
Tuesday 25 August 2015

Malware spam: "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" via sugarsync.com

This fake Dropbox email leads to malware, hosted on the sharing service sugarsync.com.

From:    June Abel via Dropbox [no-reply@dropbox.com]
Date:    25 August 2015 at 12:59
Subject:    June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you

June used Dropbox to share a file with you!

Click here to download.

© 2015 Dropbox

I have seen three different samples with different download locations:

https://www.sugarsync.com/pf/D3941255_827_052066225?directDownload=true
https://www.sugarsync.com/pf/D160756_82_6104120627?directDownload=true
https://www.sugarsync.com/pf/D2694666_265_638165437?directDownload=true


In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55. Analysis is pending, but the payload appears to be the Dyre banking trojan.

UPDATE: The Hybrid Analysis report shows traffic to 197.149.90.166 (Cobranet, Nigeria), which I recommend you block.

Thursday 16 April 2015

Malware spam: "Decisive notification about your Automated Clearing House payment"

This fake ACH spam leads to malware:

From:    aileen.alberts@[redacted]
Date:    16 April 2015 at 15:55
Subject:    Decisive notification about your Automated Clearing House payment


The Automated Clearing House transaction transfer, recently initiated from your company's online bank account, has been rejected by the EPA.

Rejected ACH payment
Automated Clearing House transfer Case # L669461617
Transaction Total 27504.02 US Dollars
Email [redacted]
Reason of Termination Download full details

Please visit the link provided at the top to see more information about this problem.
The link in the email goes to a download location at dropbox.com, which serves a malicious Word document, Automated_Clearing_House transaction9090.doc, containing this macro [pastebin].

I haven't had the time to analyse it fully, but it is rather different from other offerings. From what I can tell, it downloads an encrypted file [pastebin] from:

sundsvallsrk.nu/tmp/1623782.txt or
hpg.se/tmp/1623782.txt

It also downloads some sort of executable from Dropbox, with a detection rate of 3/57. Automated analysis tools are inconclusive at the moment [1] [2], although the Payload Security report does show several dropped files, including two malicious scripts [pastebin].

Of note is that one of the scripts downloads what looks like a PNG from:

savepic.su/5540444.png

For now, I would recommend blocking traffic to
sundsvallsrk.nu
hpg.se
savepic.su

For researchers only, I have an archive of some of the files here, password is infected.

Wednesday 25 February 2015

Malware spam: 'Info Chemicals shared "MT 103_PO_NO!014.zip" with you' uses Dropbox

This spam leads to a malware download via Dropbox.

From:    Info via Dropbox
Reply-To:    hcm0366@gmail.com
Date:    25 February 2015 at 05:38
Subject:    Info Chemicals shared "MT 103_PO_NO!014.zip" with you
Signed by:    dropbox.com

From Info:

"Good day ,

How are you today
pls check attached, my manager had requested I email you our new order details together with TT copy of balance payment. Kindly confirm in return.

regards,

Frank Manner

Broad Oak Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602

Disclaimer :
This electronic mail transmission may contain material that is legally privileged and confidential for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient or the employee or agent responsible for delivery of this message to the intended recipient, you are hereby notified that any disclosure, copying, dissemination, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify the sender immediately by responding to this electronic mail and then delete all copies including any attachments thereto from your computer, disk drive, diskette, or other storage device or media.

Maritim Barito Perkasa does not accept any liability in respect of communication made by its employee that is contrary to company policy or outside the scope of employment of the individual concerned."

Click here to view

(Info shared these files using Dropbox. Enjoy!)
The email has been digitally signed by Dropbox (which means exactly nothing) and is spoofing the wholly legitimate Broad Oak Ltd who have been a target of this sort of thing several times before.

In this case, the link in the email goes to:

https://www.dropbox.com/l/dFxVxjuDRo3j2oANVURy2v
and then to
https://www.dropbox.com/s/fnsprei93c45ts6/MT%20103_PO_NO!014.zip

Which leads to a malicious EXE file called MT 103_PO_NO!014.zip. Inside that is the malware itself, a file .pdf.scr which has a detection rate of 11/57. According to the Malwr report it drops another executable with a detection rate of 9/57. The payload looks similar to the Zeus trojan.

Also, according to Malwr and ThreatExpert, it attempts to communicate with an apparent web-to-Tor gateway at

mmc65z4xsgbcbazl.onion.am

onion.am is hosted on 37.220.35.39 (YISP Colo, Netherlands) and I suggest this isn't the sort of thing that you want on your corporate network regardless of its legitimate uses.

Be aware that there are probably many other Dropbox locations in use for this spam run. If you see more, I suggest you forward the email to abuse -at- dropbox.com who are normally quite good at dealing with this sort of thing.

Friday 3 October 2014

"Thanks for shopping with us today!" malspam spreads via Dropbox

This spam email leads to malware hosted on Dropbox:

From:     pghaa@pghaa.org
To:     victim@victimdomain.com
Date:     3 October 2014 11:43
Subject:     victim@victimdomain.com

Thanks for shopping with us today! Your purchase will be processed shortly.

ORDER DETAILS

Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@victimdomain.com

Amount: 4580 US Dollars

Open your payment details

Please click the link provided above to get more details about your order.
In this case the download location is https://www.dropbox.com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others.

The download file is Payment Details_52375.zip containing a malicious executable PAYMENT DETAILS.PDF  .scr_56453.exe which has a VirusTotal detection rate of 5/55.  At the moment, automated analysis tools [1] [2] [3] are inconclusive as to what it does.

UPDATE: it is also being distributed via
https://www.dropbox.com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https://www.dropbox.com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1
https://www.dropbox.com/s/fvogsazezmv00hw/Transaction_G287O.zip?dl=1
https://www.dropbox.com/s/42b7binqmk8auu9/Payment_Details_A0869.zip?dl=1
https://www.dropbox.com/s/okag3y2qtg12vg7/Payment_Details_R435C.zip?dl=1


Tuesday 10 June 2014

"You have received a voice mail" spam downloads malware from Dropbox

Another fake voice message spam, and another malware attack downloading from Dropbox.

From:     Microsoft Outlook [no-reply@victimdomain]
Date:     10 June 2014 15:05
Subject:     You have received a voice mail

You received a voice mail : VOICE437-349-3989.wav (29 KB)
Caller-Id: 437-349-3989
Message-Id: U7C7CI
Email-Id: [redacted]

Download and extract the attachment to listen to the message.

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1
Sent by Microsoft Exchange Server
The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52. Automated analysis [1] [2] [3] [4] indicates that it downloads files from the following domains:

newsbrontima.com
yaroshwelcome.com
granatebit.com
teromasla.com
rearbeab.com


Thursday 29 May 2014

More eFax / Dropbox malware spam

This fake eFax message downloads malware from Dropbox, similar to yesterday's attack but with different binaries:

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     29 May 2014 10:26
Subject:     INCOMING FAX REPORT : Remote ID: 499-364-9797

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 29 May 2014 18:26:56 +0900
Speed: 4360bps
Connection time: 07:09
Pages: 9
Resolution: Normal
Remote ID: 915-162-0353
Line number: 0
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/[redacted]
The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr

This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1] [2] are pretty inconclusive as to what this does.
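The Dropbox links in these posts come in two shapes: a /s/ or /pf/ share link with a forced-download flag (?dl=1, ?directDownload=true), and a /meta_dl/ link whose long middle segment is unpadded base64url-encoded JSON naming the real download server. The following is an added example of my own (not code from the blog or from Dropbox) that decodes that segment and triages mail-body links by host, download flag and filename shape; the sample link is the one quoted in the 10 June 2014 post above, and the host and extension lists are assumptions drawn from these posts.

```python
import base64
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts these posts show being abused, and the query flags that force a direct download (assumed list).
SHARING_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com", "www.sugarsync.com"}
FORCE_DOWNLOAD = {"dl": "1", "directDownload": "true"}
# Windows-executable extensions seen in the lures (.scr, .exe) plus a few common relatives.
EXEC_EXT = re.compile(r"\.(scr|exe|com|pif|bat|cmd|js|vbs)$", re.I)
# A decoy document extension, optional padding spaces, then the real extension ("PDF  .scr", ".pdf.scr").
DECOY_EXT = re.compile(r"\.(pdf|doc|docx|wav|txt)\s*[._]", re.I)
# The meta_dl link quoted in the 10 June 2014 post above, used here as the sample input.
SAMPLE_META_DL = (
    "https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwu"
    "ZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3"
    "enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1")

def decode_meta_dl(url):
    """Return the JSON a Dropbox /meta_dl/ link embeds (unpadded base64url), or None."""
    m = re.search(r"/meta_dl/([A-Za-z0-9_-]+)/", urlsplit(url).path)
    if not m:
        return None
    blob = m.group(1)
    try:
        return json.loads(base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4)))
    except ValueError:  # not base64, or not JSON
        return None

def suspicious_name(name):
    """True for filenames shaped like the samples: .scr/.exe, or a document name hiding one."""
    return bool(EXEC_EXT.search(name) or DECOY_EXT.search(name))

def triage_link(url):
    """Classify one URL: sharing host, forced download, meta_dl target, archive/executable name."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    filename = unquote(parts.path.rsplit("/", 1)[-1])
    meta = decode_meta_dl(url)
    findings = []
    if parts.hostname in SHARING_HOSTS:
        findings.append("file-sharing host")
    if any(query.get(k) == v for k, v in FORCE_DOWNLOAD.items()):
        findings.append("forced download")
    if meta is not None:
        findings.append("meta_dl link served from %s" % meta.get("server"))
    if suspicious_name(filename) or filename.lower().endswith(".zip"):
        findings.append("archive or executable filename")
    return {"host": parts.hostname, "filename": filename, "findings": findings}

def triage_body(text):
    """Extract every http(s) URL from a mail body and return only those with findings."""
    urls = re.findall(r"https?://[^\s\"'<>]+", text)
    return [r for r in (triage_link(u) for u in urls) if r["findings"]]
```

Running triage_body over the body text of any of the emails above returns the Dropbox or SugarSync link together with the reasons it was flagged, which is enough to drive a mail-gateway rule or a quick manual check.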

Wednesday 28 May 2014

eFax message from "unknown" spam downloads malware from Dropbox

This fake eFax message downloads malicious content from a Dropbox link.

From:     eFax [message@inbound.efax.com]
Date:     28 May 2014 13:12
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643

Fax Message [Caller-ID: 1-949-698-5643]
You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.

* The reference number for this fax is atl_did1-1400166434-95058563842-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!


j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.

This binary has a VirusTotal detection rate of 6/53. Automated reporting tools [1] [2] show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:
This last one makes a connection to innogate.co.kr for unknown reasons.

Recommended blocklist:
landscaping-myrtle-beach.com
innogate.co.kr