
Showing posts with label Java. Show all posts

Wednesday 26 October 2016

Malware spam: "Western Union Help Desk" / "Proof" leads to Adwind

Just by way of a change, here's some malspam that doesn't lead to Locky.

From:    Western Union Help Desk [mes@prosselltda.cl]
Reply-to:    Western Union Help Desk [mes@prosselltda.cl]
Date:    26 October 2016 at 20:07
Subject:    Proof

Dear All,

To comply with customer service standards, we need to have the Proof of Payment for the following attached transaction that has been marked as paid by one of your Locations.

Please e-mail us a copy of the ?To Receive Money Form?  as a Proof of Payment. If no TRMF or reason for delay were received by the above mentioned due date, we will consider the Transaction as Paid in Error and will proceed to reinstate it accordingly charging Paying Account.

In case there are an Automatic Customer Receipt (ACR) and a Handwritten Form, please send us both.

Click To View  Click to download  Click to open on browser

Thanks

Shameer Illyas

| Agent Support Officer |

|  Western Union Money Transfer |


In this case, the link in the email goes to:

linamhost.com/host/Western_Union_Agent_Statement_and_summary_pdf.jar

This is a Java file; if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it won't run. VirusTotal identifies it as the Adwind Backdoor. The Malwr report shows it attempting to contact:

boscpakloka.myvnc.com     [158.69.56.128] (OVH, US)

A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis. Check the Dropped Files section of the Malwr Report for more.

Personally, I recommend blocking all dynamic DNS domains such as myvnc.com in corporate environments. At the very least I recommend blocking 158.69.56.128.
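
The blocking recommendation above can also be used as a detection check over resolver logs. This is an added example, not code from the original post; the log line format, the sample log lines and the short suffix list are assumptions.

```python
import ipaddress

# Short sample of dynamic DNS parent domains (assumption: production use
# would load a maintained provider list instead of these four).
DDNS_SUFFIXES = {"myvnc.com", "no-ip.biz", "no-ip.org", "zapto.org"}
BLOCKED_NETS = [ipaddress.ip_network("158.69.56.128/32")]  # address from the post

def ddns_parent(hostname):
    """Return the dynamic DNS suffix that hostname falls under, or None."""
    # Normalise case and the trailing root dot that resolver logs often carry.
    labels = hostname.strip().rstrip(".").lower().split(".")
    # Compare whole parent domains so 'notmyvnc.com' does not match 'myvnc.com'.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_SUFFIXES:
            return candidate
    return None

def ip_blocked(addr):
    """True if addr parses as an IP address inside one of BLOCKED_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETS)

def triage(log_lines):
    """Return (client, qname, reason) for each log line that should alert.
    Assumed (hypothetical) line format: '<client> <qname> <answer-ip>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        client, qname, answer = parts
        suffix = ddns_parent(qname)
        if suffix:
            hits.append((client, qname, "ddns:" + suffix))
        elif ip_blocked(answer):
            hits.append((client, qname, "ip:" + answer))
    return hits

# Constructed sample log; only the first hostname and the IP are from the post.
SAMPLE = [
    "10.0.0.5 boscpakloka.myvnc.com. 158.69.56.128",
    "10.0.0.7 www.notmyvnc.com 203.0.113.10",
    "10.0.0.8 Host1.NO-IP.biz 198.51.100.4",
    "10.0.0.9 cdn.example.net 158.69.56.128",
]
```

Calling `triage(SAMPLE)` flags the first, third and fourth lines; the second line is a look-alike name that a plain substring match would wrongly flag.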

Wednesday 12 November 2014

Exchange House Fraud (Police Headquaters) / omaniex@investigtion.com spam

I got a lot of these yesterday that I've only just noticed.

From:     omaniex@investigtion.com
Subject:     Exchange House Fraud (Police Headquaters)


please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.

Note: come along with your report as it will be needed

regards,
Police headquarters.
Investigtion dept. 

Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:

7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar

This is some sort of malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably don't need it). It has a VirusTotal detection rate of 7/55 and the Malwr report has some screenshots of something odd happening, but not much more data.

Sunday 16 February 2014

"Account Credited" / TTCOPY.jar spam

This spam email comes with a malicious .JAR attachment:

From:     Tariq Bashir [muimran@giki.edu.pk]
Reply-To:     Tariq Bashir [ta.ba@hot-shot.com]
Date:     15 February 2014 11:03
Subject:     Account Credited

Dear Sir,

I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.

Find attached Bank TT  and update us on delivery schedule.

Regards,

Tariq Bashir
Remal Al Emarat Travel & Tourism L.L.C.
Al Muteena Street, Salsabeel Building, 103
P.O. Box 56260, Dubai, UAE
Tel: +971 4 271 54 06
Fax: +971 4 271 50 65
Mobile: +971 50 624 62 05
e-mail: ta.ba@hot-shot.com

The spam email originates from 121.52.146.226 (mail.giki.edu.pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50 and the Malwr analysis reports an attempted connection to clintiny.no-ip.biz on 67.215.4.123 (GloboTech, Canada / MaXX Ltd, Germany).

Although this is an unusual threat, Java attacks are one of the main ways that an attacker will gain access to your system. I strongly recommend uninstalling Java if you have it installed.

I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below:
