Thursday, 24 July 2014

NatWest "You have received a secure message" spam

This spam contains a link going to a malicious file:

From:     NatWest [secure.message@natwest.co.uk]
Date:     24 July 2014 14:06
Subject:     You have received a new secure message


You have received a secure message

To read your secure message click here. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 2568.
First time users - will need to register after opening the attachment.

About Email Encryption - http://www.natwest.com/content/global_options/terms/Email_Encryption.pdf
Another version uses the telephone number 0131 556 2164.

There are probably several different versions; in the ones I have, the download location is one of:

http://avlabpro.com/img/report934875438jdfg8i45jg_07242014.exe
http://dentairemalin.com/images/report934875438jdfg8i45jg_07242014.exe


This malware has a VirusTotal detection rate of 6/52. Automated analysis tools are inconclusive [1] [2] as to what it does.

Wednesday, 23 July 2014

Birminghammail / Paul Fulford "Redirected message" spam

This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't: it is a forgery with a malicious attachment.

Date:      Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
From:      Birminghammail [paul.fulford@birminghammail.co.uk]
Subject:      Redirected message

Dear [redacted]!

Please find attached the original letter received by our system.
I only have two samples of this; the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)

Poor Mr Fulford thinks that his email has been hacked. It hasn't, but I suspect that he has pissed off some Russian spammers somewhere.


Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe which has a VirusTotal detection rate of 5/53. The Malwr report shows that this part reaches out to the following IPs:

37.139.47.103
37.139.47.117


Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded, which has a VT detection rate of just 3/53. The Malwr report is inconclusive.

I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites.

inetnum:        37.139.40.0 - 37.139.47.255
netname:        COMFORTEL-NET
descr:          COMFORTEL ltd.
country:        RU
admin-c:        ME3174-RIPE
tech-c:         RASS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     MNT-PIN
mnt-domains:    PIRIX-MNT
source:         RIPE # Filtered

person:         Mikhail Evdokimov
address:        PIRIX
address:        Obukhovskoy Oborony, 120-Z
address:        192012, St.Petersburg
address:        Russia
phone:          +7 812 3343610
fax-no:         +7 812 6002014
nic-hdl:        ME3174-RIPE
mnt-by:         RUNNET-MNT
source:         RIPE # Filtered

person:         Dmitry Rassohin
address:        194156, St.Petersburg, Russia
address:        Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone:          +7 931 2700021
nic-hdl:        RASS-RIPE
mnt-by:         RASS-MNT
source:         RIPE # Filtered

route:          37.139.40.0/21
descr:          PIRIXROUTE
origin:         AS56534
mnt-by:         MNT-PIN
source:         RIPE # Filtered
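As an added illustration of the /24-versus-/21 trade-off discussed above (example code written for this page, not part of the original post), this Python snippet takes the two contacted IPs and the inetnum line from the RIPE record quoted above and computes the tightest covering block, the containing /24 and the whole allocation, so the reader can see how many addresses each choice sweeps in.

```python
import ipaddress
from typing import Dict, List

# The two addresses the sample contacted, as given in the post.
BAD_IPS = ["37.139.47.103", "37.139.47.117"]
# inetnum line from the RIPE record quoted in the post.
INETNUM = "37.139.40.0 - 37.139.47.255"


def smallest_covering_network(ips: List[str]) -> ipaddress.IPv4Network:
    """Start from a /32 and widen it until it contains every observed address."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(ips[0])
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def inetnum_to_cidrs(inetnum: str) -> List[ipaddress.IPv4Network]:
    """Convert a RIPE 'first - last' inetnum range into CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def block_options(ips: List[str], inetnum: str) -> Dict[str, ipaddress.IPv4Network]:
    """Candidate blocks from tightest to widest; every one contains all bad IPs."""
    tight = smallest_covering_network(ips)
    # A /24 only makes sense if the tight block is not already wider than that.
    slash24 = tight if tight.prefixlen <= 24 else tight.supernet(new_prefix=24)
    options = {
        "minimal": tight,
        "slash24": slash24,
        "allocation": inetnum_to_cidrs(inetnum)[0],
    }
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    assert all(a in net for net in options.values() for a in addrs)
    return options


if __name__ == "__main__":
    for label, net in block_options(BAD_IPS, INETNUM).items():
        print(f"{label:10} {str(net):20} {net.num_addresses:5} addresses")
```

The minimal block covering both addresses is a /27; the /24 sweeps in 256 addresses and the whole allocation 2048, which is the cost side of the "block the lot" decision.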


UPDATE: a slightly different version of the spam is doing the rounds today, with the fake senders being Allyson.Mays@birminghammail.co.uk and Troy.Short@birminghammail.co.uk (there seems to be nobody working for the Birmingham Mail with either name).

The attachment is named in the format letter_549588.zip or letter_235708.zip, and unzips to a folder original_letter_234389_193.eml containing a malicious executable original_letter_234389_193.eml.exe, which has a VirusTotal detection rate of 4/54.

The Malwr analysis shows that this reaches out to the following sites:

www.zag.com.ua
daisyblue.ru
37.139.47.117


This drops a further file called mss3.exe with an MD5 of 8e5ea3a1805df3aea28c76adb13b3d9e which is still pending analysis.



Tuesday, 22 July 2014

IGPK (Integrated Cannabis Solutions Inc) pump-and-dump spam

There seems to be a low-volume pump-and-dump spam run promoting IGPK (Integrated Cannabis Solutions Inc), the second recent spam I've seen for a cannabis company after this one.

Date:      Mon, 21 Jul 2014 21:15:06 +0400 [07/21/14 13:15:06 EDT]
From:      carolinehopkinsd@arcusinvest.com
Subject:      Check out this company that investors buy

Dear Classified Investor,
If you have been watching to the news, I am sure you have
learned about this new and exciting gigantic business that
everyone is talking about, right in USA! We're talking about
medical marijuana and the colossal Dot Bong Boom currently
underway. INTEGRATED CANNABIS SOLUTIONS INC I G_P-K, offers
a secret, backdoor way to get some of the best potentially
lucrative marijuana investments in the world! Published by
the WSJ, legal marijuana could be the next big thing. This
legal marijuana company is, effortlessly, the utmost
possibly lucrative purchase in this domain right now. I
G_P-K +4% on Friday the 18th of July, seems is groomed
totally for a popular surge up the graphs that can bring
openly compensate us five hundred percent or more. Don't
wait, take 5 minutes and invest early this week, while I
G_P-K is still available for purchase before Wall Street
learns about it! 
IGPK has a turnover of about $2m but is haemorrhaging cash, which is not a good sign, although it doesn't mean that the company is necessarily going to fold.

It looks like some sort of stock promotion started last month, but this is simply low-grade spam. However, a look at the stock chart shows that the spam run has pushed up the price by 45% to $0.08, but that is down from $0.74 in May, so the price has certainly slumped.

The mail originates from 61.234.227.151 (Railcom, China) via a mailserver at 185.8.3.210 (GNC, Armenia). Despite the "arcusinvest.com" domain in the email there is no evidence that it actually comes from this domain (that belongs to Arcus Investment Ltd, a real UK investment company).

Unless you want to lose out, you should never buy stock promoted by spam, as the price tends to collapse as soon as the promotion stops, or even while the promotion is still going on!

Monday, 21 July 2014

Something evil on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic)

Here is another bunch of Cushion Redirect sites closely related to this attack a few weeks ago, but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the redirect in action in this URLquery report, and VirusTotal has a clear indication of badness on this IP.

All the sites are hijacked subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer. Domains in use are:

e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia


To give credit to the owners of dora-explorer.co.uk, they have spotted that something is wrong, although it looks like the nameservers of their webhost (eu1.downtownhost.com and eu2.downtownhost.com) are improperly secured.


A full list of all the subdomains I can find is here [pastebin] but I would recommend applying a temporary block to these domains until the webhost secures them, although the most effective way of securing your network is to permablock 188.120.198.1.

Recommended blocklist:
188.120.198.1
e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia

UPDATE: It definitely appears that downtownhost.com have not secured their nameservers, as a few more customer sites are being abused in this way. It appears that the attackers are going through downtownhost.com's customers in alphabetical order. For example, the following subdomains are in use:

dfmgjne934eod8khquq1axg.elluse.com
280pfzhnb4usz3hajazvtlw.eaila.com
zefh96abfex1r32md0jdh7p.e-oman.me

Additional sites to block:
elluse.com
eaila.com
e-oman.me

UPDATE 2: it looks like downtownhost.com have fixed the problem. These recently-flagged domains can now be considered to be safe.


Friday, 18 July 2014

Something evil on 5.135.211.52 and 195.154.69.123

This is some sort of malware using insecure OpenX ad servers to spread. Oh wait, insecure is pretty much the default configuration for OpenX servers..

..anyway, I don't know quite what it is, but it's running on a bunch of hijacked GoDaddy subdomains and is triggering a generic JavaScript detection on my gateway. Domains spotted in this cluster are:


The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT]. This second IP has also been used to host "one two three" malware sites back in May.

Recommended blocklist:
5.135.211.52
195.154.69.123
somerspointnjinsurance.com
risleyhouse.net
ecofloridian.info
ecofloridian.com
trustedelderlyhomecare.net
trustedelderlyhomecare.org
trustedelderlyhomecare.info
theinboxexpert.com

Thursday, 17 July 2014

"Notificación de transferencia de fondos a su favor" spam

This Spanish-language spam has a malicious Word document as an attachment.

From:     HSBC Transferencias [Mexico_contacto@hsbc.com.mx]
Reply-To:     respuesta@hsbc.com.mx
Date:     17 July 2014 11:01

WELCOME TO HSBC!

The purpose of this email is to inform you that today you received an SPEI transfer which is being held due to anomalies in your account. For more details on this situation we have attached a document in Microsoft Word format in which we explain the reason for the hold and the steps to follow.

Issuing bank: BBVA BANCOMER
Amount: $94,000.00
Date: 17/07/2014
Reference: 89413

Status: Held
We recommend following the steps described in the document attached to this email.

For any questions or clarifications we are at your service at contacto@hsbc.com.mx or, if you prefer, you can contact Internet Banking on the following telephone numbers:
     Mexico City (55) 5721 1635
     From any state in the Republic, toll-free on 01800 4722 638.

We will be happy to assist you

The attachment is essentially the same as the one mentioned here which tries to lure the victim into removing their Word security settings so that a malicious macro can run.

The VirusTotal detection rate is a pretty poor 4/54. You can see some of the text strings in the Malwr report, which include a reversed URL, exe.ss/pw/arc/lc.paip//:ptth; read backwards this is http://piap.cl/cra/wp/ss.exe (currently 404ing), from which the macro tries to download a file. The VBA in the document can be found here [pastebin].
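To show how the reversed-URL trick above can be caught in a strings dump, here is an added Python example (not from the original post or the pastebin): it scans a constructed list of extracted strings for tokens ending in the reversed scheme and reverses them back into URLs. The first sample string is the one quoted above; the https one is constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of extracted strings: the first reversed token is the one
# quoted in the post, the rest is filler added for this example.
SAMPLE_STRINGS = [
    "Documento retenido",
    "exe.ss/pw/arc/lc.paip//:ptth",
    'strUrl = "txt.emdaer/moc.elpmaxe//:sptth"',
    "ShellExecute",
]

# A URL stored backwards ends in "//:ptth" or "//:sptth"; grab the whole
# unquoted token that leads up to it.
_REVERSED_TOKEN = re.compile(r"[^\s\"'()]+//:s?ptth")
# Sanity check on the reversed result so random text is not reported.
_FORWARD_URL = re.compile(r"^https?://[A-Za-z0-9.-]+(?:/[^\s\"']*)?$")


def unreverse_url(token: str) -> Optional[str]:
    """Reverse a candidate token and return it if it is a plausible URL."""
    candidate = token[::-1]
    return candidate if _FORWARD_URL.match(candidate) else None


def find_reversed_urls(strings: List[str]) -> List[Tuple[str, str]]:
    """Return (reversed_token, decoded_url) pairs found in extracted strings."""
    hits = []
    for s in strings:
        for m in _REVERSED_TOKEN.finditer(s):
            url = unreverse_url(m.group(0))
            if url:
                hits.append((m.group(0), url))
    return hits


if __name__ == "__main__":
    for token, url in find_reversed_urls(SAMPLE_STRINGS):
        print(f"{token}  ->  {url}")
```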

As mentioned before, this is a long-running campaign apparently targeting users in Mexico, and as yet I have not seen this in any language except Spanish.

Wednesday, 16 July 2014

"You've received a new fax" / "You have a new Secure Message" spam

This pair of spam messages leads to a malicious ZIP file downloaded via goo.gl (and not Dropbox, as the spam says).

From:     Fax [fax@victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax

New fax at SCAN7905518 from EPSON by https://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800

Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/8AanL9

(Dropbox is a file hosting service operated by Dropbox, Inc.)

-------------

From:     NatWest [secure.message@natwest.com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message

You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )

Please download your ecnrypted message at:

https://goo.gl/8AanL9


(Dropbox is a file hosting service operated by Dropbox, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4612.
I have seen three goo.gl URLs leading to three different download locations, as follows:

https://goo.gl/1dlcL3 leads to
http://webbedenterprisesinc.com/message/Document-6936124.zip

https://goo.gl/8AanL9 leads to
http://rollermodena.it/Document-2816409172.zip

https://goo.gl/pwgQID leads to
http://www.vetsaudeanimal.net/Document-9879091.zip

In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54. The Malwr report shows that this then downloads components from the following locations (hosted by OVH France):
http://94.23.247.202/1607h/HOME/0/51Service%20Pack%203/0/
http://94.23.247.202/1607h/HOME/1/0/0/
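As an added example (not from the original posts), the following Python check covers the archive naming pattern seen here and in the Birmingham Mail samples above: a ZIP whose member is an executable, often with a double extension such as .scr.exe or .eml.exe. The archive it inspects is constructed inline with dummy two-byte contents, not the real malware.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will run when the member is opened from the archive.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document-like extensions used as the decoy half of a double extension.
DECOY_EXTS = {".eml", ".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for members that look like executables,
    flagging double extensions such as .eml.exe or .scr.exe separately."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if not base:  # directory entry such as "folder/"
                continue
            parts = base.lower().split(".")
            if len(parts) < 2:
                continue
            ext = "." + parts[-1]
            if ext not in EXEC_EXTS:
                continue
            inner = "." + parts[-2] if len(parts) >= 3 else ""
            if inner in DECOY_EXTS or inner in EXEC_EXTS:
                findings.append((name, f"double extension {inner}{ext}"))
            else:
                findings.append((name, f"executable {ext}"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive whose member names follow the posts' samples;
    the contents are a dummy 'MZ' marker, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("original_letter_234389_193.scr.exe", b"MZ")
        zf.writestr("original_letter_234389_193.eml/"
                    "original_letter_234389_193.eml.exe", b"MZ")
        zf.writestr("Document-6936124.scr", b"MZ")
        zf.writestr("readme.txt", b"not interesting")
    return buf.getvalue()
```

Run `suspicious_members(build_sample_zip())` to see the three executables flagged and the text file ignored; the same function can be pointed at any attachment bytes pulled off a mail gateway.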


An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54. The Malwr report for that is inconclusive.

Recommended blocklist:
94.23.247.202
vetsaudeanimal.net
rollermodena.it
webbedenterprisesinc.com