Fake 'Amount Payable' SPAM - leads to Locky
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Lynn Drake
Date: 15 December 2016 at 09:55
Subject: Amount Payable
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.
The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js... highly obfuscated script... Typical detection rates for the script are around 16/54*. There are many different scripts, downloading a component...
(Long list of domain-names at the dynamoo URL above.)
According to this Malwr analysis**, a DLL is dropped with a detection rate of 18/55***. This Hybrid Analysis shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:
184.108.40.206 /checkupdate (Rustelekom, Russia)
220.127.116.11 /checkupdate (MWTV, Latvia)
18.104.22.168 /checkupdate (Rustelekom, Russia)
MWTV is a known-bad-host, so I recommend blocking the entire /24.
Fake 'Order Receipt' SPAM - delivers Locky
15 Dec 2016 - "... an email with the subject of 'Order Receipt' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format which delivers Locky ransomware... One of the emails looks like:
From: Joshua Mooney <Mooney.Joshua@ ricket .net>
Date: Thu 15/12/2016 10:54
Subject: Order Receipt
Thank you for making your order in our store!
The payment receipt and crucial payment information are in the attached document.
15 December 2016: scan9022222.zip: Extracts to: ~_4RYT3KP_~.js - Current Virus total detections 6/54*
MALWR** shows a download of an encrypted file from http ://www.bds-1 .com/gfftte3uv which is converted by the script to RJJvCX8vggvNw4PW.zk (VirusTotal 4/56***). Payload Security. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
One -billion- users affected - Yahoo hack
Dec 15, 2016 - "Yahoo has revealed that it’s been the victim of -another- hack and massive data breach that resulted in the compromise of information of a -billion- users... Outside forensic experts that have been called in to help with the investigation believe that this breach happened in August 2013, and that it’s likely -not- been performed by the same attackers as the 2014 breach disclosed this September. In addition to this, the company says that attackers have accessed the company’s proprietary code, which allowed them to learn how to -forge-cookies- and to, therefore, be able to access user accounts -without- a password... Yahoo says that they were unable to identify the intrusion associated with this latest data theft, but that it seems that data associated with more than one -billion- user accounts has been stolen..."
Dec 14, 2016
Edited by AplusWebMaster, 15 December 2016 - 08:15 AM.
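Added example, not part of the quoted posts: a Python check over process-creation command lines for rundll32.exe loading a module whose extension is not .dll, as the 'Order Receipt' item describes, with a header check that confirms such a file is really a PE. The sample command lines, directory paths, the export name EntryPoint and the EXPECTED_EXTS allow-list are constructed assumptions; only the file name RJJvCX8vggvNw4PW.zk comes from the post.

```python
import re
import struct
from pathlib import PureWindowsPath

# Assumption: extensions rundll32 legitimately loads here; tune per environment.
EXPECTED_EXTS = {".dll", ".cpl"}

_RUNDLL = re.compile(r'''
    ^\s*(?:"(?:[^"]*\\)?rundll32(?:\.exe)?"      # quoted image path
         |(?:\S*\\)?rundll32(?:\.exe)?)\s+       # or unquoted image path
    (?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,"]+))   # module to load
    \s*,                                         # comma before the export name
    ''', re.IGNORECASE | re.VERBOSE)

# Constructed process-creation command lines (not taken from the post).
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\a\AppData\Local\Temp\RJJvCX8vggvNw4PW.zk",EntryPoint',
    r'rundll32 C:\Users\a\AppData\Local\Temp\a1b2c3.342,EntryPoint 123',
    r'notepad.exe C:\notes.txt',
]

# Constructed stand-in for a dropped file: MZ stub, e_lfanew = 0x40, PE signature.
SAMPLE_DROPPED = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"


def suspicious_module(cmdline):
    """Return the module path if rundll32 loads a file with an unexpected extension."""
    m = _RUNDLL.match(cmdline)
    if not m:
        return None  # not a rundll32 invocation this pattern understands
    module = m.group("quoted") or m.group("bare")
    ext = PureWindowsPath(module).suffix.lower()
    return None if ext in EXPECTED_EXTS else module


def flag_cmdlines(cmdlines):
    """Return every module path flagged by suspicious_module, in input order."""
    return [mod for mod in map(suspicious_module, cmdlines) if mod]


def is_pe(data):
    """True if the bytes start with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    for path in flag_cmdlines(SAMPLE_CMDLINES):
        print("rundll32 loading non-DLL extension:", path)
    print("dropped sample is PE:", is_pe(SAMPLE_DROPPED))
```

Unquoted module paths that contain spaces are not parsed by this pattern.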