With great respect!
Current Virus total detections: 6/56* . This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will pretend to be a Word doc instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
... Behavioural information
Fake 'INVOICE PD' SPAM - malicious attachment
28 April 2015 - "This malicious spam does not come from Will Communications but is instead a simple -forgery- with a malicious attachment.
From: richard will [contactwill@ hotmail .com]
Date: 28 April 2015 at 09:05
Subject: INVOICE PD Will Comm
Thank-you for your payment!
Will Communications, Inc.
richard@ willcommunications .com
The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56* and it contains this malicious macro... In this case, the macro downloads a component from:
http ://massachusettsselfstorage .com/62/927.exe
..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53**. There may well be other documents that download from -other- locations, but the binary will be the same in all cases. Automated analysis tools... show that it attempts to communicate with the following IP:
18.104.22.168 (RuWeb CJSC, Russia)
According to the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56***."
massachusettsselfstorage .com: 22.214.171.124: https://www.virustot...29/information/
28 April 2015 : Orion_PD_INV_12138.doc - Current Virus total detections: 4/54* downloads & executes http ://muebleseviajan .com/62/927.exe ..."
muebleseviajan .com: 126.96.36.199: https://www.virustot...96/information/
Bad Actor using Fiesta exploit kit
2015-04-28 - "... a criminal group using the Fiesta exploit kit (EK) to infect Windows computers... The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain. I'm calling this group the "BizCN gate actor" because all its gate domains are registered through Chinese registrar www .bizcn .com, and they all reside on a -single- IP address... Earlier this month, the BizCN gate actor changed its gate IP to 188.8.131.52 . We're currently seeing the gate lead to Fiesta EK on 184.108.40.206. Below is a flow chart for the infection chain:
... Passive DNS on 220.127.116.11 shows at least 100 domains registered through www .bizcn .com hosted on this IP address. Each domain is paired with a -compromised- website... Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again. Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes..."
Fake 'NatWest' SPAM – chm malware
28 Apr 2015 - "'NatWest Secure Message' pretending to come from NatWest .co.uk <secure.message@ natwest .com> with a zip attachment that extracts to a malicious chm (windows help file) is another one from the current bot runs... The email looks like:
You have received a secure message.
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3532.
First time users – will need to register after opening the attachment...
There is also a separate set of emails being spammed out with the -same- malware attachment with a subject of 'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com>...
Please check attached file(s) for your latest account documents regarding your online account.
Level III Account Management Officer
Russel.Whitlock@ jpmorgan .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
2015 JPMorgan Chase & Co...
All of these use random names at the relevant banks...
Update: there is a second set of these being spammed out with a plain chm attachment that is -not- inside a zip. Outlook (and some other email clients) block chm files by default so you will be protected from automatically opening or running this.
Today's Date: SecureMessage.zip: Extracts to: SecureMessage.chm
Current Virus total detections: 1/53* . The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
Fake 'BACS payment' SPAM – PDF malware
28 Apr 2015 - "An email saying 'Please find downloaded notification of your BACS payment from Essex County Council' with a subject of 'Hello (your email address)' pretending to come from sales with a zip attachment is another one from the current bot runs... The email looks like:
Please find downloaded notification of your BACS payment from Essex County Council.
If you require further information please refer to the contact details in the attached document.
BACS Remittance Advice generated automatically by 2e2 on behalf of Essex County Council.
85 rue des jacobins
60740 Saint maximin
Tel : 03.44.66.03.47
28 April 2015: Random Attachment zip name: Extracts to: INVOICE.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
... Behavioural information
Fake 'Email Locked' SPAM - contains trojan
Apr 28, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “[Issue 243061763D7F320] Account #735811402519 Temporarily Locked”. Different spoofed addresses are used as the from email address, and with each email the content and the attached trojan is -different- to avoid detection by virus engines. Some examples:
We detect unauthorized Login Attempts to your ID #735811402519 from other IP Address.
Please re-confirm your identity. See attached docs for full information.
King Yvonne M Dr
70 Exhibition Street, Kentville, NS B4N 4K9
The attached file 735811402519.zip contains the 102 kB large file 735811402519.scr. The trojan is known as UDS:DangerousObject.Multi.Generic, Heur.I or Trojan.Win32.Qudamah.Gen.3. At the time of writing, 3 of the 57 AV engines did detect the trojan at Virus Total*..."
Edited by AplusWebMaster, Today, 09:49 AM.
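The runs quoted above share one delivery pattern: a zip attachment whose member is really an executable or active file (INVOICE.exe with a PDF icon, SecureMessage.chm, 735811402519.scr), relying on Windows hiding known extensions. The script below is an added illustration of mail-gateway side triage for that pattern; it is not code from any of the quoted reports or from the poster. The archives it inspects are constructed in memory with placeholder bytes, the extension lists are assumptions chosen for this example, and the double-extension and padding-space checks go slightly beyond the specific cases in the reports.

```python
"""Triage of e-mail zip attachments for the disguised-executable pattern
described in the quoted reports. Added illustration, not code from any of
the quoted sources; sample archives are constructed in memory."""
import io
import posixpath
import zipfile

# Extensions Windows will execute, or that carry active content when opened.
# .chm is included because the NatWest / JP Morgan runs used compiled help files.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".chm", ".hta", ".ps1"}
# Extensions a lure typically imitates in a double-extension name (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}


def classify_member(name):
    """Return the reasons a zip member name looks like a disguised executable."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    reasons = []
    if len(parts) < 2:
        return reasons                      # no extension at all
    final_ext = "." + parts[-1]
    if final_ext in EXEC_EXTENSIONS:
        reasons.append("executable extension " + final_ext)
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension hides " + final_ext
                           + " behind ." + parts[-2])
    # Runs of spaces before the real extension push it out of view in Explorer.
    if "  " in base:
        reasons.append("padding spaces before extension")
    return reasons


def triage_zip(data):
    """Inspect raw zip bytes; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample(members):
    """Construct a zip in memory from {name: bytes} (placeholder data, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples mirroring the attachment names in the reports.
SAMPLES = {
    "bacs_payment.zip": build_sample({"INVOICE.exe": b"MZ placeholder"}),
    "SecureMessage.zip": build_sample({"SecureMessage.chm": b"ITSF placeholder"}),
    "735811402519.zip": build_sample({"735811402519.scr": b"MZ placeholder"}),
    "double_ext.zip": build_sample({"Remittance.pdf.exe": b"MZ placeholder"}),
    "benign.zip": build_sample({"report.pdf": b"%PDF-1.4 placeholder"}),
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample; archives with no findings map to {}."""
    return {name: triage_zip(data) for name, data in samples.items()}


if __name__ == "__main__":
    for archive, findings in triage_all().items():
        verdict = "SUSPICIOUS" if findings else "ok"
        print(f"{archive}: {verdict} {findings}")
```

Matching on the member name rather than the icon is the point: the icon is attacker-controlled, the final extension is not. In a real gateway the same check would run on the decoded MIME part before the user's client ever sees it, so a `.chm` that Outlook would block and an `.exe` that Explorer would disguise are caught at the same place.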