Sponsored by..

Tuesday, 20 September 2016

Evil network: 178.33.217.64/28 et al (evolution-host.com, customer of OVH)

This customer of OVH appears to be registered with fake details, and are distributing malware via a block at 178.33.217.64/28. Currently, the following IPs are distributing some sort of unidentified exploit kit:

178.33.217.64
178.33.217.70
178.33.217.71
178.33.217.78
178.33.217.79

A list of the domains associated with those IPs can be found here [pastebin].

OVH have allocated the IP range to this customer:

organisation:   ORG-JR46-RIPE
org-name:       Jason Reily
org-type:       OTHER
address:        32 Oldfarm Road
address:        GB21DB London
address:        GB
e-mail:         ourbills@evolution-host.com
abuse-mailbox:  ourbills@evolution-host.com
phone:          +353.8429143
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-05-24T18:16:03Z
last-modified:  2016-05-24T18:16:03Z
source:         RIPE


There is no such address in London, the postcode is obviously invalid and the telephone number appears to be an Irish mobile phone. Checking the evolution-host.com domain reveals something similar:

Registrant Name: OWEN PHILLIPSON
Registrant Organization: EVOLUTION HOST
Registrant Street: 24 OLDFARM ROAD
Registrant City: LONDON
Registrant State/Province: LONDON
Registrant Postal Code: SW19 3RQ
Registrant Country: GB
Registrant Phone: +353.851833708
Registrant Phone Ext:
Registrant Fax: +44.7479012225
Registrant Fax Ext:
Registrant Email: info@evolutionhost.co.uk
Registry Admin ID: 


Again, an invalid address with a different street number from before and an Irish telephone number. We can look at evolutionhost.co.uk too..

    Registrant:
        Owen Phillipson

    Registrant type:
        UK Sole Trader

    Registrant's address:
        24 Oldfarm Road
        London
        London
        SW19 3RQ
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data
source on 09-Feb-2014


Obviously Nominet's validation process isn't worth rat shit. The Evolution Host website appears to have no contact details at all.

RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block all of them:

91.134.220.108/30
92.222.208.240/28
149.202.98.244/30
176.31.223.164/30
178.33.217.64/28


UPDATE

A contact says that IP listed at the beginning of the post are the Neutrino Exploit Kit.

Malware spam: "Tracking data" leads to Locky

This spam has a malicious attachment leading to Locky ransomware:

From:    Loretta Gilmore
Date:    20 September 2016 at 08:31
Subject:    Tracking data


Good afternoon [redacted],

Your item #9122164-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.



The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.


The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name.

Analysis of the attachments is pending.

UPDATE

Hybrid Analysis of various samples [1] [2] [3] [4] shows the script downloading from various locations:

akinave.ru/ckk7y
solenapeak.com/ha4n2
vetchsoda.org/uemmdt
akinave.ru/1e11lhrk


All of these are hosted on:

178.212.131.10 (21 Century Telecom Ltd, Russia)
95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)


The malware then phones home to the following locations:

91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx.xyz/data/info.php  [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)

A DLL is dropped with a detection rate of 13/57.

Recommended blocklist:
178.212.131.10
95.173.164.205
91.223.88.0/24
46.38.52.225
195.64.154.202

Monday, 19 September 2016

Malware spam: "Order: 28112610/00 - Your ref.: 89403" leads to Locky

This fake financial spam has a malicious attachment that leads to Locky ransomware.

Subject:     Order: 28112610/00 - Your ref.: 89403
From:     Melba lochhead (SALES1@krheadshots.com)
Date:     Monday, 19 September 2016, 16:05

Dear customer,

Thank you for your order.

Please find attached our order confirmation.

Should you be unable to open the links in the document, you can download the latest version of Adobe Acrobat Reader for free via the following link: http://www.adobe.com/products/acrobat/readstep2.html

Should you have any further questions, do not hesitate to contact me.


Kind Regards,

Melba lochhead
Internal Sales Advisor - Material Handling Equipment Parts & Accessories

SALES1@krheadshots.com

TVH UK LTD
UNIT 17 PARAGON WAY • GB-CV7 9QS EXHALL, COVENTRY
T 02476 585 000 • F 02476 585 001 www.tvh-uk.co.uk
Watch our company movies on www.tvh.tv



Take our forklift and aerial work platform challenge!
Identify 10 brands by their machines. Be the fastest and win great prizes! Click on the image to start the quiz.

I have only seen a single sample so far, but I understand that reference numbers and names vary. Attached is a malicious .DOCM file with a name in the format OffOrd_87654321-00-1234567-654321.docm , my trusted source says that the various versions download a component from:

bernardchandran.com/67SELbosjc358
bobneal.net/67SELbosjc358
burgeoservise.ru/67SELbosjc358
dirkdj.nl/67SELbosjc358
emperesseconcierge.com/67SELbosjc358
extramileteam.com/67SELbosjc358
fernandoarias.org/67SELbosjc358
festivaldhamaka.com/67SELbosjc358
fungasoap.net/67SELbosjc358
grupoalana.com/67SELbosjc358
hellolanguage.com/67SELbosjc358
heritagebaptistchurch.ca/67SELbosjc358
hotelcelnice.cz/67SELbosjc358
judgedeborahshallcross.com/67SELbosjc358
kursustokoonline.net/67SELbosjc358
lomtalay.com/67SELbosjc358
ncmartec.org/67SELbosjc358
omeryilmaz.com/67SELbosjc358
puchipuchivirus.com/67SELbosjc358
sadek-music.com/67SELbosjc358
scanarchives.com/67SELbosjc358
seokonya.com/67SELbosjc358
techscape4.com/67SELbosjc358
thaihomecondo.com/67SELbosjc358
win88id.com/67SELbosjc358
zheng-du.com/67SELbosjc358


It drops a DLL which had a moderate detection rate earlier. This version of Locky does not communicate with C2 servers, so if you want to block or monitor traffic perhaps you should use the string 67SELbosjc358.

Malware spam: "Express Parcel service" leads to Locky

This spam has a malicious attachment:

From:    Marla Campbell
Date:    19 September 2016 at 09:09
Subject:    Express Parcel service

Dear [redacted], we have sent your parcel by Express Parcel service.

The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.


Thank you.
Attached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing.

The Hybrid Analysis for one sample shows a download location of:

178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)

There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:

195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra.pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)

It drops a DLL with a detection rate of 8/54.

UPDATE

These Hybrid Analysis reports of other samples [1] [2] [3] [4] [5] show other download locations at:

roxieimshi.com/eppmn
roxieimshi.com/y4lf1neg
foveawaac.net/yjmaazj
foveawaac.net/wzwzjply
merofid.com/zn6mcj


All of these domains are hosted on evil IPs:

178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)


These domains are all related and should be considered malicious:

duelrid.com
merofid.com
pradran.com
adzebury.com
amrastacy.com
bulkreasy.com
sternhala.com
gobantakao.com
roxieimshi.com
tearyrecce.com
wyvesnarl.info
aborik.net
ecadxyst.net
maydayen.net
ponggirr.net
foveawaac.net
normadnex.net
pawlrubia.net
pradkevyn.net
satyrwelf.net
vernpucka.net
yerndrunk.net
latexuchee.net
maggycocoa.net
moismdheri.net
rokerlelia.net
sparmsov.org
citmowra.in
swagpaty.in


Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10

91.194.250.131

The last one listed in italics is part of the update.


Friday, 16 September 2016

Locky download locations 2016-09-16

I haven't had a chance to look at Locky today, but here are the current campaign download locations (thanks to my usual source)..


1express.com.sg/54JHbjgcDLG
24hourprintshop.com/54JHbjgcDLG
46709394.com/54JHbjgcDLG
adityastar.com/54JHbjgcDLG
akademistcicek.com/54JHbjgcDLG
all4supply.com/54JHbjgcDLG
apro88.com/54JHbjgcDLG
bsm.sk/54JHbjgcDLG
chelsea-west.com/54JHbjgcDLG
criar-meu-site.com/54JHbjgcDLG
curlysol.com/54JHbjgcDLG
demo.website.pl/54JHbjgcDLG
graveyardsofmilwaukee.org/54JHbjgcDLG
helpmybathroom.com/54JHbjgcDLG
hollystamps.com/54JHbjgcDLG
honeydavis.us/54JHbjgcDLG
inovsol.com/54JHbjgcDLG
islamiccollege.org/54JHbjgcDLG
jsydjc.com/54JHbjgcDLG
lv-nexis.com/54JHbjgcDLG
mclodesigns.com/54JHbjgcDLG
miamilimosina.com/54JHbjgcDLG
mudelts.com/54JHbjgcDLG
mytourbid.com/54JHbjgcDLG
paraspokeri.net/54JHbjgcDLG
psychquiz.com/54JHbjgcDLG
qarmoo.com/54JHbjgcDLG
rentvspb.ru/54JHbjgcDLG
sadeqmedia.com/54JHbjgcDLG
salemwitchcat.com/54JHbjgcDLG
samenart.com/54JHbjgcDLG
sds-india.org/54JHbjgcDLG
shopmjn.com/54JHbjgcDLG
sinergica.cl/54JHbjgcDLG
swivelsrus.com/54JHbjgcDLG
tobybender.com/54JHbjgcDLG
travelvoice.com/54JHbjgcDLG
urachart.com/54JHbjgcDLG
wordpresshosting.co.il/54JHbjgcDLG
xsolution.sk/54JHbjgcDLG

1natureresort.com/afdIJGY8766gyu
allovercoupon.com/afdIJGY8766gyu
bet4good.org/afdIJGY8766gyu
bigfishcasting.com/afdIJGY8766gyu
charlcote1.net/afdIJGY8766gyu
credit-it.com/afdIJGY8766gyu
delicefilm.com/afdIJGY8766gyu
dendang.net/afdIJGY8766gyu
discoverstillwater.com/afdIJGY8766gyu
eiti.co.il/afdIJGY8766gyu
electua.org/afdIJGY8766gyu
espaciosamadhi.com/afdIJGY8766gyu
fenwaycourier.com/afdIJGY8766gyu
gearstuff.net/afdIJGY8766gyu
hawaiipoliticalinfo.org/afdIJGY8766gyu
iandistudio.com/afdIJGY8766gyu
iassess.net/afdIJGY8766gyu
insideinsights.net/afdIJGY8766gyu
insieutoc.com/afdIJGY8766gyu
jxbestextile.com/afdIJGY8766gyu
keratin.sk/afdIJGY8766gyu
kf-design.com/afdIJGY8766gyu
lacumpa.biz/afdIJGY8766gyu
lowcostveterinarios.com/afdIJGY8766gyu
lullaby-babies.co.uk/afdIJGY8766gyu
lusanmaster.com/afdIJGY8766gyu
mika.tohmon.com/afdIJGY8766gyu
mumbomedia.nl/afdIJGY8766gyu
ocscexpo.net/afdIJGY8766gyu
oliveservicedapartments.com/afdIJGY8766gyu
onefilmy.com/afdIJGY8766gyu
pasbardejov.sk/afdIJGY8766gyu
rimpro.ru/afdIJGY8766gyu
salarypra1.net/afdIJGY8766gyu
sandpiperchorus.us/afdIJGY8766gyu
sapanboon.com/afdIJGY8766gyu
techboss.net/afdIJGY8766gyu
tommylam.com/afdIJGY8766gyu
trudprom.ru/afdIJGY8766gyu
zharikoff.ru/afdIJGY8766gyu

bulkreasy.com/7e5a7
bulkreasy.com/8tl3rmh
bulkreasy.com/905jscb
bulkreasy.com/c3vaho
bulkreasy.com/oqn8p
maggycocoa.net/8i00a
maggycocoa.net/i9uje
maggycocoa.net/uml71ij
maggycocoa.net/z8xl3w7q
maggycocoa.net/zi6mrx
yerndrunk.net/esab0
yerndrunk.net/ez5jqc0n
yerndrunk.net/nhddf4gt
yerndrunk.net/t43anq3
yerndrunk.net/yk5vx6i

The first two lists are legitimate hacked sites, the last list are hosted on the following two IPs which are definitely worth blocking:


178.212.131.10 (21 Century Telecom Ltd, Russia)
37.200.70.6 (Selectel Ltd, Russia)

Inspiral Carpets hacked, leads to The Quantum Code binary options spam

This type of binary options scam spam comes in waves every so often:

Subject:     Welcoming speech
From:     jeffriesvx@mail2nancy.com
Date:     Friday, 16 September 2016, 3:31

Good day!

We are looking for employees working remotely.

My name is Glen, I am the personnel manager of a large International company.
Most of the work you can do from home, that is, at a distance.
Salary is $2600-$5500.

If you are interested in this offer, please visit Our Site

Good day!

It's not very interesting to tell the truth, but it relies on hacked WordPress sites in order to provide landing pages. Of course, hacking someone's site to do this is illegal and no legitimate business would promote itself like this.

What I noticed was the URL in the email..
inspiralcarpets.com/super/wp-content/themes/twentyfifteen/genericons/
Inspiral Carpets? Yup, that's the website of the Manchester rock band of the same name. Rather than a carpet shop. As this URLquery report shows, it lands on..

cash-onlines.com [172.246.233.55] (Enzu, US)

There's a familiar landing page..


Clicking the link goes to www.the-quantumcode.com hosted on 31.220.0.35 (Terratransit, Netherlands). This is some bollocks about a binary options trading robot which will apparently make you millions. Obviously this is a scam, because if it was really that easy we'll all be doing it.

One little scammy trick is a counter to tell you that loads of people are looking at the site but there are only a small number of slots available.

The numbers are completely made up. If you look exactly the same page in another browser window, they are different.


It's hard to say if the spam was sent out by whoever runs the binary options site or an affiliate. But it's still crap either way.

Hosted on the same server are the following domains which are probably more of the same plus a load of other bollocks:

15kin15minutes.com
altronix-app.com
altronix-app.net
altronixapp.net
beautifulasians.net
beckdietsolution.biz
blogtipsntricks.net
channel78news.com
channel818news.com
channel988news.com
clickcashformula.com
clickcashformulareview.com
cloudcliks.com
crescendobot.com
deliciouslyella.net
fannetasticfood.net
fasttrackprofits.net
freeteethwhitenings.co
gopsusports.net
healthbeatblog.net
heartifb.biz
hgspanel.com
hostingtosuccess.com
instantcashmarket.com
ironmantips.co
jeffbullas.net
jmusportsblog.us
jonbarron.me
liedetectorreview.biz
liedetectorreview.com
liedetectorreviews.com
makeyourbodywork.net
michaelcrawfordclub.com
millnaire-blueprint.com
myliedetectorreview.com
newskincaretips.org
perpetualformula.com
russianhotties.co
smallbiztrends.us
snapcreativity.net
startofhappiness.biz
the-orioncode.com
the-orioncode.net
the-orioncode.org
the-quantumcode.co
the-quantumcode.com
themillblueprint.com
thequantum-code.com
thequantum-code.net
thequantum-code.org
thequantumcode.biz
thequantumcode.co
thequantumreview.com
thezerolossformula.biz
thezerolossformula.net
thezerolossformula.org
upgradeforbonus.com
zerolossformula.biz
zerolossformula.net
zlformula.net


Avoid.

Malicious domains to block 2016-09-16

These domains are part of a cluster, some of with are serving the EITEST RIG exploit kit (similar to that described here). They all share nameservers running on 62.75.167.186 and 62.75.167.187.

kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com

blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
pronetanaliz.info
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net

aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org

outsecurety.pw
kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
bwl2rola3cpm.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com

blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
businessprofessionalzgroup.com
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net

aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org

siteanalytics.pro
pronetanaliz.info

The EK domains are running on a botnet (those are listed in italics). The other domains seem to serve some other sort of nastiness. Those IPs form part of a range rented from Host Europe Group consisting of the following IPs:

62.75.167.186
62.75.167.187
62.75.167.188
62.75.167.189
62.75.167.190

This is roughly analogous to 62.75.167.184/29 which might be worth blocking, but note that won't stop IP traffic to the EK domains which are on different IPs. These IPs are allocated to:

person:         Vasiliy Buyanov
address:        Tereshkovoy 37
address:
address:        664000 Irkutsk
address:        Russia
phone:          +7 901 6508840
e-mail:         admin@realhosters.com
nic-hdl:        VB5472-RIPE
remarks:        5408042
abuse-mailbox:  admin@realhosters.com
mnt-by:         BSB-SERVICE-MNT
created:        2015-10-07T08:35:50Z
last-modified:  2015-10-07T08:35:50Z
source:         RIPE



Tuesday, 13 September 2016

Malware spam: "Attached is the tax invoice of your company. Please do the payment in an urgent manner." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Tax invoice
From:     Kris Allison (Allison.5326@resorts.com.mx)
Date:     Tuesday, 13 September 2016, 11:22

Dear Client,

Attached is the tax invoice of your company. Please do the payment in an urgent manner.


Best regards,
Kris Allison
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:

adzebur.com/dsd7gk  [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
            [78.212.131.10] (21 Century Telecom Ltd, Russia)
            [31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f   [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
            [23.95.106.223] (New Wave Netconnect, US)
            [23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]

The payload then phones home to:

91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php   [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php   [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php


Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71


UPDATE: further analysis gives these other IPs to block..

78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116

Monday, 12 September 2016

Malware spam: "Budget report" leads to Locky (and also evil network on 23.95.106.128/25)

This fake financial spam leads to Locky ransomware:

From:    Lauri Gibbs
Date:    12 September 2016 at 15:11
Subject:    Budget report

Hi [redacted],

I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.


With many thanks,
Lauri Gibbs
Attached is a randomly-named ZIP file which in sample I saw contained two identical malicious scripts:

921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js


The scripts are highly obfuscated however the Hybrid Analysis and Malwr report show that it downloads a component from:

lookbookinghotels.ws/a9sgrrak
trybttr.ws/h71qizc


These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked.

A DLL is dropped with a detection rate of about 8/57 [3] [4] which appears to phone home to:

51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte.ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy.ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)

Incidentally, the registrant information on the bad domains is also very familiar:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:



Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101


UPDATE - 2016/06/13

A list of the sites currently hosted on 23.95.106.128/25 and their SURBL ratings can be found here.



Friday, 9 September 2016

Malware spam: "Order Confirmation xxxxx" leads to Locky

This fake financial spam leads to malware:

From:    Ignacio le neve
Date:    9 September 2016 at 10:31
Subject:    Order Confirmation 355050211

--
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.
The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip.

Contained within the ZIP file is a malicious .HTA script with a random name (example). This simply appears to be an encapsulated Javascript.

Analysis is pending, my trusted source (thank you) says that the various scripts download from one of the following locations:

adasurgical.com/7832ghd
agileprojects.ro/7832ghd
anatoliamaket.com/7832ghd
annurmaheshphotography.in/7832ghd
aycilinsaat.com/7832ghd
biogreentech.in/7832ghd
cardimax.com.ph/7832ghd
citycollection.com.tr/7832ghd
craskart.com/7832ghd
dashingleather.com/7832ghd
doctortools.eu/7832ghd
factumtech.com/7832ghd
flexfitent.com/7832ghd
goldenladywedding.com/7832ghd
iandiinternational.com/7832ghd
jmetalloysllp.com/7832ghd
linosys.info/7832ghd
marathazhunj.com/7832ghd
micaraland.com/7832ghd
moko-2.wptemplate.net/7832ghd
mylespollard.com.au/7832ghd
onlinepurohit.com/7832ghd
perfectfixuae.com/7832ghd
platformarchitects.com.au/7832ghd
rapiderbariyer.com/7832ghd
safiazsports.com/7832ghd
shagunproperty.com/7832ghd
sowhatresearch.com.au/7832ghd
stylecode.co.in/7832ghd
tipsforall.in/7832ghd
tscbearings.in/7832ghd
Ungelie.com/7832ghd
utsavi.net/7832ghd
walkerandhall.co.uk/7832ghd
webdesignselite.com/7832ghd
webnox.in/7832ghd
www.alfajerdecor.com/7832ghd
www.jmetalloysllp.com/7832ghd
www.mehrabtech.ae/7832ghd
www.pstimes.com/7832ghd
www.thegurukulians.com/7832ghd
yesiloglugrup.com/7832ghd


The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload is Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a but I do not have a sample yet.

This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above or monitoring/blocking access attempts with 7832ghd in the string.

UPDATE: The Hybrid Analysis of one of the scripts does not add much except to confirm that this is ransomware.

Thursday, 8 September 2016

Malware spam: "[Vigor2820 Series] New voice mail message from xxxxx"

This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.

Subject:     [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
From:     voicemail@victimdomain.tld (voicemail@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Thursday, 8 September 2016, 13:15

Dear webmaster :
    There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
You might want to check it when you get a chance.Thanks!
Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:

158.195.68.10/g76gyui
209.41.183.242/g76gyui
dashman.web.fc2.com/g76gyui
dcqoutlet.es/g76gyui
dpskaunas.puslapiai.lt/g76gyui
fidelitas.heimat.eu/g76gyui
gam-e20.it/g76gyui
ghost-tony.com.es/g76gyui
josemedina.com/g76gyui
kreativmanagement.homepage.t-online.de/g76gyui
olivier.coroenne.perso.sfr.fr/g76gyui
portadeenrolar.ind.br/g76gyui
sitio655.vtrbandaancha.net/g76gyui
sp-moto.ru/g76gyui
srxrun.nobody.jp/g76gyui
thb-berlin.homepage.t-online.de/g76gyui
tst-technik.de/g76gyui
unimet.tmhandel.com/g76gyui
www.agridiving.net/g76gyui
www.alanmorgan.plus.com/g76gyui
www.aldesco.it/g76gyui
www.alpstaxi.co.jp/g76gyui
www.association-julescatoire.fr/g76gyui
www.bytove.jadro.szm.com/g76gyui
www.ccnprodusenaturiste.home.ro/g76gyui
www.gebrvanorsouw.nl/g76gyui
www.gengokk.co.jp/g76gyui
www.hung-guan.com.tw/g76gyui
www.idiomestarradellas.com/g76gyui
www.laribalta.org/g76gyui
www.mikeg7hen.talktalk.net/g76gyui
www.one-clap.jp/g76gyui
www.radicegioielli.com/g76gyui
www.rioual.com/g76gyui
www.spiritueelcentrumaum.net/g76gyui
www.texelvakantiehuisje.nl/g76gyui
www.threshold-online.co.uk/g76gyui
www.whitakerpd.co.uk/g76gyui
www.xolod-teplo.ru/g76gyui


Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu)

Unusually, this version of Locky does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above or you could monitor for the string g76gyui in your logs.

UPDATE: the Hybrid Analysis of the script can be found here.