Fake 'Insurance' SPAM - doc malware
19 Jan 2016 - "The Dridex bots are still having problems again today. Their latest attempt, an email with the subject of 'Thank you for purchasing from Cheaper Travel Insurance – 14068156' pretending to come from info87@ Resellers.insureandgo .com (the info number is random) with a malicious word doc attachment, is another one from the current bot runs... While they appear to have fixed the malware attachments, they instead have introduced a new bug and are sending broken emails with -garbled- content... when corrected it will look something like this:
19 January 2016: 14068156.doc - Current VirusTotal detections 4/55*
[MALWR**] attempts to download Dridex banking malware from
http :// www .cnbhgy .com/786585d/08g7g6r56r.exe but seems to be having problems and timing out... Update: it eventually downloaded (VirusTotal 2/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
19 Jan 2016 - "This -fake- financial spam comes with a malicious attachment:
Header screenshot: http://www.insureand...aper_header.jpg
Your policy number: MF/CP/205121/14068156
Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Quote number: 21272810
Policy number: MF/CP/205121/14068156 ...
The sender appears to be from info[some-random-number]@ Resellers.insureandgo .com, but it is just a simple forgery. Attached is a malicious Word document, of which I have seen -five- different versions... download locations as:
www .cnbhgy .com/786585d/08g7g6r56r.exe
seaclocks .co .uk/786585d/08g7g6r56r.exe
This has a VirusTotal result of 3/54*.... combined with this Hybrid Analysis** shows traffic to:
126.96.36.199 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
188.8.131.52 (Bulgarian Academy Of Sciences, Bulgaria)
184.108.40.206 (Triara.com, S.A. de C.V., Mexico)
220.127.116.11 (Ignum s.r.o, Czech Republic)
18.104.22.168 (Ozhosting.com Pty Ltd, Australia)
22.214.171.124 (TE Data, Egypt)
126.96.36.199 (Linknet, Indonesia)
188.8.131.52 (Network Devices, Turkey)
The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign...
Fake 'Payment overdue' SPAM - malicious attachment
19 Jan 2016 - "This -fake- financial spam does not come from the Daily Mail, but is instead a simple -forgery- with a malicious attachment:
From Raashida Sufi [Raashida.Sufii@ dmgmedia .co.uk]
Date Tue, 19 Jan 2016 11:40:37 +0300
Subject Daily Mail - Payment overdue
I have currently taken over from my colleague Jenine so will be your new POC going
I have attached an invoice that is currently overdue for £360.00. Kindly email me
payment confirmation today so we can bring your account up to date?
Rash Sufi ...
I have seen -three- different versions of the malicious attachment Invoice.doc (VirusTotal results 4/53...). The Malwr analysis of these documents ... shows that the payload is identical to the Dridex banking trojan described here*."
19 Jan 2016 - "... an email with the subject of 'Daily Mail – Payment overdue'... with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
19 January 2016: Invoice.doc - Current VirusTotal detections 4/53*
This will download Dridex banking malware [ http :// www .cnbhgy .com/786585d/08g7g6r56r.exe ] which is the same location and malware as today’s earlier malspam run**..."
Fake 'Remittance Advice' SPAM - malicious attachment
19 Jan 2016 - "This -fake- financial spam does not come from Bellingham + Stanley but is instead a simple -forgery- with a malicious attachment. Reference numbers and sender names will vary.
From: Adeline Harrison [HarrisonAdeline20@ granjacapital .com.br]
Date: 19 January 2016 at 09:45
Subject: Remittance Advice 1B859E37
For the attention of Accounts Receivable,
We are attaching an up to date remittance advice detailing the latest payment on your account.
Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
Adeline Harrison ...
I have seen at least -four- different variations of the attachment, named in the format remittance_advice14DDA974.doc ... Malwr reports... show those samples communicating with:
http :// 184.108.40.206/victor/onopko.php
http :// 220.127.116.11/victor/onopko.php
Those IPs are:
18.104.22.168 (Veraton Projects, Netherlands)
22.214.171.124 (ITL Company, Ukraine)
UPDATE 1: this related spam run also downloads from:
This is allocated to "Private Person Anton Malyi" in Ukraine. A file aarab.exe is dropped... [VT 4/53*] which appears to communicate** with:
126.96.36.199 (OVH, Canada)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan; this attack is consistent with botnet 120.
UPDATE 2: This other Dridex 120 spam run uses different download locations:
The dropped "aarab.exe" file is also different... and a detection rate of just 2/54***.
19 Jan 2016 - "Dridex is definitely back with a vengeance today. The latest one of a long line, an email with the subject of 'Remittance Advice For Invoice 04050722' from C-Tech (random numbers) pretending to come from random names and email addresses with a malicious word doc attachment, is another one from the current bot runs... The email looks like:
From: Carey Lucas <LucasCarey44@ search4what .com>
Date: Tue 19/01/2016 09:41
Subject: Remittance Advice For Invoice 04050722 From C-Tech
Please find attached our current remittance advice.
Carey Lucas MAAT
Accounts Assistant ...
19 January 2016: C-Tech Remittance04050722.doc - Current VirusTotal detections 3/55*
downloads an -updated- Dridex banking malware, different from the ones described in this earlier run**, from
http :// 188.8.131.52 /aleksei/smertin.php or http :// 184.108.40.206 /aleksei/smertin.php (VirusTotal 2/54***)
Each attempt at download seems to give me a -different- named file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
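The three Dridex items above list their indicators in defanged form (spaces inserted around dots and "://") so that nobody clicks them by accident, which also means they cannot be pasted straight into a blocklist or a log search. As an added example (not code from the quoted blogs or from this forum post), the Python script below refangs the download URLs and C2 addresses quoted above, then checks them against a few constructed proxy-log lines. The log format and the internal 10.0.0.x client addresses are assumed; the indicator values themselves are only those quoted on this page.

```python
import re
from urllib.parse import urlsplit

# Download locations exactly as quoted (defanged) in the write-ups above.
DEFANGED_URLS = [
    "http :// www .cnbhgy .com/786585d/08g7g6r56r.exe",
    "seaclocks .co .uk/786585d/08g7g6r56r.exe",
    "http :// 184.108.40.206/victor/onopko.php",
    "http :// 220.127.116.11/victor/onopko.php",
    "http :// 188.8.131.52 /aleksei/smertin.php",
    "http :// 184.108.40.206 /aleksei/smertin.php",
]

# Post-infection traffic destinations quoted in the same write-ups.
C2_IPS = [
    "126.96.36.199", "188.8.131.52", "184.108.40.206",
    "220.127.116.11", "18.104.22.168", "22.214.171.124",
]

# Constructed sample log (assumed format: time client method url-or-dest status).
SAMPLE_PROXY_LOG = """\
2016-01-19T09:52:11Z 10.0.0.23 GET http://www.cnbhgy.com/786585d/08g7g6r56r.exe 200
2016-01-19T09:52:14Z 10.0.0.23 GET http://www.example.org/index.html 200
2016-01-19T09:53:40Z 10.0.0.23 CONNECT 126.96.36.199:443 -
2016-01-19T10:01:03Z 10.0.0.41 GET http://seaclocks.co.uk/786585d/08g7g6r56r.exe 200
2016-01-19T10:05:55Z 10.0.0.41 GET http://188.8.131.52/aleksei/smertin.php 200
"""


def refang(ioc: str) -> str:
    """Undo 'spaced dot' defanging: drop whitespace around '://', '.' and '/'."""
    s = re.sub(r"\s*://\s*", "://", ioc)
    s = re.sub(r"\s*\.\s*", ".", s)
    s = re.sub(r"\s*/\s*", "/", s)
    return s.strip()


def build_indicators(defanged_urls, ips):
    """Return (full_urls, hostnames, ip_addresses) as sets of refanged strings."""
    full_urls, hosts = set(), set()
    for raw in defanged_urls:
        url = refang(raw)
        if "://" not in url:          # scheme-less entries as quoted on the page
            url = "http://" + url
        full_urls.add(url)
        hosts.add(urlsplit(url).hostname)
    return full_urls, hosts, set(ips)


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")


def scan_line(line: str, indicators):
    """Return a sorted list of unique (kind, value) matches found in one log line."""
    full_urls, hosts, ips = indicators
    hits = set()
    for url in URL_RE.findall(line):
        if url in full_urls:
            hits.add(("url", url))
        host = urlsplit(url).hostname
        if host in hosts:
            hits.add(("host", host))
    for ip in IP_RE.findall(line):      # also catches CONNECT targets and bare IPs
        if ip in ips:
            hits.add(("ip", ip))
    return sorted(hits)


def scan_log(text: str, indicators):
    """Map 1-based line numbers to their matches, for lines that matched anything."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line, indicators)
        if hits:
            results[lineno] = hits
    return results


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG, build_indicators(DEFANGED_URLS, C2_IPS))
    for lineno, hits in found.items():
        print(f"line {lineno}: {hits}")
```

Matching on hostname as well as on the full URL is deliberate: the "Remittance Advice" write-up notes that each download attempt returned a differently named file, so a rule keyed only on the exact path would miss the next retrieval from the same host. Because the same address can appear both as a download host and as a C2 destination, a line such as the smertin.php fetch is reported under both kinds.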
Twitter is back up ...
Jan 19 2016 - "... Twitter was down for a decent time this morning. Long enough for people to start noticing and complaining about it on things like Facebook and in person... Twitter's status page*, which is presented through Yahoo's Tumblr, shows a trio of recent incidents..."
2016 Cisco Annual Security Report
Jan 19, 2016 - "Our just-released 2016 Cisco Annual Security Report (ASR*) presents a challenging cybersecurity landscape: cyber defense teams are fighting to keep up with rapid global digitization while trying to integrate dozens of vendor solutions, speed up detection, and educate their organizations from top to bottom... attackers grow more bold, flexible, and resilient by the day, setting up professional infrastructures that look a lot like what we’d find in legitimate businesses. On the global front, we see fluctuations in cyber Internet governance across regions, which inhibits collaboration and the ability to respond to attacks... This year's ASR reveals that attackers increasingly use legitimate online resources to launch their malicious campaigns. Though the news might speak to zero-day attacks, hackers also continue to deploy age-old malware to take advantage of weak spots such as unpatched servers. Aging infrastructure opens up green-field attack surfaces while uneven or inconsistent security practices remain a challenge... Other key insights from the 2016 ASR include a growing encryption trend (particularly HTTPS) for web traffic, which often provides a false sense of security to users—and for companies, potentially cloaks suspicious activity. We are also seeing more use of compromised WordPress servers to support ransomware, bank fraud, and phishing attacks. Alarmingly, between February and October 2015, the number of compromised WordPress installations used by cybercriminals grew by more than 221%... Increased attention, measurable results, added resilience, and focusing on what we can control are all possible now – so let’s capitalize on the moment before it’s too late."
(More detail at the Cisco URL above.)
Edited by AplusWebMaster, 19 January 2016 - 04:24 PM.