SPAM frauds, fakes, and other MALWARE deliveries...



#1851 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 15 December 2016 - 04:45 AM

FYI...

Fake 'Amount Payable' SPAM - leads to Locky
- http://blog.dynamoo....e-leads-to.html
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    Lynn Drake
    Date:    15 December 2016 at 09:55
    Subject:    Amount Payable
    Dear [redacted],
    The amount payable has come to $38.29. All details are in the attachment.
    Please open the file when possible.
    Best Regards,
    Lynn Drake


The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js... highly obfuscated script... Typical detection rates for the script are around 16/54*. There are many different scripts, downloading a component...
(Long list of domain-names at the dynamoo URL above.)
According to this Malwr analysis**, a DLL is dropped with a detection rate of 18/55***. This Hybrid Analysis[4] shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:
86.110.117.155 /checkupdate (Rustelekom, Russia)
185.129.148.56 /checkupdate (MWTV, Latvia)
185.17.120.166 /checkupdate (Rustelekom, Russia)
MWTV is a known-bad-host, so I recommend blocking the entire /24.
Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166
"
* https://virustotal.c...sis/1481796164/

** https://malwr.com/an...jgxNzFiYTMxYjk/
Hosts
92.48.111.60

*** https://virustotal.c...sis/1481796614/

4] https://www.hybrid-a...vironmentId=100

___

Fake 'Order Receipt' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
15 Dec 2016 - "... an email with the subject of 'Order Receipt' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format which delivers Locky ransomware... One of the emails looks like:
From: Joshua Mooney <Mooney.Joshua@ ricket .net>
Date: Thu 15/12/2016 10:54
Subject: Order Receipt
Attachment: scan9022222.zip
    Dear enrico,
    Thank you for making your order in our store!
    The payment receipt and crucial payment information are in the attached document.
    King Regards,
    Joshua Mooney
    Sales Manager


15 December 2016: scan9022222.zip: Extracts to: ~_4RYT3KP_~.js - Current Virus total detections 6/54*
MALWR** shows a download of an encrypted file from  http ://www.bds-1 .com/gfftte3uv which is converted by the script to RJJvCX8vggvNw4PW.zk (VirusTotal 4/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1481799202/

** https://malwr.com/an...mY1YTYwZWZlNTA/
Hosts
64.71.33.107

*** https://www.virustot...sis/1481804458/

4] https://www.hybrid-a...vironmentId=100

___

One -billion- users affected - Yahoo hack
- https://www.helpnets...ion-yahoo-hack/
Dec 15, 2016 - "Yahoo has revealed that it’s been the victim of -another- hack and massive data breach that resulted in the compromise of information of a -billion- users... Outside forensic experts that have been called in to help with the investigation believe that this breach happened in August 2013, and that it’s likely -not- been performed by the same attackers as the 2014 breach disclosed this September. In addition to this, the company says that attackers have accessed the company’s proprietary code, which allowed them to learn how to -forge-cookies- and to, therefore, be able to access user accounts -without- a password... Yahoo says that they were unable to identify the intrusion associated with this latest data theft, but that it seems that data associated with more than one-billion- user accounts has been stolen..."
* https://help.yahoo.c...mpressions=true
Dec 14, 2016
 



Edited by AplusWebMaster, 15 December 2016 - 08:15 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1852 AplusWebMaster


Posted 16 December 2016 - 05:10 AM

FYI...

Fake 'document' SPAM - delivers Locky
- https://myonlinesecu...re-again-today/
16 Dec 2016 - "Another -blank/empty- email with the subject of 'Attached document' pretending to come from copier@ your-own-email-address with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: copier@ your-own-email-address
Date: Fri 16/12/2016 09:57
Subject: Attached document
Attachment: 3867_002.docm


Body content: Completely empty/Blank

16 December 2016: 3867_002.docm - Current Virus total detections 12/56*
Payload Security** shows a download of an encrypted file from http ://fiddlefire .net/hjg766′ which is converted by the script to loppsa2.aww ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk  or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1481882199/

** https://www.hybrid-a...vironmentId=100

___

Fake 'Subscription' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
16 Dec 2016 - "... an email with the subject of 'Subscription Details' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of user0989063.zip which delivers Locky ransomware... One of the emails looks like:
From: Cyril Levy <Levy.Cyril@ dragonflystudiosalon .com>
Date: Fri 16/12/2016 10:49
Subject: Subscription Details
Attachment: user0989063.zip
    Dear mammoth, thank for you for subscribing to our service!
    All payment and ID details are in the attachment.


16 December 2016: user0989063.zip: Extracts to: ~_P1EJYA_~.js - Current Virus total detections 4/55*
Payload Security** shows a download of an encrypted file from http ://rondurkin .com/c6w5pscmc which is converted by the script to jex1N6oXpYUpIQ.zk (VirusTotal 5/56***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk  or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1481885511/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1481886225/
___

Fake 'Processing Problem' SPAM - leads to Locky
- http://blog.dynamoo....ng-problem.html
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    Juliet Langley
    Date:    15 December 2016 at 23:17
    Subject:    Payment Processing Problem
    Dear [redacted],
    We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
    The receipt is in the attachment. Please study it and contact us.
    King Regards,
    Juliet Langley


The name of the sender will vary as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js... the scripts download a component...
(Long list of domain-names at the dynamoo URL above.)
The malware then phones home to the following locations:
185.129.148.56 /checkupdate (MWTV, Latvia)
178.209.51.223 /checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119 /checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)
Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119
"

- https://myonlinesecu...delivers-locky/
15 Dec 2016 - "... an email with the subject of 'Payment Processing Problem' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of  MPay7197337.zip which delivers Locky ransomware... One of the emails looks like:
From: Kristie Soto <Soto.Kristie@ kadgraphics .com>
Date: Thu 15/12/2016 22:33
Subject: Payment Processing Problem
Attachment: MPay7197337.zip
    Dear adkins,
    We have to inform you that a problem occured when processing your last payment (code: 7197337-M, $454.$86).
    The receipt is in the attachment. Please study it and contact us.
    King Regards,
    Kristie Soto


15 December 2016: MPay7197337.zip: Extracts to: ~_7XXTOQ_~.js - Current Virus total detections 3/55*
Payload Security** shows a download of an encrypted file from http ://ustadhanif .com/q0w93lkrvp which is converted by the script to HNUsEBnh.zk (VirusTotal 6/57***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk  or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1481842328/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
208.75.151.108
37.235.50.119
52.85.184.150


*** https://www.virustot...sis/1481843139/
___

Malvertising compromises routers instead of computers
- https://www.helpnets...omises-routers/
Dec 16, 2016 - "The DNSChanger exploit kit is back and more effective than ever, and is being used in a widespread malvertising attack whose goal is to compromise small/home office routers. According to Proofpoint* researchers, the attacker’s current main goal is to change DNS records on the target router, so that it queries the attacker’s rogue DNS servers, and the users are served with ads that will earn the attackers money:
> https://www.helpnets...nger-attack.jpg
... Using ad-blocking software should also minimize the risk of getting hit through this and other malvertising campaigns. According to Kafeine**, the current one is successfully targeting Chrome browser users on Windows desktops and Android devices. Also, this is not the first time that attackers are successfully using steganography to deliver and run malicious code. Earlier this month, ESET researchers flagged a malvertising campaign that redirected users to the Stegano exploit kit through malicious code hidden in the pixels of the bad ads/banners."
* https://www.proofpoi...android-devices
"... Since the end of October, we have seen an improved version of the “DNSChanger EK” ** used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims' home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising..."
** http://malware.dontn...ed-to-csrf.html
 



Edited by AplusWebMaster, 16 December 2016 - 09:15 AM.


#1853 AplusWebMaster


Posted 19 December 2016 - 05:52 AM

FYI...

Fake 'Payslip' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
19 Dec 2016 - "An email with the subject of 'Payslip for the month Dec 2016' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: JASMINE DICKEY <jasmine.dickey@ ejmbcommercial .com>
Date: Mon 19/12/2016 09:50
Subject: Payslip for the month Dec 2016.
Attachment: Payslip_Dec_2016_5490254.doc
    Dear customer,
    We are sending your payslip for the month Dec 2016 as an attachment with this mail.
    Note: This is an auto-generated mail. Please do not reply.


19 December 2016: Payslip_Dec_2016_5490254.doc - Current Virus total detections 11/53*
Payload Security** shows a download of an encrypted file from http ://routerpanyoso.50webs .com/8hrnv3 which is converted by the script to shtrina2.ero (VirusTotal 12/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk  or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482144602/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1482144877/

- http://blog.dynamoo....h-dec-2016.html
19 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    PATRICA GROVES
    Date:    19 December 2016 at 10:12
    Subject:    Payslip for the month Dec 2016.
    Dear customer,
    We are sending your payslip for the month Dec 2016 as an attachment with this mail.
    Note: This is an auto-generated mail. Please do not reply.


The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55*. This Hybrid Analysis** clearly shows Locky ransomware in action when the document is opened. According to my usual reliable source, the various versions of this download a component...
(Long list of domain-names shown at the dynamoo URL above.)
... The malware then phones home to one of the following locations:
176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
193.201.225.124 /checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76 /checkupdate (SmartApe, Russia)
46.148.26.82 /checkupdate (Infium, Latvia / Ukraine)
A DLL is dropped with a detection rate of 12/52*.
Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82
"
* https://virustotal.c...sis/1482147232/

** https://www.hybrid-a...vironmentId=100


*** https://virustotal.c...a16d3/analysis/
___

Fake 'LogMeIn' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
19 Dec 2016 - "The email looks like:
From: LogMeIn.com Auto-Mailer <noreply@ ssl-logmein .com>
Date: Mon 19/12/2016 17:10
Subject: LogMeIn Account Notification  – Ip blocked
Attachment: -Link-in-email-body- downloads notification_recipients_name.doc
    Your IP has been blocked from using the LogMeIn website after too many failed log-in attempts.
    Account holder: keith@[redacted]
    Event: IP blocked
    At: Mon, 19 Dec 2016 19:09:37 +0200
    To clear the IP address lockout, please follow the instructions...


Screenshot: https://i0.wp.com/my...ble-editing.png

19 December 2016: notification_keith.doc - Current Virus total detections 3/54*
Payload Security **. The link-in-the-email is to  http ://www .celf .jp/wp-content/themes/i-max/api/get.php?id=recipients email address encoded in base 64... The domain ssl-logmein .com was registered -today- 19 December 2016 via a Chinese registrar to a Bulgarian entity (IP address listed as 1.1.1.1). The emails are actually coming via a botnet of infected/compromised computers and servers... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482167739/
Trojan:W97...

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.21.228.240
80.78.251.134
212.24.98.247


ssl-logmein .com: 1.1.1.1: https://www.virustot....1/information/
> https://www.virustot...7a4a5/analysis/
 



Edited by AplusWebMaster, 19 December 2016 - 04:30 PM.

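Added example, not from the post above or the blogs it quotes: the LogMeIn lure carries the recipient's address base64-encoded in the get.php?id= parameter, so a defender who sees such links in proxy or mail-gateway logs can recover exactly who was targeted. The URLs, the phish.example domain and the addresses are constructed placeholders; only the path shape follows the post.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]+=*")


def b64_decode_lenient(value: str):
    """Decode standard or URL-safe base64 with or without '=' padding; None if it is not base64 text."""
    # parse_qsl has already turned '+' into a space; base64 never contains spaces, so put it back
    cleaned = value.strip().replace(" ", "+").rstrip("=")
    if not cleaned or not B64_RE.fullmatch(cleaned):
        return None
    padded = cleaned + "=" * (-len(cleaned) % 4)
    decoder = base64.urlsafe_b64decode if ("-" in cleaned or "_" in cleaned) else base64.b64decode
    try:
        return decoder(padded).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_encoded_recipients(url: str) -> dict:
    """Return {param: email} for each query value that base64-decodes to an e-mail address."""
    found = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = b64_decode_lenient(value)
        if decoded and EMAIL_RE.match(decoded.strip()):
            found[name] = decoded.strip()
    return found


def targeted_recipients(urls) -> set:
    """Every recipient address recovered from a batch of observed lure URLs (e.g. from proxy logs)."""
    hits = set()
    for url in urls:
        hits.update(find_encoded_recipients(url).values())
    return hits


# Constructed lure URLs in the shape described above (placeholder domain and addresses)
SAMPLE_URLS = [
    "http://phish.example/wp-content/themes/i-max/api/get.php?id=a2VpdGhAY29ycC5leGFtcGxl",
    "http://phish.example/wp-content/themes/i-max/api/get.php?id=Ym9iQGNvcnAuZXhhbXBsZQ&r=1",
    "http://phish.example/wp-content/uploads/doc.php?id=12345",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", find_encoded_recipients(url) or "no encoded recipient")
```

The same decoder can be pointed at URL path segments or other parameter names if a campaign moves the token; only the query parsing line changes.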

#1854 AplusWebMaster


Posted 20 December 2016 - 05:21 AM

FYI...

Fake 'printing' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
20 Dec 2016 - "An email spoofing Moonbake Inc with the subject of 'for printing' coming from a random sender with a malicious Excel XLS spreadsheet attachment delivers Locky... One of the emails looks like:
From: HILLARY TATEHAM <hillary.tateham@ stonelawassociates .Com>
Date: Tue 20/12/2016 09:47
Subject: for printing
Attachment: Certificate_2373.xls
    Hi,
    For printing.
    Thank you so much.
    HILLARY TATEHAM Cristobal HRD/Admin Officer
    Moonbake Inc. 14 Langka St., Golden Acres Talon 1
    Las Piñas City, Philippines ...


20 December 2016: Certificate_2373.xls - Current Virus total detections 5/56*
Payload Security** shows a download of an encrypted file from http ://yorkshire-pm .com/hjv56 which is converted by the script to momerk2.vip (VirusTotal 9/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk  or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do. Manual analysis shows these download locations:
yorkshire-pm .com/hjv56
isriir .com/hjv56
noosnegah .com/hjv56 ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482227222/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1482228007/
___

Fake 'Scan' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
20 Dec 2016 - "... an email spoofing Lumax Industries Ltd. with the subject of 'Scan' pretending to come from random companies, names and email addresses with a random named zip attachment which delivers Locky ransomware...

Screenshot: https://i0.wp.com/my...png?w=896&ssl=1

20 December 2016: 07cff4edf9a.zip: Extracts to: r9a2aa5cdfcbabe8bbbfc598cd334abb.wsf
Current Virus total detections 9/55*. Payload Security** shows a download of an encrypted file from http ://www.judo-hattingen .de /hjv56?lktttKC=koHaQOx which is converted by the script to pYmpJfsNiM1.dll which unfortunately the free web version of Payload security does not make available for download... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482248792/

** https://www.hybrid-a...vironmentId=100

 



Edited by AplusWebMaster, 20 December 2016 - 11:45 AM.


#1855 AplusWebMaster


Posted 21 December 2016 - 05:39 AM

FYI...

Fake 'Secure Comm' SPAM - delivers Trickbot
- https://myonlinesecu...livers-malware/
21 Dec 2016 - "An email spoofing CommBank with the subject of 'Secure Communication' coming from < secure.message@ commbanksecureemail .com > with a malicious word doc attachment delivers Trickbot banking Trojan...

Screenshot: https://i1.wp.com/my...=1024,805&ssl=1

21 December 2016: Message.doc - Current Virus total detections 14/54*
Payload Security** shows a download from http ://onsitepcinc .com/images/344bzhmyVYyWz7NqRpfuunqXxjkseLhdmy.png  which is -not- a png (image file) but a renamed .exe that is renamed by the script to wynrajo.exe (VirusTotal 22/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482306465/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1482314962/
___

Fake 'Photo' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
21 Dec 2016 - "... another -blank- empty email with the subject of 'Photo' from {random Girl’s name} pretending to come from  names and email addresses with a semi-random named zip attachment in the format of IMG-date-WA1234.zip which delivers Locky ransomware... One of the emails looks like:
From: Glenna <Glennaherron3424@ syprotek .com>
Date: Wed 21/12/2016 09:32
Subject: Photo from Glenna
Attachment: IMG-20161221-WA4646.zip


Body content: totally blank/Empty

21 December 2016: IMG-20161221-WA4646.zip: Extracts to: A87D1FCF.wsf - Current Virus total detections 8/55*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482312946/

** https://www.hybrid-a...vironmentId=100

 



Edited by AplusWebMaster, 21 December 2016 - 07:25 AM.


#1856 AplusWebMaster


Posted 22 December 2016 - 04:01 AM

FYI...

Fake 'scanned copy' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
22 Dec 2016 - "... another -blank/empty- email with the subject of 'scanned copy' pretending to come from random names and email addresses with a semi-random named zip attachment in the format of HP0000000937.zip delivers Locky ransomware... One of the emails looks like:
From: jeanne whitehorne <jeanne.whitehorne@ owdv .net>
Date: Thu 22/12/2016 03:55
Subject: scanned copy
Attachment: HP0000000937.zip


Body content: totally blank/empty

22 December 2016: HP0000000937.zip: Extracts to: JFF38A.vbs - Current Virus total detections 8/55*
Payload Security** shows a download of an encrypted file from http ://www .dvdpostal .net/result ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk  or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482379501/

** https://www.hybrid-a...vironmentId=100

___

Fake 'Bestbuy' SPAM - delivers malware
- https://myonlinesecu...eliver-malware/
22 Dec 2016 - "... an email with the subject of 'Your Bestbuy item is due for delivery on 22th December' pretending to come from random names at yahoo .com with a random named zip attachment which tries to deliver some sort of malware. This zip file extracts to another zip file before it extracts to the .js file... One of the emails looks like:
From: josecastillo2344@ yahoo .com
Date: Thu 22/12/2016 08:56
Subject: Your Bestbuy item is due for delivery on 22th December
Attachment: ECIOPZiodlxc.zip
    On the morning 22th of December you’ll be delivered a window and you’ll have the possibility to track your request on its way to your address.
    Please make sure someone is available to sign for your delivery.
    Pack delivery info and your contact data is in the file attached to this letter.
    If you will be out, it’s not a problem: you have a range of ‘in-flight’ options like changing your delivery time collecting from the nearest DPD Pickup Shop, asking us to deliver to one of your frients or arranging to have your item delivered to a safe place at your work address.


22 December 2016: ECIOPZiodlxc.zip: Extracts to: ECIOPZiodlxc.js - Current Virus total detections 3/54*
Payload Security** shows a download of an encrypted file from  http ://optimastop .eu/castle/map which is currently giving me a 403 forbidden. It does show it wants to use BITS transfer and it is possible that a standard http get is blocked... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482399844/
Troj.Downloader.Js...

** https://www.hybrid-a...vironmentId=100
 



Edited by AplusWebMaster, 22 December 2016 - 04:22 AM.

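Added example, not from the posts above or the blogs they quote: the Locky write-ups repeated above all make the same point, that the downloaded payload is a DLL hiding under an unusual extension (.zk, .tdb, .aww, .ero, 342 and so on) which the JS/VBS/WSF script or Office macro hands to rundll32.exe. This Python checks process-creation events with Sysmon-style fields for that combination. The event records, the user name and the EntryPoint export name are constructed; the .zk file name is the one quoted in the 'Order Receipt' post.

```python
import ntpath
import re

# Processes that should not normally be handing rundll32 a module to run
SCRIPT_AND_OFFICE_HOSTS = {"wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}
# Directories a dropper can write to without elevation
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def split_windows_args(cmdline: str) -> list:
    """Minimal Windows command-line tokenizer: whitespace separates, double quotes group.
    Quoted module paths that themselves contain a comma are not handled."""
    args, current, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                args.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current))
    return args


def rundll32_module(cmdline: str):
    """Return the module path rundll32 was asked to load, or None if this is not a rundll32 call.
    rundll32 syntax is <module>,<EntryPoint> [args]; the comma may also be followed by a space."""
    args = split_windows_args(cmdline)
    if len(args) < 2 or ntpath.basename(args[0]).lower() != "rundll32.exe":
        return None
    module = args[1].split(",", 1)[0]
    return module or None


def assess_rundll32(event: dict) -> list:
    """Return the reasons a process-creation event looks like a script- or macro-dropped payload
    being run through rundll32 (empty list = nothing suspicious, or not rundll32 at all)."""
    module = rundll32_module(event.get("CommandLine", ""))
    if module is None:
        return []
    reasons = []
    ext = ntpath.splitext(module)[1].lower()
    if ext != ".dll":
        shown = ext or "(none)"
        reasons.append(f"module extension {shown!r} is not .dll")
    if USER_WRITABLE.search(module):
        reasons.append("module loaded from a user-writable directory")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in SCRIPT_AND_OFFICE_HOSTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def triage(events) -> list:
    """Return [(index, reasons)] for every event that trips at least one check."""
    hits = []
    for index, event in enumerate(events):
        reasons = assess_rundll32(event)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed Sysmon-style process-creation records (user name and EntryPoint are placeholders)
SAMPLE_EVENTS = [
    {   # the ~_XXXX_~.js from the zip handing a two-letter-extension DLL to rundll32
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\enrico\AppData\Local\Temp\RJJvCX8vggvNw4PW.zk,EntryPoint",
    },
    {   # a Word macro launching a payload with a numeric extension, path quoted
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\enrico\AppData\Local\Temp\shtrina2.342",EntryPoint',
    },
    {   # benign: Explorer opening a Control Panel applet
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # unrelated process, ignored
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Treat the three checks as independent signals: a .dll in %TEMP% spawned by wscript.exe is just as worth a look as a .zk module, which is why the parent and path tests run even when the extension is the expected one.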

#1857 AplusWebMaster


Posted 23 December 2016 - 05:45 AM

FYI...

Tech support phone SCAM
- http://blog.dynamoo....scam-using.html
23 Dec 2016 - "If these people ring you DO -NOT- GIVE THEM ACCESS TO YOUR PC and either hang up - or waste their time like I do. It seems there are some prolific technical support scammers ringing from 02085258899 pretending to be from BT. They had a very heavy Indian accent, and they have made many silent calls to my telephone number before today. They -claim- that hackers are accessing my router. I wasted 37 minutes of their time, these are some of the steps to watch out for..
1. They get you to open a command prompt and type ASSOC which brings up a big long list of file associations, in particular they seem interested in one that says .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
2. Then they get you to bring up the Event Viewer by typing EVENTVWR and then clicking "Custom Views" and "Administrative Events". This is a log file that will always show a whole bunch of meaningless errors (such as network faults). It's quite normal for this to look quite bad to the untrained eye.
3. Then in order they try to get you to connect to the following services to take remote control of your PC: www .anydesk .com, www .teamviewer .com and www .supremofree .com. All of these are legitimate services, but I have to confess I'd never heard of the last one.. so I will add it to my corporate blacklist.
4. When those didn't work they tried directing me to a proxy at hide .me/proxy and www .hide .me/proxy (the same thing I know) which is probably another candidate for blocking.
Of course, once they have access to your PC they will try to convince you that you need to -pay- them some money for technical support. Be warned, that they can render-your-PC-unusable if you don't pay, and they can also steal confidential data. Despite how many times they may tell you they are from BT, they are not.. they are simply fraudsters."
___

Fake 'eFax' SPAM - delivers malware
- https://myonlinesecu...nknown-malware/
22 Dec 2016 - "... another email spoofing eFax with the subject of 'You have recevied a message' pretending to come from faxscanner scanner@ your-own-email-address with a semi-random named zip attachment in the format of Message efax system-1701.zip which delivers an unknown malware. Indications are that this could be Trickbot or could be Dridex banking Trojan... One of the emails looks like:
From: Fax Scanner <scanner @ your-email-address>
Date: Thu 22/12/2016 20:51
Subject: You have recevied a message
Attachment: Message efax system-1701.zip
    You have received a message on efax.
    Please download and open document attached.
    Scanner eFax system.


22 December 2016: Message efax system-1701.zip: Extracts to: Message efax system-2817.js
Current Virus total detections 4/53*. Payload Security** shows a download of ntntoto1].png (but doesn’t give the download url) which is renamed by the script to QE7JlpDt.exe (VirusTotal 29/56***). The js file is heavily obfuscated and almost impossible to human read and decrypt. Update: MALWR[4] gave me ‘http ://glendaleoffice .com/js/ntntoto.png’ as the download location... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482441908/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.47.139.102
36.37.176.6
201.236.219.180


*** https://www.virustot...d9c29/analysis/

4] https://malwr.com/an...DgwMDIxODEwMmU/


glendaleoffice .com: 69.67.54.86: https://www.virustot...86/information/
> https://www.virustot...5d12e/analysis/
 



Edited by AplusWebMaster, 23 December 2016 - 07:24 AM.

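Added example, not from the posts above or the blogs they quote: the CommBank and eFax posts describe downloads served as .png that are really renamed .exe files, and the Locky posts describe DLLs sitting under two-to-four character extensions. A sandbox, proxy or mail gateway catches both by classifying the bytes instead of trusting the name; this Python also reads the IMAGE_FILE_DLL flag from the PE file header to tell a DLL from an EXE. The header blobs are constructed stand-ins with no code in them; the first two file names come from the posts, script.png and logo.png are placeholders.

```python
import os
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_DLL = 0x2000          # IMAGE_FILE_HEADER.Characteristics flag set on DLLs
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def pe_characteristics(data: bytes):
    """Return IMAGE_FILE_HEADER.Characteristics for a PE image, or None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its last field, at offset 18
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return characteristics


def identify(data: bytes) -> str:
    """Classify a blob by its content, ignoring the name or extension it was served under."""
    if data.startswith(PNG_MAGIC):
        return "png"
    characteristics = pe_characteristics(data)
    if characteristics is not None:
        return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"
    if data.lstrip().startswith(b"<?php"):
        return "php"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


# What content each common extension is allowed to carry
EXPECTED = {".png": {"png"}, ".exe": {"pe-exe"}, ".dll": {"pe-dll"}, ".zip": {"zip"}}


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed_extension, actual_type) when content and extension disagree, else None.
    Unknown extensions (.zk, .342, .ero ...) are reported only when they hide executable code."""
    ext = os.path.splitext(filename)[1].lower()
    actual = identify(data)
    allowed = EXPECTED.get(ext)
    if allowed is None:
        return (ext, actual) if actual in ("pe-exe", "pe-dll", "php") else None
    return None if actual in allowed else (ext, actual)


def scan(files: dict) -> dict:
    """Run extension_mismatch over {filename: bytes} and keep only the mismatches."""
    results = {name: extension_mismatch(name, data) for name, data in files.items()}
    return {name: hit for name, hit in results.items() if hit}


def fake_pe(dll: bool) -> bytes:
    """Constructed test data: a minimal MZ/PE header with no sections and no code."""
    dos_header = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos_header, 0x3C, 0x40)        # e_lfanew points just past the DOS header
    flags = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, flags)
    return bytes(dos_header) + b"PE\0\0" + file_header


# Constructed samples; the first two names are the ones quoted in the posts above
SAMPLES = {
    "344bzhmyVYyWz7NqRpfuunqXxjkseLhdmy.png": fake_pe(dll=False),   # renamed .exe served as an image
    "RJJvCX8vggvNw4PW.zk": fake_pe(dll=True),                     # Locky DLL under a two-letter extension
    "script.png": b"<?php echo 'not an image'; ?>",               # PHP script renamed to .png
    "logo.png": PNG_MAGIC + b"\0" * 16,                           # genuine PNG header
}

if __name__ == "__main__":
    for name, (ext, actual) in scan(SAMPLES).items():
        print(f"{name}: extension {ext} but content is {actual}")
```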

#1858 AplusWebMaster


Posted 27 December 2016 - 06:49 AM

FYI...

Fake 'USPS' SPAM - delivers Locky, Kovter, other malware
- https://myonlinesecu...-other-malware/
27 Dec 2016 - "... malware gang spoofing FedEx, USPS and every other courier, delivery or postal service, sending thousands of 'Courier was not able to deliver your parcel' and hundreds of variants or similar subjects like 'USPS issue #06914074: unable to delivery parcel'... Some subjects seen, all have random numbers, include:
    USPS issue #06914074: unable to delivery parcel
    Parcel #006514814 shipment problem, please review
    USPS parcel #3150281 delivery problem
    Courier was not able to deliver your parcel (ID006976677, USPS)
    Parcel 05836911 delivery notification, USPS

... malware downloaders spoofing USPS pretending to be a message saying cannot deliver the parcel. These deliver Locky ransomware and Kovter Trojans amongst others...

27 December 2016: Delivery-Details-06914074.zip: Extracts to: Delivery-Details-06914074.doc.wsf
Current Virus total detections 7/55*. Payload Security** shows a download from
  http ://boardedhallgreen .com/counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7
  which gives counter.js (VirusTotal 1/55***) that in turn downloads from
 http ://baltasmenulis .lt/counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01 (and 02 – 05).
The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file (counter.js on your computer, which is run directly from temp internet files). It downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files, but it is rare for the site giving counter.js to actually download from itself; normally that downloads from a different site on the list. All the files (apart from the original counter.js) pretend to be png (image files). They are actually all renamed .exe files or, in the case of number 3, a -renamed- php script. Both of the innocent files are misused to run the malware. This is a very noisy malware set that contacts 4 domains and -179- hosts. View the network section on the Payload Security report[4] for more details... One of the emails looks like:
From: USPS Priority Delivery <steven.kent@ confedampa .org>
Date: Tue 27/12/2016 06:57
Subject: USPS issue #06914074: unable to delivery parcel
Attachment: Delivery-Details-06914074.zip
    Dear Customer,
    Your item has arrived at December 25, but our courier was not able to deliver the parcel.
    You can download the shipment label attached!
    Thank you for your assistance in this matter,
    Steven Kent,
    USPS Chief Delivery Manager.


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1482822876/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1482824922/

4] https://www.hybrid-a...network-traffic
Contacted Hosts (179)
___

Fake 'FedEx' SPAM - delivers Locky and other malware
- https://myonlinesecu...other-malwares/
25 Dec 2016

> https://www.hybrid-a...network-traffic
Contacted Hosts (170)
 

Edited by AplusWebMaster, 27 December 2016 - 08:53 AM.


#1859 AplusWebMaster

Posted 28 December 2016 - 06:36 AM

FYI...

Fake 'FedEx/USPS' SPAM - Kovter/Locky sites
- https://myonlinesecu...nd-locky-sites/
28 Dec 2016 - "Following on from these [FEDEX(1)] [USPS(2)] posts describing the spoofed FedEx and USPS (and, from time to time, other delivery service) emails, I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each day's new sites to the lists, but please remember that old sites are -reused-daily- until taken down by their hosts. -All- the sites used in this malware spreading campaign are -hacked/compromised- sites.
1] https://myonlinesecu...other-malwares/

2] https://myonlinesecu...-other-malware/

The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file (counter.js, by searching on your computer; it is run directly from temp internet files). Counter.js then downloads a different -variant- of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files, but it is rare for the site delivering counter.js to actually download from itself; normally that downloads from a different site on the list. All the files (apart from the -original- counter.js) pretend to be png (image files). They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. To get the -second- counter.js you need to change the &r=01 at the end of the url to &m=01 (or 02-05). This -second- counter.js contains -additional- sites to download from, which frequently includes sites from the previous days' lists that are not already included in the WSF or first counter.js.
I only accidentally found out about the second /3rd /4th /5th counter.js when I made a mistake in manually decoding the original wsf file (and the original counter.js) and mistyped/miscopied the &r= and used &m= instead. Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim’s computer when urls or sites are known about and -blocked- by an antivirus or web filter service.

25 December 2016: (Payload Security report [3]) Contacted Hosts (170)
3spension .com: 116.127.123.32: https://www.virustot...32/information/
minebleue .com: 213.186.33.87: https://www.virustot...87/information/
chaitanyaimpex .org: 43.255.154.44: https://www.virustot...44/information/
grancaffe .net: 94.23.64.40: https://www.virustot...40/information/
break-first .com: 87.98.144.123: https://www.virustot...23/information/
www .meizumalaysia .com: 103.51.41.205: https://www.virustot...05/information/
dreamoutloudcenter .org: 184.168.234.1: https://www.virustot....1/information/
megrelis-avocat .com: 213.186.33.82: https://www.virustot...82/information/

/counter/?a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&m=9488599&i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ
/counter/?i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ&a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&r=01

27 December 2016: (Payload Security report[4]) Contacted Hosts (179)
lacasadeicuochi .it: 185.2.4.12: https://www.virustot...12/information/
boardedhallgreen .com: 184.168.230.1: https://www.virustot....1/information/
www .memoodgetactive.det.nsw .edu.au: 153.107.134.124: https://www.virustot...24/information/
rebecook .fr: 213.186.33.104: https://www.virustot...04/information/
peachaid .com: 107.180.26.91: https://www.virustot...91/information/
kidsgalaxy .fr: 213.186.33.18: https://www.virustot...18/information/
baltasmenulis .lt: 185.5.53.28: https://www.virustot...28/information/
artss .org: 166.62.27.56: https://www.virustot...56/information/

/counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7  
/counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01

28 December 2016: (Payload Security report[5])  Contacted Hosts (174)
thanepoliceschool .com: 166.62.27.146: https://www.virustot...46/information/
chimie.iset-liege .be: 213.186.33.17: https://www.virustot...17/information/
partnersforcleanstreams .org: 192.186.205.128: https://www.virustot...28/information/

/counter/?a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&m=8429816&i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE
/counter/?i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE&a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&r=01 "

3] https://www.hybrid-a...vironmentId=100

4] https://www.hybrid-a...vironmentId=100

5] https://www.hybrid-a...vironmentId=100
___

29 December 2016: (Payload Security report[6]) Contacted Hosts (169)
cobycaresfoundation .org: 72.47.244.92: https://www.virustot...92/information/
dev.zodia-q .com: 153.121.37.174: https://www.virustot...74/information/
shark1.idhost .kz: 82.200.247.240: https://www.virustot...40/information/
italysfinestdesign .it: 217.72.102.152: https://www.virustot...52/information/
salutgaudi .com: 185.2.4.20: https://www.virustot...20/information/
zodia-q .com: 153.121.37.174: https://www.virustot...74/information/

/counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

/counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

> 2nd version today (Payload Security Report[7]) Contacted Hosts (7)

/counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

/counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

6] https://www.hybrid-a...vironmentId=100

7] https://www.hybrid-a...vironmentId=100
 

Edited by AplusWebMaster, 29 December 2016 - 05:03 AM.
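The three posts above (#1857's ntntoto.png, and the counter.js chain in #1858 and #1859) all describe the same trick: executables and a PHP script served under .png names so that a filename-based filter lets them through. The check a defender wants is on the leading bytes, not the extension. The following is an added example, not code from the posts or from the sites quoted; every sample file in it is a constructed byte string, not a real payload.

```python
"""Detect downloads whose claimed extension does not match their content.

Added example, not code from the posts above: the counter.js chain serves
Windows executables and a PHP script under .png names, so filtering on the
file name alone lets them through. Comparing the leading bytes with what the
extension promises catches the mismatch. All sample files below are
constructed byte strings, not real malware.
"""

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # every valid PNG starts with this 8-byte signature
PE_MAGIC = b"MZ"                   # DOS/PE executable header, as in a renamed .exe
ZIP_MAGIC = b"PK\x03\x04"          # zip local file header

# Extensions whose format has a fixed signature we can verify.
VERIFIABLE = {"png", "exe", "zip"}
# Content kinds that should never arrive under an image name.
EXECUTABLE_KINDS = {"exe", "php"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if no signature matches."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "exe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip().startswith(b"<?php"):   # PHP source, like file 03 in the chain
        return "php"
    return "unknown"


def claimed_kind(filename: str) -> str:
    """Content kind the file name promises, taken from its last extension."""
    name = filename.lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_mismatch(filename: str, data: bytes) -> bool:
    """True when the bytes contradict the extension (or are executable under any name)."""
    claimed = claimed_kind(filename)
    actual = sniff(data)
    if claimed in VERIFIABLE:
        # A .png that does not start with the PNG signature is not a PNG,
        # whatever else it is (a truncated image would also trip this).
        return actual != claimed
    return actual in EXECUTABLE_KINDS


def scan(files: dict) -> list:
    """Return the names of all files whose content does not match their name."""
    return sorted(name for name, data in files.items() if is_mismatch(name, data))


# Constructed samples mirroring the file types described in the posts.
CONSTRUCTED_FILES = {
    "logo.png": PNG_MAGIC + b"\x00" * 16,         # genuine-looking PNG header
    "ntntoto.png": b"MZ\x90\x00" + b"\x00" * 16,  # PE header under an image name
    "03.png": b"<?php /* file list */ ?>",        # PHP script under an image name
    "counter.js": b"var sites = [];",             # plain script text, no signature
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 16,    # executable that says it is one
}

if __name__ == "__main__":
    for name in scan(CONSTRUCTED_FILES):
        print(f"{name}: claims {claimed_kind(name)}, content is {sniff(CONSTRUCTED_FILES[name])}")
```

The same check applies at a web proxy or mail gateway: a response whose Content-Type or file name says image but whose first two bytes are `MZ` is worth blocking regardless of which of the rotating sites served it.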


#1860 AplusWebMaster

Posted 29 December 2016 - 06:20 AM

FYI...

Fake 'FedEx/USPS' SPAM - updates
- https://myonlinesecu...nd-locky-sites/
28 Dec 2016

29 December 2016: (Payload Security report[6]) Contacted Hosts (169)
cobycaresfoundation .org: 72.47.244.92: https://www.virustot...92/information/
dev.zodia-q .com: 153.121.37.174: https://www.virustot...74/information/
shark1.idhost .kz: 82.200.247.240: https://www.virustot...40/information/
italysfinestdesign .it: 217.72.102.152: https://www.virustot...52/information/
salutgaudi .com: 185.2.4.20: https://www.virustot...20/information/
zodia-q .com: 153.121.37.174: https://www.virustot...74/information/

/counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

/counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

> 2nd version today (Payload Security Report[7]) Contacted Hosts (7)

/counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

/counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

6] https://www.hybrid-a...vironmentId=100

7] https://www.hybrid-a...vironmentId=100
___

Updated Sundown EK ...
- http://blog.trendmic...-steganography/
Dec 29, 2016 - "... On December 27, 2016, we noticed that Sundown was updated... The PNG files weren’t just used to store harvested information; the malware designers now used -steganography- to hide their exploit code. The newly updated exploit kit was used by multiple-malvertising-campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets:
> https://blog.trendmi...anography-1.jpg
...  previous Sundown versions directly connected victims to the Flash-exploit-file on their landing page. In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page. The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code... we found that it included the exploit code targeting CVE-2015-2419, a vulnerability in the JScript handling of Internet Explorer. A Flash exploit for CVE-2016-4117 is also retrieved by the exploit code. The landing page itself includes an exploit targeting another Internet Explorer (IE) vulnerability, CVE-2016-0189... The Sundown exploit kit exploits vulnerabilities in Adobe Flash and JavaScript, among others... Indicators of Compromise: The following domains were used by the Sundown Exploit kit with the matching IP addresses:
    xbs.q30 .biz (188.165.163.228)
    cjf.0340 .mobi (93.190.143.211)
The Chthonic sample has the following SHA1 hash:
    c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9
The sample also used the following C&C server:
    pationare .bit"

pationare .bit: 'Could not find an IP address for this domain name.'

188.165.163.228: https://www.virustot...28/information/

93.190.143.211: https://www.virustot...11/information/
 


#1861 AplusWebMaster

Posted 03 January 2017 - 11:33 AM

FYI...

Fake 'FTC' SPAM - ransomware
- https://myonlinesecu...t-notification/
3 Jan 2017 - "... an email with the subject of 'Consumer complaint notification' pretending to come from Federal Trade Commission <ftc.mvUJw@ ftc .gov.uk>... this is a ransomware version. Techhelplist* has kindly helped out and run the sample on a test system and got this very seasonal screenshot:
* https://twitter.com/...316984371646469
... The domain “ftc .gov.uk” does -not- exist... The link-in-the-email goes to:
 http ://govapego .com//COMPLAINT42084270.zip

Screenshot: https://i2.wp.com/my...=1024,574&ssl=1

3 January 2017: COMPLAINT42084270.zip: Extracts to: COMPLAINT.pdf.exe - Current Virus total detections 21/57*
Payload Security**..."
* https://www.virustot...sis/1483458092/
COMPLAINT.pdf.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.4.123.67: https://www.virustot...67/information/

govapego .com: 92.51.134.34: https://www.virustot...34/information/
 


#1862 AplusWebMaster

Posted 04 January 2017 - 01:14 PM

FYI...

Blockchain - phish
- https://myonlinesecu...chain-phishing/
4 Jan 2017 - "... don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Blockchain website but you can clearly see in the address bar, that it is fake. Some versions of this and similar phish will ask you to fill in the html (webpage) form that comes attached to the email. The link-in-the-email goes to
  http:// 178.33.66.249 /~kudi/admin/blockchain/info/login.php which is an OVH German server.

Screenshot: https://i2.wp.com/my...=1361,998&ssl=1

If you follow through, all they want is your email address and password but none of the other information that these phishing scams usually ask for:
> https://i2.wp.com/my...=1024,758&ssl=1.."

178.33.66.249: https://www.virustot...49/information/
> https://www.virustot...ef706/analysis/
Detection: 5/68
 


#1863 AplusWebMaster

Posted 05 January 2017 - 03:47 PM

FYI...

Fake 'New Invoice' SPAM - Cerber ransomware
- https://myonlinesecu...ber-ransomware/
5 Jan 2017 - "... an email with the subject of 'New Invoice #2768-16'... pretending to come from what I assume are random companies, names and email addresses with a zip attachment containing a js file that eventually delivers Cerber ransomware... One of the emails looks like:
From: Janie Cain <asgard1234@ post .su>
Date:Thu 05/01/2017 17:25
Subject: New Invoice #2768-16
Attachment: info-inv.zip
    This email is being sent in order to inform you that a new invoice has been generated for your account.
    Please see the file that is attached.
    The file is password protected to protect your information.
    The password is 123456
    Thank you.
    Janie Cain


5 January 2017: info-inv.zip: Extracts to: info-inv.js - Current Virus total detections 12/54*
... Analysis by techhelplist[1] has found it to deliver Cerber ransomware. It downloads from 86.106.131.141 /10.mov which is a renamed .exe file that, if you try to run it manually, would open Windows Media Player instead, although the script file will run it successfully (VirusTotal 3/45**) (Payload Security ***) (MALWR [4]). This Cerber version contacts -576- hosts... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://twitter.com/...105275580772353

* https://www.virustot...sis/1483646751/

** https://virustotal.c...642bb/analysis/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts (576)

4] https://malwr.com/an...WYzMTg5NjBhOGI/

86.106.131.141: https://www.virustot...41/information/
> https://www.virustot...cf181/analysis/
___

Tech support SCAM - DoS on Macs
- https://blog.malware...e-via-mail-app/
Jan 5, 2017 - "... yet another 'technique' that targets Mac OS users running Safari... second variant appears to still be capable of opening up iTunes, without any prompt in Safari... IOCs:
safari-get[.]com: Could not find an IP address for this domain name
safari-get[.]net: 111.118.212.86: https://www.virustot...86/information/
> https://www.virustot...29831/analysis/
safari-serverhost[.]com: Could not find an IP address for this domain name
safari-serverhost[.]net: 111.118.212.86 "
 

Edited by AplusWebMaster, 06 January 2017 - 07:18 AM.


#1864 AplusWebMaster

Posted 09 January 2017 - 05:10 AM

FYI...

Merry X-Mas Ransomware
- https://isc.sans.edu...l?storyid=21905
2017-01-09 - "... Merry X-Mas Ransomware was first reported as distributed through malicious spam (malspam) disguised as FTC consumer complaints*...
* https://myonlinesecu...t-notification/
3 Jan 2017
By Sunday 2017-01-08, I saw an updated version of the Merry X-Mas Ransomware distributed through malspam disguised as 'court attendance' notifications. The malspam was a -fake- notification to appear in court. Email headers indicate the sender's address was -spoofed- and the email came from a cloudapp .net domain associated with Microsoft:
> https://isc.sans.edu...ry-image-02.jpg
The -link- from the malspam downloaded a zip archive. The zip archive contained a Microsoft Word document with a malicious macro. If macros were enabled on the Word document, it downloaded and executed the ransomware.
Flow chart of the infection process:
> https://isc.sans.edu...ry-image-03.jpg
... IoCs follow:
    192.185.18.204 port 80 - neogenomes .com - GET /court/PlaintNote_12545_copy.zip  [initial zip download]
    81.4.123.67 port 443 - onion1 .host:443 - GET /temper/PGPClient.exe  [ransomware binary]
    168.235.98.160 port 443 - onion1 .pw  - POST /blog/index.php  [post-infection callback]
... Malspam with links to malware is a common threat. This is not an unusual method of malware distribution, and its holiday theme also fits the season... Still, we need to keep an ongoing dialog to promote awareness of this and other ransomware threats. Too many people continue to fall for it..."
(More detail at the isc URL above.)

192.185.18.204: https://www.virustot...04/information/

81.4.123.67: https://www.virustot...67/information/

168.235.98.160: https://www.virustot...60/information/
___

Fake 'Apple' SPAM - links to malware
- https://myonlinesecu...ber-ransomware/
9 Jan 2016 - "... an email with the subject of 'Apple latest security checks' pretending to come from Support@ App .com... Link goes to ‘http ://bellinghamontap .com/apple.zip’... Attachment: Link in email...

Screenshot: https://myonlinesecu...ck-1024x666.png

9 January 2017: apple.zip: Extracts to: apple.exe - Current Virus total detections 4/56*
Payload Security**. I am guessing from this report it is Cerber ransomware, by the number of IP addresses it contacts... The basic rule is NEVER open any attachment to an email -or- click-a-link in an email unless you are expecting it...."
* https://www.virustot...a8b7f/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (576)

bellinghamontap .com: 192.254.185.196: https://www.virustot...96/information/
> https://www.virustot...6007e/analysis/
 

Edited by AplusWebMaster, 09 January 2017 - 04:48 PM.


#1865 AplusWebMaster

Posted 10 January 2017 - 04:54 AM

FYI...

Fake 'Certificate UPDATE' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
10 Jan 2017 - "... an email with the subject of 'Certificate UPDATE' pretending to come from Administrator at your-own-email-address delivers Trickbot banking Trojan... One of the emails looks like:
From: Administrator <Administrator@ victim domain .tld >
Date: Tue 10/01/2017 01:25
Subject: Certificate UPDATE
Attachment: certificate.zip
    **********Important – Internal ONLY**********
    Your Web mail account Certificate is about to expire. Please update it.
    New Certificate is in attachment. Download and launch file.
    Certificate details:
    Filename:        Certificate.crt
    Key:                 6260-6233-GFPV-6072-UAAV-1048
    Domain:        ...
    MX record:     ...


10 January 2017: certificate.zip: Extracts to: Certificate_webmail.scr - Current Virus total detections 15/57*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484029988/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.47.139.102
36.37.176.6
201.236.219.180
144.76.203.79

___

Extortionists Wipe Databases, Victims Who-Pay-Up Get-Stiffed
- https://krebsonsecur...up-get-stiffed/
Jan 10, 2017 - "Tens of thousands of personal and possibly proprietary databases that were left accessible to the public online have just been -wiped- from the Internet, replaced with ransom-notes demanding payment for the return of the files. Adding insult to injury, it appears that virtually none-of-the-victims (who) have paid the ransom have gotten-their-files-back because multiple-fraudsters are now wise to the extortion attempts and are competing to replace-each-other’s-ransom notes.
At the eye of this developing data destruction maelstrom is an online database platform called MongoDB. Tens of thousands of organizations use MongoDB to store data, but it is easy to misconfigure and leave the database exposed online. If installed on a server with the default settings, for example, MongoDB allows anyone to browse the databases, download them, or even write over them and delete them..."
Shodan, a specialized search engine designed to find things that probably won’t be picked up by Google, lists the number of open, remotely accessible MongoDB databases available as of Jan. 10, 2017:
> https://krebsonsecur...shodanmongo.png
... Truth 1: “If you connect it to the Internet, someone will try to hack it.”
Truth 2: “If what you put on the Internet has value, someone will invest time and effort to steal it.”
Truth 3: “Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”
(More detail at the 1st krebsonsecurity URL at the top.)
 

Edited by AplusWebMaster, 10 January 2017 - 02:50 PM.
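The Krebs piece quoted above turns on one configuration fact: a MongoDB server installed with the settings it shipped with answered to anyone who could reach the port, with no authentication. The following is an added example, not code from the article or from MongoDB; it embeds two constructed mongod.conf fragments (one exposed, one hardened) and checks the two settings that matter, `net.bindIp` and `security.authorization`. Treating a missing `bindIp` as "all interfaces" is an assumption made to match the default-install behaviour the article describes.

```python
"""Audit a mongod.conf for the settings that decide whether the server is
reachable, and writable, by anyone on the Internet.

Added example, not code from the article: two constructed configurations
are embedded below, one exposed and one hardened. mongod.conf is YAML, but
the settings this check needs sit in a flat 'section:' / '  key: value'
layout, so a small purpose-built parser avoids a third-party YAML library.
"""

EXPOSED_CONF = """\
# constructed example of an exposed server
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed example: local interface only, authentication required
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_sections(text: str) -> dict:
    """Parse 'section:' headers and their indented 'key: value' lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):              # top-level section header
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    conf = parse_sections(text)
    findings = []

    bind = conf.get("net", {}).get("bindIp", "")
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    # Assumption for this check: a missing bindIp is treated as listening on
    # every interface, the default-install behaviour the article describes.
    if not addrs or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp: server listens on all interfaces")

    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization: not enabled; any client that "
                        "connects can read, overwrite or drop every database")
    return findings


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["ok"])
```

A server that needs to be reached from other hosts should list those hosts' interfaces in `bindIp` and sit behind a firewall rule on 27017; binding to every interface with authorization off is exactly the state the ransom notes in the article were left in.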


#1866 AplusWebMaster

Posted 11 January 2017 - 04:37 AM

FYI...

Fake 'Document' SPAM - delivers Trickbot
- https://myonlinesecu...nking-trojan-2/
11 Jan 2017 - "An email with the subject of 'Document from Vogel' (random name) pretending to come from the same random name at your-own-email-address with a malicious word doc attachment delivers Trickbot banking Trojan... The email looks like:
From: Michael Vogel <Michael.Vogel@ victim domain .tld >
Date: Wed 11/01/2017 06:59
Subject: Document from Vogel
To: admin@victim domain.tld  + 9 other names at my domain
Attachment: Vogel_1101_30.doc
    My company sent you a document. Check it attached.
     Regards,
    Michael Vogel
    G8 Education Limited


11 January 2017: Vogel_1101_30.doc - Current Virus total detections 9/55*
Payload Security** shows a download of what pretends to be a png (image file) but is actually a renamed .exe file from ‘http ://artslogan .com.br/images/jhfkjsdhfntnt.png’ which is renamed by the script to yatzxwe.exe and automatically run (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484121516/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
189.1.168.176
78.47.139.102
36.37.176.6
201.236.219.180
144.76.203.79


*** https://www.virustot...sis/1484091723/
___

Post-holiday spam campaign delivers Neutrino Bot
- https://blog.malware...s-neutrino-bot/
Jan 11, 2017 - "During the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year... over the weekend we observed a large new campaign purporting to be an email from ‘Microsoft Security Office’ with a link to a full security report (Microsoft.report.doc). This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. Instead, the files are hosted on various servers with a short time to live window:
> https://blog.malware...17/01/email.png
The booby-trapped document asks users to enable-macros in order to launch the malicious code:
> https://blog.malware...cro_blocked.png
If the macro executes, the final payload will be downloaded and executed. This is Neutrino bot..."
IOCs:
Malicious doc:
agranfoundation[.]org/Microsoft[.]report[.]doc: 192.185.77.168
xn--hastabakc-2pbb[.]net/Microsoft[.]report[.]doc: 176.53.17.106
ecpi[.]ro/Microsoft[.]report[.]doc: 89.42.223.64
ilkhaberadana[.]com/Microsoft[.]report[.]doc: 159.253.46.194
cincote[.]com/Microsoft[.]report[.]doc: 192.185.145.46
mallsofjeddah[.]com/Microsoft[.]report[.]doc: 192.185.191.165
dianasoligorsk[.]by/Microsoft[.]report[.]doc: 178.124.131.21
8dd66dd191c9f0d2f4b5407e5d94e815e8007a3de21ab16de49be87ea8a92e8d
Neutrino bot:
www.endclothing[.]cu[.]cc/nn.exe: 137.74.93.42
87b7e57140e790b6602c461472ddc07abf66d07a3f534cdf293d4b73922406fe
b1ae6fc1b97db5a43327a3d7241d1e55b20108f00eb27c1b8aa855f92f71cb4b
ca64848f4c090846a94e0d128489b80b452e8c89c48e16a149d73ffe58b6b111
 

Edited by AplusWebMaster, 11 January 2017 - 12:35 PM.
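Both Trickbot lures above (#1865's 'Certificate UPDATE' and #1866's 'Document from Vogel') set the From address to the victim's own domain, so a rule that only looks at the visible sender cannot tell them from real internal mail. What does separate them is the trail of Received headers: each relay prepends one, so the last header is the first hop, and for genuinely internal mail that hop is one of the organisation's own hosts. The following is an added example, not code from the posts; `OUR_DOMAIN`, `OUR_MAIL_HOSTS` and both messages are constructed for it. SPF, DKIM and DMARC are the standard way to enforce this; the heuristic here is what an analyst can run over a saved message when those results are not available.

```python
"""Flag mail that claims an internal sender but did not originate from our
own mail infrastructure.

Added example, not code from the posts: the 'Certificate UPDATE' and
'Document from <name>' lures both set the From address to the victim's own
domain, so a rule on the visible sender alone cannot separate them from real
internal mail. Comparing the claimed domain with the host in the earliest
Received header does. OUR_DOMAIN, OUR_MAIL_HOSTS and both messages are
constructed for this example.
"""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                                # assumed receiving organisation
OUR_MAIL_HOSTS = {"mx1.example.com", "mx2.example.com"}   # assumed legitimate originating relays

# Received headers are prepended by each hop, so the last one is the first hop.
SPOOFED_MSG = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10]) by inbox.example.com; Tue, 10 Jan 2017 01:25:01 +0000
Received: from vps-0.hosting-provider.example ([203.0.113.5]) by mx1.example.com; Tue, 10 Jan 2017 01:24:58 +0000
From: Administrator <Administrator@example.com>
To: admin@example.com
Subject: Certificate UPDATE

Your Web mail account Certificate is about to expire. Please update it.
"""

LEGITIMATE_MSG = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10]) by inbox.example.com; Tue, 10 Jan 2017 09:00:00 +0000
Received: from pc42.corp.example.com ([192.0.2.42]) by mx1.example.com; Tue, 10 Jan 2017 08:59:58 +0000
From: IT Support <it@example.com>
To: admin@example.com
Subject: Planned maintenance

The mail server will be restarted tonight.
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)


def received_hops(msg) -> list:
    """Host named after 'from' in each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(value)
        if m:
            hops.append(m.group(1).lower())
    return hops


def origin_host(raw: str) -> str:
    """Host that handed the message to the first relay, or '' if untraceable."""
    hops = received_hops(email.message_from_string(raw))
    return hops[-1] if hops else ""


def claims_internal_sender(raw: str) -> bool:
    """True when the From address uses our own domain."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() == OUR_DOMAIN


def looks_spoofed(raw: str) -> bool:
    """True for mail claiming our domain whose first hop is not ours."""
    if not claims_internal_sender(raw):
        return False           # external senders are outside this check
    origin = origin_host(raw)
    if not origin:
        return True            # internal mail with no Received trail at all
    return origin not in OUR_MAIL_HOSTS and not origin.endswith("." + OUR_DOMAIN)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legitimate", LEGITIMATE_MSG)):
        print(f"{label}: origin={origin_host(raw)!r} flagged={looks_spoofed(raw)}")
```

Only the Received header added by your own relay is trustworthy; anything below it was written by whoever handed the message over. The check therefore hinges on the first hop your relay recorded, and a hostname there that belongs to neither your mail hosts nor your domain is the signal.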


#1867 AplusWebMaster

Posted 12 January 2017 - 04:29 AM

FYI...

Fake 'MoneyGram' SPAM - delivers Java Jacksbot
- https://myonlinesecu...urgent-request/
12 Jan 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...previously mentioned... HERE*....
* https://myonlinesecu.../?s=java adwind
... This version is slightly unusual... has a html attachment with -links- for you to download the file yourself.

Screenshot: https://myonlinesecu...tion-email-.png

If you are unwise enough to open the html -attachment- you see a webpage looking like this:
> https://myonlinesecu...onfirmation.png
The page tries to automatically download the zip file; if that doesn’t work then the download button appears. That goes to http ://dreamsbroker .com/Requested%20Missing-Confirmation%20of%20payment.zip which extracts to 2 identical but differently named java .jar files: 'Received documents And Customers identification.jar' and 'Request Missing Transaction Details and Refrence.jar'

12 January 2017: Received documents And Customers identification.jar (323kb) - Current Virus total detections 24/55*
Payload Security**. These malicious attachments have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484201418/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.243.41.200

dreamsbroker .com: 180.235.148.70: https://www.virustot...70/information/
___

'Phishy' sponsored tweets
- https://blog.malware...onsored-tweets/
Jan 12, 2016 - "Another day, another couple of rogue sponsored tweets [1], [2] which lead to phishing:
1] https://blog.malware...-card-phishing/
2] https://www.scmagazi...article/629182/
The account pushing the first phish has now been deleted, but it’s trivial to set up another one – and the phishing URL itself is -still- active, ready to be redeployed at a moment’s notice... site is located at
verifiedaccounts(dot)us
and – like the older versions of this scam – is all about getting yourself verified:
> https://blog.malware...ored-phish1.jpg
The site kicks things off by asking for username, email address, account type, phone number, year of account creation, and (finally) associated password. It’s not long before they’re sniffing around your wallet, too:
> https://blog.malware...ored-phish2.jpg
... We strongly advise all users of Twitter to be on their guard – just because a tweet is sponsored, doesn’t mean the content it leads to is legitimate. Be on your guard and don’t hand over login details, payment credentials, or anything else to sites -claiming- they can get you verified."

verifiedaccounts(dot)us: 192.185.128.203: https://www.virustot...03/information/
> https://www.virustot...a3883/analysis/
Detection ratio: 10/68
___

More Indian tech support SCAMS
- http://blog.dynamoo....gineer-and.html
12 Jan 2017 - "... huge upsurge in the number of Indian tech support scammers ringing, both at home and my place of work. For example.. this:
One common trick they use revolves around this hexadecimal number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. Either it's a signal that hackers are at your PC, or it's your secret router ID that only BT would know. The conversation goes something like this..
Victim: "But I don't get my internet from BT.."
Scammer: "BT provides all the internet connections for everyone else, including TalkTalk and Virgin Media."
Victim: "How do I know you're from BT?"
Scammer: "There is a confidential Router ID that only BT will know. You can verify this to prove that we are BT."
The scammer then talks the victim through pressing -R then CMD (followed by OK) and then ASSOC (followed by RETURN). That simply produces a list of file associations (e.g. to say that .xlsx is an Excel spreadsheet). The line they want you to see is:
    .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
This is just something to do with how Windows handles compressed files and folders. All Windows machines should have this entry, but it looks sufficiently scary to impress at least some victims.
>> NEVER GIVE THESE PEOPLE ACCESS TO YOUR PC.
However, if you want to waste their time please do so.. if you work in IT you can probably play a convincingly dumb user. It seems that they will try for up to 40 minutes or so before they give up. Alternatively, say that you have to get your laptop out from somewhere and it is very slow and just put them on hold. Every minute of their time you can waste will stop them targeting other potential victims. And don't just ignore the call - report it. If you are in the UK you can report this sort of -scam- to Action Fraud* - it will certainly help law enforcement if they have an idea of how many potential victims there are."
* http://www.actionfra...uk/report_fraud
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 12 January 2017 - 03:57 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1868 AplusWebMaster

Posted 15 January 2017 - 05:29 AM

FYI...

Fake blank-body/no-subject SPAM - delivers Cerber
- https://myonlinesecu...ber-ransomware/
15 Jan 2017 - "I have been seeing these emails sporadically for the last month or so, but all previous versions have been corrupt... today’s actually has a working zip file. These arrive as a blank/empty email with no-subject pretending to come from asisianu @  pauleycreative .co.uk with a zip file containing a malicious word doc. They all actually come from asisianu at random email addresses, sometimes they spoof your-own-email-address, but always the 'From' address in the email is asisianu@pauleycreative .co.uk. This is Cerber ransomware... The email looks like:
From: asisianu@ pauleycreative .co.uk
Date: Sun 15/01/2017 06:54
Subject: none
Attachment:  EMAIL_31327_info.zip


Body content: Totally empty/blank

15 January 2017: 12412.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
 http ://coolzeropa .top/admin.php?f=0.dat which is renamed by the script to rcica.exe (VirusTotal 7/58***).
This also drops a full screen set of instructions on how to decrypt and pay the ransom:
  _HOW_TO_DECRYPT_CDF8WC_.hta ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484469048/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (577)

*** https://www.virustot...sis/1484469369/

coolzeropa .top: 35.161.229.79: https://www.virustot...79/information/
84.200.34.99: https://www.virustot...99/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 15 January 2017 - 05:33 AM.


#1869 AplusWebMaster

Posted 17 January 2017 - 04:34 AM

FYI...

Blank-emails no-subject SPAM - deliver Locky and Kovter
- https://myonlinesecu...cky-and-kovter/
17 Jan 2017 - "... We are starting to see Locky, Kovter delivery emails trickling in this morning. The sites and payloads are the same as described in this post:
> https://myonlinesecu...nd-locky-sites/ 
It looks like the Locky gangs are gearing up for a mass malspam, but are getting the delivery systems fine tweaked and having a few problems. We always see errors and problems before a mass Locky onslaught. If they keep to the sites they have been using for the last month or so, it will be relatively easy to track them & block malware. The emails received so far today are totally-blank, no-subject. The zip attachment extracts to another zip before extracting to a supposedly .jse file. However these are not encoded javascript. They are just minimally obfuscated, in fact perfectly readable by a human:
From: charlie.wills@ 02glass .com
Date: Mon 16/01/2017 23:30  (arrived 07:35 utc 17/01/2017)
Subject: blank


Attachment: 38168891.zip extracts to 38168891.doc.zip extracts to 38168891.doc.jse  
VirusTotal 5/54* | Payload Security**
Payload:
1.bin Locky: https://www.virustot...sis/1484631951/
File name: a1.exe / Detection: 16/55

2.bin Kovter: https://www.virustot...sis/1484642102/
File name: 2.bin / Detection: 12/56

* https://www.virustot...sis/1484641911/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (171)
 

:ph34r: :ph34r:   :grrr:



#1870 AplusWebMaster

Posted 18 January 2017 - 12:26 PM

FYI...

Fake 'ACH' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
18 Jan 2017 - "... an email spoofing ACH (Automated Clearing House) with the subject of 'Blocked Transaction Case No 255275283' coming or pretending to come from random companies, names and email addresses with a rar attachment extracting to a very heavily obfuscated .JS file delivers Locky ransomware after a long convoluted download system... One of the emails looks like:
From: Eufemia Quintyne <xefiuza03040150@ photogra .com>
Date: Wed 18/01/2017 14:08
Subject: Blocked Transaction. Case No 255275283
Attachment: doc_details.rar
    The Automated Clearing House transaction (ID: 058133683), recently initiated
    from your online banking account, was rejected by the other financial
    institution.
    Canceled ACH transaction
    ACH file Case ID     04123240
    Transaction Amount     1624.05 USD ...


18 January 2017:  doc_details.rar: Extracts to: doc_details.js - Current Virus total detections 7/54*
Payload Security** shows it drops another .js file (Payload Security ***) (VirusTotal 7/53[4]) which in turn downloads Locky ransomware from unwelcomeaz .top/2/56.exe (VirusTotal 9/55[5])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484760601/

** https://www.hybrid-a...vironmentId=100

*** https://www.hybrid-a...vironmentId=100
35.164.68.81
91.237.247.24
194.31.59.5
52.88.7.60
35.161.88.115


4] https://www.virustot...sis/1484757035/

5] https://www.virustot...sis/1484758078/

unwelcomeaz .top: 35.164.68.81: https://www.virustot...81/information/
54.149.186.25: https://www.virustot...25/information/
___

Fake 'signature required' SPAM - delivers hancitor
- https://myonlinesecu...ivers-hancitor/
18 Jan 2017 - "An email pretending to come from a firm of -lawyers- with the subject of 'RE: settlement' pretending to come from a random firm of lawyers with a link-that-downloads a malicious word doc delivers hancitor [1]...

Screenshot: https://myonlinesecu...1/bracewell.png

18 January 2017: contract_submit.doc - Current Virus total detections 3/53*. Payload Security**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.fireeye....aka_chanit.html

* https://www.virustot...sis/1484759676/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.23.117.228
109.120.170.116
188.212.255.49
78.47.141.185

 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 18 January 2017 - 02:53 PM.


#1871 AplusWebMaster

Posted 19 January 2017 - 12:37 PM

FYI...

Fake 'Insolvency Service' SPAM - delivers Cerber
- http://blog.dynamoo....cy-service.html
19 Jan 2017 - "This malware spam is unusual in many respects. The payload may be some sort of ransomware (UPDATE: this appears to be Cerber).

Screenshot: https://3.bp.blogspo.../insolvency.png

Sample subjects are:
LSV 354EMPU31 -  Investigations Inquiry Reminder
JXI 647TESR39 -  Investigations Inquiry Reminder
SHV 622WYXP68 -  Investigations Inquiry Notice
QPY 661APWZ41 -  Investigations Inquiry Notice
FHF 338SYBV85 -  Investigations Inquiry Notice
EGY 318NHAR12 -  Investigations Inquiry Notification
IZJ 296CNWP92 -  Investigations Inquiry Notice
All the senders I have seen come from the chucktowncheckin .com domain. Furthermore, all of the sending servers are in the same /24: 194.87.216.* .. All the servers have names like kvm42.chapelnash .com in a network block controlled by Reg .ru in Russia. The link-in-the-email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect .com e.g. 2vo4 .uk-insolvencydirect .com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:
> https://3.bp.blogspo...gov-uk-fake.png
Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js)... Hybrid Analysis* of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do given that OpenDNS is a security tool). The script downloads a component from www .studiolegaleabbruzzese .com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53**. Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:
soumakereceivedthiswith .ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor .ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource .ru (does not resolve)
maytermsmodiall .ru (does not resolve)
... I recommend that you block email traffic from:
194.87.216.0/24
-and- block web traffic to
uk-insolvencydirect .com
studiolegaleabbruzzese .com
176.98.52.157
151.0.42.255
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.149.142.206
208.118.235.148
208.67.222.222
5.58.153.190


** https://virustotal.c...1309e/analysis/
___

Verified Twitter accounts compromised ...
- https://blog.malware...-busy-spamming/
Jan 18, 2017 - "Verified Twitter accounts tend to be a little more secure than those belonging to non-verified users due to the amount of extra hoop jumping required to get one of those ticks in the first place. A number of security requirements, including providing a phone number and setting up 2FA, are all things a would-be verified Twitter user needs to do. In theory, it should be somewhat tricky to compromise those accounts – it wouldn’t really help Twitter if their theoretically appealing verified accounts were firing out Viagra spam all day long. Brand reputation and all that. And yet…in the space of a few hours last week, we had multiple verified users hitting the 'I’ve been compromised' wall of doom and gloom... 'rogue tweets' were, in theory, being sent to a combined audience of around 200,000+ people which could have been disastrous if the links had contained malicious files. Thankfully, these links were “just” porn spam and sunglasses, but the danger for something much worse is always present where a compromise is concerned. People trust the verified ticks in the same way they probably let their guard down around sponsored tweets, and in both cases a little trust can be a bad thing... scammers are doing it, always pay attention when your favorites start firing out URLs. Links are meant to be clicked, but that doesn’t mean we have to leap before looking – Twitter works best with shortened URLs, but you can usually see where they lead:
> https://blog.malware...ink-taking-you/
Whether you’re verified or not, keep your wits about you and have a hopefully stress free experience on that most popular of social networks."
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 19 January 2017 - 01:36 PM.

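The blocklists quoted in this thread (the insolvency post above, the 'verifiedaccounts(dot)us' phish, the Cerber download URL in #1868) are all written in the thread's defanged notation, so they cannot be pasted straight into a proxy or log search. The following is an added example (Python), not code from the thread or from the blogs it quotes: it refangs that notation, classifies each indicator as a URL prefix, an IP network (a single IP becomes a /32, so the recommended /24 blocks work the same way) or a domain (subdomains count, since the phish page sat on a subdomain), and runs the result over a few constructed proxy log lines. The log format and the destination IPs paired with each URL are constructed for the example; only the indicators themselves come from the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the blocklists quoted above, in this thread's own
# defanged notation ("host .tld", "host(dot)tld", "http ://host"). These are the
# only values here that come from the thread; everything else is constructed.
DEFANGED_IOCS = [
    "194.87.216.0/24",                            # sending servers, insolvency spam
    "uk-insolvencydirect .com",                   # fake gov.uk download page
    "studiolegaleabbruzzese .com",                # site serving the dropped component
    "176.98.52.157",                              # soumakereceivedthiswith .ru
    "151.0.42.255",                               # sectionpermiathefor .ru
    "verifiedaccounts(dot)us",                    # Twitter 'verification' phish
    "http ://coolzeropa .top/admin.php?f=0.dat",  # Cerber download URL (#1868)
]


def refang(indicator):
    """Undo the thread's defanging so the indicator can be compared with real traffic."""
    s = indicator.strip()
    s = re.sub(r"\s*\(dot\)\s*", ".", s, flags=re.IGNORECASE)   # "a(dot)b" -> "a.b"
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)        # "hxxp://" -> "http://"
    s = re.sub(r"\s*:\s*//\s*", "://", s)                       # "http ://" -> "http://"
    s = re.sub(r"\s+\.", ".", s)                                # "host .tld" -> "host.tld"
    s = re.sub(r"\.\s+", ".", s)                                # "www .x .de" -> "www.x.de"
    return s.lower()


def load_iocs(defanged):
    """Refang and classify each indicator as a URL prefix, an IP network or a domain."""
    iocs = []
    for raw in defanged:
        value = refang(raw)
        if "://" in value:
            iocs.append(("url", value, value))
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)   # single IPs become /32
            iocs.append(("net", net, value))
        except ValueError:
            iocs.append(("domain", value, value))
    return iocs


def match_line(line, iocs):
    """Match one log line against the indicators.

    Log format (constructed for this example): 'timestamp client_ip dest_ip method url'.
    Returns the labels of every indicator that hit, in indicator order.
    """
    _ts, _client, dest_ip, _method, url = line.split()
    url = url.lower()
    host = (urlsplit(url).hostname or "").lower()
    dest = ipaddress.ip_address(dest_ip)
    hits = []
    for kind, value, label in iocs:
        if kind == "net" and dest in value:
            hits.append(label)
        elif kind == "domain" and (host == value or host.endswith("." + value)):
            hits.append(label)   # subdomains count too (2vo4.uk-insolvencydirect.com)
        elif kind == "url" and url.startswith(value):
            hits.append(label)
    return hits


def scan(lines, iocs):
    """Return (line, hits) for every line that matched at least one indicator."""
    results = []
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            results.append((line, hits))
    return results


# Constructed proxy log lines: the destination IPs are documentation-range placeholders
# except where the point is to exercise the /24 and single-IP rules.
SAMPLE_LOG = [
    "2017-01-19T09:12:01Z 10.0.0.12 203.0.113.10 GET http://2vo4.uk-insolvencydirect.com/sending_data/in_cgi/bbwp/cases/Inquiry.php",
    "2017-01-19T09:12:40Z 10.0.0.12 176.98.52.157 GET http://soumakereceivedthiswith.ru/",
    "2017-01-19T09:13:05Z 10.0.0.12 203.0.113.20 GET http://www.example.com/index.html",
    "2017-01-15T08:01:17Z 10.0.0.31 203.0.113.30 GET http://coolzeropa.top/admin.php?f=0.dat",
    "2017-01-19T09:14:00Z 10.0.0.12 194.87.216.45 GET http://kvm42.chapelnash.com/",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG, load_iocs(DEFANGED_IOCS)):
        print(hits, "<-", line)
```

Matching on the destination IP as well as the host name is deliberate: the second sample line reaches one of the OpenDNS-resolved callback addresses directly, with a host name that is not on the list, and would be missed by a host-only rule.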

#1872 AplusWebMaster

Posted 20 January 2017 - 05:37 AM

FYI...

Fake 'Western Union' SPAM - delivers java Adwind/Jacksbot
- https://myonlinesecu...dwind-jacksbot/
20 Jan 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE:
> https://myonlinesecu.../?s=java adwind
The email looks like:
From: WU-IT Department <csc.it.westernunion@ gmail .com>
Date: Fri 20/01/2017 02:02
Subject: WUPOS Agent Portal Upgrade For All Agents
Attachment: Update Manual & Agent Certificate .pdf
    Dear All,
    Western Union ,IT Department  data is posting upgrade for new version of WUPOS.Please  download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen
    Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue. Thanks & Regards, IT Department Western Union Internet United Kingdom PO Box 8252 London United Kingdom W6 0BX..."


Screenshot: https://myonlinesecu...gents-email.png

The attached PDF looks like:
> https://myonlinesecu...1/wupos_pdf.png

The link-in-the-PDF is to http ://phrantceena .com/wp-content/plugins/Update%20Manual%20&%20Agent%20Certificate%20.zip which will give you -2- identical (although named differently) java.jar files. Agent certificate & branch details..jar and Wupos manual and update file..jar ..

20 January 2017: Agent certificate & branch details..jar (323kb) Current Virus total detections 26/55*
Payload Security **... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484897128/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.243.41.200

phrantceena .com: 66.147.244.127: https://www.virustot...27/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 20 January 2017 - 05:42 AM.


#1873 AplusWebMaster

Posted 21 January 2017 - 09:46 AM

FYI...

Sage 2.0 ransomware
- https://isc.sans.edu...l?storyid=21959
2017-01-21 - "On Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware I'd never seen before called 'Sage'. More specifically, it was 'Sage 2.0'... Sage is yet another family of ransomware in an already crowded field.  It was noted on BleepingComputer forums back in December 2016 [1, 2]...
1] https://www.bleeping...extension-sage/

2] https://www.bleeping...ort-help-topic/

... Emails from this particular campaign generally have -no- subject lines, and they always have -no- message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I'll see a .js file instead of a Word document, but it does the same thing... attachments are often double-zipped. They contain -another- zip archive before you get to the Word document or .js file...
Example of a Word document with a malicious macro:
> https://isc.sans.edu...ry-image-05.jpg
Another example of the Word document with a malicious macro:
> https://isc.sans.edu...ry-image-06.jpg
The Word document macros or .js files are designed to download and install ransomware. In most cases on Friday, the ransomware was Sage 2.0... Under default settings, an infected Windows 7 host will present a UAC window before Sage continues any further. It keeps appearing until you click 'yes':
UAC pop-up caused by Sage: https://isc.sans.edu...ry-image-12.jpg
The infected Windows host has an image of the decryption instructions as the desktop background.  There's also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ".sage" is the suffix for all encrypted files:
Desktop of an infected Windows host: https://isc.sans.edu...ry-image-13.jpg
... Following the decryption instructions should take you to a Tor-based domain with a decryptor screen.  On Friday, the cost to decrypt the files was $2,000 US dollars (or 2.22188 bitcoin):
The Sage 2.0 decryptor: https://isc.sans.edu...ry-image-15.jpg
... When the callback domains for Sage didn't resolve in DNS, the infected host sent UDP packets to over 7,000 IP addresses...
Below are IOCs for Sage 2.0 from Friday 2017-01-20:
Ransomware downloads caused by Word document macros or .js files:
    54.165.109.229 port 80 - smoeroota .top - GET /read.php?f=0.dat
    54.165.109.229 port 80 - newfoodas .top - GET /read.php?f=0.dat
    84.200.34.99 port 80 - fortycooola .top - GET /user.php?f=0.dat
Post-infection traffic:
    54.146.39.22 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
    66.23.246.239 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
    mbfce24rgn65bx3g .rzunt3u2 .com (DNS queries did not resolve)
    Various IP addresses, UDP port 13655 - possible P2P traffic...
... not sure how widely-distributed Sage ransomware is. I've only seen it from this one malspam campaign, and I've only seen it one day so far. I'm also not sure how effective this particular campaign is. It seems these emails can easily be -blocked- so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals..."
(More detail at the isc URL at the top of this post.)
 

:ph34r: :ph34r: :grrr:



#1874 AplusWebMaster

Posted 23 January 2017 - 08:32 AM

FYI...

Fake 'Tiket alert' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
23 Jan 2017 - "An email spoofing the FBI with the subject of 'Tiket alert 331328222' pretending to come from random senders with a malicious word doc downloads locky ransomware... The email looks like:
From: Ngoc Trane <dpeupyl0386@ eiv .cl>
Date:  Mon 23/01/2017 13:14
Subject: Tiket alert 331328222
Attachment: information.doc
    From:   FBI service [dpeupyl0386@ fbi .com]
    Date:   Mon, 23 Jan 2017 14:14:09 +0100
    Subject:   Tiket alert
    Look at the attached file for more information.
    Assistant Vice President, FBI service
    Management Corporation


23 January 2017: information.doc - Current Virus total detections 5/54*
Payload Security** shows a download from http ://unwelcomeaz .top/2/56.exe (VirusTotal 3/56***).
Payload Security[4]. Last week this site[1] was delivering Locky ransomware, which is continuing today. It also looks like this Locky version is trying to download & install opera browser as well... The actual 56.exe pretends to be an adobe flash player 13 file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://myonlinesecu...cky-ransomware/

* https://www.virustot...sis/1485177870/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1485178446/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.17.40.234
52.88.7.60
54.240.162.210
35.161.88.115
91.198.174.192
91.198.174.208


unwelcomeaz .top: 35.164.68.81: https://www.virustot...81/information/
> https://www.virustot...0c689/analysis/
154.16.247.115: https://www.virustot...15/information/
> https://www.virustot...0c689/analysis/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 24 January 2017 - 04:52 AM.


#1875 AplusWebMaster

Posted 24 January 2017 - 05:21 AM

FYI...

Fake 'Refund Unsuccessful' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
24 Jan 2017 - "... an email with the subject of 'Refund Unsuccessful 03246113' (random numbers) pretending to come from random companies, names and email addresses with a word doc attachment in the format of which delivers Locky ransomware... The email looks like:
From: Stefania Collyer <heg64423837@ zinchospitality .com>
Date: Tue 24/01/2017 01:53
Subject:  Refund Unsuccessful  03246113
Attachment:  information.doc
    Your order has been cancelled, however we are not able to proceed with the
    refund of $ 1371.48
    All the information on your case 527312277 is listed in the document below.


Locky binary (virustotal 24/55*)
Macro (VirusTotal 26/55**)
Antivirus detections on these are still terrible, 24 hours after being submitted... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485240808/

** https://www.virustot...d001e/analysis/
___

Fake 'DHL Shipment' SPAM - delivers Cerber
- https://myonlinesecu...ber-ransomware/
24 Jan 2017 - "... an email with the subject of 'DHL Shipment Notification: 6349701436' pretending to come from DHL Customer Support <support@ dhl .com> delivers Cerber ransomware...

Screenshot: https://myonlinesecu...otification.png

There are several different named attachments with this campaign. _Dhl_expr. DATE20170120.zip   -EXPRESS -Date20170120.zip and probably other variants.
All extract to the same named .js file: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js...

9 January 2017: P_rek.zip: Extracts to: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js
Current Virus total detections 9/54*. Payload Security** shows a download from
 http ://bonetlozano .com/kvst.exe (VirusTotal 7/56***) which from the network noise looks like Cerber ransomware, although neither Payload Security nor any Antivirus on Virus total detect it as Cerber... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485239971/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (695)

*** https://www.virustot...sis/1485168150/

bonetlozano .com: 217.76.130.248: https://www.virustot...48/information/
> https://www.virustot...2865c/analysis/
___

Fake 'Online-Shop' SPAM - delivers malware
- https://myonlinesecu...lspam-delivers/
24 Jan 2017 - "... email with the subject of 'Bestellung Online-Shop Auftr.Nr 02132596' (random numbers) coming or pretending to come from random companies, names and email addresses with a zip attachment containing a very heavily obfuscated JavaScript file which delivers an unknown malware... One of the emails looks like:
From: waldemar.wysocki@ gmx .de
Date: Tue 24/01/2017 10:53
Subject: Bestellung Online-Shop Auftr.Nr 02132596
Attachment: ea00ba32a5.zip
    Bestellung Nr.: 02132596 Datum: 24.01.2017


24 January 2017: -Bestellpositionen[alle Preise in EUR].zip: Extracts to: -Bestellpositionen[alle Preise in EUR].pdf.js - Current Virus total detections 1/55*
Payload Security** shows a download from volleymultdom .biz/fsgdhyrer6cdve8rv7hdsvkekvhbsdjh/cfhr.exe (VirusTotal 7/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485255695/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.144.125.170
212.2.153.190


*** https://www.virustot...c1684/analysis/

volleymultdom .biz: 162.144.125.170: https://www.virustot...70/information/
___

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecu...nknown-malware/
24 Jan 2017 - "... common email template pretending to come from HMRC, threatening enforcement action to recover unpaid tax... Update: being told this is Zurgop and Zbot spy...

Screenshot: https://myonlinesecu...ent-request.png

24 January 2017: Statement of Liabilities_7.doc - Current Virus total detections 3/54*
Payload Security** shows a download from http ://sergiosuarezgil .com/adobe_upd7.exe (VirusTotal 4/56***)
Payload Security[4].. nothing gives any real clue what it is or what it does... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485264589/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
198.20.102.131

*** https://www.virustot...sis/1485260445/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.63.140.108
193.104.215.58
185.162.9.59
212.227.91.231
104.87.224.175
82.192.75.161
37.252.227.51
178.77.120.104
169.50.71.245


sergiosuarezgil .com: 198.20.102.131: https://www.virustot...31/information/
> https://www.virustot...efedc/analysis/
6/64

email return URL: hmrcgsigov .org: 93.190.140.136: https://www.virustot...36/information/
Country - NL << Fraud
___

Android malware returns, gets >2M downloads on Google Play
- http://arstechnica.c...on-google-play/
1/23/2017 - "A virulent family of malware that infected more than 10 million Android devices last year has made a comeback, this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users. HummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the name given to a family of malicious apps researchers documented in July invading non-Google app markets. HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000 fraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per month in revenue..."
> http://blog.checkpoi...ingbad-returns/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 24 January 2017 - 12:56 PM.


#1876 AplusWebMaster

Posted 25 January 2017 - 04:29 AM

FYI...

Fake 'DHL' SPAM - delivers banking Trojan
- https://myonlinesecu...banking-trojan/
25 Jan 2017 - "... an email with the subject of 'DHL prepared commercial invoice 9500238176 902694287308' (random numbers) pretending to come from ebillingcmf.td@ DHL .COM that delivers ursnif banking Trojan... One of the emails looks like:
From: ebillingcmf.td@ DHL .COM
Date: Wed 25/01/2017 07:49
Subject: DHL prepared commercial invoice 9500238176 902694287308
Attachment: Commercial.Form.25.01.2017.CVS.zip
    Attached notice amount customs charges
    Dear Customer,
    Attached your invoice in PDF format, dated 25/01/2017 and csv files for shipments and services provided by DHL Express.
    You can also display the details of his account and the historical invoices online.
    In case of substantial problems in the Annex, contact support at: support@dhl.com
    We expect to receive payment within the prescribed period, as indicated on the invoice.
    We send our thanks for having taken advantage of DHL Express services.
    Best regards,
    DHL Express


25 January 2017: Commercial.Form.25.01.2017.CVS.zip: Extracts to: Commercial.Form.25.01.2017.CVS.wsf
Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
 http :// www .cp4 .de/cp4/2401.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485330508/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (16)
81.169.145.165
192.229.221.24
195.93.42.3
195.93.42.2
217.79.188.60
207.200.74.133
217.79.188.46
37.157.6.252
172.227.147.7
152.163.56.3
217.79.188.60
64.12.235.98
151.101.192.249
107.22.179.226
104.94.37.243
104.74.100.205

___

Sage 2 ransomware - spreading in UK via malspam emails
- https://myonlinesecu...malspam-emails/
25 Jan 2017 - "... new entry to the market. Sage 2.0 ransomware. They are using the same basic email template telling you the order was cancelled but cannot give a refund. There are also 'ACH Blocked transaction' emails also spreading the same sage 2.0 ransomware. The security community has been warning about Sage2.0 ransomware for a few days now, but today is the first day we have seen malspam emails targeting UK users. All the emails so far received have contained the same zip file containing a very heavily encoded/obfuscated javascript file document_1.zip - there also appear to be 2 other files with no names inside the zip that don’t automatically  extract and are probably there as padding or left over artefacts. They just appear to contain a list of txt characters, possibly a tracking identity or even the decryption key. I am attaching a couple of different document_1.zip versions to a zip file for researchers to look at P/W ”infected”
25 jan_sage2 zip. Some subjects seen include:
    Refund Unsuccessful  26485806 (random numbers)
    Blocked Transaction. Case No 15120544 (random numbers)
    Re:
    Fw:

One of the emails looks like:
Body content with 'Refund Unsuccessful' or 'FW' and 'RE:'
    Your order has been cancelled, however we are not able to proceed with the
    refund of $ 1460.01
    All the information on your case 652661070 is listed in the document below.

Body content with 'Blocked Transaction'. 'Case No nnnn'
    The Automated Clearing House transaction (ID: 085112046), recently initiated
    from your online banking account, was rejected by the other financial
    institution.
    Canceled ACH transaction
    ACH file Case ID     07677730
    Transaction Amount     1436.17 USD
    Sender e-mail     obqeygua57341@ scaledagile .com
    Reason of Termination     See attached statement


25 January 2017: document_1.zip: Extracts to: doc_details_jOiqRJ.js - Current Virus total detections 7/54*
Payload Security** doesn’t show any download or file action, but the VT comments by @techhelplist[3] shows a download of sage 2.0 from http ://affections .top/ff/55.exe (VirusTotal 9/56[4]). Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485324653/

** https://www.hybrid-a...vironmentId=100

3] https://twitter.com/...053746829291520

4] https://www.virustot...sis/1485304233/

5] https://www.hybrid-a...vironmentId=100
54.149.186.25: https://www.virustot...25/information/
> https://www.virustot...509d1/analysis/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 25 January 2017 - 05:19 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1877 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 26 January 2017 - 06:01 AM

FYI...

Fake 'USPS' SPAM - delivers Sage 2 ransomware
- https://myonlinesecu...e-2-ransomware/
26 Jan 2017 - "... Sage 2 ransomware has started to use the same email template that we see daily that normally delivers Locky ransomware and Kovter Trojans HERE:
> https://myonlinesecu...nd-locky-sites/
... The only noticeable difference between the 2 campaigns (until you actually analyze the files inside the zip attachments) is the file size and file names. In the Locky/Kovter versions they were using .js files but now use lnk files... Locky /Kovter use a file name something like Delivery-Receipt-3793490.zip that extracts to another zip file Delivery-Receipt-3793490.doc..zip  that eventually extracts to Delivery-Receipt-3793490.doc.lnk where the numbers change with each email received. There are numerous different download sites for the malware each day. Sage 2 ransomware uses a static named file for all emails, currently Delivery-Details.zip extracting to Delivery-Details.js - There is one download site each day... One of the emails looks like:
From: USPS Ground <uwawsne253468@ netpetar .com>
Date: Thu 26/01/2017 02:04
Subject: Delivery problem, parcel USPS #40088683
Attachment: Delivery-Details.zip
    Hello,
    Your item has arrived at Thu, 26 Jan 2017 03:04:09 +0100, but our courier
    was not able to deliver the parcel.
    You can download the shipment label attached!
    All the best.
    Leisha Marshman – USPS Support Agent.


26 January 2017: Delivery-Details.zip: Extracts to: Delivery-Details.js - Current Virus total detections 14/53*
Payload Security** shows a download from http ://affections .top/ff/55.exe (VirusTotal 14/56***) (Payload Security [4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485410870/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1485413961/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
54.211.245.199

affections .top: 54.165.5.111: https://www.virustot...11/information/

Country US / Autonomous System 14618 (Amazon.com, Inc.)
> https://www.virustotal.com/en/url/1d6b09c66cd47489598f77aff2f7922aca3b7dfbbb2441b958fcf97a841509d1/analysis/
52.203.213.69: https://www.virustot...69/information/
___

Fake 'Microsoft' SPAM - delivers malware
- https://myonlinesecu...nknown-malware/
26 Jan 2017 - "A blank/empty email pretending to come from Microsoft with a subject like 'RE: 23337 Microsoft Free 23337' with zip attachment that extracts to another zip file that in turn contains a malicious word doc...
Update: I am being told it is Ursnif banking Trojan... Update again: ... weird. This site is delivering different malware, almost at random it seems. Each visit gives a -different- file, although always the same name read.doc or read.php - currently all are 243kb but all have different file #. So far we have seen Cerber, Ursnif and the original unknown malware... The email looks like:
From: tcmf.microsoft <suard-c@ vendome .pf>
Date: Thu 26/01/2017 16:00
Subject: RE: 23337 Microsoft Free 23337
Attachment: 55554546637489.zip


Body content: totally blank/empty

> https://www.reverse....vironmentId=100
Contacted Hosts
208.67.222.222
195.5.126.248
46.150.69.43
188.27.92.82


> https://www.hybrid-a...vironmentId=100
Contacted Hosts (576)

26 January 2017: 55554546637489.zip: extracts to: 4446_ZIP.zip extracts to 4446.doc
Current Virus total detections 2/55*. Payload Security shows a download from
 http ://vvorootad .top/read.php?f=0.dat which delivers read.doc (which is -not- a doc file but a renamed .exe, although it has an icon that looks like a word doc) (VirusTotal 9/57**). Payload Security***... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485447397/

** https://www.virustot...sis/1485448703/

*** https://www.hybrid-a...vironmentId=100

vvorootad .top: 52.203.115.53: https://www.virustot...53/information/
> https://www.virustot...76629/analysis/
35.165.86.173: https://www.virustot...73/information/
> https://www.virustot...31339/analysis/
___

Spyware on a Chromebook ??
- http://www.computerw...chromebook.html
Jan 25, 2017 - "... According to Google*, it means the extension 'can enable, disable, uninstall or launch themes, extensions, and apps you have installed'. Uninstall and disable other extensions? Are you kidding me? Why does Chrome even allow this? Web browsers do -not- allow a page on one website to interact with a page on another. Why does Chrome let an extension from Developer A disable or uninstall one from Developer B? Perhaps worse is that Chrome does not warn, at installation time, about the modification to the New Tab page. This is inexcusable. And here's a sentence I never expected to write. When it comes to extensions modifying the New Tab page, Chrome on Windows is more secure than Chrome on Chrome OS..."
* https://support.goog...er/186213?hl=en

(More detail at the computerworld URL above.)
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 26 January 2017 - 03:35 PM.


#1878 AplusWebMaster


Posted 28 January 2017 - 09:07 AM

FYI...

Phish - using PDF attachments
- https://blogs.techne...df-attachments/
Jan 26, 2017 - "... deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the heightened phishing activity that we have come to expect every year during the holiday season has not subsided. Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where -you- are then asked-to-divulge sensitive information...
Example 1: One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity:
> https://msdnshared.b...2017/01/120.jpg
When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel”. But it’s actually a link to a website:
> https://msdnshared.b...creenshot-1.png
Clicking the link opens your browser and brings you to a website, where the social engineering attack continues with a message that the document is protected because it is confidential, and therefore you need to sign in with your email credentials:
> https://msdnshared.b...creenshot-2.png
... Don’t open attachments or click-links in suspicious emails. Even if the emails came from someone you know, if you are not expecting the email, be wary about opening the attachment, because spam and phishing emails may spoof the sender..."
(More detail at the blogs.technet.microsoft URL at the top of this post.)

 

:ph34r: :ph34r:   :grrr:



#1879 AplusWebMaster


Posted 30 January 2017 - 01:58 PM

FYI...

Netflix Scam delivers Ransomware
- http://blog.trendmic...ers-ransomware/
Jan 29, 2017 - "Netflix has a 93 million-strong subscriber base in more than 190 countries, so it’s unsurprising that cybercriminals want a piece of the pie. Among their modus operandi: stealing user credentials that can be monetized in the underground, exploiting vulnerabilities, and more recently infecting systems with Trojans capable of pilfering the user’s financial and personal information. What other purposes can stolen Netflix credentials serve? Offer them up as a bargaining chip to fellow cybercriminals, for instance. Or more nefariously, use them as a lure to trick certain users into installing malware (and turn a profit in the process).
If you’re planning to free ride your way into binge-watching your favorite shows on Netflix, think again. Your computer’s files may end up getting held hostage instead. We came across a -ransomware- (detected by Trend Micro as RANSOM_ NETIX.A) luring Windows/PC users with a Netflix account via a login generator, one of the tools typically used in software and account membership piracy. These programs are usually found on suspicious websites sharing cracked applications and access to premium/paid web-based services:
(The ransom note displayed as wallpaper in the affected system)
> https://blog.trendmi...ransomware1.jpg
(One of the ransom notes with instructions to victims)
> https://blog.trendmi...ransomware2.jpg
(Fake Netflix Login Generator)
> https://blog.trendmi...ransomware3.jpg
(The prompt window after clicking “Generate Login”)
> https://blog.trendmi...ransomware4.jpg
The ransomware starts as an executable (Netflix Login Generator v1.1.exe) that drops another copy of itself (netprotocol.exe), which is then executed. Clicking the “Generate Login” button leads to another prompt window that purportedly has the login information of a genuine Netflix account. RANSOM_NETIX.A uses these fake prompts/windows as a distraction while it performs its encryption routine on 39 file types under the C:\Users directory... The ransomware employs the AES-256 encryption algorithm and appends the encrypted files with the .se extension. The ransom notes demand $100 worth of Bitcoin (0.18 BTC) from its victims... Interestingly, the ransomware terminates itself if the system is -not- running Windows 7 or Windows 10... This highlights the significance for end users to keep their subscription accounts safe from crooks. Keep to your service provider’s security recommendations. More importantly, practice good security habits: beware of -emails- you receive pretending to be legitimate, regularly update your credentials, use two-factor authentication, and download -only- from official sources... Is getting your important files encrypted worth the piracy? Netflix’s premium plan costs around $12 per month, and allows content to be streamed on four devices at the same time. Compare that with $100 you need to pay in order to get your files decrypted. Getting them back isn’t guaranteed either, as other ransomware families have shown... Bad guys need only hack a modicum of weakness for which no patch is available — the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download -or- click-ads promising the impossible. If the deal sounds too good to be true, it usually is."
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 30 January 2017 - 02:06 PM.


#1880 AplusWebMaster


Posted 27 February 2017 - 06:53 AM

FYI...

Fake 'XpressMoney' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
27 Feb 2017 - "We continue to be plagued daily by fake financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]...
1] https://myonlinesecu.../?s=java adwind
This appears to be a newish Java Adwind version in this email... The email looks like:
From: XM.accounts@ xpressmoney .com <aproc@ xpressmoney .com>
Date: Mon 27/02/2017 00:56
Subject: Fwd: Reference: Xpress Money compliant report
Attachment: Details.zip
    Dear Agent,
    The attached Compliant report was issued on Thursday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked.
    Regards
    Nasir Usuman
    Regional Compliance Manager Pakistan & Afghanistan
    Global Compliance, Xpress Money ...


Email Headers: I have received -a lot- of these early this morning in 2 waves. They are coming from 2 IP numbers/servers:
60.249.230.30: https://www.virustot...30/information/
Country: TW
83.243.41.200: https://www.virustot...00/information/
Country: DE
70.32.90.96: https://www.virustot...96/information/
Country: US
83.243.41.200: https://www.virustot...00/information/
Country: DE

hinet.net: Could not find an IP address for this domain name...

27 February 2017: REF.XPIN 742352XXXXXXXXX.jar (333kb) -  Current Virus total detections 13/57*
Payload Security** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1488178107/

** https://www.hybrid-a...vironmentId=100
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 27 February 2017 - 02:36 PM.


#1881 AplusWebMaster


Posted 02 March 2017 - 07:00 AM

FYI...

Fake 'debit card' – Phish
- https://myonlinesecu...twest-phishing/
2 Mar 2017 - "... many email clients, especially on a mobile phone or tablet, only show the NatWest and not the bit in <xxxx>. This one has a HTML page attachment, not even a link to the phishing site in the email body. The attachment has the -link- which goes to:
 http ://www .immosouverain .be/css/supst.html which -redirects- you to the actual phishing site:
 http ://planurday .in/css/WaL0eHW/4!@_1.php?s0=;87d929c328f8c62a231c1cc95057fb7087d929c328f8c62a231c1cc95057fb70

Screenshot: https://myonlinesecu...ons-NatWest.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

immosouverain .be: 5.135.218.101: https://www.virustot...01/information/

planurday .in: 78.142.63.63: https://www.virustot...63/information/
 

:ph34r: :ph34r:   :grrr:
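Added example, not code from this post or from the Technet PDF-phish post above (#1878), covering both: the link in those attachments is the whole attack, so the defender's first move is to pull the URLs out of the PDF or HTML file without rendering it and compare the host against the brand the mail claims to be from. The PDF and HTML fixtures below are constructed (example.invalid hosts); the NatWest domain check is an assumption standing in for whatever brand the mail spoofs.

```python
"""Extract link targets from PDF and HTML mail attachments without opening
them in a viewer, then flag any that point away from the claimed brand.
Added example; fixtures are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# /URI (http://...) inside a PDF link annotation. PDF literal-string escapes
# are handled for the common cases \( \) and \\ only.
PDF_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def pdf_links(data: bytes) -> list:
    """Return every /URI target found in the raw PDF bytes."""
    out = []
    for m in PDF_URI.finditer(data):
        url = re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
        out.append(url)
    return out


class _HrefCollector(HTMLParser):
    """Collect <a href>, <meta http-equiv=refresh> and <form action> targets."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.links.append(m.group(1).strip())
        if tag == "form" and a.get("action"):
            self.links.append(a["action"])


def html_links(text: str) -> list:
    p = _HrefCollector()
    p.feed(text)
    return p.links


def off_brand(urls, claimed_domain: str) -> list:
    """Links whose host is neither the claimed domain nor a subdomain of it.
    A relative link (no host) is also flagged: an attachment has no site to be relative to."""
    bad = []
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            bad.append(u)
    return bad


# Constructed fixtures: a one-annotation PDF and an HTML "statement" that
# both bounce the reader to a host the bank does not own.
PDF_FIXTURE = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
               b"/A << /S /URI /URI (http://docs.example.invalid/open?id=1) >> >>\n"
               b"endobj\n%%EOF\n")
HTML_FIXTURE = ('<html><head><meta http-equiv="refresh" '
                'content="0; url=http://redirect.example.invalid/css/supst.html"></head>'
                '<body><a href="http://redirect.example.invalid/css/supst.html">'
                'View statement</a></body></html>')

if __name__ == "__main__":
    for kind, links in (("pdf", pdf_links(PDF_FIXTURE)), ("html", html_links(HTML_FIXTURE))):
        print(kind, links, "off-brand:", off_brand(links, "natwest.com"))
```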



#1882 AplusWebMaster


Posted 03 March 2017 - 10:43 AM

FYI...

'Free' AV coupon leads to tech support scam
- https://blog.malware...h-support-scam/
Mar 3, 2017 - "... This scheme is actually hosted on the same domain that was running the fake Windows support we described before and our assumption is that users are -redirected- to this coupon page via a similar malvertising campaign. It plays on special offers, discounts and time-limited deals to entice you to claim your product now, choosing between Norton or McAfee. After filling in your personal details (which are actually sent off to the crooks), a page simulates the offer being processed only to fail with an error message. Victims are misled into thinking that their offer was redeemed, but that they -must- perform a final call to get it completed... This is where the tech support scam comes in. Once you call that number, you are routed to an Indian boiler room where one of many agents will take remote control of your computer to figure out what went wrong. (Un)shockingly, the -bogus- technician will identify severe problems that need an immediate fix... Despite the scam being about Norton, the technician brushes it off as useless when it comes to the real deal: “Junk is a kind of virus which is the most harmful virus“. With his technical expertise, he proceeds to highly recommend the most expensive plan, for a lifetime low price of $400. Of course, there is nothing there, it’s a pure rip-off where once they have your money, they couldn’t care less about helping you out (for a problem you didn’t have in the first place anyway)... There are other scam domains also hosted on this IP (166.62.1.15)... Instantpccare .com is familiar and related to a previous investigation* where the owner of that tech support company incriminated himself by posting a comment on our blog which shared the same IP address as the remote technician who had just scammed us. As always, please stay vigilant online when you see 'free coupons' or other similar offers. They often are the gateway to a whole of trouble..."
* https://blog.malware...pport-scammers/

> https://blog.malware...-support-scams/

166.62.1.15: https://www.virustot...15/information/

Related:
166.62.1.1: https://www.virustot....1/information/
___

Fake 'IRS Urgent' SPAM - delivers ransomware
- https://myonlinesecu...ers-ransomware/
3 Mar 2017 - "... an email with the subject of 'IRS Urgent Notification' pretending to come from Dick Richardson who pretends to be an IRS Tax Officer. I have seen dozens of these and they all come from random email addresses. Dick Richardson changes his job in different emails. Sometimes he is a tax officer or a Tax Specialist or Tax department manager as well as an official representative...
Update: I am reliably informed[1] this is Shade/Troldesh ransomware...
1] https://id-ransomwar...ea894b2e24d5e47
Other subjects include:
    Realty Tax Arrears – IRS
    Please Note – IRS Urgent Message
    IRS Urgent Message
    Overdue on Realty Tax ...


One of the emails looks like:
From: Dick Richardson <electric@ oceanicresources .co.uk>
Date: Thu 01/09/2016 19:22
Subject: IRS Urgent Notification
Attachment: link-in-email
    Dear Citizen,
    My name is Dick Richardson, I am the official representative of the Internal Revenue Service, Realty Tax Department.
    My office is responsible for notification of citizens, description of the tax system for them, supporting citizens on issues related to tax procedures, arrears, and payments, etc.
    In the present case, I have to notify you that you have the considerable tax arrears pertaining to your property. More specifically, there is the tax debt for your realty – the realty tax. Generally, we make no actions in case of such delays for 4-6 months, but in your context, the overdue period comes to 7 months. Thereby, we must take relevant measures to remedy the situation.
    Particularly for your convenience, our specialists have made the full and comprehensive report for you. It contains the full information regarding realty tax accrual, your debt (including the total amount), and the chart of overdue payments for each month of the arrears period.
    Please download the report directly from the official server of the IRS, going to the link:
     http ://radiotunes .co.uk/wp-content/plugins/simple-social-icons/index0.html
    Please study the document at the earliest possible moment. Actually, after receiving this message, you have only 1 day to contact your taxmanager and provide them with the information you get in the report in order to resolve the problem. Differently, significant charges and fines may apply.
    Best Regards,
    Dick Richardson,
    Realty Tax Division
    Internal Revenue Service ...


Realty.tax.division.xls.zip: Extracts to: Realty.tax.division.xls.js -  Current Virus total detections 5/56*
Payload Security**  shows a download from
  www .metropolisbangkok .com/assets/70958ae0/fonts/gcdf/templates/winscr.exe (VirusTotal 14/58***)...
There are loads of -other- sites in the body of alternative emails downloading the .js file...
The basic rule is NEVER open any attachment -or- link-in-an-email, unless you are expecting it..."
* https://www.virustot...sis/1488549054/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (15)

*** https://www.virustot...4efab/analysis/

radiotunes .co.uk: 192.138.189.151: https://www.virustot...51/information/
> https://www.virustot...cf70f/analysis/

metropolisbangkok .com: 27.254.96.21: https://www.virustot...21/information/
> https://www.virustot...833c2/analysis/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 03 March 2017 - 04:07 PM.


#1883 AplusWebMaster


Posted 05 March 2017 - 04:12 PM

FYI...

Fake UPS, USPS, FedEx SPAM - deliver Cerber ransomware
- https://myonlinesecu...parcel-malspam/
4 Mar 2017 - "... we are noticing that the 2 different malspammed versions of spoofed/faked 'UPS, USPS, FedEx failed to deliver your parcel' malspam are now distributing Cerber ransomware instead of Locky or Sage 2 along with Kovter... I am continuing to document the 2 versions... changes and different sites used to distribute them: HERE[a] and HERE[b]...
a] https://myonlinesecu...nd-locky-sites/

b] https://myonlinesecu...ltiple-malware/

The subjects all mention something about 'failing to deliver parcels' and includes:
    Courier was not able to deliver your parcel (ID0000333437, FedEx)
    Our UPS courier can not contact you (parcel #4633881)
    USPS issue #06914074: unable to delivery parcel
    Parcel #006514814 shipment problem, please review
    USPS parcel #3150281 delivery problem
    Courier was not able to deliver your parcel (ID006976677, USPS)
    Parcel 05836911 delivery notification, USPS
    New status of your UPS delivery (code: 6622630)
    Please recheck your delivery address (UPS parcel 004360910)
    Status of your USPS delivery ID: 158347377
    FedEx Parcel: 1st Attempt Unsuccessful
    Delivery Unsuccessful, Reason: No Answer
    Express FedEx Parcel #614617064, Current Status: Delivery Failed

 ... basically identical in the body of the email (the delivery service changes and switches between FedEx, UPS, USPS) ... The attachment is a zip file with a second zip inside it that extracts to a .js file. These have names like UPS-Parcel-ID-4633881.zip that extracts to UPS-Parcel-ID-4633881.doc.zip that extracts to UPS-Parcel-ID-4633881.doc.js...

Screenshot: https://myonlinesecu...s_v1_cerber.png

... Examples of this version VirusTotal [1-4/56] [2-15/59] [3-7/59] Payload Security [4] [5] [6]...

Currently the format is < site from array.top >/counter/?< variable m>, where m is a long set of random-looking characters hard-coded in the .js file, and the actual download comes from site name.top /counter/exe1.exe. Yesterday was Cerber. VirusTotal [7-3/55] [8-17/59]. Payload Security[9] and /counter/exe2.exe delivers Kovter (VirusTotal 10-10/59). Currently at the time of writing all the .top sites I have listed are down and not responding. As soon as the new set of emails arrive, I will post images of them with any changes."
1] https://www.virustot...sis/1488613659/
UPS-Parcel-ID-4633881.doc.js

2] https://www.virustot...sis/1488609050/
5d3fa709e29d.png

3] https://www.virustot...sis/1488609063/
fe3be7902ac8.png

4] https://www.hybrid-a...vironmentId=100
UPS-Parcel-ID-4633881.doc.js
Contacted Hosts (1234)

5] https://www.hybrid-a...vironmentId=100
fe3be7902ac8.png
Contacted Hosts (1088)

6] https://www.hybrid-a...vironmentId=100
5d3fa709e29d.png
Contacted Hosts (382)

7] https://www.virustot...sis/1488510919/
Delivery-Details.js

8] https://www.virustot...8b651/analysis/
carved_1.exe

9] https://www.hybrid-a...vironmentId=100
Contacted Hosts (1240)

10] https://www.virustot...sis/1488526482/
exe2[1].exe
 

:ph34r: :ph34r:   :grrr:
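Added example (not code from the post above or from myonlinesecurity): a mail-filter rule that scores subject lines against the three things every subject in this campaign shares (a carrier name, delivery-failure wording, a fake parcel number) and a URL check for the <site>.top/counter/?<m> and /counter/exe1.exe download form the post describes. SAMPLE_SUBJECTS are the subjects quoted in the post; the benign control subjects and the .top host names in the test are constructed.

```python
"""Subject-line scoring and download-URL matching for the UPS/USPS/FedEx
'failed to deliver your parcel' malspam. Added example; thresholds are a
starting point, not a tuned rule."""
import re
from urllib.parse import urlsplit

CARRIER = re.compile(r"\b(UPS|USPS|FedEx)\b", re.I)
FAILURE = re.compile(
    r"not able to deliver|can ?not contact|unable to deliver\w*|"
    r"delivery (?:problem|failed|notification|unsuccessful)|shipment problem|"
    r"recheck your delivery address|status of your|1st attempt unsuccessful|no answer",
    re.I)
# Fake parcel / case numbers: 'ID0000333437', 'parcel #4633881', 'code: 6622630'
PARCEL_ID = re.compile(
    r"\b(?:ID|code|parcel|issue)\s*[:#]?\s*(\d{6,12})\b|#\s*(\d{6,12})\b", re.I)
# <site>.top/counter/?<m> with m hard-coded in the .js, or /counter/exe1.exe, exe2.exe
COUNTER_PATH = re.compile(r"^/counter/(?:\?[A-Za-z0-9]{8,}|exe[12]\.exe)$")

SAMPLE_SUBJECTS = [
    "Courier was not able to deliver your parcel (ID0000333437, FedEx)",
    "Our UPS courier can not contact you (parcel #4633881)",
    "USPS issue #06914074: unable to delivery parcel",
    "Parcel #006514814 shipment problem, please review",
    "USPS parcel #3150281 delivery problem",
    "Courier was not able to deliver your parcel (ID006976677, USPS)",
    "Parcel 05836911 delivery notification, USPS",
    "New status of your UPS delivery (code: 6622630)",
    "Please recheck your delivery address (UPS parcel 004360910)",
    "Status of your USPS delivery ID: 158347377",
    "FedEx Parcel: 1st Attempt Unsuccessful",
    "Delivery Unsuccessful, Reason: No Answer",
    "Express FedEx Parcel #614617064, Current Status: Delivery Failed",
]


def subject_score(subject: str) -> int:
    """1 point for a carrier name, up to 2 for failure wording, 1 for a parcel id."""
    score = 1 if CARRIER.search(subject) else 0
    score += min(len(FAILURE.findall(subject)), 2)
    score += 1 if PARCEL_ID.search(subject) else 0
    return score


def is_parcel_malspam(subject: str, threshold: int = 2) -> bool:
    """A carrier name alone is normal mail; two of the three signals is the campaign."""
    return subject_score(subject) >= threshold


def is_counter_url(url: str) -> bool:
    """True for the .top/counter/ download pattern the .js droppers use."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path + ("?" + u.query if u.query else "")
    return host.endswith(".top") and bool(COUNTER_PATH.match(path))


if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS + ["Your UPS My Choice weekly summary", "Lunch on Friday?"]:
        print(subject_score(s), is_parcel_malspam(s), s)
```

Scoring rather than matching one phrase is deliberate: the post says the body and carrier rotate daily, so a rule keyed on a single subject string would be stale by the next wave, while the carrier + failure + number combination survives the rewording.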



#1884 AplusWebMaster


Posted 06 March 2017 - 03:29 PM

FYI...

Fake 'DVLA' SPAM - delivers Trojan
- https://myonlinesecu...banking-trojan/
6 Mar 2017 - "Following on from recent parking, speeding and companies investigations malspam delivering ursnif banking Trojan, today's example spoofs the DVLA and pretends to be a warning that you will be fined if you don’t report the change of keeper. They use email addresses and subjects that will scare, persuade or entice a user to read the email and open the attachment -or- follow the links-in-the-email... Following the link-in-the-email you get sent via a passthrough/redirect site where you eventually land on the fake/spoofed DVLA site...

Screenshot: https://myonlinesecu...nal-Warning.png

Case_10133-4.js - Current Virus total detections 5/56*. Payload Security** shows a download from
 http ://djphanton .de/Tatjanapolinski/wp-admin/network/MEJMhJDp/cs.pdf which is -not- a pdf but a renamed .exe file (VirusTotal 36/58***)... The basic rule is NEVER open any attachment -or- click-on-a-link in an email, unless you are expecting it..."
* https://www.virustot...sis/1488549054/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
27.254.96.21
128.31.0.39
193.23.244.244
212.51.143.20
51.254.112.52
95.215.61.4
195.154.97.160
178.62.43.5
178.33.107.109
104.200.16.227
195.169.125.226
217.79.178.60
213.197.22.124
85.214.115.214


*** https://www.virustot...4efab/analysis/

djphanton .de: 85.214.35.155: https://www.virustot...55/information/
> https://www.virustot...0bc39/analysis/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 07 March 2017 - 06:14 AM.


#1885 AplusWebMaster


Posted 07 March 2017 - 07:31 AM

FYI...

Fake 'BENEFICIARY' SPAM - delivers java malware
- https://myonlinesecu...rs-java-adwind/
7 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments... we are seeing 2 slightly different delivery methods today both spoofing Orient Exchange Co. (L.L.C.)...
The 1st email looks like:
From: a.bouazza@ bkam .ma
Date: Tue 07/03/2017 09:34
Subject: BENEFICIARY REMITTANCE CONFIRMATION
Attachment: BENFICIARY REMITTANCE CONFIRMATION.zip
Body content:
    Dear agent,
    Please kindly Confirm the status of this transaction.
    The remitter demands for the payment record, because the beneficiary has
    filed a complaint against your remitting outlet.
    So Please kindly check the attached complaint form and reference of
    transaction if it was paid, Please report to us with receipt of
    transaction to clear your name.
    Thanking You,
    Orient Exchange Co. (L.L.C.)...


Version 1 (the attached zip): BENFICIARY REMITTANCE CONFIRMATION.jar (274kb) is using a 1 week old version of java adwind Trojan Current Virus total detections 14/57*: Payload Security** ...

The second version is slightly more devious and has a genuine PDF attachment that contains-a-link to dropbox
 ( https ://www.dropbox .com/s/jws0fszxa48c3sx/COMPLAIN%20OF%20UNPAID%20REMITTANCE.zip?dl=0) to download the zip file that contains 2 different copies of the java jar files...

Screenshot: https://myonlinesecu...dropbox-pdf.png

Version 2 (the dropbox) contains 2 identical java.jar files
 BENEFICIARY COMPLAINT FORM FILED AGAINST YOUR BRANCH.jar -and-
 CONFIRMATION AND REFRENCE OF THIS TRANSACTION NEEDED.jar (323kb) VirusTotal 25/56*** | Payload Security[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1488354204/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1488888491/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.243.41.200: https://www.virustot...00/information/
> https://www.virustot...dc1d0/analysis/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 07 March 2017 - 08:05 AM.


#1886 AplusWebMaster


Posted 08 March 2017 - 09:33 AM

FYI...

Fake 'invoice' SPAM - delivers malware
- https://myonlinesecu...banking-trojan/
8 Mar 2017 - "An email with the subject of 'copy invoice 581652' pretending to come from Wes gatewood <Wes@ onehotcookiefranchise .com> with a malicious word doc attachment delivers what looks like Dridex banking Trojan... The email looks like:
From: Wes gatewood <Wes@ onehotcookiefranchise .com>
Date: Wed 08/03/2017 12:47
Subject: copy invoice 581652
Attachment: inv-0928(copy).doc
    Hi,
    Please see attached copy invoice 581652
    Wes gatewood
    Direct Tel: 01787 658153
    Fax: 01787 658153 ...


inv-0928(copy).doc - Current Virus total detections 5/57*: Payload Security** shows a download from  http ://birchwoodplaza .com/54gf3f (VirusTotal 9/59***) which I am guessing is Dridex... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1488977021/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
72.167.131.153
107.170.0.14
37.120.172.171
81.12.229.190


*** https://www.virustot...sis/1488970720/

birchwoodplaza .com: 72.167.131.153: https://www.virustot...53/information/
> https://www.virustot...b61cf/analysis/
 

:ph34r: :ph34r:   :grrr:



#1887 AplusWebMaster


Posted 13 March 2017 - 11:28 AM

FYI...

Fake 'Receipt' SPAM - delivers Trojan
- https://myonlinesecu...roved-purchase/
13 Mar 2017 - "... a password protected docx file as the malware attachment, spoofing https ://www.eway .com.au/, a well known Australian credit card payment/processing service. Without entering the password you cannot see the content of the word doc and that will -allow- it past antivirus checks... an email with the subject of 'Receipt of APPROVED purchase' pretending to come from customer@ ewaystore .info with a malicious word doc or Excel XLS spreadsheet attachment delivers what looks like some sort of Zeus/Zbot/ Panda banking Trojan... However ewaystore .info was registered on 12 March 2017 by criminals:
- https://whois.domain.../ewaystore.info

Screenshot: https://myonlinesecu...oofed-email.png

The word doc looks like:
- https://myonlinesecu...us-word-doc.png

... Other subjects in this series seen so far include, some with and some without various numbers of exclamation marks:
    Receipt of APPROVED payment!
    Receipt of APPROVED purchase!
    Receipt of APPROVED purchase
    Receipt of APPROVED purchase at eWAY!!
    Receipt of APPROVED purchase!! ...


Order_326794.docx ... Luckily the contact who sent me this did manage to find the download which is
  http ://earlychildhoodconsulting .com.au/flash.exe (VirusTotal 8/60*). Payload Security** which in turn downloads groupcreatedt .at/pav/32.bin (VirusTotal 0/54***) which is encrypted and will be either data or needs to be decrypted by the flash.exe or the original docx file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.c...e0420/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.111.243.83
208.67.222.222


*** https://www.virustot...sis/1481049239/

earlychildhoodconsulting .com.au: 192.185.163.104: https://www.virustot...04/information/
> https://www.virustot...af87c/analysis/

groupcreatedt .at: 5.105.45.139
46.98.252.42
46.119.92.41
93.113.176.105
77.122.51.2
195.211.242.109
93.78.227.231
176.99.113.116
109.87.247.145
37.229.39.217

 



Edited by AplusWebMaster, 13 March 2017 - 11:40 AM.


#1888 AplusWebMaster

Posted 15 March 2017 - 04:54 AM

FYI...

Fake 'payment receipt' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
15 Mar 2017 - "... an email with the subject of 'Document:36365' coming from random companies, names and email addresses with a semi-random named zip attachment which delivers what looks like Dridex banking Trojan ... One of the emails looks like:
From: Susie <Susie@ novayaliniya .com>
Date: Wed 15/03/2017 09:35
Subject: Document:36365
Attachment: document_3332.zip
    Attached is the copy of your payment receipt.
    Susie


document_3332.zip: Extracts to: file_356.js - Current Virus total detections 0/56*
MALWR** shows a download of a txt file from http ://mercurytdsconnectedvessel .com/hjg6657 which is renamed by the script to hjg6657.exe (VirusTotal 8/61***) MALWR[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...c9b79/analysis/

** https://malwr.com/an...DE1MjE0NWM0ZjQ/

*** https://www.virustot...sis/1489573275/

4] https://malwr.com/an...zNkNmZkZDRlODQ/

mercurytdsconnectedvessel .com: 66.135.46.202: https://www.virustot...02/information/
> https://www.virustot...55bf7/analysis/
___

US accuses Russia of Yahoo hacks
- http://www.cnbc.com/...s-tell-nbc.html
Mar 15, 2017 - "The Department of Justice indicted two Russian intelligence officers and two other people, on charges stemming from the hacking of at least half a billion Yahoo accounts. The defendants, including two officers of the Russian Federal Security Service, Dmitry Dokuchaev and Igor Sushchin, were able to gain information about "millions of subscribers" at Yahoo, Google, and other webmail providers, the Justice Department said. Dokuchaev and Sushchin paid co-conspirators Alexsey Belan and Karim Baratov to access email accounts, the Justice Department said... Acting Assistant Attorney General Mary McCord said that Belan is a 'notorious' criminal hacker — one of the FBI's most wanted — known for hacking U.S. e-commerce companies. Belan used the Yahoo attacks to launch spam campaigns, searched user communications for credit card and gift card numbers, and other schemes to 'line his own pockets with money', McCord said.
The FSB — an intelligence and law enforcement agency and a successor to the Soviet Union's KGB — used Belan to break into Yahoo's network instead of detaining him, McCord said. Baratov, a Canadian, was arrested on Tuesday, the DOJ said.
Yahoo disclosed two separate data breaches last year, both among the biggest in history. A 2013 attack revealed in December affected more than 1 billion user accounts. In a separate 2014 attack, disclosed in September, information was stolen from at least 500 million user accounts. The Justice Department said Wednesday's indictment concerned at least 500 million Yahoo accounts for which account information was stolen and at least 30 million Yahoo accounts for which account contents. Eighteen accounts with other providers, such as Google, were affected. Targets included Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies, according to the Justice Department..."
- https://www.databrea...ahoo-intrusion/
Mar 15, 2017

> https://www.justice....oo-and-millions
Mar 15, 2017
> https://www.fbi.gov/...-intrusion-case
Mar 15, 2017

> https://www.fbi.gov/...r/alexsey-belan
 



Edited by AplusWebMaster, 16 March 2017 - 12:26 PM.


#1889 AplusWebMaster

Posted 16 March 2017 - 04:49 AM

FYI...

Fake 'Returned Sendout Transaction' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
16 Mar 2017 - "... This appears to be a newish Java Adwind version in this email, see below for details. The zip/Rar file contains -2- different sized and differently named java.jar files that both are slightly different Adwind versions...

Screenshot: https://myonlinesecu...Transaction.png

Benficiary details.jar (497kb) - Current Virus total detections 19/58*
Transaction Report.jar (267kb) - Current Virus total detections 18/59**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1489657794/

** https://www.virustot...sis/1489657804/
 




#1890 AplusWebMaster

Posted 18 March 2017 - 07:39 AM

FYI...

Update to Fake 'FedEx, UPS and USPS' SPAM - delivers ransomware
- https://myonlinesecu...-simple-stupid/
18 Mar 2017 - "A quick update to the never ending spoofed emails from 'FedEx, UPS and USPS cannot deliver your parcel' malspam that generally delivers Locky ransomware and Kovter with the occasional Nemucod ransomware or Cerber ransomware thrown into the mix... noticed a slight change today where it looks like the “apprentice” coding the javascript file in the email -attachment- has tried to be too clever and resulted in a spectacular fail. Instead of the usual “counter.js” or “counter.txt” that gives the current download sites and what malware to download & run it just gives the php interpreter file that they bundle with the malware downloads...
Update 18 March 2017: Another mistake from this gang today. Once again an incorrect “var m” is hardcoded in the js file attachment. MALWR* | Payload Security**. If “var m” ends in a character (a-z, A-Z) you get the counter.txt telling you which sites to download from & what malware to download. If “var m” ends in a number 0-9 you either get an empty file or in the case of 1-5 various files associated with the malware kit. 1 is normally Locky, occasionally Cerber and very rarely has been Sage ransomware. 2 is always kovter. 3 and 4 are innocent php interpreter files that the malware uses to do its nefarious deeds. 5 (when it exists) is a php list of file types to encrypt. Some days or weeks 5 does not exist & the list of file types to encrypt is hard coded into one of the other files...
* https://malwr.com/an...GY2NGQzNjNkMmU/
Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128


** https://www.hybrid-a...vironmentId=100
Contacted Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128


... all sites are downloading a 0 byte harmless empty file but if you do a little bit of simple editing of the javascript file and correct the apprentice’s mistake by removing the last digit to leave a character you get MALWR*** | Payload Security[4] -both- showing crypted files and nemucod ransomware at work.
Direct downloads of the malware 1.exe (Locky) VirusTotal 13/62[5] | 2.exe (kovter) VirusTotal 16/62[6]
Currently counter.txt is nemucod ransomware, which delivers a very heavily obfuscated javascript file...
*** https://malwr.com/an...DBhMTQ3NTZhNmU/
Hosts
184.168.58.126
50.63.219.1


4] https://www.hybrid-a...vironmentId=100
Contacted Hosts (423)

5] https://www.virustot...sis/1489825684/

6] https://www.virustot...sis/1489825694/

... you end up with this txt file on your desktop (and normally the same as a html desktop background) the bitcoin address and the download decryptor links are individual to each javascript attachment. -Every- email attachment has a randomly hard coded address, which is embedded inside the Var “m” in the javascript..."
 




#1891 AplusWebMaster

Posted 20 March 2017 - 04:42 AM

FYI...

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
20 Mar 2017 - "... a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically... The link-in-the-email does not go to dropbox but to a compromised website being used to spread this malware https ://www.opelhugg .com/components/Sendout Report.zip... As usual with these, the zip contains -2- differently named and different size java.jar files...

Screenshot: https://myonlinesecu...tion-Report.png

beneficiary and mtcn details.jar (272kb) - Current Virus total detections 15/59* MALWR**
Sender’s copy of pending transaction..jar (501kb) - Current Virus total detections 20/58***. MALWR[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1489993883/

** https://malwr.com/an...TZkN2JjYTBmNTY/

*** https://www.virustot...sis/1489993897/

4] https://malwr.com/an...jdhMTgyNzExMDM/

opelhugg .com: 208.83.210.25: https://www.virustot...25/information/
> https://www.virustot...38ffe/analysis/
___

Fake 'Your order' SPAM - delivers Ramnit
- http://blog.dynamoo....spam-using.html
20 Mar 2017 - "... comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).
    From: customerservice@ newshocks .com [mailto:customerservice@ newshocks .com]
    Sent: 15 March 2017 18:23
    Subject: [Redacted] Your order 003009 details
    Hello [redacted],
    We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
    If you have an online account with us, you can log in here to see the current status of your order.
    You will receive another e-mail from us when we have despatched your order.
    Information on order 003009 status here
    All prices include VAT at the current rate. A full VAT receipt will be included with your order.
    Delivery Address:
    [Name and address redacted]
    If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
    Best regards and many thanks...


The newshocks .com domain used in the "From" field matches the sending server of rel209.newshocks .com (also mail.newshocks .com) on 185.141.164.209. This appears to be a legitimate but -unused- domain belonging to a distributor of car parts. The link-in-the-email goes to clipartwin .com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit* or similar. This is using another -hijacked- but apparently legitimate web server. I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient..."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
180.149.132.47
185.117.74.77
52.9.172.230


185.141.164.209: https://www.virustot...09/information/

newshocks .com: 143.95.232.95: https://www.virustot...95/information/

clipartwin .com: 198.54.115.198: https://www.virustot...98/information/
___

Twitter app spams... and Amazon surveys
- https://blog.malware...amazon-surveys/
Mar 20, 2017 - "... dodgy download links and random Zipfiles claiming to contain stolen nude photos and video clips, but today we’re going to look at one specific -spam- campaign aimed at Twitter users. The daisy chain begins with multiple links claiming to display stolen images of Paige, a well known WWE wrestler, caught up in the latest dump of files. With regards to two specific messages, we saw close to -300- over a 24 hour period (and it’s possible there were others we didn’t see). These appear to have been the most common:
> https://blog.malware...03/app-spam.jpg
... The Bit(dot)ly link, so far clicked close to 7,000 times, resolves to the following:
twitter(dot)specialoffers(dot)pw/funnyvideos/redirect(dot)php
That smoothly segues into an offered Twitter App install tied to a site called Viralnews(dot)com:
> https://blog.malware...app-install.jpg
... there’s one final -redirect- URL (a bit(dot)do address) which leads to an Amazon themed survey gift card page. Suffice to say, filling this in hands your personal information to marketers – and there’s no guarantee you’ll get any pictures at the end of it (and given the images have been stolen without permission, one might say the people jumping through hoops receive their just desserts in the form of a large helping of “nothing at all”)... it’s time to return to the app and see what it’s been up to on the Twitter account we installed it on:
> https://blog.malware...r-spam-pile.jpg
Automated spam posts, complete with yet more pictures used as bait. As freshly leaked pictures and video of celebrities continue to be dropped online, so too will scammers try to make capital out of image-hungry clickers. Apart from the fact that these images have been taken without permission so you really shouldn’t be hunting for them, anyone going digging on less than reputable sites is pretty much declaring open season on their computers. Do yourself a favor and leave this leak alone..."
 



Edited by AplusWebMaster, 20 March 2017 - 11:51 AM.


#1892 AplusWebMaster

Posted 21 March 2017 - 03:20 PM

FYI...

Canada/U.K. hit by Ramnit Trojan - malvertising
- https://blog.malware...ising-campaign/
Mar 21, 2017 - "Over the last few days we have observed an increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously -redirect- users to the RIG exploit kit. This particular campaign abuses the ExoClick ad network (ExoClick was informed and took action to stop the fraudulent advertiser based on our reports) and, according to our telemetry, primarily targets Canada and the U.K. The ultimate payloads we collected during this time period were all the Ramnit information stealer (banking, FTP credentials, etc.) which despite a takedown in 2015 has rebounded and is quite active again... The payloads we collected via our honeypot were all the Ramnit Trojan, which is interesting considering the traffic flow from the TDS (Canada, U.K. being the most hits recorded in our telemetry)...
IOCs...
RIG EK IPs:
188.225.38.209
188.225.38.186
188.225.38.164
188.225.38.131
5.200.52.240
"
(More detail at the malwarebytes URL above.)
___

'Important Notification' - phish
- https://myonlinesecu...-phishing-scam/
21 Mar 2017 - ".. my webmail is being blocked for spreading viruses, or so this -phishing- scam wants me (and you) to believe...

Screenshot: https://myonlinesecu...ail-blocked.png

The link goes to http ://ostelloforyou.altervista .org/modules/007008.php where it -redirects- to a page looking like a typical webmail login page on a Cpanel server http ://transcapital .com.ge/language/hgfghj/webmail/index.php where after you insert an email address and password are bounded on to a genuine Cpanel webmail login page on http ://jattours .com:2095/ which appears to be an innocent site picked at random and doesn’t give any indication of actually being hacked or compromised:
> https://myonlinesecu...bmail-login.png "

ostelloforyou.altervista .org: 104.28.14.157: https://www.virustot...57/information/
> https://www.virustot...5395f/analysis/
104.28.15.157: https://www.virustot...57/information/
> https://www.virustot...5395f/analysis/

transcapital .com.ge: 213.157.215.229: https://www.virustot...29/information/
> https://www.virustot...9300d/analysis/

jattours .com: 192.163.250.41: https://www.virustot...41/information/
 



Edited by AplusWebMaster, 22 March 2017 - 04:39 AM.


#1893 AplusWebMaster

Posted 22 March 2017 - 07:30 AM

FYI...

Fake 'Energy bill' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
22 Mar 2017 - "A blank-empty-email with the subject of 'Your GB Energy Supply bill 00077334 is attached' pretending to come from szaoi <szaoi@ 21cn .com> with a malicious word doc attachment delivers Dridex banking Trojan... The email looks like:
From: szaoi <szaoi@ 21cn .com>
Date: Wed 22/03/2017 11:14
Subject: Your GB Energy Supply bill 00077334  is attached
Attachment: bill 000309573.docm


Body content: totally blank/Empty

bill 000309573.docm - Current Virus total detections 11/59*. Payload Security** | Malwr***

Manual analysis shows a download of an encrypted file from one of these locations:
palmcoastcondo .net/de3f3
shadowdalestorage .com/de3f3
lpntornbook .com/de3f3
precisioncut .com.au/de3f3
... which is converted by the macros to polivan2.exe (VirusTotal 12/62[4]) (Payload Security[5]) (MALWR[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1490183915/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
52.0.119.245
8.8.247.36
107.170.0.14
37.120.172.171
81.12.229.190


*** https://malwr.com/an...2VkMjIzZjFkY2Q/
Hosts
52.0.119.245

4] https://www.virustot...sis/1490184702/

5] https://www.hybrid-a...vironmentId=100
8.8.247.36
107.170.0.14
37.120.172.171
81.12.229.190


6] https://malwr.com/an...DliZDRkZmRiMjM/
__

'Blank Slate' campaign pushing Cerber ransomware
- https://isc.sans.edu...nsomware/22215/
2017-03-22 - "Cerber ransomware has been a constant presence since it was first discovered in February 2016.  Since then, I've seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. I've also been tracking Cerber on a daily basis from malicious spam (malspam). Some malspam pushing Cerber is part of the 'Blank Slate' campaign. Why call it Blank Slate? Because the emails have -no- message text, and there's nothing to indicate what, exactly, the attachments are. Subject lines and attachment names are vague and usually consist of random numbers. An interesting aspect of this campaign is that the file attachments are double-zipped. There's a zip archive within the zip archive. Within that second zip archive, you'll find a malicious JavaScript (.js) file -or- a Microsoft Word document. These files are designed to infect a computer with ransomware...
> https://isc.sans.edu...ry-image-09.jpg
... Potential victims must open an attachment from a -blank- email, go through -two- zip archives, then double-click the final file. If the final file is a Word document, the victim must also enable-macros..."
(More detail at the isc URL at the top.)
 



Edited by AplusWebMaster, 23 March 2017 - 04:47 AM.

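The 'Blank Slate' pattern described in the post above (a blank e-mail, a zip inside a zip, then a .js file or a macro document) and the earlier posts' renamed ".txt" executables and password-protected Office files are all things a mail gateway or an analyst can triage before anyone double-clicks. The following is an added example, not code from this thread or from the ISC or myonlinesecurity posts it quotes; the archives it inspects are constructed inside the script and contain no malware, and the extension and magic-byte lists are my own assumptions about what counts as risky.

```python
"""Triage of nested ('double-zipped') e-mail attachments.

Added example, not code from this thread or the blogs it quotes. Walks a zip
attachment recursively in memory and flags: script/executable/macro-document
members (with the nesting depth they sit at); members whose magic bytes
disagree with their extension (a '.txt' that is really a PE executable);
Office documents carrying a VBA project; and encrypted members it cannot
inspect. The sample archives are constructed below and contain no malware.
"""
import io
import os
import zipfile
from dataclasses import dataclass, field

# Extensions an unexpected, blank e-mail should never legitimately carry (assumed list).
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
                    ".jar", ".exe", ".scr", ".dll", ".docm", ".dotm", ".xlsm", ".dot"}
MAX_DEPTH = 4  # do not descend past this; such nesting is itself a red flag

# (magic prefix, label, extensions that legitimately carry that content)
MAGIC = [
    (b"MZ", "PE executable", {".exe", ".dll", ".scr"}),
    (b"GIF8", "GIF image", {".gif"}),
    (b"%PDF", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".jar", ".docx", ".docm", ".dotm", ".xlsx", ".xlsm"}),
    (b"\xd0\xcf\x11\xe0", "OLE2 compound document", {".doc", ".dot", ".xls", ".msi"}),
]

@dataclass
class Finding:
    path: str    # member path inside the attachment, e.g. "92035.zip/27369.zip/84712.js"
    reason: str

@dataclass
class TriageReport:
    findings: list = field(default_factory=list)
    max_depth_seen: int = 0

    def verdict(self) -> str:
        return "suspicious" if self.findings else "clean"

def sniff(data: bytes):
    """Return (label, allowed extensions) for a known magic prefix, else (None, set())."""
    for prefix, label, exts in MAGIC:
        if data.startswith(prefix):
            return label, exts
    return None, set()

def _walk(data: bytes, path: str, report: TriageReport, depth: int) -> None:
    report.max_depth_seen = max(report.max_depth_seen, depth)
    ext = os.path.splitext(path.lower())[1]
    if path.lower().endswith("vbaproject.bin"):      # OOXML part that holds VBA macros
        report.findings.append(Finding(path, "VBA macro project inside Office document"))
        return
    if ext in RISKY_EXTENSIONS:
        report.findings.append(Finding(path, f"risky attachment type {ext} at archive depth {depth}"))
    label, allowed = sniff(data)
    if label and ext not in allowed:
        report.findings.append(Finding(path, f"content is {label} but extension is {ext or '(none)'}"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    if depth >= MAX_DEPTH:
        report.findings.append(Finding(path, f"archive nested deeper than {MAX_DEPTH} levels; not descended"))
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            child = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose flag bit 0 = encrypted entry
                report.findings.append(Finding(child, "encrypted member; cannot inspect without password"))
                continue
            _walk(zf.read(info), child, report, depth + 1)

def triage_attachment(name: str, data: bytes) -> TriageReport:
    """Depth 0 is the attachment itself, 1 the outer archive's members, and so on."""
    report = TriageReport()
    _walk(data, name, report, depth=0)
    return report

def build_blank_slate_sample() -> bytes:
    """Constructed zip -> zip -> .js archive in the 'Blank Slate' shape (placeholder content)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("84712.js", "// constructed placeholder, not a real script\n")
        zf.writestr("notes.txt", b"MZ" + b"\x00" * 62)  # PE header bytes under a .txt name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("27369.zip", inner.getvalue())
    return outer.getvalue()

def build_macro_doc_sample() -> bytes:
    """Constructed minimal .docm: an OOXML zip containing an (empty) VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in (("92035.zip", build_blank_slate_sample()), ("invoice.docm", build_macro_doc_sample())):
        rep = triage_attachment(name, blob)
        print(f"{name}: {rep.verdict()} (max depth {rep.max_depth_seen})")
        for f in rep.findings:
            print(f"  {f.path}: {f.reason}")
```

The depth recorded with each finding is the useful signal here: a script two archive levels down in an otherwise empty mail is exactly the shape the ISC post describes, and the magic-byte check catches the "txt file renamed to .exe" trick from the earlier Dridex post without needing to run anything. Encrypted members are reported rather than skipped silently, since a password-protected document that antivirus cannot open is itself the lure in the eWAY post above.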

#1894 AplusWebMaster

Posted 23 March 2017 - 05:36 AM

FYI...

Word file targets -both- Windows and Mac OS X
- https://blog.fortine...crosoft-windows
Mar 22, 2017 - "... new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X -and- Microsoft Windows systems...
When the Word file is opened, it notifies victims to enable-the-Macro security option, which allows the malicious VBA code to be executed...
IoCs: URL:
hxxps ://sushi.vvlxpress .com:443/HA1QE
hxxps ://pizza.vvlxpress .com:443/kH-G5
hxxps ://pizza.vvlxpress .com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/
hxxps ://sushi.vvlxpress .com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/ "
(More detail at the fortinet URL above.)

vvlxpress .com: 184.168.221.63: https://www.virustot...63/information/
> https://www.virustot...5a0d7/analysis/

- https://www.helpnets...rd-windows-mac/
Mar 23, 2017 - "... The malicious Word file is currently flagged by nearly half of the malware engines used by VirusTotal*..."
* https://www.virustot...48a74/analysis/
 




#1895 AplusWebMaster

Posted 24 March 2017 - 06:41 AM

FYI...

Fake 'Photos' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
24 Mar 2017 - "... still not seeing the full volume of malware we have been used to seeing, but it is coming in steadily. They have gone back to an old favorite with an email pretending to be from some girl with a simple message saying 'photos' and a simple body content saying 'last 2'. I have only seen 1 copy so far and mine said it came from Georgia. I am pretty sure that almost any girls name will be used, it was in previous runs of this nature... Manual analysis shows a download of an encrypted file from one of these locations:
golongboard .pl/b723dd?
taddboxers .com/b723dd?
dfl210 .ru/b723dd?
naturalcode-thailand .com/b723dd? which is converted by the script to tRIVqu.exe3 and autorun by the script
(VirusTotal 6/62*)...
* https://www.virustot...sis/1490356510/

One of the emails looks like:
From: Georgia
Date: Thu 01/09/2016 19:22
Subject: photos
Attachment: IMG_67727.zip

    last 2


IMG_67727.zip: Extracts to: IMG_7339.vbs and a simple text file with loads of random characters.
Current Virus total detections 7/57**: Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustot...sis/1490355913/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.23.21.169
8.8.247.36
192.99.108.183
107.170.0.14
37.120.172.171


golongboard .pl: 185.23.21.17: https://www.virustot...17/information/
185.23.21.169: https://www.virustot...69/information/
> https://www.virustot...2c5be/analysis/
taddboxers .com: 107.180.55.17: https://www.virustot...17/information/
> https://www.virustot...d425d/analysis/
dfl210 .ru: 194.63.140.43: https://www.virustot...43/information/
> https://www.virustot...23923/analysis/
 



Edited by AplusWebMaster, 24 March 2017 - 07:04 AM.


#1896 AplusWebMaster

Posted 25 March 2017 - 05:35 AM

FYI...

Fake 'Unusual sign-in' SPAM - delivers ransomware
- https://myonlinesecu...rome_update-exe
24 Mar 2017 - "... a change to one of the common Cerber -ransomware- delivery methods today... pretends to be from Adobe. The body content is all about an unusual sign in activity on your Microsoft account and the -link- goes to a spoofed/fake Chrome download site where the malware payload is a -fake- Google chrome installer...

Screenshot: https://myonlinesecu...in-activity.png

... Remember many email clients, especially on a mobile phone or tablet, only show the 'Name' in the 'From': and not the bit in <domain .com>. That is why these scams and phishes work so well...

chrome_update.exe - Current Virus total detections 19/61*. Payload Security**.. MALWR***...
The link in the email goes to http ://chromebewfk .top/site/chrome_update.html where you see this -fake- Google Chrome download page... numerous other sites involved in this campaign, some delivering Cerber and some Locky ransomware. One other site I have found is:
  voperforseanx .top/site/chrome_update.html ...
> https://myonlinesecu...wnload-site.png
... They also display a -fake- Chrome 'terms & conditions' pop up when you press the 'download now':
> https://myonlinesecu...e-installer.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1490381016/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (1088)

*** https://malwr.com/an...zRlYmI3MDkyZDk/

chromebewfk .top: 47.90.205.113: https://www.virustot...13/information/
> https://www.virustot...973c5/analysis/
voperforseanx .top: 47.90.205.113:
> https://www.virustot...d8a75/analysis/

35.187.59.173: https://www.virustot...73/information/
> https://www.virustot...973c5/analysis/
> https://www.virustot...d8a75/analysis/
 



Edited by AplusWebMaster, 25 March 2017 - 06:55 AM.


#1897 AplusWebMaster

Posted 27 March 2017 - 08:59 AM

FYI...

Fake 'Xpress Money' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
27 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments... This is more unusual than previous ones because the attachment is an -html- file rather than a zip file...

Screenshot: https://myonlinesecu...s_money_PDF.png

If you open the attached html file you get a page saying:
    e UN-responded/outstanding claims as of march 24th, Pending At Your Branch 2089/234. Download Secured File Here
The -link- behind the download here goes to http ://www.ctraxa .net/wp-content/plugins/akismet/XPRESS%20MONEY.pdf .. where you get a genuine PDF with yet-another-link-embedded:
> https://myonlinesecu...s_money_PDF.png

... which downloads the zip from http ://www.ctraxa .net/wp-content/plugins/akismet/XPINZ%20&%20UN-respondedoutstanding%20claims%20as%20of%20march%2024th.zip .. which contains -2- identical although different named java.jar files...

Complain Refrence.jar and Sendout Reference.jar (480kb) - Current Virus total detections 39/59*
Payload Security** ...

I have also been informed about -other- sites involved in this massacre scam today including:
  http ://locandinadellavalle.altervista .org/wp-content/themes/metro-style/ruhiut/outstanding%20claims%20as%20of%20March%2024,2017.zip... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1490614148/

** https://www.hybrid-a...vironmentId=100

ctraxa .net: 212.193.234.99: https://www.virustot...99/information/
> https://www.virustot...3afcc/analysis/

locandinadellavalle.altervista .org: 104.28.2.143: https://www.virustot...43/information/
> https://www.virustot...ce27e/analysis/
104.28.3.143: https://www.virustot...43/information/
> https://www.virustot...4a77f/analysis/
 




#1898 AplusWebMaster

Posted 28 March 2017 - 07:25 AM

FYI...

Fake 'Important matter' SPAM - delivers unknown malware
- https://myonlinesecu...nknown-malware/
28 Mar 2017 - "This email was forwarded to me by a contact who works for a public service agency. I have redacted the actual recipients domain and any email address. There is a 'Charmaine' [redacted] living at the address listed according to google searches. I am sure that there will be a lot of other emails with other real details that will really scare the recipients into opening these emails and being infected. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain .com >. That is why these scams and phishes work so well... The email looks like:
From: Antony Gfroerer <antongfoufou@ wanadoo .fr>
Date: Tue, 28 Mar 2017 09:37:38 +0000
To:  Charmaine [redacted] <c*********@ [redacted]>
Subject: Charmaine
Attachment: victim.dot (renamed from recipients name)
    Hello, Charmaine!
    I am disturbing you for a very important matter. Though we are not familiar, but I have considerable ammount of information concerning you. The matter is that, most probably mistakenly, the data of your account has been sent to me.
    For example, your address is:
    5 [redacted] Lane
    Perth
    Perthshire and Kinross
    PH2 [redacted]
    I am a lawful citizen, so I decided to personal details may have been hacked. I pinned the file – victim.dot that that was emailed to me, that you could find out what information has become accessible for fraudsters. File password is – 2131
    I look forward to hearing from you,
    Antony Gfroerer ...


victim.dot - Current Virus total detections 0/55*. Payload Security** is unable to analyse as an unsupported format. MALWR*** shows nothing... I am informed that they download:
 galaxytown .net/store/read.gif -and- effeelle .eu/img/logo.gif  which appear to be genuine gif files from the headers, although they refuse to display as any sort of image file and must contain some sort of embedded -malware- content... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1490695414/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.149.140.45: https://www.virustot...45/information/
> https://www.virustot...a3c34/analysis/

*** https://malwr.com/an...jlhNWUyNDViYjQ/

galaxytown .net: 67.225.216.115: https://www.virustot...15/information/
> https://www.virustot...98912/analysis/
___

'Message from IT' - Phish
- https://myonlinesecu...e-365-phishing/
28 Mar 2017 - "... slightly different than many others and much more involved and complicated. It pretends to be a message from IT support to update webmail to use Office 365 / Outlook web access...

Screenshot: https://myonlinesecu...m-IT-Sector.png

This email has a genuine PDF attachment:
> https://myonlinesecu...365_upgrade.png
If you follow the link inside the PDF you see a webpage looking like this:

  [ http ://radioclassicafm .com.br/lr/barracuda/barracuda/index.html ]
>> https://myonlinesecu...uda_signin1.png
After you input your email address and password, you get told -incorrect- details and -forwarded- to an almost identical looking page where you can put it in again:
>> https://myonlinesecu...acuda_login.png
Then you get sent to an imitation of the Google Verification page where they ask for either your phone number or alternative email address...
>> https://myonlinesecu...ogle_verify.png
Then you get a 'success' page... All of these emails use social engineering tricks to persuade you to open the -attachments- that come with the email..."

radioclassicafm .com.br: 216.172.173.156: https://www.virustot...56/information/
> https://www.virustot...bbdc8/analysis/



Edited by AplusWebMaster, 28 March 2017 - 09:42 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1899 AplusWebMaster

Posted 30 March 2017 - 03:43 AM

FYI...

Fake 'Payment Receipt' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
30 Mar 2017 - "... -blank- or -empty- body emails today with the subject of 'Payment Receipt 79159' (almost certainly random numbers) coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment, that does -not- match the subject line, which delivers what some AV are calling the Nymaim Trojan, while others are just giving heuristic detections. This starts with a zip Receipt28765.zip which extracts to PaymentReceipt.zip which extracts to PaymentReceipt86654.exe which has an icon making it look like a PDF file... One of the emails looks like:
From: donotreply@ yuku .biz
Date: Thu 30/03/2017 06:15
Subject: Payment Receipt 79159
Attachment: ea00ba32a5.zip


Body content: Totally empty/blank

Screenshot: https://myonlinesecu...ceipt-79159.png

Receipt28765.zip: Extracts to: PaymentReceipt86654.exe - Current VirusTotal detections 18/61*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1490851299/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
84.200.69.80: https://www.virustot...80/information/
> https://www.virustot...3e11e/analysis/
___

Fake 'Confirmation' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
30 Mar 2017 - "... an email with the subject of 'uk_confirmation_ph489329718.pdf' (random numbers) coming or pretending to come from info@ random companies and email addresses with a semi-random named zip attachment...
Update: I am being reliably informed it is QuantLoader* which is dropping various malware including the Dridex banking Trojan [1] [2] [3]...
* https://blogs.forcep...ian-underground

1] https://www.virustot...52fcd/analysis/

2] https://www.virustot...871fe/analysis/

3] https://www.virustot...11771/analysis/

One of the emails looks like:
From: info@criticare-anaesthesia .co.uk
Date: Thu 30/03/2017 12:15
Subject: uk_confirmation_ph489329718.pdf
Attachment: uk_confirmation_ph489329718.zip
    Confirmation letter enclosed. Please see attachment.


uk_confirmation_ph489329718.pdf.zip: Extracts to: uk_confirmation_ph954869378.exe - Current VirusTotal detections 15/60**. Payload Security***. Nothing is definite on what these are but it looks vaguely like a Zeus/Zbot variant.
Update: now getting a -second- run with the same file names that ClamAV on the mailserver is detecting as Win.Trojan.Ag-3 and quarantining. VirusTotal 10/62[4] | Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustot...sis/1490873262/

*** https://www.hybrid-a...vironmentId=100

4] https://www.virustot...sis/1490874947/

5] https://www.hybrid-a...vironmentId=100
Contacted Hosts
8.8.247.36
81.12.229.190
107.170.0.14
37.120.172.171




Edited by AplusWebMaster, 30 March 2017 - 06:56 AM.

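The post above describes a zip-inside-a-zip that finally yields an .exe dressed up with a PDF icon. The following is an added example (not code from the blog or this forum) of a mail-gateway style check that walks such nested archives in memory and flags executable members; the sample archive and its MZ-header stub are constructed inline and are not real malware.

```python
import io
import os
import zipfile

# Extensions Windows runs directly; any of these inside a mailed archive is a
# red flag no matter what icon the file shows in Explorer.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd", ".pif", ".com"}
MAX_DEPTH = 4  # stop following archives-in-archives after this many levels

def walk_archive(data, path="", depth=0):
    """Walk a zip held in memory and return a list of (member_path, reason).

    Nested zips are opened from bytes and walked recursively, so a
    'zip -> zip -> exe' chain is surfaced without writing anything to disk.
    """
    findings = []
    if depth > MAX_DEPTH:
        return [(path, "archive nesting deeper than %d levels" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "attachment is not a valid zip")]
    for info in zf.infolist():
        member = path + "/" + info.filename if path else info.filename
        payload = zf.read(info)
        ext = os.path.splitext(info.filename)[1].lower()
        if payload[:2] == b"MZ":  # PE header wins over whatever the name claims
            findings.append((member, "PE executable (MZ header) inside mailed archive"))
        elif ext in EXECUTABLE_EXTS:
            findings.append((member, "executable extension %s inside mailed archive" % ext))
        if payload[:2] == b"PK":  # another zip: record it and descend
            findings.append((member, "nested archive"))
            findings.extend(walk_archive(payload, member, depth + 1))
    return findings

def build_sample():
    """Constructed test input mirroring the post's chain:
    Receipt28765.zip -> PaymentReceipt.zip -> PaymentReceipt86654.exe.
    The 'exe' is just an MZ header plus padding, not an actual program."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("PaymentReceipt86654.exe", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("PaymentReceipt.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for member, reason in walk_archive(build_sample()):
        print(member, "->", reason)
```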

#1900 AplusWebMaster

Posted 31 March 2017 - 05:48 AM

FYI...

Fake 'Western Union' SPAM - delivers Java Adwind
- https://myonlinesecu...rs-java-adwind/
31 Mar 2017 - "... plagued daily by -fake- financial themed emails containing Java Adwind or Java Jacksbot attachments...

Screenshot: https://myonlinesecu...Cash-Report.png

Western Union Cash Report Reference.jar (478kb) - Current VirusTotal detections 15/59*: MALWR**
... All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1490914940/

** https://malwr.com/an...TExMzRjZmM4ZmU/
___

> https://myonlinesecu...rs-java-adwind/
30 Mar 2017
Screenshot: https://myonlinesecu...nion-refund.png
"... links in the email go to http ://www.ctraxa .net/wp-content/plugins/akismet/views/Western Union Refund Transaction.zip ..."
ctraxa .net: 212.193.234.99: https://www.virustot...99/information/
> https://www.virustot...a0df2/analysis/
2017-03-31
___

Fake 'GameStop' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
31 Mar 2017 - "... an email with the subject of '[GameStop] Order No.327609' (random numbers) pretending to come from “GameStop .co.uk Help” with a semi-random named zip attachment which delivers malware. The attachment extracts to -2- files: First a long set of random characters and numbers .exe that has an icon of a PDF file and a genuine PDF with just a few numbers in it called info.pdf...
Update: First indications are that it is a plain and simple Dridex banking Trojan, not the QuantLoader intermediary...

Screenshot: https://myonlinesecu...er-No.32760.png

066525-960519-20170331-105353-2f0134f7-23cd-f947-1b65-f1a530c28254.zip:
 Extracts to: 156910-268936-20161128-151851-de121ee8-6954-4911-80aa-8255b6b023cb.exe
Current VirusTotal detections 11/62*. Payload Security** | MALWR***
... There are frequently dozens or even hundreds of different download locations, sometimes delivering the exact same malware from all locations and sometimes slightly different malware versions from each one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1490951595/

** https://www.hybrid-a...vironmentId=100

*** https://malwr.com/an...jdmM2IyMDhhZDI/
___

Fake 'Payment Request' SPAM - delivers Dridex
- https://myonlinesecu...elivers-dridex/
31 Mar 2017 - "... a 'Payment Request' email coming from random email addresses. The payload is the -same- as this slightly earlier campaign spoofing GameStop .co.uk*. The file -names- are different but the content is -identical- with -same- SHA-256 hash numbers. All the copies I have seen -spoof- Hedley & Ellis Ltd, Newark Road, Peterborough, PE1 5UA in the email body, but have totally random senders with the email address in the email body...
* https://myonlinesecu...livers-malware/

Screenshot: https://myonlinesecu...ent-request.png

... There are frequently dozens or even hundreds of different download locations, sometimes delivering the exact same malware from all locations and sometimes slightly different malware versions from each one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."



Edited by AplusWebMaster, 31 March 2017 - 06:56 AM.

