Received some emails saying that I've got to look at a new photo...
hi my new photo :) if u like my photo send me u
.... lovely.... except... it contains a zip attachment... my_photo.zip
Inside the zip file is a poor attempt at filename hiding...
my_photo_home_38472398472398749283.exe
Here's the current scanner situation..
VirusTotal Results 17/56 (df0620c00068fc83a539d95fda4bbb7f)
A hopefully interesting blog from the world of zero hour malware, phishing, scams and spams
Wednesday, 10 December 2014
Voice redirected message malware
Received a few of these today....
Date: Wed, 10 Dec 2014 13:49:50 +0000
From: "Message Admin" dropibox.com
To: enquiries@xxxxxxxxxx.co.uk
Subject: Voice Message
Message-ID: <0298040680@dropibox.com>
X-Sender: admin@dropibox.com
User-Agent: Roundcube Webmail/1.0.1
Voice redirected message
http://offroadshop DOT sk/dropbox/invoice1
Sent: Wed, 10 Dec 2014 13:49:50 +0000
Note the extra letter i in the look-alike Dropbox domain... dropibox.com
Needless to say, the clickable link delivers malware.
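An added check for the two tells in this message (the look-alike sender domain and a link whose path name-drops Dropbox while its host is somewhere else). This is example code written for this page, not part of the original post: it uses Python's stdlib email parser, flags sender-side domains within edit distance 1 of a brand domain, and flags URLs whose path contains a brand name the host does not belong to. The sample message is constructed from the headers quoted above (the DOT defang restored, the local part admin@ taken from the X-Sender header); the brand list is an assumption.

```python
import email
import re
from email import policy

# Brand domains the lure imitates. The list is an assumption for this example.
BRAND_DOMAINS = ("dropbox.com",)

# Headers that name the sending side; Message-ID is included because the
# forged domain shows up there too in the sample above.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path", "X-Sender", "Message-ID")
ADDR_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s<>\"']*)?", re.I)

# Constructed sample, rebuilt from the headers quoted in the post: the "DOT"
# defang is restored and the local part admin@ is taken from X-Sender.
SAMPLE_EML = """\
Date: Wed, 10 Dec 2014 13:49:50 +0000
From: "Message Admin" <admin@dropibox.com>
To: enquiries@example.co.uk
Subject: Voice Message
Message-ID: <0298040680@dropibox.com>
X-Sender: admin@dropibox.com
User-Agent: Roundcube Webmail/1.0.1

Voice redirected message
http://offroadshop.sk/dropbox/invoice1
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one inserted letter (dropibox vs dropbox) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Good enough for .com/.sk, wrong for .co.uk: use the
    Public Suffix List in anything real."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def findings(raw: str, max_dist: int = 1):
    """Return [(where, domain, why)] for look-alike sender domains and for
    links whose path name-drops a brand that the host does not belong to."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for header in SENDER_HEADERS:
        for value in msg.get_all(header, []):
            for dom in ADDR_DOMAIN_RE.findall(str(value)):
                reg = registrable(dom)
                for brand in BRAND_DOMAINS:
                    dist = levenshtein(reg, brand)
                    if 0 < dist <= max_dist:
                        hits.append((header, reg, f"look-alike of {brand} (distance {dist})"))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host, path in URL_RE.findall(text):
        reg = registrable(host)
        for brand in BRAND_DOMAINS:
            keyword = brand.split(".")[0]
            if reg != brand and keyword in path.lower():
                hits.append(("url", host.lower(), f"'{keyword}' in path but host is {reg}"))
    return hits


if __name__ == "__main__":
    for where, domain, why in findings(SAMPLE_EML):
        print(f"{where:12} {domain:20} {why}")
```

Run against the sample it reports dropibox.com from the From, X-Sender and Message-ID headers and the offroadshop.sk link; a genuine dropbox.com sender with a dropbox.com link produces nothing. The distance threshold of 1 is deliberately tight: widen it and short brand names start colliding with unrelated domains.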
XLS Macro malware: K J Watking & Co
Another run of the faked K J Watking & Co, containing an XLS spreadsheet... BAC439622TB.xls (example name) which has Macro based malware inside it....
Update:
Since the macro malware downloads an exe... it's interesting to see how many times
the malware exe file has actually succeeded in being downloaded:
73,655 -- http://217 DOT 174 DOT 240 DOT 46 :8080/stat/stati.php
73,672 -- http://187 DOT 33 DOT 2 DOT 211 :8080/stat/stati.php
That's a few infected pc's there :(
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Heath David
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 432377
Interestingly they've used the same malware XLS as the earlier post today and just renamed it...
eg.
This malware run: BAC998947HJ.xls (hash: 061930c8fc246872dda3af5670d3ea44)
Earlier malware run: ID_00477M.xls (hash: 061930c8fc246872dda3af5670d3ea44)
All variants were zero hour (0 hour) detected by:
Sanesecurity.Malware.24631.XlsHeur (phish.ndb)
and additionally Sanesecurity.Rogue.0hr.20141210-1026 (rogue.hdb)
Cheers,
Steve
Sanesecurity
XLS macro malware: Anglia Engineering Solutions Ltd
Looks like another XLS macro run has just started... this time it's faked from this company...
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 694878F]
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Bertha Hahn
Anglia Engineering Solutions Ltd
Tel: 01469 382553
There are currently 4 variants all of which were zero hour (0 hour) detected by:
Sanesecurity.Malware.24631.XlsHeur
Additionally Sanesecurity.Rogue.0hr.20141210-1026 blocks the following hashes, which on VirusTotal are
currently not detected by any of the 56 virus scanners:
061930c8fc246872dda3af5670d3ea44
20a66473d970a3b91aa0e6184e6d7e76
b5153a417ab4e4a2017a08909c771dfd
ed3f7389bd63fb1dd6c35279e7009046
Cheers,
Steve
www.sanesecurity.com
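The three remittance posts above (this one and the two K J Watking runs) and the photo lure at the top of the page describe the same triage steps: hash the attachment and compare it against a block list of the kind rogue.hdb carries, notice when one hash turns up under several filenames, spot an Office document that carries a VBA project, and look inside a zip for an executable with a long misleading name. Here is an added Python script that does those steps over a message; it is example code for this page, not Sanesecurity's, and it does not parse OLE properly (olevba does), it only scans for the UTF-16LE "_VBA_PROJECT" stream name. The four MD5s are the ones listed above; the sample message, its sender and the attachment bytes are constructed for the example, and the md5:size:name line is ClamAV's .hdb hash-signature format.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The four MD5s listed in the post; the set a rogue.hdb-style exact-hash
# signature matches against. A real feed would be much longer.
KNOWN_BAD_MD5 = {
    "061930c8fc246872dda3af5670d3ea44",
    "20a66473d970a3b91aa0e6184e6d7e76",
    "b5153a417ab4e4a2017a08909c771dfd",
    "ed3f7389bd63fb1dd6c35279e7009046",
}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored UTF-16LE; every Office 97-2003 VBA
# project has a "_VBA_PROJECT" stream. A raw byte scan is a crude stand-in
# for walking the directory tree (use oletools/olevba for real analysis).
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def triage_attachment(data: bytes):
    """Return (md5, reasons) for one attachment's raw bytes."""
    md5 = hashlib.md5(data).hexdigest()
    reasons = []
    if md5 in KNOWN_BAD_MD5:
        reasons.append(f"md5 {md5} is on the block list")
    if data.startswith(OLE2_MAGIC) and VBA_MARKER in data:
        reasons.append("OLE2 document carrying a VBA project")
    if data[:2] == b"PK":  # zip local file header, as in the my_photo.zip lure
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXT):
                        reasons.append(f"zip member {member} is executable")
        except zipfile.BadZipFile:
            reasons.append("PK header but not a readable zip")
    return md5, reasons


def triage_message(raw: bytes):
    """Walk every attachment of an RFC 822 message: [(filename, md5, reasons)]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        content = part.get_content()
        data = content if isinstance(content, bytes) else content.encode()
        md5, reasons = triage_attachment(data)
        results.append((name, md5, reasons))
    return results


def rename_groups(results):
    """Group filenames by md5: one hash under several names is the 'same XLS,
    just renamed' pattern seen across the runs above."""
    groups = {}
    for name, md5, _ in results:
        groups.setdefault(md5, set()).add(name)
    return groups


def hdb_signature(data: bytes, sig_name: str) -> str:
    """ClamAV .hdb hash signature line: md5:filesize:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{sig_name}"


def build_sample(xls_name: str) -> bytes:
    """Constructed message (not a real capture): a fake OLE2/VBA spreadsheet
    under the given name plus a zip hiding a long-named .exe."""
    xls = OLE2_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my_photo_home_38472398472398749283.exe", b"MZ" + b"\x00" * 32)
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@example.invalid>"  # constructed sender
    msg["Subject"] = "Remittance Advice"
    msg.set_content("Please find attached a remittance advice for recent BACS payment.")
    msg.add_attachment(xls, maintype="application", subtype="vnd.ms-excel", filename=xls_name)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="my_photo.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    seen = []
    for run in ("ID_00477M.xls", "BAC998947HJ.xls"):
        for name, md5, reasons in triage_message(build_sample(run)):
            print(name, md5, reasons)
            seen.append((name, md5, reasons))
    print(rename_groups(seen))
```

Feeding it the two constructed runs shows the same MD5 for ID_00477M.xls and BAC998947HJ.xls, which is exactly why a hash signature keeps catching a renamed sample while a filename rule does not; the VBA heuristic is the part that catches the next sample whose hash nobody has yet.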
Friday, 5 December 2014
XLS macro malware: K J Watking & Co
Looks like they've now switched to XLS (Excel) based macro malware instead of DOC (Word) based...
Various sender names are being used, all from K J Watking & Co, which seems to be the company being impersonated....
Four versions so far...
08e73d8f175eb9e9b557f0403019a302
8efa7edba64776a05c7fea4d07eb5021
92d499bb61395f29d2c09616894ba429
bddacd683e959f02ea8f590b989b2b83
Detected as:
rogue.hdb: Sanesecurity.Rogue.0hr.20141205-0827
rogue.hdb: Sanesecurity.Rogue.0hr.20141205-0901
phish.ndb: Sanesecurity.Malware.24629.XlsHeur