SPAM frauds, fakes, and other MALWARE deliveries...

1841 replies to this topic

#1751 AplusWebMaster
  • SWI Friend
  • 10,562 posts

Posted 21 July 2016 - 04:22 PM

FYI...

'Authorize your Twitter account' - phishing scam
- https://blog.malware...-phishing-scam/
July 21, 2016 - "... a phish targeting people who desire Twitter verification. The fake site, located at
twitterverifiy(dot)verifiy(dot)ml
... poses as an app to be authorised, but is simply out to -steal- login credentials. Take note of the rather unique spelling of “verify” in the URL, too:
> https://blog.malware...itter-phish.jpg
After hitting the “Authorize app” button, the victim is redirected off to the real Twitter website. At this point, the scammers are free to do what they like with the stolen account. One assumes the scammers behind this one aren’t really paying attention to who they send their messages to (and the screenshot cuts off the username of the spam account, so we can’t see what else they’re up to). Suffice to say, if you have your Direct Messages open to all then potentially you could receive a missive such as the one above. Verification has a specific process attached to it, and although it’s currently changing, you definitely won’t get a blue tick next to your Username by giving permission to phish pages posing as non-existent apps. No matter who you are, no matter how involved in issues of privacy and / or security you may be, there’s always the possibility you could get caught out by a clever scam. Keep your wits about you, and steer clear of “too good to be true” offers..."
 



.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1752 AplusWebMaster

Posted 22 July 2016 - 10:16 AM

FYI...

Fake 'sorry' SPAM - malicious attachment
- http://blog.dynamoo....rry-that-i.html
22 July 2016 - "This spam has a malicious attachment:
    From: "Lizzie Carpenter"
    Subject: sales report
    Date: Fri, 22 Jul 2016 21:38:25 +0800
    I am truly sorry that I was not available at the time you called me yesterday.
    I attached the report with details on sales figures.
    Best of luck,
    Lizzie Carpenter
    SCHRODER GLOBAL REAL ESTATE SEC LTD ...


The sender is randomly generated. Attached is a ZIP file combining elements of the recipient's email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report". In a change from recent malware runs, the script does -not- directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script. This executable has a detection rate of 4/54* and trusted analysis says that it is Locky ransomware, phoning home to:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
* https://virustotal.c...sis/1469197692/
___

Fake 'Fedex label' SPAM - .docm leads to Locky
- https://myonlinesecu...cky-ransomware/
22 July 2016 - "An email with the subject of 'PO5' pretending to come from Mary Leons <mary.leons@ airmenzies .com> with a malicious word doc attachment which downloads Locky ransomware... The email looks like:
From: Mary Leons <mary.leons@ airmenzies .com>
Date: Fri 22/07/2016 10:04
Subject: PO5
Attachment: 906569711935.docm
    Hi
    Please see Fedex label as attached
    Kindest Regards
    Mary Leons
    Customer Service Supervisor | Air Menzies International ...


22 July 2016: 906569711935.docm - Current Virus total detections 10/55*
.. MALWR** shows a download from http ://dillerator.chat .ru/09yhbvt4 (VirusTotal 6/53***).
Other download locations for today’s Locky version include [duplicates removed]:

 

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1469178299/

** https://malwr.com/an...DdjODViYmNiOGU/
Hosts
195.161.119.85

*** https://www.virustot...sis/1469188310/
 
dillerator.chat .ru: 195.161.119.85: https://www.virustot...85/information/
>> https://www.virustot...6bb6c/analysis/
___

Fake 'Invoice/Credit/Statement' SPAM - leads to Locky
- https://myonlinesecu...leads-to-locky/
22 July 2016 - "... an email with the subject of 'VP Invoice/Credit/Statement – H10040' pretending to come from Prism Server Account <accounts@ vpplc .com> with a malicious word doc attachment which downloads Locky ransomware...
The email looks like:
From: Prism Server Account <accounts@ vpplc .com>
Date: Fri 22/07/2016 10:27
Subject: VP Invoice/Credit/Statement – H10040
Attachment: INVOICE.DOCM
    Please find document(s) attached.
    The attached file(s) are in Adobe PDF format. Use Adobe Acrobat Reader or equivalent to view the file(s)...


This attachment downloads the same Locky ransomware as described in this post* from the same locations... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://myonlinesecu...cky-ransomware/

___

HelpDesk Upgrade Outlook Web - PHISH
- https://myonlinesecu...b-app-phishing/
22 July 2016 - "... many small companies and even ISPs do outsource IT support and email to 3rd parties and an end user never really is sure who the email provider actually is... slightly more believable than many others and it is quite easy to fall for it...

Screenshot: https://myonlinesecu...il-1024x676.png

The -link- in the email goes to:
  http ://xprs.imcreator .com/free/icthelpdesk/password
... which looks like this:
> https://myonlinesecu...te-1024x535.png "

imcreator .com: 97.74.141.1: https://www.virustot....1/information/
 



Edited by AplusWebMaster, 22 July 2016 - 12:43 PM.

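The 'sorry' run above is notable because the .wsf script carries the whole executable as Base64 text rather than downloading it. As an added example (not code from the post or from the dynamoo blog it quotes), this Python triage helper looks for long Base64 runs in a script, rejoins blobs that were split across concatenated string literals, and reports any run that decodes to a PE image; the sample .wsf text and its fake MZ/PE payload are constructed here and are not a real executable.

```python
import base64
import binascii
import re
import struct

# A PE embedded in a dropper is tens of kilobytes of Base64; a long minimum run
# keeps ordinary string literals out of the candidate set.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Droppers often split a blob across concatenated literals: "...." + "...."
CONCAT = re.compile(r'"\s*\+\s*"')


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(script_text: str):
    """Return (offset, decoded_length) for every Base64 run that decodes to a PE.

    Offsets are relative to the text after string-concatenation joins.
    """
    joined = CONCAT.sub("", script_text)
    hits = []
    for m in B64_RUN.finditer(joined):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (wrong length or padding); skip it
        if looks_like_pe(data):
            hits.append((m.start(), len(data)))
    return hits


# --- constructed samples (not real malware) ------------------------------
def fake_pe() -> bytes:
    """Minimal stand-in for a PE image: MZ header, e_lfanew, 'PE\\0\\0', filler."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset of "PE\0\0"
    return bytes(hdr) + b"PE\0\0" + b"\0" * 260


FAKE_PE = fake_pe()
BLOB = base64.b64encode(FAKE_PE).decode()

# Script carrying the payload in a single literal (constructed, modelled on the
# "sales report" .wsf described in the post).
SAMPLE_WSF = (
    '<job id="sales report"><script language="JScript">\n'
    'var payload = "' + BLOB + '";\n'
    "</script></job>\n"
)
# The same payload split into 60-character literals joined with +.
SPLIT_WSF = (
    '<job><script language="JScript">\nvar payload = '
    + " + ".join('"%s"' % BLOB[i:i + 60] for i in range(0, len(BLOB), 60))
    + ";\n</script></job>\n"
)
# A long Base64 string that is not a PE (e.g. an inline image) must not fire.
BENIGN_JS = 'var icon = "' + base64.b64encode(b"x" * 300).decode() + '";\n'


if __name__ == "__main__":
    for name, text in (("single", SAMPLE_WSF), ("split", SPLIT_WSF), ("benign", BENIGN_JS)):
        print(name, find_embedded_pe(text))
```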


#1753 AplusWebMaster

Posted 25 July 2016 - 08:00 AM

FYI...

Fake 'Emailing: Photo - Document' SPAM - malicious attachment
- http://blog.dynamoo....25-07-2016.html
25 July 2016 - "This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
    From:    Rebeca [Rebeca3@ victimdomain .tld]
    Date:    25 July 2016 at 10:16
    Subject:    Emailing: Photo 25-07-2016, 34 80 10
    Your message is ready to be sent with the following file or link
    attachments:
    Photo 25-07-2016, 34 80 10 ...


Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".
An alternative -variant- comes with a malicious -Word- document:
    From:    Alan [Alan306@ victimdomain .tld]
    Date:    25 July 2016 at 12:40
    Subject:    Emailing: Document 25-07-2016, 72 35 48
    Your message is ready to be sent with the following file or link
    attachments:
    Document 25-07-2016, 72 35 48 ...


The attachment in this case is a .DOCM file named in a similar way as before. This analysis is done by my usual trusted source (thank you). These scripts and macros download a component... The payload here is Locky ransomware, and it phones home to the following addresses:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
"

 



Edited by AplusWebMaster, 25 July 2016 - 08:16 AM.



#1754 AplusWebMaster

Posted 26 July 2016 - 06:51 AM

FYI...

Fake 'Attached Image' SPAM - leads to Locky
- http://blog.dynamoo....e-leads-to.html
26 July 2016 - "This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.
    From:    victim@ victimdomain .tld
    To:    victim@ victimdomain .tld
    Date:    26 July 2016 at 10:27
    Subject:    Attached Image ...


Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number... In this example* the script downloads a malicious binary from:
www .isleofwightcomputerrepairs .talktalk .net/okp987g7v
There will be -many- other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54**. The Hybrid Analysis*** for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216
"
* https://malwr.com/an...WY0ZmFhZjEzZWY/
Hosts
62.24.202.31

** https://virustotal.c...daf25/analysis/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.234.35.216
31.41.47.41


- https://myonlinesecu...-email-address/
26 July 2016 - "An email with the subject of 'Attached Image' pretending to come from your own email address with a zip attachment which downloads Locky Ransomware... One of the emails looks like:
From: your own email address
Date: Tue 26/07/2016 10:22
Subject: Attached Image
Attachment: 0324923_02.zip ...


26 July 2016: 0324923_02.zip: Extracts to: 753707_02.js - Current Virus total detections 8/54*
.. MALWR** shows a download of xxxx from
 http ://exploromania4x4club .ro/okp987g7v?tKLWyjuj=PrkWVPasbrS which gave me lnHLopubGiz.exe (VirusTotal 5/54***).
Hybrid Analysis[4]. This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1469524580/

** https://malwr.com/an...DdkMTNhNGY2OWM/
Hosts
89.42.216.118
*** https://www.virustot...sis/1469524971/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.42.216.118: https://www.virustot...18/information/
>> https://www.virustot...ac66e/analysis/
31.41.47.41: https://www.virustot...41/information/
91.234.35.216: https://www.virustot...16/information/
___

Fake 'list of activities' SPAM - leads to Locky
- http://blog.dynamoo....ties-leads.html
26 July 2016 - "This -fake- business spam has a malicious attachment:
    From     "Penelope Phelps"
    Date     Tue, 26 Jul 2016 23:02:43 +1100
    Subject     list of activities
    Hello,
    Attached is the list of activities to help you arrange for the coming presentation.
    Please read it carefully and write to me if you have any concern.
    Warm regards,
    Penelope Phelps
    ALLIED MINDS LTD
    Security-ID ...


The sender's name, company and 'Security-ID' vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script... This Malwr report* and this Hybrid Analysis** show this particular sample downloading from:
akva-sarat.nichost .ru/bokkdolx
There will be -many- other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55***. Further analysis is pending, however it is quite likely that this sample uses the -same- C2 servers as seen earlier today[4]."
* https://malwr.com/an...TdiYzRjMmY0NjQ/
Hosts
195.208.0.150

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.208.0.150: https://www.virustot...50/information/
>> https://www.virustot...0300d/analysis/

*** https://virustotal.c...429e2/analysis/

4] http://blog.dynamoo....e-leads-to.html
___

Ransomware 2.0 ...
- http://www.techrepub...the-enterprise/
July 26, 2016 - ... profits from ransomware are making it one of the fastest growing types of malware and new versions could negatively impact entire industries, according to a Cisco report
"... Cisco used data from its customers to create the report, since there are more than 16 billion web requests that go through the Cisco system daily, with nearly 20 billion threats blocked -daily- and with more than 1.5 million unique malware samples daily, which works out to 17 new pieces of malware every second..."
 



Edited by AplusWebMaster, 26 July 2016 - 02:14 PM.



#1755 AplusWebMaster

Posted 27 July 2016 - 05:33 AM

FYI...

Fake 'Sent from my Samsung' SPAM - leads to Locky
- http://blog.dynamoo....samsung_27.html
27 July 2016 - "This spam comes in a few different variations:
    From:    Lottie
    Date:    27 July 2016 at 10:38
    Subject:    scan0000510
    Sent from my Samsung device


The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component... The dropped file is Locky ransomware and it has a detection rate of 2/52*. It phones home to the following locations:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
(Thank you to my usual source for this data) There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.
Recommended blocklist:
5.9.253.160/27
178.62.232.244
"
* https://www.virustot...7dfda/analysis/

___

Fake 'updated details' SPAM - malicious attachment
- http://blog.dynamoo....is-updated.html
27 July 2016 - "This spam has a malicious attachment:
    Subject:     updated details
    From:     Faith Davidson (Davidson.43198@ optimaestate .com)
    Date:     Wednesday, 27 July 2016, 11:13
    Attached is the updated details about the company account you needed
    King regards
    Faith Davidson ...


The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample* shows the script downloading from:
beauty-jasmine .ru/6dc2y
There will be -many- more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55**. Analysis of this payload is pending, however the C2 servers may well be the same as found here***."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.208.1.120: https://www.virustot...20/information/
>> https://www.virustot...0ed8c/analysis/

** https://virustotal.c...a5de3/analysis/

*** http://blog.dynamoo....samsung_27.html
 



Edited by AplusWebMaster, 27 July 2016 - 02:46 PM.



#1756 AplusWebMaster

Posted 28 July 2016 - 05:58 AM

FYI...

Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo....k-attached.html
28 July 2016 - "This -fake- financial spam leads to malware:
    Subject:     Invoice
    From:     Kendall Harrison (Harrison.59349@ chazsmedley .com)
    Date:     Thursday, 28 July 2016, 10:33
    Hello,
    Please check the attached invoice and confirm me if I sent the right data
    Yours sincerely,
    Kendall Harrison
    320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3


The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted". The Malwr analysis* for the partially deobfuscated script and this Hybrid Analysis** show this particular sample downloading from:
83.235.64.44/~typecent/xvsb58
This drops a malicious Locky ransomware binary with a detection rate of 7/55***. Analysis of this binary is pending.
UPDATE: Thank you to my usual source for this analysis... C2 locations:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)
Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0
"
* https://malwr.com/an...mM5Y2Q3NGQwNmM/
Hosts
83.235.64.44

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.235.64.44: https://www.virustot...44/information/
>> https://www.virustot...fe541/analysis/

*** https://virustotal.c...23f9e/analysis/
___

Fake 'Self Billing Statement' SPAM - leads to Locky
- http://blog.dynamoo....-statement.html
28 July 2016 - "This -fake- financial spam comes with a malicious attachment:
    From     Kathryn Smith [kathryn@ powersolutions .com]
    Date     Thu, 28 Jul 2016 16:21:41 +0530
    Subject     Self Billing Statement


I do not know if there is any body text at present. Attached is a file with a name similar to 'Self Billing Statement_431.zip' which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js).
Analysis by a trusted party shows that these scripts download a component...
This originally dropped this payload*, since updated to this payload**, both of which are Locky ransomware.
The C2 servers to -block- are exactly the -same- as found in this earlier spam run***."
* https://www.virustot...95000/analysis/

** https://www.virustot...1f36d/analysis/

*** http://blog.dynamoo....k-attached.html
 



Edited by AplusWebMaster, 28 July 2016 - 07:48 AM.



#1757 AplusWebMaster

Posted 29 July 2016 - 06:25 AM

FYI...

Fake 'Bank account record' SPAM - leads to Locky
- http://blog.dynamoo....cord-leads.html
29 July 2016 - "This -fake- financial spam leads to malware:
    Subject:     Bank account record
    From:     Stephen Ford (Ford.24850@ aworkofartcontracting .com)
    Date:     Friday, 29 July 2016, 10:56
    Good morning,
    Did you forget to finish the Bank account record?
    Read the attachment and let me know if there is anything I didn't make clear.
    Yours sincerely,
    Stephen Ford
    57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe


The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attached is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record"...

According to the Hybrid Analysis* on that script and Malwr report** on a partly deobfuscated version the script downloads a binary from:
oleanderhome .com/q59ldt5r
This dropped binary has a detection rate of 5/55*** and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2]. There is also traffic to kassa.p0 .ru which is more of a puzzle and doesn't look particularly malicious****. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs. If I get more information on this I will post it here."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.216.243.102
107.180.50.233


** https://malwr.com/an...DY4MzFlMTJhNGE/
Hosts
195.216.243.102: https://www.virustot...02/information/
107.180.50.233: https://www.virustot...33/information/
>> https://www.virustot...c0e6e/analysis/

*** https://virustotal.c...b0c13/analysis/

**** https://urlquery.net...d=1469786112022

1] https://www.hybrid-a...vironmentId=100

2] https://malwr.com/an...zVmOTE5MjZjMzA/

UPDATE: My trusted source (thank you) gives the following... C2 servers are the same as found here*.
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
"
* http://blog.dynamoo....-anonymous.html
29 July 2016
___

Fake 'Voicemail' SPAM - leads to Locky
- http://blog.dynamoo....-anonymous.html
29 July 2016 - "This -fake- voicemail spam has a malicious attachment:
    From     SureVoIP [voicemailandfax@ surevoip .co.uk]
    Date     Fri, 29 Jul 2016 17:47:41 +0700
    Subject     Voicemail from Anonymous <Anonymous> 00:02:15
    Message From "Anonymous" Anonymous
    Created: Fri, 29 Jul 2016 19:45:15 +0900
    Duration: 00:02:37
    Account: victimdomain .tld


The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf...
The downloaded binary is Locky ransomware, phoning home to:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
"

___

Recent Activity - RIG Exploit Kit
- https://atlas.arbor....index#233459834
July 28, 2016 - "... Analysis: In the wake of the disappearance of the previously successful Angler exploit kit and Nuclear Exploit Kit, cybercrime continues through other kits such as Neutrino, RIG, Sundown and others although campaign activity as recently as June has been lower volume compared to the time period when Angler and Nuclear were active... It is likely that this exploit kit traffic will increase over time, as prior users of other exploit kits migrate."
> https://blog.malware...-kit-campaigns/
 



Edited by AplusWebMaster, 30 July 2016 - 08:47 AM.



#1758 AplusWebMaster

Posted 01 August 2016 - 08:28 AM

FYI...

Fake 'Corrected report' SPAM - leads to Locky
- http://blog.dynamoo....w-attached.html
1 Aug 2016 - "This spam comes with a malicious attachment:
    Subject:     Corrected report
    From:     Joey Cox (Cox.48@ sodetel .net.lb)
    Date:     Monday, 1 August 2016, 13:37
    Dear webmaster,
    Please review the attached corrected annual report.
    Yours faithfully
    Joey Cox


The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware (MANY locations listed)...
The dropped binary then attempts to phone home to:
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
The host for that last one comes up over and over again, it's time to -block- that /22..
Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22
"

___

Google featured snippets abused by SEO scammers
- https://blog.malware...y-seo-scammers/
Aug 1, 2016 - "... online crooks are abusing Google’s featured snippets via compromised websites that -redirect- to -bogus- online stores. A featured snippet is triggered when a user types in a question via a standard search. Google will display a block with a summary of the answer and a link to the site, on top of the regular search results. Because of this prominent placement, Blackhat SEO miscreants are extremely interested in featured snippets as they can capture a large amount of traffic and redirect it to any site of their choosing. In this particular case, a hacked Hungarian sports site (which has nothing to do with software or license keys) is used to game Google’s algorithm which programmatically determines that a page contains a likely answer to the user’s question. People who click on the link will be -redirected- to cheapmicrosoftkey[.]com, a site that offers various license keys for Microsoft products at ‘discounted’ prices. Buying from such dubious online shops is -never- a good idea as you might actually purchase stolen merchandise, or worse, get completely scammed:
> https://blog.malware...low_snippet.png
... In an added twist, if you visited the Hungarian website directly, you would be -redirected- to the Neutrino exploit kit and get infected with the CrypMIC ransomware. This is a good example of the multiple ways criminals can monetize a -hacked- site. It is quite likely in this case that the site was hacked several different times in unrelated automated attacks, perhaps even via the same vulnerability... As an end user, beware of online deals that sound too good to be true. This example is particularly tricky as people would be inclined to trust their search engine for showing them the answer to their question. We have reported this particular abuse to the Google team."
IOC:
IP: 185.139.238.210: https://www.virustot...10/information/

cheapmicrosoftkey[.]com: 185.139.238.210
 



Edited by AplusWebMaster, 02 August 2016 - 06:14 AM.

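Nearly every Locky run in the posts above checks in to the same path, /upload/_dispatch.php, and the dynamoo notes recommend blocking whole ranges (91.219.28.0/22, 5.9.253.160/27) as well as single addresses. As an added example (not code from the forum post or from the quoted blogs), this Python scans proxy log lines for that check-in path and for destinations inside the blocklisted addresses and ranges quoted in the posts; the log format, the client addresses and the log lines themselves are constructed here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Blocklist built from C2 entries and ranges quoted in the posts above; bare
# IPs become /32 networks so one containment test covers both kinds.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "178.62.232.244", "91.195.12.143", "91.230.211.139",
    "37.139.30.95", "91.219.28.0/22", "5.9.253.160/27",
)]
# The check-in path reported for the Locky payloads in this run.
C2_PATH = "/upload/_dispatch.php"

# Assumed proxy log format: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)

# Constructed sample; 203.0.113.7 is documentation space, not a real C2.
SAMPLE_LOG = """\
2016-07-29T10:57:03 10.0.0.15 POST http://178.62.232.244/upload/_dispatch.php 200
2016-07-29T10:57:09 10.0.0.15 POST http://91.219.29.48/upload/_dispatch.php 200
2016-07-29T11:02:44 10.0.0.22 GET http://www.example.com/index.html 200
2016-07-29T11:05:10 10.0.0.31 POST http://203.0.113.7/upload/_dispatch.php 404
2016-07-29T11:06:00 10.0.0.15 GET http://5.9.253.170/favicon.ico 200
malformed line that the parser must skip
"""


def blocklisted(host: str) -> bool:
    """True when host is a literal IP inside any blocklist network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an IP literal; this list is IP-only
    return any(addr in net for net in BLOCKLIST)


def classify(line: str):
    """Return a dict saying why a log line is suspicious, or None if it is not."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    reasons = []
    if url.hostname and blocklisted(url.hostname):
        reasons.append("blocklisted-ip")
    # The 91.219.29.48 line shows why the /22 matters: it is not listed as a
    # single address but falls inside the range and uses the C2 path.
    if url.path == C2_PATH and m["method"] == "POST":
        reasons.append("locky-c2-path")
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": url.hostname, "reasons": reasons}


def scan_log(text: str):
    """All suspicious lines, in log order."""
    return [hit for hit in (classify(line) for line in text.splitlines()) if hit]


def clients_to_isolate(text: str):
    """Internal clients that posted to the C2 path, ordered by first sighting."""
    seen = []
    for hit in scan_log(text):
        if "locky-c2-path" in hit["reasons"] and hit["client"] not in seen:
            seen.append(hit["client"])
    return seen


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("isolate:", clients_to_isolate(SAMPLE_LOG))
```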


#1759 AplusWebMaster

Posted 02 August 2016 - 07:38 AM

FYI...

Fake 'Paid bills' SPAM - leads to Locky
- http://blog.dynamoo....ached-last.html
2 Aug 2016 - "This -fake- financial spam has a malicious attachment:
    From:    Nathanial Lane
    Date:    2 August 2016 at 12:05
    Subject:    Paid bills
    Hello [redacted],
    Please see the attached last month’s paid bills for the company
    Best regards
    Nathanial Lane


The name of the sender varies. It appears that these are being sent out in very-high-volumes. Attached to the email message is a randomly-named ZIP file which contains a malicious .js script beginning with "sales charts".
Thank you to my usual source for this analysis: the script downloads... (from MANY locations)...
The payload is Locky ransomware, phoning home to:
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy .ru]
93.170.128.249/upload/_dispatch.php (Krek Ltd, Russia)
Recommended blocklist:
37.139.30.95
93.170.128.249
"

___

Fake 'Unable to deliver' SPAM - leads to ransomware
- http://blog.dynamoo....liver-your.html
2 Aug 2016 - "This -fake- FedEx email has a malicious attachment.
    From:    FedEx International Ground [terry.mcnamara@ luxmap .com]
    Date:    2 August 2016 at 18:53
    Subject:    [REDACTED], Unable to deliver your item, #000179376
    Dear [Redacted],
    This is to confirm that one or more of your parcels has been shipped.
    Please, open email attachment to print shipment label.
    Thanks and best regards,
    Terry Mcnamara,
    Support Manager.


Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis* on the sample shows that the script downloads -ransomware- from opros.mskobr .ru but a quick examination of the code reveals several download locations:
opros.mskobr .ru
alacahukuk .com
www .ortoservis .ru
aksoypansiyon .com
samurkasgrup .com
Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:
195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)
A couple of binaries are dropped onto the system, a.exe (detection rate 2/53)** [may not be malicious] and a2.exe (detection rate 7/53)***.
The payload seems to be Nemucod/Crypted or some related ransomware.
Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.208.64.20

** https://www.virustot...sis/1470163333/

*** https://www.virustot...sis/1470163336/
___

Tech Support Scams - two for one ...
- https://blog.malware...e-price-of-one/
Aug 2, 2016 - "... Running an executable file posing as an installer for “VMC Media Player”, we were greeted by these prompts telling us we were going to be logged off:
> https://blog.malware.../warning1-1.png
..
> https://blog.malware...07/warning3.png
— and this site opening in our default browser:
> https://blog.malware.../warning2-1.png
Since yolasite .com offers users the option to track visitors to their sub-domain, we suspect this site to be built to keep track of the people that installed the “software”. We have reported this site to Yola and are awaiting a reply. This sequence of events is programmed in a simple batch file that opens the site and commands the computer to shut down in 5 minutes... Once the victims log back on, they will be confronted with this -fake- BSOD screen:
> https://blog.malware...6/07/main-2.png
The screen’s text rambles a lot about errors and Trojans and displays the phone-number they would like you to call. It also shows a seemingly unrelated prompt to “get the product key”, which we will discuss later on, and a button labeled “Microsoft Help” that opens the site www[dot]microsoft[dot]aios[dot]us:
> https://blog.malware...016/07/site.png
Here you can download remote administration tools to get ”support” for a great variety of products. We have seen complaints about the people running this site and its predecessors for at least two years. The site shows a prompt that is a bit unclear about your options:
> https://blog.malware.../07/choices.png
The listed options are YES to “Start Support Session” or NO to “Browse Support Site”, but the buttons are labeled OK and Cancel. I tested for you, and Cancel gets rid of the pop-up. And if you allow more pop-ups and click OK a few times, you will eventually get the option to download the legitimate remote administration tool TeamViewer.
And the second Tech Support Scam? Ah yes, let’s circle back to the prompt that promised us a product key:
> https://blog.malware.../getthenext.png
Click OK on that one, and you will see a download prompt for a file called license_key.exe:
> https://blog.malware...loadfromrun.png
This file has been reported to Mediafire. If you run this file, you may get some déjà vu feelings as you will see the “Thank you” prompt to notify that you will be logged off and visit another Yola site, this time it’s thankyou1234[dot]yolasite[dot]com using the URL shortener lnk.direct. Statistics of the URL shortener showed it was created 06/29/2016 and had 1143 visitors over the past month... The relatively good news about this repetition is that it will get rid of the fake BSOD for you because it alters the Winlogon Shell registry value yet again, only to replace it with -another- Tech Support Scammers -lock-screen- however. This time one that looks a lot like some of the earlier ones. A phone number and a form requesting “a product key”:
> https://blog.malware...6/07/main-3.png
Only this time it looks like you are completely -stuck- without any option. The part of the form that you would expect to fill out and the “Cancel” button are both unresponsive, so most people will end up having to use Ctrl-Alt-Del to get out of this. The name of the running processes for both rounds is fatalerror(.exe). We have dubbed the second one “Product Key” as that is the name of the folder it creates in Program Files (x86). But for the benefit of the Tech Support Scammers there is an “Easter egg” hidden in this screen. If you click -anywhere- in the 5th line (the one starting with the words “PRODUCT KEY”) you will go to this screen:
> https://blog.malware...heretheyare.png
... Summary: In what must be an attempt to drive victims crazy enough to call one of their numbers, Tech Support Scammers replace one logon lock-screen with another... save yourself the hassle and get protected."

yolasite[dot]com: 2400:cb00:2048:1::6810:69f9
2400:cb00:2048:1::6810:68f9
2400:cb00:2048:1::6810:67f9
2400:cb00:2048:1::6810:6af9
2400:cb00:2048:1::6810:6bf9

104.16.105.249: https://www.virustot...49/information/
104.16.106.249: https://www.virustot...49/information/
104.16.103.249: https://www.virustot...49/information/
104.16.107.249: https://www.virustot...49/information/
104.16.104.249: https://www.virustot...49/information/

aios[dot]us: 107.180.21.20: https://www.virustot...20/information/
>> https://www.virustot...a8b79/analysis/
 



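The lock-screen swap described in the Malwarebytes post above works by pointing the Winlogon "Shell" value at the scammer's binary instead of explorer.exe, so the fake BSOD comes up at logon. As an added example (not code from the post or from this forum), the Python below parses a `.reg` export of the Winlogon key and flags any Shell value that is not the default, checking both the machine-wide (HKLM) and the per-user (HKCU) key since a per-user value overrides the machine one. The export text is constructed for the demo; the `fatalerror.exe` path in it is modelled on the post's description of a "Product Key" folder under Program Files (x86) and is an assumption, not a recorded value.

```python
# Added example: flag a hijacked Winlogon Shell value in a .reg export.
# On the suspect machine the export would come from
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
# The export text below is a constructed sample, not a capture from an infected host.
import re

DEFAULT_SHELL = "explorer.exe"
WINLOGON_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=<data>; names and string data use .reg escaping (backslash-backslash, backslash-quote)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # Undo .reg string escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key path (lower-cased): {value name: data}}.
    String data is unescaped; hex:/dword: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][_unescape(m.group(1))] = data
    return keys


def check_winlogon_shell(keys):
    """Return (key, shell value) for every Winlogon Shell that is not explorer.exe.
    A per-user (HKCU) Shell overrides the machine-wide one, so both are checked."""
    findings = []
    for key in WINLOGON_KEYS:
        shell = keys.get(key.lower(), {}).get("Shell")
        if shell is not None and shell.strip().lower() != DEFAULT_SHELL:
            findings.append((key, shell))
    return findings


# Constructed sample. The path is an assumption modelled on the post's description
# (a "Product Key" folder in Program Files (x86), process name fatalerror.exe).
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Program Files (x86)\\Product Key\\fatalerror.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    for label, export in (("hijacked", HIJACKED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, check_winlogon_shell(parse_reg_export(export)))
```

Restoring the value to `explorer.exe` (and removing a stray HKCU Shell) gets the normal desktop back; the dropped binary still needs to be removed separately, since the post notes the second stage simply rewrites the same value again.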
#1760 AplusWebMaster

Posted 03 August 2016 - 04:43 AM

FYI...

Fake 'project status report' SPAM - leads to Locky
- http://blog.dynamoo....ect-status.html
3 Aug 2016 - "This spam leads to Locky ransomware:
    From:    Keri Jarvis [Jarvis.64030@ bac.globalnet .co.uk]
    Date:    2 August 2016 at 22:13
    Subject:    report
    Hi,
    I attached the project status report in order to update you about the last meeting
    Best regards,
    Keri Jarvis


Attached is a randomly named ZIP file containing a malicious .js script beginning with the word "report". This downloads an evil binary... (MANY locations listed)...
(Thank you to my usual source for this data). The malware phones home to:
37.139.30.95/php/upload.php (Digital Ocean, Netherlands) [hostname: belyi.myeasy .ru]
93.170.128.249/php/upload.php (Krek Ltd, Russia)
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm .in]
Recommended blocklist:
37.139.30.95
93.170.128.249
93.170.104.20
"

37.139.30.95: https://www.virustot...95/information/
>> https://www.virustot...210fa/analysis/
93.170.128.249: https://www.virustot...49/information/
>> https://www.virustot...1a6b6/analysis/
93.170.104.20: https://www.virustot...20/information/
>> https://www.virustot...6537f/analysis/
___

Fake 'New invoices' SPAM - leads to Locky
- http://blog.dynamoo....ted-i-send.html
3 Aug 2016 - "Another day, another Locky ransomware run:
    From:    Marian Mcgowan
    Date:    3 August 2016 at 11:15
    Subject:    Fw: New invoices
    As you directed, I send the attachment containing the data about the new invoices


Attached is a randomly-named ZIP file which contains a highly obfuscated .js script which according to this Malwr analysis downloads a binary from..
blog-aida .cba .pl/2zensi7t
..when decrypted it creates a binary with a detection rate of 4/54*. That same Malwr analysis shows it phoning home to:
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm .in]
This IP was seen last night** and it seems that there is a concurrent Locky spam run phoning home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv .com]
Both those IPs are in known-bad-blocks.
Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24
"
* https://virustotal.c...sis/1470220208/

** http://blog.dynamoo....ect-status.html

93.170.104.20: https://www.virustot...65/information/
>> https://www.virustot...6537f/analysis/

185.129.148.19: https://www.virustot...19/information/
89.108.127.160: https://www.virustot...60/information/
___

Fake 'Confirmation letter' SPAM - leads to Locky
- http://blog.dynamoo....tter-leads.html
3 Aug 2016 - "Another -spam- run leading to Locky ransomware..
    From:    Mavis Howe [Howe.4267@ croestate .com]
    Date:    3 August 2016 at 13:32
    Subject:    Confirmation letter
    Hi [redacted],
    I attached the employment confirmation letter I prepared.
    Please check it before you send it out.
    Best regards
    Mavis Howe


The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here*."
* http://blog.dynamoo....ted-i-send.html
 



#1761 AplusWebMaster

Posted 04 August 2016 - 05:32 AM

FYI...

Fake 'business card' SPAM - leads to Locky
- http://blog.dynamoo....ard-i-have.html
4 Aug 2016 - "This spam email has a malicious attachment:
    From:    Glenna Johnson
    Date:    4 August 2016 at 10:18
    Subject:    Business card
    Hello [redacted],
    I have attached the new business card design.
    Please let me know if you need a change
    King regards,
    Glenna Johnson
    c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7


Sender names and that long hexadecimal number will vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card"... The payload appears to be Locky ransomware. This Hybrid Analysis* of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:
escapegasmech .com/048220y5
goldjinoz .com/0a3tg
platimunjinoz .ws/13fo8lnl
regeneratewert .ws/1qvvu9lu
traveltotre .in/2c4ykij7
This drops a binary with a detection rate of 8/54**. The earlier Hybrid Analysis report shows it phoning home to:
31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost .ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers .com]
All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.
Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22
"
* https://www.hybrid-a...vironmentId=100

** https://virustotal.c...sis/1470304914/
___

Fake 'Sheet/Document/Invoice' SPAM - .docm leads to Locky
- http://blog.dynamoo....t-document.html
4 Aug 2016 - "This malware-laden spam comes with a variety of subjects, for example:
Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf

There is -no- body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component... (Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here*."
* http://blog.dynamoo....ard-i-have.html
___

Fake 'Please sign' SPAM - leads to Locky
- http://blog.dynamoo....gn-receipt.html
4 Aug 2016 - "Yet another Locky campaign today..
    From:    Erica Hutchinson
    Date:    4 August 2016 at 12:34
    Subject:    please sign
    Dear [redacted]
    Please sign the receipt attached for the arrival of new office facilities.
    Best regards,
    Erica Hutchinson


This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run*."
* http://blog.dynamoo....ard-i-have.html
 


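The Locky posts quoted above all give the same two kinds of indicator: a blocklist mixing bare IPs with whole CIDR blocks (31.41.40.0/21, 185.129.148.0/24, 91.219.28.0/22) and a check-in URI the malware POSTs to (/php/upload.php, and /upload/_dispatch.php in the earlier run). As an added example that is not code from Dynamoo or from this forum, the Python below normalises that blocklist into network objects and runs constructed proxy-log lines against it; it also flags a POST to a known check-in path on an address that is not yet listed, which is how a fresh C2 on a known path would surface. The log format and traffic are constructed for the demo.

```python
# Added example: match proxy logs against the Locky indicators quoted above.
# The IPs/CIDRs and check-in paths come from the Dynamoo posts; the log
# lines and their format are constructed for the demo, not captured traffic.
import ipaddress
import re
from urllib.parse import urlsplit

# "Recommended blocklist" entries from the posts above (bare IPs and CIDRs).
BLOCKLIST = [
    "37.139.30.95",
    "93.170.128.249",
    "93.170.104.20",
    "31.41.40.0/21",
    "185.129.148.0/24",
    "91.219.28.0/22",
]
# Check-in URIs the same posts report Locky phoning home to.
C2_PATHS = {"/php/upload.php", "/upload/_dispatch.php"}

# Constructed log format: <timestamp> <client> <method> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def compile_blocklist(entries):
    """Normalise bare IPs and CIDR blocks into ip_network objects
    (a bare IP becomes a /32) so every entry is matched the same way."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_blocked(ip, networks):
    """True if ip falls inside any listed address or block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def scan_log(lines, networks):
    """Return (client, url, reasons) for every line that touches a listed
    address or matches the Locky check-in pattern (POST to a C2 path)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        parts = urlsplit(url)
        reasons = []
        try:
            if parts.hostname and ip_blocked(parts.hostname, networks):
                reasons.append("blocklisted ip")
        except ValueError:
            pass  # host is a name, not an IP literal; DNS is not consulted here
        if m.group("method") == "POST" and parts.path in C2_PATHS:
            reasons.append("locky check-in path")
        if reasons:
            hits.append((m.group("client"), url, reasons))
    return hits


# Constructed sample traffic. 31.41.46.29 sits inside 31.41.40.0/21;
# 93.170.200.1 is near two listed /32s but not inside any listed block.
SAMPLE_LOG = [
    "2016-08-04T10:31:02Z 10.1.2.33 GET http://www.example.com/index.html",
    "2016-08-04T10:31:09Z 10.1.2.33 POST http://185.129.148.19/php/upload.php",
    "2016-08-04T10:31:10Z 10.1.2.33 POST http://31.41.46.29/php/upload.php",
    "2016-08-04T10:32:41Z 10.1.2.57 GET http://93.170.200.1/",
    "2016-08-04T10:33:00Z 10.1.2.57 POST http://10.0.0.5/php/upload.php",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG, compile_blocklist(BLOCKLIST)):
        print(client, url, ", ".join(reasons))
```

The path match is the more durable of the two checks: the posts show the C2 addresses rotating run by run while the URI stays the same, so a POST to /php/upload.php from an internal host is worth an alert even before the address appears on a published list.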

#1762 AplusWebMaster

Posted 05 August 2016 - 06:01 AM

FYI...

Zeus Panda variant targets Brazil - wants to steal everything
- https://www.helpnets...als-everything/
Aug 5, 2016 - "A new Zeus Trojan variant dubbed Panda Banker has been specially crafted to target users of 10 major Brazilian banks, but also other locally popular services. 'Zeus Panda’s Brazilian configuration file has a notable local hue. Aside from including the URLs of major banks in the country, Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce', IBM researchers* have found..."
* https://securityinte...ls-into-brazil/
Aug 4, 2016

Top Financial Malware per Attack Volume (Source: IBM Trusteer)
> https://static.secur...16_families.png
___

Fake Apple ‘Thank You For Your Order’ Phish
- http://www.hoax-slay...der-scam-email/
Aug 5, 2016 - "Email purporting to be from the Apple Store thanks you for your order of an iPhone and notes that you can click a cancel link if you did not make the order... The email is -not- from Apple and it does not reference a real Apple Store order. Instead, it is a phishing scam designed to steal your Apple ID and password, your credit card details, and other personal information:
> https://i0.wp.com/ww...rder-scam-2.jpg
According to this email, which purports to be from the Apple Store, your order of an Apple iPhone 5c is about to be dispatched. The email does not contain your shipping and billing address but rather those of a person you do not know. It also includes a ‘cancel order’ link. The email features the Apple logo and is quite professionally presented. However, the email is not from Apple. Instead, it is a phishing scam designed to steal your personal and financial information. When you receive the email, you may mistakenly believe that the person named as the recipient of the iPhone has hijacked your Apple Account and made purchases in your name. Therefore, your first reaction might be to click the ‘cancel’ link in the hope of dealing with the issue. If you do click-the-link, you will be taken to a fraudulent website designed to emulate the genuine Apple website. Once on the -fake- site, you will be asked to ‘login’ with your Apple ID and password. Next, you will be taken to a -bogus- ‘Cancel Order’ form that asks you to provide your credit card details and other personal and financial information. After submitting the requested information, you may be told that you have successfully cancelled the order. But, now, the criminals can steal the information that you supplied and use it to -hijack- your Apple account, commit credit card fraud in your name, and attempt to steal your identity..."
___

Walmart phish ...
- https://bgr.com/2016...ery-email-scam/
Aug 5, 2016 - "Over the past couple of days*, Walmart users have been seeing unsolicited password recovery emails pop up in their inboxes. There’s clearly something 'phishy' going on, but it doesn’t seem to be a simple hack: it’s likely the precursor to an ambitious phishing attack on Walmart .com users... a Walmart spokesperson confirmed that there’s an increase in password recovery emails, but doesn’t think that any accounts have been compromised — yet. Instead, Walmart thinks that a hacker is using Walmart’s password recovery system to prepare for a -future- phishing attack. Walmart’s password recovery system is like most others: input an email address, and it sends a recovery code to that email address. But unlike some others, Walmart’s system confirms or denies whether there’s a Walmart .com account associated with that email... Seeing the groundwork for a phishing attack being laid is worrying, but the steps for customers to remain safe are simple... Walmart’s spokesperson also emphasized that it’s 'very unlikely' that any user accounts have been breached so far, and all customers need to do in the future is remain vigilant. If you’re particularly concerned, you can change the email address and password associated with your Walmart account."
* https://bgr.com/2016...password-reset/
Aug 4, 2016
 


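The Walmart item above describes an account-enumeration oracle: the password-recovery endpoint answers differently depending on whether an account exists for the address, which lets an attacker build a confirmed target list before the real phish goes out. As an added example (not Walmart's code or anything from the article), the Python below models that leaky behaviour beside a uniform-response version, and includes the attacker-side probe that distinguishes the two. The registered addresses, the messages and the mail queue are all constructed for the demo.

```python
# Added example: the account-existence oracle described above, and a
# uniform-response version that does not leak it. Example code, not
# Walmart's; the registered set, messages and addresses are constructed.
import secrets

REGISTERED = {"alice@example.com", "bob@example.com"}  # constructed user base
OUTBOX = []  # stands in for the mail queue; the code is only ever sent, never returned


def reset_leaky(email):
    """Behaviour the article describes: the reply confirms or denies that an
    account exists for the address."""
    if email in REGISTERED:
        OUTBOX.append((email, secrets.token_urlsafe(8)))
        return 200, "A recovery code has been emailed to you."
    return 404, "No account is associated with that email address."


def reset_uniform(email):
    """Same status and body for every address; the code is generated and
    queued only for registered ones, so the caller learns nothing."""
    if email in REGISTERED:
        OUTBOX.append((email, secrets.token_urlsafe(8)))
    return 200, "If an account exists for that address, a recovery code has been sent."


def enumerate_accounts(candidates, endpoint):
    """Attacker view: probe a control address that cannot exist, then report
    every candidate whose response differs from the control."""
    control = endpoint(f"no-such-user-{secrets.token_hex(4)}@example.invalid")
    return [c for c in candidates if endpoint(c) != control]


if __name__ == "__main__":
    probes = ["alice@example.com", "carol@example.com"]
    print("leaky  :", enumerate_accounts(probes, reset_leaky))   # ['alice@example.com']
    print("uniform:", enumerate_accounts(probes, reset_uniform))  # []
```

Status code and body are only the obvious channels; response time, response length and the behaviour of the sign-up form for the same address also need to be identical, and the endpoint should be rate-limited per source, since the probe above is cheap to run against a leaked address list.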

#1763 AplusWebMaster

Posted 08 August 2016 - 06:06 AM

FYI...

Fake 'Fraud Policy, Exceeded send Limit' SPAM - leads to Java Adwind Trojan
- https://myonlinesecu...malspam-emails/
8 Aug 2016 - "We continue to be plagued daily by fake financial themed emails containing java adwind attachments. I mentioned these HERE*. We have been seeing those emails almost every day and there was nothing to update. Today’s have stepped up a notch with multiple emails, subjects and slightly different subjects and email content to previous ones. There are 2 different Java Adwind versions in these emails...
* https://myonlinesecu...malspam-emails/
The first one of the  emails looks like:
From: admin@moneygram .ae
Date: Mon 08/08/2016 06:20
Subject: Attention To All Agents (Fraud Policy)
Attachment: Antifraud-policy.zip ( extracts to 2 identical files Antifraud-Agent-User-manual.jar and Antifraud-policy..jar )
Dear Agent,
Please find attached a self-explanatory letter and the Dodd-Frank Compliance,
Fraud Policy and Procedures which will be in effect from 20th January, 2016.
Please do not hesitate to revert to us should you require any further information.
Regards,
Senzo Dlamini
Regional Operations Executive
MoneyGram International ...


The next example looks like:
From: XM Accounts & Finance <xm.accounts@ xpressmoney .com>
Date: Mon 08/08/2016 07:58
Subject: Exceeded send Limit
Attachment: Settlement Sheet – Exceeded send Limit.zip ( extracts to Sendout Limit Exceded.jar and index.jpg which is a logo image for xpressmoney .com )
    Dear Sir/ Madam,
    It came to our notice that your agent terminal exceeded it’s send limit.
    As a result of this, We want you to verify your transaction report as attached.
    Respond urgently if you feel there is an error during our server computation.
    XM Accounts & Finance
    Xpress Money Services Ltd. | 8th Floor, Al Ameri Building TECOM
    P.O. Box 643996, Sheikh Zayed Road, Dubai, UAE ...


8 August 2016: Payment_Details_00H675B0017485.jar (119kb) - Current Virus total detections 30/55*  Payload Security**

8 August 2016: Antifraud-Agent-User-manual.jar (235kb) - Current Virus total detections 12/55***  Payload Security[4]

This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1470633115/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.231.23.176: https://www.virustot...76/information/

*** https://www.virustot...sis/1470633100/

4] https://www.hybrid-a...vironmentId=100
 


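Several of the posts above turn on the same filename trick: FedEx_ID_000179376.doc.js, Document (291).pdf.docm and Antifraud-policy..jar all read as documents when Explorer hides the final extension. As an added example (not code from the quoted blogs or from this forum), the Python below shows what such a name is displayed as with extension hiding on, screens archive members for an executable or script extension behind a document-looking one, and runs that over a ZIP built in memory whose member names copy the posts' attachments; the archive contents are harmless placeholders, and the extension lists are an assumption to be tuned to the mail gateway's policy.

```python
# Added example: screen archive members for the double-extension trick the
# posts above describe (FedEx_ID_...doc.js, Document (291).pdf.docm,
# Antifraud-policy..jar). Example code, not from the quoted blogs; the
# sample archive is built in memory with placeholder contents.
import io
import zipfile
from pathlib import PurePosixPath

# Final extensions that run code when opened (or carry macros). Assumed list.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "hta", "js", "jse",
             "wsf", "vbs", "vbe", "ps1", "lnk", "jar", "docm", "xlsm", "pptm"}
# Extensions a user expects to see on a harmless document or image. Assumed list.
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "rtf", "jpg", "png", "tiff"}


def explorer_display_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the last extension is hidden, so 'x.doc.js' is displayed as 'x.doc'."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot and stem else name


def screen_name(name):
    """Return the reasons a filename looks like a disguised executable."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return []
    reasons = []
    ext = parts[-1]
    if ext in EXEC_EXTS:
        reasons.append(f"executable/script extension .{ext}")
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        reasons.append(f"document extension .{parts[-2]} hidden before .{ext}")
    if "" in parts[1:]:  # 'policy..jar': an empty segment means two dots in a row
        reasons.append("consecutive dots in name")
    return reasons


def screen_zip(data):
    """Screen every member of a ZIP held in memory; returns {member: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = screen_name(PurePosixPath(info.filename).name)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(names):
    """Constructed sample: members named like the attachments in the posts,
    with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["FedEx_ID_000179376.doc.js", "Document (291).pdf.docm",
                               "Antifraud-policy..jar", "readme.txt"])
    for member, reasons in screen_zip(sample).items():
        shown = explorer_display_name(member)
        print(f"{member!r} shown as {shown!r}: {'; '.join(reasons)}")
```

A name check is a first filter only: the same posts show .docm attachments whose name is honest and whose danger is the macro inside, so the gateway still needs content inspection (or a policy of not delivering script and macro-enabled files at all).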

#1764 AplusWebMaster

Posted 09 August 2016 - 07:03 AM

FYI...

Fake 'Documents Requested' SPAM - leads to Locky
- https://myonlinesecu...pto-ransomware/
9 Aug 2016 - "An email with the subject of 'FW: Documents Requested' pretending to come from a random name at your own email domain with a malicious word doc attachment is another Locky/zepto ransomware dropper...
The email looks like:
From: random name at-your-own-domain
Date: Tue 09/08/2016 09:50
Subject: FW: Documents Requested
Attachment: Untitled(1).docm
    Dear [ your name ] ,
    Please find attached documents as requested.
    Best Regards,
    Lizzie


9 August 2016: Untitled(1).docm - Current Virus total detections 5/55*. Payload Security** shows a download of the encrypted Locky/zepto binary from www .fliegendergaertner .at/09uh8ny which gets converted to a working .exe file by the malicious macro in the original Word doc to give zorgins .exe
(VirusTotal 4/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1470732585/

** https://www.reverse....vironmentId=100
Contacted Hosts
81.19.145.43: https://www.virustot...43/information/
>> https://www.virustot...a2078/analysis/
159.203.182.129: https://www.virustot...29/information/
>> https://www.virustot...e23e6/analysis/
185.129.148.19: https://www.virustot...19/information/
>> https://www.virustot...760ca/analysis/
188.166.150.176: https://www.virustot...76/information/
>> https://www.virustot...26e20/analysis/

*** https://www.virustot...sis/1470733027/
___

Facebook Scams ...
- https://blog.malware...-hits-facebook/
Aug 9, 2016 - "... yet another celebrity death hoax. This time, the personality in question is Will Smith’s son, Jaden. Using one of our test accounts, below is a captured screenshot of what this Facebook post would look like if a user sees it in their feed:
> https://blog.malware...b-hoax-post.png
... (and) iwilltryeverything[DOT]site (pictured below), and clicking any of the five boxes claiming to contain the same news:
> https://blog.malware...eel-600x396.png
Also, clicking anywhere on the page redirects users to ads, which may not be ideal if you’re worried about malvertising. Users are then directed to a goaheadnow[DOT]press page. From here, two things can happen: one, the user may choose to scroll down and check out the video on that page or, two, the user can choose to -share- the -false- news straight away... Choosing to share the news straight away directs users to Facebook’s login page for them to enter their credentials, if they’re not logged in already. And then, the site asks for the user's permission to post on their wall:
> https://blog.malware...2016/08/005.png
... As more people share and spread such false news, the likelihood of others falling for online threats like scams and malware, or signing up for something they’d regret in the end also increases. If you see the Jaden Smith death “news” in your feed, inform the sharer that it’s a -hoax- and avoid sharing it further."

iwilltryeverything[DOT]site: 192.138.19.74: https://www.virustot...74/information/
>> https://www.virustot...43b86/analysis/

goaheadnow[DOT]press: 192.138.19.74

“Five Free Tickets” Facebook Scam
- http://www.hoax-slay...-facebook-scam/
Aug 8, 2016 - "Post being shared on Facebook claims that you can click to get 5 free tickets from UK based cinema chain Vue Cinemas. The post is fraudulent. It is not associated with Vue Cinemas and participants will never receive the promised movie tickets. The post is a -scam- designed to trick people into divulging their personal information on suspect survey websites:
> https://i2.wp.com/ww...book-scam-1.jpg
...  the post has no connection to the UK based cinema chain and those who participate will never receive the promised tickets. The post is designed to trick you into firstly spamming your friends with the same fraudulent giveaway and then submitting your personal information via decidedly dodgy “survey” websites..."
> https://i1.wp.com/ww...book-scam-2.jpg
 



#1765 AplusWebMaster

Posted 11 August 2016 - 07:59 AM

FYI...

Fake 'Scanned' SPAM - leads to Locky
- http://blog.dynamoo....scanned-by.html
11 Aug 2016 - "This spam has a malicious attachment:
    From:    Ashley [Ashley747@ victimdomail .tld]
    Date:    11 August 2016 at 11:13
    Subject:    New Doc 6-6
    Scanned by CamScanner
    Sent from Yahoo Mail on Android


The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis* of one sample shows a download location of fcm-makler .de/4GBrdf6 and my sources (thank you) tell me that there are -many- others, giving the following list:
151 .ru/4GBrdf6
antonello.messina .it/4GBrdf6
fcm-makler .de/4GBrdf6
iceninegr.web.fc2 .com/4GBrdf6
mccrarys .us/4GBrdf6
momoselok .ru/4GBrdf6
sando.oboroduki .com/4GBrdf6
www .EastsideAutoSalvage .com/4GBrdf6
www .fasulo .org/4GBrdf6
www .halloweenparty.go .ro/4GBrdf6
www .tommasobovone .com/4GBrdf6
The malware is Locky ransomware, and it phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife .net]
136.243.237.197/php/upload.php (Hetzner, Germany)
Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
217.119.54.192: https://www.virustot...92/information/
>> https://www.virustot...5da1f/analysis/
185.129.148.19: https://www.virustot...19/information/
>> https://www.virustot...16e32/analysis/
195.16.90.23: https://www.virustot...23/information/
>>> https://www.virustot...69bf5/analysis/
136.243.237.197: https://www.virustot...97/information/
>> https://www.virustot...a2e73/analysis/
___

Fake 'Dear client' SPAM - malicious link
- https://myonlinesecu...k-word-malspam/
11 Aug 2016 - "A series of emails saying 'Dear client! We have detected the attempt of transaction from your bank account', coming from random senders with a -link- to a malicious word doc is another one from the current bot runs... Some of the subjects seen include:
    Detected suspicious transaction on your account
    Locked transaction
    Online Banking informs
    Barclays Personal Banking
    Incomplete transaction

One of the emails looks like:
From: yvvelez@ gracehill .org
Date:
Subject:  Detected suspicious transaction on your account
Attachment ( link ):  payment.doc
    Hello!
    Dear client! We have detected the attempt of transaction from your bank
    account. You may find details of the transaction in the
    http ://vividlightingandliving .com.au/bank-info/payment.doc
    Please download this document. If this transaction was yours, please,
    contact us via contacts in the loaded file. If this transaction was not
    yours, notify our safety service shortly. Contacts of the safety service
    may be found in the loaded file. Also, you can contact us through the
    Personal Account of your bank.
    Attention: if you ignore our request, your account will be blocked on
    20.08.2016.


Alternative download locations from other emails include:
 http ://guestlistalamode .com/bank/payment.doc: 192.185.75.239: https://www.virustot...39/information/
>> https://www.virustot...efe50/analysis/
 http ://www.1800cloud .com/infos/report.doc: 65.49.52.99: https://www.virustot...99/information/
>> https://www.virustot...51a04/analysis/
 http ://www.monparfum .it/payments/info.doc: 80.88.88.149: https://www.virustot...49/information/
>> https://www.virustot...7c39a/analysis/

11 August 2016: payment.doc - Current Virus total detections 2/53*.  MALWR** shows a download from
 http ://88.119.179.160 /1biycuhoqetzowaawneab.exe (VirusTotal 7/53***) MALWR[4]..

Update: I am informed that it appears to be 'Panda Banker' which is a banking password/credential stealer.
See Proofpoint[5] and Arbor[6] for more details of this new threat..."
5] https://www.proofpoi...hits-the-market
"... Some of the Panda Banker C&C servers use Fast flux DNS, and have numerous IP addresses associated with a single malicious domain, making the malware more resistant to counter-measures..."

6] https://www.arbornet...zeus-zeus-zeus/
"... Not only is it built on a proven banking malware platform (Zeus), there are already a number of samples and botnets in the wild. In addition, Panda Banker is actively being developed with 9 distinct versions known..."

* https://www.virustot...sis/1470917056/

** https://malwr.com/an...WM4NGYzZGJiNDU/
Hosts
88.119.179.160: https://www.virustot...60/information/
>> https://www.virustot...ecf53/analysis/

*** https://www.virustot...sis/1470916592/

4] https://malwr.com/an...zYzOTgwNGE0YzU/
Hosts
No hosts contacted.

vividlightingandliving .com.au: 192.185.37.232: https://www.virustot...32/information/
>> https://www.virustot...83754/analysis/
 



#1766 AplusWebMaster

Posted 12 August 2016 - 06:40 AM

FYI...

Fake 'Xpress Money Certificate' SPAM - leads to JAVA Jacksbot
- https://myonlinesecu...ey-certificate/
12 Aug 2016 - "An email with the subject of 'New Xpress Money Certificate' pretending to come from akash.kushwah@xpressmoney .com <xm.ca@ xpressmoney .com> with a zip attachment which downloads a JAVA Jacksbot... This is a slight change to the usual java.jar files that are normally attached to these emails. Today’s version has a .exe file which is actually a SFX (self extracting RAR file) which extracts to an identically named .exe file which in turn when run drops the java files and runs them. AV detections call this one a Java Jacksbot rather than the “normal” Java Adwind we have been seeing in this sort of financial malspam.
One of the emails looks like:
From: akash.kushwah@ xpressmoney .com <xm.ca@ xpressmoney .com>
Date: Thu 16/06/2016 11:09
Subject: New Xpress Money Certificate
Attachment: New Xpress Money Certificate Signed And Sealed.exe
Dear Agent,
We have attached the New Certificate with installation details , Sign the branch seal on the attach authorization for security updates.
Best regards,
AKASH KUSHWAH | Xpress Money Operations
Xpress money services Ltd| P.O. Box 170,
Tel: +971 2 6580989 |Ex: 371 | Fax: +971 2 989564 ...


12 August 2016: New Xpress Money Certificate Signed And Sealed.exe - Extracts to: New Xpress Money Certificate Signed And Sealed..exe - Current Virus total detections 29/55*. MALWR**
This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1470995213/

** https://malwr.com/an...TdmMWFkZWViYjc/
___

Fake 'scanner' SPAM - leads to Locky
- http://blog.dynamoo....-sent-from.html
12 Aug 2016 - "This spam comes with a malicious attachment:
    Subject:     Message from "CUKPR0317276"
    From:     scanner@ victimdomain .tld (scanner@ victimdomain .tld)
    To:     webmaster@ victimdomain .tld
    Date:     Friday, 12 August 2016, 14:00
    This E-mail was sent from "CUKPR0329001" (Aficio MP C305).
    Scan Date: 17.11.2015 09:08:40 (+0000)
    Queries to: <scanner@ victimdomain .tld


The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to
doc(171)-12082016.wsf . This Hybrid Analysis* shows the script downloading a file from www .hi-segno .com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2 .com and www .homesplus .nf.net) but a trusted source tells me that the following download locations appear in different scripts... (see URL above for long list).
The malware phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
That Latvian network range is -all- bad, I recommend that you -block- the lot. The payload is Locky ransomware.
Recommended blocklist:
185.129.148.0/24
138.201.56.190
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

ITunes, Netflix phishing
- https://myonlinesecu...tflix-phishing/
12 Aug 2016 - "The latest Apple/ITunes phish pretends to be confirmation of an ITunes order for Netflix.

Screenshot: https://myonlinesecu...ix-06285490.png

The links go to
 http ://hiperkarma .hu/download/g.html  where you are -redirected- to
 http ://margotbai .com/UnitedKingdom/Itunes/apple/ and see a page looking like this, where if you fill in the ID and password then asks for all other financial information:
> https://myonlinesecu...apple_phish.png "

hiperkarma .hu: 87.229.45.133: https://www.virustot...33/information/
>> https://www.virustot...6835f/analysis/
margotbai .com: 67.212.91.221: https://www.virustot...21/information/
>> https://www.virustot...b4543/analysis/
 



Edited by AplusWebMaster, 12 August 2016 - 12:43 PM.



#1767 AplusWebMaster


Posted 13 August 2016 - 09:41 AM

FYI...

Beware of browser hijacker - comes bundled with legitimate software
- https://www.helpnets...jacker-bing-vc/
Aug 12, 2016 - "Lavians, a 'small software vendor team' is packaging its offerings with a variant of browser-hijacking malware Bing .vc. The company sells and offers for free different types of software (drivers and other kinds of utilities) on their own website*, but also on popular download sites. Unfortunately, most of them come bundled with the aforementioned malware, which installs itself into Internet Explorer, Firefox, and Chrome -without- the user’s consent..."
* http:// www. lavians .com/product/

lavians .com: 45.79.77.19: https://www.virustot...19/information/
>> https://www.virustot...32bc3/analysis/
bing .vc: 65.75.147.228: https://www.virustot...28/information/
>> https://www.virustot...b46ed/analysis/
2016-08-13
___

Visa Alert - Oracle POS Breach
- http://krebsonsecuri...-oracle-breach/
Aug 13, 2016 - "Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle‘s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang:
> http://krebsonsecuri.../VSA-oracle.png
The Visa alert is the first substantive document that tries to help explain what malware and which malefactors might have hit Oracle — and by extension many of Oracle’s customers... MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels. In short, tens of millions of credit cards are swiped at MICROS terminals monthly, and a breach involving the theft of credentials that might have granted remote access to even just a small percentage of those systems is potentially a big and costly problem for all involved:
> http://krebsonsecuri...osp-580x476.png "
 



Edited by AplusWebMaster, 13 August 2016 - 06:08 PM.



#1768 AplusWebMaster


Posted 15 August 2016 - 06:06 AM

FYI...

Fake 'Order Confirmation' SPAM - leads to Locky
- http://blog.dynamoo....onesabcouk.html
15 Aug 2016 - "This -fake- financial spam does -not- come from ESAB but is instead a simple -forgery- with a malicious attachment.
    From:    orderconfirmation@ esab .co.uk
    Date:    15 August 2016 at 10:37
    Subject:    Order Confirmation-7069-2714739-20160815-292650 ...


Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component...
The payload is Locky ransomware with a very low detection rate* at present. It phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)
The MWTV block is -all- bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77
"
* https://www.virustot...e21c5/analysis/
File name: ferdoxs.exe
Detection ratio: 1/55

138.201.56.190: https://www.virustot...90/information/
>> https://www.virustot...0c05b/analysis/
46.148.26.77: https://www.virustot...77/information/
>> https://www.virustot...cd79a/analysis/

- https://myonlinesecu...cky-ransomware/
15 Aug 2016 - "An email with the subject of 'Order Confirmation-9355-8379094-20160815-474623' pretending to come from orderconfirmation@ esab .co.uk with a malicious word doc attachment downloads Locky ransomware...
The email looks like:
From: orderconfirmation@ esab .co.uk
Date: Mon 15/08/2016 10:33
Subject: Order Confirmation-9355-8379094-20160815-474623
Attachment: Order Confirmation-9355-8379094-20160815-474623.docm ...


15 August 2016: Order Confirmation-9355-8379094-20160815-474623.docm - Current Virus total detections 7/56*
There are several different versions of this Locky downloader which all download an encrypted data file that is transformed by the macro to the same Locky Ransomware (virustotal 4/54*)..."
* https://www.virustot...sis/1471258818/

** https://www.virustot...e21c5/analysis/
___

Fake from 'Emma Critchley' SPAM - leads to Locky
- http://blog.dynamoo....-critchley.html
15 Aug 2016 - "This -fake- financial spam has a malicious attachment. It does -not- come from Advantage Finance but is instead a simple forgery.
    Subject:     Emailing - 9104896607509
    From:     Emma Critchley (emmacritchley@ advantage-finance .co.uk)
    Date:     Monday, 15 August 2016, 13:28
    Hi
    Vicky has asked me to forward you the finance documents (Please see attached)
    Many Thanks 


Attached is a DOCM file with a name that matches the subject. There are various versions, all of which download Locky ransomware... This phones home to the same servers as mentioned in this post*."
* http://blog.dynamoo....onesabcouk.html
___

Fake 'Documents' SPAM - leads to Locky
- http://blog.dynamoo....-officecom.html
15 Aug 2016 - "These -fake- financial documents have a malicious attachment:
    From:    Jen [Jen@ purple-office .com]
    Date:    15 August 2016 at 14:10
    Subject:    Documents from Purple Office - IN00003993
    Please find attached invoice/credit from Purple Office.
    Best regards,
    Purple Office


Attached is a randomly-named DOCM file which is almost definitely a variant of Locky ransomware as seen here[1] and here[2]."
1] http://blog.dynamoo....-critchley.html

2] http://blog.dynamoo....onesabcouk.html

- https://myonlinesecu...cky-ransomware/
15 Aug 2016
> https://malwr.com/an...GFiOGMwNWViNzI/
Hosts
80.150.6.138: https://www.virustot...38/information/
>> https://www.virustot...d79d7/analysis/
 



Edited by AplusWebMaster, 15 August 2016 - 11:14 AM.



#1769 AplusWebMaster


Posted 16 August 2016 - 05:36 AM

FYI...

Fake 'Scan/Document/Receipt' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
16 Aug 2016 - "Today’s first Locky ransomware example is a blank/empty email with the subject saying something like 'File: Scan(86)' or 'Emailing: Document(2)' or 'Emailing: Receipt(8)' [random numbered] or other similar generic subjects pretending to come from random names at your own email domain with a zip attachment containing a random numbered WSF (script file) which downloads an encrypted Locky ransomware version that gets converted by the script file to a fully working .exe... One of the emails looks like:
From: Random names at your own email domain or company
Date: Tue 16/08/2016 10:11
Subject: File: Scan(86)
Attachment: Scan(86).zip


Body content: Totally blank/empty

16 August 2016: Scan(86): Extracts to: 572310451803.wsf - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these 3 locations (there will be multiple others) that is transformed by the script to eaoJlwhPcR.exe (random depending on the version you get) (VirusTotal 3/56***)
http ://zarexbytonia.cba .pl/nJHbj0266b?coHDErXiOn=ldRhoj
http ://fereastrazmeilor .go.ro/nJHbj0266b?coHDErXiOn=ldRhoj
http ://www .lefaos.50webs .com/nJHbj0266b?coHDErXiOn=ldRhoj
... This is another one of the  files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1471338738/

** https://malwr.com/an...WFmYjJhYmJiNTA/
Hosts
192.151.153.26
81.196.20.134
95.211.144.65


*** https://www.virustot...sis/1471340178/
___

ITunes Phish
- https://myonlinesecu...lot-premium-hd/
16 Aug 2016 - "The latest Apple/ITunes phish pretends to be confirmation of an ITunes order for CoPilot premium HD.

Screenshot: https://myonlinesecu...ot-1024x654.png

The links go to
 http ://monthlyincomeformula .com/.GB/db/ where you are -redirected- to
 http ://missclaudia .net/.GB/apple-store-refund/appsrefund/ and see a page looking like this, where -if- you fill in the ID and password then asks for all other financial information:
> https://myonlinesecu...st-1024x555.png "

monthlyincomeformula .com: 162.144.84.124: https://www.virustot...24/information/

missclaudia .net: 174.136.50.43: https://www.virustot...43/information/
 



Edited by AplusWebMaster, 16 August 2016 - 06:37 AM.



#1770 AplusWebMaster


Posted 17 August 2016 - 06:43 AM

FYI...

Cerber ransomware ...
- https://www.helpnets...mware-campaign/
Aug 17, 2016 - "Check Point’s research team has analysed the inner workings of Cerber, the world’s biggest ransomware-as-a-service scheme:
> https://www.helpnets...int-cerber2.jpg
... Cerber is set up to enable non-technical criminals to take part in the highly profitable business and run independent campaigns, using a set of command and control servers and an easy-to-use control interface available in 12 different languages... The Bitcoin is transferred to the malware developer and affiliates by flowing through thousands of Bitcoin wallets, making it almost impossible to trace individual payments... The overall profit made by Cerber in July was $195,000. The malware developer received approximately $78,000 and the rest was split between the affiliates, based on successful infections and ransom payments for each campaign. On a yearly basis, the estimated monthly profit for the ransomware author would be $946,000. 'This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry' said Maya Horowitz, group manager, Research & Development, Check Point*. 'Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily. As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections'.”
* http://blog.checkpoi.../16/cerberring/
"... researchers have managed to break the encryption of Cerber and provide a free decryption tool**..."
** https://www.cerberde...DecryptionTool/

Exploit Kit Country Distribution Map: https://blog.checkpo.../08/Figure9.jpg
___

'Bogus blue verified checkmark' SCAM - on Twitter
- https://www.hotforse...tter-16373.html
Aug 17, 2016 - "... Take, for instance, this -scam- which was being played out on Twitter last week:
> https://www.hotforse...scam-tweet.jpeg
If you saw it in your Twitter timeline, you might very well click on the link without thinking – imagining that the account is run by Twitter. After all, it is displaying the same avatar as the one used by the legitimate @verified account. And clicking on the link *does* take you to a website which – at first glance – might look like a genuine Twitter property to those -lacking- in caution:
> https://www.hotforse...-scam-site.jpeg
Clicking further, however, takes you to a form which should instantly set your alarm bells ringing. It asks you to enter information such as your email address and your number of followers (both pieces of information that Twitter should -already- know) as well as your username and password:
> https://www.hotforse...cam-site-2.jpeg
Once you fill your details in this form, they are instantly transmitted to the hackers – who can then use your credentials to hijack your account for the purposes of spam or spreading malicious links. Furthermore, if you have made the mistake of reusing your Twitter password elsewhere on the net there is a good chance that you may have other online accounts compromised by the hackers in follow-up attacks. I reported the phishing URL to Google, and I’m pleased to report that it is now being blocked by most browsers:
> https://www.hotforse...rome-block.jpeg
The offending Twitter account has also been suspended. There are a few lessons here...
Firstly, always be careful about where you enter your login credentials. Make sure that you are on the proper website by examining-the-URL-closely, and consider that one of the benefits of running a good password manager is that it will not let you easily fill in your password unless it recognises it.
Secondly, never-reuse-passwords on multiple websites. If one site gets hacked, online criminals will often try to use the same credentials to unlock your other online accounts.
Thirdly, harden your defences. Where available (as it is on Twitter) enable two-step verification or two-factor authentication to provide an additional layer of defence for your accounts. With 2SV or 2FA in place, hackers will need more than your password to break into your accounts making it – in most cases – something that they’ll simply not bother with, as they move to find softer targets."
 



Edited by AplusWebMaster, 17 August 2016 - 08:43 AM.



#1771 AplusWebMaster


Posted 18 August 2016 - 09:40 AM

FYI...

Fake 'UPS' SPAM - leads to Locky
- http://blog.dynamoo....-is-having.html
18 Aug 2016 - "This -fake- UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.
    From     "Laurence lumb" [Laurence.lumb25@ ups .de]
    Date     Thu, 18 Aug 2016 17:35:21 +0530
    Subject     Emailing: Label
    Good afternoon
    The office printer is having problems so I've had to email the UPS label,
    sorry for the inconvenience.
    Cheers
    Laurence lumb


Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware... (according to my trusted source)... This dropped binary has a detection rate of 6/54*. It phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)
Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183
"
* https://www.virustot...7e84e/analysis/
___

Locky Ransomware via DOCM attachments - latest Email campaigns
- https://www.fireeye....somwaredis.html
Aug 17, 2016 - "Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry:
Top 10 affected industries
> https://www.fireeye....achong/Fig1.png
Numerous countries are affected, with the United States, Japan, and Republic of Korea topping the list:
Top affected countries
> https://www.fireeye....achong/Fig2.png
... Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August. This marks a change from the large campaigns we observed in March, where a JavaScript based downloader was generally being used to infect systems. These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick:
Massive DOCM related campaigns on Aug. 9, Aug. 11 and Aug. 15, 2016
> https://www.fireeye....achong/Fig3.png
Our analysis showed high similarity in the macro code that was used in the Aug. 9, Aug. 11 and Aug. 15 campaigns... The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing. In this instance, we are seeing a shift from using a JavaScript based downloader to infect victims to using the DOCM format. On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking trojans, as the former appears to be more lucrative. These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations."
 



Edited by AplusWebMaster, 18 August 2016 - 10:11 AM.

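The dynamoo items quoted in the 12, 15 and 18 August posts all report the same beacon path (/php/upload.php) and give recommended blocklists. The script below is an added example, not code from this forum or the quoted blogs: it checks proxy log lines against those indicators and renders the blocklist as iptables rules. The log format, the internal client addresses and the non-listed destination addresses in the sample are constructed.

```python
"""Check outbound proxy log lines against the Locky beacon indicators quoted
in this thread (added example; not code from the forum or the quoted blogs).
The log format and the sample lines are constructed for the demonstration."""
import ipaddress
import re

# Recommended blocklist entries quoted in the 12, 15 and 18 August posts
BLOCKLIST = [
    "185.129.148.0/24",   # MWTV, Latvia: the whole range is reported as bad
    "138.201.56.190",
    "46.148.26.77",
    "51.255.107.8",
    "194.67.210.183",
]
BLOCKED_NETS = [ipaddress.ip_network(entry, strict=False) for entry in BLOCKLIST]

# Beacon path the posts report ("phones home to .../php/upload.php")
C2_PATH = "/php/upload.php"

# Constructed log format: timestamp, client IP, method, URL, HTTP status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://([^/?#]+)([^?#]*)")


def is_blocked(host):
    """True if host is a literal IPv4 address inside a blocklist entry.
    Hostnames are not resolved: the indicators quoted are IP based."""
    try:
        ip = ipaddress.ip_address(host.split(":")[0])   # drop an optional :port
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETS)


def scan_proxy_log(lines):
    """Return (client, host, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not in the expected format; skip it
        u = URL_RE.match(m["url"])
        if not u:
            continue
        host, path = u.group(1), u.group(2) or "/"
        reasons = []
        if is_blocked(host):
            reasons.append("destination in recommended blocklist")
        if m["method"] == "POST" and path == C2_PATH:
            reasons.append("POST to Locky beacon path " + C2_PATH)
        if reasons:
            hits.append((m["src"], host, reasons))
    return hits


def iptables_rules(chain="OUTPUT"):
    """Render the blocklist as iptables DROP rules, one per entry."""
    return ["-A %s -d %s -j DROP" % (chain, net.with_prefixlen) for net in BLOCKED_NETS]


# Constructed sample log: internal clients are 10.0.5.x; 185.129.148.77 is a made-up
# address inside the quoted /24; 203.0.113.5 is a documentation address not on the list
SAMPLE_LOG = [
    "2016-08-18T12:01:07Z 10.0.5.23 POST http://185.129.148.19/php/upload.php 200",
    "2016-08-18T12:01:09Z 10.0.5.23 POST http://51.255.107.8/php/upload.php 200",
    "2016-08-18T12:02:11Z 10.0.5.40 GET http://www.example.com/index.html 200",
    "2016-08-18T12:03:30Z 10.0.5.23 GET http://185.129.148.77/ 404",
    "2016-08-18T12:04:00Z 10.0.5.9 POST http://203.0.113.5/php/upload.php 200",
]

if __name__ == "__main__":
    for client, host, reasons in scan_proxy_log(SAMPLE_LOG):
        print("%s -> %s: %s" % (client, host, "; ".join(reasons)))
    print("\n".join(iptables_rules()))
```

The last sample line shows why the path check matters on its own: a beacon to a server that is not yet on anyone's blocklist still stands out by its URL.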


#1772 AplusWebMaster


Posted 19 August 2016 - 04:50 AM

FYI...

Fake 'Payment Receipt' SPAM - leads to locky
- https://myonlinesecu...cky-ransomware/
19 Aug 2016 - "... a long line of generic emails delivering Locky ransomware is an email with the subject of  'Payment Receipt' pretending to come from random companies and email addresses with a malicious word doc attachment... One of the emails looks like:
From:  Payment Receipt
Date: Fri 19/08/2016 10:43
Subject:  Payment Receipt
Attachment: PaymentReceipt.docm
    Attached is the copy of your payment receipt.


19 August 2016: PaymentReceipt.docm - Current Virus total detections 7/55*.. MALWR shows a download of an encrypted file from http ://wzukoees.homepage.t-online .de/897fyDnv which is converted by the malicious macro in the word doc to C:\DOCUME~1\User\LOCALS~1\Temp\sys48.tmp (VirusTotal 4/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1471600737/

** https://www.virustot...sis/1471600926/

t-online .de: 2003:2:4:164:217:6:164:162
2003:2:2:40:62:153:159:92

217.6.164.162: https://www.virustot...62/information/
62.153.159.92: https://www.virustot...92/information/
___

Fake 'Report' SPAM - leads to Java Adwind Trojan
- https://myonlinesecu...rs-java-adwind/
19 Aug 2016 - "We continue to see Java Adwind Trojans daily. Today’s example is a slight change to the delivery method from previous Malspam emails that have been using Moneyexpress .com or MoneyGram or other middle eastern money exchange bodies. This one is an email with the subject of 'Unclaimed Commission Report-WUBS' pretending to come from  Shiella F. Doria <shiella.doria@ westernunion .com> with a zip attachment which contains a Java.jar file & an image to make it look “respectable” and genuine. We have seen various -spoofed- Western Union malspam...

Screenshot: https://myonlinesecu...BS-1024x646.png

The image from inside the zip is:
- https://myonlinesecu...ment-Sheet.jpeg

19 August 2016: Unclaimed Commission Report.zip - Extracts to: UN-PROCESSED COMMISSION.jar
Current Virus total detections 30/56*. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1471508188/
___

Ransomware round up
- https://atlas.arbor....ndex#-198932443
Aug 18, 2016 - "... Analysis: ... ransomware developers and infrastructure providers who deliver the packages are continuing to refine their crafts. The addition of a RAT used to target potential banking elements instead of going forward with ransomware -extortion- is a smart addition. Most threat actors behind ransomware tend to utilize one flat ransom across their victim pool. However, some, notably those behind Locky, have paid attention to some of their victims and were able to extort larger sums than the original request once they identified the overall value of the victimized systems. A RAT could allow a smart threat actor to better access their target and move forward with requesting larger sums of money. However, it could simply allow threat actors to leverage more traditional capabilities by capturing banking credentials which in turn could allow them to perform fraudulent withdrawals with potentially larger payouts than had they attempted simple extortion efforts. Nemucod and Locky continue to change their overall operating procedures. The addition of ad-click and backdoor functionality to a ransomware operation can lead to additional revenue streams for threat actors, especially if the ransomware does not impact the -additional- malicious packages, allowing for them to operate unencumbered while the victim decides what course of action to take in response to the ransomware. Most ransomware is best defended against by -never- enabling-macros unless you implicitly trust the source... and maintaining up-to-date backups that are stored offline..."
 



Edited by AplusWebMaster, 19 August 2016 - 03:36 PM.



#1773 AplusWebMaster


Posted 22 August 2016 - 08:02 AM

FYI...

Fake 'fax' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
22 Aug 2016 - "... first example of malspam word docs with macros delivering Locky ransomware is an email with the subject of 'Today’s fax' pretending to come from random names at your own email domain... The email looks like:
From: name/number at your own email domain
Date: Mon 22/08/2016 10:37
Subject: Today’s fax
Attachment: FAX_5542.DOCM


Body content:  Totally blank/empty

22 August 2016: FAX_5542.DOCM - Current Virus total detections 4/55*.. MALWR** shows a download of an encrypted file from http ://seiwa1202.web. fc2.com/HfgfvhTR5 that is converted by the malicious macro in the word doc to axilans.exe (VirusTotal 4/55***). Payload Security[4] shows this has anti-analysis protection... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1471858624/

** https://malwr.com/an...DRjMTY1N2ZlOGQ/
Hosts
208.71.106.61: https://www.virustot...61/information/
>> https://www.virustot...32839/analysis/

*** https://www.virustot...sis/1471859596/

4] https://www.hybrid-a...vironmentId=100
___

Fake 'Hello' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
22 Aug 2016 - "... next batch of malspam emails delivering locky ransomware is a series of emails with subjects like “Hi”, “Hi There” or “Hello” coming from random names, companies and email addresses with a zip attachment containing a WSF (Windows Scripting File)... The body has various generic phrases as the contents along the lines of:
“Please see the attached report about the monthly progress of our department”
“I am sending you the bills of the goods we delivered to you in the attachment"


22 August 2016: 5772ac1553.zip: Extracts to: export_pdf_ 2c23a43a~.js - Current Virus total detections 2/56*
.. MALWR was unable to get any content from the heavily encoded WSF file (waiting for other analysis but almost certain to be the same locations as Today’s Word version Malware delivery[1]). Payload Security** shows a load of connections to various sites... This is another one of the  files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1471860907/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


1] https://myonlinesecu...cky-ransomware/
 



Edited by AplusWebMaster, 22 August 2016 - 08:22 AM.

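The Xpress Money SFX (12 August), the Scan(86).zip WSF (16 August), the UN-PROCESSED COMMISSION.jar (19 August) and the FAX_5542.DOCM and export_pdf_ 2c23a43a~.js items (22 August) all rely on the same trick the posts keep warning about: a name that reads like a document while the extension runs as code. The triage script below is an added example, not code from this forum or the quoted blogs; the extension deny-list and the in-memory sample ZIP are assumptions, and the names it is run on are taken from the posts above or constructed where noted.

```python
"""Triage of e-mail attachment names for the disguised-script lures this thread
keeps reporting (added example; not code from the forum or the quoted blogs).
Only names are inspected: nothing is extracted to disk or executed."""
import io
import re
import zipfile

# Extensions that run as code or carry macros (assumption: a typical mail-gateway
# deny-list, not a complete enumeration)
CODE_EXT = {"exe", "scr", "dll", "wsf", "js", "jse", "vbs", "vbe", "hta", "jar", "docm", "xlsm"}
# Document/media types the lures impersonate
DECOY_EXT = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "wav", "txt"}
DECOY_WORD = re.compile(r"(^|[ ._\-])(pdf|doc|jpg|scan|invoice|receipt)([ ._\-]|$)")


def classify_attachment(name):
    """Return the reasons a filename looks like a disguised-script lure
    (an empty list means the name itself is unremarkable)."""
    reasons = []
    lower = name.strip().lower()
    parts = lower.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in CODE_EXT:
        reasons.append("code/macro extension ." + ext)
    # Double extension such as 'voicemail.wav.zip' or 'invoice.pdf.js'
    if len(parts) > 2 and parts[-2] in DECOY_EXT:
        reasons.append("decoy extension .%s before .%s" % (parts[-2], ext))
    # Decoy type spelled out in the stem, e.g. 'export_pdf_ 2c23a43a~.js'
    if ext in CODE_EXT and DECOY_WORD.search(".".join(parts[:-1])):
        reasons.append("decoy document type named in stem")
    # Doubled dot, as in the SFX that extracts to '... Signed And Sealed..exe'
    if ".." in lower:
        reasons.append("empty extension segment (doubled dot)")
    return reasons


def triage_zip(zip_bytes):
    """Triage every member name inside a ZIP attachment given as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings[info.filename] = classify_attachment(info.filename)
    return findings


def build_sample_zip(member_names):
    """Constructed sample: an in-memory ZIP whose members are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"")
    return buf.getvalue()


def is_suspicious(name, zip_bytes=None):
    """True if the attachment name, or any member of a ZIP attachment, raises a reason."""
    if classify_attachment(name):
        return True
    if zip_bytes is not None and name.lower().endswith(".zip"):
        return any(triage_zip(zip_bytes).values())
    return False


if __name__ == "__main__":
    # Names quoted in the thread, plus one constructed double-extension lure
    for sample in ["New Xpress Money Certificate Signed And Sealed..exe",
                   "UN-PROCESSED COMMISSION.jar", "FAX_5542.DOCM",
                   "export_pdf_ 2c23a43a~.js", "invoice.pdf.js", "quarterly_report.docx"]:
        print("%-55s %s" % (sample, classify_attachment(sample) or "ok"))
    # Scan(86).zip from the 16 August post extracted to 572310451803.wsf
    print(triage_zip(build_sample_zip(["572310451803.wsf"])))
```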


#1774 AplusWebMaster


Posted 23 August 2016 - 08:04 AM

FYI...

Fake 'Voice Message Notifications' deliver Ransomware
- https://isc.sans.edu...l?storyid=21397
2016-08-23 - "... a phone number and with modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, everybody can receive a mail with a 'voice mail notification'. Even residential systems can deliver voice message notifications. Here is an example displayed in Microsoft Outlook:
> https://isc.sans.edu...t-voice-msg.gif
Today, I received a wave of emails like the following:
From: voicemail@ rootshell .be
To: [redacted]
Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25
Dear [redacted]:
There is a message for you from 01422520472, on 2016/08/23 15:55:25 .
You might want to check it when you get a chance. Thanks!


The sender is spoofed with the victim domain name.... file was attached to the message... '.wav.zip' extension to lure the user. As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC)[1]. Vigor is a UK company building ADSL residential modems[2]. This tends to think that the new wave is targeting residential customers. Here are the C2 servers (for your IDS):
89.42.39.81
213.205.40.169
51.254.55.171
194.67.210.183
185.51.247.211
185.129.148.19
91.201.202.125
"

[1] https://www.virustot...sis/1471949327/
File name: 614007286106.wsf
Detection ratio: 6/55

[2] http://www.draytek.c...gacy/vigor-2820
___

More Fake 'voice mail messages' SPAM - delivers Locky/Zepto
- https://myonlinesecu...pto-ransomware/
23 Aug 2016 - "Today’s Locky/Zepto ransomware malspam emails have come steadily in waves all day long. There have been 2 distinct different subjects and themes, one pretending to be a voice message from your own email domain or company, with the second pretending to be an audit report from a random company. The first is an email with the subject of '[Vigor2820 Series] New voice mail message' from 01443281097 on 2016/08/23 21:01:59 [random telephone number and date/time] pretending to come from voicemail @ your own email address with a zip attachment named something like 'Message_from_01443281097.wav.zip' where the attachment number matches the telephone number in the subject line. The Vigor 2820 Series is an older ADSL Router Firewall aimed at small business users, so we can quite easily see that this campaign of malware spreading is directly aimed at the small business user...

Screenshot: https://myonlinesecu...97-1024x426.png

The second campaign has a subject of 'Audit Report' coming from random senders with a content looking like the below. The name in the body of the email matches the spoofed sender. One of the  emails looks like:
From: Omer Scott <Scott.58115@ bambit .de>
Date: Tue 23/08/2016 15:3
Subject: Audit Report
Attachment: 83543cd11db.zip
    Dear lie
    The audit report you inquired is attached in the mail. Please review and transfer it to the related department.
    King regards,
    Omer Scott


23 August 2016: Message_from_01443281097.wav.zip: Extracts to: 44077640409.wsf
Current Virus total detections 23/56*.. MALWR** shows a download of an encrypted file from either
 http ://danzig.vtrbandaancha .net/HJghjb54?PqzwogvtP=xYWWDkr -or-
 http ://backyard004.web. fc2.com/HJghjb54?PqzwogvtP=xYWWDkr (in this example) which gets converted by the script to wKoYWwOtQ.exe (VirusTotal 6/56***)

23 August 2016: 83543cd11db.zip: Extracts to: audit report 316dd5a1.js
Current Virus total detections 23/56[4].. MALWR[5] shows a download of an encrypted file from either
 http ://sb-11856.fastdl-server .biz/688dak3, http ://newt150.tripod .com/idyeb9 -or-
 http ://dl.sevenseals .ru/ehaq1zw (in this example) which gets converted by the script to NCPcpOkuUfr5AA0.dll (VirusTotal 18/56[6])... This is another one of the  files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441173827/

** https://malwr.com/an...DVhZmE2NTcxZGM/
Hosts
200.83.4.62
185.129.148.19
208.71.106.40


*** https://www.virustot...sis/1471961322/

4] https://www.virustot...sis/1441173827/

5] https://malwr.com/an...mNkNzA3MjA4NzM/
Hosts
109.230.252.172
52.52.39.236
77.221.140.226


6] https://www.virustot...sis/1471962605/
___

Fake 'Cancellation' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
23 Aug 2016 - "The next in the series of today’s Locky downloaders is an email with the subject of  'Cancellation' pretending to come from random senders with a zip attachment containing a JavaScript file that pretends to be a pdf... One of the emails looks like:
From: Zachary Flynn <Flynn.94@ football-stats .org>
Date: Tue 23/08/2016 19:00
Subject: Cancellation
Attachment: 2c122b8fa354.zip
    Dear rob,
    Attached is the paper concerning with the cancellation of your current credit card.
    Confirm to us for receiving.
    King regards,
    Zachary Flynn
    Account Manager ...


23 August 2016: 2c122b8fa354.zip: Extracts to: card_cancellation_pdf 5a59aad3.js
Current Virus total detections 4/56*.. MALWR** shows a download of an encrypted file from one of these locations
 http ://sopranolady7 .wang/1cntwk5 | http ://www.leuchten-modelle .de/ink36
 http ://download.apf .asso .fr/87aktsv | http ://gromasgboleslawiec .cba .pl/09n7n
... that is decrypted and transformed into P6dtp6pov8qB.dll (VirusTotal 6/56***)... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1471975535/

** https://malwr.com/an...zU0YTkzZTYyMTU/
Hosts
95.211.144.65
212.18.0.4
91.223.89.200
195.154.81.86


*** https://www.virustot...sis/1471977294/
___

File-in-the-middle Browser hijackers
- https://blog.malware...ddle-hijackers/
Aug 23, 2016 - "We are not sure if this is going to be a new trend among browser-hijackers, but it seems more than a coincidence that we found -two- browser hijackers using a very similar approach to reach their goal of taking victims to the sites of their choice. Both are using one of their own files to act as a file-in-the-middle between the user and the browser... Dotdo Audio: Dotdo is a strain of hijackers that we have discussed before for using different and more “out of bounds” methods to get the job done. I named this variant “audio” because it uses audio advertisements. But that is not our focus here. It’s the replacement of browser executables with their own that raised our interest. The installer -renames- the files firefox.exe and chrome.exe, if present, and adds a number to the filename. It then hides these renamed files and replaces them with its own files:
> https://blog.malware...8/hiddenexe.png
The screenshot above shows you the hidden and renamed Chrome file, in the same folder as the replacement. I changed the settings for hidden files so that we can see them. In a similar screenshot below we can see that the same was done for Firefox:
> https://blog.malware.../hiddenexe2.png
The browsers are -hijacked- to open with traffic-media[dot]co by altering the browser shortcuts for:
    Chrome
    Firefox
    Internet Explorer
    Opera
    Yandex
... Summary: We discussed two hijackers from very different families and using different methods, but they also had a few things in common. They want the victims to hear/see their advertisements and they used a file-in-the-middle between the browser shortcuts and the actual browser in order to alter the browsers behavior to meet their goals..."

traffic-media[dot]co: 195.154.46.150: https://www.virustot...50/information/
>> https://www.virustot...28854/analysis/
___

Email - Security battleground
- http://blog.trendmic...line-extortion/
Aug 23, 2016 - "Emails have become the battleground for the first half of the year in terms of security. It is the number one infection vector that has ushered in 2016’s biggest threats so far — ransomware and business email compromise (BEC). Ransomware infections normally start via email. Based on our findings, -71%- of the known ransomware families’ delivery method is through spam. Looking at the threat trends so far, both ransomware and BEC have proved profitable across the world:
Regional breakdown by volume of ransomware threats:
> https://blog.trendmi...61h-roundup.jpg
Regional breakdown by volume of organizations affected by BEC scams:
> https://blog.trendmi...61h-roundup.jpg
Our telemetry shows that ransomware’s scope is more widespread than BEC as it targets countries in Europe, Middle East, and Africa. The prevalence of BEC scams is higher in the North American region, with fewer countries but more targeted — attackers behind BEC scams most often impersonate and target C-level executives... 58% of the nearly 80 million ransomware threats Trend Micro blocked from January to June 2016 are email-borne ransomware. BEC scams, on the other hand, -all- arrive via email. These factors make the two threats quite formidable, as email remains a firm staple in everyday business. They both also utilize social engineering. In ransomware’s case, it’s for the user to click and run the ransomware attached to their opening email. For BECs, it’s to trick the targeted officer into thinking that their request for a money transfer is legitimate, without the usual malware payload... Knowing that these threats use email as an attack vector, companies should strengthen employee education and invest smartly in email protection. With these, the threat of ransomware and BEC attacks can be greatly reduced..."
 



Edited by AplusWebMaster, 23 August 2016 - 04:03 PM.



#1775 AplusWebMaster


Posted 24 August 2016 - 05:44 AM

FYI...

Fake 'Statement' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
24 Aug 2016 - "This morning’s first Locky ransomware delivering malspam is an email with the subject of 'Statement' coming from random senders, companies and email addresses with a random named zip attachment  containing a JavaScript file that pretends to be a financial statement... One of the  emails looks like:
From: Ella Gonzales <Gonzales.169@ airtelbroadband .in>
Date: Wed 24/08/2016 10:34
Subject: Statement
Attachment: 25b8ae3a4d.zip
    Hi,
    The monthly financial statement is attached within the email.
    Please review it before processing.
    King regards,
    Ella Gonzales ...


24 August 2016: 25b8ae3a4d.zip: Extracts to: monthly_financial_scan aa9140e0.js
Current Virus total detections 2/56*.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://rejoincomp2 .in/117uuf5h | http ://dokcool.atspace .org/jltqouz
 http ://smilehomeutsumi504.web. fc2.com/by11k6r ... that is converted by the JavaScript to o2OoILn8OHU.dll and autorun (VirusTotal 6/56***)... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1472031010/

** https://malwr.com/an...WFkNDQxNDgwYmE/
Hosts
82.197.131.109
208.71.106.49
213.229.74.92


*** https://www.virustot...sis/1472033919/
___

Fake 'Emailing: Image' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
24 Aug 2016 - "A blank email with the subject of 'Emailing: Image15.jpg' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted  HTA file... This set of emails has a zip attachment that extracts to a HTA file... One of the  emails looks like:
From: Raymon <Raymon237@ Your email domain >
Date: Wed 24/08/2016 12:04
Subject: Emailing: Image15.jpg
Attachment: Image15.zip


Body content: Totally blank/Empty

24 August 2016: Image15.zip: Extracts to: 100966743304.hta - Current Virus total detections 2/56*
.. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to xUztoLUte.exe by the instructions inside the HTA/JavaScript (VirusTotal 2/56***)... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1472036751/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
112.140.42.29
213.205.40.169
200.83.4.62
185.129.148.19
51.254.55.171
185.51.247.211
194.67.210.183
91.226.92.208


*** https://www.virustot...sis/1472037488/
 



Edited by AplusWebMaster, 24 August 2016 - 08:29 AM.



#1776 AplusWebMaster


Posted 25 August 2016 - 04:44 AM

FYI...

Fake 'Fraud Notice' SPAM - Java Adwind Trojans
- https://myonlinesecu...c-xpress-money/
25 Aug 2016 - "... Java Adwind Trojans being delivered by various financial themed emails, we are seeing a new method of distribution of the Java Adwind Trojan using these financial themed emails with the subject of 'Request for Amendment'-XPIN- 2401200221508974 & 2401240241500561 (11) pretending to come from xm.support@ xpressmoney .com <XM SUPPORT> with a word doc attachment that contains the Java Adwind Trojan as an embedded OLE object... One of the emails looks like:
From: xm.support@ xpressmoney .com <XM SUPPORT>
Date: Request for Amendment-XPIN- 2401200221508974 & 2401240241500561 (11)
Subject: Request for Amendment-XPIN- 2401200221508974 & 2401240241500561 (11)
Attachment: Fraud Notice XM.doc
    Dear Sir/Madam,
    We would like to inform you that the transaction mentioned have been flagged from our system although the Xpress Money account is still under review. Please cancel and amend these transactions from your system at the earliest. Details of Transactions is been attached
    Thanks & Warm Regards,
    Prasanth Vasanth Pai
    Specialist Customer Support
    Xpress Money Services Ltd.
    PO Box 170, Abu Dhabi, UAE ...


Screenshot of attached word doc: https://myonlinesecu...oc-1024x419.png

25 August 2016: Fraud Notice XM.doc -  Current Virus total detections 23/56*. MALWR**
If you are unwise enough to double click the alleged pdf files that are -embedded- inside the word doc, then a JAVA.jar – Jacob.jar file will open & run (VirusTotal 23/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472103111/

** https://malwr.com/an...zVkMjc1YzJlYTQ/

*** https://www.virustot...sis/1472103307/

Earlier 'Java Adwind' posts: https://myonlinesecu.../?s=Java Adwind
___

BEC scams and ransomware
- https://www.helpnets...ware-bec-scams/
Aug 25, 2016 - "Trend Micro analyzed the trends in attacks and vulnerabilities seen throughout the first half of this year*, and found a rise and impact of attacks, such as a -172- percent increase in ransomware and $3 billion in losses due to business email compromise (BEC) scams so far in 2016..."
(More detail at the URL above.)
Charted: https://www.helpnets...ransomware1.jpg
* http://blog.trendmic...line-extortion/
Aug 23, 2016 - "... Based on our findings, 71% of the known ransomware families’ delivery method is through spam..."
* https://www.trendmic...reports/roundup
Aug 23, 2016 - "... The number of new ransomware families we saw in the first half of 2016 alone has already eclipsed the total 2015 volume by 172%. With ransomware attacks becoming more and more sophisticated and prevalent, we believe that the threat will potentially cause more damage going into the second half of the year..."
___

Tech support scams and Google Chrome tricks
- https://blog.malware...-chrome-tricks/
Aug 25, 2016 - "Tech support scams coming as phishing pages that contain -fake- alerts urging you to call for immediate assistance are commonplace these days. We collect -hundreds- of such URLs each day and have observed countless tricks to fool users... for years we have been telling people to double check the URL in the address bar to know if a website is really what it claims to be. When this scam page loads it runs in full-screen mode and prevents the user from easily closing it with an infinite loop of alerts.
Now take a look at the address bar. For all intents and purposes it does look like the legitimate Microsoft website, although the ‘ru-ru’ (Russia) portion of the URL is a fail in an otherwise clever design. (There are other bits of Russian here and there in the source code, which perhaps link to the original author?):
> https://blog.malware...016/08/scam.png
... Tech support -scams- have similar alert windows except we found some that are completely made up. Putting a checkmark and clicking OK actually produces the opposite result of what you’d expect, to keep you more frustrated and ready to throw your computer out the window... It’s safe to say that browser-based tech support scams are not going anywhere any time soon. Sadly, most browsers are brought to their knees with simple bits of JavaScript and non-savvy users will simply give up and call the toll free number for assistance (we forgot to mention that all this while a very annoying audio track plays in the background). Call centres located in India (for the most part) are receiving thousands of calls each day from desperate victims prime to be -defrauded- of hundreds of dollars by rogue operators playing the Microsoft technician game. Spotting those scams isn’t always easy though and that is why it’s important to expose them to show their inner workings. To learn more about tech support scams and consult our blacklist of known offenders, please check out our resource page here*."
* https://blog.malware...-support-scams/
 



Edited by AplusWebMaster, 25 August 2016 - 02:10 PM.



#1777 AplusWebMaster


Posted 26 August 2016 - 10:53 AM

FYI...

Fake 'Voice Message' SPAM - delivers Locky/Zepto
- https://myonlinesecu...rs-locky-zepto/
26 Aug 2016 - "An email with the subject of 'Voice Message from Outside Caller (3m 54s) [random length]'  pretending to come from Peach Telecom <peach_necsv06@ hotmail .com> (random number after peach_necsv) with a zip attachment which downloads Locky/Zepto ransomware... One of the  emails looks like:
From: Peach Telecom <peach_necsv06@ hotmail .com>
Date: Fri 26/08/2016 12:21
Subject: Voice Message from Outside Caller (3m 54s)
Attachment: Outside Caller 08-26-2016 9aaf18b.zip
    Voice Message Arrived on Friday, Aug 26 @ 6:26 AM
    Name: Outside Caller
    Number: Unavailable
    Duration: 3m 54s ...


26 August 2016: Outside Caller 08-26-2016 9aaf18b.zip: Extracts to: 08-26-2016 36ptor06.wsf
Current Virus total detections 9/56*.. MALWR** shows a download of an encrypted file  from one of these locations:
 http ://sewarte.homepage. t-online .de/nb20gjBV?xJNXYWEr=xnGdqHz |
 http ://theramom.web. fc2 .com/nb20gjBV?xJNXYWEr=xnGdqHz |
 http ://seishinkaikenpo .com/nb20gjBV?xJNXYWEr=xnGdqHz
which is transformed by the script to LHOyUOaiiss1.dll (VirusTotal ***). All versions send info back to the control centre at http ://51.254.55.171/data/info.php ...
This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472210401/

** https://malwr.com/an...2QwYjdlOGNhMTI/
Hosts
210.157.30.70
208.71.106.46
80.150.6.138
51.254.55.171


*** https://www.virustot...sis/1472214673/
___

Fake 'P.O.' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
26 Aug 2016 - "The second batch of today’s Locky ransomware malspam emails is an email with the subject of
'office equipment' coming from random senders with a zip attachment... One of the  emails looks like:
From: Jillian Kirby <Kirby.84@ phantomes .com>
Date: Fri 26/08/2016 11:41
Subject: office equipment
Attachment: 609c171b94a.zip
    Dear wh,
    Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.
    Best regards,
    Jillian Kirby
    Sales Manager


26 August 2016: 609c171b94a.zip: Extracts to: office_equipment ~bced3628.js
Current Virus total detections 4/56*.. MALWR** shows a download of an encrypted file from one of these locations,
 http ://onlybest76 .xyz/1rkyye | http ://all-rides .com/i0gih |
 http :// provincialpw .com/crgrapy | http ://www.mediawareonline .it/yvg6cw |
 http ://www.jansen-consultancy-machines .be/nvbd7rme that is transformed by the script to deliver AzWzM3LegeEcV6.dll (VirusTotal 14/58***). Payload Security[4].. This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472209948/

** https://malwr.com/an...WE3MDhiYmZjODA/
Hosts
195.130.132.84
104.232.35.136
160.153.54.35
173.255.129.128
212.104.43.3


*** https://www.virustot...sis/1472217004/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
160.153.54.35
212.104.43.3
188.127.249.203
138.201.191.196
51.254.55.171
91.226.92.208

___

Fake 'monthly report' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
26 Aug 2016 - "The third of today’s Locky ransomware malspam deliveries is an email with the subject of 'monthly report' coming from random senders, companies and email addresses with a zip attachment... One of the  emails looks like:
From: Tasha Ray <Ray.05187@ flamingjewellery .co.uk>
Date: Fri 26/08/2016 18:16
Subject: monthly report
Attachment: c1195a3663e.zip
    Good evening hyperbolasmappera,
    There were some errors in the monthly report you submitted last week.
    See the highlights in the attachment and please fix as soon as possible.
    Best regards,
    Tasha Ray
    Account Manager ... 


28 August 2016: c1195a3663e.zip: Extracts to: monthly_report_pdf (~41e8df8a).js
Current Virus total detections 6/56*.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://berndburgdorf .de/5x6vdaw | http ://www.valmon .it/ndxec | http ://rejoincomp2 .in/3dv7n |
 http ://abufarha .net/80d4a1j  which is transformed by the script to lh7pIFrXtoRVDe.dll (VirusTotal 19/58***)...
This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472235308/

** https://malwr.com/an...Tg2NmJjMGE0ZmU/
Hosts
212.40.179.94
104.232.35.136
213.205.40.169
66.147.240.193


*** https://www.virustot...sis/1472237184/
 



Edited by AplusWebMaster, 26 August 2016 - 03:48 PM.

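The Locky reports quoted in this and the preceding posts (the 'Cancellation', 'Statement', 'Emailing: Image', 'Voice Message', 'office equipment' and 'monthly report' lures) all hinge on the same trick: a script or HTA inside a zip, named with a document word such as pdf, xls or scan so that a user with extensions hidden sees something harmless. The following is an added example, not code from myonlinesecurity or from this forum, showing how a mail-gateway or quarantine triage step can catch that pattern before a mailbox does: it opens each zip in memory and flags members with a script or executable extension, a decoy document token in the name, or a doubled extension. The attachment and member names are copied from the reports above; the zip contents, the token list and the verdict labels are this example's own assumptions.

```python
"""Added triage helper (not from the quoted reports): flag zip attachments whose
members are script or executable files wearing a document-style name."""
import io
import re
import zipfile

# Extensions Windows runs on double-click (Windows Script Host, mshta, loader)
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
                     ".exe", ".scr", ".cmd", ".bat"}
# Bait words seen in the reported attachment names (assumed list, extend as needed)
DECOY_TOKENS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
                "scan", "wav", "image", "photo")
_TOKENS = "|".join(DECOY_TOKENS)
# A decoy token counts only when delimited by _, space, dot, parens, ~ or the string edges
DECOY_IN_STEM = re.compile(r"(?:^|[_\s.(~])(?:%s)(?=[_\s.)~]|$)" % _TOKENS)
# "something.wav.zip" / "invoice.pdf.js": a media or document extension before the real one
DOUBLE_EXT = re.compile(r"\.(?:%s)\.[a-z0-9]+$" % _TOKENS)


def suspicious_reasons(member_name):
    """Return the reasons a zip member name looks like a disguised script ([] if clean)."""
    base = member_name.rsplit("/", 1)[-1].lower()
    m = re.search(r"\.([a-z0-9]+)$", base)
    ext = "." + m.group(1) if m else ""
    if ext not in SCRIPT_EXTENSIONS:
        return []
    reasons = ["script/executable extension " + ext]
    stem = base[: -len(ext)]
    if DECOY_IN_STEM.search(stem):
        reasons.append("document-style decoy token in name")
    if DOUBLE_EXT.search(base):
        reasons.append("double extension")
    return reasons


def triage_zip_attachment(attachment_name, zip_bytes):
    """Inspect one zip attachment; return {'verdict': ..., 'findings': [(name, reasons), ...]}."""
    findings = []
    if DOUBLE_EXT.search(attachment_name.lower()):
        findings.append((attachment_name, ["zip named after a media/document file"]))
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # Corrupt or not a zip at all: hold it for a human rather than pass it through
        return {"verdict": "review", "findings": [(attachment_name, ["not a valid zip"])]}
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = suspicious_reasons(info.filename)
            if reasons:
                findings.append((info.filename, reasons))
    return {"verdict": "quarantine" if findings else "pass", "findings": findings}


def build_zip(members):
    """Construct an in-memory zip from {name: text}; sample data only, no real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: attachment and member names copied from the reports above,
# contents are harmless placeholder text.
SAMPLES = {
    "2c122b8fa354.zip": build_zip({"card_cancellation_pdf 5a59aad3.js": "// placeholder"}),
    "9dc078a8d54e.zip": build_zip({"commission_xls (~2a4bfa91).js": "// placeholder"}),
    "Message_from_01443281097.wav.zip": build_zip({"44077640409.wsf": "<job></job>"}),
    "Image15.zip": build_zip({"100966743304.hta": "<html></html>"}),
    "quarterly.zip": build_zip({"quarterly_report.pdf": "%PDF-1.4 placeholder"}),
}


def triage_all(samples=SAMPLES):
    """Run the triage over every sample; returns {attachment_name: verdict}."""
    return {name: triage_zip_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = triage_zip_attachment(name, data)
        print(name, "->", result["verdict"])
        for member, reasons in result["findings"]:
            print("   ", member, ":", "; ".join(reasons))
```

The name check is deliberately the first, cheapest gate: a member with a script extension is held regardless of what it claims to be, and the decoy-token and double-extension reasons only add to the report so an analyst can see the lure at a glance. Password-protected or nested zips are not unpacked here; a production gateway would recurse and treat an unreadable archive as "review" just as the invalid-zip branch does.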


#1778 AplusWebMaster


Posted 29 August 2016 - 06:57 AM

FYI...

Fake 'Commission' SPAM - leads to Locky
- https://myonlinesecu...delivers-locky/
29 Aug 2016 - ".. the -Locky- onslaught continues its daily attacks with an email with the subject of 'Commission' coming from random companies and senders with a zip attachment that despite the message in the email body saying it is an Excel file actually contains a JavaScript file, although they have half tried to disguise it as an excel file commission_xls (~2a4bfa91).js ... One of the  emails looks like:
From: Minerva Bridges <Bridges.033@ aprilwilkins .com>
Date: Mon 29/08/2016 10:20
Subject: Commission
Attachment: 9dc078a8d54e.zip
    Good morning rob,
    Here is the excel file of the commission you earned last month. Please analyze
    the attachment to confirm the amount.
    Regards,
    Minerva Bridges


29 August 2016: 9dc078a8d54e.zip: Extracts to: commission_xls (~2a4bfa91).js - Current Virus total detections 4/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
  http ://xelagon.50webs .org/8rxv3 | http ://209.237.142.197/~p27j55uk/von90s
  http ://ach-dziennik.cba .pl/kag7pe6 | http ://wangmewang .name/5tr5xeey which is transformed into a working Locky Ransomware file by the JavaScript file yzASo9ubY.dll (VirusTotal 9/58***)... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472462471/

** https://malwr.com/an...jMwMzNlMTk3OWI/
Hosts
192.151.153.26
213.229.74.92
95.211.144.65
209.237.142.197


*** https://www.virustot...sis/1472464805/
___

Fake 'invoice' SPAM - leads to ransomware
- https://myonlinesecu...pto-ransomware/
29 Aug 2016 - "... series of Locky/Zepto ransomware malspams... an email with the subject of 'Please find attached invoice no: 9087773449' [random numbered] pretending to come from document@ your own email domain with a zip attachment containing a WSF file... One of the emails looks like:
From: document@ your own email domain
Date: Mon 29/08/2016 10:21
Subject: Please find attached invoice no: 9087773449
Attachment: 03A137a21.zip
    Attached is a Print Manager form.
    Format = Portable Document Format File (PDF) ...


29 August 2016: 03A137a21.zip: Extracts to: sedFki.wsf - Current Virus total detections 7/56*
.. MALWR** shows a download of an encrypted file from one of these locations
 http ://www.imaginarium .home.ro/78yhuinFYs?AUURTj=HtKvHtW
 http ://abcbureautique.abc.perso. neuf .fr/78yhuinFYs?AUURTj=HtKvHtW
 http ://dussartconsulting .com/78yhuinFYs?AUURTj=HtKvHtW ... which is transformed by the script file to atuBFcBCz1.dll and automatically run (VirusTotal 4/58***). All the versions post home to the control centre at http ://51.255.107.30 /data/info.php to get & store the encryption key used to encrypt your files... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472462824/

** https://malwr.com/an...zUzZGRkYWIwYmE/
Hosts
86.65.123.70
81.196.20.133
91.216.107.228
51.255.107.30


*** https://www.virustot...sis/1472465136/
___

Fake 'mortgage documents' SPAM - lead to Locky
- https://myonlinesecu...delivers-locky/
29 Aug 2016 - "... Locky ransomware malspams... email with the subject of 'mortgage documents' with a zip attachment  containing a WSF file... One of the  emails looks like:
From: Edison Montgomery <Montgomery.25@ cable .net .co>
Date: Mon 29/08/2016 20:16
Subject: mortgage documents
Attachment:
    Dear cazzo, I am attaching the mortgage documents relating to your department.
    They need to be signed in urgent manner.
    Regards,
    Edison Montgomery


29 August 2016: 9aaea06c022a.zip: Extracts to: mortgage_documents.c40bf5a3.wsf
Current Virus total detections 5/56*.. MALWR** seems unable to analyse these and Payload Security has 150+ files in the queue...
Edit: Payload security*** eventually gave me www .qualityacoustic.comcastbiz .net/53ky07h2 which is an encrypted file which gets transformed by the script to a Locky/Zepto file. Unfortunately Payload security does not give me that file... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472498468/

** https://malwr.com/an...2JhNjMxOGY2ODQ/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.87.186.101
51.255.107.30
188.127.249.203
195.64.154.114
138.201.191.196
69.195.129.70
91.226.92.208

___

Locky downloaded as encrypted DLLs
- http://blog.trendmic...encrypted-dlls/
Aug 29, 2016 - "... Locky has, over time, become known for using a wide variety of tactics to spread – including macros, VBScript, WSF files, and now DLLs...  we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that used old tactics on the surface, but with some key technical changes. The emails that were used to distribute it were fairly pedestrian as far as these messages go, although it was part of a large-scale spam campaign:
> https://blog.trendmi...locky-dll-1.png
... Using a DLL file in this way represents an attempt to try and -evade- behavior monitoring features that are now part of modern endpoint security products. Running as a DLL prevents a new process from being started, making it harder to detect. Other ransomware families (like CrypMIC/CryptXXX) have used this tactic as well, although for Locky this is new. The use of encryption is also meant to strengthen this malware’s ability to hide itself. Without receiving the right parameters from the downloader, no actual malicious file is actually decrypted (and theoretically, detected)..."
 



Edited by AplusWebMaster, 29 August 2016 - 07:16 PM.

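Trend Micro's point above is that a DLL cannot start on its own, so Locky's switch to a DLL payload removes the obvious "new unknown process" signal that behaviour monitoring keys on; what is left to watch is a legitimate Windows loader being started by a script host with a DLL sitting in a user-writable folder, followed by the check-in to the control server that the 'Commission' and 'invoice' reports describe. The example below is added here and is not Trend Micro's or myonlinesecurity's code. It assumes the loader is rundll32.exe or regsvr32.exe (the blog post does not name the loader), and it runs over a constructed process-creation log in a simplified key=value form rather than real Sysmon or EDR output. The file names and the 51.254.55.171 address are borrowed from the reports above; the pids, paths, timestamps and the export name Entry are made up for the example.

```python
"""Added detection sketch (not from the quoted reports): flag DLL-loader processes
that a script host spawned, or that load a DLL from a user-writable directory,
and attach any network connections the flagged process made."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}   # assumed loaders for the DLL payload
# Locations a mail-delivered script can write to without elevation
USER_WRITABLE = re.compile(
    r"\\(?:appdata\\local\\temp|appdata\\roaming|downloads|programdata)\\", re.I)

# key=value tokens; a quoted value may contain spaces
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log (simplified key=value form, not real Sysmon/EDR output).
# File names come from the 'Commission' report; pids, paths and "Entry" are made up.
SAMPLE_LOG = r"""
ts=2016-08-29T10:22:01Z event=ProcessCreate pid=4120 ppid=3300 image=C:\Windows\explorer.exe cmdline="C:\Windows\explorer.exe"
ts=2016-08-29T10:22:40Z event=ProcessCreate pid=4488 ppid=4120 image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\rob\AppData\Local\Temp\commission_xls (~2a4bfa91).js"
ts=2016-08-29T10:22:43Z event=ProcessCreate pid=4512 ppid=4488 image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Users\rob\AppData\Local\Temp\yzASo9ubY.dll,Entry"
ts=2016-08-29T10:25:10Z event=ProcessCreate pid=4600 ppid=4120 image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL"
ts=2016-08-29T10:30:02Z event=ProcessCreate pid=4701 ppid=4120 image=C:\Windows\System32\regsvr32.exe cmdline="regsvr32.exe /s C:\Users\rob\AppData\Roaming\upd\svc.dll"
ts=2016-08-29T10:31:00Z event=NetworkConnect pid=4512 dest=51.254.55.171:80
"""


def parse_line(line):
    """Parse one key=value line into a dict (quoted values keep their spaces)."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}


def basename(path):
    """Lower-cased file name part of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def module_argument(cmdline):
    """Return the DLL argument of a rundll32/regsvr32 command line ('' if none)."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return ""
    arg = parts[1]
    while arg.startswith("/"):          # drop regsvr32 switches such as /s or /u
        arg = arg.split(None, 1)[1] if " " in arg else ""
    return arg.split(",", 1)[0].strip().strip('"')


def detect_script_dll_chains(log_text):
    """Return one alert per loader process that came from a script host and/or
    loads a DLL from a user-writable path; 'high' when both conditions hold."""
    procs, conns = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "ProcessCreate":
            procs[rec["pid"]] = rec
        elif rec.get("event") == "NetworkConnect":
            conns.setdefault(rec["pid"], []).append(rec.get("dest", ""))
    alerts = []
    for rec in procs.values():
        if basename(rec["image"]) not in DLL_LOADERS:
            continue
        parent = procs.get(rec["ppid"])
        parent_image = basename(parent["image"]) if parent else "<unknown>"
        module = module_argument(rec.get("cmdline", ""))
        from_script = parent_image in SCRIPT_HOSTS
        user_dir = bool(USER_WRITABLE.search(module))
        if not (from_script or user_dir):
            continue                    # e.g. explorer running rundll32 shell32.dll
        alerts.append({
            "pid": rec["pid"], "ts": rec.get("ts"),
            "loader": basename(rec["image"]), "parent": parent_image,
            "module": module,
            "connections": conns.get(rec["pid"], []),
            "severity": "high" if from_script and user_dir else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_dll_chains(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["parent"], "->",
              alert["loader"], alert["module"], alert["connections"])
```

The control-panel line (explorer.exe starting rundll32 with shell32.dll) is included on purpose: it is the everyday benign use of the same loader, and the rule ignores it because neither condition is met. The script-host parent is the stronger of the two signals, since a JS or WSF dropper has no legitimate reason to hand a DLL to rundll32; the user-writable path alone is graded medium because some installers and updaters do the same thing.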


#1779 AplusWebMaster


Posted 30 August 2016 - 09:00 AM

FYI...

Fake 'Body content Blank/empty' SPAM - leads to Locky
- https://myonlinesecu...rs-locky-zepto/
30 Aug 2016 - "The latest of Today’s Locky/Zepto malspams is a -blank- empty email pretending to come from random names at your own email domain with the -subject- similar to 'document, File, Picture, Photo, Image' etc. with a zip attachment containing a WSF file... One of the  emails looks like:
From: random name @ your own email domain
Date:
Subject: Photo
Attachment: PC_20160830_05_84_67_Pro.zip


Body content: Blank/empty

11 May 2016: PC_20160830_05_84_67_Pro.zip: Extracts to: XfTxmMOc.wsf - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from
 http ://gerochan.web. fc2 .com/987nkjh8?RlUTbYrVI=TMGiBgFtfwB amongst others which eventually gets transformed by the script file to XWYLtzfQg1.dll (VirusTotal 5/58***). C2 control which determines the encryption key is
 http ://188.127.249.32 /data/info.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472566396/

** https://malwr.com/an...GRlZTk2MTcwYjU/
Hosts
85.12.197.61
208.71.106.49
208.71.106.45
51.255.107.30
188.127.249.32


*** https://www.virustot...sis/1472562174/
___

Fake 'Final payment' SPAM - leads to malware
- https://myonlinesecu...ads-to-malware/
30 Aug 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ hmrcgovuk121 .pw> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking Trojans like Dridex or Dyreza and ransomware like Locky or numerous Cryptolocker versions... The email looks like:
From: angela.fynan@ hmrc.gsi .gov.uk <info@ hmrcgovuk121 .pw>
Date: Tue 30/08/2016 15:08
Subject: Final payment request
Attachment: hmrc_doc_083016_848347734.docm
    Date of issue 30 august 2016
    Reference       K 2058964946
    Sir/Madam
    Final payment request GBP 5,961.34.
    Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you.
    We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe.
    As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money.
    For more information and how to pay us please see attached statement.
    We’ll continue to add interest to the original debt until you pay in full.
    Debt Management
    G McLean
    HMRC ...


Screenshot: https://myonlinesecu...st-1024x562.png

30 August 2016: hmrc_doc_083016_848347734.docm - Current Virus total detections 4/55*
.. MALWR** shows a download from http ://ivanovimportexportltd. co.uk/4.exe (VirusTotal 4/57***) MALWR[4]
... likely to be a password stealer of some sort. Payload Security[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472565604/

** https://malwr.com/an...jJjMzNlYzBhMGM/
Hosts
137.74.172.30

*** https://www.virustot...sis/1472566995/

4] https://malwr.com/an...2Y3NWRlNTk5NGE/

5] https://www.reverse....vironmentId=100
Contacted Hosts
137.74.172.30
___

Fake 'paycheck' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
30 Aug 2016 - "... series of Malspam delivering -Locky- ransomware is an email with the subject of 'paycheck' coming from random senders, companies and email addresses with a zip attachment... One of the emails looks like:
From: Isabella Holman <Holman.114@ profilerhs .com>
Date: Tue 30/08/2016 18:38
Subject: paycheck
Attachment:
    Hey gold, as you requested, attached is the paycheck for your next month’s salary in advance.
    Sincerely yours,
    Isabella Holman


30 August 2016: e3fa12b0575f.zip: Extracts to: paycheck_pdf_de64ad80.js - Current Virus total detections 6/54*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://malwinstall .wang/1xiolv6 | http ://specialist.homepage. t-online .de/pgtv2
 http ://kikital.web. fc2 .com/amqq7aq6 | http ://solesdearequito. tripod .com/f1bii
 http ://vinciunion. co.th/gfp87 that is converted by the script to a working Locky ransomware 6e8kHAmEE5.dll
  that gets run automatically (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472578893/

** https://malwr.com/an...jRjZGVjNzMyZjA/
Hosts
80.150.6.138
52.52.40.206
208.71.106.48
45.59.114.100
103.246.18.22


*** https://www.virustot...sis/1472579254/
___

Fake 'Server Update' SPAM - drops Java Adwind or Jacksbot
- https://myonlinesecu...nd-or-jacksbot/
30 Aug 2016 - "An email with the subject of 'Unity Link New Server Update' pretending to come from xm.nl@ unitylink .com <abelen@ unitylink .com> with a zip attachment which contains an executable file 'Updated Unityink Server..exe' and an image, which drop/create various Java.jar files. This is likely to be a Java Adwind or Java Jacksbot version... One of the emails looks like:
From: xm.nl@ unitylink .com <abelen@ unitylink .com>
Date: Tue 30/08/2016 07:13
Subject: Unity Link New Server Update
Attachment: Unity Link New Server Update.zip
    Dear Agent,
    Find attach New update details with password, kindly sign and branch seal on the attach authorization for security updates.
    Best regards,
    ALAA ELDIN BEBARS
    | Unity Link Operations
    Unity Link services Ltd| P.O. Box 170 ...


Screenshot of image file inside zip: https://myonlinesecu...rver-Update.png

30 August 2016: Unity Link New Server Update.zip: Extracts to: Updated Unityink Server..exe
Current Virus total detections 15/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472556607/

** https://malwr.com/an...mI1NzYwNjI3OGI/
___

Opera server breach ...
> https://www.opera.co...reach-incident/
Aug 26, 2016 - "Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised. Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution. We have also sent emails to all Opera sync users to inform them about the incident and ask them to change-the-password for their Opera-sync-accounts. In an abundance of caution, we have encouraged users to also reset-any-passwords to third-party-sites they may have synchronized with the service. To obtain a new password for Opera sync, use the password resetting page:
- https://auth.opera.c...t/lost-password "
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 30 August 2016 - 01:30 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1780 AplusWebMaster


Posted 31 August 2016 - 04:25 AM

FYI...

Fake 'Scan' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
31 Aug 2016 - "... received a massive malspam run of an email with the subject of 'FW: [Scan] 2016-08-13 15:49:12' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted HTA file... One of the emails looks like:
From: Bertha <Bertha34@ your own email domain>
Date: Wed 31/08/2016 06:14
Subject: FW: [Scan] 2016-08-13 15:49:12
Attachment: 2016-08-30 436 663 415.zip
   From: “Bertha” <Bertha34@[REDACTED]>
    Sent: 2016-08-13 15:49:12
    To: [REDACTED]
    Subject: [Scan] 2016-08-13 15:49:12
    Sent with Genius Scan for iOS ...


31 August 2016: 2016-08-30 436 663 415.zip: Extracts to: Yd95ozed8.hta - Current Virus total detections 9/56*
.. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to QXkcpj1.dll by the instructions inside the HTA/JavaScript (VirusTotal 19/56***)... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472620428/

** https://www.reverse....vironmentId=100
Contacted Hosts
210.157.28.18
80.150.6.138
195.208.0.137
95.85.19.195
188.127.249.32
58.158.177.102


*** https://www.virustot...sis/1472623964/
___

Fake 'bank transactions' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
31 Aug 2016 - "... Locky continues with an email with the subject of 'bank transactions' coming from random senders, companies and email addresses with a random named zip attachment containing a JS file... One of the emails looks like:
From: Marlene Carrillo <Carrillo.170@ veloxzone. com.br>
Date: Wed 31/08/2016 07:35
Subject: bank transactions
Attachment: b231f370cf0.zip
    Good morning gold.
    Attached is the bank transactions made from the company during last month.
    Please file these transactions into financial record.
    Yours truly,
    Marlene Carrillo


31 August 2016: b231f370cf0.zip: Extracts to: CC1BB558_bank_transactions.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://www.instalacionesjosearteaga .com/s7yy5 | http ://enigmes4saisons.perso. sfr .fr/dilveh
 http ://mambarambaro .ws/1m202 | http ://www.meta. metro .ru/uumr65 which gets transformed into the Locky ransomware by the script KzgOzqkkKOZ.dll (VirusTotal 7/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472629007/

** https://malwr.com/an...jc4OGI3NTk5MzU/
Hosts
62.42.230.17
86.65.123.70
195.91.160.34
45.59.114.100
158.69.147.88


*** https://www.virustot...sis/1472629326/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.42.230.17
86.65.123.70
95.85.19.195
188.127.249.203
138.201.191.196
188.127.249.32
91.223.180.66


- http://blog.dynamoo....ansactions.html
31 Aug 2016 - "This -fake- financial spam comes with a malicious attachment:
    From:    Rueben Vazquez
    Date:    31 August 2016 at 10:06
    Subject:    bank transactions
    Good morning petrol.
    Attached is the bank transactions made from the company during last month.
    Please file these transactions into financial record.
    Yours truly,
    Rueben Vazquez


The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js ... According to the Malwr report of these three samples [1] [2] [3] the scripts download... Each one of those samples drops a -different- DLL... these phone home to:
95.85.19.195/data/info.php [hostname: vps-110831.freedomain .in .ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers .com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl .ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.
Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24
"
1] https://malwr.com/an...Dk0ZmVmZjE5Mzg/

2] https://malwr.com/an...2RmNWEwZDFjY2E/

3] https://malwr.com/an...DViOWM4YTNmOTQ/
___

Fake 'flight tickets' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
31 Aug 2016 - "This latest Locky ransomware malspam is a little bit more believable than some recent attempts and might actually fool a few recipients. An email with the subject of 'flight tickets' pretending to come from random companies, senders and email addresses with a random name zip attachment containing a JavaScript file... One of the emails looks like:
From: Wallace Hampton <Hampton.7365@writers-india.com>
Date: Wed 31/08/2016 18:37
Subject: flight tickets
Attachment: 4e0302044044.zip
    Good evening admin.
    I am sending you the flight tickets for your business conference abroad next month.
    Please see the attached and note the date and time.
    Respectfully,
    Wallace Hampton


31 August 2016: 4e0302044044.zip: Extracts to: CE14A812_flight_tickets.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://roger.pierrieau.perso. sfr .fr/68d8ti | http ://virmalw .name/31fwt4cs
 http ://simo62.web. fc2 .com/yywcdpbu | http ://www.francogatta .it/npoa0lzw which is converted to a working Locky ransomware file & autorun by the script 20mrgwO23alMfJvj.dll (VirusTotal 8/58***). Payload Security[4]...
This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472665164/

** https://malwr.com/an...2Q2OWU2N2VmOGQ/
Hosts
158.69.147.88
208.71.106.61
195.78.215.76
86.65.123.70


*** https://www.virustot...sis/1472665518/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.99.111.28
208.71.106.61
95.85.19.195
138.201.191.196
188.127.249.203
188.127.249.32
91.223.180.66
69.195.129.70

___

SWIFT discloses more cyber thefts, pressures banks on security
- http://www.reuters.c...t-idUSKCN11600C
Aug 31, 2016 - "SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank... The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers... A SWIFT spokeswoman declined to elaborate on the recently uncovered incidents or the security issues detailed in the letter, saying the firm does not discuss affairs of specific customers. All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter. Accounts of the attack on Bangladesh Bank suggest that weak security procedures there made it easier to hack into computers used to send SWIFT messages requesting large money transfers. The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police..."
___

Hacks steal account details for 60M Dropbox Users
- https://it.slashdot....n-dropbox-users
Aug 31, 2016 - "Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard* obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts..."
* https://motherboard....ropbox-accounts
 



Edited by AplusWebMaster, 31 August 2016 - 04:23 PM.

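As an added example (my own code, not from the original post or from the blogs quoted above), here is a small Python script that turns Dynamoo's "Recommended blocklist" from the 'bank transactions' report into network objects and checks the Hybrid Analysis "Contacted Hosts" list from the 'flight tickets' report against it. The IPs and CIDRs are copied from the post above; the refang() helper undoes the defanging conventions used throughout this thread ('http ://', 'example .wang', 'name(dot)tld') so the values can be parsed. Function names are my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Dynamoo's "Recommended blocklist" for the 'bank transactions' run,
# copied from the post above (not invented).
RECOMMENDED_BLOCKLIST = [
    "95.85.19.195",
    "138.201.191.196",
    "188.127.249.0/24",
    "91.223.180.0/24",
]

# "Contacted Hosts" from the Hybrid Analysis report of the 'flight tickets'
# sample, copied from the post above (not invented).
CONTACTED_HOSTS = [
    "192.99.111.28", "208.71.106.61", "95.85.19.195", "138.201.191.196",
    "188.127.249.203", "188.127.249.32", "91.223.180.66", "69.195.129.70",
]


def refang(indicator: str) -> str:
    """Undo the defanging used in this thread so the value can be parsed.

    Handles 'http ://host', 'name .tld', 'name(dot)tld', 'name[.]tld' and a
    space before the path ('1.2.3.4 /data/info.php').
    """
    s = indicator.strip()
    s = re.sub(r"\(dot\)|\[\.\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"(https?)\s*:\s*//", r"\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*\.\s*", ".", s)
    s = re.sub(r"\s+/", "/", s)
    return s


def host_of(url: str) -> str:
    """Hostname (or IP) of a possibly defanged URL; a bare host is returned as-is."""
    s = refang(url)
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""


def compile_blocklist(entries):
    """Parse IPs and CIDRs into ip_network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(refang(e), strict=False) for e in entries]


def match_hosts(hosts, blocklist):
    """Split hosts into those covered by the blocklist and those that are not.

    Returns (matched, unmatched): matched maps each host to the entry that
    covers it, so a /24 entry shows which individual hosts it absorbed.
    """
    nets = compile_blocklist(blocklist)
    matched, unmatched = {}, []
    for h in hosts:
        ip = ipaddress.ip_address(refang(h))
        covering = next((n for n in nets if ip in n), None)
        if covering is None:
            unmatched.append(str(ip))
        else:
            matched[str(ip)] = str(covering)
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = match_hosts(CONTACTED_HOSTS, RECOMMENDED_BLOCKLIST)
    for ip, net in matched.items():
        print(f"blocked  {ip:<16} by {net}")
    for ip in unmatched:
        print(f"review   {ip:<16} not in blocklist")
    print(host_of("http ://149.154.152.108 /data/info.php"))
```

The hosts left unmatched are ones the report's author chose not to list; review them rather than adding them blindly. Before widening an entry to a /24, check whether the range is dedicated to the C2 (as the /24 entries in these lists are) or shared hosting: several download locations in these reports sit on free web hosts such as web.fc2.com, homepage.t-online.de and perso.sfr.fr, where a range block would also hit legitimate sites.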


#1781 AplusWebMaster


Posted 01 September 2016 - 06:23 AM

FYI...

Fake 'Shipping info' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
1 Sep 2016 - "... the Locky onslaught continues with ever increasing frequency and complexity. The first of today’s Malspam is an email with the subject of 'Shipping information' coming from random names, companies and email addresses with a random named zip attachment containing a heavily obfuscated/encrypted JavaScript file... One of the emails looks like:
From: Celina Mccarty <Mccarty.8737@ spebs .com>
Date: Thu 01/09/2016 09:12
Subject: Shipping information
Attachment: 2020f266fc.zip
    Dear customer,
    Our shipping service is sending the order form due to the request from your company.
    Please fill the attached form with precise information.
    Very truly yours,
    Celina Mccarty


1 September 2016: 2020f266fc.zip: Extracts to: 91CF4D63_shipping_service.js - Current Virus total detections 4/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://www.oltransservice .org/wxyig4v | http ://kreativmanagement.homepage. t-online .de/anlaok1d
 http ://mambarambaro .ws/1zvqoqf which is transformed by the script to naXFQvt9.dll (VirusTotal 11/58***)
Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472717463/

** https://malwr.com/an...mQwY2JmNWIwOGM/
Hosts
213.205.40.169
192.99.111.28
80.150.6.138


*** https://www.virustot...sis/1472718234/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
213.205.40.169
95.85.19.195
212.109.192.235
5.34.183.211
188.127.249.32
188.127.249.203
91.223.180.66


- http://blog.dynamoo....service-is.html
1 Sep 2016 - "This -fake- shipping email comes with a malicious attachment:
    Subject:     Shipping information
    From:     Charles Burgess
    Date:     Thursday, 1 September 2016, 9:30
    Dear customer,
    Our shipping service is sending the order form due to the request from your company.
    Please fill the attached form with precise information.
    Very truly yours,
    Charles Burgess


The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and ending with _shipping_service.js. Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
joeybecker.gmxhome .de/430j1t
ngenge.web. fc2 .com/vs1qc0
mambarambaro .ws/1zvqoqf
timetobuymlw .in/2dlqalg0
peetersrobin.atspace .com/t2heyor1
www .bioinfotst. cba .pl/u89o4
Between those four reports, there are three -different- DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis* shows the malware phoning home to:
5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24
"
1] https://malwr.com/an...jlhYjlhNDQ0YjA/
Hosts
82.165.58.83
192.99.111.28
208.71.106.37


2] https://malwr.com/an...zNhZDJjMTUxNTE/
Hosts
82.197.131.109
158.69.147.88
95.211.144.65


3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.165.58.83

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.197.131.109
95.85.19.195
5.34.183.211
212.109.192.235
188.127.249.203
188.127.249.32
91.223.180.66


5] https://virustotal.c...sis/1472720135/

6] https://virustotal.c...sis/1472720153/

7] https://virustotal.c...08380/analysis/

* https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.197.131.109
95.85.19.195
5.34.183.211
212.109.192.235
188.127.249.203
188.127.249.32
91.223.180.66

___

Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo....d-attached.html
1 Sep 2016 - "This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.
    Subject:     Please find attached invoice no: 329218
    From:     victim@ victimdomain .tld
    To:     victim@ victimdomain .tld
    Date:     Thursday, 1 September 2016, 12:42
    Attached is a Print Manager form.
    Format = Portable Document Format File (PDF)
    Disclaimer ...


Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download... The payload appears to be Locky ransomware... This is similar to the list here*.
Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24
"
* http://blog.dynamoo....service-is.html
1 Sep 2016
___

Fake 'Travel expense sheet' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
1 Sep 2016 - "... never ending series of Locky downloaders is an email with the subject of 'Travel expense sheet' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: ea00ba32a5.zip
    Dear karen,
    Here is the travel expense sheet for your upcoming company field trip. Please write down the approximate costs in the attachment.
    Warm wishes,
    Hilario Walton


1 September 2016: ea00ba32a5.zip: Extracts to: Travel_expense_sheet_E492D6CB.js - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://www .cortesidesign .com/v1vmxyj | http ://www .aktion-zukunft-gestalten .info/hfgo3x
 http ://portadeenrolar .ind.br/rbfr26 | http ://timetobuymlw .in/57h8t6it which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 21/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472753839/

** https://malwr.com/an...WZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250


*** https://www.virustot...sis/1472755942/
___

Cerber dropped via Malvertising
- http://blog.trendmic...a-malvertising/
Aug 31, 2016 - "... The latest version of Cerber had functions found in earlier versions like the use of voice mechanism as part of its social engineering tactics. Similar to previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits. Users are typically -redirected- to these exploit kit servers via ads appearing in a pop-up window after clicking a video to play. This ultimately leads to the download of Cerber. While this malvertisement campaign has affected several countries already, the attack is heavily concentrated in Taiwan. And although this malvertising campaign has been running for months, it was only now that it dropped Cerber 3.0 as its payload. In the case of Magnitude, a simple redirect script was used. Rig, on the other hand, opened a website in the background that contained a screenshot of legitimate US clothing shopping sites, perhaps to make the ad look less suspicious... Cerber demands 1.24 BTC (~US$523, as of March 4, 2016) and gave affected entities seven days. Cerber 3.0 asks for 1 BTC right away, but if the user waits more than five days the ransom doubles to 2 BTC:
> https://blog.trendmi...cerber-v3-3.png
... The most fundamental defense against ransomware is still backing up. With proper backups in place, organizations need not worry about any data loss that may be incurred. At the very least, important files should be backed up on a regular basis. Practice the 3-2-1 rule wherein 3 copies are stored in two different devices, and another one to a safe location. A good defense against malvertising (and exploit kits in general) is to keep the software in use up-to-date with all security patches. This will reduce the risk against a wide variety of attacks, not just ransomware. This includes both the operating system and any applications in use. A security solution that can proactively provide defense against attacks targeting vulnerabilities in the system’s software is also recommended..."
 



Edited by AplusWebMaster, 01 September 2016 - 02:59 PM.



#1782 AplusWebMaster


Posted 02 September 2016 - 06:22 AM

FYI...

Fake 'old office facilities' SPAM - leads to Locky
- http://blog.dynamoo....facilities.html
2 Sep 2016 - "This spam has a malicious attachment:
    Subject:     old office facilities
    From:     Kimberly Snow (Snow.741@ niqueladosbestreu .com)
    Date:     Friday, 2 September 2016, 8:55
    Hi Corina,
    Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
    Best wishes,
    Kimberly Snow


The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number. Analysis is pending, but this Malwr report* indicates attempted communications to:
malwinstall .wang
sopranolady7 .wang
..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
UPDATE 1: According to this Malwr report** it drops a DLL with a detection rate of 10/58***. Also those mysterious .wang domains appear to be multihomed on the following IPs:
23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)
Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28
"
* https://malwr.com/an...zA3YWRkMzZmNGE/
Hosts
66.85.27.250
23.95.106.195


** https://malwr.com/an...jBhM2I4MTE0OTE/
Hosts
66.85.27.250
23.95.106.195


*** https://virustotal.c...0c5c7/analysis/
VQpnPCqe.dll

- https://myonlinesecu...delivers-locky/
2 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'old office facilities' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Angelina Nielsen <Nielsen.83382@ parklawnsprinklers .com>
Date: Fri 02/09/2016 08:27
Subject: old office facilities
Attachment: 1fade4423b3a.zip
    Hi Chasity,
    Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
    Best wishes,
    Angelina Nielsen


2 September 2016: 1fade4423b3a.zip: Extracts to: office_facilities_059AB2E9.js - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from http ://malwinstall .wang/ezr08tjd which is transformed by the script to VQpnPCqe.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472801143/

** https://malwr.com/an...jg4OGVhMzAyMDQ/
Hosts
23.95.106.195
66.85.27.250


*** https://www.virustot...sis/1472801991/
___

Fake 'Scanned image' SPAM - leads to Locky
- http://blog.dynamoo....image-from.html
2 Sep 2016 - "This -fake- document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.
    Subject:     Scanned image from MX2310U@ victimdomain .tld
    From:     office@victimdomain.tld (office@ victimdomain .tld)
    To:     webmaster@victimdomain.tld;
    Date:     Friday, 2 September 2016, 2:29
    Reply to: office@ victimdomain .tld [office@ victimdomain .tld]
    Device Name: MX2310U@victimdomain.tld
    Device Model: MX-2310U
    Location: Reception
    File Format: PDF MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in PDF format.
    Use Acrobat®Reader® ...


Attached is a .DOCM file with a filename consisting of the recipient's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component... The payload is Locky ransomware, phoning home to:
212.109.192.235/data/info.php [hostname: take. ru .com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers .xyz] (EDIS, Austria)
Recommended blocklist:
212.109.192.235
149.154.152.108
"
___

Fake 'Body content empty/blank' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-zepto/
2 Sep 2016 - "... Locky/Zepto downloaders... empty/blank email with the subject random numbers and either .jpg, gif, pdf, img, docx, tif, png etc. coming as usual from random names @ icloud .com with a random named zip attachment that is named the -same- as the numbers in the subject line containing a wsf file... One of the emails looks like:
From: Alejandra_6526@ icloud .com
Date: Fri 02/09/2016 12:27
Subject: 26889jpg
Attachment: 26889.zip


Body content: Empty/blank

2 September 2016: 26889.zip: Extracts to: W64pP.wsf - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://maxshoppppsr .biz/js/y54g3tr?NxMSERb=asaGYkQ | http ://illaghettodelcircoletto .it/flkekqs?NxMSERb=asaGYkQ
 http ://vimp.hi2 .ro/xqbqjyn?NxMSERb=asaGYkQ which is transformed by the script to vTFEncqFbOk1.dll (VirusTotal 5/58***)
All of them contact the C2 centre http ://149.154.152.108 /data/info.php to get & store the encryption key that is used to encrypt your files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472815578/

** https://malwr.com/an...TljNjI1ODBjNTY/
Hosts
89.42.39.81
195.110.124.188
66.85.27.252
149.154.152.108


*** https://www.virustot...sis/1472817060/
___

Bogus Windows error site - for iPad
- https://blog.malware...indows-fakeout/
2 Sep 2016 - "... The bogus error site is located at:
ipad-error-9023(dot)com
Given the URL, you’d expect to see some sort of iPad related shenanigans taking place – an interesting twist on the well worn theme of tech-support-scams. Who needs Windows desktops when you can go after the tablet market, right? Unfortunately for our scammers, it all goes a bit wrong in terms of being convincing with that whole iPad URL thing. Let me count the ways... text reads as follows:
    Windows Security Error !
    Your Hard drive will be DELETED if you close this page
    You have a ZEUS virus! Please call Support Now!
    Call Now to Report This Threat.
    Do not Click ‘OK’ button below, doing so will start the hacking process.

... 'didn’t put much thought into this whole iPad thing, did they?...
> https://blog.malware...nal-dialogs.jpg
... a “prevent additional dialog” message from the browser? I’m guessing my PC hasn’t exploded yet. Maybe if I close the box and then hit the OK button:
> https://blog.malware...page-locked.jpg
... While the attempted fakeout up above isn’t one of the best ones we’ve seen, there are plenty out there which succeed in their attempts at convincing device owners that they have a problem. From there, phone calls to “tech support” and payments to have the non-existent virus cleaned up are only a hop, step and jump away. If you think you may have been targeted by such scams – or just want to avoid such antics in the future – feel free to give our guide to Tech Support Scams* a read. It could well save you time and money – and a lot of increasingly infuriating phone calls..."
* https://blog.malware...-support-scams/

ipad-error-9023(dot)com: 107.180.21.58: https://www.virustot...58/information/
>> https://www.virustot...55616/analysis/
 



Edited by AplusWebMaster, 02 September 2016 - 12:54 PM.

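As an added example (my own code, not from the original post or the quoted blogs), here is a Python check for the two attachment patterns these reports keep describing: a ZIP whose member is a script or macro file (.js, .wsf, .hta, .docm) that borrows a document word in its name so it is mistaken for a PDF or image when known extensions are hidden, as in paycheck_pdf_de64ad80.js from the 'paycheck' run, and the blank-body run above whose subject is digits plus an extension word and whose ZIP carries the same digits. The sample messages are constructed in memory from the details quoted in these posts; only the member names inside the ZIP are inspected, nothing is extracted or run. Function names and the extension sets are my own choices.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Script and macro file types seen inside the ZIP attachments in these reports
# (my own selection, based on the extensions named in the posts).
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "hta", "vbs", "docm", "exe", "scr"}
# Document/image words the double-extension trick borrows so the name looks harmless.
DECOY_WORDS = {"pdf", "doc", "docx", "jpg", "jpeg", "gif", "png", "tif", "img", "xls"}
# Subject form of the blank-body run: digits immediately followed by an extension word.
BLANK_BODY_SUBJECT = re.compile(r"(\d+)\s*(jpg|gif|pdf|img|docx|tif|png)$", re.IGNORECASE)


def build_sample_message(subject, sender, body, zip_name, members):
    """Construct an in-memory e-mail carrying a ZIP attachment (constructed test data).

    The ZIP members hold placeholder bytes: only their names are inspected.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg


def zip_member_names(data):
    """Member names of a ZIP, read from its directory without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def check_member_name(name):
    """Reasons a single ZIP member name matches the patterns above; [] if none."""
    reasons = []
    stem, dot, ext = name.lower().rpartition(".")
    if not dot:
        return reasons
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"zip member {name} is a script/macro file (.{ext})")
        # paycheck_pdf_de64ad80.js: a document word inside the stem of a script file
        words = set(re.split(r"[._\-\s]+", stem))
        if words & DECOY_WORDS:
            reasons.append(f"zip member {name} uses a document-like name to hide .{ext}")
    return reasons


def score_message(msg):
    """Reasons the message matches the patterns these reports describe; [] if none."""
    reasons = []
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        for member in zip_member_names(part.get_payload(decode=True)):
            reasons.extend(check_member_name(member))
        # Empty body, subject '26889jpg', attachment '26889.zip': the icloud.com run above
        m = BLANK_BODY_SUBJECT.fullmatch(subject)
        if m and not body and fname.lower() == f"{m.group(1)}.zip":
            reasons.append("blank body and '<digits><ext>' subject matching the ZIP name")
    return reasons


if __name__ == "__main__":
    samples = [
        build_sample_message("26889jpg", "Alejandra_6526@icloud.com", "",
                             "26889.zip", ["W64pP.wsf"]),
        build_sample_message("paycheck", "Holman.114@profilerhs.com",
                             "Hey gold, attached is the paycheck.",
                             "e3fa12b0575f.zip", ["paycheck_pdf_de64ad80.js"]),
        build_sample_message("Q3 report", "alice@example.com",
                             "Attached as discussed.", "report.zip", ["report.pdf"]),
    ]
    for s in samples:
        print(s["Subject"], "->", score_message(s) or "no findings")
```

A mail gateway rule built on this would quarantine on any script-member finding and log the blank-body pattern separately, since a ZIP of real scans can share the numeric-subject shape without carrying a .wsf file.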


#1783 AplusWebMaster


Posted 05 September 2016 - 06:17 AM

FYI...

Fake 'Credit card receipt' SPAM - leads to Locky
- https://myonlinesecu...oft-netmsg-dll/
5 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'Credit card receipt' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: Wilda Hayden <Hayden.80411@ monicamatthews .com>
Date: Mon 05/09/2016 08:29
Subject: Credit card receipt
Attachment: 6aec8732b803.zip
    Dear mrilw,
    We are sending you the credit card receipt from yesterday. Please match the card number and amount.
    Sincerely yours,
    Wilda Hayden
    Account manager


5 September 2016: 6aec8732b803.zip: Extracts to: credit_card_receipt_9F44E80E.js - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://darkestzone2 .wang/1i0i75gq | http ://canonsupervideo4k .ws/1bcpr7xx
.. which is transformed by the script to aXZnmnI3ES.dll (VirusTotal 9/57***). This is also downloading the genuine Microsoft netmsg.dll in an attempt to confuse antiviruses and researchers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473060526/

** https://malwr.com/an...WZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250


*** https://www.virustot...sis/1473062169/

- http://blog.dynamoo....you-credit.html
5 Sep 2016 - "This -fake- financial spam has a malicious attachment:
    From:    Tamika Good
    Date:    5 September 2016 at 08:43
    Subject:    Credit card receipt
    Dear [redacted],
    We are sending you the credit card receipt from yesterday. Please match the card number and amount.
    Sincerely yours,
    Tamika Good
    Account manager


The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_
A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
canonsupervideo4k .ws/1bcpr7xx
This appears to be multihomed on the following IP addresses:
23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary) ...
Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57*. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt .pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
The payload is probably Locky ransomware.
Recommended blocklist:
"
1] https://malwr.com/an...TlhYzZlNGExZjg/
Hosts
107.173.176.4

2] https://malwr.com/an...GIyOTk2MDcyNTk/
Hosts
23.95.106.206
107.173.176.4


3] https://malwr.com/an...GM1NjY0MGNlYWE/
Hosts
107.173.176.4

* https://virustotal.c...7c2f6/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts


5] https://www.hybrid-a...vironmentId=100
Contacted Hosts


6] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Malware in '.pub files' SPAM
- https://isc.sans.edu...l?storyid=21443
2016-09-05 - "While searching for new scenarios to deliver their malware[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The tool Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0) but it is still alive and included in the newest Office suite. It is not surprising that it also supports macros. By using .pub files, attackers make one step forward because potential victims don't know the extension ".pub" (which can be interpreted as "public" or "publicity" and make the document less suspicious), and spam filters do -not- block this type of file extension. Finally, researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze! A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55). Stay safe!"
[1] https://isc.sans.edu...nsomware/21397/
[2] https://isc.sans.edu...ipt File/21423/
[3] https://products.off...om/en/publisher
[4] https://www.virustot...f37fd/analysis/
 



Edited by AplusWebMaster, 05 September 2016 - 11:00 AM.



#1784 AplusWebMaster


Posted 06 September 2016 - 06:46 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
6 Sep 2016 - "... series of Locky downloaders... an email with the subject of 'Invoice INV0000385774' (random numbers) coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
From: Earlene conyers <Earlene859@ pickledlizards .com>
Date: Tue 06/09/2016 10:27
Subject: INV0000385774
Attachment: ea00ba32a5.zip
    Please find our invoice attached.


6 September 2016: Invoice_INV0000385774.zip: Extracts to: 14Tf5zYWx67.wsf - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://around4percent.web .fc2 .com/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
 http ://zse2 .pl/j8fn3rg3?jXRJazVGV=TBojQIxnjJC | http ://marcotormento .de/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
which is transformed by the script to pfRMaJgsGEL1.exe (VirusTotal 4/58***) which according to MALWR[4] creates/downloads/drops another encrypted file... Payload Security reports [5] [6]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472753839/

** https://malwr.com/an...TBkNzFhOTgyNWM/
14Tf5zYWx67.wsf
Hosts


*** https://www.virustot...sis/1473154258/

4] https://malwr.com/an...TBiZDk3MWJlMmI/
pfRMaJgsGEL1.exe
Hosts
66.85.27.108
13.107.4.50
216.126.225.149


5] https://www.reverse....vironmentId=100
14Tf5zYWx67.wsf
Contacted Hosts
216.239.120.224
208.71.106.48
66.85.27.108
216.126.225.149


6] https://www.reverse....vironmentId=100
pfRMaJgsGEL1.exe
Contacted Hosts
66.85.27.108
___

Fake 'August invoice' SPAM - Locky
- https://myonlinesecu...ppears-to-fail/
6 Sep 2016 - "... next in the never ending series of Locky downloaders is an email with the subject of 'August invoice' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Douglas Holmes <Holmes.850@ redbridgeconcern .org>
Date: Tue 06/09/2016 09:50
Subject: August invoice
Attachment: fe1afed4aa6f.zip
    Hello montag, Brigitte asked me to send you invoice for August. Please look over the attachment and make a payment ASAP.
     Best Regards,
     Douglas Holmes


6 September 2016: fe1afed4aa6f.zip: Extracts to: August_invoice 2AAB15F0. pdf~.js - Current Virus total detections 4/56*
..Update: it looks like Payload security** have tweaked their system and managed to bypass the protection elements in today’s Locky and are now finding & getting the payloads... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473151857/

** https://www.reverse....vironmentId=100
Contacted Hosts

___

Fake 'Message.. scanner' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
6 Sep 2016 - "... Locky downloaders.. email with the subject of 'Message from “CUKPR0959703”' pretending to come from scanner @ your own email domain with a random named zip attachment based on today's date containing a WSF file... One of the emails looks like:
From: scanner@ ...
Date: Tue 06/09/2016 16:11
Subject: Message from “CUKPR0959703”
Attachment: 20160906221127.zip
    This E-mail was sent from “CUKPR0959703” (Aficio MP C305).
    Scan Date: Tue, 06 Sep 2016 22:11:27 +0700
    Queries to: <scanner@ ...


6 September 2016: 20160906221127.zip: Extracts to: 18YrNk1xk28.wsf - Current Virus total detections 16/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://www.alpstaxi .co .jp/j8fn3rg3?IxurVQb=sHiOGcukdY
 http ://zui9reica.web .fc2 .com/j8fn3rg3?IxurVQb=sHiOGcukdY
which is transformed by the script to mUExMjQPwmL1.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473175613/

** https://malwr.com/an...WIzYjFkNGJiOTI/
Hosts
208.71.106.45
216.126.225.149
8.254.207.14
211.134.181.38

___

Fake 'Suspected Purchases' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
6 Sep 2016 - "... Locky downloaders... email with the subject of 'Suspected Purchases' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files starting with random characters and then Suspected_Purchases_PDF.js ... One of the emails looks like:
From: Alyssa English <English.55@ heritagehomebuyers .net>
Date: Thu 01/09/2016 19:22
Subject: Suspected Purchases
Attachment: 3adec1d16a7e.zip
    Dear enrico,
    We have suspected irregular purchases from the company’s account.
    Please take a look at the attached account balance to see the purchase history.
    Best Regards,
    Alyssa English
    Support Manager


6 September 2016: 3adec1d16a7e.zip: Extracts to: FAAD4310 Suspected_Purchases_PDF.js
Current Virus total detections 3/55*. MALWR** shows a download of an encrypted file from one of these locations:
  http ://canonsupervideo4k .ws/2sye3alf
  http ://virmalw .name/uw2vyhpd
  http ://tradesmartcoin .xyz/rwevvv3a
which is transformed by the script to 4fWrgKKcG.dll (VirusTotal 9/58***). This also downloads the genuine Microsoft netmsg.dll... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473179859/

** https://malwr.com/an...TYzMTFiMWFiNjU/
Hosts
51.255.227.230
185.101.218.49
107.173.176.24


*** https://www.virustot...sis/1473180787/
___

Paypal - PHISH
- https://myonlinesecu...oqued-phishing/
6 Sep 2016 - "... daily -phishing- emails trying to steal your PayPal account. This one is worth mentioning because of the bad spelling and grammar that proves this does not come from an English speaking criminal. The original email looks like this:

Screenshot: https://myonlinesecu...ed-1024x563.png

From: no-reply@ paypal .com
Date: Tue 06/09/2016 14:59
Subject: Your PayPal access bloqued
    
    Dear Customer,
    Your account is temporarily suspended.
    We are working to protect our users against fraud!
    Your account has been selected for verification, we need to confirm that you are the real owner of this account
    To conclude the recovery of his account and service interruption card with number 4*** **** **** ****..
    Please consider that if you do not confirm your data now, we are forced to lock this account for your protection
    Must follow two steps, in case you have any questions during the execution of this process can be supported support team .
    Confirm account NAW
Regards,
Eduard Swards...


The link behind 'confirm account NAW' goes to a well known-phishing-site, which has been reported so many times..
  http ://paypal-securidad .com/informations/l/l/Index/
This one wants your personal details, your Paypal account log in details and your credit card and bank details..."

paypal-securidad .com: 192.185.128.24: https://www.virustot...24/information/
>> https://www.virustot...a59e6/analysis/
 



Edited by AplusWebMaster, 06 September 2016 - 01:05 PM.



#1785 AplusWebMaster


Posted 07 September 2016 - 05:50 AM

FYI...

Fake 'Agreement form' SPAM - leads to Locky
- https://myonlinesecu...leads-to-locky/
7 Sep 2016 - "... series of Locky downloaders... email with the subject of 'Agreement form' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Staci Cruz <Cruz.5000@ stluc-esa-bxl .org>
Date: Wed 07/09/2016 09:06
Subject: Agreement form
Attachment: 23ad34e21057.zip
    Hi there,
    [ random name] assigned you to make the payment agreement for the new coming employees.
    Here is the agreement form. Please finish it urgently.
    Best Regards,
    Staci Cruz
    Support Manager


7 September 2016: 23ad34e21057.zip: Extracts to: C3AB68A4 agreement_form_doc.js - Current Virus total detections 3/56*
.. MALWR** was unable to get any downloads but shows connections to
  tradesmartcoin .xyz  216.244.68.195
  virmalw .name  51.255.227.230
  listofbuyersus .co .in
  brothermalw .ws

Payload Security analysis*** which took an extremely long time (unusually) also doesn’t show any direct downloads or files. This is likely to mean that the Locky gang are using an ever more restrictive anti-analysis protection. Payload did detect some more unusually Apt named domains. Contacted Domains: tradesmartcoin .xyz, listofbuyersus .co.in, malwinstall .wang, brothermalw .ws, virmalw .name . Contacted Hosts: 216.244.68.195, 51.255.227.230 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473235341/

** https://malwr.com/an...TY0ZDQ5MWUzZjk/
Hosts
51.255.227.230
216.244.68.195


*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.244.68.195
51.255.227.230


- http://blog.dynamoo....m-probably.html
7 Sep 2016 - "This -fake- financial spam leads to malware:
    Subject:     Agreement form
    From:     Marlin Gibson
    Date:     Wednesday, 7 September 2016, 9:35
    Hi there,
    Roberta assigned you to make the payment agreement for the new coming employees.
    Here is the agreement form. Please finish it urgently.
    Best Regards,
    Marlin Gibson
    Support Manager


The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..
308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js
Automated analysis [1] [2] shows that the scripts... attempt to download a binary from one of the following locations:
donttouchmybaseline .ws/ecf2k1o
canonsupervideo4k .ws/afeb6
malwinstall .wang/fsdglygf
listofbuyersus .co .in/epzugs
Of those locations, only the first three resolve, as follows:
donttouchmybaseline .ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k .ws   51.255.227.230 (OVH, France / Kitdos)
malwinstall .wang       51.255.227.230 (OVH, France / Kitdos) ...
The following also presumably evil sites are also hosted on those IPs:

Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:
"
1] https://malwr.com/an...GZlMTc5Yzk0NTE/
Hosts
216.244.68.195
51.255.227.230


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
51.255.227.230
216.244.68.195


'UPDATE: My trusted source (thank you) says that it phones home to the following IPs and URLs:
In -addition- to the IPs listed above, I also recommend blocking:
'
___

Fake 'Invoice' SPAM - JS malware attachment
- https://myonlinesecu...signed-malware/
7 Sep 2016 - "An email with the subject of 'Invoice 00014904; From CHALICE GOLD MINES LIMITED' [random numbered] pretending to come from CHALICE GOLD MINES LIMITED <AccountRight@ appsmyob .com> with a link in the email body to download a zip file containing a .JS file. The .js file downloads a digitally signed .exe file...

Screenshot: https://myonlinesecu...ED-1024x647.png

7 September 2016: 00014904.zip: Extracts to: 00014904.js - Current Virus total detections 2/55*
.. Payload Security**  shows a download from
 littlelionstudio .com/images/LLS-Landing-Image2.jpg which is actually a -renamed- .exe file which gets copied to 2 other file names and locations on the victim computer (VirusTotal 6/57***) |  Payload Security[4]
This file is digitally signed with a valid signature so Windows will allow it to run without alerts from smart screen or other security software:
> https://myonlinesecu...-1-1024x713.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473221665/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...sis/1473215063/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.75.195.103
178.255.83.2
91.213.126.113
62.75.195.118
91.213.126.113

___

Fake 'Free sports player' SPAM - delivers malware via hta files
- https://myonlinesecu...-via-hta-files/
7 Sep 2016 - "... I have seen 3 distinct subject lines:
    ****Dont’t miss this fantastic free sport media player****
    **** You wished you had this sport media player sooner****
    Amazing**** Free “Sport media Player”**

All the emails come from Splayer XXXXX where XXXX can be team, company, player, command, online or any other similar word. The rest of the email address is -spoofed- and random...

Screenshot: https://myonlinesecu...r.-1024x556.png

... I have only found 3 base domains that contain the downloads, with hundreds of different random named folders and player versions. Each version appears to have a slightly different .hta file inside the zip and a strong warning should be given that they are using an unusual method of zipping the hta file so it extracts to computer-root and possibly/probably -autoruns- when you double click the zip:
    http ://splayering .pw/download/ziefmz8dgi7/splayer-rc10.zip
    http ://softship .online/download/6243onsblfasbatsr/splayer-rc21.zip
    http ://itgnome .online/download/bm437mgs37khxmfzdivv/splayer-rc1.zip
> https://myonlinesecu...zip_warning.png

... analysed 1 version of the .hta file so far but I am sure all the others will give similar results.
7 September 2016: splayer-rc10.zip: Extracts to: splayer.hta - Current Virus total detections 2/56*
.. Payload Security** shows a download from splayeracy .online/50d5fdc6-7ed5-4272-b148-fcade183219e/splayer.bin
(VirusTotal 16/58***). Payload Security[4] which shows this is using the same file, file names & behaviour that was described in THIS post[5] which look like some sort of password stealer and backdoor trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473198884/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.3.150.197

*** https://www.virustot...sis/1473199782/

4] https://www.hybrid-a...vironmentId=100

5] https://myonlinesecu...signed-malware/

splayering .pw: 192.3.150.197: https://www.virustot...97/information/
>> https://www.virustot...6761e/analysis/

softship .online: 192.3.150.197: https://www.virustot...97/information/
>> https://www.virustot...e44b3/analysis/

itgnome .online: 192.3.150.197: https://www.virustot...97/information/
>> https://www.virustot...e44b3/analysis/

// … as of 9/8/2016.
 



Edited by AplusWebMaster, 08 September 2016 - 07:28 AM.

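An attachment triage check for the traits the posts above keep describing (two identical .JS files in one ZIP, a decoy double extension such as "August_invoice 2AAB15F0. pdf~.js", and the splayer ZIP whose member name makes it extract to the drive root), as an added example written for this page and not code from the quoted blogs. The archive it inspects is constructed in memory with harmless stub content; the extension lists are assumptions to extend from your own mail flow.

```python
"""Triage an e-mail ZIP attachment for the traits seen in the Locky and
splayer malspam above: script payloads (.js/.wsf/.jse/.hta), decoy double
extensions, duplicated member content, and member names that are absolute
or contain '..' so they land outside the extraction folder.
The sample archive is constructed here; it is not real malware."""
import hashlib
import io
import posixpath
import re
import zipfile

# assumed lists; extend from what your own gateway sees
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".vbe"}
DECOY_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "wav"}


def name_findings(name):
    """Findings derived from one archive member's stored name."""
    findings = []
    norm = name.replace("\\", "/")
    parts = [p for p in norm.split("/") if p]
    base = parts[-1] if parts else ""
    stem, ext = posixpath.splitext(base.lower())
    if ext in SCRIPT_EXTS:
        findings.append("script payload (%s)" % ext)
        # decoy extension hidden in the stem, e.g. 'invoice 2AAB15F0. pdf~.js'
        tokens = re.findall(r"\.\s*([a-z0-9]{2,5})", stem)
        if any(t in DECOY_TOKENS for t in tokens):
            findings.append("decoy double extension")
    if norm.startswith("/") or re.match(r"^[a-zA-Z]:", norm):
        findings.append("absolute path (extracts outside target folder)")
    if ".." in parts:
        findings.append("path traversal")
    return findings


def triage_zip(zip_bytes):
    """Inspect every member of an in-memory ZIP. Returns ({name: [findings]},
    [groups of member names with byte-identical content])."""
    report = {}
    by_digest = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report[info.filename] = name_findings(info.filename)
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            by_digest.setdefault(digest, []).append(info.filename)
    dups = [sorted(names) for names in by_digest.values() if len(names) > 1]
    for group in dups:
        for n in group:
            report[n].append("duplicate content")
    return report, dups


def verdict(report):
    """'block' if any member carries a finding, else 'allow'."""
    return "block" if any(report.values()) else "allow"


def build_sample_zip():
    """Constructed sample mimicking the attachments above (harmless stubs)."""
    script = b"var x = 'constructed harmless stub';\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("August_invoice 2AAB15F0. pdf~.js", script)
        zf.writestr("August_invoice 2AAB15F0. pdf~ - 1.js", script)
        zf.writestr("/splayer.hta", b"<html>constructed stub</html>")
        zf.writestr("notes.txt", b"plain text member")
    return buf.getvalue()


if __name__ == "__main__":
    rep, dups = triage_zip(build_sample_zip())
    for name, f in rep.items():
        print(name, "->", f or "clean")
    print("duplicates:", dups, "verdict:", verdict(rep))
```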


#1786 AplusWebMaster


Posted 08 September 2016 - 08:40 AM

FYI...

Fake 'voice mail' SPAM - Locky
- http://blog.dynamoo....-new-voice.html
8 Sep 2016 - "This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.
    Subject: [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
    From: voicemail@ victimdomain .tld (voicemail@ victimdomain .tld)
    To: webmaster@ victimdomain .tld
    Date: Thursday, 8 September 2016, 13:15
    Dear webmaster :
        There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
    You might want to check it when you get a chance.Thanks!


Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:
Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu). Unusually, this version of -Locky- does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above -or- you could monitor for the string g76gyui in your logs.

UPDATE: the Hybrid Analysis of the script can be found here[1]."
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
211.134.181.38
81.24.34.9
62.24.202.31
93.184.220.29
54.192.203.242

___

Fake 'Lloyds Banking' SPAM - .doc malware
- https://myonlinesecu...livers-malware/
8 Sep 2016 - "An email with the subject of 'Lloyds Banking Group encrypted email' pretending to come from GRP Lloydsbank Tech <info@ lloydsbanking52 .us> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... A little bit of digging around tells us that lloydsbanking52 .us was registered about 2 weeks ago...

Screenshot: https://myonlinesecu...il-1024x775.png

8 September 2016: PGPMessage04834838.doc - Current Virus total detections 4/56*
.. Payload Security didn’t find any sites to download the malware.. a manual analysis & de-obfuscation of the macro you can see here original on Pastebin** shows a download from http ://aclawgroup .com .au/2.zip which gives 2.exe (VirusTotal 1/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it...

Update: I am being told it is a smoke loader AKA Dofoil[1] which will eventually download another banking Trojan."
1] https://blog.malware...en-still-alive/

* https://www.virustot...sis/1473344346/

** http://pastebin.com/ZuRM9iaN

*** https://www.virustot...sis/1473344266/

aclawgroup .com .au: 50.87.145.150: https://www.virustot...50/information/
>> https://www.virustot...c5872/analysis/
___

Quick look at recent malvertising exploit chains
- https://www.zscaler....-exploit-chains
Sep 7, 2016 - "... during our daily exploit kit (EK) tracking, have been seeing some changes in both RIG and Sundown EKs. We recently encountered a malvertising chain serving both EKs on subsequent visits, and decided to compile a quick look at the these cases:
Graph showing the malvertising chains
> https://cdn-3.zscale...ising-graph.PNG
...  they quickly integrated the exploit into the more typical Sundown landing page format. In a more recent episode, Trustwave's Spiderlabs spotted the addition of a fingerprinting code*, however we have not seen this feature in our captured cycles, so the operators may have opted for the simpler, non-fingerprinted landing page since then...
* https://www.trustwav...Way-to-the-Top/
... In the wake of both Angler and Nuclear disappearing, RIG has taken a dominant position in the EK landscape. The RIG operators appear content, however, to iterate more slowly, with changes to the EK itself happening less frequently. That said, RIG EK authors have now made noticeable changes to the landing page structure... At this point, it's clear that the exploit kit landscape has been thoroughly shaken up since the disappearance of Angler and Nuclear (as we have covered in our round-ups and other EK-related blogs). This small update is meant to give a quick look at the latest techniques and trends used by RIG and Sundown. We will continue to monitor the situation, and provide updates to the community as usual."
(More detail at the zscaler blog URL at the top.)
 



Edited by AplusWebMaster, 08 September 2016 - 01:17 PM.



#1787 AplusWebMaster


Posted 09 September 2016 - 05:37 AM

FYI...

Fake 'Order Confirmation' SPAM - leads to Locky
- https://myonlinesecu...delivers-locky/
9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order Confirmation 9226435' [random number] coming as usual from random companies, names and email addresses with a random named zip attachment containing an HTA file... One of the emails looks like:
From: Meagan carnochan <Meagan4@ insightsundertwo .com>
Date: Fri 09/09/2016 09:01
Subject: Order Confirmation 9226435
Attachment: Ord9226435.dzip  extracts to 2015jozE.hta
    This message is intended only for the individual or entity to which it is
    addressed and may contain information that is private and confidential. If
    you are not the intended recipient, you are hereby notified that any
    dissemination, distribution or copying of this communication and its
    attachments is strictly prohibited.


9 September 2016: Ord9226435.dzip: Extracts to: 2015jozE.hta - Current Virus total detections 5/55*
.. Payload Security** shows a download of an encrypted file from walkerandhall .co .uk/7832ghd?TtrISozIzi=CemUQBnTyeQ
which is transformed by the script to a working locky version. Unfortunately Payload security isn’t showing the converted /decrypted file amongst the downloads although the screenshots definitely show locky... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473408597/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.10.105.44
52.32.150.180
93.184.220.29
54.192.203.56


- http://blog.dynamoo....tion-xxxxx.html
9 Sep 2016 - "This -fake- financial spam leads to malware:
    From:    Ignacio le neve
    Date:    9 September 2016 at 10:31
    Subject:    Order Confirmation 355050211
     --
    This message is intended only for the individual or entity to which it is
    addressed and may contain information that is private and confidential. If
    you are not the intended recipient, you are hereby notified that any
    dissemination, distribution or copying of this communication and its
    attachments is strictly prohibited.


The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip. Contained within the ZIP file is a malicious .HTA script with a random name... This simply appears to be an encapsulated Javascript... my trusted source (thank you) says that the various scripts download from...
(many random URLs listed at the dynamoo URL above)...
The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a ...
This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above -or- monitoring/blocking access attempts with 7832ghd in the string.
UPDATE: The Hybrid Analysis* of one of the scripts does not add much except to confirm that this is ransomware."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.196.41
93.114.64.41
50.112.202.19
72.21.91.29
54.192.203.144

___

Fake 'MS account - Unusual sign-in activity' malspam using JSE - delivers Locky
- https://myonlinesecu...delivers-locky/
9 Sep 2016 - "... this being used to spread Locky ransomware is a step in the wrong direction. This sort of email ALWAYS catches out the unwary. To make it even worse a JSE file is an encoded/encrypted jscript file that runs in the computer properly but is unreadable to humans (looks like garbled text) and because of the garbled txt the majority of antiviruses do -not- see it as a threat. Jscript is a Microsoft specific interpretation of JavaScript. They use email addresses and subjects that will entice a user to read the email and open the attachment. Locky tries new techniques on a small scale to “test the waters” - we have seen several similar small scale attacks this week. They will use the results & returns from them to tweak and refine the techniques before mass malspamming them...

Screenshot: https://myonlinesecu...ty-1024x414.png

9 September 2016: 24549.zip: Extracts to: 24549.jse - Current Virus total detections 3/56*
.. Payload Security** shows a download from sonysoftn .top/log.php?f=3.bin which gave me log.exe (VirusTotal 20/57***).
Payload Security[4]. Many antiviruses are only detecting this malware heuristically (generic detections based on the NSIS packer used to create it). All indications suggest that it is a new variant of Locky ransomware. The IP numbers and sites it contacts have been used this week in other Locky ransomware versions. The problems are coming in the anti-analysis protections that Locky appear to have built-in to the new version of their horrifically proliferate ransomware. Although Payload security does show screenshots of a Locky ransomware file. NOTE: For some weird reason screenshots and images on payload security are -not- showing up in Internet explorer, although they do in Chrome and Firefox... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473349038/

** https://www.reverse....vironmentId=100
Contacted Hosts


*** https://www.virustot...sis/1473398861/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Documents Requested' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Documents Requested' or 'FW: Documents Requested' pretending to come from a random name at your own email domain or company with a zip file named either Untitled(6).zip or newdoc(1).zip containing an HTA file (random numbers)... One of the emails looks like:
From: random name at your own email domain or company
Date: Fri 09/09/2016 14:03
Subject: FW:Documents Requested
Attachment: Untitled(6).zip
    Dear addy,
    Please find attached documents as requested.
    Best Regards,
    Gilbert


9 September 2016: Untitled(6).zip: Extracts to: 2809tib.hta - Current Virus total detections 6/58*
.. Payload Security** shows a download of an encrypted file from stylecode .co .in/7832ghd?KQWbOiH=QuwOGqnGpyL
 which is transformed by the script to UcyxmkpQ1.dll (VirusTotal 21/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473420208/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
43.242.215.197
50.112.202.19
93.184.220.29
54.192.13.29


*** https://www.virustot...sis/1472755942/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 09 September 2016 - 09:13 AM.



#1788 AplusWebMaster


Posted 12 September 2016 - 11:09 AM

FYI...

Fake 'Budget report' SPAM - leads to Locky
- http://blog.dynamoo....t-leads-to.html
12 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    Lauri Gibbs
    Date:    12 September 2016 at 15:11
    Subject:    Budget report
    Hi [redacted],
    I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.
    With many thanks,
    Lauri Gibbs


Attached is a randomly-named ZIP file which in the sample I saw contained two identical malicious scripts:
921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js
The scripts are highly obfuscated; however, the Hybrid Analysis* and Malwr report** show that they download a component from:
lookbookinghotels .ws/a9sgrrak
trybttr .ws/h71qizc
These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked. A DLL is dropped with a detection rate of about 8/57*** [3] [4] which appears to phone home to:
51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte .ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy .ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia) ...
Recommended minimum blocklist:
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts


** https://malwr.com/an...TYzZTFkODlmODM/
Hosts
23.95.106.223

1] http://blog.dynamoo....you-credit.html

2] http://blog.dynamoo....facilities.html

*** https://virustotal.c...sis/1473694538/

3] https://virustotal.c...sis/1473694538/

4] https://virustotal.c...sis/1473694540/
___

Avoid: BofA, Wells Fargo - SMS Phishing
- https://blog.malware...o-sms-phishing/
Sep 12, 2016 - "It always pays to be cautious where -unsolicited- text messages are concerned, as conniving phishers don’t always stick to the tried and tested route of email scams. For example, here are two random texts sent out to one of our burner phones:
> https://blog.malware.../bofa-phish.jpg
...
> https://blog.malware...wells-phish.jpg
The targets here are customers of Bank of America and Wells Fargo. The messages read as follows:
    BofA customer your account has been disabled!!!
    Please read this readmybank0famerica.cipmsg-importantnewalertt(dot)com


I think I’d probably be faintly worried if my otherwise sober and business-like bank started sending out messages with more than two exclamation marks in a sentence, but even without that, observant recipients would notice they also added an extra “t” onto the end of “alert”. The other message reads as follows:
    (wells fargo) important message from security department! Login
    vigourinfo(dot)com/secure.well5farg0card(dot)html

The above URL -redirects- clickers to the below website:
denibrancheau(dot)com/drt/w311sfg0/
> https://blog.malware...lls-phish-2.jpg
The phishers want a big slice of personal information, including name, DOB, driving license, social security number, mother’s maiden name, address, city, zipcode, card information, ATM PIN number, and even an email address.
All this, from a simple text... SMS phishing is not new, but it does snag a lot of victims. Random messages from your “bank” asking you to visit a link should be treated with suspicion, especially if those links ask you to log in. Banks are certainly not the only target of SMS phishers, but they’re one of the more valuable bullseyes for scammers to sink their teeth into. Whether receiving messages by email, text, or phone, your logins are only as safe as you make them – don’t make it easy for bank phishers and delete that spam."

readmybank0famerica.cipmsg-importantnewalertt(dot)com: A temporary error occurred during the lookup...

vigourinfo(dot)com/secure.well5farg0card(dot)html: 166.62.26.11: https://www.virustot...11/information/

denibrancheau(dot)com/drt/w311sfg0/ : 173.236.178.135: https://www.virustot...35/information/

Edited by AplusWebMaster, 12 September 2016 - 02:00 PM.



#1789 AplusWebMaster


Posted 13 September 2016 - 05:07 AM

FYI...

Fake 'Tax invoice' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Tax invoice' coming as usual from random companies, names and email addresses with a random named/numbered zip attachment containing 2 identical .WSF files. Payload Security* shows an error in the downloaded file so it might not actually deliver the Locky ransomware, or it might be that it will not run on a sandbox or VM... One of the emails looks like:
From: Anne Fernandez <Fernandez.8581@ starfamilymedicine .com>
Date: Tue 13/09/2016 10:12
Subject: Tax invoice
Attachment: 1a45b45d76ed.zip
    Dear Client,
    Attached is the tax invoice of your company. Please do the payment in an urgent manner.
    Best regards,
    Anne Fernandez


13 September 2016: 1a45b45d76ed.zip: Extracts to: tax_invoice_scan PDF.316AA.wsf
Current Virus total detections 5/56**.. Payload Security shows a download of an encrypted file from smilehymy .com/f72gngb which is transformed by the script to c2BwHrtql2.dll (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts


** https://www.virustot...sis/1473758776/

*** https://www.virustot...sis/1473759502/

- http://blog.dynamoo....invoice-of.html
13 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject:     Tax invoice
    From:     Kris Allison (Allison.5326@ resorts .com.mx)
    Date:     Tuesday, 13 September 2016, 11:22
    Dear Client,
    Attached is the tax invoice of your company. Please do the payment in an urgent manner.
    Best regards,
    Kris Allison


The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:
adzebur .com/dsd7gk  [37.200.70.6] (Selectel Ltd, Russia)
duelrid .com/b9m1t [not resolving]
madaen .net/e3ib4f   [143.95.252.28] (Athenix Inc, US)
morningaamu .com/6wdivzv [not resolving]
smilehm .com/f72gngb [not resolving]
The payload then phones home... Recommended blocklist:
"
___

Fake 'Accounts Documentation' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Accounts Documentation – Invoices' pretending to come from CreditControl @ your own email domain with a random named zip attachment containing an .HTA file... One of the emails looks like:
From: CreditControl@...
Date: Tue 13/09/2016 10:22
Subject: Accounts Documentation – Invoices
Attachment: ~0166.zip
    Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
    If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
    Alternatively if you do not know the name of the Credit Controller you can contact us at:
    CreditControl@...
    Please do not reply to this E-mail as this is a forwarding address only.


13 September 2016: ~0166.zip: Extracts to: 22FrDra16.hta - Current Virus total detections 6/56*
.. Payload Security** shows a download of an encrypted file from goldenladywedding .com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS which is transformed by the script to a working Locky ransomware (unfortunately Payload Security does not show or allow us to download the actual file)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472753839/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.94.100
93.184.220.29
54.192.203.254

___

Fake 'Equipment receipts' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Equipment receipts' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
From: Stacey Aguirre <Aguirre.535@ coopenet .com.ar>
Date: Tue 13/09/2016 17:36
Subject: Equipment receipts
Attachment: 5926f98c2d8d.zip
    Good day hyperbolasmappera, Molly asked you to file the office equipment receipts.
    Here is the photocopying equipment receipts purchased last week.
    Please send him the complete file as soon as you finish.
     Best regards,
    Stacey Aguirre


13 September 2016: 5926f98c2d8d.zip: Extracts to: Equipment receipts 66BF9A.wsf - Current Virus total detections 5/55*
.. Payload Security** shows a download of an encrypted file from latexuchee .net/c4i03t which is transformed by the script to B6fKnUsSQfkrS.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473785537/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
31.210.120.153
51.255.105.2
95.85.29.208
217.187.13.71


*** https://www.virustot...sis/1473786095/

Edited by AplusWebMaster, 13 September 2016 - 01:38 PM.



#1790 AplusWebMaster


Posted 14 September 2016 - 04:42 AM

FYI...

Fake 'Account report' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Account report' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... Payload Security[1] shows an error in running the dll file... One of the emails looks like:
From: Kimberley Witt <Witt.0236@ shopscissors .com>
Date: Wed 14/09/2016 08:31
Subject: Travel expense sheet
Attachment: 667b8951c871.zip
    Dear nohdys, we have detected the cash over and short in your account.
    Please see the attached copy of the report.
    Best regards,
    Kimberley Witt
    e-Bank Manager


14 September 2016: 667b8951c871.zip: Extracts to: Account report 2311EEF4.wsf - Current Virus total detections 5/55**
.. MALWR*** unable to get any content. Payload Security[1] shows a download of an encrypted file from maydayen .net/l835ztl which is transformed by the script to RjN1UKDIQLzodBg.dll (VirusTotal 21/58[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.212.131.10

** https://www.virustot...sis/1473838191/

*** https://malwr.com/an...DJlYTkxNTFlYWI/

4] https://www.virustot...sis/1472755942/
___

Fake 'Delivery Confirmation' SPAM - delivers Locky/Zepto
- https://myonlinesecu...ers-lockyzepto/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Delivery Confirmation: 00336499' [random numbers] coming as usual from ship-confirm@ random companies, names and email addresses with a random named zip attachment containing a .JS file. These are slightly better done than some recent ones. The attachment number Shipping Notification matches the subject Delivery Confirmation number... One of the emails looks like:
From: ship-confirm@ laughlinandbowen .com
Date: Wed 14/09/2016 10:55
Subject: Delivery Confirmation: 00336499
Attachment: Shipping Notification 00336499.zip
    PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
    Attached is a pdf file containing items that have shipped
    Please contact us if there are any questions or further assistance we can provide


14 September 2016: Shipping Notification 00336499.zip: Extracts to: WOIMKE51915.js
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from one of these locations:
 http ://adventurevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU | http ://morerevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU
which is transformed by the script to TKuAgcqe3.dll (VirusTotal 6/57***)... There are frequently 5 or 6 and even up to 150 download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473847035/

** https://malwr.com/an...TljOTFmNjkxYTk/
Hosts
204.93.163.87
23.236.238.227


*** https://www.virustot...sis/1473848281/
___

Fake 'Renewed License' SPAM - more Locky
- https://myonlinesecu...delivers-locky/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Renewed License' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
From: Stella Henderson <Henderson.70579@ siamesegear .com>
Date: Wed 14/09/2016 17:58
Subject: Renewed License
Attachment: 4614d82776.zip
    Here is the company’s renewed business license.
    Please see the attached license and send it to the head office.
    Best regards,
    Stella Henderson
    License Manager


14 September 2016: 4614d82776.zip: Extracts to: renewed business license 3D956A.wsf
Current Virus total detections 2/55*. MALWR** seems unable to cope with WSF files like this. Payload Security*** shows a download of an encrypted file from moismdheri .net/jqpxub which is transformed by the script to a working Locky file, which unfortunately isn’t being shown or made available... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473872609/

** https://malwr.com/an...zM1MzE3ZjhlNzY/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
37.200.70.6
52.32.150.180
93.184.220.29
54.192.203.123

___

Fake 'payment copy' SPAM - delivers Locky/Zepto
- https://myonlinesecu...rs-locky-zepto/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'payment copy' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file. The email body has -no- content except 'Best Regards' and the alleged sender's name... One of the emails looks like:
From: Eddie screen <Eddie450@ hidrolats .lv>
Date: Tue 13/09/2016 22:02
Subject: payment copy
Attachment: PID6650.zip
     —
    Best Regards, _________
    Eddie screen


13 September 2016: PID6650.zip: Extracts to: OCRXIB2826.wsf - Current Virus total detections 7/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://allchannel .net/jpqhvig?eGkOBjIQFz=dEVDXjWYjjH | http ://feechka .ru/wdxwxoa?eGkOBjIQFz=dEVDXjWYjjH
 http ://jonathankimsey .com/rptyswr?eGkOBjIQFz=dEVDXjWYjjH
which is transformed by the script to yvXjbqxs1.dll (VirusTotal 7/58***). Payload security[4] is showing a different dll downloaded & converted... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473800782/

** https://malwr.com/an...jIzMjQyNDJmNjk/
Hosts
94.73.146.80
5.61.32.143
143.95.41.185


*** https://www.virustot...sis/1473801197/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

Edited by AplusWebMaster, 14 September 2016 - 02:49 PM.



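The posts above keep reporting the same attachment tells: a ZIP holding a .js/.wsf/.hta script or a .docm, two identically-bodied scripts under different names, script names dressed up as PDF scans or invoices, and a small padding file beside the script. What follows is an added example, not code from this thread or from the blogs it quotes, that checks a ZIP for those tells; the archives, the decoy-word list and the verdict rule are constructed for the demonstration.

```python
"""Triage ZIP attachments for the Locky delivery tells reported in the thread.

Added example, not code from the thread or the blogs it quotes. The ZIPs are
built in memory from attachment names the posts report; the script bodies are
inert placeholders, not the real downloaders.
"""
import hashlib
import io
import os
import re
import zipfile

# Script and macro-document types that carried the Locky downloader in the posts.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".docm"}

# Document-sounding words used to dress a script up as a scan or invoice,
# e.g. "tax_invoice_scan PDF.316AA.wsf" (word list assumed for this example).
DECOY_WORDS = re.compile(r"pdf|invoice|report|receipt|scan|confirmation|license", re.I)


def triage_zip(data: bytes) -> dict:
    """Inspect one ZIP payload and report the tells described in the thread.

    script_members    members with a script or macro-document extension
    decoy_names       script members whose name pretends to be a document
    duplicate_scripts two members with different names but identical bytes
                      ("2 identical .WSF files")
    padding_member    a single-character file made only of NUL bytes (the 4kb
                      file shipped beside the .js in the booking spam)
    """
    findings = {"script_members": [], "decoy_names": [], "duplicate_scripts": False,
                "padding_member": None, "verdict": "clean"}
    by_digest = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base, ext = os.path.splitext(name)
            body = zf.read(info)
            if ext.lower() in SCRIPT_EXTENSIONS:
                findings["script_members"].append(name)
                if DECOY_WORDS.search(base):
                    findings["decoy_names"].append(name)
                by_digest.setdefault(hashlib.sha256(body).hexdigest(), []).append(name)
            elif ext == "" and len(base) == 1 and body and body.count(b"\x00") == len(body):
                findings["padding_member"] = name
    findings["duplicate_scripts"] = any(len(names) > 1 for names in by_digest.values())
    if findings["script_members"]:
        findings["verdict"] = "block"   # a script inside a mailed ZIP is reason enough
    return findings


def build_zip(members: dict) -> bytes:
    """Construct a ZIP in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


FAKE_SCRIPT = b"// constructed, inert placeholder standing in for the downloader\n"

# Constructed samples using the member names the posts report.
SAMPLES = {
    # dynamoo's 'Budget report' ZIP: two identical .js under different names
    "Budget_report.zip": build_zip({
        "921FA0B8 Budget_report_xls - 1.js": FAKE_SCRIPT,
        "921FA0B8 Budget_report_xls.js": FAKE_SCRIPT,
    }),
    # 'Tax invoice' ZIP: a .wsf dressed up as a PDF scan
    "1a45b45d76ed.zip": build_zip({"tax_invoice_scan PDF.316AA.wsf": FAKE_SCRIPT}),
    # 'Booking confirmation' ZIP: a .js plus a 4kb single-character padding file
    "426c7ce21e1.zip": build_zip({
        "Booking confirmation ~0D68BA0~.js": FAKE_SCRIPT,
        "w": b"\x00" * 4096,
    }),
    # benign control: a PDF scan and nothing else
    "scan_0915.zip": build_zip({"scan_0915.pdf": b"%PDF-1.4\n% constructed placeholder\n"}),
}


def triage_all(samples=SAMPLES) -> dict:
    """Verdict per attachment name."""
    return {name: triage_zip(data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage_zip(data))
```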
#1791 AplusWebMaster


Posted 15 September 2016 - 04:35 AM

FYI...

Fake 'financial report' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
15 Sep 2016 - "... Locky downloaders... an email with the subject of 'financial report' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: Lenora Preston <Preston.03846@ tarquinm .com>
Date: Thu 15/09/2016 09:13
Subject: financial report
Attachment: b3fe1958be4e.zip
    Annabelle is urging you to get the financial report done within this week.
    Here are some accounting data I have collected. Please merge it into your report.
    Best regards,
    Lenora Preston


15 September 2016: b3fe1958be4e.zip: Extracts to: financial report 6AD1543.js - Current Virus total detections 3/55*
.. MALWR** shows a download of an encrypted file from http ://wyvesnarl .info/1gtqiyj which is transformed by the script to bNvbVc5R8fy.dll (VirusTotal 15/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473927705/

** https://malwr.com/an...zJlMWZlMTZhNjM/
Hosts
37.200.70.6

*** https://www.virustot...sis/1473928074/
___

Fake 'SCAN' SPAM - delivers Locky/Zepto
- https://myonlinesecu...rs-locky-zepto/
15 Sep 2016 - "... Locky downloaders... an email with the subject of 'SCAN' coming from logistics@ random companies, names and email addresses with a random named zip attachment starting with SCAN_ plus today's date, containing a WSF file... One of the emails looks like:
From: Elaine woolley <logistics@ kemindo-international .com>
Date: Thu 15/09/2016 10:37
Subject: Scan
Attachment: SCAN_20160915_8952113428.zip
    Elaine woolley
    Logistics Department
    ALGRAFIKA SH.P.K ...


15 September 2016: SCAN_20160915_8952113428.zip: Extracts to: QATZEQE1822.wsf - Current Virus total detections 6/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://lullaby-babies .co.uk/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
 http ://iassess .net/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
 http ://techboss .net/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
which is transformed by the script to UloAJcCuAfq1.dll (VirusTotal 6/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473932344/

** https://malwr.com/an...WZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250


*** https://www.virustot...sis/1473932910/
___

Bitcoin Phishing
- https://blog.opendns...hing-next-wave/
Sep 15, 2016 - "... Through this investigation, we found more than 280 Bitcoin phishing domains, so it is clear here that your Bitcoins are under attack. Additionally, criminals are using different methods and tricks to stay under the radar, such as using reverse proxy services to hide the IPs serving the illegal content..."
(More at the opendns URL above.)

Edited by AplusWebMaster, 15 September 2016 - 12:02 PM.



#1792 AplusWebMaster


Posted 16 September 2016 - 04:31 AM

FYI...

Fake 'request' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
16 Sep 2016 - "... Locky downloaders... an email with the subject of 'Re: request' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Leroy Dillard <Dillard.65@ airtelbroadband .in>
Date: Fri 16/09/2016 08:15
Subject: Re: request
Attachment: 819533a5b1ac.zip
    Dear adkins, as you inquired, here is the invoice from September 2016.
    Let me know whether it is the correct invoice number you needed or not.


16 September 2016: 819533a5b1ac.zip: Extracts to: september_2016_details_~2CB6B4~.js
Current Virus total detections 1/55*. Payload Security** shows a download of an encrypted file from satyrwelf .net/27d4l09 which is transformed by the script to a working Locky ransomware file. Unfortunately Payload Security does not show or download the file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474009965/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.212.131.10
52.32.150.180
93.184.220.29
54.192.203.192
52.33.248.56

___

Fake 'Booking confirmation' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
15 Sep 2016 8:39 pm - "... Locky downloaders... an email with the subject of 'Booking confirmation' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 files. 1 is a .JS file. The other is a 4kb file with a single character name that is full of 0 byte padding... One of the emails looks like:
From: Avery Moses <Moses.17671@ domainedelunard .com>
Date: Thu 15/09/2016 19:58
Subject: Booking confirmation
Attachment: 426c7ce21e1.zip
    Hi there allan.dickie, it’s Avery. I booked the ticket for you yesterday.
    See the attachment to confirm the booking.
     King regards,
     Avery Moses


15 September 2016: 426c7ce21e1.zip: Extracts to: Booking confirmation ~0D68BA0~.js
Current Virus total detections 1/54*. Payload Security** shows a download of an encrypted file from satyrwelf .net/27d4l09 which is transformed by the script to a working Locky ransomware file. Unfortunately Payload Security does not show or download the file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473966399/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.212.131.10
52.32.150.180
93.184.220.29
54.192.203.192
52.33.248.56

___

Locky download locations 2016-09-16
- http://blog.dynamoo....2016-09-16.html
16 Sep 2016 - "I haven't had a chance to look at Locky today, but here are the current campaign download locations (thanks to my usual source)..
(Many domain-names shown at the dynamoo URL above.)
The first two lists are legitimate hacked sites; the last list is hosted on the following two IPs, which are -definitely- worth blocking:
178.212.131.10 (21 Century Telecom Ltd, Russia)
37.200.70.6 (Selectel Ltd, Russia) "

178.212.131.10: https://www.virustot...10/information/
>> https://www.virustot...94461/analysis/
37.200.70.6: https://www.virustot....6/information/
>> https://www.virustot...f8c1a/analysis/
___

Email tips - from Malwarebytes ...
- https://blog.malware...ware-infection/
"... Read emails with an eagle eye. Check the sender’s address. Is it from the actual company he or she claims? Hover over links provided in the body of the email. Is the URL legit? Read the language of the email carefully. Are there weird line breaks? Awkwardly constructed sentences that sound foreign? And finally, know the typical methods of communication for important organizations. For example, the IRS will never contact you via email. When in doubt, call your healthcare, bank, or other potentially-spoofed organization directly.
> Bonus mobile phone tip: Cybercriminals love spoofing banks via SMS/text message or -fake- bank apps. Do not confirm personal data via text, especially social security numbers. Again, when in doubt, contact your bank directly..."
___

Malicious domains to block 2016-09-16
- http://blog.dynamoo....2016-09-16.html
16 Sep 2016 - "These domains are part of a cluster, some of which are serving the EITEST RIG exploit kit (similar to that described here*). They all share nameservers running on 62.75.167.186 and 62.75.167.187.
* http://malware-traff.../31/index2.html
... (Long list of domain-names at the dynamoo URL above.)... Those IPs form part of a range rented from Host Europe Group consisting of the following IPs:
62.75.167.186
62.75.167.187
62.75.167.188
62.75.167.189
62.75.167.190
This is roughly analogous to 62.75.167.184/29 which might be worth blocking, but note that won't stop IP traffic to the EK domains which are on different IPs..."
___

Amex users hit with phish offering anti-phish
- https://www.helpnets...ing-protection/
Sep 15, 2016 - "American Express users are being actively targeted with phishing emails impersonating the company and advising users to create an 'American Express Personal Safe Key' to improve the security of their accounts:
> https://www.helpnets...fekey-email.jpg
Users who fall for the scheme are directed to a -bogus- Amex login page (at http ://amexcloudcervice .com/login/). Once they enter their user ID and password, they are taken to a bogus page that ostensibly leads them through the SafeKey setup process. The victims are asked to input their Social Security number, date of birth, mother’s maiden name, mother’s date of birth, their email address, the Amex card info and identification number, and the card’s expiration date and 3-digit code on the back of the card:
> https://www.helpnets...bogus-setup.jpg
The victims will be taken through the setup process even if they enter incorrect login credentials. And, after they finish entering all the information asked of them, they are redirected to the legitimate Amex website, making them believe they were using it the whole time..."

amexcloudcervice .com: 104.255.97.117: https://www.virustot...17/information/
104.36.80.16: https://www.virustot...16/information/
___

Ransomware Trends
- https://atlas.arbor....index#337041686
Sep 15, 2016 - "... Analysis: Money is seemingly easy to make with ransomware and more variants continue to appear. $121 million in six months is no longer out of the realm of possibility with larger variants possibly making more and in less time. Developers are keen to exploit large-scale business and hospital networks, in hopes of taking advantage of deeper pockets. As they move forward, more traditional malware spreading methods will likely be employed, including web app vulnerability scanning and SQL database vulnerability scans. Ransomware-as-a-Service is quickly becoming popular. These service offerings significantly lower the barrier of entry so that almost anyone can now take advantage of this criminal activity. Unlike other malware-as-a-service offerings that usually charge fees upfront for access, most ransomware services are simply affiliate based, aiming to gain as many customers as possible in hopes of compromising more victims. These ransomware services have no monetary barrier to entry, only that most of the customers distribute their packages themselves. Ransomware may be growing leaps and bounds but the same basic mitigation principles exist. Users are encouraged to avoid unsolicited emails and attachments, -never- enable macros in documents unless you have a legitimate reason to, maintain up-to-date system backups that are stored offline, and update systems with the latest patches and security elements as quickly as possible..."
___

Azure outage...
- https://azure.micros...status/history/
9/15 ...

Edited by AplusWebMaster, 17 September 2016 - 07:20 AM.



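The SMS phish (bank0famerica, well5farg0card, w311sfg0) and the Amex phish (amexcloudcervice) quoted above share one tell: a brand name spelled with digits or a misspelling, sitting on a domain the brand does not own. Below is an added example, not code from this thread or from the blogs it quotes, that refangs such a URL and flags lookalike brand labels; the brand table, the digit-to-letter map and the 0.8 similarity threshold are assumptions made for the demonstration.

```python
"""Brand-lookalike check for the defanged phishing URLs quoted in the thread.

Added example, not code from the thread or the blogs it quotes. Brand table,
digit map, genuine-domain list and threshold are assumptions for this demo.
"""
import re
from difflib import SequenceMatcher

# Digits the quoted URLs use in place of letters: bank0famerica, well5farg0card, w311sfg0.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Brand -> (genuine registrable domains, tokens a lookalike tends to contain).
BRANDS = {
    "Bank of America": ({"bankofamerica.com"}, ("bankofamerica",)),
    "Wells Fargo": ({"wellsfargo.com"}, ("wellsfargo",)),
    "American Express": ({"americanexpress.com"}, ("americanexpress", "amex")),
}
SIMILARITY = 0.8  # how close a normalised label must be to a brand token (assumed)


def refang(url: str) -> str:
    """Undo the (dot), [.], hxxp and 'http ://' defanging the posts use; drop the scheme."""
    s = url.lower().replace(" ", "")
    s = s.replace("(dot)", ".").replace("[.]", ".").replace("hxxp", "http")
    return re.sub(r"^[a-z]+://", "", s)


def labels_of(url: str) -> list:
    """Alphanumeric labels of host and path, with lookalike digits mapped to letters."""
    return [lab.translate(LEET) for lab in re.split(r"[^a-z0-9]+", refang(url)) if lab]


def registrable_domain(url: str) -> str:
    """Last two host labels; assumes no public-suffix list is needed for the demo."""
    host = refang(url).partition("/")[0]
    return ".".join(host.split(".")[-2:])


def lookalike_brands(url: str) -> list:
    """Brands the URL impersonates: a brand-like label on a non-genuine domain.

    A label hits when it contains a brand token outright (well5farg0card ->
    wellsfargocard) or is close to one after digit mapping (w311sfg0 -> wellsfgo).
    """
    domain = registrable_domain(url)
    labels = labels_of(url)
    hits = []
    for brand, (genuine, tokens) in BRANDS.items():
        if domain in genuine:
            continue  # the brand's own site is not a lookalike
        for lab in labels:
            if any(tok in lab or SequenceMatcher(None, lab, tok).ratio() >= SIMILARITY
                   for tok in tokens):
                hits.append(brand)
                break
    return hits


# The defanged URLs reported in the posts, plus one genuine control URL.
SAMPLE_URLS = [
    "readmybank0famerica.cipmsg-importantnewalertt(dot)com",
    "vigourinfo(dot)com/secure.well5farg0card(dot)html",
    "denibrancheau(dot)com/drt/w311sfg0/",
    "http ://amexcloudcervice .com/login/",
    "https://www.wellsfargo.com/login",
]


def scan(urls=SAMPLE_URLS) -> dict:
    """Map each URL to the brands it impersonates (empty list means no hit)."""
    return {u: lookalike_brands(u) for u in urls}


if __name__ == "__main__":
    for url, brands in scan().items():
        print(f"{url}\n    -> {brands or 'no lookalike'}")
```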
#1793 AplusWebMaster


Posted 19 September 2016 - 04:09 AM

FYI...

Fake 'Express Parcel service' SPAM - leads to Locky
- http://blog.dynamoo....el-service.html
19 Sep 2016 - "This spam has a malicious attachment:
    From:    Marla Campbell
    Date:    19 September 2016 at 09:09
    Subject:    Express Parcel service
    Dear [redacted], we have sent your parcel by Express Parcel service.
    The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.
    Thank you.


Attached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing. The Hybrid Analysis* for one sample shows a download location of:
178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)
There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:
195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra .pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)
It drops a DLL with a detection rate of 8/54**.

UPDATE: These Hybrid Analysis reports of other samples [1] [2]... show -other- download locations... All of these domains are hosted on evil IPs:
178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)...

Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10

91.194.250.131 "
The last one listed in italics is part of the update.

* https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.194.250.131
46.38.52.225
195.64.154.202
91.223.88.209


** https://virustotal.c...sis/1474275264/

1] https://www.hybrid-a...vironmentId=100

2] https://www.hybrid-a...vironmentId=100
___

Fake 'Order' SPAM - leads to Locky
- https://myonlinesecu...leads-to-locky/
19 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order: 19487600/00 – Your ref.:11893' [random order number, random reference number] coming as usual from random companies, names and email addresses with a macro enabled word doc attachment...

Screenshot: https://myonlinesecu...93-1024x624.png

19 September 2016: OffOrd_19487600-00-35879-972570.docm - Current Virus total detections 11/55*
.. MALWR** shows a download of an encrypted file from http ://sarayutechnologies .com/67SELbosjc358 which is transformed by the macro to chrendokss.dll and autorun (VirusTotal 8/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474284844/

** https://malwr.com/an...TY3ZDExNTExM2Q/
Hosts
89.163.249.205

*** https://www.virustot...sis/1474288204/

- http://blog.dynamoo....0-your-ref.html
19 Sep 2016 - "This -fake- financial spam has a malicious attachment that leads to Locky ransomware.
    Subject:     Order: 28112610/00 - Your ref.: 89403
    From:     Melba lochhead (SALES1@ krheadshots .com)
    Date:     Monday, 19 September 2016, 16:05
    Dear customer,
    Thank you for your order.
    Please find attached our order confirmation.
    Should you be unable to open the links in the document, you can download the latest version of Adobe Acrobat Reader for free...
    Should you have any further questions, do not hesitate to contact me.
    Kind Regards,
    Melba lochhead
    Internal Sales Advisor - Material Handling Equipment Parts & Accessories...


I have only seen a single sample so far, but I understand that reference numbers and names vary. Attached is a malicious .DOCM file with a name in the format OffOrd_87654321-00-1234567-654321.docm. My trusted source says that the various versions download a component...
(Many domain-names listed at the dynamoo URL above.)
It drops a DLL which had a moderate detection rate earlier [8/57]*. This version of Locky does -not- communicate with C2 servers, so if you want to block or monitor traffic perhaps you should use the string 67SELbosjc358."
* https://www.virustot...f0417/analysis/
chrendokss.dll.3860.dr
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 19 September 2016 - 10:33 AM.



#1794 AplusWebMaster

Posted 20 September 2016 - 04:16 AM

FYI...

Fake 'Tracking data' SPAM - leads to Locky
- http://blog.dynamoo....a-leads-to.html
20 Sep 2016 - "This spam has a malicious attachment leading to Locky ransomware:
    From:    Loretta Gilmore
    Date:    20 September 2016 at 08:31
    Subject:    Tracking data
    Good afternoon [redacted],
    Your item #9122164-201609 has been sent to you by carrier.
    He will arrive to you on 23th of September, 2016 at noon.
    The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached. 


The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name...
UPDATE: Hybrid Analysis of various samples [1] [2].. shows the script downloading from various locations... All of these are hosted on:
178.212.131.10 (21 Century Telecom Ltd, Russia)
95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)
The malware then phones home to the following locations:
91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx .xyz/data/info.php  [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)
A DLL is dropped with a detection rate of 13/57*.
Recommended blocklist:
178.212.131.10
95.173.164.205
91.223.88.0/24
46.38.52.225
195.64.154.202
"
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.212.131.10
91.223.88.205
176.103.56.105
46.38.52.225
195.64.154.202
91.223.88.209


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.212.131.10
46.38.52.225
91.223.88.205
176.103.56.105
195.64.154.202
91.223.88.209


* https://virustotal.c...6e7e2/analysis/
RwjjKUw5U4bU.dll
___

Evil network: 178.33.217.64/28 ... exploit kit
- http://blog.dynamoo....6428-et-al.html
20 Sep 2016 - "This customer of OVH appears to be registered with -fake- details, and is distributing malware via a block at 178.33.217.64/28. Currently, the following IPs are distributing some sort of unidentified exploit kit:
178.33.217.64
178.33.217.70
178.33.217.71
178.33.217.78
178.33.217.79
A list of the domains associated with those IPs can be found here [pastebin*]... Checking the evolution-host .com... an invalid address with a different street number from before and an Irish telephone number... The Evolution Host website appears to have no contact details at all. RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block -all- of them:
91.134.220.108/30
92.222.208.240/28
149.202.98.244/30
176.31.223.164/30
178.33.217.64/28
"
* http://pastebin.com/9QGvmRVt
___

Fake 'documents' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-zepto/
20 Sep 2016 - "... Locky downloaders... an email with the subject of 'documents' pretending to come from random names @ cableone .net with a random named zip attachment containing a WSF file... One of the emails looks like:
From: Brandi theakston <Brandi.theakston@ cableone .net>
Date: Tue 20/09/2016 14:27
Subject: documents
Attachment: 5040_98991330.zip
    —
    Brandi theakston
    Office Manager
    Box Rentals LLC
    Sanibel Executive Suites
    Crestwood Apts.
    Cleveland Apts...


20 September 2016: 5040_98991330.zip: Extracts to: YPBUJSS17703.wsf - Current Virus total detections 5/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://steyjixie .net/yCTb6zqTQ?bJiuYAR=nFrDER | http ://writewile .su/CTb6zqTQ?bJiuYAR=nFrDER
 http ://wellyzimme .com/CTb6zqTQ?bJiuYAR=nFrDER which is transformed by the script to NTlCmBVJkD1.dll
(VirusTotal 9/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474375101/

** https://malwr.com/an...WZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250


*** https://www.virustot...sis/1474383107/
___

Fake 'Out of stock' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
20 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Out of stock' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: Steven Goodman <Goodman.55291@ 70-static.tedata .net>
Date: Tue 20/09/2016 20:25
Subject: Out of stock
Attachment: 050f0ba31ac.zip
    Dear [REDACTED], we are very sorry to inform you that the item you requested is out of stock.
    Here is the list of items similar to the ones you requested.
    Please take a look and let us know if you would like to substitute with any of them.


20 September 2016: 050f0ba31ac.zip: Extracts to: updated order ~3F369A12~ pdf.js - Current Virus total detections 4/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://vumdaze .com/pknjo995 | http ://youthmaida .net/7ewhtm6  which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474400445/

** https://malwr.com/an...mRlOGY5N2JhODk/
Hosts
95.173.164.205
178.212.131.10


*** https://www.virustot...sis/1474398913/
___

'Just For Men' website - serves malware
- https://blog.malware...serves-malware/
Sep 20, 2016 - "The website for Just For Men, a company that sells various products for men as its name implies, was serving malware to its visitors. Our automated systems detected the drive-by download attack pushing the RIG exploit kit, eventually distributing a password stealing Trojan. In this particular attack chain we can see that the homepage of justformen[.]com has been injected with obfuscated code. It belongs to the EITest campaign* and this gate is used to perform the -redirection- to the exploit kit. EITest is easy to recognize (although it has changed URL patterns) for its use of a Flash file in its redirection mechanism.
* https://blog.malware...lware-campaign/
RIG EK has now taken over Neutrino EK as the most commonly used and seen toolkit in the wild... We replayed the attack in our lab as shown in the video below:
> https://youtu.be/F5uRosn8E58
... We reported this incident to Combe, the parent company for Just For Men. Between the time we collected our traffic capture and writing of this blog, we noticed the site had changed. As of now, the site is running the latest version of WordPress according to this scan from Sucuri** and does not appear to be compromised any more..."
** https://sitecheck.su.../justformen.com
... C2 callbacks:
217.70.184.38: https://www.virustot...38/information/
Country: FR / Autonomous System: 29169 (Gandi SAS)
173.239.23.228: https://www.virustot...28/information/
Country: US / Autonomous System: 27257 (Webair Internet Development Company Inc.)

... see "Latest detected URLs" shown in the virustotal links.
___

Fake AV on Google Play ...
- https://blog.malware...to-google-play/
Sep 19, 2016 - "Every once in a while, a -fake- antivirus pops up on the Google Play store. Most of the time, it’s just a fake scanner that doesn’t detect anything because it doesn’t actually look for anything to detect. Show a scan that simply lists all the apps on your device and it’s pretty easy to look legit. They serve up some -ads- for revenue, and you are given the false sense your phone isn’t infected — kind of a win-win unless you actually want malicious apps to be detected/removed. These apps are often ignored by real AV scanners because, technically, they aren’t doing anything malicious. It’s only when malicious intent is found that these apps are classified as bad. With a clean design and look, Antivirus Free 2016 could very easily be confused for a legitimate AV scanner:
> https://blog.malware...Screenshot1.png
...
> https://blog.malware...Screenshot4.png
Looking deeper though, one would see its true intent. To start, Antivirus Free 2016 is given permission to read, write, send, and receive SMS messages. It isn’t usual for an AV scanner to have receive SMS permission; but to read, write, or send SMS is another story. Unfortunately, any code that deals with SMS has been obfuscated/removed from being seen. The app’s receiver and service names, such as com.xxx.message.service.receiver.SmsReceiver, com.xxx.message.service.receiver.MmsReceiver, and com.xxx.message.service.RespondService, containing these codes raises enough suspicion on their own. What isn’t hidden in the code is the use of a complex decryption algorithm used to -hide- a URL and a string named “remotePackageName”. This could possibly be used to download and install -other- apps onto the device. According to our records, 'Antivirus Free 2016' is seen in the Google Play Store between August 14th to the 31st of this year, but has been removed since. Because of its extensive malicious intent, we have classified it as Android/Trojan.FakeAV. The act of using a -fake- Antivirus product to infect customers is far from a new trick. Still, it’s scary to think that a product that is meant to protect you can be the one doing the most damage. Make sure to do your research while picking a good AV product..."
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 20 September 2016 - 03:58 PM.

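The dynamoo posts quoted above end with a "Recommended blocklist" of IPs and a /24, name the /data/info.php phone-home path, and suggest watching for the download string 67SELbosjc358. The script below is an added example, not code from dynamoo or myonlinesecurity: it normalises that blocklist with Python's ipaddress module and runs constructed proxy-log lines (the hosts and paths are those quoted in the posts; the client addresses and log layout are assumptions of this example) against the three indicators.

```python
# Added example (not from the quoted dynamoo/myonlinesecurity posts): checks
# constructed proxy-log lines against the "Recommended blocklist" published
# above and the Locky download/check-in URL indicators the posts mention.
import ipaddress
import re

# Entries as listed in the quoted dynamoo "Recommended blocklist" (single
# IPs and one /24).
RECOMMENDED_BLOCKLIST = [
    "178.212.131.10",
    "95.173.164.205",
    "91.223.88.0/24",
    "46.38.52.225",
    "195.64.154.202",
]

# Phone-home path quoted in the posts, served straight off the host root.
C2_URL_RE = re.compile(r"^https?://[^/]+/data/info\.php(\?.*)?$")

# Download-URL fragment dynamoo suggests using to monitor traffic.
DOWNLOAD_STRINGS = ["67SELbosjc358"]

# Assumed minimal log layout: "timestamp client method url".
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")

# Constructed log lines; hosts/paths are the ones quoted in the posts, the
# client addresses and the intranet line are made up for contrast.
SAMPLE_LOG = """\
1474364000 10.0.0.12 GET http://sarayutechnologies.com/67SELbosjc358
1474364005 10.0.0.12 POST http://91.223.88.205/data/info.php
1474364010 10.0.0.44 GET http://www.example.com/index.html
1474364020 10.0.0.12 POST http://46.38.52.225/data/info.php
1474364030 10.0.0.51 GET http://10.0.0.2/intranet/data/info.php
"""


def build_networks(entries):
    """Normalise mixed IP/CIDR strings to ip_network objects (bare IP -> /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_in_blocklist(ip, networks):
    """True if the dotted-quad `ip` falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_line(line, networks):
    """Return (client, host, reasons) for one log line, or None if unparsable."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    hm = HOST_RE.match(url)
    host = hm.group(1) if hm else url
    reasons = []
    try:
        if ip_in_blocklist(host, networks):
            reasons.append("blocklisted-ip")
    except ValueError:
        pass  # host is a DNS name, not an IP literal; no network match possible
    if C2_URL_RE.match(url):
        reasons.append("locky-checkin-path")
    if any(s in url for s in DOWNLOAD_STRINGS):
        reasons.append("locky-download-string")
    return (m.group("client"), host, reasons)


def find_hits(log_text, entries=RECOMMENDED_BLOCKLIST):
    """Scan all lines and return only those matching at least one indicator."""
    networks = build_networks(entries)
    hits = []
    for line in log_text.splitlines():
        result = classify_line(line, networks)
        if result and result[2]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for client, host, reasons in find_hits(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The check-in regex is anchored to the host root on purpose: an internal server that happens to serve something under a deeper /data/info.php path (the last constructed line) is not flagged, while the two quoted IP hosts match on both the blocklist and the path.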


#1795 AplusWebMaster

Posted 21 September 2016 - 08:28 AM

FYI...

Fake 'Receipt' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
21 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt 40247' from The Music Zoo pretending to come from The Music Zoo <shipping3363@ themusiczoo .com> with a random numbered zip attachment (that matches the subject number) containing a .WSF file... One of the emails looks like:
From: The Music Zoo <shipping3363@ themusiczoo .com>
Date: Wed 21/09/2016 03:54
Subject: Receipt 40247 from The Music Zoo
Attachment: Receipt 40247.zip
    Thank you for your order!  Please find your final sales receipt attached to
    this email.
    Your USPS Tracking Number is: 1634888147633172932951
    This order will ship tomorrow and you should be able to begin tracking
    tomorrow evening after it is picked up. If you have any questions or
    experience any problems, please let us know so we can assist you.  Thanks
    again and enjoy!
    Thanks,
    The Music Zoo ...


21 September 2016: Receipt 40247.zip: Extracts to: IOABB32501.wsf - Current Virus total detections 17/54*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://awaftaxled .com/JHG67g32udi?DnzmQJqbM=ncEcxrIem | http ://uphershoji .net/JHG67g32udi?DnzmQJqbM=ncEcxrIem
which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474436523/

** https://malwr.com/an...2IxNjUxMGI2ZmY/
Hosts
62.84.69.75: https://www.virustot...75/information/
Domains
awaftaxled .com: 193.150.247.12: https://www.virustot...12/information/
uphershoji .net: 62.84.69.75

*** https://www.virustot...sis/1474435608/
___

Those never-ending waves of Locky malspam
- https://isc.sans.edu...l?storyid=21505
2016-09-21 - "Malicious spam (malspam) campaigns sending Locky ransomware are nothing new. We see reports of it on a near daily basis [1, 2]. But last month, Locky ransomware changed. It used to be downloaded as an executable file, but now it's being implemented as a DLL [3].... The malspam all contained zip archives as file attachments. Those zip archives contained either a .js file or a .wsf file. The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file. The .wsf file extension is used for a Windows Script File. These .wsf files can also be run by double-clicking on them in a Windows environment... some of these emails make it through, and people still get infected.  All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away. A solid strategy for any sort of ransomware is to make-regular-backups of any important files. Remember to test those backups, so you're certain to recover your data. These .js and .wsf files are -designed- to download Locky and run the ransomware as a DLL..."
1] http://blog.dynamoo....rch/label/Locky

2] https://myonlinesecu...o.uk/tag/locky/

3] http://www.bleepingc...led-from-a-dll/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 21 September 2016 - 12:47 PM.



#1796 AplusWebMaster

Posted 22 September 2016 - 04:51 AM

FYI...

Fake 'Receipt of payment' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt of payment' coming as usual from random companies, names and email addresses with a random numbered zip attachment containing a HTA file...

Screenshot: https://myonlinesecu...nt-1024x636.png

22 September 2016: (#721632093) Receipt.zip: Extracts to: A2LOCTI1203.hta - Current Virus total detections 7/54*
.. MALWR** is unable to analyse HTA files. Payload Security*** shows a download of an encrypted file from
 ringspo .com/746t3fg3 which is transformed by the script to a working locky file. Unfortunately Payload security free version does not show us or allow download of the locky ransomware itself... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474506588/

** https://malwr.com/an...jBhZmU3NzExMWI/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
67.205.36.188
52.24.123.95
93.184.220.29
52.85.173.119

___

Fake 'Package #..' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Package #DH4946376' [random numbers] pretending to come from DHL but actually coming as usual from random email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: DHL Express <Murray.64@ yj .By>
Date: Thu 22/09/2016 12:03
Subject: Package #DH4946376
Attachment: 4023cd96fe5.zip
    Dear helloitmenice,
    The package #DH4946376 you ordered has arrived today. There is some confusion in the address you provided.
    Please review the address in the attached order form and confirm to us. We will deliver as soon as we receive your reply.
    —–
    Beulah Murray
    DHL Express Support


22 September 2016: 4023cd96fe5.zip: Extracts to: package dhl express ~0EAD6~.js - Current Virus total detections 6/55*
.. MALWR** shows a download of an encrypted file from:
 http ://affordabledentaltours .com/g8xa1lt which is transformed by the script to UNDLiWCqgT.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474542522/

** https://malwr.com/an...jgwN2YwMWYwOTM/
Hosts
69.162.148.70: https://www.virustot...70/information/

*** https://www.virustot...sis/1474544725/
___

RAR to JavaScript: Ransomware - Email attachments
- http://blog.trendmic...il-attachments/
Sep 22, 2016 - "... Based on our analysis, 71% of known ransomware families arrive via email... Over the first half of the year, we observed how cybercriminals leveraged file types like JavaScript, VBScript, and Office files with macros to evade traditional security solutions... Trend Micro has already blocked and detected 80-million-ransomware-threats during the first half of the year; 58% of which came from email attachments. Throughout this year, we followed Locky’s spam campaign and how its ever changing email file attachments contributed to its prevalence. Based on our monitoring, the rising number of certain file types in email attachments is due to Locky. The first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky:
> https://blog.trendmi...9/Months-01.jpg
In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download -other- ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because this can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Scripting file (WSF) attachments — which could explain how WSF became the second file type attachment most used by threats. With WSF, two different scripting languages can be combined. The tactic makes it difficult to detect since it’s not a file type that endpoint solutions normally monitor and flag as malicious. Cerber was also spotted using this tactic in May 2016:
> https://blog.trendmi...ar-Graph-01.jpg
The latest strains of Locky were seen using DLLs and .HTA file attachments for distribution purposes. We surmise that malware authors abuse the .HTA file extension as it can bypass filters, given that it is not commonly known to be abused by cybercriminals:
> https://blog.trendmi..._copy_locky.jpg
Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat... One critical aspect of a ransomware attack is its delivery mechanism. Once ransomware-laced emails enter the network and execute on the system, they can encrypt important files..."

"The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Rising Tides of SPAM
> http://blog.talosint...es-of-spam.html
Sep 21, 2016 - "...  According to CBL*, the last time spam volumes were this high was back in mid-2010:
* http://www.abuseat.org/totalflow.html
... An internal graph generated by SpamCop which illustrates the overall size of the SpamCop Block List (SCBL) over the past year. Notice how the SCBL size hovers somewhere under 200K IP addresses pre-2016, and more recently averages closer to 400K IP addresses, spiking to over 450K IPs in August:
> https://1.bp.blogspo...640/image01.png
... We cannot predict the future and stop spam attacks before they start. Therefore, in any reasonably well-designed spam campaign there will always exist a very narrow window of time between when that spam campaign begins, and when anti-spam coverage is deployed to counter that campaign. In most anti-spam systems, this "window of opportunity" for spammers may be on the order of seconds or even minutes. Rather than make their email lists more targeted, or deploying snowshoe style techniques to decrease volume and stay under the radar, for these spammers it has become a race. They transmit as much email as cyberly possible, and for a short time they may successfully land malicious email into their victims' inboxes. For evidence of this, we need not look very far. Analyzing email telemetry data from the past week, we can readily see the influence of these high-volume spam campaigns:
> https://4.bp.blogspo...640/image00.jpg
... Conclusion: Email threats, like any other, constantly evolve. As we grow our techniques to detect and block threats, attackers are simultaneously working towards evading detection technology. Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be -critical- to an organization's survival. Restoration plans need to be regularly reviewed -and- tested to ensure no mistakes have been made and that items have not been overlooked. Lastly, reach out to your users and be sure they understand that strange attachments are -never- to be trusted!"
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 22 September 2016 - 09:46 AM.

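The ISC SANS diary quoted in the previous post and the Trend Micro piece quoted above both make the same point: Locky arrives as a zip holding a .js or .wsf script (later .hta, .docm and DLLs), and the file names carry tells such as the random hex tag in "tracking data ~C503090F~.js" or the decoy chain in "Agent Sendout Report.PDF.Doc.XLS.TXT.jar". The classifier below is an added example, not code from either source: it lists zip members without extracting them, recognises a macro-enabled Office file by its word/vbaProject.bin member, and flags the naming patterns the posts describe. Every sample file is constructed in memory; only the naming patterns come from the quoted reports.

```python
# Added example (not code from the ISC SANS diary or Trend Micro post quoted
# above): classifies e-mail attachment names and zip members by the
# script/macro extensions, random-hex name tags and decoy double extensions
# those posts describe. All sample files are constructed in memory.
import io
import re
import zipfile

# Extensions run by Windows Script Host, mshta, Java or Office macros
# (the delivery file types the quoted reports list).
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".jar", ".docm"}
# Document-looking extensions placed before the real one as a decoy.
DECOY_EXTS = {".pdf", ".doc", ".xls", ".txt"}
# "tracking data ~C503090F~.js" style random hexadecimal tag.
HEX_TAG_RE = re.compile(r"~[0-9A-Fa-f]{5,8}~")


def extensions(name):
    """All dot-suffixes of a path's basename, lower-cased."""
    base = name.rsplit("/", 1)[-1]
    return ["." + p.lower() for p in base.split(".")[1:]]


def classify_name(name):
    """Reasons a bare file name looks like a scripted lure; [] if none."""
    exts = extensions(name)
    reasons = []
    if exts and exts[-1] in SCRIPT_EXTS:
        reasons.append("script-extension")
        if any(e in DECOY_EXTS for e in exts[:-1]):
            reasons.append("decoy-double-extension")
    if HEX_TAG_RE.search(name.rsplit("/", 1)[-1]):
        reasons.append("random-hex-tag")
    return reasons


def inspect_attachment(filename, data):
    """Return [(member_name, reasons), ...] for one attachment.

    Zip-based containers (.zip, and also .docm/.jar, which are zips) are
    listed without extracting anything; a macro-enabled Office file is
    recognised by its word/vbaProject.bin member.
    """
    findings = []
    own = classify_name(filename)
    if own:
        findings.append((filename, own))
    if data[:2] == b"PK":  # zip local-file-header signature
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    reasons = classify_name(info.filename)
                    if info.filename.lower().endswith("vbaproject.bin"):
                        reasons.append("vba-macro")
                    if reasons:
                        findings.append((info.filename, reasons))
        except zipfile.BadZipFile:
            findings.append((filename, ["corrupt-zip"]))
    return findings


def build_zip(members):
    """Construct an in-memory zip from {name: content} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the naming patterns quoted in the posts;
# the contents are placeholders, not real scripts or documents.
SAMPLES = {
    "4023cd96fe5.zip": build_zip(
        {"tracking data ~C503090F~.js": "// constructed", "k": "junk"}
    ),
    "DOC-20160923-WA0008360.docm": build_zip(
        {"word/document.xml": "<w:document/>", "word/vbaProject.bin": b"\x00"}
    ),
    "Agent Sendout Report.PDF.Doc.XLS.TXT.jar": build_zip(
        {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n", "a/B.class": b"\xca\xfe"}
    ),
    "holiday.zip": build_zip({"photo.jpg": b"\xff\xd8constructed"}),
}


def scan_samples(samples=SAMPLES):
    """Map each attachment name to its findings (empty list = nothing flagged)."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```

Because the check only reads the zip's central directory, it can run on a mail gateway without ever writing a member to disk; a name-based rule like this is cheap, but it complements rather than replaces content scanning, since the posts also show detection rates for the scripts themselves stayed low on the day of each wave.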


#1797 AplusWebMaster

Posted 23 September 2016 - 05:15 AM

FYI...

Fake 'Transactions' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
23 Sep 2016 - "... Locky downloaders... an email with the subject of 'Transactions details' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file named Transactions details scan {random characters}.js... One of the emails looks like:
From: Lora Mooney <Mooney.771@ gallerystock .com>
Date: Fri 23/09/2016 06:35
Subject: Transactions details
Attachment: 9fc2fd82d4e.zip
    Dear xerox.774, this is from the bank with reference to your email yesterday.
    As you requested, attached is the scan of all the transactions your account made in September 2016.
    Please let us know if you need further assistance.
    —
    Lora Mooney
    Credit Controller ...


23 September 2016: 9fc2fd82d4e.zip: Extracts to: Transactions details scan 358AD50.js
Current Virus total detections 6/55*. MALWR** shows a download of an encrypted file from
 http ://prospower .com/kqp479c7 which is transformed by the script to L12I1sh9pd9X2.dll (VirusTotal 11/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474609615/

** https://malwr.com/an...WM3YWJjODM0OWQ/
Hosts
207.7.95.142

*** https://www.virustot...sis/1474609924/
___

Fake 'Photo' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-zepto/
23 Sep 2016 - "... Locky downloader with a blank/empty email with the subject of 'Photo from Ryan (random name)' coming as usual from random companies, names and email addresses with a random named zip attachment named along the lines of IMG- today’s/yesterday’s date - 2 characters and several numbers .zip containing a WSF file. The “photo from” name in the subject matches the alleged senders name... One of the emails looks like:
From: Ryan nock <Ryan9244@ gmail .com>
Date: Fri 23/09/2016 00:51
Subject: Photo from Ryan
Attachment: IMG-20160922-WA000752.zip


Body content: Totally blank/empty

23 September 2016: IMG-20160922-WA000752.zip: Extracts to: AGRN0718.wsf - Current Virus total detections 9/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://allcateringservices .in/8rcybi43?rRffpf=NrdcbOsmH | http ://klop .my/8rcybi43?rRffpf=NrdcbOsmH
 http ://williamstarnetsys .org/8rcybi43?rRffpf=NrdcbOsmH which is transformed by the script to
 raDSyGb1.dll (VirusTotal 8/57***). These WSF files post back to C&C http ://94.242.57.152 /data/info.php
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474598473/

** https://malwr.com/an...zkzZDNlZDA2OTk/
Hosts
103.231.41.127
103.8.25.156
142.4.4.160
94.242.57.152


*** https://www.virustot...sis/1474605834/
___

Fake 'Document' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-zepto/
23 Sep 2016 - "... another set of blank/empty emails with the subject of 'Document from Horacio (random name)' pretending to come from random names @ gmail .com with a malicious word doc attachment delivers Locky ransomware... These are NOT coming from Gmail... One of the email looks like:
From: Horacio minto <Horacio92942@ gmail .com>
Date: Fri 23/09/2016 11:06
Subject: Document from Horacio
Attachment: DOC-20160923-WA0008360.docm


Body content: Totally empty/blank

23 September 2016: DOC-20160923-WA0008360.docm - Current Virus total detections 8/55*. Malwr** shows a download of an encrypted file from http ://rutlandhall .com/bdb37 which is transformed by the macro to hupoas.dll
(VirusTotal 10/57***) and posts back to C&C at http ://158.255.6.129 /data/info.php ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.c...0a421/analysis/

** https://malwr.com/an...zE5ZDdjOGUyMzU/
Hosts
217.160.5.7
94.242.57.152
158.255.6.129


*** https://www.virustot...sis/1474629008/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 23 September 2016 - 10:10 AM.



#1798 AplusWebMaster

Posted 26 September 2016 - 07:20 PM

FYI...

Locky changed - now an .odin extension
- https://myonlinesecu...odin-extension/
26 Sep 2016 - "... the file extension to the encrypted files which is now .odin. They are still using .wsf files inside zips today... first series pretends to come from your-own-domain with a subject of:
Re: Documents Requested and the body saying:
    Dear [redacted],
    Please find attached documents as requested.
    Best Regards,
    [redacted]


The second series comes from random senders with a subject of 'Updated invoice #[random number]' and random names, job positions and companies in the body with a body content:
    Our sincere apology for the incorrect invoice we sent to you yesterday.
    Please check the new updated invoice #3195705 attached.
    We apologize for any inconvenience.
    ——-
    Socorro Bishop
    Executive Director Marketing PPS ...


See MALWR* which does show the encrypted files and Payload Security** which does not but shows the downloads...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://malwr.com/an...zY4YmNiZmNmNmI/
Hosts
94.23.97.227
62.173.154.240


** https://www.hybrid-a...vironmentId=100
Contacted Hosts
94.23.97.227
62.173.154.240
5.196.200.247
86.110.118.114
52.34.245.108

 

- https://blog.opendns...latest-persona/
Sep 26, 2016

 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 27 September 2016 - 11:01 AM.



#1799 AplusWebMaster

Posted 27 September 2016 - 04:57 AM

FYI...

Locky malware office rtf files - new delivery method
- https://myonlinesecu...dual-passwords/
27 Sep 2016 - "... a major change this morning in what I assume is a Locky or Dridex delivery system. The files come as RTF files but each rtf file has an individual password. None of the online automatic analysers or Virus Total, see any malicious content, because they cannot get past the password. Once you insert the password, you can then get to the macro, but I haven’t managed to decode it..
Update: I am being told it is Dridex, but am waiting on confirmation via analysis by several other researchers.
Once you insert the password you see a file looking like this. (This was opened in Libre Office and not Microsoft Word for safety reasons, where there is no enable content button):
> https://myonlinesecu...ce-1024x590.png
... Individual passwords for the file names inside the zips are:
Final Notice#i4qb43c.rtf   tRgHs8UOo
Invoice-a00h.rtf    TVOS3v8
Statementj34f-69g_%l13te91u.rtf    xpaGK1x0r

We are seeing various subjects on these emails all using random names in subject line that matches the name of the alleged sender, including:
    Fwd:Invoice from Driscoll Welch
    Fw:Final Notice from Zane Reyes
    Marvin Yates Statement
    Re:Bill from Richard Contreras
    Statement from Lionel Roth
    Howard Cantrell Notice

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. One of the emails looks like:
From: Driscoll Welch <emma.qe@ ntlworld .com>
Date: Tue 27/09/2016 08:47
Subject: Fwd:Invoice from Driscoll Welch
Attachment: Invoice-a00h.rtf
    The Transfer should appear within 2 days. Please check the document attached.  
    You may also need Document Pwd: TVOS3v8
    Driscoll Welch


DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake 'Post For Amendment' SPAM - Java Adwind Trojan
- https://myonlinesecu...rs-java-adwind/
27 Sep 2016 - "We continue to see Java Adwind Trojans daily.. This one is an email with the subject of
'Post For Amendment' pretending to come from danny.chunn@ westernunion .com <accounts@ petnet .com.ph> with a genuine PDF attachment which contains a link that, when clicked, downloads a rar file containing a Java.jar file... The particular difference is the PDF attachment is a genuine PDF which pretends to be a notice from Google Drive to download another PDF. The actual link-behind-the-download is -not- to Google drive but to a hacked/compromised WordPress site
 https ://www.makgrills .com/wp-content/Transaction-Ref0624193.rar
which downloads the rar file containing the Java Adwind Trojan. Note the HTTPS: The RAR file extracts to Agent Sendout Report.PDF.Doc.XLS.TXT.jar and if you have the Windows default setting of “don’t show file extensions” set, you will think it is either a plain text file. The malspammer has added belts & braces though by naming it as report.PDF.Doc.XLS.TXT ... WARNING: Java Adwind is a very dangerous remote access backdoor Trojan, that has cross OS capabilities and can potentially run and infect any computer or operating system including windows, Apple Mac, Android and Linux. It however can only be active or infect you if you have Sun/Oracle Java installed*...
* https://www.theguard...jack-technology
... One of the emails looks like:
From: danny.chunn@ westernunion .com <accounts@ petnet .com.ph>
Date: Mon 26/09/2016 09:41
Subject: Post For Amendment
Attachment: Transaction-Ref06214193.pdf
    Agent,
    View and post request for amendment. The Western union transaction is returned from a recieving agent. Details of the transaction has been attached
    Thanks & Regards,
    Danny Chunn
    Asst Mgr|Operations
    Branch Operations,
    Western Union Money Transfer
    Door – 26,Street- 920,Roudat Al Khail
    P O Box ? 5600,Doha,State of Qatar ...


The PDF when opened looks like this image which pretends to say that you need to click the link to download the PDF from Goggle Drive:
[ spoof_google_drive ]
> https://myonlinesecu...oogle_drive.png

27 September 2016: Transaction-Ref06214193.pdf: downloads: Transaction-Ref0624193.rar which extracts to
  Agent Sendout Report.PDF.Doc.XLS.TXT.jar - Current Virus total detections 16/55* for .jar file...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474955483/
___

Fake 'Attached:Scan' SPAM - leads to Locky
- http://blog.dynamoo....and-others.html
27 Sep 2016 - "This -fake- scanned document leads to Locky ransomware:
    Subject:     Attached:Scan(70)
    From:     Zelma (Zelma937@ victimdomain .tld)
    To:     victim@ victimdomain .tld;
    Date:     Tuesday, 27 September 2016, 14:15


There does not appear to be any body text. My trusted source tells me that the subject is a combination of the words Attached/Copy/File/Emailing and Document/Receipt/Scan plus a random two-digit number. Attached is a ZIP file with a name similar to the subject, containing a malicious .wsf script. This script then downloads components...
(Long list at the dynamoo URL above.)
The payload is Locky ransomware, phoning home to:
5.196.200.247/apache_handler.php (OVH, Ireland / Just Hosting, Russia)
62.173.154.240/apache_handler.php (JSC Internet-Cosmos, Russia)
uiwaupjktqbiwcxr .xyz/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
rflqjuckvwsvsxx .click/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
dypvxigdwyf .org/apache_handler.php  [69.195.129.70] (Joe's Datacenter, US)
ntqgcmkmnratfnwk .org/apache_handler.php
wababxgqgiyfrho .su/apache_handler.php
ytqeycxnbpuygc .ru/apache_handler.php
ocuhfpcgyg .pl/apache_handler.php
cifkvluxh .su/apache_handler.php
sqiwysgobx .click/apache_handler.php
yxmagrdetpr .biz/apache_handler.php
xnoxodgsqiv .org/apache_handler.php
vmibkkdrlnircablv .org/apache_handler.php
Recommended blocklist:
5.196.200.0/24
62.173.154.240
86.110.118.114
"
___

RIG EK on large malvertising campaign
- https://blog.malware...ising-campaign/
Sep 27, 2016 - "... spotted a malvertising attack on popular website answers .com (2 million visits daily) via the same pattern that was used by Angler EK and subsequently Neutrino EK via the ‘domain shadowing‘ practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub .com). Some visitors that browsed the knowledge-based website were exposed to the fraudulent and malicious advert and could have been infected -without- even having to click on it:
> https://blog.malware...16/09/flow2.png
... In early September we noticed a change in how RIG drops its malware payload. Rather than using the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary... domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to -bypass- traditional defences at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel. Since malvertising does not require any user interaction to infect your system, you should keep your computer fully up to date and uninstall unnecessary programs... Indicators of compromise:

ads.retradio .com: 184.168.165.1: https://www.virustot....1/information/
63.141.242.35: https://www.virustot...35/information/

RIG Exploit Kit Distributing CrypMIC Ransomware
- https://atlas.arbor....ndex#1789371819
Sep 22, 2016


Edited by AplusWebMaster, 27 September 2016 - 01:36 PM.

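The Java Adwind post above turns on one naming trick: the archive member is called Agent Sendout Report.PDF.Doc.XLS.TXT.jar, and with the Windows default of hiding known extensions only the final .jar disappears, so the recipient sees a "document". The Python below is an added example for triaging attachment and archive-member names on that rule; it is not code from the quoted blogs or from this forum. The executable and document extension lists are illustrative assumptions, and the file names used are the ones quoted in the posts above plus one constructed name.

```python
import os
import re
from dataclasses import dataclass

# Extensions that run code when opened on a default Windows desktop.
# Illustrative list (assumption), not taken from the quoted posts.
EXECUTABLE_EXTS = {"jar", "wsf", "hta", "js", "jse", "vbs", "vbe",
                   "exe", "scr", "cmd", "bat", "ps1", "lnk"}
# Extensions a recipient reads as "just a document" (also an assumption).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf",
                 "ppt", "pptx", "csv"}


@dataclass(frozen=True)
class Verdict:
    name: str
    displayed_as: str   # what Explorer shows with known extensions hidden
    real_ext: str       # the extension that actually selects the handler
    deceptive: bool
    reason: str


def displayed_name(filename: str) -> str:
    """Windows hides only the final extension: 'a.pdf.jar' is shown as 'a.pdf'."""
    stem, _ = os.path.splitext(filename)
    return stem


def triage(filename: str) -> Verdict:
    """Flag names whose real extension executes code, and say how they are disguised."""
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    real_ext = ext.lstrip(".").lower()
    # Every dot- or space-separated token in the stem that looks like a
    # document extension (covers 'x.PDF.Doc.XLS.TXT.jar' as well as 'x xls.wsf').
    bait = [t for t in re.split(r"[.\s]+", stem.lower()) if t in DOCUMENT_EXTS]
    if real_ext in EXECUTABLE_EXTS and bait:
        return Verdict(base, stem, real_ext, True,
                       f".{real_ext} disguised as " + "/".join("." + t for t in bait))
    if real_ext in EXECUTABLE_EXTS:
        return Verdict(base, stem, real_ext, True,
                       f"bare script/executable .{real_ext}")
    return Verdict(base, stem, real_ext, False, "no executable extension")


def flagged(names):
    """Return only the deceptive entries of an attachment or archive listing."""
    return [v for v in map(triage, names) if v.deceptive]


if __name__ == "__main__":
    # First three names are quoted in the posts above; the last is constructed.
    samples = ["Agent Sendout Report.PDF.Doc.XLS.TXT.jar",
               "Transaction-Ref06214193.pdf",
               "Invoice-a00h.rtf",
               "Scan(70) xls.wsf"]
    for v in map(triage, samples):
        print(f"{str(v.deceptive):5} {v.name!r:45} shown as {v.displayed_as!r}: {v.reason}")
```

A non-executable verdict is not a clean bill of health: the .rtf and .pdf samples in the posts above carry macros or download links rather than a script extension, so this rule belongs at the front of a pipeline, before content-based checks, not instead of them.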


#1800 AplusWebMaster
Posted 28 September 2016 - 04:06 AM

FYI...

Fake 'Document' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Document No 25845584' (random numbers) pretending to come from random names at accounts@ your-own-email-domain or company with a random named zip attachment containing an hta file... One of the emails looks like:
From: random names at accounts@your own email domain or company
Date: Wed 28/09/2016 01:38
Subject: Document No 25845584
Attachment: Document No 25845584.zip
    Thanks for using electronic billing
    Please find your document attached
    Regards
    MAVIS CAWLEY


28 September 2016: Document No 25845584.zip: Extracts to: GVJL2720.hta - Current Virus total detections 16/55*
MALWR** was unable to get any payload or find any download sites. Payload Security*** shows a download of an encrypted filedatalinks .ir/g76vub8 which is transformed by the script to a working Locky binary. (Unfortunately Payload Security does not show the actual file or allow it to be downloaded in the free web version)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475037203/

** https://malwr.com/an...WI5MjI0NmZiZTg/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
144.76.172.200
52.24.123.95
52.85.209.134
52.33.248.56
128.241.90.219

___

Locky download and C2 locations ...
- http://blog.dynamoo....ns-2016-09.html
28 Sep 2016 - "It's one of those days where I haven't been able to look at Locky much, but here is some analysis of download locations from my usual trusted source.
Binary download locations:
(Long list of domain names at the dynamoo URL above.)...
C2s:
176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh .biz/apache_handler.php  [69.195.129.70] (Joe's Datacenter, US)
rluqypf .pw/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk .biz/apache_handler.php  [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap .info/apache_handler.php
kdbbpmrdfnlno .pl/apache_handler.php
jlhxyspgvwcnjb .work/apache_handler.php
dceaordeoe .ru/apache_handler.php
gisydkcsxosyokkuv .work/apache_handler.php
mqlrmom .work/apache_handler.php
wfgtoxqbf .biz/apache_handler.php
ndyevynuwqe .su/apache_handler.php
vgcfwrnfrkkarc .work/apache_handler.php
Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158
"
___

Fake 'Neopost documents' SPAM - Locky – Odin version
- https://myonlinesecu...y-odin-version/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Neopost documents' 0000888121970 coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file...

Screenshot: https://myonlinesecu...st-1024x730.png

28 September 2016: 0000888121970_statement_000088812197051.zip: Extracts to: ZQSA4705.wsf
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from one of these locations:
 http ://bigballsincowtown .com/67fgbcni?gjGmIb=KpIHjmIwkWU
 http ://lucianasaliani .com/67fgbcni?gjGmIb=KpIHjmIwkWU
which is transformed by the script to aCOldXqKQqm2.dll (VirusTotal 6/57***) posts back to C&C
 http ://194.67.208.69 /apache_handler.php - Payload Security[4] shows a lot more C2 connections... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475081527/

** https://malwr.com/an...WY5NTJjMzA0NGE/
Hosts
69.89.27.246
174.127.104.173
70.40.220.107
176.103.56.98
194.67.208.69


*** https://www.virustot...sis/1475077530/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
69.89.27.246
174.127.104.173
176.103.56.98
194.67.208.69
45.63.98.158
86.110.118.114

___

Something evil on 69.64.63.77
- http://blog.dynamoo....n-69646377.html
28 Sep 2016 - "This appears to be some sort of exploit kit leveraging hacked sites, for example:
    [donotclick]franchidiscarpa[.]com/index.php
    --> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report*. The IP address appears to be a customer of ServerYou... Country: UA ...
These other domains are hosted on the same IP:
[donotclick]j8le7s5q745e .org
[donotclick]3wdev4pqfw1u .org
[donotclick]fg1238tq38le .net
All of those domains are registered to:
.. Registrant Country: RU ...
It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking."
* http://urlquery.net/...d=1475082161540
77.81.224.215: https://www.virustot...15/information/

69.64.63.77: https://www.virustot...77/information/
>> https://www.virustot...a9a84/analysis/
___

Fake 'Clients accounts' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
27 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Clients accounts' coming as usual from random companies, names and email addresses with a random named zip attachment containing a wsf file... One of the emails looks like:
From: Lon Kane <Kane.84@ fixed-189-180-187-189-180-32.iusacell .net>
Date: Thu 01/09/2016 19:22
Subject: Clients accounts
Attachment: a966ea5acc18.zip
    Dear monika.griffithe,
    I attached the clients’ accounts for your next operation.
    Please look through them and collect their data. I expect to hear from you soon.
    Lon Kane
    VP Finance & Controller ...


27 September 2016: a966ea5acc18.zip: Extracts to: Clients accounts 32C58E xls.wsf
Current Virus total detections 8/55*. MALWR**... Payload Security*** shows a download of an encrypted file from
 techskillscenter .net/zenl0z which is transformed by the script to 2Ez76BlaytMAH.dll (VirusTotal 6/57[4]) Unusually, Payload Security describes this dll file as informative, rather than malicious, which would normally mean it has some sort of anti-analysis/sandbox protection to it... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474996887/

** https://malwr.com/an...WZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250


*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.247.251.145
5.196.200.247
94.242.55.225
86.110.118.114
69.195.129.70


4] https://www.virustot...sis/1474997682/


Edited by AplusWebMaster, 28 September 2016 - 03:33 PM.

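Every Locky C2 indicator quoted in the dynamoo posts above (27 and 28 September) shares the URI path /apache_handler.php, and each post ends with a recommended blocklist of IPs and one /24. The Python below is an added example, not code from the quoted blogs or from this forum, that checks outbound proxy records against both: the blocklist entries are the ones listed above, the log line layout (epoch, client IP, destination IP, method, URL) is a constructed assumption rather than any product's real format, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Recommended blocklists from the two dynamoo posts quoted above.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "5.196.200.0/24", "62.173.154.240/32", "86.110.118.114/32",
    "176.103.56.98/32", "194.67.208.69/32", "46.8.45.169/32", "45.63.98.158/32")]

# URI path used by every Locky C2 callback listed in those posts.
C2_PATH = "/apache_handler.php"

# Constructed log layout (assumption): <epoch> <client_ip> <dest_ip> <method> <url>
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")

# Constructed sample records; the first two reuse hosts quoted in the posts above.
SAMPLE_LOG = """\
1475050000 10.0.0.12 5.196.200.247 POST http://5.196.200.247/apache_handler.php
1475050005 10.0.0.12 86.110.118.114 POST http://uiwaupjktqbiwcxr.xyz/apache_handler.php
1475050010 10.0.0.25 93.184.216.34 GET http://example.com/index.html
1475050015 10.0.0.31 203.0.113.9 POST http://unknownhost.example/apache_handler.php
this line is not in the expected format
"""


def ip_in_blocklist(ip: str) -> bool:
    """True when ip falls inside any blocklisted address or network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostnames and junk are never blocklist hits
        return False
    return any(addr in net for net in BLOCKLIST)


def classify(line: str):
    """Parse one record; return None if unparseable, else a dict with hit reasons."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = parts.hostname or ""
    reasons = []
    if ip_in_blocklist(m["dest"]):
        reasons.append(f"dest {m['dest']} in blocklist")
    if ip_in_blocklist(host):
        reasons.append(f"host {host} in blocklist")
    # The path alone is a useful hunt signal: the blog's indicator list shows
    # the same path on domains that rotate faster than any blocklist.
    if parts.path == C2_PATH:
        reasons.append(f"Locky C2 URI pattern ({m['method']} {C2_PATH})")
    return {"client": m["client"], "host": host, "dest": m["dest"], "reasons": reasons}


def hunt(lines):
    """Return the records that matched at least one indicator."""
    hits = []
    for line in lines:
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG.splitlines()):
        print(rec["client"], "->", rec["host"] or rec["dest"], "|", "; ".join(rec["reasons"]))
```

The fourth sample line matches on path alone, which is the point of carrying the URI pattern next to the address list: the post-by-post indicator lists show new .xyz/.click/.work domains daily, while the callback path stayed constant across both days.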




