Sponsored by..

Tuesday, 24 October 2017

Malware spam: "Order acknowledgement for BEPO/N1/380006006(2)"

A change to the usual Necurs rubbish, this fake order has a malformed .z archive file which contains a malicious executable with an icon to make it look like an Office document.

Reply-To:    purchase@animalagriculture.org
To:    Recipients [DY]
Date:    24 October 2017 at 06:48
Subject:    FW: Order acknowledgement for BEPO/N1/380006006(2)

Dear All,
Kindly find the attached Purchase order# IT/IMP06/06-17 and arrange to send us the order acknowledgement by return mail.

Note: Please expedite
the delivery as this item is very urgently required.


Regards,  Raj Kiran

(SUDARSHAN SS)  NAVAL SYSTEMS (S&CS)
BHARAT ELECTRONICS LIMITED  BANGALORE  PH:9180-22195857  BEL Website : www.bel-india.com SRM PORTAL :https://hpcrmp.iscodom.com/irj/portal



Every Sheets of paper is made from a tree.. Save trees... Conserve Trees.... Go Green .... Don't print this email or any Files unless you really need to!!!!
Confidentiality Notice


The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Bharat Electronics or support@bel.co.in immediately and destroy all copies of this message and any attachments.

Attached is a file Purchase order comfirmation.doc.z which contains a malicious executable Purchase order comfirmation.exe which currently has a detection rate of 12/66. It looks like the archive type does not actually match the extension..


If the intended target hides file extensions then it is easy to see how they could be fooled..

Incidentally, VirusTotal shows this information about the file:


Copyright: (c)1998 by RicoSoft
Product: System Investigation
Description: System Investigation for NT/9x
Original Name: SysInv2.exe
Internal Name: SysInv2
File Version:2.3.1.37
Comments: Freeware / Careware from RicoSoft

Obviously that's fake, but a bit of Googling around shows SysInv2.exe being used in other similar attacks.

The Hybrid Analysis for is a little interesting (seemingly identifying it as Loki Bot), showing the malware phoning home to:

jerry.eft-dongle.ir/njet/five/fre.php   (188.165.162.201 / Mizban Web Paytakht Co. Ltd., Iran)

Actually, the IP is leaded from OVH and claims to belong to dedicatedland.com in Birmingham, UK:

organisation:   ORG-MWPM1-RIPE
org-name:       Mizban Web Paytakht Mizban Web Paytakht
org-type:       OTHER
address:        55 Orion Building, 90 Navigation Street
address:        B5 4AA Birmingham
address:        GB
e-mail:         info@dedicatedland.com
abuse-mailbox:  info@dedicatedland.com
phone:          +44.7455017803
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2015-01-22T22:12:03Z
last-modified:  2015-01-22T22:12:03Z
source:         RIPE


The small 188.165.162.200/29 range is marked as "failover IPs".  The WHOIS for dedicatedland.com comes up with a bogus looking address in Massachusetts:

Registrant Email: info@dedicatedland.com
Registry Admin ID: Not Available From Registry
Admin Name: Mizban Web Paytakht LLC
Admin Organization: irnameserver.com
Admin Street: Newton Center 
Admin City: Newton Center
Admin State/Province: Massachusetts
Admin Postal Code: 00000
Admin Country: US
Admin Phone: +1.00000000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext: 


However RIPE show them as being in Tehran:
Mizban Web Paytakht Co. Ltd.

No.43, North Ekhtiyariyeh St, Ekhtiyariyeh Sqr
1958743611 Tehran
IRAN, ISLAMIC REPUBLIC OF

phone:   +98 2122587469
fax:  +98 2122761180
e-mail:  info (at) dedicatedland (dot) com
Anyway, if you are not interested in sending traffic to Iran, Mizban Web Paytakht own AS64428 which comprises of 185.165.40.0/22 as well. I'll make a guess that the 188.165.162.200/29 range
may be insecure and could be worth blocking.

The email itself originates from 104.171.114.204 which is allocated as follows:

CustName:       jason Richards
Address:        121 main street
City:           suffolk
StateProv:      VA
PostalCode:     23434
Country:        US
RegDate:        2017-01-16
Updated:        2017-01-16
Ref:            https://whois.arin.net/rest/customer/C06298370


You probably don't need to accept .z attachments at your mail perimeter, and any decent anti-spam tool should be able to look inside archives to determine was is in there.

Tuesday, 17 October 2017

Evil network: Fast Serv Inc / Qhoster.com

Checking these IOCs for this latest Flash 0-day came up with an interesting IP address of 89.45.67.107 which belongs to Fast Serv Inc aka Qhoster, probably of Bulgaria but masquerading themselves as a Belize outfit.

I came across Fast Serv / Qhoster a lot last year during the Angler EK epidemic, where they had entire ranges full of badness, often with no discernable legitimate sites at all. It turns out that I'd blocked the /24 a year ago as it was full of EK servers. The full analysis I did of Fast Serv / Qhoster Angler ranges can be found in these Pastebins: [1] [2] [3] [4] [5] [6] [7]

So, this Flash 0 day gave me a renewed impetus to identify these ranges and keep them the hell off my network. Luckily HE's BGP tool can identify most of the allocated IPs of a /24 size or larger [8] [9] plus a bit of infill from other sources.

I can't guarantee that these ranges are free of legitimate sites, but even a quick glance at some of the ranges (the BGP tool is quite good for this [10]) shows signs of obvious badness in almost all of them. Use at your own risk :)

Note that these ranges are across many different ASes and hosts, although AS201630 is allocated to Qhoster themselves.

5.104.105.192/26
37.157.253.64/26
46.102.152.0/24
46.102.252.0/23
85.204.74.0/24
86.104.15.0/24
86.105.1.0/24
86.105.5.0/24
86.105.18.0/24
86.105.227.0/24
86.106.93.0/24
86.106.102.0/24
86.106.131.0/24
89.32.40.0/24
89.33.64.0/24
89.34.111.0/24
89.35.178.0/24
89.37.226.0/24
89.42.212.0/24
89.43.60.0/24
89.43.202.0/23
89.44.103.0/24
89.45.67.0/24
92.114.35.0/24
92.114.92.0/24
93.113.45.0/24
93.115.38.0/24
93.115.201.0/24
93.117.137.0/24
93.119.123.0/24
94.177.12.0/24
94.177.123.0/24
103.197.160.0/22
138.204.168.0/22
141.255.160.48/28
146.0.43.64/26
168.227.36.0/24
168.227.37.0/24
168.227.38.0/24
168.227.39.0/24
176.223.111.0/24
176.223.112.0/24
176.223.113.0/24
176.223.165.0/24
185.77.128.0/24
185.77.129.0/24
185.77.130.0/24
185.77.131.0/24
188.213.204.0/24
188.215.92.0/24
188.241.39.0/24
188.241.68.0/24
220.158.216.0/22
2403:1480:1000::/36
2403:1480:9000::/36
2a05:6200::/32
2a05:6200:72::/48
2a05:6200:74::/48


Sunday, 8 October 2017

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk

This spam email is a scam:

Subject:       Help Your Child To Be A Professional Footballer.
From:       "FC Academy" [csa@sargas-tm.eu]
Date:       Sun, October 8, 2017 10:30 am
To:       "Recipients" [fcsa@sargas-tm.eu]
Priority:       Normal

Hello,
Does your child desire to become a professional footballer?

Our football academy are currently scouting for young football player to participate in 3-6 months training and  our main purpose is to recruit young and talented footballers to help become a great football  player in Life and become a great star .  Our agent will train and linked your child up with big clubs in United Kingdom and Europe.

We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.

Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.

If you want to help your child achieve their soccer dream, reply us for more information.
Best Regards,
CFAA.

At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:

Domain name:
        champ-footballacademyagency.co.uk

    Registrant:
        NELSON OZI

    Registrant type:
        Unknown

    Registrant's address:
        404 sapphire tower
        404 sapphire tower
        USA
        Kentucky
        97101
        United States

    Data validation:
        Nominet was not able to match the registrant's name and/or address against a 3rd party
source on 19-Sep-2017

    Registrar:
        Web4Africa Ltd. t/a Web4Africa [Tag = WEB4AFRICA-GH]
        URL: https://www.web4africa.net

    Relevant dates:
        Registered on: 19-Sep-2017
        Expiry date:  19-Sep-2018
        Last updated:  19-Sep-2017

    Registration status:
        Registered until expiry date.

    Name servers:
        dns1.yandex.net
        dns2.yandex.net

Disclaimer
WHOIS lookup made at 10:50:09 08-Oct-2017


There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:

svbfib.com
svbfibem.com
globalcreditsus.com

These all seem to be connected with an IP range 169.255.59.0/24 (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.

The spam email itself comes via another Russian server mail.elmeh.ru but this particular email originated from 103.207.37.101 in Vietnam. Replies to the champ-footballacademyagency.co.uk email would be set to mx.yandex.net which is in Russia again.

It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.

Thursday, 28 September 2017

Malware spam: "Emailing: Scan0xxx" from "Sales" delivers Locky or Trickbot

This fake document scan delivers different malware depending on the victim's location:

Subject:       Emailing: Scan0963
From:       "Sales" [sales@victimdomain.tld]
Date:       Thu, September 28, 2017 10:31 am


Your message is ready to be sent with the following file or link
attachments:

Scan0963


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a .7z file with a name matching the "Scan" part in the header and body text. MD5s of those seen so far (there may be more):

58B76A9DC942AF73CFADFAF764637A48
627A8A6C3F73365161B94ABF5472E5C0
8927AE38D6F84DF1940D0E13491015F9
1CD93386F4FD7D5771A8119C5E9E6C98
A406E870D20A5913B17C4F9D6D52CDCD
EB087BB59BEED8039FC7B7E48F099E79
1D94DC6ECAED3D33D840E61DDAD7AC07
FDB76F480AF0A8D01DA2E4A3098A549F
320401A216CC7A3BA6B9C12163B3EB60
1AC6D2DA56FAA27C60A22CFD2099435F
1BD79C90F2CC8390170A4D6231282328

Inside is a malicious VBS script (example) which exhibits a curious feature:


If you are in the UK, Australia, Ireland, Belgium or Luxembourg you get one binary [VT 12/64], everyone else gets another [VT 20/64]. My Online Security describes this in more detail - the first group get the Trickbot banking trojan and everyone gets Locky ransomware.

In the samples I saw, the Trickbot download locations were:

autoecole-jeanpierre.com/9hciunery8g?
autoecoleathena.com/9hciunery8g?
conlin-boats.com/9hciunery8g?
flooringforyou.co.uk/9hciunery8g?
fls-portal.co.uk/9hciunery8g?
fmarson.com/9hciunery8g?
freevillemusic.com/9hciunery8g?
geeks-online.de/9hciunery8g?
jakuboweb.com/9hciunery8g?
jaysonmorrison.com/9hciunery8g?
melting-potes.com/9hciunery8g?
sherylbro.net/p66/LUYTbjnrf
camerawind.com/9hciunery8g?


The Locky download locations:

americanbulldogradio.com/LUYTbjnrf?
anarakdesert.com/LUYTbjnrf?
atlantarecyclingcenters.com/LUYTbjnrf?
augustinechua.com/LUYTbjnrf?
classactionlawsuitnewscenter.com/LUYTbjnrf?
davidstephensbanjo.com/LUYTbjnrf?
e-westchesterpropertytax.com/LUYTbjnrf?
felicesfiestas.com.mx/LUYTbjnrf?
financeforautos.com/LUYTbjnrf?
mtblanc-let.co.uk/LUYTbjnrf?
plumanns.com/LUYTbjnrf?
poemsan.info/p66/d8743fgh
asnsport-bg.com/LUYTbjnrf?


There may be other locations too.

The following legitimate services are used for geolocation. They might be worth monitoring:

https://ipinfo.io/json
http://www.geoplugin.net/json.gp
http://freegeoip.net/json/


All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block or strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too.

UPDATE

A more complete list of download locations from a trusted source (thank you!)

ambrogiauto.com/9hciunery8g
autoecoleathena.com/9hciunery8g
autoecoleboisdesroches.com/9hciunery8g
autoecole-jeanpierre.com/9hciunery8g
camerawind.com/9hciunery8g
conlin-boats.com/9hciunery8g
feng-lian.com.tw/9hciunery8g
flooringforyou.co.uk/9hciunery8g
fls-portal.co.uk/9hciunery8g
fmarson.com/9hciunery8g
freevillemusic.com/9hciunery8g
geeks-online.de/9hciunery8g
givensplace.com/9hciunery8g
jakuboweb.com/9hciunery8g
jaysonmorrison.com/9hciunery8g
melting-potes.com/9hciunery8g
patrickreeves.com/9hciunery8g
sherylbro.net/p66/LUYTbjnrf

americanbulldogradio.com/LUYTbjnrf
anarakdesert.com/LUYTbjnrf
asnsport-bg.com/LUYTbjnrf
astilleroscotnsa.com/LUYTbjnrf
atlantarecyclingcenters.com/LUYTbjnrf
augustinechua.com/LUYTbjnrf
classactionlawsuitnewscenter.com/LUYTbjnrf
davidstephensbanjo.com/LUYTbjnrf
essenza.co.id/LUYTbjnrf
evlilikpsikolojisi.com/LUYTbjnrf
e-westchesterpropertytax.com/LUYTbjnrf
felicesfiestas.com.mx/LUYTbjnrf
financeforautos.com/LUYTbjnrf
fincasoroel.es/LUYTbjnrf
kailanisilks.com/LUYTbjnrf
mediatrendsistem.com/LUYTbjnrf
modaintensa.com/LUYTbjnrf
mtblanc-let.co.uk/LUYTbjnrf
plumanns.com/LUYTbjnrf
poemsan.info/p66/d8743fgh

Tuesday, 26 September 2017

Malware spam: "AutoPosted PI Notifier"

This spam has a .7z file leading to Locky ransomware.
From:      "AutoPosted PI Notifier" [NoReplyMailbox@redacted.tld]
Subject:      Invoice PIS9344608
Date:      Tue, September 26, 2017 5:29 pm

Please find Invoice PIS9344608 attached.
The number referenced in the spam varies, but attached is a .7z archive file with a matching filename. In turn, this contains one of a number of malicious VBS scripts (like this) that download an executable from one of the following locations (thanks to a trusted source for these):

camerawind.com/jkhguygv73
envirotambang.com/jkhguygv73
fianceevisa101.com/jkhguygv73
fiancevisacover.com/jkhguygv73
financeforautos.com/jkhguygv73
fincasoroel.es/jkhguygv73
fmarson.com/jkhguygv73
formareal.com/jkhguygv73
fwbcondo.com/jkhguygv73
gaestehaus-im-vogelsang.de/jkhguygv73
gbvm.nl/jkhguygv73
geeks-online.de/jkhguygv73
playbrief.info/p66/jkhguygv73

The dropped file currently has a detection rate of 21/63. There are no C2s.

Thursday, 21 September 2017

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject:       Invoice RE-2017-09-21-00794
From:       "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date:       Thu, September 21, 2017 9:21 am
Priority:       Normal

------------- Begin message -------------

Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace

==



[commMgrHmdToken:EVDOOCETFBECA]

------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid
for through our Amazon Payments system via our Shopping Cart or 1-Click. Our
Guarantee does not cover any payments that occur off Amazon.co.uk including wire
transfers, money orders, cash, check, or off-site credit card transactions.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=3149571).



[commMgrTok:EVDOOCETFBECA]
Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58 and they can been seen attempted to download a component from:

ahlbrandt.eu/IUGiwe8?
fulcar.info/p66/IUGiwe8
accuflowfloors.com/IUGiwe8?
aetozi.gr/IUGiwe8?
agricom.it/IUGiwe8?


An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1] [2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).

UPDATE - additional download locations:
81552.com/IUGiwe8
adr-werbetechnik.de/IUGiwe8
afmance.it/IUGiwe8
afradem.com/IUGiwe8
agriturismobellaria.net/IUGiwe8
agro-kerler.de/IUGiwe8
moonmusic.com.au/IUGiwe8

Monday, 18 September 2017

Malware spam: "Status of invoice" with .7z attachment

This spam leads to Locky ransomware:

Subject:       Status of invoice
From:       "Rosella Setter" ordering@[redacted]
Date:       Mon, September 18, 2017 9:30 am

Hello,

Could you please let me know the status of the attached invoice? I
appreciate your help!

Best regards,

Rosella Setter

Tel: 206-575-8068 x 100

Fax: 206-575-8094

*NEW*   Ordering@[redacted].com

* Kindly note we will be closed Monday in observance of Labor Day *


The name of the sender varies. Attached is a .7z arhive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename (examples here and here).


Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:





yildizmakina74.com/87thiuh3gfDGS?
miliaraic.ru/p66/87thiuh3gfDGS?
lanzensberger.de/87thiuh3gfDGS?
web-ch-team.ch/87thiuh3gfDGS?
abelfaria.pt/87thiuh3gfDGS?

An executable is dropped with a detection rate of 19/64 which Hybrid Analysis shows is phoning home to:

91.191.184.158/imageload.cgi (Monte Telecom, Estonia)
195.123.218.226/imageload.cgi (Layer 6, Bulgaria)


.7z files are popular with the bad guys pushing Locky at the moment. Blocking them at your mail perimiter may help.

Recommended blocklist:
195.123.218.226
91.191.184.158