.0 arrives via spammed emails, using a JavaScript attachment. In the screenshot below*, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) will be extracted from the file, which is peculiar as the file extensions often associated with resumes are .DOC, .PDF and .RTF.
* http://blog.trendmic...rypWall3-11.jpg
... it will connect to two URLs to download “.JPG” files. But don’t be fooled by the extension — this is an old technique which may bypass poorly designed intrusion detection systems (IDS) by disguising malware as an image file... The JS file will execute the files after a successful download... TROJ_CRYPWAL.YOI will create a new instance of explorer.exe to gain local admin privilege, provided that the victim has admin rights — which is a common setup. Using a legitimate system process like explorer.exe could help the malware bypass scanners that use whitelisting. It will create a new instance of svchost.exe with -k netsvcs arguments which will perform the C&C communication and file encryption. This also gives the malware system service privileges... After receiving the RSA public key for file encryption from its C&C server, as the private key to be used for decryption is stored in the server, it will start encrypting the files with certain file extensions. Targeted files include documents, databases, emails, images, audio, video, and source codes. After encrypting a file using RSA-2048 encryption algorithm, it will append a random file extension to the original file name, and add the “HELP_DECRYPT” files to the directory affected. After its encryption routine, it will open the “HELP_DECRYPT” files to show the victim the dreaded ransom note:
> http://blog.trendmic...CrypWall3-5.jpg
TSPY_FAREIT.YOI  is executed alongside TROJ_CRYPWAL.YOI. While the victim is distracted by CryptoWall’s -extortion- the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets... this is the first time we’ve seen crypto-ransomware team up with spyware. This just shows that the cybercriminals are getting greedier. They are no longer content with the revenue they get from their ransom, around US$500 — which -doubles- after a certain period of time has lapsed:
Ransom fee increases:
> http://blog.trendmic...CrypWall3-6.jpg
...  the threat actors are using an “old business model” as their back-up plan. Even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information. Based on feedback from the Smart Protection Network, the region most affected by CryptoWall 3.0 is Australia/New Zealand, followed by North America and Europe:
Regions affected by CryptoWall 3.0:
> http://blog.trendmic...CrypWall3-7.jpg
Users can protect their important data by regularly backing up their files. They can implement the 3-2-1 rule** for their files. Of course, for threats like crypto-ransomware and spyware, other safety practices are advised... users should -never- open attachments from unknown or unverified senders... ignore or -delete- from unknown senders..."
** http://blog.trendmic...the-3-2-1-rule/
"... The accepted rule for backup best practices is the three-two-one rule. It can be summarized as: if you’re backing something up, you should have:
• At least three copies,
• In two different formats,
• with one of those copies off-site..."
 



Edited by AplusWebMaster, 20 March 2015 - 05:31 AM.

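Added example (not from the thread or from the Trend Micro post): the CryptoWall 3.0 write-up above gives a chain of host behaviour that endpoint telemetry can catch before the ransom note appears: a script host running the .js from the archive, a fresh explorer.exe instance created by the dropped executable, svchost.exe started with -k netsvcs by something other than services.exe, the HELP_DECRYPT files, and a burst of files being renamed with an extra extension. This Python snippet runs those checks over constructed, loosely Sysmon-shaped events. PIDs, paths and file names are illustrative, and the rename-burst threshold is an assumption.

```python
"""Spot the CryptoWall 3.0 behaviour described above in process and file
telemetry. Added example: events are constructed and loosely Sysmon-shaped;
names, PIDs and paths are illustrative, the rename threshold is an assumption.
"""
from collections import defaultdict
import ntpath
import re

RENAME_BURST_THRESHOLD = 5                   # assumption: tune to the environment
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}   # normal launchers


def proc(pid, image, parent, cmdline):
    return {"type": "process", "pid": pid, "image": image, "parent": parent, "cmdline": cmdline}


def file_ev(pid, op, path, new_path=None):
    return {"type": "file", "pid": pid, "op": op, "path": path, "new_path": new_path}


SAMPLE_EVENTS = [
    proc(1201, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
         r'wscript.exe "C:\Users\alice\AppData\Local\Temp\resume.js"'),
    proc(1300, r"C:\Users\alice\AppData\Local\Temp\a1b2.exe", r"C:\Windows\System32\wscript.exe",
         r"C:\Users\alice\AppData\Local\Temp\a1b2.exe"),
    proc(1340, r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\a1b2.exe",
         "explorer.exe"),
    proc(1400, r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe",
         "svchost.exe -k netsvcs"),
    proc(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
         "svchost.exe -k netsvcs"),                          # the normal case, no alert
    file_ev(1400, "create", r"C:\Users\alice\Documents\HELP_DECRYPT.TXT"),
] + [
    file_ev(1400, "rename", rf"C:\Users\alice\Documents\report{i}.docx",
            rf"C:\Users\alice\Documents\report{i}.docx.7f3a")
    for i in range(6)
] + [
    file_ev(2000, "rename", r"C:\Users\alice\Documents\draft.docx",
            r"C:\Users\alice\Documents\draft.docx.bak"),     # one rename is no burst
]


def base(path):
    return ntpath.basename(path).lower()


def check_process(ev):
    image, parent = base(ev["image"]), base(ev["parent"])
    cmd = ev["cmdline"].lower()
    reasons = []
    if image == "svchost.exe" and parent != "services.exe":
        reasons.append(f"svchost.exe started by {parent} instead of services.exe")
        if "-k netsvcs" in cmd:
            reasons.append("asks for the netsvcs group (the C&C/encryption host described above)")
    if image == "explorer.exe" and parent not in EXPLORER_PARENTS:
        reasons.append(f"extra explorer.exe instance started by {parent}")
    if image in {"wscript.exe", "cscript.exe"} and ".js" in cmd and TEMP_PATH.search(cmd):
        reasons.append("script host running a .js from a temp directory")
    if TEMP_PATH.search(ev["image"]):
        reasons.append("process image lives in a temp directory")
    return reasons


def check_file(ev):
    if ev["op"] == "create" and base(ev["path"]).startswith("help_decrypt"):
        return ["HELP_DECRYPT ransom note dropped"]
    return []


def is_extension_append(ev):
    """Rename that keeps the old name and adds a new extension (report.docx -> report.docx.xxxx)."""
    return (ev["op"] == "rename" and ev["new_path"] is not None
            and base(ev["new_path"]).startswith(base(ev["path"]) + "."))


def scan(events):
    """Per-event alerts in order, then one burst alert per process over the threshold."""
    alerts = []
    appends = defaultdict(int)
    for ev in events:
        reasons = check_process(ev) if ev["type"] == "process" else check_file(ev)
        if reasons:
            alerts.append({"pid": ev["pid"], "reasons": reasons})
        if ev["type"] == "file" and is_extension_append(ev):
            appends[ev["pid"]] += 1
    for pid, n in appends.items():
        if n >= RENAME_BURST_THRESHOLD:
            alerts.append({"pid": pid, "reasons": [f"{n} renames appending a new extension (encryption burst)"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["pid"], "|", "; ".join(a["reasons"]))
```

The rename-burst rule is the one that costs files before it fires, so the earlier process checks (script host from temp, the odd explorer.exe and svchost.exe parents) are the ones worth wiring to a block action; the burst and the HELP_DECRYPT note are confirmation for the responder.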


#1423 AplusWebMaster

Posted 20 March 2015 - 06:48 AM

FYI...

Something evil on 85.143.216.102 and 94.242.205.101
- http://blog.dynamoo....216102-and.html
20 Mar 2015 - "... I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report*] being reached via 85.143.216.102 (AirISP, Russia) [VT report**]. Whatever it is, it is using subdomains from -hijacked- GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs... For practical purposes though I recommend you block traffic to the IPs rather than the domains.
Recommended blocklist:
85.143.216.102
94.242.205.101
"
* https://www.virustot...01/information/

** https://www.virustot...02/information/

1] http://pastebin.com/MWhk2qy8

2] http://pastebin.com/XdBKFtP8
___

Nuclear EK leverages Flash CVE-2015-0336
- https://blog.malware...-vulnerability/
Mar 19, 2015 - "... Malwarebytes Anti-Exploit* users are already protected against this threat... Adobe has confirmed that a variant of CVE-2015-0336 is being exploited 'in-the-wild'. CVE-2015-0336 was -resolved- in Flash Player 17.0.0.134 (see APSB15-05**)..."
* http://www.malwareby...rg/antiexploit/

** https://helpx.adobe..../apsb15-05.html

> https://web.nvd.nist...d=CVE-2015-0336 - 9.3 (HIGH)
___

How Victims Are Redirected to IT Support Scareware Sites
- https://isc.sans.edu...l?storyid=19487
2015-03-20 - "In the classic version of tech support scams, the fake technician initiated an unsolicited phone call to the victim. Now the awareness for this scheme has increased, scammers shifted tactics. Their latest approaches involve convincing the potential victim to be the one calling the impostor. I've seen this accomplished in two ways:
• Scammers use bots to respond to Twitter users who mention PC problems or malware. The bots search for the appropriate keywords and send messages that include a phone number of a tech support firm. I described this approach when exploring how scammers prescreen potential victims.
• Scammers set up scareware websites that are designed to fool people into thinking their PC is infected, compelling visitors to call the fake tech support organization... Let’s take a look at a domain redirection variation of this scam below.
In the following example, the victim visited a link that was once associated with a legitimate website: 25yearsofprogramming .com. The owner of the domain appears to have allowed its registration to expire in early 2014. At that point, the domain was transferred to Name Management Group, according to DomainTools Whois records... Name Management Group seems to own over 13,000 domains (according to DomainTools Whois records), including numerous domains that DomainTools classifies as -malicious- ... (Don't visit these domains.)
- Landing on the Fake Malware Warning Site:
Visiting the once-legitimate URL a few days ago landed the victim on a scammy scareware page, designed to persuade the person to contact "Microsoft Certified Live Technicians" at the specified toll-free phone number. The site employed social engineering techniques employed by rogue antivirus tools. Such schemes present victims with fake virus warnings, designed to scare people into submission. The site in our example also played an auditory message, exclaiming:
"This is a Windows system warning! This is a Windows system warning! If you are hearing this warning message, the security of your Windows system has been compromised. Your Windows computer and data might be at risk because of adwares, spywares and malicious pop-ups! Your bank details, credit card information, email accounts, Facebook account, private photos and other sensitive files may be compromised. Please call the number mentioned now to resolve this issue."
To see and hear what the victim experienced... watch it on YouTube:
... The companies behind these servers, as well as the firm presently controlling 25yearsofprogramming .com are probably receiving referral fees for their role in the redirection scheme. There's much to explore regarding the domain names, systems and companies involved in the schemes outlined above... If you decide to explore any of these systems, do so from an isolated laboratory environment. Also, if you encounter a tech support scam, please register it with our database of such incidents:
- https://isc.sans.edu...rtfakecall.html "
(More detail at the isc diary URL at the top of this post.)
___

Who Develops Code for IT Support Scareware Websites?
- https://isc.sans.edu...l?storyid=19489
2015-03-20
- https://isc.sans.edu...rt-l3-large.png
___

The Manipulative Nature and Mechanics of Visitor Survey Scams
- https://zeltser.com/...r-survey-scams/
March 18, 2015
- Lenny Zeltser
___

Fake pictures SPAM - malware
- https://www.virustot...sis/1426864158/
20 Mar 2015 - "'American Wholesale Pictures' pretending to come from Tod <tod@ awrco .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Hi,
    Sorry for the delay I just received these this morning.
    Here are the pictures of the panels that you requested.
    Thank you,
    Adam
    Office
    Manager
    American Wholesale Co.
    Phone: 216-426-8882
    Fax: 216-426-8883 ...


20 March 2015: 084-16475-4999.zip: Extracts to: img.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1426864158/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
108.174.149.222: https://www.virustot...22/information/
46.249.3.66: https://www.virustot...66/information/
 



Edited by AplusWebMaster, 20 March 2015 - 01:34 PM.



#1424 AplusWebMaster

Posted 23 March 2015 - 10:34 AM

FYI...

Fake 'Statement' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Mar 2015 - "'Retailer Statement for 19745' (random numbers) pretending to come from user <tod@ awrco .com> with a zip attachment is another one from the current bot runs... The email which has random attachment numbers looks like:
HI,
document as an attachment


23 March 2015 : 587-19745-2563.zip: Extracts to:  document.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427123035/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
217.19.14.37: https://www.virustot...37/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

Fake 'approval' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Mar 2015 - "'12/31(1/1) approve' pretending to come from Laurie Liggett <lliggett@ niemannfoods .com> with a zip attachment is another one from the current bot runs... The email looks like:

    Your message is ready to be sent with the following file attachment.
     Laurie Liggett
    Buying Office Administrator
    Niemann Foods,
    Inc.


23 March 2015: 705-87633#5042.zip: Extracts to: pic.exe
Current Virus total detections: 1/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427128006/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
94.126.48.158: https://www.virustot...58/information/
46.249.3.66: https://www.virustot...66/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
 



Edited by AplusWebMaster, 23 March 2015 - 02:31 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
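The trick behind every "PDF malware" item above is the same: a zip carrying an executable (.exe, .scr, or a .js script) that shows a PDF or Word icon, sometimes with a second extension in front of the real one so Explorer's "Hide extensions for known file types" turns report.pdf.exe into report.pdf. The following is an added example, not code from the post or from the quoted blogs: a Python triage routine that opens a zip attachment in memory, flags executable and double extensions by name, and reads each member's first bytes for a Windows PE header so an executable renamed to a harmless extension is still caught. The zip produced by build_sample_zip() and its member names are constructed for the example; the "PE" members are a synthetic MZ/PE header, not real binaries.

```python
import io
import zipfile

# Extensions Windows will execute on double-click even when the file shows a PDF or
# Word icon; .scr (screensaver) and .js (Windows Script Host) both appear in the thread.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta"}

# Extensions a user reads as "just a document". With Explorer's "Hide extensions for
# known file types" on, report.pdf.exe is displayed as report.pdf.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf", "jpg", "png"}

PE_REASON = "PE header (MZ/PE) regardless of extension"


def classify_name(name):
    """Reasons a member name looks like a disguised executable (empty list if none)."""
    reasons = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + ext)
        # report.pdf.exe or Notice_to_Appear_000283436.doc.js
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension ." + parts[-2] + "." + ext)
    return reasons


def looks_like_pe(data):
    """True if data starts like a Windows PE: 'MZ' stub and e_lfanew pointing at 'PE'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_zip(zip_bytes):
    """Map each suspicious member of a zip attachment to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as member:
                head = member.read(4096)   # header only; never extract to disk or run it
            if looks_like_pe(head):
                reasons.append(PE_REASON)
            if reasons:
                findings[info.filename] = reasons
    return findings


def fake_pe():
    """Constructed stand-in for an EXE: MZ stub, e_lfanew = 0x40, then the PE signature."""
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16


def build_sample_zip():
    """Constructed sample attachment; names mimic the thread, contents are synthetic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", fake_pe())                        # PDF-icon executable
        zf.writestr("Notice_to_Appear_000283436.doc.js",
                    "var s = new ActiveXObject('WScript.Shell');")    # script, double extension
        zf.writestr("abc123.gif", fake_pe())                          # EXE renamed to .gif
        zf.writestr("readme.txt", "plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(why))
```

The name check is what a user would see with extensions shown; the header check is what matters at a mail gateway, because the sender controls the name and the icon but not the first bytes of a file that has to run as a Windows program.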


#1425 AplusWebMaster


Posted 24 March 2015 - 04:27 AM

FYI...

Fake Resume SPAM - JavaScript malware
- http://myonlinesecur...ke-pdf-malware/
24 Mar 2015 - "'Resume Bobbie Rocha' pretending to come from Bobbie <BobbieRocha@ businesscommerce .com> with a zip attachment is another one from the current bot runs... The email looks like:
     My name is Bobbie Rocha, attached is my resume.
    I look forward to hearing back from you.
     Thank you,
    Bobbie


24 March 2015: Resume Bobbie Rocha.zip: Extracts to: Resume Bobbie Rocha.js
Current Virus total detections: 12/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427180393/
___

Fake Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
24 Mar 2015 - "'Mary Watkins Ely Design Group Invoice' pretending to come from Mary Watkins <mary@ elydesigngroup .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hi,
    As promised!
    Mary Watkins
    Office Manager
    Ely Design Group


25 February 2015 : S22C-6e15031710060.doc - Current Virus total detections: 2/55* | 2/55**
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1427186619/

** https://www.virustot...sis/1427186436/

- http://blog.dynamoo....ry-watkins.html
24 Mar 2015 - "This spam email message does not come from Ely Design Group, but is in fact just a simple forgery. Ely Design Group's systems have not been compromised in any way. This email comes with a malicious attachment:
     From:    Mary Watkins [mary@ elydesigngroup .co.uk]
    Date:    24 March 2015 at 07:23
    Subject:    Invoice
    Hi,
    As promised!
    Mary Watkins
    Office Manager
    Ely Design Group


Attached is a Word document named S22C-6e15031710060.doc which has a low detection rate of 2/57* which contains this malicious macro which then downloads a component from the following location:
http ://dogordie .de/js/bin.exe
The file is saved as %TEMP%\PALmisc2.5.2.exe and has a VirusTotal detection rate of 6/57**.
Automated analysis tools... indicate that the binary crashes in those test environments, although whether or not it will work on a live PC is another matter. The payload (if it works) is almost definitely the Dridex banking trojan."
* https://www.virustot...sis/1427189692/

** https://www.virustot...sis/1427189707/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustot...11/information/

dogordie .de: 81.169.145.156: https://www.virustot...56/information/
___

Fake 'Thank you' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Mar 2015 - "'Robinson IGA project Thank you for your business' pretending to come from user <elezaveta@ enewall .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ur-business.png

24 March 2015 : 23807905.zip: Extracts to: doc.exe - Current Virus total detections: 2/56*
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427194478/
... Behavioural information
TCP connections
134.249.63.46: https://www.virustot...46/information/
46.249.3.66: https://www.virustot...66/information/
___

Recent Malware Outbreaks
- http://www.senderbas...static/malware/
Last Updated: 2015/03/24 10:59 UTC

Top Malware Senders
- http://www.senderbas.../malware/#tab=1
Last Updated: 2015/03/24 10:03 UTC
___

Fake 'Payment To Skype' - PayPal phish...
- http://myonlinesecur...aypal-phishing/
24 Mar 2015 - "'New Payment To Skype INC' pretending to come from Pay Pal <lordjohn74@ hotmail .co.uk> is one of the latest phish attempts to steal your Paypal account and your Bank, credit card and personal details... don’t click-the-link in the email...

Screenshot: http://myonlinesecur...o-Skype-Inc.png

... the link (takes you to) a webpage looking like:
> http://myonlinesecur...-1-1024x500.png
... the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur...pal-login-2.png
... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

The RATS are free...
- http://www.symantec....e-it-out-gutter
23 Mar 2015 - "... Remote access Trojans, otherwise known as RATs, are nothing new and they frequently grab their fair share of security-related news headlines. Commonly used in both targeted and non-targeted attacks, and even on mobile devices, RATs are a popular tool among cybercriminals; whether for financial gain, espionage, or for something more creepy. Some RATs are more common than others, such as the infamous Blackshades (W32.Shadesrat), PlugX (Backdoor.Korplug), Poison Ivy (Backdoor.Darkmoon), or many others that have made a name for themselves in the cybercriminal underground. However, every once in a while a new RAT tries to emerge out of the unknown and “make it” just like its more common cousins... human nature’s love of cheap or, better yet, free stuff is helping this RAT in its efforts to hit the big time but potentially at a cost to the developer... RATs sold on underground forums can vary in price, ranging anywhere from US$25 to $250. In recent years the security community has seen plenty of new RATs come and go but where things always get dirty is when a cracked version of a RAT is leaked online for free. When this happens, usage of the RAT increases; cybercriminals are (arguably) human after all and love to get things for free... It seems that every time the author tries to develop and improve NanoCore, one of the customers invariably ends up -leaking- a copy of it for free. This surely has to be a major disincentive for the original developer but they seem to possess endless optimism and persist to create new versions with enhanced capabilities, maybe in the hope that eventually enough customers will pay...
Top ten countries affected by Trojan.Nancrat (Jan 2014 to March 2015):
> http://www.symantec....1/Figure3_1.png
... The RAT is being distributed through malicious emails... targeted emails are being sent to energy companies in Asia and the Middle East and the cybercriminals behind the attack are spoofing the email address of a legitimate oil company in South Korea. Attached to the email is a malicious RTF file that exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158*) and drops Trojan.Nancrat... The cracked versions of NanoCore are now not only available on the dark web but also on the visible web. That means it’s not just the more experienced cybercriminals who can easily access this malware for free, but also script kiddies eager to start their cybercriminal careers. The more the NanoCore malware is used and is visible on the underground, the higher the chances that one day it may end up just as well-known as some of the notorious RATs that have come before it..."
* http://www.securityf...2911/references
___

Google warns of OS-trusted but unauthorised digital certificates
Maintaining digital certificate security
- http://googleonlines...e-security.html
March 23, 2015 - "... Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate..."

Firefox 37 ...
Revoking Trust in one CNNIC Intermediate Certificate
- https://blog.mozilla...te-certificate/
Mar 23, 2015 - "... to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37..."
- https://wiki.mozilla...coming_Releases
"... Firefox 37... RELEASE week of March 31, 2015."
 



Edited by AplusWebMaster, 24 March 2015 - 04:56 PM.

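The Dynamoo write-up above spells out the chain these Word and Excel attachments use: the macro in the opened document fetches a binary, saves it under %TEMP% and runs it. That chain is easier to catch by process lineage than by file hash, since every run uses a freshly packed executable. The following is an added example, not part of the post or of Dynamoo's tooling: a small Python detector run over constructed process-creation log lines (modelled on what a Sysmon-style sensor records; the field names, user, paths and timestamps are made up for the example). It flags an Office process spawning a child from a user-writable directory or a script host, and Windows Script Host executing a script out of Temp or Downloads, which is what a double-clicked Resume.js attachment looks like.

```python
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and shells a macro or downloader commonly hands off to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Directories a user-level process can write to; %TEMP% resolves under AppData\Local\Temp.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\")

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_SCRIPT_ARG = re.compile(r'\.(js|jse|vbs|vbe|wsf)(?=["\s]|$)')


def parse_event(line):
    """Parse one key=value line (values containing spaces are double-quoted) into a dict."""
    event = {}
    for m in _KV.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return event


def basename(path):
    return ntpath.basename(path).lower()


def in_user_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def evaluate(event):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    parent = basename(event.get("parent", ""))
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    # Rule 1: an Office process spawned a binary from a user-writable directory, or a
    # script host/shell. A document has no legitimate reason to do either.
    if parent in OFFICE_APPS and (in_user_writable_dir(image) or basename(image) in SCRIPT_HOSTS):
        hits.append("office_spawned_child")
    # Rule 2: Windows Script Host running a .js/.vbs that lives in Temp or Downloads.
    # A system script such as slmgr.vbs under System32 does not trigger this.
    if basename(image) in {"wscript.exe", "cscript.exe"} \
            and _SCRIPT_ARG.search(cmdline.lower()) and in_user_writable_dir(cmdline):
        hits.append("script_host_from_temp")
    return hits


def scan(lines):
    """Run every rule over the log lines; returns (ts, image, hits) for matching events only."""
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            results.append((ev.get("ts"), ev.get("image"), hits))
    return results


# Constructed log lines modelled on the behaviour described above (not real telemetry).
SAMPLE_LOG = [
    r'ts=2015-03-24T09:41:02Z parent="C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" '
    r'image="C:\Users\bob\AppData\Local\Temp\PALmisc2.5.2.exe" '
    r'cmdline="C:\Users\bob\AppData\Local\Temp\PALmisc2.5.2.exe"',
    r'ts=2015-03-24T16:50:11Z parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\wscript.exe" '
    r'cmdline="C:\Windows\System32\wscript.exe C:\Users\bob\AppData\Local\Temp\Temp1_Resume.zip\Resume Bobbie Rocha.js"',
    r'ts=2015-03-24T09:40:55Z parent="C:\Windows\explorer.exe" '
    r'image="C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" '
    r'cmdline="C:\Program Files\Microsoft Office\Office14\WINWORD.EXE /n S22C-6e15031710060.doc"',
    r'ts=2015-03-24T10:02:30Z parent="C:\Windows\System32\svchost.exe" '
    r'image="C:\Windows\System32\wscript.exe" '
    r'cmdline="C:\Windows\System32\wscript.exe C:\Windows\System32\slmgr.vbs /dli"',
    r'ts=2015-03-25T09:39:40Z parent="C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" '
    r'image="C:\Windows\System32\cmd.exe" '
    r'cmdline="cmd.exe /c start %TEMP%\sollken1.2.8.exe"',
]

if __name__ == "__main__":
    for ts, image, hits in scan(SAMPLE_LOG):
        print(ts, image, ",".join(hits))
```

Only the first, second and fifth sample lines fire; opening the document itself and a system script launched by svchost stay silent. The rules key on parent/child relationships and on where the child lives rather than on hashes, which is why the same two rules cover the Dridex macro chain and the script attachments even though every campaign ships a new binary.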


#1426 AplusWebMaster


Posted 25 March 2015 - 08:14 AM

FYI...

Fake 'Payment' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
25 Mar 2015 - "'Payment 1142' pretending to come from James Dudley <James.Dudley@ hitec .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Payment sheet attached.
    James
    T    01353 624023
    F    01353 624043
    E    james.dudley@ hitec .co.uk
    Hitec Ltd
    23 Regal Drive
    Soham
    Ely
    Cambs
    CB7 5BE
    This message has been scanned for viruses and malicious content by Green Duck SpamLab


25 February 2015 : Payment 1142.doc - Current Virus total detections: 2/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427270267/

- http://blog.dynamoo....mes-dudley.html
25 Mar 2015 - "This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.

    From:    James Dudley [James.Dudley@ hitec .co.uk]
    Date:    25 March 2015 at 09:38
    Subject:    Payment 1142
    Payment sheet attached.
    James
    T    01353 624023
    F    01353 624043
    Hitec Ltd
    23 Regal Drive
    Soham
    Ely
    Cambs
    CB7 5BE
    This message has been scanned for viruses and malicious content by Green Duck SpamLab


I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57*. It contains this malicious macro... which attempts to download a component from:
http ://madasi.homepage .t-online .de/dbcfg/32.exe
...which is then saved as %TEMP%\sollken1.2.8.exe; this has a detection rate of 12/57**. Automated analysis of this binary is pending, but is so far inconclusive...
MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf
UPDATE: this interesting new tool from Payload Security[1] gives some insight as to what the malware does. In particular, it phones home to:
50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)
Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24
"
* https://www.virustot...sis/1427293393/

** https://www.virustot...sis/1427293399/

1] https://www.hybrid-a...environmentId=1
___

Fake Citi SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Mar 2015 - "'Citi Merchant Services statements – 05721901-6080' (random numbers) pretending to come from user <noreply@ efsnb-archive .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Attached is your Merchant Statement. It is secured so that only an
    authorized recipient can open it. To open, click on the attachment.
    In order to view
    the attached PDF file, you need Adobe Acrobat Reader Version 8.0
    installed.
    Click on the following link:
    <http ://www.adobe .com/products/acrobat/readstep2.html> to complete a free
    install or re-install if you have an older version.
    Visit Microsoft’s self
    help website at www .microsoft .com or contact your ISP if you do not
    receive the  attachment.
    Delivering your statements directly to your desktop is just one
    more way we’ve increased the speed of business. Thanks again for
    choosing CTS Holdings, LLC as your merchant processor. CTS Holdings, LLC, you can
    count on us!
    This is a post-only mailing. Please do not respond. To change
    preferences please contact Customer Service at 1-800-238-7675.


25 March 2015 : random zip name : Extracts to: Merchant.exe - Current Virus total detections: 6/57*
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427293896/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
134.249.63.46: https://www.virustot...46/information/

- http://threattrack.t...8/citibank-spam
Mar 25, 2015
Malicious File Name and MD5:
Merchant.exe (4007601E07343ADD409490F572F97D46)

Tagged: Citibank, Upatre
___

Fake 'Invoice ID' SPAM - malicious attachment
- http://blog.dynamoo....12ab34-123.html
25 Mar 2015 - "This terse spam has a malicious attachment:
    From:    Gerry Carpenter
    Date:    25 March 2015 at 12:58
    Subject:    Invoice ID:34bf33
    123


There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has -zero- detections*. Unlike most recent document-based attacks, this does -not- contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked; the spreadsheet itself is designed to get the victim to click-and-run that object.
> https://1.bp.blogspo...0/excel-ole.png
Automated analysis doesn't show very much, but it does show the screenshots [1] [2]... the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56**, and the Payload Security report shows it communicating with the following IPs:
92.63.88.83 (MWTV, Latvia)
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
The payload is most likely Dridex.
Recommended blocklist:
92.63.88.0/24
82.151.131.129
121.50.43.175

MD5s:
ce130212d67070459bb519d67c06a291
461689d449c7b5a905c8404d3a464088 "
* https://www.virustot...sis/1427298940/

** https://www.virustot...sis/1427296948/

1] https://www.hybrid-a...environmentId=1

2] https://malwr.com/an...TQwNDcxMDBkZjc/
___

Fake 'ACH failure' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Mar 2015 - "'ACH technical failure' pretending to come from The Electronic Payments Association <June.Parks@ nacha .org> [random names @ nacha .org] with a link to a zip attachment is another one from the current bot runs... Other subjects in this series of spam malicious emails on the nacha theme are:
    Transaction system failure
    ACH transfer error
    ACH technical failure
    Your transfer failed due to technical failure ...
The email looks like:

    ACH PAYMENT REJECTED
    The ACH Payment (ID: 53213740992857), recently sent from your savings account (by you or any other person), was REJECTED by other financial institution.
    Rejection Reason: See details in the report below
    Payment Report: report_53213740992857.pdf (Adobe Reader PDF)
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    2014 NACHA – The Electronic Payments Association


The link once again goes to a cubby user content site...
25 March 2015: Secure_Message.zip: Extracts to: Secure_Message.exe
Current Virus total detections: 11/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427301251/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
134.249.63.46: https://www.virustot...46/information/
___

Fake DHL SPAM - malware
- http://myonlinesecur...ipment-malware/
25 Mar 2015 - "'DHL AWB# 34 5673 0015 / shipment' pretending to come from DHL Express <info@ dhl .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    The following 1 piece(s) have been sent by a Customer via DHL Express on 22-03-2015 via AWB# 34 5673 0015
    Find attached Scanned copy of the shipping documents and more information about the parcel and confirm if the address is correct for shipment.
    Thank you.


25 March 2015: DOCUMENTS.zip: Extracts to:  DOCUMENTS.exe - Current Virus total detections: 7/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427286243/
... Behavioural information
TCP connections
66.171.248.172: https://www.virustot...72/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

Fake 'Notice to appear in Court' SPAM - malicious attachment
- http://blog.dynamoo....-notice-to.html
24 Mar 2015 - "These two emails come with a malicious attachment:
    From:    County Court [lester.hicks@ whw0095 .whservidor .com]
    Date:    24 March 2015 at 16:45
    Subject:    AERO, Notice to Appear
    This is to inform you to appear in the Court on the March 31 for your case hearing.
    Please, prepare all the documents relating to the case and bring them to Court on the specified date.
    Note: The case may be heard by the judge in your absence if you do not come.
    You can review complete details of the Court Notice in the attachment.
    Yours faithfully,
    Lester Hicks,
    Court Secretary.
    -------------
    From:    District Court [cody.bowman@ p3nw8sh177 .shr.prod.phx3 .secureserver .net]
    Date:    24 March 2015 at 16:44
    Subject:    AERO, Notice to appear in Court #0000310657
    Dear Aero,
    This is to inform you to appear in the Court on the March 28 for your case hearing.
    You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
    Note: If you do not come, the case will be heard in your absence.
    You can review complete details of the Court Notice in the attachment.
    Sincerely,
    Cody Bowman,
    District Clerk.


In these two cases the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57*]... and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57**]... respectively. These scripts attempt to download malicious code... Details in the download locations vary, but are in the format:
ilarf .net/document.php?rnd=1161&id=
gurutravel .co .nz/document.php?rnd=3022&id=
This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57*** and 4/56****. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything. The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports... indicate badness on at least the following IPs:
176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25

I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28 or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24. I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus[5] software.
MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee "
* https://www.virustot...sis/1427221635/

** https://www.virustot...sis/1427221612/

*** https://www.virustot...sis/1427222714/

**** https://www.virustot...sis/1427223237/

5] http://www.microsoft...e:Win32/Trapwot
 



Edited by AplusWebMaster, 26 March 2015 - 06:32 AM.

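Two of the Dynamoo write-ups above end with a recommended blocklist, and the court-notice one weighs a tight 176.53.125.16/28 against a /24 that would also cut off legitimate Turkish sites. The following is an added example, not from the post or from Dynamoo: a few helpers built on Python's standard ipaddress module that turn a list of observed C2 addresses into the smallest single block covering them, merge a mixed list of bare IPs and CIDRs into a de-duplicated blocklist, and count how many uninvolved addresses a candidate block takes down. The addresses used are the ones quoted in the write-ups; nothing is resolved or contacted.

```python
import ipaddress


def covering_network(ips):
    """Smallest single CIDR block that contains every address in ips (one IP family)."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    lo, hi = addrs[0], addrs[-1]
    # Widen the prefix one bit at a time from a host route until the highest address fits.
    for prefix in range(lo.max_prefixlen, -1, -1):
        net = ipaddress.ip_network("%s/%d" % (lo, prefix), strict=False)
        if hi in net:
            return net


def build_blocklist(entries):
    """Parse a mix of bare IPs and CIDRs, then merge overlapping or adjacent blocks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, blocklist):
    """True if ip falls inside any network on the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def collateral(net, known_bad):
    """Addresses inside net that are not on the known-bad list: the cost of blocking the range."""
    bad = {ipaddress.ip_address(ip) for ip in known_bad}
    return net.num_addresses - sum(1 for a in bad if a in net)


# IPs quoted in the Dynamoo write-ups above.
COURT_NOTICE_IPS = ["176.53.125.%d" % n for n in range(20, 26)]      # .20 through .25
DRIDEX_BLOCKLIST = ["92.63.88.0/24", "82.151.131.129", "121.50.43.175"]

if __name__ == "__main__":
    tight = covering_network(COURT_NOTICE_IPS)
    wide = ipaddress.ip_network("176.53.125.0/24")
    print("smallest block covering the six IPs:", tight, "collateral:", collateral(tight, COURT_NOTICE_IPS))
    print("whole /24 instead:", wide, "collateral:", collateral(wide, COURT_NOTICE_IPS))
    bl = build_blocklist(DRIDEX_BLOCKLIST)
    for probe in ("92.63.88.83", "92.63.89.1", "121.50.43.175"):
        print(probe, "blocked" if is_blocked(probe, bl) else "allowed")
```

For the six court-notice addresses the smallest covering block is indeed 176.53.125.16/28, which costs ten bystander addresses; the /24 costs 250. Running collateral() on a proposed range before pushing it to a firewall is a cheap way to keep that trade-off explicit.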


#1427 AplusWebMaster


Posted 26 March 2015 - 09:11 AM

FYI...

Fake 'scanned' results SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Mar 2015 - "'Lou Ann Davis Indus Precision Mfg scanned' pretending to come from user <louann@ indusmfg .com> with a zip attachment is another one from the current bot runs... The email looks like:
    –
     Thank you,
    Lou Ann Davis
    Office Administrator
    Indus Precision Mfg., Inc.
    www .indusmfg .com
    Main: (845)268-0782
    Fax: (845)268-2106


26 March 2015 : Random zip name : Extracts to: scan.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427372574/
___

Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Mar 2015 - "'Yarde Metals Invoice' pretending to come from email.invoice <email.invoice@ yarde .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Thank you for your order.
    Attached is your original invoice. If you would
    like to pay for
    your order with a wire transfer please contact Angela Palmer
    at 860-406-6311 for bank details.
    Friendly reminder:
    Yarde Metals terms
    are 1/2% 10, Net 30. We appreciate your prompt payment.


26 March 2015: random  zip name: Extracts to:  221324.exe
Current Virus total detections: 3/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427380401/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
46.160.125.167: https://www.virustot...67/information/
91.194.239.126: https://www.virustot...26/information/
93.123.40.17: https://www.virustot...17/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

BoA 'Over Limit' Spam
- http://threattrack.t...over-limit-spam
Mar 26, 2015 - "Subjects Seen
    Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Malicious File Name and MD5:
    report_77076291400.scr (6B6E3D3FDE233FE75F64B517F2351D97)


___

Steam Codes and Countdowns - 'something for nothing'
- https://blog.malware...and-countdowns/
March 26, 2015 - "... 'something for nothing' makes a reappearance in the land of -gaming- with a twist designed to get would-be winners sending messages to their online friends as fast as they possibly can. The site we’re going to examine is located at: steamcode(dot)org
... which claims they have $20 Steam Codes to give away, as the “We’re the people who give away free $20 Steam Codes!” makes clear on the frontpage. We could have an interesting philosophical debate about when free means free, but we could also just chalk it up as “free, as long as you send some links and fill in a bunch of stuff”. Here’s the nicely designed frontpage:
> https://blog.malware...5/03/stmcd1.jpg
Clicking the button reveals two things – a tantalizing glimpse of half a code, and the reveal that you must share a link with 15 people in 45 minutes or else the code will expire. If you don’t have Under Pressure on your playlist, you might want to go dig it out now:
> https://blog.malware...5/03/stmcd2.jpg
Sites don’t normally place a timer on link sending, because not many people immediately whip out a list of likely candidates to start spamming when confronted with a rapidly diminishing timer. Indeed, start quickfiring identikit messages to all and sundry and you may find more than a few of them either think you’ve been hacked or turned into a spambot for the day. Should the required amount of referrals be reached, the end result is a selection of survey pages for the would-be $20 code recipient... There’s -no- guarantee the full code will be released even with a completed survey – the only person who has anything to lose in this situation is the individual filling in whatever forms are presented, working on the basis that they’re simply hoping the website will hand over a code at the end of the process. Freebie sites offering up items such as vouchers, gift cards and game codes typically resort to surveys at some point in the chain – it’s just how they roll. Displaying a portion of the code and adding in a time sensitive instruction to send URLs to all and sundry focuses on the “So near, yet so far” pressure point, and is a great way to ensure people desperate for free game codes start yelling “How high?” before jumping."
 



Edited by AplusWebMaster, 26 March 2015 - 11:40 AM.



#1428 AplusWebMaster


Posted 27 March 2015 - 05:52 AM

FYI...

Fake ebill Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 Mar 2015 - "'UK Fuels ebill for ISO Week 201512' pretending to come from invoices@ ebillinvoice .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Week-201512.png

27 March 2015 : 22328_201512.doc
Current Virus total detections: 3/57* | 2/56** | 2/57*** | 3/57****
... So far I have seen 4 versions of this malware, but previous campaigns over the last few weeks have delivered 2, 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427446840/

** https://www.virustot...sis/1427447362/

*** https://www.virustot...sis/1427447494/

**** https://www.virustot...sis/1427447285/
___

Fake 'NASA MSBA' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 - "'NASA MSBA 27th, 2015' pretending to come from MSBA <NVDB@ nasa .gov> with a zip attachment is another one from the current bot runs... The email looks like:
    Good Afternoon.
    MSFC has posted the upcoming MSBA 27th event on NAIS and
    Fed Biz Ops (Solicitation No.: SB-85515).
    NAIS Posting:
    Please click on
    Mod. 1 Posting.
    Attached is the MSBA Agenda.
    Please join us for this event!


27 March 2015: Random  zip name: Extracts to: MSFC.exe
Current Virus total detections: 4/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427455905/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
UDP communications
23.99.222.162: https://www.virustot...62/information/
___

Fake 'ADP Payroll Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 - "'ADP Payroll Invoice for week ending 03/27/2015' pretending to come from user <run.payroll.invoice@ adp .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Your ADP Payroll invoice for last week is attached for your review. If
    you have any questions regarding this invoice, please contact your ADP
    service team at the number provided on the invoice for assistance.
     Thank you for choosing ADP Payroll.
     Important: Please do not respond to this message. It comes from an
    unattended mailbox.


27 March 2015: random attachment zip name: Extracts to: ADP.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427467488/
___

Fake 'Information Request' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 - "'Information Request' pretending to come from Nicksen Stone <sale20@ thrivigor .com> with a zip attachment is another one from the current bot runs...
     Hello,
     We specialize in designing and manufacturing high quality metal and
    plastic parts suitable for electronic,industrial,agricultural and
    various applications.
    If you need any parts please feel free to send us drawing or sample for
    free quotes. Thank you.
     With Kind Regards,
    Nicksen Stone, Director
     Ningbo Efforteam Machinery Co.,Ltd
    Phone: +86-13777 101 355


27 March 2015: Random attachment zip name: Extracts to: Information.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427472615/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
66.147.244.169: https://www.virustot...69/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
 



Edited by AplusWebMaster, 27 March 2015 - 12:04 PM.



#1429 AplusWebMaster


Posted 30 March 2015 - 07:33 AM

FYI...

Fake 'Vistaprint Invoice' SPAM - pdf malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'Vistaprint VAT Invoice' (random number) pretending to come from Vistaprint <VistaPrint-cc@ vistaprint .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...VAT-Invoice.png

30 March 2015: Random Attachment zip name: Extracts to:  Invoice_1.exe
Current Virus total detections: 1/56* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427714331/
___

Fake 'ADP invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'ADP invoice for week ending 30/03/2015' pretending to come from  Wilbert.Downs@ adp .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...week-ending.png

30 March 2015: invoice_285699291.zip: Extracts to: invoice_285699291.scr
Current Virus total detections: 5/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427728309/
___

Fake 'PDF SWIFT TT COPY' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'PDF SWIFT TT COPY' pretending to come from soumiya@ ulckuwait .com with a zip attachment is another one from the current bot runs... The email looks like:
    Hello,
    Regarding payments for the outstanding, our accounting department have
    approved immediate payment to your accounts.
    Please attached is the Payment confirmation slip ,Kindly help reply
    urgently to  confirm to us
    Best Regards,
    Kosta Curic
    EVRO – TURS DOO
    Požeška 80, Beograd, Srbija
    Jenneth Setu
    Purchase Manager


30 March 2015: Payment Confirmation pdf.zip: Extracts to:  Payment Confirmation pdf.exe
Current Virus total detections: 8/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427732925/
___

Fake 'Quotation' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'Quotation qzVNVm: (random characters)' pretending to come from Mark Kemsley <mark.kemsley@ energy-solutions .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...3/quotation.png

30 March 2015: random Attachment zip name: Extracts to: Quotation.exe
Current Virus total detections: 5/50*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427738877/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
79.133.196.204: https://www.virustot...04/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/


Edited by AplusWebMaster, 30 March 2015 - 03:18 PM.



#1430 AplusWebMaster


Posted 31 March 2015 - 07:16 AM

FYI...

Fake 'PO' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Your PO: SP14619' pretending to come from Sam S. <sales@ alicorp .com> with a malicious word doc or Excel XLS spreadsheet attachment  is another one from the current bot runs...

Screenshot: http://myonlinesecur...-PO-SP14619.png

31 March 2015 : APIPO1.doc - Current Virus total detections: 3/52* | 5/57**
...  at least one of the macros downloads http ://probagep.sandbox.proserver .hu/54/78.exe (Virus Total***)... previous campaigns over the last few weeks have delivered 2 or 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427789087/

** https://www.virustot...sis/1427789118/

*** https://www.virustot...sis/1427788227/

- http://blog.dynamoo....4619-sam-s.html
31 Mar 2015
... Recommended blocklist:
"
___

Fake 'Latest Docs' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Your Latest Documents from RS Components' coming from random names at random companies from  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-Components.png

31 March 2015: G-A7835690138927462557376-1.doc - Current Virus total detections: 0/56*
... only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427798514/

- http://blog.dynamoo....our-latest.html
31 Mar 2015
... Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169
"
___

Fake 'Passport Copy' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "FW: Passport copy pretending to come from salim@ humdsolicitors .co.uk with what is supposed to be a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ssport-copy.png

31 March 2015 : passport.doc ...

- http://blog.dynamoo....sport-copy.html
31 Mar 2015 - "This fake legal spam comes with a malicious attachment. It appears to be a forwarded message from a solicitors office, but it is just a simple forgery... The attachment is named passport.doc. It is exactly the -same- malicious payload as the one used in this spam run earlier today*, and it drops the Dridex banking trojan on the victim's PC."
* http://blog.dynamoo....4619-sam-s.html
___

Fake 'Debit Note' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Debit Note [random numbers]' information attached to this email coming from random name and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely -blank- body...

31 March 2015 : random name .doc - Current Virus total detections: 0/56* | 0/56** | 0/56*** ..."
* https://www.virustot...sis/1427808913/

** https://www.virustot...sis/1427807988/

*** https://www.virustot...sis/1427808948/

- http://blog.dynamoo....note-12345.html
31 Mar 2015 - "This fake financial spam comes with a malicious attachment. There is -no- body text... The executable downloaded is identical to the one used in this spam run* also taking place today. The payload is the Dridex banking trojan."
* http://blog.dynamoo....our-latest.html
___

Fake 'Your returns label' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
31 Mar 2015 - "'CollectPlus :: Your returns label' pretending to come from info <info@ collectplus .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...turns-label.png

31 March 2015: Random Attachment zip name: Extracts to: Reference.exe
Current Virus total detections: 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427800182/
___

World Back Up Day ...
- https://blog.malware...e-safety-first/
Mar 31, 2015 - "If your response to the question “When did you last back up?” is something to do with parking your car, then you should really take note of World Back Up Day*...
* http://www.worldbackupday.com/en/
According to the World Back Up Day statistics:
• 30% of people have never backed up their data.
• 113 phones are stolen / lost every minute (Ouch. You may want to invest in some remote wipe technology too).
• 29% of data deletion disasters are caused by accident..."


Edited by AplusWebMaster, 31 March 2015 - 04:35 PM.



#1431 AplusWebMaster


Posted 01 April 2015 - 05:35 AM

FYI...

Fake 'Tax Refund' SPAM - malware
- http://blog.dynamoo....ion-office.html
1 Apr 2015 - "This fake tax notification spam leads to malware hosted on Cubby.
    From:    Australian Taxation Office [noreply@ ato .gov .au]
    Date:    1 April 2015 at 00:51
    Subject:    Australian Taxation Office - Refund Notification
    IMPORTANT NOTIFICATION
    Australian Taxation Office - 31/03/2015
    After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.
    To view/download your tax notification please click here or follow the link below :
    https ://www .ato .gov .au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003
    Laurence Thayer, Tax Refund Department Australian Taxation Office


The names and the numbers -change- from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent .com (e.g. https ://www.cubbyusercontent .com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download. In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57*. Automated analysis tools... show that it downloads components from:
ebuyswap .co.uk/mandoc/muz3.rtf
eastmountinc .com/mandoc/muz3.rtf
It then attempts to phone home to:
141.105.141.87:13819/3103us13/HOME/41/7/4/
That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip .dyndns .org. Although this is benign, monitoring for it can be a good indicator of infection. These URL requests are typical of the Upatre downloader. According to the Malwr report it drops another binary jydemnr66.exe with a detection rate of 11/55** plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.
Recommended blocklist:
141.105.140.0/22
ebuyswap .co.uk
eastmountinc .com
"
* https://www.virustot...sis/1427874847/

** https://www.virustot...sis/1427876163/
___

Fake 'Delivery Note' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Apr 2015 - "'CIH Delivery Note 0051037484' pretending to come from Batchuser BATCHUSER <ecommsupport@ cihgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD


1 April 2015: CIH Delivery Note 0051037484.doc
Current Virus total detections: 0/56* | 0/56** | 0/56*** | 0/56****
So far I have seen 4 versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427875359/

** https://www.virustot...sis/1427875359/

*** https://www.virustot...sis/1427875320/

**** https://www.virustot...sis/1427875511/

- http://blog.dynamoo....-batchuser.html
1 Apr 2015 - "The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment...
Recommended blocklist:
"
___

Fake 'Sales_Order' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Apr 2015 - "'Sales_Order_6100152' pretending to come from Hazel Gough <hazel.gough@ kosnic .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...der_6100152.png

1 April 2015 : Sales_Order_6100152.doc ... same malware although renamed as today’s CIH Delivery Note 0051037484 – word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Fake 'Unpaid Invoice' SPAM - vbs malware
- http://myonlinesecur...rs-vbs-malware/
1 Apr 2015 - "'Unpaid Invoice [ID:99846] or This is your Remittance Advice [ID:98943]' (all random ID numbers) coming from -random- email addresses, persons and companies with a zip attachment is another one from the current bot runs... The attachments on these are so tiny at less than 1kb in size, that users will be easily fooled into thinking that they are harmless. The zips contain an encoded vbs script... The email body is totally -blank- ...

1 April 2015: Random Attachment zip name: Extracts to: 83JHE76328475243920_1a.doc.vbs
Current Virus total detections: 0/58*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427886418/

- http://blog.dynamoo....oice-09876.html
1 Apr 2015 - "... has -no- body text and comes from random senders... It has a ZIP attachment which contains... a malicious VBS script... very similar to the VBA macro used in this spam run yesterday:
> http://blog.dynamoo....our-latest.html
This binary has a detection rate of 4/55*..."
* https://www.virustot...sis/1427886150/
... Behavioural information
TCP connections
188.120.225.17: https://www.virustot...17/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/
___

Fake 'Remittance' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Apr 2015 - "'Your Remittance Advice NB PRIVATE EQUITY PARTNERS LTD'  (the company name is totally random but matches the name in the body) coming from random email addresses from with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The attachment name matches the advice in the body and looks like:

    Dear sir or Madam,
     Please find attached a remittance advice (ZL147QNXM.doc) for your information.
    Should you need any further information, please do not hesitate to contact us.
     Best regards
    NB PRIVATE EQUITY PARTNERS LTD


1 April 2015 : ZL147QNXM.doc - Current Virus total detections: 1/57*
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1427895461/

- http://blog.dynamoo....nce-advice.html
1 Apr 2015 - "... Recommended blocklist:
"
___

Fake 'o/s invoices' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
1 Apr 2015 - "'Van Sweringen o/s invoices' pretending to come from Lisa Anderson <landerson@ homewatchcaregivers .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Outstanding invoices attached!
    Thank you!
    Lisa
    Lisa J. Anderson/Office Manager
    Homewatch CareGivers of
    23811 Chagrin Blvd. Suite 114
    Beachwood, OH 44122 ...


1 April 2015: 6100_NULGE.zip: Extracts to: en_en.exe
Current Virus total detections: 9/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427902354/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/<<<
94.23.6.64: https://www.virustot...64/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/<<<
___

Xtube Exploit leads to Cryptowall Malware
- https://blog.malware...towall-malware/
31 Mar 2015 - "We wrote about the adult site xtube .com being compromised -redirecting- visitors to a landing page for the Neutrino Exploit kit last week*... The malware that dropped from the exploit was found here** and was called xtube.exe... All user files are encrypted using “RSA-2048″ encryption. In order to pay the -ransom- victims are instructed to visit paytoc4gtpn5cz12.torconnectpay .com. A separate address is also provided over the tor network:
> https://blog.malware...ELP_DECRYPT.png
... 'always good to remember that highly ranked websites (including adult content) are a prime target for hackers due to the traffic they get..."
* https://blog.malware...ia-neutrino-ek/

** https://www.virustot...e1357/analysis/
... Behavioural information
TCP connections
188.165.164.184: https://www.virustot...84/information/
93.185.106.78: https://www.virustot...78/information/

- http://blog.trendmic...ds-for-1q-2015/
April 1, 2015 - "Since the start of 2015, we have spotted several variants of crypto-ransomware plague the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were -not- limited to that region; Turkey, Italy, and France were also affected by this malware. We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware. These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price..."
(More detail at the trendmicro URL above.)


Edited by AplusWebMaster, 01 April 2015 - 01:54 PM.


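The spoofed-icon and double-extension lures catalogued in these posts (invoice_pdf.exe, Form.scr, a .doc.vbs, a .jpg that is really a downloader) can be caught at the mail gateway before the icon is ever shown to a user. Added example, not code from the forum or from the blogs it quotes: the archive, its file names and the placeholder contents are constructed, and the triage rules are an assumption about a sensible attachment policy.

```python
"""Attachment triage for the spoofed-icon and double-extension lures above.

Added example (not from the forum post or the blogs it quotes). The archive,
its file names and the placeholder contents are constructed; the policy rules
are an assumption about what a mail gateway should reject or hold.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows runs directly on double-click (subset, assumption).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "vbs", "vbe", "js", "jse", "wsf", "hta"}
# What a user expects a harmless attachment to be; used to spot "report.pdf.exe".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Office formats that carry the macro downloaders in the doc/xls runs above.
MACRO_CAPABLE_EXTS = {"doc", "xls", "docm", "xlsm", "rtf"}


@dataclass
class Finding:
    name: str
    verdict: str   # "block", "inspect" or "allow"
    reason: str


def _exts(name: str) -> List[str]:
    """'x.doc.vbs' -> ['doc', 'vbs']; 'Form.scr' -> ['scr']; 'README' -> []."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return parts[1:]


def _doc_hint(name: str) -> Optional[str]:
    """Document word glued to the stem: 'invoice_pdf.exe' -> 'pdf'."""
    stem = name.rsplit("/", 1)[-1].lower().split(".")[0]
    token = re.split(r"[\s_\-]+", stem)[-1]
    return token if token in DOCUMENT_EXTS else None


def is_pe(head: bytes) -> bool:
    """A Windows PE image starts with the 'MZ' DOS stub, whatever it is named."""
    return head[:2] == b"MZ"


def triage_entry(name: str, head: bytes) -> Finding:
    """Classify one archive member from its name and its first bytes."""
    exts = _exts(name)
    last = exts[-1] if exts else ""
    if is_pe(head) and last not in EXECUTABLE_EXTS:
        # kansp1.jpg renamed to dfsdfff.exe after download: content wins over name.
        return Finding(name, "block", f"PE header behind non-executable .{last}")
    if last in EXECUTABLE_EXTS:
        disguise = (exts[-2] if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS
                    else _doc_hint(name))
        if disguise:
            return Finding(name, "block", f"executable .{last} disguised as {disguise}")
        return Finding(name, "block", f"executable .{last} inside archive")
    if last in MACRO_CAPABLE_EXTS:
        return Finding(name, "inspect", "macro-capable Office document")
    return Finding(name, "allow", "no executable content detected")


def triage_zip(blob: bytes) -> List[Finding]:
    """Walk a ZIP attachment in memory; only two bytes of each member are read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            findings.append(triage_entry(info.filename, head))
    return findings


def worst_verdict(findings: List[Finding]) -> str:
    """Overall decision for the message: any 'block' wins, then 'inspect'."""
    rank = {"allow": 0, "inspect": 1, "block": 2}
    return max((f.verdict for f in findings), key=rank.__getitem__, default="allow")


def build_sample_zip() -> bytes:
    """Constructed sample: names from the spam runs above, contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_pdf.exe", b"MZ placeholder, not a real binary")
        zf.writestr("Form.scr", b"MZ placeholder, not a real binary")
        zf.writestr("83JHE76328475243920_1a.doc.vbs", b"' placeholder script")
        zf.writestr("kansp1.jpg", b"MZ placeholder, not a real binary")
        zf.writestr("APIPO1.doc", b"\xd0\xcf\x11\xe0 placeholder")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample_zip())
    for f in results:
        print(f"{f.verdict:8} {f.name:34} {f.reason}")
    print("message verdict:", worst_verdict(results))
```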

#1432 AplusWebMaster


Posted 02 April 2015 - 06:39 AM

FYI...

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
2 Apr 2015 - "'Invoice Attached' pretending to come from Kayel Brewery Supplies <sales@ kayel .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-Attached.png

23 April 2015 : I32230.doc - Current Virus total detections: 2/57* | 2/56**
... at least one of the macros downloads http ://WORKSPACECEGLARSKI .COM/025/42.exe ... 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustot...sis/1427962106/

** https://www.virustot...sis/1427962238/
___

Fake 'P.O.' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
2 Apr 2015 - "'Purchase Order 4390' pretending to come from Sales R-Tech <sales@ r-techwelding .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...90-1024x738.png

2 April 2015 : Purchase Order 4390.doc* ... same malware and download locations as today’s other macro malware downloaders Invoice Attached Kayel Brewery Supplies Gary Laker – word doc or excel xls spreadsheet malware* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Fake 'Purchase Invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
2 Apr 2015 - "'[426168]( random) Medico-Legal Report Expert Purchase Invoice' pretending to come from case <case@ dasmedical .co.uk> with a zip attachment is another one from the current bot runs... The email looks like:
     Please find the attached documents
     1. The expert Purchase Invoice.


2 April 2015: 426168_Y8b4fBMdb_551D0159.F9F84862@ ....co.uk.zip: Extracts to: invoice.exe
Current Virus total detections: 2/56* ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427967925/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
199.189.85.156: https://www.virustot...56/information/
___

Fake 'bank invoice' SPAM - malware
- http://blog.dynamoo....lsterbanki.html
2 Apr 2015 - "This fake banking email leads to malware.
    From:    invoice@bankline.ulsterbank.ie [invoice@ bankline .ulsterbank.ie]
    Date:    2 April 2015 at 11:46
    Subject:    Outstanding invoice
    Dear [victim],
    Please find the attached copy invoice which is showing as unpaid on our ledger.
    To download your invoice please click here
    I would be grateful if you could look into this matter and advise on an expected payment date .
    Courtney Mason
    Credit Control
    Tel: 0845 300 2952


The link in the email leads to a download location at hightail .com (the sample I saw downloaded from https ://www.hightail .com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.
The executable has a VirusTotal detection rate of 3/57* and has characteristics that identify it as Upatre. Automated analysis tools... show that it downloads additional components from:
eduardohaiek .com/images/wicon1.png
edrzambrano .com.ve/images/wicon1.png
It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:
http ://141.105.141.87 :13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57**. This is probably the Dyre banking trojan.
Recommended blocklist:
141.105.140.0/22
eduardohaiek .com
edrzambrano .com

MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6 "

* https://www.virustot...sis/1427971860/

** https://www.virustot...sis/1427972349/
___

Fake 'scanned docs' SPAM - malware
- http://blog.dynamoo....ument-from.html
2 Apr 2015 - "These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.
From:    Cindy Pate [Caroline.dfd@ flexmail .eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]
Reply to: HP-Scanner@ flexmail .eu
Model:KX-240NGZDC
Location: 1st Floor Office
File Format: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document...


I have seen three different malicious attachments with low detection rates... which appear to contain one of two macros... which download a further component from one of the following locations:
http ://93.158.117.163 :8080/bz1gs9/kansp.jpg
http ://78.47.87.131 :8080/bz1gs9/kansp.jpg
Those servers are almost definitely malicious in other ways, the IPs are allocated to:
93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)
This is then saved as %TEMP%\sdfsdffff.exe ... Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.
Recommended blocklist:
..."
___

Fake 'Snap on Tools invoice copies' SPAM - malware
- http://blog.dynamoo....es-snap-on.html
2 Apr 2015 - "This -fake- invoice does not come from Snap On Tools, but is instead a simple forgery.
    From:    Allen, Claire [Claire.Allen@ snapon .com]
    Date:    24 February 2015 at 14:41
    Subject:    Copy invoices Snap on Tools Ltd
    Good Afternoon
    Attached are the copy invoices that you requested.
    Regards
    Claire
    Your message is ready to be sent with the following file or link attachments:
    SKETTDCCSMF14122514571 ...


... attachment SKETTDCCSMF14122514571.doc which contains this malicious macro... which downloads a further component from:
http ://ws6btg41m.homepage. t-online .de/025/42.exe
This executable has a detection rate of 5/57*. Various automated analyses... show attempted communications to the following IPs:
91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)
According to this Malwr report it drops another version of the downloader called edg1.exe [VT 4/57**] and a malicious Dridex DLL [VT 2/57***].
Recommended blocklist:
..."
* https://www.virustot...sis/1427978113/

** https://www.virustot...sis/1427979096/

*** https://www.virustot...sis/1427979103/


Edited by AplusWebMaster, 02 April 2015 - 11:37 AM.



#1433 AplusWebMaster


Posted 03 April 2015 - 06:56 AM

FYI...

Fake 'Scanned Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
3 Apr 2015 - "'Scanned Invoice [89412268] from FLYBE GROUP PLC' pretending to come from Warren Horn <Moses.3a@ tcl. net .in> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Location: 1st Floor Office
     File Extension: DOC (Medium)
    Resolution: 300dpi x 300dpi
     Attached file is scanned document in DOC format.
    Warren Horn , FLYBE GROUP PLC


3 April 2015: 89412268.doc - Current Virus total detections: 0/56*
This downloads http ://75.150.62.121 :8080/bz1gs9/kansp1.jpg and then renames it to %temp%\dfsdfff.exe and runs without any further user interaction (VirusTotal**) ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1428054150/

** https://www.virustot...sis/1428057630/
... Behavioural information
TCP connections
151.252.48.36: https://www.virustot...36/information/
185.35.77.12: https://www.virustot...12/information/
199.201.121.169: https://www.virustot...69/information/
193.255.201.86: https://www.virustot...86/information/
188.226.129.49: https://www.virustot...49/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/

75.150.62.121: https://www.virustot...21/information/
___

Fake 'calcs attachments' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Apr 2015 - "'All American C&E/ Nardin' pretending to come from office <office@ energycalcs .net> with a zip attachment is another one from the current bot runs... The email looks like:
     Your completed calcs are attached.
    The first attachment is your Manual J&S Load calcs.
    The second is your Form 405-10 Energy code compliance calc.
    If you have any questions, feel free to call.
    Thank you so much for your business!
    Ed Wolfe- Office Manager
    Energycalcs.net, Inc ...


3 April 2015: Random Attachment zip name: Extracts to:  iDocs.exe
Current Virus total detections: 4/56*. The attachment with this All American C&E/ Nardin email is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428054460/


Edited by AplusWebMaster, 03 April 2015 - 07:15 AM.



#1434 AplusWebMaster


Posted 06 April 2015 - 07:22 AM

FYI...

Fake Barclays SPAM – PDF malware
- http://myonlinesecur...-pdf-malware-3/
6 Apr 2015 - "'Barclays – Important Update, read carefully!' pretending to come from Barclays Online Bank <security-update@ Barclays. co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...d-carefully.png

6 April 2015: Form.zip: Extracts to:  Form.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428321955/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustot...70/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

- http://threattrack.t...ant-update-spam
Apr 6, 2015


Edited by AplusWebMaster, 06 April 2015 - 10:41 PM.



#1435 AplusWebMaster


Posted 07 April 2015 - 07:05 AM

FYI...

Fake 'EBOLA INFO' SPAM - malicious attachment
- http://blog.dynamoo....nformation.html
7 Apr 2015 - "This fake medical email contains a malicious attachment...
    From:    noreply@ ggc-ooh .net
    Reply-To:    noreply@ ggc-ooh .net
    Date:    7 April 2015 at 08:58
    Subject:    EBOLA INFORMATION
    This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ ggc-ooh .net
    PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.
    THANK YOU.


Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro... which contains a lot of girls' names as variables ... When decoded the macro downloads a component from:
http ://deosiibude .de/deosiibude.de/220/68.exe
VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools... show it phoning home to the following IPs...:
37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)
85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)
According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.
Recommended blocklist:
37.140.199.100
46.228.193.201
130.241.92.141
46.101.49.125
122.167.6.68
85.255.173.109
5.100.249.215
217.37.39.235
81.190.50.232
46.228.193.201
89.228.15.18

MD5s:
E4CC002A95CAAF4481CB7140BBE96C58
C86A9D012E372D0C3A82B14978FFA1F0
F98A674A5FA473AC9BF738636FF6374E "
___

Fake 'Invoice Maid of London' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 Apr 2015 - "'March 2015 Invoice' pretending to come from Accounts @ Maid of London <accounts@ maidoflondon .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...d-of-London.png

7 April 2015 : March invoice 811.doc - Current Virus total detections: 0/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1428403055/
___

Fake 'legal claim' SPAM - malicious attachment
- http://blog.dynamoo....has-issued.html
7 Apr 2015 - "This fake legal spam comes with a malicious attachment:
    From:    Isiah Mosley [Rosella.e6@ customer .7starnet .com]
    Date:    7 April 2015 at 14:09
    Subject:    Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]
    Schroders,Isiah Mosley


The company name is randomly chosen. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro... Along with an alternate macro, I can see download locations from:
http ://185.39.149.178 /aszxmy/image04.gif
http ://148.251.87.253 /aszxmy/image04.gif
For the record, 185.39.149.178 is OOO A.S.R. in Russia and 148.251.87.253 is Hetzner in Germany. The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detection rate of 2/56*. Automated analysis tools... show the malware phoning home to:
151.252.48.36 (Vautron Serverhousing, Germany)
According to the Malwr report, it drops a DLL with a detection rate of 2/56* which is most likely a Dridex DLL.
Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178

MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0"
* https://www.virustot...a0281/analysis/
___

Fake 'Chase Card Services' SPAM – malware
- http://myonlinesecur...ayment-malware/
7 Apr 2015 - "'Thank you for scheduling your online payment' pretending to come from Chase Card Services <no-reply@ alertsp .chase .com> with a zip attachment is another one from the current bot runs...
  Dear Thank you for scheduling your recent credit card payment as an attachment. Your payment in the amount of 3898.96 will be credited to your credit card account (CREDIT CARD) ending in 2143 on 04/07/2015.
Now that you’re making your payment online, are you aware of all the convenient ways you can manage your account online?
    See statements – Choose to stop receiving paper statements, and see up to six years of your statements online.
    See automatic payments – Set up monthly payments to be made automatically.
    Transfer a balance – Transfer a balance to your credit card account.
    Go to Personalized Alerts – Schedule Alerts to remind you of key account activity.
You can also see past payments you’ve made online by logging on to www.chase.com/creditcards and clicking “See/cancel payments” under “I’d like to …”
If you have questions, please call the Customer Service number on the back of your credit card.
Thanks again for using online payments.
Sincerely,
Cardmember Services ...


7 April 2015: payment-2143-wiqr_BSFMN.zip: Extracts to:  payment.exe
Current Virus total detections: 7/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF or image file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428417618/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
162.252.57.88: https://www.virustot...88/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 07 April 2015 - 10:56 AM.

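The posts above keep returning to the same trick: a zip attachment whose member is really an executable (`Form.scr`, `payment.exe`, `invoice_pdf.exe`) that Windows shows without its extension. The following is an added example, not code from the forum post or from the blogs it quotes, showing how a mail gateway or analyst script can flag that pattern before a user ever sees the file. The archives it scans are constructed in memory; the member names are modelled on the ones quoted in the posts, the file bytes are dummies, and the extension lists are this example's own assumptions.

```python
"""Flag e-mail attachments that hide an executable behind a document-like name.

Added example (not code from the forum post or the quoted blogs). Windows hides
known extensions by default, so "Form.scr" or "msg0005.wav.exe" is displayed as
"Form" or "msg0005.wav" with a borrowed icon. This scanner looks at both the
member name and the first bytes of the member.
"""
import io
import zipfile

# Extensions Windows executes directly on double-click (example's own list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "cpl"}
# Extensions a recipient would expect to be harmless documents or media.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "xml", "wav", "jpg", "png", "txt"}

# Every Windows PE file starts with this two-byte "MZ" signature.
PE_MAGIC = b"MZ"


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a zip member looks like a disguised executable ([] if none)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
        # "msg0005.wav.exe": a decoy extension right before the real one.
        if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
        # "invoice_pdf.exe": a decoy word glued onto the stem with _ or -.
        stem = ".".join(parts[:-1])
        for decoy in DECOY_EXTENSIONS:
            if stem.endswith("_" + decoy) or stem.endswith("-" + decoy):
                reasons.append(f"decoy word '{decoy}' in name")
                break
    # A PE header under a document extension is suspicious on its own.
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header but non-executable extension")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Scan an in-memory zip; map each suspicious member name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed test fixture: build a zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples modelled on attachment names quoted in the posts.
SAMPLES = {
    "Form.zip": build_sample_zip({"Form.scr": PE_MAGIC + b"\x90" * 64}),
    "msg0005.wav.zip": build_sample_zip({"msg0005.wav.exe": PE_MAGIC + b"\x90" * 64}),
    "report.zip": build_sample_zip({"Report.pdf": b"%PDF-1.4 dummy"}),
    "renamed.zip": build_sample_zip({"Invoice.pdf": PE_MAGIC + b"\x90" * 64}),
}


def scan_samples() -> dict:
    """Scan every constructed sample archive."""
    return {name: scan_zip(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for archive, findings in scan_samples().items():
        print(f"{archive}: {'SUSPICIOUS' if findings else 'ok'} {findings}")
```

The header check matters as much as the name check: an attacker who renames `payment.exe` to `payment.pdf` defeats the extension rules but not the `MZ` test, while a genuine PDF with a scary name trips neither.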


#1436 AplusWebMaster


Posted 08 April 2015 - 03:33 AM

FYI...

- http://krebsonsecuri...is-defacements/
Apr 7, 2015

Fake Government Websites ...
- https://www.us-cert....rnment-Websites
Apr 7, 2015 - "The Internet Crime Complaint Center (IC3) has released an alert that warns consumers of fraudulent government-services websites that mimic legitimate ones. Scam operators lure consumers to these -fraudulent- websites in order to steal their personal identifiable information (PII) and collect fees for services that are never delivered. US-CERT encourages users to review the IC3 Alert* for details and refer to the US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* http://www.ic3.gov/m...5/150407-2.aspx
Apr 7, 2015
** https://www.us-cert....s/tips/ST04-014
Apr 7, 2015
___

Web Site Defacements ...
- https://www.us-cert....ite-Defacements
Apr 7, 2015 - "The Internet Crime Complaint Center (IC3) has issued an alert addressing recently perpetrated Web site defacements. The defacements advertise themselves as associated with the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). However, FBI assesses that the perpetrators are -not- actually associated with this group. The perpetrators exploit WordPress content management system (CMS) vulnerabilities, leading to disruptive and costly effects. Users and administrators are encouraged to review the IC3 Alert* for details and refer to the US-CERT Alert TA13-024A** for information on CMS security."
* http://www.ic3.gov/m...5/150407-1.aspx
Apr 7, 2015
** http://www.us-cert.g...lerts/TA13-024A
Apr 7, 2015
___

Fake 'UNPAID INVOICES' SPAM - malicious attachment
- http://blog.dynamoo....ices-wayne.html
8 Apr 2015 - "This -fake- invoice spam is not from Orion Plastics but is instead a simple forgery with a malicious attachment.
    From:    Wayne Moore [wayne44118@ orionplastics .net]
    Date:    8 April 2015 at 09:03
    Subject:    TWO UNPAID INVOICES
    4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
    INVOICE # 029911  DATED 1/7/15 FOR $840.80
    INVOICE # 030042  DATED 1/30/15 FOR $937.00
    PLEASE ADVISE WHEN  YOU SENT CHECK AND TO WHAT ADDRESS
    I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT
    REGARDS-WAYNE


In this case the email was -malformed- and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56*. Extracting the document revealed this malicious macro... which downloads an additional component from:
http ://fzsv .de/11/004.exe
There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54**. Automated analysis tools... show it phoning home to the following IPs:
37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)
The Malwr report shows it attempting to connect to a couple of Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:
90.84.136.185
184.25.56.220
According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57**.
Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46

MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877 "
* https://www.virustot...sis/1428485931/

** https://www.virustot...sis/1428485937/
___

Fake 'BACS Transfer' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Apr 2015 - "'BACS Transfer : Remittance for JSAG783GBP' pretending to come from random names and email addresses at natwest .com with a zip attachment is another one from the current bot runs... The email which has random amounts looks like:

    We have arranged a BACS transfer to your bank for the following amount : 4278.00
    Please find details attached.


8 April 2015: BACS_Transfer_AQ004719.zip : Extracts to:  BACS_Transfer_AQ004719.scr
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428491113/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
66.7.216.61: https://www.virustot...61/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Password Re-activation' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Apr 2015 - "'Bankline ROI – Password Re-activation Form' pretending to come from various names and email addresses @rbs .co .uk with a zip attachment is another one from the current bot runs... The email looks like:
    Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form.
    Fax to 1850 262125 or alternatively you may wish to email the completed document, by attaching it to an email and sending it to banklineadministration@ rbs .co .uk
    On receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email.
    <<Bankline_Password_reset_3978322.pdf>>
    Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered.
    Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details.
    If you are the sole Standard Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in a Standard Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner.
    If you require any further assistance then please do not hesitate to contact us on 1850 245140 and one of our associates will be happy to assist you.
    Regards
    Bankline Product Support ...


Same malware payload, although -renamed- as Bankline_Password_reset_0319234.zip (random numbers) as today’s NatWest attempt BACS Transfer : Remittance for JSAG783GBP – fake PDF malware* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
___

Fake 'Invoice' SPAM - malicious doc/xls
- http://blog.dynamoo....mpany-name.html
8 Apr 2015 - "This -Dridex- spam takes a slightly different approach from other recent ones. Instead of -attaching- a malicious Office document, it downloads it from a compromised server instead. The example I saw read:
    From:    Mitchel Levy
    Date:    8 April 2015 at 13:45
    Subject:    Invoice from MOTHERCARE
    Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.
    Download your invoice here.
    Thanks for attention. We appreciate your business.
    If you have any queries, please do not hesitate to contact us.
    Mitchel Levy, MOTHERCARE


The link in the email has an address using the domain afinanceei .com plus a subdomain based on the recipient's email address. It also has the recipient's email address embedded in the URL, for example: http ://victimbfe .afinanceei .com/victim@ victim .domain/
This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:
> https://4.bp.blogspo...dex-landing.png
... The link in the email downloads a file from:
http ://31.24.30.12 /api/Invoice.xls
At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http ://31.24.30.12 /api/ shows a -fake- page pretending to be from Australian retailer Kogan:
> https://4.bp.blogspo.../fake-kogan.png
As you might guess, Invoice.xls contains a malicious macro... but the real action is some data hidden in the spreadsheet itself... it instructs the computer to download a malicious binary from:
http ://46.30.43.102 /cves/kase.jpg
This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC. This binary has a VirusTotal detection rate of 6/57*. Automated analysis tools... show it communicating with the following IPs:
109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)
In addition there are some Akamai IPs which look benign...
184.25.56.212
184.25.56.205
2.22.234.90
According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack:
> http://blog.dynamoo....ices-wayne.html
Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478 "
* https://www.virustot...sis/1428499086/
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 08 April 2015 - 12:33 PM.



#1437 AplusWebMaster


Posted 09 April 2015 - 04:52 AM

FYI...

Fake 'Credit card transaction' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
9 Apr 2015 - "'Credit card transaction' pretending to come from Matthews, Tina <tina@ royalcarson .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...transaction.png

9 April 2015: 20150326094147512.doc - Current Virus total detections: 0/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1428569272/

- http://blog.dynamoo....thews-tina.html
9 Apr 2015
"...Tina Matthews
... Recommended blocklist:
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24
..."
___

Fake 'sorry you had a problem' SPAM – malware
- http://myonlinesecur...rchase-malware/
9 Apr 2015 - "'We’re sorry you had a problem with your purchase' coming from random email addresses with a zip attachment is another one from the current bot runs... There are lots of different subjects with this malware spam run today. They include:
    we’re issuing you a refund
    a full refund
    We’re sorry you had a problem with your purchase
    The refund include original shipping
    a payment reminder
    RE: direct debit payment
    direct debit payment
    invoice
    NEW Payment reminder ...
The email looks like:

    'We issued you a full refund of 161.18 on Apr 09, 2015 The refund includes the purchase price plus original shipping.
    Decision:
    This case has been decided in your favor.
    We’re sorry you had a problem with your purchase, and we’re issuing you a refund for this case.'

-Or-

    'Hello, Payment Reminder: your invoice 62169289 dated 07.04.2015 in the amount 573.96'


All the emails have different amounts and various dates. The attachment names vary. So far I have seen refund_shipping_DOC.xml.exe and invoice.92004711.2015.04.08.doc.exe ...
9 April 2015: refund_shipping_DOC.xml.zip: Extracts to: refund_shipping_DOC.xml.exe
Current Virus total detections: 1/57* - This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428567172/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Trade Confirmation' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Apr 2015 - "'Your Trade Confirmation(s) are Available' pretending to come from noreply@ masteryconnect .com with a zip attachment is another one from the current bot runs... The email looks like:

Please review the attached RFI, Submittal cheatsheet – this update reflects latest changes from RVA.

9 April 2015 : view kklvyg.zip: Extracts to:  view.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428583433/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Fake 'Mail Out Report' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Apr 2015 - "'Mail Out Report Attached' pretending to come from Alert ARC Reports <zen179397@ zen .co .uk> with a zip attachment is another one from the current bot runs... The email looks like:

    From Securitas, please do not reply to this e-mail as it is auto generated.
    For any problems please e-mail derry.andrews@ securitas .co .uk


9 April 2015: Q100219366_Mail Out Report.zip: Extracts to: Q100219366_Mail Out Report.exe
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428580032/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
208.91.198.171: https://www.virustot...71/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Voicemail' SPAM –  wav malware
- http://myonlinesecur...ke-wav-malware/
9 Apr 2015 - "'New message in mailbox 301***200' pretending to come from Voipfone Voicemail <voicemail@ voipfone .co .uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...in-mailbox..png

9 April 2015: msg0005.wav.zip : Extracts to:   msg0005.wav.exe
Current Virus total detections: 2/47* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (voice) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428582133/
... Behavioural information
UDP communications
23.99.222.162: https://www.virustot...62/information/
___

Fake 'incoming wire' – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Apr 2015 - "'Unknown incoming wire' pretending to come from random names @metrobankonline .co.uk with a zip attachment is another one from the current bot runs... The email looks like:
     The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
    EFT Amount:                       60,200.00 GBP
    Remitted From: SSA TREAS 310 MISC PAY
    Designated for:                       UNKNOWN
    Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
    If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
    Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00, April 09, 2015.
    Thank you...


9 April 2015: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428584776/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
149.255.58.7: https://www.virustot....7/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Fake 'disneyinteractive' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Apr 2015 - "'yearly Report' pretending to come from apps@ e.disneyinteractive .com with a zip attachment is another one from the current bot runs... The email looks like:

    Annual Report as an attachment

9 April 2015: Annual #Thu, 09 Apr 2015 18_14_02 +0100.cab: Extracts to: Report.exe
Current Virus total detections: 7/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428598594/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
104.156.59.86: https://www.virustot...86/information/
___

Namailu .com SPAM
- http://blog.dynamoo....lucom-spam.html
9 Apr 2015 - "This -spam- has been appearing in my inbox for several days now:
From:    Shana Felton [9k7bf-2976014268@serv .craigslist .org]
Date:    9 April 2015 at 19:10
Subject:    New commitment invitation - [redacted]
Sarah Smith
Hi Namailu User,
You have a commitment invitation from Sarah Smith. To view your commitment invitation please follow this link:
View Invitation
Copyright © 2015, Namailu Online Ltd...

    
Clicking through the link leads to https ://www .namailu .com/Smith.Sarah.206
> https://4.bp.blogspo...00/namailu1.jpg
Obviously we are led to believe that the girl in the picture is sending the message:
> https://3.bp.blogspo...5448322.png.jpg
Reverse image search comes up with -no- matches, unusually. Goodness knows how many people there are called "Sarah Smith" in New Zealand. Probably quite a lot. The spam messages come from a range of IPs that are also used to spam out promotional material for a site called dirtyemojis .com (using a redirector of dirtyemojis .ru). The spam is sent from a range of Chinese IP addresses... In each case the "From" address is -fake- ... A quick search of the body text of the message shows that it has been spammed out quite widely... this clueless approach does -not- bode well for a site that deals in highly personal data and my personal opinion would be to give this particular outfit a very wide berth."
___

Fake 'eFax' message SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Apr 2015 - "'eFax message from “Anna” – 2 page(s), Caller-ID: 1- 920-530-9136' pretending to come from eFax <no-replay@ efax .com> with a zip attachment is another one from the current bot runs... The email looks like:

    JOIN THE eFax COMMUNITY
    Facebook    twitter    google+    youtube
    You have a new eFax message. To view your message, see your fax attached or login here.
    Fax Details
    Caller Id: 920-530-9136
    Received: Wed, 08 Apr 2015 18:43:01 +0100
    Type: Attached in pdf
    Number of pages: 2
    Reference #: atl_did9-SK6dCw_1X4W21v_3tk3rGIT
    With eFax, did you know you can:
    • Send faxes from your desktop or mobile device
    • Sign and edit faxes with no printing required
    • Send large files by email (up to 1 GB)
    Learn more >>
    Thank you for using eFax!
    Sincerely,
    The eFax Team
    P.S. Want more solutions to help your business?
    Test drive our cloud services from j2 Global with a Free Trial today!
    j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
    © 2015 j2 Cloud Services, Inc. All rights reserved.
    eFax is a registered trademark of j2 Cloud Services, Inc.
    This account is subject to the terms listed in the eFax Customer Agreement.


8 April 2015: SK6dCw 1X4W21v 3tk3rGIT.zip: Extracts to: chase.exe
Current Virus total detections: 5/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428511349/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
67.222.12.237: https://www.virustot...37/information/
109.237.134.22: https://www.virustot...22/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

Fake 'Chase Card For your account' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Apr 2015 - "'Chase Card For your account' ending pretending to come from Chase <dont@ alertsp .chase .com> with a zip attachment is another one from the current bot runs... Other subjects in this chase card spam malware run are:
    Hi Customer
    For your account ending ...
The email looks like:
 
    If you are having trouble viewing this message, please click here. E-mail Security Information.
    CHASE
    GET ITEMIZED & ORGANIZED
    1. Log on to www .chase .com/creditcards.
    At the bottom of you statement page, click "year end summary" link.
    View, print, or save your summary.
    ACTIVATE ALERTS
    GO PAPERLESS
    Dear Customer,
    For your credit card ending in: 0093 Your 2015 Year End Summary is now attached and ready for you to view. If you have additional accounts that qualify for a year end summary, you will be notified shortly when they are available.
    This year’s summary includes eight categories to provide detail about how you use your card. We hope you find this summary helpful as you prepare your taxes and set your budget for 2016.
    See all your transactions by category:
    Categories
    Sincerely,
    Deb Walden
    Executive Vice President
    Customer Experience
    Chase Card Services
    GET YOUR FREE SUMMARY - GO NOW


8 April 2015: Chase_Chase Card_information.zip: Extracts to: Chase_Chase Card_information.exe
Current Virus total detections: 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...."
* https://www.virustot...sis/1428505049/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
67.222.12.237: https://www.virustot...37/information/
109.237.134.22: https://www.virustot...22/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 09 April 2015 - 04:46 PM.

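Several of the quoted dynamoo.com write-ups end with a "Recommended blocklist", and the Tina Matthews one mixes single hosts with a whole range (95.163.121.0/24). A plain string compare would miss every address in that /24. The following is an added example, not code from the forum post or from the blogs it quotes, showing how to load such a list with Python's `ipaddress` module and run it over outbound connection logs. The blocklist entries are copied from the post; the log lines and their "timestamp src dst port" layout are constructed for this example and do not represent any particular product's export format.

```python
"""Match outbound connection log lines against a published IP blocklist.

Added example (not code from the forum post or the quoted blogs). The list
mixes bare addresses and CIDR ranges, so each entry is parsed into a network
object and destinations are tested for membership rather than equality.
"""
import ipaddress
from collections import defaultdict

# Blocklist values copied from the dynamoo.com post quoted above (9 Apr 2015).
BLOCKLIST_TEXT = """
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24
"""

# Constructed sample log lines in a hypothetical "timestamp src dst port" format.
SAMPLE_LOG = """
2015-04-09T10:01:02Z 10.0.0.15 91.230.60.219 443
2015-04-09T10:01:05Z 10.0.0.15 95.163.121.77 8080
2015-04-09T10:01:09Z 10.0.0.22 95.163.122.1 80
2015-04-09T10:02:11Z 10.0.0.15 8.8.8.8 53
2015-04-09T10:02:30Z 10.0.0.31 not-an-ip 80
"""


def parse_blocklist(text: str) -> list:
    """Parse one entry per line; a bare address becomes a /32 (or /128) network."""
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False tolerates host bits set in a range entry (e.g. 10.0.0.1/24).
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def match_log(log_text: str, networks: list) -> dict:
    """Return {matched destination IP: [(timestamp, source IP), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or truncated line
        ts, src, dst, _port = fields
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed destination field; skip rather than crash the sweep
        if any(dst_ip in net for net in networks):
            hits[dst].append((ts, src))
    return dict(hits)


def run() -> dict:
    """Sweep the constructed log with the quoted blocklist."""
    return match_log(SAMPLE_LOG, parse_blocklist(BLOCKLIST_TEXT))


if __name__ == "__main__":
    for dst, events in run().items():
        for ts, src in events:
            print(f"{ts} {src} -> {dst} matches blocklist")
```

Note that 95.163.122.1 is deliberately left unmatched: it is one bit outside the /24, which is the kind of near miss that a substring match on "95.163.12" would wrongly report.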


#1438 AplusWebMaster


Posted 10 April 2015 - 09:10 AM

FYI...

Fake 'Invoice Payment Confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Apr 2015 - "'Invoice Payment Confirmation' pretending to come from WEBHOSTING UK <billing@ webhosting .uk .com> with a malicious word doc or Excel XLS spreadsheet attachment  is another one from the current bot runs... The email looks like:

Screenshot: http://myonlinesecur...onfirmation.png

10 April 2015 : WHUK2009-160824.doc - Current Virus total detections: 4/57*
... which downloads Dridex from [DO NOT CLICK] architectureetenvironnement .ma/762/532 which is saved as %temp%\miron3.6.exe (virus total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1428669374/

** https://www.virustot...sis/1428673121/
... Behavioural information
TCP connections
37.140.199.100: https://www.virustot...00/information/
90.84.59.66: https://www.virustot...66/information/
185.35.77.250: https://www.virustot...50/information/
94.23.173.233: https://www.virustot...33/information/
94.23.171.198: https://www.virustot...98/information/
87.236.215.151: https://www.virustot...51/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Receipt Request' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Apr 2015 - "'Your Receipt Request' pretending to come from McMaster-Carr <la.sales@ mcmaster .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Hi ,
     I attached the receipts you requested.
    Annette


10 April 2015 : Receipts.doc - Current Virus total detections: 4/57*
This is exactly the same malware as the other office macro malware spreading today WEBHOSTING UK Invoice Payment Confirmation* – word doc or excel xls spreadsheet malware..."
* http://myonlinesecur...dsheet-malware/
 

:ph34r: :ph34r:   :grrr:




#1439 AplusWebMaster


Posted 11 April 2015 - 04:57 PM

FYI...

VBS Malware tied to Attacks on French TV Station TV5Monde
- http://blog.trendmic...-media-attacks/
Apr 11, 2015 - "... we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India... this malware is available in underground forums and can be used by anyone. This particular malware can be used as a backdoor into the affected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind KJWORM and BLADABINDI are the same. Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM). These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region... The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time), when 11 of their channels went off the air... TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published. It should be noted that the technical background of this attack is not yet clear. However, the -RAT- generator is currently available in several hacker forums and can be used by any threat actor... one does not need a lot of technical skill to use it..."
 

:ph34r: :ph34r:




#1440 AplusWebMaster


Posted 13 April 2015 - 09:51 AM

FYI...

Fake 'tax return' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Apr 2015 - "'Your tax return was incorrectly filled out' pretending to come from user <chak.noris@ tax .gov> with a zip attachment is another one from the current bot runs... The email looks like:

    Attention: Owner/ Manager
     We would like to inform you that you have made mistakes while completing
    the last tax form application (ID: 0054206036751) .
    Please follow the advice of our tax specialists:
    http ://clinicaasera .org/FAX.MESSAGE-DATA-STORAGE/incoming-new_message.html
    Please amend the mistakes and send the corrected tax return to your tax
    agent as soon as possible.
    Yours sincerely


13 April 2015: new-message.zip: Extracts to: new-message.exe
Current Virus total detections: 2/57* . This 'Your tax return was incorrectly filled out' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428931605/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
5.141.22.43: https://www.virustot...43/information/
217.160.235.239: https://www.virustot...39/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

Fake 'inTuit Payroll' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Apr 2015 - "'Payroll Received by Intuit' pretending to come from Intuit Payroll Services <IntuitPayrollServices@ payrollservices .intuit .com> with a zip attachment is another one from the current bot runs... The email looks like:

    Dear, info
    We received your payroll on April 13, 2015 at 09:06 AM EST.
    Attached is a copy of your Remittance. Please click on the attachment in order to view it.
    Please note the deadlines and status instructions below:
    If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the date received or on your paycheck date, whichever is later.
    If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking days from the date received or on your paycheck date, whichever is later.
    YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
    Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
    Intuit must receive your payroll by 5 p.m., two banking days before your paycheck date or your employees will not be paid on time.
    Intuit does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Sincerely,
    Intuit Payroll Services ...


13 April 2015: payroll_report_08222014.zip: Extracts to: payroll_report_08222014.exe
Current Virus total detections: 6/57* . This 'Payroll Received by Intuit' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1428945209/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
27.121.64.159: https://www.virustot...59/information/
5.141.22.43: https://www.virustot...43/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Another '419' Spam/Scam
- https://blog.malware...vault-419-spam/
Apr 13, 2015 - "Every now and then a 419 scammer dredges up an old scam mail, gives it a bit of spit and polish then sends it back out into the wild. The “International Reconciliation and Logistics Vault” has been a subject for 419 attempts* for a number of years now, though the typical format of these missives tends to be more like this one. Indeed, here it comes again:
> https://blog.malware...gisticsspam.jpg
... Should you receive this one, feel free to send it right to the trash..."
* https://en.wikipedia.../wiki/419_scams

 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 13 April 2015 - 07:10 PM.

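Several of the campaigns quoted in this post rely on the same trick: an executable inside a zip whose name and icon imitate a PDF (invoice_pdf.exe, new-message.exe, payroll_report_08222014.exe). The following is an added example, not code from the forum thread or from the quoted blogs, showing how a mail gateway or analyst script can inspect a zip attachment in memory and flag members by both their extension and their file header, so that a renamed PE file is caught even when the extension looks harmless. The extension list, the decoy-name tokens and the sample zip contents are constructed assumptions for illustration.

```python
"""Flag executable content inside a zip e-mail attachment.

Added example: not code from the forum thread or the quoted blogs.
The extension list, decoy tokens and sample data are constructed.
"""
import io
import os
import zipfile

# Extensions Windows will run on double-click even when the icon says "PDF"
# (assumption: a representative list, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".cpl"}
# Document-looking tokens that often precede the real extension
# (e.g. "invoice_pdf.exe", "report.pdf.exe").
DECOY_TOKENS = ("pdf", "doc", "xls", "jpg", "txt")


def classify_member(name, head):
    """Return the reasons a zip member looks like a disguised executable.

    `name` is the member path inside the archive, `head` its first bytes.
    """
    reasons = []
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % ext)
        if any(tok in stem.lower() for tok in DECOY_TOKENS):
            reasons.append("document-looking name before %s" % ext)
    # PE files begin with the 'MZ' DOS header whatever their name says.
    if head[:2] == b"MZ":
        reasons.append("PE (MZ) header")
    return reasons


def suspicious_members(zip_bytes):
    """Inspect every member of an in-memory zip; return {name: reasons}.

    Only the first two bytes of each member are read, so a large member
    costs little and nothing is written to disk.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample shaped like the attachments quoted in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_pdf.exe", b"MZ" + b"\0" * 64)   # spoofed-icon exe
        zf.writestr("USPS04142015.scr", b"MZ" + b"\0" * 64)  # screensaver = exe
        zf.writestr("payroll.pdf", b"MZ" + b"\0" * 64)       # exe renamed to .pdf
        zf.writestr("README.txt", b"plain text, harmless")
        zf.writestr("statement.pdf", b"%PDF-1.4\n%harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

Checking the header as well as the name is what makes the "show known file extensions" advice enforceable at the gateway: a user cannot be relied on to notice the hidden .exe, but a two-byte read of each member will.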


#1441 AplusWebMaster


Posted 14 April 2015 - 04:16 AM

FYI...

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....ren-varker.html
15 Apr 2015 - "This fake invoice has a malicious attachment:

    From: Kairen Varker [mailto:kvarker@ notifications .kashflow .com] On Behalf Of Kairen Varker
    Sent: Tuesday, April 14, 2015 9:26 AM
    Subject: Invoice from
    I have made the changes need and the site is now mobile ready . Invoice is attached


In this case the attachment is called Invoice-83230.xls which is currently undetected* by AV vendors. It contains this malicious macro... which downloads a component from the following location (although there are probably more than this):
http ://925balibeads .com/94/053.exe
This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57**. Automated analysis tools... show the malware phoning home to:
78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, Russia)
89.28.83.228 (StarNet SRL, Moldova)
The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57***.
Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228

MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995 "
* https://www.virustot...sis/1428998998/

** https://www.virustot...sis/1428998395/

*** https://www.virustot...sis/1428999812/

- http://myonlinesecur...dsheet-malware/
14 Apr 2015
> https://www.virustot...sis/1428997086/
___

Fake 'Account reconcilation' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
14 Apr 2015 - "'Account reconcilation statement' from [random company] [random characters] – coming from random names and email addresses with a zip file attachment that extracts to a malicious word doc and an image of a sales chart is another one from the current bot runs...

Screenshot: http://myonlinesecur...om_version1.png

... Where you can see the name of the alleged sender matches the name in the body of the email and the random characters in the subject match the attachment zip name. Once you extract the content of the zip you get a folder on the computer that is simply named as a number (2 or 8 or 9 etc.). Opening the folder gives you a malicious word doc and an image of a sales chart like one of these, that are intended to help convince you of the genuine nature of the word doc and entice you to open it and get infected:
> http://myonlinesecur...tion-images.jpg
...
> http://myonlinesecur...isual-graph.jpg
...
> http://myonlinesecur...4/sales-cmp.jpg
... 4 April 2015 : documentation.doc / vs74_stats.doc / cmp static.doc
Current Virus total detections: 0/56* | 0/56** | 0/56*** . So far I have examined 3 different versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429005163/

** https://www.virustot...sis/1429005436/

*** https://www.virustot...sis/1429005436/
___

Fake 'HM Revenue' SPAM - doc/xls malware
- http://myonlinesecur...ke-pdf-malware/
14 Apr 2015 - "'CIS Online submission received by HM Revenue and Customs' pretending to come from helpdesk@ ir-efile .gov .uk with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...and-Customs.png

14 April 2015: Returns_Report.zip: Extracts to:  Returns_Report.exe
Current Virus total detections: 5/57* . This 'CIS Online submission received by HM Revenue and Customs' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...."
* https://www.virustot...sis/1429017381/
___

Fake 'Credit Release' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Apr 2015 - "'RE: Credit Release Request' pretending to come from Bank <tim.redmon@ hsbc .com> (random names @ hsbc .com) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ase-Request.png

14 April 2015: banP_.zip: Extracts to:   banк.exe
Current Virus total detections: 6/57* . This RE: Credit Release Request is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429017978/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustot...24/information/
90.84.60.97: https://www.virustot...97/information/
5.141.22.43: https://www.virustot...43/information/
___

Fake 'Auto Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
14 Apr 2015 - "'INVOICE BI653133' pretending to come from websales(random number)@autonetplus .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Account: 1164
    From: DORSET AUTO SPARES BLANDFORD
    The following are attached to this email:
    IBI653133.XLS


14 April 2015 : IBI653133.XLS
Current Virus total detections: 0/56* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429017301/
___

CoinVault ransomware: Retrieve data without paying the criminals
- http://net-security....ews.php?id=3017
14.04.2015 - "Victims of the CoinVault ransomware have a chance to retrieve their data -without-  having to pay the criminals, thanks to a repository of decryption keys and a -decryption- application made available online by Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Netherlands’ police:
> https://noransom.kaspersky.com/
CoinVault ransomware has been around for a while, encrypting victims’ files and demanding Bitcoins to unlock them. In order to help victims recover from an attack, the NHTCU and the Netherlands’ National Prosecutors Office obtained a database from a CoinVault command & control server. This server contained Initialization Vectors (IVs), Keys and private Bitcoin wallets and helped to create the special repository of decryption keys. As the investigation is ongoing, new keys will be added when available. “We have uploaded a huge number of keys onto the site. If we do not currently have records for a particular Bitcoin wallet, you can check again in the near future, because together with the National High Tech Crime Unit of the Netherlands’ police we are continuously updating the information,” - says Jornt van der Wiel, Security Researcher at Kaspersky Lab. CoinVault has infected more than 1,000 Windows-based machines in over 20 countries, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Victims have also been registered in Belgium, Austria, Switzerland, Norway, Sweden, Luxemburg, Denmark, Slovakia, Slovenia, Spain, Italy, Hungary, Ireland, Croatia, Russia, Canada, Israel, the United Arab Emirates, China, Indonesia, Thailand, South Africa, Australia, New Zealand, Panama, the Dominican Republic, and Mexico."
___

Fake 'USPS' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Apr 2015 - "'USPS – Fail to deliver your package' pretending to come from USPS <no-reply@ usps .gov> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...our-package.png

14 April 2015: USPS2335999.zip: Extracts to: USPS04142015.scr
Current Virus total detections: 7/55* . This 'USPS – Fail to deliver your package' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429034017/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustot...24/information/
90.84.60.64: https://www.virustot...64/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 14 April 2015 - 02:33 PM.

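The dynamoo write-up quoted in this post ends with a "Recommended blocklist" of the Dridex call-back addresses. As an added example (not code from the forum thread or from dynamoo's blog), the script below shows the defender's side of that list: it takes outbound-connection log lines, parses them defensively, and reports every line whose destination falls in the blocklist. The blocklist values are the ones quoted above; the key=value log format and the sample lines are constructed for illustration, and the matcher accepts CIDR ranges as well as single addresses so the same code serves a list that later grows into ranges.

```python
"""Match outbound-connection log lines against an IP blocklist.

Added example: not code from the forum thread or from dynamoo's blog.
The blocklist entries are the ones quoted in the post; the log lines and
their key=value format are constructed for illustration.
"""
import ipaddress
import re

# "Recommended blocklist" from the quoted dynamoo post (values from the page).
BLOCKLIST = [
    "78.24.218.186", "184.25.56.188", "176.67.160.187", "87.236.215.151",
    "154.69.104.137", "107.191.46.222", "94.23.171.198", "74.119.194.18",
    "37.140.199.100", "89.28.83.228",
]

# Constructed sample lines in a simple key=value firewall format (assumption).
SAMPLE_LOG = """\
2015-04-14T10:01:22 action=allow src=10.0.0.5 dst=78.24.218.186 dport=443 proto=tcp
2015-04-14T10:01:23 action=allow src=10.0.0.5 dst=93.184.216.34 dport=80 proto=tcp
2015-04-14T10:02:07 action=allow src=10.0.0.9 dst=37.140.199.100 dport=8080 proto=tcp
2015-04-14T10:02:09 action=allow src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp
2015-04-14T10:03:41 action=allow src=10.0.0.5 dst=89.28.83.228 dport=443 proto=tcp
malformed line without fields
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def compile_blocklist(entries):
    """Accept plain IPs or CIDR strings; return ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields if "dst" in fields else None


def match_log(lines, networks):
    """Return (timestamp, src, dst, dport) for every line whose dst is listed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # dst field present but not an address
        if any(dst in net for net in networks):
            hits.append((rec["ts"], rec.get("src"), rec["dst"], rec.get("dport")))
    return hits


if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST)
    for hit in match_log(SAMPLE_LOG.splitlines(), nets):
        print("BLOCKLIST HIT", hit)
```

Matching at the log level complements the block itself: a firewall rule stops the traffic, while the matcher tells you which internal host tried, which is the machine that opened the macro and needs cleaning.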


#1442 AplusWebMaster


Posted 15 April 2015 - 08:00 AM

FYI...

Fake 'Invoice' SPAM - doc/xls malware
- http://blog.dynamoo....ving-water.html
15 Apr 2015 - "This -fake- invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.

    From: Natalie [mailto:accounts@living-water.co.uk]
    Sent: Wednesday, April 15, 2015 9:43 AM
    Subject: Invoice from Living Water
    Dear Customer  :
    Your invoice is attached.  Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Living Water
    0203 139 9051


In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55*. This contains a malicious macro... which downloads a file from the following location:
http ://adlitipcenaze .com/353/654.exe
There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currently has a detection rate of 6/57**. Automated analysis tools... show attempted connections to the following IPs:
89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)
According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57***.
Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100

MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328
* https://www.virustot...sis/1429086775/

** https://www.virustot...sis/1429086792/

*** https://www.virustot...sis/1429088210/


- http://myonlinesecur...dsheet-malware/
15 Apr 2015
> https://www.virustot...sis/1429086260/
___

Fake 'info' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Apr 2015 - "'RE: info' pretending to come from user <michael@ mwrk .co .za> with a zip attachment is another one from the current bot runs... The email looks like:

    Always choose a reliable partner.
    We are those who can offer the best financial proposal to you.
    We can find the best solution to solve your specific problem.
    Details see the attachment.


15 April 2015: New doc(43).zip : Extracts to: partner.exe
Current Virus total detections: 2/57* . This 'RE: info' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429093267/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustot...24/information/
88.221.15.80: https://www.virustot...80/information/
5.141.22.43: https://www.virustot...43/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 15 April 2015 - 10:58 AM.



#1443 AplusWebMaster


Posted 16 April 2015 - 06:59 AM

FYI...

Fake 'Receipt' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Apr 2015 - "'RECEIPT' pretending to come from Carmen Rodriguez <crodriguez@ hswcorp .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Thank you for your business.
     Carmen Rodriguez
    Administrative Assistant


16 April 2015 : 58173841.doc | Current Virus total detections: 3/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustot...sis/1429173650/
___

Fake ACH SPAM - Malware
- http://blog.dynamoo....tification.html
16 Apr 2015 - "This -fake- ACH spam leads to malware:
    From:    aileen.alberts@ [redacted]
    Date:    16 April 2015 at 15:55
    Subject:    Decisive notification about your Automated Clearing House payment
    The Automated Clearing House transaction transfer, recently initiated from your company"s online bank account, has been rejected by the EPA.
    Rejected ACH payment
    Automated Clearing House transfer Case #     L669461617
    Transaction Total     27504.02 US Dollars
    Email     [redacted]
    Reason of Termination     Download full details
    Please visit the link provided at the top to see more information about this problem.


The link in the email goes to a download location at dropbox .com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro... it is rather different from other offerings. From what I can tell, it downloads an encrypted file... from:
sundsvallsrk .nu/tmp/1623782.txt -or-
hpg .se/tmp/1623782.txt
And some sort of executable from Dropbox with a detection rate of 3/57*. Automated analysis tools are inconclusive at the moment... although the Payload Security report[1] does show several dropped files including two malicious scripts... Of note is that one of the scripts downloads what looks like a PNG from:
savepic .su/5540444.png
For now, I would recommend blocking traffic to
sundsvallsrk .nu
hpg .se
savepic .su
"

[1] https://www.hybrid-a...environmentId=2

* https://www.virustot...sis/1429197445/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'IRS tax refund' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Apr 2015 - "'Payment confirmation for tax refund request # 3098-2344342' pretending to come from Internal Revenue Service <office@ irs .gov> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...und-request.png
"... Payment method : Wire transfer..."

16 April 2015 : confimation_3098-2344342.doc - Current Virus total detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429207628/

- http://www.irs.gov/t...pics/tc152.html
"There are -three- options for receiving your federal individual income tax refund:
- The fastest way is by direct deposit (electronic funds transfer) into your checking or savings account, including an individual retirement arrangement (IRA);
- By purchase of U.S. Series I Savings Bonds; or
- By paper check sent to the address listed on your return..."
... 'Wire Transfer' is -not- an option.
___

SCAM lures Facebook Users with “Hot Video”, Drops Trojan
- https://blog.malware...o-drops-trojan/
Apr 16, 2015 - "... as more and more users are creating, sharing, and viewing videos on Facebook now more than ever, we can also expect online criminals to jump in on the bandwagon and attempt to get some of the attention, too... if you see an interesting post on your feed carrying a link to a supposed video that, once visited looks similar to the screenshot below, know that you’re no longer on Facebook but on an imitation page located at http ://storage [dot]googleapis[dot]com/yvideos/video2[dot]html:
> https://blog.malware.../fake-fb-yt.png
The individual or group behind this scam has abused Google’s free online file storage service to house the HTML page that has mimicked Facebook’s interface. This method has been a long-time practice of phishers who use free such services like Dropbox and Google Drive in their campaigns. Once you hit the Play button, an error message appears on top, saying that Flash Player is required to view the video. A file named youtube.scr is downloaded instead:
> https://blog.malware...ke-fb-yt-dl.png
... This file lacks the sophistication to detect virtual environments, so one can easily test it against any free, online sandbox—in this case, I used this one from Payload Security — to see how badly it behaves on a system once executed. Malwarebytes Anti-Malware (MBAM) detects* youtube.scr as Trojan.Ransom.AHK."
* https://www.virustot...sis/1429127928/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Business Support Giveaway - 419 Scam
- https://blog.malware...eaway-419-scam/
Apr 15 - "... we can’t get too excited, because it’s just a fresh run of a 419 scam which has been in circulation in similar forms for about a year or two:
> https://blog.malware...04/unfound1.jpg
... Not the most watertight of scams when your gameplan is effectively “We’re all about solving global problems and saving the world in times of disaster...” Of course, most recipients probably don’t own a bank or a gold-plated yacht and may well throw reason out the window in favour of hitting the -reply- button. As with all mails of this type, the only thing you’re going to get is some identity fraud, financial loss and the possibility of turning yourself into a money mule. It certainly isn’t worth responding to the senders, so feel free to -delete- it and advise any recipients you know to do the same thing. This is one piece of business support you can definitely do without."
 

:ph34r: :grrr:


Edited by AplusWebMaster, 16 April 2015 - 03:39 PM.



#1444 AplusWebMaster


Posted 17 April 2015 - 06:33 AM

FYI...

 

Fake 'Credit Card Statement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 Apr 2015 - "'Credit Card Statement' pretending to come from Julie Mckenzie <julie38@ swift-cut .co .uk> ( random numbers after Julie) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...d-Statement.png

17 April 2015 : C Swift Credit Card.doc - Current Virus total detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429265218/

- http://blog.dynamoo....e-mckenzie.html
17 Apr 2015
"... Attached is a file C Swift Credit Card.doc which comes in at least -four- different versions, all of which are malicious and all of which have a macro... These macros download a file from one of the following locations:
http ://oolagives .com/24/733.exe
http ://derekthedp .com/24/733.exe
http ://sempersleep .com/24/733.exe
This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54* (identified clearly as a Dridex component). Automated analysis... shows that it attempts to communicate with:
46.36.219.32 (FastVPS, Estonia)
I recommend that you -block- traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53**."
* https://www.virustot...sis/1429294915/
... Behavioural information
TCP connections
46.36.219.32: https://www.virustot...32/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

** https://www.virustot...sis/1429295949/
___

Fake 'Conference' SCAM
- http://blog.dynamoo....ays-summit.html
17 Apr 2015 - "This spam email forms part of a Conference Scam*:
* http://www.theatlant...r-visas/280445/

    From:    United Nations Summit [no_replytoold@ live .com]
    Reply-To:    unitednation .unt@gmail .com
    Date:    16 April 2015 at 17:59
    Subject:    Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),
    Dear Invitee, Nonprofit/NGO Colleague,
    UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.
    Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.
    The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel...


...  Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." There is -no- hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel.. and will then -vanish- with your money. There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a -fake- hotel website to make the scam more credible.
Avoid."
___

Flash EK strikes again via Google’s DoubleClick
- https://blog.malware...es-doubleclick/
Apr 16, 2015 - "A few days ago, we blogged about a -malvertising- attack on the HuffingtonPost website* via a major ad network which took advantage of a vulnerability in Flash Player... another major attack was also being carried on around the same time, most likely by the same gang. Working with ClarityAd, we quickly confirmed the malicious activity around 04/11 which showed a well-known ad network (merchenta) with direct ties to Google’s DoubleClick being caught in a large malvertising incident. The latest malvertising attack was carried through merchenta, a company that provides a platform for ad exchange and direct integrations with top publishers. They boast a 28 -billion- monthly impressions for the US alone and work directly with top tier ad networks such as Google’s DoubleClick. The criminals posed as an advertiser, infiltrated the platform via a third party and managed to house a malicious advert directly on merchanta’s ad platform which was fed into Google’s DoubleClick channels. Within minutes, the booby trapped ad had a 95% reach in USA, Europe & UK exposing a huge number of people worldwide:
> https://blog.malware...4/merchenta.png
Although DoubleClick is 'not directly responsible' for loading the malicious ad, it starts the chain of trust with the publisher, which unfortunately has little control over the subsequent transactions taking place:
> https://blog.malware.../04/newflow.png
... this malicious SWF had -zero- detection on VirusTotal** when it was first submitted... All ad networks have been informed, but the attack did last for a few days most likely infecting a significant number of people. This latest example is yet another reminder of one of the big weaknesses with online advertising. Ad networks rely on third parties and the chain of trust can easily be broken when -one- rogue actor joins in... These crooks essentially pose as working for a fortune 500 company and submit a clean advert. The ad network is very interested because that will be a big customer and so they make sure to accommodate the client as much as they can. The advert still goes through quality assurance and security tests before finally getting ready for prime time. Right before that happens, the rogue advertiser sends a -new- version of the ad (with only a minor change they claim) and the ad network, not wanting to lose a client, skips the checks that were already done. It turns out that the new version of the ad is -malicious- and yet has -full- clearance to be displayed via major networks. This is just one of the many tricks rogue advertisers will use to insert themselves in the chain..."
* https://blog.malware...all-ransomware/
Apr 13, 2015

** https://www.virustot...sis/1429069586/
File name: merchenta-flash-malware.swf
Detection ratio: 0/57
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 17 April 2015 - 10:08 PM.

