SPAM frauds, fakes, and other MALWARE deliveries...


2041 replies to this topic

#1951 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 27 June 2017 - 09:08 AM

FYI...

Fake 'Fattura' SPAM - delivers xls attachment malware
- https://myonlinesecu...anking-trojans/
27 Jun 2017 - "An email with the subject of 'Fattura n.9171 del 27/06/17' pretending to come from random Italian email addresses with an Excel XLS spreadsheet attachment...
Update: I am 100% assured* that this is Trickbot banking Trojan...
* https://twitter.com/...680802136707073

Screenshot: https://myonlinesecu...ra_it_spam1.png

Attachment: https://myonlinesecu...ra_it_spam2.png

The xls file looks like this, with the instructions to 'enable content' in Italian. They obviously hope that the victim will 'enable content & macros' to see the washed out invoice details in full detail:
> https://myonlinesecu...invoice-xls.png

FATTURA num. 6655 del 27-=.xls - Current Virus total detections 6/56[1]. Payload Security[2] shows a download from
 https ://3eee22abda47 .faith/nvidia4.dvr (VirusTotal 11/61[3])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...c9395/analysis/
1_FATTURA num. 5999 del 27-06-2017.xls

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.173.218.138

3] https://www.virustot...619f8/analysis/
nvidia4.dvr

3eee22abda47 .faith: 46.173.218.138: https://www.virustot...38/information/
> https://www.virustot...feca1/analysis/
___

Protect Your Cloud - from Ransomware
> http://www.darkreadi.../d/d-id/1329221
6/27/2017
___

Multiple Petya Ransomware Infections Reported
- https://www.us-cert....ctions-Reported
June 27, 2017

- http://blog.talosint...re-variant.html
June 27, 2017 - "... a new malware variant has surfaced..."

- https://www.helpnets...tya-ransomware/
June 27, 2017

- http://www.reuters.c...k-idUSKBN19I1TD
Jun 27, 2017 | 4:35pm EDT

- http://www.telegraph...-cyber-attack1/
27 June 2017 • 8:50pm GMT
 



Edited by AplusWebMaster, 27 June 2017 - 02:49 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
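The post above boils down to one lure: a legacy .xls that needs "enable content" so its VBA runs. The following is an added triage check, not code from the post or from myonlinesecurity, that decides whether an Office attachment carries a VBA project before anyone opens it. It relies on two facts: legacy .doc/.xls files are OLE2 compound files whose directory stores stream names in UTF-16LE (a VBA project leaves names such as `_VBA_PROJECT` and `Macros` there), and OOXML .docm/.xlsm files are ZIP containers with a `vbaProject.bin` part. The sample files are constructed inline. The raw byte scan is a heuristic (a proper parser such as oletools' olevba walks the OLE directory) and will also fire on a document that merely contains those strings as UTF-16 text, which is the right side to err on at a mail gateway.

```python
"""Decide whether an Office attachment carries a VBA project (added example)."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls / .ppt
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML .docx/.docm/.xlsx/.xlsm

# OLE2 directory entries store names as UTF-16LE; these appear when a VBA
# project is present (Excel uses _VBA_PROJECT_CUR, which the first one covers).
OLE_VBA_MARKERS = {s: s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")}
# In OOXML the macro project is a separate part; Office ignores the extension,
# so a .docm renamed to .doc still opens and still prompts for macros.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify(data: bytes) -> dict:
    """Return container type, whether VBA was found, and what was matched."""
    if data.startswith(OLE2_MAGIC):
        hits = [name for name, raw in OLE_VBA_MARKERS.items() if raw in data]
        return {"container": "ole2", "has_vba": bool(hits), "evidence": hits}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return {"container": "other", "has_vba": False, "evidence": []}
        hits = [p for p in OOXML_VBA_PARTS if p in names]
        return {"container": "ooxml", "has_vba": bool(hits), "evidence": hits}
    return {"container": "other", "has_vba": False, "evidence": []}


def should_quarantine(data: bytes) -> bool:
    """Policy: any inbound Office file with a VBA project is held for review."""
    return classify(data)["has_vba"]


# --- constructed samples (not real malware) ---------------------------------
def fake_ole(with_vba: bool) -> bytes:
    body = bytearray(1024)                       # sector-sized padding
    if with_vba:
        body[512:512 + 24] = OLE_VBA_MARKERS["_VBA_PROJECT"]   # 24 bytes of UTF-16LE
    return OLE2_MAGIC + bytes(body)


def fake_ooxml(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("FATTURA.xls", fake_ole(True)), ("clean.xls", fake_ole(False)),
                       ("AccountDocs.doc", fake_ooxml(True)), ("clean.docx", fake_ooxml(False))):
        print(name, classify(blob), "QUARANTINE" if should_quarantine(blob) else "pass")
```

The check deliberately ignores the filename: the thread's later samples are .docm-style content or renamed executables behind harmless extensions, so classification has to come from the bytes.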

#1952 AplusWebMaster

Posted 29 June 2017 - 06:04 AM

FYI...

Fake 'UPS cannot deliver' SPAM - delivers ransomware
- https://myonlinesecu...kovter-payload/
29 Jun 2017 - "The 'UPS failed to deliver' messages have come back... it looks like the Kovter gang have taken advantage of the Petya outbreak to add to the mix. They have updated the nemucod ransomware version to make it, on first look, impossible to decrypt at this time without paying the ransom. Thanks to Michael Gillespie*, a well-known anti-ransomware campaigner, for his assistance and pointing me in the right direction about the new nemucod ransomware version...
* https://twitter.com/demonslay335
If you get infected by this or any other ransomware please check out the ID Ransomware service** which will help to identify what ransomware you have been affected by and offer suggestions for decryption...
** https://id-ransomwar...m.com/index.php

The emails are the same as usual (you only have to look through this blog and search for UPS[1] or FedEx[2] or USPS[3]... hundreds of different examples and subjects)...
1] https://myonlinesecurity.co.uk/?s=UPS

2] https://myonlinesecu....co.uk/?s=fedex

3] https://myonlinesecurity.co.uk/?s=usps

Screenshot: https://myonlinesecu..._to_deliver.png

... there is a difference in the .js files that are coming in the (attachment) zips... The initial js looks very similar to previous but has much longer vars (var zemk) that are used to download the other files...
Showing a high level of encryption that at this time appears unable to be decrypted without paying the ransom.
This ransom note (or something similar with different links) gets displayed on the victim’s desktop:
>> https://myonlinesecu...nstructions.jpg

The original js downloads 3 files - 1 is Kovter as usual, the second is unknown and there is a massive 6.7mb php interpreter. The 2nd file won’t run without the php interpreter. It looks like it also belongs to PHP and both php files together are needed to run the downloaded php counter files to encrypt the computer...
4] https://www.hybrid-a...vironmentId=100
Contacted Hosts (406)

5] https://jbxcloud.joe...s/300085/1/html
UPS-Delivery-005156577.doc.js

6] https://www.virustot...sis/1498629470/
UPS-Delivery-005156577.doc.js
Detection ratio: 9/55

... The Kovter download looks like it works separately to the ransomware but might actually be involved somewhere along the line:
7] https://www.virustot...sis/1498630707/
da40c167cd75d.png
Detection ratio: 25/62

8] https://www.hybrid-a...vironmentId=100
Contacted Hosts (398)

... Sites involved in this campaign found so far this week:
resedaplumbing .com > 166.62.58.18
modx.mbalet .ru > 95.163.101.104
artdecorfashion .com > 107.180.0.125
eventbon .nl > 109.106.167.212
elita5 .md > 217.26.160.15
goldwingclub .ru > 62.109.17.210
www .gloszp .pl > 87.98.239.19
natiwa .com > 115.84.178.83
desinano .com.ar > 190.183.59.228
amis-spb .ru > 77.222.61.227
perdasbasalti .it > 94.23.64.3
120.109.32.72: https://www.virustot...72/information/
calendar-del .ru > 77.222.61.227
indexsa.com .ar > 190.183.59.228 ..."
___

'Blank Slate' - malspam campaign -ransomware-
- https://isc.sans.edu...g strong/22570/
Last Updated: 2017-06-29 - "'Blank Slate' is the nickname for a malicious spam (malspam) campaign pushing -ransomware- targeting Windows hosts... Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign. Today's Blank Slate malspam was pushing Cerber and GlobeImposter ransomware... -fake- Chrome pages sent victims zip archives containing malicious .js files designed to infect Windows hosts with ransomware... potential -victims- must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations..."
(More detail at the isc URL above.)
___

- https://www.bitdefen...pages|goldeneye
Update 6/28 08.00 GMT+3 - "There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction..."
 



Edited by AplusWebMaster, 29 June 2017 - 02:16 PM.


#1953 AplusWebMaster

Posted 05 July 2017 - 11:34 AM

FYI...

Fake 'Documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
5 Jul 2017 - "An email with the subject of 'Important Account Documents' pretending to come from Lloyds bank but actually coming from a look-a-like domain Lloyds Bank Documents <no-reply@ lloydsbankdocs .co.uk> with a malicious word doc attachment... So far we have only found 1 site sending these today:
  lloydsbankdocs .co.uk
As usual they are registered via Godaddy as registrar and the emails are sent via IP 37.46.192.51 which doesn’t have any identifying details except AS47869 Netrouting in Netherlands...

Screenshot: https://myonlinesecu...t-Documents.png

The word doc looks like:
> https://myonlinesecu...ccount-docs.png

AccountDocs.doc - Current Virus total detections 7/57*. Payload Security** shows a download from
 http ://pilotosvalencia .com/sergollinhols.png which of course is -not- an image file but a -renamed- .exe file that gets renamed to fsrtat.exe and autorun (VirusTotal 14/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...a43f6/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.217.4
167.114.174.158
197.248.210.150


*** https://www.virustot...70a11/analysis/
___

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
5 July 2017 - "... delivering banking Trojans is an email with the subject of 'Customer message' pretending to come from 'Nat West Bank' but actually coming from a series of look alike domains - NatWest Bank Plc <alert@ natwest-serv478 .ml> with a malicious word doc attachment... criminals sending these have registered various domains that look-like-genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate-the-bank or some message sending service... we have found 6 but it is highly likely there could be hundreds, because they are -free- domains that don’t need any checkable registration details:
    natwest-serv478 .ml > 81.133.163.165
    natwest-serv347 .ml > 185.100.68.185
    natwest-serv305 .ml > 72.21.246.90
    natwest-serv303 .ml > 47.42.101.137
    natwest-serv505 .ml > 98.191.98.153
    natwest-serv490 .ml > 128.95.65.99
These are registered via freenom .com as registrar and the emails are sent via a series of what are most likely compromised email accounts or mail servers:
> https://myonlinesecu...p_spam_list.png

Screenshot: https://myonlinesecu...mer-message.png

The word doc looks like:
> https://myonlinesecu...ment283_doc.png

message_payment283.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
  http ://armor-conduite .com/34steamballons.png which of course is -not- an image file but a renamed .exe file that gets renamed to nabvwhy.exe and autorun (VirusTotal 16/62***) which is a slightly different -Trickbot- payload... An alternative download location is
 http ://teracom .co.id/34steamballons.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499266638/
message_payment283.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
202.169.44.149
94.42.91.27


*** https://www.virustot...8ff7f/analysis/
nabvwhy.exe

armor-conduite .com: 193.227.248.241: https://www.virustot...41/information/
> https://www.virustot...62e47/analysis/

teracom .co.id: 202.169.44.149: https://www.virustot...49/information/
> https://www.virustot...add04/analysis/
___

'AdGholas' malvertising ...
- https://blog.malware...ware-outbreaks/
July 5, 2017 - "... other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific -malvertising- gang of the moment, dubbed 'AdGholas'... A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the -malvertising- operators are able to quickly roll out and activate a -fake- advertising infrastructure for a few days before getting banned...
> https://blog.malware...17/06/certs.png
... We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of -redirect- is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity...
IOCs:
AdGholas:
expert-essays[.]com
jet-travels[.]com
5.34.180.73
162.255.119.165

Astrum Exploit Kit:
uniy[.]clamotten[.]com
comm[.]clamotten[.]com
comp[.]computer-tutor[.]info
lexy[.]computer-tutor[.]info
sior[.]ccnacertification[.]info
kvely[.]our-health[.]us
nuent[.]mughalplastic[.]com
mtive[.]linksaffpixel[.]com
cons[.]pathpixel[.]com
sumer[.]pathlinkaff[.]com
nsruc[.]ah7xb[.]com
ction[.]ah7xb[.]com
nstru[.]onlytechtalks[.]com
const[.]linksaffpixel[.]com
quely[.]onlytechtalks[.]com
coneq[.]modweave[.]com
94.156.174.11 ..."
(More detail at the malwarebytes URL above.)
___

Fake 'invoice' SPAM - delivers java adwind malware
- https://myonlinesecu...ng-java-adwind/
4 Jul 2017 - "... fake 'invoices' rather than their more usual method of fake 'MoneyGram' or 'Western Union money transfer' reports or updates...

Screenshot: https://myonlinesecu...ue-invoices.png

Payment Dunmore 27.26.170001.jar (566kb) - Current Virus total detections 12/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499145423/

** https://malwr.com/an...TBiNWE0NmNlNGE/
 



Edited by AplusWebMaster, 05 July 2017 - 12:44 PM.

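The two Trickbot lures above share a trick the post calls out: a look-alike sender domain (lloydsbankdocs .co.uk, natwest-serv478 .ml) that carries the bank's name but is not the bank's domain, the NatWest set registered on Freenom's free .ml TLD with no checkable registrant. Below is an added mail-gateway check, not code from the post or from myonlinesecurity, that scores a From: address on those two signals. The brand-to-domain allowlist is an illustrative assumption that a deployment maintains itself, the registered-domain split is a simplification of the Public Suffix List, and the brand tokens are deliberately generous (a short token such as 'sage' also hits unrelated words like 'message', so the findings are a review queue, not a block list). The adjacent-letter swap it also tests for is what the later hrmccommunication .co.uk domain in post #1956 relies on.

```python
"""Flag bank look-alike sender domains (added example, not the post's code)."""
import re

# ASSUMPTION for this example: domains the real brands send from. Maintain your own.
LEGIT = {
    "lloyds": {"lloydsbank.com", "lloydsbank.co.uk"},
    "natwest": {"natwest.com"},
    "rbs": {"rbs.co.uk", "rbs.com"},
    "hmrc": {"hmrc.gov.uk", "gov.uk"},
    "sage": {"sage.com", "sage.co.uk"},
    "efax": {"efax.com"},
}
FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}      # Freenom's no-cost TLDs: no vetted registrant
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}  # e.g. example.co.uk
ADDR_RE = re.compile(r"@\s*([A-Za-z0-9.\- ]+?)\s*>?\s*$")


def registered_domain(host: str) -> str:
    """'mail.hmrc.gov.uk' -> 'hmrc.gov.uk'. Simplified stand-in for the Public Suffix List."""
    labels = host.lower().replace(" ", "").strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def swapped(token: str):
    """Every variant of token with two adjacent letters transposed (hmrc -> hrmc)."""
    for i in range(len(token) - 1):
        s = list(token)
        s[i], s[i + 1] = s[i + 1], s[i]
        yield "".join(s)


def brand_hit(regdom: str, brand: str):
    label = re.sub(r"[^a-z]", "", regdom.split(".")[0])   # drop digits/hyphens: natwest-serv478
    if brand in label:
        return brand
    return next((v for v in swapped(brand) if v in label), None)


def check_sender(from_header: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    m = ADDR_RE.search(from_header)
    if not m:
        return ["unparseable From: address"]
    regdom = registered_domain(m.group(1))
    findings = []
    for brand, good in LEGIT.items():
        hit = brand_hit(regdom, brand)
        if hit and not any(regdom == d or regdom.endswith("." + d) for d in good):
            findings.append(f"look-alike: '{hit}' in {regdom}, which is not a {brand} domain")
    tld = regdom.rsplit(".", 1)[-1]
    if tld in FREE_TLDS:
        findings.append(f"free TLD .{tld}: no checkable registrant details")
    return findings


if __name__ == "__main__":
    for hdr in ("Lloyds Bank Documents <no-reply@lloydsbankdocs.co.uk>",
                "NatWest Bank Plc <alert@natwest-serv478.ml>",
                "<Secure.Communication@hrmccommunication.co.uk>",
                "NatWest <alerts@natwest.com>"):
        print(hdr, "->", check_sender(hdr) or "ok")
```

A display name that says "Lloyds Bank Documents" carries no weight here on purpose: the only thing the check trusts is the registered domain after the @, which is also the only part a receiving gateway can verify with SPF/DKIM.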

#1954 AplusWebMaster

Posted 06 July 2017 - 04:13 AM

FYI...

Fake 'wire request' SPAM - delivers banking trojan
- https://myonlinesecu...banking-trojan/
6 Jul 2017 - "An email with the subject of 'The wire request is unsuccessful!' pretending to come from Billing Support using random senders & email addresses with a malicious word doc attachment delivers Chthonic banking trojan...

Screenshot: https://myonlinesecu...ing-support.png

printed_ty_0717.doc - Current Virus total detections 12/58*. Payload Security** shows a download from
 http ://185.117.73.105 /bofasup.exe (VirusTotal 13/57***)... alternative doc detections [1] [2]. Other download locations include: (there are 3 download locations hard coded in the macro):
 http ://185.45.192.116 /bofasup.exe
 http ://185.117.72.251 /bofasup.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499318502/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...ee397/analysis/
bofasup.exe

1] https://www.virustot...a3968/analysis/
printed_copy_da_0717.doc
Detection ratio: 13/57
 
2] https://www.virustot...sis/1499319821/
copy_wt_0717.doc
Detection ratio: 11/57
___

Fake 'eFax' SPAM - malicious doc/xls attachment
- https://myonlinesecu...livers-malware/
6 Jul 2017 - "... spoofed eFax message from 1 month ago[1], the same gang are using a similar range of fake e-faxcorporatexxx.top domains to send these malspam emails. Today's comes with the usual typical subject of 'eFax message from “0300 200 3822” – 2 page(s)' coming from eFax <message@ e-faxcorporate102 .top> with a malicious word doc attachment which delivers some sort of malware...
1] https://myonlinesecu...l-and-trickbot/

Screenshot: https://myonlinesecu...7/efax_nest.png

The word doc looks like:
> https://myonlinesecu...agedoc_nest.png

SecureMessage.doc - Current Virus total detections 6/57*... Joesandbox** shows a download from
 http ://5.149.252.155 /parcelon13.exe (VirusTotal 15/63***)...
This email attachment contains what appears to be a genuine word doc -or- Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499264264/
SecureMessage.doc

** https://jbxcloud.joe...s/304760/1/html

*** https://www.virustot...sis/1499306577/

e-faxcorporate102 .top: 46.8.221.104: https://www.virustot...04/information/
 



Edited by AplusWebMaster, 06 July 2017 - 04:52 AM.


#1955 AplusWebMaster

Posted 07 July 2017 - 06:32 AM

FYI...

Fake 'BACs documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
7 Jul 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from Royal Bank of Scotland but actually coming from a look-a-like domain <Secure.Delivery@ rbsdocs .co.uk> with a -link- to a malicious zip attachment containing a .js file... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine Bank domains. Normally there are 3 or 4 newly registered domains that -imitate- the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today:
    rbsdocs .co.uk > 160.153.162.130
As usual they are registered via Godaddy as registrar and hosted by Godaddy on ip 160.153.162.130 but the emails are being sent via host Europe 85.93.88.125...

Screenshot: https://myonlinesecu...cs_trickbot.png

Rbs_Account_BACs.js - Current Virus total detections 1/57*. Payload Security** shows a download from
 http ://mutfakdolabisitesi .com/grandsergiostalls.png  which of course is -not- an image file but a renamed .exe file that gets renamed to qkY5ijY.exe and autorun (VirusTotal 12/64***)... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1499423876/
Rbs_Account_BACs.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.235.11.61
50.19.227.215
37.120.182.208
78.47.139.102


*** https://www.virustot...sis/1499422646/

mutfakdolabisitesi .com: 46.235.11.61: https://www.virustot...61/information/
> https://www.virustot...eb157/analysis/

rbsdocs .co.uk: 160.153.162.130: https://www.virustot...30/information/
> https://www.virustot...8dfec/analysis/
___

'Facebook Lottery' - Scam
- https://myonlinesecu...k-lottery-scam/
7 Jul 2017 - "'Oh look I have won the Facebook Lottery', or might have done if there actually was such a thing. Unfortunately it is all a big scam. If you were unwise enough to reply, all you would get is a request for a sum of money for Post & packing and the transfer fee for the money. To make it more attractive than usual, apart from the just over $1m money they are giving you a Facebook cap, tee shirt and wallet, 'Wow! how exciting!'. To show how clueless or how they don’t filter or check email addresses they send to, this was sent to a spam-trap-email address...

Screenshot: https://myonlinesecu...ook-lottery.png

Email Headers:
124.153.79.193 - mailgw.notvday .in...
188.207.76.172 - static.kpn .net...
 



Edited by AplusWebMaster, 07 July 2017 - 02:53 PM.


#1956 AplusWebMaster

Posted 10 July 2017 - 04:43 AM

FYI...

Fake 'Delivery Status' SPAM - delivers ransomware
- https://myonlinesecu...ounce-messages/
10 July 2017 - "We were notified of a new ransomware version* last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a -fake- 'Delivery Status Notification, failed to deliver' email bounce message. The .js file in the email attachment is a PowerShell -script- and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent 'UPS failed to deliver'** nemucod ransomware versions...
* https://twitter.com/...136470910562304

** https://myonlinesecu...kovter-payload/

Screenshot: https://myonlinesecu...are_email-1.png

There is also a section in the script... causes a fake pop up message making the victim think that the file isn’t running properly:
> https://myonlinesecu...not_found-1.png

After the file has run and encrypted your files, you get a message left called _README-Encrypted-Files .html:
> https://myonlinesecu...omware_note.jpg

As well as encrypting the usual image, music, video and document files this also encrypts databases files, email, and very unusually many executable file types. It also encrypts your bitcoin wallet and other similar financial files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1499666506/
Readable Msg-j8k5b798d4.js

2] https://www.reverse....vironmentId=100
Readable Msg-j8k5b798d4.js

The sender domain is also the C2 http ://joelosteel .gdn/pi.php currently hosted by digitalocean .com on  165.227.1.206 ..."

joelosteel .gdn: 165.227.1.206: https://www.virustot...06/information/
> https://www.virustot...6e150/analysis/
___

Fake 'Secure Communication' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
10 Jul 2017 - "An email with the subject of 'Secure Communication' pretending to come from HM Revenue & Customs but actually coming from a look-alike-domain < Secure.Communication@ hrmccommunication .co.uk > with a malicious word doc attachment... delivering Trickbot banking Trojan... a very important site involved in today’s campaign with images being hosted on www .libdemvoice .org/wp-content/uploads/2012/06/HMRC-logo-300×102.jpg... they have been hosting an HMRC logo since 2012...

Screenshot: https://myonlinesecu...mrc_10_july.png

HMRC3909308823743.doc - Current Virus total detections 6/57*. Payload Security** shows a download from one of these 2 locations:
 http ://pilotosvalencia .com/grazlocksa34.png -or- http ://ridderbos .info/grazlocksa34.png
which of course is -not- an image file but a renamed .exe file that gets renamed to Sonqa.exe and
autorun (VirusTotal 10/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499682599/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.217.4
107.22.214.64
93.99.68.140
195.133.197.179


*** https://www.virustot...8c9cf/analysis/

pilotosvalencia .com: 81.169.217.4: https://www.virustot....4/information/
> https://www.virustot...1a61a/analysis/

ridderbos .info: 84.38.226.82: https://www.virustot...82/information/
> https://www.virustot...5e526/analysis/

libdemvoice .org: 104.28.31.9: https://www.virustot....9/information/
104.28.30.9: https://www.virustot....9/information/
 



Edited by AplusWebMaster, 10 July 2017 - 06:28 AM.

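Both the 'Delivery Status' ransomware above and the 'Blank Slate' campaign in post #1952 arrive as a zip inside a zip that finally yields a .js, and the 'UPS' sample from that post carries the double extension .doc.js so Explorer shows it as a document. The following is an added attachment check, not code from the post or from myonlinesecurity, that walks nested archives to a fixed depth and flags script or executable members and double extensions; the archives it inspects are constructed inline with inert contents. The depth and member-size limits are there because archive-in-archive is also how zip bombs arrive, and a nested archive is itself reported as a flag because, as the posts show, that shape is the lure.

```python
"""Walk nested zip attachments and flag script payloads (added example)."""
import io
import zipfile

SCRIPT_EXT = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "cmd", "bat",
              "scr", "exe", "lnk", "jar"}
DECOY_EXT = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png", "html"}
MAX_DEPTH = 3                      # zip-in-zip-in-zip is already suspicious
MAX_MEMBER = 20 * 1024 * 1024      # refuse to inflate anything larger (zip bomb guard)
ZIP_MAGIC = b"PK\x03\x04"


def name_flags(name: str) -> list:
    """Flags derived from the member name alone."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    flags = []
    if len(parts) >= 2 and parts[-1] in SCRIPT_EXT:
        flags.append(f"script/executable .{parts[-1]}")
    if len(parts) >= 3 and parts[-2] in DECOY_EXT and parts[-1] in SCRIPT_EXT:
        flags.append(f"double extension .{parts[-2]}.{parts[-1]}")
    return flags


def walk(data: bytes, path: str = "attachment.zip", depth: int = 0, out: list = None) -> list:
    """Return [(path, [flags...]), ...] for every member at every nesting level."""
    out = [] if out is None else out
    if depth > MAX_DEPTH:
        out.append((path, [f"nested deeper than {MAX_DEPTH}"]))
        return out
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        out.append((path, ["zip magic but not a readable archive"]))
        return out
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER:        # header-declared size; good enough for a first gate
                out.append((member, [f"member larger than {MAX_MEMBER} bytes, not inflated"]))
                continue
            blob = zf.read(info)
            if blob.startswith(ZIP_MAGIC):
                out.append((member, ["nested archive"]))
                walk(blob, member, depth + 1, out)
            else:
                out.append((member, name_flags(info.filename)))
    return out


def is_suspicious(findings: list) -> bool:
    return any(flags for _, flags in findings)


# --- constructed samples ---------------------------------------------------
def _zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def sample_malspam() -> bytes:
    """zip -> zip -> UPS-Delivery-005156577.doc.js (name from the thread; the body is inert)."""
    inner = _zip({"UPS-Delivery-005156577.doc.js": b"// inert placeholder, not the real script"})
    return _zip({"UPS-Delivery.zip": inner})


def sample_benign() -> bytes:
    return _zip({"invoice-2017-07.pdf": b"%PDF-1.4 placeholder"})


if __name__ == "__main__":
    for label, blob in (("malspam", sample_malspam()), ("benign", sample_benign())):
        res = walk(blob)
        print(label, "SUSPICIOUS" if is_suspicious(res) else "clean")
        for p, flags in res:
            print("  ", p, flags)
```

Why name-based flags are still worth having: the posts note that the final .js runs by double-click on a default Windows install, so the extension is exactly what the attacker relies on, and it is cheap to check before any content inspection.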

#1957 AplusWebMaster

Posted 11 July 2017 - 08:03 AM

FYI...

JAVA_ADWIND - Trend Micro telemetry
> http://blog.trendmic...an-adwind-jrat/
July 11, 2017 - "... our telemetry for JAVA_ADWIND... the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware...
JAVA_ADWIND detections from January to June, 2017:
> https://blog.trendmi...wind-spam-1.jpg
... a Java EXE, dynamic-link library (DLL) and 7-Zip installer will be fetched from a domain that we uncovered to be a file-sharing platform abused by the spam operators:
    hxxps ://nup[.]pw/DJojQE[.]7z
    hxxp ://nup[.]pw/e2BXtK[.]exe
    hxxps ://nup[.]pw/9aHiCq[.]dll ...
... it appears to have the capability to check for the infected system’s internet access. It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be -abused- to evade static analysis from traditional antivirus (AV) solutions...
Indicators of Compromise:
Files and URLs related to Adwind/jRAT:
    hxxp ://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php
    hxxp ://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif
    hxxps ://nup[.]pw/e2BXtK[.]exe
    hxxps ://nup[.]pw/Qcaq5e[.]jar ..."

nup .pw: 149.210.145.237: https://www.virustot...37/information/
> https://www.virustot...a6033/analysis/

employersfinder .com: 198.38.91.121: https://www.virustot...21/information/
> https://www.virustot...59e9e/analysis/

ccb-ba .adv.br: 50.116.112.205: https://www.virustot...05/information/
> https://www.virustot...30c44/analysis/

 



Edited by AplusWebMaster, 11 July 2017 - 03:42 PM.

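The indicators in this thread are defanged in several notations at once: 'hxxp ://' and '[.]' in the Trend Micro extract above, 'http ://host .tld /path' and 'host .tld: 1.2.3.4' in the myonlinesecurity quotes. The following is an added helper, not code from the post or from any of the quoted sources, that refangs those notations and pulls out URLs, hostnames and IPv4 addresses for a block list. Tokens containing the page's '...' truncation are skipped, since a truncated link is not an indicator, and a short list of reference sites (an assumption for this example: the analysis and blog hosts the thread links to) is dropped so that virustotal.com does not end up on a block list. The sample text is a handful of lines copied from this thread.

```python
"""Refang thread-style IOC notation and extract indicators (added example)."""
import re
from urllib.parse import urlparse

# Sites the thread links to as references, not as indicators (assumption for this example).
REFERENCE_HOSTS = {"virustotal.com", "hybrid-analysis.com", "myonlinesecurity.co.uk",
                   "twitter.com", "isc.sans.edu", "jbxcloud.joesecurity.org", "malwr.com"}
# Filename suffixes that the hostname regex would otherwise mistake for a TLD.
NOT_TLDS = {"exe", "dll", "png", "jpg", "js", "vbs", "doc", "xls", "zip", "jar", "dvr",
            "php", "html", "htm", "ace", "pif", "7z", "txt", "pdf", "ini", "xml", "json"}

URL_RE = re.compile(r"https?://[^\s\"'<>)\],]+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text: str) -> str:
    t = re.sub(r"\bhxxp", "http", text, flags=re.I)                      # hxxp:// -> http://
    t = re.sub(r"\b(https?)\s*:\s*//\s*", r"\1://", t, flags=re.I)       # 'http ://' -> 'http://'
    t = re.sub(r"\s*(?:\[\.\]|\(\.\)|\{\.\}|\s\.)\s*(?=[A-Za-z0-9])", ".", t)  # 'a[.]b', 'a .b'
    t = re.sub(r"(?<=[A-Za-z0-9])\s+/(?=[A-Za-z0-9])", "/", t)            # 'host /path' -> 'host/path'
    return t


def _valid_ip(s: str) -> bool:
    return all(0 <= int(o) <= 255 for o in s.split("."))


def _is_reference(host: str) -> bool:
    return any(host == r or host.endswith("." + r) for r in REFERENCE_HOSTS)


def extract(text: str) -> dict:
    """Return sorted, de-duplicated urls / hosts / ips found in defanged text."""
    urls, hosts, ips = set(), set(), set()
    for token in refang(text).split():
        if "..." in token:                  # truncated link on the page, not usable
            continue
        for url in URL_RE.findall(token):
            url = url.rstrip(".,;:*")
            host = (urlparse(url).hostname or "").lower()
            if not host or _is_reference(host):
                continue
            urls.add(url)
            (ips if IPV4_RE.fullmatch(host) and _valid_ip(host) else hosts).add(host)
        rest = URL_RE.sub(" ", token)
        for h in HOST_RE.findall(rest):
            h = h.lower()
            if h.rsplit(".", 1)[-1] not in NOT_TLDS and not _is_reference(h):
                hosts.add(h)
        for ip in IPV4_RE.findall(rest):
            if _valid_ip(ip):
                ips.add(ip)
    return {"urls": sorted(urls), "hosts": sorted(hosts), "ips": sorted(ips)}


# Lines copied from this thread (still defanged) as sample input.
SAMPLE = """\
 http ://185.117.73.105 /bofasup.exe (VirusTotal 13/57***)
    hxxps ://nup[.]pw/DJojQE[.]7z
armor-conduite .com: 193.227.248.241: https://www.virustot...41/information/
www .gloszp .pl > 87.98.239.19
nup .pw: 149.210.145.237: https://www.virustot...37/information/
* https://twitter.com/demonslay335
The sender domain is also the C2 http ://joelosteel .gdn/pi.php currently hosted on 165.227.1.206 ...
"""

if __name__ == "__main__":
    for kind, values in extract(SAMPLE).items():
        print(kind)
        for v in values:
            print("   ", v)
```

Two caveats a practitioner will already expect: the ' .' join is a heuristic that could glue a sentence-final dot onto the next word in unusual prose, so review the output rather than feeding it straight into a firewall; and the compromised sites listed in the thread (a plumber, a dental practice) are victims that get cleaned, so host indicators of that kind deserve an expiry.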

#1958 AplusWebMaster

Posted 13 July 2017 - 06:16 AM

FYI...

Fake 'Confidential Documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
13 July 2017 - "An email with the subject of 'Confidential Documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <noreply@ lloydsconfidential .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ments-email.png

... they are asking you to insert an authorisation code or password... (but) there is -no- option in this word doc to do that. The word doc looks like:
> https://myonlinesecu...otected_doc.png

Protected.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
 http ://armor-conduite .com/geroi.png which of course is -not- an image file but a renamed .exe file that gets renamed to Tizpvu.exe and autorun (VirusTotal 9/63***). An alternative download location is
 http ://kgshrestha .com.np/geroi.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1499942591/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86


*** https://www.virustot...sis/1499942505/

armor-conduite .com: 193.227.248.241: https://www.virustot...41/information/
> https://www.virustot...ee1d6/analysis/

kgshrestha .com.np: 74.200.89.84: https://www.virustot...84/information/
> https://www.virustot...ffcb1/analysis/
 




#1959 AplusWebMaster

Posted 14 July 2017 - 09:02 AM

FYI...

Fake 'Secure message' SPAM - delivers Trickbot
- https://myonlinesecu...ivers-trickbot/
14 Jul 2017 - "An email with the subject of 'Secure email message' pretending to come from Sage Invoice but actually coming from a look-a-like domain <noreply@ sage-invoice .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ted-invoice.png

The word doc looks like:
> https://myonlinesecu...Invoice_doc.png

SageInvoice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
 http ://ridderbos .info/sergiano.png which of course is -not- an image file but a renamed .exe file that gets renamed to Pmkzc.exe and autorun (VirusTotal 8/61***)... An alternative download location is
 http ://kgshrestha .com.np/sergiano.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1500038647/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86


*** https://www.virustot...sis/1493725297/

ridderbos .info: 84.38.226.82: https://www.virustot...82/information/
> https://www.virustot...9cb3b/analysis/

kgshrestha .com.np: 74.200.89.84: https://www.virustot...84/information/
> https://www.virustot...b4263/analysis/
 



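Every Trickbot post from #1953 to this one has the same download shape: the macro fetches a '.png' from a compromised site that is really a PE file, renames it to .exe and runs it, and the blank-subject VBS in the next post fetches an encrypted blob with no extension at all. The following is an added check, not code from the post or from myonlinesecurity, for a web proxy or sandbox that compares what the URL claims against what the bytes are. A PE is identified by the MZ header plus the 'PE' signature at the e_lfanew offset rather than by MZ alone, and a payload that matches no known signature is reported as undetermined rather than clean, which is exactly what an encrypted first stage produces. The sample bytes are constructed, not a real payload.

```python
"""Compare the extension a URL claims with the file type its bytes reveal (added example)."""
from urllib.parse import urlparse

# (magic bytes, kind) in check order; MZ alone is only a DOS stub, see is_pe().
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
]
EXT_KINDS = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif", "pdf": "pdf",
             "zip": "zip", "doc": "ole2", "xls": "ole2", "exe": "pe", "dll": "pe", "scr": "pe"}


def is_pe(data: bytes) -> bool:
    """MZ header and a 'PE' signature at the e_lfanew offset (IMAGE_DOS_HEADER + 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    if is_pe(data):
        return "pe"
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_kind(url: str) -> str:
    name = urlparse(url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_KINDS.get(ext, "none" if not ext else "other")


def inspect(url: str, data: bytes) -> dict:
    """verdict: 'mismatch' (claims one type, is another), 'match', or 'undetermined'."""
    claimed, actual = claimed_kind(url), sniff(data)
    if actual == "pe" and claimed != "pe":
        verdict = "mismatch"                # executable hiding behind another (or no) extension
    elif actual == "unknown" or claimed in ("none", "other"):
        verdict = "undetermined"            # encrypted stage or unlisted format: not proof of cleanliness
    else:
        verdict = "match" if claimed == actual else "mismatch"
    return {"url": url, "claimed": claimed, "actual": actual, "verdict": verdict}


# --- constructed samples -----------------------------------------------------
def fake_pe() -> bytes:
    """Minimal bytes that satisfy is_pe(); not a runnable program."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    cases = [
        ("http://pilotosvalencia.com/sergollinhols.png", fake_pe()),   # renamed .exe from the thread
        ("http://example.invalid/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 32),
        ("http://pluzcoll.com/56evcxv?", bytes(range(64))),            # opaque blob, no extension
    ]
    for url, blob in cases:
        print(inspect(url, blob))
```

A 'mismatch' on an Office macro's outbound fetch is a strong signal on its own; an 'undetermined' is the case to route to a sandbox, because the thread's own pluzcoll example shows the stage being decoded only after download.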

#1960 AplusWebMaster

Posted 18 July 2017 - 05:53 AM

FYI...

Fake 'payment slip' SPAM - delivers malware
- https://myonlinesecu...-a-jrat-trojan/
18 Jul 2017 - "... an email with the subject of 'payment slip' ... pretending to come from random companies, names and email addresses with an ACE attachment (ACE files are a sort of zip file that normally needs special software to extract. Windows and winzip do not natively extract them) which delivers some malware... it has some indications of fareit Trojan. This also has a jrat java.jar file attachment...

Screenshot: https://myonlinesecu...ayment-slip.png

> Attachments: bank detailes copy.xls.ace -and- TT COPY MBUNDU GISA 740,236 USD.jar

bank detailes copy.xls.ace: Extracts to: bank detailes copy.xls.exe - Current Virus total detections 6/63*
 Payload Security**

TT COPY MBUNDU GISA 740,236 USD.jar - Current Virus total detections 2/59[3]. Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1500351301/

** https://www.hybrid-a...vironmentId=100
HTTP Traffic
104.69.49.57

3] https://www.virustot...e7698/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
174.127.99.198
 



Edited by AplusWebMaster, 18 July 2017 - 06:03 AM.


#1961 AplusWebMaster

Posted 19 July 2017 - 05:56 AM

FYI...

Fake blank-subject SPAM - downloads Trickbot
- https://myonlinesecu...ubject-noreply/
18 July 2017 - "... Trickbot downloaders... from noreply@ random email addresses (all spoofed). Has a -blank- subject line and a zip attachment containing a VBS file...

Screenshot: https://myonlinesecu...t_vbs_email.png

doc00042714507507789135.zip extracts to: doc000799723147922720821.vbs - Current Virus total detections 9/57*.
Payload Security** shows a download of an encrypted text file from
 http ://pluzcoll .com/56evcxv? which is converted to nbVXsSxirbe.exe (VirusTotal 31/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1500373606/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
210.1.58.190
107.20.242.236


*** https://www.virustot...f838c/analysis/

pluzcoll .com: 210.1.58.190: https://www.virustot...90/information/
> https://www.virustot...19e51/analysis/
___

Fake 'Invoices' SPAM - deliver Trickbot
- https://myonlinesecu...banking-trojan/
19 July 2017 - "... pdf attachments that drops a malicious macro enabled word doc that delivers Trickbot...
today we have seen 3 different campaigns and subjects all eventually leading to the same Trickbot payload..."
___

Fake 'RFQ' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
19 July 2017 - "... emails containing java adwind or Java Jacksbot attachments...
Screenshot: https://myonlinesecu...nery-Co-Ltd.png..."
___

Bots - searching for Keys & Config Files
- https://isc.sans.edu/diary/22630
2017-07-19 - "... yesterday, I found a -bot- searching for... interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically leave juicy data amongst the HTML files... Each file was searched with a different combination of lower/upper case characters... This file could contain references to hidden applications (This is interesting to know for an attacker)..."
(More detail at the isc URL above.)
___

 

'Cloud' - Data Leak results from Amazon AWS Configuration Error

> http://www.darkreadi.../d/d-id/1329382

7/18/2017 - "A data leak at Dow Jones & Co. exposed the personal information of millions of customers after a public cloud configuration error. This marks the fifth major public cloud leak in the past several months after similar incidents affected Verizon, the WWE, US voter records, and Scottrade. This mistake compromised millions of customers' names, account information, physical and email addresses, and last four digits of credit card numbers. It also affected 1.6 million entries in Dow Jones Risk and Compliance, a collection of databases used by financial companies for compliance with anti-money laundering regulations. All of this information was left exposed in an Amazon Web Services S3 bucket, which had its permission settings configured to let any AWS Authenticated User download data using the bucket's URL. Amazon defines "authenticated user" as anyone who has a free AWS account, meaning the data was available to more than one million users... Dow Jones has confirmed 2.2 million people were exposed. Based on the repository's size and composition, Upguard "conservatively estimates" up to four million people could have been affected, though it states* duplicated subscriptions may account for some of the difference. The publisher has "no reason to believe" any of the data was stolen..."

* https://www.upguard....-leak-dow-jones

 



Edited by AplusWebMaster, 19 July 2017 - 12:29 PM.

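The Dow Jones item above turns on one S3 ACL setting: a grant to the "Authenticated Users" group, which means any AWS account holder, not the bucket owner's own users. The check below is an added example (not code from Dark Reading, UpGuard or Dow Jones) that walks the grant structure boto3's get_bucket_acl() returns; the ACL dicts and the canonical-ID value are constructed placeholders so it runs offline.

```python
"""Flag S3 bucket ACL grants that expose a bucket to every AWS account holder.

Added example, not code from the write-ups quoted in this thread. It checks
the dict shape that boto3.client("s3").get_bucket_acl(Bucket=...) returns
(assumption: the caller has already fetched that dict). A constructed ACL is
embedded so the check runs offline. A bucket *policy* can expose data as
well and is not covered here.
"""

# Predefined group URIs that S3 ACLs use for "everyone".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Any of these lets the grantee list/fetch objects or rewrite the ACL itself.
EXPOSING_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}

# Constructed ACL in the shape boto3 returns: the owner has full control, but
# a second grant gives READ to AuthenticatedUsers (the mistake described in
# the Dow Jones leak). The canonical ID is a placeholder, not a real account.
EXPOSED_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
        # Log delivery group: a normal grant on a logging bucket, not public.
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

# The same bucket after the fix: only the owner grant is left.
PRIVATE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [EXPOSED_ACL["Grants"][0]],
}


def public_grants(acl):
    """Return (who, permission) pairs for grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees are specific principals
        uri = grantee.get("URI")
        permission = grant.get("Permission")
        if uri == ALL_USERS and permission in EXPOSING_PERMISSIONS:
            findings.append(("AllUsers (anonymous)", permission))
        elif uri == AUTHENTICATED_USERS and permission in EXPOSING_PERMISSIONS:
            # "Authenticated" here means anyone with any AWS account.
            findings.append(("AuthenticatedUsers (any AWS account)", permission))
    return findings


def is_exposed(acl):
    """True when at least one grant opens the bucket beyond named principals."""
    return bool(public_grants(acl))


if __name__ == "__main__":
    for name, acl in (("exposed", EXPOSED_ACL), ("private", PRIVATE_ACL)):
        print(name, public_grants(acl))
```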

#1962 AplusWebMaster

Posted 20 July 2017 - 07:54 AM

FYI...

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
20 July 2017 - "... Trickbot malspams... an email with the subject of 'eFax message from 8473365403' – 1 page(s), Caller-ID: 44-020-3136-4931 pretending to come from eFax but actually coming from a look-a-like domain <message@ efax-download .com> with a malicious word doc attachment... they are registered via Godaddy as registrar hosted on 160.153.16.19 and the emails are sent via AS8972 Host Europe GmbH 85.93.88.109. These are registered with what are obviously -fake- details...

Screenshot: https://myonlinesecu..._spam_email.png

... The -link- in the email body goes to
 https ://efax-download .com/pdx_did13-1498223940-14407456340-60
where you see page like this with-a-link to download the actual malware binary
 https ://efax-download .com/14407456340-60.zip. extracting to 14407456340-60.exe
The page tries initially to automatically download 14407456340-60.pdf.exe (VirusTotal 3/64*).
Payload Security**...
> https://myonlinesecu...ax-download.png

DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1500552776/
14407456340-60.pdf.exe

** https://www.hybrid-a...vironmentId=100

efax-download .com: 160.153.16.19: https://www.virustot...19/information/
> https://www.virustot...c7ed5/analysis/
___

Fake various subjects SPAM - deliver Trickbot, fake flashplayer
- https://myonlinesecu...stebin-adverts/
20 July 2017 - "... Trickbot banking Trojan campaign comes in an email with varying subjects including:
    paper
    doc
    scan
    invoice
    documents
    Scanned Document
    receipt
    order
They are all coming from random girls names at random email addresses. There is a zip attachment containing a VBS file...
Download sites found so far are listed on:
- https://pastebin.com/MGAVB1uz// Thanks to Racco42*

* https://twitter.com/Racco42
> Beware - for some reason the pastebin link is giving me -diverts- to a scumware site trying to download a -fake-flashplayer-hta-file (VirusTotal 17/58[1]) (Payload Security [2])
https ://uubeilisthoopla .net/85123457821940/be74be7a58e47c2837f71295a31d1533/24c3df3c0fe3c937281c3d8d7427e1da.html
  which downloads
 https ://uubeilisthoopla .net/85123457821940/1500548202679984/FlashPlayer.jse
(VirusTotal 4/58[3]) (Payload Security [4])...
1]  https://www.virustot...sis/1500548514/
FlashPlayer.hta

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
209.126.113.203

3] https://www.virustot...sis/1500549163/
FlashPlayer.jse

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
209.126.113.203
192.35.177.195


uubeilisthoopla .net: 209.126.113.203: https://www.virustot...03/information/
> https://www.virustot...20942/analysis/
 



Edited by AplusWebMaster, 21 July 2017 - 04:16 AM.


#1963 AplusWebMaster

Posted 21 July 2017 - 09:29 AM

FYI...

Fake 'Voice Message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
21 Jul 2017 - "... coming via the Necurs -botnet- is an email with the subject of 'Voice Message Attached from 01258895166' – name unavailable [random numbered]  pretending to come from vm@ unlimitedhorizon .co.uk with a zip attachment...

Screenshot: https://myonlinesecu...ted-horizon.png

01258895166_6382218_592164.zip: Extracts to: 01258861149_20170411_185381.wsf
Current Virus total detections 2/58*. Payload Security** shows a download from
 http ://avocats-france-maroc .com/sdfgdsg1? which gave a js file (VirusTotal 7/57[3]) (Payload Security[4]) which contacts a list-of-sites and should download an encrypted text file which is converted by the js file to the Trickbot binary. However, Payload Security[4] couldn’t get anything. The sites I can see in -this- js file are:
  aprendersalsa .com/nhg67r? – artegraf .org/nhg67r? – asheardontheradiogreens .com/nhg67r?
asuntomaailma .com/nhg67r?... It will probably be similar to an earlier Trickbot version...
Thanks to Racco42[5] who has found the download sites and payload - PasteBin[6].
> Caution: we have been seeing fake flashplayer downloads & diverts via malicious ads on pastebin...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1500641858/
01258861149_20170411_185381.wsf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
158.69.133.237

3] https://www.virustot...sis/1500641867/
sdfgdsg1.js

4] https://www.hybrid-a...vironmentId=100

5] https://twitter.com/...392692761284608

6] Updated > https://t.co/eD7MtOxind

avocats-france-maroc .com: 158.69.133.237: https://www.virustot...37/information/
> https://www.virustot...7d9e6/analysis/

aprendersalsa .com: 207.7.94.54: https://www.virustot...54/information/
> https://www.virustot...5646f/analysis/

artegraf .org: 185.58.7.72: https://www.virustot...72/information/

asheardontheradiogreens .com: 199.30.241.139: https://www.virustot...39/information/
> https://www.virustot...82dc5/analysis/

asuntomaailma .com: 185.55.85.4: https://www.virustot....4/information/
___

Malicious Chrome extensions / Facebook fraud - more
- https://www.helpnets...tealthy-botnet/
July 21, 2017 - "ESET* researchers have unearthed a botnet of some 500,000 infected machines engaged mostly in ad-related fraud by using malicious Chrome extensions, but also Facebook fraud and brute-forcing Joomla and WordPress websites..."
* https://www.welivese...tly-since-2012/
20 Jul 2017 - "... a huge botnet that they monetize mainly by installing malicious browser extensions** that perform ad injection and click fraud. However, they don’t stop there. The malicious Windows services they install enable them to execute anything on the infected host. We’ve seen them being used to send a fully featured backdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and WordPress administrator panels in an attempt to compromise and potentially resell them.
Figure 1 shows the full Stantinko threat from the infection vector to the final persistent services and related plugins:
> https://www.welivese...ics-blog-01.png
... Stantinko stands out in the way it circumvents antivirus detection and thwarts reverse engineering efforts to determine if it exhibits malicious behavior. To do so, its authors make sure multiple parts are needed to conduct a complete analysis. There are always -two- components involved: a loader and an encrypted component. The malicious code is -concealed- in the encrypted component that resides either on the disk or in-the-Windows-Registry. This code is loaded and decrypted by a benign-looking executable. The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed. Moreover, Stantinko has a powerful resilience mechanism. After a successful compromise, the victim’s machine has two malicious Windows services installed, which are launched at system startup. Each service has the ability to reinstall the other in case one of them is deleted from the system. Thus, to successfully uninstall this threat, both services must be deleted at the same time. Otherwise, the C&C server can send a new version of the deleted service that isn’t detected yet or that contains a new configuration..."
** https://www.helpnets...stantinko-1.jpg
(More detail at the welivesecurity URL above.)

(IOC's): https://github.com/e...aster/stantinko



Edited by AplusWebMaster, 21 July 2017 - 03:21 PM.


#1964 AplusWebMaster

Posted 25 July 2017 - 05:47 AM

FYI...

Weather .com, Fusion expose Data via Google Groups Config Error
> http://www.darkreadi.../d/d-id/1329449
7/24/2017 - "Major companies have publicly exposed messages containing sensitive information due to a user-controlled configuration error in Google Groups. Researchers at RedLock Cloud Security Intelligence (CSI) discovered Google Groups belonging to hundreds of companies inadvertently exposed personally identifiable information (PII) including customer names, passwords, email and home addresses, salary compensation details, and sales pipeline data. Internal messages also exposed business strategies, which could create competitive risk if in the wrong hands, explains RedLock*...
* https://blog.redlock...isconfiguration
The Weather Company, the IBM-owned operator of weather .com and intellicast .com, is among the companies affected. Fusion Media Group, parent company of Gizmodo, The Onion, Jezebel, Lifehacker, and other properties made the same mistake... The companies that leaked data accidentally chose the sharing setting 'public on the Internet', which enabled -anyone- on the Web to access -all- information contained in their messages. RedLock advises all companies using Google Groups to ensure 'private' is the sharing setting** for 'Outside this domain-access to groups'.  RedLock's CSI team routinely checks various cloud infrastructure tools for threat vectors, and monitors publicly available data to detect misconfigurations that could cause security incidents..."
** https://blog.redlock...oupsSetting.png
___

Petya decryptor for old versions released
- https://blog.malware...sions-released/
Last updated: July 25, 2017 - "Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project... Based on the released key, we prepared a decryptor that is capable of unlocking all the legitimate versions of Petya...
WARNING: During our tests we found that in some cases Petya may -hang- during decryption, or cause some other problems potentially -damaging- to your data. That’s why, before any decryption attempts, we recommend you to make an additional backup...
It -cannot- help the victims of pirated Petyas, like PetrWrap or EternalPetya (aka NotPetya)..."
(More detail at the malwarebytes URL above.)

Related:
- https://blog.malware...-piece-package/

- https://blog.malware...malware-author/
 



Edited by AplusWebMaster, 25 July 2017 - 01:21 PM.


#1965 AplusWebMaster

Posted 26 July 2017 - 05:17 AM

FYI...

Fake 'No Subject' SPAM - delivers Trickbot
- https://myonlinesecu...stage-download/
26 Jul 2017 - "Another Trickbot campaign overnight... Pretends to be a bill coming from notifications@ in.telstra .com.au.... You get a wsf file in zip to start with. That has a hardcoded single site in the file. That downloads a .js file which has 4 or sometimes 5 hardcoded urls which download an encrypted txt file that is converted by the js file to a working Trickbot binary. The name & reference number in the email is random...

Screenshot: https://myonlinesecu...lstra_email.png

May-July2017.zip: Extracts to: QPX_ 18941124638_411385.wsf - Current Virus total detections 4/57*.
Payload Security** downloads from dodawanie .com/?1 (or one of the other stage 2 sites listed in this pastebin[3] (VirusTotal 5/577[4]) (Payload Security[5]) which -cannot- examine the file because it is seen as txt. However, that downloads an encrypted file from one of the stage 3 sites listed in this pastebin report[6] which is converted by the script to an .exe file (VirusTotal 17/63[7]) (Payload Security[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501020013/
QPX_ 18941124638_411385.wsf

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
74.125.104.72
185.23.21.13


3] https://pastebin.com/RvHqTC7y

4] https://www.virustot...sis/1501026192/

5] https://www.hybrid-a...vironmentId=100

6] https://pastebin.com/RvHqTC7y

7] https://www.virustot...sis/1501041870/
C.exe

8] https://www.reverse....vironmentId=100
Contacted Hosts
216.58.198.196
216.58.198.206


dodawanie .com: 185.23.21.13: https://www.virustot...13/information/
> https://www.virustot...30a84/analysis/
___

Fake 'Account secure documents' SPAM - delivers Trickbot
- https://myonlinesecu...ivers-trickbot/
26 Jul 2017 - "An email with the subject of 'Account secure documents' pretending to come from HSBC but actually coming from a look-alike-domain <noreply@ hsbcdocs .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan ...

Screenshot: https://myonlinesecu...ments_email.png

The word doc looks like:
> https://myonlinesecu...tAdvice_doc.png

PaymentAdvice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
  https ://kartautoeskola .com/test/images/logo.png  which is -not- an image file but a renamed .exe file
that gets -renamed- to warrantyingresalesdioxide.exe and autorun (VirusTotal 1/63***) Payload Security[4]...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501070044/
PaymentAdvice.doc

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1501067853/
vaqqamsxhmfqdrakdrchnwhcd.exe

4] https://www.hybrid-a...vironmentId=100

kartautoeskola .com: 69.160.38.3: https://www.virustot....3/information/
> https://www.virustot...cfe4b/analysis/
___

BEC attacks more costly than Ransomware...
- http://www.darkreadi.../d/d-id/1329414
7/20/2017 - "... cybercriminals walked away with $5.3 billion from business email compromise (BEC) attacks compared with $1 billion for ransomware over a three-year stretch, according to Cisco's 2017 Midyear Cybersecurity Report released*...
* https://engage2deman...security_report
... Cisco's Martino says targeted cybersecurity -education- for employees can help prevent users from falling for BEC -and- ransomware attacks. The finance department could especially benefit from security training on phishing campaigns, so when the bogus-email comes across the transit of the CEO asking for a funds transfer it can be detected... Regular software patching also is crucial. When spam-laden-malware hits or ransomware attacks similar to WannaCry surfaces, the impact can be minimized... a balanced defensive and offensive posture, with not just firewalls and antivirus but -also- including measures to hunt down possible attacks through data collection and analysis..."
 



Edited by AplusWebMaster, 26 July 2017 - 11:22 AM.


#1966 AplusWebMaster

Posted 27 July 2017 - 04:59 AM

FYI...

Fake 'Invoice notification' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
27 Jul 2017 - "An email with the subject of 'Invoice notification with id number: 40533' pretending to come from random senders with a link-in-the-email to a malicious word doc delivers... malware... possibly Emotet banking Trojan...

Screenshot: https://myonlinesecu...umber-40533.png

GOCNX8263762.doc - Current Virus total detections 7/57*. Payload Security** shows a download from one of the sites listed below where a random named .exe is delivered (VirusTotal 13/62[3]) (Payload Security[4]).
The delivery sites are all compromised sites:
 http ://petruchio .org/zbmcicj/
 http ://danjtec .it/ldcgtgkew/
 http ://radiosmile .hu/q/
 http ://ihealthcoach .net/paqdauulaq/
 http ://btsound .com/erepr/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501132650/
URQTN6370102.doc

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1501134465/

4] https://www.hybrid-a...vironmentId=100

petruchio .org: 64.90.44.242: https://www.virustot...42/information/
> https://www.virustot...8ad51/analysis/

danjtec .it: 5.135.157.47: https://www.virustot...47/information/
> https://www.virustot...7e8d0/analysis/

radiosmile .hu: 92.61.114.191: https://www.virustot...91/information/
> https://www.virustot...60d5f/analysis/

ihealthcoach .net: 66.59.64.111: https://www.virustot...11/information/
> https://www.virustot...da823/analysis/

btsound .com: 74.220.199.25: https://www.virustot...25/information/
> https://www.virustot...1b72d/analysis/
 



Edited by AplusWebMaster, 27 July 2017 - 05:12 AM.


#1967 AplusWebMaster

Posted 31 July 2017 - 05:52 AM

FYI...

Fake 'Invoice' SPAM - leads to malware/Trojan
- https://myonlinesecu...coded-sections/
31 July 2017 - "Following on from THIS* -fake- invoice email is a -newer- version with a different word doc at the end of the link-in-the-email. Today’s email with the subject of 're: Invoice 622806' pretending to come from  senders with a known connection to the recipient. The link-in-the-email leads to a malicious word doc that eventually delivers Emotet/Geodo banking Trojan...
* https://myonlinesecu...livers-malware/

Screenshot: https://myonlinesecu...oice-622806.png

ZDFRRI208.doc - Current Virus total detections 1/58[1]. Payload Security[2] doesn’t show any download... Twitter contacts Malwarehunterteam[3] and Antelox[4] have found some of the associated download urls and payload...
These word docs are using various tricks that make it difficult for the online sandboxes to decode/analyse, find the download sites and download the eventual payload. The url so far found is
 http ://macsys.ca/ZQRZCy/ but... there are others.
1] https://www.virustot...sis/1501480309/
BNCKKK930.doc

2] https://www.hybrid-a...vironmentId=100

3] https://twitter.com/...913205047590913

4] https://twitter.com/...914028246638592

Update: another contact[5] has found[5a] the complete list (pastebin[6])
    http ://macsys .ca/ZQRZCy/ > 216.177.130.19
    http ://paulplusa .com/jUiYKJFIuj/ > 216.97.239.25
    http ://josephconst .com/cByNSVwsK/ > 67.228.48.40
    http ://cs-skiluj.sanfre .eu/PSArDr/ > 185.5.98.24
    http ://itdoctor .ca/jgaeQ/ > 67.205.112.177

5] https://twitter.com/...922001647894528

5a] https://twitter.com/...918128627597315

6] https://pastebin.com/Cdvat2Bp

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
> https://www.hybrid-a...vironmentId=100
Contacted Hosts
207.210.245.164
___

Fake 'Receipt' SPAM - delivers ransomware
- https://myonlinesecu...obe-ransomware/
31 July 2017 - "... malware downloaders pretending to be a 'payment receipt' -or- a 'receipt' is an email with the subject of 'Receipt 21426' coming or pretending to come from donotreply@ random email addresses with a zip attachment containing a .vbs file that delivers globe ransomware. The zip name corresponds with the subject line. There are a mass of subject lines today. Some of the patterns include:
    Receipt#83396
    Receipt 21426
    Payment-421
    Payment Receipt 222
    Payment Receipt#97481
    Payment Receipt_8812
    Receipt-351
    Payment Receipt_03950 ...
One of the emails looks like:
From: donotreply@ blueprintrecruitment .co.uk
Date: Mon 31/07/2017 11:15
Subject:  Receipt 21426
Attachment: P21426.zip
[Body content:]
    Attached is the copy of your payment receipt.


P21426.zip: Extracts to: 20172.2017-07-31_75.20.68.vbs - Current Virus total detections 7/58*. Payload Security**  shows a download of a txt file from
  http ://koeweg .de/98wugf56? > 81.169.145.77
which is simply renamed by the script to a random named .exe file (VirusTotal 14/64[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501499651/
20172.2017-07-31_75.20.68.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.145.77

3] https://www.virustot...sis/1501501469/

4] https://www.hybrid-a...vironmentId=100
Associated URLs: http ://okdomvrn .ru/98wugf56?
okdomvrn .ru: 92.53.96.9: https://www.virustot....9/information/
> https://www.virustot...380ed/analysis/
 



Edited by AplusWebMaster, 01 August 2017 - 07:12 AM.


#1968 AplusWebMaster

Posted 01 August 2017 - 12:24 PM

FYI...

Fake 'secure message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
1 Aug 2017 - "An email with the subject of 'You have a new secure message waiting' pretending to come from Santander but actually coming from a look-alike-domain Santander <pleasedonotreply@ -santandersecuremessage- .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...age-waiting.png

SecureMessage.doc - Current Virus total detections 5/58* Payload Security** shows a download from
  http ://lexpertpret .com/fr/nologo.png which of course is -not- an image file but a renamed .exe file that gets renamed to ywbltmn.exe and autorun (VirusTotal 16/63[3]) (Payload Security[4]). An alternative download location is
  https ://hvsglobal .co.uk/image/nologo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501605462/
SecureMessage.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...sis/1501604882/
ywbltmn.exe

4] https://www.hybrid-a...vironmentId=100

lexpertpret .com: 216.138.226.110: https://www.virustot...10/information/
> https://www.virustot...5c217/analysis/

hvsglobal .co.uk: 192.185.37.229: https://www.virustot...29/information/
> https://www.virustot...eea4b/analysis/
___

Fake 'Voicemail' SPAM - delivers Trojan
- https://myonlinesecu...banking-trojan/
1 Aug 2017 - "... an email with the subject of 'Voicemail From 845-551-#### at 9:35AM' pretending to come from Microsoft Voice <MSVoice@ your own email domain> downloads Emotet banking Trojan...

Screenshot: https://myonlinesecu...66-at-935AM.png

VM97358238_20170801.zip: Extracts to: VM9742814303_20170801.vbs Current Virus total detections 16/55*
Payload Security**. Manual analysis of the vbs file shows these download sites hardcoded in a base64 encoding with a bit of extra nonsense padding to try to hide them (there will be loads of other sites in other vbs files attached to a -different- version of this)
 showyourdeal .com/JHghjHy6? > 143.95.99.159
 89tg7gjkkhhprottity .com/af/JHghjHy6 > 91.214.114.154
 mybutterhalf .com/JHghjHy6? > 208.91.198.170
 dreamoneday .com/JHghjHy6? > 103.21.58.181
These are downloaded as txt files but are simply renamed .exe files (VirusTotal 16/55[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...sis/1480616575/
-6dt874p53077.js

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts


Update: it appears that this is more likely to be Globeimposter ransomware* not Emotet. It looks like I was misled by initial detections on VirusTotal and the delivery method.
* https://twitter.com/...613372889399296
2nd Update 2 August 2017: This campaign has continued on and off all night (UK time) with a slight change to the zip file names. From exactly midnight UK time last night the last part of the zip name ( the date) changed from VM#######_20170801.zip to VM#######_20170802.zip. Looking through a few of the nearly 600 I received, it looks like the download sites are the -same- as many of the sites in yesterday’s (and earlier) Trickbot and  globeimposter campaigns that I didn’t report on because of other real world commitments. A list of sites can be seen in VT comments**. Just change /98wugf56 to /JHghjHy6 (quite a few sites are live using the latest file name format).
** https://www.virustot...1fa27/analysis/
 



Edited by AplusWebMaster, 02 August 2017 - 04:16 AM.

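The Santander post above, the 26 July HSBC post and the earlier eFax post all rely on the same disguise: a download named logo.png or nologo.png that is really a renamed .exe, or a double extension like 14407456340-60.pdf.exe. The triage routine below is an added example (not the myonlinesecurity author's code) that judges a download by its leading bytes and its name rather than by the name alone; the byte strings are constructed stand-ins for such downloads.

```python
"""Triage a downloaded file by its content rather than its name.

Added example, not code from the posts quoted in this thread. It flags the
two tricks those Trickbot lures used: an image or PDF name over a Windows
executable, and a double extension ending in a script or executable type.
The sample blobs below are constructed; they are not the real payloads.
"""
import os

# Leading bytes the claimed formats must start with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MZ_HEADER = b"MZ"  # DOS stub at the start of every Windows PE executable
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta"}


def triage(filename, data):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    inner = os.path.splitext(root)[1]

    # Double extensions such as invoice.pdf.exe hide a script or executable
    # behind a document-looking name.
    if inner and ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension {inner}{ext}: executable disguised as {inner}")

    # The name claims an image or PDF, but the bytes do not carry that signature.
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not match the {ext} signature")

    # A PE header under a non-executable name is a renamed .exe.
    if data.startswith(MZ_HEADER) and ext not in EXECUTABLE_EXTENSIONS:
        findings.append("MZ header: renamed Windows executable")
    return findings


# Constructed samples: a minimal fake PE stub and a genuine-looking PNG header.
FAKE_PE = MZ_HEADER + b"\x90\x00" + b"\x00" * 60
REAL_PNG = MAGIC[".png"] + b"\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for name, blob in (("logo.png", FAKE_PE), ("logo.png", REAL_PNG),
                       ("14407456340-60.pdf.exe", FAKE_PE)):
        print(name, triage(name, blob))
```

An encrypted .txt stage (like the 82yyfh3 download in the Vodafone post) produces no finding here, since it carries neither signature; that case needs the decoding script itself to be examined.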

#1969 AplusWebMaster

Posted 02 August 2017 - 09:19 AM

FYI...

Fake 'Online Bill' SPAM - delivers malware
- https://myonlinesecu...banking-trojan/
2 Aug 2017 - "... malspam campaign pretending to be a 'Vodafone bill'. These started earlier this morning with links-in-the-email to a compromised or fraudulently set up SharePoint business site that soon stopped delivering the malware payloads. They then quickly switched to a whole host of other compromised sites to host the word doc that is the first stage in the malware download process. This is definitely a dyre based banking Trojan and might be Dridex or might be Trickbot...

Screenshot: https://myonlinesecu...ady-to-view.png

Bill_02082017.doc - Current Virus total detections 21/59*. Payload Security** downloads an encrypted txt file from one of these 3 sites (may be more in other macros so far not examined):
  http ://ortaokuldayiz .com/82yyfh3 > 94.73.148.130
  http ://trredfcjrottrdtwwq .net/af/82yyfh3 > 54.214.108.57
  http ://eoliko .com/82yyfh3 > 5.100.152.26
which is converted by the script to sultan8.exe (VirusTotal 16/63[3]) (Payload Security[4])...
Eset Ireland did mention this one earlier today:
> https://blog.eset.ie...trojan-malware/
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...59eb8/analysis/
Bill_02082017.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...65b22/analysis/
82yyfh3.exe

4] https://www.hybrid-a...vironmentId=100
Filename: 82yyfh3
 



Edited by AplusWebMaster, 02 August 2017 - 01:19 PM.


#1970 AplusWebMaster

Posted 03 August 2017 - 05:04 AM

FYI...

Fake 'Secure Email' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
3 Aug 2017 - "An email with the subject of 'Nationwide Secure Email – Secured Message' pretending to come from Nationwide but actually coming from a look-a-like domain <secured@ nationwidesecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... Today’s example of the spoofed domain is nationwidesecure .co.uk 184.168.221.37  ip-184-168-221-37 .ip.secureserver .net...

The word doc attachment looks like this and tells you to use the non existent passphrase to open it. The blue moving circle makes you think that you need to enable the content & macros to see the hidden secure content.
DO NOT enable the macros or content. You WILL be infected:
> https://myonlinesecu...-Secure_doc.png

Secure.doc - Current Virus total detections 7/58*. Payload Security** shows a download from
 http ://catterydelacanaille .be/logo.png which of course is -not- an image file but a renamed .exe file
that gets renamed to tyltl.exe and autorun (VirusTotal 15/65[3]). An alternative download location is
 http ://carriereiserphotography .com/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1501756792/
Secure.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.255.9.40
37.120.182.208
185.30.144.205


3] https://www.virustot...sis/1501755791/
tyltl.exe

catterydelacanaille .be: 89.255.9.40: https://www.virustot...40/information/
> https://www.virustot...44ba2/analysis/

carriereiserphotography .com: 72.32.177.50: https://www.virustot...50/information/
> https://www.virustot...b9dce/analysis/
___

'Payment copy' - Phish
- https://myonlinesecu...il-credentials/
3 Aug 2017 - "... phishing attempts for email credentials. This one is slightly different than many others and surprisingly creative from the phisher. It pretends to be a message saying to 'download a payment copy and please ship the goods' they have ordered...

Screenshot: https://myonlinesecu...ishing-scam.png

If you follow the link inside the email you see a webpage looking like this:
 http ://clcktoviewnow.a-acheter .org/  which contains an -Iframe- to
 http ://www.pensiunea-ciobanelu .ro/view-ttcpy/
which actually displays the phishing attempt:
> https://myonlinesecu...s_pensiunea.png

After you input your email address and password, you get told “Please wait download will start in a minute”. It never does, there is no download of anything, whether malware or a genuine “fake” invoice or payment receipt  and this is simply a phishing -scam- to get your email account credentials:
> https://myonlinesecu..._pensiunea2.png

... these emails use Social engineering tricks to persuade you to open the attachments or follow links in emails..."

clcktoviewnow.a-acheter .org: 85.14.138.114: https://www.virustot...14/information/
> https://www.virustot...2319e/analysis/

pensiunea-ciobanelu .ro: 89.40.32.15: https://www.virustot...15/information/
> https://www.virustot...18c36/analysis/
 



Edited by AplusWebMaster, 03 August 2017 - 05:57 AM.


#1971 TheJoker

Posted 06 August 2017 - 10:36 AM

Linux Kernel Race Condition in inotify_handle_event() and vfs_rename() Lets Local Users Gain Elevated Privileges
http://www.securityt....com/id/1039075
 
Description:   A vulnerability was reported in the Linux kernel. A local user can obtain elevated privileges on the target system.

Impact: A local user can obtain elevated privileges on the target system.

Solution: The vendor has issued a source code fix, available at:
https://git.kernel.o...1208422b4091cd9

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#1972 AplusWebMaster

Posted 14 August 2017 - 05:18 AM

FYI...

Fake 'Beneficiary’s Details' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
14 Aug 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... 'previously mentioned many of these HERE*. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically...
* https://myonlinesecu.../?s=java adwind

Screenshot: https://myonlinesecu...12602119326.png

The link in the email body goes to
 http ://karizma-co .com/wp-admin/user/Beneficiary%27s Details.R01 (VirusTotal 0/65[1]) (almost certainly a compromised WordPress website) where a zip file is downloaded.
Beneficiary’s Details.zip - Extracts to Beneficiary’s Details.jar (478kb) - Current Virus total detections 1/59[2]
Payload Security[3]... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustot...sis/1502700304/

2] https://www.virustot...sis/1502679993/
Xpressmoney Global network.jar

3] https://www.hybrid-a...vironmentId=100
File Details:
Beneficiary's Details.jar

karizma-co .com: 5.189.185.178: https://www.virustot...78/information/
___

Fake 'Secure Email' SPAM - delivers trickbot
- https://myonlinesecu...ivers-trickbot/
14 Aug 2017 - "An email with the subject of 'You have a Santander Secure Email' pretending to come from Santander Bank but actually coming from a look-a-like domain <message@ santanderdocs .co.uk> with an html attachment which downloads a  malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is
santanderdocs .co.uk: 160.153.162.141: https://www.virustot...41/information/
> https://www.virustot...1ffb3/analysis/

I don’t have an actual email. The information was forwarded to me and only has the basic details with -no- email body content. The email looks like:
From: Santander  <message@santanderdocs .co.uk>
Date: 14 August 2017 20:12
Subject: You have a Santander Secure Email
Attachment: SecureDoc.html


Screenshot of word doc: Beware of the -login- in the word doc. It is only there to persuade the recipient to enable content which allows the macros-to-run and infect you. Do NOT follow those instructions:
> https://myonlinesecu...r_SecureDoc.png

SecureDoc.doc - Current Virus total detections 3/58*. Payload Security**. This malware file downloads from
 http ://cfigueras .com/armanistand.png which of course is -not- an image file but a renamed .exe file that gets renamed to Cqgcf.exe (VirusTotal 10/64[3]). An alternative download location is
 http ://centromiosalud .es/armanistand.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1502715405/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.255.225.215
158.69.26.138
46.160.165.31


3] https://www.virustot...sis/1502713865/

cfigueras .com: 51.254.83.173: https://www.virustot...73/information/
> https://www.virustot...ff174/analysis/

centromiosalud .es: 178.255.225.215: https://www.virustot...15/information/
> https://www.virustot...fd183/analysis/
 



Edited by AplusWebMaster, 14 August 2017 - 03:26 PM.


#1973 AplusWebMaster

Posted 16 August 2017 - 04:10 AM

FYI...

Fake 'eFax' SPAM - delivers trickbot
- https://myonlinesecu...banking-trojan/
15 Aug 2017 - "An email with the subject of 'eFax' pretending to come from eFax but actually coming from a look-a-like domain eFax <noreply@ faxdocuments120 .ml> with a malicious word doc attachment is today’s latest spoof of a well known company, messaging service, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ocuments120.png

The word doc looks like:
> https://myonlinesecu...53_2425_doc.png

efax42542153_2425.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
 http ://cfigueras .com/nothing44.png which of course is -not- an image file but a renamed .exe file that gets renamed to Qhdizwg.exe and autorun (VirusTotal 14/64***). An alternative download location is
 http ://cfai66 .fr/nothing44.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1502883132/
efax42542153_2425.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
51.254.83.173
158.69.26.138
185.141.26.86
185.40.20.42


*** https://www.virustot...sis/1502881050/
Qhdizwg.exe

cfigueras .com: 51.254.83.173: https://www.virustot...73/information/
> https://www.virustot...c777e/analysis/

cfai66 .fr: 87.252.5.144: https://www.virustot...44/information/
> https://www.virustot...57f20/analysis/
___

Locky ransomware returns - two new "flavors"
- https://blog.malware...wo-new-flavors/
Aug 16, 2017 - "We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware... From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files with the rescue note: “diablo6-[random] .htm“. Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note: “lukitus .html“... Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script:
> https://blog.malware...cus_MalSpam.png
... The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should
-never- assume Locky is gone simply because it’s not active at a particular given time..."
(More detail at the first malwarebytes URL above.)
___

Paypal phish - fake verification
- https://isc.sans.edu/diary/22726
2017-08-16 - "There are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new -fake- pages almost daily. Sometimes, the web server isn’t properly configured and the source code is publicly available... I presume that the kit is related to a spam campaign but I did not get the initial email. Based on the quality of the kit, I suspect the email to be properly written. As usual, it starts with the classic Paypal login page:
- https://isc.sans.edu...-20170816-1.png
Then a fake verification page is displayed to warn the victim that a check of the account must be performed. Note that the values are hard coded:
- https://isc.sans.edu...-20170816-2.png
The next steps ask the victim to enter his/her details, including banking details:
- https://isc.sans.edu...-20170816-4.png
Graphically, the different pages are very clean and use components from the Paypal website to reproduce a look and feel very close to the official pages... There is also a second check of the IP address included in the PHP code. If a valid IP address or User-Agent is detected, an HTTP error 404 (page not found) is returned... When the verification screens are displayed to the victim, fields are prefilled with the extracted information from Paypal. This is really evil! All fields are also validated to prevent garbage and increase the chance to capture real data. Depending on the card number that the victim provided, a next screen is presented to fill bank details. Based on the source code, three countries are targeted: US, CA and UK. Depending on the bank, specific forms are displayed to request valid connection details... At the end of the “verification process”, an email is sent to the attacker with all the victim's details. The destination is a gmail .com account... If most phishing kits remain simple and can be easily spotted by the victims, some of them are really well developed and harder-to-catch, especially if the URL used is nicely chosen and distributed via HTTPS. This kit was huge with more than 300 files in a 1.8MB ZIP file. Take care!"
 



Edited by AplusWebMaster, 16 August 2017 - 01:34 PM.


#1974 AplusWebMaster

Posted 17 August 2017 - 04:35 AM

FYI...

Fake 'invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
17 Aug 2017 - "... an email with the subject of 'Your Xero Invoice INV-0855485' coming from subscription.notifications@ xeronet .org which uses -compromised- sharepoint aka onedrive for business accounts to deliver Dridex banking Trojan...

Screenshot: https://myonlinesecu...INV-0855485.png

The -link- in the body of the email is to
 https ://lakesambel-my.sharepoint .com/personal/contact_caravanparkbeechworth_com_au/_layouts/15/guestaccess.aspx?docid=03b4b6316d9ca4fa48971a9101a38b364&authkey=Afo8hRz5LV65-XWim02sZtg
where a zip file containing a .js file is downloaded.

Xero Invoice.zip: Extracts to: Xero Invoice.js - Current Virus total detections 20/57[1]. Payload Security[2]
This malware downloads from
 https ://stakks-my.sharepoint .com/personal/accounts_stakks_com_au/_layouts/15/guestaccess.aspx?docid=0426cc21c900f4425bfd868cf0a9bc836&authkey=AdVBGQCO-SGtytiexhgUfw8
to deliver documents.xero which is -renamed- to Y739Ayh.exe (VirusTotal 34/65[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustot...sis/1502950371/

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...c0aea/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.174.100.16
117.121.243.232
74.208.64.187
104.236.218.169
31.31.77.229


lakesambel-my.sharepoint .com: 13.107.6.151: https://www.virustot...51/information/

stakks-my.sharepoint .com: 13.107.6.151
___

Fake 'Outstanding invoices' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
17 Aug 2017 - "An email with the subject of 'Outstanding invoices email 1 of 2' pretending to come from random names and email addresses with a malicious word doc attachment delivers Locky Ransomware...

Screenshot: https://myonlinesecu...mail-1-of-2.png

056757.doc - Current Virus total detections 15/58*. Payload Security**.
This malware downloads from
 http ://campingtossa .com/87wifhFsdf (VirusTotal 23/63***).
There will be dozens if not hundreds of other downloads sites in different versions of these word docs...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1502969190/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
188.93.73.211
212.109.220.109


*** https://www.virustot...sis/1502969865/
87wifhFsdf.exe

campingtossa .com: 188.93.73.211: https://www.virustot...11/information/
 



Edited by AplusWebMaster, 17 August 2017 - 06:33 AM.


#1975 AplusWebMaster

Posted 18 August 2017 - 07:52 AM

FYI...

Fake 'order' SPAM - links deliver malware
- https://myonlinesecu...livers-malware/
18 Aug 2017 - "... an email with the subject of 'Your order no 8194788 (random numbers) has been processed' coming from random names @ creatingkindly .com which delivers some sort of malware... These pretend to be an order confirmation for cotton material from a -random- name shop with a -fake- address...

Screenshot: https://myonlinesecu...n-processed.png

The email has a -link- in the body to
 http ://michellesteve .com/victim_name/8194788.php?recipient-id=bzmqkpohrma&=282193283842&395981697844=760611824 which downloads document.zip:  which Extracts to: document.lnk
- Current Virus total detections 6/55[1]. Payload Security[2].
An alternative email had the -link- to
 http ://letsgetvisibility .com/victim_name/6290807.php?id-ee=ycttmymbp&=vdfq&jxkhgrs=vddrhdu
which currently gives me a 404 on the entire domain although it does have registration details from 2015.
This malware downloads from
 http ://otp.forgetmenotbeading .com/valid.bin which is -renamed- by the script to combo.exe
(VirusTotal 8/61[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it... -Never- attempt to open a zip directly from your email, that is a guaranteed way to get infected... just delete the unexpected zip and not risk any infection..."
1] https://www.virustot...sis/1503034822/
document.zip

2] https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1503034808/
valid.bin

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
65.55.50.189
185.117.73.5


creatingkindly .com: 50.63.202.38: https://www.virustot...38/information/

michellesteve .com: 185.61.152.60: https://www.virustot...60/information/

letsgetvisibility .com: A temporary error occurred during the lookup...

[Corrected to:] otp.forgetmenotbeading .com: 185.183.97.141: https://www.virustot...7607e/analysis/
___

Cloud: User Account Attacks jumped 300% since 2016
... Most of these Microsoft user account compromises can be attributed to weak, guessable passwords and poor password management...
- http://www.darkreadi.../d/d-id/1329666
8/17/2017 - "... 'One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites', the report* states... Attackers -frequently- compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning..."
* http://download.micr...t_Volume_22.pdf
 



Edited by AplusWebMaster, 18 August 2017 - 09:37 AM.


#1976 AplusWebMaster

Posted 21 August 2017 - 12:45 PM

FYI...

Fake 'please print' 'images etc' SPAM - delivers Cerber
- http://blog.dynamoo....images-etc.html
21 Aug 2017 - "I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

    Subject:       images
    From:       "Sophia Passmore" [Sophia5555@ victimdomain .tld]
    Date:       Fri, May 12, 2017 7:18 pm

    *Sophia Passmore*

--
    Subject:       please print
    From:       "Roberta Pethick" [Roberta5555@ victimdomain .tld]
    Date:       Fri, May 12, 2017 7:18 pm

    *Roberta Pethick*


In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58*. Both samples contained a malicious Javascript named 20170821_08914700.js ...
Automated analysis [1] [2] shows a download from the following locations:
gel-batterien-agm-batterien .de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh .info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]
The Hybrid Analysis report[1] shows an executable being dropped which is Cerber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64[3].
Recommended blocklist:
46.4.91.144
119.28.100.249
"
* https://virustotal.c...ee573/detection
??

1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.4.91.144
119.28.100.249
216.58.206.228


2] https://malwr.com/an...mVmMTJlNjg3Y2M/
Hosts
46.4.91.144
119.28.100.249


3] https://www.virustot...a234c/analysis/
___

Fake 'O2 Bill' SPAM - delivers Emotet banking Trojan
- https://myonlinesecu...banking-trojan/
21 Aug 2017 - "... an email with the subject of 'My O2 Business – Your O2 Bill is ready' – (recipient’s name) coming from random senders which delivers Emotet banking Trojan. There have also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in -all- the campaigns...

Screenshot: https://myonlinesecu.../08/O2_bill.png

Update 22 August 2017: a new malspam run this morning with a slightly changed subject 'Your O2 bill is ready' – (recipient name) still coming from random senders but pretending to come from 'O2 bill'. There have also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in all the campaigns...
Screenshot: https://myonlinesecu.../08/O2_bill.png

The link in the email is to various sites where a word doc is downloaded. Some sites include:
The word doc when opened [ and -if- you are unwise enough to enable macros ] will drop an encoded/obfuscated  PowerShell script that has several obfuscated hard coded URLs inside it which download the actual Emotet banking Trojan. These do need quite a bit of decoding to get to the payload.
Some of today’s Urls are:
http ://ohleronline .com/qnhvqLeGds/ > Could not find an IP address for this domain name.
http ://wilsondesign .com.au/EmOYzciXN/ > 192.232.203.190
http ://effectiveit .com.au/zrMwJInVT/ > 175.107.174.7
http ://portseven .com.br/AEVHV/ > 67.23.238.138
http ://nubodyofdallas .com/FwJSgvPKF/ > 74.124.198.22
... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it...
Analysis reports: Note the binaries update at frequent intervals during the day (time of the malware campaign) so you will get -different- versions/file hashes from those mentioned here."
Word Doc: > https://www.virustot...ec54e/analysis/
Rech-03674886877.doc
O2 bill - 000952128372.doc

> https://www.hybrid-a...vironmentId=100

Dropped binary: > https://www.virustot...sis/1503320867/
nvidiamath.exe

> https://www.virustot...sis/1503333837/
vHsZK.exe

> https://www.hybrid-a...vironmentId=100
Contacted Hosts
104.236.252.178
storagewmi.exe

> https://www.hybrid-a...vironmentId=100
HTTP Traffic
104.236.252.178
 



Edited by AplusWebMaster, 22 August 2017 - 03:54 AM.


#1977 AplusWebMaster

Posted 22 August 2017 - 04:25 AM

FYI...

Fake 'Voicemail Service' SPAM - delivers ransomware
- http://blog.dynamoo....il-service.html
22 Aug 2017 - "This -fake- voicemail leads to malware:
    Subject:       [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
    From:       "Voicemail Service" [pbx@ local]
    Date:       Tue, August 22, 2017 10:37 am
    To:       "Evelyn Medina"
    Priority:       Normal
    Dear user:
            just wanted to let you know you were just left a 0:53 long message (number 46)
    in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
    so you might want to check it when you get a chance.  Thanks!
                                    --Voicemail Service


The numbers and details -vary- from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js...
The script has a VirusTotal detection rate of 14/59*.
According to automated analysis [1] [2] the script reaches out to the following URLs:
5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]
A -ransomware- component is dropped (probably Locky) with a detection rate of 16/64[3]."
* https://virustotal.c...ae059/detection
??

1] https://malwr.com/an...WE0OWUxNGZkMTA/
msg6355.js
Hosts
91.234.195.48
5.196.99.239


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.58.209.238
91.234.195.48
5.188.63.30


3] https://www.virustot...cd38f/analysis/
jbfr387

> https://myonlinesecu...delivers-locky/
22 Aug 2017 - "... an email with the subject of '[PBX]: New message 10 in mailbox 101 from 100GOFEDEX' <7820413853> pretending to come from 'Voicemail Service' <pbx@ local>... The new message number, mailbox number, gofedex number and telephone number are all random. All of these are being sent to Evelyn Medina <random_name@ recipient_domain .tld>...

Screenshot: https://myonlinesecu...x-voicemail.png

msg0575.rar: Extracts to: msg0575.js - Current Virus total detections 16/55*. Payload Security** delivers
bURnweP2.exe VirusTotal 16/65***...
There are literally hundreds of sites listed in the different versions of js files - when one of the other researchers uploads a list of today’s sites, I will edit this post to link to it...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
File Details
msg4975.js
Contacted Hosts
37.247.123.33
94.242.59.239
5.196.99.239


*** https://www.virustot...cd38f/analysis/
jbfr387[1].3164.dr
___

Fake 'Payments request' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
22 Aug 2017 - "An email with the subject of 'Payments request' pretending to come from HSBC but actually coming from a look-a-like domain <message@ hsbc-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is hsbc-mail .co.uk 89.233.106.146. As usual they are registered via Godaddy as registrar and the emails are being sent via 89.233.106.146 AS35017 Swiftway Sp. z o.o...

Screenshot: https://myonlinesecu...nts-request.png

Word doc looks like: https://myonlinesecu...cuments_doc.png

PaymentDocuments.doc - Current Virus total detections 3/59*. Payload Security**. This malware file downloads from
 http ://pfsmoney .com/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to vgjqlt.exe and autorun (VirusTotal 13/65***).
An alternative download location is
 http ://panda .biz/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...a3167/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.191.25.102
37.120.182.208
194.87.144.16
172.93.37.143


*** https://www.virustot...sis/1503394753/

pfsmoney .com: 162.144.12.198: https://www.virustot...98/information/
> https://www.virustot...901b0/analysis/

panda .biz: 192.64.147.215: https://www.virustot...15/information/
___

Fake 'Purchase Order' SPAM - delivers nanocore RAT
- https://myonlinesecu...s-nanocore-rat/
22 Aug 2017 - "... an email with the subject of 'Purchase Order' coming from Angelika Rodriguez  <zales@ municipiodepaute .gob.ec>[1] which delivers what is probably a nanocore RAT (it matches yara sigs for that malware)...
1] http://www.reputatio...29.250&d=gob.ec

Screenshot: https://myonlinesecu...chase-order.png

Purchase_Order_List_Aug.zip: Extracts to: Purchase_Order_List_Aug.exe - Current Virus total detections 12/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503426139/
Purchase_Order_List_Aug.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
174.127.99.135
 



Edited by AplusWebMaster, 22 August 2017 - 01:33 PM.

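The Nationwide, Santander, HSBC and Barclays reports above all share one trait: the display name names a bank while the sending domain is a look-alike (nationwidesecure .co.uk, santanderdocs .co.uk, hsbc-mail .co.uk). The check below is an added example, not code from these posts or the blogs they quote; the brand allowlist and the short public-suffix table are assumptions for illustration, and the sample headers are constructed from the senders reported above.

```python
"""Flag look-alike sender domains in bank-themed mail.

Added example, not code from the forum posts or the blogs they quote.
It pairs the brand named in the From display name, or embedded in the
sender's own domain label, with an allowlist of that brand's genuine
registrable domains. The allowlist below is an assumption for illustration;
build a real one from verified sources.
"""
from email.utils import parseaddr

# Assumed allowlist: brand token -> genuine registrable domains (illustrative).
BRAND_DOMAINS = {
    "nationwide": {"nationwide.co.uk"},
    "santander": {"santander.co.uk", "santander.com"},
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
    "barclays": {"barclays.co.uk", "barclays.com"},
    "efax": {"efax.com"},
}

# Two-label public suffixes that appear in the posts; a real deployment
# would use the Public Suffix List instead of this short table.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.br", "gob.ec"}


def registrable_domain(host: str) -> str:
    """Return the registrable part: 'secure.hsbc-mail.co.uk' -> 'hsbc-mail.co.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_in(text: str) -> set:
    """Brand tokens that occur as substrings of text (case-insensitive)."""
    low = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in low}


def check_sender(from_header: str) -> list:
    """Return sorted finding tags for a raw From: header value.

    'display-name-brand-mismatch': the display name names a brand but the
        sender's registrable domain is not one of that brand's genuine domains.
    'lookalike-domain': the attacker-chosen label of the sender domain itself
        embeds a brand token (hsbc-mail, barclaysmail) without being genuine.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-sender"]
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    findings = set()
    for brand in brands_in(display):
        if domain not in BRAND_DOMAINS[brand]:
            findings.add("display-name-brand-mismatch")
    # Only the leftmost label of the registrable domain is attacker-chosen;
    # the public suffix (co.uk) is not evidence of anything.
    for brand in brands_in(domain.split(".")[0]):
        if domain not in BRAND_DOMAINS[brand]:
            findings.add("lookalike-domain")
    return sorted(findings)


# Constructed From: headers modelled on the spoofed senders reported above,
# plus one genuine-looking header for contrast.
SAMPLE_HEADERS = [
    "Nationwide Secure Email <secured@nationwidesecure.co.uk>",
    "Santander <message@santanderdocs.co.uk>",
    "HSBC <message@hsbc-mail.co.uk>",
    "Barclays <message@barclays-mail.co.uk>",
    "eFax <noreply@faxdocuments120.ml>",   # brand only in the display name
    "HSBC <alerts@hsbc.co.uk>",            # genuine domain: no findings
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header:58s} -> {check_sender(header) or 'clean'}")
```

The eFax sample shows why the display-name check matters: faxdocuments120 .ml carries no brand token at all, so a domain-only rule would pass it.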

#1978 AplusWebMaster

Posted 23 August 2017 - 03:49 AM

FYI...

Fake 'purchase order' SPAM - delivers malware
- https://myonlinesecu...vering-malware/
23 Aug 2017 - "... an email with the subject of 'RFQ072017' coming from Stafford Shawn <staffordshawn1@ yahoo .com> (possibly random senders) but definitely coming via Yahoo email network with a zip attachment containing a file that pretends to be a pdf file but is an .exe file... All detections on VirusTotal are heuristic or generic detections but it is quite well detected.
Update: I am reliably informed it is nanocore RAT 1.2.2.0...

Screenshot: https://myonlinesecu...8/RFQ072017.png

SCAN_PO#20170823.PDF.z: Extracts to: SCAN_PO#20170823.PDF.z.exe - Current Virus total detections 23/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503458477/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.12.45.79
___

Fake 'Ref' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
23 Aug 2017 - "An email with the subject of 'Ref: 72381821' pretending to come from Barclays Bank but actually coming from a look-a-like domain Barclays <message@ barclaysmail .co.uk> -or- Barclays <message@ barclays-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are barclaysmail .co.uk 46.21.147.128 AS35017 Swiftway Sp. z o.o. and barclays-mail .co.uk 85.93.88.35  malta2333.startdedicated .net AS8972 Host Europe GmbH...

Screenshot: https://myonlinesecu...clays-email.png

Ref72381821.doc - Current Virus total detections 4/58*. Payload Security**... This malware file downloads from
 http ://eva-wagner .net/picture_library/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to hgfudf.exe and autorun (VirusTotal 18/63***). An alternative download location is
 http ://eva-poldi .at/logo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503484026/
attachment20170823-17020-5y3sht.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.138.14.149
37.120.182.208
51.254.164.249
188.165.62.11


*** https://www.virustot...1e212/analysis/
hgfudf.exe

eva-wagner .net: 148.251.26.133: https://www.virustot...33/information/
> https://www.virustot...2b542/analysis/

eva-poldi .at: 62.138.14.149: https://www.virustot...49/information/
> https://www.virustot...6d639/analysis/
___

Fake 'Fax' SPAM - delivers Locky
- https://myonlinesecu...-email-malspam/
22 Aug 2017 - "... series of Locky downloaders... an email with the subject of 'Fax from: (01242) 856225' [random numbers] pretending to come from Free Fax to Email <freefaxtoemail@ random email domain>...

Screenshot: https://myonlinesecu...1242-856225.png

Fax278044344f0dd0b.rar: Extracts to: Fax1423519vc18e7c3.js - Current Virus total detections 16/55*
Payload Security** - delivers /REjhb54 (VirusTotal ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.169.226.106
82.118.17.218
5.196.99.239


*** https://www.virustot...a2471/detection
??
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 23 August 2017 - 09:33 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1979 AplusWebMaster
Posted 24 August 2017 - 05:48 AM

FYI...

Fake 'Invoice' SPAM - leads to Locky
- http://blog.dynamoo....ce-copy-of.html
23 Aug 2017 - "This fairly generic spam leads to Locky ransomware:
    Subject:       Copy of Invoice 3206
    From:       "Customer Service"
    Date:       Wed, August 23, 2017 9:12 pm
    Please download file containing your order information.
    If you have any further questions regarding your invoice, please call Customer Service.
    Please do not reply directly to this automatically generated e-mail message.
    Thank you.
    Customer Service Department


A -link-in-the-email- downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis* has seen it all before. The download EXE (VT 21/64**) script POSTS to 5.196.99.239 /imageload.cgi (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler*** last year, so I would recommend blocking all traffic to 5.196.99.0/24."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts


** https://www.virustot...d6cd1/analysis/

*** https://pastebin.com/D5pXvR1W
 

:ninja: :ninja:   :grrr:



#1980 AplusWebMaster
Posted 24 August 2017 - 12:15 PM

FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
24 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from Bank of America but actually coming from a look-a-like domain Bank of America <message@ bofamsg .com> or Bank of America <message@ bofa-msg .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ssage_email.png

SecureMessage.doc - Current Virus total detections 7/58*. Payload Security**. This malware file downloads from
 http ://esp .jp/serca.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aoitas.exe (VirusTotal ***). An alternative download location is
 http ://enyahoikuen .com/serca.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...41ffa/analysis/
SecureMessage.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
121.50.42.51
78.47.139.102
195.133.197.70
79.124.78.81


*** https://www.virustot...74c77/analysis/
serca.png

esp .jp: 121.50.42.51: https://www.virustot...51/information/
> https://www.virustot...73f3a/analysis/

enyahoikuen .com: 202.231.207.151: https://www.virustot...51/information/
> https://www.virustot...e4cd1/analysis/
___

Fake 'BT bill' SPAM - delivers Locky
- https://myonlinesecu...y-fake-bt-bill/
24 Aug 2017 - "... Locky downloader... an email with the subject of 'New BT Bill' pretending to come from BT Business <btbusiness@ bttconnect .com> with a-link-in-the-body- of the email to download a zip file...

Screenshot: https://myonlinesecu...cky_BT-bill.png

bill-201708.zip: Extracts to: bill-201708.exe - Current Virus total detections 19/65*. Payload Security**.
Currently all the copies I am seeing (hundreds of them) have -2- download links in the email body:
 http ://kabbionionsesions .net/af/bill-201708.rar -and- http ://metoristrontgui .info/af/bill-201708.zip
-both- domains have been spreading Locky all day. The downloads are extremely slow but I eventually got the zip version. Also several emails with
 http ://kabbionionsesions .net/af/download.php (currently 404) and
 http ://kabbionionsesions .net/af/bill-201708.7z (also 404)...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1503597867/
bill-201708.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.179.190.31
216.58.206.228
216.58.206.238


kabbionionsesions .net: 47.89.246.2: https://www.virustot....2/information/
> https://www.virustot...c68bd/analysis/

metoristrontgui.info: 47.89.246.2: https://www.virustot....2/information/
> https://www.virustot...a7afd/analysis/
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 25 August 2017 - 11:53 AM.


#1981 AplusWebMaster
Posted 25 August 2017 - 05:38 AM

FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
25 Aug 2017 - "An email with the subject of 'You have a new secure Message' pretending to come from Lloyds Bank but actually coming from a look-a-like domain Lloyds Bank <message@ lloydsbankmsg .com> or Lloyds Bank <message@ lloydsbank-msg .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are lloydsbankmsg .com 46.21.147.242 and lloydsbank-msg .com 109.235.52.44 ...

Screenshot: https://myonlinesecu...ssage-email.png

The word doc looks like:
> https://myonlinesecu...Message_doc.png

EncryptedMessage.doc - Current Virus total detections 6/58*. Payload Security**. This malware file downloads from
 http ://fabianpfau .de/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to lnmflgf.exe (VirusTotal 13/65***). An alternative download location is
 http ://evakrause .nl/logo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503657342/
EncryptedMessage.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
176.28.13.220
216.239.32.21
131.153.40.196


*** https://www.virustot...sis/1503658322/
lnmflgf.exe

fabianpfau .de: 176.28.13.220: https://www.virustot...20/information/
> https://www.virustot...694d1/analysis/

evakrause .nl: 94.126.70.16: https://www.virustot...16/information/
> https://www.virustot...34f8c/analysis/
___

Fake 'Sage invoice' SPAM - leads to Locky
- http://blog.dynamoo....bscription.html
25 Aug 2017 - "This -fake- Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much[1] by the bad guys is a bit of a mystery.
[1] http://blog.dynamoo.com/search?q=sage

Screenshot: https://1.bp.blogspo.../s1600/sage.png

The link-in-the-email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.
helpmatheogrow .com/SINV0709.rar
hendrikvankerkhove .be/SINV0709.rar
heinverwer .nl/SINV0709.rar
help .ads .gov.ba/SINV0709.rar
harvia .uz/SINV0709.rar
The RAR file itself contains a malicious VBS script... with a detection rate of 19/56*, which attempts to download another component from:
Automated analysis of the file [1] [2] shows a dropped binary with a 39/64** detection rate, POSTing to 46.183.165.45 /imageload.cgi (Reg.Ru, Russia)
Recommended blocklist:
46.183.165.45 "
* https://virustotal.c...a9b2c/analysis/
bill-201708.exe

1] https://malwr.com/an...TQyMTEzNDU0MWY/
SINV0709.vbs
Hosts
203.183.65.225
46.183.165.45


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
203.183.65.225
46.183.165.45


** https://www.virustot...cc86e/analysis/
bill-201708.exe

... Fake 'Sage invoice' variant - delivers Locky
> https://myonlinesecu...cky-ransomware/
24 Aug 2017

Screenshot: https://myonlinesecu...ce-is-ready.png

> https://www.virustot...sis/1503606828/
SINV0709.vbs
15/57

SINV0711.docm - Current Virus total detections *. Payload Security**...

* https://www.virustot...sis/1503602547/
SINV0711.docm
9/59

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.169.35.187
185.179.190.31


help.ads .gov.ba: 80.65.162.70: https://www.virustot...70/information/
> https://www.virustot...48ebb/analysis/

hausverwaltungfrankfurt .de: 83.169.35.187: https://www.virustot...87/information/
> https://www.virustot...4699b/analysis/
___

Fake 'Voicemail' SPAM -  leads to Locky
- http://blog.dynamoo....ervice-new.html
25 Aug 2017 - "The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.
Subject: New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From:       "Voicemail Service" [vmservice@ victimdomain .tdl]
Date:       Fri, August 25, 2017 12:36 pm
Dear user:
just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance.  Thanks!
                                --Voicemail Service


Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too... The VBS script is similar to this* (variable names seem to change mostly) with a detection rate of about 15/59**. Hybrid Analysis*** shows it dropping a Locky executable with a 18/65[4] detection rate which phones home to 46.17.44.153 /imageload.cgi (Baxnet, Russia) which I recommend that you block."
* https://pastebin.com/UK2MYHct

** https://virustotal.c...70b55/analysis/
20170825_ID904754594.vbs

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts


4] https://www.virustot...5c251/analysis/
UYGgfhRDSaa
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 25 August 2017 - 09:18 AM.


#1982 AplusWebMaster
Posted 26 August 2017 - 05:16 AM

FYI...

Fake 'DHL' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
26 Aug 2017 - "... an email with the subject of 'DHL GLOBAL FREIGHT CONSIGNMENT FORM' coming from DHL GLOBAL WORLD WIDE AGENT <deddi@ karebet-group .com> with an .ace attachment delivers malware... returns are coming back from several antivirus companies describing this as .Win32.SpyEyes[1]...
1] https://www.microsof...an:Win32/Spyeye

Screenshot: https://myonlinesecu...GNMENT-FORM.png

DHL GLOBAL Consignment form……………………………..ace: Extracts to: Purchase order.exe
Current Virus total detections 17/65*. Payload Security**. This drops a modified version of itself as win32.exe (VirusTotal 17/64***) it also contacts
 http :// 98.142.221.58/~comsgautopart/.regedit/mail/home/gate.php ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503723385/
Purchase order.exe

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1503723627/
win32.exe

98.142.221.58: https://www.virustot...58/information/
___

Fake 'Purchase Contract' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
26 Aug 2017

Screenshot: https://myonlinesecu...f-PO30-PO31.png

Doc Purchase Contract of PO30PO31.jar (547kb) - Current Virus total detections *. Payload Security**...

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503773842/
Doc Purchase Contract of PO30PO31.jar

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.178.43.16
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 27 August 2017 - 06:56 AM.


#1983 AplusWebMaster
Posted 28 August 2017 - 01:01 PM

FYI...

Defray - New Ransomware targets Education and Healthcare
> https://www.helpnets...ware-delivered/
Aug 28, 2017

>> https://www.darkread.../d/d-id/1329725
8/25/2017

> https://www.proofpoi...hcare-verticals
Aug 24, 2017 - "... distribution of Defray has several notable characteristics:
    Defray is currently being spread via Microsoft Word document attachments in email
    The campaigns are as small as several messages each
    The lures are custom crafted to appeal to the intended set of potential victims
    The recipients are individuals or distribution lists, e.g., group@ and websupport@
    Geographic targeting is in the UK and US
    Vertical targeting varies by campaign and is narrow and selective

On August 22, Proofpoint researchers detected an email campaign targeted primarily at Healthcare and Education involving messages with a Microsoft Word document containing an embedded executable... Defray may cause other general havoc on the system by -disabling- startup recovery and -deleting- volume shadow copies. On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers. We have not observed the same behavior on Windows XP..."
Indicators of Compromise (IOCs) [ ... more listed at the proofpoint URL above. ]
C&C IP
145.14.145.115: https://www.virustot...15/information/
___

Potential Hurricane Harvey Phishing Scams
- https://www.us-cert....-Phishing-Scams
Aug 28, 2017 - "US-CERT warns users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters..."
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 28 August 2017 - 02:37 PM.


#1984 AplusWebMaster
Posted 29 August 2017 - 04:27 AM

FYI...

Fake 'BT bill' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
29 Aug 2017 - "... Locky downloader... email has the subject of 'Overdue BT bill' pretending to come from random names at your-own-email-address...

Screenshot: https://myonlinesecu...due-BT-bill.png

Scan_201708293861.zip: Extracts to: scan_201708292366.zip which eventually extracts to scan_201708292366.vbs - Current Virus total detections 11/59*. Payload Security**... first attachment I chose leads to a site giving a 404 so the results are very good. Another attachment gives better results
(VirusTotal 0/58***) where another researcher has filled in all the blanks in the comments[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1503998928/
scan_201708292366.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.2.195.144

*** https://www.virustot...sis/1503999225/

4] https://twitter.com/...465569965973504

> https://www.virustot...sis/1503999480/
9/65
___

Fake 'scan' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
29 Aug 2017 - "... Locky downloader... an email with the subject of 'You have received a scan from AT Management' pretending to come from Scan @ AT Management <scan_754@ atmanagement .co.uk> [random numbers after the scan_]. All these are being addressed to Accounts: <name@ victimdomain .tld>...

Screenshot: https://myonlinesecu...-Management.png

... same sites, file names and payload as today’s earlier ^malspam run^ delivering Locky ransomware:
> https://myonlinesecu...cky-ransomware/

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Amazon phish...
- https://myonlinesecu...ishing-attempt/
29 Aug 2017 - "We see a lot of Amazon phishing attempts. This one is quite different to the usual ones we see. Although there are a lot of Amazon sellers, the chances of a mass malspam like this one actually being received by a seller is quite small compared with the more usual 'payment review' or 'your account was signed into from an unknown computer' or similar scams.
'You sold an item' pretending to come from Amazon <selleramazon@ reply.amazon .com> is one of the latest phish attempts to steal your Amazon Account and your Bank details. This one only wants your Amazon log in details and bank details. Many of them are also designed to specifically steal your email and other log in details as well...

Screenshot: https://myonlinesecu...old_an_item.png

The link-in-the-email goes to:
 https ://www.google .co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0ahUKEwiO9aOs-vvVAhXBZFAKHY3XCYgQFghJMAc&url=http%3A%2F%2Fwww.almatulum.com%2Fcontact-2%2F&usg=AFQjCNFdrv7025EsAfzW8QKj40lSrovIbA
which redirects to:
https ://directele .net/user_guide/documentation/amazon.co.uk/Amazon-Sign-In.htm?adenlankenadransakbnizwetmilrtuniietnnudbenwdiaateaaleeaallilaadmusmdzmnlelubbaalamzsnaittsndakaweiuidaawnamdlerendeuedimnailtrdtaknzeaanmleni4493782410

If you follow the link you see a webpage looking like:
> https://myonlinesecu...rectele_net.png

When you fill in your user name and password you get a page looking like this, asking for your bank sort code and bank-account-number. I am not quite sure what they can do with this on its own without passwords or bank login details. However knowing that quite a high proportion of users do re-use login details and passwords on multiple sites, it is not beyond the realms of possibility that your Amazon account, email log in and bank log in all -share- a password:
> https://myonlinesecu...ctele_net_1.png

You then get -redirected- to the genuine Amazon suite for your country..."

directele .net: 166.62.73.164: https://www.virustot...64/information/
> https://www.virustot...b1909/analysis/
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 29 August 2017 - 10:13 AM.


#1985 AplusWebMaster
Posted 30 August 2017 - 04:49 AM

FYI...

Fake 'Emailing Payment' SPAM - delivers Locky
- https://myonlinesecu...201708-malspam/
30 Aug 2017 - "... Locky downloader... an email with the subject of 'Emailing: Payment_201708-838 [the “Emailing: Payment_201708-” stays consistent but the final 3 to 5 digits are random] pretending to come from random names at your-own-email-address or company-domain-addresses to another random name at your-own-domain...

Screenshot: https://myonlinesecu..._201708-838.png

Payment_201708-838.7z: Extracts to: Payment_201708-2866.jse - Current Virus total detections 14/59*.
Payload Security**. Locky payload: (VirusTotal 31/65***).
Another researcher has posted already about this one with several links to download sites and C2 IP numbers:
> https://hazmalware.w...cky-ransomware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1504067419/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...e7886/analysis/
CuuDxa1.exe

146.120.110.46: https://www.virustot...46/information/
> https://www.virustot...d3b58/analysis/

46.183.165.45: https://www.virustot...45/information/
> https://www.virustot...05f58/analysis/
___

Fake 'E-invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
30 Aug 2017 - "... Locky downloader... an email with the subject of 'E-invoice for your order #6377810026' [random numbers] pretending to come from do_not_reply@ random Apple email addresses.... the addresses I have seen include:
    do_not_reply@ eu.apple .com
    do_not_reply@ asia .apple.com
    do_not_reply@us .apple .com ...

Screenshot: https://myonlinesecu...-6377810026.png

9891613510.7z: Extracts to: 9891611187.vbs - Current Virus total detections 10/59*. Payload Security**.
Locky Binary (VirusTotal 17/65***). These droppers have gone back to the old way of downloading Locky from the remote server, by downloading an encrypted text file that needs to be decoded by the script... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1504086697/
9891611187.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
66.36.173.159
146.120.110.46


*** https://www.virustot...sis/1504087141/
hJBoTJ.exe
___

Fake 'Secure email message' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
30 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 501 and 599 - .ml domains are -free- domains administered by freenom .com... I am seeing domains ranging from servicemessage501 .ml to servicemessage599 .ml all being hosted on -different- IP numbers & ranges all appearing to be -compromised- ISP IP numbers from major ISPs in UK, Europe & USA...

Screenshot: https://myonlinesecu...emessage_ml.png

The word doc looks like:
> https://myonlinesecu...087_352_doc.png

natwest1753465723087_352.doc - Current Virus total detections 6/58*. Payload Security**.
This malware file downloads from
 http ://campuslinne .com/pages/kasaragarban.png which of course is -not- an image file but a renamed .exe file that gets renamed to Buqtjkk.exe (VirusTotal 12/64***). An alternative download location is
 http ://campusassas .com/fonction/kasaragarban.png
This email attachment contains a genuine word doc with a macro script that when run will infect you...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...18d51/analysis/
natwest1753465723087_352.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
193.227.248.241
158.69.26.138
178.156.202.206


*** https://www.virustot...102c5/analysis/
kasaragarban.png

campuslinne .com: 193.227.248.241: https://www.virustot...41/information/
> https://www.virustot...2740d/analysis/

campusassas .com: 193.227.248.241
> https://www.virustot...ee05c/analysis/
___

Fake 'BT OneBill' SPAM - leads to Dridex
- https://myonlinesecu...banking-trojan/
30 Aug 2017 - "An email with the subject of 'Your latest BT OneBill is available now' pretending to come from BT but actually coming from a different domain ebilling4business@ btdnet .com that can just about be mistaken for a genuine BT email address is today’s latest spoof of a well-known company, bank or public authority delivering Dridex banking Trojan... Today’s example of the spoofed domains are, as usual, registered via eranet .com as registrar. This was registered on 29 August 2017 by the criminals:
    btdnet .com hosted on 54.36.30.168 OVH
This particular email was sent from IP 54.36.30.230 but a quick look up of the domain details show that these criminals have also set a-whole-range of IP addresses to be able to send these emails and pass authentication checks:
...

Screenshot: https://myonlinesecu...ailable-now.png

The -link-in-the-email goes to a compromised or fraudulently set up SharePoint AKA onedrive for business address:
 https ://mccabelawyers-my.sharepoint .com/personal/g_macneill_swslawyers_com_au/_layouts/15/guestaccess.aspx?docid=0cc833a8ff3b4411a986bfb04282f2ffb&authkey=AVpD74OXseK7zr4gaxr_UBE
which downloads the zip file containing the .js file that eventually delivers Dridex.

BT OneBill.zip extracts to: BT OneBill.js - Current Virus total detections 7/58*. Payload Security**.
This downloads Dridex banking Trojan but I am unable to determine the actual download site
(VirusTotal 17/64[3])... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504105031/
BT_OneBill.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...e587c/analysis/
SdVoAfj.exe
___

Fake 'Sage' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
30 Aug 2017 - "An email with the subject of 'Your Sage subscription invoice is Due' pretending to come from Sage but actually coming from a look-a-like domain SAGE UK <message@ sagemailsupport14 .top> with a malicious word doc attachment is another one of today’s spoofs of a well-known company, bank or public authority... I am being told it is a smokeloader[1] which downloads a variety of -other- malware...
1] https://twitter.com/...979668239761408
... Today’s example of the spoofed domains are:
    sagemailsupport14 .top hosted on 82.202.233.14 AS49505 OOO Network of data-centers Selectel
I have discovered a-whole-range of -fake- sagemailsupport## .top domains on this network. So far I can find sagemailsupport10 .top -to- sagemailsupport110-.top hosted on the corresponding IP address -range- between 82.202.233.10 and 82.202.233.110 all having an rdns set properly and pass email authentication...
[ 82.202.233.* ]

Screenshot: https://myonlinesecu...oice-is-Due.png

INV0293083017.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
 http ://5.149.252.152 /r37.exe (VirusTotal 16/64[3]) (Payload Security[4]). An alternative download location is
 http ://200.7.98.51 /r37.exe
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...3083017_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1504103297/
INV0293083017.doc

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1504116823/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
2.20.202.119
217.23.8.41


5.149.252.152: https://www.virustot...52/information/
> https://www.virustot...ff56e/analysis/

200.7.98.51: https://www.virustot...51/information/
> https://www.virustot...12409/analysis/
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 30 August 2017 - 02:42 PM.

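A defender-side check built from the sender-domain and sending-IP patterns quoted in this post and the earlier bank spoofs (servicemessage### .ml, sagemailsupport## .top on 82.202.233.10-110, btdnet .com sending from 54.36.30.0/24, and the brand+suffix domains such as barclays-mail .co.uk and bofa-msg .com). This is an added example, not code from the forum or from myonlinesecurity; the log-line format and the sample lines are constructed.

```python
"""Flag look-alike bank/vendor sender domains and suspect sending IPs in mail logs."""
import ipaddress
import re

# Numbered look-alike domains with the numeric ranges the reports quote:
# servicemessage1-599 .ml (NatWest/Trickbot) and sagemailsupport10-110 .top (Sage).
NUMBERED_LOOKALIKES = [
    (re.compile(r"^servicemessage(\d{1,3})\.ml$"), 1, 599, "NatWest look-alike (Trickbot)"),
    (re.compile(r"^sagemailsupport(\d{1,3})\.top$"), 10, 110, "Sage look-alike (smokeloader)"),
]

# Brand tokens seen in brand+suffix domains (barclaysmail.co.uk, bofa-msg.com,
# lloydsbankmsg.com, santanderdoc.co.uk). A genuine domain has nothing after the
# token, so "barclays.co.uk" is not flagged while "barclays-mail.co.uk" is.
BRAND_TOKENS = ("barclays", "lloydsbank", "santander", "bofa")

# Sending infrastructure quoted in the reports: 54.36.30.0/24 (btdnet .com, OVH)
# and the 82.202.233.10-110 range behind sagemailsupport## .top.
SUSPECT_NETWORKS = [ipaddress.ip_network("54.36.30.0/24")]
SUSPECT_RANGES = [(ipaddress.ip_address("82.202.233.10"),
                   ipaddress.ip_address("82.202.233.110"))]

# Hypothetical log format (not any real MTA's): envelope sender + connecting IP.
LOG_RE = re.compile(r"from=<[^@>]+@([^>]+)>\s+ip=\[([0-9.]+)\]")


def registrable_label(domain):
    """Label left of the public suffix; .co.uk/.org.uk/.ac.uk treated like .com."""
    parts = domain.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "uk" and parts[-2] in ("co", "org", "ac"):
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_findings(domain):
    """Reasons a sender domain looks like one of the reported spoofs."""
    domain = domain.lower()
    findings = []
    for pattern, low, high, reason in NUMBERED_LOOKALIKES:
        m = pattern.match(domain)
        if m and low <= int(m.group(1)) <= high:
            findings.append(reason)
    label = registrable_label(domain)
    for token in BRAND_TOKENS:
        # brand token followed by extra characters: barclays-mail, bofamsg, ...
        if label.startswith(token) and len(label) > len(token):
            findings.append(f"brand-prefixed look-alike of {token}")
    return findings


def ip_findings(ip_text):
    """Reasons a connecting IP matches the reported sending infrastructure."""
    ip = ipaddress.ip_address(ip_text)
    findings = []
    for net in SUSPECT_NETWORKS:
        if ip in net:
            findings.append(f"sender IP in reported network {net}")
    for low, high in SUSPECT_RANGES:
        if low <= ip <= high:
            findings.append(f"sender IP in reported range {low}-{high}")
    return findings


def scan_log(lines):
    """Return (domain, ip, findings) for each parseable line with at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skipped, never counted as a hit
        domain, ip_text = m.groups()
        findings = domain_findings(domain) + ip_findings(ip_text)
        if findings:
            hits.append((domain, ip_text, findings))
    return hits


# Constructed sample lines (documentation addresses for the benign ones, not captured traffic).
SAMPLE_LOG = [
    "2017-08-30T08:12:01 from=<noreply@servicemessage537.ml> ip=[203.0.113.45]",
    "2017-08-30T08:13:40 from=<message@sagemailsupport42.top> ip=[82.202.233.42]",
    "2017-08-30T08:15:02 from=<ebilling4business@btdnet.com> ip=[54.36.30.230]",
    "2017-08-30T08:16:55 from=<message@barclays-mail.co.uk> ip=[85.93.88.35]",
    "2017-08-30T08:17:10 from=<alerts@example.com> ip=[198.51.100.7]",
    "2017-08-30T08:18:33 from=<noreply@servicemessage700.ml> ip=[198.51.100.8]",
    "2017-08-30T08:19:00 malformed line without a sender",
]

if __name__ == "__main__":
    for domain, ip, findings in scan_log(SAMPLE_LOG):
        print(f"{domain:28} {ip:16} {'; '.join(findings)}")
```

The .ml domains were reported on many different compromised ISP addresses, so the domain pattern must carry that detection on its own; the IP checks only add confidence for the two ranges the reports name.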

#1986 AplusWebMaster
Posted 31 August 2017 - 09:11 AM

FYI...

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecu...-bank-messages/
31 Aug 2017 - "... imitating NatWest Bank and using the same look-a-like domain as yesterday’s version[1]... using a slightly different email message. They have even re-used the same domains to deliver the actual payload, but with different file names.
[1] https://myonlinesecu...banking-trojan/
An email with the subject of 'Customer message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 1 and 599...

Screenshot: https://myonlinesecu...mer-message.png

natwest112543798124_21454.doc - Current Virus total detections 5/58*. Payload Security**.
This malware file downloads from
 http ://campuslinne .com/maquette2/nataresonodor.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ubqwyc.exe (VirusTotal 15/65***). An alternative download location is
 http ://campusassas .com/imagesv1/nataresonodor.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks identical to yesterday’s but with a different document name:
> https://myonlinesecu...087_352_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1504181231/
natwest112543798124_21454.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...b6ddd/analysis/
Ubqwyc.exe

campuslinne .com: 193.227.248.241: https://www.virustot...41/information/
> https://www.virustot...7bf64/analysis/

campusassas .com: 193.227.248.241
> https://www.virustot...0dd87/analysis/
___

Fake 'Important Documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
31 Aug 2017 - "An email with the subject of 'Important – New Account Documents' pretending to come from Santander Bank but actually coming from a look-a-like domain Santander <account.documents@ santanderdoc .co.uk> or Santander <account.documents@ santandersec .co.uk> with a malicious word doc attachment is another spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...t-Documents.png

Account_Documents_31082017.doc - Current Virus total detections 10/58*. Payload Security**.
This malware file downloads from
 http ://evaluator-expert .ro/sergio.png which of course is -not- an image file but a renamed .exe file that gets renamed to bicprcv.exe (VirusTotal 17/64***).
An alternative download location is
 http ://www.events4u .cz/sergio.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...1082017_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...3a505/analysis/
Account_Documents_31082017.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...65987/analysis/
bicprcv.exe

evaluator-expert .ro: 93.114.64.118: https://www.virustot...18/information/
> https://www.virustot...099bb/analysis/

events4u .cz: 93.185.102.11: https://www.virustot...11/information/
> https://www.virustot...6d3f8/analysis/


Edited by AplusWebMaster, 31 August 2017 - 02:59 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1987 AplusWebMaster

Posted 01 September 2017 - 04:54 AM

FYI...

Fake 'Dropbox' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
31 Aug 2017 10:03 pm - "We are seeing a run of a very different Locky delivery email tonight. This only seems to work properly in Google Chrome, Firefox gives a simple download file box and Internet Explorer gives error messages on clicking the “click here” link. This means that Internet Explorer users will be safe from this attack, but Google Chrome and Firefox users could be infected if they aren’t careful. The email pretends to be from -Dropbox- asking you to 'verify your email address to continue' the sign up...

Screenshot: https://myonlinesecu...ail-address.png

Win.JSFontlib09.js - Current Virus total detections 22/58*. Payload Security** |
Locky Binary (VirusTotal 17/65***)
There appear to be -hundreds- of different links-in-these-emails that go to -compromised- sites pretending to be Dropbox. They all however have the -same- few links to actually download the .js malware file...
The link in this particular example went to
 http ://jakuboweb .com/dropbox.html but each email I received (so far 300+) has a multitude of different links.
Following the link in the email leads to a page looking like this, which is -different- in each commonly used browser. Let's start with Internet Explorer which gives an error on pressing “click here”:
> https://myonlinesecu..._dropbox_IE.png
... Firefox which gives a file download prompt:
> https://myonlinesecu..._dropbox_FF.png
... Google Chrome which displays the lure... telling you that The “HoeflerText” font was not found. The web page you are trying to load is displayed incorrectly, as it uses the “HoeflerText” font. To fix the error and display the next, you have to update the “Chrome Font Pack”:
> https://myonlinesecu...pbox_chrome.png
The link from chrome went to
 http ://gclubrace .info/json.php whereas the links from the other 2 versions went to
 http ://dippydado .net/json.php all of which downloaded the -same- Win.JSFontlib09.js ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...c4a37/analysis/
Win.JSFontlib09.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://www.virustot...sis/1504207421/
pGDIWEKDHD2.exe

jakuboweb .com: 149.7.99.14: https://www.virustot...14/information/
> https://www.virustot...ebb0a/analysis/

gclubrace .info: Could not find an IP address for this domain name...

dippydado .net: Could not find an IP address for this domain name...
___

RIG exploit kit > 'Princess' ransomware
- https://blog.malware...ess-ransomware/
Aug 31, 2017 - "We have identified a new drive-by-download campaign that distributes the Princess-ransomware (AKA PrincessLocker), leveraging -compromised-websites-and the RIG-exploit-kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads... We are not so accustomed to witnessing compromised websites pushing exploit kits... some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from -legitimate- publishers and -malvertising- ... we observed an -iframe-injection- which redirected from the -hacked- site to a temporary gate...
Indicators of compromise:
RIG EK gate: 185.198.164.152
RIG EK IP address: 188.225.84.28 ..."
(More detail at the malwarebytes URL above.)


Edited by AplusWebMaster, 01 September 2017 - 09:57 AM.


#1988 AplusWebMaster

Posted 04 September 2017 - 07:04 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
4 Sep 2017 - "... Locky downloader... an email with the subject of 'Invoice INV-000379' from Property Lagoon Limited for Gleneagles Equestrian Centre (random numbers) pretending to come from a random name that matches the name in the email body but appearing to come from messaging-service@ post.xero .com...

Screenshot: https://myonlinesecu...rian-Centre.png

Invoice INV-000379.7z: Extracts to: INV-000626.vbs - Current Virus total detections 13/59*. Payload Security**
Locky download (VirusTotal ***). These all have a 7z attachment and a link-in-email-body to download the zip. The invoice amounts are random as well.... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504521374/
INV-000626.vbs

** https://www.hybrid-a...vironmentId=100
DNS Requests
clubdeautores .es: 91.121.165.214

*** https://www.virustot...sis/1504516547/
BSmIimqLX.exe
___

Fake 'Invoice' SPAM - delivers Globeimposter ransomware
- https://myonlinesecu...ter-ransomware/
4 Sep 2017 - "... an email with the subject of '45653946 – True Telecom Invoice for August 2017' (random numbers) pretending to come from billing@ true-telecom .com. This is coming via the Necurs botnet but instead of delivering Locky today, this 2nd malspam run is delivering Globeimposter ransomware... In the same way as today’s earlier malspam run that delivered Locky ransomware[1], these have a-link-in-the-body to download the zip and a zip (7z) attachment as well...
1] https://myonlinesecu...cky-ransomware/

Screenshot: https://myonlinesecu...August-2017.png

2017-08-45653946-Bill.7z: 2017-08-41840179-Bill.vbs - Current Virus total detections 8/57*. Payload Security**
Another version (VirusTotal 10/58***) | (Payload Security[4]) | downloaded & xor’d binary - VirusTotal 18/64[5] | Payload Security[6]...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504533698/
2017-08-41840179-Bill.vbs

** https://www.hybrid-a...vironmentId=100
DNS Requests
world-tour2000 .com: 103.53.172.3
naturofind .org: 85.192.177.103
www.world-tour2000 .com: 103.53.172.3
proyectogambia .com: 87.106.65.247

*** https://www.virustot...64b3b/analysis/
2017-08-92918095-Bill.vbs

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
49.50.240.107

5] https://www.virustot...56f47/analysis/
zojzoefi.exe

6] https://www.hybrid-a...vironmentId=100
___

Fake 'Incoming Docs' SPAM - delivers Trickbot
- https://myonlinesecu...ivers-trickbot/
4 Sep 2017 - "An email with the subject of 'Important: Incoming BACs Documents' pretending to come from NatWest Bank but actually coming from a look-a-like domain Natwest <message@ natwestbacs .co.uk> or Natwest <message@ natwestbacs .com> with a password protected malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...fed-NatWest.png

SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** | JoeSandBox***
This malware file downloads from
 http ://6-express .ch/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to execute.exe (VirusTotal [4]). An alternative download location is
 http ://checkpointsystems .de/ser.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...t_bacs_docs.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1493724795/
SecureMessage.doc

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://jbxcloud.joe...s/355644/1/html

4] https://www.virustot...sis/1504524050/
ser.png

6-express .ch: 77.236.96.52: https://www.virustot...52/information/
> https://www.virustot...5429f/analysis/

checkpointsystems .de: 87.106.183.214: https://www.virustot...14/information/
___

Locky ransomware campaign
- https://www.helpnets...rns-new-tricks/
Sep 1, 2017 - "... the newest variant adds the .lukitus extension to the encrypted files:
> https://www.helpnets...ky-appriver.jpg
... AppRiver researchers explained*. The malware arrives in inboxes attached to emails with vague subject lines like “please print”, “documents”, “scans”, “images”, and so on. And, unfortunately for those who get infected, there are no publicly shared methods to reverse this Locky strain. The crooks behind this malware campaign are asking 0.5 Bitcoin to deliver the decryption key..."

* https://blog.apprive...tacks-increase/
Aug 30, 2017 - "... In the past 24 hours we have seen over 23-million-messages sent in this attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017... a massive malicious email campaign began attempting to reach their inboxes. A large spike in malware traffic began this morning just after 7 am CST... The emails utilized one of the following subject lines:
    please print
    documents
    photo
    images
    scans
    pictures

Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file..."
> https://blog.apprive...eat-ransomware/


Edited by AplusWebMaster, 04 September 2017 - 09:41 AM.


#1989 AplusWebMaster

Posted 05 September 2017 - 05:27 AM

FYI...

Fake 'Scanning' SPAM - delivers Locky
- https://myonlinesecu...redgroup-co-uk/
5 Sep 2017 - "... Locky downloader... an email with the subject of 'Scanning' pretending to come from random names @ tayloredgroup .co.uk... These have a -link-in-the-body- of the email to download the malware as well as an email attachment. The link does -NOT- go to Dropbox but another compromised website, however the link is not correctly formed in this example so won’t open and gives a warning in Outlook:
 http ://dna-sequencing .org/MSG000-00090.7z

Screenshot: https://myonlinesecu...lored_group.png

SCNMSG00002704.7z: Extracts to: Invoice INV-000518.vbs - Current Virus total detections 13/59*.
Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504602932/

** https://www.hybrid-a...vironmentId=100
DNS Requests
pamplonarecados .com: 5.2.88.79: https://www.virustot...79/information/

dna-sequencing .org: 66.36.160.119: https://www.virustot...19/information/
> https://www.virustot...e53fd/analysis/
MSG000-00090.7z

tayloredgroup .co.uk: 85.233.160.151: https://www.virustot...51/information/
> https://www.virustot...a074b/analysis/
__

> http://blog.dynamoo....ding-to-be.html
5 Sep 2017 - "This -spam- email pretends to be from tayloredgroup .co.uk but it is just a simple -forgery-
leading to Locky ransomware. There is -both- a malicious attachment and -link- in the body text. The name of the sender varies.
    Subject:       Scanning
    From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
    Date:       Thu, May 18, 2017 8:26 pm
    https ://dropbox .com/file/9A30AA
    Jeanette Randels DipFA
    Taylored Group
    26 City Business Centre
    Hyde Street
    Winchester
    SO23 7TA
    Members of the CAERUS Capital Group
    www .tayloredgroup .co.uk
    Office Number: 01962 826870
    Mobile: 07915 612277
    email: Jeanette.Randels@ tayloredgroup .co.uk
    Taylored Financial Planning is a trading style of Jonathan & Carole
    Taylor who are an appointed representative of Caerus Financial Limited...


Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.
Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6] shows -Locky-  ransomware attempting to phone home to the following locations:
91.234.35.170 /imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75 /imageload.cgi (McHost.ru / VDSINA, Russia)
McHost is such a well-known purveyor of toxic-crap* that I recommend you block -all- of their ranges (plus I guess the related VDSINA ones), or even block-the-entire Webzilla AS35415**. You can find a list of the network ranges here**. thehost .ua also has a lot of crap*** and I would lean towards blocking-whole-network-ranges****.
Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24
"
1] https://www.virustot...sis/1504604787/
Invoice INV-000614.vbs

2] https://www.virustot...sis/1504604894/
MSG000-00090.vbs

3] https://malwr.com/an...zQxMDg3ZDY1OWU/
Hosts
193.227.248.241

4] https://malwr.com/an...mVmNWZkZmQyZjI/
Hosts
109.234.35.75
91.234.35.170


5] https://www.hybrid-a...vironmentId=100
DNS Requests
193.227.248.241

6] https://www.hybrid-a...vironmentId=100
DNS Requests
5.2.88.79

* http://blog.dynamoo....search?q=mchost

** https://bgp.he.net/AS35415#_prefixes

*** http://blog.dynamoo....?q=Valeriyovuch

**** https://bgp.he.net/AS56485#_prefixes
___

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
5 Sep 2017 - "... an email with the subject of 'OnePosting Invoice Ready to View' pretending to come from SPECTUR LIMITED <members@ onenewpost .com>. This eventually delivers Dridex banking Trojan... set up by criminals to spread malware and imitate oneposting .com. onenewpost .com was registered on 4th September 2017 by a Chinese entity and is currently hosted on OVH...

Screenshot: https://myonlinesecu...ady-to-View.png

The -link-in-the-body- of the email goes to a -compromised- or fraudulently set up OneDrive for business /SharePoint site...
 https ://royalpay-my.sharepoint .com/personal/jamie_costello_royalpay_com_au/_layouts/15/guestaccess.aspx?docid=0b0e5809caadd404ab8e21e3a7322f232&authkey=AfQzKtINqI58J1P-xlw10eg  
which downloads a zip containing a .js file...
N2398210.zip: Extracts to: IN2398210.js - Current Virus total detections 6/58*. Payload Security**
 downloaded Dridex (VirusTotal 32/64***) (I can’t easily determine the actual download location of the Dridex payload. It does come from -another- compromised or fraudulent SharePoint site)... it appears that onenewpost .com is a domain set up by criminals to spread malware... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it...
* https://www.virustot...sis/1504580504/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...e98c3/analysis/
MTXCLU.DLL

onenewpost .com: 188.165.209.31: https://www.virustot...31/information/

royalpay-my.sharepoint .com: 13.107.6.151: https://www.virustot...51/information/


Edited by AplusWebMaster, 05 September 2017 - 01:33 PM.

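An added example (not code from the forum post or from Dynamoo's blog) that applies the recommended minimum blocklist quoted above (91.234.35.0/24 and 109.234.35.0/24) and the Locky phone-home pattern it describes (requests for /imageload.cgi) to constructed proxy-log lines; the log format and the internal client addresses are assumptions.

```python
"""
Added example (not code from the forum post or from Dynamoo's blog): checks
constructed proxy-log lines against the recommended minimum blocklist and the
Locky /imageload.cgi phone-home pattern from the analysis quoted in the post.
The log format and the client addresses are assumed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges taken from the "Recommended minimum blocklist" in the post.
BLOCKLIST = [
    ipaddress.ip_network("91.234.35.0/24"),
    ipaddress.ip_network("109.234.35.0/24"),
]

# URI path the analysis reports Locky using to phone home.
PHONE_HOME_PATH = "/imageload.cgi"

# Constructed sample proxy log: "<epoch> <client> <dest-ip> <method> <url>".
# Lines 1, 3 and 4 are built to trip the checks; the others are ordinary
# traffic (or junk) and must not be flagged.
SAMPLE_LOG = """\
1504604787 10.0.0.15 91.234.35.170 POST http://91.234.35.170/imageload.cgi
1504604790 10.0.0.15 216.58.209.228 GET http://www.google.com/
1504604801 10.0.0.22 109.234.35.75 POST http://109.234.35.75/imageload.cgi
1504604805 10.0.0.22 109.234.35.200 GET http://109.234.35.200/index.html
1504604810 10.0.0.31 13.107.6.151 GET https://example-my.sharepoint.com/personal/x/
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def in_blocklist(ip_str):
    """True if ip_str parses as an address inside one of the blocklisted ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKLIST)


def is_phone_home(url):
    """True if the request path is the Locky check-in URI named in the report."""
    return urlsplit(url).path == PHONE_HOME_PATH


def classify(line):
    """Return a dict describing why a line is suspicious, or None if the line
    is clean or does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if is_phone_home(m["url"]):
        reasons.append("locky-phone-home")
    if in_blocklist(m["dst"]):
        reasons.append("blocklisted-range")
    if not reasons:
        return None
    return {"ts": int(m["ts"]), "client": m["client"], "dst": m["dst"], "reasons": reasons}


def scan(log_text):
    """Run classify() over every line and return the flagged entries in order."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]


def infected_clients(log_text):
    """Sorted internal hosts that made a phone-home request: the machines to
    isolate first, since the check-in means the payload already ran."""
    return sorted({h["client"] for h in scan(log_text) if "locky-phone-home" in h["reasons"]})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("isolate first:", infected_clients(SAMPLE_LOG))
```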

#1990 AplusWebMaster

Posted 06 September 2017 - 07:19 AM

FYI...

Fake 'eBay invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
6 Sep 2017 - "... Locky downloader... an email with the subject of 'Your invoice for eBay purchases (83998749832384616#)' [random numbers] pretending to come from eBay <ebay@ ebay .us>. We are also seeing these pretending to come from all the other main English speaking eBay domains:
    ebay@ ebay .com.au
    ebay@ ebay .co.uk
    ebay@ ebay .com ...

Screenshot: https://myonlinesecu...49832384616.png

eBay_Invoice_3476.js - Current Virus total detections 7/59*. Payload Security** | Downloads:
  http ://homecarpetshopping .com/bxxomjv.exe (VirusTotal 13/61***)... The link-in-the-email body goes to one of numerous compromised sites. In this case it went to
  http ://littleulearning .com/invoive.html
where it downloads an eBay_Invoice_####.js file from
 http ://letoftheckhosa .info/invoicing.php  
All of the compromised sites in these emails will download or try to download from this address. That creates a randomly numbered eBay_Invoice_.js file. The first 5 or 6 attempts gave me a 0 byte empty file until a working one was delivered... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504698237/
eBay_Invoice_3476.js

** https://www.hybrid-a...vironmentId=100
DNS Requests


*** https://www.virustot...sis/1504698766/
bxxomjv[1].exe

homecarpetshopping .com: 208.79.200.218: https://www.virustot...18/information/
> https://www.virustot...cfb8b/analysis/

littleulearning .com: 66.36.166.87: https://www.virustot...87/information/
> https://www.virustot...5ad0d/analysis/

letoftheckhosa .info: 47.88.55.29: https://www.virustot...29/information/
> https://www.virustot...f742b/analysis/
___

Fake 'Virgin Media bill' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
6 Sep 2017 - "... an email with the subject of 'Your Virgin Media bill is ready' pretending to come from Virgin Media <webteam@ virginmediaconnections .com> which delivers Dridex banking trojan...

Screenshot: https://myonlinesecu...-media-Bill.png

Virgin Media bill.zip: Extracts to: Virgin Media bill.js - Current Virus total detections 2/59*
Payload Security** | Dridex Payload VirusTotal 14/65*** | Payload Security[4] ... the criminals sending these have registered a look-a-like domain virginmediaconnections .com on 5th September 2017 using eranet .com as registrar and hosted on OVH 176.31.244.44. They are sending these emails from a whole-range-of-IP-addresses that pass email authentication for the -fake- domain virginmediaconnections .com...
The link-in-the-email goes to a compromised or fraudulently set up OneDrive for business/ SharePoint site where a zip file containing a .js file is downloaded. That eventually contacts http ://cabinetcharpentier .fr/css/style.png (which is -not- a png but a renamed .exe file) to download the Dridex banking Trojan...
 https ://kobaltsystemsptyltd-my.sharepoint .com/personal/karen_kobaltsystems_com_au/_layouts/15/guestaccess.aspx?docid=1a0c9ac9effc046b6840207579a616453&authkey=AVRvpElPwHq48OG2zdkLMk8 ...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504695675/
Virgin Media bill.js

** https://www.hybrid-a...vironmentId=100
DNS Requests
91.216.107.90

*** https://www.virustot...sis/1504696253/
FFCa9j9ru.exe

4] https://www.hybrid-a...vironmentId=100

176.31.244.44: https://www.virustot...44/information/

cabinetcharpentier .fr: 91.216.107.90: https://www.virustot...90/information/
> https://www.virustot...6d071/analysis/

kobaltsystemsptyltd-my.sharepoint .com: 13.107.6.151: https://www.virustot...51/information/


Edited by AplusWebMaster, 06 September 2017 - 08:07 AM.


#1991 AplusWebMaster

Posted 07 September 2017 - 06:52 AM

FYI...

Fake 'FreeFax' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
7 Sep 2017 - "... Locky downloader... an email with the subject of 'FreeFax From:1707075536' (random numbers) pretending to come from fax@ freefaxtoemail .net...

Screenshot: https://myonlinesecu...-1707075536.png

Fax_Message_7932180645.js - Current Virus total detections 12/59*. Payload Security** downloads from
  http ://universodeljuguete .com/eusukll.exe (VirusTotal 15/65[3]) (Payload Security[4])...
This current series of downloaders have links-in-the-body of the email to numerous different -compromised-  websites. This particular one went to
 http ://coopstella .net/fax.html where there is an -iframe- that downloads the js file from
 http ://leypart .su/fax.php where a randomly numbered Fax_Message_####.js file is created and downloaded...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1504782496/
Fax_Message_7932180645.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...sis/1504784148/
eusukll.exe

4] https://www.hybrid-a...vironmentId=100

universodeljuguete .com: 94.127.190.141: https://www.virustot...41/information/

coopstella .net: 185.58.7.72: https://www.virustot...72/information/

leypart .su:  > https://check-host.n...host=leypart.su- ??


Edited by AplusWebMaster, 07 September 2017 - 03:07 PM.


#1992 AplusWebMaster

Posted 12 September 2017 - 08:11 AM

FYI...

Fake 'Amazon' SPAM - delivers Trickbot
- https://myonlinesecu...eliver-malware/
12 Sep 2017 - "... coming from the Necurs botnet is an email with the subject of 'Your Amazon.co.uk order 172-3041149-3373628 has been dispatched' (random numbers) pretending to come from Amazon .co.uk <auto-shipping@ amazon .co.uk>...
UPDATE: found download site and it is Trickbot again...

Screenshot: https://myonlinesecu...tched-email.png

The fake Amazon website looks like this. The Sign In button does go to a genuine Amazon .co.uk sign in page:
> https://myonlinesecu...oader-_site.png
Update: ... 'found a download location
 http ://storiteller .com/3f3geuf.exe (VirusTotal 11/59*) (Payload Security**)... 'not certain if actually running the .js file will deliver the payload or whether the malware devs have messed up.
Further update: I am also being told about some versions downloading Locky via
 http ://ruisi .fr/ddokslf.exe (VirusTotal 10/65[3]) (Payload Security[4])... 'really difficult to work out the  payloads, when the .js files are created on the fly... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1505211474/
ORDER-467-3587106-1645978.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.80.201.25
47.88.55.29


3] https://www.virustot...sis/1505213071/
3f3geuf.exe

4] https://www.hybrid-a...vironmentId=100

storiteller .com: 82.80.201.25: https://www.virustot...25/information/
> https://www.virustot...3c80a/analysis/

ruisi .fr: 195.154.227.5: https://www.virustot....5/information/
> https://www.virustot...e26e9/analysis/



#1993 AplusWebMaster

Posted 14 September 2017 - 05:47 AM

FYI...

Fake 'Invoice' SPAM - Necurs botnet delivers malware
- https://myonlinesecu...eliver-malware/
14 Sep 2017 - "... sent from the Necurs botnet is a typical generic spam email with the subject of 'Copy of Invoice 487391' (random numbers) pretending to come from Customer Service <service@ randomdomain .tld>. There is -no- attachment with these today, just a link-in-the-email body to a variety of -compromised- sites. The link will always go to <site name>/invoice .html which uses an -iframe- to download a random numbered invoice.js from
 http ://wittinhohemmo .net/invoice.php (this site has been used in this malware campaign for at least 1 week now). The js file is different to the ones we have been seeing so far this week, they are much smaller (about 5kb) and using trivially obfuscated reverse strings to “hide” the download sites...

Screenshot: https://myonlinesecu...oice-487391.png

Sites I found are:
 http ://multila .com/HJGFjhece3.exe
 http ://vereouvir .pt/HJGFjhece3.exe
They use email addresses and subjects that will entice a user to read the email and follow the link.
Invoice-671398.js - Current Virus total detections 9/58*. Payload Security**
 HJGFjhece3.exe (VirusTotal 10/63[3]) (Payload Security[4]). I cannot work out if this is Trickbot or Locky today so far. The behaviour so far seen doesn’t exactly match either malware. It might be damaged or not working properly or some sort of anti-sandbox /VM protection to it. My gut feeling is -Trickbot- based on similar behaviour over the last few days when run in a sandbox or VM... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1505376478/
Invoice-290134.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
203.74.203.14
47.89.254.1
80.172.241.21


3] https://www.virustot...sis/1505377027/
2193.exe

4] https://www.hybrid-a...vironmentId=100

wittinhohemmo .net: 47.89.254.1: https://www.virustot...10/information/
> https://www.virustot...4a393/analysis/

multila .com: 203.74.203.14: https://www.virustot...14/information/
> https://www.virustot...9fdbf/analysis/

vereouvir .pt: 80.172.241.21: https://www.virustot...21/information/
> https://www.virustot...285de/analysis/
___

FTC probes Equifax hack...
- https://www.reuters....n-idUSKCN1BP1VX
Sep 14, 2017 - "The U.S. Federal Trade Commission said on Thursday it was investigating Equifax Inc’s (EFX.N) massive data breach, a rare public confirmation... Confirming what many cyber security experts expected, Equifax said late on Wednesday that hackers used a flaw in its open-source Struts software, distributed by the nonprofit Apache Software Foundation, to break into its systems. A patch for the vulnerability was issued in March, two -months- before Equifax said hackers began siphoning data..."
> https://www.reuters..../overview/EFX.N

- https://www.reuters....k-idUSKCN1BP0CB
Sep 14, 2017 - "Credit reporting company Equifax Inc blamed a web server vulnerability in its open-source software, called 'Apache Struts'*, for the recent data breach that compromised personal details of as many as 143 million U.S. consumers. The massive data breach had exposed valuable information to hackers between mid-May and July... Cyber security experts said it was among the largest hacks ever recorded and was particularly troubling due to the richness of the information exposed - names, birthdays, addresses and Social Security and driver’s license numbers. Equifax said it is determining with the assistance of an independent cybersecurity firm what exact information was compromised during the data breach..."
* https://cwiki.apache...splay/WW/S2-045
Mar 19, 2017
> https://cwiki.apache...splay/WW/S2-046
Mar 20, 2017

> https://cwiki.apache...urity Bulletins

> https://nvd.nist.gov...l/CVE-2017-5638
CVSS v3 Base Score: 10.0 Critical ...
Last Modified: 03/10/2017

> http://blog.talosint...-exploited.html
Mar 8, 2017
___

Phishing Scams Related to Equifax Data Breach
- https://www.us-cert....fax-Data-Breach
Sep 14, 2017 | Last revised: Sep 18, 2017


Edited by AplusWebMaster, 20 September 2017 - 05:47 PM.


#1994 AplusWebMaster

Posted 18 September 2017 - 06:16 AM

FYI...

CCleaner 5.33 compromised...
- https://www.helpnets...oored-ccleaner/
Sep 18, 2017 - "... Piriform – the company that develops CCleaner and which has been recently acquired by AV maker Avast – has confirmed* that the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud were affected..."
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
* https://www.piriform...t-windows-users
Sep 18, 2017 -  "We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had-been-compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download**. We apologize and are taking extra measures to ensure this does not happen again..."
** https://www.piriform...wnload/standard

- http://blog.talosint...es-malware.html
Sep 18, 2017 -  "... Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode-on-top of the installation of CCleaner... Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities..."
Indicators of Compromise (IOCs):
... IP Addresses
216[.]126[.]225[.]148 "
 

216.126.225.148: https://www.virustot...5d3a8/analysis/

___

Fake 'Revised invoice' SPAM - delivers malware
- https://myonlinesecu...-r24-extension/
18 Sep 2017 - "... an email with the subject of 'Re: Revised invoice' pretending to come from Sales <Sales@ machinery .com>... it comes with an .r24 extension which is completely unknown to Windows. Examining the file in a hex editor shows it has a PK header which means it is a compressed (zip) file. Simply renaming the extension to .zip will allow the contents to be extracted and examined...

Screenshot: https://myonlinesecu...sed-invoice.png

New Invoice.r24 (VirusTotal 9/62*): Extracts to: New Invoice.com - Current Virus total detections 15/65**
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1505723811/
New Invoice.r24

** https://www.virustot...sis/1505723863/
New Invoice.com

*** https://www.hybrid-a...vironmentId=100
___

Fake 'Status of invoice' SPAM - leads to Locky
- http://blog.dynamoo....ce-with-7z.html
18 Sep 2017 - "This spam leads to Locky ransomware:
    Subject:       Status of invoice
    From:       "Rosella Setter" ordering@ [redacted]
    Date:       Mon, September 18, 2017 9:30 am
    Hello,
    Could you please let me know the status of the attached invoice? I
    appreciate your help!
    Best regards,
    Rosella Setter
    Tel: 206-575-8068 x 100
    Fax: 206-575-8094
    *NEW*   Ordering@[redacted].com
    * Kindly note we will be closed Monday in observance of Labor Day *


The name of the sender varies. Attached is a .7z archive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename... Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:
yildizmakina74 .com/87thiuh3gfDGS?
miliaraic .ru/p66/87thiuh3gfDGS?
lanzensberger .de/87thiuh3gfDGS?
web-ch-team .ch/87thiuh3gfDGS?
abelfaria .pt/87thiuh3gfDGS?
An executable is dropped with a detection rate of 19/64[5] which Hybrid Analysis[6] shows is phoning home to:
91.191.184.158 /imageload.cgi (Monte Telecom, Estonia)
195.123.218.226 /imageload.cgi (Layer 6, Bulgaria)
.7z files are popular with the bad guys pushing -Locky- at the moment. Blocking them at your mail perimeter may help.
Recommended blocklist:
195.123.218.226
91.191.184.158
"
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
85.95.237.29
195.123.218.226
91.191.184.158


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
194.150.248.56
91.191.184.158
195.123.218.226


3] https://malwr.com/an...zZjNjJjMmViYzQ/
5121669985.vbs

4] https://malwr.com/an...WE5NGJjZDA1ZmM/
25860394240.vbs

5] https://www.virustot...7c8a7/analysis/
CJgBjTI.exe

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.191.184.158
195.123.218.226
216.58.209.228


85.95.237.29: https://www.virustot...29/information/

195.123.218.226: https://www.virustot...26/information/

91.191.184.158: https://www.virustot...58/information/
 

:ninja: :ninja:   :grrr:


Edited by AplusWebMaster, 19 September 2017 - 08:00 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1995 AplusWebMaster - SWI Friend - 11,104 posts

Posted 19 September 2017 - 12:44 PM

FYI...

Fake 'Order' SPAM - delivers Locky ykcol
- https://myonlinesecu...rs-locky-ykcol/
19 Sep 2017 - "... Locky downloader... an email with the subject of 'HERBALIFE Order Number: 6N01000137' (random numbers) pretending to come from Herbalife <svc_apacnts_8169@ herbalife .com> (random numbers as well). Today’s version continues to use the 'ykcol' extension for encrypted files...

Screenshot: https://myonlinesecu...-6N01000137.png

6N01000137_1.7z: Extracts to: 6N01005710.vbs - Current Virus total detections 16/55*. Payload Security**
 | downloads an encrypted txt file which is converted by the script to vtifOYBP.exe (VirusTotal 30/64***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
DNS Requests
isiquest1 .com - 178.33.107.201 - OVH, SAS - France
Contacted Hosts
178.33.107.201: https://www.virustot...01/information/
> https://www.virustot...a3c34/analysis/

*** https://www.virustot...727f8/analysis/
JGHldb03m
 

:ninja: :ninja:    :grrr:



#1996 AplusWebMaster - SWI Friend - 11,104 posts

Posted 20 September 2017 - 05:03 AM

FYI...

Fake 'invoice' SPAM - delivering Locky
- https://myonlinesecu...re-again-today/
20 Sep 2017 - "... Locky downloaders... an email with the subject of 'Status of invoice A2178050-11' (random numbers) pretending to come from random names with a from address of ordering@ random companies. The subjects all start with 'Status of invoice A217' with 4 extra digits, then 2 digits...

Screenshot: https://myonlinesecu...A2178050-11.png

A2178050-11.rar: Extracts to: 20080920_757068.vbs - Current Virus total detections*. Payload Security**.
Downloads
 http ://mariamandrioli .com/RSkfsNR7? which is an executable file....
Frequently these are encrypted -txt- files that need converting to the .exe (VirusTotal 16/65[3])
Payload Security[4]). Other download sites for the malware binary include:
 http ://ryterorrephat .info/af/RSkfsNR7
 http ://hard-grooves .com/RSkfsNR7?
Other sites and a -different- locky binary - details have been posted by Racco42[5] on pastebin[6]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
-6dt874p53077.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
108.59.87.148

3] https://www.virustot...sis/1505896879/
RSkfsNR7.exe

4] https://www.hybrid-a...vironmentId=100

5] https://twitter.com/...423167092629504

6] https://pastebin.com/F5K6BKQX

mariamandrioli .com: 108.59.87.148: https://www.virustot...48/information/
> https://www.virustot...3fdcd/analysis/

ryterorrephat .info: 54.187.116.55: https://www.virustot...55/information/
> https://www.virustot...3b343/analysis/

hard-grooves .com: 54.187.116.55: https://www.virustot...55/information/
 

:ninja: :ninja:    :grrr:



#1997 AplusWebMaster - SWI Friend - 11,104 posts

Posted 21 September 2017 - 05:41 AM

FYI...

Fake 'Amazon Invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
21 Sep 2017 - "... Locky downloaders... an email with the subject of 'Invoice RE-2017-09-21-00102' (random last 6 digits) pretending to come from Amazon Marketplace <uJLHsSYOYmvOX@ marketplace.amazon .co.uk> (random characters before the @)...

Screenshot: https://myonlinesecu...-downloader.png

RE-2017-09-21-00102.7z: Extracts to: RE-2017-09-21-00273.vbs - Current Virus total detections 14/58*:
Payload Security** | Downloads
 http ://accuflowfloors .com/IUGiwe8? which is a txt file that is -renamed- to nVtcNP.exe (VirusTotal 22/63***)
Other download sites inside this VBS file are:
 fulcar .info/p66/IUGiwe8 and
 afradem .com/IUGiwe8? - There will be dozens of others in other versions...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1505983662/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
65.182.174.12

*** https://www.virustot...sis/1505984851/
TnipmOahC.exe

accuflowfloors .com: 65.182.174.12: https://www.virustot...12/information/
> https://www.virustot...c8c18/analysis/

fulcar .info: https://check-host.n...ost=fulcar.info
[ http://blog.dynamoo....2017-09-21.html
21 Sep 2017
Comment: ... This will be the Necurs botnet. IPs will be all over the place... blocking .7z files would probably not cause much of a problem, these are commonly used for Locky right at the moment. ]

afradem .com: 178.255.99.134: https://www.virustot...34/information/
___

'CCleaner' Command and Control - follow up ...
- http://blog.talosint...c2-concern.html
Sep 20, 2017 - "Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application*. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files. In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized -secondary- payloads...
* http://blog.talosint...es-malware.html
... These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from -backups- or -reimage- systems to ensure that they completely remove not only the backdoored version of CCleaner but -also- any other malware that may be resident on the system...
Conclusion: Supply chain attacks seem to be increasing in velocity and complexity. It's imperative that as security companies we take these attacks seriously. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time. When advanced adversaries are in play, this is especially true. They have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques. In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks..."
(More detail at the talosintelligence URL above.)

- https://www.helpnets...romise-targets/
Sep 21, 2017
>> https://www.helpnets...m/tag/ccleaner/

- https://blog.avast.c...r-investigation
Sep 21, 2017

> https://www.askwoody...ests-maybe-not/
Sep 21, 2017
> https://www.ghacks.n...oad-discovered/
Sep 21, 2017
 

:ninja: :ninja:    :grrr:


Edited by AplusWebMaster, 21 September 2017 - 11:50 AM.


#1998 AplusWebMaster - SWI Friend - 11,104 posts

Posted 22 September 2017 - 05:01 AM

FYI...

Fake 'Forskolin' SPAM - using spoofed email addresses
- https://myonlinesecu...mail-addresses/
22 Sep 2017 - "... malspam campaign again today pushing the crappy, scummy, useless 'Forskolin weight loss' junk... Some subjects in the original emails include (there are hundreds of variants): These pretend to be Facebook notifications about missed private messages or pending notifications:
    You photos that will be deleted in 1 days
    You have notification that will be removed in 5 hours
     For You new message that will be removed in 6 days
    Private message that will be deleted in 3 hours
    You friend that will be deleted in 5 hours
    You have notification that will be deleted in 7 days


The Hotmail emails look like:
- https://myonlinesecu...jects_email.png

The original emails look like these:
- https://myonlinesecu...9/support_3.png

- https://myonlinesecu...9/support_2.png

- https://myonlinesecu...9/support_1.png

The links go to a multitude of -compromised- sites but all eventually end today on
  http ://weight4forlossdiet-4tmz .world/en/caus/forskolin/?bhu=8mczFswKd5ZrUCttf15dChmqRGCWobCch
 (with a different random reference number) where you see a page looking like this:
> https://myonlinesecu...htloss-scam.png
This shows the importance of having correct authentication set up on your email server with DMARC* reporting, so you know when your email address is being spoofed and used in a mass malspam campaign:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/09/hotmail_dmarc_rejects2.png  

* https://myonlinesecu...ould-use-dmarc/ "

weight4forlossdiet-4tmz .world: 192.254.79.249: https://www.virustot...49/information/
> https://www.virustot...6ec06/analysis/
 

:ninja: :ninja:    :grrr:


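The post above makes the point that DMARC reporting is what tells a domain owner their address is being spoofed in a campaign like this one. As an added example (not code from the myonlinesecurity post or from any mail provider), here is a small parser for a DMARC aggregate (RUA) report that totals the messages which used your domain in the From header but passed neither aligned SPF nor aligned DKIM, and shows how many of them the receiver actually rejected. The XML is a constructed, minimal report in the RFC 7489 aggregate format; the reporting organisation, IPs and counts are invented.

```python
"""Summarise a DMARC aggregate (RUA) report: which source IPs are sending
mail that claims to be from your domain but passes neither SPF nor DKIM.

Added example for this thread, not code from the quoted posts. SAMPLE_REPORT
is a constructed, minimal RFC 7489 aggregate report with invented values.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailprovider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1506038400</begin><end>1506124800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>317</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>unrelated.example</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.88</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type></reason></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_bytes):
    """Extract the published policy and one row per (source IP, evaluation)."""
    # Real reports come from third parties: parse those with defusedxml to
    # avoid entity-expansion tricks. ElementTree is fine for our own sample.
    root = ET.fromstring(xml_bytes)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),   # aligned DKIM result
            "spf": evaluated.findtext("spf"),     # aligned SPF result
        })
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "rows": rows}


def spoof_summary(report):
    """Messages failing both aligned checks were not sent by anyone you authorised."""
    by_ip = defaultdict(int)
    blocked = 0
    for r in report["rows"]:
        if r["dkim"] == "fail" and r["spf"] == "fail":
            by_ip[r["source_ip"]] += r["count"]
            if r["disposition"] in ("reject", "quarantine"):
                blocked += r["count"]
    total = sum(by_ip.values())
    return {"spoofed_total": total, "blocked": blocked, "unblocked": total - blocked,
            "top_sources": sorted(by_ip.items(), key=lambda kv: -kv[1])}


if __name__ == "__main__":
    summary = spoof_summary(parse_report(SAMPLE_REPORT))
    print(summary)
```

Aggregate reports arrive by mail as gzip or zip attachments, one per receiving provider per day, so in practice a mailbox rule feeds them into a parser like this; a spike in `spoofed_total` from IPs you do not own is the signal the post's Hotmail screenshot shows, and `unblocked` shows how much of it receivers let through despite your policy.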

#1999 AplusWebMaster - SWI Friend - 11,104 posts

Posted 29 September 2017 - 09:35 AM

FYI...

Fake 'Scan xxx' SPAM - Necurs sent Locky/Trickbot
- https://myonlinesecu...ion-techniques/
28 Sep 2017 - "... malware downloaders coming from the necurs botnet... email with the subject of 'Emailing: Scan0253' (random numbers)  pretending to come from random names at your-own-email-address or company domain. Today they have changed delivery method and will give either Locky Ransomware or Trickbot banking Trojan depending on your IP address and country of origin...

Screenshot: https://myonlinesecu...ivery-email.png

Scan0253.7z: Extracts to: Scan0277.vbs - Current Virus total detections 11/59*. Payload Security** |
In this particular VBS example there were 6 hard coded urls:
"geeks-online .de/9hciunery8g?",
"freevillemusic .com/9hciunery8g?" (VirusTotal 9/65[3]) (Payload Security[4]) Looks like Trickbot
"anarakdesert .com/LUYTbjnrf?",
"americanbulldogradio .com/LUYTbjnrf?"
"sherylbro .net/p66/LUYTbjnrf" (VirusTotal 20/65[5]) (Payload Security[6]) This one is Locky
"poemsan .info/p66/d8743fgh" - Also Locky but a different file hash (VirusTotal 39/64[7]) (Payload Security[8])
The lookup services used are: "https ://ipinfo .io/json",
"http ://www.geoplugin .net/json.gp",
"http ://freegeoip .net/json/"
Update: thanks to Racco42[9] we have full list of currently known URLs posted on Pastebin[10]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506589221/
Scan0277.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.239.38.21
178.237.36.10
205.204.66.82


3] https://www.virustot...sis/1506589359/

4] https://www.hybrid-a...vironmentId=100

5] https://www.virustot...sis/1506589526/

6] https://www.hybrid-a...vironmentId=100

7] https://www.virustot...sis/1506591639/

8] https://www.hybrid-a...vironmentId=100

9] https://twitter.com/...339950015373312

10] https://pastebin.com/ahfN337m

> http://blog.dynamoo....n0xxx-from.html
28 Sep 2017 - "This -fake- 'document scan' delivers different malware depending on the victim's location...
... All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block -or- strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too."
 

:ninja: :ninja:    :grrr:


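Two of the posts above make the same operational point from different angles: the 'Revised invoice' .r24 attachment is really a ZIP (the PK header gives it away regardless of extension), and dynamoo's comment on the 'Scan0xxx' campaign says a good mail filter should block .7z outright and a better one should notice the .vbs inside an archive. As an added example (not code from myonlinesecurity, dynamoo or any mail-filter product), the script below does both: it identifies the container from its leading bytes, lists the members of ZIP-based archives, and returns a block decision when the container is 7z/RAR, when a ZIP is disguised under another extension, or when an archive carries a script or executable. The attachments it inspects are constructed in memory with the zipfile module, so it runs offline; the member names echo the posts but the contents are placeholders.

```python
"""Look inside mail attachments instead of trusting their extension.

Added example for this thread, not code from the quoted posts or any
product. Sample attachments are constructed in memory; none is real malware.
"""
import io
import zipfile
from typing import Dict, List

# Leading-byte signatures for the archive formats seen in the campaigns above.
MAGIC = {
    b"PK\x03\x04": "zip",              # also matches renamed ZIPs such as .r24
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

# Member extensions that have no business arriving inside an external attachment.
RISKY_EXTENSIONS = (".vbs", ".js", ".jse", ".wsf", ".wsh", ".hta", ".exe",
                    ".com", ".scr", ".pif", ".bat", ".cmd", ".ps1", ".dll")


def identify(data: bytes) -> str:
    """Return the container type implied by the first bytes, or 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def risky_members(data: bytes) -> List[str]:
    """Names of ZIP members whose extension is in RISKY_EXTENSIONS.

    Raises zipfile.BadZipFile when the data has a ZIP header but cannot be
    read as an archive; verdict() treats that as suspicious rather than clean.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [name for name in archive.namelist()
                if name.lower().endswith(RISKY_EXTENSIONS)]


def verdict(filename: str, data: bytes) -> Dict[str, object]:
    """Decide whether one attachment should be blocked at the mail perimeter."""
    kind = identify(data)
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"filename": filename, "claimed_ext": claimed, "container": kind,
              "risky_members": [], "reason": ""}
    if kind in ("7z", "rar"):
        # Mirrors the posts' advice: these formats are rarely legitimate inbound.
        result["reason"] = f"{kind} archive blocked outright"
    elif kind == "zip":
        if claimed != "zip":
            result["reason"] = f"ZIP container disguised as .{claimed}"
        try:
            result["risky_members"] = risky_members(data)
        except zipfile.BadZipFile:
            result["reason"] = "ZIP header but unreadable archive"
        if result["risky_members"]:
            result["reason"] = ("script/executable inside archive: "
                                + ", ".join(result["risky_members"]))
    result["block"] = bool(result["reason"])
    return result


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test fixture: a ZIP archive with the given members."""
    with io.BytesIO() as buf:
        with zipfile.ZipFile(buf, "w") as archive:
            for name, content in members.items():
                archive.writestr(name, content)
        return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples named after the attachments described in the posts.
    samples = {
        "New Invoice.r24": build_zip({"New Invoice.com": b"MZ placeholder, not a binary"}),
        "A2174744-06.7z": b"7z\xbc\xaf\x27\x1c" + bytes(32),
        "Scan0253.zip": build_zip({"Scan0277.vbs": b"' constructed, empty script"}),
        "report.zip": build_zip({"report.pdf": b"%PDF-1.4 constructed"}),
    }
    for name, blob in samples.items():
        v = verdict(name, blob)
        print(f"{name:18s} {v['container']:8s} block={v['block']!s:5s} {v['reason']}")
```

For 7z and RAR the script knows only the container type, because reading their member lists needs a third-party library; that is acceptable here because the decision for those formats is to block anyway. A filter that must allow 7z would add that library and apply the same member check.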

#2000 AplusWebMaster - SWI Friend - 11,104 posts

Posted 30 September 2017 - 09:11 AM

FYI...

Fake 'invoice' SPAM - deliver Locky/Trickbot
- https://myonlinesecu...-large-js-file/
29 Sep 2017 - "... Locky downloaders... an email with a blank/empty subject pretending to come from random names and email addresses. The body content pretends to be an 'invoice' notification. There are -no- attachments with these emails but a link-in-the-email-body goes to various -compromised- sites to download a .js file. As far as I can tell the actual Locky payload is -embedded- inside the .js file. For some strange reason the js file is named voicemsg_random numbers.js which would indicate that this was intended or has also been used in a voice message scam attempt to deliver Locky as well. The other strange thing in this campaign is the url in the body. All the ones I received are broken and start with 'ttp://' but looking at the mailscanner on my server they look -normal- with a complete html and start with the proper 'http://'...

Screenshot: https://myonlinesecu...ank-subject.png

voicemsg_088436.js - 410.7 KB (420558 bytes) - Current Virus total detections 5/59*. Payload Security**
| drops 1102.exe 298.0 KB (305152 bytes) - VirusTotal 14/65[3] - Payload Security[4].
Nothing is actually detecting these as -Locky- Ransomware and in fact some AV on VirusTotal detect as
-Cerber- Ransomware. I am only calling these Locky based on the
 moroplinghaptan .info/eroorrrs post request (giving a 404) shown in the Payload Security report. This has been a strong Indicator-of-Compromise (IOC) for Locky recently.
> Update: I am reliably informed that it depends on your IP address and location what malware you get. You will either get -Locky- Ransomware or -Trickbot- banking Trojan embedded inside the .js file.
Some of the download sites in the emails include:
 http ://resortphotographics .com/invoice.html
 http ://somallc .com/invoice.html
 http ://pinkyardflamingos .com/invoice.html
 http ://agregate-cariera .ro/invoice.html
 http ://sgtenterprises .com/invoice.html
 http ://weloveflowers .co.uk/invoice.html
They all use an -iframe- to actually download from
 http ://moroplinghaptan .info/offjsjs/ - This site has been used in a later Locky campaign today that was spoofing voicemessages...
The basic rule is NEVER open any attachment or -link- in an email, unless you are expecting it..."
* https://www.virustot...sis/1506691940/
voicemsg_088436.js

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
49.51.133.167
216.58.213.174


3] https://www.virustot...sis/1506692289/
1102.exe

4] https://www.hybrid-a...vironmentId=100

moroplinghaptan .info: 49.51.133.167: https://www.virustot...67/information/
> https://www.virustot...ba588/analysis/
___

Fake 'Office 365 invoice' - delivers Locky
- https://myonlinesecu...cky-ransomware/
29 Sep 2017 - "The 3rd version I have seen today... Locky downloaders have gone back to a traditional zip (7z) attachment containing a vbs file. This is an email pretending to be an 'Office 365 Invoice' with the subject of 'Invoice' pretending to come from the -same-name- that is in the recipient field. Random names & email addresses...

Screenshot: https://myonlinesecu...nvoice_O365.png

604173.7z: Extracts to: Invoice_930546166795.vbs - Current Virus total detections 10/58*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506683968/

** https://www.virustot...sis/1506683968/
Contacted Hosts
185.57.172.213: https://www.virustot...13/information/
___

Fake 'order' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
29 Sep 2017 - "...  malware today, all using -different- or unusual delivery methods. This next example is about an order confirmation. The attachment is a .uue attachment. Winzip says it can open .UUE files but only extracted a -garbled- encrypted/encoded txt file. Universal extractor extracted a working .exe file...

Screenshot: https://myonlinesecu...order_email.png

order290917.uue: (VirusTotal 4/58*) - Extracts to: order290917.exe - Current Virus total detections 14/64**
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506681970/
order290917.uue

** https://www.virustot...sis/1506696900/
order290917.exe

*** https://www.hybrid-a...vironmentId=100
 

:ninja: :ninja:    :grrr:


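Post #1999 lists the three public IP-geolocation services the VBS downloader consults, and the update in the post above confirms that the choice between Locky and Trickbot depends on the victim's IP and location. From the defender's side that lookup is the observable: a workstation that queries several geolocation APIs within seconds of each other is doing something ordinary software rarely does. As an added example (not code from the quoted posts, and not a product rule), the script below runs that heuristic over constructed proxy-log lines. The log format is a simplified five-field line (epoch seconds, client IP, method, URL, status) invented for the example, and the threshold of two distinct services inside 60 seconds is an assumption to tune against your own baseline.

```python
"""Flag hosts that probe several public IP-geolocation services in a short
window, the behaviour the posts attribute to the Locky/Trickbot downloader.

Added example for this thread, not code from the quoted posts. The log lines
are constructed; the format and the 2-services-in-60-seconds threshold are
assumptions for the example.
"""
from typing import Dict, List
from urllib.parse import urlparse

# The three lookup services named in the myonlinesecurity post.
GEO_SERVICES = {"ipinfo.io", "www.geoplugin.net", "freegeoip.net"}
WINDOW_SECONDS = 60
MIN_SERVICES = 2

# Constructed sample: 10.0.0.15 hits all three services in two seconds and
# then fetches something else; 10.0.0.42 hits two services twenty minutes
# apart (a plausible false positive we do not want); 10.0.0.77 hits none.
SAMPLE_LOG = """\
1506589200 10.0.0.15 GET https://ipinfo.io/json 200
1506589201 10.0.0.15 GET http://www.geoplugin.net/json.gp 200
1506589202 10.0.0.15 GET http://freegeoip.net/json/ 200
1506589206 10.0.0.15 GET http://downloads.example/p66/file 200
1506589300 10.0.0.42 GET https://ipinfo.io/json 200
1506590500 10.0.0.42 GET http://www.geoplugin.net/json.gp 200
1506589350 10.0.0.77 GET https://www.example.com/ 200
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields."""
    ts, client, method, url, status = line.split()
    host = (urlparse(url).hostname or "").lower()
    return {"ts": int(ts), "client": client, "method": method,
            "host": host, "url": url, "status": int(status)}


def geo_lookup_bursts(log_text: str, window: int = WINDOW_SECONDS,
                      min_services: int = MIN_SERVICES) -> List[Dict[str, object]]:
    """One alert per client that contacted >= min_services distinct
    geolocation services within `window` seconds, with the non-geolocation
    URLs that same client fetched inside the window (the next pivot)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: (e["client"], e["ts"]))
    lookups: Dict[str, List[Dict[str, object]]] = {}
    for e in events:
        if e["host"] in GEO_SERVICES:
            lookups.setdefault(e["client"], []).append(e)

    alerts = []
    for client, hits in lookups.items():
        for i, first in enumerate(hits):            # sliding window per client
            in_window = [h for h in hits[i:] if h["ts"] - first["ts"] <= window]
            services = {h["host"] for h in in_window}
            if len(services) >= min_services:
                followed_by = [e["url"] for e in events
                               if e["client"] == client
                               and e["host"] not in GEO_SERVICES
                               and first["ts"] <= e["ts"] <= first["ts"] + window]
                alerts.append({"client": client, "first_ts": first["ts"],
                               "services": sorted(services),
                               "followed_by": followed_by})
                break                               # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for alert in geo_lookup_bursts(SAMPLE_LOG):
        print(alert)
```

A single geolocation lookup is too common to alert on, which is why the heuristic wants more than one service in a tight window; the `followed_by` list is there because the first request after the burst is where the payload download sits in the posts' Payload Security reports, and it is the URL an analyst would pivot to next.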



