From: Cryptopocalypse NOW 01 04 2016 [no-reply@foocrypt.net]Err.. no. "Quantum Encryption" is a branch of quantum physics, it's a completely different level of encryption in the same way that an aeroplane is not like a car. Attached is some weird semi-messianic picture..
Date: 7 April 2016 at 18:24
Subject: Cryptopocalypse NOW 01 04 2016
Cryptopocalypse NOW 01 04 2016
Now available through iTunes - iBooks @ https://itunes.apple.com/us/book/cryptoapocalypse-now/id1100062356?ls=1&mt=11
Cryptopocalypse NOW is the story behind the trials and tribulations encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption."
"FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening several commonly used Symmetric Open Source Encryption methods so that they are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'.
"FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under export control by the Australian Department of Defence Defence Export Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology as per the ‘Wassenaar Arrangement’
A permit from Defence Export Control is expected within the next 2 months as the Australian Signals Directorate is currently assessing the associated application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical Encryption."
Early releases of "Cryptopocalypse NOW" will be available in the period leading up to June, 2016.
This is Volume 1 of N, where N represents an arbitrary number greater than 1 but less than infinity.
Limited Edition Collectors Versions and Hard Back Editions are available via the store on http://www.foocrypt.net/
© FooCrypt 1980 - 2016, All Rights Reserved.
Regards,
Mark A. Lane
© Mark A. Lane 1980 - 2015, All Rights Reserved.
Disclaimer : To remove yourself from this email list, kindly goto http://www.foocrypt.net/unsub.html
From: Gregg gale
Date: 30 March 2016 at 13:42
Subject: Additional Costs
Based on our contact (#084715), we're required to inform you about additional costs associated with your account, more information attached.
From: administrator [netadmin@victimdomain.tld]It pretends to come from within the victim's own domain, but this is a simple forgery. The reference number changes from email to email, attached is a ZIP file named consistently with the subject (e.g. FC_462982347.zip). This ZIP file contains a malicious script (typical detection rate 8/56) which then downloads Locky ransomware. According to these automated analyses [1] [2] [3] [4] [5] show the scripts downloading from the following locations (there are almost definitely more):
Date: 30 March 2016 at 11:09
Subject: Facture client N° FC_462982347 du 30/03/2016
Bonjour,
Veuillez trouver ci-joint la facture pour le renouvellement de votre antivirus.
Bonne réception
A.Morel
From: Joe holdman [holdmanJoe08@seosomerset.co.uk]The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipients email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.
Date: 30 March 2016 at 08:55
Subject: RE: Additional Information Needed #869420
We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
From: victim
To: victim
Date: 29 March 2016 at 17:50
Subject: CCE29032016_00034
Sent from my iPhone
From: Rose Lu [salesdeinnovative@technologist.com]
Date: 29 March 2016 at 02:30
Subject: Re: New Order P2016280375
Good Day,Please find enclosed our new order P2016280375 for your kind attention and prompt execution.I look forward to receiving your order acknowledgement in due course.Best regardsRose LuOffice ManagerSuzhou Eagle Electric Vehicle Manufacturing Co., Ltd.Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, ChinaTel: +86 512 6596 0151 Fax: +86 512 6252 1796Cell: +86 186 2520 8037Skype:rose.lu22Email:luyi@eg-ev.comWeb: http://www.eagle-ev.comhttp://www.eg-ev.comhttp://szeagle.en.alibaba.comhttp://www.chinaelectricvehicle.com http://szeagle-golfcar.en.made-in-china.com
From: Christine Faure [c.faure@technicoflor.fr]To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:
Date: 28 March 2016 at 16:54
Subject: Envoi d’un message : 9758W-TERREDOC-RS62937-15000
Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :
9758W-TERREDOC-RS62937-15000
Message de sécurité
From: Marta Wood
Date: 24 March 2016 at 10:10
Subject: FW: Payment Receipt
Dear [redacted],
Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.
Regards,
Marta Wood
Technical Manager - General Insurance
From: customer.service@axminster.co.ukAttached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8] shows download locations at:
Date: 24 March 2016 at 10:11
Subject: Your order has been despatched
Dear Customer
The attached document* provides details of items that have been packed and are ready for despatch.
Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk
Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm
Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk
Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)
Kind regards
Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk
* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
From: FX Service [emailsend@w.e191.victimdomain.tld]Details will vary from message to message. Attached s a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:
Date: 21 March 2016 at 14:32
Subject: Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff
Please find attached to this email a facsimile transmission we
have just received on your behalf
(Do not reply to this email as any reply will not be read by
a real person)
From: UKMail Customer Services [list_reportservices@ukmail.com]
Date: 18 March 2016 at 02:46
Subject: Proof of Delivery Report: 16/03/16-17/03/16
Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD
.............................. .............................. .............................. .............................. .............................. .............................. .......
Please consider the environment before printing this e-mail or any attachments. This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.
From: Administrator [admin@victimdomain.tld]All the attachments that I saw were corrupt, but it appears to be trying to download a script that installs Locky ransomware, as seen here.
Date: 17 March 2016 at 12:54
Subject: PDFPart2.pdf
Sent from my Samsung Galaxy Note 4 - powered by Three
Sent from my Samsung Galaxy Note 4 - powered by Three
From: victim@domain.tldInside is a randomly-named script (samples VirusTotal reports [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13] indicate that the script attempts to download a binary from the following locations:
To: victim@domain.tld
Date: 17 March 2016 at 10:37
Subject: Document32
From: Booth.Garth19@idsbangladesh.net.bdSender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:
Date: 17 March 2016 at 09:17
Subject: Remittance Adivce
Please find attached a remittance advice for payment made yo you today.
Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.
Kind Regards
Garth Booth
From: Interparcel [bounce@interparcel.com]Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:
Date: 17 March 2016 at 08:51
Subject: Interparcel Documents
Your Interparcel collection has been booked and your documents are ready.
There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
Thank you for booking with Interparcel.
From: Myrna bakerDetails in the email vary from message to message. The payload is Teslacrypt ransomware, as see in this earlier spam run.
Date: 14 March 2016 at 15:58
Subject: Traffic report ID: 62699928
Dear Citizen,
We are contacting you on behalf of a local Traffic Violation Bureau.
Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 49757
Unfortunately, we will have no other option rather than passing this case to the local police authorities.
Please, see the report with the documents proofs attached for more information on this case.
From: Ladonna featherSend names, references and attachment names vary. The malicious scripts in the attachment attempt to download from:
Date: 14 March 2016 at 14:50
Subject: Credit details ID: 87320357
Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.
NOTE: This is the automatically generated message. Please, do not reply.
