SPAM frauds, fakes, and other MALWARE deliveries...



#2001 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,013 posts

Posted 03 October 2017 - 06:55 AM

FYI...

Fake 'order' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
2 Oct 2017 - "An email with the subject of 'Fwd: Re: Order' pretending to come from info@ anashin .am with a malicious word doc attachment delivers malware...

Screenshot: https://myonlinesecu...7_doc_email.png

Order0210177.doc - Current Virus total detections 15/58*. Payload Security** downloads
 http ://birsekermasali .com/hta/gen.hta (VirusTotal 15/57[3]) (Payload Security[4]) which in turn downloads
 http ://birsekermasali .com/css_files/gen/quote.exe (VirusTotal 25/66[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1506949614/
Order0210177.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
192.185.115.14

3] https://www.virustot...sis/1506968237/
gen.hta

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.115.14
198.187.29.143


5] https://www.virustot...sis/1506967286/
quote.exe

6] https://www.hybrid-a...vironmentId=100

birsekermasali .com: 192.185.115.14: https://www.virustot...14/information/
> https://www.virustot...c43f3/analysis/

> https://www.virustot...26ef3/analysis/
 

:ninja: :ninja:   :grrr:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2002 AplusWebMaster

Posted 03 October 2017 - 12:29 PM

FYI...

Fake 'FedEx' SPAM - leads to info stealer
- https://isc.sans.edu/diary/rss/22888
2017-10-03 - "... On Monday 2017-10-02, I ran across malicious spam (malspam) pushing Formbook, an information stealer. Arbor Networks has a good article about Formbook here:
> https://www.arbornet...k-form-grabber/
... The email is disguised as a 'FedEx delivery notice'. It has a-link-to-a-compromised-website that's hosting malware. The link points to a supposed document for this fake delivery:
> https://isc.sans.edu...ry-image-01.jpg
Clicking on-the-link (DON'T) returned a RAR archive. The RAR archive contains a Windows executable that's poorly-disguised as some sort of receipt... indicators seen during the infection from Formbook malspam on Monday 2017-10-02:
Email:
    Date/Time:  2017-11-02 at 14:23 UTC
    Subject:  Re: Alert: FedEx OFFICE Delivery® ... 17-10-02, at 07:22:11 AM BA
    From:  "DOCUMENT2017" <gifcos@ tutanota.com>
    Link from the email:  hxxps ://superiorleather .co.uk/Receipt.r22

Traffic seen when retrieving the RAR archive:
    185.46.121.66 [1] port 443 - superiorleather .co.uk - GET /Receipt.r22 ..."
1] 185.46.121.66: https://www.virustot...66/information/
> https://www.virustot...c6369/analysis/
Post-infection traffic:
    47.90.52.201 port 80 - www .shucancan .com - GET /ch/?id=[80 character ID string]
    52.87.61.120 port 80 - www .ias39 .com - GET /ch/?id=[80 character ID string]
    66.206.43.242 port 80 - www .fairwaytablet .com - GET /ch/?id=[80 character ID string]
    103.38.43.236 port 80 - www .chunsujiayuan .com - GET /ch/?id=[80 character ID string]
    104.250.134.156 port 80 - www .ebjouv .info - GET /ch/?id=[80 character ID string]
    104.31.80.135 port 80 - www .dailyredherald .com - GET /ch/?id=[80 character ID string]
    153.92.6.50 port 80 - www .beykozevdenevenakliyatci .com - GET /ch/?id=[80 character ID string]
    162.242.173.39 port 80 - www .238thrift .com - GET /ch/?id=[80 character ID string]
    180.178.39.66 port 80 - www .et551 .com - GET /ch/?id=[80 character ID string]
    195.154.21.65 port 80 - www .lesjardinsdemilady .com - GET /ch/?id=[80 character ID string]
    198.54.114.238 port 80 - www .prfitvxnfe .info - GET /ch/?id=[80 character ID string]
    199.34.228.59 port 80 - www .craigjrspestservice .com - GET /ch/?id=[80 character ID string]

    162.242.173.39 port 80 - www .238thrift .com - POST /ch/
    198.54.114.238 port 80 - www .prfitvxnfe .info - POST /ch/ "
(More detail @ the isc URL above.)

> http://www.malware-t...0/03/index.html
___

Fake 'Shipping' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
3 Oct 2017 - "... an email with the subject of 'Re: Shipping arrangement process' pretending to come from Valero .com but coming from Anna Brugt <dhen.ordonez@ ritetrend .com.ph>...

Screenshot: https://myonlinesecu...ent-process.png

There is a-link-in-the-email body to
 http ://www.oysterpublicschool .com//hy/reciept/_outputC9E322F.exe which gives a 404,
 but there is also a RAR attachment with a file of the same name. It is highly likely that other versions of this email will have a different download link, that might be active.

_outputC9E322F.rar: Extracts to: _outputC9E322F.exe - Current Virus total detections 15/66*. Payload Security**
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1507051011/
_outputC9E322F.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
109.169.89.11

oysterpublicschool .com: 192.185.115.66: https://www.virustot...66/information/
___

Fake 'Cash Statement' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
3 Oct 2017 - "... Malware downloaders... an email with the subject of 'Cash Statement of Account 10/03/2017' coming from Front Desk <reception@ st-timsrc .org>...

Screenshot: https://myonlinesecu...-10-03-2017.png

The email has a pdf attachment with a link to
 https ://goo .gl/4tzM3b which redirects to
 http ://uae-moneyremit .top/plugins/cfare.html where you see a page like this asking you to install a plugin to view the page:
> https://myonlinesecu...ugin_needed.png

Pressing install will download
 https ://www.dropbox .com/s/piw5k38lytremqz/firefoxplugin_install.exe (VirusTotal 13/64*) (Payload Security**)

We have had a series of these emails recently; the one on 28 September 2017 was 'DAY END CASH PAYMENT REPORT AS ON 28/09/2017', which delivered fxplugin_install.exe (VirusTotal 44/65[3]) (Payload Security[4]) and was the NetWire RAT...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1507058018/
firefoxplugin_install.exe

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
5.206.227.248

3] https://www.virustot...sis/1506917666/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
85.159.233.23
 

Edited by AplusWebMaster, 03 October 2017 - 03:08 PM.

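An added example, not part of the original post or the ISC diary it quotes: the Formbook post-infection traffic listed in #2002 has a fixed shape, GET /ch/?id=<80-character string> fanned out from one client across many unrelated domains, followed by POST /ch/ to a few of them. The Python script below applies that shape to proxy log lines. The log format, the .example host names and the 10.0.0.x / 203.0.113.x addresses are constructed for this example, and the allowed character set of the id is an assumption, since the diary only gives its length.

```python
"""Flag Formbook-style beacons (GET /ch/?id=<80 chars>, POST /ch/) in proxy logs.
Added example; the log format and every host/address below are constructed."""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <src_ip> <dst_ip>:<port> <METHOD> <host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)
# The diary gives only the id length (80); the character set is an assumption.
GET_BEACON_RE = re.compile(r"^/ch/\?id=[A-Za-z0-9+/=_-]{80}$")
POST_BEACON_RE = re.compile(r"^/ch/?$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_beacon(rec):
    """True if the request matches the check-in (GET) or exfil (POST) shape."""
    if rec["method"] == "GET":
        return bool(GET_BEACON_RE.match(rec["path"]))
    if rec["method"] == "POST":
        return bool(POST_BEACON_RE.match(rec["path"]))
    return False


def analyze(lines, min_hosts=3):
    """Return (matching records, {src_ip: sorted hosts}) for sources that beacon
    to at least min_hosts distinct hosts. The fan-out is the stronger signal:
    a single /ch/ path on one site could be coincidence, a dozen cannot."""
    hits = []
    hosts_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_beacon(rec):
            continue
        hits.append(rec)
        hosts_by_src[rec["src"]].add(rec["host"])
    suspects = {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}
    return hits, suspects


# Constructed sample: one infected client (10.0.0.5) cycling through C2 candidates,
# plus ordinary traffic and a near-miss that must not fire.
SAMPLE_ID = "A" * 80  # placeholder; real ids are opaque 80-character strings
SAMPLE_LOG = [
    "2017-10-02T14:31:05Z 10.0.0.5 203.0.113.10:80 GET www.host-a.example /ch/?id=" + SAMPLE_ID,
    "2017-10-02T14:31:06Z 10.0.0.5 203.0.113.11:80 GET www.host-b.example /ch/?id=" + SAMPLE_ID,
    "2017-10-02T14:31:07Z 10.0.0.5 203.0.113.12:80 GET www.host-c.example /ch/?id=" + SAMPLE_ID,
    "2017-10-02T14:31:09Z 10.0.0.5 203.0.113.12:80 POST www.host-c.example /ch/",
    "2017-10-02T14:32:00Z 10.0.0.7 203.0.113.50:443 GET www.shop.example /index.html",
    "2017-10-02T14:32:30Z 10.0.0.7 203.0.113.51:80 GET www.blog.example /ch/?id=short",
]

if __name__ == "__main__":
    hits, suspects = analyze(SAMPLE_LOG)
    for rec in hits:
        print("beacon:", rec["src"], rec["method"], rec["host"], rec["path"][:24])
    print("suspect sources:", suspects)
```

Run against real proxy or Zeek http logs the parser line is the only part that needs adapting; the path rule and the per-source fan-out count carry over unchanged.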


#2003 AplusWebMaster

Posted 04 October 2017 - 02:10 PM

FYI...

Fake 'Copy of invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
4 Oct 2017 - "... Locky downloaders... an email with the subject of 'Copy of invoice A5165059014. Please find your invoice attached' pretending to come from online@ screwfix .com...

Screenshot: https://myonlinesecu...ce-attached.png

InvoiceA5165059014.7z: Extracts to: Invoice558727316499528791952132.vbs - Current Virus total detections 6/59*
Payload Security** downloads from one of these hard coded locations in this vbs. (There will be numerous others):
"spazioireos .it/8etyfh3ni?",
"derainlay .info/p66/8etyfh3ni",
"turfschiploge .nl/8etyfh3ni?" (VirusTotal 16/65[3])...

> Update: current list of known download sites PASTEBIN(a) thanks to Racco42(b)
a) https://pastebin.com/ajXf4k0f
b) https://twitter.com/Racco42

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1507106667/
Invoice558727316499528791952132.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.29.205.233

3] https://www.virustot...sis/1507107227/

spazioireos .it: 81.29.205.233: https://www.virustot...33/information/

derainlay .info: https://en.wikipedia.../wiki/Fast_flux

turfschiploge .nl: 46.235.43.11: https://www.virustot...11/information/
___

Fake 'Payment Confirmation' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
4 Oct 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments or -links- to download them. I have previously mentioned many of these HERE[1]...
1] https://myonlinesecu.../?s=java adwind

Screenshot: https://myonlinesecu...onfirmation.png

Xpress Money Payment Confirmation.jar (462kb) - Current Virus total detections 16/62*. Payload Security**...
All the links-in-the-email (including the -image- of an XLS file) go to the-same-url (guaranteed to be a compromised site, where all the site content is now about QTUM, a -bitcoin- exchange; I have been seeing several compromised malware delivery sites recently with all their content changed to the QTUM content) to download a zip file:
 http ://restaurantelburladero .com/Xpress Money Payment Confirmation.z (.z is a file extension that many unzipping utilities will extract from, although not commonly used)...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1507035357/
Scan 2017100323 114727.xls Here.JAR

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.58.209.238

restaurantelburladero .com: 5.2.88.79: https://www.virustot...79/information/
> https://www.virustot...1fc97/analysis/
___

'Dnsmasq' - multiple vulnerabilities
> https://www.helpnets.../dnsmasq-flaws/
Oct 3, 2017
> https://www.kb.cert.org/vuls/id/973527
2 Oct 2017
> http://www.securityt....com/id/1039474
Oct 2 2017
 

Edited by AplusWebMaster, 04 October 2017 - 02:18 PM.



#2004 AplusWebMaster

Posted 05 October 2017 - 05:40 AM

FYI...

Fake 'Payment Advice' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
5 Oct 2017 - "An email with the subject of 'Important – Payment Advice' pretending to come from HSBC but actually coming from a look-a-like domain HSBC <no-reply@ hsbcpaymentadvice .com> or HSBC <no-reply@ hsbcadvice .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... there is a slight formatting problem in Outlook, where the emails arrive with a -blank- body. Reading in plain text or using view source, shows the content...

Screenshot: https://myonlinesecu...dvice_-HSBC.png

SecureMessage.doc - Current Virus total detections 10/59*. Payload Security**
This malware file downloads from
 http ://diga-consult .de/ser1004.png which of course is -not- an image file but a renamed .exe file that gets renamed to aqdccc.exE (VirusTotal 13/65***). An alternative download location is
 http ://hill-familie .de/ser1004.png
This email -attachment- contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...oc_4_Oct_17.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1507166812/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
87.106.222.158
64.182.208.181
194.87.92.191


*** https://www.virustot...sis/1507170157/
ser1004.png

diga-consult .de: 87.106.222.158: https://www.virustot...58/information/
> https://www.virustot...18c0e/analysis/

hill-familie .de: 148.251.5.116: https://www.virustot...16/information/
> https://www.virustot...27ff4/analysis/
 

Edited by AplusWebMaster, 05 October 2017 - 05:40 AM.



#2005 AplusWebMaster

Posted 06 October 2017 - 07:32 AM

FYI...

Fake 'Payment history' SPAM - delivers Locky
- https://myonlinesecu...d-of-zip-files/
6 Oct 2017 - "... Locky downloaders... an email with the subject of 'Payment history' pretending to come from accounts @ random email addresses and companies.... encoding the files today and the so called 7z attachment is actually a base64 file that needs decoding to get the 7z file, before extracting the VBS...

Screenshot: https://myonlinesecu...locky-email.png

62046_Remittance.7z: decoded from base 64 and Extracts to: 872042 Remittance.vbs
Current Virus total detections 9/60*. Payload Security**
This particular VBS has these URLs hardcoded (there will be loads of others)
 "asheardontheradiogreens .com/uywtfgh36?",
 "thedarkpvp .net/p66/uywtfgh36"
 "2-wave .com/uywtfgh36?" (VirusTotal 14/66[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1507281470/
872042 Remittance.vbs

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.58.213.142
74.125.160.39
199.30.241.139
91.142.170.187
209.54.62.81


3] https://www.virustot...sis/1507281734/
freSUUFBdtY.exe

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.223.106.227

asheardontheradiogreens .com: 199.30.241.139: https://www.virustot...39/information/

thedarkpvp .net: https://en.wikipedia.../wiki/Fast_flux

2-wave .com: 209.54.62.81: https://www.virustot...81/information/
 

Edited by AplusWebMaster, 06 October 2017 - 08:58 AM.



#2006 AplusWebMaster

Posted 11 October 2017 - 08:28 AM

FYI...

Fake 'Amazon' SPAM - delivers banking trojan
- https://myonlinesecu...banking-trojan/
11 Oct 2017 - "... malware scammers are imitating Amazon Associates to deliver their malware. An email with the subject of coming from 'Amazon Associates Network' <erikam1@ umbc .edu> with a malicious word doc or Excel XLS spreadsheet attachment delivers Cthonic banking trojan. These are coming via a -compromised- umbc .edu email account. All the sites in the malware delivery chain are -compromised- sites...

Screenshot: https://myonlinesecu...twork-email.png

The link-in-the-email goes to a broken link
  ttps ://www.angelbasar .de/skin/form.php it should be
 https ://www.angelbasar .de/skin/form.php where it downloads Your account, statement.docm
Current Virus total detections 5/61*. Payload Security**, where you can see the same screenshots as described yesterday: the content only appears after enabling and allowing macros to run. This malware doc downloads from
 http ://shirtlounge .eu/skin/priv8.exe (VirusTotal 50/62[3]) (Payload Security[4]) Cthonic banking trojan...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustot...sis/1507708534/
bddca74a4da71137b8f780ff9c959a54_doc

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...fe217/analysis/
A.exe

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
104.238.186.189
87.98.175.85
5.9.49.12
144.76.133.38
49.51.33.103
93.170.96.235
85.159.213.210
37.187.16.17
31.3.135.232
62.113.203.55
62.113.203.99


angelbasar .de: 82.165.238.218: https://www.virustot...18/information/
> https://www.virustot...14e3a/analysis/

shirtlounge .eu: 85.214.130.213: https://www.virustot...13/information/
> https://www.virustot...4fd4c/analysis/
 



#2007 AplusWebMaster

Posted 12 October 2017 - 07:52 AM

FYI...

Equifax website hacked again - redirects to fake Flash update
- https://arstechnica....e-flash-update/
10/12/2017 - "In May credit reporting service Equifax's website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday the site was compromised again, this time to deliver -fraudulent- Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers. Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp :centerbluray .info that looked like this:
> https://cdn.arstechn...first-flash.jpg
... he encountered the -bogus- Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit... The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry* shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security** shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes[3] flagged the centerbluray .info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults .com. In the hour this post was being reported and written, Abrams was unable to reproduce the -redirects- leading to the malicious download. It's possible Equifax has cleaned up its site. It's also possible the attackers have shut down for the night and have the ability to return at will to visit still worse misfortunes on visitors. Equifax representatives didn't respond to an e-mail that included a link to the video and sought comment for this post."
* https://www.virustot...sis/1506995209/
MediaDownloaderIron.exe

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...51cc7/analysis/

centerbluray .info: Could not find an IP address for this domain name...

newcyclevaults .com: Could not find an IP address for this domain name...
 



#2008 AplusWebMaster

Posted 17 October 2017 - 07:18 AM

FYI...

Fake 'MoneyGram' SPAM - delivers java trojan
- https://myonlinesecu...rs-java-trojan/
27 Oct 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...
The link-in-the-email goes to a zip file which doesn’t extract. However if you rename the zip to .rar it does...

Screenshot: https://myonlinesecu...ction-Query.png

The link-in-the-email goes to
 http ://analab .it/TransactionQuery_10-16-2017.zip which is actually a .rar file that needs to be renamed to .rar to extract it.
TransactionQuery_10-16-2017.jar (307kb) - Current Virus total detections 19/58*. Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...c5185/analysis/
TransactionQuery_10-16-2017.jar

** https://www.hybrid-a...vironmentId=100
DNS Requests
46.183.223.33: https://www.virustot...33/information/

analab .it: 62.149.205.46: https://www.virustot...46/information/
> https://www.virustot...c7ff2/analysis/
___

FBI press releases
> https://www.fbi.gov/news/pressrel

10.17.2017: Twelve People Indicted Installing Credit-Card Skimmers on Gas Pumps in Five States and Stealing Account Information from Thousands

10.17.2017: Two Women, Including Former Associate Dean of Caldwell University, Admit Defrauding Veterans’ G.I. Bill

10.17.2017: Doctor Admits Billing Medicare, Other Insurers $3 Million for Therapy Services Performed by Unqualified Personnel

10.17.2017: New York Man Sentenced to 43 Months in Prison for Robbing Bergen County, New Jersey Bank
 

Edited by AplusWebMaster, 17 October 2017 - 03:41 PM.



#2009 AplusWebMaster

Posted 18 October 2017 - 08:51 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky or Trickbot
- https://myonlinesecu...ky-or-trickbot/
18 Oct 2017 - "... downloaders from the Necurs botnet that deliver Locky ransomware or Trickbot banking trojan... I saw a few twitter links leading to this post on Bleeping Computer[1] saying that Locky (Necurs Downloaders) will take screenshots of the "victim's" computer and send back error messages to base... Today's is an email pretending to come from invoicing@ random names and email addresses, with a subject like 'Invoice 009863361 10.18.2017' where the numbers are random with a blank/empty body...
One of the emails looks like:
From: Invoicing <Invoicing@ random name>
Date: Wed 18/10/2017 10:27
Subject: Invoice 009863361 10.18.2017
Attachment: Invoice 009863361 10.18.2017.7z
Body content:
    totally empty blank


1] https://www.bleeping...runtime-errors/
Oct 17, 2017
> https://www.symantec...ee-your-desktop
17 Oct 2017 - "... Beware of strangers offering fake invoices..."

Invoice 009863361 10.18.2017.7z: Extracts to: Invoice 364776483 10.18.2017.vbs
Current Virus total detections 10/56[2]. Payload Security[3] | JoeSandbox[4].
Thanks to various Twitter contacts (my grateful thanks to them all for their hard work and expert knowledge) we have some downloads sites delivering Locky ransomware using USA IP numbers - VirusTotal 17/56[5]. Payload Security[6] from these locations:
dbatee .gr/niv785yg
goliathstoneindustries .com/niv785yg
3overpar .com/niv785yg
pciholog .ru/niv785yg
disfrance .net/p66/niv785yg
Joesandbox was given a different binary (sandbox pcap) that is a totally different size (VirusTotal 17/66[7]) (Payload Security[8]); it looks like the file must have been cut off during download. Using a different UK IP number, one researcher was given Trickbot banking trojan (VirusTotal 21/66[9]) (Payload Security[10]) from:
envi-herzog .de/iuty56g
pac-provider .com/iuty56g
pesonamas .co.id/iuty56g
disfrance .net/p66/iuty56g
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
2] https://www.virustot...sis/1508316046/
Invoice 364776483 10.18.2017.vbs

3] https://www.hybrid-a...vironmentId=100
DNS Requests
49.51.134.78
Contacted Hosts
49.51.134.78

4] https://jbxcloud.joe...s/390019/1/html

5] https://www.virustot...fe484/analysis/

6] https://www.hybrid-a...vironmentId=100

7] https://www.virustot...fe484/analysis/

8] https://www.hybrid-a...vironmentId=100

9] https://www.virustot...1564b/analysis/

10] https://www.hybrid-a...vironmentId=100
 

Edited by AplusWebMaster, 18 October 2017 - 02:50 PM.



#2010 AplusWebMaster

Posted 19 October 2017 - 07:02 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky and Trickbot
- https://myonlinesecu...microsoft-word/
19 Oct 2017 - "Another change from the Necurs botnet delivering Locky and Trickbot again today with an email with the subject of 'Emailed Invoice – 459572' (random numbers) pretending to come from random names at your own email address or company domain...
They have changed to using word docs again but they are -not- using macros but using the DDE “exploit” or feature which -allows- linked files. These are very similar to embedded ole objects but instead of the object (normally a script file) being embedded in the word doc & you clicking it to allow it to run, these link to a remote website without you seeing the link. This link describes it in better detail:
> https://blog.barkly....ttack-no-macros

One of the emails looks like:
From: Stacie Osborne <Stacie@ victim domain .tld>
Date: Thu 19/10/2017 11:15
Subject: Emailed Invoice – 459572
Attachment: I_459572.doc
Body content:
    As requested  
    regards
    Stacie Osborne ...


Screenshot of word doc:
> https://myonlinesecu..._459572_doc.png

I_459572.doc - Current Virus total detections 9/60*. Payload Security**
The word doc uses this DDE “feature” to contact (in this example, there will be loads of others)
 http ://alexandradickman .com/KJHDhbje71 where a base64 encoded file is opened and decoded.
This has 3 hardcoded URLS inside it (again there will be others in other examples)
 "http ://shamanic-extracts .biz/eurgf837or",
 "http ://centralbaptistchurchnj .org/eurgf837or",
 "http ://conxibit .com/eurgf837or" which gives a txt file which is -renamed- to rekakva32.exe
(VirusTotal 6/65[3]) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1508408047/

** https://www.hybrid-a...vironmentId=100
DNS Requests
98.124.251.65
83.242.103.81
98.124.251.65

Contacted Hosts
98.124.251.65
62.212.154.98
83.242.103.81


3] https://www.virustot...sis/1508408465/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
188.190.71.132
___

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
19 Oct 2017 - "An email with the subject of 'eFax' pretending to come from eFax service but actually coming from a whole range of look-a-like domains with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... the criminals sending these have registered various domains that look-like genuine Company, Bank, Government or message sending services...

Screenshot: https://myonlinesecu...ervicexx_ml.png

efax190238535-34522.doc - Current Virus total detections 4/59*. Payload Security**
This malware file downloads from
 http ://acupuncturenorthwest .com/kas47.png which of course is -not- an image file but a renamed .exe file that gets renamed to Fcd-4.exe (VirusTotal 12/64[3]). An alternative download location is
 http ://www.agcofruit .com/kas47.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...5-34522_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1508420918/

** https://www.hybrid-a...vironmentId=100
DNS Requests
74.50.21.13
64.182.208.184

Contacted Hosts
74.50.21.13
64.182.208.184
79.170.7.139
185.125.46.77


3] https://www.virustot...f884d/analysis/
Fcd-4.exe

acupuncturenorthwest .com: 74.50.21.13: https://www.virustot...13/information/
> https://www.virustot...dfff7/analysis/

agcofruit .com: 192.185.118.67: https://www.virustot...67/information/
> https://www.virustot...70065/analysis/
___

Locky Ransomware’s Recent SPAM
- http://blog.trendmic...pam-activities/
Oct 19, 2017 - "... A closer look at Locky’s activities reveals a constant: the use of spam. While spam remains to be a major entry point for ransomware, others such as Cerber also employ vectors like exploit kits. Locky, however, appears to concentrate its distribution through large-scale spam campaigns regardless of the variants released by its operators/developers... We’ve also found how the scale and scope of Locky’s distribution are fueled by the Necurs botnet, a spam distribution infrastructure comprising zombified devices. It churns out a sizeable amount of spam emails carrying information stealers like Gameover ZeuS, ZBOT or Dridex, and other ransomware families such as CryptoLocker, CryptoWall, and Jaff. Necurs is Locky’s known and long-time partner in crime, and it’s no coincidence that the surge of Locky-bearing spam emails corresponds with the uptick in Necurs’ own activity. In fact, we saw that Necurs actively pushed Locky from August to October:
> https://blog.trendmi...ocky-spam-2.jpg
It’s also worth noting that Necurs also distributed Locky via URL-only spam emails — that is, the messages didn’t have -any- attachments, but rather -links- that divert users to -compromised- websites hosting the ransomware. The use of HTMLs embedded with -links- to the -compromised- site also started gaining traction this year... the continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists. Some of the recent lures we saw were:
- Fake voice message notifications (vishing, or the use of voice-related systems in phishing attacks)
- HTML attachments posing as invoices
- Archive files masquerading as business missives from multinationals, e.g., audit and budget reports
- Fraudulent emails that involve monetary transactions such as bills, parcel/delivery confirmations, and payment receipts..."
(More detail at the trendmicro URL above.)
 

Edited by AplusWebMaster, 19 October 2017 - 09:58 AM.

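An added example, not from the original posts or from myonlinesecurity: several posts above describe attachments whose extension lies about their content, a renamed .exe served as ser1004.png and kas47.png (#2004, #2010), a .7z that is really base64 text wrapping the archive (#2005), and a .zip that is really a RAR (#2008). The Python script below sniffs the leading bytes using the standard file signatures, falls back to a strict base64 decode when nothing matches, and compares the result with the extension. The sample attachments are constructed stubs (a few signature bytes plus padding), not the real files; the file names are reused from the posts only to label the cases.

```python
"""Check an e-mail attachment's real type against its extension.
Added example; the signatures are the standard ones, the sample files are constructed."""
import base64
import binascii

# (leading bytes, type) for the container and payload types seen in these posts
SIGNATURES = [
    (b"MZ", "exe"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),                       # covers RAR 4 and RAR 5 headers
    (b"PK\x03\x04", "zip"),                         # also .docx/.xlsx/.jar containers
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls
]
# Extensions whose on-disk form is a zip container
ZIP_EXTS = {"zip", "docx", "docm", "xlsx", "xlsm", "jar"}
EXPECTED = {"exe": "exe", "7z": "7z", "rar": "rar", "png": "png", "pdf": "pdf",
            "doc": "ole", "xls": "ole"}


def sniff(data):
    """Return the type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def identify(data):
    """Return (kind, wrapped). wrapped is True when the bytes are base64 text that
    decodes to a recognised type (the '.7z that is really base64' case)."""
    kind = sniff(data)
    if kind != "unknown":
        return kind, False
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown", False
    inner = sniff(decoded)
    return (inner, True) if inner != "unknown" else ("unknown", False)


def check_attachment(filename, data):
    """Classify one attachment: ok / mismatch / base64-wrapped / unknown-extension / unknown."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, wrapped = identify(data)
    if kind == "unknown":
        verdict = "unknown"
    elif wrapped:
        verdict = "base64-wrapped"
    elif ext in ZIP_EXTS:
        verdict = "ok" if kind == "zip" else "mismatch"
    elif ext in EXPECTED:
        verdict = "ok" if EXPECTED[ext] == kind else "mismatch"
    else:
        verdict = "unknown-extension"   # e.g. .r22 or .z carrying an archive
    return {"file": filename, "ext": ext, "kind": kind, "wrapped": wrapped, "verdict": verdict}


# Constructed sample attachments modelled on the cases in these posts
SAMPLES = {
    "ser1004.png": b"MZ\x90\x00" + b"\x00" * 60,                                   # .exe renamed to .png
    "62046_Remittance.7z": base64.b64encode(b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24),  # base64 wrapping a 7z
    "TransactionQuery_10-16-2017.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 24,         # RAR named .zip
    "Receipt.r22": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24,                          # archive under an odd extension
    "report.docx": b"PK\x03\x04" + b"\x00" * 24,                                    # genuine zip container
    "notes.txt": b"just some text\n",                                               # nothing recognisable
}


def run_samples():
    """Check every constructed sample; returns {filename: verdict}."""
    return {name: check_attachment(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_attachment(name, data))
```

Anything other than "ok" is worth quarantining at the mail gateway; "unknown-extension" in particular catches the .r22 and .z tricks where the extension is chosen so that filters do not recognise it but the archiver still opens it.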


#2011 AplusWebMaster

Posted 20 October 2017 - 07:59 AM

FYI...

Today's crop of cyber criminal attempts to INFECT systems and PCs through E-mail gets WORSE. Best bet is to read these posts by "good-guy" analysts and get what you can from their research, however convoluted the criminals' means have evolved, and remember the standard warnings for ALL E-mail that hits your Inbox:

"DO NOT follow the advice they give to enable macros or enable editing to see the content.

The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it."

Scanned image from MX-2600N malspam pretending to come from your own company delivers Locky ransomware using Word DDE exploit
- https://myonlinesecu...rd-dde-exploit/
20 Oct 2017

Fake Swift Copy message delivers fareit trojan
- https://myonlinesecu...-fareit-trojan/
20 Oct 2017

More Locky ransomware delivered via DDE exploit pretending to come from your own company or email address
- https://myonlinesecu...-email-address/
20 Oct 2017

Necurs Botnet malspam pushes Locky using DDE attack
- https://isc.sans.edu...E attack/22946/
2017-10-19 - "... the DDE attack* technique has spread to large-scale distribution campaigns..."
* https://www.bleeping...needing-macros/
___

Alert (TA17-293A)
Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors

- https://www.us-cert....lerts/TA17-293A
Oct 20, 2017 - "Systems Affected:
    Domain Controllers
    File Servers
    Email Servers
Overview: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks...
DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity..."
(More detail at the us-cert URL above.)
 

Edited by AplusWebMaster, 21 October 2017 - 07:08 AM.


#2012 AplusWebMaster

Posted 23 October 2017 - 05:34 AM

FYI...

Fake 'Office 365 update' SPAM - delivers Trojan
- https://myonlinesecu...banking-trojan/
23 Oct 2017 - "... an email with the subject of 'Office 365' pretending to come from Microsoft Security Team but actually coming via what looks like a compromised email account...

Screenshot: https://myonlinesecu...365_cthonic.png

office_security_update.zip: Extracts to: ms_office_update.exe - Current Virus total detections 13/67*.
Payload Security**...
Update: after digging around the mail server quarantine, I have found several of these, coming via numerous different -compromised- email accounts. All of them have the same malformed content with no accessible attachment... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1508670171/
ms_office_update.exe

** https://www.hybrid-a...vironmentId=100

 

Edited by AplusWebMaster, 23 October 2017 - 05:43 AM.


#2013 AplusWebMaster

Posted 24 October 2017 - 08:32 AM

FYI...

'BadRabbit' ransomware attacks...
> https://www.bleeping...eastern-europe/
Oct 24, 2017 - "A new ransomware strain named 'Bad Rabbit' is wreaking havoc in many Eastern European countries, affecting both government agencies and private businesses alike. At the time of writing, the ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey. The speed with which Bad Rabbit spread is similar to the WannaCry and NotPetya outbreaks... ESET and Proofpoint researchers say Bad Rabbit has initially spread via -fake- Flash update packages, but the ransomware also appears to come with tools that help it move laterally inside a network, which may explain why it spread so quickly across several organizations in such a small time..."

> https://twitter.com/...Rabbit?src=hash

> https://www.csoonlin...ia-outlets.html
Oct 24, 2017

> https://www.welivese...der-ransomware/
24 Oct 2017

> https://askwoody.com/tag/badrabbit/
Oct 24, 2017

> https://www.virustot...8d0da/analysis/
BadRabbit.exe.virus / Uninstaller 27.0
49/66
File detail: FlashUtil.exe
Additional info:
install_flash_player.exe
___

Fake 'Invoice' SPAM - using 'DDE exploit'
- https://myonlinesecu...ng-dde-exploit/
24 Oct 2017 - "Another Locky ransomware campaign using the DDE exploit[1]...
1] https://www.bleeping...needing-macros/
... the word doc contains embedded -links- that use the DDE exploit to contact a remote server & get a base64 encoded string which decodes to a set of instructions to contact a list-of-urls in turn, until one responds...
Asking somebody to 'update links' seems innocent enough and many recipients will click 'yes':
Update fields warning message from DDE exploit word doc:
> https://myonlinesecu...date-fields.png
... many of the intermediate stages and files never get stored or kept on the victim’s computer, in fact the final Locky binary is deleted as soon as it has been run, so there are few forensic artefacts for investigation. Brad Duncan has done a Blog post at ISC explaining all this in detail[2] with examples from the earlier run.
2] https://isc.sans.edu...E attack/22946/

Screenshot: https://myonlinesecu...e-DDE-email.png

Invoice_file_921629.doc - Current Virus total detections 10/61*. Payload Security** | contacts
 'http ://transmercasa .com/JHGGsdsw6'
where it downloads to memory the base64 encoded string which decodes to give these 3 urls
    http ://tatianadecastelbajac .fr/kjhgFG
    http ://video.rb-webdev .de/kjhgFG
    http ://themclarenfamily .com/kjhgFG

This delivers heropad64.exe (VirusTotal 51/67[3]) (Payload Security[4]) which in turn sends a post request with system fingerprints to
  http ://webhotell .enivest.no/cuYT39.enc  
where if the response is acceptable it then downloads the Locky ransomware file from that site in an encrypted text format and converts it to a working .exe. 6213Lq3p.exe (VirusTotal 8/67[5]).
It then autoruns it & deletes both the encrypted txt and the binary. It further contacts what looks like a C2 at
 http ://gdiscoun .org ...
... easy to protect against by changing 1 simple setting in Microsoft Word (provided your company does -not- use the DDE feature to dynamically update word files with content from Excel spreadsheets etc). See HERE for details:
- https://myonlinesecu...ro-viruses/#dde

... The Word doc has changed slightly since last week with a couple of blue star like images instead of just a few Russian characters or words:
> https://myonlinesecu..._921629_doc.png

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1508840890/

** https://www.hybrid-a...vironmentId=100


3] https://www.virustot...6b0f2/analysis/

4] https://www.hybrid-a...vironmentId=100
DNS Requests
217.175.4.4
Contacted Hosts
217.175.4.4

5] https://www.virustot...sis/1508841472/
6213Lq3p.exe
___

Fake 'Scan Data' SPAM - delivers Locky via 'DDE exploit'
- https://myonlinesecu...yvictim-domain/
24 Oct 2017 - "... Once again the word doc contains embedded links that use the 'DDE exploit' to contact a remote server & get a base64 encoded string which decodes to a set of instructions to contact a list of urls in turn, until one responds, to download a small file which in turn downloads the main Locky ransomware binary...

... easy to protect against by changing 1 simple setting in Microsoft Word (provided your company does not use the DDE 'feature' to dynamically update word files with content from Excel spreadsheets etc) See HERE for details:
> https://myonlinesecu...ro-viruses/#dde..."
___

Fake 'Order acknowledgement' SPAM - malicious attachment
- http://blog.dynamoo....gement-for.html
24 Oct 2017 - "A change to the usual -Necurs- rubbish, this -fake- order has a malformed .z archive file which contains a malicious executable with an icon to make it look-like an Office document:
    Reply-To:    purchase@ animalagriculture .org
    To:    Recipients [DY]
    Date:    24 October 2017 at 06:48
    Subject:    FW: Order acknowledgement for BEPO/N1/380006006(2)
    Dear All,
    Kindly find the attached Purchase order# IT/IMP06/06-17 and arrange to send us the order acknowledgement by return mail.
    Note: Please expedite
    the delivery as this item is very urgently required.
    Regards,  Raj Kiran
    (SUDARSHAN SS)  NAVAL SYSTEMS (S&CS) ...


Attached is a file -Purchase order comfirmation.doc.z- which contains a malicious executable 'Purchase order comfirmation.exe' which currently has a detection rate of 12/66*. It looks like the archive type does
-not- actually match the extension:
> https://3.bp.blogspo.../7zip-error.png
If the intended target -hides- file extensions then it is easy to see how they could be fooled:
> https://2.bp.blogspo...As/s1600/po.png
... VirusTotal shows this information about the file**...
The Hybrid Analysis*** is a little interesting (seemingly identifying it as Loki Bot), showing the malware phoning home to:
jerry.eft-dongle .ir/njet/five/fre.php (188.165.162.201 / Mizban Web Paytakht Co. Ltd., Iran)
> https://www.virustot...01/information/
... RIPE show them as being in Tehran:
> https://www.ripe.net...ata/ir.mwp.html
... if you are -not- interested in sending traffic to Iran, Mizban Web Paytakht own AS64428 which comprises 185.165.40.0/22 as well. I'll make a guess that the 188.165.162.200/29 range may be -insecure- and could be worth blocking... You probably -don't- need to accept .z attachments at your mail perimeter, and any decent anti-spam tool should be able to look inside archives to determine what is in there."
* https://www.virustot...e010f/analysis/
Purchase order comfirmation.exe

** File detail: SysInv2.exe

*** https://www.hybrid-a...vironmentId=100
DNS Requests
188.165.162.201
Contacted Hosts
188.165.162.201
 

Edited by AplusWebMaster, 25 October 2017 - 06:47 AM.
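A perimeter-side check for the attachment tricks described in the post above (a .z archive whose contents do not match its extension, an executable carrying an Office icon, ACE and multi-volume RAR containers, a space before the extension), added here as an example and not code from dynamoo or myonlinesecurity. It compares each attachment's declared extension with what its magic bytes reveal; the file names are taken from the posts, the byte strings are constructed stubs that carry only the signatures.

```python
"""Triage an e-mail attachment by its name and its magic bytes.

Added defender-side example (standard library only), not code from the
original posts. The signatures are the well-known ones for the container
formats named in the posts; the sample bodies are constructed stubs.
"""
import re

# (offset, signature, type) for the containers seen in the posts.
MAGIC = (
    (0, b"PK\x03\x04", "zip"),                         # .zip, .jar, .docx
    (0, b"Rar!\x1a\x07", "rar"),                       # .rar and .rNN volumes
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (7, b"**ACE**", "ace"),                            # ACE keeps its marker at offset 7
    (0, b"\x1f\x9d", "compress-z"),                    # a real Unix .Z file
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # binary .doc / .xls
    (0, b"MZ", "pe"),                                  # Windows executable
)
# What the magic bytes should say for a given declared extension.
EXPECTED = {".zip": "zip", ".jar": "zip", ".docx": "zip", ".xlsx": "zip",
            ".rar": "rar", ".7z": "7z", ".ace": "ace", ".z": "compress-z",
            ".doc": "ole", ".xls": "ole", ".exe": "pe", ".com": "pe", ".scr": "pe"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".js", ".jse", ".vbs", ".vbe",
             ".hta", ".jar", ".bat", ".cmd", ".ps1"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}
# Containers most recipients cannot open and most mail gateways need not accept.
UNUSUAL_ARCHIVE = re.compile(r"^\.(ace|z|arj|r\d\d)$")


def sniff(data):
    """Return the container type implied by the magic bytes, or 'unknown'."""
    for offset, sig, kind in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return kind
    return "unknown"


def extensions(filename):
    """Every dot-extension in a name, spaces removed, so 'NEW INVOICE .com'
    yields ['.com'] and 'order.doc.z' yields ['.doc', '.z']."""
    parts = filename.lower().replace(" ", "").split(".")
    return ["." + p for p in parts[1:] if p]


def triage(filename, data):
    """Compare the declared extension with the sniffed type and list findings."""
    exts = extensions(filename)
    declared = exts[-1] if exts else ""
    actual = sniff(data)
    findings = []
    if declared in EXEC_EXTS:
        findings.append("executable-extension")
    if any(e in DOC_EXTS for e in exts[:-1]):        # e.g. ".doc.z"
        findings.append("double-extension")
    if UNUSUAL_ARCHIVE.match(declared):
        findings.append("unusual-archive")
    expected = EXPECTED.get(declared)
    if expected and actual != expected:               # the 7zip-error case
        findings.append("type-mismatch")
    if actual == "pe" and declared not in EXEC_EXTS:  # exe dressed as a document
        findings.append("executable-content")
    return {"declared": declared, "actual": actual, "findings": findings,
            "verdict": "quarantine" if findings else "allow"}


# Constructed sample bodies: just enough bytes to carry the signatures.
SAMPLES = {
    "Purchase order comfirmation.doc.z": b"PK\x03\x04" + bytes(26),
    "Quotation.exe": b"MZ\x90\x00" + bytes(60),
    "Quotation.xls": b"MZ\x90\x00" + bytes(60),
    "PAYMENT.ace": bytes(7) + b"**ACE**" + bytes(16),
    "NEW INVOICE .R23": b"Rar!\x1a\x07\x00" + bytes(16),
    "Payment508879883.jar": b"PK\x03\x04" + bytes(26),
    "Invoice.docx": b"PK\x03\x04" + bytes(26),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        print(f"{name!r:40} {r['actual']:11} {r['verdict']:11} {r['findings']}")
```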


#2014 AplusWebMaster

Posted 25 October 2017 - 07:18 AM

FYI...

Fake 'Quotation' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
25 Oct 2017 - "... an email with the subject of 'Re: Quotation' pretending to come from SNG Equipment <sales@ sngequipment .com> (in previous similar emails, the sender & companies mentioned in the email body were fairly random). I am not entirely sure what malware this is. Indications are it could be Lokibot... This file has an icon that makes it look like it is an Excel spreadsheet. Unless you have “show known file extensions enabled“, it can easily be mistaken for a genuine XLS spreadsheet instead of the .EXE file it really is, so making it much more likely for you to accidentally open it and be infected...

Screenshot: https://myonlinesecu...ation-email.png

Quotation.zip: Extracts to: Quotation.exe - Current Virus total detections 12/65*. Payload Security** ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1508905407/
Quotation.exe

** https://www.hybrid-a...vironmentId=100
___

Fake 'Payment slip' SPAM - delivers Java Trojan
- https://myonlinesecu...rs-java-trojan/
25 Oct 2017 - "... emails containing java Adwind, Java Jacksbot or other Java backdoor or Remote Access Trojans. We see these sort of emails frequently. Today’s has a slightly different subject and email content to many of the previous ones. This has a link-to-download-the-java-file rather than an attachment containing the malware...

Screenshot: https://myonlinesecu...t-Slip-Copy.png

The -link- hidden behind the image goes to
  http ://www.system.air-alicante .eu/lib/css/Payment508879883.jar (519kb)
Current Virus total detections 1/62*. Payload Security**... system.air-alicante .eu looks to be a compromised Virtual Airline Site that appears to have been abandoned by its owner after a server crash. It was registered by Godaddy in July 2016 to a German Registrant. Currently hosted on 206.214.223.170 ServInt AS25847 which appears to be “owned” by a reseller fivedev .net who doesn’t have any abuse or contact details... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1508882800/

** https://www.hybrid-a...vironmentId=100

system.air-alicante .eu: 206.214.223.170: https://www.virustot...70/information/
> https://www.virustot...149ee/analysis/
___

Fake 'Payment Advice' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
25 Oct 2017 - "... an email with the subject of 'RE: Payment Advice 2000076579' (probably random numbers, although both copies I received have the same numbers) pretending to come from OFFICE <office@ transferdept .com> with an ACE file attachment (ACE files are a lesser known form of zip file that needs special programs to unzip them. A high proportion of recipients will -not- have this software on their computer)... no idea what malware this actually is, although it is quite well detected on Virus Total as a generic malware... As far as I can determine transferdept .com is a domain that is up for sale and has no website etc associated with it...

Screenshot: https://myonlinesecu...-2000076579.png

PAYMENT.ace (VirusTotal 10/59*): Extracts to: PAYMENT.exe Current Virus total detections 28/67**.
Payload Security[3]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1508921444/

** https://www.virustot...sis/1508933216/
PAYMENT.exe

3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.58.209.238

transferdept .com: A temporary error occurred during the lookup...
___

Fake 'Sage invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
25 Oct 2017 - "... an email with the subject of 'Your Sage subscription invoice is ready' pretending to come from Sage which delivers Dridex banking trojan...

Screenshot: https://myonlinesecu...eady_-email.png

... The link-in-the-email goes to a -compromised- or fraudulently set up OneDrive for business/ SharePoint site where a zip file containing a .js file is downloaded. That eventually downloads the Dridex banking Trojan:
 https ://tailoredpackaging-my.sharepoint .com/personal/bec_tailoredpackaging_com_au/_layouts/15/guestaccess.aspx?docid=0b5a1a2799b6e419daf97f646640e195b&authkey=AduyYkbo5mf9IESLsGPE6yk

Sage subscription invoice.zip: Extracts to: Sage subscription invoice.js Current Virus total detections 2/59*
 Payload Security** | Dridex Payload VirusTotal 13/67[3]| Payload Security[4]... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1508929523/
Sage subscription invoice.js.bin

** https://www.hybrid-a...vironmentId=100


3] https://www.virustot...sis/1508933673/
mvrdcoqbki2.exe

4] https://www.hybrid-a...vironmentId=100


tailoredpackaging-my.sharepoint .com: 104.146.164.27: https://www.virustot...27/information/
 

Edited by AplusWebMaster, 25 October 2017 - 03:12 PM.


#2015 AplusWebMaster

Posted 26 October 2017 - 07:52 AM

FYI...

Fake 'TRANSFER PAYMENT ERROR' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
26 Oct 2017 - "... an email with the subject of 'TRANSFER PAYMENT ERROR (URGENT ATTENTION!!!)' pretending to come from OFFICE <office@ transferdept .com> with an ACE file attachment (ACE files are a lesser known form of zip file that needs special programs to unzip them. A high proportion of recipients will not have this software on their computer). Yesterday we saw a similar malspam campaign using the same-email details spoofing transferdept .com[1]... not sure what malware this actually is, although it is quite well detected on Virus Total as a generic malware. It is most probably Fareit trojan...
1] https://myonlinesecu...livers-malware/

Screenshot: https://myonlinesecu...NTION-email.png

PAYMENT ADVICE.ace (VirusTotal 19/59*): Extracts to: PAYMENT ADVICE.exe
- Current Virus total detections 29/66**. Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1509003325/

** https://www.virustot...sis/1509008143/
PAYMENT ADVICE.exe

*** https://www.hybrid-a...vironmentId=100
___

Fake 'Invoice' SPAM - delivers Fareit trojan
- https://myonlinesecu...-fareit-trojan/
26 Oct 2017 - "... an email with the subject of 'Re: Invoice' pretending to come from Sales (random names and email addresses) delivers Fareit/Pony trojan...

Screenshot: https://myonlinesecu...voice_email.png

NEW INVOICE.R23 (113kb): Extracts to: NEW INVOICE .com (which is an absolutely massive 11.5MB in size) 

Current Virus total detections 14/66*. Payload Security**| tries to contact
 http ://laximdiamond .com/fta/panel/shit.exe (which gives a 404) however there is an open directory
 http ://laximdiamond .com/fta/panel/ where we see this:
> https://myonlinesecu...aximdiamond.png
It should be noted that this file has an invalid Microsoft Digital signature that expired in 2011:
> https://myonlinesecu...l-signature.png

The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...0daff/analysis/
daff.exe
Additional Information:
File names: Madhavan.exe
daff.exe
NEW INVOICE .com
Madhavan
NEW INVOICE .com

** https://www.hybrid-a...vironmentId=100
DNS Requests
45.122.138.22
Contacted Hosts
45.122.138.22

laximdiamond .com: 45.122.138.22: https://www.virustot...22/information/
> https://www.virustot...96c4d/analysis/
___

Fake 'account documents' SPAM - delivers Trickbot via DDE exploit
- https://myonlinesecu...he-dde-exploit/
26 Oct 2017 - "... using the DDE exploit[1] to perform malware campaigns... today the Trickbot gang have got in the act with an email with the subject of 'Your account documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <noreply@ lloydsbankdownload .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...
1] https://www.bleeping...needing-macros/

Screenshot: https://myonlinesecu...ments-email.png

> https://myonlinesecu...uments_docx.png

Documents.docx - Current Virus total detections 4/58*. Payload Security**...
This malware docx file downloads from
 http ://preview.tastymovies .com/moviefiles/lorangosor.png which of course is -not- an image file but a renamed .exe file that gets renamed to ect.exe (VirusTotal 12/67***)
Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar using privacy protection services.
  lloydsbankdownload .com hosted on numerous servers and IP addresses and sending the emails via  185.106.121.26  smtp3.wow-me .org | 95.211.213.219 | 185.2.81.3 | 213.152.162.231 | All of which are based in Netherlands... DO NOT follow the advice they give to enable macros or enable editing to see the content...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1509019722/
ec4b69380c33a9fa2b0145ed0b118ef2.doc

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...e5d5a/analysis/

smtp3.wow-me .org: A temporary error occurred during the lookup...


 

tastymovies .com: 69.12.77.100: https://www.virustot...00/information/
> https://www.virustot...27b03/analysis/
___

Fake 'RBS bank line secure email' SPAM - delivers Trickbot via DDE exploit
- https://myonlinesecu...ia-dde-exploit/
26 Oct 2017

Screenshot: https://myonlinesecu...ecure-email.png

> https://myonlinesecu...24533._docx.png

DO NOT follow the advice they give to enable macros or enable editing to see the content...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."

(More detail at the myonlinesecurity.co.uk URL above. )
 

Edited by AplusWebMaster, 26 October 2017 - 09:45 AM.
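A detection-side check for the Word DDE field trick these posts describe, added here as an example and not code from myonlinesecurity or the forum: it opens a .docx (a zip of XML parts), reassembles every field code, including ones split across several runs or placed in a header, and reports any that contains DDE or DDEAUTO. The sample documents and the example_server / example_topic field are constructed for the demo, and the scanner assumes the OOXML .docx format only.

```python
"""Scan a .docx for DDE / DDEAUTO field codes.

Added example (standard library only), not code from the original posts.
Field codes live either in a w:fldSimple 'instr' attribute or, for complex
fields, in w:instrText runs between fldChar begin/end markers, which may be
deliberately split over several runs.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _field_codes(xml_bytes):
    """Yield every field instruction in one XML part, whitespace-normalised."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter(W + "fldSimple"):          # simple fields: attribute
        instr = el.get(W + "instr")
        if instr:
            yield " ".join(instr.split())
    depth, buf = 0, []                             # complex (possibly nested) fields
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    code = " ".join("".join(buf).split())
                    buf = []
                    if code:
                        yield code
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")              # join fragments of one code


def find_dde_fields(docx_bytes):
    """Return [(part, field_code)] for each DDE/DDEAUTO field in any XML part
    under word/ (body, headers, footers, footnotes, ...)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in sorted(zf.namelist()):
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            try:
                codes = list(_field_codes(zf.read(part)))
            except ET.ParseError:
                hits.append((part, "<unparseable xml>"))   # worth a look too
                continue
            hits.extend((part, c) for c in codes if DDE_RE.search(c))
    return hits


def build_docx(parts):
    """Construct a minimal .docx from {part_name: xml_text} (demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def _doc(body):
    return '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body)


CLEAN_DOCX = build_docx({"word/document.xml": _doc("<w:p><w:r><w:t>Invoice</w:t></w:r></w:p>")})

# Constructed sample: the code is split over two runs and the visible text
# mimics the "update links" prompt the posts describe.
SPLIT_FIELD = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO example_server example_topic </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Click Yes to update links</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
HEADER_FIELD = ('<w:hdr xmlns:w="%s"><w:p><w:fldSimple w:instr=" DDE example_server example_topic ">'
                '<w:r><w:t>x</w:t></w:r></w:fldSimple></w:p></w:hdr>' % W_NS)
SUSPECT_DOCX = build_docx({"word/document.xml": _doc(SPLIT_FIELD),
                           "word/header1.xml": HEADER_FIELD})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOCX), ("suspect", SUSPECT_DOCX)):
        print(label, find_dde_fields(blob))
```

The binary .doc files most of these campaigns used are OLE compound files, not zips, so they need a separate parser; this check covers the .docx variants such as the Trickbot sample above.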


#2016 AplusWebMaster

Posted 31 October 2017 - 09:17 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky via word docs with embedded OLE objects
- https://myonlinesecu...ed-ole-objects/
31 Oct 2017 - "... another change in the Necurs botnet malspam delivery that normally delivers Locky ransomware or Trickbot banking trojan. After a week or so of using the DDE exploit, today they have switched back to embedded-OLE-objects inside a word doc... The emails pretend to be invoices with a completely empty-blank-body... The word doc contains an embedded PowerShell -script- that runs when you follow their prompts to double-click-the-image. This contacts a remote server where it opens in memory (without saving to the disc in any obvious way) a set of instructions to contact a list-of-urls in turn, until one responds, to download a small file...

Screenshot: https://myonlinesecu...00808_email.png

The word doc looks like:
> https://myonlinesecu...0000808_doc.png

Invoice INV0000808.doc - Current Virus total detections 5/61*. Payload Security** contacts
  http ://christakranzl .at/eiuhf384 where it downloads to memory a set of instructions that give
these 6 urls:
 "http ://projex-dz .com/i8745fydd",
 "http ://celebrityonline .cz/i8745fydd",
 "http ://sigmanet .gr/i8745fydd",
 "http ://apply.pam-innovation .com/i8745fydd",
 "http ://bwos .be/i8745fydd",
 "http ://zahntechnik-imlau .de/i8745fydd"
... Using a UK based IP number, this delivered requ4.exe which is an old well known remote admin tool Netcat. (VirusTotal 48/67[3])... using a USA based IP via a proxy, I also got requ4.exe (from the same urls) but a totally different version that looks like Locky ransomware (VirusTotal 15/66[4]) (Payload Security[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1509442810/

** https://www.hybrid-a...vironmentId=100
DNS Requests
88.198.9.176
5.196.81.12

Contacted Hosts
88.198.9.176
5.196.81.12


3] https://www.virustot...sis/1509448777/
nc.exe

4] https://www.virustot...sis/1509452021/
requ4.exe

5] https://www.hybrid-a...vironmentId=100
DNS Requests
77.93.62.179
Contacted Hosts
77.93.62.179

5.196.81.12: https://www.virustot...12/information/
> https://www.virustot...d71de/analysis/

88.198.9.176: https://www.virustot...76/information/
> https://www.virustot...c66b5/analysis/
 

Edited by AplusWebMaster, 31 October 2017 - 10:31 AM.


#2017 AplusWebMaster

Posted 03 November 2017 - 08:43 AM

FYI...

Banking Trojan targets Google Search Results (SEO)
- http://blog.talosint...a-campaign.html
Nov 2, 2017 - "It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything you need to know. Links returned by a Google search, however, are not guaranteed to be safe. In this situation, the threat actors decided to take advantage of this behavior by using Search Engine Optimization (SEO) to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus-Panda-banking-Trojan. By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion. By targeting primarily financial-related keyword searches and ensuring that their -malicious- results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time... The initial vector used to initiate this infection process does not appear to be email based. In this particular campaign, the attacker(s) targeted specific sets of search keywords that are likely to be queried by potential targets using search engines such as Google. 
By leveraging compromised web servers, the attacker was able to ensure that their malicious results would be ranked highly within search engines, thus increasing the likelihood that they would be clicked on by potential victims...
Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape. Users, however, must also remain vigilant and think twice before clicking-a-link, opening-an-attachment or even blindly trusting the results of a Google search..."
IPs Distributing Maldocs:
67.195.61.46: https://www.virustot...46/information/

C2 IP Addresses:
82.146.59.228: https://www.virustot...28/information/
(More detail at the talosintelligence URL above.)
___

'Coin Miner' Malware - hits Google Play
- http://blog.trendmic...ts-google-play/
Oct 30, 2017 - "... Recently, we found that apps with -malicious- cryptocurrency mining-capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER. This is not the first time we’ve found these types of apps on app stores. Several years ago, we found -malicious- apps on the Google-Play-store detected as ANDROIDOS_KAGECOIN, a malware family with hidden-cryptocurrency-mining capabilities:
> https://www.gdatasof...oes-to-the-moon

... We’ve previously seen tech support scams** -and- compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users. However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER.
** http://blog.trendmic...s-monero-miner/
 We found two apps; one supposedly helps users pray the rosary, while the other provides discounts of various kinds:
> https://blog.trendmi...id-mining-1.png
...
> https://blog.trendmi...id-mining-2.png
Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key... This JavaScript code runs within the app’s webview, but this is -not- visible to the user because the webview is set to run in -invisible- mode by default... Another family of malicious apps takes -legitimate-versions- of apps and adds mining libraries, which are then repackaged and distributed. We detect these as ANDROIDOS_CPUMINER. One version of this malware is in Google Play and disguised as a wallpaper application:
> https://blog.trendmi...id-mining-5.png
These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of -any- performance degradation on their devices after installing an app. We have reached out to Google, and the apps mentioned in this post are no longer on Google Play..."

Related posts: http://blog.trendmic...e-banking-apps/

> http://blog.trendmic...s-monero-miner/

> http://blog.trendmic...er-information/

> http://blog.trendmic...ead-filelessly/
"... Conclusion: Fileless attacks are becoming more common. Threat actors are increasingly using attack methods that work directly from memory and use legitimate tools or services*. In this case, WMI subscriptions have been used by this cryptocurrency-mining malware as its -fileless- persistence mechanism. Since there are no malware files on the hard drive, it’s more difficult to detect..."
* Fileless Threats that Abuse PowerShell
> https://www.trendmic...buse-powershell
 

Edited by AplusWebMaster, 03 November 2017 - 11:51 AM.


#2018 AplusWebMaster

Posted 07 November 2017 - 06:40 AM

FYI...

Fake 'invoice' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
7 Nov 2017 - "... an email with a subject of 'Invoice #231910390' (random numbers) pretending to come from XXDocumentSend at your own email address or company domain... Once again the word doc contains an embedded OLE object that when clicked on opens a PowerShell script which contacts a remote server & get a text string which contains a set of instructions to contact a list of urls in turn, until one responds, to  download the main Locky ransomware or Trickbot binary...

Screenshot: https://myonlinesecu...10390-email.png

... over the last couple of weeks or so the downloaders from the Necurs botnet used system fingerprinting to decide which malware to give to any victim. Certain countries and IP ranges got Locky, others got Trickbot banking trojan. I am pretty sure that these Word embedded OLE downloaders and the downloaders will also be using the same techniques:
> https://myonlinesecu...-ole-object.png

115403772_11_07_2017_14_87_41.doc - Current Virus total detections 11/60*. Payload Security** | contacts
 ‘http ://gotcaughtdui .com/693’ where it downloads to memory the text string which contains these 6 urls
 "http ://teesaddiction .com/JHgd3Dees",
 "http ://christaminiatures .nl/JHgd3Dees",
 "http ://336.linux1.testsider .dk/JHgd3Dees",
 "http ://florastor .net/JHgd3Dees",
 "http ://heinzig .info/JHgd3Dees",
 "http ://muchinfaket .net/p66/JHgd3Dees"
This delivers wera4.exe (VirusTotal 10/66[3]) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1510048862/
115403772_11_07_2017_14_87_41.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
132.148.21.213
217.73.227.10

Contacted Hosts
132.148.21.213
217.73.227.10


3] https://www.virustot...735ce/analysis/

4] https://www.hybrid-a...vironmentId=100
___

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
7 Nov 2017 - "An email with the subject of 'You have a new fax' pretending to come from eFax Corporate but actually coming from a look-a-like domain <message@ efax-secure .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...x-from-eFax.png

Today’s example of the spoofed domains are, as usual, registered via Godaddy as registrar.
    efax-secure .com hosted on and sending the emails via 134.19.180.224 hosted-by .rapidrdp .com AS49453 Global Layer B.V. | 95.211.214.251 AS60781 LeaseWeb Netherlands B.V. | 185.106.121.147 free.hostsailor .com AS60117 Host Sailor Ltd. | 185.2.81.10 guish.elvb-listverify .com AS49981 WorldStream B.V. |

HighlyEncryptedFax.doc - Current Virus total detections 3/59*. Payload Security**
This malware file downloads from
 http ://styleof.co .uk/ser1107.png which of course is -not- an image file but a renamed .exe file that gets renamed to Hmmd.exe (VirusTotal 8/61[3]). An alternative download location is
 http ://tablet-counter .com/ser1107.png
This email -attachment- contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...ptedFax_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1510053544/
HighlyEncryptedFax.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
37.120.182.208
79.171.39.110
146.255.32.109

Contacted Hosts
79.171.39.110
146.255.32.109
37.120.182.208
176.120.126.21
194.87.93.48
62.109.10.76


3] https://www.virustot...sis/1493725297/
Epvuyf.exe
 



Edited by AplusWebMaster, 07 November 2017 - 07:24 AM.



#2019 AplusWebMaster


Posted 08 November 2017 - 11:29 AM

FYI...

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecu...-efax-messages/
8 Nov 2017 - "... this week the Trickbot gangs have decided to continue with -imitating- eFax to distribute their malware. Unlike yesterday’s version[1], which looked quite realistic, today’s version is quite a pale imitation...
1] https://myonlinesecu...banking-trojan/
This example, an email with the subject of 'You have received a fax message' pretending to come from eFax but actually coming from a series of look-a-like domains <noreply@ faxmessage*** .ml> (*** = 1 to 599) with a malicious word doc attachment, is the second of today’s spoofs of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ge_8_nov_17.png

faxmessage*** .ml is being hosted on different IP numbers & ranges all appearing to be -compromised- ISP IP numbers from major ISPs in UK, Europe & USA. In previous phishing and malware scams by this criminal gang they used a range of domain numbers between 1 and 600 over several days, so there could be a lot more to come.

efax1298357237174_23536.doc - Current Virus total detections 5/60*. Payload Security**
This malware doc file downloads using PowerShell from
 http ://transfercar24 .de/xjersey/grondbag.png which of course is -not- an image file but a renamed .exe file that gets renamed to slaaen.exe (VirusTotal 18/67***)
Alternative download site:
 http ://theartofinvestment .co.uk/authentic/grondbag.png
The word doc looks like:
> https://myonlinesecu...53_2425_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1510147039/
efax1298357237174_23536.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
200.47.70.193
127.0.0.4
78.47.139.102
87.106.3.106

Contacted Hosts
87.106.3.106
78.47.139.102
82.146.62.66
92.53.67.5


*** https://www.virustot...sis/1510152607/
grondbag.png.exe

transfercar24 .de: 87.106.3.106: https://www.virustot...06/information/
> https://www.virustot...0bbd0/analysis/

theartofinvestment .co.uk: ... A temporary error occurred during the lookup...
___

Drive-by cryptocurrency mining
> https://www.helpnets...urrency-mining/
Nov 8, 2017

(MANY details at the URL above.)
 



Edited by AplusWebMaster, 08 November 2017 - 04:34 PM.



#2020 AplusWebMaster


Posted 10 November 2017 - 10:56 AM

FYI...

Fake 'Resume' SPAM - delivers malware
- https://myonlinesecu...eliver-malware/
10 Nov 2017 - "... This is a continuation from these 2 previous posts about malware using resumes or job applications as the lure [1] [2]...
1] https://myonlinesecu...obe-ransomware/
2] https://myonlinesecu...ads-to-malware/
... you can see from the email headers, these pass all authentication checks, so stand quite a good chance of being delivered to a recipient... the web address the word doc downloads from
 http ://89.248.169.136 /bigmac.jpg is exactly the same as reported on 8th October 2017. More than 1 month ago & still live and spewing out malware...

Screenshot: https://myonlinesecu...resume_amir.png

resume.doc - Current Virus total detections 11/59*. Payload Security**...
This malware downloads from http ://89.248.169.136 /bigmac.jpg which of course is -not- an image file but a renamed .exe ASDlkoa.exe (VirusTotal 18/67[3]) (Payload Security[4])... This word doc looks like this:
> https://myonlinesecu.../resume_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1510290607/
resume.doc

** https://www.hybrid-a...vironmentId=100

Hybrid Analysis
89.248.169.136: https://www.virustot...36/information/
> https://www.virustot...f8f9e/analysis/

3] https://www.virustot...sis/1510290556/
ASDlkoa.exe

4] https://www.hybrid-a...vironmentId=100
DNS Requests
145.249.104.14
212.227.91.231

Contacted Hosts
212.227.91.231
145.249.104.14
104.16.40.2
216.58.201.228
216.58.201.238

___

Fake 'MoneyGram' SPAM - Java Adwind delivered
- https://myonlinesecu...m-notice-again/
10 Nov 2017 - "... mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total normally detect these heuristically...
1] https://myonlinesecu.../?s=java adwind
Make Note: JavaAdwind/JavaJacksbot are both very dangerous remote access backdoor Trojans...

Screenshot: https://myonlinesecu...e-1110_2017.png

There is -no-attachment- with this malspam campaign, but instead a -link- that activates when you click the image in the email, which downloads
 http ://ferraniguillem .com/MG%20Notice%201110.zip which is NOT a .zip but a .rar file. It will not extract until you -rename- it to rar and then only in WinZip -not- in any other of my extraction tools... eventually extracts to:
MG Notice 1110.JAR (532kb) Current Virus total detections 15/58*. Payload Security**...  
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustot...sis/1510301644/
MG Notice 1110.JAR

** https://www.hybrid-a...vironmentId=100

ferraniguillem .com: 82.98.139.51: https://www.virustot...51/information/
> https://www.virustot...9b12d/analysis/
___

Fidelity Investments – Phish...
- https://myonlinesecu...otice-phishing/
10 Nov 2017 - "... one we don’t often see in the UK. Fidelity Investments is a US based bank or institution...

Screenshot: https://myonlinesecu...-scam-email.png

If you follow the link-in-the-email
 http ://www.meyvesebze .net/wp-content/plugins/p.php which -redirects- you to
 https ://www.todentists .ca/Site/styles/RtlCust/IdentifyUser/login.php?cmd=login_submit&id=e992ab62da234424f3975ad9356b4929e992ab62da234424f3975ad9356b4929&session=e992ab62da234424f3975ad9356b4929e992ab62da234424f3975ad9356b4929
... you see a webpage looking like this:
> https://myonlinesecu...ty_phishing.png

After you input your User Name and Password, you get forwarded to a page asking for Social security number, Date of Birth, Email Address and Email Password:
> https://myonlinesecu...y_phishing2.png

Then you get a failure page saying “Due to a technical error, the update system is temporarily unavailable. We apologize for the inconvenience. Please try again later”:
> https://myonlinesecu...y_phishing3.png

... Watch for -any- site that invites you to enter ANY personal or financial information... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... Email Headers and phishing Site information: the From address in the email does-not-exist and is totally made up..."

meyvesebze .net: 31.186.8.167: https://www.virustot...67/information/

todentists .ca: 64.118.86.45: https://www.virustot...45/information/
 



Edited by AplusWebMaster, 10 November 2017 - 02:28 PM.



#2021 AplusWebMaster


Posted 13 November 2017 - 08:49 AM

FYI...

Fake 'Sage invoice' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
13 Nov 2017 - "An email with the subject of 'Important: Outdated Invoice' pretending to come from Sage but actually coming from a look-a-like or typo-squatted domain <secure@ sage-invoices .com> with a malicious word doc attachment... delivering Trickbot banking Trojan... Today’s example of the spoofed domains are, as usual, registered via Godaddy as registrar.
    sage-invoices .com  hosted on  185.2.81.187 | 213.152.162.139 | 185.106.121.134 |

Screenshot: https://myonlinesecu...ted-invoice.png

SecureMessage.doc - Current Virus total detections 2/60*. Payload Security**...
This malware file downloads from
 http ://styleof .co.uk/ser1113.png which of course is -not- an image file but a renamed .exe file that gets renamed to yjgeidqce.exe (VirusTotal 11/66***)
An alternative download location is
 http ://rifweb .co.uk/ser1113.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...sagepay_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...c1f92/analysis/
76SagePay.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
127.0.0.2
79.171.39.110
146.255.36.1
127.0.0.4

Contacted Hosts
79.171.39.110
217.194.212.248
146.255.36.1
179.43.160.50
194.87.238.194
216.177.130.203


*** https://www.virustot...sis/1510574768/
ser1113.png

styleof .co.uk: 79.171.39.110: https://www.virustot...10/information/
> https://www.virustot...0bbc8/analysis/

rifweb .co.uk: 217.194.212.248: https://www.virustot...48/information/
> https://www.virustot...c3ea5/analysis/
 



Edited by AplusWebMaster, 13 November 2017 - 08:56 AM.



#2022 AplusWebMaster


Posted 14 November 2017 - 06:38 AM

FYI...

Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecu...uments-malspam/
14 Nov 2017 - "An email with the subject of 'Secure email message' pretending to come from Lloyds Bank but actually coming from... look-a-like or typo-squatting domains and email addresses <secure@ lloydsconfidential .com>
  or <secure@ lloydsbankdocs .com> or <secure@ lloydsbankconfidential .com> with a malicious word doc attachment  is today’s latest -spoof- of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...Lloyds-Bank.png

Despite the instructions in the email to use the Authorisation code in the word doc, there is nowhere to enter it and it is not needed. The criminals are relying on you being fooled by this simple Social Engineering trick persuading you to enable Macros and content to infect you & steal your Money, Passwords and Bank details.
They tell you "Note: Contents of this document are protected and secured. If you have problems viewing/loading secure content, please select “Enable Content” button."
Do -NOT- enable Macros or Content under any circumstances. That will infect you...

Today’s example of the -spoofed- domains are, as usual, registered via Godaddy as registrar.
 lloydsconfidential .com  hosted on and sending emails via 185.106.121.78
  free.hostsailor .com AS60117 Host Sailor Ltd.
 lloydsbankconfidential .com hosted on and sending emails via 95.211.104.108 hosted-by.swiftslots .com
AS60781 LeaseWeb Netherlands B.V.
  lloydsbankdocs .com hosted on and sending emails via 134.19.180.151 134191801511.onlinemarketmix .com AS49453 Global Layer B.V.

doc1_46.doc - Current Virus total detections 3/59*. Payload Security**...
This malware file downloads from
 http ://simplicitybystrasser .com/images/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to a .exe file. (VirusTotal 9/68***).
An alternative download location is
 http ://lhelectrique .com/logo.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.

The word doc looks like:
> https://myonlinesecu...doc1_46_doc.png

DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1510661006/
doc1_46.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
216.239.36.21
23.235.209.96

Contacted Hosts
23.235.209.96
216.239.36.21
92.63.107.222
91.211.247.94


*** https://www.virustot...8e952/analysis/
logo.png

simplicitybystrasser .com: 23.235.209.96: https://www.virustot...96/information/
> https://www.virustot...65de7/analysis/

lhelectrique .com: 173.209.38.131: https://www.virustot...31/information/
> https://www.virustot...e7a81/analysis/
___

Fake 'Bank login' - Phish...
- https://myonlinesecu...count-phishing/
14 Nov 2017 - "... phishing attempts for Bank login details. This one is actually quite effective when you get to the site. As you can see from the screenshots, it is very easy to be fooled by the
 http ://www.halifax-online .co.uk.personal.logon.login.jsp at the start of the URL in the browser address bar
(Highlighted in Yellow) where the real web address you are sent to is lifextension .ro (Highlighted in Green)...

Screenshot: https://myonlinesecu...14_nov_2017.png

... If you follow the-link-inside-the-email you first get sent to
 https ://superjasa .com/wp-admin/js/widgets/x86x.php  which immediately redirects you to
 http ://www.halifax-online .co.uk.personal.logon.login.jsp.1510638768542.lifextension .ro/RT28JASHHDAS02/Login.php?sslchannel=true&sessionid=WR3WM0KHcrFBC45ugtRa7iFomyQGXFz5fraRrou3vd4QceX3svWxy82f4JzNRFdeGOjHnwfj5iI0UJ2T

where you see a webpage looking like this:
> https://myonlinesecu...tension.ro_.png

... Both sites involved in this phish are likely to be -compromised- sites, being used without the website owners' knowledge
 http ://lifextension .ro - 76.72.173.69: https://www.virustot...69/information/

There is a message on the home page for lifextension .ro warning that the hosting agreement for this page has expired! but the hosts/resellers have only put that on the home page -not- on any subdomains so the phish stays active... the DCM software “company” is a webdesigner and hosting reseller, who aren’t taking security of their clients’ sites seriously enough. By the layout and design of their own website they must think of style over substance and that mistakes and errors don’t matter (various missing & broken links, including social media buttons going nowhere):
- https://myonlinesecu...xtension_ro.png

> https://www.virustot...dca0b/analysis/

Has a malware prompt on its home page, luckily the file is hosted-on-Dropbox & no longer available for download.

superjasa .com: 202.52.146.30: https://www.virustot...30/information/
 



Edited by AplusWebMaster, 14 November 2017 - 10:07 AM.

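The look-alike hostname trick in the Halifax phish above (a host that begins with halifax-online .co.uk but is actually registered as lifextension .ro) can be caught mechanically by comparing the registrable domain with the brand domain embedded in the host. Added example in Python, not tooling from the post or from myonlinesecurity; the public-suffix table and the brand list are simplified assumptions, and the sample URLs are the two hostnames the post discusses.

```python
"""Flag URLs whose hostname embeds a well-known site's domain but is
registered under a different one.

Added example, not tooling from the forum post.  PUBLIC_SUFFIXES is a
tiny stand-in for the Public Suffix List and BRAND_DOMAINS is an
assumption made for illustration.
"""
from urllib.parse import urlsplit

# Assumption: a small subset of public suffixes.  Real tooling should
# load the full Public Suffix List.  Longer suffixes are tried first,
# so 'co.uk' wins over 'uk'.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "uk", "com", "net", "org", "ro", "ca"}

# Assumption: legitimate domains of the brands we want to protect.
BRAND_DOMAINS = {"halifax-online.co.uk"}

# Labels that belong in a URL path, not in a hostname.  The phish used
# them to make the host read like a genuine login URL.
PATH_LIKE_LABELS = {"login", "logon", "signin", "personal", "jsp", "php", "html", "aspx"}

# Both URLs are taken from the post; the phish query string is shortened.
PHISH_URL = ("http://www.halifax-online.co.uk.personal.logon.login.jsp."
             "1510638768542.lifextension.ro/RT28JASHHDAS02/Login.php?sslchannel=true")
GENUINE_URL = "https://www.halifax-online.co.uk/personal/logon/login.jsp"


def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label, e.g. 'lifextension.ro'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longer suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def analyse_url(url: str) -> dict:
    """Describe why a URL looks like brand spoofing; empty 'reasons' means clean."""
    host = (urlsplit(url).hostname or "").lower()
    real = registrable_domain(host)
    reasons = []
    if real not in BRAND_DOMAINS:
        # A brand domain appearing as a run of labels inside a host that is
        # registered elsewhere is the core of the trick.
        padded = "." + host + "."
        for brand in BRAND_DOMAINS:
            if "." + brand + "." in padded:
                reasons.append(f"host embeds {brand} but is registered as {real}")
    path_like = sorted(set(host.split(".")) & PATH_LIKE_LABELS)
    if path_like:
        reasons.append("path-like labels in hostname: " + ", ".join(path_like))
    return {"host": host, "registrable_domain": real, "reasons": reasons}


if __name__ == "__main__":
    for u in (PHISH_URL, GENUINE_URL):
        print(analyse_url(u))
```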


#2023 AplusWebMaster


Posted 15 November 2017 - 10:10 AM

FYI...

Fake 'Bankline' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
15 Nov 2017 - "An email with the subject of 'You have a new secure message' pretending to come from Bankline but actually coming from a look-a-like or typo-squatting domain <message@ banklinemail .com> with a link-in-the-email body to download a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan.
Today The Trickbot delivery method has changed somewhat. First, they have a link-in-the-email body to download a word doc. Next they have gone with a generic Bankline sender and domain. There are several banks using the Bankline name, including RBS (Royal Bank of Scotland), NatWest, Ulster Bank and a Bitcoin-Bank-Account called Bankline... no idea which one they are trying to imitate today but it cleverly covers all of them & spreads the net wider than usual. There is also only 1 download location for the Trickbot payload today, they normally have 2. It looks like they have messed up the PowerShell script that gets created by the macro and the 2nd url isn’t being formed correctly...

Screenshot: https://myonlinesecu...ure-message.png

Today’s example of the spoofed domains are, as usual, registered via Godaddy as registrar.
    banklinemail .com hosted on 160.153.129.238 Godaddy AS26496 but also sending emails via 185.106.121.234 | 95.211.104.113 | 46.21.144.11 | 134.19.180.163 | all of which pass authentication and have correct records set.
Despite the instructions in the email to use the Authorisation code in the word doc, there is nowhere to enter it and it is not needed. The criminals are relying on you being fooled by this simple Social Engineering trick persuading you to 'enable Macros' and content to infect you & steal your Money, Passwords and Bank details.
They tell you Note: Contents of this document are protected and secured. If you have problems viewing/loading secure content, please select “Enable Content” button.
Do NOT enable Macros or Content under any circumstances. That will infect you.

8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current Virus total detections 2/59*. Payload Security**...
This malware file downloads from
 http ://aperhu .com/ser111517.png which of course is -not- an image file but a renamed .exe file that gets renamed to tdhq.exe (VirusTotal 11/59***).
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...b460259_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1510740562/
Secure Message.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
127.0.0.2
127.0.0.4
78.47.139.102
143.95.252.46

Contacted Hosts
143.95.252.46
78.47.139.102
92.63.97.68
194.87.110.139


*** https://virustotal.c...57e8d/analysis/
ser111517.png

aperhu .com: 143.95.252.46: https://www.virustot...46/information/
> https://www.virustot...17e8c/analysis/
___

Android Trojan malware discovered in Google Play
- https://blog.malware...ed-google-play/
Nov 14, 2017 - "A new piece of mobile malware has been discovered in Google Play masquerading as multiple apps: an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. According to Google Play data, all were last updated between October and November 2017. These dates are likely when they were added to Google Play, based on their low version numbers (e.g. 1.0, 1.0.1). We named this new malware variant Android/Trojan.AsiaHitGroup based on a URL found within the code of these malicious APKs...
this QR scanner is short lived. You only get one chance to use the app, because after clicking out of it, the icon disappears! Out of frustration, you may immediately go to your apps list to uninstall this bizarre-behaving QR scanner, but good luck finding it... there appears to be no fail-proof way to stop malware from entering the Play store. This is where a second layer of protection is strongly recommended. By using a quality mobile anti-malware scanner, you can stay safe even when Google Play Protect fails..."
(More detail at the malwarebytes URL above.)

> https://www.helpnets...er-google-play/
Nov 16, 2017 - "Google has removed from Google Play eight apps that have served as downloaders for Android banking malware..."
 



Edited by AplusWebMaster, 16 November 2017 - 08:40 AM.



#2024 AplusWebMaster


Posted 16 November 2017 - 09:34 AM

FYI...

Suspicious Domains Tracking ...
- https://isc.sans.edu/diary/rss/23046
2017-11-16 - "Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network...
Happy hunting!
[1] https://isc.sans.edu...us_domains.html
[2] https://en.wikipedia...ation_algorithm
[3] http://securityaffai...ill-switch.html
[4] http://misp-project.org/
[5] https://blog.rootshell.be/2017/10/31/splunk-custom-search-command-searching-misp-iocs/  "

(MUCH more detail at the isc URL above.)
 


___

Fake 'Re:payment' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
16 Nov 2017 - "An email with the subject of 'Re:payment' coming from [redacted]@ cs .com with a zip attachment which contains some sort of malware...

Screenshot: https://myonlinesecu...ment_cs_com.png

Bank receipt pdf.zip: Extracts to: Bank receipt pdf.exe - Current Virus total detections 15/68*. Hybrid Analysis**...
This malware file attempts to download from these -3- sites:
  http ://www.plasticbags .info/na/?id=ct7EX847F+fIn3VkER7xV/XU/exdWHV6LvmrngXmar4Pbag2la+n0AnpQnxVHV21Mp6i4Q==&Lv18=bLUdWtwp4bJhJP -or-
  http ://www.nettopolis .email/na/?id=DetlfAibiVhB/jSD5CdGOk3sftJHeNpzwT01DHDpstch9neoK+a+bAVv0IXcSJ5QPSyr6g==&Lv18=bLUdWtwp4bJhJP
-both- of which fail to respond. Both sites are hosted on Godaddy (184.168.221.53) and have a temporary holding / domain parking page with the usual adverts. Both sites were registered in early September 2017. Either Godaddy has exploitable vulnerabilities on their Domain Parking pages or they were registered by criminals who haven’t set up the domains properly yet.
 http ://www.marlow-and-co .com/na/?id=mLSZLOZGg8XOoWhtThKSW1hFX7QHeHYwxlPs7+FwgoIusw3OZOrPJE6119RFPiuJf6vG8Q==&Lv18=bLUdWtwp4bJhJP&sql=1
which is hosted in Japan (183.90.253.3) and gives a 404...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1510806654/

** https://www.hybrid-a...vironmentId=100
File Details
Bank receipt pdf.exe
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted...

plasticbags .info: 50.63.202.62: https://www.virustot...62/information/

nettopolis .email: 184.168.221.53: https://www.virustot...53/information/

marlow-and-co .com: 183.90.253.3: https://www.virustot....3/information/
___

Fake 'Confidential account documents' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
16 Nov 2017 - "An email with the subject of 'Confidential account documents' pretending to come from Barclays Bank but actually coming from a look-a-like or typo-squatted domain <secure@ barclaysdocuments .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The attachment has random numbers protected**.doc ...
Today’s example of the spoofed domains are, as usual, registered via Godaddy as registrar.
 barclaysdocuments .com hosted on and emails sent via 134.19.180.171 | 94.100.21.212 | 185.117.74.216 | 94.75.219.142 |

Screenshot: https://myonlinesecu...t-documents.png

Protected80.doc - Current Virus total detections 5/55*. Payload Security**...
This malware file downloads from
 http ://simplicitybystrasser .com/images/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aqv6.exe (VirusTotal 10/68***).
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecu...ected80_doc.png
... You -cannot- enter the password because that is an-image of a password-entry-box and they hope you will enable the macros (DON'T) ... and get infected...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493724795/
SecureMessage.doc

** https://www.hybrid-a...vironmentId=100
DNS Requests
216.138.226.110
50.19.97.123

Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86


*** https://www.virustot...sis/1510840036/
Aqv6.exe

simplicitybystrasser .com: 23.235.209.96: https://www.virustot...96/information/
> https://www.virustot...fb00f/analysis/
 



Edited by AplusWebMaster, 16 November 2017 - 12:03 PM.

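Several of the posts above (#2018 through #2024) make the same observation: the file the macro fetches is served as ser.png, logo.png or bigmac.jpg but is really a renamed Windows executable, and in #2020 the "MG Notice 1110.zip" download is really a RAR archive. Added example in Python, not tooling from the posts, that checks a downloaded file's content signature against the type its extension claims; it covers a few more formats than the posts mention, the sample bytes are constructed, and the MZ/PE stub is a header only, not a working program.

```python
"""Check that a downloaded file's content matches the type its name claims.

Added example, not tooling from the forum posts.  Sample inputs below are
constructed; file names are the ones reported in the posts.
"""
import struct

# Sniffed type -> (offset, magic bytes).  PE files are handled separately
# because their signature sits at a variable offset.
MAGIC = {
    "png":  (0, b"\x89PNG\r\n\x1a\n"),
    "jpeg": (0, b"\xff\xd8\xff"),
    "gif":  (0, b"GIF8"),
    "zip":  (0, b"PK\x03\x04"),
    "rar":  (0, b"Rar!\x1a\x07"),   # common prefix of RAR4 (..\x00) and RAR5 (..\x01\x00)
}

# Which sniffed types an extension may legitimately carry (JAR is a ZIP).
EXPECTED = {
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
    "zip": {"zip"}, "jar": {"zip"}, "rar": {"rar"}, "exe": {"pe"},
}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Return the content type implied by the file signature, or 'unknown'."""
    if is_pe(data):
        return "pe"
    for kind, (off, magic) in MAGIC.items():
        if data[off:off + len(magic)] == magic:
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_download(name: str, data: bytes) -> dict:
    """Verdict on whether the bytes match the extension; 'mismatch' is the flag."""
    ext = extension_of(name)
    actual = sniff(data)
    allowed = EXPECTED.get(ext)
    if allowed is None:
        # Unknown or missing extension: an executable is still worth flagging.
        mismatch = actual == "pe"
    else:
        mismatch = actual not in allowed
    return {"name": name, "claimed": ext, "actual": actual, "mismatch": mismatch}


def fake_pe() -> bytes:
    """Constructed minimal MZ header plus PE signature; not a runnable program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    samples = {                                  # constructed inputs
        "ser.png": fake_pe(),
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "MG Notice 1110.zip": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
        "MG Notice 1110.JAR": b"PK\x03\x04" + b"\x00" * 16,
    }
    for n, d in samples.items():
        print(check_download(n, d))
```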


#2025 AplusWebMaster


Posted 17 November 2017 - 09:14 AM

FYI...

Fake 'Product Enquiry' SPAM - delivers Nanocore RAT
- https://myonlinesecu...s-nanocore-rat/
17 Nov 2017 - "An email with the subject of 'Product Enquiry' pretending to come from Robert Osuna Sales <roberto. osuna76@mail .com> with a malicious Excel XLS spreadsheet attachment delivers NanoCore Remote Access Trojan...

Screenshot: https://myonlinesecu...uct_enquiry.png

These are actually coming via an automated mailing service based in Russia, who despite sending malware are complying with the various anti-spam laws worldwide by having an unsubscribe link in the email body. I do not recommend to use the -unsubscribe- link. That is an almost guaranteed way to get your email address added to a load more spam and malware lists. The blurry image in the XLS spreadsheet is a Social Engineering trick to persuade you to enable editing & content (macros) so they can infect you.
DO NOT enable Editing or Content (macros) under any circumstances:
> https://myonlinesecu...enquiry_xls.png

Product Enquiry.xls - Current Virus total detections 14/61*. Hybrid Analysis**...
This malware downloads from
 http ://cryptovoip .in/awedfs/DDF_outputCEAA78F.exe (VirusTotal 18/68[3]) (Hybrid Analysis[4])...
Email Headers and malware sites details:
191.96.249.92 - smtp4.digitalsearchengine .in - Moscow...
balajipacker .com  registered 27/09/2017 using Godaddy as registrar hosted on 191.96.249.92
cryptovoip .in 103.21.58.122 Probably a hacked compromised server not knowingly involved in hosting the malware payload...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1510851227/

** https://www.hybrid-a...vironmentId=100
DNS Requests
181.215.247.234
103.21.58.122

Contacted Hosts
103.21.58.122
201.174.233.241
181.215.247.234


3] https://www.virustot...sis/1510899976/
DDF_outputCEAA78F[1].exe

4] https://www.hybrid-a...vironmentId=100
DNS Requests
181.215.247.234
Contacted Hosts
201.174.233.241
181.215.247.234


digitalsearchengine .in: A temporary error occurred during the lookup...

cryptovoip .in: 103.21.58.122: https://www.virustot...22/information/
> https://www.virustot...d702a/analysis/
 





#2026 AplusWebMaster


Posted Today, 09:26 AM

FYI...

Fake 'scanned from' SPAM - delivers Ransomware
- https://myonlinesecu...opier-messages/
23 Nov 2017 - "... It is almost as if they have timed the new version to spam out on Thanksgiving day in USA, where the AV companies and security teams are off on their long weekend holiday... downloaders from the Necurs botnet... an email with the subject of 'scanned from (printer or scanner name)' pretending to come from copier@ your own email address or company domain... definitely ransomware but doesn’t look like Locky. The ransom note is very different. These all have -blank- email bodies with just an attachment and the subject...
Update: I am being told it is Scarab Ransomware... The new ransom note is called 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT'... The subjects in this vary but are all copier or scanner related:
    Scanned from Lexmark
    Scanned from HP
    Scanned from Canon
    Scanned from Epson


P_rek.zip: Extracts to: image2017-11-22-5864621.vbs - Current Virus total detections 4/57*. Hybrid Analysis**
| Anyrun Beta[3] | Joesecurity[4] |
This downloads from (in this example, there will be -dozens- of other download sites)
 http ://pamplonarecados .com/JHgd476? (VirusTotal 8/66[5])
One of the emails looks like:
From: copier@ victimsdomain .com
Date: Thu 23/11/2017 06:28
Subject: Scanned from HP
Attachment: image2017-11-23-4360760.7z
Body content:

    EMPTY


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1511423196/
image2017-11-22-5864621.vbs

** https://www.hybrid-a...vironmentId=100
DNS Requests
5.2.88.79
88.99.66.31

Contacted Hosts
5.2.88.79
88.99.66.31


3] https://app.any.run/...c6-8aead1ea33a8

4] https://jbxcloud.joe...s/445266/1/html

5] https://www.virustot...sis/1511422910/
JHgd476

pamplonarecados .com: 5.2.88.79: https://www.virustot...79/information/
> https://www.virustot...f655f/analysis/
 







