Fake 'Receipt of payment' SPAM - delivers Locky
22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt of payment' coming as usual from random companies, names and email addresses with a random numbered zip attachment containing a HTA file...
22 September 2016: (#721632093) Receipt.zip: Extracts to: A2LOCTI1203.hta - Current Virus total detections 7/54*
.. MALWR** is unable to analyse HTA files. Payload Security*** shows a download of an encrypted file from
ringspo .com/746t3fg3 which is transformed by the script to a working locky file. Unfortunately Payload security free version does not show us or allow download of the locky ransomware itself... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
Fake 'Package #..' SPAM - delivers Locky
22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Package #DH4946376' [random numbers] pretending to come from DHL but actually coming as usual from random email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: DHL Express <Murray.64@ yj .By>
Date: Thu 22/09/2016 12:03
Subject: Package #DH4946376
The package #DH4946376 you ordered has arrived today. There is some confusion in the address you provided.
Please review the address in the attached order form and confirm to us. We will deliver as soon as we receive your reply.
DHL Express Support
22 September 2016: 4023cd96fe5.zip: Extracts to: package dhl express ~0EAD6~.js - Current Virus total detections 6/55*
.. MALWR** shows a download of an encrypted file from:
http ://affordabledentaltours .com/g8xa1lt which is transformed by the script to UNDLiWCqgT.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
The latest strains of Locky were seen using DLLs and .HTA file attachments for distribution purposes. We surmise that malware authors abuse the .HTA file extension as it can bypass filters, given that it is not commonly known to be abused by cybercriminals:
Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat... One critical aspect of a ransomware attack is its delivery mechanism. Once ransomware-laced emails enter the network and execute on the system, they can encrypt important files..."
"The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
Rising Tides of SPAM
Sep 21, 2016 - "... According to CBL*, the last time spam volumes were this high was back in mid-2010:
... An internal graph generated by SpamCop which illustrates the overall size of the SpamCop Block List (SCBL) over the past year. Notice how the SCBL size hovers somewhere under 200K IP addresses pre-2016, and more recently averages closer to 400K IP addresses, spiking to over 450K IPs in August:
... We cannot predict the future and stop spam attacks before they start. Therefore, in any reasonably well-designed spam campaign there will always exist a very narrow window of time between when that spam campaign begins, and when anti-spam coverage is deployed to counter that campaign. In most anti-spam systems, this "window of opportunity" for spammers may be on the order of seconds or even minutes. Rather than make their email lists more targeted, or deploying snowshoe style techniques to decrease volume and stay under the radar, for these spammers it has become a race. They transmit as much email as cyberly possible, and for a short time they may successfully land malicious email into their victims' inboxes. For evidence of this, we need not look very far. Analyzing email telemetry data from the past week, we can readily see the influence of these high-volume spam campaigns:
... Conclusion: Email threats, like any other, constantly evolve. As we grow our techniques to detect and block threats, attackers are simultaneously working towards evading detection technology. Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be -critical- to an organization's survival. Restoration plans need to be regularly reviewed -and- tested to ensure no mistakes have been made and that items have not been overlooked. Lastly, reach out to your users and be sure they understand that strange attachments are -never- to be trusted!"
Edited by AplusWebMaster, 22 September 2016 - 08:46 AM.