SPAM frauds, fakes, and other MALWARE deliveries...


1528 replies to this topic

#1501 AplusWebMaster

  • SWI Friend
  • 9,733 posts

Posted 13 July 2015 - 11:26 AM

FYI...

Fake 'Criminal prosecution' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 July 2015 - "The latest email being sent by the criminal gangs trying to infect you with an Upatre downloader tries to convince you that you are being investigated by the police for a Criminal offence prosecution. Don’t open the attachment - it will infect you. The email looks like:
     It has been detected that via Your e-mail account are being mailed materials including discriminatory propaganda.
    Please note that mentioned actions are to be qualified as criminal offence forbidden by legislation.
    Police will conduct according investigation as a result of which You   to five years.
    If You had not mailed mentioned materials as sson as possible execute enclosed declaration and forward the scan-copy


13 July 2015: statement_to_be_filed.zip : Extracts to: statement_to_be_executed.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1436803275/
 



This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
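The post above relies on "show known file extensions" so a human can see that statement_to_be_executed.scr is not a PDF. The same check can be done mechanically on the mail gateway. The following Python script is an added example for this thread, not code from the forum post or from the myonlinesecurity write-up it quotes: it opens a ZIP attachment, ignores icons and display names, and flags members by their real extension, by document-then-executable double extensions, and by the PE "MZ" magic bytes. The sample archive is constructed inline so the script runs offline; the extension lists are my own choice and should be extended to match local policy.

```python
"""Triage a ZIP e-mail attachment for disguised executables.

Added example for this thread; not code from the quoted blogs. The Upatre
lures above ship a .scr (a PE executable) carrying a PDF icon inside a ZIP.
Windows hides known extensions by default, so 'statement.scr' displays as
'statement' with a PDF icon. This script ignores icons and names and checks
(1) the real extension and (2) the file's magic bytes.
The sample archive is constructed inline so the script runs offline.
"""
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows executes or runs as a script on double-click (my list, extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "msi", "lnk"}
# Extensions a lure typically impersonates, as in 'invoice.pdf.scr'.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MZ = b"MZ"  # first two bytes of every PE/DOS executable


@dataclass
class Finding:
    name: str
    reasons: list


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a ZIP member looks like a disguised executable."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")  # strip any folder prefix
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    if head.startswith(MZ) and ext not in {"exe", "dll"}:
        reasons.append("PE header (MZ) under a non-.exe name")
    return reasons


def triage_zip(data: bytes) -> list:
    """Scan every member of a ZIP (given as bytes) and list the suspicious ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: two fake 'PDFs' that are really PE stubs, plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Minimal DOS-header prefix: enough for the MZ check, not a runnable program.
        zf.writestr("statement_to_be_executed.scr", MZ + b"\x90" * 62)
        zf.writestr("figures.pdf.scr", MZ + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f.name}: {'; '.join(f.reasons)}")
```

Run it as-is to see the two .scr members flagged; wire `triage_zip` into a gateway hook to quarantine any ZIP with a non-empty result. A name check alone misses a renamed payload and a magic-byte check alone misses script droppers, so the function reports both.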


#1502 AplusWebMaster


Posted 14 July 2015 - 03:49 PM

FYI...

IE 0-day added to mix...
- http://blog.trendmic...y-added-to-mix/
July 14, 2015 - "... -another- vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065*. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability..."
* https://technet.micr...curity/MS15-065
July 14, 2015

> https://support.micr...n-us/kb/3065822
Last Review: 07/14/2015 - Rev: 1.0
Applies to:
    Internet Explorer 11
    Internet Explorer 10
    Windows Internet Explorer 9
    Windows Internet Explorer 8
    Windows Internet Explorer 7
    Microsoft Internet Explorer 6.0

> https://web.nvd.nist...d=CVE-2015-2425
Last revised: 07/14/2015
 



Edited by AplusWebMaster, 15 July 2015 - 06:49 AM.



#1503 AplusWebMaster


Posted 16 July 2015 - 08:55 AM

FYI...

Fake 'Perfect job' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 July 2015 - "An email with subjects like 'Perfect achievement !  / Perfect job !  / Great work !' coming from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Congratulations ! You will take a 30% rake-off for the latest selling. Please overlook the attached documents to know the entire sum you’ve received.
    Every day you demonstrate that you are the superior strength of our crew in the market. I am elate and appreciative to get such a capable and experienced subordinate. Keep up the good achievements.
    With the best regards.
    Michelle Silva General manager

-Or-
    Congratulations ! You will receive a 30% commission for the previous disposition. Please check out the enclosed documents to find out the whole amount you’ve won.
    Everyday you prove that you are the major force of our crew in the trading. I am sublime and appreciative to get such a capable and skilled workman. Continue the great job.
    All the best.
    Kathryn Brooks Company management

-Or-
    Congratulations ! You will win a 40% commission for the latest realization. Please overlook the next documentation to get to know the whole amount you’ve won.
    Everyday you demonstrate that you are the major strength of our team in the world of trade. I am sublime and appreciative to have such a capable and proficient subordinate. Proceed the good achievements.
    All the best.
    Sharon Silva General manager

-Or-
    Congratulations ! You will gain a 45% rake-off for the last disposal. Please overlook the following documentation to know the whole amount you’ve won.
    Everyday you convince that you are the best power of our team in the market. I am sublime and beholden to have such a clever and able sub. Continue the perfect job.
    With best wishes.
    Kathryn Pearson General manager


And others with similar wording... If you are unwise enough to try to open the word doc, you will see this message:
> http://myonlinesecur...osition_doc.png
Do -not- follow their suggestions to enable editing  or content, otherwise you will be infected...

16 July 2015: total_sum_from_latest_disposition.doc - Current Virus total detections: 4/55*
... This tries to connect to 2 web sites:
thereis.staging.nodeproduction .com/wp-content/uploads/78672738612836.txt
... which downloads an encrypted text file... and to
www.buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt which gives the web address of http ://midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe. This file is an Upatre downloader for the typical Dyre banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1437049226/

** https://www.virustot...sis/1437046046/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
93.185.4.90: https://www.virustot...90/information/
176.36.251.208: https://www.virustot...08/information/
88.221.14.249: https://www.virustot...49/information/

nodeproduction .com: 72.10.52.104: https://www.virustot...04/information/

buildingwalls .co.za: 196.220.41.72: https://www.virustot...72/information/

midwestlabradoodles .com: 72.167.131.160: https://www.virustot...60/information/

- http://blog.dynamoo....t-job-good.html
16 July 2015
"... Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction .com
www.buildingwalls .co.za
midwestlabradoodles .com
"
___

Fake 'About your suggestions' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 July 2015 - "'About your suggestions' pretending to come from emaillambflan <emaillambflan@ totalnetwork .it> with a zip attachment is another one from the current bot runs... The email looks like:
    We chatted few hours ago. We have thought about your programs how to perfect our work and financial profit. Your suggestions seem extremely inspiring and we undoubtedly want such a genius like you. We consider your plans are feasible and would like to implement them. Attached are our progression charts and processes directory. Please look through them and if you will have some questions ask about it. Also make a succinct plan thus we will confer about the elements of every step./r/n We are waiting for your reply soon !

16 July 2015: figures_and_guide.zip: Extracts to: figures_and_directory.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1437056410/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
109.86.226.85: https://www.virustot...85/information/
23.14.92.65: https://www.virustot...65/information/
___

Sales Commission Spam
- http://threattrack.t...commission-spam
July 16, 2015 - "Subjects Seen
    Good achievement !
Typical e-mail details:
    Congratulations ! You will win a 43% commission for the last sale. Please see the next documents to get to know the whole sum you’ve obtained.
    Daily you prove that you are the best power of our team in the world of commerce. I am proud and grateful to get such a gifted and experienced worker. Go on the excelent job.
    With best wishes.
    Kathryn Brooks Director


Screenshot: https://41.media.tum...1r6pupn_500.png

Malicious File Name and MD5:
    amount_from_last_realization.scr (1e314705c1f154d7b848fcc20bfcd5e8)


Tagged: Sales Commission, Upatre
 



Edited by AplusWebMaster, 16 July 2015 - 01:37 PM.



#1504 AplusWebMaster


Posted 17 July 2015 - 08:19 AM

FYI...

Fake 'eFax' SPAM - leads to malware
- http://blog.dynamoo....om-unknown.html
17 July 2015 - "This -fake- fax spam leads to malware:

Screenshot: https://2.bp.blogspo...00/fake-fax.png

Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but -hacked- site at:
breedandco .com/fileshare/FAX-1400166434-707348006719-154.zip
The ZIP file has a detection rate of 6/55* and it contains a malicious executable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55**. Automated analysis... shows a characteristic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
93.185.4.90 :12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90 :12325/ETK7//41/5/1/GKBIMBFDBEEE
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip .dyndns .org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55***] and vastuvut.exe [VT 6/55****].
Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106
"
* https://www.virustot...sis/1437133169/

** https://www.virustot...sis/1437133178/

*** https://www.virustot...sis/1437135014/

**** https://www.virustot...sis/1437135026/
___

Fake 'You've earned it' SPAM - malware
- http://blog.dynamoo....d-it-youve.html
17 July 2015 - "This is another randomly-generated round of malware spam, following on from this one[1].
1] http://blog.dynamoo....t-job-good.html

     Date:    16 July 2015 at 12:53
    Subject:    Excelent job !
    Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
    Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
    All the best.
    Michelle Curtis Company management
    ---------------------
    Date:    16 July 2015 at 11:53
    Subject:    Good achievement !
    Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
    Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
    With the best regards.
    Sharon Silva Company management
...

Attached is a malicious Word document which in the two samples I saw was called
total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc
Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55*. Inside the document is this malicious macro... which according to Hybrid Analysis downloads several components (scripts and batch files) from:
thereis.staging .nodeproduction .com/wp-content/uploads/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt
These are executed, then a malicious executable is downloaded from:
midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe
This has a VirusTotal detection rate of 8/55** and that report plus other automated analysis tools... phones home to the following malicious URLs:
93.185.4.90 :12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90 :12319/LE2/<MACHINE_NAME>/41/7/4/
That IP belongs to C2NET in the Czech Republic. It also sends non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.
This malware drops the Dyre banking trojan.
Recommended blocklist:
93.185.4.90
thereis .staging.nodeproduction .com
www .buildingwalls .co.za
midwestlabradoodles .com

* https://www.virustot...sis/1437053265/

** https://www.virustot...sis/1437054039/
 



Edited by AplusWebMaster, 17 July 2015 - 11:30 AM.

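The two dynamoo write-ups quoted in this post hand a defender three usable signals: the callback URL shape (a raw IP on a high port with a path like /ETK7//0/51-SP3/0/GKBIMBFDBEEE or /LE2/&lt;MACHINE_NAME&gt;/41/7/4/), the recommended IP blocklist, and the fact that the sample first asks checkip.dyndns.org or icanhazip.com for its public address. The script below is an added example for this thread, not code from the forum post or from dynamoo: it runs those checks over web-proxy log lines. The log format ('timestamp client method url'), the sample lines and the callback regex are assumptions of this example; the regex generalises the four paths quoted above rather than matching them literally, so tune it against your own traffic before alerting on it alone.

```python
"""Spot Upatre/Dyre callback traffic in web-proxy logs.

Added example for this thread, not from the dynamoo posts quoted above.
Signals used: the callback URL shape (IP:high-port with a path such as
/ETK7//0/51-SP3/0/GKBIMBFDBEEE or /LE2/<MACHINE_NAME>/41/7/4/), the
recommended blocklist, and the public-IP lookup the sample makes first.
The log format, sample lines and regex are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# A few entries from the recommended blocklist in the post; load the full list in practice.
BLOCKLIST = {"93.185.4.90", "62.204.250.26", "76.84.81.120"}
IP_CHECK_HOSTS = {"checkip.dyndns.org", "icanhazip.com"}
# Generalised from the four callbacks quoted: /<tag>/<machine>/<n>/<os-or-n>/<n>/<id>
UPATRE_PATH = re.compile(r"^/[A-Z0-9]{2,6}/[^/]*/\d+/(?:\d+-SP\d|\d+)/\d+/[A-Z]*$")
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Alert:
    client: str
    url: str
    reasons: list = field(default_factory=list)


def inspect_url(url: str) -> list:
    """Return the reasons a single requested URL looks like Upatre activity."""
    u = urlsplit(url)
    host, port, path = u.hostname or "", u.port, u.path
    reasons = []
    if host in BLOCKLIST:
        reasons.append("destination on blocklist")
    if host in IP_CHECK_HOSTS:
        reasons.append("public-IP lookup service (common first beacon)")
    if UPATRE_PATH.match(path):
        reasons.append("Upatre-style callback path")
    if RAW_IP.match(host) and port not in (None, 80, 443):
        reasons.append(f"raw IP on non-standard port {port}")
    return reasons


def scan_log(lines) -> list:
    """Parse 'timestamp client method url' lines and collect one Alert per hit."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the scan
        client, url = parts[1], parts[3]
        reasons = inspect_url(url)
        if reasons:
            alerts.append(Alert(client, url, reasons))
    return alerts


# Constructed sample log: one infected client (10.0.0.15) and one clean one (10.0.0.22).
SAMPLE_LOG = """\
2015-07-17T09:12:01Z 10.0.0.15 GET http://checkip.dyndns.org/
2015-07-17T09:12:03Z 10.0.0.15 GET http://93.185.4.90:12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE
2015-07-17T09:12:09Z 10.0.0.15 GET http://93.185.4.90:12325/ETK7//41/5/1/GKBIMBFDBEEE
2015-07-17T09:13:00Z 10.0.0.15 GET http://203.0.113.9:12317/LE2/WS-0421/41/7/4/
2015-07-17T09:14:11Z 10.0.0.22 GET http://www.example.com/wp-content/uploads/logo.png
2015-07-17T09:14:12Z 10.0.0.22 GET https://www.example.com/api/v1/0/5/1/ABC
""".splitlines()

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.client} -> {a.url}: {'; '.join(a.reasons)}")
```

The fourth sample line shows why the path shape matters: 203.0.113.9 is not on the blocklist, yet the request is still caught by the callback pattern plus the raw-IP-on-high-port check. The IP-lookup hit on its own is weak evidence (admins use those services too), so treat it as corroboration for the same client within a short window, not as a standalone alert.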


#1505 AplusWebMaster


Posted 27 July 2015 - 06:54 AM

FYI...

Fake 'copy' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 July 2015 - "An email with a subject simply saying 'copy' pretending to come from belinda.taylor@ bssgroup .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email body simply says: copy

27 July 2015 : 13409079779.docm - Current Virus total detections: 4/56*
Downloads Dridex banking malware from:
 terrasses-de-santeny .com/yffd/yfj.exe . Other versions of this downloader will download the -same- Dridex banking malware from alternative locations. So far we have seen
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://terrasses-de-santeny .com/yffd/yfj.exe  
http ://blog.storesplaisance .com/yffd/yfj.exe
http ://telechargement.storesplaisance .com/yffd/yfj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1437987707/

terrasses-de-santeny .com: 94.23.55.169: https://www.virustot...69/information/

madagascar-gambas .com: 'Could not find an IP address for this domain name' (May have been taken-down)

technibaie .net: 94.23.1.145: https://www.virustot...45/information/

storesplaisance .com: 94.23.1.145: FR / 16276 (OVH SAS)
___

Fake 'Order Confirmation' SPAM - malicious attachment
- http://blog.dynamoo....mation-ret.html
27 July 2015 - "This spam does not come from Royal Canin, but is instead a simple -forgery- with a malicious attachment:
    From     "[1NAV PROD RCS] " [donotreply@ royal-canin .fr]
    Date     Mon, 27 Jul 2015 18:49:16 +0700
    Subject     Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715
    Please find attached your Sales Order Confirmation
    Note: This e-mail was sent from a notification only e-mail address that
    cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.


Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55*, which in turn contains a malicious macro... which downloads an executable from one of the following locations (there are probably more):
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://blog.storesplaisance .com/yffd/yfj.exe
This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55**. Automated analysis tools... show that it attempts to phone home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)..."

* https://www.virustot...sis/1437999231/

** https://www.virustot...sis/1437999249/

> http://myonlinesecur...dsheet-malware/
27 July 2015: Order Confirmation RET-396716 230715.xml - Current Virus total detections: 1/56*
... Which downloads an updated version of Dridex banking malware..."
* https://www.virustot...sis/1437997926/
___

Fake 'Loan service' – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 July 2015 - "'New Loan service nearby' with a zip attachment is another one from the current bot runs... Alternative subjects for this malspam run include: 'New Credit service near you'. The email looks like:
    We are happy to inform you that we are founding a affiliate in your vicinity next week. We are credit services firm with more than 15 years practice , and several branches in the region. We give help to individuals and corporations in profiting money for the objective. We provide all the acts , consisting of bringing the money source that sets the lowest percentage and the best conditions of pays , all the paperwork , and etc.
    We are enclosing the invite ticket for the opening celebration and service’s accommodation schedule. Wish to see you on our opening.
    Give us a chance to maintain you!
    Thanks,
    Truly yours,
    Mike Ward General management Info

-Or-
    We are happy to announce you that we are opening a branch in your area soon. We are loan accommodations firm with more than 25 years workmanship, and several offices in the region.
    We provide help to ordinary people and corporations in availing money for the objective.
    We ensure all the actions, consisting of bringing the fiscal source that offers the lowest commissions and the best terms of payment, all the papers, and so on.
    We are applying the engagement card for the opening and organization’s accommodation schedule. Hope to see you on that day.
    Give us a chance to serve you!
    Thanking you,
    Yours truly,
    Mike Ward General management Superior


And the usual other variety of computer bot generated wording that doesn’t quite read as proper English.
27 July 2015: invitation_and_accommodations.zip: Extracts to: call_and_accommodations.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438000007/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
173.248.31.6: https://www.virustot....6/information/
2.18.213.48: https://www.virustot...48/information/
 



Edited by AplusWebMaster, 27 July 2015 - 11:09 AM.



#1506 AplusWebMaster


Posted 28 July 2015 - 06:52 AM

FYI...

Fake 'suspicious account activity' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "'Important Notice: Detecting suspicious account activity' pretending to come from 'Service Center' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Subject: Important Notice: Detecting suspicious account activity
    Date:   Mon, 27 Jul 2015 22:51:16 +0000 (GMT)
    From:   Service Center <redacted >
    Detecting suspicious account activity
    <https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
    The attachment contain steps to secured your account. If you are viewing
    this email on a mobile phone or tablets, please save the document first
    and then open it on your PC.
    Click Here to download attachment.
    <https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
    Thanks,
    Account Service


If you are unwise enough to follow the links then you will end up with a word doc looking like:
> http://myonlinesecur...ctivity_doc.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named Account Details.exe which has an icon of an Excel spreadsheet to fool you into thinking it is innocent and infect you.
28 July 2015 : Email activity.doc Current Virus total detections: 21/55*
... Downloads https ://onedrive.live .com/download?resid=9AC15691E4E70C4D!123&authkey=!AL1jJDlqNUg-vAM&ithint=file%2cexe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438037595/

** https://www.virustot...sis/1438062482/
___

Fake 'Please Find Attached' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "'Please Find Attached – Report form London Heart Centre' pretending to come from lhc.reception@ heart. org.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...eart-Centre.png

28 July 2015: calaidzis, hermione.docm - Current Virus total detections: 9/55*
... Downloads what looks like Dridex banking malware from http ://chloedesign .fr/345/wrw.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438067899/

** https://www.virustot...sis/1438068193/
... Behavioural information
TCP connections
93.171.132.5: https://www.virustot....5/information/
2.18.213.25: https://www.virustot...25/information/

chloedesign .fr: 85.236.156.24: https://www.virustot...24/information/
___

Fake 'Air France' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
28 July 2015 - "'Your Air France boarding documents on 10Jul' pretending to come from Air France <cartedembarquement@ airfrance .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ts-on-10Jul.png

28 July 2015: Boarding-documents.docm - Current Virus total detections: 9/55*
... which downloads Dridex banking malware from http ://laperleblanche .fr/345/wrw.exe which is the -same- malware as in today’s earlier malspam run using malicious word docs with macros**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438071620/

** http://myonlinesecur...rd-doc-malware/

laperleblanche .fr: 94.23.1.145: https://www.virustot...45/information/

- http://blog.dynamoo....e-boarding.html
28 July 2015 - "... -same- exact payload as this earlier attack* today..."
* http://blog.dynamoo....d-attached.html
"... phones home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
I recommend that you -block- that IP. The malware is the Dridex banking trojan..."
___

Fake 'Invoice notice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "A series of emails with subjects of: 'Invoice delivery / Invoice notice / Receipt alert / DHL notice / UPS notification / Invoice information' and numerous -other- similar subjects with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    You had got the bill !
    Delivered at: Tue, 28 Jul 2015 16:15:36 +0500.
    Number of sheets: 0.
    Mailer ID: 3.
    Delivery number: 843.
    Kindly be advised that attached is photo-copy of the 1st page alone.
    We are going to mail the originals to You at the address indicated already.

-Or-
    You have received the bill !
    Received at: Tue, 28 Jul 2015 11:43:15 +0000.
    Amount of sheets: 9.
    Addresser ID: 79187913.
    Delivery order: 6199843296.
    Kindly be advised that attached is scan-copy of the 1st page alone.
    We are going to dispatch the originals to You at the location mentioned earlier.


And multiple similar content. If you are unwise enough to open the attachment then you will end up with a word doc looking like this:
> http://myonlinesecur..._6199843296.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named word.exe which has an icon designed to fool you into thinking it is innocent and infect you. These emails have attachments with names like Invoice_number_6199843296.doc / Order_No._843.doc / Bill_No._95.doc and -multiple- variations of the names and numbers.
28 July 2015 : Invoice_number_6199843296.doc - Current Virus total detections: 7/56*
... goes through a convoluted download procedure giving you http ://bvautumncolorrun .com/wp-content/themes/minamaze/lib/extentions/prettyPhoto/images/78672738612836.txt which is a base64-encoded file that transforms into a password stealer. It also goes to http ://iberianfurniturerental .com/wp-content/plugins/nextgen-gallery/admin/js/Jcrop/css/fafa.txt which automatically downloads http ://umontreal-ca .com/word/word.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438080189/

** https://www.virustot...sis/1438081346/

bvautumncolorrun .com: 184.168.166.1: https://www.virustot....1/information/

iberianfurniturerental .com: 173.201.169.1: https://www.virustot....1/information/

umontreal-ca .com: 89.144.10.200: https://www.virustot...00/information/
___

Fake 'Voice Message' SPAM – wav malware
- http://myonlinesecur...ke-wav-malware/
28 July 2015 - "'Voice Message Attached from 08439801260' pretending to come from voicemessage@ yourvm .co.uk with a wav (sound file) attachment is another one from the current bot runs... The email looks like:

    Time: Jul 28, 2015 3:08:34 PM
    Click attachment to listen to Voice Message


28 July 2015: 08439801260_20150725_150834.wav - Current Virus total detections: 2/55*
... Which downloads Dridex banking malware from laurance-primeurs .fr/345/wrw.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438082138/

laurance-primeurs .fr: 94.23.1.145: https://www.virustot...45/information/
___

Fake 'Incoming Fax' SPAM - malware
- http://blog.dynamoo....ernal-only.html
28 July 2015 - "This -fake- fax message leads to malware:
    From:    Incoming Fax [Incoming.Fax@ victimdomain]
    Date:    18 September 2014 at 08:39
    Subject:    Internal ONLY
    **********Important - Internal ONLY**********
    File Validity: 28/07/2015
    Company : http ://victimdomain
    File Format: Microsoft word
    Legal Copyright: Microsoft
    Original Filename: (#2023171)Renewal Invite Letter sp.doc
    ********** Confidentiality Notice ********** ...
    (#2023171)Renewal Invite Letter sp.exe


Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
http ://umontreal-ca .com/word/word.exe ... This has a VirusTotal detection rate of 2/55*.
umontreal-ca .com (89.144.10.200 / ISP4P, Germany) is a -known- bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
UPDATE: This Hybrid Analysis report shows traffic to the following IPs:
67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)
Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208
"
* https://www.virustot...sis/1438087963/
___

Fake 'cash prizes for shopping' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 July 2015 - "Another set of emails with subjects including 'Get cash prizes for shopping' and 'Get cash payments for purchasing' with a zip attachment is another one from the current bot runs... The email looks like:
    Love purchasing? We have something special for you!
    Do you want to get cash compensations on buys you make in your favorite stores? Just get our debit card to make your purchases, and then you will commence enhancing the rewards. Bear in mind only one rule – the more you use it – the more you receive. So kindly check out the applied info to learn how this offer proceeds and how to open your bank account.
    It was never so pure, fast and so close to your dreams. Don’t lose your time. Join us, keep to us and shopping will give!

-Or-
    Being fond of shopping? We propose something special for you!
    Do you want to get cash rewards on purchases you make in your favorite shops? Just use our debit card to make your purchases, and then you will start increasing the  remunerations. Bear in mind one rule – the more you use it – the more you get. So please read the enclosed documentations to see how it operates and how to open your account.
    It was never so elementary, fast and so close to your dreams. Don’t lose your chance. Join us, stick to us and shopping will pay!


And numerous other similar computer generated text...
28 July 2015: bank_offering_and_card_information.zip: Extracts to: special_offering_and_card_details.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438090452/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
24.33.131.116: https://www.virustot...16/information/
95.100.255.176: https://www.virustot...76/information/
___

Russian Underground - Revamped
- http://blog.trendmic...round-revamped/
July 28, 2015 - "When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices. News and media coverage on significant breaches are increasingly shaping up to becoming an everyday occurrence. 2014 became the “year of the POS breach” for retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first part of 2015 has also seen some major breaches within the consumer industry (Chick-fil-A, RyanAir) but also with health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal—paying with debit/credit card has its inherent risks. But what happens with the compromised data and personal information?... right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places, where they get categorized within databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces in many ways are what forums used to be: a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks similar to online-shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIP code, city, address of the card owner, type of card, etc... several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner, his (corporate) address, zip code, and card number and validity date.
What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of these new search/filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database with addresses and locations and regularly filter the best marketplaces for the most recent outpour of -fresh- credit card leaks... Many corporations allow their employees to use credit cards for business travels but in the event of a card being stolen, the corporation is affected directly. The benefit these cards render for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$ 2,000, it can be a gold mine for cybercriminals. Due to hundreds of transactions that are processed, it’s difficult for the corporate card owner to detect and trace back any suspicious movement..."
> https://www.trendmic...isticated-tools
July 28, 2015
 



Edited by AplusWebMaster, 28 July 2015 - 11:12 AM.



#1507 AplusWebMaster


Posted 29 July 2015 - 07:05 AM

FYI...

Fake 'New mobile banking app' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "Today’s set of Upatre downloaders comes with an email subject of 'New mobile banking application / The latest mobile banking application / Renewed mobile banking app' and a zip attachment, and is another one from the current bot runs... The email looks like:
    Dear patron!
    We would like to introduce you new mobile banking app for our bank patrons. Our mobile banking options help you to enter your bank account safely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial operations. Our application is simple to use and highly safe.
    To learn more about application features and work, please view the enclosed info. Download link is also included.

-Or-
    Dear client!
    We would like to introduce you new mobile banking app for our bank customers. Our mobile banking services help you to access your bank account securely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial procedures. Our application is toiless to use and extremely safe.
    To know more about application details and work, please see the attached information. Download link is also inside.

-Or-
    Dear patron!
    We are glad to present you new mobile banking app for our bank patrons. Our mobile banking accommodations help you to enter your bank account safely any place you want. A quick and simple registration is all you need to begin using mobile banking options. With mobile banking, you can realize most of all bank operations. Our app is toiless to use and very safe.
    To know more about application details and functioning, kindly view the affixed document. Download link is also inside.


 And numerous very similar computer generated versions of the above.
29 July 2015: id697062389app_features.doc.zip: Extracts to:  app_brochure.exe
Current Virus total detections: 0/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438168067/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
176.36.251.208: https://www.virustot...08/information/
95.101.72.123: https://www.virustot...23/information/
___

Fake 'Get our deposit card' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "The latest Upatre downloader to hit the presses is an email with a subject of 'Get our deposit card and receive 067' (varying amounts) pretending to come from jesse_rice, with a zip attachment, and is another one from the current bot runs... The email looks like:
    Deposit card containing many profitable features is new extraordinary proposal of ours.
    One of the great items that will actually intrigue you is the 98 money back pize. When you outlay 300 USD or more within 3,2,5,4,6 months buying by this card, you will earn a 23 award. There is also 5% cash back award function that give you opportunity to take 5% cash back on up to 1500 USD during each three month quarter. It’s not a disposable prize. You will turn on your feature every 3 month quarter without any extra fees! There are a lot of other bonuses that you will have. You can browse them in the applied to learn more about it and find all details. Feel free to to ask if you have any questions.
    We sincerely look forward to your response


29 July 2015: 220317964deposit_card_features_details.zip: Extracts to: card_features_details.exe
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438176115/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.185.4.90: https://www.virustot...90/information/
69.144.171.44: https://www.virustot...44/information/
2.20.143.37: https://www.virustot...37/information/
___

USA TODAY Fantasy Sports... serves Malware
- https://blog.malware...serves-malware/
July 28, 2015 - "... We routinely detect infections coming from forums during our daily crawl of potentially malicious URLs. One of the reasons for this comes from the underlying infrastructure that powers those sites. Indeed, server side pieces of software such as Apache or vBulletin are often abused by cyber criminals who can easily exploit security holes, especially if these applications are not kept up to date. Case in point, the Fantasy Sports discussion forum, part of USA TODAY Sports Digital Properties, was recently redirecting members towards scam sites and even an exploit kit that served malware. The forum statistics show a total of 117,470 threads, 3,348,218 posts and 18,447 members.
> https://blog.malware...15/07/graph.png
...  domain is involved in multiple nefarious activities via -malvertising- such as -fake- Flash Player applications, tech support scams or exploit kits. In some cases, all of the above combined...
> https://blog.malware...07/scampage.png
Nuclear exploit kit: Probably the worst case scenario is to be -redirected- to an exploit kit page and have your computer infected.
> https://blog.malware...7/Fiddler21.png
In this particular instance, we were served the Nuclear EK, although given the URL pattern it would have been very easy to call this one Angler EK. This change was noted by security researcher @kafeine* about a week ago...
* https://twitter.com/...564043345858562
Had the exploit been successful, a piece of malware known as Glupteba (VT link**) would have been dropped and executed. Compromised machines are enrolled into a large botnet that can perform many different malicious tasks... We have notified USA Today about this security incident..."
** https://www.virustot...sis/1437954473/
... Behavioural information
TCP connections
195.22.103.43: https://www.virustot...43/information/
 



Edited by AplusWebMaster, 29 July 2015 - 09:07 AM.

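Every attachment in the post above follows the same pattern: a zip whose name ends in something document-like (".doc.zip", ".pdf.zip") that extracts to an .exe or .scr carrying a PDF icon, so that a user without "show known file extensions" enabled sees what looks like a document. The following is an added example, not code from the post or from myonlinesecurity, of the check a mail gateway can run on such an attachment before a user ever sees it: it looks at the outer file name, at each member's extension chain, and at the member's leading bytes, so that an "MZ" executable cannot hide behind a document extension. The sample zips are constructed in memory from bare PE header stubs and are not the real malware; the extension and magic-byte tables are this example's own assumptions.

```python
import io
import os
import zipfile

# Extensions Windows runs directly on double-click; the lures hide these
# behind a PDF/Word icon. (Assumed list for this example.)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".ps1"}
# Document-looking extensions used as the inner half of a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Leading bytes a file with the claimed extension should actually have.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
}
PE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}


def split_exts(name):
    """'a.pdf.exe' -> ['.pdf', '.exe']; names without a dot give []."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def inspect_member(name, head):
    """Findings for one zip member given its name and its first bytes."""
    findings = []
    exts = split_exts(name)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        findings.append("executable-extension:%s" % final)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        findings.append("double-extension:%s%s" % (exts[-2], final))
    if head.startswith(b"MZ") and final not in PE_EXTS:
        findings.append("pe-with-nonexec-extension")
    expected = MAGIC.get(final)
    if expected is not None and not head.startswith(expected):
        findings.append("magic-mismatch:%s" % final)
    return findings


def inspect_attachment(filename, data):
    """Return {member: [findings]} for a zip attachment. The key
    '<attachment>' carries findings about the outer file name itself."""
    report = {}
    outer = split_exts(filename)
    if len(outer) >= 2 and outer[-1] == ".zip" and outer[-2] in DOCUMENT_EXTS:
        report["<attachment>"] = ["document-looking-zip-name:%s.zip" % outer[-2]]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # enough for every magic value above
            findings = inspect_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not the real attachments: a PE header stub named like
# the lures, a PE behind a double extension, a PE behind a plain .pdf name,
# and a genuine-looking PDF as a control.
SAMPLE_LURE = build_zip({
    "app_brochure.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "card_features.pdf.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,
})
SAMPLE_CLEAN = build_zip({"invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"})

if __name__ == "__main__":
    for name, blob in (("id697062389app_features.doc.zip", SAMPLE_LURE),
                       ("invoice.zip", SAMPLE_CLEAN)):
        print(name, inspect_attachment(name, blob))
```

The magic-byte check is the part that matters: renaming a binary costs the attacker nothing, but the first two bytes of a PE are always "MZ", so a member that claims to be a PDF and starts with "MZ" is flagged regardless of how the name is dressed up. The outer-name check is weaker on its own (plenty of legitimate senders name a zip "report.pdf.zip"), so treat it as a scoring signal rather than a block on its own.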


#1508 AplusWebMaster


Posted 30 July 2015 - 06:35 AM

FYI...

Fake 'settlement failure' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "Today’s first set of Upatre downloaders comes with email subjects that include 'Calculated response settlement failure / Estimated response settlement failure / Estimated response payment default / Calculated invoice payment default' and a zip attachment, and is another one from the current bot runs...

Screenshot: http://myonlinesecur...ent-failure.png

30 July 2015: official_document_copies_id942603754.pdf.zip: Extracts to: public_order_copies.exe
Current Virus total detections: 0/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438249041/
___

Fake 'ADP Payroll' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "'Invoice #[random numbers]' pretending to come from ADP – Payroll Services <payroll.invoices@ adp .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Attached are the latest statements received from your bank.
    Please print this label and fill in the requested information. Once you have filled out
    all the information on the form please send it to payroll.invoices@adp.com.
     For more details please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
     Thank you ,
    Automatic Data Processing, Inc.
    1 ADP Boulevard
    Roseland
    NJ 07068
    © Automatic Data Processing, Inc. (ADP®) . All rights reserved...


30 July 2015: ADP_Invoice _0700613.zip : Extracts to: ADP_Invoice.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438267744/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
178.222.250.35: https://www.virustot...35/information/
2.18.213.56: https://www.virustot...56/information/
___

Fake 'check returned' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "'Your cheque has been returned' pretending to come from jobs-asia with a zip attachment is another one from the current bot runs... The email looks like:
    I enclose a check that has been returned unpaid for occasions shown there.
    We have written off you with the sum.
    If you have any questions, kindly write to us. We’ll endeavor to help you.
    Faithfully,
    Lloyd Bailey
    Service department


30 July 2015: cheque_and_description_i4Aev0CF.zip: Extracts to: cheque_and_explanation.exe

Current Virus total detections: 0/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438267061/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.185.4.90: https://www.virustot...90/information/
67.221.195.6: https://www.virustot....6/information/
2.18.213.24: https://www.virustot...24/information/
___

Fake 'Income tax settlement failure' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "'Income tax settlement failure sent id: [number]' with a zip attachment is another one from the current bot runs... The email looks like:
    In accordance with taxing authority information You have defaulted a term to settle the estimated tax sums.
    Kindly see attached the official order from the revenue service.
    Furthermore please be noted of the fact that additory penalties would be applied unless the debt amounts are not remitted within four working days.
    Regard this reminder as highly important.
    Rebecca Crouch Tax Department


29 July 2015: public_order_scan713432229.zip: Extracts to: official_order_copies.exe
Current Virus total detections: 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438208026/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
87.249.142.189: https://www.virustot...89/information/
88.221.14.145: https://www.virustot...45/information/
 



Edited by AplusWebMaster, 30 July 2015 - 11:42 AM.



#1509 AplusWebMaster


Posted 31 July 2015 - 07:04 AM

FYI..

Fake 'Chess Bill' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
31 July 2015 - "'Your latest Chess Bill Is Ready' pretending to come from  CustomerServices@ chesstelecom .com with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Your bill summary
    Account number: 24583
    Invoice Number: 2398485
    Bill date: July 2015
    Amount: £17.50
    How can I view my bills?
    Your Chess bill is ready and waiting for you online. To check out your detailed bill, previous bills and any charges you’ve incurred since your last bill, just sign into My Account www .chesstelecom .com/myaccount ...


31 July 2015: 2015-07-Bill.docm - Current Virus total detections: 5/56*
Downloads Dridex banking malware from:
http ://laboaudio .com/4tf33w/w4t453.exe
http ://chateau-des-iles .com/4tf33w/w4t453.exe
http ://immobilier-ctoovu .com/4tf33w/w4t453.exe
http ://delthom .eu.com/4tf33w/w4t453.exe
http ://ctoovu .com/4tf33w/w4t453.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438334839/

laboaudio .com: 94.23.55.169: https://www.virustot...69/information/
chateau-des-iles .com: 94.23.1.145: https://www.virustot...45/information/
immobilier-ctoovu .com: 94.23.55.169
delthom .eu.com: 94.23.1.145
ctoovu .com: 94.23.55.169
___

Apple Care – phish
- http://myonlinesecur...-care-phishing/
31 July 2015 - "'Apple Care' pretending to come from Apple <secure@ appletechnicalteam .com> is one of the latest phish attempts to steal your Apple Account and your Bank, credit card and personal details...

Screenshot: http://myonlinesecur.../Apple-Care.png

... The actual site this sends you to is http ://applesurveillance .com/account/?email=a@a.a which can very easily be mistaken for a genuine Apple site. To make it even worse, the phishers have gone to the effort of setting up the domain properly and are using an email address to send from “Apple <secure@ appletechnicalteam .com> ” which has the correct domainkeys and SPF records so it doesn’t look like spam and will be allowed past most spam filters. They have also set up the applesurveillance .com site so that it appears to a security researcher or investigator that the account has been suspended by the hosting provider, when it actually is -live- when you put any email address into the url:
> http://myonlinesecur...fy_apple_ID.png
When you fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur..._apple_ID_2.png
...
> http://myonlinesecur..._apple_ID_3.png
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email..."
 



Edited by AplusWebMaster, 31 July 2015 - 07:25 AM.



#1510 AplusWebMaster


Posted 01 August 2015 - 01:26 PM

FYI...

Countrywide Money Ltd SPAM
- http://blog.dynamoo....-money-ltd.html
1 Aug 2015 - "You know things must be desperate when a business turns to spam. Here's a dubious-looking spam that seems to be presenting itself in a way that looks like a get-rich-quick scheme:
From:    Countrywide Money [info@ countrywidemoney .co.uk]
Reply-To:    Info@ countrywidemoney .co.uk
Date:    1 August 2015 at 05:11
Subject:    Extra Income FOR YOU!...
... to Unsubscribe Click Here!

Screenshot: https://1.bp.blogspo...countrywide.jpg

... the Unsubscribe link doesn't work. Tsk tsk. Now, I'm sure this is a legitimate business offer and not some sort of scam. But all those banknotes and the general pitch seem to suit an operation in Lagos rather than one in the UK... A non-trading individual? Let's look at that web site for a moment:
> https://1.bp.blogspo...ountrywide2.jpg

Well, it doesn't look like a personal homepage to me... It turns out that the sole director is one "Tony Edwards"... A little bit more digging at DueDil* shows some equally disappointing looking financials...  I'm not sure why this person feels that promoting their business through -spam- is appropriate. I certainly won't be signing up to this scheme."
* https://www.duedil.c...e-money-limited
___

Your Files Are Encrypted with a 'Windows 10 Upgrade'
- http://blogs.cisco.c...tb-locker-win10
July 31, 2015 - "Update 8/1: To see a video of this -threat- in action click here:
> http://cs.co/ctb-locker-video
Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focused around social events and are seen on a constant basis. Today, Talos discovered a -spam- campaign that was taking advantage of a different type of current event. Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update makes them even more likely to fall victim to this campaign:
> https://blogs.cisco....blacked_out.png
Email Message: The email message above is a sample of the type of messages that users are being presented with. There are a couple of key indicators in the message worth calling out.
First, the From address: the adversaries are spoofing the email to look like it is coming directly from Microsoft (update<at>microsoft.com). This is a simple step that tries to get users to read further:
> https://blogs.cisco....in10_header.png
However, a quick look at the email header reveals that the message actually originated from IP address space allocated to Thailand. Second, the attackers are using a similar color scheme to the one used by Microsoft. Third, there are a couple of red flags associated with the text of the email. As you can see below, there are several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email:
> https://blogs.cisco....cter_errors.png
... Payload: Once a user moves past the email, downloads the zip file, extracts it, and runs the executable, they are greeted with a message similar to the following:
>> https://blogs.cisco..../CTB-Locker.png
The payload is CTB-Locker, a ransomware variant. Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware. The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk...
Conclusion: The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise. As a defense, users are encouraged to back up their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers. Adversaries are always looking to leverage current events to get users to install their malicious payloads. This is another example, which highlights the fact that technology upgrades can also be used for malicious purposes..."
 



Edited by AplusWebMaster, 01 August 2015 - 03:00 PM.



#1511 AplusWebMaster


Posted 03 August 2015 - 05:47 AM

FYI...

Bogus Win10 'activators'
- http://net-security....ews.php?id=3082
03.08.2015 - "... bogus Windows 10 'activators'.
* http://www.net-secur...ld.php?id=17960

> https://blog.malware...ps-and-surveys/
___

Fake 'E-bill' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
3 Aug 2015 - "'E-bill : 6200228913 – 31.07.2015 – 0018' pretending to come from  noreply.UK.ebiller@ lyrecobusinessmail .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    Please find enclosed your new Lyreco invoicing document nA^ 6200228913 for a total amount of 43.20 GBP, and  due on 31.08.2015
    We would like to remind you that all of your invoices are archived electronically free of charge and can be reviewed by  you at any time.
    For any questions or queries regarding your invoices, please contact Customer Service on Tel : 0845 7676999*.
    Your Lyreco Customer Service
    *** Please do not reply to the sender of this email...


3 August 2015: 0018_6200228913.docm - Current Virus total detections: 5/55*
Downloads Dridex banking malware from http ://immobilier-roissyenbrie .com/w45r3/8l6mk.exe or http ://scootpassion .com/w45r3/8l6mk.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438596426/

** https://www.virustot...sis/1438596617/

immobilier-roissyenbrie .com: 94.23.55.169: https://www.virustot...69/information/

scootpassion .com: 37.0.72.24: https://www.virustot...24/information/

- http://blog.dynamoo....3-31072015.html
3 Aug 2015
"... Recommended blocklist:
46.36.219.141
94.23.55.169
"
___

DHL DELIVERY - phish ...
- http://myonlinesecur...ils-_-phishing/
3 Aug 2015 - "'DHL DELIVERY DETAILS' pretending to come from noreply@ dhl .com is one of the latest attempts to steal your email account details...

Screenshot: http://myonlinesecur...phish_email.png

... if you click-the-link (DON'T) in the email, you will be sent to http ://cherysweete1843 .org/DHL%20_%20Tracking/DHL%20_%20Tracking.htm (or whichever other site the phishers have set up to steal your information). The site looks like:
> http://myonlinesecur...8/dhl_phish.png
... entering an email address and password just gives you a download of the image that was originally in the email. It just looks like the phishers are trying to get email account details and hoping that an unwary user will be unwise enough to give them the password for their email account so it can be used for sending more spam. Of course there will be a few users who genuinely have DHL accounts and the log in details might be enough to compromise the account and use the account to send stolen or illegal items through the DHL network with minimum risk to the criminals. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email..."

cherysweete1843 .org: 178.217.186.27: https://www.virustot...27/information/
___

First Firmware Worm That Attacks Macs
- http://www.wired.com...m-attacks-macs/
8.03.15 - "... when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of Macs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked... The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware... findings on August 6 at the Black Hat security conference in Las Vegas. A computer’s core firmware — also referred to at times as the BIOS, UEFI or EFI—is the software that boots a computer and launches its operating system. It can be infected with malware because most hardware makers don’t cryptographically sign the firmware embedded in their systems, or their firmware updates, and don’t include any authentication functions that would prevent any but legitimate signed firmware from being installed... it operates at a level below the level where antivirus and other security products operate and therefore does not generally get scanned by these products, leaving malware that infects the firmware unmolested. There’s also no easy way for users to manually examine the firmware themselves to determine if it’s been altered... malware infecting the firmware can maintain a persistent hold on a system throughout attempts to disinfect the computer. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate malicious code, the malicious firmware code will remain intact..."
___

Fake Android Virus Alert(s)...
- https://blog.malware...hinese-hackers/
Aug 3, 2015 - "... messages of impending doom on a mobile device are always more worrying than on a desktop, because many device owners may not be locking down their phones the way they do their PCs. It’s even worse if on a mobile data package, because nobody wants to end up on premium rate services or websites and contend with spurious charges. Once the popups and redirects take hold, it’s sometimes hard to keep your composure and get a handle on multiple tiny screens doing weird things. In the above case, there’s no infection to worry about so no need to panic. Advert redirects to unwanted locations are always a pain – especially if younger members of your family happen to be on the phone at the time the -redirects- happen – but you’ve generally got to work at it to infect a mobile device with something bad. Keeping the “Allow installs from unknown sources” checkbox -unticked- and the “Verify Apps” checkbox -ticked- won’t make your phone bulletproof, but it will go a long way towards keeping you secure."
___

Fake 'pictures' SPAM - JS malware
- http://myonlinesecur...ion-js-malware/
2 Aug 2015 - "'my relaxation' pretending to come from Facebook <update+pw_k1-d2r1@ facebookmail .com> with a zip attachment is another one from the current bot runs... The email looks like:

    Here are some pictures!!
    See you later! I love you.


2 August 2015: File_7866.zip: Extracts to: File_7866.js - Current Virus total detections: 10/56*
Downloads Adobe_update-86R8IJHUY0CCI.exe from http ://kheybarco .com and also downloads a genuine PDF file which is a German language hotel invoice from HRS group (this is an updated version of this Malspam run** from last week)...
** http://myonlinesecur...oup-js-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438493868/

kheybarco .com: 176.9.8.205: https://www.virustot...05/information/
 



Edited by AplusWebMaster, 03 August 2015 - 01:19 PM.

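The Apple Care phish (post #1509 above) and the DHL phish (this post) make the same point from two directions: the Apple one sends from a lookalike domain with valid SPF and DKIM records, so it passes spam filters, while the DHL one spoofs noreply@dhl.com and links out to an unrelated domain. The following is an added example, not code from either post or from myonlinesecurity, of the check that catches both: reduce the sender address, the link target and (if present) the domain that SPF/DKIM actually validated to their registered domains, and compare each against an allowlist for the brand the message names. The brand allowlist and the minimal public-suffix handling are this example's own assumptions; a production check would use the Public Suffix List and a maintained brand table.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of registered domains each brand really uses; not taken
# from the posts. Legitimate mail from email.apple.com or links to
# appleid.apple.com both reduce to apple.com and pass.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "dhl": {"dhl.com"},
    "americanexpress": {"americanexpress.com"},
}
# Minimal public-suffix handling for suffixes seen on this page; a real
# deployment would consult the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "eu.com"}


def registered_domain(host):
    """'secure.mail.apple.com' -> 'apple.com'; 'foo.bar.co.uk' -> 'bar.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_hits(text):
    """Brands whose name appears in the text once punctuation is stripped.
    Deliberately loose ('pineapple.com' matches 'apple'); the allowlist
    decides whether a hit is legitimate, so looseness only costs a lookup."""
    squashed = re.sub(r"[^a-z0-9]", "", text.lower())
    return {brand for brand in BRAND_DOMAINS if brand in squashed}


def assess(from_header, link_url=None, authenticated_domain=None):
    """Return findings for a message that names a brand in its sender or link.

    authenticated_domain is the domain SPF/DKIM actually validated, if any.
    A pass for the phisher's own registered domain says nothing about the
    brand, which is exactly the trick the Apple Care phish relies on."""
    display, addr = parseaddr(from_header)
    from_dom = registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""
    link_host = (urlparse(link_url).hostname or "") if link_url else ""
    link_dom = registered_domain(link_host) if link_host else ""

    claimed = sorted(brand_hits(display) | brand_hits(addr) | brand_hits(link_host))
    legit = set().union(*(BRAND_DOMAINS[b] for b in claimed)) if claimed else set()
    tag = "+".join(claimed)
    findings = []
    if claimed and from_dom and from_dom not in legit:
        findings.append("sender-lookalike:%s->%s" % (tag, from_dom))
    if claimed and link_dom and link_dom not in legit:
        findings.append("link-lookalike:%s->%s" % (tag, link_dom))
    if from_dom and link_dom and from_dom != link_dom:
        findings.append("from-link-mismatch:%s!=%s" % (from_dom, link_dom))
    if claimed and authenticated_domain and registered_domain(authenticated_domain) not in legit:
        findings.append("auth-passed-for-unrelated-domain:%s" % registered_domain(authenticated_domain))
    return findings


if __name__ == "__main__":
    # Sender and link values as quoted in the posts; the authenticated domain
    # for the Apple case is what the post says SPF/DKIM were set up for.
    print(assess("Apple <secure@appletechnicalteam.com>",
                 "http://applesurveillance.com/account/?email=a@a.a",
                 authenticated_domain="appletechnicalteam.com"))
    print(assess("noreply@dhl.com",
                 "http://cherysweete1843.org/DHL%20_%20Tracking/DHL%20_%20Tracking.htm"))
```

The "auth-passed-for-unrelated-domain" finding is the one most filters miss: SPF and DKIM only say that appletechnicalteam .com authorised the message, which the phishers themselves arranged. The question a filter has to ask is whether the authenticated domain is aligned with the brand the message impersonates, which is what the allowlist comparison does. In the DHL case SPF would simply fail for dhl.com; the link-domain check still fires on the message body, so a forwarded copy that lost its authentication results is also caught.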


#1512 AplusWebMaster


Posted 04 August 2015 - 06:31 AM

FYI...

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
4 Aug 2015 - "'INVOICE HH / 114954' pretending to come from haywardsheath@ hpsmerchant .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached INVOICE HH / 114954
    Automated mail message produced by DbMail.
    Registered to Heating & Plumbing Supplies, License MBS2009358.


4 August 2015: R-20787.doc - Current Virus total detections: 5/56*
... downloads Dridex banking malware from http ://ilcasalepica .it/45g33/34t2d3.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438684390/

** https://www.virustot...sis/1438684442/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustot...57/information/
8.254.218.142: https://www.virustot...42/information/

ilcasalepica .it: 195.234.171.179: https://www.virustot...79/information/

- http://blog.dynamoo....-hh-114954.html
4 Aug 2015 - "... The payload is the Dridex banking trojan.
Recommended blocklist:
194.58.111.157
62.210.214.106
31.131.251.33
"
___

Malware spam: "Need your attention"
- http://blog.dynamoo....-attention.html
4 Aug 2015 - "A variety of malicious spam messages are in circulation, each with "Need your attention" in the subject. Each message has a different sender, attachment name and reference number in the subject along with some other variations. Here is an example:
     From:    Hilda Buckner
    Date:    4 August 2015 at 13:29
    Subject:    Need your attention: OO-6212/863282
    Greetings
    Hope you are well
    Please find attached the statement that matches back to your invoices.
    Can you please sign and return.


In that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them) which in this case contains this malicious macro... What that macro does (other ones may be slightly different) is download a VBS script from pastebin .com/download.php?i=0rYd5TK3... which is then saved as %TEMP%\nnjBHccs.vbs. That VBS then downloads a file from 5.196.241.204 /bt/bt/ched.php which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero* (MD5 = 00dca835bb93708797a053a3b540db16). The Malwr report indicates that this phones home to 80.247.233.18 (NFrance Conseil, France). The payload is probably the Dridex banking trojan. Note that the malware also sends apparently non-malicious traffic to itmages .ru , for example:
itmages .ru/image/view/2815551/2b6f1599
itmages .ru/image/view/2815537/2b6f1599
Therefore I would suggest that monitoring for traffic to itmages .ru is a fairly good indicator of compromise."
* https://www.virustot...sis/1438693059/
... Behavioural information
TCP connections
23.14.92.97: https://www.virustot...97/information/
178.255.83.2: https://www.virustot....2/information/
80.247.233.18: https://www.virustot...18/information/

5.196.241.204: https://www.virustot...04/information/

itmages .ru: 176.9.0.165: https://www.virustot...65/information/

comment: Derek Knight said...
"It is -ransomware- not Dridex this time and the most evil thing about it, is it uses a legitimate digital signature so it will blow past antiviruses and operating system protections. Correctly digitally signed files are treated as good."
4 Aug 2015
___

Fake 'AMEX Alert' SPAM - Phish... malware
- http://myonlinesecur...ssible-malware/
4 Aug 2015 - "'Account Alert: IMPORTANT CardMembership Notification' pretending to come from American Express <AmericanExpress@ aecom .com> with an html webpage attachment... seems to be a malware downloader...

Screenshot: http://myonlinesecur...otification.png

The attached webpage looks like:
> http://myonlinesecur...ification_1.png
4 August 2015: AYNEUS018829.html - Current Virus total detections: 4/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
https://www.virustot...sis/1438622967/
___

Malvertising Campaign Takes on Yahoo!
- https://blog.malware...takes-on-yahoo/
Aug 3, 2015 - "June and July have set new records for malvertising attacks. We have just uncovered a large scale attack abusing Yahoo!’s own ad network. As soon as we detected the malicious activity, we notified Yahoo! and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at the time of publishing this blog.
This latest campaign started on July 28th, as seen from our own telemetry. According to data from SimilarWeb, Yahoo!’s website has an estimated 6.9 Billion visits per month making this one of the largest malvertising attacks we have seen recently... As with the previous reported cases this one also leverages Microsoft Azure websites... We did not collect the payload in this particular campaign although we know that Angler has been dropping a mix of ad fraud (Bedep) and ransomware (CryptoWall)... Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain. The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns."
> http://bits.blogs.ny...y-in-yahoo-ads/

- http://net-security....ews.php?id=3083
04.08.2015 - "... In the first half of this year the number of malvertisements has jumped 260 percent compared to the same period in 2014. The sheer number of unique malvertisements has climbed 60 percent year over year... fake Flash updates have replaced fake antivirus and fake Java updates as the most commonly method used to lure victims into installing various forms of malware including ransomware, spyware and adware..."
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 04 August 2015 - 10:30 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1513 AplusWebMaster (SWI Friend, 9,733 posts)

Posted 05 August 2015 - 07:18 AM

FYI...

Fake 'Ofcom Spectrum' SPAM - doc/xls malware
- http://myonlinesecur...rd-doc-malware/
5 Aug 2015 - "'IMPORTANT – Document From Ofcom Spectrum Licensing' pretending to come from Spectrum.licensing@ ofcom. org.uk with a malicious word doc/xls attachment is another one from the current bot runs... The email looks like:
    Dear Sir/Madam,
    Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.
    Please read the document carefully and keep it for future reference.
    If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee’s responsibility to ensure all information we hold is correct and current.
    If you have any enquiries relating to this document, please email
    spectrum.licensing@ ofcom .org.uk
    Yours faithfully,
    Ofcom Spectrum Licensing ...


5 August 2015: logmein_pro_receipt.xls - Current Virus total detections: 6/55*
Downloads Dridex banking malware from http ://naturallyconvenient .co.za/75yh4/8g4gffr.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438771928/

** https://www.virustot...sis/1438771421/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustot...57/information/
2.18.213.40: https://www.virustot...40/information/

naturallyconvenient .co.za: 197.221.14.220: https://www.virustot...20/information/

- http://blog.dynamoo....ument-from.html
5 Aug 2015
"... downloads a malware executable from:
naturallyconvenient .co.za/75yh4/8g4gffr.exe
... phoning home to:
194.58.111.157 (Reg.RU, Russia)
That IP has been used for badness a few times recently and I definitely recommend that you block traffic to it..."
___

Fake 'Booking Confirmation' SPAM – doc malware
- http://myonlinesecur...dsheet-malware/
5 Aug 2015 - "'Booking Confirmation – Accumentia (16/9/15)' pretending to come from <david.nyaruwa @soci .org> with a malicious word doc is another one from the current bot runs... The email looks like:
    Please find attached a proforma invoice for Accumentia’s booking of the council room on 16/09/15. The deposit to confirm the booking is 25% (ie £205.50) with the balance due by the date of the meeting.
    Regards,
    David Nyaruwa
    Project Accountant ...


5 August 2015: Accumentia Booking (16-9-15).doc - Current Virus total detections: 7/55*
Downloads -same- Dridex banking malware as today’s other 2 malspam runs [1] [2]
1] http://myonlinesecur...rd-doc-malware/
...
2] http://myonlinesecur...rd-doc-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438773636/

- http://blog.dynamoo....nfirmation.html
5 Aug 2015 - "... Accumentia Booking (16-9-15).doc which comes in at least two different versions [VirusTotal results 6/56* and 7/56**]...  download -malware- from the following locations:
hunde-detektive .de/75yh4/8g4gffr.exe
naturallyconvenient .co.za/75yh4/8g4gffr.exe
This file has a detection rate of 4/55*** and the Malwr report shows that it phones home to the familiar IP of:
194.58.111.157 (Reg.RU, Russia)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan..."
* https://www.virustot...005eb/analysis/

** https://www.virustot...5bff2/analysis/

*** https://www.virustot...sis/1438773952/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustot...57/information/
2.18.213.40: https://www.virustot...40/information/

hunde-detektive .de: 81.169.145.89: https://www.virustot...89/information/
___

Fake 'passport' SPAM – JS malware cryptowall/fareit
- http://myonlinesecur...uez-js-malware/
5 Aug 2015 - "'My passport – Reginald Vazquez' pretending to come from Reginald Vazquez <Reginald.Vazquez@ iconbrandingsolutions .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please find attached copy of the passport for my wife and daughter as requested. please note we need to complete on the purchase in 4 weeks from the agreed date.
    Kind regards,
    Reginald Vazquez


5 August 2015: Reginald Vazquez.zip - Extracts to: Reginald Vazquez.js
Current Virus total detections: 0/55*. Downloads 2 files from 31072015a .com 1 is -cryptowall-, the second is -fareit- VirusTotal [1] [2]. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustot...sis/1438775249/
... Behavioural information
TCP connections
188.165.164.184: https://www.virustot...84/information/
5.196.199.72: https://www.virustot...72/information/
45.56.87.253: https://www.virustot...53/information/
103.28.39.102: https://www.virustot...02/information/
81.218.71.215: https://www.virustot...15/information/
212.90.148.43: https://www.virustot...43/information/
184.168.47.225: https://www.virustot...25/information/
198.211.120.49: https://www.virustot...49/information/
98.130.136.200: https://www.virustot...00/information/

2] https://www.virustot...sis/1438775261/
... Behavioural information
TCP connections
192.186.240.131: https://www.virustot...31/information/
82.208.47.134: https://www.virustot...34/information/
160.153.34.130: https://www.virustot...30/information/
50.62.121.1: https://www.virustot....1/information/
192.254.185.141: https://www.virustot...41/information/
50.63.93.1: https://www.virustot....1/information/

31072015a .com:
> http://centralops.ne...ainDossier.aspx
Registrant Country: RU
Admin Country: RU
Tech State/Province: RU ...
route:          178.151.105.0/24
descr:          Kiev,  Troyeshchyna
origin:         AS13188
AS13188: https://www.google.c...c?site=AS:13188
...
89.185.15.235: https://www.virustot...35/information/
94.45.73.242: https://www.virustot...42/information/
46.119.54.121: https://www.virustot...21/information/
31.43.132.156: https://www.virustot...56/information/
217.73.85.49: https://www.virustot...49/information/
62.244.60.154: https://www.virustot...54/information/
194.242.102.188: https://www.virustot...88/information/
176.111.43.241: https://www.virustot...41/information/
95.47.4.154: https://www.virustot...54/information/
194.44.37.3: https://www.virustot....3/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 05 August 2015 - 08:49 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1514 AplusWebMaster (SWI Friend, 9,733 posts)

Posted 06 August 2015 - 07:52 AM

FYI...

Fake 'Voice message' SPAM – malware
- http://myonlinesecur...ke-wav-malware/
6 Aug 2015 - "'RE: Voice message from 07773403290' pretending to come from tel: 07773403290 <non-mail-user@ voiplicity .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...07773403290.png

6 August 2015: message_01983527496.wav.zip: Extracts to: message_01983527496.exe
Current Virus total detections: 0/58* . Downloads other files from mastiksoul .org or wedspa .su which appear to be Dridex/Cridex banking malware and posts stolen information to wedspa .su  (VirusTotal**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438846882/

** https://www.virustot...sis/1438847706/
... Behavioural information
TCP connections
212.47.196.149: https://www.virustot...49/information/
8.254.218.94: https://www.virustot...94/information/

mastiksoul .org: 74.220.207.107: https://www.virustot...07/information/

wedspa .su:
94.229.22.39: https://www.virustot...39/information/
94.242.58.226: https://www.virustot...26/information/
185.26.113.229: https://www.virustot...29/information/

- http://blog.dynamoo....ssage-from.html
6 Aug 2015 - "... Recommended blocklist:
185.26.113.229
212.47.196.149
"
___

Chinese Actors Copy/Paste HackingTeam 0-Days in Site Hack
- https://blog.malware...s-in-site-hack/
Aug 6, 2015 - "... The HackingTeam archive provided very easy to reuse zero-days that even contained instructions. Exploit kit authors still repackaged the exploits to their liking from the original copies, simply reusing the same vulnerability. Not all threat actors did that though. We found a particular attack on a Chinese website where the perpetrators literally copied and pasted the exploit code from HackingTeam, and simply replaced the default ‘calc.exe’ payload with theirs:
> https://blog.malware...8/copypaste.png
... The only thing that really differs is the payload... malicious binaries.
Files used:
mogujie.exe: https://www.virustot...sis/1438875540/
desktop.exe: https://www.virustot...sis/1438875538/
SWF(1): https://www.virustot...sis/1438459365/
SWF(2): https://www.virustot...sis/1438534343/..."

210.56.51.74: https://www.virustot...74/information/
___

Malware-injecting 'man-in-the-cloud' attacks
- http://www.theinquir...e-cloud-attacks
Aug 06 2015 - "... Imperva has revealed a new type of attack called 'man-in-the-cloud' (MITC) that allows hackers to access cloud storage services without the need for a password. The research was unveiled at the Black Hat security conference in Las Vegas, and shows how the attack enables hackers to hijack users of cloud-based storage services, such as Box, Dropbox, Google Drive and Microsoft OneDrive, without their knowledge. Imperva said that the hacker gains authentication to the cloud service by stealing a token that is generated the first time a cloud syncing service is used on a PC, without compromising the user's cloud account username or password. From here, an attacker can access and steal a user's files, and even add malware or ransomware to the victim's cloud folder. Imperva said in some cases "recovery of the account from this type of compromise is not always feasible"..."

- http://www.darkreadi.../d/d-id/1321501
8/5/2015
___

Threat Group-3390 Targets Organizations for Cyberespionage
- http://www.securewor...cyberespionage/
5 Aug 2015 - "... TG-3390 is known for compromising organizations via SWCs and moving quickly to install backdoors on Exchange servers. Despite the group's proficiency, there are still many opportunities to detect and disrupt its operation by studying its modus operandi. The threat actors work to overcome existing security controls, or those put in place during an engagement, to complete their mission of exfiltrating intellectual property. Due to TG-3390's determination, organizations should formulate a solid -eviction- plan before engaging with the threat actors to prevent them from reentering the network..."
(More detail at the URL above.)
* http://www.securewor...respionage/#r01
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 06 August 2015 - 02:39 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1515 AplusWebMaster (SWI Friend, 9,733 posts)

Posted 07 August 2015 - 08:32 AM

FYI...

Fake ad 'Sleek Granite Computer' SPAM - malicious attachment
- http://blog.dynamoo....e-computer.html
7 Aug 2015 - "What the heck is a Sleek Granite Computer? As clickbait it is kind of weird.. but perhaps interesting enough to get people to click on the malicious attachment it comes with:
     From:    mafecoandohob [mafecoandohob@ bawhhorur .com]
    To:    Karley Pollich
    Date:    7 August 2015 at 13:17
    Subject:    Sleek Granite Computer
    Good day!
    If you remember earlier this week we discussed with You our new project which we intend to start next month.
    For Your kind review we enclose here the business plan and all the related documents.
    Please send us an e-mail in case You have any comments or proposed changes.
    According to our calculations the project will start bringing profit in 6 months.
    Thanks in advance.
    Karley Pollich
    Dynamic Response Strategist
    Pagac and Sons
    Toys, Games & Jewelery
    422-091-2468


The only sample of this I had was -malformed- and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe. This has a VirusTotal detection rate of 4/55* with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre/Dyre traffic pattern to:
195.154.241.208 :12800/0608us12/6FsvE66Gy1/0/61-SP1/0/FDMBEFJBMKBEMM
195.154.241.208 :12800/0608us12/6FsvE66Gy1/41/2/18/FDMBEFJBMKBEMM
This IP address belongs to Online SAS in France who seem to have hosted quite a bit of this stuff recently, the hostname identifies it as belonging to poneytelecom .eu. Traffic is also spotted to:
37.57.144.177 (Triolan / Content Delivery Network, Ukraine)
95.143.141.50 (LTnet, Czech Republic)
There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.
Recommended blocklist:
195.154.241.208
37.57.144.177
95.143.141.50
"
* https://www.virustot...sis/1438950940/
___

Fake 'Tax Refund' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 Aug 2015 - "Amongst all of today’s usual bunch of spoofed HMRC tax refund phishing attempts, we are seeing an email tonight saying 'Tax Refund New Message Alert!' pretending to come from HM Revenue & Customs <security.custcon@ hmrc .gsi .gov .uk> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    After the last anual calculations of your fiscal activity we have discovered
    that you are eligible to receive a tax refund of GBP 1048.55.
    Kindly complete the tax refund request and allow 1-15 working days to process it.
    Please download the document attached to this email and confirm your tax refund.
    A refund can be delayed for a variety of reasons.
    For example: Submitting invalid records or applying after the deadline.
    Yours sincerely, Edward Troup
    Tax Assurance Commissioner.
    Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.


7 August 2015: TaxRefund0036192.zip - Extracts to: TaxRefund0036192.pdf.exe
Current Virus total detections: 4/56* which looks to be this rather nasty ransomware Trojan**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438968024/

** https://usa.kaspersk...at#.VcURnHnbK70
"... via the Andromeda botnet"
___

Updates in... Ransomware
- http://blog.trendmic...-of-ransomware/
Aug 7, 2015 - "...  ransomware variants have evolved to do more than just encrypt valuable system files. CryptoFortress targeted files in shared network drives while TeslaCrypt targeted gamers and mod users. Now we are seeing another feature rapidly gaining ground in the world of ransomware: the ability to increase the ransom price on a deadline... A recent attack on an Australian company revealed a new TorrentLocker variant that can double the price of decryption after a deadline of five days. The cyber attack started with a business email. We noted a TorrentLocker spam run targeting Australia that probably delivered the infected email. TorrentLocker is a persistent threat in the region... After clicking on one of these infected emails, a manager’s system ended up with the crypto-ransomware TROJ_CRYPLOCK.XW. Nothing happened at first. The manager deleted the email and thought nothing of it until hours later. By then, it was too late. The malware had already encrypted 226 thousand files before it popped the warning and all IT admins can do is stare at a screen asking them for AU $640 in five days, after which the price will double to AU $1280:
> https://blog.trendmi..._updates_01.png
...  Continuing upgrades in crypto-ransomware show that users need to be vigilant with attack vectors that may be used to get the malware in their machines. While installing security software to protect all endpoints is paramount to security, it is equally important to use a multi-layered approach.
- Always have a -backup- strategy, most efficiently by following the 3-2-1 rule*...
- Trust products proven to detect ransomware before it reaches your system—either as a bad URL, a malicious email, or via unpatched exploits.
- Noting the way that the Australian company was hacked, it pays to also educate employees about safe email and Web browsing procedures..."
* http://blog.trendmic...the-3-2-1-rule/
"... backup best practices is the three-two-one rule. It can be summarized as: if you’re backing something up, you should have:
    At least three copies,
    In two different formats,
    with one of those copies off-site..."
___

RIG Exploit Kit 3.0 - 1 Million Strong and Growing
- https://atlas.arbor....ndex#1344414045
Elevated Severity
Aug 6, 2015 - "The RIG exploit kit, used to deliver various forms of -malware- onto compromised systems, has seen a recent surge in victims. The surge, impacting more than 1.25 million systems globally, is spreading via a large -malvertising- campaign at an average rate of 27,000 new victims a day*..."
* https://www.trustwav...puters-Per-Day/
___

Google, Samsung to issue monthly Android security fixes
- http://www.reuters.c...N0QC00320150807
Aug 6, 2015 8:03pm EDT - "... As with Apple's iPhones, the biggest security risk comes with apps that are not downloaded from the official online stores of the two companies... a key avenue was to convince targets to download legitimate-seeming Android and iPhone apps from imposter websites."
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 08 August 2015 - 05:57 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
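Several of the posts above (the .wav.zip that extracts to an .exe, the .js inside "Reginald Vazquez.zip", the TaxRefund .pdf.exe, and the .doc/.docm macro attachments) describe the same two tricks: an executable whose name or icon mimics a document, and an Office file carrying VBA. The following is an added example written for this thread, not code from myonlinesecurity, dynamoo or any of the quoted blogs. It triages an attachment by name and, where the attachment is a zip (which also covers OOXML files such as .docm), by the names of the members inside it, looking for a vbaProject.bin part. The sample attachments are constructed here with dummy contents; only their file names are taken from the posts.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows executes on double-click (the ".scr", ".js", ".exe" cases in the posts).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions whose name/icon the attacker impersonates ("x.pdf.exe", "x.wav.zip" -> "x.exe").
DECOY_EXTS = {".pdf", ".doc", ".xls", ".wav", ".jpg", ".txt"}
# Office formats that can carry VBA macros and therefore need a closer look.
MACRO_CAPABLE_EXTS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm"}

LEVELS = {"allow": 0, "review": 1, "block": 2}


def classify_name(name):
    """Judge a file name alone. Returns a list of (level, reason) tuples."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    findings = []
    if not suffixes:
        return findings
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(("block", f"executable type {last}"))
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            findings.append(("block", f"decoy double extension {suffixes[-2]}{last}"))
    elif last in MACRO_CAPABLE_EXTS:
        findings.append(("review", f"macro-capable Office format {last}"))
    return findings


def triage_attachment(filename, data):
    """Judge an attachment by its name and, for zip containers, by its member names.

    Returns {"name": ..., "verdict": "allow" | "review" | "block", "reasons": [...]}.
    """
    findings = [(lvl, f"{filename}: {why}") for lvl, why in classify_name(filename)]
    if data[:2] == b"PK":  # zip local-file header; also true for OOXML (.docm/.xlsm)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for lvl, why in classify_name(member):
                        findings.append((lvl, f"{filename} -> {member}: {why}"))
                    if member.lower().endswith("vbaproject.bin"):
                        findings.append(("block", f"{filename} -> {member}: embedded VBA macro project"))
        except zipfile.BadZipFile:
            findings.append(("review", f"{filename}: PK header but not a readable zip"))
    verdict = "allow"
    for lvl, _ in findings:
        if LEVELS[lvl] > LEVELS[verdict]:
            verdict = lvl
    return {"name": filename, "verdict": verdict, "reasons": [why for _, why in findings]}


def make_zip(members):
    """Build an in-memory zip from {member_name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: names come from the posts above, contents are dummies, not the real files.
SAMPLES = [
    ("message_01983527496.wav.zip", make_zip({"message_01983527496.exe": b"MZ dummy"})),
    ("Reginald Vazquez.zip", make_zip({"Reginald Vazquez.js": b"// dummy"})),
    ("TaxRefund0036192.zip", make_zip({"TaxRefund0036192.pdf.exe": b"MZ dummy"})),
    ("17143013 01.docm", make_zip({"[Content_Types].xml": b"<Types/>",
                                   "word/document.xml": b"<w:document/>",
                                   "word/vbaProject.bin": b"dummy"})),
    ("Accumentia Booking (16-9-15).doc", b"\xd0\xcf\x11\xe0 dummy OLE2"),
    ("meeting-notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        result = triage_attachment(name, data)
        print(f"{result['verdict']:6}  {name}")
        for reason in result["reasons"]:
            print(f"        {reason}")
```

The name check alone cannot tell a clean legacy .doc from one carrying a macro (both are binary OLE2 files), which is why those only get "review"; a .docm is a zip, so the vbaProject.bin member is visible without any Office parser and is enough to block it outright.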


#1516 AplusWebMaster (SWI Friend, 9,733 posts)

Posted 10 August 2015 - 07:28 AM

FYI...

Fake 'Your order' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
10 Aug 2015 - "'Your order 10232 from Create Blinds Online: Paid' pretending to come from orders@ createblindsonline .co.uk with a malicious word doc attachment  is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
... The email looks like:
    We would like to thank you for your recent order. Order Status updated on: 10/08/2015 Your Customer ID: 1761 Your Order ID: 10232
    Invoice Number: 10232
    Delivery Note:   We received your order and payment on Aug/102015 Your order details are attached:
    Kind regards
    Create Blinds Online Team ...


Screenshot: http://myonlinesecur...inds-Online.png

10 August 2015: invoice-10232.doc  Current Virus total detections: 5/55*  Downloads Dridex banking malware from http ://mbmomti .com.br/435rg4/3245rd2.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439189964/

** https://www.virustot...sis/1439190149/
... Behavioural information
TCP connections
78.47.119.85: https://www.virustot...85/information/
191.234.4.50: https://www.virustot...50/information/

mbmomti .com.br: 187.17.111.99: https://www.virustot...99/information/

- http://blog.dynamoo....10232-from.html
10 Aug 2015 - "... attempts to download a -malicious- binary from one of the following locations:
mbmomti .com.br/435rg4/3245rd2.exe
j-choi .asia/435rg4/3245rd2.exe
... generates traffic to 78.47.119.85 (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan."
j-choi .asia: 153.122.0.184: https://www.virustot...84/information/
___

Fake 'MI Package' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Aug 2015 - "'Premium Charging MI Package for Merchant 17143013' pretending to come from GEMS@ Worldpay .com with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecur...w-macros_21.png
... The email looks like:
    *** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.

10 August 2015: 17143013 01.docm - Current Virus total detections: 5/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439196186/

- http://blog.dynamoo....harging-mi.html
10 Aug 2015 - "... one sample named 17143013 01.docm ...  detection rate of 5/55* and it contains this malicious macro... which then downloads a component from:
gardinfo .net/435rg4/3245rd2.exe
This is exactly the -same- payload as seen in this spam run** also from this morning."
* https://www.virustot...sis/1439198630/

** http://blog.dynamoo....10232-from.html

gardinfo .net: 62.210.16.61: https://www.virustot...61/information/
___

Fake 'Resume' SPAM - malicious attachment
- http://blog.dynamoo....iel-resume.html
10 Aug 2015 "This fake résumé comes with a malicious attachment:
    From:    alvertakarpinskykcc@ yahoo .com
    Date:    10 August 2015 at 19:40
    Subject:    Resume
    Signed by:    yahoo .com
    Hi my name is Gabriel Daniel doc is my resume
    I would appreciate your immediate attention to this matter
    Kind regards
    Gabriel Daniel


Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro... which has a VirusTotal detection rate of 2/56*. As far as I can tell, it appears to download a disguised JPG file from 46.30.43.179/1.jpg (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on:
> https://1.bp.blogspo.../cryptowall.png
So, it is pretty clear that the payload here is -Cryptowall- (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?o=ups5xom3u2sb01
It also directs the visitor to various personalised ransom pages hosted on 80.78.251.170 (Agava, Russia).
Recommended blocklist:
46.30.43.179
80.78.251.170
conopizzauruguay .com
"
* https://www.virustot...sis/1439219044/

conopizzauruguay .com: 208.113.240.70: https://www.virustot...70/information/
___

.COM.COM Used For Malicious Typo Squatting
- https://isc.sans.edu...l?storyid=20019
2015-08-10 - "... domains ending in ".com.com" are being -redirected- to what looks like malicious content. Back in 2013, A blog by Whitehat Security pointed out that the famous "com.com" domain name was sold by CNET to known typo squatter dsparking .com [1]. Apparently, dsparking .com paid $1.5 million for this particular domain. Currently, the whois information uses privacy protect, and DNS for the domain is hosted by Amazon's cloud. All .com.com hostnames appear to resolve to 54.201.82.69, also hosted by Amazon (amazon .com .com is also directed to the same IP, but right now results in more of a "Parked" page, not the -fake- anti-malware as other domains). The content you receive varies. For example, on my first hit from my Mac to facebook .com .com , I received the following page:
> https://isc.sans.edu... 2_34_58 PM.png
And of course the -fake- scan it runs claims that I have a virus :) . As a "solution", I was offered the well known scam-app "Mackeeper". Probably best to -block- DNS lookups for any .com.com domains. The IP address is likely going to change soon, but I don't think there is any valid content at any ".com.com" host name. The Whitehat article does speak to the danger of e-mail going to these systems... Amazon EC2 abuse was notified."
1] https://blog.whiteha...ould-scare-you/

54.201.82.69: https://www.virustot...69/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 10 August 2015 - 03:37 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
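The dynamoo posts above end with "Recommended blocklist" entries, the "Need your attention" write-up suggests monitoring traffic to itmages .ru as an indicator of compromise, the Sleek Granite Computer post says the same about icanhazip.com, and the ISC diary suggests blocking DNS lookups for anything under .com.com. Below is an added example, written for this thread and not code from any of the quoted blogs, that applies those indicators to proxy/DNS log lines. The log format is constructed for the example (one line per connection: timestamp, internal client, DNS or HTTP, host, resolved IP); the internal 10.x addresses and the example.* hosts are made up, while the blocklist entries and the host/IP pairs come from the posts above.

```python
import ipaddress
import re
from collections import Counter

# Indicators taken from the posts above: dynamoo's "Recommended blocklist" IPs and domain,
# plus the hosts the posts describe as worth monitoring rather than outright malicious.
BLOCK_IPS = {"194.58.111.157", "62.210.214.106", "31.131.251.33",
             "195.154.241.208", "46.30.43.179", "80.78.251.170"}
BLOCK_DOMAINS = {"conopizzauruguay.com"}
WATCH_DOMAINS = {"itmages.ru", "icanhazip.com"}
# The ISC diary above suggests blocking lookups for any name under .com.com.
BLOCK_SUFFIXES = {"com.com"}

# Constructed log format (not any real product's): "<ts> <client> <DNS|HTTP> <host> <resolved_ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>DNS|HTTP)\s+(?P<host>\S+)\s+(?P<dst>\S+)$"
)


def under_domain(host, domain):
    """True if host is domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(host, dst):
    """Return (verdict, reason) for one connection, or None if nothing matched.

    Checks, in order: direct connection to a blocked IP, any host that resolves to a
    blocked IP (catches a fresh hostname pointing at known infrastructure), blocked
    domains, blocked suffixes, and finally the watch-only indicators.
    """
    host = host.lower().rstrip(".")
    if is_ip(host) and host in BLOCK_IPS:
        return "block", f"direct connection to blocklisted IP {host}"
    if dst in BLOCK_IPS:
        return "block", f"{host} resolves to blocklisted IP {dst}"
    for domain in BLOCK_DOMAINS:
        if under_domain(host, domain):
            return "block", f"{host} is under blocklisted domain {domain}"
    for suffix in BLOCK_SUFFIXES:
        if under_domain(host, suffix):
            return "block", f"{host} is under blocked suffix {suffix}"
    for domain in WATCH_DOMAINS:
        if under_domain(host, domain):
            return "watch", f"{host} is a post-infection indicator, review the client"
    return None


def scan_log(lines):
    """Run classify() over log lines; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        result = classify(m["host"], m["dst"])
        if result is not None:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "verdict": result[0], "reason": result[1]})
    return hits


def blocked_clients(lines):
    """Count 'block' hits per internal client, i.e. the machines to look at first."""
    return dict(Counter(h["client"] for h in scan_log(lines) if h["verdict"] == "block"))


# Constructed sample log (see the lead-in for what is real and what is made up).
SAMPLE_LOG = """\
2015-08-10T13:02:11Z 10.0.0.15 HTTP conopizzauruguay.com 208.113.240.70
2015-08-10T13:02:12Z 10.0.0.15 DNS facebook.com.com 54.201.82.69
2015-08-10T13:02:13Z 10.0.0.15 HTTP icanhazip.com 203.0.113.9
2015-08-10T13:02:14Z 10.0.0.22 HTTP 194.58.111.157 194.58.111.157
2015-08-10T13:02:15Z 10.0.0.22 HTTP updates.example.net 194.58.111.157
2015-08-10T13:02:16Z 10.0.0.31 HTTP www.example.org 203.0.113.10
this line is not in the expected format and is skipped
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']:10} {hit['verdict']:5} {hit['reason']}")
    print("clients with blocked traffic:", blocked_clients(SAMPLE_LOG))
```

The resolved-IP check matters more than the hostname lists: the posts show the same 194.58.111.157 being reached through several throwaway domains, so a new hostname behind a known IP is still caught. The watch entries are deliberately not blocks, since a hit on icanhazip.com is only meaningful together with the rest of that client's traffic.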


#1517 AplusWebMaster (SWI Friend, 9,733 posts)

Posted 11 August 2015 - 08:02 AM

FYI...

Fake 'Website Invoice' SPAM – PDF malware
- http://myonlinesecur...ce-pdf-malware/
11 Aug 2015 - "'Here is your BT Website Invoice.' pretending to come from btd.billing.noreply@ bt .com with a PDF attachment is another one from the current bot runs... The email comes in corrupt... There is an HTML attachment which contains what the actual email should read:
***Please do not reply to this automated e-mail as responses are not read***
    Hello
    Here is your latest billing information from BT Directories – please check the details carefully.
    If you need to contact us then you’ll find the numbers in the attachment.
    Kind Regards
    BT Directories Billing & Credit Management ...


And there is a PDF attachment which contains the malware:
11 August 2015 : DirectDebit Invoice_5262307_011220140151449702826.pdf
Current Virus total detections: 4/56*  which is a PDF containing a word doc with embedded macros in the same way as described in today’s earlier malspam run**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439286155/

** http://myonlinesecur...ts-pdf-malware/
11 Aug 2015 - "'Interparcel Documents' pretending to come from Interparcel <bounce@ interparcel .com> with a PDF attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...l-Documents.png

11 August 2015: Shipping Labels (938854744923).pdf - Current Virus total detections: 4/57*
... downloads Dridex from http ://sonicadmedia .com/334f3d/096uh5b.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439281100/

** https://www.virustot...sis/1439284911/

sonicadmedia .com: 192.185.5.3: https://www.virustot....3/information/
___

Fake 'Congratulations on your purchase Windows' SPAM – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Aug 2015 - "'Congratulations on your purchase Windows' with a zip attachment is another one from the current bot runs... The email looks like:
    The invoice for the license windows 10.
    Invoice id: 5661255582
    License number: 211883074666
    License serial number: XXXXXX-XXXXXX-XXXXXX-QF7303-DG7S86
    Details of the attachment.
    THANKS A LOT FOR BEING WITH US.


Today's Date: Invoice Windows10 1648726511-en.zip:
Extracts to: Invoice Windows10 7848342350-en.exe
Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439303996/
___

Asprox botnet... disappears
- http://www.infoworld...disappears.html
Aug 11, 2015 - "The Asprox botnet, whose malware-spamming activities have been followed for years by security researchers, appears to be gone... the botnet seemed to be shut down, wrote Ryan Olson, intelligence director for Palo Alto Networks, in a blog post:
> http://researchcente...e-after-kuluoz/
Olson wrote that Palo Alto thought the botnet's operators may have changed their tactics, and Palo Alto missed the shift. But they verified that Asprox's command-and-control structure shut down - at least for now... Earlier this year, Brad Duncan, a security researcher at Rackspace, also noticed a change:
> https://isc.sans.edu...x Botnet/19435/
... Spam that appeared stylistically close to that sent by Asprox had -different- malware. Asprox has taken a hit before. In November 2008, it was one of several botnets affected by the shutdown of McColo, a notorious California-based ISP that was providing network connectivity for cybercriminals. The shutdown of McColo dramatically cut the amount of spam, but Asprox as well as other botnets came back. The most frequent malware now seen by Palo Alto is Upatre. That malware downloads other harmful programs to a computer, and Palo Alto has seen it involved in installing a banking trojan called Dyre and the Cryptowall ransomware..."
>> http://researchcente...08/kuluoz-2.png
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 11 August 2015 - 11:04 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1518 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,733 posts

Posted 12 August 2015 - 08:06 AM

FYI...

Fake 'Invoices payable' SPAM – JAVA malware
- http://myonlinesecur...e-java-malware/
12 Aug 2015 - "'RE: Re: Invoices payable' with a jar attachment pretending to come from info@ fulplanet .com is another one from the current bot runs...

Screenshot: http://myonlinesecur...ces-payable.png

12 August 2015: Invoice.jar - Current Virus total detections: 4/57*
Luckily, Outlook (as you can see from the screenshot above) and many other email clients automatically -block- java jar files from being accessed or opened in the email client. Webmail clients are more at risk as most allow any attachment. Java is a cross-browser and cross-OS program and that is why it is so dangerous. Malicious Java files can infect and compromise ANY computer whether it is Windows or Apple or Android or Linux. You will not be infected and cannot be harmed if you do -not- have Java installed on the computer.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown file instead of the Java executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439362101/
___

Fake 'list attached' SPAM – PDF drops word doc – malware
- http://myonlinesecur...rd-doc-malware/
12 Aug 2015 - "'list attached as requested' pretending to come from Danielle | CC Signs Ltd. <orders@ ccsigns .co.uk> with a malicious PDF attachment that drops a word doc is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email has a -blank- body with just this image inside it and looks like:
> http://myonlinesecur...C-Signs-Ltd.jpg

12 August 2015: smo.pdf - Current Virus total detections: 5/56*
... which drops/creates 4.docm (VirusTotal**) which contains a macro that connects to  http ://konspektau.republika .pl/07jhnb4/0kn7b6gf.exe and downloads Dridex banking malware (VirusTotal***). Other download locations include http ://madrigalchor-schloss-benrath .de/07jhnb4/0kn7b6gf.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439370949/

** https://www.virustot...sis/1439371138/

*** https://www.virustot...sis/1439372114/
... Behavioural information
TCP connections
74.119.194.18: https://www.virustot...18/information/
95.101.128.113: https://www.virustot...13/information/

konspektau.republika .pl: 213.180.150.17: https://www.virustot...17/information/

madrigalchor-schloss-benrath .de: 81.169.145.158: https://www.virustot...58/information/
___

Fake 'Invoice for 415 Litmus' SPAM – doc malware
- http://myonlinesecur...itmus-word-doc/
12 Aug 2015 - "'Invoice for 415 Litmus' pretending to come from angela_lrc088128@ btinternet .com  (the lrc088128 is random and I am seeing -hundreds- of lrc******@ btinternet .com being -spoofed- as the from addresses) with a malicious word doc attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png

Screenshot: http://myonlinesecur...-415-Litmus.png

12 August 2015: 415 Litmus Cleaning invoice.docm - Current Virus total detections: 6/56*
The -malicious- macro inside this version of the word doc connects to and downloads Dridex banking malware from http ://madrigalchor-schloss-benrath .de/07jhnb4/0kn7b6gf.exe (Virus Total**) Which is the -same- malware as described in today’s other Malspam run[1] containing malicious PDF dropping word docs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439371782/

** https://www.virustot...sis/1439372114/
... Behavioural information
TCP connections
74.119.194.18: https://www.virustot...18/information/
95.101.128.113: https://www.virustot...13/information/

madrigalchor-schloss-benrath .de: 81.169.145.158: https://www.virustot...58/information/

1] http://myonlinesecur...rd-doc-malware/
___

Fake 'transferred into Your account HSBC' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2015 - "A series of emails on the theme of 'This is to confirm that amounts were transferred into Your account' with subjects like 'Payment affirmation' or 'Conducted transaction information' with an email -link- to entice you into downloading a zip attachment is another one from the current bot runs... Some of the subjects include:
    Conducted transaction information
    Deposited funds receipt
    Fund transfer receipt
    Deposited funds acknowledgment
    Transaction statement
    Transfer verification
    Deposited funds affirmation
    Deposited funds statement
    Balance change receipt
The senders pretend to be bank employees from HSBC and include such titles as:
    Forward Applications Strategist
    Principal Assurance Developer
    Corporate Web Architect
    Principal Factors Director
And hundreds of other similar-style, seemingly important-sounding titles. The sender matches the job title in the body of the email although the names are totally random...

Screenshot: http://myonlinesecur...affirmation.png

12 August 2015: invoice.pdf.zip: Extracts to: invoice.pdf.exe*
Current Virus total detections: 3/56*. These -Upatre- downloaders normally download either Dridex or Dyreza banking malware. So far the automatic tools haven’t managed to get any actual download. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439376577/
___

Fake 'Important documents BoA' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2015 - "'FW: Important documents' pretending to come from Guadalupe Aldridge <Guadalupe.Aldridge@ bankofamerica .com> or Mariano Cotton <Mariano.Cotton@ bankofamerica .com> (and probably loads of other random names @ bankofamerica .com) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...t-documents.png

12 August 2015: AccountDocuments.zip: Extracts to: AccountDocuments.scr
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439398277/
___

Win10 Store, Mail client down for some
- http://www.zdnet.com...-down-for-some/
Updated Aug 10, 11 - "... having problems accessing the Windows 10 Store and a number of Store apps, including Microsoft's new Mail client, for more than a day:
> http://zdnet2.cbsist...10storedown.jpg "
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 12 August 2015 - 02:05 PM.



#1519 AplusWebMaster

Posted 13 August 2015 - 07:52 AM

FYI...

Fake 'Invoice Bristan' SPAM – PDF malware
- http://myonlinesecur...nvoice-malware/
13 Aug 2015 - "'Invoice I623792760' (Random characters and numbers) pretending to come from Bristan Documents <Prism@ bristan .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-I623792760.png

13 August 2015: INVOICE_I623792760.zip: Extracts to: INVOICE_I9288320.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439455676/
___

Fake 'Incident' RBS SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
13 Aug 2015 - "'RE: Incident IM07298646' (random numbers) pretending to come from RBS <secure.message@ rbs .co.uk> with a malicious word doc attachment is another one from the current bot runs... This particular version pretends to be signed with an RSA secure key and you need to enable editing and macros to see the content... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecur...tected-view.png

13 August 2015: AccountDocuments.doc - Current Virus total detections: 5/56*
This goes through a convoluted download procedure linking to: http ://hutsul .biz/administrator/components/com_joomlaupdate/rara.txt which is just a simple instruction to download what looks like -Upatre- downloader which will eventually download  Dridex banking malware from http ://klosetaffair .com/scripts/jquery-1.8.3.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439461278/

** https://www.virustot...sis/1439461900/

hutsul .biz: 144.76.80.78: https://www.virustot...78/information/

klosetaffair .com: 192.185.48.205: https://www.virustot...05/information/

- http://threattrack.t...re-webmail-spam
Aug 13, 2015 - Subjects Seen:
    RBC Secure Webmail/Courriel secure
Typical e-mail details:
    Hello  
    You have received a secure e-mail, which may contain personal/confidential information.
    To read and/or reply to the secure e-mail, please follow the simple steps below:
    ·  Double click on the attached Click2View.zip
    IMPORTANT:
    1.) You must be connected to the Internet to view the secure e-mail.
    2.) Please ONLY reply from the above link. DO NOT reply by clicking the “reply” option as this will not be secured.


Malicious File Name and MD5:
    Click2View.scr (51cabd5eb93920043db1b18cf163b108)


Tagged: RBC, Upatre
___

Fake 'Notice of payment' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Aug 2015 - "'Notice of payment' pretending to come from sac.sbi@ sibn .bnc.ca with a zip attachment is another one from the current bot runs... The email looks like:
    You can view and print the notice of payment using the Netscape or Microsoft
    Explorer browsers, versions 6.2 and 5.5. You can export and store the
    notice of payment data in your spreadsheet by choosing the attached file in
    pdf format “.pdf”.
    If you have received this document by mistake, please advise us immediately
    and return it to us at the following E-mail address: “sac.sbi@ sibn .bnc .ca“.
    Thank you.
    National Bank of Canada
    600 de La Gauchetire West, 13th Floor
    Montreal, Quebec H3B 4L2 ...


13 August 2015: PaymentNotice.zip: Extracts to: PaymentNotice.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439483960/
___

SSL Malvertising Campaign Continues
- https://blog.malware...aign-continues/
Aug 13, 2015 - "The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites. We have been tracking this campaign and noticed that is has recently moved to a new ad network used by many top publishers:
- drudgereport .com 61.8M visits per month
- wunderground .com 49.9M visits per month
- findagrave .com 6M visits per month
- webmaila.juno .com 3.6M visits per month
- my.netzero .net 3.2M visits per month
- sltrib .com 1.8M visits per month
The malvertising is loaded via AdSpirit .de and includes a -redirection- to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer:
> https://blog.malware...alvertising.png
Redirection chain
    Publisher’s website
    https ://pub.adspirit .de/adframe.php?pid=[redacted]
    https ://pr2-35s.azurewebsites .net/?=pr2-35s-981ef52345
    abcmenorca .net/?xvQtdNvLGcvSehsbLCdz
    Angler Exploit Kit...
We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down."

Update 08/14: The campaign has -moved- to another advertiser (AOL) and new Azure domain:
> https://blog.malware...vertisement.png

abcmenorca .net: 88.198.188.158:
- https://www.virustot...58/information/
Country: DE
Autonomous System: 24940 (Hetzner Online AG)
Diagnostic page for AS24940 (HETZNER-AS)
- https://www.google.c...c?site=AS:24940
"... over the past 90 days, 2335 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2015-08-13, and the last time suspicious content was found was on 2015-08-13... this network has hosted sites that have distributed malicious software in the past 90 days. We found 224 site(s)... that infected 837 other site(s)..."
 

:ph34r:   :grrr:


Edited by AplusWebMaster, 15 August 2015 - 04:50 PM.



#1520 AplusWebMaster

Posted 14 August 2015 - 09:51 AM

FYI...

Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
14 Aug 2015 - "'Invoice Bristol Rope & Twine Co' pretending to come from Roger Luke <rogerluke@ bristolrope .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email looks like:
    Thank you for your order. Your Invoice – 14/0238 – from Bristol Rope &
    Twine Co is attached.


14 August 2015: 140238.XLS - Current Virus total detections: 6/57*
... Downloads Dridex banking malware from http ://buero-kontierservice .de/7656/4563.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439545269/

** https://www.virustot...sis/1439545437/
... Behavioural information
TCP connections
62.152.36.25: https://www.virustot...25/information/
2.18.213.90: https://www.virustot...90/information/

buero-kontierservice .de: 81.169.145.157: https://www.virustot...57/information/
___

Fake 'Account management' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Aug 2015 - "'Account management was limited' pretending to be a message from JPMorgan Chase Bank with a zip attachment is another one from the current bot runs... Other subjects in this malware run include:
    Personal account access has been minimized
    Bank account control has been minimized
    Personal account management had been restricted
    Bank account access was blocked ...
The email looks like:
     Dear Bank member,
    Please consider this e-mail alert highly urgent. Kindly note that our
    security department has detected the attempt to withdraw money from Your
    account without confirmation.
    As a security measure the bank had to restrict access to the account
    until we get relevant request from the signatory. Please see attached
    the document to be filled in order to get full access to the account.
    Peter Malcolm,
    Security Department Specialist
    JPMorgan Chase Bank PLC


14 August 2015: Formsheet_to_be_filled in_.zip: Extracts to: Formsheet_to_be_executed_.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439572799/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 14 August 2015 - 01:46 PM.

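The 12 and 14 August posts above keep returning to two lures: a ZIP holding an .exe/.scr/.jar whose name and icon say "PDF" or "invoice", and Word/Excel files that are harmless until macros are enabled. The Python below is an added example written for this thread, not code from the posts or from myonlinesecurity.co.uk. It triages an attachment the way a mail gateway filter would: ZIPs are opened, each member's extension is compared with its leading magic bytes, and ZIP-based Office files are checked for a VBA project part. The sample attachments are constructed in memory; only their names follow the posts, and their contents are stand-in bytes.

```python
"""Triage e-mail attachments for the two lures in the posts above: executables named
like documents inside ZIPs, and Office files carrying VBA macros.
Added example for this thread; sample attachments are built in memory."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".wsf", ".hta", ".jar"}
# Extensions the lure wants the victim to believe the file has.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
# Where OOXML (docm/xlsm/pptm) keeps a VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\xd0\xcf\x11\xe0", "ole")]


def sniff(data: bytes) -> str:
    """Identify the real container from its leading bytes, ignoring the file name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """True when a ZIP-based Office file contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(p in zf.namelist() for p in VBA_PARTS)
    except zipfile.BadZipFile:
        return False


def inspect_member(name: str, data: bytes) -> list[str]:
    """Reasons a single file looks like one of the lures; empty list = nothing found."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension {suffixes[-2]}{last} (document name, executable type)")
    elif kind == "pe":
        reasons.append("content is a Windows PE executable despite a non-executable name")
    if last == ".pdf" and kind != "pdf":
        reasons.append("named .pdf but the content is not a PDF")
    if kind == "zip" and has_vba_project(data):
        reasons.append("Office document with embedded VBA macro project")
    if kind == "ole":
        reasons.append("legacy binary Office (OLE) container; macros need an OLE-aware parser to confirm")
    return reasons


def inspect_attachment(filename: str, data: bytes) -> dict[str, list[str]]:
    """Map each suspicious file to its reasons; ZIP attachments are opened and every member checked."""
    if PurePosixPath(filename).suffix.lower() == ".zip" and sniff(data) == "zip":
        findings = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = inspect_member(info.filename, zf.read(info))
                if reasons:
                    findings[f"{filename}!{info.filename}"] = reasons
        return findings
    reasons = inspect_member(filename, data)
    return {filename: reasons} if reasons else {}


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to build an in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: names follow the posts, contents are stand-in bytes.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
OLE_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
SAMPLES = {
    "invoice.pdf.zip": build_zip({"invoice.pdf.exe": PE_STUB}),
    "Invoice.zip": build_zip({"Invoice.jar": b"PK\x03\x04" + b"\x00" * 32}),
    "4.docm": build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                         "word/vbaProject.bin": OLE_STUB}),
    "report.xlsx": build_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"}),
    "140238.XLS": OLE_STUB,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_attachment(name, blob) or "nothing found")
```

The name check alone would miss a PE renamed to plain `.pdf`, and the magic check alone would miss a `.scr`, so both are applied to every member. Legacy `.doc`/`.xls` files are OLE containers whose macro streams are not parsed here; they are only flagged for follow-up with an OLE-aware tool such as oletools' olevba.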


#1521 AplusWebMaster

Posted 19 August 2015 - 06:43 AM

FYI...

Fake 'SHIPMENT NOTICE' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Aug 2015 - "'SHIPMENT NOTICE' pretending to come from serviceuk@ safilo .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...MENT-NOTICE.png

19 August 2015: ship20150817.zip: Extracts to: ship20150817.exe
Current Virus total detections: 2/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439977857/

- http://blog.dynamoo....ent-notice.html
19 Aug 2015 - "... the malware attempts to phone home to:
megapolisss006 .su/go/gate.php
.SU (Soviet Union) domains are bad news in general; if you can, I would recommend blocking traffic to -all- of them. This domain is hosted on the following IPs:
195.2.88.196 (Zenon N.S.P., Russia)
94.229.22.39 (Bashrtcomm LIR, Russia)
94.229.22.42 (Bashrtcomm LIR, Russia)
You might want to consider blocking:
195.2.88.0/24
94.229.16.0/21

This though is the recommended minimum blocklist:
195.2.88.196
94.229.22.39
94.229.22.42
..."
___

Fake 'lawsuit' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
19 Aug 2015 - "'wtf is this?lawsuit?' coming from random names and random email addresses with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email looks like:
    why have you sued me? wtf is this?
    i am attaching the subpoena


19 August 2015: subpoena.doc - Current Virus total detections: 5/54*
Connects to http ://bigdiscountsonline .info/css/_notes/rara.txt which is a simple text instruction to download Dridex banking malware from http ://allthatandmore .info/css/_notes/pa.exe (VirusTotal**). It also connects to http ://bigdiscountsonline .info/css/_notes/8179826378126.txt which is a VBS downloader (VirusTotal***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439998392/

** https://www.virustot...sis/1439996382/
... Behavioural information
TCP connections
148.251.34.82: https://www.virustot...82/information/
62.149.142.168: https://www.virustot...68/information/

*** https://www.virustot...sis/1439995932/

bigdiscountsonline .info: 97.74.4.87: https://www.virustot...87/information/
allthatandmore .info: 97.74.4.87
___

Out of band I/E patch - all versions...
- http://myonlinesecur...18-august-2015/
18 Aug 2015

>> http://www.spywarein...15/#entry795701
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 19 August 2015 - 12:36 PM.

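One way to apply the blocklist from the dynamoo item above to outbound firewall logs, as an added example (not code from the post or from dynamoo). The three hosts and the two wider ranges are the ones quoted in the post; the netfilter-style log lines are constructed, and the 203.0.113.x destination is documentation address space. The point of the two tiers is that the /24 and /21 cover far more than the three C2 hosts, so a verdict of "wider" deserves a look before it becomes a block.

```python
"""Apply the .SU C2 blocklist quoted in the post above to firewall log lines.
Added example for this thread; the log lines are constructed."""
import ipaddress
import re

# The recommended minimum blocklist (individual hosts) quoted from the post.
MINIMUM = ["195.2.88.196", "94.229.22.39", "94.229.22.42"]
# The wider ranges the same post says you might consider blocking.
WIDER = ["195.2.88.0/24", "94.229.16.0/21"]


def compile_blocklist(entries):
    """Accept bare addresses and CIDR prefixes alike; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


MIN_NETS = compile_blocklist(MINIMUM)
WIDE_NETS = compile_blocklist(WIDER)


def classify(ip: str) -> str:
    """'minimum' = on the host blocklist, 'wider' = only inside a suggested range,
    'allow' = neither, 'invalid' = the field is not an IP address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if any(addr in net for net in MIN_NETS):
        return "minimum"
    if any(addr in net for net in WIDE_NETS):
        return "wider"
    return "allow"


DST_RE = re.compile(r"\bDST=(\S+)")


def scan_log(lines):
    """Return (destination, verdict) for every line carrying a DST= field."""
    results = []
    for line in lines:
        m = DST_RE.search(line)
        if m:
            results.append((m.group(1), classify(m.group(1))))
    return results


def range_summary(cidr: str) -> tuple[str, str, int]:
    """First address, last address and address count of a prefix, to sanity-check a block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


# Constructed netfilter-style log lines (not from the post).
LOG_LINES = [
    "Aug 19 10:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=195.2.88.196 PROTO=TCP DPT=80",
    "Aug 19 10:02:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.5 PROTO=TCP DPT=443",
    "Aug 19 10:02:15 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=94.229.17.1 PROTO=TCP DPT=80",
    "Aug 19 10:02:20 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=94.229.24.1 PROTO=TCP DPT=80",
    "Aug 19 10:02:21 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=garbage PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for dst, verdict in scan_log(LOG_LINES):
        print(f"{dst:16} {verdict}")
    for cidr in WIDER:
        print(cidr, range_summary(cidr))
```

`range_summary` shows that 94.229.16.0/21 runs from 94.229.16.0 to 94.229.23.255 (2048 addresses), which is why 94.229.17.1 lands in "wider" while 94.229.24.1 does not.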


#1522 AplusWebMaster

Posted 20 August 2015 - 05:46 AM

FYI...

Fake 'Shared from Docs app' SPAM – xls Malware
- http://myonlinesecur...dsheet-malware/
20 Aug 2015 - "'Shared from Docs app' coming from Admin at random email addresses with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The Excel spreadsheet in this one looks like this... DO NOT follow their suggestion and enable editing or macros:
> http://myonlinesecur...4_jpg-2.xls.png
The email is very plain and terse and simply says :

    Sent from Mail for Windows 10

20 August 2015: LIST_141114_jpg (2).xls - Current Virus total detections: 4/56*
So far automatic analysis hasn’t retrieved any payload so we are waiting for a manual analysis to be performed. These normally download Dridex banking malware...
Update: we now have managed to get an automatic analysis[2] which gave us: ceece.exe that looks like Dridex but no download location for it (VirusTotal)[3]... We always have problems with automatic analysis when the Doc or XLS file is in Russian language and character set... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440065594/

2] https://malwr.com/an...ThlNGU0MTcwMzQ/

3] https://www.virustot...sis/1440066467/
... Behavioural information
TCP connections
62.152.36.25: https://www.virustot...25/information/
191.234.4.50: https://www.virustot...50/information/
___

Fake 'new ID and password' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Aug 2015 - "'Your new ID and password' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Your ID name and password has been changed according to your request dated August 19, 2015. Check attachment to view the renewed information.

20 August 2015: doc_ad78120.zip : Extracts to: doc_in30541.exe
Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440069970/
___

Fake 'order not avaliable' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
20 Aug 2015 - "An email saying 'We are sorry but the product you’ve ordered is not avaliable now' with a subject of Order #y0CD3mxQizcBk88ovaw [random characters] coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Good afternoon,
    We are sorry but the product you’ve ordered is not avaliable now.
    Please fill up the attached form of refund and choose a gift as a token
    of our apology for the inconvenience.
    Order #fNcszeK2PW9J1rjN
    Date sent: Thu, 20 Aug 2015 11:42:51 +0100
    Mariam Olson Sr...

-Or-
Good afternoon,
We are sorry but the product you’ve ordered is not avaliable now.
Please fill up the attached form of refund and choose a gift as a token
of our apology for the inconvenience.
Order #4y3Rs24VDxJ8BBW8
Date sent: Thu, 20 Aug 2015 11:45:02 +0100
Carolyn Raynor...


20 August 2015: Order Beier-Swaniawski_fNcszeK2PW9J1rjN.zip: Extracts to: order id283694136_Angus Ferry.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word document instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440070000/
___

Fake 'Transport for London' SPAM - malicious attachment
- http://blog.dynamoo....nsport-for.html
20 Aug 2015 - "This -fake- TfL spam comes with a malicious attachment:
    From     "Transport for London" [noresponse@ cclondon .com]
    Date     Thu, 20 Aug 2015 17:04:26 +0530
    Subject     Email from Transport for London
    Dear Customer
    Please open the attached file(7887775.zip) to view correspondence from Transport
    for London.
    If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
    this attachment. If you require Adobe Acrobat Reader this is available at no cost...
    Thank you for contacting Transport for London.
    Business Operations
    Customer Service Representative...


The attachment name seems to vary, in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with a VirusTotal detection rate of 6/56* and 1/57**... Hybrid Analysis reports... show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:
93.185.4.90 :12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
93.185.4.90 :12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM
These GET requests are a characteristic of Upatre/Dyre. 93.185.4.90 is allocated to C2NET, Czech Republic and I strongly recommend that you -block- it."
* https://www.virustot...sis/1440071767/

** https://www.virustot...sis/1440071784/
___

Fake 'ACH failed' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
20 Aug 2015 - "'ACH failed due to technical error' pretending to come from The Electronic Payments Association with a malicious word doc attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
This malicious word doc has what pretends to be an RSA encrypted security key and it wants you to enable editing to see the content. This is almost identical to this slightly older version with a different date. Once again DO NOT enable editing or macros:
> http://myonlinesecur...tected-view.png
The email looks like:
    ACH PAYMENT REJECTED
    The ACH Payment (ID: 49583071624518), recently initiated from your savings account (by you or any other person), was REJECTED by other financial institution.
    Rejection Reason: See details in the attached report.
    Payment Report: report_49583071624518.doc (Microsoft Word)
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    2014 NACHA – The Electronic Payments Association


20 August 2015 : report_49583071624518.doc - Current Virus total detections 16/57*
... connects to http ://luckytravelshop .info/wp-content/uploads/2015/05/sasa.txt which tells it to download a Dridex banking malware from http: //tadarokab .com/temp/recent.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440087068/

** https://www.virustot...sis/1440081269/

luckytravelshop .info: 23.229.232.199: https://www.virustot...99/information/

tadarokab .com: 38.110.76.140: https://www.virustot...40/information/
___

Fake 'ACH Payment' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Aug 2015 - "'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a zip attachment is another one from the current bot runs...
The email looks like:
    LOGICEASE SOLUTIONS INC       Vendor:10288253   Pay Dt: 20150820 Pay Ref Num: 2000542353
    Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
    The net amount deposited to account number ending   XXXX8014 designated by you is           $1843.73
    IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
    Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.6174...


20 August 2015: Pay_Advice.zip: Extracts to: Pay_Advice.exe
Current Virus total detections 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440085153/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 20 August 2015 - 12:49 PM.



#1523 AplusWebMaster


Posted 21 August 2015 - 07:15 AM

FYI...

Fake 'bank birthday bonus' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Aug 2015 - "A series of emails saying 'Our bank have a birthday today so we would like to give you some bonuses as you’re the most valuable client of ours' with a subject of 'You are our most valued customer. Your ID 23428458 [random numbers]' coming from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ID-23428458.png

All these emails have random senders & companies, random phone numbers but the alleged sender matches the name in the body of the email and the name of the attachment.
21 August 2015: Bank-Reagan Bashirian DDS_(278) 789-4975_client-268119023428458.zip:
Extracts to: Bank Client992322638_West Jermainemouth.exe - Current Virus total detections: 2/57*.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440154416/
___

Fake 'translator job' SCAMs
- http://myonlinesecur...ator-jobs-scam/
21 Aug 2015 - "We all see thousands of adverts and get loads of emails offering us jobs. This one caught my eye earlier:
'Earn Up To $315 A Day Translating Words'. Sent by Real Translator Jobs <realtranslatorjobs@ freonjob .org>
The email reads like a godsend for somebody who speaks an extra language and needs a few $$ or ££ but has all the hallmarks of a scam/multi level marketing/pyramid scheme.

Screenshot: http://myonlinesecur...or-job-scam.png

... If you follow the links to the website you see http ://www.realtranslatorjobs .com/ and a referrer link at the end of the url. I have blanked out the referrer link so he/she doesn’t get any income from the scam by following links from here:
> http://myonlinesecur...obs-website.png
... The first thing that jumps out at you is:
> http://myonlinesecur...-checklist2.jpg
... The only people who get rich and make a lot of money are the originators for this scam and the “affiliates” who promote it and get a commission on every sign up or click through to the website... it will cost you $68 to sign up but there is a special offer for today only for $34 dollars (save 50%!)... don’t fall for it and don’t waste your money. You won’t earn a thing..."
___

Fake 'invoice 2018' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Aug 2015 - "'invoice 2018' pretending to come from Garry White <garry@ whitechappell .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nvoice-2018.png

21 August 2015 : CRFC, Invoice 2018.pdf.zip: Extracts to: CRFC, Invoice 2018.pdf.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440155507/
___

What is event.swupdateservice .net?
- http://blog.dynamoo....servicenet.html
21 Aug 2015 - "... I saw some mysterious outbound traffic to event.swupdateservice .net/event (138.91.189.124 / Microsoft, US). Googling around for the domain came up with some references to malware, but nothing very conclusive. The WHOIS details for the domain are -anonymised- (never a good sign), and the IP address is also used by event.ezwebservices .net which uses similarly -hidden- details. Team Cymru have an analysis* of what is being phoned home to this mystery server, and I found an existing Malwr analysis** referencing the alternate domain. I eventually found the mystery executable in C:\Users\[username]\AppData\Local\SoftUpdate\SoftUpdate.exe on the afflicted machine... The binary itself does not identify its creator. I found various references (such as in this report***) linking this software and the domains to Emaze .com (a "free" presentation tool)... Neither domain identifies itself through the WHOIS details, nor can I find any contact details on either site... I don't like sharing data with commercial operations who are not prepared to fully reveal their identity, and I personally recommend -blocking- traffic to:
visualbee .com: 168.62.20.37: https://www.virustot...37/information/
emaze .com: 54.83.51.169: https://www.virustot...69/information/
swupdateservice .net
ezwebservices .net  "
* https://totalhash.cy...cfd89b27bc51970

** https://malwr.com/an...TE3MWUzNWNhZjE/

*** https://www.hybrid-a...environmentId=1

138.91.189.124: https://www.virustot...24/information/
___

Fake Malwarebytes?...
- https://blog.malware...ows-10-website/
Aug 21, 2015 - "Here at Malwarebytes, we offer support for a wide variety of Windows Operating Systems – from XP right up to Windows 10. The latter OS is the starting point for this blog post, with a website located at: malwarebytes-windows10(dot)com which seemed to offer up a “Windows 10 ready” version of Malwarebytes Anti-Malware:

Screenshot: https://blog.malware.../08/mbam101.jpg

This installer is -not- ours, so it’s clear that this is a download manager of some sort, and – one would hope – gave the downloader a copy of MBAM at the end of the process. However, the download kept breaking, so we couldn’t get any further than the initial installer splash...
Since we started looking into this, the site has also now apparently rolled down the shutters:
> https://blog.malware.../08/mbam104.jpg
However, the EULA / Privacy Policy on the installer took us to a site located at
qpdownload(dot)com which also offered up a variety of programs including Adblock Plus and yet another MBAM:
> https://blog.malware.../08/mbam105.jpg
... Users of Malwarebytes Anti-Malware will find we detect the “Download Manager” as PUP.Optional.InstallCore.A. Download sites can be cool, but it seems counter-intuitive to offer products designed to reduce advertisements / advertising software on your desktop alongside... adverts..."

malwarebytes-windows10(dot)com: 107.180.24.239: https://www.virustot...39/information/

qpdownload(dot)com: 96.43.136.163: https://www.virustot...63/information/
___

Malvertising on Telstra Media Homepage ...
- https://blog.malware...s-malvertising/
Aug 21, 2015 - "The media home page of Australia’s -largest- telecommunications company, Telstra, was pushing some malvertising similar to the attack we just documented*...
* https://blog.malware...e-plentyoffish/
The infection chain goes like this:
    media.telstra .com.au/home.html (Publisher)
    frexw .co.uk/public/id-55048502/300×250.php (Malvertising)
    gp-urti .info/bard-vb4735/vcyz-46820t.js (Malicious redirector)
    goo .gl/s3LrVw (Abuse of Google URL shortener to load an exploit kit)
    augpdoiof .info/document.shtml?AfWlx={redacted} (Nuclear Exploit Kit)
>> https://blog.malware...lstra_graph.png
While we did not collect the particular sample dropped in this campaign, it is quite likely to be the Tinba banking Trojan... The Google link has now been disabled:
> https://blog.malware...5/08/google.png
The malvertising attack lasted for a few days and was last seen on the 17th."

augpdoiof .info: 45.32.238.228: https://www.virustot...28/information/

gp-urti .info:
  104.24.120.10: https://www.virustot...10/information/
  104.24.121.10: https://www.virustot...10/information/
 



Edited by AplusWebMaster, 21 August 2015 - 01:06 PM.



#1524 AplusWebMaster


Posted 23 August 2015 - 06:28 PM

FYI...

Neutrino Campaign leveraging WordPress, Flash for CryptoWall
- http://research.zsca...-wordpress.html
Aug 20, 2015 - "Neutrino Exploit Kit... in the past few days we've seen a massive uptick in the use of the kit. The cause for this uptick appears due to widespread WordPress site compromises... the image below illustrates the components involved in this campaign:
> https://4.bp.blogspo...trino_nexus.PNG
... there are multiple recent changes in the Neutrino code, some that are normally characteristics of Angler Exploit Kit, but others that remain unique to Neutrino... The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page... the primary IP for the observed Neutrino landing pages is '185.44.105.7' which is owned by VPS2DAY .com. Many of the domains pointing to that IP utilize 'xyz', 'ga', 'gq', and 'ml' TLDs. Taking a look at the whois data for some of these domains, a common attribute seems to be the name 'Max Vlapet' for .XYZ domains... This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena..."
- http://it.slashdot.o...rino-ek-traffic
Aug 22, 2015

185.44.105.7: https://www.virustot....7/information/
 





#1525 AplusWebMaster


Posted 24 August 2015 - 07:10 AM

FYI...

Fake 'Message from scanner' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Aug 2015 - "'Message from scanner' pretending to come from scanner.coventrycitycentre@ brianholt .co.uk with a zip attachment but a completely -empty/blank- body of the email is another one from the current bot runs...

Screenshot: http://myonlinesecur...rom-scanner.png

24 August 2015: Sscanner15081208190.zip: Extracts to: Sscanner15081208190.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440408248/

- http://blog.dynamoo....om-scanner.html
24 Aug 2015 - "... malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54*. The Hybrid Analysis report** shows the malware POSTing to:
smboy .su/mu/tasks.php
.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to -block- the whole range to be on the safe side. The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware."
* https://www.virustot...sis/1440414098/

** https://www.hybrid-a...environmentId=1

95.172.146.73: https://www.virustot...73/information/
___

German site dwdl .de -hacked- serving malware via 94.142.140.222
- http://blog.dynamoo....lde-hacked.html
24 Aug 2015 - "... German media website dwdl .de has been -hacked- and is serving up malware, according to this URLquery report*. URLquery's IDS function detects what looks like the RIG Exploit kit:
> https://3.bp.blogspo...600/dwdl-de.png
The exploit is injected code pointing to a server at 94.142.140.222 (Marosnet Telecommunication Company, Russia) which in the example is using filter.michiganbeerhops .com which is a -hijacked- GoDaddy domain. The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:
> https://3.bp.blogspo...n_graph.php.gif
VirusTotal** gives an overview of other malicious domains on this server. It indicates that the following domains have been -hijacked- and malicious subdomains set up..."
(Long list at the dynamoo URL - top of this post.)
* http://urlquery.net/...d=1440424952903

** 94.142.140.222: https://www.virustot...22/information/
 



Edited by AplusWebMaster, 24 August 2015 - 09:37 AM.



#1526 AplusWebMaster


Posted 25 August 2015 - 05:56 AM

FYI...

Fake 'Visa Card' SPAM - malicious attachment
- http://blog.dynamoo....d-aug-2015.html
25 Aug 2015 - "This -fake- financial spam does not come from Ellesemere Engineering but is in fact a simple forgery with a malicious attachment:
    From     [david@ ellesmere .engineering]
    To     "'Sharon Howarth'" [sharon@ ellesmere .engineering]
    Date     Tue, 25 Aug 2015 09:52:47 +0200
    Subject     Visa Card Aug 2015
    Visa Card payments this month
    ---
    This email has been checked for viruses...


Attached is a document Visa Card Aug 2015.docm which I have seen in three different versions, containing one of -three- malicious macros... that then attempt to download a malicious binary from one of the following locations:
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
This executable has a detection rate of just 1/55* and the Malwr report** shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
I strongly recommend that you -block- that IP address. The payload to this is almost definitely the Dridex banking trojan."
* https://www.virustot...sis/1440489790/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustot....9/information/
191.234.4.50: https://www.virustot...50/information/

** https://malwr.com/an...jdjMjRjODg5NDY/

internetdsl .pl: 80.48.169.1: https://www.virustot....1/information/

free .fr: 212.27.48.10: https://www.virustot...10/information/

- http://myonlinesecur...-macro-malware/
25 Aug 2015
Screenshot: http://myonlinesecur...rd-Aug-2015.png
25 August 2015: Visa Card Aug 2015.docm - Current Virus total detections 7/55*
Downloads Dridex banking malware.
* https://www.virustot...sis/1440499540/
___

Fake 'Dropbox' SPAM - leads to malware
- http://blog.dynamoo....chedule092.html
25 Aug 2015 - "This -fake- Dropbox email leads to malware, hosted on the sharing service sugarsync .com.
    From:    June Abel via Dropbox [no-reply@ dropbox .com]
    Date:    25 August 2015 at 12:59
    Subject:    June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you
        June used Dropbox to share a file with you!
    Click here to download.     
        © 2015 Dropbox


I have seen three different samples with different download locations:
https ://www.sugarsync .com/pf/D3941255_827_052066225?directDownload=true
https ://www.sugarsync .com/pf/D160756_82_6104120627?directDownload=true
https ://www.sugarsync .com/pf/D2694666_265_638165437?directDownload=true
In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55*. Analysis is pending, but the payload appears to be the Dyre banking trojan.
UPDATE: The Hybrid Analysis report** shows traffic to 197.149.90.166 (Cobranet, Nigeria) which I recommend you block."
* https://www.virustot...sis/1440506327/

** https://www.hybrid-a...environmentId=1

sugarsync .com: 74.201.86.21: https://www.virustot...21/information/

197.149.90.166: https://www.virustot...66/information/
___

Fake 'Invoice 26949' SPAM - malicious attachment
- http://blog.dynamoo....from-i-spi.html
25 Aug 2015 - "My spam traps did not collect the body text from this message, so all I have is headers. However, this -fake- financial email is not from i-Spi Ltd and is instead a simple forgery with a malicious attachment:
    From     [sales@ ispitrade .com]
    Date     Tue, 25 Aug 2015 20:37:09 +0800
    Subject     Invoice 26949 from I - SPI Ltd


Attached is a file Inv_26949_from_I__SPI_Ltd_7888.doc which actually comes in several different versions... which contains a malicious macro... that downloads an executable from one of the following locations:
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://claudio.locatelli.free .fr/45gf3/7uf3ref.exe
http ://spitlame.free .fr/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
This Hybrid Analysis report* shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
This is the same bad IP as found in this earlier spam run**, I recommend that you block it. The payload here is almost definitely the Dridex banking trojan."
* https://www.hybrid-a...environmentId=1

** http://blog.dynamoo....d-aug-2015.html

- http://myonlinesecur...-macro-malware/
25 August 2015: Inv_26949_from_I__SPI_Ltd_7888.doc "... Downloads the -same- Dridex banking malware as described in today’s earlier malspam run of malicious word docs*..."
* http://myonlinesecur...-macro-malware/
___

Browsefox variant High Stairs - browser hijackers
- https://blog.malware...nt-high-stairs/
Aug 25, 2015 - "Browsefox aka Sambreel aka Yontoo is a family of browser hijackers. When advertised they promise to “customize and enhance your interaction with the websites you visit”, but in reality they are almost never a user's choice install. They come -bundled- with other software at many major download sites and at best you will see this screen when the installation starts:
> https://blog.malware...15/08/main1.png
High Stairs is one of the latest additions to this family. It is being offered as a browser extension -without- making clear what it does for the user. If you want to have a look at the EULA and Privacy Policy you will have to visit their website:
> https://blog.malware...015/08/EULA.png
... The EULA clearly states that it allows the “Software” to use -any- means imaginable to deliver advertisements and that it will collect your data. The Privacy Policy lets you know that they will use, share and sell those data to any and all parent, subsidiary or affiliate companies. Bottom line, as long as it brings in cash. Browser hijackers of this family are VM aware, meaning they will not do a full install if they detect they are run on a Virtual Machine. Sometimes the files are downloaded and put in place, but the extensions are not installed and enabled. The -hijackers- from this family do provide browser extensions for IE, Firefox, Chrome and Opera (and probably more)... invisible iframes can be used to deliver anything and everything to your computer, ranging from advertisements (which is very likely in this case) to (in theory) exploit kits. In theory in this case means, that we haven’t seen any exploit kits being delivered through the advertisements these PUPs deliver, but if the PUP has a vulnerability or their network is compromised a third party could use this in the same manner as has been done with malvertisements on legitimate sites. This browser hijacker is relatively easy to remove. Other variants have been known to install services as well, making them a bit harder to tackle. Unfortunately “High Stairs” is not alone. We see a new Sambreel variant at least a few times every week. The installer and the installed files are all detected as 'PUP.Optional.HighStairs.A'. Logs, more screenshots and removal instructions for “High Stairs” can be found on our forums*..."
* https://forums.malwa...or-high-stairs/
 



Edited by AplusWebMaster, 25 August 2015 - 01:39 PM.

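An added example, not code from any of the blogs quoted above or from this thread: a small Python script that runs the indicators quoted in the posts (the .SU TLD and the 95.172.146.0/23 range from the 'Message from scanner' item, the 91.239.232.9 and 197.149.90.166 check-in addresses and the shared /45gf3/7uf3ref.exe download path from the Visa Card / Invoice 26949 runs) over a web-proxy log. The log format, every log line and the rule names are constructed for the illustration.

```python
"""Match the indicators quoted in these posts against web-proxy log lines.

The log format here (timestamp client method url status) is made up for the
example; adapt parse_line() to whatever your proxy actually writes."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators taken from the blog excerpts quoted in the thread.
BLOCKED_TLDS = {"su"}                                      # ".SU domains are almost always bad news"
BLOCKED_NETS = [ipaddress.ip_network("95.172.146.0/23")]   # range hosting smboy .su
BLOCKED_IPS = {ipaddress.ip_address("91.239.232.9"),       # Dridex check-in (Hostpro, Ukraine)
               ipaddress.ip_address("197.149.90.166")}     # Dyre check-in (Cobranet, Nigeria)
# Stage-2 download path shared by all the macro-doc runs on 25 Aug 2015.
STAGE2_PATH = re.compile(r"/45gf3/7uf3ref\.exe$")
# Generic heuristic: an executable fetched over plain HTTP deserves a look.
EXE_OVER_HTTP = re.compile(r"\.(exe|scr)$", re.IGNORECASE)

# Constructed log format: ts client method url status
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into a dict, or return None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def host_ip(host):
    """Return an ip_address object if the host part is a literal IP, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def match_rules(url):
    """Return the list of rule names triggered by one URL (empty if none)."""
    hits = []
    u = urlparse(url)
    host = (u.hostname or "").lower()
    ip = host_ip(host)
    if ip is not None:
        if ip in BLOCKED_IPS:
            hits.append("known-c2-ip")
        if any(ip in net for net in BLOCKED_NETS):
            hits.append("blocked-range")
    elif host.rsplit(".", 1)[-1] in BLOCKED_TLDS:
        hits.append("blocked-tld")
    if STAGE2_PATH.search(u.path):
        hits.append("dridex-stage2-path")
    if u.scheme == "http" and EXE_OVER_HTTP.search(u.path):
        hits.append("exe-over-http")
    return hits


def scan_log(lines):
    """Return [(line_number, url, [rules])] for every line that triggers a rule."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_rules(rec["url"])
        if hits:
            alerts.append((n, rec["url"], hits))
    return alerts


# Constructed log lines (not real traffic) echoing the indicators in the posts.
SAMPLE_LOG = """\
2015-08-25T09:55:01Z 10.0.0.12 GET http://www.example.com/index.html 200
2015-08-25T09:55:07Z 10.0.0.12 GET http://landrevie.g.free.fr/45gf3/7uf3ref.exe 200
2015-08-25T09:55:09Z 10.0.0.12 POST http://91.239.232.9/ 200
2015-08-24T14:02:13Z 10.0.0.31 POST http://smboy.su/mu/tasks.php 200
2015-08-24T14:02:20Z 10.0.0.31 GET http://95.172.146.73/mu/tasks.php 404
2015-08-25T13:00:44Z 10.0.0.45 GET https://www.example.org/report.pdf 200
""".splitlines()

if __name__ == "__main__":
    for n, url, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {url} -> {', '.join(hits)}")
```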


#1527 AplusWebMaster


Posted 26 August 2015 - 06:32 AM

FYI...

Fake 'Scanned image - MX-2600N' SPAM  – doc/xls malware
- http://myonlinesecur...-macro-malware/
26 Aug 2015 - "'Scanned image from MX-2600N' pretending to come from noreply@ your email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email looks like:
    Reply to: noreply@ securityandprivacy .co.uk <noreply@ securityandprivacy .co.uk>
    Device Name: Not Set
    Device Model: MX-2600N
    Location: Not Set
    File Format: DOC MMR(G4)
    Resolution: 200dpi x 200dpi
     Attached file is scanned image in DOC format.
    Use Microsoft®Word® of Microsoft Systems Incorporated to view the document.


26 August 2015: noreply@securityandprivacy.co.uk_20150826_181106.doc
Current Virus total detections 7/57*:
Downloads Dridex banking malware from one of these locations:
detocoffee.ojiji .net/45ygege/097uj.exe  (virus Total**)
students.johnbryce .co.il/nagare/45ygege/097uj.exe
groupedanso .fr/45ygege/097uj.exe
asterixpr.republika .pl/45ygege/097uj.exe
fotolagi .com/45ygege/097uj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440582748/

** https://www.virustot...sis/1440583201/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustot....9/information/
191.234.4.50: https://www.virustot...50/information/

- http://blog.dynamoo....ge-from-mx.html
26 Aug 2015 - "... The email appears to come from the victim's own domain, but it does not. The "From" address on email is extremely easy to forge. So far I have seen three different malicious attachments, each one in the format noreply@ victimdomain.com_20150826_181106.doc with detection rates of around 7/56 [1] [2] [3] containing one of three malicious macros... which attempt to download a malicious component from one of the following locations:
http ://fotolagi .com/45ygege/097uj.exe
http ://asterixpr.republika .pl/45ygege/097uj.exe
http ://detocoffee.ojiji .net/45ygege/097uj.exe
This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis... shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in several attacks recently. The payload is almost definitely the Dridex banking trojan."
[1] https://www.virustot...sis/1440583485/

[2] https://www.virustot...sis/1440583498/

[3] https://www.virustot...sis/1440583515/
___

Fake 'invoice A4545945' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Aug 2015 - "'Copy of invoice A4545945. Please find your invoice attached' pretending to come from Screwfix Direct <online@ screwfix .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear Customer
    Thank you for shopping at Screwfix.
    As requested please find attached a copy of invoice: A4545945.
    You will require a PDF file reader in order to view and print the invoice. Should your invoice not be attached please email invoice@ screwfix .com ensuring that you quote your order reference.
    Please do not reply to this e-mail.
    If you have any queries, please quote the Invoice Number: A4545945, when contacting us:
    Phone:       0500 41 41 41 (03330 112 320 from a mobile) UK based Contact Centre
    E-mail:     online@ screwfix .com
    Write to:   Screwfix, Trade House, Mead Avenue, Yeovil, BA88 8RT ...


26 August 2015: Invoice_A3176864.zip: Extracts to: Invoice.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440580919/
___

Fake 'Invoices from UBM' SPAM - PDF malware
- http://myonlinesecur...-pdf-malware-2/
26 Aug 2015 - "'Your Invoices from UBM' pretending to come from UBM (UK) Limited <ubm@ ubm .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please find attached your invoice(s) from UBM. If you have any queries regarding the invoice, payment or service delivered please don’t hesitate to contact us on the details below.
Regards,
UBM Receivables Team.
Tel     : +44 207 921 8506 (21627)
Email : bogumila.murzyn@ ubm .com
Fax   :
****PLEASE DO NOT REPLY TO THE EMAIL ADDRESS ubm@ ubm .com AS IT IS NOT MONITORED**** ...


26 August 2015:65550757_Invoices_26-AUG-2015.zip:
Extracts to:   65550757_Invoices_26-AUG-2015.scr ... which is the -same- Upatre malware that is described in today’s other malspam run with Zip attachments*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
___

Fake 'new fax delivery svc' – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Aug 2015 - "A series of emails saying 'We are a new fax delivery service' with the subject reading Fax #[ random characters] from [random name] with a zip attachment is another one from the current bot runs... The email looks like:
    You have a fax.
    Data sent: Wed, 26 Aug 2015 14:08:41 +0000
    TO: [redacted]
    *********************************
    We are a new fax delivery service – Walker-Gerlach.
    Our company develops rapidly and services remain fastest and open to everyone.
    As our slogan goes: “Fast. Cheap. Best quality.”
    *********************************

-Or-
    You have a fax.
    Data sent: Wed, 26 Aug 2015 14:06:21 +0000
    TO: [REDACTED]
     *********************************
    We are a new fax delivery service – Hirthe-Bayer.
    Our company develops rapidly and services remain fastest and open to everyone.
    As our slogan goes: “Fast. Cheap. Best quality.”
    *********************************


26 August 2015: fax_jxJ3O9_Walker-Gerlach_Colton Leffler.zip
Extracts to: Invoice East Marta.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440598735/

- http://blog.dynamoo....le-senders.html
26 Aug 2015 - "... -fake- fax spam comes from random senders - company names and attachment names vary from spam to spam... Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56* detection rate at VirusTotal. The Hybrid Analysis report** shows it phoning home to:
197.149.90.166 /260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166 /260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
This pattern marks the malware out as being Upatre/Dyre. 197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.*** "
* https://www.virustot...sis/1440599515/

** https://www.hybrid-a...environmentId=1

*** http://blog.dynamoo....chedule092.html
___

Bank of America Invoice Spam
- http://threattrack.t...ca-invoice-spam
Aug 26, 2015 - "Subjects Seen
    Invoice Annabell Yost
Typical e-mail details:
    Dear Customer,
    Invoice14768170 from Annabell Yost.
    Sincerely,
    Ellsworth Abbott
    1-100-532-7314
    Bank of America PLC.


Screenshot: https://40.media.tum...1r6pupn_500.png

Malicious File Name and MD5:
    InvoiceFaker__Number.number(5)info_324986219861.exe (276646dc44bb3a2e4bf7ba21f207b5be)


Tagged: bank of america, Upatre
 



Edited by AplusWebMaster, 26 August 2015 - 01:14 PM.

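An added example, not code from any of the quoted blogs or from this thread: a Python triage routine for the attachment types that keep recurring in the posts above, ZIP files whose only member is an .exe/.scr wearing a decoy '.pdf' in its name (e.g. 'CRFC, Invoice 2018.pdf.exe', 'Invoice.scr') and macro-capable .doc/.docm/.xls files. It also checks for the 'MZ' header so a renamed executable is caught even when the extension does not give it away. The sample archives are constructed in memory with placeholder bytes, not the malware from the posts.

```python
"""Triage e-mail attachments of the kinds described in this thread.

Flags: executable extensions hidden behind a decoy ('.pdf.exe'), bare .exe/.scr
inside a ZIP, macro-capable Office documents, and anything whose first two bytes
are the 'MZ' DOS header of a Windows executable regardless of its name."""
import io
import os
import zipfile

# Extensions Windows will run on double-click, whatever icon the file shows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document types that can carry VBA macros (the 'enable content' lure).
MACRO_DOC_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".dot", ".dotm"}
# Extensions a user expects to be harmless; used to spot double extensions.
DECOY_EXTS = {".pdf", ".jpg", ".png", ".txt", ".doc", ".xls"}


def split_exts(name):
    """'CRFC, Invoice 2018.pdf.exe' -> ('crfc, invoice 2018', ['.pdf', '.exe'])."""
    base = os.path.basename(name.replace("\\", "/")).strip().lower()
    parts = base.split(".")
    if len(parts) < 2:
        return base, []
    return parts[0], ["." + p for p in parts[1:]]


def classify_name(name):
    """Judge a file name alone; returns a reason string or None."""
    _, exts = split_exts(name)
    if not exts:
        return None
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            return f"double extension {exts[-2]}{final}"
        return f"executable extension {final}"
    if final in MACRO_DOC_EXTS:
        return f"macro-capable document {final}"
    return None


def looks_like_pe(head):
    """Windows executables start with 'MZ', whatever the extension says."""
    return head[:2] == b"MZ"


def triage_zip(zip_bytes):
    """Inspect every member of a ZIP attachment; returns [(member, reason)]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)          # only the magic bytes are needed
            if looks_like_pe(head):
                reason = (reason + "; " if reason else "") + "MZ header (PE executable)"
            if reason:
                findings.append((info.filename, reason))
    return findings


def triage_attachment(filename, data):
    """Entry point for one attachment: judge by name, recurse into ZIPs, then by magic."""
    reason = classify_name(filename)
    if reason:
        return [(filename, reason)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        return triage_zip(data)
    if looks_like_pe(data[:2]):
        return [(filename, "MZ header (PE executable)")]
    return []


def build_zip(members):
    """Constructed test fixture: build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples mirroring the attachment names quoted in the posts;
# 'MZ placeholder' stands in for a real PE, nothing here is executable.
LURE_ZIP = build_zip({"CRFC, Invoice 2018.pdf.exe": b"MZ placeholder"})
SCR_ZIP = build_zip({"Invoice.scr": b"MZ placeholder"})
RENAMED_ZIP = build_zip({"statement.pdf": b"MZ placeholder"})   # exe renamed to .pdf
CLEAN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in [("lure", LURE_ZIP), ("scr", SCR_ZIP),
                        ("renamed", RENAMED_ZIP), ("clean", CLEAN_ZIP)]:
        print(label, triage_attachment(label + ".zip", blob))
    print("docm", triage_attachment("Visa Card Aug 2015.docm", b"PK\x03\x04"))
```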


#1528 AplusWebMaster


Posted 27 August 2015 - 06:05 AM

FYI...

Angler Exploit Kit strikes MSN.com via Malvertising Campaign
- https://blog.malware...ising-campaign/
Aug 27, 2015 - "The same ad network – AdSpirit .de – which was recently abused in malicious advertising attacks against a slew of top media sites was caught serving malvertising on MSN .com. This is the work of the -same- threat actors that were behind the Yahoo! malvertising. The incident occurred when people who were simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers. The ad request came from AppNexus, which loaded the booby-trapped advert from AdSpirit and the subsequent malvertising chain.
Infection chain:
    msn .com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp (publisher)
    lax1.ib.adnxs .com/{redacted} (AppNexus Ad network)
    pub.adspirit .de/adframe.php?pid=7&ord=[timestamp]prdclick_0 (AdSpirit Ad network)
    trkp-a1009.rhcloud .com/?tr28-0a22 (OpenShift redhat Redirection)
    fox23tv .com/?cn67CuYcDcbvV (Same ad but with redirection to malicious URL)
    abbezcqerrd.irica.wieshrealclimate .com (iframe to exploit kit)
    hapme.viwahcvonline .com (Angler EK landing page)
> https://blog.malware.../redir_flow.png
This time, rogue actors are leveraging RedHat’s cloud platform, rhcloud .com to perform multiple -redirections- to the Angler exploit kit (in the previous attack they were using Microsoft’s Azure). While we did not collect the malware payload associated with this campaign, we believe it is either Ad fraud or ransomware, Angler’s trademark. Angler has been acting up strange lately, for instance last week it fell out of favour briefly for the Neutrino EK when compromised sites decided to redirect to the latter. Following our report, AppNexus -deactivated- the creative in question and said they were investigating this issue in greater depth..."

viwahcvonline .com: 141.8.224.93: https://www.virustot...93/information/

> https://www.virustot...f2078/analysis/
___

Fake 'resume' SPAM leads to Cryptowall
- http://blog.dynamoo....e-leads-to.html
26 Aug 2015 at 22:48 - "This -fake- resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware. In the only sample I saw, the spam looks like this:
    From:    emmetrutzmoser@ yahoo .com
    To:   
    Date:    26 August 2015 at 23:29
    Subject:    RE:resume
    Signed by:    yahoo .com
    Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply
    Best regards
    Janet Ronald


Attached was a file Janet_Ronald_resume.doc [VT 5/56*] which contains a malicious macro... The format of this message is very similar to this other fake resume spam seen recently[1], and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
1] http://blog.dynamoo....iel-resume.html
Deobfuscating the macro shows that a file is downloaded from http :// 46.30.46.60 /444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report** shows some of this in action, but Techhelplist[2] did the hard work of decrypting it..
> https://4.bp.blogspo.../cryptowall.png
...
2] https://twitter.com/...633492441268224
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report*** on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report[3] which has some nice screenshots.
3] https://www.hybrid-a...environmentId=2
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
46.30.46.60 (Eurobyte, Russia)
linecellardemo .net / 23.229.194.224 (GoDaddy, US)
You might want to block the entire 46.30.46.0/24 range because.. well, Russia really."
* https://www.virustot...sis/1440622900/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...22920/#comments
___

Fake 'Attachement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 Aug 2015 - "A -blank- email with the subject of 'Attachement' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email has a totally empty-blank body and just an XLS Excel spreadsheet attachment:

27 August 2015: 20131030164403.xls - Current Virus total detections 4/57*
Downloads Dridex banking malware from http ://pintart .pt/43t3f/45y4g.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440669673/

** https://www.virustot...sis/1440670039/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustot...45/information/
23.14.92.27: https://www.virustot...27/information/

pintart .pt: 80.172.241.24: https://www.virustot...24/information/
___

Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Aug 2015 - "'Payslip for period end date 27/08/2015' pretending to come from noreply@ fermanagh. gov.uk with a zip attachment is another one from the current bot runs... The email looks like:
    Dear administrator
    Please find attached your payslip for period end 27/08/2015
    Payroll Section ...


Some emails have arrived malformed-and-damaged and look like:
    This is a multi-part message in MIME format.
    ——————=_Next_25232_7367279505.4684370133215
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    Dear ae48852507a
    Please find attached your payslip for period end 27/08/2015
    Payroll Section ...


27 August 2015: payslip.zip: Extracts to: payslip.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...65298/analysis/

- http://blog.dynamoo....period-end.html
27 Aug 2015 - "... Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly. This executable has a detection rate of 3/56* and the Hybrid Analysis report** indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking."
* https://www.virustot...sis/1440677452/

** https://www.hybrid-a...environmentId=1

197.149.90.166: https://www.virustot...66/information/
___

Fake 'Girls List' Spam ...
- https://blog.malware...g-in-mailboxes/
Aug 27, 2015 - "... spammers are changing up their dating site spam tactics a little bit in the wake of the continued Ashley Madison fallout, with the below curious missives landing in spamtraps over the last day or so:
> https://blog.malware.../crowdspam1.jpg
... emails are identical, and read as follows:
> https://blog.malware.../crowdspam2.jpg
... well, they -would- read as follows if they had any text in them to read. The emails are entirely -blank- instead offering up two attachments called “girls_list”. A “girl list” would seem to conjure up visions of swiped data and things you’re not supposed to have access to; as it turns out, opening up the .HTML attachment -redirects- you in a browser to a -porn- dating site which splashes... many nude photos around the screen... These emails are already caught by Gmail as spam, but other providers may -not- be flagging them yet. While I’m sure there are lots of fun things you can do with a list, allowing yourself to be redirected-to-porno-spam is probably not one of them and you should avoid these mails. With websites and services jumping on the AM data bandwagon*, it’s clear that anything involving dating and lists is going to be a hot topic for some time to come. Don’t fall for it."
* http://www.troyhunt....sites-like.html
24 Aug 2015 - "... harvesting email addresses and spamming searched victims..."
___

Malvertising campaigns increase 325%
- http://net-security....ews.php?id=3088
26.08.2015 - "Cyphort* investigated the practices used by cyber criminals to inject malicious advertisements into legitimate online advertising networks. Researchers found that malvertising campaigns carried out by hackers increased 325 percent in the past year... The problem of malvertising isn’t going away and cyber criminals will continue finding ways to monetize their attacks. According to the Association of National Advertisers, ad-fraud will cost global advertisers more than $6 billion in 2015..."
* http://www.cyphort.c...y/malvertising/
 

:ph34r:   :grrr: :grrr:


Edited by AplusWebMaster, 27 August 2015 - 12:49 PM.



#1529 AplusWebMaster (SWI Friend, 9,733 posts)

Posted 28 August 2015 - 06:13 AM

FYI...

Fake 'Payment Receipt' SPAM – xls malware
- http://myonlinesecur...dsheet-malware/
28 Aug 2015 - "'Payment Receipt' pretending to come from donotreply@ dartford-crossing-charge.service .gov.uk with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png

Screenshot: http://myonlinesecur...ent-Receipt.png

28 August 2015: PaymentReceipt.xls - Current Virus total detections 5/56*:
Downloads Dridex banking malware from http ://cheaplaptops.pixub .com/3453/5fg44.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440757199/

** https://www.virustot...sis/1440756592/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustot...45/information/
23.14.92.35: https://www.virustot...35/information/
91.239.232.9: https://www.virustot....9/information/
31.131.251.33: https://www.virustot...33/information/

pixub .com: 93.188.160.103: https://www.virustot...03/information/
___

Dropbox Spam
- http://threattrack.t...83/dropbox-spam
Aug 28, 2015 - "Subjects Seen:
    Brad Waters shared “TP Resignation Letter 2.pdf” with you
    Reed Contreras shared “TP Resignation Letter 2.pdf” with you

Typical e-mail details:
    Brad used Dropbox to share a file with you!
    Click here to view.


Screenshot: https://40.media.tum...1r6pupn_500.png

Malicious URLs:
    newyearpartyistanbul .com/securestorage/getdocument.html
Malicious File Name and MD5:
    TP Resignation Letter 2.scr (90a60d95b2f0db6722755e535e854e82)


Tagged: Dropbox, Upatre

newyearpartyistanbul .com: 93.89.224.6: https://www.virustot....6/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 28 August 2015 - 07:58 AM.

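As an added defensive example (not code from the quoted blogs or from this forum), the attachment checks these two posts keep coming back to: a .zip whose member is a .scr or .exe (the zipped Upatre payloads 'payslip.scr', the 'statement' one and 'TP Resignation Letter 2.scr'), a file whose name or icon claims to be a document while its bytes are a Windows executable, and the blank 'girls_list' .HTML attachment that redirects the browser. All file names and bytes below are constructed stand-ins, not the real samples.

```python
import io
import re
import zipfile

EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}  # runs on Windows
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}  # what the icon/name claims
# Client-side redirect markers used by HTML lures: meta refresh or a JS location change
REDIRECT_RE = re.compile(rb'http-equiv\s*=\s*["\']?refresh|location(\.href)?\s*=|location\.replace\(', re.I)

def check_member(name, data):
    """Return the reasons one file (name plus leading bytes) looks like a spam payload."""
    reasons = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if len(parts) > 2 and ext in EXEC_EXTS and "." + parts[-2] in DOC_EXTS:
        reasons.append("document-style double extension")  # e.g. statement.pdf.scr
    if data[:2] == b"MZ" and ext not in EXEC_EXTS:
        reasons.append("MZ (PE) header but non-executable extension")
    if ext in (".html", ".htm") and REDIRECT_RE.search(data):
        reasons.append("HTML attachment redirects the browser")
    return reasons

def triage_attachment(name, data):
    """Triage one attachment; .zip containers are opened and every member checked.
    Returns {file name: [reasons]} for flagged files only (empty dict = nothing found)."""
    findings = {}
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    reasons = check_member(info.filename, zf.read(info)[:1 << 20])
                    if reasons:
                        findings[info.filename] = reasons
        except zipfile.BadZipFile:
            findings[name] = ["malformed zip"]  # the damaged 'payslip' mails quoted above
    else:
        reasons = check_member(name, data)
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_zip(member_name, payload):
    """Construct an in-memory zip holding one member (a test fixture, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

if __name__ == "__main__":  # stand-in for a zipped Upatre .scr: constructed bytes, not a real sample
    print(triage_attachment("payslip.zip", build_sample_zip("payslip.scr", b"MZ" + b"\x00" * 62)))
```

The extension and double-extension checks are what "show known file extensions" would have let the user see; the MZ check catches the case where the name lies outright.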