Thursday, 23 June 2016

Malware spam: "Final version of the report" probably leads to Locky

This spam leads to malware:

From:    Julianne Pittman
Date:    23 June 2016 at 09:48
Subject:    Final version of the report

Dear info,

Patrica Ramirez asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Patrica know if you have any questions about the contents of the report.


Kind regards


Julianne Pittman
Operations Director (CEO Designate)
The names in each version of the email vary. Attached is a ZIP file whose filename contains some version of the recipient's email address and the word "report"; it contains in turn a malicious .js script whose filename begins with the word "unpaid".

The payload is not known at this time and analysis is pending, but is likely to be Locky ransomware similar to this.

UPDATE 1

Hybrid Analysis of three sample scripts [1] [2] [3] shows three download locations (you can bet there will be many more):

bptec.ir/kvk9leho
promoresults.com.au/gx4al
boranwebshop.nl/ggc7ld


Each one drops a slightly different binary (VirusTotal results [4] [5] [6]) but at the moment automated analysis is inconclusive [7] [8] [9] [10] [11] [12]. I will try to post the C2 servers here if I get them.

UPDATE 2

A trusted third-party analysis shows the following download locations (thank you!):

C2 servers are at:

51.254.240.48 (Rackspace, US)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


The malware uses the path /upload/_dispatch.php on the C2 servers.

Recommended blocklist:
51.254.240.48
91.219.29.41
217.12.223.88
195.123.209.227
93.170.169.188

/upload/_dispatch.php
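As an added example (not code from the original post), here is a Python check that turns the indicators above (the C2 addresses, the /upload/_dispatch.php path and the three UPDATE 1 download hosts) into a proxy-log scan, and pairs a payload download with a later check-in from the same client. The log lines are constructed, and the 300-second pairing window is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted in the post: C2 addresses, C2 path, UPDATE 1 download hosts.
LOCKY_C2_IPS = {"51.254.240.48", "91.219.29.41", "217.12.223.88",
                "195.123.209.227", "93.170.169.188"}
LOCKY_C2_PATH = "/upload/_dispatch.php"
PAYLOAD_HOSTS = {"bptec.ir", "promoresults.com.au", "boranwebshop.nl"}

# Constructed proxy log (not real traffic): epoch, client IP, method, URL, status.
SAMPLE_LOG = """\
1466675123 10.1.2.33 GET http://promoresults.com.au/gx4al 200
1466675131 10.1.2.33 POST http://91.219.29.41/upload/_dispatch.php 200
1466675140 10.1.2.57 GET http://www.example.com/index.html 200
1466675155 10.1.2.33 POST http://203.0.113.9/upload/_dispatch.php 200
1466675170 10.1.2.80 GET http://51.254.240.48/ 200
malformed line that the parser must skip
"""


def parse_line(line):
    """Split one log line into a dict, or return None if it does not fit."""
    fields = line.split()
    if len(fields) != 5 or not fields[0].isdigit():
        return None
    parts = urlsplit(fields[3])
    return {"ts": int(fields[0]), "client": fields[1],
            "host": parts.hostname or "", "path": parts.path}


def classify(rec):
    """Name the indicator a record matches, or None."""
    if rec["host"] in LOCKY_C2_IPS:
        return "known Locky C2 address"
    if rec["path"] == LOCKY_C2_PATH:
        # New C2 hosts appear between runs, so the path alone is worth flagging.
        return "Locky C2 check-in path on unlisted host"
    if rec["host"] in PAYLOAD_HOSTS:
        return "known payload download host"
    return None


def scan(log_text):
    """Return (client, host+path, reason) for every line matching an indicator."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reason = classify(rec)
        if reason:
            hits.append((rec["client"], rec["host"] + rec["path"], reason))
    return hits


def likely_infected(log_text, window=300):
    """Clients that fetched a payload host and then hit a C2 within `window`
    seconds: the check-in shows the downloaded binary actually ran."""
    downloads, checkins = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reason = classify(rec)
        if reason == "known payload download host":
            downloads[rec["client"]].append(rec["ts"])
        elif reason is not None:
            checkins[rec["client"]].append(rec["ts"])
    return {c for c in downloads
            if any(0 <= t2 - t1 <= window for t1 in downloads[c] for t2 in checkins[c])}
```

Run `scan(SAMPLE_LOG)` to list every indicator hit and `likely_infected(SAMPLE_LOG)` to get the clients worth isolating first.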

Wednesday, 22 June 2016

Malware spam: "Corresponding Invoice" leads to Locky

This spam has a malicious attachment, probably leading to Locky ransomware:

From:    Althea Duke
Date:    22 June 2016 at 16:00
Subject:    Corresponding Invoice

Dear lisa:

Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
contact me.

Also, our records show that we have not yet received payment for the previous order of 11 June,
so I would be grateful if you could send payment as soon as possible. Please find attached the
corresponding invoice.

If there is anything else you require, our company would be pleased to help. Looking forward to
hearing from you soon.

Yours sincerely

Althea Duke
Managing Director
Who the message is "from" varies from message to message, but the body text is the same. Analysis of the payload is pending, but it is probably similar to yesterday's Locky run.

UPDATE

A little bit of analysis, via these automated reports [1] [2] [3] [4] [5], shows some download locations as:

personal-architecture.nl/6gcpaey
ding-a-ling-tel.com/b289dg
plasticsmachine.com/d43ndxna
hyip-all.com/9qwmc65

Various files are dropped, including these samples [6] [7], the latter of which is a three-week-old version of Locky. Go figure. The comments in this report show C2 servers at:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
185.82.216.55 (ITL, Bulgaria)
93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


Three out of those four servers are the same as yesterday.

Recommended blocklist:
51.254.240.48
91.219.29.41
185.82.216.55
93.170.169.188

Tuesday, 21 June 2016

Malware spam: "Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter."

This malicious spam leads to Locky ransomware, something that we haven't seen for several weeks:

From:    Lilian Fletcher
Date:    21 June 2016 at 20:01
Subject:    Re:

Dear lisa:

Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter.

Hoping the above to your satisfaction, we remain.

Sincerely,
Lilian Fletcher
Head of Maintenance
These are being sent out in huge numbers at the moment. Details vary from message to message, but the body text is essentially the same. Attached is a ZIP file whose name contains one of the words addition, invoice or services plus the recipient's email address and a number (e.g. lisa_addition_278292.zip), containing a malicious script whose filename begins with the word "addition".

A trusted third-party analysis (thank you, you know who you are) shows download locations at:

Analysis by those parties shows that it phones home to:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
185.82.216.55 (ITL, Bulgaria)
217.12.223.83 (ITL, Ukraine)


As I mentioned before, this is Locky ransomware which has not been circulating at all since about 31st May.

Recommended blocklist:
51.254.240.48
91.219.29.41
185.82.216.55
217.12.223.83


Thursday, 16 June 2016

Spam: Dr Happy's Terrorism Conference

Fake conferences are a pretty common scam. The criminals send out spam about serious-looking upcoming conferences that don't exist and then rip victims off for travel costs, conference fees and hotel accommodation. This spam about a fake conference about terrorism caught my eye because it comes from the amusingly named (but fake) Dr Happy Wisdom:

From:    Dr. Happy [shreyag@bajajcapital.com]
Reply-To:    "Dr. Happy" [iedhsto.officedesk@gmail.com]
Date:    15 June 2016 at 23:24
Subject:    INTERNATIONAL CONFERENCE PROGRAM 2016

Dear Sir/Madam,

 On behalf of the International Economic Development on Human Security and Terrorism Organization, I am pleased to invite you to our conference that will be held from August 15th to 19th, 2016 @ the conference place in Dallas Texas USA and August 22nd-26th 2016 @ in Dakar Senegal. The conference meeting will contain various talks and mini workshops related to the issues of Challenges to Economic Development & Human Security in our society.

The topic of the conference is "The Effect of Terrorism on Global Economy and Human Security " the sponsors of this event shall cover your round-trip air tickets from your country to the USA and from USA to Dakar Senegal back to your country and we shall also provide visa assistance with the U.S Embassy in your country of residence and your ground transportation from the airport to the conference venue. The hotel accommodation booking cost will be your own responsibility in Republic of Senegal. Please contact the conference secretariat for more information and registration for participation: [iedhsto.officedesk@gmail.com].

We look forward to your confirmed presence at the conference.
Respectfully Yours,
Dr. Happy Wisdom,
Program Assistant.

The email does actually originate from an IP address in Senegal (41.82.15.40) but is then routed through a hacked server belonging to the domain bajajcapital.com, which is a finance company in India. The compromised email account can be seen in the "From" field.

At best this scam is some sort of financial fraud. At worst, turning up to it could put your life in danger. Avoid.


Friday, 10 June 2016

Malware spam: ". CARTÓRIO POSTAL. Apontamento de Protesto. 10/06/2016 17:42:46"

This Portuguese-language spam leads to malware:

From:    formacion@salesianos-madrid.com
Date:    10 June 2016 at 21:42
Subject:    . CARTÓRIO POSTAL. Apontamento de Protesto. 10/06/2016 17:42:46

We hereby inform you that the instrument attached below has been duly registered at this Notary Office to be protested.

Law No. 9.492 of 10 September 1997.
Art. 12. The protest shall be registered within three business days from the filing of the instrument or debt document.
§ 1 In counting the period referred to in the caput, the day of filing is excluded and the due date is included.

Please attend bearing this summons, between 8:00 and 17:00


Sincerely, Liliane peixoto.

The link in the email message in this case goes to:

www.sugarsync.com/pf/D3259546_878_449109824?directDownload=true

This downloads an executable PROTESTO.exe with a VirusTotal detection rate of 15/56. Automated analysis [1] [2] [3] shows it dropping a further executable OViLQKDS.exe which has a detection rate of 16/56. Analysis of that [4] [5] [6] is inconclusive, but it looks like some kind of information stealer.

Wednesday, 8 June 2016

Malware spam: "David Bernard agent Fedex" / "Secure-FeDex" leads to Andromeda

This fake FedEx (or FeDex?) spam has a malicious attachment:

From:    Secure-FeDex
Date:    8 June 2016 at 18:17
Subject:    David Bernard agent Fedex

Deаr [redacted] ,
We tried tо delivеr уour item on June 08th, 2016, 10:45 АM.
The delivеry attempt failеd because thе аddress was business сlоsed оr nobodу сould sign fоr it.
Тo piсk up the package, please, рrint the receipt that is аttаchеd to this еmаil and visit FеdEx
office indicated in the invoice. If the pасkagе is nоt piсkеd up within 24 hоurs, it will bе returnеd to thе shipper.
 
Receipt Number:  98402839289
Eхpесted Delivеrу Dаte: June 08th, 2016
Class: Intеrnаtional Paсkаge Sеrviсe
Servicе(s): Delivеrу Cоnfirmation
Status: Notifiсatiоn sent
 
Thank you for choosing our service
 
 
©  FedEх  1995-2016
Note that the message body substitutes Cyrillic look-alike letters for many of the Latin ones (for example in "Deаr" and "delivеr"), a common trick to defeat keyword filters. In this case there was an attachment FedEx_track_98404283928.zip which unzipped into a folder FedEx_track_98404283928 containing in turn a malicious script FedEx_track_98404283928.js which (according to Malwr) attempts to download a binary from one of the following locations:

www.brusasport.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.microsoft.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.mega.net/Brusa/vario/direct/teamviiverupdate2918372.exe
www.google.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.yahoo.com/Brusa/vario/direct/teamviiverupdate2918372.exe

Only the first one is a valid download location; the rest are a smokescreen. The dropped binary has a detection rate of 5/56 but automated analysis [1] [2] [3] is inconclusive. However, those reports do seem to indicate attempted network traffic to:

secure.adnxs.metalsystems.it
upfd.pilenga.co.uk


These two subdomains appear to have been hijacked from unrelated Register.IT customers and are hosted on a questionable-looking customer of OVH Italy on 188.165.157.176:

organisation:   ORG-NQ1-RIPE
org-name:       Kitdos NOC
org-type:       OTHER
address:        UNKNOW
address:        UNKNOW UNKNOW
address:        US
e-mail:         kitdos.com@gmail.com
abuse-mailbox:  kitdos.com@gmail.com
phone:          +33.188866688
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-02-04T03:22:05Z
last-modified:  2016-02-23T13:14:14Z
source:         RIPE


Other hijacked subdomains on the same IP are:


This Tweet from @pancak3lullz indicates that this IP is associated with Andromeda rather than the usual recent patterns of Locky or Dridex (which has, err, dried up recently). It appears to have been a malicious IP for more than a month.

Of interest is that almost every part of this chain (including the spam sending IP of 31.27.229.22) is in Italy.

As with a great deal of recent spam, this is delivered via a .js script in a ZIP file. If you can configure your mail filters to reject such things then you will be a whole lot safer.
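The recurring pattern in this post and in the 21 and 23 June posts above is a ZIP attachment wrapping a .js script. As an added illustration of the mail-filter check recommended here (not code from the original post), this Python routine opens each ZIP attachment of a message, including a ZIP nested inside a ZIP, and reports any script members; the test message is constructed to resemble the 21 June lure, and the extension list beyond .js is an assumption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .js is what these campaigns ship; the other extensions are an assumption
# about related script lures and can be trimmed to local policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
MAX_NESTING = 2  # also look inside a ZIP nested in a ZIP (an assumed variant)


def make_zip(members):
    """Build a ZIP in memory from {member_name: bytes_or_str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def script_members(zip_bytes, prefix="", depth=0):
    """Names of script files inside a ZIP, descending into nested ZIPs."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return found  # not a ZIP after all (or corrupt): nothing to report
    for info in zf.infolist():
        if info.is_dir():
            continue
        lower = info.filename.lower()
        if lower.endswith(".zip") and depth < MAX_NESTING:
            inner = prefix + info.filename + "!"
            found += script_members(zf.read(info), inner, depth + 1)
        elif any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            found.append(prefix + info.filename)
    return found


def flag_script_attachments(raw_message):
    """Parse an RFC 822 message; return (attachment, member) for every
    script found inside a ZIP attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too: a ZIP renamed to .dat is still a ZIP.
        if fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            hits += [(fname, m) for m in script_members(payload)]
    return hits


def build_sample():
    """Constructed lure shaped like the 21 June run (not a real sample):
    lisa_addition_278292.zip holding addition_278292.js."""
    msg = EmailMessage()
    msg["From"] = "Lilian Fletcher <sender@example.invalid>"
    msg["To"] = "lisa@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content("Please find attached our invoice for services rendered.")
    msg.add_attachment(make_zip({"addition_278292.js": "// placeholder\n"}),
                       maintype="application", subtype="zip",
                       filename="lisa_addition_278292.zip")
    return msg.as_bytes()
```

`flag_script_attachments(build_sample())` returns the offending attachment and member name; a non-empty result is the signal to reject the message at the gateway.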

Recommended blocklist:
188.165.157.176/30


Malware spam: "Good morning" résumé spam drops Cerber ransomware and makes a statement

This fake résumé spam leads to malware:

From:    Dora Bain
Date:    7 June 2016 at 03:37
Subject:    Good morning

What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.

With gratitude,

--
Dora Bain
In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes which tries to make a political statement along the way.


This downloads a file from 80.82.64.198/subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe, for which VirusTotal gives a detection rate of 20/56 and an overall diagnosis of Cerber ransomware.

The IP address 80.82.64.198 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24, which could be a good candidate to block. Incidentally, the IP hosts best-booters.com which is likely to be a DDoS-for-hire site.

According to the VT report the malware scans for a response on port 6892 on the IP addresses 85.93.0.0 through to 85.93.63.255. However, this Hybrid Analysis indicates that the only server to respond is on 85.93.0.124 (GuardoMicro SRL, Romania) which is part of the notoriously bad 85.93.0.0/24 which is a good thing to block.

That report also shows traffic to ipinfo.io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.

Recommended blocklist:
80.82.64.0/24
85.93.0.0/24



Tuesday, 31 May 2016

Malware spam: "New Company Order" / "ABC Import & Export,LLC"

This fake financial spam leads to malware:

From:    accounting@abcimportexport.com
Reply-To:    userworldz@yahoo.com
To:    Recipients [accounting@abcimportexport.com]
Date:    31 May 2016 at 12:31
Subject:    New Company Order

Good Day,

Find the attached specifications in the purchase order for our company mid year order & projects before sending your Proforma Invoice and do get back to me with your quotations asap.
An Official order placement will follow as soon as possible.
CLICK HERE TO DOWNLOAD & VIEW PURCHASE ORDER IF DOESNT WORK THEN CLICK HERE TO DOWNLOAD SECURE PURCHASE ORDER 
https://gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip
Attention! This document was created with a newer version of Microsoft Word.. Please click Enable Content or Macro to view the content of our order
Best Regards,
Ameen La Binish
Purchasing Dept

ABC Import & Export,LLC 2534 Royal Lane
Suite # 205
Dallas,Texas 75229
USA
Toll Free : 1-800-666-5874
Office Main Line : 1-214-966-2627
Office Reception : 1-214-985-1696
Fax : 1-972-243-7275
Email:
Sales@abcimportexports.co
Website: http://abcimportexport.com
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
The link in the email message goes to gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip. This contains a malicious executable scan purchase orders.exe which has a detection rate of 3/56. That VirusTotal report and these other analyses [1] [2] [3] show network traffic to:

185.5.175.211 (Voxility SRL, Romania)

This executable drops another similar EXE [4] [5] [6] [7] which phones home to the same IP. Between them, these reports indicate some sort of keylogger. There seems to be little if anything of value in this /24, so I would recommend blocking 185.5.175.0/24.

Malware spam: "You have 1 new message from bank manager. To read it, please open the attachment down below. "

This fake financial spam has a malicious attachment:

From:    Lanna Weall
Date:    31 May 2016 at 12:18
Subject:    New Message from your bank manager

You have 1 new message from bank manager. To read it, please open the attachment down below. 
In the sample I saw there was an attachment see_it_77235678.zip containing a malicious script warning_letter_Bdrh5W.js (detection rate 4/57) and the Malwr analysis of that sample shows that it downloads a binary from:

pvprojekt.pl/oLlqvX

The dropped binary is Locky ransomware with a detection rate of 4/56. All those reports plus these analyses [1] [2] [3] show network traffic to:

85.17.19.102 (Leaseweb, Netherlands)
195.154.69.90 (Iliad Entreprises, France)
93.170.123.60 (PE Gornostay Mikhailo Ivanovich / time-host.net, Ukraine)


A trusted source (thank you) indicated that there was an earlier Locky campaign today with the following download locations:

Recommended blocklist:
85.17.19.102
195.154.69.90
93.170.123.60