SPAM frauds, fakes, and other MALWARE deliveries...


1507 replies to this topic

#1501 AplusWebMaster


Posted 13 July 2015 - 11:26 AM

FYI...

Fake 'Criminal prosecution' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 July 2015 - "The latest email being sent by the criminal gangs trying to infect you with an Upatre downloader tries to convince you that you are being investigated by the police for a Criminal offence prosecution. Don’t open the attachment - it will infect you. The email looks like:
     It has been detected that via Your e-mail account are being mailed materials including discriminatory propaganda.
    Please note that mentioned actions are to be qualified as criminal offence forbidden by legislation.
    Police will conduct according investigation as a result of which You   to five years.
    If You had not mailed mentioned materials as sson as possible execute enclosed declaration and forward the scan-copy


13 July 2015: statement_to_be_filed.zip : Extracts to:  statement_to_be_executed.scr
Current VirusTotal detections: 2/56*. This is another one of the spoofed-icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected..."
* https://www.virustot...sis/1436803275/
 



This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
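The spoofed-icon .scr-inside-a-ZIP trick described in the post does not need Explorer's "show known file extensions" setting to be caught: the ZIP directory and the first bytes of each member are enough. The Python below is an added example written for this page, not code from the post or from myonlinesecurity. It walks a ZIP in memory, flags executable and double extensions and a PE (`MZ`) header hiding behind a document-looking name, and also checks for a Unicode right-to-left override in the name, a related trick the post does not mention. The sample ZIP is constructed inline, with an `MZ` stub standing in for the real `statement_to_be_executed.scr`.

```python
"""Triage a ZIP attachment for the spoofed-icon executable trick.
Added example for this page, not code from the post. Never extracts to disk."""
import io
import zipfile

# Extensions Windows executes on double-click whatever icon the file carries.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                  ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
# Extensions the lure wants the victim to believe they are opening.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                ".jpg", ".png", ".wav"}


def _suffixes(name):
    """All dotted suffixes of a file name, e.g. 'a.pdf.scr' -> ['.pdf', '.scr']."""
    base = name.rsplit("/", 1)[-1]
    return ["." + p.lower() for p in base.split(".")[1:]]


def classify_member(name, head):
    """Findings for one member given its name and first bytes (empty = clean)."""
    findings = []
    exts = _suffixes(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        findings.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        findings.append(f"double extension {''.join(exts[-2:])}")
    if head[:2] == b"MZ":
        findings.append("PE header (MZ) present")
        if last in DOCUMENT_EXT:
            findings.append(f"PE content behind document extension {last}")
    # U+202E reverses display order so 'x\u202efdp.scr' renders as 'xrcs.pdf';
    # an additional check, not something the post discusses.
    if "\u202e" in name:
        findings.append("right-to-left override in file name")
    return findings


def triage_zip(data):
    """Map member name -> findings for every suspicious member of a ZIP (bytes)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)          # enough for the magic bytes
            findings = classify_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed stand-in for statement_to_be_filed.zip: an MZ stub (not
    malware) under the .scr name from the post, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement_to_be_executed.scr", b"MZ" + b"\x90" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(findings)}")
```

Run it as a script to see the report for the constructed sample; the same `triage_zip` call can sit behind a mail-gateway hook. It reads only the first 64 bytes of each member and never writes or executes anything.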


#1502 AplusWebMaster


Posted 14 July 2015 - 03:49 PM

FYI...

IE 0-day added to mix...
- http://blog.trendmic...y-added-to-mix/
July 14, 2015 - "... -another- vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065*. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability..."
* https://technet.micr...curity/MS15-065
July 14, 2015

> https://support.micr...n-us/kb/3065822
Last Review: 07/14/2015 - Rev: 1.0
Applies to:
    Internet Explorer 11
    Internet Explorer 10
    Windows Internet Explorer 9
    Windows Internet Explorer 8
    Windows Internet Explorer 7
    Microsoft Internet Explorer 6.0

> https://web.nvd.nist...d=CVE-2015-2425
Last revised: 07/14/2015
 



Edited by AplusWebMaster, 15 July 2015 - 06:49 AM.



#1503 AplusWebMaster


Posted 16 July 2015 - 08:55 AM

FYI...

Fake 'Perfect job' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 July 2015 - "An email with subjects like 'Perfect achievement !  / Perfect job !  / Great work !' coming from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Congratulations ! You will take a 30% rake-off for the latest selling. Please overlook the attached documents to know the entire sum you’ve received.
    Every day you demonstrate that you are the superior strength of our crew in the market. I am elate and appreciative to get such a capable and experienced subordinate. Keep up the good achievements.
    With the best regards.
    Michelle Silva General manager

-Or-
    Congratulations ! You will receive a 30% commission for the previous disposition. Please check out the enclosed documents to find out the whole amount you’ve won.
    Everyday you prove that you are the major force of our crew in the trading. I am sublime and appreciative to get such a capable and skilled workman. Continue the great job.
    All the best.
    Kathryn Brooks Company management

-Or-
    Congratulations ! You will win a 40% commission for the latest realization. Please overlook the next documentation to get to know the whole amount you’ve won.
    Everyday you demonstrate that you are the major strength of our team in the world of trade. I am sublime and appreciative to have such a capable and proficient subordinate. Proceed the good achievements.
    All the best.
    Sharon Silva General manager

-Or-
    Congratulations ! You will gain a 45% rake-off for the last disposal. Please overlook the following documentation to know the whole amount you’ve won.
    Everyday you convince that you are the best power of our team in the market. I am sublime and beholden to have such a clever and able sub. Continue the perfect job.
    With best wishes.
    Kathryn Pearson General manager


And others with similar wording... If you are unwise enough to try to open the word doc, you will see this message:
> http://myonlinesecur...osition_doc.png
Do -not- follow their suggestions to enable editing  or content, otherwise you will be infected...

25 February 2015: total_sum_from_latest_disposition.doc - Current Virus total detections: 4/55*
... This tries to connect to 2 web sites:
thereis.staging.nodeproduction .com/wp-content/uploads/78672738612836.txt
... which downloads an encrypted text file... and to
www.buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt which gives the web address of http ://midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe. This file is an Upatre downloader for the typical Dyre banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1437049226/

** https://www.virustot...sis/1437046046/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
93.185.4.90: https://www.virustot...90/information/
176.36.251.208: https://www.virustot...08/information/
88.221.14.249: https://www.virustot...49/information/

nodeproduction .com: 72.10.52.104: https://www.virustot...04/information/

buildingwalls .co.za: 196.220.41.72: https://www.virustot...72/information/

midwestlabradoodles .com: 72.167.131.160: https://www.virustot...60/information/

- http://blog.dynamoo....t-job-good.html
16 July 2015
"... Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction .com
www.buildingwalls .co.za
midwestlabradoodles .com
"
___

Fake 'About your suggestions' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 July 2015 - "'About your suggestions' pretending to come from emaillambflan <emaillambflan@ totalnetwork .it> with a zip attachment is another one from the current bot runs... The email looks like:
    We chatted few hours ago. We have thought about your programs how to perfect our work and financial profit. Your suggestions seem extremely inspiring and we undoubtedly want such a genius like you. We consider your plans are feasible and would like to implement them. Attached are our progression charts and processes directory. Please look through them and if you will have some questions ask about it. Also make a succinct plan thus we will confer about the elements of every step./r/n We are waiting for your reply soon !

16 July 2015: figures_and_guide.zip: Extracts to: figures_and_directory.scr
Current VirusTotal detections: 2/56*. This is another one of the spoofed-icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected..."
* https://www.virustot...sis/1437056410/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
109.86.226.85: https://www.virustot...85/information/
23.14.92.65: https://www.virustot...65/information/
___

Sales Commission Spam
- http://threattrack.t...commission-spam
July 16, 2015 - "Subjects Seen
    Good achievement !
Typical e-mail details:
    Congratulations ! You will win a 43% commission for the last sale. Please see the next documents to get to know the whole sum you’ve obtained.
    Daily you prove that you are the best power of our team in the world of commerce. I am proud and grateful to get such a gifted and experienced worker. Go on the excelent job.
    With best wishes.
    Kathryn Brooks Director


Screenshot: https://41.media.tum...1r6pupn_500.png

Malicious File Name and MD5:
    amount_from_last_realization.scr (1e314705c1f154d7b848fcc20bfcd5e8)


Tagged: Sales Commission, Upatre
 



Edited by AplusWebMaster, 16 July 2015 - 01:37 PM.



#1504 AplusWebMaster


Posted 17 July 2015 - 08:19 AM

FYI...

Fake 'eFax' SPAM - leads to malware
- http://blog.dynamoo....om-unknown.html
17 July 2015 - "This -fake- fax spam leads to malware:

Screenshot: https://2.bp.blogspo...00/fake-fax.png

Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but -hacked- site at:
breedandco .com/fileshare/FAX-1400166434-707348006719-154.zip
The ZIP file has a detection rate of 6/55* and it contains a malicious executable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55**. Automated analysis... shows a characteristic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
93.185.4.90 :12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90 :12325/ETK7//41/5/1/GKBIMBFDBEEE
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip .dyndns .org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55***] and vastuvut.exe [VT 6/55****].
Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106
"
* https://www.virustot...sis/1437133169/

** https://www.virustot...sis/1437133178/

*** https://www.virustot...sis/1437135014/

**** https://www.virustot...sis/1437135026/
___

Fake 'You've earned it' SPAM - malware
- http://blog.dynamoo....d-it-youve.html
17 July 2015 - "This is another randomly-generated round of malware spam, following on from this one[1].
1] http://blog.dynamoo....t-job-good.html

     Date:    16 July 2015 at 12:53
    Subject:    Excelent job !
    Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
    Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
    All the best.
    Michelle Curtis Company management
    ---------------------
    Date:    16 July 2015 at 11:53
    Subject:    Good achievement !
    Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
    Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
    With the best regards.
    Sharon Silva Company management
...

Attached is a malicious Word document which in the two samples I saw was called
total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc
Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55*. Inside the document is this malicious macro... which according to Hybrid Analysis downloads several components (scripts and batch files) from:
thereis.staging .nodeproduction .com/wp-content/uploads/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt
These are executed, then a malicious executable is downloaded from:
midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe
This has a VirusTotal detection rate of 8/55**, and that report plus other automated analysis tools... show that it phones home to the following malicious URLs:
93.185.4.90 :12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90 :12319/LE2/<MACHINE_NAME>/41/7/4/
That IP belongs to C2NET in the Czech Republic. It also sends non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.
This malware drops the Dyre banking trojan.
Recommended blocklist:
93.185.4.90
thereis .staging.nodeproduction .com
www .buildingwalls .co.za
midwestlabradoodles .com

* https://www.virustot...sis/1437053265/

** https://www.virustot...sis/1437054039/
 



Edited by AplusWebMaster, 17 July 2015 - 11:30 AM.

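The two dynamoo write-ups above give unusually concrete network indicators: the Upatre check-in URLs on 93.185.4.90 with their high ports and `/<tag>/<machine>/<n>/<version>/<n>/<id>` paths, the lookups of the victim's public IP via checkip.dyndns.org and icanhazip.com, and a blocklist. The Python below is an added example, not code from the posts or the blog, that turns those into a proxy-log check and correlates per client so that an IP lookup alone (which many legitimate tools do) is not reported on its own. Assumptions: the log format (`timestamp client method url status`, space-separated) and the machine name `WIN7-PC` are constructed for the example, and the path regex is generalized from the four callback URLs quoted above, so it may need tuning against other Upatre builds.

```python
"""Scan proxy log lines for the Upatre network indicators quoted in the posts.
Added example; the log lines are constructed, not captured traffic."""
import ipaddress
import re
from urllib.parse import urlsplit

# IPs from the 17 July 2015 dynamoo blocklist quoted above.
BLOCKLIST_IPS = {
    "93.185.4.90", "62.204.250.26", "76.84.81.120", "159.224.194.188",
    "178.222.250.35", "181.189.152.131", "194.28.190.84", "194.28.191.213",
    "199.255.132.202", "208.123.135.106",
}
# Legitimate services Upatre uses to learn the victim's public IP before check-in.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "icanhazip.com"}
# Generalised from the four callback paths quoted above, e.g.
#   /ETK7//0/51-SP3/0/GKBIMBFDBEEE   and   /LE2/<MACHINE_NAME>/41/7/4/
# tag / machine name / number / OS-version-or-number / number / optional id
UPATRE_PATH = re.compile(
    r"^/[A-Z0-9]{2,8}/[^/]*/\d+/(?:\d+-SP\d|\d+)/\d+/[A-Z]*/?$")


def inspect_url(url):
    """Reasons a single URL matches the indicators (empty list = no match)."""
    u = urlsplit(url)
    host = u.hostname or ""
    reasons = []
    if host in BLOCKLIST_IPS:
        reasons.append("destination on blocklist")
    if host in IP_LOOKUP_HOSTS:
        reasons.append("external IP lookup")
    if UPATRE_PATH.match(u.path):
        reasons.append("Upatre check-in path")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip and u.port not in (None, 80, 443):
        reasons.append(f"IP-literal host on port {u.port}")
    return reasons


def scan_log(lines):
    """Return (client, url, reasons) for each matching line of the constructed
    'timestamp client method url status' format."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        reasons = inspect_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def correlate(hits):
    """Per-client view. A client that both looked up its public IP and reached
    a blocklisted or Upatre-pattern destination is a strong candidate; an IP
    lookup on its own is common and is not reported as strong."""
    by_client = {}
    for client, _url, reasons in hits:
        by_client.setdefault(client, set()).update(reasons)
    strong = sorted(
        c for c, r in by_client.items()
        if "external IP lookup" in r
        and ({"destination on blocklist", "Upatre check-in path"} & r))
    return by_client, strong


# Constructed sample; WIN7-PC is a made-up machine name.
SAMPLE_LOG = """\
2015-07-17T10:02:11Z 10.0.0.23 GET http://checkip.dyndns.org/ 200
2015-07-17T10:02:12Z 10.0.0.23 GET http://93.185.4.90:12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE 200
2015-07-17T10:02:13Z 10.0.0.23 GET http://93.185.4.90:12325/ETK7//41/5/1/GKBIMBFDBEEE 200
2015-07-17T10:02:40Z 10.0.0.23 GET http://93.185.4.90:12317/LE2/WIN7-PC/0/51-SP3/0/MEBEFEBFEBEFJ 200
2015-07-17T10:03:00Z 10.0.0.51 GET http://www.example.com/index.html 200
2015-07-17T10:03:05Z 10.0.0.51 GET http://icanhazip.com/ 200
""".splitlines()

if __name__ == "__main__":
    by_client, strong = correlate(scan_log(SAMPLE_LOG))
    for client, reasons in sorted(by_client.items()):
        print(client, sorted(reasons))
    print("strong compromise candidates:", strong)
```

The path regex is the fragile part: it encodes the shape of the four URLs on this page, nothing more. The IP-literal-on-a-high-port check and the blocklist are the durable signals, and the per-client correlation is what keeps a lone `icanhazip.com` lookup from paging anyone.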


#1505 AplusWebMaster


Posted 27 July 2015 - 06:54 AM

FYI...

Fake 'copy' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 July 2015 - "An email with a subject simply saying 'copy' pretending to come from belinda.taylor@ bssgroup .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email body simply says: copy

27 July 2015 : 13409079779.docm - Current Virus total detections: 4/56*
Downloads Dridex banking malware from:
terrasses-de-santeny .com/yffd/yfj.exe. Other versions of this downloader will download the -same- Dridex banking malware from alternative locations. So far we have seen
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://terrasses-de-santeny .com/yffd/yfj.exe  
http ://blog.storesplaisance .com/yffd/yfj.exe
http ://telechargement.storesplaisance .com/yffd/yfj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1437987707/

terrasses-de-santeny .com: 94.23.55.169: https://www.virustot...69/information/

madagascar-gambas .com: 'Could not find an IP address for this domain name' (May have been taken-down)

technibaie .net: 94.23.1.145: https://www.virustot...45/information/

storesplaisance .com: 94.23.1.145: FR / 16276 (OVH SAS)
___

Fake 'Order Confirmation' SPAM - malicious attachment
- http://blog.dynamoo....mation-ret.html
27 July 2015 - "This spam does not come from Royal Canin, but is instead a simple -forgery- with a malicious attachment:
    From     "[1NAV PROD RCS] " [donotreply@ royal-canin .fr]
    Date     Mon, 27 Jul 2015 18:49:16 +0700
    Subject     Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715
    Please find attached your Sales Order Confirmation
    Note: This e-mail was sent from a notification only e-mail address that
    cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.


Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55*, which in turn contains a malicious macro... which downloads an executable from one of the following locations (there are probably more):
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://blog.storesplaisance .com/yffd/yfj.exe
This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55**. Automated analysis tools... show that it attempts to phone home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)..."

* https://www.virustot...sis/1437999231/

** https://www.virustot...sis/1437999249/

> http://myonlinesecur...dsheet-malware/
27 July 2015: Order Confirmation RET-396716 230715.xml - Current Virus total detections: 1/56*
... Which downloads an updated version of Dridex banking malware..."
* https://www.virustot...sis/1437997926/
___

Fake 'Loan service' – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 July 2015 - "'New Loan service nearby' with a zip attachment is another one from the current bot runs... Alternative subjects for this malspam run include: 'New Credit service near you'. The email looks like:
    We are happy to inform you that we are founding a affiliate in your vicinity next week. We are credit services firm with more than 15 years practice , and several branches in the region. We give help to individuals and corporations in profiting money for the objective. We provide all the acts , consisting of bringing the money source that sets the lowest percentage and the best conditions of pays , all the paperwork , and etc.
    We are enclosing the invite ticket for the opening celebration and service’s accommodation schedule. Wish to see you on our opening.
    Give us a chance to maintain you!
    Thanks,
    Truly yours,
    Mike Ward General management Info

-Or-
    We are happy to announce you that we are opening a branch in your area soon. We are loan accommodations firm with more than 25 years workmanship, and several offices in the region.
    We provide help to ordinary people and corporations in availing money for the objective.
    We ensure all the actions, consisting of bringing the fiscal source that offers the lowest commissions and the best terms of payment, all the papers, and so on.
    We are applying the engagement card for the opening and organization’s accommodation schedule. Hope to see you on that day.
    Give us a chance to serve you!
    Thanking you,
    Yours truly,
    Mike Ward General management Superior


And the usual other variety of computer bot generated wording that doesn’t quite read as proper English.
27 July 2015: invitation_and_accommodations.zip: Extracts to: call_and_accommodations.scr
Current VirusTotal detections: 2/56*. This is another one of the spoofed-icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected..."
* https://www.virustot...sis/1438000007/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
173.248.31.6: https://www.virustot....6/information/
2.18.213.48: https://www.virustot...48/information/
 



Edited by AplusWebMaster, 27 July 2015 - 11:09 AM.



#1506 AplusWebMaster


Posted 28 July 2015 - 06:52 AM

FYI...

Fake 'suspicious account activity' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "'Important Notice: Detecting suspicious account activity' pretending to come from 'Service Center' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Subject: Important Notice: Detecting suspicious account activity
    Date:   Mon, 27 Jul 2015 22:51:16 +0000 (GMT)
    From:   Service Center <redacted >
    Detecting suspicious account activity
    <https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
    The attachment contain steps to secured your account. If you are viewing
    this email on a mobile phone or tablets, please save the document first
    and then open it on your PC.
    Click Here to download attachment.
    <https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
    Thanks,
    Account Service


If you are unwise enough to follow the links then you will end up with a word doc looking like:
> http://myonlinesecur...ctivity_doc.png
DO -NOT- follow their advice/instructions or suggestions to enable content; that will activate the malicious macro inside the document and download and automatically run a file named Account Details.exe, which has an icon of an Excel spreadsheet to fool you into thinking it is innocent, and infect you.
28 July 2015 : Email activity.doc Current Virus total detections: 21/55*
... Downloads https ://onedrive.live .com/download?resid=9AC15691E4E70C4D!123&authkey=!AL1jJDlqNUg-vAM&ithint=file%2cexe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438037595/

** https://www.virustot...sis/1438062482/
___

Fake 'Please Find Attached' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "'Please Find Attached – Report form London Heart Centre' pretending to come from lhc.reception@ heart. org.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...eart-Centre.png

28 July 2015: calaidzis, hermione.docm - Current Virus total detections: 9/55*
... Downloads what looks like Dridex banking malware from http ://chloedesign .fr/345/wrw.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438067899/

** https://www.virustot...sis/1438068193/
... Behavioural information
TCP connections
93.171.132.5: https://www.virustot....5/information/
2.18.213.25: https://www.virustot...25/information/

chloedesign .fr: 85.236.156.24: https://www.virustot...24/information/
___

Fake 'Air France' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
28 July 2015 - "'Your Air France boarding documents on 10Jul' pretending to come from Air France <cartedembarquement@ airfrance .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ts-on-10Jul.png

28 July 2015: Boarding-documents.docm - Current Virus total detections: 9/55*
... which downloads Dridex banking malware from http ://laperleblanche .fr/345/wrw.exe which is the -same- malware as in today’s earlier malspam run using malicious word docs with macros**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438071620/

** http://myonlinesecur...rd-doc-malware/

laperleblanche .fr: 94.23.1.145: https://www.virustot...45/information/

- http://blog.dynamoo....e-boarding.html
28 July 2015 - "... -same- exact payload as this earlier attack* today..."
* http://blog.dynamoo....d-attached.html
"... phones home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
I recommend that you -block- that IP. The malware is the Dridex banking trojan..."
___

Fake 'Invoice notice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "A series of emails with subjects of: 'Invoice delivery / Invoice notice / Receipt alert / DHL notice / UPS notification / Invoice information' and numerous -other- similar subjects with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    You had got the bill !
    Delivered at: Tue, 28 Jul 2015 16:15:36 +0500.
    Number of sheets: 0.
    Mailer ID: 3.
    Delivery number: 843.
    Kindly be advised that attached is photo-copy of the 1st page alone.
    We are going to mail the originals to You at the address indicated already.

-Or-
    You have received the bill !
    Received at: Tue, 28 Jul 2015 11:43:15 +0000.
    Amount of sheets: 9.
    Addresser ID: 79187913.
    Delivery order: 6199843296.
    Kindly be advised that attached is scan-copy of the 1st page alone.
    We are going to dispatch the originals to You at the location mentioned earlier.


And multiple similar content. If you are unwise enough to open the attachment then you will end up with a word doc looking like this:
> http://myonlinesecur..._6199843296.png
DO -NOT- follow their advice/instructions or suggestions to enable content; that will activate the malicious macro inside the document and download and automatically run a file named word.exe, which has an icon designed to fool you into thinking it is innocent, and infect you. These emails have attachments with names like Invoice_number_6199843296.doc / Order_No._843.doc / Bill_No._95.doc and -multiple- variations of the names and numbers.
28 July 2015 : Invoice_number_6199843296.doc - Current Virus total detections: 7/56*
... goes through a convoluted download procedure giving you http ://bvautumncolorrun .com/wp-content/themes/minamaze/lib/extentions/prettyPhoto/images/78672738612836.txt which is a base64-encoded file that transforms into a password stealer. It also goes to http ://iberianfurniturerental .com/wp-content/plugins/nextgen-gallery/admin/js/Jcrop/css/fafa.txt which automatically downloads http ://umontreal-ca .com/word/word.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438080189/

** https://www.virustot...sis/1438081346/

bvautumncolorrun .com: 184.168.166.1: https://www.virustot....1/information/

iberianfurniturerental .com: 173.201.169.1: https://www.virustot....1/information/

umontreal-ca .com: 89.144.10.200: https://www.virustot...00/information/
___

Fake 'Voice Message' SPAM – wav malware
- http://myonlinesecur...ke-wav-malware/
28 July 2015 - "'Voice Message Attached from 08439801260' pretending to come from voicemessage@ yourvm .co.uk with a wav (sound file) attachment is another one from the current bot runs... The email looks like:

    Time: Jul 28, 2015 3:08:34 PM
    Click attachment to listen to Voice Message


28 July 2015: 08439801260_20150725_150834.wav - Current Virus total detections: 2/55*
... Which downloads Dridex banking malware from laurance-primeurs .fr/345/wrw.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438082138/

laurance-primeurs .fr: 94.23.1.145: https://www.virustot...45/information/
___

Fake 'Incoming Fax' SPAM - malware
- http://blog.dynamoo....ernal-only.html
28 July 2015 - "This -fake- fax message leads to malware:
    From:    Incoming Fax [Incoming.Fax@ victimdomain]
    Date:    18 September 2014 at 08:39
    Subject:    Internal ONLY
    **********Important - Internal ONLY**********
    File Validity: 28/07/2015
    Company : http ://victimdomain
    File Format: Microsoft word
    Legal Copyright: Microsoft
    Original Filename: (#2023171)Renewal Invite Letter sp.doc
    ********** Confidentiality Notice ********** ...
    (#2023171)Renewal Invite Letter sp.exe


Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
http ://umontreal-ca .com/word/word.exe ... This has a VirusTotal detection rate of 2/55*.
umontreal-ca .com (89.144.10.200 / ISP4P, Germany) is a -known- bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
UPDATE: This Hybrid Analysis report shows traffic to the following IPs:
67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)
Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208
"
* https://www.virustot...sis/1438087963/
___

Fake 'cash prizes for shopping' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 July 2015 - "Another set of emails with subjects including 'Get cash prizes for shopping' and 'Get cash payments for purchasing' with a zip attachment is another one from the current bot runs... The email looks like:
    Love purchasing? We have something special for you!
    Do you want to get cash compensations on buys you make in your favorite stores? Just get our debit card to make your purchases, and then you will commence enhancing the rewards. Bear in mind only one rule – the more you use it – the more you receive. So kindly check out the applied info to learn how this offer proceeds and how to open your bank account.
    It was never so pure, fast and so close to your dreams. Don’t lose your time. Join us, keep to us and shopping will give!

-Or-
    Being fond of shopping? We propose something special for you!
    Do you want to get cash rewards on purchases you make in your favorite shops? Just use our debit card to make your purchases, and then you will start increasing the  remunerations. Bear in mind one rule – the more you use it – the more you get. So please read the enclosed documentations to see how it operates and how to open your account.
    It was never so elementary, fast and so close to your dreams. Don’t lose your chance. Join us, stick to us and shopping will pay!


And numerous other similar computer generated text...
28 July 2015: bank_offering_and_card_information.zip: Extracts to: special_offering_and_card_details.scr
Current VirusTotal detections: 2/56*. This is another one of the spoofed-icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected..."
* https://www.virustot...sis/1438090452/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
24.33.131.116: https://www.virustot...16/information/
95.100.255.176: https://www.virustot...76/information/
___

Russian Underground - Revamped
- http://blog.trendmic...round-revamped/
July 28, 2015 - "When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices. News and media coverage on significant breaches are increasingly shaping up to becoming an everyday occurrence. 2014 became the “year of the POS breach” for the retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first part of 2015 has also seen some major breaches within the consumer industry (Chick-fil-A, RyanAir) but also with health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal—paying with debit/credit card has its inherent risks. But what happens with the compromised data and personal information?... right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places, where they get categorized within databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces in many ways are what forums used to be: a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks similar to online-shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIP code, city, address of the card owner, type of card, etc... several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner, his (corporate) address, zip code, and card number and validity date.
What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of these new search/filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database with addresses and locations and regularly filter the best marketplaces for the most recent outpour of -fresh- credit card leaks... Many corporations allow their employees to use credit cards for business travels but in the event of a card being stolen, the corporation is affected directly. The benefit these cards render for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$ 2,000, it can be a gold mine for cybercriminals. Due to hundreds of transactions that are processed, it’s difficult for the corporate card owner to detect and trace back any suspicious movement..."
> https://www.trendmic...isticated-tools
July 28, 2015
 



Edited by AplusWebMaster, 28 July 2015 - 11:12 AM.



#1507 AplusWebMaster


Posted 29 July 2015 - 07:05 AM

FYI...

Fake 'New mobile banking app' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "Today’s set of Upatre downloaders comes with an email subject of 'New mobile banking application / The latest mobile banking application / Renewed mobile banking app' and a zip attachment; it is another one from the current bot runs... The email looks like:
    Dear patron!
    We would like to introduce you new mobile banking app for our bank patrons. Our mobile banking options help you to enter your bank account safely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial operations. Our application is simple to use and highly safe.
    To learn more about application features and work, please view the enclosed info. Download link is also included.

-Or-
    Dear client!
    We would like to introduce you new mobile banking app for our bank customers. Our mobile banking services help you to access your bank account securely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial procedures. Our application is toiless to use and extremely safe.
    To know more about application details and work, please see the attached information. Download link is also inside.

-Or-
    Dear patron!
    We are glad to present you new mobile banking app for our bank patrons. Our mobile banking accommodations help you to enter your bank account safely any place you want. A quick and simple registration is all you need to begin using mobile banking options. With mobile banking, you can realize most of all bank operations. Our app is toiless to use and very safe.
    To know more about application details and functioning, kindly view the affixed document. Download link is also inside.


And numerous very similar computer-generated versions of the above.
29 July 2015: id697062389app_features.doc.zip: Extracts to:  app_brochure.exe
Current VirusTotal detections: 0/55*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438168067/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
176.36.251.208: https://www.virustot...08/information/
95.101.72.123: https://www.virustot...23/information/
___

Fake 'Get our deposit card' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "The latest Upatre downloader to hit the presses is an email with a subject of 'Get our deposit card and receive 067' (varying amounts), pretending to come from jesse_rice, with a zip attachment; it is another one from the current bot runs... The email looks like:
    Deposit card containing many profitable features is new extraordinary proposal of ours.
    One of the great items that will actually intrigue you is the 98 money back pize. When you outlay 300 USD or more within 3,2,5,4,6 months buying by this card, you will earn a 23 award. There is also 5% cash back award function that give you opportunity to take 5% cash back on up to 1500 USD during each three month quarter. It’s not a disposable prize. You will turn on your feature every 3 month quarter without any extra fees! There are a lot of other bonuses that you will have. You can browse them in the applied to learn more about it and find all details. Feel free to to ask if you have any questions.
    We sincerely look forward to your response


29 July 2015: 220317964deposit_card_features_details.zip: Extracts to: card_features_details.exe
Current VirusTotal detections: 0/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438176115/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.185.4.90: https://www.virustot...90/information/
69.144.171.44: https://www.virustot...44/information/
2.20.143.37: https://www.virustot...37/information/
___

USA TODAY Fantasy Sports... serves Malware
- https://blog.malware...serves-malware/
July 28, 2015 - "... We routinely detect infections coming from forums during our daily crawl of potentially malicious URLs. One of the reasons for this comes from the underlying infrastructure that powers those sites. Indeed, server side pieces of software such as Apache or vBulletin are often abused by cyber criminals who can easily exploit security holes especially if these applications are not kept up to date. Case in point, the Fantasy Sports discussion forum part of USA TODAY Sports Digital Properties was recently redirecting members towards scam sites and even an exploit kit that served malware. The forum statistics show a total of 117,470 threads, 3,348,218 posts and 18,447 members.
> https://blog.malware...15/07/graph.png
...  domain is involved in multiple nefarious activities via -malvertising- such as -fake- Flash Player applications, tech support scams or exploit kits. In some cases, all of the above combined...
> https://blog.malware...07/scampage.png
Nuclear exploit kit: Probably the worst case scenario is to be -redirected- to an exploit kit page and have your computer infected.
> https://blog.malware...7/Fiddler21.png
In this particular instance, we were served the Nuclear EK, although given the URL pattern it would have been very easy to call this one Angler EK. This change was noted by security researcher @kafeine* about a week ago...
* https://twitter.com/...564043345858562
Had the exploit been successful, a piece of malware known as Glupteba (VT link**) would have been dropped and executed. Compromised machines are enrolled into a large botnet that can perform many different malicious tasks... We have notified USA Today about this security incident..."
** https://www.virustot...sis/1437954473/
... Behavioural information
TCP connections
195.22.103.43: https://www.virustot...43/information/
 



Edited by AplusWebMaster, 29 July 2015 - 09:07 AM.



#1508 AplusWebMaster


Posted Yesterday, 06:35 AM

FYI...

Fake 'settlement failure' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "Today’s first set of Upatre downloaders comes with email subjects that include 'Calculated response settlement failure / Estimated response settlement failure / Estimated response payment default / Calculated invoice payment default' and a zip attachment; it is another one from the current bot runs...

Screenshot: http://myonlinesecur...ent-failure.png

30 July 2015: official_document_copies_id942603754.pdf.zip: Extracts to: public_order_copies.exe
Current VirusTotal detections: 0/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438249041/
___

Fake 'ADP Payroll' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "'Invoice #[random numbers]', pretending to come from ADP – Payroll Services <payroll.invoices@ adp .com> and carrying a zip attachment, is another one from the current bot runs... The email looks like:
     Attached are the latest statements received from your bank.
    Please print this label and fill in the requested information. Once you have filled out
    all the information on the form please send it to payroll.invoices@adp.com.
     For more details please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
     Thank you ,
    Automatic Data Processing, Inc.
    1 ADP Boulevard
    Roseland
    NJ 07068
    © Automatic Data Processing, Inc. (ADP®) . All rights reserved...


30 July 2015: ADP_Invoice _0700613.zip : Extracts to: ADP_Invoice.scr
Current VirusTotal detections: 2/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438267744/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
178.222.250.35: https://www.virustot...35/information/
2.18.213.56: https://www.virustot...56/information/
___

Fake 'check returned' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "'Your cheque has been returned', pretending to come from jobs-asia and carrying a zip attachment, is another one from the current bot runs... The email looks like:
    I enclose a check that has been returned unpaid for occasions shown there.
    We have written off you with the sum.
    If you have any questions, kindly write to us. We’ll endeavor to help you.
    Faithfully,
    Lloyd Bailey
    Service department


30 July 2015: cheque_and_description_i4Aev0CF.zip: Extracts to: cheque_and_explanation.exe

Current VirusTotal detections: 0/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438267061/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.185.4.90: https://www.virustot...90/information/
67.221.195.6: https://www.virustot....6/information/
2.18.213.24: https://www.virustot...24/information/
___

Fake 'Income tax settlement failure' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "'Income tax settlement failure sent id: [number]', with a zip attachment, is another one from the current bot runs... The email looks like:
    In accordance with taxing authority information You have defaulted a term to settle the estimated tax sums.
    Kindly see attached the official order from the revenue service.
    Furthermore please be noted of the fact that additory penalties would be applied unless the debt amounts are not remitted within four working days.
    Regard this reminder as highly important.
    Rebecca Crouch Tax Department


29 July 2015: public_order_scan713432229.zip: Extracts to: official_order_copies.exe
Current VirusTotal detections: 3/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438208026/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
87.249.142.189: https://www.virustot...89/information/
88.221.14.145: https://www.virustot...45/information/
 



Edited by AplusWebMaster, Yesterday, 11:42 AM.

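The recurring point across these posts is that the zip attachment extracts to an .exe or .scr whose PDF icon and hidden extension make it pass for a document. As an added example that is not part of the thread or the quoted blogs, this Python script scans a zip attachment for exactly that disguise: an executable extension, a document-style double extension such as .pdf.exe, or an MZ header hiding behind a harmless-looking name. The archives it scans are constructed in memory from dummy bytes; the member names mirror the lures quoted above.

```python
# Added example, not code from this thread or the quoted blog posts: flag zip
# attachments whose members are executables dressed up as documents, the
# ".doc.zip -> .exe" / PDF-icon .scr trick the Upatre lures above rely on.
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def classify_member(name, head):
    """Reasons a zip member looks like a disguised executable ([] if none)."""
    exts = ["." + p for p in name.lower().rsplit("/", 1)[-1].split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        # e.g. invoice.pdf.exe: Explorer shows "invoice.pdf" when known
        # extensions are hidden, which is exactly what the lure counts on
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension mimics a document")
    elif head[:2] == b"MZ":
        # DOS/PE magic: still an executable whatever the name claims
        reasons.append("MZ header behind non-executable extension")
    return reasons

def scan_zip_attachment(data, max_members=50):
    """Scan zip bytes; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as fh:  # read only the 2-byte magic
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_zip(members):
    """Constructed fixture (dummy bytes, not malware): zip {name: bytes} in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    # Mirrors "app_features.doc.zip -> app_brochure.exe" quoted in the thread
    print(scan_zip_attachment(build_zip({"app_brochure.exe": b"MZ" + b"\0" * 62})))
```

Run the same check on the raw attachment bytes from a mail gateway or sandbox and quarantine anything that returns a non-empty finding; the MZ test catches renamed binaries that an extension-only filter misses.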




