SPAM frauds, fakes, and other MALWARE deliveries...



#1601 AplusWebMaster

Posted 19 December 2015 - 08:14 AM

FYI...

PUPs Masquerade as Installer for Antivirus and Anti-Adware
- https://blog.malware...nd-anti-adware/
Dec 18, 2015 - "... two pieces of programs claiming to be two different security software, being housed in a domain purporting to be a safe antivirus download hub. The destination in question, however, has been known to serve a -fake- Malwarebytes installer. The domain is antivirus-dld[DOT]com, and users must avoid visiting it or -block- it with their browsers. Below are screenshots of its subdomains where users can supposedly download the AVG and AdwCleaner programs:
1. https://blog.malware...2015/12/avg.png
...
2. https://blog.malware.../adwcleaner.png
... -both- installers show differences in file names and hashes, they exhibit more identical markings than what we see on the surface... AV engines detect these as variants of the SoftPulse family... As this “Thank you” GUI window is displayed, the supposed program, in this case AVG, is then downloaded and installed automatically. Users can’t see this happening at first because the installer’s GUI is overlaying the real program’s GUI:
> https://blog.malware...15/12/avg05.png
Immediately after installation, the default browser opens to reveal an advertisement of an online dating site. We reckon that various ads are randomized:
> https://blog.malware...15/12/avg06.png
Clicking -any- of these links directs users to magno2soft[DOT]com, a domain that the Google Chrome browser blocks, tagging it as malicious. Additionally, we did a quick look up of their “24/7 free support” phone number—(+1) 844 326 2917—to see if something comes up. It turns out that this number is also used by -other- domains... We have also noted that their contents are also identical to Magno2soft’s. Be advised to -not- visit these sites as some of them automatically download an executable file... Domains like antivirus-dld[DOT]com may only appear legitimate, but they’re just hubs distributing pieces of software you may not want lurking in your hard drive."

antivirus-dld[DOT]com: 23.229.195.163: https://www.virustot...63/information/

magno2soft[DOT]com: 178.33.154.37: https://www.virustot...37/information/
> https://www.virustot...d9b8c/analysis/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 19 December 2015 - 11:14 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1602 AplusWebMaster

Posted 20 December 2015 - 07:42 AM

FYI...

Angler EK drops TeslaCrypt via recent Flash Exploit
- https://blog.malware...are-newexploit/
Dec 19, 2015 - "On December 18, security company Fortinet blogged* about a possible new variant of the CryptoWall ransomware distributed via spam. Around the same time we discovered that the Angler exploit kit was also pushing this new ‘variant’. However it is not CryptoWall... but rather TeslaCrypt. Files are encrypted and appended with a .vvv extension. In order to recover those files, victims must pay $500USD or face the risk of seeing this amount double within less than a week...
> https://blog.malware...wcryptowall.png
Angler EK uses a very recently patched flaw in Adobe Flash Player up to version 19.0.0.245** (CVE-2015-8446), making it the most lethal exploit kit at the moment..."
> https://www.virustot...sis/1450545960/
TCP connections
78.47.139.102: https://www.virustot...02/information/
107.180.50.210: https://www.virustot...10/information/
109.232.216.57: https://www.virustot...57/information/

* http://blog.fortinet...ant-in-the-wild

** http://malware.dontn...sh-1900245.html

>> http://www.spywarein...vulns/?p=796776

*** https://www.adobe.co...re/flash/about/
 

:ph34r: :ph34r:   :grrr:




#1603 AplusWebMaster

Posted 21 December 2015 - 08:04 AM

FYI...

Fake 'INVOICE' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
21 Dec 2015 - "... An email with the subject of 'Invoice' pretending to come from Brenda Howcroft <accounts@ swaledalefoods .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-1024x778.png

21 December 2015: Invoice 14702.doc - Current Virus total detections 1/53*
... waiting for analysis to complete on this but it is almost certain to be a downloader for Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450699970/

- http://blog.dynamoo....a-howcroft.html
21 Dec 2015 - "This -fake- financial spam does not come from Swaledale Foods but is instead a simple -forgery- with a malicious attachment.
    From:    Brenda Howcroft [accounts@ swaledalefoods .co.uk]
    Date:    21 December 2015 at 10:46
    Subject:    INVOICE
    Your report is attached in DOC format.
    To load the report, you will need the free Microsoft® Word® reader, available to download...
 Many thanks,
Brenda Howcroft
Office Manager
t 01756 793335 sales
t 01756 790160 accounts ...


Attached is a file Invoice 14702.doc which comes in at least -9- different versions... sources say that at least some versions download from the following locations:
110.164.184.28 /jh45wf/98i76u6h.exe
getmooresuccess .com/jh45wf/98i76u6h.exe
rahayu-homespa .com/jh45wf/98i76u6h.exe
This dropped file has a detection rate of 6/54*. The Hybrid Analysis report** plus some other sources indicate network traffic to:
199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)
The payload is the Dridex banking trojan...
Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169
"
* https://www.virustot...sis/1450707029/
TCP connections
199.7.136.88
13.107.4.5


** https://www.hybrid-a...environmentId=1
___

Backdoors in Juniper's firewalls ...
- http://net-security....ld.php?id=19259
21 Dec 2015

>> https://isc.sans.edu...l?storyid=20521
Last Updated: 2015-12-21 - "We decided to move to raise our "Infocon" to yellow over the backdoor in Juniper devices. We decided to do this for a number of reasons:
- Juniper devices are popular, and many organizations depend on them to defend their networks
- The "backdoor" password is now -known- and exploitation is trivial at this point. [2]
- With this week being a short week for many of us, addressing this issue -today- is critical.
Who is affected by this issue? Juniper devices running ScreenOS 6.3.0r17 through 6.3.0r20 are affected by the -fixed- backdoor password (CVE-2015-7755). [1]
Juniper devices running ScreenOS 6.2.0r15 through 6.2.0r18 and ScreenOS 6.3.0r12-6.3.0r20 are affected by the VPN decryption problem (CVE-2015-7756). [1] ... There are two distinct issues. First of all, affected devices can be accessed via telnet or ssh using a specific "backdoor" password. This password can not be removed or changed unless you apply Juniper's patch..."
(More detail at the isc URL above.)
1] https://kb.juniper.n...713&actp=search

2] https://community.ra...cation-backdoor

Other references:
> https://www.imperial...19/juniper.html

>> https://gist.github....350f2a91bd8ed3f

- https://www.us-cert....visory-ScreenOS
Dec 17, 2015

 

Exploit attempts - Juniper Backdoor...
- https://isc.sans.edu...l?storyid=20525
Last Updated: 2015-12-22 00:19:29 UTC - "We are detecting numerous login attempts against our ssh honeypots using the ScreenOS backdoor password. Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be "manual" in that we do see the attacker trying different commands. We saw the first attempt at 17:43:43 UTC..."
___

DHL - Phish...
- http://myonlinesecur...l-dhl-phishing/
21 Dec 2015 - "An email with the subject of 'SHIPPING DOCUMENT & INV-BL' coming from Ionel Ghenade <ionel_ghenade@ yahoo .com> is a phishing attempt to gain log in details for your DHL account...  I don’t suppose many recipients will actually have a DHL account, although some will. This email does come from Yahoo. I do not know whether the sender has had his account hacked or it is a yahoo account created just for this phishing attempt. If your DHL account does get compromised, they will use it to send illegal and -stolen- goods at your expense and you will be held responsible for that... The email has a mass of recipients in the to: box (about 100) so that is the first warning of a mass spam and something wrong. The content simply says:
    Hello,
    THE DHL DOCUMENT HAS BEEN SENT TO YOU AS AS DIRECTED.
    Regards


... And has a html attachment to the email that at first glance appears to be a PDF attachment. If you are unwise enough to open the attachment, the first thing you see is a JavaScript pop up alerting you with this message:
    Encripted DHL file, Your Email has been configured To view Document information, Sign in to continue!
> http://myonlinesecur...hl_js_popup.png
Press OK and you get:
> http://myonlinesecur...in-1024x917.png
Which of course looks like a DHL log in page, if you don’t look at the web address in the URL bar. In this case it is a local file on your computer, not a webpage. If you enter any email address and password, you are then sent to the genuine DHL site. This scam works because of the windows default behaviour to hide file extensions. In this case without the final extension HTML showing, you are misled into thinking that it is a PDF file... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .html file it really is, so making it much more likely for you to accidentally open it..."
___

Password checks... ??
- http://myonlinesecur...sswords-secure/
21 Dec 2015 - "We keep seeing sites that offer to check your passwords and make sure they are safe and secure. One that popped up on Twitter today is:
- http://www.sbrcentre...r_Password.html
This aims to educate you and suggest how long it would take to crack your password. Entering -any- password on any of these sites is a total mistake. All these sites that tell you how long and secure your password is, are pure snake oil and a high rating means absolutely -nothing- in the real world. First look at the site. It uses standard HTTP -not- an encrypted HTTPS connection, so in the event you have any problems on your network, anything you send to that site can be easily intercepted. Secondly, even though they say that they do not retain any passwords, how do you know that is true? A misconfiguration can easily store every password in plain text for any hacker to obtain and potentially track back to you. I made up a password to test it:
> http://myonlinesecur..._1-1024x546.png
...
> http://myonlinesecur..._2-1024x548.png
... Check it out with a -fake- password but don’t rely on being safe because of that fake password. Most breaches come because of errors or user interaction not having a short password. Having a long, complicated password that would take 17 trillion years to crack does not mean you are safe. A high proportion of password hacks either come from the website that holds your password and it doesn’t matter if it is 2 characters long or 20000 characters long, if the site doesn’t encrypt stored passwords and keep them in plain text for any hacker to get hold of via security holes in that site.
The other primary password loss method is YOU, when you enter details on a -fake- website or respond to a -phishing- email and give away all your passwords or log in information. In many cases a long complicated password is a detriment because you cannot remember it and write it down on a sticky note pinned to the monitor for everyone to see. Either use a password manager or use an easy to remember pass -phrase- or combination of words that mean something to you & no-one else, rather than a single word."
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 22 December 2015 - 12:08 AM.

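A small inventory check for the ScreenOS advisory quoted in the post above, written here as an added example (not code from ISC, Juniper or the forum). It encodes exactly the affected ranges the diary lists and sorts hosts exposed to the fixed-password issue first, since those need patching today; the version-string format `6.3.0r17` with an optional `.N` build suffix, and the hostnames in the sample inventory, are assumptions.

```python
import re
from typing import Dict, List

# Affected ranges exactly as stated in the ISC diary quoted above (Juniper advisory [1]):
# (CVE, release train, first affected 'r' number, last affected 'r' number), inclusive.
AFFECTED_RANGES = [
    ("CVE-2015-7755", "6.3.0", 17, 20),  # fixed "backdoor" password over telnet/ssh
    ("CVE-2015-7756", "6.2.0", 15, 18),  # VPN decryption problem
    ("CVE-2015-7756", "6.3.0", 12, 20),
]

# Assumed version format: '<train>r<release>' with an optional '.<build>' suffix,
# e.g. '6.3.0r17' or '6.3.0r17.0'. Anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(version: str):
    """Split '6.3.0r17' into ('6.3.0', 17)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    return m.group(1), int(m.group(2))


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the advisory that apply to this version (empty if none)."""
    train, release = parse_screenos_version(version)
    hits: List[str] = []
    for cve, cve_train, first, last in AFFECTED_RANGES:
        if train == cve_train and first <= release <= last and cve not in hits:
            hits.append(cve)
    return hits


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> applicable CVEs for hosts that need action, most urgent first.
    Hosts exposed to CVE-2015-7755 (remote login with a known password) come before
    hosts that only have the VPN decryption problem."""
    needs_action = {h: affected_cves(v) for h, v in inventory.items()}
    needs_action = {h: c for h, c in needs_action.items() if c}
    return dict(sorted(needs_action.items(),
                       key=lambda kv: ("CVE-2015-7755" not in kv[1], kv[0])))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "fw-branch-01": "6.3.0r17",
    "fw-branch-02": "6.3.0r12",
    "fw-dc-01": "6.3.0r21",
    "fw-legacy": "6.2.0r16",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```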


#1604 AplusWebMaster

Posted 22 December 2015 - 07:59 AM

FYI...

Fake 'fax' SPAM - JS malware
- http://myonlinesecur...ine-js-malware/
22 Dec 2015 - "An email with the subject of 'You have received fax, document 00979545' [random numbered]  pretending to come from Interfax Online <incoming@ interfax .net> with a zip attachment is another one from the current bot runs... The content of the email says :
    A new fax document for you.
    You can find your fax document in the attachment.
    Scanned in:           50 seconds
    File name:             task-00979545.doc
    Sender:               Gerald Daniels
    File size:             252 Kb
    Pages sent:           3
    Resolution:           200 DPI
    Date of scan:         Mon, 21 Dec 2015 19:39:17 +0300
    Thank you for using Interfax!


2 September 2015: task-00979545.zip: Extracts to: task-00979545.doc.js
Current Virus total detections 10/54*. MALWR shows us it downloads -2- malware files 3009102.exe (virus total 4/53**) and 1af9fcbe48b1f[1].gif (VirusTotal 5/52***) and 1 innocent file from http ://martenmini .com/counter/? (long list of random characters). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450770443/

** https://www.virustot...sis/1450751819/

*** https://www.virustot...sis/1450771087/
___

Fake 'New Account' SPAM - malicious attachment
- http://blog.dynamoo....-gas-ac-no.html
22 Dec 2015 - "This -fake- financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple -forgery- with a malicious attachment.
    From:    trinity [trinity@ topsource .co.uk]
    Date:    22 December 2015 at 10:36
    Subject:    British Gas - A/c No. 602131633 - New Account
    Hi ,
    Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.
    Thanks & Regards,
    Pallavi Parvatkar ...


Attached is a file British Gas.doc with... a VirusTotal detection rate of 2/54*. Analysis of the document is pending, however it will most likely drop the Dridex banking trojan.
UPDATE: These automated analyses [1] [2] show that the malicious document downloads from:
weddingme .net/786h8yh/87t5fv.exe
This has a VirusTotal detection rate of 3/54**. All those reports indicate malicious traffic to:
199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
The payload looks like Dridex...
Recommended blocklist:
199.7.136.88
151.80.142.33
"
* https://www.virustot...sis/1450781888/

1] https://www.hybrid-a...environmentId=2

2] https://malwr.com/an...jRkZjk4OTJkNWQ/

** https://www.virustot...sis/1450782995/
TCP connections
199.7.136.88
90.84.59.19


- http://myonlinesecur...dsheet-malware/
22 Dec 2015
Screenshot: http://myonlinesecur...nt-1024x690.png

22 December 2015 : British Gas.doc - Current Virus total detections 2/54*
Reverse it** shows a download of what looks like Dridex banking Trojan from
weddingme .net/786h8yh/87t5fv.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016  and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450781888/

** https://www.reverse....environmentId=1

*** https://www.virustot...sis/1450781177/
TCP connections
199.7.136.88
90.84.59.19

___

Fake 'PAYMENT RECEIVED' SPAM - malicious attachment
- http://blog.dynamoo....t-received.html
22 Dec 2015 - "This -fake- financial spam does not come from Les Caves de Pyrene but is instead a simple -forgery- with a malicious attachment.
    From:    Avril Sparrowhawk [Avril.Sparrowhawk@lescaves.co.uk]
    Date:    22 December 2015 at 11:14
    Subject:    CWIH8974 PAYMENT RECEIVED
    Good afternoon
    Thanks very much for your payment we recently from you, however there was a missed invoice.  Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?
    I have attached the invoice for your reference.
    Kind regards
    Avril
    Avril Sparrowhawk
    Credit Controller
    Les Caves De Pyrene
    Pew Corner
    Old Portsmouth Road
    Artington
    Guildford
    GU3 1LP
    ' +44 (0)1483 554784
    6 +44  (0)1483 455068 ...


Attached is a malicious document CWIH8974.doc of which I have seen just a single sample with a VirusTotal detection rate of 2/54*. There may be other variations of the document, but in this case it downloads a malicious binary from:
secure.novatronica .com/786h8yh/87t5fv.exe
This has a VirusTotal detection rate of 2/53** and is the -same- payload as found in this earlier spam run***, leading to the Dridex banking trojan."
* https://www.virustot...sis/1450784063/

** https://www.virustot...sis/1450784374/
TCP connections
199.7.136.88
90.84.59.19


*** http://blog.dynamoo....-gas-ac-no.html

- http://myonlinesecur...wnloads-dridex/
22 Dec 2015
Screenshot: http://myonlinesecur...ED-1024x753.png

22 December 2015: CWIH8974.doc - Current Virus total detections *
 Payload Security Hybrid analysis** shows it downloads a Dridex banking Trojan from
 secure.novatronica .com/786h8yh/87t5fv.exe which is the -same- payload as today’s earlier malspam run***..."
* https://www.virustot...sis/1450784063/

** https://www.hybrid-a...environmentId=2

*** http://myonlinesecur...dsheet-malware/
___

Fake 'new payment terms' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Dec 2015 - "An email with various subjects based around the theme of invoices or payments coming from random email addresses and senders with a zip attachment is another one from the current bot runs... Some of the subjects seen include:
    ATT: / new payment terms and payment
    Invoice Updated: # 15/12/2015 from DXB International, Inc.
    FW: Payment for Invoice

The contents of the emails vary with each email and it is totally -random- which combination of subject and email body you will get. The attachment name remains consistent. Some of the ones I have seen include:
    We appreciate your business.
    Kind Regards,
    Marketing and Sales Manager
    Jimmie McCoy

-Or-
    Receipts attached. Thank you
Sales Manager
Peter Skinner

-Or-
    I have two sets as samples ready to ship Invoice # 0311683, 1 box, 1 lbs, $46.28 Please let us know how you want us to ship these goods.
    Thanks & Best Regards,
    Payroll Supervisor
    Frederick Castillo ...


22 December 2015: Inv._Nº-1089-12-2015_PDF.zip: Extracts to: Inv._Nº-1089-12-2015_PDF.exe
Current Virus total detections 2/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450791506/
___

Fake 'MUST READ' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
22 Dec 2015 - "An email with the subject of 'MUST READ! Police hunt missing terror suspect last seen in Camden!' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...en-1024x712.png

22 December 2015: suspect details 44165680.doc - Current Virus total detections 4/54*
MALWR** shows a download from http ://31.41.44.224 /portal/portal.php which is named as govuk .exe
(VirusTotal 2/54***). I am not certain what the payload actually is yet and am awaiting full analysis.
Update: fast work from the host of 31.41.44.224 https ://www .cishost .ru/ who took down the malware very quickly... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450796426/

** https://malwr.com/an...2M4NTU0YjFmN2M/

*** https://www.virustot...sis/1450796555/
portal.exe

31.41.44.224: https://www.virustot...24/information/
___

HSBC - Phish...
- https://blog.malware...rrently-locked/
Dec 22, 2015 - "Customers of HSBC should -avoid- the following URL, which is (most likely) part of an email based phishing campaign. While we don’t have an example of an email to hand, we can certainly shine some light on the website itself which is:
hsbc-message(dot)com
... in the hopes of helping you to avoid a nasty surprise this holiday season:
> https://blog.malware...hsbclocked1.jpg
... They urge visitors to click next (because hey, that form expires today!) and continue with the process, which is little more than a straight lunge for payment information:
> https://blog.malware...hsbclocked2.jpg
... To be specific: Card number, expiration date, card verification code, and finally the ATM PIN number. After this, the victim is shown a “We’ll get back to you in 24 hours” message before being forwarded on to a HSBC website:
> https://blog.malware...hsbclocked3.png
From a quick scan of various websites, it seems HSBC scams are all the rage right now [1], [2], [3], [4] so please be extra careful with your logins. Scammers are always looking for a way to grab some fast cash, and regardless of whether they approach you by email, SMS or phonecall..."
1] https://twitter.com/...108831940870144

2] https://www.instagra...m/p/_XvF5ypr4M/

3] https://www.instagra...m/p/_W6zn3nX-A/

4] http://www.scamcallf...raud-35513.html

hsbc-message(dot)com: 98.139.135.129: https://www.virustot...29/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 22 December 2015 - 11:58 AM.

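Several of the runs above (the fax .doc.js, the PDF-named .exe, the DHL .html "PDF") rely on Windows hiding the final extension. The mail-gateway style check below is an added example, not code from any of the quoted sites; it flags attachment names that would execute when double-clicked but present as documents, and looks inside archive member lists. The archive member names are supplied by the caller, and the gateway/message structure is assumed.

```python
import os
from typing import List, Optional, Tuple

# Extensions Windows (or its script host / browser) will run when double-clicked.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".html", ".htm"}
# Extensions a user expects to be a harmless document or image.
DOCUMENT_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}
# Name fragments that suggest a document even without a second extension
# ('Inv._Nº-1089-12-2015_PDF.exe'). Order matters: longer/specific hints first.
DOCUMENT_HINTS = ("PDF", "DOC", "XLS", "FAX", "SCAN", "INVOICE", "INV")


def check_attachment_name(name: str) -> Optional[str]:
    """Return a reason if the name looks like a disguised executable, else None.

    Only the file name is examined. A macro-laden Invoice.doc passes this check,
    which is why it complements, not replaces, 'never open unexpected attachments'."""
    base, ext = os.path.splitext(name.strip())
    ext = ext.lower()
    if ext not in EXECUTABLE_EXT:
        return None
    _, inner_ext = os.path.splitext(base)
    if inner_ext.lower() in DOCUMENT_EXT:
        return (f"double extension: shown as {inner_ext.lower()} with extensions "
                f"hidden, runs as {ext}")
    upper = base.upper()
    hint = next((h for h in DOCUMENT_HINTS if h in upper), None)
    if hint:
        return f"document-like name ({hint}) but runs as {ext}"
    return f"executable attachment ({ext})"


def scan_message(attachments: List[Tuple[str, List[str]]]) -> List[Tuple[str, str]]:
    """attachments: list of (filename, archive member names); members is [] for a
    plain file. Returns (label, reason) for every flagged name; archive members are
    labelled 'archive.zip!member' so the verdict points at the real file."""
    flagged: List[Tuple[str, str]] = []
    for filename, members in attachments:
        reason = check_attachment_name(filename)
        if reason:
            flagged.append((filename, reason))
        for member in members:
            reason = check_attachment_name(member)
            if reason:
                flagged.append((f"{filename}!{member}", reason))
    return flagged


# Constructed message: attachment names taken from the runs quoted above; the DHL
# html name is made up, since the post does not give it.
SAMPLE_MESSAGE = [
    ("task-00979545.zip", ["task-00979545.doc.js"]),
    ("Inv._Nº-1089-12-2015_PDF.zip", ["Inv._Nº-1089-12-2015_PDF.exe"]),
    ("DHL_INV-BL.pdf.html", []),
    ("Invoice 14702.doc", []),   # macro downloader: not caught by a name check
]

if __name__ == "__main__":
    for label, reason in scan_message(SAMPLE_MESSAGE):
        print(f"BLOCK {label}: {reason}")
```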


#1605 AplusWebMaster

Posted 23 December 2015 - 08:54 AM

FYI...

Fake 'invoice' SPAM - malicious attachment
- http://blog.dynamoo....industrial.html
23 Dec 2015 - "This -fake- invoice has a malicious attachment:
    From:    Rachael Murphy
    Date:    23 December 2015 at 13:05
    Subject:    Christmas Industrial Decorating invoice-50473367)
    Good afternoon,
    Please find attached 1 invoice for processing.
    Regards and Merry Christmas!
    Rachael Murphy
    Financial Manager ...
    This email has been scanned by the Symantec Email Security.cloud service.


The sender's name and reference number varies, the attachment is in the format invoice45634499.doc and it comes in at least -three- different versions (VirusTotal results [1] [2] [3]). Analysis is pending, the payload is likely to be the Dridex banking trojan."
1] https://www.virustot...8920d/analysis/

2] https://www.virustot...5a591/analysis/

3] https://www.virustot...5d665/analysis/

- http://myonlinesecur...dsheet-malware/
23 Dec 2015 - "An email with the subject of 'Christmas Industrial Decorating invoice-22306947)' pretending to come from random senders and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Tony Monroe <MonroeTony50@ bors-spic .ro>
    Date: Wed 23/12/2015 12:56
    Subject: Christmas Industrial Decorating invoice-22306947) (random numbers)
    Good afternoon,
    Please find attached 1 invoice for processing.
    Regards and Merry Christmas!
    Tony Monroe
    Financial Manager ...


23 December 2015: invoice22306947.doc - Current Virus total detections 2/54*
... automatic analysis is inconclusive but it appears to have the same payload as described in THIS post** which is most likely to be Dridex banking Trojan..."
* https://www.virustot...sis/1450875552/

** http://myonlinesecur...dsheet-malware/
___

Fake 'Fee Invoice' SPAM - malicious attachment
- http://blog.dynamoo....ian-acc-no.html
23 Dec 2015 - "This -fake- financial spam comes with a malicious attachment. The sender's name and reference number is randomly generated.
    From:    Josie Ruiz
    Date:    23 December 2015 at 11:38
    Subject:    FW: Meridian (Acc. No. 51588088) - Professional Fee Invoice
    Dear Sir/Madam,
    Re:  Meridian Professional Fees
    Please find attached our fee note for services provided, which we trust meets with your approval.
    Payment should be made to Meridian International VAT Consulting Ltd. within the agreed payment terms.
    We look forward to your remittance in due course.
    Yours sincerely
    Josie Ruiz
    Financial CEO ...


The attachment has the same reference number as the subject, and there are at least -five- different versions... likely to be the Dridex banking trojan.
UPDATE 1: Hybrid Analysis of some of the samples [1] [2] shows some download locations:
146.120.89.92 /volkswagen/bettle.php
109.234.34.164 /volkswagen/bettle.php
Those IPs belong to:
146.120.89.92 (Ukrainian Internet Names Center LTD, Ukraine)
109.234.34.164 (McHost.Ru Inc, Russia)
This is actually an executable with a detection rate of 4/53*. The purpose of this executable is unknown, but it is certainly malicious. Analysis is still pending.
UPDATE 2: This Threat Expert report** and this Hybrid Analysis*** both report traffic to a presumably hacked server at:
104.131.59.185 (Digital Ocean, US)
Recommended blocklist:
104.131.59.185
146.120.89.92
109.234.34.164
"
* https://www.virustot...sis/1450879468/

** http://www.threatexp...a19fd795a748e57

*** https://www.hybrid-a...environmentId=4

1] https://www.hybrid-a...environmentId=1

2] https://www.hybrid-a...environmentId=4

- http://myonlinesecur...dsheet-malware/
23 Dec 2015
Screenshot: http://myonlinesecur...ce-1024x771.png

23 December 2015: invoice63835341.doc - Current Virus total detections 2/54*
... according to Dynamoo** this downloads from 109.234.34.164 /volkswagen/bettle.php which gave me a file called bettle.exe (VirusTotal ***)..."
* https://www.virustot...sis/1450873882/

** http://blog.dynamoo....ian-acc-no.html

*** https://www.virustot...sis/1450879468/
___

Fake 'Invoice 70146427' SPAM - malicious attachment
- http://blog.dynamoo....e-70146427.html
23 Dec 2015 - "This -fake- financial spam comes with a malicious attachment. It does -not- come from uksafetymanagement .co.uk but is instead a simple forgery.
    From:    Claire Carey
    Date:    23 December 2015 at 12:01
    Subject:    UKSM Invoice 70146427
    Good time of day,
    Thank you for choosing UK Safety Management Ltd. to carry out your Portable Appliance Testing.
    Please find enclosed your invoice.
    Claire Carey...


The sender's name and reference number are randomly generated. Attached is a file in the format invoice29111658.doc which comes in at least -three- different versions... Analysis of the documents is pending. However, this is likely to be the Dridex banking trojan. The payload appears to be the -same- as the one found in this spam run*."
* http://blog.dynamoo....ian-acc-no.html
___

Fake 'chasing payment' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
23 Dec 2015 - "An email with the subject of 'REAL Digital chasing payment 6910.47' pretending to come from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nt-1024x589.png

23 December 2015: invoice21891491.doc - Current Virus total detections 2/53*
ReverseIt analysis** is inconclusive and doesn’t show any payload. However it is likely to be the Dridex banking trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450873320/

** https://www.reverse....environmentId=4
___

Tis the season for shipping and phishing
- https://securelist.c...g-and-phishing/
Dec 23, 2015 - "... delivery services send email notifications and provide shipment tracking systems. However, this type of communication also creates the ideal conditions for cybercriminals to send phishing messages in the name of major delivery services, and we end up with an increase in the number of these messages. The fraudsters have a clear aim: to trick unwitting users into downloading a malicious program or entering their confidential data on a phishing site. For example, one scam message detected by Kaspersky Lab asked the user to fill in and sign a delivery form in order to receive a shipment. The message had a DOC file attached to it containing the exploit Exploit.MSWord.Agent.gg, which allowed the cybercriminal to, among other things, gain remote access to the infected computer:
> https://securelist.c...shing_eng_1.png
In another -scam- message the fraudsters write that the shipment is already at a DHL office, but the courier cannot deliver it because the delivery address is unclear. The recipient is asked to follow a link within 48 hours and enter the shipment number on the tracking page; otherwise, the shipment will be returned to the sender:
> https://securelist.c...shing_eng_2.png
A closer inspection reveals that none of the links in the message lead to the DHL site; instead they all point to the same URL packed with the help of a URL shortening service. Another typical fraudster trick is also used in the email – the victim is warned there is a limited amount of time to react (in this case, 48 hours). If the user fails to follow the link in time, the shipment will be returned to the sender. The plan is simple – distract users with warnings about the urgency of doing something quickly rather than giving them time to think things through logically. If unwitting users follow the link, they are taken to a specially crafted site in the corporate style of DHL, and are prompted to type in their login credentials to enter the shipment tracking system:
> https://securelist.c...shing_eng_3.png
... A similar situation exists around FedEx, another large delivery service provider. Kaspersky Lab has detected multiple phishing messages sent in the name of this company:
> https://securelist.c...shing_eng_4.png
There’s nothing new about this scheme – the victim enters account credentials on a crafted site in order to view information about a shipment:
> https://securelist.c...shing_eng_5.png
The fact that this site is -fraudulent- and has nothing to do with FedEx is clear from the URL in the browser address bar. The conclusion that can be made from the examples given above is that you shouldn’t be too trusting or inattentive while you are online. Never follow links in email messages; it’s safer if you manually type the URL of the required site in your browser address bar. Whenever a page prompts you to enter confidential data, always check the URL in the address bar first. If anything looks suspicious in the URL or in the website design, think-twice before entering any personal data. Last but not least, always keep your security software up to date; it should also include an anti-phishing tool that will help you keep your data confidential, and your money safe. That way, you will be in a good mood for the holidays."
___

Joomla 3.4.7 released
- https://www.joomla.o...7-released.html
21 Dec 2015 - "Joomla! 3.4.7 is now available. This is a -security- release for the 3.x series of Joomla which addresses a -critical- security vulnerability and one low-level security vulnerability. We strongly recommend that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.6 release..."

Installing Joomla
> https://docs.joomla....stalling_Joomla

Upgrade Packages
> https://github.com/j...eases/tag/3.4.7

- https://www.us-cert....rity-Update-CMS
Dec 22, 2015
 



Edited by AplusWebMaster, 23 December 2015 - 05:10 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1606 AplusWebMaster


Posted 24 December 2015 - 08:26 AM

FYI...

Domain renewal SCAM
- http://myonlinesecur...n-renewal-scam/
24 Dec 2015 - "Many (almost all of us) that have websites and .com domain names and haven’t chosen to use domain privacy will regularly get -scam- messages like this one, trying to fool us into thinking we have to pay these scammers to renew our domain name. They deliberately make it look & sound like a genuine domain renewal and hope that you won’t look carefully at the small print and see it is an SEO scam.
-Don’t- pay it and dump it in the bin:
Screenshot: http://myonlinesecur...domain_scam.png "
___

PayPal phish ...
- http://myonlinesecur...aypal-phishing/
24 Dec 2015 - "A slightly different PayPal phishing spam run today saying 'Your Access Is restricted ✔' pretending to come from PayPal <jhon@ cilegonfab.co.id>. There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like :
    Urgent: Your card has been stopped !
    Your Access Is restricted ✔
    Your PayPal account has been limited
    You sent a payment of $xxxx USD/GBP/ Euro to some company or person
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order
...

Screenshot: http://myonlinesecur...ed-1024x773.png

The link in this case goes to https ://updateinfo .fwd.wf/gb-uk/scr/?q=login&email=youremail@example .com
Note: the HTTPS Secure SSL login which is unusual for a phishing site and shows the effort that the phishers are starting to go to, in order to persuade you to give them your details:
> http://myonlinesecur...sh-1024x575.png
Which is a typical phishing page that looks very similar to a genuine PayPal log in page, if you don’t look carefully at the URL in the browser address bar. One feature of note is the way the phishers try to block known anti-phishing or antivirus companies from getting to the page. I used the default email address they conveniently inserted and invented a random password and ended up with this 404 page... If I use a “genuine” email with a random password, I get this page (split into 2 screenshots for clarity):
> http://myonlinesecur..._3-1024x541.png
...
> http://myonlinesecur..._4-1024x568.png
... This one wants your personal details, your Paypal account log in details and your credit card and bank details along with mother’s maiden name and other info to steal your identity. Many of them are also designed to specifically steal your facebook and other social network log in details..."
___

Tesco bank phish ...
- http://myonlinesecur...-bank-phishing/
24 Dec 2015 - "An email with the subject 'Your Recent Attempt to Transfer Funds' pretending to come from Tesco Bank is a currently spreading phishing attempt. There are a few major common subjects in a phishing attempt. Lots of them involve your Bank or Credit Card... This particular phishing campaign starts with an email with a link (all the social media icons in the email do go to genuine Tesco bank social media sites or to a company called Payoneer who say “Payoneer empowers global commerce by connecting businesses, professionals, countries and currencies with its innovative cross-border payments platform.”):

Screenshot: http://myonlinesecur...ds-1024x636.png
Sends you to:
> http://myonlinesecur...sh-1024x602.png
If you fill in a user name you get a page asking for password and security number:
> http://myonlinesecur..._1-1024x561.png
Fill in that and you get to a typical phishing page. This one wants your personal details, your account log in details and your credit card and bank details. Many of them are also designed to specifically -steal- your email, Facebook and other social network log in details:
> http://myonlinesecur..._2-1024x693.png
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."
 



Edited by AplusWebMaster, 24 December 2015 - 09:21 AM.



#1607 AplusWebMaster


Posted 27 December 2015 - 11:50 AM

FYI...

Fake 'WhatsApp' SPAM - malware
- http://myonlinesecur...ed-aud-malware/
27 Dec 2015 - "An email appearing to be a WhatsApp notification with the subject of 'A sound memo has been received aud' pretending to come from WhatsApp <peter.kroell@ towncountry .at> (random email addresses) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ud-1024x585.png

27 December 2015: mabella12.zip: Extracts to: gully.exe - Current Virus total detections 19/54*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1451228525/
TCP connections
50.63.202.44: https://www.virustot...44/information/
98.139.135.129: https://www.virustot...29/information/
108.166.170.106: https://www.virustot...06/information/
208.100.26.234: https://www.virustot...34/information/
141.8.225.124: https://www.virustot...24/information/
173.201.93.128: https://www.virustot...28/information/
 



Edited by AplusWebMaster, 27 December 2015 - 12:01 PM.



#1608 AplusWebMaster


Posted 28 December 2015 - 01:57 PM

FYI...

AMEX - Phish...
- http://myonlinesecur...g-attempt-fail/
28 Dec 2015 - "... An email with the subject of 'Confirm Your Account Profile! 12/28/2015' pretending to come from American Express Online <narobiprojectors@ inbox .com> (I have received several this afternoon/evening, all pretending to come from different names @ inbox .com)...

Screenshot: http://myonlinesecur...15-1024x563.png

The -attached- HTML page which is complete with bad spelling mistakes and looks glaringly wrong would attempt to send your information (-if- you were unwise enough to fill in the page) to
http ://fantasticvacationhomes .com/verification3.php
> http://myonlinesecur...sh-1024x693.png "

fantasticvacationhomes .com: 192.185.141.50: https://www.virustot...50/information/
___

Straight2Bank - Phish...
- http://myonlinesecur...anges-phishing/
28 Dec 2015 - "An email saying 'Straight2Bank Website changes' pretending to come from Straight2Bank <Milan.Colquhoun@ s2b.standardchartered .com> is one of today’s phishing attempts. I have received loads of these this morning and they are using several -different- phish sites... The link in the email directs you to a -fake site-; if you look at the fake website, you would be very hard-pressed to tell the difference between the fake one and the genuine site. The -only- way is to look at the address bar: on the -Genuine- bank site, when using Internet Explorer the entire address bar is in green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):

Screenshot: http://myonlinesecur...ty-1024x758.png

... previous versions of phish attempts against this bank they only asked for passwords, log in details and pin numbers and didn’t ask for any other personal information... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."
 



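The PayPal and Straight2Bank phishes above both come down to the same check the posts keep repeating: does the link, or the form the attached HTML submits to, actually point at the brand's own domain? The script below is an added example, not code from the original posts or from myonlinesecurity. It parses an e-mail body or HTML attachment with the standard library, collects every `<a href>` and `<form action>`, reduces each host to its registered domain and flags anything outside the brand's domains. The sample HTML is constructed for the example; the two targets in it are the ones reported in the posts above (the fwd.wf login link and the verification3.php form). The tiny MULTI_LABEL_SUFFIXES set and the brand-domain list are assumptions for the example; a real deployment would use the Public Suffix List.

```python
"""Flag links and form targets in an e-mail or HTML attachment whose host
is not the brand the message claims to come from (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Public suffixes that need three labels to identify the registered domain.
# Short list for the example only; use the Public Suffix List in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed sample: a "PayPal" message whose login link and card form go elsewhere.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your Access Is restricted. Please
   <a href="https://updateinfo.fwd.wf/gb-uk/scr/?q=login">log in to PayPal</a>.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">PayPal Help</a>.</p>
<form method="post" action="http://fantasticvacationhomes.com/verification3.php">
  <input name="card"><input type="submit" value="Confirm">
</form>
<a href="mailto:service@paypal.com">Contact us</a>
</body></html>
"""


class TargetCollector(HTMLParser):
    """Collects (tag, url) for every <a href> and <form action> in the document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("a", attrs["href"]))
        elif tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))


def registered_domain(host):
    """Reduce a hostname to its registered domain: www.paypal.com -> paypal.com,
    secure.paypal.co.uk -> paypal.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_host(url):
    """Hostname of an absolute or protocol-relative URL; None for mailto:, javascript:
    and relative links, which carry no host to judge."""
    return urlsplit(url.strip()).hostname


def off_brand_targets(html, brand_domains):
    """Return (tag, url, host) for every link or form whose registered domain
    is not one of brand_domains."""
    collector = TargetCollector()
    collector.feed(html)
    brands = {registered_domain(d) for d in brand_domains}
    hits = []
    for tag, url in collector.targets:
        host = extract_host(url)
        if host is None:
            continue
        if registered_domain(host) not in brands:
            hits.append((tag, url, host))
    return hits


if __name__ == "__main__":
    for tag, url, host in off_brand_targets(SAMPLE_EMAIL_HTML, {"paypal.com"}):
        print(f"<{tag}> points off-brand at {host}: {url}")
```

The registered-domain comparison is what matters: a phishing host such as paypal.com.evil.example would still be caught because its registered domain is evil.example, and the green address bar the Straight2Bank post relies on is only an EV certificate indicator, not proof of ownership of the domain you expected.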


#1609 AplusWebMaster


Posted 02 January 2016 - 03:31 PM

FYI...

Most vulnerabilities in 2015: Mac OS X, iOS, and Flash
- http://venturebeat.c...-ios-and-flash/
Dec 31, 2015 - "Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities. Rounding out the top five are Adobe’s Flash Player, with 314 vulnerabilities; Adobe’s AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities.
For comparison, last year the top five (in order) were: Microsoft’s Internet Explorer, Apple’s Mac OS X, the Linux Kernel, Google’s Chrome, and Apple’s iOS. These results come from CVE Details*, which organizes data provided by the National Vulnerability Database (NVD). As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures... the 2015 list of the top 50 software products** in order of total distinct vulnerabilities..."
* http://www.cvedetail...s.php?year=2015

** http://1u88jj3r4db2x...top_50_2015.png

Top 50 list of products categorized by company - Graphic:
> http://1u88jj3r4db2x...ompany_2015.png
 



Edited by AplusWebMaster, 02 January 2016 - 04:28 PM.



#1610 AplusWebMaster


Posted 04 January 2016 - 11:43 AM

FYI...

Evil network: 199.195.196.176/29...
- http://blog.dynamoo....7629-roman.html
4 Jan 2016 - "199.195.196.176/29 is a small bunch of IPs hosting browser-hijacker sites, belonging to Hosting Services, Inc. in Utah and suballocated to a customer. Several domains are flagged by Google as leading to PUAs or malware [1] [2] [3] [4] [5] [6], and almost all those domains also have anonymous registrations... Blocking 199.195.196.176/29 or monitoring traffic to it might detect infected hosts, that appear to have a bunch of per-install crapware and other stuff installed."
(More detail at the dynamoo URL above.)
1] https://www.google.c...edownloader.biz

2] https://www.google.c...smile-files.com

3] https://www.google.c...press-files.com

4] https://www.google.c...edownloader.com

5] https://www.google.c...own4loading.net

6] https://www.google.c...-downloader.net

> http://centralops.ne...ainDossier.aspx
network:Network-Name:Dedicated Server
network:IP-Network:199.195.196.176/29
network:IP-Network-Block:199.195.196.176 - 199.195.196.183
network:Org-Name:Alyabiev, Roman
network:Street-Address:pr. Molodeznoi 7 kv. 101
network:City:Kemerovo
network:State:
network:Postal-Code:650044
network:Country-Code:RU ...
___

Ransom32: The first javascript ransomware
- https://isc.sans.edu...l?storyid=20569
2016-01-04 - "... new variant and this one has been built using javascript. This malware -fakes- the NW.js framework. Once installed, connects to its C&C server on TOR network port 85 to get the bitcoin address and the crypto key used for encryption. This trend is not new and we have seen how malware is being built to be more and more sophisticated to avoid being detected by any antimalware control at the endpoint. You have to integrate endpoint security with network security and correlate any possible alerts that might indicate an incident happening, like a computer being connected to TOR network."
More info at: http://blog.emsisoft...ipt-ransomware/
 



Edited by AplusWebMaster, 04 January 2016 - 05:04 PM.



#1611 AplusWebMaster


Posted 06 January 2016 - 06:46 AM

FYI...

Fake 'Invoice' SPAM -  malicious attachment
- http://blog.dynamoo....1-49934798.html
6 Jan 2016 - "This -fake- financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:
    From:    Bertha Sherman
    Date:    6 January 2016 at 09:29
    Subject:    Invoice-205611-49934798-CROSSHILL SF
    Dear Customer,
    Please find attached Invoice 02276770 for your attention.
    Should you have any Invoice related queries please do not hesitate to
    contact either your designated Credit Controller or the Main Credit Dept. on
    01635 279370.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept' ...


I have seen at least -four- different attachments with names in a format similar to invoice40201976.doc... Malwr reports... show that the malware contained within POSTs to:
37.46.130.53 /jasmin/authentication.php
179.60.144.21 /jasmin/authentication.php
195.191.25.138 /jasmin/authentication.php
Those reports also show communication to other suspect IPs, giving:
94.158.214.45 (Noviton Ltd , Russia)
78.47.119.93 (Hetzner, Germany)
2.61.168.116 (Sibirtelecom, Russia)
37.46.130.53 (JSC Server, Russia)
179.60.144.21 (Veraton Projects Ltd, Netherlands)
195.191.25.138 (Hostpro Ltd, Ukraine)
This Hybrid Analysis* also shows similar characteristics. The macro drops a file tsx3.exe with a detection rate of 7/55**. The Malwr report*** doesn't give any particular insight as to what this is, but it is likely to be a banking trojan or ransomware. There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost .RU IP in Russia:
109.234.34.224 /jasmin/authentication.php ...
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* https://www.hybrid-a...environmentId=2

** https://www.virustot...sis/1452075219/

*** https://malwr.com/an...DlkMmRhMmZjZWY/

1] http://blog.dynamoo....ia20114520.html

2] http://blog.dynamoo....ation-from.html

- http://myonlinesecur...dsheet-malware/
6 Jan 2016 - "An email with the subject of 'Invoice-205611-88038421-CROSSHILL SF' coming from random email addresses and senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

6 January 2016: invoice88038421.doc - Current Virus total detections 2/56*
MALWR** shows tsx3.exe downloaded from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal 6/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452072516/

** https://malwr.com/an...DI1YzExMWZjNGY/

*** https://www.virustot...sis/1452073223/
___

Fake 'Penalty Charge Notice' SPAM - malicious attachment
- http://blog.dynamoo....ia20114520.html
6 Jan 2016 - "This -fake- financial spam comes with a malicious attachment. The sender's name, reference numbers and attachment names vary. It seems to be closely related to this spam run*.
     From:    Viola Carrillo
    Date:    6 January 2016 at 09:53
    Subject:    Invoice for IA20114520
    To Whom It May Concern,
    Please find attached an invoice relating to Penalty Charge Notice Number IA20114520 along with a copy of the contravention.
    In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.
    Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.
    Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.


I have seen two variants of the attachment (VirusTotal results [1] [2]) and these two Malwr reports [3] [4] indicate identical characteristics to the payload in this spam run* which is also being sent out today."
* http://blog.dynamoo....1-49934798.html

1] https://www.virustot...sis/1452076482/

2] https://www.virustot...sis/1452076495/

3] https://malwr.com/an...DFhMGY0OWUxNGQ/
195.191.25.138
78.47.119.93
13.107.4.50


4] https://malwr.com/an...GNmMDYwMzNlNWQ/
195.191.25.138
78.47.119.93
13.107.4.50


- http://myonlinesecur...dsheet-malware/
6 Jan 2016 - "The second of today’s Dridex downloaders... pretends to be a penalty charge notification. It is an email with the subject of 'Invoice for IA20122439' (random numbers) pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment, and is another one from the current bot runs...

6 January 2016 : invoice20122439.doc - Current Virus total detections 2/56*  
MALWR** shows us a download of tsx3.exe from http :// 109.234.34.224/jasmin/authentication.php
... this is the -same- Dridex payload as described in today’s slightly earlier Malspam run***..."
* https://www.virustot...sis/1452076028/

** https://malwr.com/an...zhmNjFkY2JjZjc/
109.234.34.224
78.47.119.93
13.107.4.50


*** http://myonlinesecur...dsheet-malware/
___

Fake 'Payment notification' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
6 Jan 2016 - "The third of today’s Dridex downloaders... pretends to be an energy statement. It is an email with the subject of 'Payment notification from Third Energy Services Limited' coming from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment, and is another one from the current bot runs... The email looks like:
From: Blair Maldonado <MaldonadoBlair76939@ ewb-mn .org>
Date: Wed 06/01/2016 10:29
Subject: Payment notification from Third Energy Services Limited
Body content:
    Payment notification from Third Energy Services Limited
    Third Energy Services Limited
    Registered in England & Wales. Registered number: 50380220.
    Registered office: 7th Floor. Portland House, Bressenden Place, London, UK, SW1E 5BH
    Tel: 01944 759904 ot 0207 0420 800
    This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Third Energy. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone...


6 January 2016: remit50380220.doc - Current Virus total detections 2/55*
MALWR** once again shows a download of tsx3.exe from http :// 195.191.25.138/jasmin/authentication.php which is the -same- Dridex banking malware as described in today’s earlier malspam runs [1] [2]..."
* https://www.virustot...sis/1452076128/

** https://malwr.com/an...WY0NWM2YmMxMjM/
195.191.25.138
94.158.214.45
78.47.119.93
13.107.4.50
2.61.168.116


1] http://myonlinesecur...dsheet-malware/

2] http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....ation-from.html
6 Jan 2016 - "This -fake- financial email comes with a malicious attachment.
    From:    Addie Caldwell
    Date:    6 January 2016 at 10:31
    Subject:    Payment notification from Third Energy Services Limited
    Payment notification from Third Energy Services Limited...


... -three- different versions of the attachment (in the format remit85752524.doc or similar)... similar characteristics to this spam run* plus this additional URL:
109.234.34.224 /jasmin/authentication.php
This IP is allocated to McHost .RU in Russia and can be considered as malicious. The payload is unknown, but is possible Dridex.
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* http://blog.dynamoo....1-49934798.html
___

Fake 'BACS PAYMENT' SPAM - malicious attachment
- http://blog.dynamoo....cs-payment.html
6 Jan 2016 - "This -fake- financial spam comes with different sender names, reference details and attachment names. However, in all cases the attachment is malicious.
    From:    Forrest Cleveland
    Date:    6 January 2016 at 11:23
    Subject:    STA19778072 - BACS PAYMENT
    Importance: High
    Hello,
    Wasn’t sure who to email.
    I don’t know if you have been asked but Statestrong Products Ltd are making one payment today for two cars. Could you let me know when it is in the account please as these are both collections tomorrow...


So far I have seen -three- different attachment variants... same general characteristics as this spam run*. However in this case the dropped file tsx3.exe has been updated and the -new- version has a detection rate of 6/54**. The Malwr report*** indicates very similar traffic to before.
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* http://blog.dynamoo....1-49934798.html

** https://www.virustot...sis/1452080581/

*** https://malwr.com/an...2I1NjIxYjcyNTc/
78.47.119.93
165.254.102.181


- http://myonlinesecur...dsheet-malware/
6 Jan 2016 - "The 4th of today’s Dridex malspam downloaders... email with the subject of 'STA37626091 – BACS PAYMENT' (random numbers) coming from random email addresses and senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...NT-1024x535.png

6 January 2016: remit37626091.doc - Current Virus total detections *
MALWR** shows us it once again downloads tsx3.exe which looks like Dridex banking malware from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal ***) this looks like an updated version from earlier, but Dridex is known to update at frequent intervals throughout the day, often as frequently as -hourly- ..."
* https://www.virustot...sis/1452079135/

** https://malwr.com/an...TY2NzAzODk3NTA/
37.46.130.53
78.47.119.93
13.107.4.50


*** https://www.virustot...sis/1452078831/
___

Fake 'Unilet Invoice' SPAM - malicious attachment
- http://blog.dynamoo....e-67940597.html
6 Jan 2016 - "This fake invoice seems to be a bit confused as to who is sending it. It has a malicious attachment.
    From:    Desiree Doyle
    Date:    6 January 2016 at 12:29
    Subject:    Unilet Invoice 67940597
    Hello,
    Please find attached another invoice to pay please by BACS.
    Thanks
    Desiree Doyle
    Accounts Department
    -----Original Message-----
    From: Desiree Doyle
    Sent: 06 January 2016 12:30
    To: Desiree Doyle
    Subject: Scanned from a Xerox Multifunction Device
    Please open the attached document. It was scanned and sent to you using a Xerox Multifunction Device.
    Attachment File Type: pdf, Multi-Page
    Multifunction Device Location: Melbury House-MG01
    Device Name: 7225 ...


The attachment has a random name in the format remit41071396.doc and I have seen -three- different versions with quite low detection rates [1] [2] [3]. The Malwr reports for these [4] [5] [6] indicate that it has the -same- behaviour as the spam documented here*, dropping a file tsx.exe ..."
1] https://www.virustot...sis/1452084584/

2] https://www.virustot...sis/1452084616/

3] https://www.virustot...sis/1452084631/

4] https://malwr.com/an...WQ3NWI1ZDQ5MGQ/
37.46.130.53
2.61.168.116
78.47.119.93
13.107.4.50
94.158.214.45


5] https://malwr.com/an...TU4YTNhNzVmNjY/
179.60.144.21

6] https://malwr.com/an...2EwNGE4NzQxZDU/
37.46.130.53
78.47.119.93
13.107.4.50


* http://blog.dynamoo....1-49934798.html

- http://myonlinesecur...rd-doc-malware/
6 Jan 2016 - "Yet another Dridex downloader coming in an email with the subject of 'Unilet Invoice 58520927' (random numbers) pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...27-1024x518.png

6 January 2016: remit58520927.doc - Current Virus total detections 2/56*
MALWR** once again shows us tsx3.exe being downloaded from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal 6/54***) -Same- Dridex Banking malware as THIS earlier malspam[4]..."
* https://www.virustot...sis/1452083864/

** https://malwr.com/an...2JjYjk5ODBlNGI/
37.46.130.53
78.47.119.93
13.107.4.50


*** https://www.virustot...sis/1452083988/

4] http://myonlinesecur...dsheet-malware/
___

Facebook “Page Disabled” Phish - wants your Card Details
- https://blog.malware...r-card-details/
Jan 6, 2016 - "Fake Facebook Security pages are quite a common sight, and there’s a “Your page will be disabled unless…” -scam- in circulation at the moment on random Facebook comment sections which you should steer clear of. The scam begins with a message like this:
Warning!!!
Your page will be disabled.
Due to your page has been reported by other users.
Please re-confirm your page in order to avoid blocking. You violate our terms of service. If you are the original owner of this account, please re-confirm your account in order to avoid blocking.

If the multiple exclamation marks and generally terrible grammar didn’t give the game away, the following request certainly might:
To complete your pages account please confirm Http below:
https(dot)lnkd(dot)in/bNF9BUY?Facebook.Recovery.page
"Attention"
If you do not confirm, then our system will automatically block your account and you will not be able to use it again.
Thank you for the cooperation helping us improve our service.
The Facebook Team


... Google Safe Browsing flags the final destination as a dubious website: and fires up a “Deceptive site ahead” warning:
> https://blog.malware...kefacebook1.jpg
... After harvesting your Facebook credentials, they then go after payment information:
> https://blog.malware...kefacebook3.jpg
... Should the victim enter their information and hit the button, they’ll be -forwarded- on to the real Facebook Security Facebook page. There’s also a “Confirm Paypal” button which leads to a phish for -that- service, too:
> https://blog.malware...kefacebook4.jpg
The above page is located at:
report-fanpage(dot)gzpot(dot)com/Next/paypal(dot)com(dot)htm
Make no mistake, this is one phishing scam that could cost you a lot more than your Facebook login. Should you be sent any attempts at panicking you into entering your logins on a so-called “Security Page”, you should give both destination URL and comment sender a very wide berth."

> https://www.virustot...7d6a8/analysis/

report-fanpage.gzpot .com: 31.170.166.81: https://www.virustot...81/information/
> https://www.virustot...796a9/analysis/
 



Edited by AplusWebMaster, 06 January 2016 - 01:44 PM.

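The dynamoo posts above end with a recommended blocklist for the Dridex runs (all of which fetch tsx3.exe from /jasmin/authentication.php on a handful of IPs) and, in the earlier post, a /29 to block or monitor for browser-hijacker traffic. The script below is an added example, not code from the original posts or from dynamoo; it sweeps outbound proxy log lines against exactly those indicators, treating a CIDR block and an exact IP the same way, and separates strong indicators (a blocklisted address or the known C2 path) from the weaker signal of a POST to a bare public IP, which the Dridex macros do but so does plenty of legitimate software. The log format ("timestamp client method url status") and the log lines themselves are constructed for the example; the IPs and the path are the ones the posts list.

```python
"""Sweep outbound proxy logs for the Dridex C2 indicators and the
199.195.196.176/29 block listed in the posts above (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the posts above.
BLOCKLIST_ENTRIES = [
    "199.195.196.176/29",                                 # browser-hijacker hosting block
    "94.158.214.45", "78.47.119.93", "2.61.168.116",      # Dridex drop / C2 hosts
    "37.46.130.53", "179.60.144.21", "195.191.25.138",
    "109.234.34.224",
]
C2_PATHS = {"/jasmin/authentication.php"}

# Assumed log format for the example: "<iso-timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log; 93.184.216.34 stands in for an unrelated public host.
SAMPLE_LOG = """\
2016-01-06T10:31:02Z 10.0.0.15 GET http://www.example.com/ 200
2016-01-06T10:31:40Z 10.0.0.15 POST http://37.46.130.53/jasmin/authentication.php 200
2016-01-06T10:32:11Z 10.0.0.22 GET http://199.195.196.180/dl/setup.exe 200
2016-01-06T10:33:05Z 10.0.0.31 GET http://78.47.119.93/ 404
2016-01-06T10:34:00Z 10.0.0.40 POST http://93.184.216.34/upload 200
2016-01-06T10:35:12Z 10.0.0.40 POST http://10.1.1.1/api/upload 200
""".splitlines()


def build_networks(entries):
    """Exact IPs and CIDR strings become ip_network objects (an exact IP is a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify(line, networks, c2_paths):
    """Return {'client', 'host', 'reasons'} for a parsed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    host = url.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname rather than a literal IP
    reasons = []
    if addr is not None and any(addr in net for net in networks):
        reasons.append("blocklisted ip")
    if url.path in c2_paths:
        reasons.append("known c2 path")
    # The macro droppers POST straight to an IP; on its own this is only a weak signal.
    if addr is not None and m.group("method") == "POST" and addr.is_global:
        reasons.append("post to raw public ip")
    return {"client": m.group("client"), "host": host, "reasons": reasons}


def scan(lines, networks=None, c2_paths=C2_PATHS):
    """All lines that matched at least one indicator, weak or strong."""
    networks = networks if networks is not None else build_networks(BLOCKLIST_ENTRIES)
    hits = []
    for line in lines:
        result = classify(line, networks, c2_paths)
        if result and result["reasons"]:
            hits.append(result)
    return hits


def infected_clients(hits):
    """Clients that touched a blocklisted IP or the known C2 path (strong indicators only)."""
    strong = {"blocklisted ip", "known c2 path"}
    return sorted({h["client"] for h in hits if strong & set(h["reasons"])})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['client']} -> {h['host']}: {', '.join(h['reasons'])}")
    print("investigate:", infected_clients(hits))
```

Two things a practitioner would keep from this: the blocklist is applied as networks, so the /29 and the single addresses are one structure and a new range is one line; and the path match is kept separate from the IP match, because the posts show the same /jasmin/authentication.php path served from a different IP run to run, so the path outlives any one address.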


#1612 AplusWebMaster


Posted 07 January 2016 - 06:24 AM

FYI...

Malvertising - Pop-under Ads sends CryptoWall4
- https://blog.malware...s-cryptowall-4/
Jan 7, 2016 - "We have caught a new malvertising campaign on the PopAds network launching the Magnitude exploit kit via pop-under ads. A pop-under is an ad window that appears behind the main browser window and typically remains open until the user manually closes it. Unsuspecting victims running -outdated- versions of the Flash Player were immediately infected with the CryptoWall ransomware. This campaign started around January 1st with ads mostly placed on various adult and video streaming sites and lead to an increase in Magnitude EK activity. Infection flow overview:
    serve.popads .net/servePopunder.php?cid={redacted}
    {redacted}.name/
    Magnitude EK domain ...
According to our data, this attack mainly targeted European users:
> https://blog.malware.../01/graphic.png
CryptoWall 4 infection: Once a system is infected, personal files are encrypted and unusable as indicated in the dreaded CryptoWall ransom page:
> https://blog.malware.../ransompage.png
To recover pictures, documents and other important files, users are asked to pay in order to receive a “decryption” key... Prevention: Ransomware is one particular type of malware where prevention and backups are more important than ever. Since this particular attack relies on web exploits to infect the machine, it is crucial to keep your browser and related plugins up-to-date. You may also want to consider disabling or removing the Flash Player altogether since it has suffered a high number of zero-day exploits in recent history (even the latest version was vulnerable)..."
popads .net: 184.154.76.140: https://www.virustot...40/information/

- http://www.csoonline...ts-encrypt.html
Jan 7, 2016
___

Fake 'Angel Springs' SPAM - malicious attachment
- http://blog.dynamoo....ments-from.html
7 Jan 2016 - "This -fake- financial spam comes with a malicious attachment. The name of the sender varies, as does the reference number in the subject field that matches the attachment name.
    From:    Leonor Stevens
    Date:    7 January 2016 at 10:13
    Subject:    Your Latest Documents from Angel Springs Ltd [1F101177]
    Dear Customer,
    Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.
    Here's a few ways we've made it easier for you:
        Your new documents are now attached to your email. You don't have to follow a link now to get to your documents...


The three samples I have sent for analysis... show an initial communication with:
176.103.62.108 /ideal/jenny.php
91.223.88.205 /ideal/jenny.php
These IPs belong to:
176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
I note that 91.223.88.204 also hosts some bad things.. and the entire 176.103.48.0/20 block has a history of evil-ness... Note that there are probably other download locations. Check back later if you are interested.
These malicious documents drop a binary geroin.exe which has a detection rate of 3/54*. The Malwr report** for this shows it phoning home to:
78.47.119.93 (Hetzner, Germany)...
Recommended blocklist:
176.103.48.0/20
91.223.88.204/30
78.47.119.93
"
* https://www.virustot...sis/1452162035/

** https://malwr.com/an...DdjZTdmZGM4NDQ/

- http://myonlinesecur...dsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Your Latest Documents from Angel Springs Ltd [090190F1]' (random characters) pretending to come from random names and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From:Shanna Bolton <BoltonShanna6995@ dsldevice .lan>
Date:Thu 07/01/2016 08:57
Subject: Your Latest Documents from Angel Springs Ltd [090190F1] ...
    Dear Customer,
    Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we’ve invested in upgrading our billing systems to make things a little easier for you.
    Here’s a few ways we’ve made it easier for you:
    Your new documents are now attached to your email. You don’t have to follow a link now to get to your documents...


7 January 2016: 090190F181854503.doc - Current Virus total detections 2/54*
... downloads geroin.exe which looks like Dridex banking malware from http ://91.223.88.205 /ideal/jenny.php (VirusTotal 3/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016  and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452161327/

** https://www.virustot...sis/1452162035/
___

Fake 'Ibstock Group Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Invoice 38178369 19/12 4024.80' pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...80-1024x746.png

7 January 2016: invoice38178369.doc - Current Virus total detections *
Downloads the -same- Dridex banking malware from http ://193.201.227.12 /ideal/jenny.php as described in this slightly earlier post:
> http://myonlinesecur...dsheet-malware/
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016  and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452163655/

- http://blog.dynamoo....47665-1912.html
7 Jan 2016 - "This -fake- financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam* which was sent out earlier today.
    From:    Amber Smith
    Date:    7 January 2016 at 10:38
    Subject:    Invoice 01147665 19/12 £4024.80 ...
Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.
Its invoice  01147665  19/12  £4024.80  P/O ETCPO 35094
Can you have a look at it for me please?
Thank-you !
Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group ...


The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far... show these documents communicating with:
193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php
IPs are allocated to:
176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)
As before, a binary geroin.exe is dropped which communicates with:
78.47.119.93 (Hetzner, Germany)
The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post*."
* http://blog.dynamoo....ments-from.html
___

Fake 'Close Invoice Finance Limited' SPAM - malicious attachment
- http://blog.dynamoo....ce-finance.html
7 Jan 2016 - "This fake financial spam comes with a malicious attachment:
    From:    Carey Cross
    Date:    7 January 2016 at 11:35
    Subject:    Close Invoice Finance Limited Statement 1/1
    Dear Customer,
    Please find attached your latest statement from Close Brothers Invoice Finance.
    Your username is 05510/0420078
    Your password should already be known to you...
    Regards
    Close Brothers Invoice Finance


The sender's name will vary, as will the attachment name. I have only seen a single sample at the moment with a detection rate of 2/54*. Functionally, the payload is identical to that found in this earlier spam run**, and it drops the Dridex banking trojan."
* https://www.virustot...sis/1452167385/

** http://blog.dynamoo....ments-from.html

- http://myonlinesecur...dsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Close Invoice Finance Limited Statement 1/1' pretending to come from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

7 January 2016: invEF362145.doc - Current Virus total detections 2/56*
Downloads the -same- Dridex banking malware from http :// 193.201.227.12/ideal/jenny.php as described in today’s earlier posts  [1] [2]..."
* https://www.virustot...sis/1452168289/

1] http://myonlinesecur...dsheet-malware/

2] http://myonlinesecur...dsheet-malware/
 



Edited by AplusWebMaster, 07 January 2016 - 12:56 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1613 AplusWebMaster


Posted 08 January 2016 - 06:55 AM

FYI...

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
8 Jan 2016 - "An email with the subject of 'Invoice from DSV 7FF6AB68, ARIA (UK) LTD, 61694956, Customer ref: ALEX MUNRO, SE/GB' pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Melba Schneider <SchneiderMelba36@ euro-net .pl>
Date: Fri 08/01/2016 10:47
Subject: Invoice from DSV 7FF6AB68 , ARIA (U K) LTD, 61694956, Customer ref: ALEX MUNRO, SE/GB
    Invoice/Creditnote no.:           7FF6AB68
    Total Amount: GBP 60,00
    Due Date:                    28.01.2016
    If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
    Please see attached document.
    Best Regards
    Melba Schneider
    DSV Road Limited
    Scandinavia House ...


8 January 2016: logmein_pro_receipt.xls - Current Virus total detections 1/54*  
MALWR** shows us a download of hram.exe from http :// 194.28.84.79/softparade/spanish.php which looks like Dridex banking malware (VirusTotal 4/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452250187/

** https://malwr.com/an...Dc2NDJjOThkYmI/
194.28.84.79
78.47.119.93


*** https://www.virustot...sis/1452250858/

- http://blog.dynamoo....v-723a36b7.html
8 Jan 2016 - "This -fake- financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.
    From:    Hoyt Fowler
    Date:    8 January 2016 at 10:49
    Subject:    Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
    Invoice/Creditnote no.: 723A36B7
    Total Amount:   GBP 60,00
    Due Date:               28.01.2016
    If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
    Please see attached document.
    Best Regards
    Hoyt Fowler
    DSV Road Limited
    Scandinavia House ...


... In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55*. According to this Malwr report**, the sample attempts to download a further component:
194.28.84.79 /softparade/spanish.php
There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too. A file named hram.exe is dropped onto the target system with a detection rate of 4/54***. The Malwr report indicates that this communicates with:
78.47.119.93 (Hetzner, Germany)
This is a -critical- IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan...
Recommended blocklist:
78.47.119.93
194.28.84.79
"
* https://www.virustot...sis/1452252108/

** https://malwr.com/an...TFkYTFiY2RmODQ/
194.28.84.79
78.47.119.93


*** https://www.virustot...sis/1452252679/
___

'Let’s Encrypt'... abused by Malvertisers
- http://blog.trendmic...y-malvertisers/
Jan 6, 2016 - "... the potential for 'Let’s Encrypt' being -abused- has always been present. Because of this, we have kept an eye out for -malicious- sites that would use a Let’s Encrypt certificate. Starting on December 21, we saw activity going to a malvertising server, with traffic coming from users in Japan. This campaign led to sites hosting the Angler Exploit Kit, which would download a banking Trojan (BKDR_VAWTRAK.AAAFV) onto the affected machine:
Daily hits to malvertising server:
> https://blog.trendmi...ncrypt-2-01.png
... The malvertisers used a technique called “domain shadowing”. Attackers who have gained the ability to create subdomains under a legitimate domain do so, but the created subdomain leads to a server under the control of the attackers. In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site... Traffic to this created subdomain was protected with HTTPS and a Let’s Encrypt certificate... The domain hosted an ad which appeared to be related to the legitimate domain to disguise its traffic. Parts of its redirection script have also been moved from a JavaScript file into a .GIF file to make identifying the payload more difficult. Anti-AV code similar to what we found in the September attack is still present. In addition, it uses an open DoubleClick -redirect- ... users should also be aware that a “secure” site is -not- necessarily a safe site, and we also note that the best defense against exploit kits is still keeping software up-to-date to minimize the number of vulnerabilities that may be exploited..."

> http://news.netcraft...fraudsters.html

> http://news.netcraft...2016/09/pie.png

Fraudulent Digital Certificates
- https://technet.micr...ty/2607712.aspx

> https://www.fdic.gov...4/fil2704a.html
 



Edited by AplusWebMaster, 08 January 2016 - 12:21 PM.



#1614 AplusWebMaster


Posted 09 January 2016 - 02:11 PM

FYI...

Russian ISP prevents Cisco from Shutting Down Cybercriminal Gang
- http://yro.slashdot....ercriminal-gang
Jan 09, 2016 - "Cisco's Talos research team* has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign**. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware."
* http://blog.talosint...compromise.html
Jan 7, 2016 - "... when a provider is notified of malicious activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response led Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected since reporting the abuse alone is not enough."

** http://news.softpedi...ng-498667.shtml
___

LLoyds bank - 'update to our mobile banking app' – Phish
- http://myonlinesecur...-phishing-scam/
9 Jan 2016 - "... Today’s example is an email received with a subject of 'UPDATE NOTIFICATION' pretending to come from Lloyds plc <info@ glc .com>. Mobile apps and mobile banking are the new big thing and banks are encouraging users to use mobile banking... This one wants your personal bank log-in details in order to steal all your money. Many of them are also designed to specifically steal your email, facebook and other social network log in details... The original email looks like this. It will NEVER be a genuine email from your bank, or any other financial body, so don’t ever follow the link or fill in the html (webpage) form that comes attached to the email... If you are unwise enough to follow the link which goes to http ://toxicwingsli .com/op.htm and then -redirects- you to http ://joelcomm .net/wp-content/l10yds/1e9644d8cb4d7dc77c5770ae1b84b3fa/ you see a webpage looking like the genuine Lloyds log in page; look carefully at the url in the top bar and you can see it isn’t Lloyds at all but a fake site:

Screenshot: http://myonlinesecur...sh_webpage1.png

If you still haven’t realised that it is a phishing attempt and give them your username & password, you will be sent to the next page which asks for your memorable information. You then get bounced on to the genuine Lloyds Bank site..."

toxicwingsli .com: 166.62.118.179: https://www.virustot...79/information/

joelcomm .net: 23.235.226.77: https://www.virustot...77/information/
 



Edited by AplusWebMaster, 10 January 2016 - 11:09 AM.



#1615 AplusWebMaster


Posted 11 January 2016 - 06:55 AM

FYI...

Fake 'latest invoice' SPAM - malicious attachment
- http://blog.dynamoo....voice-from.html
11 Jan 2016 - "This -fake- financial spam does not come from UKFast but is instead a simple -forgery- with a malicious attachment.
    From     UKFast Accounts [accounts@ ukfast .co.uk]
    Date     Mon, 11 Jan 2016 11:00:10 +0300
    Subject     Your latest invoice from UKFast No.1228407


I am unable to determine what the body text is at the moment. In this case, the attachment was named Invoice-1228407.doc and has a VirusTotal detection rate of 3/54*. The Malwr report** shows that the malicious macro... downloads an executable from:
www .vmodal .mx/5fgbn/7tfr6kj.exe
This binary has a detection rate of 2/54***... This Malwr report[4] for the dropped file indicates network traffic to:
114.215.108.157 (Aliyun Computing Co, China)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
* https://www.virustot...sis/1452505104/

** https://malwr.com/an...zgxNGVmYzQyZDU/
185.21.134.14
114.215.108.157
13.107.4.50


*** https://www.virustot...sis/1452505941/
TCP connections
114.215.108.157: https://www.virustot...57/information/
8.253.82.158: https://www.virustot...58/information/
110.77.142.156: https://www.virustot...56/information/

4] https://malwr.com/an...TE4ZWQ1NTA2Mzg/

- http://myonlinesecur...dsheet-malware/
11 Jan 2016 - "An email with the subject of 'Your latest invoice from UKFast No.1228407' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: UKFast Accounts <accounts@ukfast.co.uk>
Date: Mon 11/01/2016 09:00
Subject: Your latest invoice from UKFast  No.1228407
    Hi,
    Thank you for choosing UKFast. Please find attached your latest invoice. You can also download it.
    As you have chosen to pay by Direct Debit there’s nothing more you need to do, payment will be taken on or after the date stated on your invoice.
    Should you have any queries relating to this invoice please raise an invoice query from within MyUKFast. Alternatively you can contact us on 0845 458 3535.
    Remember you can view all your invoices, set who should receive these alerts and much more all via MyUKFast.
    Kind Regards ...


11 January 2016: Invoice-1228407.doc - Current Virus total detections 3/54*  
downloads Dridex banking malware from http ://www .vmodal .mx/5fgbn/7tfr6kj.exe (VirusTotal 1/55**)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452505104/

** https://www.virustot...sis/1452507654/
TCP connections
114.215.108.157: https://www.virustot...57/information/
8.253.82.158: https://www.virustot...58/information/
110.77.142.156: https://www.virustot...56/information/
___

Fake 'E-Service' SPAM - malicious attachment
- http://blog.dynamoo....europe-ltd.html
11 Jan 2016 - "This -fake- financial spam does not come from E-Service (Europe) Ltd but is instead a simple -forgery- with a malicious attachment:
    From     Andrew Williams [andrew.williams@ eurocoin .co.uk]
    Date     Mon, 11 Jan 2016 17:07:38 +0700
    Subject     E-Service (Europe) Ltd Invoice No: 10013405
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
    to make payment for all transactions on or before their due date.
    Please contact E-Service (Europe) if you have any issues or queries preventing your
    prompt payment ...


E-Service have been exceptionally quick about posting an update on their Twitter page*.
* https://twitter.com/...496655831625728
However, they have -not- been hacked at all as it is trivially easy to forge an email message. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan. So far, I have seen -five- different versions of the attachment, all named Invoice 10013405.XLS ... The Malwr reports for the attachment... show that the macro in the spreadsheet downloads a file from the following locations:
arellano .biz/5fgbn/7tfr6kj.exe
pastorsschoolinternational .org/5fgbn/7tfr6kj.exe
www.c0-qadevtest .net/5fgbn/7tfr6kj.exe
This dropped file has a detection rate of 1/55**. It is the -same- binary as found in this earlier spam run*** which phones home to:
114.215.108.157 (Aliyun Computing Co, China)
This is an IP that I strongly recommend blocking..."
** https://www.virustot...sis/1452509215/
TCP connections
114.215.108.157
8.253.82.158
110.77.142.156


*** http://blog.dynamoo....voice-from.html

- http://myonlinesecur...dsheet-malware/
11 Jan 2016 - "An email with the subject of 'E-Service (Europe) Ltd Invoice No: 10013405' pretending to come from  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Andrew Williams <andrew.williams@ eurocoin .co.uk>
Date: Mon 11/01/2016 10:22
Subject: E-Service (Europe) Ltd Invoice No: 10013405
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you to make payment for all transactions on or before their due date.
    Please contact E-Service (Europe) if you have any issues or queries preventing your prompt payment...


11 January 2016: loInvoice 10013405.XLS - Current Virus total detections 7/54*
Downloads from http ://arellano .biz/5fgbn/7tfr6kj.exe which is the -same- Dridex banking malware as described in this slightly earlier post**..."
* https://www.virustot...sis/1452509257/

** http://myonlinesecur...dsheet-malware/
___

Fake 'Kaseya Invoice' SPAM - malicious attachment
- http://blog.dynamoo....e-1ed0c068.html
11 Jan 2016 - "This -fake- financial email has a malicious attachment:
    From:    Terry Cherry
    Date:    11 January 2016 at 10:48
    Subject:    Kaseya Invoice - 1ED0C068
    Dear Accounts Payable,
    Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.
    Our bank details for wire transfer are included on the attached invoice.
    Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@ kaseya .com) for assistance with adding card details through our portal.
    Please do not hesitate to let us know if you have any questions.
    Thanks again for your patronage.
    Sincerely,
    Terry Cherry
    Kaseya Customer Invoicing ...


The sender's name, references and attachments may vary. This appears to be a spam from Dridex 120, and it is a characteristic that there is a very-large-number-of-variants of the attachments. In this case, I analysed three different attachments with detection rates of about 2/55 [1].. and which according to these Malwr reports [4].. download a binary from the following locations:
5.189.216.10 /montana/login.php
77.246.159.154 /montana/login.php
109.234.39.40 /montana/login.php
All of these IPs should be considered to be malicious:
5.189.216.10 (LLHost Inc, Netherlands)
77.246.159.154 (JSC Server, Russia)
109.234.39.40 (McHost.ru, Russia)
A binary named trap.exe ... a detection rate of 5/54[7] is downloaded. According to this Malwr report[8] the executable phones home to:
78.47.119.93 (Hetzner, Germany)
The payload is the Dridex banking trojan.
Recommended blocklist:
78.47.119.93
5.189.216.10
77.246.159.154
109.234.39.0/24
"
1] https://www.virustot...sis/1452510008/

4] https://malwr.com/an...TdkM2UwM2FjY2M/

7] https://www.virustot...sis/1452510360/

8] https://malwr.com/an...mNmNWU4ZjQyOWM/

- http://myonlinesecur...dsheet-malware/
11 Jan 2016 - "An email with the subject of 'Kaseya Invoice – DD5A9977' pretending to come from random names, companies and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Alvin Fry <FryAlvin59518@ attrazioneviaggi .it>
Date: Mon 11/01/2016 11:00
Subject: Kaseya Invoice – DD5A9977
    Dear Accounts Payable,
    Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.
    Our bank details for wire transfer are included on the attached invoice.
    Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@ kaseya .com) for assistance with adding card details through our portal.
    Please do not hesitate to let us know if you have any questions.
    Thanks again for your patronage...


11 January 2016: Invoice-19071543.doc - Current Virus total detections 2/55*
downloads the -same- Dridex banking malware from the same locations as described in THIS post**..."
* https://www.virustot...sis/1452515923/

** http://myonlinesecur...dsheet-malware/
___

Fake 'Invoice-11JAN15' SPAM - leads to malware
- http://blog.dynamoo....3771728-gb.html
11 Jan 2016 - "This rather generic looking spam email leads to malware:
    From:    Raleigh Frazier [FrazierRaleigh8523@ amnet .net.au]
    Date:    11 January 2016 at 11:20
    Subject:    Invoice-11JAN15-53771728-GB
    Dear Customer,
    Please find attached Invoice 53771728 for your attention.
    Should you have any Invoice related queries please do not hesitate to
    contact either your designated Credit Controller or the Main Credit Dept. on
    02051 2651180.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept'


The name of the sender, references and attachment name varies. There are at least -three- different variations of the attachment, probably more. Detection rates are approximately 2/55*... and these Malwr reports [4].. indicate that the behaviour is very similar to the one found in this spam run**."
* https://www.virustot...sis/1452511471/

4] https://malwr.com/an...jgyMmIxZDBiODc/

** http://blog.dynamoo....e-1ed0c068.html
 



Edited by AplusWebMaster, 11 January 2016 - 08:21 AM.
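A defender-side sweep of proxy logs for the Dridex spam-run indicators quoted in the posts above, as an added example that is not code from the forum poster or from the quoted blogs. The log format and the sample lines are constructed; the dropper paths, phone-home addresses and blocklist entries are the ones published in the quoted dynamoo.com and myonlinesecurity.co.uk posts of 7 to 11 January 2016.

```python
"""Proxy-log sweep for the Dridex indicators quoted in the posts above.

Added example, not code from the forum poster or the quoted blogs.  The log
format and the sample lines are constructed; the dropper paths, C2 addresses
and blocklist entries are those published in the quoted posts (7-11 Jan 2016).
"""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Paths the malicious macros fetched their payload from (from the posts).
DROPPER_PATHS = {
    "/ideal/jenny.php",          # geroin.exe, 7 Jan
    "/softparade/spanish.php",   # hram.exe, 8 Jan
    "/5fgbn/7tfr6kj.exe",        # UKFast / E-Service runs, 11 Jan
    "/montana/login.php",        # trap.exe (Kaseya run), 11 Jan
}

# Post-infection phone-home addresses named in the posts.
C2_IPS = {"78.47.119.93", "114.215.108.157"}

# Recommended blocklist entries from the posts, as networks for CIDR matching.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "176.103.48.0/20", "91.223.88.204/30", "193.201.227.12/32",
    "194.28.84.79/32", "5.189.216.10/32", "77.246.159.154/32",
    "109.234.39.0/24", "78.47.119.93/32", "114.215.108.157/32",
)]

# Constructed log format: "<ISO timestamp> <client IP> <method> <URL> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": parts.hostname or "",
            "path": parts.path, "status": int(status)}


def classify(entry):
    """Return the indicator categories one parsed entry matches (may be empty)."""
    hits = []
    if entry["path"] in DROPPER_PATHS:
        hits.append("dropper-url")
    try:
        addr = ipaddress.ip_address(entry["host"])
    except ValueError:
        addr = None  # a hostname rather than a literal IP
    if addr is not None:
        if str(addr) in C2_IPS:
            hits.append("c2-beacon")
        if any(addr in net for net in BLOCKLIST):
            hits.append("blocklisted")
    return hits


def scan(lines, window=timedelta(minutes=30)):
    """Alert on every hit; mark a client likely infected when it fetched a
    dropper URL and then beaconed to a C2 address within `window`.  A beacon
    with no observed dropper download is alerted on but not correlated, since
    the download may have happened off-proxy."""
    alerts, last_dropper, infected = [], {}, set()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        hits = classify(e)
        if not hits:
            continue
        alerts.append((e["client"], e["ts"].isoformat(), e["host"] + e["path"], hits))
        if "dropper-url" in hits:
            last_dropper[e["client"]] = e["ts"]
        if "c2-beacon" in hits:
            t0 = last_dropper.get(e["client"])
            if t0 is not None and e["ts"] - t0 <= window:
                infected.add(e["client"])
    return alerts, sorted(infected)


# Constructed sample log; internal clients are RFC 1918 addresses.
SAMPLE_LOG = """\
2016-01-07T10:15:02 10.0.0.14 GET http://www.example.org/index.html 200
2016-01-07T10:16:40 10.0.0.14 GET http://91.223.88.205/ideal/jenny.php 200
2016-01-07T10:17:05 10.0.0.14 POST https://78.47.119.93/ 200
2016-01-08T10:50:11 10.0.0.27 GET http://194.28.84.79/softparade/spanish.php 404
2016-01-11T09:02:33 10.0.0.31 GET http://www.vmodal.mx/5fgbn/7tfr6kj.exe 200
2016-01-11T09:05:10 10.0.0.31 POST https://114.215.108.157/ 200
2016-01-11T11:00:00 10.0.0.40 GET http://176.103.62.108/index.html 200
2016-01-11T12:30:00 10.0.0.52 POST https://78.47.119.93/ 200
"""


def run_sample():
    """Run the sweep over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    found, likely_infected = run_sample()
    for alert in found:
        print(alert)
    print("likely infected:", likely_infected)
```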



#1616 AplusWebMaster


Posted 12 January 2016 - 07:02 AM

FYI...

Fake 'Lattitude Invoice' SPAM - malicious attachment
- http://blog.dynamoo....ude-global.html
12 Jan 2016 - "This -fake- financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple -forgery- with a malicious attachment.
    From:    Darius Green
    Date:    12 January 2016 at 09:33
    Subject:    Lattitude Global Volunteering - Invoice - 3FAAB65
    Dear customer,
    Please find attached a copy of your final invoice for your placement in Canada.
    This invoice needs to be paid by the 18th January 2016.
    Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer  our bank details are.
    You must provie your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.
    Account Name:  Lattitude Global Volunteering
    Bank:                        Barclays Bank
    Sort Code:              20-71-03
    Account No.           20047376
    IBAN:                        GB13BARC20710320047376
    SWIFBIC:                  BARCGB22
    Kind regards
    Luis Robayo
    Accounts Department
    Lattitude Global Volunteering ...


I have personally only seen two samples so far with detection rates of 2/55 [1] [2]. These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:
31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php
This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be -malicious- and should be blocked.
31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)
A file kfc.exe is dropped onto the target system which has a detection rate of 6/52*... Those previous Malwr reports indicate that it phones home to a familiar IP of:
78.47.119.93 (Hetzner, Germany)
Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84
"
1] https://www.virustot...sis/1452594409/

2] https://www.virustot...sis/1452594427/

3] https://malwr.com/an...ThhZmQyMDYxMjM/

4] https://malwr.com/an...TMxM2Q2NjM3ZjM/

* https://www.virustot...sis/1452595124/

- http://myonlinesecur...dsheet-malware/
12 Jan 2016 - "An email with the subject of 'Lattitude Global Volunteering – Invoice – AF6643A' (random numbers) pretending to come from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

12 January 2016: Invoice – AF6643A.doc - Current Virus total detections 2/54*
MALWR analysis** shows it downloads Dridex banking malware from http :// 5.149.254.84/shifaki/indentification.php named as 120CR.exe, which looks suspiciously familiar from recent days (VirusTotal 6/54***)..."
* https://www.virustot...sis/1452591731/

** https://malwr.com/an...WE5MDRkZDE0MGU/
5.149.254.84
78.47.119.93


*** https://www.virustot...sis/1452592072/
___

Fake 'payment' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
12 Jan 2016 - "An email with the subject on the -theme- of payment, transaction, Transfer coming from random email addresses and random people with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These malicious word docs appear to be based on the Black Energy dropper described HERE:
> https://isc.sans.edu... Dropper/20601/
The email looks like:
From: Random senders like Hermione Acevedo <info@ gistparrot .com> or Avye Brown <werbeteam@ gmx .de>
Date: Tue 12/01/2016 06:02
Subject: Random subjects like Fwd: MGU  Transaction, AI  Transaction, VL  Payment, AJ  Transfer
    Good morning
    Please find the receipt attached to this message. The Transaction will be posted on your account in two days.  
    Regards
    Hermione Acevedo

-Or-
    Good Day
    Please check the invoice enclosed with this message. The Transaction will be posted on your bank within 1-2 days.  
    Best regards
    Avye Brown


12 January 2016: 51U5P05W22P34.doc - Current Virus total detections 1/54*  
ReverseIT analysis**. These are very -different- to previous macro word docs. This one contacts
crechemploi .be/wpl.jpg?ICpz8scC0AI=35 (VirusTotal 0/54***) and downloads an -image- file wpl.jpg which is extremely large 245kb for a small image. It looks like it has embedded -malware- inside it which in this example is named 3088239.exe (VirusTotal 2/55[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452581898/

** https://www.reverse....environmentId=1
195.154.231.179: https://www.virustot...79/information/
104.224.128.163: https://www.virustot...63/information/

*** https://www.virustot...sis/1452584610/

4] https://www.virustot...sis/1452585387/

crechemploi .be: 195.154.231.179: https://www.virustot...79/information/
___

Fake 'Payment Advice' SPAM - malicious attachment
- http://blog.dynamoo....0002014343.html
12 Jan 2016 - "This -fake- financial spam is not from Wipro but is instead a simple -forgery- with a malicious attachment.
    From:    Bhavani Gullolla [bhavani.gullolla1@ wipro .com]
    Date:    12 January 2016 at 09:51
    Subject:    Payment Advice - 0002014343
    Dear Sir/Madam,
    This is to inform you that we have initiated the electronic payment through our Bank.
    Please find attached payment advice which includes invoice reference and TDS deductions if any.
    Transaction Reference :
    Vendor Code :9189171523
    Company Code :WT01
    Payer/Remitters Reference No :63104335
    Beneficiary Details :43668548/090666
    Paymet Method : Electronic Fund Transfer
    Payment Amount :1032.00
    Currency :GBP
    Processing Date :11/01/2016 ...


The attachment is randomly-named in the format 9705977867.doc which I have seen in two different versions with detection rates of 5/54 [1] [2], and according to the Malwr reports [3] [4] they both download a -malicious- binary from:
hotpointrepair .info/u5y4g3/76u54g.exe
This download location is characteristic of the Dridex 220 botnet. The downloaded binary has a detection rate of 4/55* and this Malwr report** shows network traffic to:
199.231.189.9 (Interserver Inc, US)
I strongly recommend that you -block- this IP address..."
1] https://www.virustot...sis/1452596943/

2] https://www.virustot...sis/1452596954/

3] https://malwr.com/an...zA0NWIwOGJlZDg/
66.147.242.93
199.231.189.9
8.254.249.78


4] https://malwr.com/an...mY2OGExYWVmZjk/
66.147.242.93
199.231.189.9
184.28.188.195


* https://www.virustot...sis/1452597607/

** https://malwr.com/an...zNhOWM3MmZlMDU/
199.231.189.9
13.107.4.50


hotpointrepair .info: 66.147.242.93: https://www.virustot...93/information/
> https://www.virustot...611b3/analysis/
___

Fake 'Sales Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
12 Jan 2016 - "An email with the subject of 'Sales Invoice SIN040281 from Charbonnel et Walker Limited' pretending to come from Corinne Young <corinne.young@ charbonnel .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ed-1024x464.png

12 January 2016: SIN040281.DOC - Current Virus total detections 4/55*
Downloads Dridex banking malware from http ://hotpointrepair .info/u5y4g3/76u54g.exe (VirusTotal 1/55**)
-same- Dridex malware as other malspam runs. Note: Dridex updates frequently during the day, so you might get a different malware version... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452601210/

** https://www.virustot...sis/1452599104/
TCP connections
199.231.189.9: https://www.virustot....9/information/
13.107.4.50: https://www.virustot...50/information/

hotpointrepair .info: 66.147.242.93: https://www.virustot...93/information/
> https://www.virustot...611b3/analysis/
___

'LloydsLink online website changes' - PHISH
- http://myonlinesecur...anges-phishing/
12 Jan 2016 - "... Today’s example is an email received with a subject of 'LloydsLink online website changes' pretending to come from LloydsLink online <Hugo.Batzold@ lloydslink.online .lloydsbank .com>.
We have been seeing this sort of email for -numerous- banks recently... Note the 0 instead of the o in the second Lloyds... you see a webpage looking identical to the genuine Lloydslink log-in page; look carefully at the url in the top bar and you can see it isn't Lloyds at all but a -fake- site:

Screenshot: http://myonlinesecur...am-1024x365.png

If you still haven’t realised that it is a phishing attempt and give them your username & password, you will then get bounced on to the -genuine- Lloyds Bank site:
> https://lloydslink.o...gon/Logon.xhtml
... and think that you just didn’t enter details correctly or mistyped a digit and need to re-enter them and won’t even pay any attention, until you get the dreaded letter or phone call saying someone has emptied your bank account. All of these emails use Social engineering tricks to persuade you to follow the links or open the attachments that come with the email..."
___

Ransom32 – the malicious package
- https://blog.malware...icious-package/
Jan 11, 2016 - "Ransom32 is a new ransomware implemented in a very atypical style. Emsisoft provides a good description of its functionality here:
> http://blog.emsisoft...ipt-ransomware/
... we will focus on some implementation details of the malicious package. Ransom32 is delivered as an executable that is in reality a self-extracting WinRAR archive. By default it is distributed as a file with a .scr extension:
> https://blog.malware...ansom32_scr.png
The WinRAR script is used to drop files in the specified place and autorun the unpacked content... Installation directory created in %TEMP%... The unpacked content consists of the following files:
> https://blog.malware...m32_content.png
chrome.exe spoofs Google's browser, but in reality it is the element responsible for preparing and running the Node JS application (that is the -main- part of the ransomware). After chrome.exe is run from the %TEMP% folder, it installs the above files into %APPDATA% in the folder Chrome Browser:
> https://blog.malware...1/installed.png
... After encrypting the files, the ransom nag-window is displayed. The GUI is generated by JavaScript, with the layout defined by the included CSS:
> https://blog.malware...om32_screen.png
The internet connection is operated via the included Tor client – renamed to rundll32.exe ...
Conclusion: In the past, malware authors cared mostly about small size of their applications – that's why early viruses were written in assembler. Nowadays, technologies used and goals have changed. The most important consideration is not the size, but the ability to imitate legitimate applications, for the purpose of avoiding detection. Authors of Ransom32 went really far in this direction. Their package is huge in comparison to typical samples. It consists of various elements, including legitimate applications – i.e. the Tor client (renamed to rundll32.exe). The technology that they have chosen for the core – Node JS – is a complete change of direction from the malware written in low-level languages. However, compiled JavaScript (although it works about 30 percent slower than not compiled) is not very popular and there is a lack of tools to analyze it – which makes it a good point for malware authors, who gain some level of code protection..."
(More detail at the malwarebytes URL at the top.)
 



Edited by AplusWebMaster, 12 January 2016 - 09:15 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
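
Added example (my own, not code from the Malwarebytes or Emsisoft write-ups quoted above): a small Python triage check for the packaging trick Ransom32 uses, a PE with a .scr extension that is really a self-extracting WinRAR archive. It looks for the MZ header and then for RAR/ZIP/7z signatures after it and returns a verdict for the attachment. The sample bytes are constructed inside the block (not the real Ransom32 file); the signature constants are the standard archive magics, and the .scr/PE heuristics are my own assumptions about what a mail gateway should flag.

```python
import os

# Archive container signatures that a self-extracting (SFX) stub carries
# appended to, or embedded in, the PE executable.
ARCHIVE_MAGICS = {
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "zip":  b"PK\x03\x04",
    "7z":   b"7z\xbc\xaf\x27\x1c",
}

DOS_HEADER_SIZE = 0x40                 # search starts after the MZ header
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}   # assumption: what we treat as "runs directly"


def is_pe(data: bytes) -> bool:
    """Cheap PE check: DOS 'MZ' magic at offset 0."""
    return data[:2] == b"MZ"


def find_embedded_archives(data: bytes, start: int = DOS_HEADER_SIZE):
    """Return sorted (offset, kind) for every archive signature found after `start`."""
    hits = []
    for kind, magic in ARCHIVE_MAGICS.items():
        pos = data.find(magic, start)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Triage verdict for one mail attachment: 'clean', 'suspicious' or 'sfx-archive'."""
    ext = os.path.splitext(filename)[1].lower()
    pe = is_pe(data)
    archives = find_embedded_archives(data) if pe else []
    reasons = []
    if ext == ".scr":
        reasons.append("screensaver extension runs as an ordinary executable")
    if pe and ext not in EXEC_EXTENSIONS:
        reasons.append("PE header behind a non-executable extension")
    if archives:
        off, kind = archives[0]
        reasons.append("embedded %s archive at offset 0x%x (self-extracting stub)" % (kind, off))
        verdict = "sfx-archive"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"file": filename, "pe": pe, "ext": ext, "archives": archives,
            "verdict": verdict, "reasons": reasons}


# Constructed stand-in for a Ransom32-style .scr: an MZ stub followed by a RAR4
# header at offset 0x200.  This is NOT a real PE and NOT the real sample.
SAMPLE_SCR = b"MZ" + b"\x90" * 0x1fe + ARCHIVE_MAGICS["rar4"] + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("chrome_update.scr", SAMPLE_SCR), ("notes.txt", b"just text")):
        r = assess_attachment(name, blob)
        print(r["verdict"], name, "; ".join(r["reasons"]))
```

A hit is a reason to open the file as an archive instead of running it: `7z l file.scr` or `unrar l file.scr` will list the overlay, which is how you pull out the Node JS bundle and the Tor binary renamed to rundll32.exe for a look. Legitimate installers are SFX stubs too, so treat "sfx-archive" as send-to-sandbox rather than block-on-sight.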


#1617 AplusWebMaster


Posted 13 January 2016 - 06:01 AM

FYI...

MS account security info verification – Phish
- http://myonlinesecur...ation-phishing/
13 Jan 2016 - "... phishing attempts against Microsoft Office and Outlook accounts. This one starts with an email with the subject 'Microsoft account security info verification' pretending to come from Microsoft <security-noreply@ account .microsoft .com>. One of the major common subjects in this sort of phishing attempt is 'Your password will expire soon' or 'update your email' or something very similar. This one only wants your email / Microsoft account login details...

Screenshot: http://myonlinesecur...on-1024x550.png

The link behind the 'Upgrade Now' is http ://tenga .my/wp-content/outnew/index.php?email=victim@doamain.com. If you are unwise enough to follow the link you see a webpage looking like:
> http://myonlinesecur...in-1024x542.png
... which is a very good imitation of a genuine Microsoft 365 log on page. If you do fill in the email and password, you immediately get sent to the genuine Office 365 log on page and you just think that you might have entered the email or password incorrectly and do it again. All of these emails use Social engineering tricks to persuade you to follow links or open the attachments that come with the email..."

tenga .my: 181.224.159.177: https://www.virustot...77/information/
> https://www.virustot...my/information/
___

Fake 'Scanned Document' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
13 Jan 2016 - "An email with the subject of 'Scanned Document MRH Solicitors' pretending to come from Color @ MRH Solicitors <color93@ yahoo .co.uk> (random color numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Color @ MRH Solicitors <color93@ yahoo .co.uk>
Date: Wed 13/01/2016 08:26
Subject: Scanned Document
    Find the attachment for the scanned Document


13 January 2016: ScannedDocs122151.xls - Current Virus total detections 7/54*
Downloads Dridex banking malware from http ://armandosofsalem .com/l9k7hg4/b4387kfd.exe (VirusTotal 3/56**)...
DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...achment_id=5895
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452675230/

** https://www.virustot...sis/1452675552/

armandosofsalem .com: 192.254.189.167: https://www.virustot...67/information/

- http://blog.dynamoo....-color-mrh.html
13 Jan 2016 - "... The Hybrid Analysis* of the dropped binary shows attempted network traffic to the following domains:
exotelyxal .com
akexadyzyt .com
ekozylazal .com
These are hosted on an IP worth blocking:
158.255.6.128 (Mir Telematiki Ltd, Russia)"
* https://www.hybrid-a...environmentId=4
b4387kfd.exe
___

Fake 'Order' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
13 Jan 2016 - "An email with the subject of 'Order 0046/033777 [Ref. MARKETHILL CHURCH]' pretending to come from JOHN RUSSELL <John.Russell@ yesss .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...CH-1024x966.png

13 January 2016: Order 0046_033777 [Ref. MARKETHILL CHURCH].doc - Current Virus total detections 6/55*
MALWR** shows a download from http ://amyzingbooks .com/l9k7hg4/b4387kfd.exe which will be a Dridex banking malware (VirusTotal 2/55***). This site was used in earlier Dridex downloads today but -different- versions were offered... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452694400/

** https://malwr.com/su...mQ4YTdhOWY2NDA/

*** https://www.virustot...sis/1452695776/
TCP connections
85.25.200.103: https://www.virustot...03/information/

- http://blog.dynamoo....033777-ref.html
13 Jan 2016 - "... This binary has a detection rate of 4/53*. The Hybrid Analysis** shows the malware phoning home to:
85.25.200.103 (PlusServer AG, Germany)
I recommend that you -block- traffic to that IP."
* https://www.virustot...sis/1452699929/

** https://www.hybrid-a...environmentId=1
 



Edited by AplusWebMaster, 13 January 2016 - 11:32 AM.



#1618 AplusWebMaster


Posted 14 January 2016 - 07:11 AM

FYI...

Fake 'scanner' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
14 Jan 2016 - "An empty or blank email with the subject of 'Message from local network scanner' pretending to come from jpaoscanner at your own email domain with a malicious word doc attachment is another one from the current bot runs... The attachment to these is named Scann16011310150.docf. Note the F after the doc, which effectively makes them useless because Windows doesn't know what to do with them and asks you. They will open in Word, if you tell them to, and do contain a malicious macro that will infect you.  
Update: a second batch a few minutes after the first run now has a proper word doc attachment, although the body is still -blank- . The email looks like:
From: jpaoscanner@ ....co.uk
Date:Thu 14/01/2016 10:52
Subject: Message from local network scanner


Body content: EMPTY

12 January 2016: Scann16011310150.docf - Current Virus total detections 2/53*  
downloads Dridex banking malware from 199.59.58.162 :80 /~admin1/786h5g4/9787g4fr4.exe (VirusTotal 3/56**)
(reverseIT***)
12 January 2016: Scann16011310150.doc - Current Virus total detections 3/54[4]
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452768488/

** https://www.virustot...sis/1452770219/

*** https://www.reverse....environmentId=1
Contacted Hosts:
199.59.58.162: https://www.virustot...62/information/
188.138.88.14: https://www.virustot...14/information/

4] https://www.virustot...sis/1452769443/

- http://blog.dynamoo....al-network.html
14 Jan 2016 - "This -fake- document scan comes with a malicious attachment.
    From:    jpaoscanner@ victimdomain .tld
    Date:    14 January 2016 at 10:45
    Subject:    Message from local network scanner


There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a file Scann16011310150.docf which comes in at least -five- different versions... Hybrid Analysis shows one of the samples in action, downloading a binary from:
www .willsweb .talktalk .net/786h5g4/9787g4fr4.exe
This has a detection rate of 3/55*. That same analysis reports that it phones home to:
188.138.88.14 (PlusServer AG, France)... I strongly recommend that you -block- traffic to that IP..."
* https://www.virustot...sis/1452771350/
TCP connections
188.138.88.14: https://www.virustot...14/information/
13.107.4.50: https://www.virustot...50/information/
___

800 risk experts from 40 countries identify the top global business risks
- http://net-security....ld.php?id=19327
14 Jan 2016
> http://www.net-secur...cs-012016-1.jpg

>> http://www.net-secur...cs-012016-2.jpg
___

Evil network: 46.30.40.0/21...
- http://blog.dynamoo....te-llc-and.html
13 Jan 2016 23:23 - "... From looking around, it seemed that whoever Eurobyte rented servers to had an unhealthy interest in CryptoWall and the Angler EK. Eurobyte is a Russian hosting company, which in turn is a customer of Webzilla in the Netherlands... there are -thousands- of subdomains hosted in the 46.30.40.0/21 range, where the main domain (e.g. www) is hosted in a completely -different- location. The subdomains are then used to host malware such as the Angler Exploit Kit... What appears to be going on here is a domain shadowing attack on a massive scale[1], primarily leading victims to exploit kits. There do appear to be some genuine Russian-language sites hosted in this block. But if you don't tend to send visitors to Russian sites, I would very strongly recommend -blocking- 46.30.40.0/21 from your network... The attack is known sometimes as 'domain shadowing'... While researching this topic, I discovered that Talos had done some similar work* which also pointed a finger at Eurobyte and their very lax control over their network."
* http://blog.talosint...compromise.html
Jan 7, 2016 - "... when a provider is notified of -malicious- activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response led Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected since reporting the abuse alone is not enough."

1] http://blogs.cisco.c...owing#shadowing
 



Edited by AplusWebMaster, 14 January 2016 - 05:36 PM.

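
Added example (mine, not from the Dynamoo or Talos posts quoted above): a Python check for the domain-shadowing pattern described there, subdomains that resolve into 46.30.40.0/21 while the apex or www of the same domain is hosted somewhere else. Input is a list of (name, IP) pairs of the kind a passive-DNS export or your own resolver logs give you; the records in the block are constructed and do not describe real hosts. The apex is approximated as the last two labels, which is an assumption (use a public-suffix list, e.g. the publicsuffix2 package, so that .co.uk-style names are handled correctly).

```python
import ipaddress
from collections import defaultdict

# Range called out in the Dynamoo post quoted above.
SUSPECT_NET = "46.30.40.0/21"


def apex_of(fqdn: str, depth: int = 2) -> str:
    """Registrable domain, approximated as the last `depth` labels (assumption:
    a real deployment would consult a public-suffix list instead)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def shadowed_subdomains(records, suspect_net=SUSPECT_NET):
    """records: iterable of (name, ipv4) pairs.
    Returns (findings, no_baseline):
      findings    -> {apex: [(subdomain, ip), ...]} for subdomains that resolve into
                     suspect_net while the apex / www of that domain does not;
      no_baseline -> subdomains in suspect_net whose apex / www was absent from the
                     data, so the shadowing test could not be made."""
    net = ipaddress.ip_network(suspect_net)
    ips_of = defaultdict(set)
    for name, ip in records:
        ips_of[name.lower().rstrip(".")].add(ipaddress.ip_address(ip))

    def is_base(name, apex):
        return name == apex or name == "www." + apex

    # Baseline per apex: is the main site itself hosted in the suspect range?
    apex_in_net = {}
    for name, ips in ips_of.items():
        apex = apex_of(name)
        if is_base(name, apex):
            apex_in_net[apex] = apex_in_net.get(apex, False) or any(ip in net for ip in ips)

    findings, no_baseline = defaultdict(list), []
    for name, ips in ips_of.items():
        apex = apex_of(name)
        if is_base(name, apex):
            continue
        hits = sorted(ip for ip in ips if ip in net)
        if not hits:
            continue
        if apex not in apex_in_net:
            no_baseline.append(name)
        elif not apex_in_net[apex]:          # main site elsewhere, subdomain in the bad range
            findings[apex].extend((name, str(ip)) for ip in hits)
    return dict(findings), no_baseline


# Constructed passive-DNS style records; none of these are real resolutions.
SAMPLE_RECORDS = [
    ("example-shop.ru", "203.0.113.10"),
    ("www.example-shop.ru", "203.0.113.10"),
    ("h7q2ksd.example-shop.ru", "46.30.41.77"),     # shadowed
    ("mail3.example-shop.ru", "46.30.42.5"),        # shadowed
    ("legit-host.ru", "46.30.43.9"),                # genuinely hosted in the range
    ("www.legit-host.ru", "46.30.43.9"),
    ("blog.legit-host.ru", "46.30.43.9"),
    ("orphan.example.net", "46.30.44.1"),           # no apex record to compare against
    ("cdn.example.net", "198.51.100.7"),
]

if __name__ == "__main__":
    findings, no_baseline = shadowed_subdomains(SAMPLE_RECORDS)
    for apex, subs in findings.items():
        print("shadowed under", apex, ":", subs)
    print("no baseline for:", no_baseline)
```

The genuine Russian sites the post mentions are exactly the `legit-host.ru` case: apex and subdomains all in the range, so nothing is flagged. If you do not want to block the whole /21 as recommended, alerting on any resolver answer inside it is the cheaper middle ground.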


#1619 AplusWebMaster


Posted 15 January 2016 - 08:48 AM

FYI...

Fake 'order #7738326' SPAM - malicious attachment
- http://blog.dynamoo....38326-from.html
15 Jan 2016 - "This -fake- financial spam does not come from The Safety Supply Company but is instead a simple -forgery- with a malicious attachment:
    From:    Orders - TSSC [Orders@ thesafetysupplycompany .co.uk]
    Date:    15 January 2016 at 09:06
    Subject:    Your order #7738326 From The Safety Supply Company
    Dear Customerl
    Thank you for your recent purchase.
    Please find the details of your order through The Safety Supply Company attached to this email.
    Regards,
    The Sales Team


So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55*... likely to be the Dridex banking trojan. This Hybrid Analysis** on the first sample shows it downloading from:
149.156.208.41 /~s159928/786585d/08g7g6r56r.exe
That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to communicate with:
216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)
I have now seen another version of the DOC file [VT 4/54***] which has similar characteristics[4]... This related spam run gives some additional download locations:
nasha-pasika .lviv .ua/786585d/08g7g6r56r.exe
arm .tv/786585d/08g7g6r56r.exe
Sources also tell me that there is one at:
204.197.242.166 /~topbun1/786585d/08g7g6r56r.exe
Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
204.197.242.166
149.156.208.41
"
* https://www.virustot...sis/1452849120/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...sis/1452849706/

4] https://www.hybrid-a...environmentId=1

- http://myonlinesecur...dsheet-malware/
15 Jan 2016 - "An email with the subject of 'Your order #7738326 From The Safety Supply Company' pretending to come from 'Orders – TSSC <Orders@ thesafetysupplycompany .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Orders – TSSC <Orders@ thesafetysupplycompany .co.uk>
Date: Fri 15/01/2016 09:20
Subject: Your order #7738326 From The Safety Supply Company
    Dear Customerl
    Thank you for your recent purchase.
    Please find the details of your order through The Safety Supply Company attached to this email.
    Regards,
    The Sales Team


15 January 2016: Order.doc - Current Virus total detections 4/54*
downloads Dridex banking malware from 149.156.208.41 /~s159928/786585d/08g7g6r56r.exe (VirusTotal 2/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452851905/

** https://www.virustot...sis/1452851228/
___

SPAM with damaged or broken office doc or XLS attachments
- http://myonlinesecur...xls-attachment/
15 Jan 2016 - "The Dridex bots are still not having a good day today. The -3rd- malformed/damaged/broken malspam is an email with the subject of 'Statement' pretending to come from Kelly Pollard <kelly.pollard@ carecorner .co.uk> with a -damaged- attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... Some malformed or misconfigured email servers might attempt to fix the broken email and actually deliver a working copy.
The damaged/broken attachment has a name something like Statement 012016.doc
Downloading this one from quarantine on my server gives what looks like a genuine word doc, unlike the earlier ones. VirusTotal Detections 7/55* which will attempt to download Dridex banking malware... (waiting for analysis) please check back later..."
* https://www.virustot...sis/1452864034/
Statement 012016.doc

- http://blog.dynamoo....ment-kelly.html
15 Jan 2016 - "This fake financial spam is meant to have a malicious attachment, but it is corrupt:
   From     Kelly Pollard [kelly.pollard@ carecorner .co.uk]
    Date     Fri, 15 Jan 2016 13:56:01 +0200
    Subject     Statement
    Your report is attached in DOC format.
    Kelly Pollard
    Marketing Manager ...


The attachment is named Statement 012016.doc but due to an error in the email it is corrupt, and is either zero length or will produce garbage. If it were to work, it would produce a payload similar to that found here* and here**, namely the Dridex banking trojan. This is the -third- corrupt Dridex run today..."
* http://blog.dynamoo....ge-from-mx.html
15 Jan 2015
** http://blog.dynamoo....eservation.html
15 Jan 2015
 



Edited by AplusWebMaster, 15 January 2016 - 11:14 AM.



#1620 AplusWebMaster


Posted 18 January 2016 - 07:58 AM

FYI...

Fake 'Invoice January' SPAM - malicious attachment
- http://blog.dynamoo....uary-baird.html
18 Jan 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers but is instead a simple -forgery- with a malicious attachment.
    From     "A . Baird" [ABaird@ jtcp .co.uk]
    Date     Mon, 18 Jan 2016 16:17:20 +0530
    Subject     Invoice January
    Hi,
    We have been paid for much later invoices but still have the attached invoice as
    outstanding.
    Can you please confirm it is on your system and not under query.
    Regards
      Alastair Baird
      Financial Controller ...


Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday... The payload is meant to be the Dridex banking trojan...
UPDATE: A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
emirelo .com/786585d/08g7g6r56r.exe
esecon .com.br/786585d/08g7g6r56r.exe
outago .com/786585d/08g7g6r56r.exe
This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54*. The same source identifies the following C2 servers which are worth blocking:
192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173
"
* https://www.virustot...c4bcf/analysis/
TCP connections
192.232.204.53: https://www.virustot...53/information/
13.107.4.50: https://www.virustot...50/information/

- http://myonlinesecur...xls-attachment/
18 Jan 2016 - "The Dridex bots are -still- not having a good day today. On Friday they sent -3- different malformed/damaged/broken malspams. Today, the first damaged/malformed/broken one is an email with the subject of 'Invoice January' pretending to come from A . Baird <ABaird@ jtcp .co.uk> with a -damaged- attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... The -damaged/broken- attachment has a name something like INV-IN174074-2016-386.doc
Downloading this one from quarantine on my server gives what looks like a genuine word doc..
VirusTotal Detections 5/55* which will attempt to download Dridex banking malware from
[emirelo .com/786585d/08g7g6r56r.exe] (VirusTotal 3/54**)  Payload Security / ReverseIT Analysis***
The email looks like:
From: A . Baird <ABaird@ jtcp .co.uk>
Date: Mon 18/01/2016 09:45
Subject: Invoice January
    Hi,
    We have been paid for much later invoices but still have the attached invoice as outstanding.
    Can you please confirm it is on your system and not under query.
    Regards
    Alastair Baird
    Financial Controller ...


This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run -will- infect you. Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should be automatically set to higher security to protect you...
By default protected view is enabled and macros are disabled, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you...
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1453114324/

** https://www.virustot...sis/1453115492/
192.232.204.53: https://www.virustot...53/information/
13.107.4.50: https://www.virustot...50/information/

*** https://www.reverse....environmentId=1
Contacted Hosts
194.24.228.5: https://www.virustot....5/information/
192.232.204.53: https://www.virustot...53/information/
___

Fake 'Statements' SPAM - malicious attachment
- http://blog.dynamoo....nts-alison.html
18 Jan 2016 - "This -fake- financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
    From     Alison Smith [ASmith@ jtcp .co.uk]
    Date     Mon, 18 Jan 2016 18:27:36 +0530
    Subject     Statements
    Sent 12 JAN 16 15:36
    J Thomson Colour Printers
    14 Carnoustie Place
    Glasgow
    G5 8PB ...


Attached is a file S-STA-SBP CRE (0036).xls which is actually -corrupt- due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since -Friday- the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one*, also spoofing the same company."
* http://blog.dynamoo....uary-baird.html

- http://myonlinesecur...xls-attachment/
18 Jan 2016 - "...  damaged/broken attachment has a name something like S-STA-SBP CRE (0036).xls ... it would if fixed, download -Dridex- from the same locations as today’s earlier malspam runs..."
___

LastPass - Phish...
- https://www.seancass...e/lostpass.html
2016-01-18 - "... discovered a -phishing- attack against LastPass that allows an attacker to steal a LastPass user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass. I call this attack 'LostPass'... Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well:
> https://www.seancass...tpass_login.png
...
> https://www.seancass...astpass_2fa.png
... Here's an image of LastPass and LostPass for Firefox on Windows 8 side-by-side. Which one is which?:
> https://www.seancass...ass_firefox.png "
 



Edited by AplusWebMaster, 18 January 2016 - 10:39 AM.

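
Added example (my own, not from either blog quoted in these posts): Python that refangs the IOCs exactly as the posts write them (spaces before dots, "[DOT]", a space before the port and path), splits them into hosts and payload paths, and runs them over proxy log lines. The third check generalises what the posts observe for 786585d/08g7g6r56r.exe, the same directory and file name on many unrelated compromised hosts (emirelo .com, esecon .com.br, outago .com and the earlier ones): any .exe path served by three or more distinct hosts is reported even if none of them is on the list yet. The log lines are constructed; only the hosts that appear in the posts are real indicators, the others are placeholders, and the log layout (epoch client method url status) is an assumption about your proxy format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Download locations and C2 addresses as the posts above defang them.
RAW_IOCS = [
    "hotpointrepair .info/u5y4g3/76u54g.exe",
    "http :// www .cnbhgy .com/786585d/08g7g6r56r.exe",
    "seaclocks .co .uk/786585d/08g7g6r56r.exe",
    "emirelo .com/786585d/08g7g6r56r.exe",
    "149.156.208.41 /~s159928/786585d/08g7g6r56r.exe",
    "199.59.58.162 :80 /~admin1/786h5g4/9787g4fr4.exe",
    "antivirus-dld[DOT]com",
    "216.59.16.175",
    "192.232.204.53",
]


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the quoted posts."""
    s = ioc.strip()
    s = re.sub(r"\[(?:dot|\.)\]|\(dot\)", ".", s, flags=re.I)   # a[DOT]b, a[.]b, a(dot)b
    s = re.sub(r"^hxxp", "http", s, flags=re.I)                  # hxxp:// -> http://
    s = re.sub(r"\s*:\s*//\s*", "://", s)                        # "http :// www" -> "http://www"
    s = re.sub(r"\s+:(\d+)\s*/", r":\1/", s)                     # "1.2.3.4 :80 /p" -> "1.2.3.4:80/p"
    s = re.sub(r"(?<=[A-Za-z0-9])\s+/", "/", s)                  # "1.2.3.4 /~u" -> "1.2.3.4/~u"
    s = re.sub(r"\s+\.(?=[A-Za-z0-9])", ".", s)                  # "www .host .com" -> "www.host.com"
    return s


def split_ioc(ioc: str):
    """(hostname, path) of a refanged IOC; a bare host or IP yields path '/'."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s
    u = urlsplit(s)
    return u.hostname, u.path or "/"


def build_indicators(raw_iocs):
    """Exact hosts to block and payload paths to watch for on any host."""
    hosts, paths = set(), set()
    for ioc in raw_iocs:
        host, path = split_ioc(ioc)
        hosts.add(host)
        if path != "/":
            paths.add(path)
    return hosts, paths


# Constructed proxy log (assumed layout: epoch client method url status).
LOG_LINES = """\
1453194400 10.0.0.15 GET http://www.cnbhgy.com/786585d/08g7g6r56r.exe 200
1453194405 10.0.0.22 GET http://mosaicambrosia.com/786585d/08g7g6r56r.exe 200
1453194410 10.0.0.22 POST http://216.59.16.175/ 200
1453194420 10.0.0.31 GET http://intranet.example.local/wiki/index.php 200
1453194430 10.0.0.40 GET http://outago.com/786585d/08g7g6r56r.exe 404
1453194440 10.0.0.51 GET http://downloads.example.org/updates/setup.exe 200
"""


def scan_proxy_log(lines, hosts, paths, min_hosts_per_path=3):
    """Return (client, kind, detail) alerts: exact host hits, known payload paths on
    hosts not yet listed, and any .exe path served by many distinct hosts."""
    alerts = []
    hosts_per_path = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        u = urlsplit(url)
        host, path = (u.hostname or "").lower(), u.path or "/"
        if host in hosts:
            alerts.append((client, "blocklisted-host", url))
        elif path in paths:
            alerts.append((client, "known-payload-path-new-host", url))
        if path.lower().endswith(".exe"):
            hosts_per_path[path].add(host)
    for path, served_by in hosts_per_path.items():
        if len(served_by) >= min_hosts_per_path:
            alerts.append(("-", "payload-path-on-%d-hosts" % len(served_by), path))
    return alerts


if __name__ == "__main__":
    hosts, paths = build_indicators(RAW_IOCS)
    for alert in scan_proxy_log(LOG_LINES.splitlines(), hosts, paths):
        print(*alert)
```

The path match is a tripwire, not a lasting signature: as both blogs note, the download path changes with each run, so refresh the list from the day's posts and expect the many-hosts check to do the work once the path rotates.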


#1621 AplusWebMaster


Posted 19 January 2016 - 09:16 AM

FYI...

Fake 'Insurance' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
19 Jan 2016 - "The Dridex bots are still having problems again today. Their latest attempt is an email with the subject of 'Thank you for purchasing from Cheaper Travel Insurance – 14068156' pretending to come from info87@ Resellers.insureandgo .com (the info number is random) with a malicious word doc attachment is another one from the current bot runs... While they appear to have fixed the malware attachments, they instead have introduced a new bug and are sending broken emails with -garbled- content... when corrected it will look something like this:

Screenshot: http://myonlinesecur...APER-TRAVEL.png

19 January 2016: 14068156.doc - Current Virus total detections 4/55*
[MALWR**] attempts to download Dridex banking malware from
http :// www .cnbhgy .com/786585d/08g7g6r56r.exe but seems to be having problems and timing out... Update: it eventually downloaded (VirusTotal 2/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453193244/

** https://malwr.com/an...mQ1MDFjYmNiNDc/
123.1.157.76
216.59.16.175
13.107.4.50


*** https://www.virustot...sis/1453194356/
TCP connections
216.59.16.175
8.254.218.14


- http://blog.dynamoo....purchasing.html
19 Jan 2016 - "This -fake- financial spam comes with a malicious attachment:

Header screenshot: http://www.insureand...aper_header.jpg
Your policy number: MF/CP/205121/14068156
Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Date: 18/01/2016
Amount: £849.29
Quote number: 21272810
Policy number: MF/CP/205121/14068156 ...


The sender appears to be from info[some-random-number]@ Resellers.insureandgo .com, but it is just a simple forgery. Attached is a malicious Word document, of which I have seen -five- different versions... download locations as:
www .cnbhgy .com/786585d/08g7g6r56r.exe
seaclocks .co .uk/786585d/08g7g6r56r.exe
mosaicambrosia .com/786585d/08g7g6r56r.exe
This has a VirusTotal result of 3/54*.... combined with this Hybrid Analysis** show traffic to:
216.59.16.175 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
200.57.183.176 (Triara.com, S.A. de C.V., Mexico)
62.109.133.248 (Ignum s.r.o, Czech Republic)
103.23.154.184 (Ozhosting.com Pty Ltd, Australia)
41.38.18.230 (TE Data, Egypt)
202.137.31.219 (Linknet, Indonesia)
176.53.0.103 (Network Devices, Turkey)
The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign...
Recommended blocklist:
216.59.16.175
195.96.228.199
200.57.183.176
62.109.133.248
103.23.154.184
41.38.18.230
202.137.31.219
176.53.0.103


* https://www.virustot...sis/1453194985/
TCP connections
216.59.16.175
8.254.218.14


** https://www.hybrid-a...environmentId=4
___

Fake 'Payment overdue' SPAM -  malicious attachment
- http://blog.dynamoo....nt-overdue.html
19 Jan 2016 - "This -fake- financial spam does not come from the Daily Mail, but is instead a simple -forgery- with a malicious attachment:
    From     Raashida Sufi [Raashida.Sufii@ dmgmedia .co.uk]
    Date     Tue, 19 Jan 2016 11:40:37 +0300
    Subject     Daily Mail - Payment overdue
    Hi,
    I have currently taken over from my colleague Jenine so will be your new POC going
    forward.
    I have attached an invoice that is currently overdue for £360.00. Kindly email me
    payment confirmation today so we can bring your account up to date?
    Kind Regards
    Rash Sufi ...


I have seen -three- different versions of the malicious attachment Invoice.doc (VirusTotal results 4/53[1]...). The Malwr analysis of these documents [4]... shows that the payload is identical to the Dridex banking trojan described here*."
1] https://www.virustot...sis/1453197760/

4] https://malwr.com/an...WI0MGM2ODM3ZGY/
23.229.242.73
216.59.16.175
13.107.4.50


* http://blog.dynamoo....purchasing.html

- http://myonlinesecur...rd-doc-malware/
19 Jan 2016 - "... an email with the subject of 'Daily Mail – Payment overdue'... with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ue-1024x775.png

19 January 2016: Invoice.doc - Current Virus total detections 4/53*
This will download Dridex banking malware [ http :// www .cnbhgy .com/786585d/08g7g6r56r.exe ] which is the same location and malware as today’s earlier malspam run**..."
* https://www.virustot...sis/1453195633/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo....e-1b859e37.html
19 Jan 2016 - "This -fake- financial spam does not come from Bellingham + Stanley but is instead a simple -forgery- with a malicious attachment. Reference numbers and sender names will vary.
    From:    Adeline Harrison [HarrisonAdeline20@ granjacapital .com.br]
    Date:    19 January 2016 at 09:45
    Subject:    Remittance Advice 1B859E37
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on your account.
    Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Adeline Harrison ...


I have seen at least -four- different variations of the attachment, named in the format remittance_advice14DDA974.doc ... Malwr reports... show those samples communicating with:
http :// 179.60.144.19/victor/onopko.php
http :// 5.34.183.127/victor/onopko.php
Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)
UPDATE 1:  this related spam run also downloads from:
91.223.88.206/victor/onopko.php
This is allocated to "Private Person Anton Malyi" in Ukraine. A file aarab.exe is dropped... [VT 4/53*] which appears to communicate** with:
198.50.234.211 (OVH, Canada)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan, this attack is consistent with botnet 120.
UPDATE 2: This other Dridex 120 spam run[1] uses different download locations:
46.17.100.209 /aleksei/smertin.php
31.131.20.217 /aleksei/smertin.php
The dropped "aarab.exe" file is also different... and a detection rate of just 2/54***.
Recommended blocklist:
198.50.234.211
179.60.144.19
5.34.183.127
91.223.88.206
46.17.100.209
31.131.20.217
"
* https://www.virustot...sis/1453202263/

** https://malwr.com/an...TcxZmNhYjNkNjk/
198.50.234.211
13.107.4.50


1] http://blog.dynamoo....advice-for.html

*** https://www.virustot...sis/1453211427/

- http://myonlinesecur...rd-doc-malware/
19 Jan 2016 - "Dridex is definitely back with a vengeance today. The latest one of a long line is an email with the subject of 'Remittance Advice For Invoice 04050722' from C-Tech (random numbers) pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Carey Lucas <LucasCarey44@ search4what .com>
Date: Tue 19/01/2016 09:41
Subject: Remittance Advice For Invoice 04050722 From C-Tech
    Dear Accounts
    Please find attached our current remittance advice.
    Kind Regards
    Carey Lucas MAAT
    Accounts Assistant ...


19 January 2016: C-Tech Remittance04050722.doc - Current Virus total detections 3/55*
downloads an -updated- Dridex banking malware from the ones described in this earlier run** from
 http :// 46.17.100.209 /aleksei/smertin.php or http :// 31.131.20.217 /aleksei/smertin.php (VirusTotal 2/54***)
Each attempt at download seems to give me a -different- named file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453211898/

** http://myonlinesecur...dsheet-malware/

*** https://www.virustot...sis/1453211427/
aarab.exe

46.17.100.209: https://www.virustot...09/information/

31.131.20.217: https://www.virustot...17/information/
___

Twitter is back up ...
- http://www.theinquir...er-major-outage
Jan 19 2016 - "... Twitter was down for a decent time this morning. Long enough for people to start noticing and complaining about it on things like Facebook and in person... Twitter's status page*, which is presented through Yahoo's Tumblr, shows a trio of recent incidents..."
* http://twitterstatus.tumblr.com/
___

2016 Cisco Annual Security Report
- http://blogs.cisco.c...security-report
Jan 19, 2016 - "Our just-released 2016 Cisco Annual Security Report (ASR*) presents a challenging cybersecurity landscape: cyber defense teams are fighting to keep up with rapid global digitization while trying to integrate dozens of vendor solutions, speed up detection, and educate their organizations from top to bottom... attackers grow more bold, flexible, and resilient by the day, setting up professional infrastructures that look a lot like what we’d find in legitimate businesses. On the global front, we see fluctuations in cyber Internet governance across regions, which inhibits collaboration and the ability to respond to attacks... This year's ASR reveals that attackers increasingly use legitimate online resources to launch their malicious campaigns. Though the news might speak to zero-day attacks, hackers also continue to deploy age-old malware to take advantage of weak spots such as unpatched servers. Aging infrastructure opens up green-field attack surfaces while uneven or inconsistent security practices remain a challenge... Other key insights from the 2016 ASR include a growing encryption trend (particularly HTTPS) for web traffic, which often provides a false sense of security to users—and for companies, potentially cloaks suspicious activity. We are also seeing more use of compromised WordPress servers to support ransomware, bank fraud, and phishing attacks. Alarmingly, between February and October 2015, the number of compromised WordPress installations used by cybercriminals grew by more than 221%... Increased attention, measurable results, added resilience, and focusing on what we can control are all possible now – so let’s capitalize on the moment before it’s too late."
(More detail at the cisco URL above.)
* http://www.cisco.com...yCode=001031952
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 19 January 2016 - 04:24 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
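The two "Recommended blocklist" sections in this post (Dridex botnet 220 from the 'Cheaper' run and botnet 120 from the 'Remittance Advice' run) are meant to be turned into egress rules, and dynamoo's note that the same payload path 786585d/08g7g6r56r.exe was served from three unrelated compromised hosts is the reason a proxy-log check should key on the URI path rather than the host. The script below is an added example written for this thread, not code from dynamoo or myonlinesecurity. It parses Squid native-format access.log lines, tags any line whose destination or URL host is in either blocklist or whose path is one of the three payload paths quoted above, and emits iptables DROP rules for a blocklist. Only the blogs' recommended IPs are used; the extra addresses in the sandbox connection lists (13.107.4.50, the 8.254.x.x entries) are deliberately left out because the reports do not recommend blocking them. The log lines are constructed for the demo (10.0.0.x clients, RFC 5737 addresses for the download host and the clean site) and are not real captures.

```python
"""Match outbound proxy-log lines against the Dridex IOCs quoted in this post."""
import ipaddress
from urllib.parse import urlsplit

# IPs copied from the two "Recommended blocklist" sections above (botnet 220 and 120).
DRIDEX_220_C2 = {
    "216.59.16.175", "195.96.228.199", "200.57.183.176", "62.109.133.248",
    "103.23.154.184", "41.38.18.230", "202.137.31.219", "176.53.0.103",
}
DRIDEX_120_C2 = {
    "198.50.234.211", "179.60.144.19", "5.34.183.127", "91.223.88.206",
    "46.17.100.209", "31.131.20.217",
}
# Payload paths from the same reports. The first one was served from three unrelated
# compromised hosts, so the URI path is a steadier indicator than the host name.
PAYLOAD_PATHS = {"/786585d/08g7g6r56r.exe", "/victor/onopko.php", "/aleksei/smertin.php"}


def parse_squid_line(line):
    """Pull client, method, URL and destination IP out of a Squid native access.log line.

    Field order: time elapsed client code/status bytes method url ident peer/dst type.
    Returns None when the line is too short to carry a peer/dst field.
    """
    f = line.split()
    if len(f) < 9 or "/" not in f[8]:
        return None
    return {"client": f[2], "method": f[5], "url": f[6], "dst": f[8].split("/", 1)[1]}


def classify(line):
    """Return the IOC tags a log line matches; an empty list means no match."""
    rec = parse_squid_line(line)
    if rec is None:
        return []
    parts = urlsplit(rec["url"])          # CONNECT targets ("ip:443") have no scheme/host
    host = parts.hostname or ""
    tags = []
    for tag, c2 in (("dridex220-c2", DRIDEX_220_C2), ("dridex120-c2", DRIDEX_120_C2)):
        if rec["dst"] in c2 or host in c2:
            tags.append(tag)
    if parts.path in PAYLOAD_PATHS:
        tags.append("dridex-payload-path")
    return tags


def scan(lines):
    """Return (client, url, tags) for every line that matches at least one IOC."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            rec = parse_squid_line(line)
            hits.append((rec["client"], rec["url"], tags))
    return hits


def iptables_drop_rules(ips):
    """Egress DROP rules for a blocklist, in numeric IP order (iptables syntax)."""
    return [f"iptables -A OUTPUT -d {ip}/32 -j DROP"
            for ip in sorted(ips, key=ipaddress.ip_address)]


# Constructed log lines for the demo (internal 10.0.0.x clients, RFC 5737 addresses
# for the download host and the clean site); these are not real captures.
SAMPLE_LOG = [
    "1453194356.101 312 10.0.0.17 TCP_MISS/200 221184 GET http://www.cnbhgy.com/786585d/08g7g6r56r.exe - HIER_DIRECT/203.0.113.9 application/x-msdownload",
    "1453194372.455 40 10.0.0.17 TCP_TUNNEL/200 1337 CONNECT 216.59.16.175:443 - HIER_DIRECT/216.59.16.175 -",
    "1453202301.220 280 10.0.0.23 TCP_MISS/200 198656 GET http://5.34.183.127/victor/onopko.php - HIER_DIRECT/5.34.183.127 application/octet-stream",
    "1453202355.007 12 10.0.0.23 TCP_MISS/200 4096 GET http://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html",
]

if __name__ == "__main__":
    for client, url, tags in scan(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(tags)}]")
    print("\n".join(iptables_drop_rules(DRIDEX_220_C2 | DRIDEX_120_C2)))
```

The first sample line is caught purely on the path even though its host and destination are not on any list, which is the point of keying on the path; the CONNECT line is caught on the tunnel destination alone, since a TLS tunnel gives the proxy no URL to inspect.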


#1622 AplusWebMaster

Posted 20 January 2016 - 06:34 AM

FYI...

 

The 25 worst passwords of 2015
- https://nakedsecurit...-make-the-list/
20 Jan 2016
> https://sophosnews.f...d-rank-list.png
___
 

Fake 'Tax Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
20 Jan 2016 - "The Dridex bots seem to have fixed their problems with this email pretending to be a tax invoice with the subject of 'Tax Invoice IN092649' pretending to come from Karin Edwards <karin.edwards@ batonlockuk .com> with a malicious word doc or Excel XLS spreadsheet attachment which downloads Dridex banking Trojan/Malware... The email looks like:
From: Baton Lock Ltd <karin.edwards@ batonlockuk .com>
Date:Wed 20/01/2016 10:36
Subject: Tax Invoice IN092649
    Tax Invoice IN092649 from Baton Lock Ltd.
    Best Regards
    Karin Edwards
    Baton Lock Ltd


20 January 2016: Tax Invoice IN092649.DOC - Current Virus total detections 3/54*
Downloads Dridex banking malware... [I expect it to be the same locations as this earlier run[1] and will update if there is any difference]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453285912/

1] http://myonlinesecur...xls-attachment/

- http://blog.dynamoo....2649-karin.html
20 Jan 2016 - "This -fake- financial spam is not from Baton Lock Ltd but is instead a simple -forgery- with a malicious attachment.
    From:    Karin Edwards [karin.edwards@ batonlockuk .com]
    Date:    20 January 2016 at 09:34
    Subject:    Tax Invoice IN092649
    Tax Invoice IN092649 from Baton Lock Ltd.
    Best Regards
    Karin Edwards
    Baton Lock Ltd


Attached is a file Tax Invoice IN092649.DOC which comes in at least two different versions (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] downloads from:
www .lassethoresen .com/98jh6d5/89hg56fd.exe
www .helios .vn/98jh6d5/89hg56fd.exe
The dropped file is Dridex, the same as used in this campaign*."
* http://blog.dynamoo....on-its-way.html

1] https://www.virustot...sis/1453286684/

2] https://www.virustot...sis/1453286698/

3] https://malwr.com/an...WRjMmMwM2MyNTE/
198.173.254.216
37.49.223.235
62.221.68.80
216.224.175.92
13.107.4.50


4] https://malwr.com/an...jI3NDgzZTNiOGY/
103.28.38.14
216.224.175.92
13.107.4.50

___

Fake 'Invoice / Credit Note' SPAM - malicious attachment
- http://blog.dynamoo....redit-note.html
20 Jan 2016 - "This -fake- financial spam is not from Express Newspapers but is instead a simple -forgery- with a malicious attachment:
    From:    georgina.kyriacoumilner@ express .co.uk
    Reply-To:    hannah.johns@ express .co.uk
    Date:    20 January 2016 at 14:28
    Subject:    Invoice / Credit Note Express Newspapers (S174900)
    Please find attached Invoice(s) / Credit Note(s) from Express Newspapers...
    N.B. Please do not reply to this email address as it is not checked.
    Kind Regards,
    Express Newspapers...


Attached is a file S174900.DOC which comes in at least three different versions... and the Malwr reports for those... shows the following download locations:
www .helios .vn/98jh6d5/89hg56fd.exe [404 error]
202.191.112.60 /~n02022-1/98jh6d5/89hg56fd.exe
www .lassethoresen .com/98jh6d5/89hg56fd.exe
These are the same locations as seen here*, but now the payload has -changed- ... and a detection rate of 1/54**. The malware still phones home to
216.224.175.92 (SoftCom America Inc, US) which I recommend you -block-"
* http://blog.dynamoo....on-its-way.html

** https://www.virustot...sis/1453307125/
TCP connections
216.224.175.92
13.107.4.50


- http://myonlinesecur...-macro-malware/
20 Jan 2016 - "... an email that pretends to be an invoice/credit note from express newspapers with the subject of 'Invoice / Credit Note Express Newspapers (S174900)' pretending to come from georgina.kyriacoumilner@ express .co.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...00-1024x609.png

20 January 2016: S174900.DOC - Current Virus total detections 1/53*
Downloads Dridex from www .lassethoresen .com/98jh6d5/89hg56fd.exe and I am sure other versions of this attachment will download from all the other Dridex locations today** ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453306851/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Letter-response' SPAM - malicious attachment
- http://blog.dynamoo....205-letter.html
20 Jan 2016 - "...  this -fake- financial email isn't from Tim or Plan4Print (aka Excel Colour Print) at all, but is a simple -forgery- with a malicious attachment.
    From     Tim Speed [Tim@ plan4print .co.uk]
    Date     Wed, 20 Jan 2016 14:33:24 +0300
    Subject     Emailing: 120205 Letter-response A3 2-2
    Hi
    Please find estimate attached for Letter-response A3 2-2
    Kind regards
    Tim Speed
    Estimator / Account Handler ..


Attached is a file 120205 Letter-response A3 2-2.doc of which I have seen just a single sample, with a VirusTotal result of 3/54*. The Malwr report** shows it downloading from:
www .lassethoresen .com/98jh6d5/89hg56fd.exe
This is the same malicious binary as used in this earlier attack***. The payload is the Dridex banking trojan."
* https://www.virustot...sis/1453293437/

** https://malwr.com/an...zc5Y2UyYjFiMjc/
198.173.254.216
216.224.175.92
8.253.44.158


*** http://blog.dynamoo....on-its-way.html

- http://myonlinesecur...rd-doc-malware/
20 Jan 2016 - "... an email with the subject of 'Emailing: 120205 Letter-response A3 2-2' pretending to come from Tim Speed <Tim@plan4print .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-2-1024x676.png

20 January 2016: 120205 Letter-response A3 2-2.doc - Current Virus total detections 3/54*
Downloads an -updated- Dridex version from today’s earlier ones from http ://www.helios .vn/98jh6d5/89hg56fd.exe (VirusTotal 1/54**) I am sure all the other same locations*** will also be used in different versions of this attachment..."

* https://www.virustot...sis/1453296447/

** https://www.virustot...sis/1453296242/
TCP connections
216.224.175.92: https://www.virustot...92/information/
13.107.4.50: https://www.virustot...50/information/

*** http://myonlinesecur...xls-attachment/
___

Fake 'Order Confirmation' SPAM - doc/xls attachment
- http://myonlinesecur...xls-attachment/
20 Jan 2016 - "The Dridex bots are back to having another bad day. Over the last few days they have sent numerous different malformed/damaged/broken malspams. Today, the first one is a damaged/malformed/broken email with the subject of 'Emailed Order Confirmation – 94602:1' pretending to come from DANE THORNTON <dane@ direct-electrical .com> with a damaged attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... The damaged/broken attachment has a name something like Order_94602~1.doc . It would, if fixed, download Dridex. The email looks like:
From: DANE THORNTON <dane@ direct-electrical .com>
Date: Wed 20/01/2016 08:55
Subject: Emailed Order Confirmation – 94602:1
DANE THORNTON


This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

- http://blog.dynamoo....iled-order.html
20 Jan 2016 - "This -fake- financial spam is meant to have a malicious attachment.
    From     "DANE THORNTON" [dane@ direct-electrical .com]
    Date     Wed, 20 Jan 2016 16:31:21 +0800
    Subject     Emailed Order Confirmation - 94602:1
    --
    DANE THORNTON


Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up..."
___

MSN - More Malware via Malvertising
- https://blog.malware...a-malvertising/
Jan 19, 2016 - "Malvertisers are once again abusing ad technology platform AdSpirit and exposing visitors of the MSN homepage to malware. These attacks appeared to have been primarily focused on German users via an ad for Lidl, one of Germany’s leading supermarkets. This is not the first time we have caught malvertising on MSN or via AdSpirit. Each time, we spot telltale signs of suspicious activity with advertiser domains freshly created a few days prior to the attack or hiding behind the CloudFlare service.
Perhaps the only surprise here was to find -different- exploit kits than the usual Angler EK to carry out the execution to the malware payload. In two separate incidents, we observed the RIG and Neutrino exploit kits... While we did not collect the payload in these specific attacks, other similar captures of RIG during the same time frame show that -CryptoWall-ransomware- was downloaded onto vulnerable machines:
> https://blog.malware..._Cryptowall.png
We immediately notified AdSpirit about those incidents which were confirmed and addressed promptly. AppNexus also deactivated the offending ad objects and will be doing a further review about these attacks. To prevent these malvertising infections please ensure that your computer is up-to-date and that you are running the right security tools to mitigate those attacks..."
___

Trojan for Linux takes screenshots
- https://news.drweb.c...&c=5&lng=en&p=0
Jan 19, 2016 - "Malware for Linux becomes more and more diverse. Among them are spyware programs, ransomware, and Trojans designed to carry out DDoS attacks. Doctor Web security researchers examined yet another cybercriminals’ creation dubbed Linux.Ekoms.1. This Trojan can periodically take screenshots and download different files to a compromised machine. Once launched, Linux.Ekoms.1 checks whether one of the subfolders in the home directory contains files with specified names. If it fails to find any, it randomly chooses a subfolder to save its own copy there. Then, the Trojan is launched from the new location. If successful, the malicious program establishes a connection to the server whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted. Every 30 seconds the Trojan takes a screenshot and saves it to a temporary folder in the JPEG format. If the file is not saved, the Trojan tries to save it in the BMP format. The temporary folder is downloaded to the server in specified intervals..."
 



Edited by AplusWebMaster, 20 January 2016 - 04:12 PM.



#1623 AplusWebMaster

Posted 21 January 2016 - 08:06 AM

FYI...

Fake Facebook emails deliver malware / phish ...
- http://net-security....ews.php?id=3191
21.01.2016 - "A new spam campaign is targeting Facebook users. It uses the same approach as the recent one aimed at WhatsApp users, and Comodo researchers* believe that the authors of both campaigns are likely the same. The -fake- emails are made to look like an official communication from the popular social network, and their goal is to make the victims believe they have received a voice message..."
* https://blog.comodo....malware-attack/
Jan 21, 2016 - "... As part of a random -phishing- campaign, cybercriminals were sending -fake- emails representing the information as official WhatsApp content to spread malware when the attached “message” was clicked on. Now, researchers at the Threat Research Lab have identified a very similar phishing campaign targeted at businesses and consumers who use Facebook – most likely designed by the same cyber criminals who developed the WhatsApp malware. And just like the WhatsApp malware, the new Facebook malware tries to represent itself as an email from Facebook which states there is a new message for the recipient. The email address and sender’s name tries to brand itself as Facebook, but the sender’s email address is from different domains and not in any way related with the Facebook company... The malware in the email itself is in a .zip file, sent as an attachment. Inside the zip file there is an executable file. Upon executing the file (e.g. clicking on the attachment), the malware will automatically replicate itself into “C:\” directory and add itself into an auto-run in the computer’s registry, spreading the malware. Additionally, like the WhatsApp malware, the engineers at Comodo have also identified this new Facebook malware as a variant of the “Nivdort” malware** family... A screen grab of the -malicious- email has been captured below:
> https://blog.comodo....ads/Nivdort.png

** https://file-intelli...81d3f0dbad90efd
___

Fake '201552 ebill' SPAM - malicious attachment
- http://blog.dynamoo....invoicecom.html
21 Jan 2016 - "This -fake- financial email comes with a malicious attachment.
    From     invoices@ ebillinvoice .com
    Date     Thu, 21 Jan 2016 15:13:36 +0530
    Subject     201552 ebill
    Customer No         : 8652
    Email address       : [redacted]
    Attached file name  : 8652_201552.DOC
    Dear customer
    Please find attached your invoice for 201552.
    To manage your account online - please visit Velocity...


There are at least -three- different versions of the attachment 8652_201552.doc (VirusTotal results [1] [2] [3])
for which the Malwr reports [4] [5] [6] indicate downloads from the following locations:
phaleshop .com/8h75f56f/34qwj9kk.exe
bolmgren .com/8h75f56f/34qwj9kk.exe
return-gaming .de/8h75f56f/34qwj9kk.exe
montaj-klimat .ru/8h75f56f/34qwj9kk.exe [spotted here*]
This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54**. Those reports indicate that it phones home to:
216.224.175.92 (SoftCom America Inc., US)
A contact (thank you) also pointed out some other locations the malware phones home to
216.59.16.175 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)
216.117.130.191 (Advanced Internet Technologies Inc., US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
The payload is the Dridex banking trojan, being sent by botnet 220.
Recommended blocklist:
216.224.175.92
216.59.16.175
216.117.130.191
202.69.40.173
"
1] https://www.virustot...sis/1453373816/

2] https://www.virustot...sis/1453373886/

3] https://www.virustot...sis/1453373898/

4] https://malwr.com/an...2ExNGEyMThlODk/

5] https://malwr.com/an...jNlNDQ2OTlmZjE/

6] https://malwr.com/an...GE2NDAwODY3OWU/

* http://blog.dynamoo....ntkeyscouk.html

** https://www.virustot...sis/1453374873/
TCP connections
216.224.175.92: https://www.virustot...92/information/

- http://myonlinesecur...rd-doc-malware/
21 Jan 2016 - "An email with the subject of '201552 ebill' pretending to come from invoices@ ebillinvoice .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: invoices@ ebillinvoice .com
Date: Thu 21/01/2016 09:37
Subject: 201552 ebill
    Customer No         : 8652
    Email address       : rob@ securityandprivacy .co.uk
    Attached file name : 8652_201552.DOC
    Dear customer
    Please find attached your invoice for 201552.
    To manage your account online – please visit Velocity...


21 January 2016: 8652_201552.DOC - Current Virus total detections 4/54*
... this will download Dridex banking malware from [ return-gaming .de/8h75f56f/34qwj9kk.exe ]  (VirusTotal 2/55**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453370622/

** https://www.virustot...sis/1453371930/
TCP connections
216.224.175.92: https://www.virustot...92/information/
13.107.4.50: https://www.virustot...50/information/
___

Fake 'Telephone Bill' SPAM - malicious attachment
- http://blog.dynamoo....phone-bill.html
21 Jan 2016 - "This -fake- financial spam has a malicious attachment.
    From     "The Billing Team" [noreply@ callbilling .co.uk]
    Date     Thu, 21 Jan 2016 11:44:19 +0100
    Subject     Your Telephone Bill Invoices & Reports
    Please see the attached Telephone Bill & Reports.
    Please use the contact information found on the invoice if you wish to contact your
    service provider.
    This message was sent automatically...


I have only seen a single sample of this email, with an attachment Invoice_316103_Jul_2013.doc which has a detection rate of 2/53*. The Malwr report** for that document shows a download location of:
bolmgren .com/8h75f56f/34qwj9kk.exe
That is one of the locations found with this earlier spam run***, and the payload is the Dridex banking trojan."
* https://www.virustot...sis/1453376703/

** https://malwr.com/an...GE0Y2JlZWY0Y2Q/
195.128.175.9
216.224.175.92
13.107.4.50


*** http://blog.dynamoo....invoicecom.html

- http://myonlinesecur...dsheet-malware/
21 Jan 2016 - "An email with the subject of 'Your Telephone Bill Invoices & Reports' pretending to come from The Billing Team <noreply@ callbilling .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: The Billing Team <noreply@ callbilling .co.uk>
Date: Thu 21/01/2016 10:20
Subject: Your Telephone Bill Invoices & Reports
    Please see the attached Telephone Bill & Reports.
    Please use the contact information found on the invoice if you wish to contact your service provider.
    This message was sent automatically...


21 January 2016: Invoice_316103_Jul_2013.doc - Current Virus total detections 2/54*
This will also download Dridex banking malware from
http ://return-gaming .de/8h75f56f/34qwj9kk.exe which is the -same- download site as today’s other concurrent malspam run**..."
* https://www.virustot...sis/1453371806/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Replacement Keys' SPAM - malicious attachment
- http://blog.dynamoo....ntkeyscouk.html
21 Jan 2016 - "This spam has a malicious attachment. It does not come from admin@ replacementkeys .co.uk but is instead a simple -forgery- with a malicious attachment.
    From     Replacement Keys [admin@ replacementkeys .co.uk]
    Date     Thu, 21 Jan 2016 17:15:08 +0530
    Subject     =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?=
    Order Received!
    We will send you another email when it has been dispatched . If you have any questions about your order please reply to this email. Your order confirmation is below. Thank you for ordering from us.
    Thank you again,
    Replacement Keys


Attached is a file INVOICEPaid_100114000.xls of which I have only seen a single variant. The VirusTotal detection rate is 4/53* and the Malwr report** indicates a download location from:
montaj-klimat .ru/8h75f56f/34qwj9kk.exe
The binary dropped is identical to the one in this earlier spam run*** and it leads to the Dridex banking trojan."
* https://www.virustot...sis/1453377591/

** https://malwr.com/an...mQ5NTU0NjcyZGY/

*** http://blog.dynamoo....invoicecom.html

- http://myonlinesecur...dsheet-malware/
21 Jan 2016 - "An email with the subject of 'New Order # 100114000' pretending to come from Replacement Keys <admin@ replacementkeys .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Replacement Keys <admin@ replacementkeys .co.uk>
Date: Thu 21/01/2016 12:21
Subject: New Order # 100114000
    Order Received!
    We will send you another email when it has been dispatched ...


21 January 2016: logmein_pro_receipt.xls - Current Virus total detections 4/52*
Downloads Dridex from http ://www .bridge-freunde-colonia .de/8h75f56f/34qwj9kk.exe (VirusTotal 1/49**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453379373/

** https://www.virustot...sis/1453382710/
___

Fake 'Healthcare' SPAM - malicious attachment
- http://blog.dynamoo....thcare-ltd.html
21 Jan 2016 - "This -fake- financial spam does not come from Gompels Healthcare Ltd but is instead a simple -forgery- with a malicious attachment.
    From:    Gompels Healthcare ltd [salesledger@ gompels .co.uk]
    Date:    21 January 2016 at 12:57
    Subject:    Gompels Healthcare Ltd Invoice
    Hello
    Please see attached pdf file for your invoice
    Thank you for your business

The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:
return-gaming .de/8h75f56f/34qwj9kk.exe
phaleshop .com/8h75f56f/34qwj9kk.exe
That marks it out as Dridex 220, similar to this spam run*. However, the executable has -changed- from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal**. However, the malware still phones home to the same IP of 216.224.175.92 as before."
1] https://www.virustot...sis/1453381421/

2] https://www.virustot...sis/1453381734/

3] https://malwr.com/an...jAzNTg1ZDNjNjE/
82.165.218.65
216.224.175.92
8.254.249.78


4] https://malwr.com/an...2EyZWU3M2VjNmU/
112.78.2.113
216.224.175.92
184.28.188.186


* http://blog.dynamoo....invoicecom.html

**  https://www.virustot...sis/1453381954/

216.224.175.92: https://www.virustot...92/information/

phaleshop .com: 112.78.2.113: https://www.virustot...13/information/

- http://myonlinesecur...rd-doc-malware/
21 Jan 2016 - "An email with the subject of 'Gompels Healthcare Ltd Invoice' pretending to come from Gompels Healthcare ltd <salesledger@ gompels .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Gompels Healthcare ltd <salesledger@gompels.co.uk>
Date: Thu 21/01/2016 13:12
Subject: Gompels Healthcare Ltd Invoice
Hello
Please see attached pdf file for your invoice
Thank you for your business


21 January 2016: fax00375039.DOC - Current Virus total detections 5/54*
Downloads Dridex banking malware from
http ://phaleshop .com/8h75f56f/34qwj9kk.exe which is the -same- Dridex payload as described HERE**..."
* https://www.virustot...sis/1453383052/

** http://myonlinesecur...dsheet-malware/
 



Edited by AplusWebMaster, 21 January 2016 - 12:17 PM.

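Two details in the last two posts are worth a worked check. In the 'Replacement Keys' run, dynamoo quotes the raw header Subject: =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?= while myonlinesecurity quotes the subject as 'New Order # 100114000'; that is an RFC 2047 encoded-word, and decoding it is how you confirm both reports describe the same lure. In the previous post's 'Order Confirmation' run, the attachment was "attached incorrectly" and arrived zero-length or as garbage, which any attachment triage should report separately from a working macro document. The script below is an added example written for this thread, not code from either blog. It decodes the Subject, lists attachments, and for Office-named ones checks whether the bytes are a legacy OLE2 compound file (the .doc/.xls format in these runs) and whether the file carries a "Macros" or "_VBA_PROJECT" storage name, a crude UTF-16 string match that I am using as an assumption in place of a real OLE directory parse. The messages and attachment bytes are constructed stand-ins (an OLE2 magic header plus a "Macros" name, not the real maldoc); the sender and file names are the ones quoted above.

```python
"""Triage a raw e-mail: decode its Subject and inspect any Office attachment."""
import base64
import email
from email import policy
from email.header import decode_header, make_header

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsm) container
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".xlsm"}
# OLE directory entries hold stream/storage names as UTF-16LE. Seeing one of these
# names is a crude hint (an assumption, not an OLE parse) that VBA is embedded.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def decode_subject(raw_subject):
    """Turn an RFC 2047 encoded-word Subject (=?utf-8?B?...?=) into plain text."""
    return str(make_header(decode_header(raw_subject)))


def triage_message(raw):
    """Return decoded From/Subject plus one finding per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"subject": str(msg["Subject"] or ""),
              "from": str(msg["From"] or ""),
              "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        result["attachments"].append({
            "name": name,
            "size": len(data),
            "office_ext": ext in OFFICE_EXTS,
            "ole2": data.startswith(OLE2_MAGIC),
            "ooxml": data.startswith(ZIP_MAGIC),
            "vba_marker": any(m in data for m in VBA_MARKERS),
        })
    return result


def verdict(result):
    """'macro-doc': an Office-named OLE2 attachment carrying a VBA storage name.
    'broken-attachment': Office-named but empty or not an Office container at all
    (the 'attached incorrectly' case). 'clean': neither."""
    states = set()
    for a in result["attachments"]:
        if not a["office_ext"]:
            continue
        if a["ole2"] and a["vba_marker"]:
            states.add("macro-doc")
        elif a["size"] == 0 or not (a["ole2"] or a["ooxml"]):
            states.add("broken-attachment")
    if "macro-doc" in states:
        return "macro-doc"
    if "broken-attachment" in states:
        return "broken-attachment"
    return "clean"


def build_sample(attachment_name, attachment_bytes,
                 subject="=?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?="):
    """Constructed message modelled on the lures quoted above; not a real capture."""
    b64 = base64.b64encode(attachment_bytes).decode()
    text = (
        "From: Replacement Keys <admin@replacementkeys.co.uk>\n"
        "To: victim@example.invalid\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\n"
        'Content-Type: text/plain; charset="utf-8"\n\n'
        "Order Received!\n"
        "--b1\n"
        f'Content-Type: application/octet-stream; name="{attachment_name}"\n'
        f'Content-Disposition: attachment; filename="{attachment_name}"\n'
        "Content-Transfer-Encoding: base64\n\n"
        f"{b64}\n"
        "--b1--\n"
    )
    return text.encode()


# Stand-in for the maldoc: OLE2 header plus a "Macros" storage name, nothing else.
FAKE_MACRO_XLS = OLE2_MAGIC + b"\x00" * 16 + "Macros".encode("utf-16-le") + b"\x00" * 8

if __name__ == "__main__":
    r = triage_message(build_sample("INVOICEPaid_100114000.xls", FAKE_MACRO_XLS))
    print(r["subject"], "->", verdict(r))
    r = triage_message(build_sample("Order_94602~1.doc", b"",
                                    "Emailed Order Confirmation - 94602:1"))
    print(r["subject"], "->", verdict(r))
```

On a real mailbox the marker check will miss macro documents whose VBA sits in an OOXML .docm/.xlsm (the vbaProject.bin lives inside the zip, not as a UTF-16 OLE name), so treat "macro-doc" as a fast first pass and hand anything Office-named to a proper OLE/OOXML parser or a sandbox, as the blogs above did with Malwr and VirusTotal.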


#1624 AplusWebMaster

Posted 22 January 2016 - 06:33 AM

FYI...

Fake 'scanner' SPAM - malicious attachment
- http://blog.dynamoo....icaminolta.html
22 Jan 2016 - "At the moment there is a heavy spam run pushing the Dridex banking trojan, pretending to be from a multifunction device or scanner.
    Subject:    Message from KONICA_MINOLTA
    Subject:    Message from MFD
    Subject:    Message from scanner

The spam appears to come from within the victim's own domain, from one of the following email addresses:
    MFD@ victimdomain .tld
    scanner@ victimdomain .tld
    KONICA_MINOLTA@ victimdomain .tld
This is just a simple forgery. It doesn't mean that your organisation has been compromised... it really is a very simple trick. In all cases the attachment is named SKM_4050151222162800.doc, which appears to come in -three- versions... reports... indicate executable download locations at:
www .showtown-danceband .de/ghf56sgu/0976gg.exe
ausonia-feng-shui .de/ghf56sgu/0976gg.exe
gahal .cz/ghf56sgu/0976gg.exe
This binary has a detection rate of 1/54* and that VirusTotal report plus this Malwr report** show it phoning home to:
192.241.207.251 (Digital Ocean Inc., US)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan, sent by botnet 220."
* https://www.virustot...sis/1453454938/
TCP connections
192.241.207.251: https://www.virustot...51/information/
89.149.175.18: https://www.virustot...18/information/

** https://malwr.com/an...mM5NzA0ODM2NmQ/
192.241.207.251: https://www.virustot...51/information/
8.254.207.46: https://www.virustot...46/information/

- http://myonlinesecur...rd-doc-malware/
22 Jan 2016 - "An email with the subject of 'Message from KONICA_MINOLTA' (or Message from MFD or any other scanner or printer) pretending to come from scanner@ <your email domain> on behalf of MFD@ <victim domain> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: scanner@ malware-research .co.uk; on behalf of; MFD@ malware-research .co.uk
Date: Fri 22/01/2016 08:56
Subject: Message from KONICA_MINOLTA or Message from MFD or Message from Scanner


Body content: totally empty body
22 January 2016: SKM_4050151222162800.doc - Current Virus total detections 3/54*
Downloads Dridex banking malware from http ://ausonia-feng-shui .de/ghf56sgu/0976gg.exe
(VirusTotal **). Other download locations from different versions of this maldoc attachment are: www .showtown-danceband .de/ghf56sgu/0976gg.exe and gahal .cz/ghf56sgu/0976gg.exe
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453452819/

** https://www.virustot...sis/1453453469/
TCP connections
192.241.207.251: https://www.virustot...51/information/
89.149.175.18: https://www.virustot...18/information/
___

Fake 'mathforum' SPAM - JS malware
- http://myonlinesecur...org-js-malware/
22 Jan 2016 - "An email with the subject of 'hi' coming from gshatford <gshatford@ mathforum .org> (probably -compromised- servers, that will be sending these out from multiple email addresses) with a zip attachment is another one from the current bot runs... The content of the email simply says:
    DATE:1/22/2016 7:47:24 AM

22 January 2016: yu.zip: Extracts to: invoice_SCAN_1pMVj.js - Current Virus total detections 5/53*
[MALWR**] [WEPAWET***] which downloads 80.exe (virus total 2/55[4]) from a combination of these sites memyselveandi .com/80.exe | deempheal .com/80.exe - These have previously been teslacrypt/cryptowall or similar ransomware... it definitely is a password stealer and ransomware version [MALWR[5]].
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an innocent file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1453449215/

** https://malwr.com/an...mY0MzViM2IwMDg/
51.255.10.132

*** https://wepawet.isec...3fd0932&type=js

4] https://www.virustot...sis/1453449556/
TCP connections
144.76.253.225: https://www.virustot...25/information/
182.50.147.1: https://www.virustot....1/information/

5] https://malwr.com/an...DdhNjkyZjNjOTI/
144.76.253.225
182.50.147.1
185.24.99.98
176.106.190.60
94.23.247.172
104.28.5.189
69.73.182.201

___

Fake 'tracking info' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
22 Jan 2016 - "An email with the subject of 'UKMail 988271023 tracking information' pretending to come from no-reply@ ukmail .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: no-reply@ ukmail .com
Date: Fri 22/01/2016 12:15
Subject: UKMail 988271023 tracking information
    UKMail Info!
    Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
    Please view the information about your parcel, print it and go to the post office to receive your package.
    Warranties
    UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
    Where the law prevents such exclusion and implies conditions and warranties into this contract,
    where legally permissible the liability of UKMail for breach of such condition,
    guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
Best regards,
UKMail


22 January 2016: 988271023-PRCL.xls - Current Virus total detections 4/55*
This will download Dridex banking malware from
http ://www .stijnminne .be/ghf56sgu/0976gg.exe (VirusTotal 1/54**)... Dridex malware was seen in some examples of THIS earlier malspam run***, which was malspammed out in -several- waves throughout the morning. Note: Dridex updates frequently throughout the day..."
* https://www.virustot...sis/1453464516/

** https://www.virustot...sis/1453462957/
0976gg.exe
TCP connections
192.241.207.251: https://www.virustot...51/information/
89.149.175.18: https://www.virustot...18/information/

*** http://myonlinesecur...rd-doc-malware/

- http://blog.dynamoo....3-tracking.html
22 Jan 2016 - "This -fake- delivery email is not from UKMail but is instead a simple -forgery- with a malicious attachment:
   From:    no-reply@ ukmail .com
    Date:    22 January 2016 at 12:14
    Subject:    UKMail 988271023 tracking information
    UKMail Info!
    Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
    Please view the information about your parcel, print it and go to the post office to receive your package...
    If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
    You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
    Best regards,
    UKMail


The attachment is named 988271023-PRCL.xls which appears to come in at least two variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a malicious executable from:
www .stijnminne .be/ghf56sgu/0976gg.exe
raeva .com.ua/ghf56sgu/0976gg.exe
This binary has a detection rate of 4/54*. It is the -same- payload as found in this earlier spam run**."
1] https://www.virustot...sis/1453467080/

2] https://www.virustot...sis/1453467094/

3] https://malwr.com/an...jcxNjM4MDBlZDg/
91.234.32.117
192.241.207.251
13.107.4.50


4] https://malwr.com/an...WFkN2Q5Nzc1Mjg/
195.130.132.84
192.241.207.251
184.25.56.42


* https://www.virustot...sis/1453467328/
0976gg.exe
TCP connections
192.241.207.251: https://www.virustot...51/information/
89.149.175.18: https://www.virustot...18/information/

** http://blog.dynamoo....icaminolta.html
 



Edited by AplusWebMaster, 22 January 2016 - 09:09 AM.

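An added example, not code from the forum post or the blogs it quotes: the download URLs and the C2 IP quoted above, turned into a small matcher that runs over proxy log lines. The log lines are constructed, the squid-style field layout is an assumption, and treating the bare path /ghf56sgu/0976gg.exe as an indicator on its own (to catch compromised hosts not yet on the list) is my choice, not something the posts state.

```python
# Added example (not part of the forum post or the quoted blogs): match the
# indicators quoted above against proxy log lines. The log lines are
# constructed for illustration; the squid-style format is an assumption.
import re
from urllib.parse import urlsplit

# Indicators from the quoted reports, with the defanging spaces removed.
DOWNLOAD_URLS = {
    "http://www.showtown-danceband.de/ghf56sgu/0976gg.exe",
    "http://ausonia-feng-shui.de/ghf56sgu/0976gg.exe",
    "http://gahal.cz/ghf56sgu/0976gg.exe",
    "http://www.stijnminne.be/ghf56sgu/0976gg.exe",
    "http://raeva.com.ua/ghf56sgu/0976gg.exe",
}
C2_IPS = {"192.241.207.251"}
# The same path was reused on every compromised host that day, so the path on
# its own is treated as an indicator too (assumption: it is specific enough).
PAYLOAD_PATH = "/ghf56sgu/0976gg.exe"

# Squid native access.log: time elapsed client action/code bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def classify(line):
    """Return (reason, client, url) when a log line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, url = m.group("client"), m.group("url")
    # CONNECT lines carry "host:port" rather than a full URL; normalise so
    # urlsplit() yields the host either way.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if url in DOWNLOAD_URLS:
        return ("known_download_url", client, url)
    if parts.path == PAYLOAD_PATH:
        return ("payload_path_on_new_host", client, url)
    if host in C2_IPS:
        return ("c2_ip", client, url)
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log: one benign fetch, one known download URL, the same
# payload path on a host not in the list, a TLS tunnel to the C2 IP, one more
# benign line.
SAMPLE_LOG = [
    "1453454900.101    120 10.0.0.12 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1453454938.412    245 10.0.0.12 TCP_MISS/200 312456 GET http://www.stijnminne.be/ghf56sgu/0976gg.exe - HIER_DIRECT/198.51.100.7 application/octet-stream",
    "1453454950.007    198 10.0.0.31 TCP_MISS/200 312456 GET http://other-compromised.example/ghf56sgu/0976gg.exe - HIER_DIRECT/198.51.100.9 application/octet-stream",
    "1453454990.002   1200 10.0.0.12 TCP_TUNNEL/200 8192 CONNECT 192.241.207.251:443 - HIER_DIRECT/192.241.207.251 -",
    "1453455001.555     90 10.0.0.40 TCP_HIT/200 2048 GET http://www.example.org/ - NONE/- text/html",
]

if __name__ == "__main__":
    for reason, client, url in scan(SAMPLE_LOG):
        print(f"{reason:26} {client:12} {url}")
```

The CONNECT case matters: once the payload is running, the C2 traffic in the reports is on 443, so a matcher that only looks at GET URLs never sees the 192.241.207.251 tunnel. Matching the path alone will pick up the next compromised site before anyone has published it, at the cost of a false positive if the same random-looking path ever appears legitimately.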


#1625 AplusWebMaster

Posted 24 January 2016 - 08:28 AM

FYI...

Fake 'E-mail-Account Update' SPAM – PHISH ...
- http://myonlinesecur...pdate-phishing/
24 Jan 2016 - "A slightly different -phishing- email today, that pretends to be a notice from your email provider saying that you 'need to update your email'. All the ones I have seen are addressed to different names at different email domains...

Screenshot: http://myonlinesecur...te-1024x615.png

The links behind all the links go to http ://www .clavadelriverlodge .co.za/images/upgrade/index.php?email=name@ victimdomain .com, where they have set up rather a clever attempt to get your email log in details. They already have your email address and want the -password- to go along with it.
The site does a fairly good imitation of a Cpanel page with a processing bar that gradually increases to 100%. The name on the page is dynamically created based on the email address in the referral. The phishers have gone to quite a lot of trouble and effort with this one. Luckily Internet Explorer smart filter knows about it & warns you with a bright red Address bar in your browser. Unfortunately Chrome & Firefox haven’t caught up yet:
> http://myonlinesecur...ge-1024x599.png

... Watch for -any- site that invites you to enter ANY personal, log in or financial information... All of these emails use Social engineering tricks to persuade you to open the -attachments- or follow the -links- that come with the email..."

clavadelriverlodge .co.za: 192.185.174.108: https://www.virustot...08/information/
 



Edited by AplusWebMaster, 24 January 2016 - 08:36 AM.



#1626 AplusWebMaster

Posted 25 January 2016 - 06:50 AM

FYI...

Fake 'Direct Debit' SPAM - doc/xls malware
- http://myonlinesecur...rd-doc-malware/
25 Jan 2016 - "... mass Dridex malspams. The first is an email with random subject of 'Direct Debit Mandate' from [random companies] pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Ezekiel Holcomb <HolcombEzekiel7086@ acttv .in>
Date: Mon 25/01/2016 09:10
Subject: Direct Debit Mandate from Thames Water Authority
    Good morning
    Please attached Direct Debit Mandate from Thames Water Authority;
    complete, sign and scan return at your earliest convenience.
    Kind regards,
    Ezekiel Holcomb
    TEAM SUPPORT
    Thames Water Authority ...


25 January 2016: SharpC1889@acttv.in_4430446.doc - Current Virus total detections 3/52*
MALWR** shows it downloads Dridex from http ://109.234.35.80 /konfetka/roschen.php which gave me a file named mancity.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453712908/

** https://malwr.com/an...DljYTIyMjUzMDM/
109.234.35.80

*** https://www.virustot...sis/1453713995/

109.234.35.80: https://www.virustot...80/information/
___

Fake 'Order PO' SPAM - malware
- http://myonlinesecur...000731-malware/
25 Jan 2016 - "An email with the subject of 'Order PO # 10000731' pretending to come from Parkcom Co.ltd <simpark@ parkcom .co.kr> with a zip attachment is another one from the current bot runs... The email looks like:
From: Parkcom Co.ltd <simpark@ parkcom .co.kr>
Date: Mon 25/01/2016 03:39
Subject: Order PO # 10000731
Attachment:  PO _ 10000731.zip
Body content:
    Dear Customer,
    Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment,We need this Order urgently. kindly confirm the PO and send PI asap.
    Thank you.
    Ms. Sim Park ...


Today's date: PO _ 10000731.zip: Extracts to: PO # 10000731.exe - Current Virus total detections 9/54*
I don’t actually know what this one does. The detections are all generic detections. MALWR crashed.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1453717414/
TCP connections
23.206.38.87: https://www.virustot...87/information/
 



Edited by AplusWebMaster, 25 January 2016 - 03:11 PM.



#1627 AplusWebMaster

Posted 26 January 2016 - 06:17 AM

FYI...

Payment data security - at risk...
- http://net-security....ld.php?id=19369
26 Jan 2016 - "With acceptance of mobile and other new forms of payments expected to double in the next two years, a new global study shows a critical need for organizations to improve their payment data security practices. This is according to a recent survey of more than 3,700 IT security practitioners from more than a dozen major industry sectors conducted by the Ponemon Institute for Gemalto*... 54% of those surveyed said their company had a security or data breach involving payment data, four times in the past two years on average. This is not surprising given the security investments, practices and procedures highlighted by the surveyed respondents:
- 55% said they did -not- know where all their payment data is stored or located.
- Ownership for payment data security is -not- centralized with 28% of respondents saying responsibility is with the CIO, 26% saying it is with the business unit, 19% with the compliance department, 15% with the CISO, and 14% with other departments.
- 54% said that payment data security is -not- a top five security priority for their company with only one third (31%) feeling their company allocates enough resources to protecting payment data.
- 59% said their company -permits- third party access to payment data and of these only 34% utilize multi-factor authentication to secure access.
- Less than half of respondents (44%) said their companies use end-to-end encryption to protect payment data from the point of sale to when it is stored and/or sent to the financial institution.
- 74% said their companies are either -not- PCI DSS compliant or are only partially compliant.
...  the study found that nearly three quarters (72%) of those surveyed believe these new payment methods are putting payment data at risk and 54% do not believe or are unsure their organization’s existing security protocols are capable of supporting these platforms..."

* http://blog.gemalto....obile-payments/
26 Jan 2016
___

Fake 'Refund' SPAM - JS malware
- http://myonlinesecur...hen-js-malware/
26 Jan 2016 - "Another run of Nemucod downloaders today starting with an email with the subject of 'Refund for the Purchase' – Kevin Cohen [random names] pretending to come from random senders and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Kevin Cohen <fonenzo@ teletu .it>
Date: Tue 26/01/2016 06:21
Subject: Refund for the Purchase – Kevin Cohen.
Attachment: Kevin Cohen.zip
    We are sorry to tell you, however, the item you have purchased is not available at the moment. In the file enclosed you can see the details about the refund policy.


26 January 2016: Kevin Cohen.zip - Extracts to: Kevin Cohen.js - Current Virus total detections 6/55*  
which WEPAWET** shows us downloads 3 files
http ://dertinyanl .com/img/script.php?tup1.jpg which is renamed to 3330263.exe (VirusTotal 4/54[3])
http ://dertinyanl .com/img/script.php?tup2.jpg which is renamed to 4441845.exe (VirusTotal 3/53[4])
http ://dertinyanl .com/img/script.php?tup3.jpg which is renamed to 5553619.exe (VirusTotal 3/54[5])
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an innocent file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453800745/

** https://wepawet.isec...011c552&type=js

3] https://www.virustot...sis/1453801558/

4] https://www.virustot...sis/1453801571/

5] https://www.virustot...sis/1453801579/

Nemucod malware spreads ransomware Teslacrypt:
- http://www.welivesec...t-around-world/
___

Fake 'Bill' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 Jan 2016 - "An email with the subject of 'Fwd: Bill to Grant Morgan' coming from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Grant Morgan <rafael.kamal@ compume .com.eg>
Date: Tue 26/01/2016 05:25
Subject: Fwd:Bill to Grant Morgan.
Attachment: 20MEPRZ8WBE.doc
Body content:
    Hello.
    Please check the report attached. In order to avoid fine for delay you need to pay within 48 hours.
    Best regards
    Grant Morgan

-or-
    Good morning.
    Please see the invoice in attachment. In order to avoid penalty for delay you should pay in 24 hours.
    Thanks
    Barrett Watkins


26 January 2016: 20MEPRZ8WBE.doc - Current Virus total detections 2/54*
... Hybrid Analysis** eventually gave me 209743.exe (VirusTotal 3/45***) downloaded from icenails .ro/imgwp.jpg?LJGKKxdZEHWYMi=38.
>> http://myonlinesecur...01/WP_image.png
The bad actors behind this campaign are using a new-macro-style which is long and even more complicated than previous ones... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453787886/

** https://www.hybrid-a...environmentId=1
Contacted Hosts
188.214.17.162
110.138.108.142


*** https://www.virustot...sis/1453812606/

icenails .ro: 188.214.17.162: https://www.virustot...62/information/
> https://www.virustot...cbceb/analysis/
___

Fake 'Heating Invoice' SPAM - malicious attachment
- http://blog.dynamoo....innovation.html
26 Jan 2016 - "This -fake- financial email is not from Alpha Heating Innovation but is instead a simple -forgery- with a malicious attachment:
    From     Kurt Sexton
    Date     Tue, 26 Jan 2016 10:59:05 -0500
    Subject     =?UTF-8?B?UmVtaXR0YW5jZSBBZHZpY2UgNTk2M0U5?=
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on
    your account.
    Please contact us on the email address below if you would like your remittance sent
    to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Kurt Sexton
    Best Regards,
    Kurt Sexton
    Credit Controller - Alpha Heating Innovation ...


The names of the sender and reference numbers will vary. I have only seen -two- different variants of the attachment, in the format remittance_advice5963E9.doc (VirusTotal [1] [2]) but there are probably more. Analysis is pending... It does seem to have some characteristics of a Dridex downloader."
1] https://www.virustot...sis/1453824210/
4/54 - remittance_adviceB177B0.doc

2] https://www.virustot...sis/1453824233/
4/54 - remittance_advice5963E9.doc


- http://myonlinesecur...rd-doc-malware/
26 Jan 2016 - "An email with the subject of 'Remittance Advice 17B6D1' (random numbers) pretending to come from random email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Leonardo Bryan <BryanLeonardo1689@ thedogofnashville .com>
Date: Tue 26/01/2016 14:57
Subject: Remittance Advice 17B6D1
Attachment: remittance_advice00AAD7.doc
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on your account.
    Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Leonardo Bryan
    Best Regards,
    Leonardo Bryan
    Credit Controller – Alpha Heating Innovation...


26 January 2016: remittance_advice00AAD7.doc - Current Virus total detections 4/54*
Waiting for analysis. It is likely to be the Dridex banking malware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453825399/
___

TurboTax Phish
- https://security.int...alert.php?a=329
1/25/2016 - "People are receiving -fake- emails with the title containing their name. Below is a copy of the email people are receiving:
> https://security.int...sh201252016.jpg
... Do -not- open the attachment in the email... attempts to fraudulently obtain sensitive information..."

- https://security.int...alert.php?a=328
1/25/2016 - " People are receiving -fake- emails with the title "Access to prior year returns is locked". Below is a copy of the email people are receiving:
> https://security.int...sh101252016.jpg
... Do -not- open the attachment in the email... attempts to fraudulently obtain sensitive information..."

... more here:
>> https://security.int...rity-alerts.php
 



Edited by AplusWebMaster, 26 January 2016 - 03:16 PM.


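An added example, not from the forum post or the quoted blogs, for the "spoofed icon" .js and .exe attachments mentioned in several of the runs above (the yu.zip / invoice_SCAN_1pMVj.js, PO _ 10000731.zip and Kevin Cohen.zip cases): a check that opens an attachment zip and flags members by extension, by double extension, and by a PE "MZ" header hiding under a document extension, which a filename check alone would miss. The zip and its contents are constructed; the extension lists are an assumption.

```python
# Added example (not from the forum post or the quoted blogs): look inside a
# mail attachment zip for the kind of members the posts describe, i.e. a .js
# or .exe dressed up with a document icon or a double extension. The zip is
# constructed in memory; the extension lists are an assumption.
import io
import zipfile

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".dll"}
RISKY_EXT = SCRIPT_EXT | EXEC_EXT

def extensions(name):
    """All extensions of a member name, lower-cased, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]

def inspect_attachment(zip_bytes):
    """Return [(member_name, [reasons])] for every member worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(2)  # PE files start with the 'MZ' DOS stub
            reasons = []
            if last in SCRIPT_EXT:
                reasons.append("script_extension")
            if last in EXEC_EXT:
                reasons.append("executable_extension")
            if len(exts) > 1 and last in RISKY_EXT:
                reasons.append("double_extension")
            if head == b"MZ" and last not in EXEC_EXT:
                reasons.append("pe_header_under_benign_extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample_zip():
    """Constructed attachment modelled on the member names in the posts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_SCAN_1pMVj.js", "var x = 1; // downloader stub")
        zf.writestr("PO # 10000731.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)  # renamed PE
        zf.writestr("readme.txt", "plain text, nothing to see")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in inspect_attachment(build_sample_zip()):
        print(f"{name!r}: {', '.join(reasons)}")
```

Windows hides the last extension by default, which is why "PO # 10000731.exe" with a PDF icon looks like a PDF to the recipient; the gateway does not have that problem if it reads the member name and the first two bytes rather than trusting the icon. The header check only catches PE files; a .js stays a text file, so for scripts the extension list is the control.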

#1628 AplusWebMaster

Posted 27 January 2016 - 08:07 AM

FYI...

Fake 'New Order' SPAM - malicious attachment
- http://blog.dynamoo....lle-ludlow.html
27 Jan 2016 - "This -fake- financial spam does not come from DS Smith Plc, but is instead a simple forgery with a malicious attachment.
    From     Michelle Ludlow [Michelle.Ludlow@ dssmith .com]
    Date     Wed, 27 Jan 2016 17:27:22 +0800
    Subject     New Order
    Hi
    Please see attached for tomorrow.
    Thanks
    Michelle Ludlow
    Customer Services Co-Ordinator - Packaging Services
    Packaging Division ...


So far I have seen two different variants of the attachment doc4502094035.doc (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a malicious executable from the following locations:
vinagps .net/54t4f4f/7u65j5hg.exe
trendcheckers .com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 5/53*. Those two Malwr reports and the VirusTotal report show the malware phoning home to:
119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
I strongly recommend that you -block- traffic to that IP. The payload is probably the Dridex banking trojan and this looks consistent with botnet 220 activity."
1] https://www.virustot...sis/1453887313/

2] https://www.virustot...sis/1453887331/

3] https://malwr.com/an...DZhYjNiNGZjN2I/

4] https://malwr.com/an...2I0M2U3MDM0MmY/

* https://www.virustot...sis/1453887706/
TCP connections
119.160.223.115: https://www.virustot...15/information/
104.86.110.240: https://www.virustot...40/information/

- http://myonlinesecur...dsheet-malware/
27 Jan 2016 - "An email with the subject of 'New Order' pretending to come from Michelle Ludlow <Michelle.Ludlow@ dssmith .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...er-1024x650.png

27 January 2016: doc4502094035.doc - Current Virus total detections 5/53*  
MALWR** - Downloads http ://vinagps .net/54t4f4f/7u65j5hg.exe
It is almost certain to be Dridex banking Trojan (VirusTotal 4/54***)
I am informed that an alternate download site is trendcheckers .com/54t4f4f/7u65j5hg.exe
[The Auto Analysers at payload security are under very-heavy-load this morning with hundreds of files queued and long delays. I assume the bad actors are deliberately flooding them to slow down analysis] ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453886419/

** https://malwr.com/an...DZhYjNiNGZjN2I/
112.213.95.154
119.160.223.115
13.107.4.50


*** https://www.virustot...sis/1453886821/
TCP connections
119.160.223.115: https://www.virustot...15/information/
104.86.110.240: https://www.virustot...40/information/
___

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
27 Jan 2016 - "An email with the subject of 'Invoice 9210' pretending to come from Dawn Salter <dawn@ mrswebsolutions .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...er-1024x802.png

27 January 2016: 9210.doc - Current Virus total detections 1/55*
This downloads Dridex banking Trojan from
http ://www .hartrijders .com/54t4f4f/7u65j5hg.exe (VirusTotal 1/55**)
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453901338/

** https://www.virustot...sis/1453902011/


- http://blog.dynamoo....awn-salter.html
27 Jan 2016 - "... The attachment is named 9210.doc which I have seen come in -three- versions... The Malwr reports for those... shows executable download locations at:
www .cityofdavidchurch .org/54t4f4f/7u65j5hg.exe
www .hartrijders .com/54t4f4f/7u65j5hg.exe
grudeal .com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 1/53*... Hybrid Analysis of the binary shows that it phones home to:
119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
This is the -same- IP as seen in this earlier spam run**, I recommend you -block- it."
* https://www.virustot...sis/1453903737/

** http://blog.dynamoo....lle-ludlow.html
___

Fake 'Enterprise Invoices' SPAM - malicious attachment
- http://blog.dynamoo....e-invoices.html
27 Jan 2016 - "This -fake- financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple -forgery- with a malicious attachment.
    From:    Vicki Harvey
    Date:    27 January 2016 at 15:30
    Subject:    Enterprise Invoices No.91786
    Please find attached invoice/s from
    Enterprise Security Distribution (South West) Limited
    Unit 20, Avon Valley Business Park
    St Annes Road
    St Annes
    Bristol
    BS4 4EE
    Vicki Harvey
    Accountant ...


The name of the sender and references will vary. There seem to be -several- different versions of the attachment named in a format Canon-mf30102A13A@ altel .kz_2615524.xls ... Analysis of the attachments is pending... attempted downloads from:
109.234.35.37 /californication/ninite.php
5.189.216.105 /californication/ninite.php
This binary has a -zero- detection rate at VirusTotal*. That VirusTotal report and this Malwr report** indicate network traffic to:
8.254.218.46 (Level 3, US)
I strongly recommend that you -block- traffic to that IP. This will be some variant of the Dridex banking trojan."
* https://www.virustot...sis/1453913182/
ninite.exe

** https://malwr.com/an...zZkYzc0NGRkM2E/
109.234.35.37
103.224.83.130
8.254.249.78


- http://myonlinesecur...dsheet-malware/
27 Jan 2016 - "... garbled mishmash with an email with no subject coming from random senders with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... All the attachments start with the name of a scanner or multifunctional printer/scanner device, then have the -alleged- senders email domain and then random numbers so this one is called twist-scanA56CC@ fotosdeguarras .com_2782255.xls . The email looks like:
From: Maggie Nolan <NolanMaggie95043@ fotosdeguarras .com>
Date: Wed 27/01/2016 16:25
Subject: Enterprise Invoices No.84984  ( random numbers)
Attachment: twist-scanA56CC@ fotosdeguarras .com_2782255.xls
Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE
Maggie Nolan
Accountant ...


27 January 2016: twist-scanA56CC@ fotosdeguarras .com_2782255.xls - Current Virus total detections 0/52*
MALWR** shows a download from http ://109.234.35.37 /californication/ninite.php which gave me FCGVJHads.exe (VirusTotal 0/55***). The file looks wrong for Dridex, so I will be guided by antivirus responses as to what it actually is... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453912101/

** https://malwr.com/an...jAxYmNjODY0NmU/
109.234.35.37
103.224.83.130
13.107.4.50


*** https://www.virustot...sis/1453912539/
TCP connections
103.224.83.130: https://www.virustot...30/information/
8.254.218.46: https://www.virustot...46/information/
___

'WorldRemit Transaction' phish
- http://myonlinesecur...ction-phishing/
27 Jan 2016 - "A high proportion of phishing attempts involve PayPal, your Bank, Credit Card or another money transfer service. This one is a money transfer service that I have never previously heard of: 'WorldRemit'...

Screenshot: http://myonlinesecur...l2-1024x455.png

The Second one pretends to be a request to review your service on Trust Pilot:

Screenshot: http://myonlinesecur...l1-1024x550.png

-All- the links in -both- emails go to http ://www.simplyyankeecosmetics .com/wellsfargo.com/cgi-bin/direct.php which -redirects- to either http ://syscross .com/fb/inc/index.html or http ://www.cinit .com.mx/cli/httpswww .worldremit.comsend/LoginPage.htm
[I am sure that as the actual phish sites get blocked or taken down, these phishers will set up, yet another redirect from the first site]... Where you end up on a webpage looking like this, where some of the links are part of the phish, but some go to the genuine https ://www.worldremit .com/  web site:
> http://myonlinesecur...sh-1024x546.png
If you fill in the email-address and password you get -bounced- on to the genuine site..."

simplyyankeecosmetics .com: 192.185.78.193: https://www.virustot...93/information/
>> https://www.virustot...19560/analysis/
 



Edited by AplusWebMaster, 27 January 2016 - 12:45 PM.


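An added example, not from the forum posts or the quoted blogs, covering the 'E-mail-Account Update' phish a few posts up and the WorldRemit one in this post: gateway-side checks for the victim address carried in the query string, a brand name sitting in the path or a subdomain rather than in the registered domain, and a second URL smuggled into the path ("httpswww.worldremit.com..."). The URLs are the ones quoted (defanging removed); the brand watch list and the registered-domain approximation are assumptions.

```python
# Added example (not from the forum post or the quoted blogs): a few checks a
# mail gateway could apply to the phishing links quoted above. The brand list
# and the registered-domain approximation are assumptions; the URLs are the
# ones quoted in the posts, with defanging removed.
import re
from urllib.parse import urlsplit, parse_qsl

BRANDS = ("wellsfargo", "worldremit", "paypal")  # assumption: local watch list
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Rough stand-in for a public-suffix list: handles co.za, com.mx, com.ua ...
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}
# "httpswww.worldremit.com..." or "http://..." appearing inside the path/query
SMUGGLED_URL_RE = re.compile(r"https?(:/+|www\.)")

def registered_domain(host):
    """Approximate registrable domain: two labels, or three under co.xx style suffixes."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def triage_url(url, brands=BRANDS):
    """Return a list of reasons the URL looks like a credential phish; [] if none fire."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    reg = registered_domain(host)
    tail = (p.path + "?" + p.query).lower()
    reasons = []
    # The lodge phish pre-fills the victim's address from ?email=...
    if any(EMAIL_RE.match(v) for _, v in parse_qsl(p.query)):
        reasons.append("email_in_query")
    # The WorldRemit page hides the real brand URL inside the path.
    if SMUGGLED_URL_RE.search(tail):
        reasons.append("url_in_path")
    for brand in brands:
        if brand in reg:
            continue  # the host really is the brand's domain (by our approximation)
        if brand in host:
            reasons.append("brand_in_subdomain:" + brand)
        elif brand in tail:
            reasons.append("brand_in_path:" + brand)
    return reasons

SAMPLE_URLS = [
    "http://www.clavadelriverlodge.co.za/images/upgrade/index.php?email=name@victimdomain.com",
    "http://www.simplyyankeecosmetics.com/wellsfargo.com/cgi-bin/direct.php",
    "http://www.cinit.com.mx/cli/httpswww.worldremit.comsend/LoginPage.htm",
    "https://www.worldremit.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage_url(u) or ["clean"], u)
```

The registered-domain step is what keeps the genuine https://www.worldremit.com/ links on the phish page from firing: the brand is in the registrable part of the host, so it is skipped, while "worldremit" anywhere else in the URL counts against it. In production the two-label approximation should be replaced by a real public-suffix list, otherwise hosts such as brand.com.au-style suffixes outside the small set here are misjudged.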

#1629 AplusWebMaster

Posted 28 January 2016 - 08:21 AM

FYI...

Fake 'Purchase Order' SPAM - doc malware
- http://myonlinesecur...malware-dridex/
28 Jan 2016 - "An email with the subject of 'IKEA Purchase Order [2001800526]' with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: order@ ibxplatform .com
Date: Thu 28/01/2016 10:24
Subject: IKEA Purchase Order  [2001800526]
Attachment: Purchase_Order_Number__2001800526.doc
    This message contains a Purchase Order from IKEA. If you have any questions regarding this Purchase Order and its contents, we kindly ask you to contact your customer directly.
    If this message is incomplete or not readable, feel free to refer to our contact details below.
    Please do not reply to this message! ...


28 January 2016: Purchase_Order_Number__2001800526.doc - Current Virus total detections 2/54*
MALWR shows a download of Dridex Banking malware from
 http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
 http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 5/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453980691/

** https://www.virustot...sis/1453981023/
TCP connections
198.50.234.210
5.178.43.10: https://www.virustot...10/information/
119.160.223.115: https://www.virustot...15/information/

astigarragakomusikaeskola .com: 82.98.134.155: https://www.virustot...55/information/

ponpes-alhijrah .sch.id: 119.235.255.242: https://www.virustot...42/information/
___

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 Jan 2016 - "An email with the subject of 'Invoice' pretending to come from Hayley Stoakes <hayley@ whirlowdale .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Hayley Stoakes <hayley@ whirlowdale .com>
Date: Thu 28/01/2016 11:44
Subject: Invoice
Attachment: 96413.DOC
    Thank you for your order. Your Invoice – 96413 – is attached.


26 January 2016: 96413.DOC - Current Virus total detections 2/54*
.. which is exactly the -same- malware downloader as described in this earlier post** and downloads the -same- Dridex banking Trojan from the -same- locations
 http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
 http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe ..."
* https://www.virustot...sis/1453986418/

** http://myonlinesecur...malware-dridex/
___

Fake 'PAYMENT CONFIRMATION' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 Jan 2016 - "An email with the subject of 'PAYMENT CONFIRMATION' pretending to come from Lesley Mawson <LMawson@ agrin .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Lesley Mawson <LMawson@ agrin .co.uk>
Date: Thu 28/01/2016 13:11
Subject: PAYMENT CONFIRMATION
    For the attention of the accounts department.
    Please find attached a copy of our payment to you.
    Kind regards
    Lesley
    Lesley Mawson
    A.I.P. Ltd
    9 Wassage Way, Hampton Lovett Ind Estate, Droitwich. WR9 0NX


28 January 2016: PAYMENT VOUCHER.DOC - Current Virus total detections 2/54*
.. which is exactly the -same- malware downloader as described in this earlier post** and downloads an
-updated- Dridex banking Trojan
from the -same- locations
 http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
 http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 2/53***) which despite comments on VT shows none of the typical characteristics of common ransomware and looks much more like a Dridex banking Trojan..."
* https://www.virustot...sis/1453986418/

** http://myonlinesecur...malware-dridex/

*** https://www.virustot...sis/1453986791/
___

iCloud Phish - used to activate Stolen iPhones
- https://blog.malware...olen-iphones-2/
Jan 28, 2016 - "... Losing a device or getting it stolen can be disastrous, way beyond the monetary loss. Apple has a nifty feature which allows to remotely erase-and-lock your phone if you ever faced that problem and wanted to make sure your personal information would not fall into the wrong hands. At the same time, this renders the device -useless- for those not in possession of your ID and password:
> https://blog.malware...01/activate.png
'Find My iPhone Activation Lock'
> https://support.appl.../en-ca/HT201365
This is an -inconvenience- for thieves who may want to resell those stolen phones on the black market, but crooks never lack imagination and seem to have found a way to circumvent this protection... a user claimed that -after- her iPhone was stolen, she proceeded to wipe-it and put it in 'Lost Mode', to prevent anyone from using it. Shortly after, she received a message letting her know the phone had been found -but- that she needed to go to a website and verify her Apple ID first. The site was an almost exact -replica- of Apple’s official iCloud.com and loaded fine in Safari (-no- security/phishing warning):
>> https://blog.malware...6/01/safari.png
... not many people would suspect this is a -fraudulent- website. Add to this the euphoria of knowing your precious phone was allegedly found, and proceeding to enter your Apple ID and password seems like a no brainer - Sadly, the website is a -fake- and the information entered in it is directly relayed to the crooks who stole your phone... There were several other domains residing on the same server (104.149.141.56):
    find.apple-service .me
    www .my-icloud .help
    your.icloud-service .help
We have reported this phishing scam to Apple since Safari did -not- flag the website as -dangerous- at the time of writing... Users should be particularly careful of schemes that leverage the emotions involved with the theft or loss of their devices. Online crooks have no shame in abusing their victims twice to get what they want."

104.149.141.56: https://www.virustot...56/information/
___

Business Email Compromise - Fraud ...
- http://blog.trendmic...w-do-you-start/
Jan 26, 2016 - "What will you do if an executive in your company gives you instructions to wire money for a business expense? On email? In a world where cybercriminals devise devious social engineering and computer intrusion schemes to fool employees into wiring money, enterprises run a very serious -risk- of getting -scammed- via email. This emerging global threat is known as the 'business email compromise (BEC)' and it has already victimized 8,179 companies in 79 countries between October 2013 and August 2015 alone*:
* https://www.ic3.gov/...827-1.aspx#ref2
... Multiple warnings were issued by the FBI as to these types of emails in the past year alone. The FBI notes the targets to be companies working with foreign suppliers and/or those that regularly perform wire transfer payments. By February last year, the total number of reported victims had reached 2,126 and the money lost amounted to roughly US $215 million. Come August, the victim numbers have ballooned to 8,179, the money lost added to nearly US $800 million. How can you protect your company from becoming a part of this statistic?
- Know the Basics...
- Familiarize with Past Scams...
- Gear Up Against BEC Threats...
... install email security solutions to block known BEC-related malware before they come in..."
(More detail at the trendmicro URL above.).
 



Edited by AplusWebMaster, 28 January 2016 - 05:01 PM.



#1630 AplusWebMaster


Posted 29 January 2016 - 08:49 AM

FYI...

Fake 'Despatch Note' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2016 - "An email with the subject of 'Despatch Note FFGDES34309' pretending to come from Foyle Food Group Limited <accounts@ foylefoodgroup .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Foyle Food Group Limited <accounts@ foylefoodgroup .com>
Date: Fri 29/01/2016 09:17
Subject: Despatch Note FFGDES34309
Attachment: FFGDES34309.doc
    Please find attached Despatch Note FFGDES34309


29 January 2016: FFGDES34309.doc - Current Virus total detections 5/54*
Downloads Dridex banking malware from jjcoll .in/56gf/g545.exe (VirusTotal 2/54**)
Other download locations include http ://romana .fi/56gf/g545.exe and
 http ://clickchiropractic .com/56gf/g545.exe
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454062970/

** https://www.virustot...sis/1454062183/

jjcoll .in: 198.12.152.113: https://www.virustot...13/information/

romana .fi: 217.78.212.183: https://www.virustot...83/information/

clickchiropractic .com: 50.87.150.204: https://www.virustot...04/information/

- http://blog.dynamoo....fgdes34309.html
29 Jan 2016 - "This -fake- financial spam is not from Foyle Food Group Limited but is instead a simple -forgery- with a malicious attachment:
   From     Foyle Food Group Limited [accounts@ foylefoodgroup .com]
    Date     Fri, 29 Jan 2016 17:58:37 +0700
    Subject     Despatch Note FFGDES34309
    Please find attached Despatch Note FFGDES34309


... The attachment is FFGDES34309.doc which comes in three different variants, downloading from:
jjcoll .in/56gf/g545.exe
romana .fi/56gf/g545.exe
clickchiropractic .com/56gf/g545.exe
This has... a detection rate of 6/49*. According to my contact, this phones home to:
85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)
This drops the Dridex banking trojan. The behaviour is consistent with botnet 220."
Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3
"
* https://www.virustot...09a5f/analysis/
TCP connections
85.143.166.200: https://www.virustot...00/information/
8.254.218.30: https://www.virustot...30/information/
___

Fake 'Scanned image' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2016 - "An email with the subject of 'Scanned image from copier@ victimdomain .tld' pretending to come from copier@ victimdomain .tld with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: copier@ victimdomain .tld
Date: Fri 29/01/2016 11:02
Subject: Scanned image from copier@ victimdomain .tld
Attachment: copier@ ...co.uk_20160129_084903.doc
Body content:
    Reply to: copier@ ...co.uk <copier@ ...co.uk>
    Device Name: COPIER
    Device Model: MX-2310U
    File Format: DOC (Medium)
    Resolution: 200dpi x 200dpi
    Attached file is scanned document in DOC format...


29 January 2016: copier@ ...co.uk_20160129_084903.doc - This is exactly the -same- malware which downloads the -same- Dridex banking malware from the -same- locations as described in this earlier post*..."
* http://myonlinesecur...rd-doc-malware/
___

Fake 'Resume' SPAM - malicious attachment
- http://blog.dynamoo....-resumertf.html
29 Jan 2016 - "This spam leads to malware:
    From:    Laurena Washabaugh [washabaugh .1946@ rambler .ru]
    Date:    29 January 2016 at 10:10
    Subject:    Quick Question
    Signed by:    rambler .ru
    What's going on?
    I was visting your website on 1/29/2016 and I'm very interested.
    I'm currently looking for work either full time or as a intern to get experience in the field.
    Please review my CV and let me know what you think.
    Best regards,
    Laurena Washabaugh


The attachment is named Resume.rtf, but it is actually a DOCX file with a malicious macro... the document has a VirusTotal detection rate of 9/54*... but these automated analyses [1] [2] [3] show it phoning home to:
89.248.166.131 (Quasi Networks, Seychelles)
I recommend that you -block- traffic to that IP..."
* https://www.virustot...sis/1454068566/

1] https://malwr.com/an...zkxZDEzNWM1Y2U/

2] https://www.hybrid-a...environmentId=1

3] https://www.hybrid-a...environmentId=4

89.248.166.131: https://www.virustot...31/information/

- http://myonlinesecur...dsheet-malware/
29 Jan 2016 - "An email with the subject of 'Quick Question' pretending to attach a -resume- coming from random senders with a malicious word rtf attachment which is actually a word docx file is another one from the current bot runs... The email looks like:
From: Robbi Aguinaldo <aguinaldo.1993@ rambler .ru>
Date: Fri 29/01/2016 08:18
Subject: Quick Question
Attachment: Resume.rtf
    Howdy
    I was visting your website on 1/29/2016 and I’m very interested.
    I’m currently looking for work either full time or as a intern to get experience in the field.
    Please review my CV and let me know what you think.
    In appreciation,
    Robbi Aguinaldo


29 January 2016: Resume.rtf - Current Virus total detections 0/55*

* https://www.virustot...sis/1449129718/
.. which downloads the following files:
http ://89.248.166.131/jer.jpg?810  (Currently unavailable)

> 89.248.166.131: https://www.virustot...31/information/
http ://91.224.161.116/clv002/f32.bin (VirusTotal 0/55**), from which the malicious macro alters/decodes/creates several of the files below:
> cccyk7m15911_1.exe
- https://www.virustot...sis/1454087239/

> http ://192.227.181.211/foru.exe saved as: cigiquk79yycc7.exe
- https://www.virustot...sis/1454087310/

>FASDA.exe
- https://www.virustot...sis/1454087462/

> http ://89.248.166.131/1.exe saved as: m3q3c5s79uy5k95.exe
- https://www.virustot...sis/1454087618/

> MQERY.exe
- https://www.virustot...sis/1454087665/

... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... DO NOT click on it or try to open it..."
** https://www.virustot...sis/1449129718/

rambler .ru: 81.19.93.6: https://www.virustot....6/information/
81.19.77.5: https://www.virustot....5/information/
81.19.77.6: https://www.virustot....6/information/
81.19.93.5: https://www.virustot....5/information/
> https://www.virustot...894bd/analysis/
0/66
___

HSBC internet banking services down after cyber attack
- http://www.reuters.c...r-idUSKCN0V71BO
Jan 29, 2016 - "HSBC is working with law enforcement to catch those behind a cyber attack that forced its personal banking websites in the UK to shutdown, its second major service outage this month, the bank said on Friday. Europe's largest lender said it had "successfully defended" its systems against a distributed denial of service (DDoS) attack but it was experiencing fresh threats, impeding full restoration of its services... The outage began on Friday morning and online services were still down by 1630 GMT (11:30 a.m. ET). DDoS attacks are often used by cyber criminals trying to disrupt businesses and companies with significant online activities..."
___

GitHub Blog:
Update on 1/28 service outage:
- https://github.com/b...-service-outage
Jan 29, 2016 - "On Thursday, January 28, 2016 at 00:23am UTC, we experienced a severe service outage that impacted GitHub.com... A brief power disruption at our primary data center caused a cascading failure that impacted several services critical to GitHub.com's operation. While we worked to recover service, GitHub.com was unavailable for two hours and six minutes. Service was fully restored at 02:29am UTC. Last night we completed the final procedure to fully restore our power infrastructure..."
 



Edited by AplusWebMaster, 29 January 2016 - 03:12 PM.



#1631 AplusWebMaster


Posted 01 February 2016 - 08:06 AM

FYI...

Fake 'Order Processed' SPAM - malicious attachment
- http://blog.dynamoo....ed-noreply.html
1 Feb 2016 - "This -fake- financial spam does not come from Duration Windows but is instead a simple -forgery- with a malicious attachment:
    From     NoReply-Duration Windows [noreply@ duration .co.uk]
    Date     Mon, 01 Feb 2016 04:21:03 -0500
    Subject     Order Processed.
    Dear Customer,
    Please find details for your order attached as a PDF to this e-mail.
    Regards,
    Duration Windows
    Sales Department ...


I have only seen a single sample of this spam with an attachment V9568HW.doc which has a detection rate of 5/54*... likely to be the Dridex banking trojan.
UPDATE: The Malwr analysis** shows that the document downloads a malicious executable from:
www .peopleond-clan .de/u56gf2d/k76j5hg.exe
This has a VirusTotal detection rate of 4/54*** and those reports plus this Hybrid Analysis[4] show it phoning home to:
185.24.92.236 (System Projects LLC, Russia)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustot...sis/1454322319/

** https://malwr.com/an...DZlYjk0YzlhOWU/

*** https://www.virustot...sis/1454323739/

4] https://www.hybrid-a...environmentId=4

- http://myonlinesecur...rd-doc-malware/
1 Feb 2016 - "An email with the subject of 'Order Processed' ... with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: NoReply-Duration Windows <noreply@ duration .co.uk>
Date: Mon 01/02/2016 10:16
Subject: Order Processed.
Attachment: V9568HW.doc
    Dear Customer,
    Please find details for your order attached as a PDF to this e-mail.
    Regards, Duration Windows Sales Department ...


1 February 2016: V9568HW.doc - Current Virus total detections 4/55*  
MALWR** shows downloads Dridex banking malware from
 http ://iamnickrobinson .com/u56gf2d/k76j5hg.exe (VirusTotal 3/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454322062/

** https://malwr.com/an...GZlZDdhMzY3NmQ/
74.86.19.136: https://www.virustot...36/information/
185.24.92.236: https://www.virustot...36/information/
13.107.4.50: https://www.virustot...50/information/

*** https://www.virustot...sis/1454325006/
TCP connections
185.24.92.236: https://www.virustot...36/information/
2.22.22.113: https://www.virustot...13/information/
___

Fake 'Invoice INV19' SPAM - malicious attachment
- http://blog.dynamoo....23456-from.html
1 Feb 2016 - "This spam appears to originate from a -variety- of companies with -different- references. It comes with a malicious attachment.
    From:    Marisol Barrett [BarrettMarisol04015@ victimdomain .tld]
    Date:    1 February 2016 at 08:39
    Subject:    Invoice 48014 from JKX OIL & GAS
    Dear Customer,
    Your invoice appears below. Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Marisol Barrett ...

From:    Oswaldo Browning [BrowningOswaldo507@ victimdomain .tld]
Date:    1 February 2016 at 09:38
Subject:    Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Oswaldo Browning
J P MORGAN PRIVATE EQUITY LTD ...


The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the -fake- reference number). There are at least -three- different versions...
UPDATE 2: The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:
31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php
These IPs can be considered as -malicious- and belong to:
31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)
This drops a -malicious- binary with a detection rate of 2/53*. This phones home to:
185.24.92.229 (System Projects, LLC, Russia)
This spam appears to be the Dridex banking trojan (botnet 120 perhaps).
Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23
"
1] https://malwr.com/an...TViOGNlMzQyMWE/

2] https://malwr.com/an...DM3MWU0OTI2YTk/

3] https://malwr.com/an...TA1OWQ5YTA0OWE/

* https://www.virustot...8b31/analysis/#

- http://myonlinesecur...malware-broken/
1 Feb 2016 - "An email with the subject of 'Invoice' (random number) from Random companies pretending to come from random names at your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

1 February 2016: INV19 – 882596.doc - Current Virus total detections 2/54*  
MALWR** shows a download from http ://31.41.45.23/indiana/jones.php
which gave me crypted120med.exe (VirusTotal 2/53***)..."
* https://www.virustot...sis/1454319886/

** https://malwr.com/an...zM0Zjg1ZmM1NGU/

*** https://www.virustot...sis/1454322842/
___

Fake 'Scanned image' SPAM - malicious attachment
- http://blog.dynamoo....image-from.html
1 Feb 2016 - "This -fake- document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple -forgery- with a malicious attachment.
From:    copier@ victimdomain .tld
Date:    1 February 2016 at 12:11
Subject:    Scanned image from copier@ victimdomain .tld
Reply to: copier@ victimdomain .tld [copier@ victimdomain .tld]
Device Name: COPIER
Device Model: MX-2310U
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned document in DOC format...


I have seen two different versions of the attached document, named in a format copier@ victimdomain .tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2] and the Malwr report* for one of them shows the macro downloading from:
dulichando .org/u56gf2d/k76j5hg.exe
This executable has a detection rate of 4/53** and the Hybrid Analysis reports*** that it phones home to:
185.24.92.236 (System Projects LLC, Russia)
I strongly recommend that you -block- traffic to that IP. The payload is Dridex, as seen here****."
1] https://www.virustot...sis/1454332258/

2] https://www.virustot...sis/1454332268/

* https://malwr.com/an...mZiZTM0NDY3YjY/

** https://www.virustot...sis/1454332659/

*** https://www.hybrid-a...environmentId=4

**** http://blog.dynamoo....ed-noreply.html
 



Edited by AplusWebMaster, 01 February 2016 - 10:56 AM.


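Added example (my own code, not from the forum post above or from the blogs it quotes): a small Python script that turns the defanged indicators quoted in these posts (the 'http ://host .tld/path', 'host .tld', bare 'ip/path' and 'entire /22 range' forms, plus the common hxxp and [.] styles) into a deduplicated, sorted list of IPs, CIDR ranges, domains and URLs that can be reviewed and then fed to a proxy or firewall. The sample text is constructed from the notation used in the posts; REPORTING_DOMAINS, NOT_A_TLD and the assumption that scheme-less download paths are plain http are my choices, not anything the blogs state.

```python
"""Turn the defanged indicators quoted in malspam write-ups into a reviewable blocklist.

Added example, not code from the forum thread or from the blogs it quotes.
Handles the defanging styles seen in the posts ('http ://host .tld/path',
'host .tld', bare 'ip/path', 'ip/prefix') plus the common 'hxxp' and '[.]'
forms. SAMPLE below is constructed from the notation used in the posts.
"""
import ipaddress
import re

# Sandbox/report sites quoted alongside the indicators: never block these (assumption).
REPORTING_DOMAINS = ("virustotal.com", "malwr.com", "hybrid-analysis.com")
# "TLDs" that are really file extensions, or the blogs' 'victimdomain .tld' placeholder.
NOT_A_TLD = {"exe", "doc", "docx", "xls", "rtf", "zip", "bin", "php", "png", "jpg", "tld"}

DOMAIN_RE = re.compile(r"^(?:(https?)://)?((?:[a-z0-9-]+\.)+([a-z]{2,}))(/\S*)?$", re.I)
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/(\S*))?$")


def refang(text: str) -> str:
    """Undo the spacing and bracket defanging so the indicators parse normally."""
    text = re.sub(r"(?i)hxxp", "http", text)
    text = re.sub(r"(?i)\[(?:\.|dot)\]", ".", text)
    text = text.replace(" ://", "://")                       # 'http ://' -> 'http://'
    text = re.sub(r"(?<=\S) \.(?=[A-Za-z0-9])", ".", text)   # 'host .tld' -> 'host.tld'
    return text.replace("@ ", "@")                           # 'user@ host' -> 'user@host'


def _is_reporting_site(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in REPORTING_DOMAINS)


def extract_iocs(text: str) -> dict:
    """Return sorted lists of ips, cidrs, domains and urls found in a write-up."""
    found = {"ips": set(), "cidrs": set(), "domains": set(), "urls": set()}
    for raw in refang(text).split():
        tok = raw.strip("()<>[]\"',;:.*")
        # Truncated report links ('virustot...') and e-mail addresses are skipped:
        # the From: addresses in these runs are forged, so their domains belong to
        # legitimate businesses, not to infrastructure worth blocking.
        if not tok or "..." in tok or "@" in tok:
            continue
        m = IPV4_RE.match(tok)
        if m:
            ip, tail = m.group(1), m.group(2)
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                continue                                     # an octet above 255: not an address
            if tail is not None and tail.isdigit() and int(tail) <= 32:   # '91.239.232.0/22'
                found["cidrs"].add(str(ipaddress.ip_network(f"{ip}/{tail}", strict=False)))
            else:
                found["ips"].add(ip)
                if tail:                                     # '31.41.45.23/indiana/jones.php'
                    found["urls"].add(f"http://{ip}/{tail}")
            continue
        m = DOMAIN_RE.match(tok)
        if not m:
            continue
        scheme, host, tld, path = m.groups()
        host = host.lower()
        if tld.lower() in NOT_A_TLD or _is_reporting_site(host):
            continue
        found["domains"].add(host)
        if scheme or path:                                   # scheme-less 'host.tld/x' assumed http
            found["urls"].add(f"{(scheme or 'http').lower()}://{host}{path or ''}")
    return {k: sorted(v) for k, v in found.items()}


# Constructed sample, written in the same defanged style as the posts above.
SAMPLE = """\
MALWR shows a download of Dridex Banking malware from
 http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
 http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 5/54**)...
From: Hayley Stoakes <hayley@ whirlowdale .com>
* https://www.virustot...sis/1453980691/
jjcoll .in/56gf/g545.exe
31.41.45.23/indiana/jones.php
This phones home to:
85.143.166.200 (Pirix, Russia)
Recommended blocklist:
185.24.92.229
you can probably block the entire 91.239.232.0/22 range
"""

if __name__ == "__main__":
    for kind, entries in extract_iocs(SAMPLE).items():
        print(kind, entries)
```

Two deliberate gaps to keep in mind: forged From: addresses are skipped, because blocking whirlowdale .com or agrin .co.uk would hit the spoofed businesses rather than the attackers, and resolution IPs that the posts list for genuine services (mail providers, scanners) are picked up like any other IP, so the output is a review list, not an automatic feed.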

#1632 AplusWebMaster


Posted 02 February 2016 - 05:22 AM

FYI...

Fake 'Order Dispatch' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
2 Feb 2016 - "An email with the subject of 'Order Dispatch: AA608034' (random order numbers) pretending to come from aalabels <customercare45660@ aalabels .com> (random customercare numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...34-1024x549.png

2 February 2016: invoice_AA608034.doc - Current Virus total detections 4/52*
Downloads Dridex Banking malware from
hebenstreit .us.com/5h4g/0oi545gfgf.exe (VirusTotal 3/51**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

* https://www.virustot...347d8/analysis/

** https://www.virustot...sis/1454402505/
TCP connections
91.239.232.145: https://www.virustot...45/information/
90.84.59.9: https://www.virustot....9/information/

- http://blog.dynamoo....h-aa207241.html
2 Feb 2016 - "This -fake- financial spam is not from aalabels .com but is instead a simple -forgery- with a malicious attachment.

Screenshot: https://3.bp.blogspo...40/aalabels.png

The sender's email address and details will vary from email to email; however, they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc which comes in at least -three- different versions... Malwr reports... show the macro in the documents downloading from one of the following locations:
timestyle .com.au/5h4g/0oi545gfgf.exe
hebenstreit .us.com/5h4g/0oi545gfgf.exe
fillingsystem .com/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/52*... Malwr reports show it phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I would strongly recommend -blocking- traffic to that IP, or indeed you can probably block the entire 91.239.232.0/22 range with no ill effects."
* https://www.virustot...sis/1454404870/
91.239.232.145: https://www.virustot...45/information/
90.84.59.9: https://www.virustot....9/information/
___

Fake 'New order' SPAM - malware
- http://myonlinesecur...206754-malware/
2 Feb 2016 - "An email with the subject of 'New order Enquiry 206754' pretending to come from Corcom Co ltd <corcom@ bnisyariah .co.id> with a zip attachment is another one from the current bot runs... The email looks like:
From: Corcom Co ltd <corcom@ bnisyariah .co.id>
Date: Tue 02/02/2016 03:13
Subject:  New order Enquiry 206754
Attachment: Enquiry 206754.zip
    Dear Customer,
    Find attached our purchase order. Kindly quote us best price and send
    us proforma invoice asap, so that we can proceed with the necessary
    payment,We need this Order urgently. kindly confirm the PO and send PI
    asap.
    Thank you.
    Ms. Sim Rabim
    Jl. M.H. Thamrin 59 Jakarta 10350 - Indonesia ...


2 February 2016: Enquiry 206754.zip: Extracts to: Enquiry 206754.exe - Current Virus total detections 14/52*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will be hidden instead of showing it as the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454400171/
___

Fake 'PURCHASE' SPAM - malicious attachment
- http://blog.dynamoo....2016-d1141.html
2 Feb 2016 - "This spam does not come from Flower Vision but is instead a simple -forgery- with a malicious attachment:
    From:    sales@ flowervision .co.uk
    Date:    2 February 2016 at 08:28
    Subject:    PURCHASE 02/02/2016 D1141
    FLOWERVISION
    Internet Order Confirmation
    Page
    1/1 ...


Attached is a file SALES_D1141_02022016_164242.xls which I have seen just one version of, with a detection rate of 1/50*. This Hybrid Analysis** shows the macro in the spreadsheet downloading from:
www .torinocity .it/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/51***, and is the same payload as seen earlier****."
* https://www.virustot...sis/1454406875/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...sis/1454407813/
TCP connections
91.239.232.145: https://www.virustot...45/information/
90.84.59.9: https://www.virustot....9/information/

**** http://blog.dynamoo....h-aa207241.html

- http://myonlinesecur...malware-dridex/
2 Feb 2016 - "An email with the subject of 'PURCHASE 02/02/2016 D1141' pretending to come from sales@ flowervision .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...41-1024x586.png

25 February 2015: SALES_D1141_02022016_164242.xls ...
Downloads Dridex from same locations as today’s earlier Malspam*. This one is
http ://www .fabian-enkenbach .de/5h4g/0oi545gfgf.exe (VirusTotal 5/51**)..."
* http://myonlinesecur...dsheet-malware/

** https://www.virustot...sis/1454407813/
TCP connections
91.239.232.145: https://www.virustot...45/information/
90.84.59.9: https://www.virustot....9/information/
___

Fake 'RB0081 INV' SPAM - malicious attachment
- http://blog.dynamoo....2039-sales.html
2 Feb 2016 - "This -fake- financial spam does not come from Leathams but is instead a simple -forgery- with a malicious attachment.
    From:    Sales invoice [salesinvoice@ leathams .co.uk]
    Reply-To:    "no-reply@ leathams .co.uk" [no-reply@ leathams .co.uk]
    Date:    2 February 2016 at 13:15
    Subject:    RB0081 INV2372039
    Dear Sir/Madam,
    Please find attached your sales invoice(s) for supplied goods.  Please process for payment as soon as possible.
    In the event that you have a query - please direct your query...


Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least -two- different versions... The Malwr analysis for one of those samples shows a download from:
fillingsystem .com/5h4g/0oi545gfgf.exe
This is similar to a spam run earlier, but now the payload has changed to one with a detection rate of precisely zero*... The payload is the Dridex banking trojan.
UPDATE: Automated analysis [1] [2] shows the executable phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend -blocking- traffic to that IP, or the whole /22 in which it resides."
* https://www.virustot...sis/1454419546/
0/53

1] https://malwr.com/an...GQyMzM5YWZhMTM/

2] https://www.hybrid-a...environmentId=1

- http://myonlinesecur...rd-doc-malware/
2 Feb 2016 - "An email with the subject of 'RB0081 INV2372039' pretending to come from Sales invoice <salesinvoice@ leathams .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Sales invoice <salesinvoice@ leathams .co.uk>
Date: Tue 02/02/2016 12:13
Subject: RB0081 INV2372039
Attachment: Leathams Ltd_INV2372039.doc
    Dear Sir/Madam,
    Please find attached your sales invoice(s) for supplied goods. Please process for payment as soon as possible.
    In the event that you have a query – please direct your query...


2 February 2016: Leathams Ltd_INV2372039.doc - Current Virus total detections 4/54*
downloads Dridex banking malware from the same locations as today’s earlier malspams**. This example connects to http ://fillingsystem .com/5h4g/0oi545gfgf.exe which delivers an updated Dridex version to the earlier ones (VirusTotal 0/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454417962/

** http://myonlinesecur...dsheet-malware/

*** https://www.virustot...sis/1454419046/
 



Edited by AplusWebMaster, 02 February 2016 - 10:45 AM.


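Added example (my own code, not the forum's or the quoted blogs'): the two attachment tricks described above, Resume.rtf that is really a DOCX carrying a macro (post #1630) and Enquiry 206754.zip whose single member is an .exe behind a document icon (this post), are both caught by sniffing the container from its bytes and looking inside archives instead of trusting the extension that Explorer may be hiding. The Python below does that on constructed stand-in files (not the real samples); the OLE macro check is a rough byte-string heuristic I chose, and a real parse would use a tool such as oletools' olevba.

```python
"""Sniff an attachment's real container type and look inside archives, as the
posts above advise: 'Resume.rtf' that is really a DOCX with a macro, and a
.zip whose only member is an .exe wearing a document icon.

Added example, not code from the forum thread or the quoted blogs. The sample
attachments are constructed stand-ins, not the real malware.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
             ".js", ".jse", ".vbs", ".wsf", ".hta"}
# What the extension claims -> container types that are legitimate for it (assumption).
EXPECTED = {".doc": {"ole"}, ".xls": {"ole"}, ".rtf": {"rtf"}, ".zip": {"zip"},
            ".docx": {"ooxml"}, ".xlsx": {"ooxml"},
            ".docm": {"ooxml-macro"}, ".xlsm": {"ooxml-macro"}}


def ext_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def sniff(data: bytes) -> str:
    """Identify the container from magic bytes, and for zips from the member list."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-damaged"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "ooxml-macro"          # Office Open XML with an embedded VBA project
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "zip"
    return "unknown"


def triage(name: str, data: bytes) -> list:
    """Findings for one attachment; an empty list means these checks saw nothing."""
    findings = []
    ext, kind = ext_of(name), sniff(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"{name}: extension {ext} but content is {kind}")
    if ext in EXEC_EXTS:                  # 'Invoice.pdf.exe' shows as 'Invoice.pdf' with extensions hidden
        findings.append(f"{name}: executable extension {ext}")
    if kind == "ooxml-macro":
        findings.append(f"{name}: contains a VBA project (vbaProject.bin)")
    if kind == "ole" and "_VBA_PROJECT".encode("utf-16-le") in data:
        # rough heuristic: OLE storage names are stored UTF-16LE; use olevba for a real parse
        findings.append(f"{name}: OLE document carries a VBA project storage")
    if kind == "pe":
        findings.append(f"{name}: is a Windows executable")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                mext = ext_of(member.filename)
                head = zf.open(member).read(2)          # only the first two bytes are needed
                if mext in EXEC_EXTS or head == b"MZ":
                    findings.append(f"{name}: archive member '{member.filename}' is executable")
    return findings


def _zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins modelled on the attachments described in the posts above.
SAMPLES = {
    "Resume.rtf": _zip({"[Content_Types].xml": b"<Types/>",
                        "word/document.xml": b"<w:document/>",
                        "word/vbaProject.bin": OLE_MAGIC + b"\0" * 16}),
    "Enquiry 206754.zip": _zip({"Enquiry 206754.exe": b"MZ" + b"\0" * 62}),
    "FFGDES34309.doc": OLE_MAGIC + b"\0" * 24 + "_VBA_PROJECT".encode("utf-16-le"),
    "notes.rtf": b"{\\rtf1\\ansi plain text}",          # genuine RTF: no finding expected
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or ["nothing found by these checks"])
```

The mismatch check is the useful part: a mail gateway that only looks at the extension passes Resume.rtf straight to Word, which will happily open the DOCX inside and offer to enable the macro, and Explorer with known extensions hidden shows 'Enquiry 206754' with the icon the attacker chose.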

#1633 AplusWebMaster


Posted 03 February 2016 - 06:38 AM

FYI...

Turning Off Specific Files from Previewing in the Microsoft Outlook Reading Pane
- http://windowsitpro....ok-reading-pane

Block Certain File Types from Opening in Associated Office Applications
- http://windowsitpro....ce-applications

>> http://myonlinesecur...-macro-viruses/
3 Feb 2016
___

Security flaws discovered in smart toys and kids' watches
- http://net-security....ld.php?id=19404
3 Feb 2016 - "Rapid7 researchers* have unearthed serious flaws in two 'Internet of Things' devices:
• The Fisher-Price Smart Toy, a "stuffed animal" type of toy that can interact with children and can be monitored via a mobile app and WiFi connectivity, and
• The hereO GPS Platform, a smart GPS toy watch that allows parents to track their children's physical location.
In both cases the problem was with the authentication process, i.e. in the platform's web service (API) calls. In the first instance, the API calls were not appropriately verified, so an attacker could have sent unauthorized requests and extract information such as customer details, children's profiles, and more... In the second instance, the flaw allowed attackers to gain access to the family's group by adding an account to it, which would allow them to access the family member's location, location history, etc. "We have once again been able to work with vendors to resolve serious security issues impacting their platforms and hope that vendors considering related products are able to take note of these findings so that the overall market can improve beyond just these particular instances," noted Mark Stanislav, manager of global services at Rapid7*... "
* https://community.ra...eo-gps-platform
Feb 2, 2016
___

Fake 'Free Travel Lottery' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
3 Feb 2016 - "An email with the subject of 'Free Travel Lottery Drawing' pretending to come from VIATOR.COM <winners@ viator .com> with a malicious word doc attachment is another one from the current bot runs.. The email looks like:
From: VIATOR .COM <winners@ viator .com>
Date: Wed, 3 Feb 2016 16:14
Subject: Free Travel Lottery Drawing
Attachment: winner_81.doc
    ATripAdvisor®Company
    Unforgettable time in the place where summer never ends!
    We held a lottery drawing among the customers of our travel agency Viator!
    Free travel for 2 persons to a Paradise Island Koh-Samui, in Kingdom of Thailand for 10 days! Travel insurance included!
    2,500,000 our customers took participation in the lottery. Only 250 winners!
    To learn more about the tour and your Winner Bonus become familiar with the attached document...


3 February 2015: winner_81.doc - Current Virus total detections 1/54*
MALWR** shows it downloads http ://finiki45toget .com/post/511plvk.exe (virustotal 2/52***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454514245/

** https://malwr.com/an...2Y5NzZiNzc3ODg/
163.20.136.189: https://www.virustot...89/information/
>> https://www.virustot...d588a/analysis/

*** https://www.virustot...sis/1454512889/
___

Fake 'Invoice (SI-523)' SPAM - malicious attachment
- http://blog.dynamoo....invoice-si.html
3 Feb 2016 - "This -fake- financial spam does not come from GS Toilet Hire but is instead a simple -forgery- with a malicious attachment. In other words, if you open it.. [don't].
    From:    GS Toilet Hire [donotreply@ sageone .com]
    Date:    3 February 2016 at 09:12
    Subject:    GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016
    Good morning
    Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.
    Full details, including payment terms, are included.
    If you have any questions, please don't hesitate to contact us.
    Kind regards,
    Linda Smith
    Office, GS Toilet Hire ...


I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates... containing some highly obfuscated scripts... which... downloads a binary from one of the following locations:
obstipatie..nu/43rf3dw/34frgegrg.exe
bjhaggerty..com/43rf3dw/34frgegrg.exe
(also www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe ...)
This type of download indicates that this is Dridex 220; it is unusual for it to be spammed out with a Javascript-in-ZIP format rather than a malicious Office macro. The binary... shows the malware phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend that you -block- all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.
UPDATE: The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc which comes in at least two different variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from the following locations:
xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband .com/43rf3dw/34frgegrg.exe
This is a different binary from before, with a detection rate of 4/53*. It still phones home to the same location."
1] https://www.virustot...sis/1454494549/

2] https://www.virustot...sis/1454494559/

3] https://malwr.com/an...WZhMTkwZmRlYzE/
98.143.159.150
91.239.232.145
13.107.4.50


4] https://malwr.com/an...mQwMGQwZjczZDU/
192.186.239.3
91.239.232.145
184.25.56.44


* https://www.virustot...f3f67/analysis/

- http://myonlinesecur...ding-to-dridex/
3 Feb 2016 - "... an email with the subject of 'GS Toilet Hire – Invoice (SI-523) for £60.00, due on 28/02/2016' pretending to come from GS Toilet Hire <donotreply@ sageone .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...60-1024x515.png

- or: http://myonlinesecur...on-1024x515.png

3 February 2016: Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip - Extracts to: invoice_id2677432297.js
Current Virus total detections 2/54*. MALWR**
3 February 2016: Sales_Invoice_SI-523_GS Toilet Hire.doc - VirusTotal 3/52***
downloads what looks like -Dridex- from xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe
(VirusTotal 4/53[4])
obstipatie .nu/43rf3dw/34frgegrg.exe
bjhaggerty .com/43rf3dw/34frgegrg.exe
taukband .com/43rf3dw/34frgegrg.exe
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454491705/

** https://malwr.com/an...mFiN2FjNjdiYjA/
46.17.1.250

*** https://www.virustot...sis/1454492103/

4] https://www.virustot...sis/1454493882/
___

Fake 'Invoice MOJU' SPAM - malicious attachment
- http://blog.dynamoo....9-accounts.html
3 Feb 2016 - "This -fake- financial spam comes with a malicious attachment. It does not come from Moju Ltd but is instead a simple -forgery- with a malicious attachment:
    From:    Accounts [message-service@ post.xero .com]
    Date:    3 February 2016 at 09:04
    Subject:    Invoice MOJU-0939
    Hi,
    Here's invoice MOJU-0939 for 47.52 GBP. For last weeks delivery.
    The amount outstanding of 47.52 GBP is due on 25 Feb 2016.
    If you have any questions, please let us know.
    Thanks,
    Moju Ltd


I have only seen one sample of this, with an attachment named Invoice MOJU-0939.zip containing a malicious script invoice_id4050638124.js that has a detection rate of 2/53* and which according to this Malwr report** downloads a binary from:
www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe
This payload is the -same- as seen in this concurrent spam run***."
* https://www.virustot...4b867/analysis/

** https://malwr.com/an...jdlYmU4NWFhNDQ/
210.160.220.144

*** http://blog.dynamoo....invoice-si.html

- http://myonlinesecur...malware-dridex/
3 Feb 2016 - "An email with the subject of 'Invoice MOJU-0939' pretending to come from Accounts <message-service@ post.xero .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...39-1024x497.png

3 February 2016:  Invoice MOJU-0939.zip: Extracts to: invoice_id6174018044.js
Current Virus total detections 2/52*. MALWR** which downloads what looks like Dridex banking malware from http ://obstipatie .nu/43rf3dw/34frgegrg.exe  (VirusTotal 3/54***)
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454489431/

** https://malwr.com/an...mFiN2FjNjdiYjA/

*** https://www.virustot...sis/1454490157/
TCP connections
91.239.232.145: https://www.virustot...45/information/
13.107.4.50: https://www.virustot...50/information/
___

Fake 'Attached Image' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
3 Feb 2016 - "... another email with the subject of 'Attached Image' pretending to come from canon@ victimdomain .tld with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: canon@ victimdomain .tld
Date: Wed 03/02/2016 10:38
Subject: Attached Image
Attachment: 1690_001.xls


Body content: Blank

3 February 2016: 1690_001.xls - Current Virus total detections 2/52*
.. same Dridex macro dropper, downloading the -same- Dridex banking malware that was described in this earlier post** from -same- locations. This one was from
best-drum-set .com/43rf3dw/34frgegrg.exe ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454500546/

** http://myonlinesecur...ding-to-dridex/

- http://blog.dynamoo....from-canon.html
3 Feb 2016 - "This spam pretends to come from the victim's own domain, but it doesn't. Instead it is a simple -forgery- with a malicious attachment.
    From:    canon@ victimdomain .tld
    Date:    3 February 2016 at 12:09
    Subject:    Attached Image


There is no body text. Attached is a file 1690_001.xls of which I have seen a single variant with a detection rate of 9/54*. The Hybrid Analysis** shows it downloading an executable from:
best-drum-set .com/43rf3dw/34frgegrg.exe
This has a detection rate of 6/51 and is the -same- binary as used in this other spam attack today***."
* https://www.virustot...sis/1454501819/

** https://www.hybrid-a...environmentId=4
192.254.190.17

*** http://blog.dynamoo....invoice-si.html
___

Tesco 'shop for free' – phish
- http://myonlinesecur...-free-phishing/
3 Feb 2016 - "An email saying 'Tesco is giving you a chance to shop for free' pretending to come from Tesco .com <info@ sets .com> is one of the latest phishing emails trying to -steal- your Tesco bank details... This one -only- wants your personal details, Tesco log-in details and your credit card and bank details... some of the screen shots are from this new phish, but others have been re-used from  older versions that I have already blogged about, but are identical except for the site name in the URL bar. If you follow that link you see a webpage looking like:
> http://myonlinesecur...s1-1024x606.jpg
Then you get a page asking to verify your mobile phone number:
>> http://myonlinesecur..._2-1024x689.png
After filling in that page you then get this one:
>>> http://myonlinesecur...-1-1024x517.png
Then this comes up... Any 5 digit number entered in the box gets you to the next page:
>>>> http://myonlinesecur..._4-1024x568.png
Then you get a page asking for password and Security number... After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... eventually it auto -redirects- you to the genuine Tesco bank site... -All- of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 03 February 2016 - 02:32 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
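The write-ups quoted in this post list their download locations and callback addresses defanged (a space before the TLD, ".." or "(dot)" in place of a dot, "http ://") and recommend blocking the 91.239.232.0/22 and 62.76.184.0/21 ranges around the Dridex phone-home addresses. The following Python script is an added example, not code from this forum or from the blogs quoted above: it refangs a constructed set of indicator lines copied from the posts, separates hostnames from IP addresses, builds a distinct blocklist, and checks each IP against the two recommended ranges. SAMPLE_LINES and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: indicator lines written the way the posts above defang them
# (space before the TLD, "..", "(dot)", "http ://"). Bracketed annotations are
# kept on purpose to show that the parser ignores them.
SAMPLE_LINES = [
    "http ://finiki45toget .com/post/511plvk.exe",
    "obstipatie..nu/43rf3dw/34frgegrg.exe",
    "www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe",
    "xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe",
    "http ://69.61.48.46 /43543r34r/843tf.exe",
    "amazon-update-account-awd547324897457(dot)tube-gif-converter(dot)com/Login(dot)php",
    "91.239.232.145 (Hostpro Ltd, Ukraine)",
    "62.76.191.108 (Clodo-Cloud / IT-House, Russia)",
    "13.107.4.50",
]

# Ranges the posts suggest blocking around the two Dridex callback addresses.
BLOCK_RANGES = [ipaddress.ip_network(c) for c in ("91.239.232.0/22", "62.76.184.0/21")]


def refang(text):
    """Undo the defanging conventions used in the posts so the indicator parses."""
    t = text.strip()
    t = re.sub(r"\[DOT\]|\(dot\)", ".", t, flags=re.IGNORECASE)   # name(dot)tld
    t = t.replace("http ://", "http://").replace("https ://", "https://")
    t = re.sub(r"\s*\.\s*", ".", t)       # "obstipatie .nu", "www .example"
    t = t.replace("..", ".")              # "obstipatie..nu"
    t = re.sub(r"\s+/(?=\S)", "/", t)     # "69.61.48.46 /path" (but not "Cloud / IT")
    return t


def parse_indicator(line):
    """Classify one line as an IP or hostname indicator, keeping any URL path."""
    token = refang(line).split()[0]           # first token; trailing notes are dropped
    token = re.sub(r"^https?://", "", token)
    host, _, rest = token.partition("/")
    path = "/" + rest if rest else ""
    try:
        return {"type": "ip", "value": str(ipaddress.ip_address(host)), "path": path}
    except ValueError:
        return {"type": "host", "value": host.lower(), "path": path}


def matching_block_range(ip):
    """Return the recommended block range that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCK_RANGES:
        if addr in net:
            return str(net)
    return None


def build_blocklist(lines):
    """Distinct hosts and IPs extracted from a set of defanged indicator lines."""
    hosts, ips = set(), set()
    for line in lines:
        ind = parse_indicator(line)
        (ips if ind["type"] == "ip" else hosts).add(ind["value"])
    return {"hosts": sorted(hosts), "ips": sorted(ips, key=ipaddress.ip_address)}


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_LINES)
    print("hosts to block:", *bl["hosts"], sep="\n  ")
    for ip in bl["ips"]:
        net = matching_block_range(ip)
        print(f"{ip:16} {'in block range ' + net if net else 'not in a recommended range'}")
```

Note that 13.107.4.50 shows up in several of the sandbox connection lists above but sits outside both ranges, so the check reports it without blocking it: a sandbox's TCP connection list includes whatever the sample's host talked to, and only the addresses the analysis actually attributes to the malware belong on a blocklist.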


#1634 AplusWebMaster - SWI Friend - 10,031 posts

Posted 04 February 2016 - 07:16 AM

FYI...

Fake 'January balance' SPAM - malicious attachment
- http://blog.dynamoo....nce-alison.html
4 Feb 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers, but is instead a simple -forgery- with a malicious attachment:
    From     Alison Smith [ASmith056@ jtcp .co.uk]
    Date     Thu, 04 Feb 2016 10:52:21 +0300
    Subject "January balance £785"
    Hi,
    Thank you for your recent payment of £672.
    It appears the attached January invoice has been missed off of your payment. Could
    you please advise when this will be paid or if there is a query with the invoice?
    Regards
    Alison Smith
    Assistant Accountant ...


The poor company being spoofed has already been hit by this attack recently... The email address of the sender varies from message to message. Attached is a file IN161561-201601.js which comes in at least -five- different versions (VirusTotal 0/53[1]..). This is a highly obfuscated script... and automated analysis of the various scripts [6].. shows that the macro downloads from the following locations (there may be more):
ejanla .co/43543r34r/843tf.exe
cafecl .1pworks.com/43543r34r/843tf.exe
This binary has a detection rate of 2/52* and phones home to:
62.76.191.108 (Clodo-Cloud / IT-House, Russia)
Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220."
1] https://www.virustot...sis/1454576263/

6] https://www.hybrid-a...environmentId=1

* https://www.virustot...sis/1454577822/
TCP connections
62.76.191.108
13.107.4.50


- http://myonlinesecur...ers-js-malware/
4 Feb 2016 - "... once again spoofing Alison Smith of J Thomson Colour Printers with an email with the subject of  'January balance £785' pretending to come from Alison Smith <ASmith5AC@ jtcp .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...85-1024x761.png

4 February 2016: IN161561-201601.js - Current Virus total detections 0/52*
MALWR** shows a download from http ://ejanla .co/43543r34r/843tf.exe which is highly likely to be Dridex banking malware. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454576306/

** https://malwr.com/an...DdhNWE5OGEzN2Y/
23.229.207.163
62.76.191.108
13.107.4.50

___

Fake 'Swift Copy' SPAM - doc malware
- http://myonlinesecur...4-1761-exploit/
4 Feb 2016 - "An email with the subject of 'Re: Swift Copy' pretending to come from Kim Raymonds <kimraymonds@ sssup .it> (probably random email addresses) with a malicious word doc attachment is another one from the current bot runs... This is using the CVE-2014-1761 exploit* in unpatched versions of Office and it doesn’t matter if you have macros turned off or not. If you are -not- patched, then you WILL be infected by this.
* https://web.nvd.nist...d=CVE-2014-1761 - 9.3 (HIGH)
You also need to read the bottom paragraph of THIS page** to use additional settings to protect yourself against this & similar exploits...
** http://myonlinesecur...-macro-viruses/
The email looks like:
From: Kim Raymonds <kimraymonds@ sssup .it>
Date: Thu 04/02/2016 10:27
Subject: Re:Swift Copy
Attachment: Swift Copy.doc
    Dear
    My boss requested i should send the swift copy to you.
    Pls see the attached.
    Have a great day!
    Thanks,
    Kim Raymonds
    Office Manager


4 February 2016 : Swift Copy.doc - Current Virus total detections 23/52*
MALWR** shows it downloads http ://andersonken479 .pserver .ru/doc.exe (VirusTotal 16/54***) which is some sort of banking Trojan and password stealer. One additional trick being played on you to infect you is that the downloaded doc.exe has an icon looking like a word doc, so if you accidentally open the original swift copy.doc, the doc.exe gets silently downloaded in background and is supposed to autorun..."
* https://www.virustot...sis/1454405380/

** https://malwr.com/an...zlmMzBmYjg0MTU/
91.202.12.139: https://www.virustot...39/information/
>> https://www.virustot...9d4c3/analysis/

*** https://www.virustot...sis/1454514020/
___

Fake 'Fuel Card E-bill' SPAM - malicious attachment
- http://blog.dynamoo....ard-e-bill.html
4 Feb 2016 - "This -fake- financial spam does not come from Fuel Card Services Ltd but is instead a simple -forgery- with a malicious attachment:
    From     "Fuel Card Services" [adminbur@ fuelcardgroup .com]
    Date     Thu, 04 Feb 2016 04:29:24 -0700
    Subject     BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016 ...
Account: B216552
Please find your e-bill 0200442 for 31/01/2016 attached.
To manage you account online please click ...
If you would like to order more fuel cards please click ...
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin.
Fuel Card Services Ltd ...


I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro... which is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:
www .trulygreen .net/43543r34r/843tf.exe
... also reported as a download location is:
www .mraguas .com/43543r34r/843tf.exe
If you look at the details of the Malwr report, it seems that the script does create a LOT of files all over the place. The dropped executable has a detection rate of 4/52* and this Hybrid Analysis** shows that it phones home to:
62.76.191.108 (Clodo-Cloud / IT-House, Russia)
This is the same IP address as seen earlier, but the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 62.76.184.0/21 is probably worth considering too."
* https://www.virustot...8bc6d/analysis/

** https://www.hybrid-a...environmentId=4

- http://myonlinesecur...dsheet-malware/
4 Feb 2016 - "... an email with the subject of 'BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016' pretending to come from 'Fuel Card Services' <adminbur@ fuelcardgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Fuel Card Services <adminbur@ fuelcardgroup .com>
Date: Thu 04/02/2016 12:31
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016
Attachment: ebill0200442.xls ...
Account: B216552
Please find your e-bill 0200442 for 31/01/2016 attached.
To manage you account online please click ...
If you would like to order more fuel cards please click ...
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin...


4 February 2016: ebill0200442.xls - Current Virus total detections 4/52*
This will download Dridex banking Trojans from
http ://www .mraguas .com/43543r34r/843tf.exe  (VirusTotal 4/52**)
Other locations so far discovered include
http ://clothesmaxusa .com/43543r34r/843tf.exe
http ://cluster007.ovh .net/~lelodged/43543r34r/843tf.exe
http ://69.61.48.46 /43543r34r/843tf.exe
http ://www .trulygreen .net/43543r34r/843tf.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454588668/

** https://www.virustot...sis/1454588381/
___

Fake Amazon Mail - Phish ...
- https://blog.malware...nt-information/
Feb 4, 2016 - "From the mailbox: a -fake- Amazon mail which attempts to persuade the lucky recipient that they have the chance to win £10 in return for completing a quick survey. The mail, titled “ΙD: 569369943” and claiming to be from “members support” / message@ notice-amazon(dot)com, reads as follows:
'As a valued customer we would like to present you with an opportunity to make a quick buck. We are offering £10 each to a selected number of customers in exchange for completing a quick survey relating to our service. Your opinions and thoughts are vital in order for us to provide the best possible service..'
> https://blog.malware...amznsignin0.jpg
... the link directed eager clickers from what looked to be a compromised home and gardens website (now offline) to:
amazon-update-account-awd547324897457(dot)tube-gif-converter(dot)com/Login(dot)php
... where the site asked for Amazon login credentials:
>> https://blog.malware...amznsignin1.jpg
After this, the next page requested full-payment-information including address, phone number, credit card details, sort code / bank-account-number and “security question” too. At time of writing, both the initial redirection site and the phishing page(s) are both down for the count. Of course, scammers will likely resurrect this fake Amazon £10 survey reward / swipe your banking information tactic elsewhere so it pays to have an idea what they’re up to at all times. At this point, we’d usually suggest looking out for the green padlock / verified identity advice typically given near the end of a “Don’t get phished” blog. However, HTTPS isn’t deployed across the entirety of Amazon – only the pages where it’s really needed, such as login / payment and so on. All the same, it’s good practice to check for a green padlock / identity information anytime you’re asked to login or submit potentially sensitive data. Follow these simple steps, and you’re probably going to be safe from this type of attack. As a final tip, be very wary around emails claiming you’ve been entered into surveys or competitions – and if you see well known brands sending you odd mails about “making a quick buck”, you may want to run the other way."

notice-amazon(dot)com: 172.99.89.200: https://www.virustot...00/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 04 February 2016 - 12:42 PM.

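Several of the write-ups quoted in this post and the one before it describe the same delivery trick: a .js or .exe inside a .zip, a script carrying a document-style double extension, or a doc.exe wearing a Word icon, all of which look like a DOC or PDF when Windows hides extensions for known file types. The following Python script is an added example, not code from this forum or from the blogs quoted; it applies a simple attachment-name policy to names taken from the posts and to a constructed in-memory ZIP (placeholder members only, no real script content). The extension lists and the verdict names ("allow", "review", "block") are assumptions of this example, not a published standard.

```python
import io
import zipfile

# Extension classes (assumed default policy for this example, not the posts' own lists).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".msi"}
DOC_EXT = {".doc", ".docm", ".dot", ".xls", ".xlsm", ".rtf", ".pdf"}
ARCHIVE_EXT = {".zip"}
KNOWN_EXT = SCRIPT_EXT | EXEC_EXT | DOC_EXT | ARCHIVE_EXT


def extensions(name):
    """All dotted suffixes, lower-cased: 'a.pdf.zip' -> ['.pdf', '.zip']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def displayed_name(name):
    """What a file manager that hides registered extensions would show the user."""
    exts = extensions(name)
    if exts and exts[-1] in KNOWN_EXT:
        return name[: -len(exts[-1])]
    return name


def assess_name(name):
    """Verdict for a single attachment name: 'allow', 'review' or 'block', with reasons."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    verdict, reasons = "allow", []
    if last in SCRIPT_EXT or last in EXEC_EXT:
        verdict = "block"
        reasons.append(f"executable content ({last}) attached directly")
    elif last in DOC_EXT:
        verdict = "review"
        reasons.append(f"document ({last}): open only in Protected View with macros disabled")
    elif last in ARCHIVE_EXT:
        verdict = "review"
        reasons.append("archive: inspect members before delivery")
    # Document-style name in front of a script/executable/archive suffix.
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in (SCRIPT_EXT | EXEC_EXT | ARCHIVE_EXT):
        reasons.append(f"double extension: shown as '{displayed_name(name)}' when extensions are hidden")
    return {"name": name, "verdict": verdict, "reasons": reasons}


def assess_archive(name, data):
    """Assess a ZIP attachment by its own name and by the names of its members."""
    result = assess_name(name)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
    for member in members:
        inner = assess_name(member)
        if inner["verdict"] == "block":
            result["verdict"] = "block"
        result["reasons"].extend(f"{member}: {r}" for r in inner["reasons"])
    result["members"] = members
    return result


def build_sample_zip(member_names):
    """Constructed test archive: placeholder members only, no real script content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Attachment names taken from the posts above, plus one double-extension name.
    for n in ["winner_81.doc", "1690_001.xls", "Swift Copy.doc", "doc.exe",
              "IN161561-201601.js", "invoice.doc.js"]:
        print(assess_name(n))
    zipped = build_sample_zip(["invoice_id6395788111.js"])
    print(assess_archive("Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip", zipped))
```

The name check is only the cheap first layer: it catches the .pdf.zip wrapper and the .js inside it, but the macro documents and the RTF-style exploit described above still land in "review", where the real controls are Protected View, macros disabled, and a patched Office.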