SPAM frauds, fakes, and other MALWARE deliveries...



#1801 AplusWebMaster

  • SWI Friend
  • 10,563 posts

Posted 29 September 2016 - 05:57 AM

FYI...

Fake 'Bill' SPAM - leads to Locky
- http://blog.dynamoo....ments-bill.html
29 Sep 2016 - "This spam leads to Locky ransomware. The sample I have seen have no body text, but have subjects in the format:
    Bill for documents 31564-29-09-2016
    Bill for parcel 08388-28-09-2016
    Bill for papers 657-29-09-2016


Each subject has a random number appended by the date. Attached is a RAR archive file with a name similar to Bill 657-29-09-2016.rar containing a malicious .js script which downloads...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following servers:
194.67.208.69/apache_handler.php (Marosnet, Russia)
89.108.83.45/apache_handler.php (Agava, Russia)
Payload detection for the version analysed was 16/56* but there could be an updated payload by now.
Recommended blocklist:
194.67.208.69
89.108.83.45
"
* https://www.virustot...44a00/analysis/

- https://myonlinesecu...ers-locky-odin/
29 Sep 2016 - "... Locky downloaders with a series of blank/empty emails with the basic subject of 'Bill for documents' 57608-28-09-2016 pretending to come from no reply @ random companies, with a semi-random named .rar attachment containing a .JS file. These are using the new .Odin file extension on the encrypted files.. The MALWR report* shows contact with an attempted download of Net framework and some sort of mapping... The subjects vary with each email. They all start with 'bill for' and either documents, paper or parcel, then a series of random numbers and the date, looking something like:
    Bill for documents 57608-28-09-2016
    Bill for papers 9341672-28-09-2016
    Bill for parcel 422-29-09-2016


... One of the  emails looks like:
From: no-reply@ simplyorganic .com
Date: Thu 29/09/2016 00:44
Subject: Bill for documents 57608-28-09-2016
Attachment: Bill 57608-28-09-2016.rar


Body content: totally blank

29 September 2016: Bill 57608-28-09-2016.rar: Extracts to: Bill 5100-4868433109.js
Current Virus total detections 8/53**. MALWR* shows a download of an encrypted file from one of these locations:
 http ://g2cteknoloji .com/8g74crec?rnhaXNpMuW=MWIKgpzUlE which is transformed by the script to ErUxQjD1.dll
(VirusTotal 9/57***) shows C2 on http ://89.108.83.45 /apache_handler.php  and also shows various other script files. Payload Security[4] shows a few other C2 servers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://malwr.com/an...zQ1ZWMyYWMyNWQ/
Hosts
185.26.144.135
194.67.208.69
89.108.83.45


** https://www.virustot...sis/1475114609/

*** https://www.virustot...sis/1475120852/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.26.144.135
89.108.83.45
194.67.208.69
45.63.98.158
69.195.129.70
52.42.26.69
52.84.40.221

___

Fake 'Debit Card blocked' SPAM - leads to Locky
- http://blog.dynamoo....cked-leads.html
29 Sep 2016 - "The attachment on this spam email leads to Locky ransomware:
    From: "Ambrose Clements"
    Subject: Temporarily blocked
    Date: Thu, 29 Sep 2016 13:37:53 +0400
    Dear [redacted]
    this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
    We attached the scan of transactions. Please confirm whether you made these transactions.


Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download...
(Many domain names listed at the dynamoo URL above.)
The decoded malware then phones home to:
195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo .pw/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
gqackht .biz/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
bgldptjuwwq .org/apache_handler.php
cxnlxkdkxxxt .xyz/apache_handler.php
rcahcieii .work/apache_handler.php
uxaoooxqqyuslylw .click/apache_handler.php
vwktvjgpmpntoso .su/apache_handler.php
upsoxhfqut .work/apache_handler.php
nqchuuvgldmxifjg .click/apache_handler.php
ofoclobdcpeeqw .biz/apache_handler.php
kfvigurtippypgw .pl/apache_handler.php
toescilgrgvtjcac .work/apache_handler.php
Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132
"

- https://myonlinesecu...delivers-locky/
29 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Temporarily blocked' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .WSF file... One of the  emails looks like:
From: Jarvis Mason <Mason.2892@ paneltek .ca>
Date: Thu 01/09/2016 19:22
Subject: Temporarily blocked
Attachment: debit_card_4b69ba102.zip
    Dear [redacted],
    this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
    We attached the scan of transactions. Please confirm whether you made these transactions.
    King regards,
    Jarvis Mason
    Technical Manager – Online Banking ...


1 September 2016: ea00debit_card_4b69ba102.zip: Extracts to: debit card details 92CF6066.wsf
Current Virus total detections 6/54*. Payload Security** shows a download of an encrypted file from
 fhgmediaent .com/66aslu which is transformed by the script to 1lenb5SzGBo0mpu.dll (VirusTotal 10/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475140581/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.227.132.66
91.200.14.93
195.123.210.11
185.117.155.20
91.234.33.132


***  https://www.virustot...sis/1475141313/
___

Fake 'Receipt' xls SPAM - Locky
- http://blog.dynamoo....receiptxls.html
29 Sep 2016 - "This spam leads to Locky ransomware:
    From     rosalyn.gregory@ gmail .com
    Date     Thu, 29 Sep 2016 21:07:46 +0800
    Subject     Receipt 103-526


I cannot tell if there is any body text, however there is an -attachment- Receipt.xls which contains malicious code... that in the case of the sample I analysed downloads a binary from:
opmsk .ru/g76ub76
There will be -many- other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:
89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov .example .com] (SKS-LUGAN, Ukraine)
xpcwwlauo .pw/apache_handler.php [hostname: vjc .kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
A malicious DLL is dropped with a detection rate of 6/57*. Malicious IPs and domains overlap quite a bit with this earlier attack**. This version of Locky encrypts files with a .odin extension...
Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132
"
1] https://malwr.com/an...jJjYmZhNTUyN2I/
Hosts
85.17.31.113
89.108.83.45


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
85.17.31.113
91.200.14.93
89.108.83.45
195.123.210.11
91.234.33.132


* https://www.virustot...sis/1475156266/

** http://blog.dynamoo....cked-leads.html
___

Fake 'New Order' SPAM - delivers Java Adwind
- https://myonlinesecu...rs-java-adwind/
29 Sep 2016 - "We continue to see Java Adwind Trojans daily... This one is an email with the subject of 'New Order' pretending to come from Claudia Schmiesing <claudia.schmiesing@ gmx .net> with a fuzzy unclear embedded image, that has a link hidden behind it, that when-clicked downloads a zip file containing a Java.jar file. This particular version is very badly detected. Java Adwind is normally quite well detected on Virus Total...

Screenshot: https://myonlinesecu...ng-1024x695.png

29 September 2016: flwfbq.zip: Extracts to: ORDER.jar  - Current Virus total detections 4/55*. MALWR**

This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1475172675/

** https://malwr.com/an...jZkODJlNWI3Mzg/
Hosts
23.105.131.212
 



Edited by AplusWebMaster, 29 September 2016 - 03:29 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
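The two reports above describe the same lure from the gateway's point of view: a 'Bill for documents/parcel/papers <number>-DD-MM-YYYY' subject with today's date, an empty body, and a .rar or .zip whose only member is a .js or .wsf script. The following is an added example (my own code, not from the forum, dynamoo or myonlinesecurity) of a mail-gateway triage rule built from exactly those indicators. The `Message` class, its `attachments` map of archive name to member names, and the three sample messages are constructed for the example; only the subject and file-name patterns come from the posts.

```python
import os
import re
from dataclasses import dataclass
from datetime import date

# Lure subject reported in the posts: "Bill for <documents|parcel|papers> <random number>-DD-MM-YYYY"
BILL_SUBJECT = re.compile(
    r"^Bill for (?:documents?|parcel|papers?)\s+\d+-(\d{2})-(\d{2})-(\d{4})$",
    re.IGNORECASE,
)

ARCHIVE_EXT = {".zip", ".rar"}
# Script types the posts report inside the archives
SCRIPT_EXT = {".js", ".wsf", ".hta"}


@dataclass
class Message:
    """Constructed mail-gateway metadata for one message (an assumption, not a real parser's output)."""
    sender: str
    received: date
    subject: str
    body: str
    # attachment filename -> member filenames when the attachment is an archive
    attachments: dict


def subject_date(subject: str):
    """Return the DD-MM-YYYY date embedded in a matching 'Bill for ...' subject, else None."""
    m = BILL_SUBJECT.match(subject.strip())
    if not m:
        return None
    day, month, year = (int(x) for x in m.groups())
    try:
        return date(year, month, day)
    except ValueError:  # e.g. month 13: the subject only looks like the lure
        return None


def scripts_in_archives(attachments: dict) -> list:
    """List archive members whose extension is a Windows script type."""
    hits = []
    for name, members in attachments.items():
        if os.path.splitext(name)[1].lower() not in ARCHIVE_EXT:
            continue
        for member in members:
            if os.path.splitext(member)[1].lower() in SCRIPT_EXT:
                hits.append(f"{name} -> {member}")
    return hits


def triage(msg: Message) -> list:
    """Return the list of indicators found; an empty list means nothing matched."""
    reasons = []
    if BILL_SUBJECT.match(msg.subject.strip()):
        reasons.append("subject matches 'Bill for ... N-DD-MM-YYYY' lure")
        d = subject_date(msg.subject)
        if d and abs((d - msg.received).days) <= 1:
            reasons.append("subject date is within a day of receipt")
    if not msg.body.strip():
        reasons.append("empty body")
    for hit in scripts_in_archives(msg.attachments):
        reasons.append(f"script inside archive: {hit}")
    return reasons


def should_quarantine(msg: Message) -> bool:
    """Quarantine on any script-in-archive, or on the lure subject combined with an empty body."""
    reasons = triage(msg)
    has_script = any(r.startswith("script inside archive") for r in reasons)
    lure = any(r.startswith("subject matches") for r in reasons) and "empty body" in reasons
    return has_script or lure


# Constructed samples modelled on the two posts above (senders and member names are illustrative)
SAMPLES = [
    Message("no-reply@simplyorganic.com", date(2016, 9, 29), "Bill for documents 57608-28-09-2016", "",
            {"Bill 57608-28-09-2016.rar": ["Bill 5100-4868433109.js"]}),
    Message("Mason.2892@paneltek.ca", date(2016, 9, 29), "Temporarily blocked",
            "Dear customer, this is to inform you ...",
            {"debit_card_4b69ba102.zip": ["debit card details 92CF6066.wsf"]}),
    Message("alice@example.com", date(2016, 9, 29), "Bill for Q3 review",
            "Hi, the numbers are attached.", {"q3.zip": ["q3-summary.xlsx"]}),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(should_quarantine(m), m.subject, triage(m))
```

The script-in-archive check stands on its own as a quarantine trigger because the posts show the same container trick behind every lure on the page, while the subject pattern is only combined with the empty body so that a legitimate 'Bill for ...' mail with text and a PDF passes.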


#1802 AplusWebMaster


Posted 30 September 2016 - 05:04 AM

FYI...

Fake 'Receipt' SPAM - delivers Locky – Odin
- https://myonlinesecu...ers-locky-odin/
30 Sep 2016 - "The Locky ransomware malware gang appear to be copying Dridex this week and going back to using word docs with embedded macros to deliver the ransomware... Locky downloaders.. a blank/empty email with the subject of 'Receipt' 45019-0740 (random numbers) pretending to come from random names at gmail .com with a random named word doc. The doc attachment name matches the subject line... One of the  emails looks like:
From: chandra.har?@ gmail .com
Date: Fri 30/09/2016 10:12
Subject: Receipt 45019-0740
Attachment: Receipt 45019-0740.doc


Body content: Totally Blank/Empty

30 September 2016: Receipt 45019-0740.doc - Current Virus total detections 9/55*
.. MALWR** shows a download of an encrypted file from http ://travelinsider .com.au/021ygs7
 which is transformed by the script to hupoas.dll (VirusTotal 8/57***). C2 is
 http ://149.202.52.215 /apache_handler.php . Payload Security[4] shows the multiple additional C2 sites. Neither online sandbox actually shows any Locky screenshots today, but Malwr clearly shows odin files in the lists... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475226679/

** https://malwr.com/an...zRjNjkxNjdmNWE/
Hosts
203.98.84.123
89.108.83.45
149.202.52.215


*** https://www.virustot...sis/1475227548/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
203.98.84.123
89.108.83.45
91.200.14.93
149.202.52.215
185.43.4.143

___

Fake 'Parcel details' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
30 Sep 2016 - "... Locky downloaders.. an email pretending to be a DHL cannot deliver message with the subject of 'Parcel details' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with DHL_parcel containing a WSF file... fake/spoofed DHL (and other delivery companies) malspam emails... One of the  emails looks like:
From: DHL <Phelps.0827@ parket-ekonom .ru>
Date: Fri 30/09/2016 10:48
Subject: Parcel details
Attachment: DHL_parcel_06cda564b.zip
    Dear berkeley,
    We couldn’t deliver your parcel on September 30th because we couldn’t verify the given address.
    Attached is the shipment label. Please print it out to take the parcel from our office.
    Label-ID: acd8e33709cb62ea9825f9de779d1dfb8f6b566af6779b11928a9e053f
    Best Wishes,
    Reyes Phelps
    DHL Express Service


30 September 2016: DHL_parcel: Extracts to: DHL parcel 25514DCA.wsf - Current Virus total detections 7/55*
.. MALWR** seems unable to decode/decrypt these very heavily obfuscated scripting files. Payload Security*** shows a download of an encrypted file from fernandoarias .org/tmlvg7el which is transformed by the script to
a working Locky file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475228984/

** https://malwr.com/an...zZkODA4ZmU2YjE/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.186.0.7
52.34.245.108
52.222.157.47
52.41.235.21

 



Edited by AplusWebMaster, 30 September 2016 - 07:39 AM.



#1803 AplusWebMaster


Posted 03 October 2016 - 05:31 AM

FYI...

Fake 'Scan' SPAM - leads to Locky
- http://blog.dynamoo....52626-sent.html
3 Oct 2016 - "This -fake- document scan leads to Locky ransomware:
    From:    DAMON ASHBROOK
    Date:    3 October 2016 at 10:56
    Subject:    [Scan] 2016-1003 15:26:26
    --
    Sent with Genius Scan for iOS.


The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat. This Malwr analysis* shows some of the infection in action. Overall my sources tell me that the various malicious macros download...
(Long list of domain-names listed at the dynamoo URL above.)
C2 locations are:
149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
logwudorlghdou .info/apache_handler.php
krmwgapkey .work/apache_handler.php
hruicryqytbmc .xyz/apache_handler.php
vswaagv .org/apache_handler.php
smskymrtssawsjb .org/apache_handler.php
wvandssbv .org/apache_handler.php
ytxsbkfjmyxglvt .click/apache_handler.php
rqybmggvssutf .xyz/apache_handler.php
qaemlwlsvqvgcmbke .click/apache_handler.php
btlyarobjohheg .ru/apache_handler.php
civjvjrjjlv .pw/apache_handler.php
xlarkvixnlelbsvxl .xyz/apache_handler.php
A DLL is dropped with a detection rate of 19/57**.
Recommended blocklist:
149.202.52.215
217.12.199.244
"
* https://malwr.com/an...2I1YzIyZWZkNGI/
Hosts
69.89.29.98
149.202.52.215


** https://www.virustot...sis/1475489696/
___

Fake 'please sign' SPAM - leads to Locky
- http://blog.dynamoo....s-to-locky.html
3 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject:     please sign
    From:     Ricardo Buchanan
    Date:     Monday, 3 October 2016, 10:27
    Hi [redacted],
    I have made the paperwork you asked me to prepare two days ago.
    Please check the attachment. It just needs your signature.
    Best Wishes,
    Ricardo Buchanan
    CEO


In the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name... obfuscated script... appears to download Locky ransomware. Analysis is pending.
UPDATE: This Hybrid Analysis* clearly shows Locky in action. According to my sources there are no C2s..."
(Long list of domain-names at the dynamoo URL above.)
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
65.49.80.83
165.246.165.245
52.34.245.108
52.85.184.19
63.245.215.95


- https://myonlinesecu...monday-morning/
3 Oct 2016 - "... loads of Locky today. We are seeing multiple subjects, emails and attachments. We are seeing XLS files and the typical .wsf files inside zips... email looks like:
From: KIETH WOOLDRIDGE <kieth.wooldridge.61@ kimiabiosciences .com> (random senders)
Date: Mon 03/10/2016 08:45
Subject: [Scan] 2016-1003 12:14:45
Attachment: 2016-1003 12-14-45.xls
    —
    Sent with Genius Scan for iOS.


... (another) version is:
From: Anita Ramsey <Ramsey.663@ equestrianarts .org>  (random senders)
Date: Mon 03/10/2016 09:51
Subject: please sign
Attachment: paperwork_scan_35886e2.zip  extracts to paperwork scan ~D45D50C5.wsf
    Hi [redacted],
    I have made the paperwork you asked me to prepare two days ago.
    Please check the attachment. It just needs your signature.
    Best Wishes,
    Anita Ramsey
    Head of Corporate Relations


MALWR [1] [2] [3] | VirusTotal [4][5][6] downloads from
 http ://mmm2.aaomg .com/jhg45s and http ://crossroadspd .com/jhg45s which will be converted to siluans.dll
(Virustotal 14/57*) or from ossiatzki .com/dyke9 which is converted to MMCnbLicrHhc.dll (virusTotal 14/57**)..
 Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://malwr.com/an...jZmYTI0ZWJlYmM/
Hosts
96.0.130.2
217.12.199.244


2] https://malwr.com/an...TNmNmU4ZWRjZmY/
Hosts
208.71.139.66
217.12.199.244


3] https://malwr.com/an...WVjOGJlMWJkMzE/

4] https://www.virustot...sis/1475484796/

5] https://www.virustot...sis/1475484485/

6] https://www.virustot...sis/1475484779/

* https://www.virustot...sis/1475479730/

** https://www.virustot...sis/1475479730/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
111.221.40.34
54.218.66.17
52.85.184.121

 



Edited by AplusWebMaster, 03 October 2016 - 06:20 AM.



#1804 AplusWebMaster


Posted 04 October 2016 - 05:23 AM

FYI...

Fake 'Refund' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
4 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Refund' pretending to come from various randomly chosen delivery, parcel or postal companies with a semi random named zip attachment starting with refund containing a WSF file... a very small portion of the several hundred received in the last few minutes, so -Any- delivery company is likely to be spoofed.
Royal Mail
PostNL
Schenker AG
Japan Post Group
FedEx
DHL
DHL Express


One of the  emails looks like:
From: Royal Mail <Reynolds.21@ usacabs .com>
Date: Thu 01/09/2016 19:22
Subject: Refund
Attachment: refund_scan_a2e0a7b.zip
    Dear [redacted], please submit the return form to receive the refund.
    The parcel must have its original packaging. The return form is attached in this mail.
    Best regards,
    Elsa Reynolds
    Royal Mail


4 October 2016: refund_scan_a2e0a7b.zip: Extracts to: refund scan 392CDC4.wsf
 Current Virus total detections 8/54*. Payload Security** shows a download of an encrypted file from
 motos13 .com/w0bmffo which is transformed by the script to a working Locky file. Unfortunately Payload Security does not show or allow download of the file in the free web version. This looks like the version with no C2 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475567273/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.93.240.134
52.85.184.21
52.41.235.21

___

Fake 'Bill for parcel' SPAM - delivers Locky – Odin
- https://myonlinesecu...ers-locky-odin/
4 Oct 2016 - "... Locky downloaders.. a -blank- email with the subject of 'Bill for parcel' 064983-04-10-2016 pretending to come  from no-reply @ random email addresses  with a random named zip attachment containing a WSF file. This version of Locky with an Odin-extension is using DLL files, whereas last night’s version* used .exe files.
* https://myonlinesecu...delivers-locky/
The subject line will always start with 'Bill' for then it will be either 'Parcel, Document, Documents, Papers' or other similar words then a random number then today’s date... One of the  emails looks like:
From: no-reply@ speroresources .com
Date: Tue 04/10/2016 08:04
Subject: Bill for parcel 064983-04-10-2016
Attachment: Bill 772-04-10-2016.zip


Body content: totally blank/empty

4 October 2016: Bill 772-04-10-2016.zip: Extracts to: Bill 3609756-04-10-2016.wsf
 Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
 http ://aluvista .com/erg7cbr?QJWtIXrQ=oUDSEKIWsF which is transformed by the script to WkOUeAz1.dll
(VirusTotal 7/56***). C2 is http ://158.255.6.115 /apache_handler.php - other C2 locations are shown in the Payload Security report[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475561395/

** https://malwr.com/an...WIzNmQyM2ViMzk/
Hosts
78.46.34.83
158.255.6.115


*** https://www.virustot...sis/1475567524/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.46.34.83
158.255.6.115
81.177.26.201
52.85.184.9

___

Fake 'Voicemail' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Voicemail' from [random name] [random number] <[random number]> [random time] pretending to come from voicemailandfax@ random email addresses  with a semi-random named zip attachment containing a HTA file... One of the  emails looks like:
From: SureVoIP <voicemailandfax@ nexgtech .com>
Date: Mon 03/10/2016 22:22
Subject: Voicemail from Sherri metcalf 00780261644 <00780261644> 00:01:40
Attachment: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip
    Message From “Sherri metcalf 00780261644” 00780261644
    Created: 2016.10.03 16:23:42
    Duration: 00:01:40 ...


3 October 2016: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip: Extracts to: 0332451600272.hta
 Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
 acaciainvest .ro/98h86f?HmaeXAiu=CQDbSkNs which is transformed by the script to xsyMCaVC1.exe
(VirusTotal 5/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475531086/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
188.240.2.32
149.202.52.215
81.177.26.201
52.85.184.21


*** https://www.virustot...sis/1475531106/
___

Fake 'Travel Itinerary' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Travel Itinerary' pretending to come from random airline companies with a semi-random named zip attachment starting with 'Travel_Itinerary' containing a WSF file... I have seen these pretend to come from just about every airline in existence. Some received include:
Asiana Airlines <Flynn.92@ dsldevice .lan>
Swiss Air Lines <Hamilton.560@ dsldevice .lan>
Lufthansa <Cardenas.4568@ sewerlinereplacementrichmond .com>
Thai Airways <Mercer.030@ airtelbroadband .in>
Singapore Airlines <Burt.5051@ nbftv .no>
Cathay Pacific <Pacheco.074@ telecomitalia .it>
Turkish Airlines <Barker.585 @sabanet .ir>
Emirates <Flores.935@ deborahkellymft .com>
Virgin Australia <Terry.46@ philipskillman .com>
Qantas Airways <Weiss.213@ ceas .com.ve>


One of the  emails looks like:
From: Asiana Airlines <Flynn.92@ dsldevice .lan>
Date: Mon 03/10/2016 19:09
Subject: Travel Itinerary
Attachment: Travel_Itinerary-a884558.zip
    Dear [redacted]
    Thank you for flying with us! We attached the Travel Itinerary for Your booking number #3FD6F18.
    See the paid amount and flight information.
    Best regards,
    Stephan Flynn
    Asiana Airlines


3 October 2016: Travel_Itinerary-a884558.zip: Extracts to: Travel_Itinerary-4F2AD50.wsf
 Current Virus total detections 5/54*. MALWR is unable to fully analyse these and get any download links or payload. Payload Security** shows a download of an encrypted file from
 onlinesigortam .net/njahqfis which is transformed by the script to a working Locky file...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475518144/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
159.253.36.221
185.135.80.235
91.219.31.49
178.63.238.182
69.195.129.70
50.112.202.19
52.85.184.9

 



Edited by AplusWebMaster, 04 October 2016 - 07:49 AM.



#1805 AplusWebMaster


Posted 05 October 2016 - 05:02 AM

FYI...

Fake 'Document' SPAM - leads to Locky
- http://blog.dynamoo....m-leads-to.html
5 Oct 2016 - "I have only received a single sample of this spam, presumably it comes from random senders. There is no-body-text in my sample.
    Subject:     Document from Paige
    From:     Paige cuddie (Paige592035@ gmail .com)
    Date:     Wednesday, 5 October 2016, 9:37


In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script... DOC-20161005-WA0002715.wsf. Automated analysis [1] [2] shows this sample downloads from:
euple .com/65rfgb?EfTazSrkG=eLKWKtL
There will be many other locations besides this. Those same reports show the malware (in this case Locky ransomware) phoning home to:
88.214.236.36 /apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100 /apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)
The sample I found downloaded a legitimate binary from ciscobinary.openh264 .org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.
Recommended blocklist:
88.214.236.0/23
109.248.59.0/24
"
1] https://malwr.com/an...mZkYjY3YzEyMWU/
Hosts
23.88.37.83
88.214.236.36


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.88.37.83
88.214.236.36
109.248.59.100
52.32.150.180
52.85.184.129
52.41.235.21

___

Fake 'complaint letter' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with complaint_letter_ containing a WSF file... note the misspelled/typo error in the email body, 'King regards'. We have seen that quite frequently... One of the  emails looks like:
From: Roxie Davis <Davis.863@ adsl.viettel .vn>
Date: Wed 05/10/2016 10:20
Subject:  complaint letter
Attachment: complaint_letter_cb9d039ea.zip
    Dear [redacted], client sent a complaint letter regarding the data file you provided.
    The letter is attached. Please review his concerns carefully and reply him as soon as possible.
    King regards,
    Roxie Davis


5 October 2016: complaint_letter_cb9d039ea.zip: complaint letter 4A683AD.wsf
Current Virus total detections 8/53*... Payload Security** shows a download of an encrypted file from
 upper-classmen .com/k1hd6 which is transformed by the script to RpKwxNZ92.dll (VirusTotal 8/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustot...sis/1475660416/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.138.189.69
109.248.59.100
88.214.236.36
217.12.223.78
109.248.59.164
91.219.31.49


*** https://www.virustot...sis/1475661773/
___

Fake 'Cancellation request' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Cancellation request' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with  Cancellation_Form_ containing a .JS file... One of the  emails looks like:
From: Katharine Clayton <Clayton.892@ myfghinc .com>
Date: Wed 05/10/2016 19:40
Subject: Cancellation request
Attachment: Cancellation_Form_3805419.zip
    Dear [redacted], to cancel the request you made on October 4th, you need to fill out the cancellation form attached in this email.
    Contact us if you need further assistance.
    Best regards,
    Katharine Clayton
    Clients Support


5 October 2016: Cancellation_Form_3805419.zip: Extracts to: Cancellation Form 4FDE6.js
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from
 http ://noisecontrols .com/dctpl4c which is transformed by the script to CSWzQT0oHGGp27m.dll
 (VirusTotal 11/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475693156/

** https://malwr.com/an...2FkODY5MWI3MjQ/
Hosts
101.100.175.250

*** https://www.virustot...sis/1475694004/
 



Edited by AplusWebMaster, 05 October 2016 - 03:11 PM.

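Every C2 on this page checks in to `/apache_handler.php`, and the dynamoo post above publishes its blocklist as CIDR ranges (88.214.236.0/23, 109.248.59.0/24) rather than single addresses, so a proxy-log check has to match both the path and address ranges. The following is an added example (my own code, not from the forum or either blog) that scans a constructed proxy log for both indicators and lists the clients that completed a check-in. The log format (`<epoch> <client_ip> <method> <url> <status>`) and the client addresses are assumptions; the blocklist entries and destination hosts are the ones quoted on the page, including the legitimate openh264 download the post mentions, which must not alert.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Blocklist entries quoted from the dynamoo posts above (the CIDR ranges are the author's)
BLOCKLIST = ["88.214.236.0/23", "109.248.59.0/24", "149.202.52.215", "217.12.199.244"]
NETWORKS = [ipaddress.ip_network(entry, strict=False) for entry in BLOCKLIST]

# The check-in path every C2 on the page shares
C2_PATH = re.compile(r"^/apache_handler\.php$")

# Constructed proxy log format (assumption, not any product's real format):
#   <epoch> <client_ip> <method> <url> <status>
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def on_blocklist(host: str) -> bool:
    """True when host is an IP literal inside one of the blocklisted addresses or ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return False
    return any(addr in net for net in NETWORKS)


def classify(line: str):
    """Parse one log line and return the indicators it matches; None if the line is unparseable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if C2_PATH.match(parts.path):
        reasons.append("c2-path")          # /apache_handler.php check-in
    if on_blocklist(host):
        reasons.append("blocklisted-ip")   # destination inside a published range
    return {"ts": ts, "client": client, "method": method, "host": host, "reasons": reasons}


def scan(log_text: str) -> list:
    """Return one alert per line that matched at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            alerts.append(rec)
    return alerts


def clients_to_isolate(alerts: list) -> list:
    """Clients that completed a C2 check-in (path and blocklisted IP together), sorted."""
    hits = Counter(a["client"] for a in alerts
                   if {"c2-path", "blocklisted-ip"} <= set(a["reasons"]))
    return sorted(hits)


# Constructed sample log: destinations come from the post, client addresses are made up
SAMPLE_LOG = """\
1475660416.101 10.0.0.12 POST http://109.248.59.100/apache_handler.php 200
1475660417.220 10.0.0.12 GET http://ciscobinary.openh264.org/openh264-win32-v1.3.zip 200
1475660418.305 10.0.0.33 GET http://88.214.237.9/ 404
1475660419.410 10.0.0.33 GET http://www.example.net/apache_handler.php 200
1475660420.500 10.0.0.45 GET http://www.example.com/index.html 200
garbage line that does not match the format
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["client"], alert["host"], alert["reasons"])
    print("isolate:", clients_to_isolate(scan(SAMPLE_LOG)))
```

A path-only hit on an unlisted host is kept as an alert but does not by itself put a client on the isolation list, since the path is a string anyone could serve; a range hit on a different path is worth a look because the posts show the same hosting ranges being reused from one campaign to the next.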


#1806 AplusWebMaster


Posted 06 October 2016 - 04:25 AM

FYI...

Fake 'Your Order' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
6 Oct 2016 - "... Locky downloader.. an email with the subject of 'Your Order' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting order_details_ containing a .JS file... One of the  emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: order_details_bfa256b5.zip
    Your order has been proceeded. Attached is the invoice for your order A-1376657.
    Kindly keep the slip in case you would like to return or state your product’s warranty.


6 October 2016: order_details_bfa256b5.zip: Extracts to: Cancellation Form 0D582E2.js
Current Virus total detections 7/54*. MALWR** shows a download of an encrypted file from
  http ://pioneerschina .com/xwks4 which is transformed by the script to Prxa55gCpc.dll (VirusTotal 12/56***)
C2 http ://217.12.223.78 /apache_handler.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475741537/

** https://malwr.com/an...b86ec016cdab8ad
Hosts
69.195.71.128
217.12.223.78


*** https://www.virustot...sis/1475742167/

- http://blog.dynamoo....inevitable.html
6 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    Adrian Salinas
    Date:    6 October 2016 at 10:13
    Subject:    Your Order
    Your order has been proceeded. Attached is the invoice for your order A-6166964.
    Kindly keep the slip in case you would like to return or state your product's warranty.


Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js
According to my source, these various scripts then download a component...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following IPs (belonging pretty much to the usual suspects):
46.8.44.105 /apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76 /apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21 /apache_handler.php (TheFirst-RU, Russia)
217.12.223.78 /apache_handler.php (ITL, Ukraine)
46.183.221.134 /apache_handler.php (Dataclub, Latvia) ...
Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78
"
___

Fake 'Invoice' SPAM - .doc attachment leads to Locky
- http://blog.dynamoo....6-12345678.html
6 Oct 2016 - "This -fake- financial spam leads to malware:
    From:    invoices@ [redacted] .com
    Date:    6 October 2016 at 07:16
    Subject:    Invoice-365961-42888419-888-DE0628DA
    Dear Customer,
    Please find attached Invoice 42888419 for your attention.
    Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept'
    ### This mail has been sent from an un-monitored mailbox ###


The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc... The sample I sent for automated analysis [1] [2] downloads some data from:
eaglemouth .org/d5436gh
... my sources (thank you, you know who you are) that there are additional download locations at:
dabihfluky .com/d5436gh
fauseandre .net/d5436gh
This particular variant of Locky ransomware uses black hat hosting for this download location rather than a -hacked- legitimate site. All these domains are hosted on the following IPs:
62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France) ...
(Many domain-names listed at the dynamoo URL above.) ...
A DLL is dropped with a detection rate of 13/56*.
UPDATE: I completely forgot to include the C2. D'oh.
109.248.59.164 /apache_handler.php (Netart, Russia)
Recommended blocklist:
62.84.69.75
85.118.45.12
109.248.59.164
"
1] https://malwr.com/an...DcwN2E5ODBmMjU/
Hosts
85.118.45.12

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.84.69.75
109.248.59.164
52.32.150.180
54.192.203.206


* https://virustotal.c...sis/1475744035/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 06 October 2016 - 05:27 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1807 AplusWebMaster

Posted 07 October 2016 - 04:59 AM

FYI...

Fake 'wrong paychecks' SPAM - delivers Locky/Odin
- https://myonlinesecu...ers-locky-odin/
7 Oct 2016 - "... Locky downloader.. an email with the subject of 'wrong paychecks' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with paychecks_ containing a .JS file... One of the emails looks like:
From: Guy Bennett <Bennett.75@ janicerich .com>
Date: Thu 06/10/2016 22:17
Subject: wrong paychecks
Attachment: paychecks_43b3b18.zip
    Hey [redacted]. They send us the wrong paychecks. Attached is your paycheck arrived to my email by mistake.
    Please send mine back too.
    Best regards,
    Guy Bennett


7 October 2016: ea00paychecks_43b3b18.zip: Extracts to: paychecks exported 5648A20E.js
Current Virus total detections 11/54*. MALWR** shows a download of an encrypted file from
 http ://bdfxb .com/jp0zuso which is transformed by the script to YXljL8XPAjn.dll (VirusTotal 10/56***). Payload Security[4] shows multiple C2 and additional download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475801339/

** https://malwr.com/an...zg0OTJjN2NhMjU/
Hosts
182.92.220.92

*** https://www.virustot...sis/1475820102/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

 



#1808 AplusWebMaster

Posted 11 October 2016 - 04:56 AM

FYI...

Dridex - random subjects with cab files - SPAM
- https://myonlinesecu...with-cab-files/
11 Oct 2016 - "... an email with a variety of subjects along the lines of 'Form Sydnee I. Hahn' (initial word is either Form/Token/License/Certificate or other similar word followed by a name that matches the name in the body of the email), coming as usual from random companies, names and email addresses with a semi-random named cab file attachment (that matches the subject word) containing a .JS file (cab files are Microsoft specific archives (zip files) that are normally used for windows updates. Almost any unzipping tool will extract them; however, windows explorer will natively extract and -autorun- any content inside a cab file if double clicked to open them). This looks like Dridex today, rather than the Locky ransomware...
Update 09.30 UTC: A second run starting with a mix of .cab files and .zip files, possibly because many mail filtering systems including Mail Scanner used on a high proportion of Linux mail servers detects and warns about .cab files by default. Some servers are set to block them automatically. This server is set to warn about potentially dangerous file extensions but not block them (to certain domains only) so I can obtain malware samples to warn/alert and submit to anti-virus companies and help protect everybody. For every cab file that I have received so far, I also got a warning message to my postmaster/admin email address. The sort of subjects we are seeing include:
    Form Sydnee I. Hahn
    Token Jolie T. Barrett
    License Armando H. Bates
    Certificate Brittany T. Beach
    Archive Linda K. McLaughlin
    Papers Sylvia C. Price
    Agreement Dieter U. Vinson
    Report David W. Rogers
    Document Isaac Q. Lucas


One of the emails looks like:
From: HilariSydnee I. Hahn <rtep.springvale@ ljh .com.au>
Date: Tue 11/10/2016 08:03
Subject: Form Sydnee I. Hahn
Attachment: Form.cab
    Good morning
    Please review your Form.
    I’m waiting for your reply
    Kindest regards
    Sydnee I. Hahn


An alternative body content:
    Hi
    Here is your Token.
    Pls inform me the answer as soon as posible
    Regards
    Jolie T. Barrett


An alternative body content:
    Greetings
    Here is your License.
    I’m still waiting for your answer
    Cain M. Rogers


11 October 2016: Form.cab: Extracts to: 20792.tmp - Current Virus total detections 0/55*
.. MALWR** shows a download from http ://www .mobilemanager .fr/log.khp which gave me 20792.tmp (VirusTotal 6/56***)
Detections are inconclusive but Payload Security[4] indicates that this is most probably Dridex banking Trojan. However, that also shows an error in running the file with an unsupported system message. That might mean that there is a fault with the Dridex binary or, more likely, that the Dridex malware gang have added even more protections to their malware, stopping it from running when a sandbox or VM is detected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476169831/

** https://malwr.com/an...jdlOTYxZDc3YmE/
Hosts
217.76.132.43

*** https://www.virustot...sis/1476170061/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
217.76.132.43
195.154.163.166
88.213.204.147

___

Potential Hurricane Matthew Phishing Scams
- https://www.us-cert....-Phishing-Scams
Oct 11, 2016 - "US-CERT warns users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Matthew. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Matthew, even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from deceptive charitable organizations commonly appear after major natural disasters.
US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:
- Do not follow unsolicited web links in email messages.
- Use caution when opening email attachments. Refer to the Using Caution with Email Attachments Cyber Security Tip[1] for more information on safely handling email attachments.
- Keep antivirus and other computer software up-to-date.
- Refer to the Avoiding Social Engineering and Phishing Attacks Cyber Security Tip[2] for more information on social engineering attacks.
- Review the Federal Trade Commission information on Charity Scams[3].
- Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. You can find trusted contact information for many charities on the BBB National Charity Report Index[4]."
1] http://www.us-cert.g...s/ST04-010.html

2] http://www.us-cert.g...s/ST04-014.html

3] https://www.consumer...1-charity-scams

4] http://give.org/char...eviews/national
 



Edited by AplusWebMaster, 11 October 2016 - 01:20 PM.



#1809 AplusWebMaster

Posted 12 October 2016 - 04:03 AM

FYI...

Fake 'Payment - wire transfer' SPAM - delivers Java Adwind
- https://myonlinesecu...rs-java-adwind/
12 Oct 2016 - "... daily.. -fake- financial themed emails containing java adwind attachments...

This article[1] from a couple of years ago explains why you should remove it.

If you cannot remove it then it -must- be kept up-to-date[2] .. be extremely careful with what you download or open...
1] https://www.theguard...jack-technology
2] https://java.com/en/download/
... The email looks like:
From: Account <order@ coreadmin .eficaz .cl>
Date: Wed 12/10/2016 04:56
Subject: RE: Payment
Attachment: Details.zip
    Hi,
    Did you authorize any wire transfer to our account?
    We have received an amount of USD79,948.12 from your account and we do not know what this fund is for.
    We do not have any transaction with your company that we know about. So why making payment to us.
    Please see the attached remittance documents and double-check with your bank.
    We wait for your comment.
    Best Regards,
    Leo Lee,
    Navkar Corporation Ltd
    215 Lumpoo Road, Wadsampraya, Pranakorn
    Bangkok, 10200 Thialand ...


12 October 2016: details.jar (119kb) - Current Virus total detections 5/55*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476250143/

** https://www.hybrid-a...vironmentId=100
 



#1810 AplusWebMaster

Posted 13 October 2016 - 06:37 AM

FYI...

WSF email attachments - latest malware delivery vehicle
- https://www.helpnets...lware-delivery/
Oct 13, 2016 - "Most users have by now learned not to open executable (.EXE), various MS Office, RTF and PDF files delivered via -unsolicited- emails, but malware peddlers are always trying out new ways to trick users, email filters and AV software... According to Symantec*, Windows Script Files (WSFs) are the latest file types to be exploited to deliver malware via email...
> https://www.helpnets...attachments.jpg
Number of blocked emails containing malicious WSF attachments by month "

Surge of email attacks using malicious WSF attachments
* https://www.symantec...wsf-attachments
12 Oct. 2016 - "Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files...
Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer...
> Tips on protecting yourself from ransomware
  Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
  Always keep your security software up to date to protect yourself against any new variants of malware.
  Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email."
 



#1811 AplusWebMaster

Posted 18 October 2016 - 04:44 AM

FYI...

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
17 Oct 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ websitesage60 .us> with a malicious word doc attachment is another one from the current bot runs... I do not know exactly what malware this downloads... The website that the macro inside the malicious word doc connects to is not owned or controlled by HMRC or any other part of the UK government and has been registered to be used as a malware/fraud site http ://hmrc.gsigov .co.uk using false details:
- http://whois.domaint...om/gsigov.co.uk .. on IP 185.81.113.102 ...

Screenshot: https://myonlinesecu...rc-1024x771.png

The word doc, which falsely states it was created in an earlier version of word and you 'should enable editing to view it', when opened safely pretends to be a VAT notice and surcharge liability and you need to pay £29,678:
> https://myonlinesecu...17-1024x800.png

17 October 2016: 18066000010075130101.doc - Current Virus total detections 4/54*. MALWR** shows a download from
 http ://hmrc.gsigov .co.uk/vat.exe (VirusTotal 4/56***). Payload Security [1] [2] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476717095/

** https://malwr.com/an...DUzNDBiZGU2MTg/
Hosts
185.81.113.102: https://www.virustot...02/information/
> https://www.virustot...b33a8/analysis/

*** https://www.virustot...sis/1476724305/

1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.81.113.102

2] https://www.hybrid-a...vironmentId=100
 



Edited by AplusWebMaster, 18 October 2016 - 06:28 AM.



#1812 AplusWebMaster

Posted 19 October 2016 - 04:03 AM

FYI...

Fake 'RE: P/O' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
19 Oct 2016 - "We continue to be plagued daily by -fake- financial themed emails containing java adwind attachments... The email looks like:
From: Sales <order@ ncima-holding .ci>
Date: Tue 18/10/2016 18:28
Subject: RE: P/O
Attachment: NEW P.O.zip
    Attached is the Purchase order list
    please confirm so we can proceed.
    Thank you.
    ——————————-
    sent from my iPad ...


19 October 2016: New P.O.jar (273kb) - Current Virus total detections 9/56*. Payload Security**...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476831444/

** https://www.hybrid-a...vironmentId=100
 



#1813 AplusWebMaster

Posted 20 October 2016 - 05:19 AM

FYI...

Fake 'Credit Note' SPAM - delivers trickbot/dyre banking Trojan
- https://myonlinesecu...banking-trojan/
20 Oct 2016 - "... an email with the subject of 'Credit Note CN-81553 from Nordstrom Inc (7907)' pretending to come from Accounts <message-service@ post. xero .com> with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the emails looks like:
From: Accounts <message-service@ post. xero .com>
Date: Thu 20/10/2016 01:21
Subject: Credit Note CN-81553 from Nordstrom Inc (7907)
Attachment: CN_81274.zip
    Hi Orlando,
    Attached document is your credit note CN-81553 for 508.18 AUD.
    This has been allocated against invoice number.
    If you have any questions, please let us know.
    Thanks,
    Staff Leasing Inc.


20 October 2016: CN_81274.zip: Extracts to: CN-81274.scr - Current Virus total detections 17/57*
.. Payload Security** shows a download/drop of another file RXGp0aqU55eY5AnMxB.exe.exe (VirusTotal 8/57***)
Payload Security[4] .. appears to be dyre/trickloader banking Trojan ... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476937031/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.14.29.13
78.47.139.102
91.219.28.77


*** https://www.virustot...sis/1476932944/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.47.139.102
91.219.28.77
80.79.114.179

___

Fake 'FedEx' SPAM - delivers ransomware
- https://myonlinesecu...ver-ransomware/
20 Oct 2016 - "We are seeing an uptick in the 'FedEx - unable to deliver' malspam emails this week... they are so common and I always get 1 or 2 every day.. today I am receiving quite an increase in numbers over the usual amount... With the holiday season quickly approaching and many more people shopping online, we will see a dramatic increase in these over the next few weeks and months as more people wait for their deliveries... The sort of subjects that you see with this malspam nemucod ransomware campaign which will always have random numbers include:
    Delivery Notification, ID 00898050
    Shipment delivery problem #0000613766
    Problem with parcel shipping, ID:0000857607
    Problems with item delivery, n.00000693983
    Unable to deliver your item, #0000274397


One of the emails looks like:
From: FedEx Ground <wade.barry@ hosteriasanpatricio .com .ar> or FedEx 2Day A.M. <ruben.morris@ hosteriasanpatricio .com .ar>
Date: Thu 01/09/2016 19:22
Subject: Shipment delivery problem #0000613766  or Delivery Notification, ID 00898050
Attachment: FedEx_ID_0000613766.zip
    Dear Customer,
    We could not deliver your item.
    Please, open email attachment to print shipment label.
    Sincerely,
    Wade Barry,
    Sr. Support Agent.

Or
    Dear Customer,
    We could not deliver your item.
    Shipment Label is attached to email.
    Warm regards,
    Ruben Morris,
    Sr. Operation Manager.


20 October 2016: FedEx_ID_0000613766.zip: Extracts to: FedEx_ID_0000613766.doc.wsf
Current Virus total detections 25/55*: Payload Security** shows downloads of the usual multiple files from
  www .industrial-automation .at/counter/?ad=17MGS22ZVQcqSyHw4VU2NvC5SL4eCPhCJb&id=LZUB9RUv-KCRW63gDdZ5mD075Y_vJ1F6feiXr_Sv5Nbbhxr8QKIPLwoOhYdjCOIqaWV65TnMZepmeok-Renqlmw1ioeBLbM8&rnd=01
  (with a range from 01–04 that delivers different parts of the malware package)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476944618/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
212.152.181.199
___

Fake 'ACH Payment' SPAM - delivers trickbot/dyre banking Trojan
- https://myonlinesecu...banking-trojan/
20 Oct 2016 - "... an email with the subject of 'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the emails looks like:
From: ap_vendor_pay2@ bankofamerica .com
Date: Thu 01/09/2016 19:22
Subject: ACH Payment Notification
Attachment: payment002828870.zip
    LOGICEASE SOLUTIONS INC       Vendor:10288253   Pay Dt: 20150903
    Pay Ref Num: 2000548044
    Please download and view payment document attached.
    Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
    The net amount deposited to account number ending   XXXX3195
    designated by you is           $1019.93
    IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
    Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.7486.
    This message, and any attachments, is for the intended recipient’s only, may contain information that is privileged, confidential and/or proprietary and subject to important termsr. If you are not the intended recipient, please delete this message.


20 October 2016: payment002828870.zip: Extracts to: paymen1189d2028.scr . Current Virus total detections 8/56*
.. Payload Security** shows this is likely to be Trickbot/Dyre banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476964410/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.47.139.102
91.219.28.77

 



Edited by AplusWebMaster, 20 October 2016 - 11:25 AM.

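The posts above keep describing the same delivery pattern: a zip whose member is a .js/.wsf/.vbs/.hta/.scr/.jar file, sometimes disguised with a double extension (FedEx_ID_0000613766.doc.wsf) or a decoy word in the name (budget 34A81F8A xls.vbs). As an added example, not code from the quoted blogs, here is a mail-gateway style triage that walks a zip attachment (recursing into nested zips such as Details.zip) and flags those names; the archives it scans are constructed in memory with placeholder contents and the extension lists are my own assumption.

```python
"""Attachment-name triage for archived-script malspam (added example).
Flags archive members whose extension Windows would execute on double-click,
the double-extension trick (x.doc.wsf) and decoy document words in the stem
(budget 34A81F8A xls.vbs). Sample archives are constructed in memory."""
import io
import re
import zipfile
from dataclasses import dataclass

# File types the reports above show being run straight from an extracted
# attachment (assumed list; extend to taste).
EXECUTABLE_EXTS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta", "scr", "jar", "exe", "cab"}
# Harmless-looking document types used to disguise them.
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "jpg", "png", "txt"}


@dataclass
class Finding:
    name: str
    reason: str


def classify_name(name: str):
    """Return a Finding for a dangerous attachment name, or None if it looks benign."""
    base = name.lower().rsplit("/", 1)[-1]      # drop any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return None                              # no extension at all
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    # Double extension: "x.doc.wsf" displays as "x.doc" when known
    # extensions are hidden in Explorer.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return Finding(name, f"double extension .{parts[-2]}.{ext}")
    # Decoy word in the stem, e.g. "budget 34A81F8A xls.vbs".
    stem_words = set(re.split(r"[^a-z0-9]+", ".".join(parts[:-1])))
    decoys = sorted(stem_words & DECOY_EXTS)
    if decoys:
        return Finding(name, f"decoy document type '{decoys[0]}' before .{ext}")
    return Finding(name, f"executable attachment type .{ext}")


def scan_zip_bytes(data: bytes):
    """Walk a zip archive (recursing into nested zips) and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".zip"):
                # e.g. Details.zip -> details.jar
                findings.extend(scan_zip_bytes(zf.read(info)))
                continue
            finding = classify_name(info.filename)
            if finding:
                findings.append(finding)
    return findings


def build_sample_zip(members: dict):
    """Constructed test archive: member name -> bytes (placeholders, no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Member names taken from the reports above; contents are placeholders.
    sample = build_sample_zip({
        "FedEx_ID_0000613766.doc.wsf": b"placeholder",
        "budget 34A81F8A xls.vbs": b"placeholder",
        "CN-81274.scr": b"placeholder",
        "Details.zip": build_sample_zip({"details.jar": b"placeholder"}),
        "readme.txt": b"placeholder",
    })
    for f in scan_zip_bytes(sample):
        print(f"{f.name}: {f.reason}")
```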


#1814 AplusWebMaster

Posted 24 October 2016 - 07:07 AM

FYI...

Fake 'Receipt' SPAM - leads to Locky
- http://blog.dynamoo....t-leads-to.html
24 Oct 2016 - "Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example, spam with a format similar to the following is currently being sent out:
    Date: Mon, 24 Oct 2016 16:03:30 +0530
    From: christa.hazelgreave@ gmail .com
    Subject: Receipt 68-508


Sender name is a randomly-generated Gmail address. Attached is a ZIP file starting with the word "Receipt", matching the subject of the email; contained within is a malicious HTA file with a name similar to Receipt 90592-310743.hta. You can see some of the malicious activity in this Hybrid Analysis*...
(List of domain-names at the dynamoo URL above.)
The malware is Locky ransomware phoning home to:
109.234.35.215/linuxsucks .php (McHost.ru, Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy .example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
bwcfinnt .work/linuxsucks .php [208.100.26.234] (Steadfast, US) ...
Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
208.100.26.234
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
96.0.115.240
107.180.23.49
216.239.139.112
120.117.3.119


- https://myonlinesecu...shit-extension/
24 Oct 2016 - "... Locky downloader.. a blank/empty email with the subject of 'Receipt 00180-6477' (random numbers) pretending to come from random names at gmail .com with a semi-random named zip attachment starting with 'receipt' that matches the subject containing a random numbered wsf file starting with 'receipt'... One of the emails looks like:
From: jennie.winzer@ gmail .com
Date: Mon 24/10/2016 15:05
Subject: Receipt 00180-6477
Attachment: Receipt 00180-6477.zip


Body content: Totally blank/empty

24 October 2016: Receipt 00180-6477.zip: Extracts to: Receipt 83357-830129.wsf
Current Virus total detections 11/55*.. MALWR** shows a download of an encrypted file from
  http ://beyondhorizon .net/076wc?EVgYCyg=JQHYinB which is transformed by the script to uYYRbVgee1.dll
(VirusTotal 6/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477318650/

** https://malwr.com/an...mZlNDhkNzA4Yzc/
Hosts
192.185.96.52

*** https://www.virustot...sis/1477325610/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Complaint letter' SPAM - leads to Locky
- http://blog.dynamoo....r-leads-to.html
24 Oct 2016 - "This spam leads to Locky ransomware:
    From     "Justine Hodge"
    Date     Mon, 24 Oct 2016 19:27:53 +0600
    Subject     Complaint letter
    Dear [redacted],
    Client sent a complaint letter regarding the data file you provided.
    The letter is attached.
    Please review his concerns carefully and reply him as soon as possible.
    Best regards,
    Justine Hodge


The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter"... scripts download...
(Long list of domain-names at the dynamoo URL above.)
The malware phones home to the following URLs:
109.234.35.215/linuxsucks .php (McHost .ru, Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host .ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)...
... Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
81.177.22.221
"

- https://myonlinesecu...shit-extension/
24 Oct 2016 - "... Locky downloader.. an email with the subject of 'Complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with saved_letter containing a js file... One of the emails looks like:
From: Mia Dickerson <Dickerson.0865@ pipelinemedia .com.au>
Date: Mon 24/10/2016 12:58
Subject: Complaint letter
Attachment: saved_letter_9ff72a60.zip
    Dear [redacted], Client sent a complaint letter regarding the data file you provided. The letter is attached. Please review his concerns carefully and reply him as soon as possible. Best regards, Mia Dickerson


24 October 2016: saved_letter_9ff72a60.zip: Extracts to: saved letter 9A2B8.js
Current Virus total detections 11/55*.. MALWR** shows a download of an encrypted file from
 http ://gruffcrimp .com/352gr0 which is transformed by the script to RuBjy2wiCxyLGr.dll (VirusTotal 9/57***).
Payload security[4] shows the download from
 adultmagstore .com/itc0h81 and the c2 from a load of different servers -all- using /linuxsucks .php...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477310600/

** https://malwr.com/an...zRiM2U1NTNiNmU/
Hosts
67.171.65.64

*** https://www.virustot...sis/1477329868/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Trick Bot – spread via malvertising ...
- https://blog.malware...ezas-successor/
Oct 24, 2016 - "... payload was spread via a malvertising campaign, involving Rig Exploit Kit:
> https://blog.malware...ising_chain.png
... After being deployed, Trick Bot copies itself into %APPDATA% and deletes the original sample... Trick Bot is composed of several layers. As usual, the first layer is used for the protection – it carries the encrypted payload and tries to hide it from AV software:
> https://blog.malware...10/schema-1.png
... Below we can see its decrypted form revealing the attacked online-banking systems:
> https://gist.githubu...5cb1de/dinj.xml
Conclusion: Trick Bot has many similarities with Dyreza, that are visible at the code design level as well as the communication protocol level. However, comparing the code of both shows that it has been rewritten from scratch. So far, Trick Bot does not have as many features as Dyreza bot. It may be possible that the authors intentionally decided to make the main executable lightweight, and focus on making it dynamically expandable using downloaded modules. Another option is that it is still not the final version. One thing is sure – it is an interesting piece of work, written by professionals. Probability is very high that it will become as popular as its predecessor."
Appendix: http://www.threatgee...connection.html – analysis of the TrickBot at Threat Geek Blog

'Trickbot C2s: [list of 13 C2 IP:port addresses omitted]'
(More detail at the malwarebytes URL at the top of this post.)
 



Edited by AplusWebMaster, 24 October 2016 - 02:32 PM.



#1815 AplusWebMaster

Posted 25 October 2016 - 04:26 AM

FYI...

Fake 'Budget forecast' SPAM - delivers Locky
- https://myonlinesecu...shit-extension/
25 Oct 2016 - "... Locky downloader.. an email with the subject of 'Budget forecast' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with 'budget' containing a vbs file that pretends to be an Excel .XLS file... One of the emails looks like:
From: Alejandra Rojas <Rojas.2910@ dsldevice .lan>
Date: Mon 24/10/2016 22:38
Subject: Budget forecast
Attachment: budget_xls_b71db945.zip
[redacted] asked me to send you the Budget forecast for next project. Please check and ask him if you are not clear with the task.


25 October 2016: budget_xls_b71db945.zip: Extracts to: budget 34A81F8A xls.vbs
Current Virus total detections 2/55*.. MALWR** shows a download of an encrypted file from
 http ://fannyfuff .com/7qx9pmdt which is transformed by the script to QoTcrNU2qu051Uv0.dll (VirusTotal 21/57***).
Neither MALWR nor Payload Security[4] are showing the encrypted files... That might be due to a sandbox/ VM protection in the malware or it might not have run properly. Earlier versions yesterday [1] [2] using WSF, JS or HTA delivery methods did run fully in the online sandboxes. The vbs versions might not... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477345935/

** https://malwr.com/an...mJkM2YxNGYyYzk/
Hosts


*** https://www.virustot...sis/1477378265/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts


1] https://myonlinesecu...shit-extension/

2] https://myonlinesecu...shit-extension/
___

Fake 'Scan Data' SPAM - leads to Locky
- http://blog.dynamoo....file-image.html
25 Oct 2016 - "Perhaps minimalist spam works better - there is currently a Locky spam run with one of the subjects 'Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data' plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript... There is no body text... These automated analyses [1] [2]... show that it is Locky...
(Long list of domain-names at the dynamoo URL above.)
... The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh
A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56*. The malware then phones home to one of the following locations:
185.127.27.100/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks .php (Volia DataCentre, Ukraine)
... Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221
"
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
103.247.11.115
46.105.246.22
91.200.14.124
185.127.27.100
77.123.137.221


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
203.190.54.3
91.200.14.124
77.123.137.221
185.127.27.100


* https://virustotal.c...sis/1477405965/

- https://myonlinesecu...delivers-locky/
25 Oct 2016 - "... Locky downloader... a blank empty email with a variety of subjects like scan, image, pic, doc etc. pretending to come from random names at Gmail .com with a zip attachment that matches the subject containing a js file... Some of the subjects seen include:
    Image 249
    Blank 962
    Document 7
     Pic 3
    Scan Data 405
    Picture 125
     File 11
    Doc 74
    img 7


One of the emails looks like:
From: HUGH HALVERSON <hughhalverson94@ gmail .com>
Date: Tue 25/10/2016 14:47
Subject: Image 249
Attachment: Image 249.zip


Body content: totally empty/blank

25 October 2016: Image 249.zip: Extracts to: Pic 767.js - Current Virus total detections 9/54*
.. MALWR** shows a download of an encrypted file from
 http ://rajashekharkubasad .com/g76dbf?ettSsUhngke=NlfFMTpqoQa which is transformed by the script to WgNUiSSFP1.dll (VirusTotal 3/56***). Payload Security[4] shows this version is using .thor extension for the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477403985/

** https://malwr.com/an...zk3N2U0YzEyMjc/
Hosts
43.225.54.151

*** https://www.virustot...sis/1477405261/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
43.225.54.151
185.127.27.100
77.123.137.221
91.200.14.124

___

Fake 'Wrong model' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
25 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong model' coming as usual from random companies, names and email addresses with a semi random named zip attachment starting with fixed_invoice containing a vbs file... One of the emails looks like:
From: Randal Burks <Burks.3744@ pocketgreens .com>
Date: Tue 25/10/2016 19:45
Subject: Wrong model
Attachment: fixed_invoice_74957728.zip
    We apologize for sending the wrong model of the product yesterday. Attached is the new invoice for your product No. 31066460.


25 October 2016: fixed_invoice_74957728.zip: Extracts to: fixed invoice 8A3254C.vbs
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
 http ://idesjot .net/3ab4af which is transformed by the script to B0HRoIuyMVXc7V.dll (VirusTotal 13/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477421251/

** https://malwr.com/an...Tc2YjI5MzgxMzA/
Hosts
67.171.65.64

*** https://www.virustot...sis/1477421558/
___

Another Day, Another Spam...
- https://isc.sans.edu...l?storyid=21635
2016-10-25 - "... attackers always have new ideas to deliver their malicious content to us... Attached to this mail, a malicious ZIP file with a .pif file inside. The file is in fact a PE file (MD5: 2aa0d2ae9f8492e2b4acda1270616393). The hash was unknown to VT but once uploaded, it was reported as a very old worm, nothing very malicious... The second example, received by one of our readers, is a -fake- SharePoint notification:
> https://isc.sans.edu...epoint-spam.png
The link points to hxxp ://thekchencholing .org/.https/www/sharepoint.com/sites/shareddocument/SitePages/Home.aspx/index.php?wreply=YW5keS5nZXJhZXJ0c0BjZWdla2EuYmUN (the site has been cleaned up in the meantime). SharePoint is a common Microsoft tool used in big organizations and people could be lured by this kind of message. Most spam campaigns are easy to detect but some messages, when properly redacted, may lure the victim easily. We are never far from an unfortunate click. Stay safe!.."

thekchencholing .org: 180.210.205.66: https://www.virustot...66/information/
>> https://www.virustot...9b208/analysis/
 



Edited by AplusWebMaster, 25 October 2016 - 03:43 PM.



#1816 AplusWebMaster


Posted 26 October 2016 - 07:41 AM

FYI...

Fake 'Help Desk' SPAM - leads to Adwind
- http://blog.dynamoo....-help-desk.html
26 Oct 2016 - "Just by way of a change, here's some -malspam- that doesn't lead to Locky:

Screenshot: https://3.bp.blogspo...cB/s1600/wu.png

In this case, the link in the email goes to:
linamhost .com/host/Western_Union_Agent_Statement_and_summary_pdf.jar
This is a Java file - if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it -won't- run. VirusTotal* identifies it as the Adwind Backdoor**. The Malwr report[3] shows it attempting to contact:
boscpakloka .myvnc .com [158.69.56.128] (OVH, US)
A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis[4]. Check the Dropped Files section of the Malwr Report[3] for more. Personally, I recommend blocking -all- dynamic DNS domains such as myvnc .com in corporate environments. At the very least I recommend blocking 158.69.56.128."
* https://virustotal.c...sis/1477480451/

** https://www.f-secure...va_adwind.shtml

3] https://malwr.com/an...mYzMTdmNjg2MDE/
Hosts
158.69.56.128: https://www.virustot...28/information/
>> https://www.virustot...0e69c/analysis/

4] http://www.malware-t.../23/index2.html

myvnc .com: 8.23.224.108: https://www.virustot...08/information/
>> https://www.virustot...01802/analysis/
___

Fake 'Your order' SPAM - leads to Locky
- http://blog.dynamoo....r-has-been.html
26 Oct 2016 - "This curiously worded spam email leads to Locky ransomware:
    Subject:  Your order has been proceeded
    From:     Elijah Farrell
    Date:     Wednesday, 26 October 2016, 12:41
    Your order has been proceeded.
    Attached is the invoice for your order 2026326638.
    Kindly keep the slip in case you would like to return or state your product's warranty.


The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name. The various scripts download a component... (thank you to my usual source for this)
(Long list of domain-names at the dynamoo URL above.)
The downloaded binary then phones home to:
78.46.170.94/linuxsucks .php [hostname: k-42 .ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks .php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost .hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks .php [hostname: weblinks-3424 .ru] (Sobis, Russia)
It also tries to phone home...
Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225
"

- https://myonlinesecu...delivers-locky/
26 Oct 2016 - "... Locky downloader.. which is running concurrently with THIS[1] is an email with the subject of 'Your order has been proceeded' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with order_details containing a vbs file... typical subject line is 'Your order has been processed' -not- 'Your order has been proceeded'...
1] https://myonlinesecu...delivers-locky/
... One of the emails looks like:
From: Alex Gonzalez <Gonzalez.46337@ solardelaluna .com>
Date: Wed 26/10/2016 12:35
Subject: Your order has been proceeded
Attachment: order_details_56f220432.zip
    Your order has been proceeded. Attached is the invoice for your order 9563076204. Kindly keep the slip in case you would like to return or state your product’s warranty.


26 October 2016: order_details_56f220432.zip: Extracts to: order details 144BAA.vbs
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
  http ://hankookm.com/lun77kyf which is transformed by the script to q3SAQ4aZNZ0p.dll ...
C2 are http ://95.46.98.25 /linuxsucks.php and http ://umjjvccteg .biz/linuxsucks.php
Payload Security[3] shows several others as well... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477482479/

** https://malwr.com/an...WRjYjkyMTBlNzE/
Hosts
101.79.129.33
95.46.98.25
78.46.170.94
91.226.92.225
69.195.129.70


3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.254.70.156
95.46.98.25
91.226.92.225
78.46.170.94

___

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
26 Oct 2016 - "... Locky downloader.. an email with the subject of 'Invoice-350797-93872806-090-9B5248A' (random numbers) pretending to come from invoice@ random companies and email addresses with a random numbered invoice zip attachment containing a jse file... One of the emails looks like:
From: invoices@ greyport .net
Date: Wed 26/10/2016 12:35
Subject:  Invoice-350797-93872806-090-9B5248A
Attachment: 20161026_93872806_Invoice.zip
    Dear Customer,
    Please find attached Invoice 93872806 for your attention.
    Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept’ ...


26 October 2016: 20161026_93872806_Invoice.zip: Extracts to: 167402123_Invoice.jse
Current Virus total detections 7/55*. MALWR was unable to show any connections or downloads. Payload Security**  shows a download of an encrypted file from
  glyderm .com.ph/t76f3g?awKAvfeuvvV=PyooUmcME but doesn’t show or allow download of the actual Locky binary... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477481832/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.214.20.198
91.200.14.124
144.76.177.194
185.127.27.100
69.195.129.70
52.32.150.180
54.230.197.227

___

WhatsApp in-the-wild scams
- https://blog.malware...-the-wild-scam/
Oct 26, 2016

Other related post(s):
WhatsApp Elegant Gold Hits the Digital Catwalk
> https://blog.malware...igital-catwalk/
Don’t Get Stuck on WhatsApp Stickers…
> https://blog.malware...tsapp-stickers/
Scams, PUPs Target Would-be WhatsApp Voice Users
> https://blog.malware...pp-voice-users/
WhatsApp Hack Promises Messages, Delivers PUPs
> https://blog.malware...-delivers-pups/
WhatsApp Spam Campaign Leads to Malware
> https://blog.malware...ads-to-malware/
 



Edited by AplusWebMaster, 26 October 2016 - 03:47 PM.

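The dynamoo write-ups quoted in the posts above each close with a recommended blocklist, and both note that the Locky DLL phones home to a fixed path, /linuxsucks .php, on hosts that change from run to run. What follows is an added example, not code from either blog or from this thread: it loads a blocklist written the way the #1816 list is (bare IPs plus CIDR ranges such as 78.46.170.64/27), then runs a few constructed proxy-log lines through it, flagging a request when the destination falls inside a listed range or when the request path is the C2 endpoint, so a call-back to a host not yet on the list is still caught. The log layout, the client addresses, the 203.0.113.x/198.51.100.x destinations and the helper names (parse_blocklist, ip_listed, scan_log, demo) are assumptions; the three blocklist entries and the C2 path are the ones given in the post.

```python
# Added example (not code from the quoted blogs or this thread): match proxy-log
# entries against a Locky blocklist.  The log layout is an assumed one-line-per-
# request format; the blocklist entries and the C2 path come from the post above.
import ipaddress
import re
from urllib.parse import urlsplit

# Blocklist exactly as the post lists it: single hosts or CIDR ranges, one per line.
# '#' starts an operator comment (an assumption, not part of the post's format).
BLOCKLIST = """
78.46.170.64/27   # range containing 78.46.170.94 (k-42 .ru per the post)
95.46.98.0/23     # range containing 95.46.98.25 (GMHost per the post)
91.226.92.225
"""

# C2 URI path the dropped DLL posts to.  Matched on path only, because the
# host changes from one spam run to the next.
C2_PATHS = frozenset({"/linuxsucks.php"})

# Assumed log layout: "<timestamp> <client-ip> <dest-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_blocklist(text):
    """Turn blocklist lines into ip_network objects; a bare IP becomes a /32 (or /128)."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            # strict=False tolerates host bits set in a CIDR entry (e.g. 78.46.170.94/27)
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def ip_listed(ip, nets):
    """True when ip falls inside any listed network (CIDR-aware, unlike a string compare)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def scan_log(lines, nets):
    """Return (line_no, client_ip, dest_ip, reasons) for every request worth an alert."""
    hits = []
    for num, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        reasons = []
        if ip_listed(m["dst"], nets):
            reasons.append("dst-in-blocklist")
        if urlsplit(m["url"]).path in C2_PATHS:
            reasons.append("c2-path")
        if reasons:
            hits.append((num, m["src"], m["dst"], reasons))
    return hits


# Constructed sample log: two destinations inside listed ranges, one C2 call-back
# to an unlisted host (fresh infrastructure), and one benign request.
SAMPLE_LOG = """
2016-10-26T12:41:03Z 10.1.2.34 78.46.170.94 POST http://78.46.170.94/linuxsucks.php 200
2016-10-26T12:41:05Z 10.1.2.34 95.46.98.25 POST http://95.46.98.25/linuxsucks.php 200
2016-10-26T12:41:09Z 10.1.2.34 203.0.113.7 POST http://203.0.113.7/linuxsucks.php 200
2016-10-26T12:42:00Z 10.1.2.35 198.51.100.20 GET http://198.51.100.20/index.html 200
""".strip().splitlines()


def demo():
    """Run the sample log through the blocklist and return the hit list."""
    return scan_log(SAMPLE_LOG, parse_blocklist(BLOCKLIST))


if __name__ == "__main__":
    for num, src, dst, reasons in demo():
        print("line %d: %s -> %s: %s" % (num, src, dst, ", ".join(reasons)))
```

The third sample line is the reason for matching on the path as well as the address: the IP lists in these posts are rebuilt every day as the operators move hosts, while the /linuxsucks.php endpoint stayed constant across the runs quoted here, so the path match is the more durable of the two checks.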


#1817 AplusWebMaster


Posted 27 October 2016 - 04:27 AM

FYI...

Fake 'Bill overdue' SPAM - delivers Locky
- https://myonlinesecu...y-thor-version/
27 Oct 2016 - "... Locky downloader... an email with the subject of 'Bill overdue' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with detailed_bill containing a vbs file... One of the emails looks like:
From: Edmund Parks <Parks.390@ airtelbroadband .in>
Date: Thu 27/10/2016 09:11
Subject: Bill overdue
Attachment: detailed_bill_251752d.zip
    This is from the Telephone Company to remind you that your bill is overdue. Please see the attached bill for the fine charge.


27 October 2016: detailed_bill_251752d.zip: Extracts to: detailed bill 1C938E2.vbs
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from
  http ://tahradeep .com/1tuqd which is transformed by the script to yNBjdb1LZklImF.dll (VirusTotal 11/57***).
C2 are http ://83.217.11.193 /linuxsucks.php | http ://91.201.42.24 /linuxsucks.php
Payload Security[4] shows a few different download locations for the encrypted files but no C2... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477556155/

** https://malwr.com/an...TE0YWZiMmM2ODU/
Hosts
67.171.65.64
91.201.42.24
83.217.11.193


*** https://www.virustot...sis/1477557085/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
67.171.65.64
119.29.37.110
122.114.89.157


- http://blog.dynamoo....-telephone.html
27 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject:     Bill overdue
    From:     Alexandria Maxwell
    Date:     Thursday, 27 October 2016, 9:35
    This is from the Telephone Company to remind you that your bill is overdue.
    Please see the attached bill for the fine charge.


The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script... detailed bill C43A9.vbs. The Malwr Report* and Hybrid Analysis** for that script show behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download...
(Long list of domain-names at the dynamoo URL above.)
... A DLL is dropped with a detection rate of 11/56***, and the malware then phones home to:
91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150
"

* https://malwr.com/an...WZkNDI0YTNmMDM/
Hosts
92.53.96.20
91.201.42.24
83.217.11.193


** https://www.hybrid-a...vironmentId=100
Contacted Hosts
67.171.65.64
83.217.11.193
91.230.211.150
91.201.42.24


*** https://virustotal.c...sis/1477560896/
___

Fake 'Account Reactivation' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
27 Oct 2016 - "... -fake- financial themed emails containing java adwind attachments... The email looks like:
From: Npc@ westernunion .com <accounts@ petnet .com .ph>
Date: Thu 27/10/2016 04:56
Subject: Account Reactivation
Attachment: Account Reactivation.zip
    Dear Agent,
    Our security team has detected a hacking attempt on  your account /Terminal . Luckily, the attempt has been blocked and the account/ terminal has been suspended with no financial loss.
    Now in order to reactivate the account and avoid the recurrence of such incident, we strongly recommend that you follow the reactivation process attached and share the outcome with our security team copied.
    Let us know if you have any questions.
    Kind regards,
    Zineb Abdouss
    Sr. Regional Operations Specialist, North, and Western Asia
    Western Union
    7th floor, shore 13
    1100 Boulevard Al Qods-Quartier Sidi Maarouf
    20270 Casablanca –  Morocco ...


27 October 2016: Account Reactivation manual.jar (119kb) - Current Virus total detections 22/56*. MALWR**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477547372/

** https://malwr.com/an...DNlMjZmZGM3MzM/
Hosts
216.107.152.224
___

Fake 'Order Details' SPAM - delivers malware
- https://myonlinesecu...us-office-docs/
27 Oct 2016 - "An email with the subject of 'Re: Order Details' pretending to come from James Correy <jamescorrey@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Update: I am reliably informed it is a pony dropper with the pony binary embedded inside the word doc using
 http ://www .octpendant .org.in/chixthree-18oct-18nov/gate.php

27 October 2016: BL-06038711.DOC - Current Virus total detections 11/54*... a manual analysis of the macro enabled doc shows a connection to http ://travelinsider .com.au/021ygs7 which currently gives a php error... opens in Microsoft word with a message to 'enable editing to see content'... Payload Security** does show an informative download of an .exe file JF.cm d which VirusTotal 15/56*** detects...
> https://myonlinesecu...-1-1024x306.png

Screenshot: https://myonlinesecu...il-1024x621.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477547380/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1477548223/
___

Fake 'E-TICKET' SPAM - leads to Locky
- http://blog.dynamoo....8-leads-to.html
27 Oct 2016 - "More Locky ransomware today..
    From     "Matthew standaloft"
    Date     Thu, 27 Oct 2016 15:20:27 +0530
    Subject     E-TICKET 41648
    Dear Sir ,
    Please find the attached E-ticket as per your requested.
    Thanks & Regards ,
    Matthew standaloft


Attached is a ZIP file containing a randomly-named .WSF script, downloading more evil... (according to my usual source):
(Long list of domain-names at the dynamoo URL above.)
... This drops a malicious DLL with a detection rate of 9/56*. The following C2 servers are contacted:
83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks .php (FLP Anoprienko Artem Arkadevich aka host-ua .com, Ukraine)
213.159.214.86/linuxsucks .php (JSC Server, Russia)
Recommended blocklist (also see this other spam run** today):
83.217.11.193
91.201.202.12
213.159.214.86
"
* https://www.virustot...28277/analysis/

** http://blog.dynamoo....-telephone.html

- https://myonlinesecu...y-thor-version/
27 Oct 2016 - "... Locky downloader... an email with the subject of 'E-TICKET 0385' (random numbers) coming as usual from random companies, names and email addresses with a semi-random numbered zip attachment that matches the subject number containing a random numbered wsf file... One of the emails looks like:
From: Jacqueline lewis <Jacqueline.lewis022@ pro-youthrodeo .org>
Date: Thu 01/09/2016 19:22
Subject: E-TICKET 0385
Attachment: 0385.zip
    Dear Sir ,
    Please find the attached E-ticket as per your requested.
    Thanks & Regards ,
    Jacqueline lewis 


27 October 2016: 0385.zip: Extracts to: 8910682.wsf - Current Virus total detections 9/55*
MALWR** shows a download of an encrypted file from http ://139.162.29.193 /g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
which is transformed by the script to mujVqbry1.dll (VirusTotal 9/56***). C2 is:
 http ://83.217.11.193 /linuxsucks.php
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477560672/

** https://malwr.com/an...jQyZTI2YWRlM2U/
Hosts
139.162.29.193
83.217.11.193


*** https://www.virustot...sis/1477559703/
___

Fake 'Receipt' SPAM - delivers locky
- https://myonlinesecu...y-thor-version/
27 Oct 2016 - "... Locky downloader... a -blank- email with the subject of 'Receipt' 1578-92517 (random numbers) once again pretending to come from random names at Gmail .com with a semi-random named/numbered zip attachment matching the subject line containing a WSF file... One of the emails looks like:
From: ashley.baring@ gmail .com
Date: Thu 27/10/2016 15:15
Subject: Receipt 1578-92517
Attachment: Receipt 1578-92517.zip


Body content: completely blank/empty

27 October 2016: Receipt 1578-92517.zip: Extracts to: Receipt 89598-1810311.wsf
Current Virus total detections 13/55*. MALWR** shows a download of an encrypted file from
  http ://www .acclaimenvironmental .co.uk/g67eihnrv?TCwKroMse=uwIrKcwhz which is transformed by the script to TQTOMcCTi1.dll (VirusTotal 7/57***). C2 http ://83.217.11.193 /linuxsucks.php. Payload Security[4] shows additional C2 locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477578664/

** https://malwr.com/an...jNmM2YwNTlhZWY/
Hosts
89.145.76.9
83.217.11.193


*** https://www.virustot...sis/1477579336/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.145.76.9
213.159.214.86
83.217.11.193
91.201.202.12
192.42.116.41
52.32.150.180
54.192.11.30

___

US charges 61 defendants in call center SCAM based in India
- https://www.yahoo.co...-150417258.html
Oct 27, 2016 WASHINGTON (AP) — "It can be a frightening call to get. Callers posing as tax and immigration agents are threatening arrest, deportation or other punishment unless money is sent to help clear up what they say is a deportation warrant or to cover unpaid income taxes. The government says it's a scam — one that's tricked at least 15,000 people into shelling out more than $300 million. Now the Justice Department has charged 61 defendants in the United States and abroad in connection with a call center operation that officials say is based in India. Federal prosecutors have just unsealed an indictment detailing the case. Assistant Attorney General Leslie R. Caldwell says authorities served nine warrants in eight states and arrested 20 people in the international fraud and money laundering scheme investigation. The case includes five call center groups. Caldwell says the scam targeted the elderly and minorities, and extorted thousands of dollars from victims at a time. She says the money was laundered with the help of prepaid debit cards."
 



Edited by AplusWebMaster, 27 October 2016 - 01:53 PM.



#1818 AplusWebMaster


Posted 28 October 2016 - 06:18 AM

FYI...

Fake 'New fax received' SPAM - delivers Trickbot banking trojan
- https://myonlinesecu...banking-trojan/
28 Oct 2016 - "... unusual email with the subject of 'Important – New fax received' pretending to come from Administrator <Administrator@ internalfax .net> or Administrator <Administrator@ internalfax .com> with either a malicious word doc attachment or a zip file containing a .js file which downloads Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ed-1024x545.png

Both emails pass all validation checks, SPF & DKIM so blow past spam filters and -both- domains are newly registered -today- with the sole aim of spreading malware. Domains are both registered by and hosted by Godaddy..

28 October 2016: InternalFax.js - Current Virus total detections 3/55*. MALWR** shows a download from
  http ://www .tessaban .com/admin/images/jsjsjsihfsdkq.png which of course is -not- a png but a renamed .exe file. The JavaScript -renames- it to vQjiLVqR.exe and autoruns it. (VirusTotal 26/56***). Payload Security[4] was unable to contact any download sites or download the malware...

28 October 2016: InternalFax.doc - VirusTotal 2/52[5] | Payload Security[6] shows a download from
 futuras .com/dodocdoddus .exe which is -renamed- to 10575.exe and autorun by the macro in the word doc
(VirusTotal 8/56[7]) MALWR[8] shows the downloads from either
 http ://futuras .com/dodocdoddus.exe or http ://fax-download .com/lindoc1.exe
(fax-download .com registered -yesterday- 27 October 2016 and hosted on 23.95.37.89  host.colocrossing .com)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

 

futuras .com: 203.199.134.21: https://www.virustot...21/information/
>> https://www.virustot...471fe/analysis/
 

23.95.37.89: https://www.virustot...89/information/
>> https://www.virustot...0d8cd/analysis/

* https://www.virustot...sis/1477673159/

** https://malwr.com/an...zIyYjM1NmUxNzQ/
Hosts
61.19.247.54
78.47.139.102
91.219.28.77
8.254.207.62
193.9.28.24
37.1.209.51
138.201.44.28
188.116.23.98
104.250.138.194
80.79.114.179


*** https://www.virustot...sis/1477671917/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
61.19.247.54
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117


5] https://www.virustot...sis/1477672660/

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.95.37.89
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117


7] https://www.virustot...sis/1477674272/

8] https://malwr.com/an...zE0ZmVhODZhNmI/
Hosts
210.16.101.168
203.199.134.21
78.47.139.102
54.243.70.107
64.182.208.184
64.182.208.182
64.182.208.181
64.182.208.183
66.171.248.178
188.40.53.51
91.219.28.77
193.9.28.24

___

Fake 'Payment history' SPAM - delivers Locky
- https://myonlinesecu...y-thor-version/
28 Oct 2016 - "... Locky downloader... an email with the subject of 'Payment history' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with payment_history containing a VBS file... This is very similar to last night’s Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just renames it to the dll name...
1] https://myonlinesecu...y-thor-version/
One of the emails looks like:
From: Lionel Hall <Hall.748@ nrjleman .com>
Date: Fri 28/10/2016 09:58
Subject: Payment history
Attachment: payment_history_64b96be.zip
    The payment history for the first week of October 2016 is attached as you requested. Please review it and let us know if you have any question.


28 October 2016: payment_history_64b96be.zip: Extracts to: payment history EE5B8 PDF.vbs
Current Virus total detections 8/54*. MALWR** shows a download of a file from
  http ://92hanju .com /utl41nrt which is renamed by the script to r7vl3GrYKGPE0uLB0.dll (VirusTotal 12/56***).
C2 is http ://83.217.11.193 /linuxsucks.php . Payload Security[4] shows alternative download locations & C2 but for some strange reason isn’t showing the downloaded Locky binary as malicious... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477646733/

** https://malwr.com/an...jYwNTc0OTEzNjc/
Hosts
133.130.109.98
185.154.13.79
83.217.11.193


*** https://www.virustot...sis/1477647176/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
213.176.241.230
185.154.13.79
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150


- http://blog.dynamoo....y-leads-to.html
28 Oct 2016 - "... another spam run pushing Locky ransomware:
    Subject:     Payment history
    From:     Theodore Wilkins
    Date:     Friday, 28 October 2016, 10:09
    The payment history for the first week of October 2016 is attached as you requested.
    Please review it and let us know if you have any question.


The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script... (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these scripts in these automated analyses [1] [2].
There are many different variants of the script, downloading components...
(Many domain-names listed at the dynamoo URL above.)
... (Thank you to my usual source for this data). The malware phones home to:
83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks .php [hostname: tarasik1.infium .net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks .php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks .php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks .php (Dunaevskiy Denis Leonidovich, Ukraine) ...
A DLL is dropped with a detection rate of 12/57*.
Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79
"
1] https://malwr.com/an...TNjZjRjNWQ4MmU/
Hosts
185.2.128.114
46.148.26.99


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.2.128.114
185.154.13.79
83.217.11.193
194.1.239.152
91.230.211.150
46.148.26.99


* https://virustotal.c...904b6/analysis/
___

Fake 'Document' SPAM - delivers trickbot banking Trojan
- https://myonlinesecu...banking-trojan/
28 Oct 2016 - "An email with the subject of 'Document' from random names pretending to come from random name <random.name@ victim domain .tld> with a malicious word doc attachment delivers a trickbot banking Trojan... This uses a somewhat complicated method of delivery to try to bypass antivirus and content protection, but basically the macro inside the word doc creates a lnk file, calls on powershell to run the lnk file which connects to the web server to download a file, which is in turn renamed, moved & autorun by the powershell instruction inside the macro. The alleged sender's name matches the subject line, the name in the body of the email and the document name... The email looks like:
From: Tommy Griggs <Tommy.Griggs@ oneknight .co.uk>
Date: Fri 28/10/2016 02:37
Subject: Document from Griggs
Attachment: Griggs-2810-824.doc
    My company sent you a document. Check it attached.
    Regards,
    Tommy Griggs
    Challenger Limited


28 October 2016: Griggs-2810-824.doc - Current Virus total detections 3/53*
Payload Security** shows a download from futuras .com/ksdjgdfhmsc.exe (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477637824/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
203.199.134.21
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117


*** https://www.virustot...sis/1477629101/
___

Dridex - new "0-Day-Distribution" method
- https://payload-secu...ibution_27.html
Oct 27, 2016 - "The banking trojan Dridex (also known as Cridex, Feodo, Geodo, etc.) has been distributed in the past via malicious documents containing macros sent by E-Mail. Just yesterday we discovered a new distribution method that is undetected by the various Sandbox solutions we have access to and all AV engines. We were able to happily share and send those infected files via Skype, Gmail and other platforms. So while Dridex itself isn't new, the distribution method definitely is - and it will be very successful looking at current 0% detection ratio. In a sense, it is a "zero-day-distribution" method so we decided to use that term...
> https://3.bp.blogspo...cB/s1600/vt.png
As has been a recent trend we see for targeted attacks (more on that later), this malicious Office file does not contain any macros (or exploits, actually) to execute the payload... Instead, the document contains an embedded file, which can be extracted from the "oleObject1.bin" file in the "embeddings" folder. In this case, as it is a Word file, the relative pathway would be word/embeddings/oleObject1.bin... Simply opening the document will cause nothing to happen initially. Instead, the embedded file has to be double-clicked. This is the first "hurdle" that most Sandbox systems will have difficulties with:
> https://3.bp.blogspo...as+19.50.17.png
After double-clicking the file - on a default configured system - an additional prompt will have to be passed:
> https://2.bp.blogspo...as+20.26.36.png
... only if we -click- "Open" on that prompt, the actual LNK file and consequently the Command Prompt -> Powershell execution chain will trigger and download Dridex..."
(More detail at the payload-security URL above.)

>> https://myonlinesecu...-macro-viruses/
___

'Your Bill' is -Not- Overdue ... Locky
- https://isc.sans.edu...l?storyid=21647
2016-10-27 - "... It looks like today's ransomware subject is 'Your Bill is Overdue'. But then again, don't bother blocking it. Block ZIP'ed visual basic scripts. This round of Locky makes blocking a tad harder by using 'application/octet-stream' as a Content-Type instead of 'application/zip'...  I received just about 1,000 attachments like that, and about 4000 total..."
 



Edited by AplusWebMaster, 28 October 2016 - 04:21 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
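The Dridex write-up above describes an embedded object stored at word/embeddings/oleObject1.bin rather than a macro. An added example (mine, not Payload Security's or the forum's) that triages a .docx as the ZIP container it is, flagging embedded OLE objects and vbaProject.bin; the sample documents are constructed in memory, with no real payload:

```python
"""Triage an Office Open XML (.docx) container for embedded objects and macros.

Added example, not code from the quoted blog or the forum. A .docx is a ZIP
archive, so the embedded object described in the write-up is visible at
word/embeddings/oleObject1.bin without ever opening the document in Word.
"""
import io
import re
import zipfile

# Container members that carry embedded objects or VBA code (Word, Excel, PowerPoint).
EMBEDDING_RE = re.compile(r"^(word|xl|ppt)/embeddings/.+", re.IGNORECASE)
MACRO_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
# OLE compound-document magic bytes (D0 CF 11 E0 A1 B1 1A E1).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_ooxml(data: bytes) -> dict:
    """Summarise risky members of an OOXML file.

    Returns {"is_ooxml": bool, "embeddings": [(member, is_ole)], "has_macros": bool}.
    """
    result = {"is_ooxml": False, "embeddings": [], "has_macros": False}
    if not data.startswith(b"PK"):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result  # a ZIP, but not an Office Open XML container
    result["is_ooxml"] = True
    for name in names:
        if MACRO_RE.match(name):
            result["has_macros"] = True
        elif EMBEDDING_RE.match(name):
            head = zf.open(name).read(8)  # only the magic bytes are needed
            result["embeddings"].append((name, head == OLE_MAGIC))
    return result


def verdict(summary: dict) -> str:
    """Reduce the summary to one label a mail gateway or triage script can act on."""
    if not summary["is_ooxml"]:
        return "not-ooxml"
    if summary["has_macros"]:
        return "macros"
    if summary["embeddings"]:
        return "embedded-object"  # the macro-less technique the write-up describes
    return "clean"


def build_sample_docx(with_embedding: bool, with_macro: bool = False) -> bytes:
    """Constructed minimal .docx-like container for the demo; inert contents only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_embedding:
            # OLE header followed by zero filler, standing in for oleObject1.bin.
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [("embedded", build_sample_docx(True)),
                       ("macro", build_sample_docx(False, True)),
                       ("plain", build_sample_docx(False))]:
        summary = triage_ooxml(doc)
        print(label, verdict(summary), summary["embeddings"])
```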


#1819 AplusWebMaster


Posted 31 October 2016 - 07:27 AM

FYI...

Fake 'Wrong tracking number' SPAM - leads to Locky
- http://blog.dynamoo....ing-number.html
31 Oct 2016 - "This spam email leads to Locky ransomware:
    From     "Samuel Rodgers"
    Date     Mon, 31 Oct 2016 15:21:22 +0530
    Subject     Wrong tracking number
    It looks like the delivery company gave us the wrong tracking number.
    Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.


The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script... named something like tracking number A99DB PDF.vbs... full list of download locations...
(Long list of domain-names at the dynamoo URL above.)
The malware phones home to:
91.107.107.241/linuxsucks .php [hostname: cfaer12.example .com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks .php [hostname: shifu05 .ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks .php (Ukrainian Internet Names Center aka ukrnames .com, Ukraine)
194.1.239.152/linuxsucks .php (Internet Hosting Ltd aka majorhost .net, Russia)
5.187.7.111/linuxsucks. php (Fornet Hosting, Spain)
Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152
"

- https://myonlinesecu...delivers-locky/
31 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong tracking number' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with  tracking_number_ containing a VBS file that pretends to be a PDF...  similar to recent Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just renames it to the dll name...
1] https://myonlinesecu...y-thor-version/

31 October 2016: tracking_number_aa587827b.zip: Extracts to: tracking number A1964B3 PDF.vbs
Current Virus total detections 6/55*. Payload Security** seems unable to get any payload from this vbs although manual analysis easily revealed the download locations:
 http ://business-cambodia .com/he8wtc | http ://archilog .at/imwjmt | http ://badznaptak .pl/inlgm49
 http ://aconetrick .com/6yoajl7 | http ://ficussalm .com/8pmjmwp
All these files are executable files and the VBS just renames them to a DLL and autoruns it (VirusTotal 14/57[3])...
One of the  emails looks like:
From: Eldridge Beard <Beard.69896@ srimina .com>
Date: Mon 31/10/2016 09:05
Subject: Wrong tracking number
Attachment: tracking_number_aa587827b.zip
    It looks like the delivery company gave us the wrong tracking number. Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477906017/

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1477908982/
___

Fake 'SureVoIP' SPAM - leads to Locky
- http://blog.dynamoo....email-from.html
31 Oct 2016 - "This -fake- voicemail message leads to Locky ransomware:
    Subject:     Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
    From:     SureVoIP (voicemailandfax@[redacted])
    Date:     Monday, 31 October 2016, 11:17
    Message From "Catalina rigby 02355270166" 02355270166
    Created: 2016.10.31 14:46:53 PM
    Duration: 00:01:22
    Account: voicemailandfax@ [redacted]


Details will vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts then download a component...
(Long list of domain-names at the dynamoo URL above.)
The C2 servers overlap with the ones found here.
91.107.107.241/linuxsucks .php [hostname: cfaer12.example .com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks .php [hostname: shifu05 .ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks .php (Ukrainian Internet Names Center aka ukrnames .com, Ukraine)
Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152
"
___

Fake 'electronic billing' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
31 Oct 2016 - "... Locky downloader... an email with the subject of 'Document No 50319282' (random numbers) pretending to come from accounts @ your own email address with a semi-random named zip attachment starting with file containing a WSF file... One of the emails looks like:
From: NANNIE DONNELLY <accounts@ [redacted] .co.uk>
Date: Thu 01/09/2016 19:22
Subject: Document No 50319282
Attachment: File 50319282.zip
    Thanks for using electronic billing
    Please find your document attached
    Regards
    NANNIE DONNELLY


31 October 2016: File 50319282.zip: Extracts to: XY4918-1310.wsf - Current Virus total detections 10/55*
MALWR** shows a download of a file from
  http ://www .shavash .ir/g7cberv?LoeMqQM=BQqhBkykpgn which is renamed by the script to hndYhViGx1.dll
(VirusTotal 8/56***). C2 are http ://95.163.107.41 /linuxsucks.php and http ://tdhyjfxltpj .pw/linuxsucks.php
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477916645/

** https://malwr.com/an...Dc2ZTdkYzEyMWU/
Hosts
136.243.80.209
146.120.89.98
91.107.107.241
95.163.107.41
192.42.116.41


*** https://www.virustot...sis/1477926737/
___

Fake 'BANK SLIP' SPAM - delivers Tesla keylogger
- https://myonlinesecu...nknown-malware/
31 Oct 2016 - "... malware delivery email... an email with the subject of 'BANK SLIP' coming as usual from what looks like random companies, names and email addresses with a zip attachment that contains some unknown malware. VirusTotal only shows generic detections...
Update: I am being reliably informed that it is Agent Tesla keylogger* that sends info home to aqeel@ ubsrwp .pk . A recent similar attack but using malicious word docs with macros to deliver the payload is described HERE** with screenshots and a good description of the information...
* https://twitter.com/...018062953938944

** https://www.zscaler....-cybersquatting

31 October 2016: Bank Slip.zip: Extracts to: Bank Slip.exe - Current Virus total detections 9/57[3]
 MALWR doesn’t show much [4]. | Payload Security[5]...
3] https://www.virustot...sis/1477892702/

4] https://malwr.com/an...zM5YTkxZDIxZGM/

5] https://www.hybrid-a...vironmentId=100

One of the  emails looks like:
From: wagagrove@ otbsporti.com
Date: Thu 01/09/2016 19:22
Subject: BANK SLIP
Attachment: Bank Slip.zip
    Dear Sir,
    Pleased be informed payment done as attached.
    Regards,
    Waga
    Sales/Account Department
    MOTOTECHNICA SOLUTION LTD.
    GST NO : 0018898212965 ...


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

ubsrwp .pk: 198.24.190.35: https://www.virustot...35/information/
 



Edited by AplusWebMaster, 31 October 2016 - 01:14 PM.
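The ISC diary above (ZIPs sent as application/octet-stream rather than application/zip) and the 'Wrong tracking number' run (a .vbs named '... PDF.vbs') both defeat filters keyed on the declared type or the visible extension. This added example, not code from ISC, dynamoo or myonlinesecurity, sniffs the ZIP magic instead and classifies the archive members; the message it parses is constructed, with an inert placeholder where the script would be:

```python
"""Attachment triage that ignores the declared Content-Type.

Added example, not code from the quoted sources. It finds ZIP attachments by
magic bytes, lists members whose extension is a Windows script type, and
flags the 'document name in front of a script extension' trick.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
DECOY_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def classify_member(name: str) -> str:
    """Return 'script', 'script-with-decoy-name' or 'other' for one archive member."""
    stem, ext = os.path.splitext(name.lower())
    if ext not in SCRIPT_EXTS:
        return "other"
    for word in DECOY_WORDS:
        # e.g. 'tracking number A99DB PDF.vbs' or 'transaction_details_..._PDF.vbs'
        if stem.endswith(word):
            before = stem[: -len(word)]
            if before == "" or before[-1] in " _-.":
                return "script-with-decoy-name"
    return "script"


def triage_message(raw: bytes) -> list:
    """Walk a raw RFC 822 message and return one finding dict per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        finding = {
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),   # not trusted, only recorded
            "is_zip": payload.startswith(b"PK\x03\x04"),  # local file header magic
            "members": [],
        }
        if finding["is_zip"]:
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    finding["members"] = [(n, classify_member(n)) for n in zf.namelist()]
            except zipfile.BadZipFile:
                pass  # claims to be a ZIP but does not parse; keep is_zip for review
        finding["block"] = any(c != "other" for _, c in finding["members"])
        findings.append(finding)
    return findings


def build_sample_message() -> bytes:
    """Constructed lookalike of the 'Wrong tracking number' mail; the VBS is an inert comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tracking number A99DB PDF.vbs", "' inert placeholder, not a real script\r\n")
    msg = EmailMessage()
    msg["From"] = "Samuel Rodgers <sender@example.invalid>"  # placeholder address
    msg["Subject"] = "Wrong tracking number"
    msg.set_content("It looks like the delivery company gave us the wrong tracking number.")
    # Declared as octet-stream, as the ISC diary notes, instead of application/zip.
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="tracking_number_8b5b0ab.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        print(f["filename"], f["declared_type"], "block" if f["block"] else "allow", f["members"])
```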



#1820 AplusWebMaster


Posted 01 November 2016 - 07:14 AM

FYI...

Fake 'Transaction declined' SPAM - leads to Locky
- https://myonlinesecu...delivers-locky/
1 Nov 2016 - "... Locky downloader... an email with the subject of 'Transaction declined' coming as usual from random companies, names and email addresses  with a semi-random named zip attachment starting with transaction-details_ containing a VBS file that pretends to be a PDF... One of the  emails looks like:
From: Elena Cooper <Cooper52780@ centraldetraducao .com>
Date: Thu 01/09/2016 19:22
Subject:  Transaction declined
Attachment: transaction-details_e78be58f7.zip
    Dear [redacted],
    This is to inform that the transaction you made yesterday is declined.
    Please look through the attachment for the verification of the card details.
    Best Regards,
    Elena Cooper


Manual decoding of this slightly obfuscated vbs script shows download locations are:
    http ://17173wang .com/f6w0p
    http ://cdxybg .com/iribzm
    http ://51qudu .com/mqy2pj4
    http ://sonsytaint .com/4mgxlrf
    http ://koranjebus .net/4rwg5
1 November 2016: paytransaction-details_e78be58f7.zip: Extracts to: transaction_details_39B163E4_PDF.vbs
 delivers [VirusTotal 8/55*].. f6w0p [VirusTotal 7/55**]. Neither MALWR nor Payload Security[3] seem able to actually get the download locations or any payload in these VBS files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477997125/

** https://www.virustot...sis/1477997325/

3] https://www.hybrid-a...vironmentId=100

17173wang .com: 120.27.107.115: https://www.virustot...15/information/
cdxybg .com: 125.88.190.31: https://www.virustot...31/information/
51qudu .com: 118.123.18.92: https://www.virustot...92/information/
sonsytaint .com: 67.171.65.64: https://www.virustot...64/information/
138.201.244.4: https://www.virustot....4/information/
koranjebus .net: 67.171.65.64: https://www.virustot...64/information/
138.201.244.4: https://www.virustot....4/information/

- http://blog.dynamoo....nform-that.html
1 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject:     Transaction declined
    From:     Chandra Frye
    Date:     Tuesday, 1 November 2016, 10:48
    Dear [redacted],
    This is to inform that the transaction you made yesterday is declined.
    Please look through the attachment for the verification of the card details.
    Best Regards,
    Chandra Frye


The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs)... communicates with the URLs below, but you can be sure that there are many more examples:
51qudu .com/mqy2pj4
bjzst .cn/qgq4dx
danapardaz .net/zrr8rtz
litchloper .com/66qpos7m
creaciones-alraune .es/dx8a5
adasia .my/f5qyi10
alecrim50 .pt/g28w495t
zizzhaida .com/a0s9b
silscrub .net/07ifycb
Hybrid Analysis is inconclusive*.
If I get hold of the C2s or other download locations then I will post them here."
* https://www.hybrid-a...vironmentId=100
UPDATE: My usual reliable source tells me that these are all the download locations...
(Long list of domain-names at the dynamoo URL above.)
... These are the C2s:
91.234.32.202/linuxsucks .php (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
81.177.22.164/linuxsucks .php (NETPLACE, Russia)
Recommended blocklist:
91.234.32.202
81.177.22.164
"
___

Fake 'New Fax' SPAM - leads to TrickBot
- http://blog.dynamoo....ax-message.html
1 Nov 2016 - "This -fake- fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year...

Screenshot: https://3.bp.blogspo...dential-fax.png

Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54*. Both the Malwr report** and Hybrid Analysis*** give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:
www .tessaban .com/img/safafaasfasdddd.exe
This is a -hacked- legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr[4] and Hybrid Analysis[5] reports, which give the following suspect traffic:
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)
... 3NT Solutions (aka Inferno Solutions/inferno .name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit... If we excise the domestic IPs and blackhole the 3NT/Inferno/uadomen .com ranges we get a recommended blocklist of:
37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24

However, there's more to this... The original email message is actually signed by local-fax .com and it turns out that this domain was created just -today- with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking. All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously..."
* https://virustotal.c...38347/analysis/

** https://malwr.com/an...TdlMjk1NGEzZjQ/
Hosts


*** https://www.hybrid-a...vironmentId=100

4] https://malwr.com/an...TRjODQ1YjRjMzU/
Hosts


5] https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.219.28.77
193.9.28.24
37.1.209.51
138.201.44.28


- https://myonlinesecu...livers-malware/
1 Nov 2016 - "An email with the subject of 'GDS – New Fax Message' pretending to come from GDS Fax <service@ gov-fax. co .uk> with a malicious word doc containing macros which downloads what looks like Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ge-1024x555.png

1 November 2016: gvt_uk_01112016.doc - Current Virus total detections 3/54*
 MALWR** shows a download from http ://www .tessaban .com/img/safafaasfasdddd.exe (VirusTotal 10/56***)
 Payload Security [1] [2] Dynamoo's blog[3] gives details of a slightly different email delivering the same word docs & malware payload... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustot...sis/1477997908/

** https://malwr.com/an...Tg4YWQxYzM2Mzc/
Hosts


*** https://www.virustot...sis/1478011826/

1] https://www.hybrid-a...vironmentId=100

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.219.28.77
193.9.28.24
37.1.209.51
138.201.44.28


3] http://blog.dynamoo....ax-message.html
___

Fake 'Your Invoice' SPAM - delivers yet more Locky
- https://myonlinesecu...nsomware-today/
1 Nov 2016 - "... Locky downloader... an email with the subject of 'Your Invoice: SIPUS16-953639' (random numbers) coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with SIPUS16 containing a wsf file... One of the  emails looks like:
From: invoicing@ costruzionieimpianti .com
Date: Tue 01/11/2016 15:47
Subject: Your Invoice: SIPUS16-953639
Attachment: SIPUS16-953639.zip
    Dear Sirs,
    Please find your invoice enclosed. We kindly ask you to respect our payment terms.
    For questions please contact our sales office.
    Kind regards,
    Dorema UK Ltd.


1 November 2016: SIPUS16-953639.zip: Extracts to: INV_NO_79980148.wsf - Current Virus total detections 11/55*
.. MALWR** shows a download of an encrypted file from

  http ://bappeda .palangkaraya .go.id/87yfhc?xFqceIrSlI=MNKhDTrM

which is transformed by the script to GdxPTYAwwe1.dll (VirusTotal 12/56***). Same malware and delivery method  as this earlier malspam run[4] using fake invoices... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478009132/

** https://malwr.com/an...zJkNTE5YjEzNWU/
Hosts
180.250.3.118
185.82.217.88
51.255.107.20


*** https://www.virustot...sis/1477647176/

4] https://myonlinesecu...delivers-locky/
___

Windows 0-day vuln - CVE-2016-7855
- https://www.helpnets...ndows-zero-day/
Nov 1, 2016 - "Google has disclosed to the public the existence of a Windows zero-day vulnerability (CVE-2016-7855*) that is being actively exploited in the wild... The same vulnerability has been shared with both Microsoft and Adobe on October 21st, as it also affected Flash Player. But while Adobe has already pushed out an update with the patch[1], Microsoft has not been so quick.
1] https://helpx.adobe..../apsb16-36.html
... They have advised users to update Flash and implement the Microsoft patch as soon as it is made available..."
>> https://security.goo...to-protect.html

https://web.nvd.nist...d=CVE-2016-7855
11/01/2016 - "... as exploited in the wild in October 2016..."
___

HookAds malvertising ...
- https://blog.malware...ising-campaign/
Nov 1, 2016 - "... we wrote about a new piece of malware called ‘Trick Bot‘ which we caught in a malvertising attack via a high trafficked adult website. In the meantime, we uncovered -another- malvertising campaign that started at least in mid August, and which leverages decoy adult portals to spread malware. Internally, we call it the 'HookAds campaign' based on a string found within the delivery URL... upstream traffic to those adult sites also shows a pattern of malvertising via the usual suspects... much of the traffic sent to HookAds comes from malvertising on top adult sites that generate millions of visits a month... We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites where an -iframe- to adult banner is injected dynamically. The ad is served from a third-party server which performs -cloaking- in order to detect whether this is legitimate new traffic or not...
The fake ad server infrastructure grew during the past few months and our honeypots caught 3 sequential IP addresses that host over a hundred rogue ad domains. All of these domains have been registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most switched every day or so to let a new one in:
> https://blog.malware...2016/10/206.png
185.51.244.206 / 185.51.244.207 / 185.51.244.208
... The Flash exploit RIG-v uses is protected by SWFLOCK, an online obfuscator/cryptor for Flash files (other EKs like Magnitude use DoSWF)...
Conclusion: The HookAds malvertising campaign is -still- running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit...
IOCs
IPs:
185.51.244.206
185.51.244.207
185.51.244.208
..."
(More detail at the malwarebytes URL above.)
 



Edited by AplusWebMaster, 02 November 2016 - 11:03 AM.



#1821 AplusWebMaster


Posted 02 November 2016 - 06:28 AM

FYI...

Fake 'Transactions' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
2 Nov 2016 - "... Locky downloader... an email with the subject of 'Transactions' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with last_transactions_ containing a VBS file that pretends to be a PDF... One of the  emails looks like:
From: Berry Rutledge <Rutledge35@ shakedownbarvail .com>
Date: Wed 02/11/2016 09:32
Subject: Transactions
Attachment: last_transactions_fb079ee.zip
    Hi [redacted]
    [random name]called me yesterday updating about the transactions on company’s account from last month.
    Examine the attached transaction record. Please let me know if you need more help.
    Best Regards,
    Berry Rutledge


2 November 2016: last_transactions_fb079ee.zip: Extracts to: last_transactions_2EA31C0_PDF.vbs
Current Virus total detections 9/54*. Manual analysis of the vbs shows a download of a file from one of these locations:

  http ://bddja .com/p0u44p8z | http ://akira-sushi34 .ru/przgzq | http ://3rock .ie/qdq1fv4c
  http ://cokealong .com/0l609 | http ://fiveclean .com/14msj3
 which is renamed by the script to a dll and autorun (VirusTotal 7/55**). Neither MALWR nor Payload Security*** ever seem able to display the download URLs or obtain any payload from these VBS scripts, although manual analysis shows it very easily with minimal de-obfuscation of the VBS code...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478080807/

** https://www.virustot...sis/1478083429/

*** https://www.hybrid-a...vironmentId=100
___

Fake 'part 4' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
2 Nov 2016 - "... Locky downloader... an email with the subject of 'part 4' (random numbers between 0 & 9) coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the  emails looks like:
From: TRACIE MACALLISTER <traciemacallister@ perceptualproductions .com>
Date: Thu 01/09/2016 19:22
Subject: part 4
Attachment: JLJEWM918399.zip
    As promised
    TRACIE


2 November 2016: JLJEWM918399.zip: Extracts to: PTKBJH1522.wsf - Current Virus total detections 12/54*
 MALWR** shows a download of an encrypted file from
  http ://aifgroup .jp/43ftybb8?eOcQFhG=ytopbCntxmF which is transformed by the script to BdJXwnO1.dll
(VirusTotal 12/56***). C2 are
 http ://194.28.87.26 /linuxsucks.php | http ://51.255.107.20 /linuxsucks.php
 http ://194.1.239.152 /linuxsucks.php
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478081153/

** https://malwr.com/an...DVlNmI3YmI3NjE/
Hosts
122.200.219.36
194.28.87.26
51.255.107.20
194.1.239.152


*** https://www.virustot...sis/1478084176/
___

Fake 'Companies House' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
2 Nov 2016 - "An email with the subject of 'Companies House – new company complaint' pretending to come from Companies House <noreply@ companieshouses .co.uk> with a malicious word doc with macros delivers Trickbot banking Trojan...

Screenshot: https://myonlinesecu...nt-1024x553.png

2 September 2016: Complaint.doc - Current Virus total detections 4/54*
Payload security** shows a download of sweezy.exe from futuras .com/img/dododocdoc.exe (VirusTotal 6/57***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478089229/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...sis/1478089108/

- http://blog.dynamoo....-house-new.html
2 Nov 2016 - "This fake Companies House spam leads to TrickBot malware... Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic:

Screenshot: https://2.bp.blogspo...anies-house.png

The sender is either noreply@ companies-house .me.uk or noreply@ companieshouses .co.uk - both those domains have actually been registered by the spammers with -fake- WHOIS details... All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you -block- email traffic from those IPs.
Attached is a Word document Complaint.doc (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55[2]] which according to this Hybrid Analysis[1] downloads a binary from:
futuras .com/img/dododocdoc.exe
This is saved as sweezy.exe and has a detection rate of 7/57[3]. At present that download location is down, probably due to exceeding bandwidth quota. The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday[4]:
78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)
The uadomen .com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.
Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117
"
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts


2] https://virustotal.c...eb407/analysis/

3] https://www.virustot...d9c6d/analysis/

4] http://blog.dynamoo....ax-message.html
___

Fake 'DSCF6693' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
1 Nov 2016 - "... Locky downloader... a totally -blank- email with the subject of 'DSCF6693.pdf' (random numbers) coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with DSCF that matches the subject containing a wsf file... One of the  emails looks like:
From: ROXIE LANGBAINE <roxie.3506@ madebuynana .nl>
Date: Tue 01/11/2016 19:51
Subject: DSCF6693.pdf
Attachment: DSCF6693.zip


Body content: totally blank/empty

1 November 2016: DSCF6693.zip: Extracts to: DSCF1121.wsf - Current Virus total detections 8/54*
 MALWR** shows a download of a file from
  http ://el-sklep .com/76vvyt?JazeMXLjl=JXhbIC which is transformed by the script to YHvwcTj1.dll
(VirusTotal 5/57***). C2 are
 http ://194.28.87.26 /linuxsucks.php | http ://51.255.107.20 /linuxsucks.php
 http ://qiklchkunuhhbrk .org/linuxsucks.php |  http ://194.1.239.152 /linuxsucks.php ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477646733/

** https://malwr.com/an...TdiMTdmZWI5ZDc/
Hosts
88.198.110.138
194.28.87.26
51.255.107.20
194.1.239.152
69.195.129.70


*** https://www.virustot...sis/1478031176/
___

Sundown EK ...
- http://blog.talosint...sundown-ek.html
Oct 31, 2016 - "... IOC - Subdomains not included due to usage of domain wildcarding during campaign
Conclusion: The last couple of months have lead to major shifts in the exploit kit landscape with major players disappearing rapidly. We are now in a place where only a handful of exploit kits remain active and kits that would have previously been part of a second tier of EKs have started to rise to prominence. Sundown is a far more widely distributed exploit kit than was initially thought. Even though it doesn't have a huge footprint from an infrastructure perspective, there are lots of users interacting with these kits."
- https://blogs.cisco....sundown_ips.txt

 



Edited by AplusWebMaster, 02 November 2016 - 12:16 PM.
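The C2 check-ins in the Locky runs above share one shape: HTTP requests to /linuxsucks.php on a bare IP address, with those IPs then turning up on the recommended blocklists. An added detection example (not dynamoo's, myonlinesecurity's or the forum's) that runs that heuristic plus a CIDR blocklist over proxy-log lines in a simplified 'timestamp client method url status' format; the log lines are constructed, the blocklist entries are taken from the posts above, and the client and 203.0.113.9 addresses are made up for the demo:

```python
"""Flag Locky-style C2 traffic in proxy logs.

Added example, not code from the quoted sources. Three checks, in order:
a known C2 path, a blocklisted destination, and the generic shape of a POST
to a PHP script on a bare IP (no hostname at all), which is what these
downloaders do regardless of which IP is in use that day.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Endpoint path named repeatedly in the write-ups above; extend as new runs appear.
C2_PATHS = {"/linuxsucks.php"}

# Blocklist as dynamoo publishes it (hosts and CIDR ranges); subset from the posts above.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "51.255.107.20/32", "194.1.239.152/32", "194.28.87.26/32", "91.219.28.0/22")]

# Simplified constructed log format: timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(line: str) -> Optional[tuple]:
    """Return (reason, client) when a line matches one of the heuristics, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    try:
        ip = ipaddress.ip_address(url.hostname or "")  # bare IP host, no DNS name
    except ValueError:
        ip = None
    if url.path.lower() in C2_PATHS:
        return ("known-c2-path", m["client"])
    if ip is not None and any(ip in net for net in BLOCKLIST):
        return ("blocklisted-ip", m["client"])
    if ip is not None and m["method"] == "POST" and url.path.lower().endswith(".php"):
        return ("post-to-php-on-bare-ip", m["client"])
    return None


def scan(lines: list) -> dict:
    """Map each flagged client IP to the list of reasons, in log order."""
    hits = {}
    for line in lines:
        r = classify(line)
        if r is not None:
            hits.setdefault(r[1], []).append(r[0])
    return hits


# Constructed sample log; 10.1.2.x clients and 203.0.113.9 are made up.
SAMPLE_LOG = [
    "2016-11-02T09:35:12Z 10.1.2.30 POST http://194.28.87.26/linuxsucks.php 200",
    "2016-11-02T09:35:40Z 10.1.2.30 POST http://51.255.107.20/linuxsucks.php 200",
    "2016-11-02T09:36:01Z 10.1.2.31 GET http://www.example.com/index.html 200",
    "2016-11-02T09:37:15Z 10.1.2.32 GET http://91.219.28.77/ 404",
    "2016-11-02T09:38:00Z 10.1.2.33 POST http://203.0.113.9/gate.php 200",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, reasons)
```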



#1822 AplusWebMaster


Posted 03 November 2016 - 06:32 AM

FYI...

Fake 'Urgent payment' SPAM - leads to Locky
- http://blog.dynamoo....nt-request.html
3 Nov 2016 - "This spam comes from random senders, the name in the "From" field always matches the fake email signature. The number of exclamation marks varies, and the payload is Locky ransomware.
    Subject:     !!! Urgent payment request
    From:     erika.whitwell@ hillcrestlife .org (erika.whitwell@ hillcrestlife .org)
    Date:     Thursday, 3 November 2016, 10:01
    ERIKA WHITWELL ...


Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly-named malicious javascript file (e.g. 8357243996-7378883150-201611233647-0661.js)...
UPDATE: This Hybrid Analysis* shows the script downloading from:
dornovametoda .sk/jhb6576?jPUTusVX=GXNaiircxm
There will be lots of other download locations too. That same report shows the malware phoning home to the following C2 servers (that overlaps somewhat with those found here):
194.28.87.26/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
109.234.34.227/message.php (McHost .Ru, Russia)
Recommended blocklist:
194.28.87.26
93.170.123.119
109.234.34.0/24
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.0.217.3
194.28.87.26
93.170.123.119
109.234.34.227
54.192.185.153


- https://myonlinesecu...ven-more-locky/
3 Nov 2016 - "... Locky downloader... an email with the subject of '!! Urgent payment request' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .js file... One of the  emails looks like:
From: christi.hayton@ artemisridge .com
Date: Thu 01/09/2016 19:22
Subject: !! Urgent payment request
Attachment: ea05237624050-3072993672-201611145320-0296.zip
      CHRISTI HAYTON Telefon: +49 1743 / 51-9283 Fax: +49 1743 / 5166-9283 ...


3 November 2016: 5237624050-3072993672-201611145320-0296.zip
Extracts to: 2119873724-8372344101-201611211525-3816.js - Current Virus total detections 8/55*
MALWR** shows a download of an encrypted file from
  http ://centinel .ca/jhb6576?rigWApln=iwDykXRT which is converted by the script to lpFtmm1.dll (VirusTotal 9/56***)
C2 http ://194.28.87.26 /message.php . Payload Security[4] shows additional C2... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478165027/

** https://malwr.com/an...Tc5NWI0MzI3Nzg/
Hosts
64.34.157.170
194.28.87.26


*** https://www.virustot...sis/1478166325/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
64.34.157.170
109.234.34.227
93.170.123.119
194.28.87.26
54.192.48.225

___

More Locky ...
- http://blog.dynamoo....2016-11-03.html
3 Nov 2016 - "... Locky runs overnight... here is a data dump of download locations and C2s (at the bottom) from my usual reliable source:
(Long list of domain-names at the dynamoo URL above.)
... C2s:
51.255.107.20 /message .php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
85.143.215.209 /message.php (PrdmService LLC / Comfortel Ltd / Trader soft LLC, Russia)
91.230.211.103 /message .php (Optibit LLC, Russia)
91.239.232.171 /message .php (Hostpro Ltd, Ukraine)
93.170.123.119 /message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
194.28.87.26 /message.php (Hostpro Ltd, Ukraine)
51.255.107.20 /linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
194.1.239.152 /linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
194.28.87.26 /linuxsucks.php (Hostpro Ltd, Ukraine)
Recommended blocklist:
51.255.107.20
85.143.215.209
91.230.211.103
91.239.232.171
93.170.123.119
194.1.239.152
194.28.87.26
"
___

Fake 'Summons' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
3 Nov 2016 - "... updated run of the old 'You’ve been witness summoned to court / You are hereby summoned to appear to court to give evidence' is spreading today... Once you insert the “captcha” numbers into the submit box and press submit, you get a random numbered zip file that extracts to a .js file...

Screenshot: https://myonlinesecu...78-1024x781.png

3 November 2016: 66504.zip: Extracts to: Case Details.js - Current Virus total detections 3/55*
 MALWR** shows a download of a file from
  http ://rudarskiinstituttuzla .ba/modules/mod_stat/bidkemjarf/localbbrs.exe (VirusTotal 4/57***)
Payload Security[4]... earlier this week, this sort of -spoofed- UK Government emails were used to deliver Trickbot banking Trojan. This malware payload looks somewhat different to those: MALWR[5].. Payload Security[6] analysis of downloaded malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478169130/

** https://malwr.com/an...2VmOTlmYzUzZWE/
Hosts
176.9.10.243

*** https://www.virustot...sis/1478169467/

4] https://www.hybrid-a...vironmentId=100


5] https://malwr.com/an...mEzZTg1NmM4NTU/

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
208.118.235.148
148.163.112.203

___

Fake 'Bill' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
3 Nov 2016 - "... Locky downloader... an email telling you to pay your maintenance bill with the subject of 'Bill' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with november_bill_ containing a VBS file that pretends to be a PDF... One of the emails looks like:
From: Ericka Oneill <Oneill000@ soundsolutionsrecording .com>
Date: Thu 03/11/2016 13:40
Subject: Bill
Attachment: november_bill_450e7d7f0.zip
    Dear [redacted]
    To continue using our maintenance service, please pay for last month’s fee by 4th of November.
    The bill is attached in the email.
    Please keep it for later purposes.
    King Regards,
    Ericka Oneill


3 November 2016: november_bill_450e7d7f0.zip: Extracts to: TN E3E6314.vbs - Current Virus total detections 8/55*
 Manual analysis shows a download of a file from one of these locations:
 http ://aurora.cdl-sc .org.br/gj789z
 http ://davidart .com.tw/haa4vt4u
 http ://artlab .co.il/hgm0chod
 http ://dingeabyss .com/1jawie
 http ://sehyokette.net/1t6ywcjb
... which is renamed by the script to a DLL (VirusTotal 8/57**). Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478181547/

** https://www.virustot...sis/1478181696/

*** https://www.hybrid-a...vironmentId=100

___

Fake 'Order' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
3 Nov 2016 - "... Locky downloader... an email with the subject of 'Order 903644 (Acknowledgement)' [random numbers] coming as usual from random companies, names and email addresses with a zip attachment that starts with several random letters then a series of numbers that matches the subject order number containing a VBS file... One of the emails looks like:
From: CORA FRANZKE <eml@ durellaw .com>
Date: Thu 03/11/2016 14:50
Subject: Order 903644 (Acknowledgement)
Attachment: jf903644.zip
    Please find document attached


3 November 2016: jf903644.zip: Extracts to: KUnyn699-32121.vbs - Current Virus total detections 5/55*
Payload Security**...Manual analysis shows a download of a file from one of these locations
 albakrawe-uae .com/i9jnrc
 cosywall .pl/i9jnrc
 eldamennska .is/i9jnrc
 irk.24abcd .ru/i9jnrc
 schuhdowdy .net/i9jnrc
 teriisawa .com/i9jnrc
(VirusTotal 11/56***). C2 are 109.234.35.230 | 176.103.56.119 /message.php. This also uses the Tor network... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478185057/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1478192229/
 



Edited by AplusWebMaster, 03 November 2016 - 02:02 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1823 AplusWebMaster


Posted 04 November 2016 - 06:40 AM

FYI...

Fake 'Please verify' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
4 Nov 2016 - "... Locky downloader... an email that pretends to be about proofreading the technical document you sent with the subject of 'Please verify' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with tech_doc_ containing a VBS file... very similar to recent Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just -renames- it to the -dll- name... Payload Security report[2]...
1] https://myonlinesecu...y-thor-version/
One of the emails looks like:
From: Coleen Barr <Barr84@ homedesigners171 .com>
Date: Fri 04/11/2016 09:49
Subject: Please verify
Attachment: tech_doc_dc405d482.zip
    Hey [redacted], as you requested, I have proofread the technical document you sent.
    There are some confused parts in it.
    Please verify the parts highlighted in the attached document.
    Best Wishes,
    Coleen Barr


4 November 2016: tech_doc_dc405d482.zip: Extracts to: NRV4MO04.vbs - Current Virus total detections 10/55*
Manual analysis shows a download of a file from one of these locations:
 http ://good-gamess .ru/qz7at0 | http ://astrotranspersonal .com.ar/rhiup3j | http ://goldendogs .nl/s6ymz2k
 http ://bahutnorma .net/2pceo6 | http ://rangyinby .com/3ixr99t (VirusTotal 7/57**)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478253546/

** https://www.virustot...sis/1478253708/

2] https://www.hybrid-a...vironmentId=100
___

Fake 'Payroll Payslip' SPAM - delivers Java Adwind
- https://myonlinesecu...dwind-jacksbot/
4 Nov 2016 - "... fake financial themed emails containing java adwind/Java Jacksbot Trojan attachments... can only be active or infect you -if- you have Sun/Oracle Java installed... The email looks like:
From: wu.paymaster@ westernunion .com <postmaster@ fanavaelecomp .com>
Date: Fri 04/11/2016 06:37
Subject: Payroll Payslip (NO-REPLY)
Attachment: Details.zip
    Dear agent,
    Attached is your payslip for the payroll period of 01 October 2016 to 01 November 2016.To view your Payslip, simply type in your Personal Password when asked for a password. If you did not  submit your personal password, just type in your last name followed by the birthday (Format: MMddyyyy) and the last four (4) digits of your employee id number when asked for a password (e.g., ocampo011320141234). Please make sure to use lowercase letters, no spaces and no special characters when typing your password, name suffix is also part of your lastname...
    Sincerely,
    Accounting Department


4 November 2016: Payrol Payslip.jar (323 kb) - Current Virus total detections 17/56* - Payload Security**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478239741/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.107.152.224
 



Edited by AplusWebMaster, 04 November 2016 - 07:01 AM.



#1824 AplusWebMaster


Posted 07 November 2016 - 07:04 AM

FYI...

Fake 'Financial documents' SPAM - leads to Locky
- http://blog.dynamoo....ents-leads.html
7 Nov 2016 - "The never-ending Locky ransomware onslaught continues. This -fake- financial spam has a malicious attachment:
    Subject:     Financial documents
    From:     Judy Herman
    To:     [redacted]
    Date:     Monday, 7 November 2016, 10:53
    Hi [redacted],
    These financial documents need to be uploaded on the system.
    Please let me know if you experience any technical problems.
    Best Wishes,
    Judy Herman 


Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs ... This particular script (and there will be others like it) attempts to download from:
http ://coachatelier .nl/lg8s2
http ://bechsautomobiler .dk/m8idi9j
http ://desertkingwaterproofing .com/ma4562
http ://zapashydro .net/6sgto2bd
http ://owkcon .com/6xgohg6i
According to this Hybrid Analysis*, the malware then phones home to:
195.123.211.229 /message .php [hostname: panteleev.zomro .com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102 /message .php [hostname: endgo .ru] (Hostpro Ltd. / hostpro .com.ua, Ukraine)
188.65.211.181 /message .php (Knopp, Russia)
Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181
"
* https://www.hybrid-a...vironmentId=100


- https://myonlinesecu...delivers-locky/
7 Nov 2016 - "... Locky downloader... an email with the subject of 'Financial documents' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with fin_docs_ containing a VBS file... One of the emails looks like:
From: Delbert Mckay <Mckay8375@ purrfectsports .com>
Date: Mon 07/11/2016 10:57
Subject: Financial documents
Attachment: fin_docs_c605c39a.zip
    Hi [redacted]
    These financial documents need to be uploaded on the system.
    Please let me know if you experience any technical problems.
    Best Wishes,
    Delbert Mckay


7 November 2016: fin_docs_c605c39a.zip: Extracts to: NRV_3O63MI_.vbs - Current Virus total detections 5/54*
Payload Security** shows downloads of a file from the same locations which is renamed by the script to qltoUhLp0.dll (VirusTotal 9/57***). C2 are:
 188.65.211.181  | 185.67.0.102 | 195.123.211.229 .. all use /message.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478516808/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1478517111/
___

Fake 'Scanned image' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
7 Nov 2016 - "... Locky downloader... an email with the subject of 'Scanned image' from MX2310U@ your-own email domain pretending to come from office@ your-own email domain with a semi-random named zip attachment in the form of office@ your-own email domain _random numbers.zip containing a .JS file... One of the  emails looks like:
From: office@ ...
Date: Mon 07/11/2016 14:16
Subject: Scanned image from MX2310U@ ...
Attachment: office@ ...zip
    Reply to: office@ ... <office@ ...>
    Device Name: MX2310U@ ...
    Device Model: MX-2310U
    Location: Reception
    File Format: PDF MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in PDF format...


7 November 2016: office@ ...zip: Extracts to: JYF16212-1319.js - Current Virus total detections 8/53*
Payload Security** shows a download of an encrypted file from henrytye .com /hgf65g?ymWrOm=LeFqAxKmfIY
 which is renamed by the script to bRewBexBO1.dll ...
C2: 81.177.180.53 /message.php and 176.103.56.120 /message.php. Unfortunately the free web version of Payload Security does not give the actual downloaded file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478531957/

** https://www.hybrid-a...vironmentId=100

___

Fake 'Scan' SPAM - more Locky
- https://myonlinesecu...ven-more-locky/
7 Nov 2016 - "... Locky downloader... an email with the subject of '[Scan] 2016-1107 17:29:49' coming as usual from random companies, names and email addresses with a zip attachment named after today's date and a time containing a wsf file... One of the emails looks like:
From: MAURICIO BLUM <mauricio.blum.72@ tullochcapital .com>
Date: Mon 07/11/2016 22:30
Subject: [Scan] 2016-1107 17:29:49
Attachment: 2016-1107 17-29-49.zip
    Sent with Genius Scan for iOS. 


7 November 2016: 2016-1107 17-29-49.zip: Extracts to: UNA516807-3039.wsf - Current Virus total detections 8/55*
MALWR** and Payload Security*** both show a download of an encrypted file from
  http ://futuregroup .cz/98ynhce?IspgpFMAU=eJftALCrAxB which is converted by the script to
 cflaTvC1.dll (VirusTotal 11/56[4]). C2: http ://81.177.27.222 /message.php and 176.103.56.120 /message.php ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478558924/

** https://malwr.com/an...DMxMjBhZTU3OGU/
Hosts
85.207.99.25
81.177.27.222


*** https://www.reverse....vironmentId=100


4] https://www.virustot...sis/1478556970/
___

Fake 'American Express' phish
- https://myonlinesecu...press-phishing/
7 Nov 2016 - "... American Express phishing email...

Screenshot: https://i1.wp.com/my...1223,1033&ssl=1

... shows a website that looks like this included in a frame so it is never actually on your computer at all.
(I had to split the screenshot into 2 parts to get all the information they want, which is a lot more than normal.)
>> https://i0.wp.com/my...=1024,625&ssl=1

>>> https://i0.wp.com/my...=1024,548&ssl=1

... It will NEVER be a genuine email from American Express or any other bank or credit card company so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email.."
 



Edited by AplusWebMaster, 08 November 2016 - 05:16 AM.



#1825 AplusWebMaster


Posted 08 November 2016 - 06:23 AM

FYI...

Fake 'Parcel2Go' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
8 Nov 2016 - "An email with the subject of '#25024552 Parcel2go delivery announce' (random numbers) pretending to come from random senders with a -link- to Google Drive that downloads a malicious word doc delivers malware... The link is still live at the time of posting despite being reported yesterday to Google...

Screenshot: https://i2.wp.com/my...=1024,743&ssl=1

8 November 2016: parchel2go567313.doc - Current Virus total detections 3/54*
Both MALWR** and Payload Security*** show a connection to & download from
  http ://findserviceapp .com.br/mr6.exe but only Payload Security actually managed to retrieve the malware but doesn’t describe it as malicious, only describing it as informative... (VirusTotal 6/56[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478535435/

** https://malwr.com/an...zE2ZGRlOWY5MTA/
Hosts
192.185.208.115

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.208.115

4] https://www.virustot...sis/1478602406/
___

Fake 'Statement' SPAM - leads to Locky
- http://blog.dynamoo....s-to-locky.html
8 Nov 2016 - "Another terse fake financial spam leading to Locky ransomware:
    Subject:     Statement
    From:     accounts@ somedomain .tld
    Date:     Tuesday, 8 November 2016, 10:59
    For your Information.


The sender domain varies. Attached is a ZIP file with a name similar to Statement PDF - 56765041263.zip which in turn contains a malicious WSF script... named in a format similar to SLM245260-0214.wsf. Hybrid Analysis* of this one sample shows a download occurring from:
gpstrackerbali .com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG
There will no doubt be many other locations, if I get more information then I will post it here. The script drops a DLL with a detection rate of 14/56** and the malware appears to phone home to:
185.118.66.90 /message.php (vpsville.ru, Russia)
158.69.223.5 /message.php (OVH, Canada)
Recommended blocklist:
185.118.66.90
158.69.223.5
"
* https://www.hybrid-a...vironmentId=100


** https://virustotal.c...sis/1478605400/

- https://myonlinesecu...delivers-locky/
8 Nov 2016 - "... Locky downloader... an email with the subject of 'Statement' coming from accounts@ random companies, names and email addresses with a semi-random named zip attachment starting with Statement PDF containing a WSF file... One of the emails looks like:
From: accounts@ energycontrol .gr
Date: Tue 08/11/2016 10:58
Subject: Statement
Attachment: Statement PDF – 9022558992.zip
    For your Information.


8 November 2016: Statement PDF – 9022558992.zip: Extracts to: SLM245260-0214.wsf - Current Virus total detections 9/55*
Payload Security** shows a download of an encrypted file from
  http ://gpstrackerbali .com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG which is converted by the script to
GMbsdHBsIX1.dll (VirusTotal 14/56***)... A list of alternative download sites so far discovered by another researcher[4] has been posted on pastebin[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478604149/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1478604056/

4] https://twitter.com/...949000352497664

5] http://pastebin.com/VGvZafjs
___

Fake 'Suspicious movements' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
8 Nov 2016 - "... Locky downloader... an email that pretends to be a notification from U.S. Office of Personnel Management with the subject of 'Suspicious movements' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of pdf_recipients name_random numbers.zip containing a .JS file... One of the emails looks like:
From: Cristobal Johns <Johns.Cristobal@ autoimmunkrankheit .de>
Date: Tue 08/11/2016 12:17
Subject: Suspicious movements
Attachment: pdf_forum_534e144e2.zip
    Dear[redacted], Angel from the bank notified us about the suspicious movements on out account.
    Examine the attached scanned record. If you need more information, feel free to contact me.
     —
    King regards,
    Cristobal Johns
    Account Manager ...
    U.S. Office of Personnel Management
    1265 E Street, NW
    Washington, DC 20415-1000


8 November 2016: pdf_forum_534e144e2.zip: Extracts to: NRV_AM00I_.js - Current Virus total detections 6/55*
MALWR** shows a download of a file from http ://dowfrecap .net/3muv7 which is renamed by the script to a DLL and autorun (VirusTotal 9/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478607538/

** https://malwr.com/an...zhhMDYzN2Q0Nzk/
Hosts
67.171.65.64

*** https://www.virustot...sis/1478609031/

- http://blog.dynamoo....ents-leads.html
8 Nov 2016 - "This fake financial spam leads to Locky ransomware:
    Subject:     Suspicious movements
    From:     Marlene Parrish
    Date:     Tuesday, 8 November 2016, 12:52
    Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
    Examine the attached scanned record. If you need more information, feel free to contact me.
    ---
    King regards,
    Marlene Parrish
    Account Manager...
    U.S. Office of Personnel Management
    1189 E Street, NW
    Washington, DC 20415-1000


The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js)... That particular script downloads a malicious component from one of the following locations:
vexerrais .net/6sbdh
centinel .ca/wkr1j6n
3-50-90 .ru/u4y5t
alpermetalsanayi .com/vuvls
flurrbinh .net/6mz3c5q
There will probably be other download locations. This Hybrid Analysis* and this Malwr report** show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56***."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
67.171.65.64
52.34.245.108
52.85.184.253


** https://malwr.com/an...jI1YzEwMTZmNzc/
Hosts
213.176.241.230

*** https://virustotal.c...sis/1478613989/
___

Fake 'Order' SPAM - more Locky
- https://myonlinesecu...ven-more-locky/
8 Nov 2016 - "... Locky onslaught continues... an email with the extremely generic subject of 'Order 88222889 (random numbers)' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
From: TUAN LILLIE <eml@ woolleymarket .com>
Date: Tue 08/11/2016 16:12
Subject: Order 88222889
Attachment: jAlR88222889.zip
    Please find document attached


8 November 2016: jAlR88222889.zip: Extracts to: XWZ429433-2034.wsf - Current Virus total detections 10/55*
MALWR** shows a download of an encrypted file from
 http ://inzt .net/67j5hg?nrxLhJ=HYkWYO -or- http ://all-kaigo .com/67j5hg?nrxLhJ=HYkWYO
which is converted by the script to woxUgKy2.dll (VirusTotal 12/56***). C2: http ://158.69.223.5 /message.php...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478621842/

** https://malwr.com/an...WE2NjM2YmI5NTE/


*** https://www.virustot...sis/1477647176/
 



Edited by AplusWebMaster, 08 November 2016 - 12:00 PM.

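The posts above keep describing the same chain: a randomly named zip holding a .js, .wsf or .vbs script, then a check-in to a bare-IP C2 on /message.php or /linuxsucks.php. The Python below is an added example written for this thread, not code from dynamoo, myonlinesecurity or the forum poster: it triages a zip attachment for script members and scans proxy-log lines for that C2 pattern, using a constructed zip, constructed log lines (the log format is assumed) and the C2 paths and blocklist IPs published in the quoted posts.

```python
"""Triage helpers for the Locky malspam pattern described in this thread.

Added example, not code from the quoted blogs or the forum poster. Two checks:
  1. attachment triage: zip members that are Windows script files
     (.js/.wsf/.vbs, the types seen in the posts above), including
     double-extension names such as something.pdf.js;
  2. proxy-log check: HTTP requests to a bare IP address on /message.php or
     /linuxsucks.php, the C2 paths listed in the posts above, with a note of
     whether the IP is on the published blocklist.
The zip and the log lines below are constructed for demonstration; the log
format (timestamp client method url status) is an assumption.
"""
import io
import ipaddress
import re
import zipfile
from urllib.parse import urlsplit

SCRIPT_EXTENSIONS = {".js", ".wsf", ".vbs"}          # script types seen in the posts
LOCKY_C2_PATHS = {"/message.php", "/linuxsucks.php"}  # C2 paths seen in the posts
# Blocklist entries as published in the dynamoo posts quoted above.
BLOCKLIST = {"85.143.212.23", "158.69.223.5", "185.118.66.90", "194.28.87.26"}

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed proxy log: one real Locky C2 from the posts, a TEST-NET address
# that matches the pattern but is not on the blocklist, an RFC1918 address, and
# a DNS-named host that should not be flagged.
SAMPLE_PROXY_LOG = """\
2016-11-09T10:51:02 10.0.0.15 GET http://www.example.com/index.html 200
2016-11-09T10:51:12 10.0.0.15 POST http://158.69.223.5/message.php 200
2016-11-09T10:52:40 10.0.0.22 POST http://203.0.113.7/message.php 200
2016-11-09T10:53:01 10.0.0.31 POST http://10.0.0.5/linuxsucks.php 404
2016-11-09T10:53:30 10.0.0.40 GET http://cdn.example.net/message.php 200
"""


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Return the zip members whose final extension is a script type."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):          # directory entry, nothing to run
                continue
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            if ext in SCRIPT_EXTENSIONS:   # catches invoice.pdf.js as well
                hits.append(name)
    return hits


def build_sample_zip() -> bytes:
    """Constructed attachment shaped like the ones in the posts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SLM245260-0214.wsf", "<job><script>/* placeholder */</script></job>")
        zf.writestr("readme.txt", "harmless text member")
        zf.writestr("invoice.pdf.js", "// placeholder, not a downloader")
    return buf.getvalue()


def c2_hits(log_text: str) -> list[dict]:
    """Flag requests to a bare IP on a Locky C2 path; note blocklist matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, _status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue    # DNS name: not the bare-IP pattern documented here
        if parts.path not in LOCKY_C2_PATHS:
            continue
        hits.append({"time": ts, "client": client, "method": method,
                     "c2": host, "path": parts.path,
                     "on_blocklist": host in BLOCKLIST})
    return hits


if __name__ == "__main__":
    for member in suspicious_zip_members(build_sample_zip()):
        print(f"script attachment member: {member}")
    for h in c2_hits(SAMPLE_PROXY_LOG):
        flag = "BLOCKLISTED" if h["on_blocklist"] else "pattern match"
        print(f"{h['time']} {h['client']} -> {h['c2']}{h['path']} [{flag}]")
```

A hit on a bare IP that is not yet on the blocklist is still worth a look, since the posts show the C2 addresses changing from run to run while the paths stay the same.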


#1826 AplusWebMaster


Posted 09 November 2016 - 06:02 AM

FYI...

Fake 'Amazon order' SPAM - leads to Locky
- http://blog.dynamoo....-order-has.html
9 Nov 2016 - "Overnight there has been a massive -fake- Amazon spam run leading to Locky ransomware:
    From:    Amazon Inc [auto-shipping27@ amazon .com]
    Date:    8 November 2016 at 23:10
    Subject:    Your Amazon .com order has dispatched (#021-3323415-8170076)
    Dear Customer,
    Greetings from Amazon.com,
    We are writing to let you know that the following item has been sent using  DHL Express.
    For more information about delivery estimates and any open orders, please visit...
    Your order #021-3323415-8170076 (received November 8, 2016)
    Your right to cancel ...


All the versions I have seen contain those same formatting errors. Details vary from message to message (e.g. carrier, reference numbers). Attached is a malicious ZIP file (e.g. ORDER-608-0848796-6857907.zip) containing a malicious javascript file (e.g. F-9295287522-9444213500-201611165156-2601.js)... My usual source (thank you) tells me that the various scripts download a component...
(Long list of domain-names at the dynamoo URL above.)
... It appears to drop a malicious DLL with a detection rate of 32/56*. The following C2 servers have been identified:
85.143.212.23 /message.php (PrdmService LLC, Russia)
158.69.223.5 /message.php (OVH, Canada)
UPDATE: According to the Hybrid Analysis** the dropped Locky binary actually has an MD5 of ad6fb318002df4ffc80795cc31d529b4 and a detection rate of 28/56***.
Recommended blocklist:
85.143.212.23
158.69.223.5
"
* https://virustotal.c...60007/analysis/

** https://www.hybrid-a...vironmentId=100


*** https://virustotal.c...sis/1478684633/

- https://myonlinesecu...delivers-locky/
8 Nov 2016 - "... Locky downloader... an email with the subject of 'Your Amazon .com order has dispatched (#324-3101580-5413719) [random numbers]' pretending to come from Amazon .com <auto-shipping6@ amazon .com>... The js file inside the zip and the downloaded Locky file are identical to this slightly earlier malspam run[1]...
1] https://myonlinesecu...delivers-locky/
One of the emails looks like:
From: Amazon .com <auto-shipping6@ amazon .com>
Date: Thu 01/09/2016 19:22
Subject: Your Amazon .com order has dispatched (#324-3101580-5413719)
Attachment: ORDER-324-3101580-5413719.zip
    Dear Customer,
    Greetings from Amazon .com,
    We are writing to let you know that the following item has been sent using DHL Express.
    For more information about delivery estimates and any open orders, please visit...
    Your order #324-3101580-5413719 (received November 8, 2016)
    Your right to cancel...


1] 8 November 2016: F-9456818814-1332384076-201611050929-1010.zip: Extracts to: F-8526972159-4046871521-201611111127-2039.js
Current Virus total detections 12/55*. MALWR** shows a download of an encrypted file from
 http ://masiled .es/7845gf?ukORpqyil=ukORpqyil which is converted by the script to
ukORpqyil1.dll (VirusTotal 14/57***). C2 http ://158.69.223.5 /message.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478643166/

** https://malwr.com/an...GM3YWVkZjJlNTQ/
Hosts
185.76.77.219
158.69.223.5


*** https://www.virustot...sis/1478643306/
___

Fake 'FedEx' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
9 Nov 2016 - "... Locky downloader... an email with the subject of 'We could not deliver your parcel, #551196' (random numbers) pretending to come from -FedEx- Standard Overnight with a malicious word doc downloading Locky... The email looks like:
From: FedEx Standard Overnight <cbrecareers@ cbre .com>
Date: Wed 09/11/2016 07:50
Subject: We could not deliver your parcel, #551196
Attachment: FedEx.doc
    Hello,
    We could not deliver your item. Please, download Delivery Label attached to this email.
    Kaja Helscher – Area Manager FedEx , CA
    Regards


9 November 2016: FedEx.doc - Current Virus total detections 18/55*
Payload Security** shows a download from http ://perfectionbm .top/ll/ldd.php which is saved as 0.7055475 and autorun by the macro (VirusTotal 9/55***). Payload Security[4]. C2 are 51.255.107.6 /message.php and
 81.177.27.222 /message.php... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478674872/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.22.220.32
51.255.107.6
81.177.27.222


*** https://www.virustot...sis/1478676422/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
51.255.107.6
81.177.27.222

___

Fake 'Account temporarily suspended' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
9 Nov 2016 - "... Locky downloader... an email with the subject of 'Account temporarily suspended' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of recipients name_random numbers.zip containing a .JS file... One of the emails looks like:
From: Ethan Talley <Talley.Ethan@ glycomicscenter .com>
Date: Wed 09/11/2016 09:43
Subject: Account temporarily suspended
Attachment: ea00ba32a5.zip
    Dear Customer.
    You have exceeded the limit of operations on your credit card.
    Thus, we have temporarily blocked your account.
    The full itemization of transactions and instructions are given in the document attached to this message.
     Best regards.


9 November 2016: hp_printer_e1b837ff1.zip: Extracts to: 6011290KI.js - Current Virus total detections 8/55*
MALWR** shows a download of a file from http ://locook .com/n8kacjjc which is renamed by the script to hC0VoiB2fRYyoJt8.dll (VirusTotal 9/57***). Payload security[4] shows C2 81.177.26.136 | 185.118.164.125 | 95.46.8.109 /message.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478684678/

** https://malwr.com/an...2MwODRlODM5YTQ/
Hosts
123.57.33.148

*** https://www.virustot...sis/1478685279/

4] https://www.hybrid-a...vironmentId=100


- http://blog.dynamoo....emporarily.html
9 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    Nicole Roman
    Date:    9 November 2016 at 10:44
    Subject:    Account temporarily suspended
    Dear Customer.
    You have exceeded the limit of operations on your credit card.
    Thus, we have temporarily blocked your account.
    The full itemization of transactions and instructions are given in the document attached to this message.
    Best regards.


The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, containing a randomly-named malicious .js script... That particular script attempts to download a binary... This Hybrid Analysis* and this Malwr report** show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56***..."
* https://www.hybrid-a...vironmentId=100


** https://malwr.com/an...TY3MDMzNzA4NGQ/
Hosts
67.171.65.64

*** https://virustotal.c...sis/1478689362/
___

Fake 'E-bill' SPAM - leads to Locky
- http://blog.dynamoo....ard-e-bill.html
9 Nov 2016 - "This spam has an interestingly malformed subject, however the attachment leads to Locky ransomware:
    Subject:     Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016
    From:     KELLY MOORHOUSE (kelly.moorhouse@ edbn .org)
    Date:     Wednesday, 9 November 2016, 12:52
    KELLY MOORHOUSE
    Last & Tricker Partnership
    3 Lower Brook Mews
    Lower Brook Street
    Ipswich Suffolk IP4 1RA
    T: 01473 252961  F: 01473 233709  M: 07778464004 ...


Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf)... For one sample script, the Hybrid Analysis* and Malwr report** indicate a binary is downloaded from one of the following locations:
alamanconsulting .at/0ftce4?aGiszrIV=gRLYYDHSna
naka-dent .mobi/0ftce4?aGiszrIV=gRLYYDHSna
This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56***.
85.143.212.23 /message.php (PrdmService LLC, Russia)
158.69.223.5 /message.php (OVH, Canada)
These are the same C2s as seen here[4]."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.98.7.100
120.136.10.80
85.143.212.23
158.69.223.5
52.32.150.180
52.85.184.199


** https://malwr.com/an...mNjMGM5YmRjMTU/
Hosts
185.98.7.100
120.136.10.80
85.143.212.23
158.69.223.5


*** https://virustotal.c...sis/1478698613/

4] http://blog.dynamoo....-order-has.html
 



Edited by AplusWebMaster, 09 November 2016 - 11:35 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1827 AplusWebMaster

Posted 10 November 2016 - 07:09 AM

FYI...

Fake 'Receipt' SPAM - delivers Locky
- https://myonlinesecu...mail-addresses/
10 Nov 2016 - "... Locky downloader... a -Blank- email with the subject of 'Receipt 93-241363' (random numbers) pretending to come from random names @ Gmail.com with a zip attachment containing a WSF file... One of the emails looks like:
From: brianna.simister@ gmail .com
Date: Thu 10/11/2016 10:14
Subject: Receipt 93-241363
Attachment: Receipt 93-241363.zip


Body content: Totally empty/Blank

10 November 2016: Receipt 93-241363.zip: Extracts to: FGNTHQ253308.wsf - Current Virus total detections 8/55*
MALWR** shows a download of an encrypted file from http ://livinghealthyworld .com/845yfgh?nivGYcwhUYT=mCDCzF
which is converted by the script to idJsCdj1.dll (VirusTotal 8/55***). C2 http ://107.181.174.34 /message.php...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478772972/

** https://malwr.com/an...TE5MmU2ZGU0ZDE/
Hosts
104.37.35.78
107.181.174.34


*** https://www.virustot...sis/1478773545/
___

Fake 'Document' SPAM - more Locky
- https://myonlinesecu...mail-addresses/
10 Nov 2016 - "... Locky downloader... a -blank- email with the subject of 'Document from Amparo' (random names) pretending to come from random names @ Gmail .com with a zip attachment containing a WSF file... One of the emails looks like:
From: Amparo ormerod <Amparo734987@ gmail .com>
Date: Thu 10/11/2016 14:38
Subject: Document from Amparo
Attachment: DOC-20161110-WA000458.zip


Body content: Totally empty/blank

10 November 2016: DOC-20161110-WA000458.zip: Extracts to: RPPMS171825.wsf - Current Virus total detections 8/55*
Payload Security** shows a download of an encrypted file from
 project-group .pro/845yfgh?eKSrkxbtC=rewwnkHmjMh which is converted by the script to idJsCdj1.dll
(VirusTotal 11/56***). C2 107.181.174.34 /message.php and others... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478793348/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.43.5.211
188.127.237.175
86.110.117.244
107.181.174.34
85.143.212.23
69.195.129.70
52.84.13.31
74.216.233.251
52.35.54.251
71.19.173.112
165.254.32.128
23.4.187.27


*** https://www.virustot...sis/1478794808/
 



Edited by AplusWebMaster, 10 November 2016 - 12:55 PM.



#1828 AplusWebMaster

Posted 11 November 2016 - 08:01 AM

FYI...

Fake 'Tech Support Order' SPAM - delivers Locky
- https://myonlinesecu...-support-order/
11 Nov 2016 - "... Locky downloader... an email with the subject of 'Order' pretending to come from Technical Support at random companies and email addresses, with a zip attachment in the format of order_<recipient's name>.zip containing a .js file... One of the emails looks like:
From: Technical Support <Hogan.Terrance@ dl0349 .screaming .net>
Date: Fri 11/11/2016 11:42
Subject: Order
Attachment: order_scans.zip
    Dear Customer
    The item you’ve ordered is on delay due to the unknown problem regarding your bank account you paid from.
    Please check you data in the attachment as soon as you can.
    Best Wishes,
    Terrance Hogan
    Technical Support


11 November 2016: order_scans.zip: Extracts to: -91Q99QFW2H2-.js - Current Virus total detections 7/55*
Manual analysis shows a download of a file from one of these locations:
  http ://g2el .com/grj2qqih | http ://gusi .biz/gu7h38t | http ://nsrcconsulting .com/dumu1sl
  http ://thirlnak .net/5crdsr | http ://scupwail .com/5ghkmmf which is renamed by the script and autorun
(VirusTotal 10/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478866769/

** https://www.virustot...sis/1478865179/

g2el .com: 167.88.3.113: https://www.virustot...13/information/
gusi .biz: 88.85.81.9: https://www.virustot....9/information/
nsrcconsulting .com: 113.197.39.189: https://www.virustot...89/information/
thirlnak .net: 67.171.65.64: https://www.virustot...64/information/
213.176.241.230: https://www.virustot...30/information/
scupwail .com: 213.176.241.230
67.171.65.64
___

Blank or NO subject SPAM - malformed/broken email delivers Locky
- https://myonlinesecu...ith-no-subject/
11 Nov 2016 - "... Locky downloader... a damaged/malformed/broken email with either a -blank- subject line or the subject of <no subject> coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of todays date and loads of random numbers containing a .JS file. Despite the delivered email being malformed or damaged, the actual attachment works fine and will encrypt your computer if you open or run the .js file inside the zip...

Screenshot: https://i1.wp.com/my...=1024,965&ssl=1

11 November 2016: 20161111174617885403.zip: Extracts to: 201611111333125461862851.js
Current Virus total detections 10/55*. MALWR** shows a download of an encrypted file from
  http ://ibluegreen .com/487ygfh?hpuarlLJK=hpuarlLJK which is converted by the script to hpuarlLJK1.dll
(VirusTotal 9/57***). C2: http ://85.143.212.23 /message.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478868610/

** https://malwr.com/an...DRlYjBjMDMzZGQ/
Hosts
222.231.31.195: https://www.virustot...95/information/
85.143.212.23: https://www.virustot...23/information/

*** https://www.virustot...sis/1478867406/
___

Fake 'Virtual card' SPAM - delivers Locky
- https://myonlinesecu...l-card-malspam/
11 Nov 2016 - "... Locky downloader... an email with the subject of 'Virtual card' coming as usual from random companies, names and email addresses with a zip attachment in the format of virtualcard_<recipient name>.zip containing a .js file... One of the emails looks like:
From: Carmella Sandoval <Sandoval.Carmella@ usstidewater .org>
Date:Fri 11/11/2016 18:37
Subject: Virtual card
Attachment: virtualcard_wellsybolujou.zip
    Dear Client! A virtual card you have ordered is now ready but not active.
    In order to activate it, please open the attached document and specify your personal data when it’s possible.


11 November 2016: virtualcard_wellsybolujou.zip: Extracts to: 6KO1G7XU-3827P1594ZITKI6G51.js
Current Virus total detections 7/55*. Manual analysis shows a download of a file from one of these locations:
 spoiltgirlsclub .com/x6usth1 | eddermiaul .net/2yr5egml | mangdesign .com/ud7gv4 | hzcysw .net/u1qmyaw
 darbyreis .com/39hv30q9 which is renamed by the script (VirusTotal 11/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478889495/

** https://www.virustot...sis/1478889911/

spoiltgirlsclub .com: 64.69.219.91: https://www.virustot...91/information/
eddermiaul .net: 213.176.241.230: https://www.virustot...30/information/
67.171.65.64: https://www.virustot...64/information/
mangdesign .com: 121.40.24.159: https://www.virustot...59/information/
hzcysw .net: 116.255.152.112: https://www.virustot...12/information/
darbyreis .com: 213.176.241.230
67.171.65.64
___

Malicious SPAM volume hits two year high
- https://www.helpnets...us-spam-volume/
Nov 11, 2016 - "According to the Kaspersky Lab Spam and Phishing in Q3 report*, the company’s products blocked 73,066,751 attempts to attack users with malicious attachments. This is the largest amount of malicious spam since the beginning of 2014 and is a 37 percent increase compared to the previous quarter. The majority of those attachments were ransomware Trojan downloaders:
> https://www.helpnets...112016-spam.jpg
... the percentage of spam in global email traffic in September hit an all-time high for the year so far at 61.25 percent..."
* https://securelist.c...ing-in-q3-2016/
Proportion of spam in email traffic
> https://cdn.secureli...2016_eng_11.png
Sources of spam by country
>> https://cdn.secureli...2016_eng_12.png
Countries -targeted- by malicious mailshots
>>> https://cdn.secureli...2016_eng_15.png
___

Ransomware doesn’t mean 'game over'
- https://blog.malware...mean-game-over/
Nov 10, 2016 - "... Over the course of just a few years, this threat has evolved from an annoying pop-up to a screen freezer that utilizes disturbing imagery to a sophisticated malicious program that encrypts important files. New technologies are popping up all the time that combat the ransomware issue, however most (if not all) require active protection -before- you get infected. But what do you do if your company has already been infected?... at least in the criminal’s eyes, once a user gets infected, there is no recovery option other than paying the ransom. Also, victims actually pay-the-ransom directly to the criminal, cutting out any need for middlemen or having to sell piles of stolen credit card information on darknet forums... It’s likely that the future of ransomware will include things like blackmail (threats to post trade secrets or company intel online or releasing customer information), more aggressive infection and AV evasion techniques, and better target identification—all techniques that we know how to combat. However, while the news of how to stop the malware is spreading, millions of people are still going to get infected because they didn’t 'get the memo'...
> Option 1: Backups: ... make -sure- you keep some kind of file history enabled in your -backup- solution so you can revert to a previous backup if necessary. Also, utilize off-site and/or cloud backups[1] rather than storing everything on a network drive, since many ransomware families are capable of reaching through mapped connections and connected drives to encrypt files outside of the victim HD...
1] http://www.csoonline...ransomware.html
> Option 2: Decryption: ...  If you get hit once, your files are encrypted and there is nothing you can do about it — or so many people think. Thanks to the diligent efforts of our information security community, there are actually many decryptors available online[2]. This software, when matched with the correct ransomware family, can decrypt files for free...
2] https://www.nomoreransom.org/
> Option 3: Negotiate: ... At the end of the day, the bad guys just want to get paid, which means that historically they have been open to negotiating and returning a few files for a smaller amount of profit. To be absolutely clear, I do -not- endorse or support paying cybercriminals the ransom. However, it has to be understood that for some folks, the loss of files would be far more damaging than just paying the ransom fee...
> Conclusion: So there you have it, the three methods, outside of utilizing modern anti-ransomware security software to prevent infection, that can help you recover from a ransomware attack. They might not be absolute solutions, but anything is better than losing valuable data to cybercriminals. Maybe knowing how disappointing the recovery methods are for a ransomware attack will motivate some folks to actually use proactive protection and anti-ransomware technology, which remains the best option for fighting ransomware infection* -not- allowing the malware to encrypt your files in the first place."
* https://www.malwareb...m_medium=social
 



Edited by AplusWebMaster, 11 November 2016 - 02:47 PM.



#1829 AplusWebMaster

Posted 12 November 2016 - 11:24 AM

FYI...

Fake -Blank- SPAM - delivers Locky
- https://myonlinesecu...ped-attachment/
12 Nov 2016 - "... Locky downloader... a blank email with the subject of '18026 sandra' pretending to come from r.gaffney@ mmu. ac.uk with a zip attachment containing -another- zip that eventually extracts to a .JS file that delivers Locky... One of the emails looks like:
From: r.gaffney@ mmu. ac.uk
Date: Thu 01/09/2016 19:22
Subject: 18026 sandra
Attachment: MESSAGE_43437218629_sandra.zip


Body content: completely empty/blank

12 November 2016: MESSAGE_43437218629_sandra.zip: which extracts to ALERT_23367_ZIP.zip which in turn extracts to: ALERT_23367.js - Current Virus total detections 7/54*
Payload Security shows a download of a file from www .parametersnj .top/user.php?f=1.dat which gave user.exe (VirusTotal 3/57**). Payload Security***. C2 107.181.174.34 | 85.143.212.23 | 185.82.217.29 | 107.181.174.34
 all using /message.php...  The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1478957028/

** https://www.virustot...sis/1478957725/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
107.181.174.34
85.143.212.23
185.82.217.29
52.32.150.180
52.222.171.99
35.160.111.237
77.109.131.232

 



Edited by AplusWebMaster, 12 November 2016 - 11:27 AM.

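Added example (not code from this post or from either quoted blog): a Python check for the nested-ZIP trick in the 12 Nov 2016 sample, where MESSAGE_43437218629_sandra.zip held ALERT_23367_ZIP.zip, which held the .js. It walks a ZIP attachment by magic bytes rather than by file name, flags members with script-type extensions, refuses to inflate oversized members, and reports encrypted or unreadable archives it cannot open instead of passing them. The sample archives are built in memory with a placeholder .js, not the real downloader; the extension list and the size and depth limits are my assumptions, not anything from the posts.

```python
# Added example: flag ZIP attachments (including ZIPs nested inside ZIPs)
# that carry script-type members, the shape of the Locky downloaders above.
import io
import os
import zipfile

# Extensions Windows hands to Script Host or the shell on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr", ".lnk"}
MAX_DEPTH = 5                         # stop recursing into nested archives here
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # never inflate anything larger (zip-bomb guard)
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def find_scripts(data: bytes, path: str = "", depth: int = 0) -> list:
    """Return 'outer.zip/inner.zip/member.js'-style paths for every suspicious
    member in `data`. Nested ZIPs are recognised by magic bytes, not by name,
    so an inner archive called 'inner.dat' is still opened."""
    hits = []
    if depth > MAX_DEPTH or not data.startswith(ZIP_MAGIC):
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{path or '<attachment>'} (unreadable ZIP, not inspected)"]
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if os.path.splitext(info.filename.lower())[1] in SCRIPT_EXTENSIONS:
                hits.append(member)
                continue
            if info.flag_bits & 0x1:          # password-protected: cannot look inside
                hits.append(f"{member} (encrypted, not inspected)")
                continue
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            inner = zf.read(info)
            if inner.startswith(ZIP_MAGIC):
                hits.extend(find_scripts(inner, member, depth + 1))
    return hits


def verdict(data: bytes) -> str:
    """Mail-gateway style decision for one attachment body."""
    return "BLOCK" if find_scripts(data) else "ALLOW"


def build_sample(nested: bool = True) -> bytes:
    """Constructed input mirroring the 12 Nov 2016 wave: a ZIP holding a ZIP
    holding a .js. The script body is a placeholder, not the real downloader."""
    js_zip = io.BytesIO()
    with zipfile.ZipFile(js_zip, "w") as z:
        z.writestr("ALERT_23367.js", "// placeholder\n")
    if not nested:
        return js_zip.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("ALERT_23367_ZIP.zip", js_zip.getvalue())
        z.writestr("notes.txt", "benign text\n")
    return outer.getvalue()


def build_benign() -> bytes:
    """Constructed ZIP with only a text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.txt", "nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_scripts(build_sample()), verdict(build_sample()))
    print(find_scripts(build_benign()), verdict(build_benign()))
```

Blocking on the extension of the innermost member is what the "NEVER open any attachment" advice above turns into at a gateway; the encrypted-member branch matters because a password-protected ZIP defeats this inspection entirely and should be held rather than allowed.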


#1830 AplusWebMaster

Posted 15 November 2016 - 06:47 AM

FYI...

Fake 'EFax' SPAM - delivers Trickbot banking Trojan
- https://myonlinesecu...-email-address/
15 Nov 2016 - "An email pretending to be an EFax delivery message with the subject of 'You have recevied a message' pretending to come from Fax Scanner <scanner@ victim domain .tld> with a malicious word doc delivers the latest Trickbot banking Trojan...

Screenshot: https://i1.wp.com/my...=1024,373&ssl=1

15 November 2016: Message efax system-1332.doc - Current Virus total detections 4/54*
Payload Security shows a download from ‘http :// www .tessaban .com/admin/images/ldjslfjsnot.png’ which is renamed by the macro script to wer5.exe and autorun (Payload Security **) (VirusTotal 9/56***)
 tessaban .com (61.19.247.54) has been used for malware spreading for some time now and really needs blocking
[1] [2] [3] [4]... DO NOT follow the advice they give to enable macros or enable editing to see the content...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479191384/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.47.139.102
193.107.111.164
81.177.13.236
185.86.77.224


*** https://www.virustot...sis/1479185920/

1] https://virustotal.c...sis/1479194525/

2] http://95.34.115.158...d=1478197500549
IP: 61.19.247.54

3] https://virustotal.c...sis/1479194687/

4] http://95.34.115.158...d=1479194667714
IP: 61.19.247.54
 





#1831 AplusWebMaster

Posted 16 November 2016 - 07:36 AM

FYI...

Fake 'MoneyGram' SPAM - delivers Java Jacksbot
- https://myonlinesecu...tional-malspam/
16 Nov 2016 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... The email looks like:
From: GGCC Payment Discrepancy <GGCCPaymentDiscrepancy@ gmail .com>
Date: Wed 16/11/2016 06:08
Subject: Second request of Confirmation of payment, ref 3748155
Attachment: REVIEW AND RELEASE TRANSACTION.zip (contains 2 identical java.jar files Branch Spreadsheet.jar and Cash Report.jar)
    Good afternoon,
    We need your assistance in obtaining documents for this transaction.  The customer claims the funds were not received and we are conducting an investigation.  Please provide the following documents:
    Receive documents
    Customers identification (if available)
    Any other information the agent may have
    Attached are the transaction details.
    In order to satisfy the customers claim we must receive the documentation no later than 18th November 2016.  Failure to do so may result in a debit to your account. Please notify us immediately should you encounter any delays.
    *Also be sure to include the reference number in the subject field/body of email to avoid duplicate emails.*
    Thank you,
    Ilona Karamon
    Resolution Assurance Analyst I
    MoneyGram International
    P: 18003285678 ext: 582134
    MoneyGram International
    KBC, Konstruktorska 13
    Warsaw, 02-673 Poland ...


16 November 2016: Branch Spreadsheet.jar (323 kb) - Current Virus total detections 22/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479280071/
___

Fake 'QuickBooks' SPAM - delivers Dridex
- https://myonlinesecu...ndom-companies/
16 Nov 2016 - "... an email with the subject of 'Invoice 00482' from Orrell Filtration Ltd (random companies) with a -link- in the email body to download a zip file that downloads Dridex banking Trojan... which delivers Invoice 00482.zip which extracts to Invoice 00482.js...

Screenshot: https://i2.wp.com/my...=1024,688&ssl=1

16 November 2016: Invoice 00482.zip: Extracts to: Invoice 00482.js - Current Virus total detections 2/54*
Payload Security** shows a download of a file from  www .rtbh.bravepages .com/images/Manual.pdf  which is -not- a pdf but a renamed .exe file which in turn is renamed by the script to GYGMgcC.exe (VirusTotal 10/56***). (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479298844/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
69.27.174.10
45.124.64.220
110.138.108.142
72.249.45.71
216.234.115.137


*** https://www.virustot...sis/1479299700/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
45.124.64.220
110.138.108.142
72.249.45.71
216.234.115.137

___

Fake 'Tax Refund' Phish
- http://blog.dynamoo....nd-service.html
16 Nov 2016 - "Microsoft Office 365 offering a tax refund service? Really? No, of course not, it's a phishing scam..

Screenshot: https://4.bp.blogspo...ice-365-tax.png

The link in the email leads to updatemicrosoftonline .com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the email and the domain name it leads to an HMRC-themed phishing page:
> https://1.bp.blogspo.../hmrc-phish.png
This multi-phish page has -twelve- UK banks set up on it:
Barclays, Halifax, HSBC, Lloyds Bank, NatWest, Royal Bank of Scotland, Santander, TSB, Metro Bank, Clydesdale Bank, The Co-Operative Bank, Tesco Bank..
Clicking on any of the links goes to a pretty convincing looking phish page, personalised for each bank and carefully extracting all the information they need for account theft. The screenshots below are the sequence if you choose TSB bank:
> https://4.bp.blogspo...tsb-phish-1.png
(More examples shown at the 1st dynamoo URL at the top.)
... Once you have entered all the information, the process appears to -fail- and you are directed to a genuine HMRC site instead. A list of sites found in 89.248.168.0/24 can be found... I suggest that the entire network range looks questionable and should be -blocked-."
___

'Mega' attacks on the Rise
- http://fortune.com/2...ai-ddos-report/
Nov 15, 2016 - "... hackers knocking websites offline with massive floods of Internet traffic is nothing new. But the pattern of these so-called DDoS attacks (for “distributed denial of service”) is changing, according to a new report* from internet provider Akamai...
* https://content.akam...oti-report.html
... the overall number of DDoS attacks has not risen significantly in 2016, but that the force of these attacks is increasing. Akamai says it confronted 19 “mega attacks” in the third quarter of this year, including the two biggest it has ever encountered in history... The prime targets for the -19- “mega” attacks, which Akamai defines as those that reach over 100 Gbps, were media and entertainment companies, though gaming and software firms were also hit. The two record-breaking attacks, reaching 623 Gbps and 555 Gbps, were directed at security blogger Brian Krebs. The attacks succeeded in taking down Krebs’ website until Jigsaw, a unit of Google’s parent company Alphabet... deployed its Project Shield service to deflect the attack. The reason for this recent surge in mega attacks is tied to security defects in the 'Internet of things'. This involves hackers taking over millions of everyday devices connected to the Internet — especially DVRs, security cameras and home routers — and conscripting them to be part of a botnet army, known as Mirai. Mirai gained widespread notoriety in October, after hackers briefly used it to obstruct consumers’ access to popular sites like Amazon and Twitter, and many of the devices under its control are still compromised. As Akamai suggests, the 'Internet of Things' problem may just be beginning..."
 



Edited by AplusWebMaster, 16 November 2016 - 12:23 PM.



#1832 AplusWebMaster

Posted 17 November 2016 - 07:18 AM

FYI...

Fake 'Sage Invoice' SPAM - delivers Trickbot
- https://myonlinesecu...tdated-invoice/
17 Nov 2016 - "An email with the subject of ' pretending to come from 'Sage Invoice' with a malicious word doc delivers  Trickbot banking Trojan... sageinvoices .com / sage-invoice .com /sage-invoices .com are all newly created -yesterday- ... domains sending these emails include:
Sage Invoice <service@ sage-invoices .com>
Sage Invoice <service@ sage-invoice .com>
Sage Invoice <service@ sageinvoice .com> ...

Screenshot: https://i0.wp.com/my...=1024,689&ssl=1

17 November 2016: SageInvoice.doc - Current Virus total detections 3/54*
Payload Security** shows a download from http ://delexdart .com/images/gfjfgklmslifdsfnln.png which is not a png file but a renamed .exe file which is renamed by the macro to scsadmin.exe and auto run using PowerShell (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479380615/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
182.50.132.43
78.47.139.102
193.107.111.164
81.177.13.236
185.86.77.224


*** https://www.virustot...sis/1479381072/

sage-invoices .com: 50.63.202.56: https://www.virustot...56/information/
sage-invoice .com: 184.168.221.34: https://www.virustot...34/information/
sageinvoice .com: 50.63.202.34: https://www.virustot...34/information/
//

- http://blog.dynamoo....ervicesage.html
17 Nov 2016 - "This -fake- financial spam leads to Trickbot banking trojan...

Screenshot: https://3.bp.blogspo...ge-trickbot.png

Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54*. Hybrid Analysis** shows malicious network traffic to:
substan.merahost .ru/petrov.bin [185.86.77.224] (Mulgin Alexander Sergeevich aka gmhost .com.ua, Ukraine)
A malicious file scsnsys.exe is dropped with a detection rate of 8/53***.
The domain sage-invoices .com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication... I recommend that you -block- traffic from that domain or check your filters to see who may have it.
Recommended blocklist:
sage-invoices .com
185.86.77.0/24
"
* https://virustotal.c...a0369/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
61.19.247.54
78.47.139.102
193.107.111.164
81.177.13.236
185.86.77.224


*** https://virustotal.c...b4f91/analysis/
___

Fake 'Please check' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
17 Nov 2016 - "... an email with the subject of 'Please check the information-3878358' (random numbers) pretending to come from random names at your-own-email-domain that tries to deliver Trickbot banking Trojan... tessaban .com (61.19.247.54) has been used for malware spreading for some time now and really needs blocking [1]...
1] https://virustotal.c...sis/1479194525/
One of the emails looks like:
From: Brigitte Guidry <Brigitte.Guidry@ victim domain .tld >
Date: Thu 17/11/2016 02:48
Subject: Please check the information-3878358
Attachment: invoice_2222.zip
    Hi,
    I have attached an invoice-4654 for you.
    Regards,
    Brigitte Guidry


17 November 2016: invoice_2222.zip: Extracts to: invoice_1711.js - Current Virus total detections 2/54*
MALWR** shows an attempted download of a file from http ://www .tessaban .com/admin/images/ospspps.png   currently giving a 404 not found which should be renamed by the script to an .exe file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479370770/

** https://malwr.com/an...jk0ZmZiNWQxYzI/
Hosts
61.19.247.54: https://www.virustot...54/information/
> https://virustotal.c...4077a/analysis/
___

Fake AMEX Phish
- https://myonlinesecu...press-phishing/
17 Nov 2016 - "... The subject is 'Please activate your Personal Security Key' coming from American Express
<welcome@ amex-mails .com>. Additional sending addresses so far found include:
 Amex-mails .com | amexmails .com | amex-emails .com | amexmails .com
were -all- registered -today- by surprise, surprise: Godaddy .com. They currently do not have an IP number associated with them. When they were received, the emails came from:
172.99.87.130 - San Antonio Texas US AS27357 Rackspace Hosting ...
The weird thing is the emails appear -blank- when opened in Outlook, but using view source I can see the email in its full glory, including the links-to-click to get to the-phishing-site... A screenshot of the html is:
> https://i1.wp.com/my...t=678,913&ssl=1
Alternative links in emails go to:
 http :// amexsafekeys .com | http ://americanexpressafekey .com | http ://amex-mails .com  
| http:// amexmails .com
aexpsafekeys .com was registered -yesterday- 16 November 2016 and hosted on these IP addresses:
 95.163.127.249 | 188.227.18.142 which look like they belong to a -Russian- network.
 http ://amexsafekeys .com was also registered -yesterday- by the same Russian name and hosted on same IP addresses: 188.227.18.142 | 95.163.127.249
 http ://americanexpressafekey .com also registered -yesterday- same IP addresses. Following the link to aexpsafekeys .com, you get a typical phishing page like this, where they want all the usual information about you, your family and bank/credit cards etc.:
> https://i2.wp.com/my...=1024,603&ssl=1 "

95.163.127.249: https://www.virustot...49/information/
> https://www.virustot...c2a5d/analysis/
188.227.18.142: https://www.virustot...42/information/
> https://www.virustot...c2a5d/analysis/

104.168.87.178: https://www.virustot...78/information/
> https://www.virustot...c2a5d/analysis/
 



Edited by AplusWebMaster, 17 November 2016 - 05:27 PM.

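Added example, not code from this post or from the quoted blogs: the Sage Invoice and QuickBooks downloads above both fetch a Windows executable under a harmless-looking name (gfjfgklmslifdsfnln.png, Manual.pdf). This Python check compares a file's leading bytes with what its extension promises, and treats anything carrying an MS-DOS 'MZ' stub whose e_lfanew field points at a 'PE\0\0' signature as an executable whatever it is called. The magic table, the category names, and the constructed headers in SAMPLE_DOWNLOADS are my assumptions; the stub built by fake_pe() is just enough header to exercise the check and is not a runnable program.

```python
# Added example: tell a real PNG/PDF from a renamed Windows executable.
import os

# Leading bytes a file must carry to really be the type its name claims (assumed table).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
}
NATIVE_EXE = {".exe", ".dll", ".scr", ".sys"}   # names under which a PE is expected


def is_pe(data: bytes) -> bool:
    """True when `data` has an MS-DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. it is a Windows executable or DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """'pe-disguised': executable served under a non-executable name
       'mismatch'    : known extension, content does not match its magic
       'ok'          : content agrees with the name
       'unknown'     : extension not in MAGIC, nothing to compare against"""
    ext = os.path.splitext(name.lower())[1]
    if is_pe(data):
        return "ok" if ext in NATIVE_EXE else "pe-disguised"
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown"
    return "ok" if data.startswith(expected) else "mismatch"


def suspicious(downloads: dict) -> list:
    """Names from a {name: bytes} map that a proxy should hold for review."""
    return sorted(n for n, d in downloads.items()
                  if classify(n, d) in ("pe-disguised", "mismatch"))


def fake_pe() -> bytes:
    """Constructed minimal PE header: 'MZ' stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40.
    Only the fields is_pe() inspects are present; this is not an executable."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


SAMPLE_DOWNLOADS = {                        # constructed; names echo the campaigns above
    "gfjfgklmslifdsfnln.png": fake_pe(),    # executable served as an image
    "Manual.pdf": fake_pe(),                # executable served as a PDF
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "scsadmin.exe": fake_pe(),              # executable named as one: consistent
}

if __name__ == "__main__":
    for name, body in SAMPLE_DOWNLOADS.items():
        print(f"{name:26} {classify(name, body)}")
    print("hold:", suspicious(SAMPLE_DOWNLOADS))
```

The check is deliberately on the response body, not the Content-Type header or the URL, because the macro in these campaigns ignores both and simply writes whatever it fetched to an .exe and runs it.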


#1833 AplusWebMaster

Posted 18 November 2016 - 05:46 AM

FYI...

Fake 'Western Union' SPAM - delivers jacksbot Trojan
- https://myonlinesecu...g-limit-breach/
18 Nov 2016 - "... an email with the subject of 'FINAL WARNING FOR SENDING LIMIT BREACH' pretending to come from Western Union – Agent Support Team <emeagentsupports.westernunion@ gmail .com> delivers java Adwind / Java Jacksbot...

Screenshot: https://i0.wp.com/my...=1024,624&ssl=1

18 November 2016: Exceeded Limit Spreadsheet.exe - Current Virus total detections 15/57*
Payload Security** shows lots of files being dropped/extracted from this file which is renamed by itself to winlogin.exe and in turn drops a multitude of identical xml files and a java.jar file which is Java Jacksbot (VirusTotal 23/56***)... All 3 links (there is one behind the image) go to:
 http ://webkamagi .com/admin/images/Send Limit Exceeded.html where you see this screenshot that starts off with a circle and the words scanning and ends up looking like this that auto-downloads a file from:
  http ://gicfamily .org/admin/file/Exceeded%20Limit%20Spreadsheet.exe (if for some reason it doesn’t auto-download then the download button delivers the malware):
> https://i1.wp.com/my...png?w=863&ssl=1
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479432563/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.107.152.224

*** https://www.virustot...sis/1479453441/
___

Ransomware hits record levels
- https://www.helpnets...-record-levels/
Nov 18, 2016 - "The amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 up from 92 percent in Q1:
> https://www.helpnets...me-112016-1.jpg
PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016 that have come to full fruition in the last few months:
Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity.
Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities. Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time. During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, showing a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly-identified file type during the third quarter, with threat actors constantly evolving the ransomware to focus on keeping this malware’s delivery process as effective as possible...
> https://www.helpnets...me-112016-2.jpg
While ransomware dominates the headlines, PhishMe’s Q3 Malware Review reveals that other forms of malicious software delivered using remote access Trojans, keyloggers and botnets still represent a significant hazard in 2016. Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns..."
> http://phishme.com/2...malware-review/
 



Edited by AplusWebMaster, 18 November 2016 - 06:21 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1834 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,563 posts

Posted 21 November 2016 - 07:33 AM

FYI...

Fake 'Spam mailout' SPAM - delivers Locky
- https://myonlinesecu...-notifications/
21 Nov 2016 - "... Locky downloader... an email pretending to come from an ISP, saying that you have been sending spam with the subject of 'Spam mailout' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the form of logs_recipients name.zip... Locky has changed the encrypted file extension to .aesir - See:
- https://myonlinesecu...nged-c2-format/
"... Locky has changed the encrypted file extension to .aesir as well as the C2 to “/information.cgi”. I am also informed there is a slight change to the name of the ransomware notification file that they drop on your desktop. It appears to now be _[number]-INSTRUCTION.html "
One of the emails looks like:
From: Lula Mcmahon <Mcmahon.Lula@ mtsallstream .net>
Date:Mon 21/11/2016 07:37
Subject: Spam mailout
Attachment: logs_hajighasem1c.zip
    Dear hajighasem1c
    We’ve been receiving spam mailout from your address recently.
    Contents and logging of such messages are in the attachment.
    Please look into it and contact us.
    Best Regards,
    Lula Mcmahon
    ISP Support ...


21 November 2016: logs_hajighasem1c.zip: Extracts to: M9JJW0NTAD20O3-D53D73LEXZG60.js
Current Virus total detections 6/55*. Payload Security** and MALWR*** shows a download of an encrypted file from:
  iproaction .com/utg8md which is renamed by the script to 2INuijvClpaC.dll (VirusTotal 6/57[4]). C2 have changed in these & they now post to 46.8.29.175 /information.cgi. Other C2's in the Payload security report...
... difficult to see the changed extension to .aesir until you look at:
- https://www.hybrid-a...vironmentId=100
 and scroll down to Installation/Persistence and then dropped files...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479717501/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://malwr.com/an...DE0ZTdkZmYyY2U/
Hosts
194.28.173.247

4] https://www.virustot...sis/1479718456/
___

Fake 'Amazon' SPAM - delivers Locky
- https://myonlinesecu...has-dispatched/
21 Nov 2016 - "... email with the subject of 'Your Amazon .com order has dispatched (#713-7377848-7745100)' (random numbers) pretending to come from Amazon Inc <auto-shipping4@ amazon .com> with a zip attachment matching the subject. It looks like -Locky has- changed the encrypted file extension to .aesir as well as the C2 to “/information.cgi”... One of the emails looks like:
From: Amazon Inc <auto-shipping4 @amazon .com>
Date: Mon 21/11/2016 09:40
Subject: Your Amazon .com order has dispatched (#713-7377848-7745100)
Attachment: ORDER-713-7377848-7745100.zip
    Dear Customer,
    Greetings from Amazon .com,
    We are writing to let you know that the following item has been sent using Royal Mail.
    For more information about delivery estimates and any open orders, please visit...
    Your order #713-7377848-7745100 (received November 20, 2016)
    Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.
    Thank you for shopping at Amazon .com ...


21 November 2016: ORDER-713-7377848-7745100.zip: Extracts to: KBDGUB350132.js
Current Virus total detections 11/55*. MALWR** shows a download of an encrypted file from
  http ://jmltda .cl/hfvg623?wCTlMeE=wCTlMeE which is renamed by the script to wCTlMeE1.dll (VirusTotal 9/57***).
C2 are http :// 89.108.73.124 /information.cgi | http :// 91.211.119.98 /information.cgi | http ://185.75.46.73 /information.cgi.
Payload Security [4] shows the same... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479721475/

** https://malwr.com/an...jdiMGRlMWMzZjY/
Hosts
186.103.213.249
91.211.119.98
185.75.46.73
89.108.73.124


*** https://www.virustot...sis/1479721490/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'LogMein' SPAM - leads to Hancitor/Vawtrak
- http://blog.dynamoo....logmeincom.html
21 Nov 2016 - "This -fake- financial spam leads to malware:
    From:    billing@ secure-lgm .com
    Date:    21 November 2016 at 18:35
    Subject:    Your LogMein.com subscription has expired!
    Dear client,
    You are receiving this message because your subscription for LogMeIn Central has expired.
    We were not able to charge you with the due amount because your credit card was declined.
    You can download the bill directly from the LogMeIn website ...
    Please use another credit card or payment method in order to avoid complete service interruption.
    Event type: Credit Card Declined
    Account email: [redacted] .com
    At: 21/11/2016...
    © LogMeIn Inc


The link in the email actually goes to a page at reg .vn /en/view_bill.php?id=encoded-email-address (where the last part is the email address in Base 64 encoding). It downloads a malicious document lgm_bill69290.doc with a current detection rate of 8/55*. Automated analysis [1] [2] shows malicious network traffic... A malicious executable is dropped with a detection rate of 7/57**. The payload appears to be Hancitor/Vawtrak. The domain secure-lgm .com appears to have been created for the purposes of sending the email... probably fake WHOIS details...
Recommended blocklist:
95.215.111.222
newaronma .com
libinvestusa .com
"
* https://www.virustot...a83ac/analysis/

1] https://malwr.com/an...DNhNTQ1ZGM4YmQ/
Hosts
95.215.111.222
54.197.251.22
69.89.31.104


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
95.215.111.222
54.235.212.238
69.89.31.104


** https://www.virustot...47dbe/analysis/
inst.exe
___

Something evil on 64.20.51.16/29...
- http://blog.dynamoo....9-customer.html
21 Nov 2016 - "I wrote about this evil network on 64.20.51.16/29 (a customer of Interserver, Inc) over a year ago*, identifying it as a hotbed of fraud. Usually these bad networks don't hang around for very long, but in this case it seems to be -very- persistent. This time it came to notice from a terse spam with a PDF attached:
    From:    Lisa Liang [ineedu98@ hanmail .net]
    To:    me@ yahoo .com
    Date:    20 November 2016 at 23:23
    Subject:    11/21/2016 Amended
    FYI


Attached is a file Amended copy.pdf which when you open it (-not- recommended) looks blurry with "VIEW" in big red letters... The link-in-the-email goes to bit .ly/2fJbyol - if you put the "+" on the end of a Bitly link then you can see the number of -clickthroughs- and what the landing page is (www .serviceupgrade .tech/pdf.php in this case)... Clicking through gives you a login page for "Adobe PDF Online" which is of course a generic -phishing- page... Analysis of the 64.20.51.16/29 range finds -193- sites historically connected with it marked as being -phishing- or some other -malicious- activity. There are at least -284- sites currently within that range, of which the following are -both- hosted in that range currently and are malicious... 11% of the total sites in the range have been tagged by SURBL or Google as being -bad- and to be honest there are probably a LOT more but those services haven't caught up yet. In any case, there seems to be nothing of value in 64.20.51.16/29 and I strongly recommend that you -block- traffic to the entire range."
* http://blog.dynamoo....server-inc.html

i.e.: serviceupgrade .tech: 64.20.51.22: https://www.virustot...22/information/
>> https://www.virustot...e6402/analysis/
 



Edited by AplusWebMaster, 21 November 2016 - 05:25 PM.



#1835 AplusWebMaster


Posted 22 November 2016 - 05:54 AM

FYI...

Fake 'Delivery status' SPAM - delivers Locky
- https://myonlinesecu...status-malspam/
22 Nov 2016 - "... Locky downloader... an email with the subject of 'Delivery status' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of document_recipients name .zip... One of the emails looks like:
From: Jocelyn Sears <Sears.Jocelyn@ teklinks .net>
Date: Tue 22/11/2016 07:20
Subject: Delivery status
Attachment: document_mrilw.zip
    Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
    In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.


22 November 2016: document_mrilw.zip: Extracts to: R9SZO3SDB89J399GW52V80-N2AXBG71NVG2XT.js
Current Virus total detections 10/55*. MALWR** shows a download of a file from
  http ://sadhekoala .com/lvqh1 which is converted by the script to 7wYxQEPdqwq.dll (VirusTotal 5/56***).
Payload Security [4]...  The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479802918/

** https://malwr.com/an...jAxOWVkMDMyNzk/
Hosts
67.171.65.64

*** https://www.virustot...sis/1479803154/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts


- http://blog.dynamoo....s-leads-to.html
22 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject:     Delivery status
    From:     Gilbert Hancock
    Date:     Tuesday, 22 November 2016, 8:51
    Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
    In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.


In the sample I analysed there was an attachment named document_recipientname.zip (i.e. the first part of the recipient's email address was in the name), containing a malicious javascript with a random name. This particular script (and there are probably many others) attempts to download a component... According to this Malwr analysis*, a malicious DLL is dropped with an MD5 of ebf03567c2a907705a026ff0821d8e63 and a detection rate of 6/55**. The Hybrid Analysis*** reveals the following C2 locations:
91.201.202.130 /information.cgi [hostname: dominfo.dp .ua] (FLP Anoprienko Artem Arkadevich aka host-ua .com, Ukraine)
95.213.186.93 /information.cgi [hostname: djaksa.airplexalator .com] (Selectel, Russia)
188.120.250.138 /information.cgi [hostname: olezhkakovtonyuk.fvds .ru] (TheFirst-RU, Russia)
213.32.66.16 /information.cgi (OVH, France)
For those Russian and Ukrainian networks I would be tempted to block the entire /24 at least, but this is my minimum recommended blocklist:
91.201.202.130
95.213.186.93
188.120.250.138
213.32.66.16
"
* https://malwr.com/an...TIzNTQ4NTgzZDA/
Hosts
187.45.240.4

** https://virustotal.c...sis/1479806600/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Invoice' SPAM - delivers Locky
- http://blog.dynamoo....rom-random.html
22 Nov 2016 - "This -fake- financial spam appears to come from a random sender in the victim's-own-domain, but this is just a simple forgery. The payload is Locky ransomware.
    Subject:     Invoice 5639438
    From:     random sender (random.sender@ victimdomain .tld)
    Date:     Tuesday, 22 November 2016, 8:43
    Attached is the document 'Invoice 5639438'.


The reference number varies from email to email, but is consistent in the subject, body and the name of the attachment (e.g. Invoice 5639438.zip). This ZIP file contains a malicious WSF script (e.g. Invoice 7868933153.wsf)... According to the Malwr analysis*, that script downloads from:
manage .parafx .com/98y4h?AdIXigNCmu=UdJVux
There are no doubt many other locations. That same analysis shows a DLL being dropped with an MD5 of de5d8250edf98262f335cd87fe6f6740 and a detection rate of 9/56**. The Hybrid Analysis*** of the same sample shows the malware contacting the following C2 locations:
89.108.73.124 /information.cgi (Agava, Russia)
91.211.119.98 /information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)
94.242.55.81 /information.cgi (RNet, Russia)
Recommended blocklist:
89.108.73.0/24
91.211.119.98
94.242.55.81
"
* https://malwr.com/an...zk5YmRkZTQ1YmE/
Hosts
69.57.3.3
91.211.119.98


** https://virustotal.c...a1ba1/analysis/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Documents Requested' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
22 Nov 2016 - "... Locky downloader... an email with the subject of 'Documents Requested' pretending to come from random names at your-own-email-domain... One of the emails looks like:
From: Darlene <Darlene2@ victim domain .uk>
Date: Tue 22/11/2016 11:26
Subject: Documents Requested
Attachment: doc(598).zip
    Dear [redacted]
    Please find attached documents as requested.
    Best Regards,
    Darlene


22 November 2016: doc(598).zip: Extracts to: 9932613_EUZCK_6312135.wsf - Current Virus total detections 12/53*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479814057/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'tax bill' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-aesir/
22 Nov 2016 - "... Locky downloader... an email pretending to be a tax bill with the subject of 'Please note' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of tax_recipients name.zip... One of the emails looks like:
From: Lance Barron <Barron.Lance@ dramaticallybetterhealth .com>
Date: Tue 22/11/2016 17:41
Subject: Please note
Attachment: tax_goal.zip
    Dear goal
    Your tax bill debt due date is today . Please fulfill the debt.
    All the information and payment instructions can be found in the attached document.
    Best Wishes,
    Lance Barron
    Tax Collector ...


22 November 2016: tax_goal.zip: Extracts to: 6WMK287O33R4XN6.js - Current Virus total detections 6/55*
MALWR** shows a download of an encrypted file from:
 http ://govorokhm .ru/huz9ex2sd8 which is converted by the script to xHVh9Aflvj4.dll (VirusTotal 9/57***)
Payload Security [4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479836521/

** https://malwr.com/an...jAxOWVkMDMyNzk/
Hosts
67.171.65.64

*** https://www.virustot...sis/1479839432/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'DocuSign' SPAM - delivers ASN1 ransomware
- https://myonlinesecu...sn1-ransomware/
21 Nov 2016 - "An email with the subject of 'You have a new Encrypted Document' pretending to come from DocuSign <service@ docusigndocuments .com> with a malicious macro-enabled Word doc that tries to download ASN1 ransomware... These do -not- come from the genuine DocuSign company. docusigndocuments .com and the other domains listed have been registered -today- and hosted at Godaddy .com with what are probably -fake- details...
The three domains and sending email addresses also used in this malspam ransomware attempt are:
    DocuSign <service@ DOCUSIGN-DOCUMENT .COM>
    DocuSign <service@ docusigndocument .com>
    DocuSign <service@ docusigndocuments .com> ...

Screenshot: https://i0.wp.com/my...=1024,560&ssl=1

The enclosed word doc looks like:
> https://i0.wp.com/my...=1024,911&ssl=1

21 November 2016: EncryptedDocument.doc - Current Virus total detections 18/54*
Both MALWR** & Payload Security*** show it tries to download
 http ://majesticbrass .com/1061911a3e0a74827a76bbd7bfe16d20.exe which is currently giving a 404 not found. This site was used in a similar ransomware attack at the end of last week[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479766715/

** https://malwr.com/an...jMyNjFhYWFkN2I/
Hosts
64.176.31.64
184.51.0.241


*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
64.176.31.64

4] https://myonlinesecu...cument-malspam/

64.176.31.64: https://www.virustot...64/information/
> https://www.virustot...45cb0/analysis/
2016-11-22
 



Edited by AplusWebMaster, 22 November 2016 - 02:28 PM.



#1836 AplusWebMaster


Posted 23 November 2016 - 06:25 AM

FYI...

Fake 'Pay Attention' SPAM - leads to Locky
- http://blog.dynamoo....tion-leads.html
23 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject:     Please Pay Attention
    From:     Bill Rivera
    Date:     Wednesday, 23 November 2016, 9:45
    Dear [redacted], we have received your payment but the amount was not full.
    Probably, this occurred due to taxes we take from the amount.
    All the details are in the attachment - please check it out.


The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning lastpayment_ followed by the first part of the recipient's email address. This archive contains a randomly-named malicious .JS script... According to this Malwr report* a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56**. The Hybrid Analysis*** clearly shows the ransomware in action and shows it communicating with the following URLs:
95.213.186.93 /information.cgi [hostname: djaksa.airplexalator .com] (Selectel, Russia)
195.123.209.8 /information.cgi [hostname: kostya234.itldc-customer .net] (Layer6, Latvia)
213.32.66.16 /information.cgi (OVH, France)
Recommended blocklist:
95.213.186.93
195.123.209.8
213.32.66.16
"
* https://malwr.com/an...WMwN2UyMTMzYWQ/
Hosts
31.204.153.171

** https://virustotal.c...sis/1479896120/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts


- https://myonlinesecu...delivers-locky/
23 Nov 2016 - "... Locky downloader... an email pretending to tell you that you haven’t paid the full amount, with the subject of 'Please Pay Attention' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of lastpayment_recipient name.zip... One of the emails looks like:
From: Gabriela Diaz <Diaz.Gabriela@ deepredmedia .com>
Date: Wed 23/11/2016 08:27
Subject:  Please Pay Attention
Attachment: lastpayment_lickit.zip
    Dear lickit, we have received your payment but the amount was not full.
    Probably, this occurred due to taxes we take from the amount.
    All the details are in the attachment – please check it out.


23 November 2016: payment_history_64b96be.zip: Extracts to: 2BE46B4PX7ZU28.js
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from
 http ://risewh .com/pg31nkp which is renamed by the script to W0heF8ZofNrqpj9Z .dll (VirusTotal 5/56***). Payload Security[4]...
Other download sites include:
risewh .com/pg31nkp
jinxlaze .com/rysuuttn
naturalnepodlogi .cba .pl/utnnyduqa
offerrat .com/12mi44q
pineysprat .com/zqdjx ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479894064/

** https://malwr.com/an...TUyNTU3YTE3MzQ/
Hosts
202.103.25.79

*** https://www.virustot...sis/1479894314/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Bill' SPAM - delivers more Locky
- https://myonlinesecu...ven-more-locky/
23 Nov 2016 - "... Locky downloader... a -blank/empty- email with the subject of 'Bill-85548' (random numbers) pretending to come from random names at your-own-email-address/company or domain with a totally random numbered zip attachment... One of the emails looks like:
From: paris hymer <paris.hymer@ victim domain .co .uk>
Date: Thu 01/09/2016 19:22
Subject: paris hymer ...
Attachment: 7c8b9b79dd4ef599dd5d0c6db9b2d530.zip


Body content: totally blank

23 November 2016: 7c8b9b79dd4ef599dd5d0c6db9b2d530.zip: Extracts to: qivrlftajqpvl4kfverdv6vu8ecbwdxe.js
Current Virus total detections 10/55*. MALWR** shows a download of an encrypted file from
  http ://parenclub-devilsenangels .nl/08yhrf3?ELghUu=ELghUu which is converted by the script to ELghUu1.dll (VirusTotal 8/55***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479893531/

** https://malwr.com/an...zFjMzYyZGI5YTI/
Hosts
195.211.74.100
94.242.55.81
80.87.202.49


*** https://www.virustot...sis/1479895272/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.211.74.100
80.87.202.49
94.242.55.81
95.46.114.205


- http://blog.dynamoo....ictims-own.html
23 Nov 2016 - "This spam has no-body-text and appears to come from within the sender's-own-domain. It leads to Locky ransomware. For example:
    From:    julia newenham [julia.newenham@ victimdomain .tld]
    Date:    23 November 2016 at 10:44
    Subject:    Bill-76137


There is a randomly-named ZIP (e.g. 589af1aa1aaf4cb9ce571fced687b8ac.zip) containing a randomly-named malicious javascript... A malicious DLL is dropped with an MD5 of 4e207b30c5eae01fa136f3d89d59bbbe and a detection rate of 9/56*. The malware then communicates with:
80.87.202.49 /information.cgi (JSC Server, Russia)
94.242.55.81 /information.cgi (RNet, Russia)
95.46.114.205 /information.cgi (PE Gornostay Mikhailo Ivanovich aka time-host .net, Ukraine)
Recommended blocklist:
80.87.202.49
94.242.55.81
95.46.114.205
"
* https://virustotal.c...b3d0c/analysis/
___

Fake 'Scanned Documents' SPAM - delivers Trickbot
- https://myonlinesecu...ddress-malspam/
23 Nov 2016 - "An email with the subject of 'Scanned Documents' pretending to come from HP Digital Device <HP_Printer@ victim domain .tld> with a malicious macro-enabled Word doc that delivers Trickbot banking Trojan...
The email looks like:
From: HP Digital Device <HP_Printer@ victim domain .tld>
Date: Wed 23/11/2016 04:27
Subject: Scanned Documents
Attachment: Scan552.doc
    Please open the attached document.
    This document was digitally sent to you using an HP Digital Sending device.
    This email has been scanned for viruses and spam.


23 November 2016: Scan552.doc - Current Virus total detections 11/51*
Payload Security** shows downloads from http ://wingsbiotech .com/images/kjcoiejceiwejf.png
 which is -not- an image file but a renamed .exe that the macro renames to newfle.exe and autoruns (VirusTotal 12/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479879729/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...sis/1479882669/
___

Fake 'LETTER' SPAM - delivers Locky
- https://myonlinesecu...ng-locky-aesir/
23 Nov 2015 - "... Locky downloader... an email with the subject of 'Emailing: LETTER 5.pdf' (random numbers) pretending to come from random names at your-own-email-domain... One of the emails looks like:
From: queen <queen.gaffney@ victim domain .tld >
Date: Wed 23/11/2016 13:39
Subject: Emailing: LETTER 5.pdf
Attachment: LETTER 5.zip
    Please find attachment.
    —
    This email has been checked for viruses by Avast antivirus software.


23 November 2016: LETTER 5.zip: Extracts to: fnpqatfwistcg4r3ccoanyajwkqjlgq7.js
Current Virus total detections 13/55*... Payload Security** shows a download of an encrypted file from
  http ://paulking .it/08yhrf3?yRLXgsuxJ=yRLXgsuxJ which is converted by the script to yRLXgsuxJ1.dll (VirusTotal 7/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479908406/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...sis/1479909224/
___

Fake 'subpoena' SPAM - leads to malware
- http://blog.dynamoo....s-subpoena.html
23 Nov 2016 - "This spam purports to come from Michael T Diver who is a real Oklahoma attorney, but it doesn't really and is just a simple forgery:
    From:    MICHAEL T. DIVER [michael -at- lawfirmofoklahoma .com]
    Date:    23 November 2016 at 15:24
    Subject:    RE:RE: financial records subpoena
    See you in court !!!
    Subpoena for server
    Thank you,
    MICHAEL T. DIVER ...


The telephone number and also potentially the email address are genuine, but they are certainly not being sent from this law firm. The link-in-the-email goes to a legitimate but -hacked- Vietnamese site at techsmart .vn/backup2/get.php?id=[base64-encoded-part] (the last bit is a Base 64 representation of the victim's email address). In testing the payload site was -down- but previous emails of this type have led to the Vawtrak banking trojan."

techsmart .vn: 103.18.6.140: https://www.virustot...40/information/
___

Fake 'Payment confirmation' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-aesir/
23 Nov 2016 - "... Locky downloader... an email with the subject of 'Payment confirmation 7477' (random numbers) pretending to come from Standard Bank <ibsupport@ standardbank .co .za>...

 

Screenshot: https://i1.wp.com/my...=1024,716&ssl=1

23 November 2016: PaymentConfirmation7477.zip: Extracts to: wbxz7lyfob8mwyygqstzfffj7aere8wz.js
Current Virus total detections 13/54*. MALWR** shows a download of an encrypted file from
  http ://rdyy .cn/08yhrf3?OYxgQhzazR=OYxgQhzazR which is converted by the script to OYxgQhzazR1.dll (VirusTotal 12/56***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479919853/

** https://malwr.com/an...TIxMTA5MzViNGQ/
Hosts
103.28.44.206
82.146.32.92
91.107.107.165
95.46.114.205


*** https://www.virustot...sis/1479919518/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
103.28.44.206
91.107.107.165
82.146.32.92
95.46.114.205

___

Fake 'Attention Required' SPAM - delivers Locky
- https://myonlinesecu...re-locky-today/
23 Nov 2016 - "... Locky malware... with the subject of 'Attention Required' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of receipt_recipient.name.zip... One of the emails looks like:
From: Angela Holmes <Holmes.Angela@ murilobertini .com>
Date: Wed 23/11/2016 16:14
Subject: Attention Required
Attachment: receipt_xerox.805.zip
    Dear xerox.805, our HR Department told us they haven’t received the receipt you’d promised to send them.
    Fines may apply from the third party. We are sending you the details in the attachment.
    Please check it out when possible.


23 November 2016: receipt_xerox.805.zip: Extracts to: Z8B105E8IK89A9HX.js - Current Virus total detections 15/55*
MALWR** shows a download of a file from http ://orantpamir .net/el3w488r9 which is converted by the script to fWk6epu1.dll (VirusTotal 9/57***). Payload Security[4]...
Manual analysis shows these download locations
orantpamir .net/el3w488r9
oimeferio .net/sl60vci
websdns .com/k0ais
gigabothosting .com/kiltoonxqa
gpsfiles .nl/lywk0py
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1479921317/

** https://malwr.com/an...GQ1YTg0NTA1NjI/
Hosts
67.171.65.64

*** https://www.virustot...sis/1479921871/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

 



Edited by AplusWebMaster, 23 November 2016 - 04:32 PM.

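As an added defender-side example (my code, not from the forum posts or the blogs they quote), here are the two triage checks these reports call for: a downloaded file saved under a non-executable extension that is really a PE image (the renamed .png in the 'Scanned Documents' Trickbot post above, and the .tdb renaming described in the next post), and proxy-log POSTs to a bare IP on /information.cgi, the Locky C2 path that recurs in the posts above. The proxy log format, client addresses and the minimal PE header are constructed; the two C2 addresses in the sample log are taken from the posts.

```python
# Added example: PE-by-magic check and Locky-style C2 detection over proxy logs.
import os
import re
import struct
from collections import defaultdict

# Extensions under which a PE image is expected; a PE header under anything else
# (e.g. .png, .tdb) is the disguise described in the posts.
EXPECTED_PE_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"}


def is_pe_file(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew must point past the DOS header and stay inside the buffer.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_disguised_pe(filename: str, data: bytes) -> bool:
    """Flag a PE image stored under a non-executable extension."""
    ext = os.path.splitext(filename)[1].lower()
    return is_pe_file(data) and ext not in EXPECTED_PE_EXTS


# Constructed minimal PE-like header: 'MZ', padding, e_lfanew = 0x40, 'PE\0\0'.
# Not a runnable binary, just enough header to exercise the check.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 20
# Constructed PNG signature followed by filler, to show a genuine image passes.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

# Constructed proxy log line format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# The C2 pattern noted in the posts: a POST to /information.cgi on a bare IPv4 host.
BARE_IP_INFORMATION_CGI = re.compile(
    r"^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/information\.cgi$"
)

# Constructed sample log; the two bare-IP C2 hosts are the ones named in the posts.
SAMPLE_PROXY_LOG = [
    "2016-11-23T09:46:02Z 10.0.0.15 POST http://213.32.66.16/information.cgi 200",
    "2016-11-23T09:46:05Z 10.0.0.15 POST http://95.213.186.93/information.cgi 200",
    "2016-11-23T09:47:10Z 10.0.0.22 GET http://intranet.example.test/information.cgi 200",
    "2016-11-23T09:48:31Z 10.0.0.22 POST http://forms.example.test/information.cgi 302",
    "2016-11-23T09:49:00Z 10.0.0.31 POST http://213.32.66.16/information.cgi 200",
    "malformed line that should be skipped",
]


def find_information_cgi_c2(lines):
    """Return {client_ip: sorted C2 IPs} for POSTs to bare-IP /information.cgi URLs.

    Hostname-based URLs and non-POST methods are ignored so that an internal
    application that happens to serve /information.cgi does not alert.
    """
    hits = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        c2 = BARE_IP_INFORMATION_CGI.match(m["url"])
        if c2:
            hits[m["src"]].add(c2["ip"])
    return {src: sorted(ips) for src, ips in hits.items()}


if __name__ == "__main__":
    samples = (("kjcoiejceiwejf.png", FAKE_PE), ("Oe3cTld33aTOQyLh.tdb", FAKE_PE),
               ("newfle.exe", FAKE_PE), ("photo.png", FAKE_PNG))
    for name, blob in samples:
        print(f"{name}: disguised PE = {is_disguised_pe(name, blob)}")
    for src, ips in find_information_cgi_c2(SAMPLE_PROXY_LOG).items():
        print(f"{src} posted to Locky-style C2: {', '.join(ips)}")
```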


#1837 AplusWebMaster


Posted 25 November 2016 - 07:57 AM

FYI...

Fake 'Important Info' SPAM - leads to Locky
- http://blog.dynamoo....nformation.html
25 Nov 2016 - "This spam leads to Locky ransomware:
    Subject:     Important Information
    From:     Etta Figueroa
    Date:     Friday, 25 November 2016, 10:28
    Dear [redacted], your payment was not processed due to the problem with credentials.
    Payment details are in the attached document.
    Please check it out as soon as possible.


The name of the sender varies. Attached is a ZIP file beginning with payment_ and then the first part of the victim's email address. This analysis comes from my trusted usual source (thank you!). It contains a randomly-named malicious javascript that downloads a component... The malware then phones home to:
213.32.66.16 /information.cgi (OVH, France)
89.108.118.180 /information.cgi (Datalogika / Agava, Russia)
91.201.42.83 /information.cgi [hostname: aportom .com] (RuWeb, Russia)
Recommended blocklist:
213.32.66.16
89.108.118.180
91.201.42.83
"

- https://myonlinesecu...re-locky-zzzzz/
25 Nov 2016 - "... Locky downloader... an email with the subject of 'Important Information' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment_recipient’s name.zip... One of the emails looks like:
From: Clay Clarke <Clarke.Clay@ static .vnpt .vn>
Date: Thu 01/09/2016 19:22
Subject: Important Information
Attachment: payment_montag.zip
    Dear montag, your payment was not processed due to the problem with credentials.
    Payment details are in the attached document.
    Please check it out as soon as possible.


25 November 2016: payment_montag.zip: Extracts to: HQ5q97uu9s2.js - Current Virus total detections 8/54*
Payload Security**. MALWR*** shows a download of an encrypted file from
   http ://thinx .net/rkp2tpxlrg which is converted by the script to Oe3cTld33aTOQyLh.tdb (VirusTotal 15/56[4]). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[5] and Bleeping Computer[6] has a good write-up about the use of non-standard file extensions by Locky... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477646733/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://malwr.com/an...jYwNTc0OTEzNjc/
Hosts
133.130.109.98
185.154.13.79
83.217.11.193


4] https://www.virustot...sis/1480069873/

5] https://myonlinesecu...ile-extensions/

6] http://www.bleepingc...zzzz-extension/
___

Fake -blank/body- SPAM - more Locky
- https://myonlinesecu...re-locky-zzzzz/
25 Nov 2016 - "... Locky downloader... a -blank- email with the subject of (random number recipient name) coming or pretending to come from recipient name_olive at random email addresses with a semi-random named zip attachment in the format of INFO_random number_recipients name.zip that contains another zip file... One of the emails looks like:
From: derekolive@ blueyonder .co.uk
Date: Fri 25/11/2016 08:10
Subject: 57051 derek
Attachment: INFO_052297_derek.zip


Body content: Totally Blank/empty

25 November 2016: INFO_052297_derek.zip: which extracts to MONEY_14189_ZIP.zip which in turn Extracts to:
 MONEY_14189.js. Current Virus total detections 3/55*. MALWR** shows a download of a file from
  http ://www .vollyuper .top/admin.php?f=2.dat which gave MALWR rad68D08.tmp (VirusTotal 4/57***)...
Update: the same series of emails with these .js files also have -other- links that are currently downloading Cerber ransomware. These sites include:
 http ://otreytl .bid/search.php?f=x1.dat | http ://hqtrssx .top/search.php?f=x2.dat (VirusTotal 5/57[4])
 (Payload Security [5]). (MALWR [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480061873/

** https://malwr.com/an...jYwNTc0OTEzNjc/
Hosts
133.130.109.98
185.154.13.79
83.217.11.193


*** https://www.virustot...sis/1480062381/

4] https://www.virustot...sis/1480062381/

5] https://www.hybrid-a...vironmentId=100
Contacted Hosts


6] https://malwr.com/an...jEyNzc5MjE2OTA/
Hosts

___

Moar Locky 2016-11-25
- http://blog.dynamoo....2016-11-25.html
25 Nov 2016 - "This data comes from my trusted usual source; so far I have only seen a single example. This morning's spam run has a -subject- with one of the following words:
DOC, DOCUMENT, FAX, IMG, LABEL, ORD, PHOTO, PIC, SCAN, SHEET

...plus a four digit random number. Attached is a ZIP file with a name matching the subject, containing a randomly-named malicious javascript that attempts to download a component... The payload is Locky ransomware, phoning home to:
185.118.167.144 /information.cgi [hostname: bogdankarpenko1998.pserver .ru] (Chelyabinsk-Signal, Russia)
91.142.90.55 /information.cgi (Miran, Russia)
Recommended blocklist:
185.118.167.144
91.142.90.55
"
___

Fake 'New voice mail' SPAM - leads to Locky
- http://blog.dynamoo....-new-voice.html
25 Nov 2016 - "This -fake- voicemail spam leads to Locky ransomware and appears to come from within the victim's own domain, but this is just a simple forgery.
    Subject:     [Vigor2820 Series] New voice mail message from 01435773591 on 2016/11/25 18:29:39
    From:     voicemail@ victimdomain .tld
    To:     victim@ victimdomain .tld
    Date:     Friday, 25 November 2016, 12:58
    Dear webmaster :
        There is a message for you from 01435773591, on 2016/11/25 18:29:39 .
    You might want to check it when you get a chance.Thanks!


The number in the message will vary, but is consistent throughout. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip which contains a malicious Javascript... This Malwr analysis* shows behaviour consistent with Locky ransomware... The C2s to block are the same as here**, namely:
185.118.167.144 /information.cgi [hostname: bogdankarpenko1998.pserver .ru] (Chelyabinsk-Signal, Russia)
91.142.90.55 /information.cgi (Miran, Russia)
Recommended blocklist:
185.118.167.144
91.142.90.55
"
* https://malwr.com/an...GVmNTdlMzQ4NWU/
Hosts
92.60.224.52
185.118.167.144
91.142.90.55

** http://blog.dynamoo....2016-11-25.html
___

Locky hidden in image file hitting Facebook, LinkedIn
- https://www.helpnets...ebook-linkedin/
Nov 25, 2016 - "Malware masquerading as an image file is still spreading on Facebook, LinkedIn, and other social networks. Check Point researchers have apparently discovered how cyber crooks are embedding malware in graphic and image files, and how they are executing the malicious code within these images to infect social media users with Locky ransomware variants... As they are searching for a solution, the Check Point research team advises* users not-to-open-any-image they have received from another user and have downloaded on their machine... A video demonstration of the attack can be viewed below:
> https://youtu.be/sGlrLFo43pY "

* http://blog.checkpoi...malware-images/
2016/11/24 - "... attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user -clicks- on the downloaded file..."
 



Edited by AplusWebMaster, 25 November 2016 - 11:03 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
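Added example, not code from the quoted blogs or from this forum: a small Python triage routine for the attachment shapes described in the posts above (a zip inside a zip that ends in a .js, a .wav.zip that hides a script). The sample archives are constructed inline with placeholder contents; the names mirror those quoted, and nothing is downloaded or executed.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows hands to wscript/cscript on double-click (the Locky downloaders above).
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}
# Extensions used in front of .zip to make an archive look like media or a document.
DECOY_EXTS = {".wav", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png"}
MAX_DEPTH = 3                 # outer.zip -> inner.zip -> member is depth 2; deeper is suspicious
MAX_MEMBER_BYTES = 5_000_000  # never inflate more than this per member (zip-bomb guard)


@dataclass
class Finding:
    path: str      # e.g. "outer.zip/inner.zip/member.js"
    reason: str


def _exts(name: str):
    """All dotted suffixes of the basename, lowercased: 'a.wav.zip' -> ['.wav', '.zip']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def triage(name: str, data: bytes, depth: int = 0, findings=None):
    """Walk an attachment (recursing into zips) and collect reasons to distrust it."""
    findings = [] if findings is None else findings
    exts = _exts(name)
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        findings.append(Finding(name, f"decoy double extension {exts[-2]}{last}"))
    if last in SCRIPT_EXTS:
        findings.append(Finding(name, f"script file {last}"))
    # Recurse into anything that claims to be a zip or carries the zip signature.
    if last == ".zip" or data[:2] == b"PK":
        if depth >= MAX_DEPTH:
            findings.append(Finding(name, f"archive nested deeper than {MAX_DEPTH}"))
            return findings
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append(Finding(name, "named .zip but not a valid zip"))
            return findings
        with zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(Finding(member, "oversized member, not inflated"))
                    continue
                triage(member, zf.read(info), depth + 1, findings)
    return findings


def _zip(members: dict) -> bytes:
    """Build an in-memory zip from {member name: bytes} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples mirroring the names quoted above; the script body is a harmless placeholder.
PLACEHOLDER_JS = b"// constructed placeholder, not the real downloader\n"
NESTED_LOCKY = _zip({"MONEY_14189_ZIP.zip": _zip({"MONEY_14189.js": PLACEHOLDER_JS})})
VOICEMAIL_LOCKY = _zip({"Message_from_01435773591.js": PLACEHOLDER_JS})
CLEAN_DOCX = _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for label, blob in [("INFO_052297_derek.zip", NESTED_LOCKY),
                        ("Message_from_01435773591.wav.zip", VOICEMAIL_LOCKY),
                        ("report.docx", CLEAN_DOCX)]:
        for f in triage(label, blob):
            print(f"{f.path}: {f.reason}")
```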


#1838 AplusWebMaster


Posted 28 November 2016 - 05:44 AM

FYI...

Fake 'Purchase Order' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
28 Nov 2016 - "... Locky downloader... an email with the subject of 'Purchase Order No. 90373' (random numbers) coming or pretending to come from donotreply@ south-staffordshire .com with a semi-random named zip attachment that matches the subject line... One of the emails looks like:
From: donotreply@ south-staffordshire .com
Date: Mon 28/11/2016 09:45
Subject: Purchase Order No. 90373
Attachment: PO90373.zip
    Please find attached Purchase Order No. 90373.
    PLEASE DO NOT REPLY TO THIS ADDRESS.
    If you have any queries in regards to your Purchase Order, please contact your requestor, Reinaldo horrocks on 01922 062460 ext 5580...


28 November 2016: payment_history_64b96be.zip: Extracts to: 93410605.wsf - Current Virus total detections 8/55*
MALWR** is not giving any payload or download sites. Payload Security*** shows a download of an encrypted file from
 restauranttajmahal .ca/87nft3?iNKevOML=ChKIolivpc which is converted by the script to a dll and autorun.
Unfortunately Payload Security does not show or make the dll available for download in the free web version... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480327255/

** https://malwr.com/an...jQ5ZDI4MWEwMDY/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Urgent Alert' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
28 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent Alert' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of ATM_recipients name.zip... One of the emails looks like:
From: Tami Soto <Soto.Tami@ lelycentereast .com>
Date: Mon 28/11/2016 09:22
Subject: Urgent Alert
Attachment: ATM_etgord34truew.zip
    Dear etgord34truew, we have detected a suspicious money ATM withdrawal from your card.
    For your security, we have temporarily blocked the card.
    All the details are in the attachment. Please open it when possible.


28 November 2016: ATM_etgord34truew.zip: Extracts to: HQ6za5d7.js - Current Virus total detections 7/53*
MALWR** shows a download of an encrypted file from http ://dodowiz .com/ynux4ac
  which is converted by the script to x3NzzWXgCcwO.tdb (VirusTotal 6/52***). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[4] and Bleeping computer[5] has a good write up about the use of non standard file extensions by Locky
(Payload Security [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480324767/

** https://malwr.com/an...Dk1MzY1YTIyZDc/
Hosts
183.98.152.2

*** https://www.virustot...sis/1480329111/

4] https://myonlinesecu...ile-extensions/

5] http://www.bleepingc...zzzz-extension/

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Bill' SPAM - more Locky
- https://myonlinesecu...-email-address/
28 Nov 2016 - "... Locky downloader... another blank/empty malspam pretending to come from random names at your-own-email-address with the subject of 'Bill-4491989' (random numbers) with a random named zip attachment. All these emails have a To: line of resort@ doggiespalace .com with a hidden bcc: to your email address... One of the emails looks like:
From: earlene mitchel <earlene.mitchel@ your-own-email-domain .co.uk>
Date: Mon 28/11/2016 12:07
Subject: Bill-4491989
To: resort@ doggiespalace .com
Attachment: d58e224b0e2266fb80b74c3b46f03fd1.zip


Body content: totally blank/empty

28 November 2016: d58e224b0e2266fb80b74c3b46f03fd1.zip: Extracts to: 64621603.wsf
Current Virus total detections 8/50*. MALWR is unable to get any malware or download sites. Payload Security** shows a download of an encrypted file from sinmotor .com/87nft3?XztYNBph=nhYXdz which is converted by the script to MxoWCE1.dll (VirusTotal 9/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480329075/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...sis/1480333048/
___

Fake 'Message' SPAM - more Locky
- https://myonlinesecu...-email-address/
28 Nov 2016 - "... Locky downloader... another malspam pretending to come from donotreply at your-own-email-address that pretends to be an email from a scanner/printer with the subject of 'Message from RNP0024D5D73B3A' (random numbers) with a semi-random named zip attachment in the format of todays date random numbers_random numbers.zip... One of the emails looks like:
From: donotreply@ your-own-email-address .co.uk
Date: Mon 28/11/2016 11:30
Subject: Message from “RNP0024D5D73B3A”
Attachment: 201611281559326883_0033.zip
    This E-mail was sent from “RNP0024D5D73B3A” (Aficio MP 2352).
    Scan Date: Mon, 28 Nov 2016 15:59:32 +0430)
    Queries to: {redacted}


28 November 2016: 201611281559326883_0033.zip: Extracts to: 95130643.wsf - Current Virus total detections 6/55*
Payload Security** shows a download of an encrypted file from somersetautotints .co.uk/87nft3?viqtJpG=zELkPdJaI  which is converted by the script to lkVpqyuH1.dll which VirusTotal 9/56*** shows is the same file as this concurrent malspam run[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480336074/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...bb90a/analysis/

4] https://myonlinesecu...-email-address/
 



Edited by AplusWebMaster, 28 November 2016 - 08:28 AM.



#1839 AplusWebMaster


Posted 29 November 2016 - 06:14 AM

FYI...

Fake 'XLS Invoice' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
29 Nov 2016 - "An email with the subject of 'Please find attached a XLS Invoice 293192' (random numbers) pretending to come from creditcontrol@ random companies with a malicious Excel XLS spreadsheet attachment delivers Locky... The email looks like:
From: creditcontrol@ riversideglass .com
Date: Tue 29/11/2016 08:01
Subject: Please find attached a XLS Invoice 293192
Attachment:  INVOICE.TAM_293192_20161129_C415186AD.xls
    Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then pleasedo not hesitate in contacting us.Karen Lightfoot -Credit Controller, Ansell Lighting ...


29 November 2016: INVOICE.TAM_293192_20161129_C415186AD.xls - Current Virus total detections 9/56*
Payload Security** shows a download from thegarageteam .gr/087gbdv4 which is an encrypted file that gets converted by the macro to luswiacs1.dll. Unfortunately Payload Security does not make this file available in the free web version. MALWR*** did give the dll (VirusTotal 9/57[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480406523/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://malwr.com/an...TM5ZmJlYjc3ZTY/
Hosts
178.32.154.18
213.32.90.193
95.213.195.123
185.115.140.210


4] https://www.virustot...sis/1480407357/
___

Fake 'For Your Consideration' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
29 Nov 2016 - "... Locky downloader... an email with the subject of 'For Your Consideration' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
From: Elliott Osborn <Osborn.Elliott@ airtelbroadband .in>
Date: Tue 29/11/2016 11:22
Subject: For Your Consideration
Attachment: unpaid_evf.zip
    Greetings! You paid for yesterday’s invoice – the total sum was $4636.
    Unfortunately, you hadn’t included the item #47089-14743 of $688.
    Please transfer the remainder as soon as possible.
    All details are in the attachment. Please check it out to see whether we are right.


29 November 2016: unpaid_evf.zip: Extracts to: -snk-7030904.js - Current Virus total detections 12/55*
MALWR** shows a download of an encrypted file from one of these 2 locations
 http ://tytswirl .com/u2asa61 and  http ://kalbould .wa .gov.au/n9zz5r8 which is converted by the script to AddoClgYDJ4J3F.tdb (VirusTotal 6/57***). The tdb file is actually a dll file that is run by rundll32 but given a different extension... Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480418735/

** https://malwr.com/an...WU3MzQ5NWJhM2Q/
Hosts
103.9.65.107
67.171.65.64


*** https://www.virustot...sis/1480419080/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
103.9.65.107
67.171.65.64
52.42.26.69
54.240.162.193

___

Fake 'File COPY' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
29 Nov 2016 - "An email with the subject of 'File COPY.29112016.94400.XLS Sent 29/11/2016' (random numbers) pretending to come from random senders with a malicious Excel XLS spreadsheet attachment delivers Locky ransomware... The email looks like:
From: ALLGREEN-USSING, RODOLFO <RODOLFO.ALLGREEN-USSING@ PARFEMY-ELNINO .SK>
Date: Tue 29/11/2016 13:23
Subject: File COPY.29112016.94400.XLS Sent 29/11/2016
Attachment: COPY.29112016.94400.XLS
    can you please pass this invoice for payment thank you...


29 November 2016: COPY.29112016.94400.XLS - Current Virus total detections 9/55*
Payload Security** shows a download of an encrypted file from steffweb .dk/087gbdv4 which is converted by the  macro to luswiacs1.dll (VirusTotal 10/56***). Although the Locky dll file -name- is the same as today’s earlier XLS malspam[1] run the file itself is different...
1] https://myonlinesecu...delivers-locky/
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480430599/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
94.231.108.252

*** https://www.virustot...d9124/analysis/
___

Fake 'eFax' SPAM - drops Nymaim variant
- http://blog.dynamoo....sharepoint.html
29 Nov 2016 - "This -fake- fax leads to a malicious ZIP file:

Screenshot: https://4.bp.blogspo.../s1600/efax.png

The link in the email goes to a -hacked- Sharepoint account, in this case:
 https ://supremeselfstorage-my.sharepoint .com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1
It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise[2]. The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical -scripts- named:
Fax_11292016_page1.js
Fax_11292016_page2.js
... Hybrid Analysis* of the script indicates this is Nymaim[3] downloading a component from:
siliguribarassociation .org/images/staffs/documetns.png
A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56**. The malware then phones home to:
stengeling .com/20aml/index.php
The domain stengeling .com appears to have been -created- for this malware and has -anonymous- registration details. It is apparently -multihomed- on the following IPs:
Each of those IPs appears to be a -hacked- legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:
butestsis .com
sievecnda .com
specsotch .com
crileliste .com
stengeling .com
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts


** https://www.virustot...56c60/analysis/

2] https://support.micr...n-us/kb/2551603

3] http://cyber.verint....alware-variant/
___

Fake 'Insufficient funds' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
28 Nov 2016 - "... Locky... an email with the subject of 'Insufficient funds' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment-recipient name.zip... One of the emails looks like:
From: Ruby Quinn <Quinn.Ruby@ villatk .gr>
Date: Mon 28/11/2016 20:58
Subject: Travel expense sheet
Attachment: payment-gold.zip
    Dear gold,
    Your bill payment was rejected due to insufficient funds on your account.
    Payment details are given in the attachment.


28 November 2016: payment-gold.zip: Extracts to: -snk-007064018.js - Current Virus total detections 14/55*
MALWR** shows a download of an encrypted file from  http ://leyuego .com/ejxgf1iy which is converted by the script to Ddrh0VO4W20.tdb (VirusTotal 7/57***). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[4] and Bleeping computer[5] has a good write up about the use of non standard file extensions by Locky (Payload Security [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480370317/

** https://malwr.com/an...jYxM2I0MjkyN2E/
Hosts
121.201.23.80

*** https://www.virustot...sis/1480371353/

4] https://myonlinesecu...ile-extensions/

5] http://www.bleepingc...zzzz-extension/

6] https://www.reverse....vironmentId=100
Contacted Hosts

___

Apple ID – Phish
- https://myonlinesecu...le-id-phishing/
29 Nov 2016 - "... mass Apple phish... received about 200 so far this morning. Many of which are getting past spam filters because they seem to have found some sending addresses that aren’t yet listed in spam databases and that don’t use SPF /DKIM /DMARC so authentication checks don’t fail. Most mail servers are set up to ignore lack of mail authentication, rather than automatically delete or quarantine...

Screenshot: https://i0.wp.com/my...=1024,644&ssl=1

The links in the body go to
 http ://k4dot .biz/admindb/gi.html which -redirects- to http ://tkmarketingsolutions .com/skynet/Itunes/apple/

k4dot .biz: 161.58.203.203: https://www.virustot...03/information/
tkmarketingsolutions .com: 67.212.91.221: https://www.virustot...21/information/

... follow the link you see a webpage looking like:
> https://i1.wp.com/my...=1024,565&ssl=1
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 



Edited by AplusWebMaster, 29 November 2016 - 03:59 PM.

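Added example, not from the quoted sources or this forum: Python that applies the mail-authentication points made in the posts above (From: forged as the recipient's own domain, as in the voicemail and "your-own-email-address" runs, and the Apple phish senders that publish no SPF/DKIM/DMARC, so a result of "none" is never a pass). The domain names, the authserv-id and the Authentication-Results lines are constructed placeholders; it trusts only the header stamped by our own MX.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Placeholders for the receiving organisation: its own domain(s) and the authserv-id its MX stamps.
OUR_DOMAINS = {"victimdomain.tld"}
AUTHSERV_ID = "mx.victimdomain.tld"

_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
_SPF_DOMAIN_RE = re.compile(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)", re.I)
_DKIM_DOMAIN_RE = re.compile(r"dkim=pass[^;]*?header\.d=([\w.-]+)", re.I)


def auth_results(msg):
    """Collect SPF/DKIM/DMARC verdicts, trusting only Authentication-Results stamped by our MX."""
    res = {"spf": "none", "dkim": "none", "dmarc": "none", "spf_domain": "", "dkim_domain": ""}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, body = str(hdr).partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue  # a sender can pre-stamp a forged header under another authserv-id
        for method, verdict in _RESULT_RE.findall(body):
            res[method.lower()] = verdict.lower()
        m = _SPF_DOMAIN_RE.search(body)
        res["spf_domain"] = m.group(1).lower() if m else ""
        m = _DKIM_DOMAIN_RE.search(body)
        res["dkim_domain"] = m.group(1).lower() if m else ""
    return res


def classify(raw: str, our_domains=OUR_DOMAINS):
    """Return (verdict, reason) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    res = auth_results(msg)
    # "Aligned" in the DMARC sense: a pass whose authenticated domain is the From: domain.
    aligned = (res["dkim"] == "pass" and res["dkim_domain"] == from_domain) or \
              (res["spf"] == "pass" and res["spf_domain"] == from_domain)
    if from_domain in our_domains and not aligned:
        return "quarantine", "From claims our own domain without an aligned SPF/DKIM pass"
    if res["dmarc"] == "fail":
        return "quarantine", f"DMARC fail for {from_domain}"
    if res["spf"] == res["dkim"] == res["dmarc"] == "none":
        return "review", "sender is entirely unauthenticated; absence of a result is not a pass"
    return "deliver", "authentication results acceptable"


# Constructed messages; the Authentication-Results lines are what our own MX would stamp.
VOICEMAIL_SPOOF = """\
Authentication-Results: mx.victimdomain.tld; spf=fail smtp.mailfrom=victimdomain.tld; dkim=none; dmarc=fail header.from=victimdomain.tld
From: voicemail@victimdomain.tld
To: victim@victimdomain.tld
Subject: [Vigor2820 Series] New voice mail message from 01435773591

There is a message for you from 01435773591.
"""
UNAUTHENTICATED_PHISH = """\
Authentication-Results: mx.victimdomain.tld; spf=none; dkim=none; dmarc=none
From: Apple Support <no-reply@appleid-example.invalid>
To: victim@victimdomain.tld
Subject: Your Apple ID has been locked

Please verify your account.
"""
LEGIT_PARTNER = """\
Authentication-Results: mx.victimdomain.tld; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass
From: Accounts <accounts@partner.example>
To: victim@victimdomain.tld
Subject: Invoice

Attached as agreed.
"""
# The first header here is attacker-supplied and must be ignored; only the second is ours.
FORGED_AR_HEADER = """\
Authentication-Results: mail.attacker.invalid; spf=pass smtp.mailfrom=victimdomain.tld; dkim=pass header.d=victimdomain.tld
Authentication-Results: mx.victimdomain.tld; spf=fail smtp.mailfrom=victimdomain.tld; dkim=none; dmarc=fail header.from=victimdomain.tld
From: donotreply@victimdomain.tld
To: victim@victimdomain.tld
Subject: Message from "RNP0024D5D73B3A"

This E-mail was sent from a scanner.
"""

if __name__ == "__main__":
    for name, raw in [("voicemail spoof", VOICEMAIL_SPOOF), ("unauthenticated", UNAUTHENTICATED_PHISH),
                      ("partner", LEGIT_PARTNER), ("forged A-R header", FORGED_AR_HEADER)]:
        print(name, "->", classify(raw))
```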


#1840 AplusWebMaster


Posted 30 November 2016 - 05:12 AM

FYI...

Fake 'Urgent bill' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
30 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
From: Adolfo Alexander <Alexander.Adolfo@ escondidohistory .org>
Date: Wed 30/11/2016 09:06
Subject: Urgent
Attachment: unpaid_forum.zip
    Dear forum, our accountant informed me that in the bill you processed, the invalid account number had been specified.
    Please be guided by instructions in the attachment to fix it up.


30 November 2016: unpaid_forum.zip: Extracts to: -snk-284042943.js - Current Virus total detections 10/55*
MALWR** shows a download of an encrypted file from http ://revaitsolutions .com/ij1driqioc which is converted by the script to K3GepPJAfH.tdb (VirusTotal 5/57***). Payload Security[4]. The tdb file is actually a dll file that is run by rundll32 but given a different extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480496588/

** https://malwr.com/an...mE3ODJmZGYyMWI/
Hosts
166.62.28.127

*** https://www.virustot...sis/1480498073/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Attached Image' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
30 Nov 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky... The email looks like:
From:  canon@ thespykiller .co.uk
Date: Wed 30/11/2016 09:23
Subject: Attached Image
Attachment: 6479_005.docm


Body content: Totally blank/empty

30 November 2016: 6479_005.docm - Current Virus total detections 9/55*
Both MALWR** and Payload Security*** show a download from satherm .pt/873nf3g which is converted by the macro to  ajufr51.dll (VirusTotal 5/57[4]). Manual analysis shows an attempt to download from
 http ://travelinsider .com.au/021ygs7 which is currently giving me a 404. There are normally 5 or 6 download locations buried inside the macro or script files with these Locky versions.
C2 http ://91.142.90.61 /information.cgi | 95.213.195.123 /information.cgi... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480498411/

** https://malwr.com/an...jg0NmRjZWQzNTQ/
Hosts
80.172.235.175
91.142.90.61


*** https://www.hybrid-a...vironmentId=100
Contacted Hosts


4] https://www.virustot...sis/1480499902/
___

Forced install - Chrome extension...
- https://blog.malware...rome-extension/
Nov 29, 2016 - "We have found a number of websites whose sole purpose is to try and force an extension on anyone visiting that site with Chrome. Most often, you can likely land on one of these sites after a -redirect- from a crack, keygen, or adult entertainment site... site runs a JavaScript producing this dialog box, telling you you’ll have to 'Add Extension to Leave':
> https://blog.malware.../11/prompt1.png
Clicking “Cancel” once changes it to add a tick box marked “Prevent this page from creating additional dialogs”:
> https://blog.malware...1/warning2w.png
Thinking that this is the ticket out of the page, you will tick that box and click “OK”. At this point, your tab will go into “Full Screen” mode, and you can see which extension they want you to install:
> https://blog.malware...1/warning3w.png
The app is called Veritasi and a big arrow pointing to the “Add extension” button is displayed on the site. Clicking the said button initiates the installation of the app:
> https://blog.malware...11/warning4.png
When I looked up Veritasi, we noticed it was added to the “Web Store” the same day we found it and it’s supposedly meant to improve your sound quality online:
> https://blog.malware...oundimprove.png
A similar extension was found and described by Botcrawl.com who classified it as adware. It has the permission “Read and change all your data on the websites you visit”, which is not unusual for a browser extension, but it’s all that -adware- needs to do its job:
> https://blog.malware...ermissionsw.png
If your Windows machine gets stuck on a site like this, use the Ctrl-Alt-Del key combination to invoke the Task Manager. Use “End Process” on every active “chrome.exe” process until the browser shuts down. When you restart Chrome, it will ask if you want to “Restore” the open tabs. I would recommend -not- to, unless it’s really necessary. We have sent in an abuse report and blocked the sites involved to protect as many possible victims as we could..."
> https://blog.malware...16/11/abuse.png
... A full removal guide can be found on our forums*..."
* https://forums.malwa...s-for-veritasi/
 



Edited by AplusWebMaster, 30 November 2016 - 06:14 AM.

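Added example, not from the quoted blogs or this forum: a Python check over constructed process-creation records for the rundll32 trick described in the posts above (the downloaded payload saved as .tdb, .zk or a numeric extension instead of .dll and loaded by rundll32 from a script host or Office parent). The record layout (parent|image|command line), the paths and the export name EntryPoint are assumptions; the module file names are the ones quoted above.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed process-creation records (parent image|image|command line); not from any real log.
LOG_LINES = [
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\user\AppData\Local\Temp\Ddrh0VO4W20.tdb,EntryPoint",
    r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\user\AppData\Local\Temp\nhbzalOHj.343,EntryPoint",
    r'C:\Windows\System32\cscript.exe|C:\Windows\System32\rundll32.exe|rundll32.exe "C:\Users\user\AppData\Local\Temp\K3GepPJAfH.zk",EntryPoint',
    r"C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

ALLOWED_MODULE_EXTS = {".dll"}
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "winword.exe", "excel.exe", "powershell.exe"}
_FIRST_ARG = re.compile(r'\s*(?:"([^"]+)"|(\S+))')   # one token, quoted or bare


@dataclass
class Finding:
    module: str
    parent: str
    reasons: list


def module_argument(cmdline: str) -> str:
    """Return the module path rundll32 was asked to load (first argument, before the comma)."""
    m = _FIRST_ARG.match(cmdline)          # skip the rundll32.exe token itself
    rest = cmdline[m.end():] if m else ""
    m = _FIRST_ARG.match(rest)
    if not m:
        return ""
    token = m.group(1) or m.group(2)
    return token.split(",", 1)[0]


def check_record(parent: str, image: str, cmdline: str):
    """Return a Finding for a rundll32 launch that matches the Locky pattern, else None."""
    if ntpath.basename(image).lower() != "rundll32.exe":
        return None
    module = module_argument(cmdline)
    ext = ntpath.splitext(module)[1].lower()
    reasons = []
    if ext not in ALLOWED_MODULE_EXTS:
        reasons.append(f"module extension {ext or '(none)'} instead of .dll")
    if re.search(r"\\(Temp|AppData)\\", module, re.I):
        reasons.append("module lives under a user temp/profile directory")
    pname = ntpath.basename(parent).lower()
    if pname in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {pname}")
    return Finding(module, pname, reasons) if reasons else None


def scan(lines):
    findings = []
    for line in lines:
        parent, image, cmdline = line.split("|", 2)
        f = check_record(parent, image, cmdline)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f.module, "<-", f.parent, ";", "; ".join(f.reasons))
```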


#1841 AplusWebMaster


Posted 01 December 2016 - 09:09 AM

FYI...

Fake 'efax' SPAM - delivers Dridex
- https://myonlinesecu...nknown-malware/
1 Dec 2016 - "... an email with the subject of 'efax message from unknown – 2 page(s)' pretending to come from eFax <message@ inbound-efax-au .org> with a link-to-download-a-zip-file that extracts to 2 identical .js files named fax page 1 and fax page 2...

Screenshot: https://i2.wp.com/my...=1024,773&ssl=1

1 December 2016: Fax.zip: Extracts to: Fax_page1.js - Current Virus total detections 3/55*
MALWR** shows a download of a file from ‘http ://mohdsuhaimy .com/wp-content/uploads/2006/06/background.png’ which is -not- a png (image file) but a -renamed- .exe which is renamed back by the script to an .exe file
(VirusTotal 15/57***). (Payload Security [4]). Previously this trick & delivery method has delivered Trickbot banking Trojan. However this binary looks different and gives some indication of ransomware behaviour...
Update: I am reliably informed that this is Dridex Banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480579221/

** https://malwr.com/an...DJhYmMwMWZjYWU/
Hosts
173.247.245.31

*** https://www.virustot...sis/1480579728/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.247.245.31
111.69.33.166
104.236.219.229
185.8.165.33

___

Fake 'Invoices' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
1 Dec 2016 - "... Locky downloader... an email with the subject of 'E-Mailed Invoices Invoice_87313391' (random numbers) coming or pretending to come from random companies, names and email addresses with what appears to be a word docm attachment - In reality this attachment is a standard zip file that has been erroneously named as a word macro doc. It will not open in word or any other word processing program. This zip contains a VBS file. Trying to open the alleged word doc in Word gives this error message:
> https://i2.wp.com/my...png?w=524&ssl=1
... One of the emails looks like:
From: WAUGH, HORACIO <HORACIO.WAUGH@ originalyin .ca>
Date: Thu 01/12/2016 09:23
Subject: E-Mailed Invoices Invoice_87313391
Attachment: Invoice_87313391.docm
    Please find attached your latest purchase invoice...
    Any queries with either the quantity or price MUST be notified immediately to the department below.
    Yours sincerely, Sales Ledger Department...
    This email has been scanned by the Symantec Email Security.cloud service...


1 December 2016: Invoice_87313391.docm (actually a zip file): Extracts to: fGDpAMD-0438.vbs
Current Virus total detections on docm(zip) VirusTotal on VBS 20/55*. Payload Security** shows a download of an encrypted file from speckftp .de/978t6rve  which is converted by the script to nhbzalOHj.343 (VirusTotal 37/56***)
Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 etc or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480587704/
fGDpAMD-0438.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
87.106.247.11
95.213.195.123
91.142.90.61
54.240.162.180


*** https://www.virustot...sis/1480587701/
___

Fake 'Invoice' SPAM - links to Dridex
- https://myonlinesecu...banking-trojan/
1 Dec 2016 - "... an email with the subject of 'Invoice INV-01823 (Amended)' from Fleurs (random numbers and random companies) coming from Accounts <messaging-service@ post-xero .org>. There is no zip attachment but a -link- in the email to download a zip... post-xero .org is a newly created domain that is registered to a Chinese entity with probably -fake- details. It appears to be hosted on OVH in France... One of the  emails looks like:
From: Accounts <messaging-service@ post-xero .org>
Date: Thu 01/12/2016 08:02
Subject: Invoice INV-01823 (Amended) from Fleurs
Attachment: link-in-email to INV-01823.zip
    Dear Customer, Please find attached invoice INV-01823 (Amended) for 421.59 GBP. This invoice was sent too early in error. The payment date should be 7th December 2016. Kindly accept our apologies for the oversight and for any inconvenience caused. The amount outstanding of 421.59 GBP is due on 07 Dec 2016. View and pay your bill:
 https ://in.xero .com/vjNPxBRausdmfvsgnZKOMWvyHsISTwYm  If you have any questions, please do not hesitate to contact us. Kind regards, Accounts Department ...


The link in the body does -not- go to xero .com which is a legitimate small business accounting software but to a criminal controlled site on SharePoint:  ‘https :// ryandixon-my.sharepoint .com personal/judy_dixonconstructionwa_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=k9xc1qR8YuAKTF6D2%2bMExORcjRIY3nQj8RB7WhdXaSw%3d&docid=09d01294b7e434b2aad87127682150354&rev=1’

1 December 2016: INV-01823.zip: Extracts to: INV-01823.js - Current VirusTotal detections 6/54*
.. where comments show this downloads the same Dridex banking Trojan from the -same- locations as described in THIS earlier post:
> https://myonlinesecu...nknown-malware/
The basic rule is NEVER open any attachment to an email [OR click-on-links in the body] unless you are expecting it..."
* https://www.virustot...sis/1480587854/
INV-01823.js

post-xero .org: 46.105.101.84: https://www.virustot...84/information/

ryandixon-my.sharepoint .com: 104.146.222.33: https://www.virustot...33/information/
>> https://www.virustot...7e61f/analysis/
1/68
___

Fake 'Payment Information' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
1 Dec 2016 - "... Locky downloader... an email with the subject of 'Payment Information' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of P_recipient’s name.zip... One of the emails looks like:
From: Helga Hull <Hull.Helga@ dreamactunion .org>
Date: Thu 01/12/2016 18:23
Subject: Payment Information
Attachment: P_rek.zip
    Good afternoon. Thank you for sending the bill.
    Unfortunately, you have forgotten to specify insurance payments.
    So, we cannot accept the payment without them.
    All details are in the attachment.


1 December 2016: P_rek.zip: Extracts to: -6dt874p53077.js - Current VirusTotal detections 16/55*
MALWR** shows a download of an encrypted file from http ://trewincefarm .co.uk/xlyy7 which is converted by the script to 0UBE8YF7q1BcN.zk (VirusTotal 11/57***). Payload Security[4]. Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/

** https://malwr.com/an...Dc4MWI5ZWVmYjU/
Hosts
82.211.96.24

*** https://www.virustot...sis/1480617465/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Worldwide cyber-crime network hit in coordinated raids
- http://www.reuters.c...r-idUSKBN13Q4Z6
Dec 1, 2016 - "One of the world's biggest networks of hijacked computers, which is suspected of being used to attack online banking customers, has been taken down following police swoops in 10 countries, German police said on Thursday. In an internationally coordinated campaign, authorities carried out the raids on Wednesday, seized servers and website domains and arrested suspected leaders of a criminal organization, said police and prosecutors in northern Germany. Officials said they had seized 39 servers and several hundred thousand domains, depriving criminals of control of more than 50,000 computers in Germany alone. These hijacked computers were used to form a 'botnet' to knock out other websites. Two people who are believed to have been the administrators of the botnet infrastructure known as 'AVALANCHE' were arrested in Ukraine, investigators said. Another person was arrested in Berlin, officials added. The strike came in the same week that hackers tried to create the world's biggest botnet, or an army of zombie computers, by infecting the routers of 900,000 Deutsche Telekom (DTEGn.DE) customers with malicious software. The attack failed but froze the routers, causing outages in homes, businesses and government offices across Germany on Sunday and Monday, Deutsche Telekom executives said. Police said criminals had used the 'AVALANCHE' botnet targeted in Wednesday's international raids since 2009 to send phishing and spam emails. More than a million emails were sent per week with malicious attachments or links. When users opened the attachment or clicked on the link, their infected computers became part of the botnet. Investigators said the suspects had operated the commandeered network and made it available to other criminal groups, who had used it to send spam and phishing mails, defraud online banking users and to spread ransomware, a form of online extortion scheme. Officials estimated worldwide damages at upward of several hundred million euros.
Authorities have identified 16 suspected leaders of the organization from 10 different countries. A court in Verden, northern Germany, has issued arrest warrants for seven people on suspicion of forming a criminal organization, commercial computer fraud and other criminal offences. The raids came after more than four years of intensive investigation by specialists in 41 countries."
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 01 December 2016 - 02:33 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
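The posts above keep describing the same loader chain: a zipped JS/VBS/WSF script fetches an encrypted blob, converts it to a DLL with an odd extension (.343, .zk, .tdb, .spe) and hands it to rundll32.exe. As an added example, not code from the quoted blogs or the forum, here is a Python triage check that applies that pattern to process-creation records; the one-line log format and the sample records are constructed.

```python
"""Triage check for the Locky loader chain quoted in the posts above: a script
host or Office process spawns rundll32.exe with a module whose extension is not
.dll (.343, .zk, .tdb, .spe, ...), usually from %TEMP%. Added example, not code
from the quoted blogs; the one-line log format and sample records are constructed
(map the fields from your EDR or Sysmon Event ID 1 export)."""
import re
from typing import List, NamedTuple, Optional

# Parents seen spawning rundll32 in this malspam chain; legitimate rundll32 use
# (Control Panel applets, printui, ...) normally comes from explorer or svchost.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}
# Module extensions quoted on this page for the converted Locky DLL payloads.
KNOWN_BAD_EXTS = {"342", "343", "552", "tdb", "zk", "spe"}
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.I)
# rundll32 syntax: rundll32.exe <module>[,<entry>] [args]; the module may be quoted.
RUNDLL32_CMD = re.compile(r'\s*"?[^"\s]*rundll32\.exe"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+cmdline=(?P<cmd>.*)$")

class Alert(NamedTuple):
    line_no: int
    module: str
    reason: str

def module_from_cmdline(cmdline: str) -> Optional[str]:
    """Module path rundll32 was asked to load, or None for any other command."""
    m = RUNDLL32_CMD.match(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def classify(parent: str, cmdline: str) -> Optional[str]:
    """Semicolon-joined reasons the launch matches the Locky pattern, else None."""
    module = module_from_cmdline(cmdline)
    if module is None:
        return None
    name = module.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    if ext in KNOWN_BAD_EXTS:
        reasons.append(f"extension .{ext} seen on Locky DLL payloads")
    elif ext.isdigit():
        reasons.append(f"numeric extension .{ext}")
    elif ext != "dll":
        reasons.append(f"non-standard extension {'.' + ext if ext else '(none)'}")
    if TEMP_PATH.search(module):
        reasons.append("module loaded from %TEMP%")
    if parent.lower().rsplit("\\", 1)[-1] in SUSPICIOUS_PARENTS:
        reasons.append(f"parent {parent} is a script host or Office app")
    return "; ".join(reasons) or None

def scan(log_text: str) -> List[Alert]:
    """Run classify() over every parsable record and collect the hits."""
    alerts: List[Alert] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        reason = classify(m["parent"], m["cmd"])
        if reason:
            alerts.append(Alert(n, module_from_cmdline(m["cmd"]) or "", reason))
    return alerts

# Constructed records: two Locky-style launches (the .343 and .zk file names are
# the converted-payload names quoted above), one benign rundll32 use and one
# non-rundll32 child of wscript that must not alert.
SAMPLE_LOG = """\
2016-12-01T10:03:12Z parent=wscript.exe cmdline=C:\\Windows\\System32\\rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\nhbzalOHj.343,qwerty
2016-12-01T10:04:40Z parent=explorer.exe cmdline=C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL
2016-12-01T10:05:02Z parent=winword.exe cmdline="C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\bob\\AppData\\Local\\Temp\\0UBE8YF7q1BcN.zk",qwerty
2016-12-01T10:05:30Z parent=wscript.exe cmdline=C:\\Windows\\System32\\cmd.exe /c echo hi
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.module}\n    {a.reason}")
```

Treat a hit as a triage signal rather than a verdict: some installers legitimately call rundll32 on oddly named modules, but a script host or Office parent plus a %TEMP% module is rare enough to be worth a look.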


#1842 AplusWebMaster
  • SWI Friend
  • 10,563 posts

Posted 02 December 2016 - 06:35 AM

FYI...

Fake 'Pay Attention' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
2 Dec 2016 - "... Locky downloader... an email with the subject of 'Please Pay Attention' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of SCAN_recipient’s name.zip... One of the emails looks like:
From: Claud Hopper <Hopper.Claud@ jvaclub .com>
Date: Fri 02/12/2016 09:35
Subject: Please Pay Attention
Attachment: SCAN_ard.zip
    Greetings! Informing you that the contractor requires including VAT in the service receipt.
    Sending the new invoice and payment details in the attached file.
    Please open and study it as soon as possible – we need your decision.


2 December 2016: SCAN_ard.zip: Extracts to: -uvk3166985727v.js - Current VirusTotal detections 8/55*
MALWR** shows a download of an encrypted file from http ://supermarkety24 .pl/levsyp8vp which is converted by the script to 5viAGx9N.zk (VirusTotal 8/56***) | Payload Security[4] | Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480674917/

** https://malwr.com/an...Dc4MWI5ZWVmYjU/
Hosts
82.211.96.24

*** https://www.virustot...sis/1480676872/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
193.106.106.169
95.46.98.25
91.201.41.145
46.8.29.173

___

Fake 'Emailing...' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
2 Dec 2016 - "An email with the subject of 'Emailing: EPS000007' (random numbers) pretending to come from random names at your-own-email-address with a malicious word doc attachment delivers Locky... The email looks like:
From: edmund <edmund.simister@ malware-research .co.uk>
Date: Fri 02/12/2016 12:39
Subject:  Emailing: EPS000007
Attachment:  EPS000007.docm
    Please find attachment.
    —
    This email has been checked for viruses by Avast antivirus software...


2 December 2016: EPS000007.docm - Current VirusTotal detections 10/56*
MALWR** shows a download of an encrypted file from http ://solid-consulting .nl/74t3nf4gv4 which is converted by the macro to likyir1.exe (VirusTotal 8/57***). Payload Security[4]. C2: http ://195.19.192.99 /information.cgi
Other download locations seen on manual analysis of the macro include:
solid-consulting .nl/74t3nf4gv4 | taikosushibar .com.br/74t3nf4gv4 | tatooshsfds .com/74t3nf4gv4
 sudeepgurtu .com/74t3nf4gv4 ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480682348/

** https://malwr.com/an...TdlMzg0YjlmYjA/
Hosts
149.210.133.178
195.19.192.99


*** https://www.virustot...sis/1480680017/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Attached Document' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
2 Dec 2016 - "A -blank- email with the subject of 'Attached Document' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky. This series of malspam emails contain the same macro downloaders and end up delivering the -same- Locky payload as described in THIS* earlier post where they used an Epson scanner/printer... The email looks like:
From: canon@ my onlinesecurity .co.uk
Date: Fri 02/12/2016 15:52
Subject: Attached Document
Attachment: 0160_004.docm


Body content: Totally blank/empty

* https://myonlinesecu...delivers-locky/
2 Dec 2016
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 02 December 2016 - 11:52 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1843 AplusWebMaster
  • SWI Friend
  • 10,563 posts

Posted Yesterday, 06:01 AM

FYI...

Fake blank body SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
5 Dec 2016 - "... Locky downloader... a completely -blank- email with the subject consisting of random numbers coming or pretending to come from random companies, names and email addresses with a zip attachment that matches the subject line numbers. I have received about 1500 copies of this malspam overnight. All the ones that I have seen start with either 051220160 or 041220161... One of the emails looks like:
From: Monica clare <Monica.clare85349@ fit4elegance .com>
Date: Mon 05/12/2016 00:47
Subject: 051220160746377790277
Attachment: 051220160746377790277.zip


Body content: totally blank/empty

5 December 2016: 051220160746377790277.zip: Extracts to: 201612031200123557933004.vbs
Current VirusTotal detections 14/55*. Payload Security** shows a download of an encrypted file from http ://natashacollis .com/8765r which is converted by the script to yqUePnct.343 (VirusTotal 11/53***). Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480911167/

** https://www.hybrid-a...vironmentId=100
46.16.59.177
91.142.90.61


*** https://www.virustot...sis/1480922615/
___

Fake 'No subject' SPAM - leads to Locky
- http://blog.dynamoo....6924272-no.html
5 Dec 2016 - "This spam comes in a few different variants, and it leads to Locky ransomware encrypting files with an extension '.osiris'. The wordier version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attached to that is an XLS file of the same name and it includes this body text:
        Your message is ready to be sent with the following file or link
        attachments:
          _9376_924272
        Note: To protect against computer viruses, e-mail programs may prevent
        sending or receiving certain types of file attachments.  Check your e-mail
        security settings to determine how attachments are handled.


The second version has no body text and the subject No subject or (No subject). The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xls . The macro in the malicious Excel file downloads a component...
(Long list of domain-names at the dynamoo URL above.)
... You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:
185.82.217.28 /checkupdate [hostname: olezhkakovtony11.example .com] (ITL, Bulgaria)
91.142.90.61 /checkupdate (Miran, Russia)
195.19.192.99 /checkupdate (OOO EkaComp, Russia)
Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99
"
1] https://malwr.com/an...zlmYTg3YzBjZjA/
Hosts
66.96.147.105
91.142.90.61


2] https://malwr.com/an...jAyNDQ4N2IzNjU/
Hosts
94.152.38.41
185.82.217.28


- https://myonlinesecu...delivers-locky/
5 Dec 2016 - "... Locky downloader... another -blank- email with no-subject coming or pretending to come from random companies, names and email addresses with an XLS spreadsheet attachment... One of the emails looks like:
From: Rolf titterington <Rolf.titterington91@ prestonlegacy .com>
Date: Mon 05/12/2016 09:44
Subject:  no subject
Attachment: 2016120502434302394842.xls


Body content: empty

5 December 2016: 2016120502434302394842.xls - Current VirusTotal detections 16/55*
MALWR** shows a download of an encrypted file from http ://soulscooter .com/87t34f which is converted by the script to shtefans1.spe (VirusTotal 6/56***). Payload Security[4]. Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to. I am informed that Locky is now using .Osiris file extensions on the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/

** https://malwr.com/an...GI1YWU5MDQ3NTk/
Hosts
212.97.132.199
195.19.192.99
91.142.90.61
185.82.217.28


*** https://www.virustot...sis/1480932128/

4] https://www.hybrid-a...vironmentId=100
___

Fake 'Consider This' SPAM - leads to Locky
- http://blog.dynamoo....this-leads.html
5 Dec 2016 - "This -fake- financial spam leads to malware:
    From:    Aimee Guy
    Date:    5 December 2016 at 13:32
    Subject:    Please Consider This
    Dear [redacted],
    Our accountants have noticed a mistake in the payment bill #DEC-5956047.
    The full information regarding the mistake, and further recommendations are in the attached document.
    Please confirm the amount and let us know if you have any questions.


Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date. The scripts download another component...
(Long list of domain-names at the dynamoo URL above.)
... It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54*. The malware then phones home to the following locations:
91.142.90.61 /information.cgi [hostname: smtp-server1.ru] (Miran, Russia)
195.19.192.99 /information.cgi (EkaComp, Russia)
These IPs were also used in this earlier attack**.
Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99
"
* https://virustotal.c...c473e/analysis/

** http://blog.dynamoo....6924272-no.html
___

Fake 'Sage invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
5 Dec 2016 - "... an email with the subject of 'Outdated invoice' coming or pretending to come from Sage invoice <no-reply@ sage-uk .org>. There is no zip attachment with this Dridex delivery today, but a-link-in-the-body to download an invoice.zip from a hacked/compromised/fraudulently set up sharepoint site... from a site set up by the criminals to malspam the Dridex banking Trojan. The site is registered to a Chinese entity and hosted on an OVH server in France (SAGE-UK .ORG 46.105.101.84 ns3060005.ip-188-165-252.eu). One of the emails looks like:
From: Sage invoice <no-reply@ sage-uk .org>
Date: Mon 05/12/2016 12:48
Subject: Outdated invoice
Attachment: link in email to download invoice.zip
    Software for business
    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link below to download your account invoice:
    https ://invoice.sage .co.uk/Account?864394=xUzlmOHtPY
    If we have any information about you which is incorrect or if there are any changes to your details please let us know so that we could keep our records accurate...


5 December 2016: Invoice.zip: Extracts to: Invoice.js - Current VirusTotal detections 3/53*
Payload Security** shows a download from ‘http ://neelkanthelevators .com/images/about1.png’ (VirusTotal 10/56***). Payload Security[4]. This is -not- a png (image file) but a -renamed- .exe file, which the script renames to LzG7FzcEz.exe and runs... The basic rule is NEVER open any attachment to an email [OR click-a-link in it] unless you are expecting it..."
* https://www.virustot...sis/1480944742/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...21a54/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.154.92.54
185.8.165.33
104.236.219.229
91.201.40.33


46.105.101.84: https://www.virustot...84/information/
___

Fake 'Shipping status' SPAM - delivers Vawtrak malware
- http://blog.dynamoo....us-changed.html
5 Dec 2016 - "This -fake- UPS spam has a malicious attachment:
    From:    UPS Quantum View [ups@ ups-service .com]
    Date:    5 December 2016 at 17:38
    Subject:    Shipping status changed for your parcel # 1996466
    Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.
    There must be someone present at the destination address, on the delivery day, to receive the parcel.
    Shipping type: UPS 3 Day Select
    Box size: UPS EXPRESS BOX
    Date : Nov 14th 2016
    You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.
    The delivery invoice can be downloaded from our website ...
    Thank you for shipping with UPS
    Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.


The link-in-the-email actually goes to a URL vantaiduonganh .vn/api/get.php?id= plus a Base64-encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipient's email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain. This DOC file contains a malicious macro; the Malwr report* indicates that it downloads components from:
parkovka-rostov .ru/inst.exe
stela-krasnodar .ru/wp-content/uploads/pm22.dll
Those two locations are legitimate -hacked- sites. This has a detection rate of 7/56** plus a DLL with a detection rate of 37/56***. The malware appears to be Hancitor/Pony/Vawtrak, phoning home to:
cothenperci .ru/borjomi/gate.php
madingtoftling .com/ls5/forum.php
Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia)... malicious domains are also hosted on the same IP...
(List of domain-names at the dynamoo URL above.)
... Recommended blocklist:
185.31.160.11
parkovka-rostov .ru
stela-krasnodar .ru
"
* https://malwr.com/an...DM1OTg2MmYyM2I/
Hosts
54.243.91.166
185.31.160.11
77.222.42.115
81.177.165.101


** https://www.virustot...sis/1480963673/

*** https://www.virustot...sis/1480964472/
___

Fake 'Urgent Data' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
5 Dec 2016 - "... Locky downloader... an email with the subject of 'Urgent Data' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment random numbers.zip... One of the emails looks like:
From: Consuelo Wells <Wells.Consuelo@ skriverconsult .ch>
Date: Mon 05/12/2016 20:20
Subject: Urgent Data
Attachment: payment9095450.zip
    Dear [redacted],
    The error occurred during payment. Sending you details of the transaction.
    Please pay the remaining amount as soon as possible.
    King Regards,
    Consuelo Wells


5 December 2016: payment9095450.zip: Extracts to: ~3X072I792ZJ.js - Current VirusTotal detections 4/55*
MALWR** shows a download of an encrypted file from http ://prosperer .mg/3n7uihwc0p which is converted by the script to yQC6CSDVn.zk (VirusTotal 5/57***). Payload Security[4]. Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480969517/

** https://malwr.com/an...DY5NzE0ZDFkOGE/
Hosts
212.83.148.70
46.4.63.6


*** https://www.virustot...sis/1480970106/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
212.83.148.70
46.4.63.6
185.146.168.13
95.46.114.147

 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, Yesterday, 04:53 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
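The Dridex post above notes that 'about1.png' is really a renamed .exe, and the Locky posts describe downloads that are encrypted blobs until the script converts them to a DLL; both get past filters that look only at file names. This added example (not code from the quoted blogs or the forum; every sample byte string is constructed) classifies a download by its bytes and flags a name/content mismatch or an unrecognised high-entropy blob.

```python
"""Classify a download by its bytes, not its name. The Dridex post above notes
'about1.png' is a renamed .exe and the Locky posts describe an encrypted blob the
script decodes into a DLL; both slip past extension filters. Added example, not
code from the quoted blogs; every sample byte string below is constructed."""
import math
import os
import struct
from collections import Counter
from typing import NamedTuple

# What each claimed extension should look like on the wire: OOXML (.docm/.xlsm)
# is a ZIP container, legacy .doc/.xls is an OLE compound file.
EXPECTED = {"png": "png", "exe": "pe", "dll": "pe", "zip": "zip",
            "docm": "zip", "xlsm": "zip", "doc": "ole", "xls": "ole"}

class Verdict(NamedTuple):
    kind: str          # pe, png, zip, ole or unknown
    entropy: float     # Shannon entropy, bits per byte (0..8)
    suspicious: bool
    reason: str

def sniff(data: bytes) -> str:
    """Identify the container by magic bytes; a PE needs 'MZ' and 'PE\\0\\0' at e_lfanew."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"
    return "unknown"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or packed data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(filename: str, data: bytes) -> Verdict:
    """Flag a name/content mismatch or an unrecognised high-entropy blob (the
    encrypted stage the Locky scripts fetch before converting it to a DLL)."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ent = shannon_entropy(data)
    expected = EXPECTED.get(ext)
    if kind == "pe" and expected != "pe":
        return Verdict(kind, ent, True, f"PE executable disguised as .{ext}")
    if expected and kind != expected:
        return Verdict(kind, ent, True, f"claims .{ext} but content is {kind}")
    if kind == "unknown" and ent > 7.5:
        return Verdict(kind, ent, True, "unrecognised high-entropy blob (encrypted stage?)")
    return Verdict(kind, ent, False, "content consistent with name")

def fake_pe() -> bytes:
    """Constructed header satisfying the PE magic checks; not a runnable binary."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset of 'PE\0\0'
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)

# Constructed samples, named after files quoted on this page.
SAMPLES = {
    "about1.png": fake_pe(),                       # renamed .exe (Dridex post)
    "real.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
    "nhbzalOHj.343": os.urandom(4096),             # stand-in for the encrypted Locky stage
    "EPS000007.docm": b"PK\x03\x04" + bytes(32),   # .docm is a ZIP; macros need deeper inspection
}
```

A matching container only means the file is what its name says; a .docm that is a valid ZIP still has to be opened and its vbaProject.bin inspected before it is trusted.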

