Jump to content


SPAM frauds, fakes, and other MALWARE deliveries...

  • Please log in to reply
1450 replies to this topic

#1451 AplusWebMaster



  • SWI Friend
  • PipPipPipPipPip
  • 9,532 posts

Posted Today, 03:29 AM


Fake 'Privacy Policy' SPAM – malware
- http://myonlinesecur...butors-malware/
28 April 2015 - "An email in garbled English about a database of contributors and their Privacy Policy with a subject of 'RE: Hello' pretending to come from Chanda <faucibus.id@ aliquet .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear user! We consider a database of contributors and we found that we have signed with you our “Privacy Policy” and that we have an updated CV. We will be audited in the near future, and we need to update the record. For this reason, is attached to this e-mail confidentiality agreement that we pray thee firm and return them by email or fax as soon as possible. We also need you, please send us your resume updated for inclusion in the database. If you have any questions, please contact me.
    With great respect !

28 April 2015: Privacy Policy.zip: Extracts to: Privacy Policy.doc.scr
Current Virus total detections: 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will pretend to be a word doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430201347/
... Behavioural information
UDP communications https://www.virustot...68/information/

Fake 'INVOICE PD' SPAM - malicious attachment
- http://blog.dynamoo....-will-comm.html
28 April 2015 - "This malicious spam does not come from Will Communications but is instead a simple -forgery- with a malicious attachment.
    From:    richard will [contactwill@ hotmail .com]
    Date:    28 April 2015 at 09:05
    Subject:    INVOICE PD Will Comm
    Thank-you for your payment!
    Richard Will
    Will Communications, Inc.
    richard@ willcommunications .com

The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56* and it contains this malicious macro... In this case, the macro downloads a component from:
http ://massachusettsselfstorage .com/62/927.exe
..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53**. There may well be other documents that download from -other- locations, but the binary will be the same in all cases. Automated analysis tools... show that it attempts to communicate with the following IP: (RuWeb CJSC, Russia)
According the the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56***."
* https://www.virustot...sis/1430209748/

** https://www.virustot...sis/1430209765/

*** https://www.virustot...sis/1430210575/

massachusettsselfstorage .com: https://www.virustot...29/information/

- http://myonlinesecur...dsheet-malware/
28 April 2015 : Orion_PD_INV_12138.doc - Current Virus total detections: 4/54* downloads & executes http ://muebleseviajan .com/62/927.exe ..."
* https://www.virustot...sis/1430207999/

muebleseviajan .com: https://www.virustot...96/information/

Bad Actor using Fiesta exploit kit
- https://isc.sans.edu...l?storyid=19631
2015-04-28 - "... a criminal group using the Fiesta exploit kit (EK) to infect Windows computers... The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain.  I'm calling this group the "BizCN gate actor" because all its gate domains are registered through Chinese registrar www .bizcn .com, and they all reside on a -single- IP address... Earlier this month, the BizCN gate actor changed its gate IP to [3].  We're currently seeing the gate lead to Fiesta EK on Below is a flow chart for the infection chain:
> https://isc.sans.edu...ry-image-01.jpg
... Passive DNS on shows at least 100 domains registered through www .bizcn .com hosted on this IP address. Each domain is paired with a -compromised-  website... Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again. Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes..."
3] http://urlquery.net/...q= https://www.virustot...14/information/ https://www.virustot....9/information/

Fake 'NatWest' SPAM – chm malware
- http://myonlinesecur...43-chm-malware/
28 Apr 2015 - "'NatWest Secure Message' pretending to come from NatWest .co.uk <secure.message@ natwest .com> with a zip attachment that extracts to a malicious chm (windows help file) is another one from the current bot runs... The email looks like:
    You have received a secure message.
    Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.  
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3532.
    First time users – will need to register after opening the attachment...

There is also a separate set of emails being spammed out with the -same- malware attachment with a subject of 'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com>...
Please check attached file(s) for your latest account documents regarding your online account.
Russel Whitlock
Level III Account Management Officer
817-267-1542 office
817-573-8940 cell
Russel.Whitlock@ jpmorgan .com
Investments in securities and insurance products are:
2015 JPMorgan Chase & Co...

All of these use random names at the relevant banks...
Update: there is a second set of these being spammed out with a plain chm attachment that is -not-  inside a zip. Outlook (and some other email clients) block chm files by default so you will be protected from automatically opening or running this.
Todays Date: SecureMessage.zip: Extracts to: SecureMessage.chm
Current Virus total detections: 1/53* . The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430217439/

Fake 'BACS payment' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 Apr 2015 - "An email saying 'Please find downloaded notification of your BACS payment from Essex County Council' with a subject of 'Hello (your email address)' pretending to come from sales with a  zip attachment is another one from the current bot runs... The email looks like:
    Please find downloaded notification of your BACS payment from Essex County Council.  
    If you require further information please refer to the contact details in the attached document.
    BACS Remittance Advice generated automatically by 2e2 on behalf of Essex County Council.
    Paramat 60
    85 rue des jacobins
    60740 Saint maximin
    Tel :

28 April 2015: Random Attachment zip name: Extracts to: INVOICE.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430219199/
... Behavioural information
TCP connections https://www.virustot...45/information/ https://www.virustot...65/information/ https://www.virustot...42/information/
UDP communications https://www.virustot...44/information/

Fake 'Email Locked' SPAM - contains trojan
- http://blog.mxlab.eu...ontains-trojan/
Apr 28, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “[Issue 243061763D7F320] Account #735811402519 Temporarily Locked”. Different spoofed addresses are used a from email address and with each email, the content and the attached trojan is -different- to avoid detection by virus engines. Some examples:
    Dear user,
    We detect unauthorized Login Attempts to your ID #735811402519 from other IP Address.
    Please re-confirm your identity. See attached docs for full information.
    Evie Maccarter
    King Yvonne M Dr
    70 Exhibition Street, Kentville, NS B4N 4K9

The attached file 735811402519.zip contains the 102 kB large file 735811402519.scr. The trojan is known as UDS:DangerousObject.Multi.Generic, Heur.I or Trojan.Win32.Qudamah.Gen.3. At the time of writing, 3 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1430215524/

:ph34r:  :grrr:

Edited by AplusWebMaster, Today, 09:49 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

7 user(s) are reading this topic

0 members, 5 guests, 0 anonymous users

    Magpie (2)
Member of ASAP and UNITE
Support SpywareInfo Forum - click the button