Sponsored by..

Friday, 29 April 2016

Malware spam: "Second Reminder - Unpaid Invoice"

This fake financial spam leads to malware:

From:    Janis Faulkner [FaulknerJanis8359@ono.com]
Date:    29 April 2016 at 11:13
Subject:    Second Reminder - Unpaid Invoice

 We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details please check invoice attached to this mail

Regards,

Janis Faulkner
Chief Executive Officer - Food Packaging Company 

Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.


The scripts I have seen download slightly different binaries from the following locations:

cafeaparis.eu/f7yhsad
amatic.in/hdy3ss
zona-sezona.com.ua/hj1lsp
avcilarinpazari.com/u7udssd


VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2] [3] [4]. In addition to those reports, various automated analyses [5] [6] [7] [8] [9] show that this is Locky ransomware phoning home to:

91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
83.217.8.155 (Park-web Ltd, Russia)
31.41.44.246 (Relink Ltd, Russia)
89.108.84.155 (Agava Ltd, Russia)
51.254.240.60 (Relink, Russia / OVH, France)


I strongly recommend that you block traffic to:

91.234.32.19
83.217.8.155
31.41.44.246
89.108.84.155
51.254.240.60




Malware spam: "Attached Doc" / "Attached Image" / "Attached Document" / "Attached File"

This fake document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.

Example subjects include:

Attached Doc
Attached Image
Attached Document
Attached File


Example senders:

epson@victimdomain.tld
scanner@victimdomain.tld
xerox@victimdomain.tld

There is no body text. Attached is a ZIP file with the recipients email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of malicious scripts, the ones that I have seen download a binary from:

emcartaz.net.br/08j78h65e
kizilirmakdeltasi.net/08j78h65e
easytravelvault.com/08j78h65e
64.207.144.148/08j78h65e
cdn.cs2.pushthetraffic.com/08j78h65e


The VirusTotal detection rate for the dropped binary is 3/55. That VirusTotal report and this Hybrid Analysis show subsequent traffic to:

giotuipo.at/api/
giotuipo.at/files/dDjk3e.exe
giotuipo.at/files/VTXhFO.exe


The payload is Locky ransomware. This is hosted on what appears to be a bad server at:

134.249.238.140 (Kyivstar GSM, Ukraine)

Kyivstar is a GSM network, something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo.at domain shows that it is multihomed on many IPs:

109.194.247.26 (ER-Telecom Holding, Russia)
95.189.128.70 (Sibirtelecom, Russia)
79.119.196.161 (RCS & RDS Business, Romania)
5.248.229.186 (Lanet Network Ltd, Ukraine)
188.230.17.38 (Airbites, Ukraine)
134.249.238.140 (Kyivstar, Ukraine)
5.58.29.200 (Lanet Network Ltd, Ukraine)
212.3.103.225 (Apex, Ukraine)
93.95.187.243 (Triolan, Ukraine)
178.151.243.153 (Triolan, Ukraine)

These IPs are likely to be highly dynamic, so blocking them may or may not work. If you want to try, here is a recommended blocklist:

109.194.247.26
95.189.128.70
79.119.196.161
5.248.229.186
188.230.17.38
134.249.238.140
5.58.29.200
212.3.103.225
93.95.187.243
178.151.243.153






Thursday, 28 April 2016

Malware spam: "Royal Bancshares of Pennsylvania, Inc." / "Latest invoice [Urgent]"

This fake financial spam leads to malware:

From:    Kieth Valentine [Kieth.Valentine87@assistedlivingflorida.com]
Date:    28 April 2016 at 16:32
Subject:    Latest invoice [Urgent]

Hello,

We are writing to you about fact, despite previous reminders, there remains an outstanding amount of USD 5883,16 in respect of the invoice(s) contained in current letter. This was due for payment on 17 April, 2016.

Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue.
The total amount due from you is therefore USD 5883,16

If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we will begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take affect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.

This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.

To view the the original invoice in the attachment please use Adobe Reader.

We await your prompt reaction to this email.

Best wishes,

Kieth Valentine

Royal Bancshares of Pennsylvania, Inc.
1(265)530-0620 Ext: 300
1(265) 556-3611
The only sample I have seen of this is malformed and the attachment cannot be downloaded. However, what it should be in this case is a file Latest invoice18.zip containing a malicious script 2016INV-APR232621.pdf.js. Analysis of this obfuscated script is pending, it is likely to be either Locky ransomware or the Dridex banking trojan.

Malware spam: "FW: Invoice" from multiple senders

This fake financial spam comes from randomly-generated senders, for example:

From:    Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br]
Date:    28 April 2016 at 11:40
Subject:    FW: Invoice

Please find attached invoice #342012

Have a nice day

Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are:

http://rabitaforex.com/pw3ksl
http://tribalsnedkeren.dk/n4jca
http://banketcentr.ru/v8usja
http://3dphoto-rotate.ru/h4ydjs
http://switchright.com/2yshda
http://cafe-vintage68.ru/asad2fl
http://minisupergame.ru/a9osfg


The payload looks like Locky ransomware. The DeepViz report shows it phoning home to:

83.217.26.168 (Firstbyte, Russia)
31.41.44.246 (Relink, Russia)
91.219.31.18 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.60 (Relink, Russia / OVH, France)
91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua.  Ukraine)


These two Hybrid Analysis reports [1] [2] show Locky more clearly.

Recommended blocklist:
83.217.26.168
31.41.44.246
91.219.31.18
51.254.240.60
91.234.32.19

Minimalist spam leads to Locky ransomware

There is currently a very minimalist spam run leading to Locky ransomware, for example:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    28 April 2016 at 11:21
Subject:    Scan436
The spam appears to come from the victim's own email address. There is no body text, but attached is a ZIP file with a name matching the subject, e.g.:

file238.zip
file164.zip
file84.zip
Document4.zip
Doc457.zip
Scan1.zip
Doc5.zip
file394.zip
Scan436.zip

Inside is a semi-randomly named script that downloads malware. Download locations I have seen so far are:

nailahafeez.goldendream.info/8778h4g
kfourytrading.com/8778h4g
kasliknursery.com/8778h4g
allied.link/8778h4g
xtrategiamx.com/8778h4g


The downloaded executable is Locky ransomware and has a VirusTotal detection rate of 2/56. This Hybrid Analysis shows Locky quite clearly, and this DeepViz report shows it phoning home to:

51.254.240.60 (Relink LLC, Russia / OVH, France)
31.41.44.246 (Relink LLC, Russia)
83.217.26.168 (Firstbyte, Russia)


Recommended blocklist:
31.41.44.246
51.254.240.60
83.217.26.168





Wednesday, 27 April 2016

Malware spam: Message from "RNP0BB8A7" / CLAUDIA MARTINEZ leads to Locky

This Spanish-language spam leads to malware:

From:    CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com]
Date:    27 April 2016 at 16:22
Subject:    Message from "RNP0BB8A7"

Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).

Datos escaneo: 27.04.2016 00:31:10 (+0000)
Preguntas a: soporte@victimdomain.tld
Attached is a  randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:

mebdco.com/8759j3f434
amwal.qa/8759j3f434
ecmacao.com/8759j3f434
lifeiscalling-sports.com/8759j3f434


This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:

absxpintranet.in/8759j3f434
amismaglaj.com.ba/8759j3f434
caegpa.com/8759j3f434
codeaweb.net/8759j3f434
coorgcalling.com/8759j3f434
gedvendo.com/8759j3f434
gedvendo.com.pe/8759j3f434
mc2academy.com/8759j3f434
teyseerlab.com/8759j3f434
www.adgroup.ae/8759j3f434
www.rumbafalcon.com/8759j3f434


This DeepViz report shows the malware phoning home to:

107.170.20.33 (Digital Ocean, US)
139.59.166.196 (Digital Ocean, Singapore)
146.185.155.126 (Digital Ocean, Netherlands)


There's a triple whammy for Digital Ocean! Well done them.

Recommended blocklist:
107.170.20.33
139.59.166.196
146.185.155.126

Malware spam: "Thank you. Our latest price list is attached. For additional information, please contact your local ITT office."

This fake financial spam leads to malware:

From:    Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date:    27 April 2016 at 12:23
Subject:    Price list

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.

Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:

aaacollectionsjewelry.com/ur8fgs
adamauto.nl/gdh46ss
directenergy.tv/l2isd
games-k.ru/n8eis
jurang.tk/n2ysk
lbbc.pt/n8wisd
l-dsk.com/k3isfa
mavrinscorporation.ru/hd7fs
myehelpers.com/j3ykf
onlinecrockpotrecipes.com/k2tspa
pediatriayvacunas.com/q0wps
soccerinsider.net/mys3ks
warcraft-lich-king.ru/i4ospd

haraccountants.co.uk/k9sjf

This downloads Locky ransomware. The executable then phones home to the following servers:

176.114.3.173 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
139.59.166.196 (Digital Ocean, Singapore)
107.170.20.33 (Digital Ocean, US)
146.185.155.126  (Digital Ocean, Netherlands)


Recommended blocklist:
176.114.3.173
139.59.166.196
107.170.20.33
146.185.155.126

Tuesday, 26 April 2016

Malware spam: "Missing payments for invoices inside"

This fake financial spam leads to malware:

From:    Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com]
Date:    26 April 2016 at 12:58
Subject:    Missing payments for invoices inside

Hi there!

Hope you are good.

Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.

BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.

Kind Regards

Jeffry Rogers

Henderson Group

Tel: 337-338-4607
I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:

web.spartanburgcommunitycollege.com/gimme/some/loads_nigga.php

This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:

103.245.153.154 (OrionVM Retail Pty Ltd, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (FPT Telecom Company, Vietnam)
213.192.1.171 (EASY Net, Czech Republic)


The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.

Recommended blocklist:
103.245.153.154
176.9.113.214
210.245.92.63
213.192.1.171


Friday, 22 April 2016

Malware spam: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

This fake Amazon email leads to malware. On some mail clients there may be no body text:

From: auto-shipping@amazon.co.uk Amazon.co.uk
To
Date: Fri, 22 Apr 2016 10:50:56 +0100
Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #525-2814418-9619799 (received April 22, 2016)


Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  Occasionally though, we know you may want to return items. Read more about our Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label.  Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.co.uk/help

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------

Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:

www.smileybins.com.au/0u8ggf5f5
kpmanish.com/0u8ggf5f5
neoventtechnologies.com/0u8ggf5f5
itronsecurity.com/0u8ggf5f5
bnacoffees.com/0u8ggf5f5
ambikaonline.com/0u8ggf5f5
usacarsimportsac.com/0u8ggf5f5
giftsandbaskets.co.th/0u8ggf5f5


This dropped executable has a detection rate of 6/56. The Hybrid Analysis and DeepViz Analysis plus some data sourced from other parties (thank you) indicates that the malware calls back to the following IPs:

186.250.48.10 (Redfox Telecomunicações Ltda., Brazil)
193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload here appears to be the Dridex banking trojan.

Recommended blocklist:
186.250.48.10
193.90.12.221
194.116.73.71
200.159.128.144


UPDATE 2016-04-26

Another identical round of this spam is being sent out, complete with the formatting error that prevents the body text being displayed on some email clients. VirusTotal detection rates for the two samples I have seen are 5/57 [1] [2]. Hybrid Analysis of the attachments [3] [4] shows download locations at:

shagunproperty.com/987gby8nn8
aysanatorganizasyon.com/987gby8nn8


A trusted source tells me there are other download locations at:

cubasedersi.com/987gby8nn8
denizlikinaorganizasyon.com/987gby8nn8
factumtech.com/987gby8nn8
kurudomatesci.com/987gby8nn8
nuevomomento.com/987gby8nn8
seahawkexports.com/987gby8nn8
solucionhumana.mx/987gby8nn8
tipsforall.in/987gby8nn8


From here a binary is dropped on the system with a detection rate of 3/56. Those Hybrid analyses plus this DeepViz report show network traffic to:

176.9.113.216 (Hetzner, Germany)

Apparently there are C2 servers here:

186.250.48.10 (Redfox Telecomunicações Ltda, Brazil)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload still appears to be Dridex.

Recommended blocklist:
176.9.113.216
186.250.48.10
200.159.128.144


Thursday, 21 April 2016

Malware spam: "FW: Latest order delivery details" is somewhat rude

This fake financial spam leads to malware:

From:    Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]
Date:    21 April 2016 at 17:45
Subject:    FW: Latest order delivery details

Good morning!

Hope you are good.

Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.

I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.

Many thanks and good luck

Milan Bell

DORIC NIMROD AIR ONE LTD

tel. 443-682-9021
The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:

trendmicro.healdsburgdistricthospital.com/RIB/assets.php

Cheekily the URL references a well-known security company.  The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:

176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)

You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:

103.245.153.154 (OrionVM, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (PT Telecom Company, Vietnam)
23.249.1.171 (Datacate , US)


It is not clear what the payload is, but there are indications it is the Dridex banking trojan.

Recommended blocklist:
176.103.56.30
103.245.153.154
176.9.113.214
210.245.92.63
23.249.1.171



Malware spam: "Dispatched Purchase Order" / FSPRD@covance.com

This fake financial spam does not come from Covance but is instead a simple forgery with a malicious attachment:

From:    FSPRD@covance.com
Reply-To:    donotreply@covance.com
Date:    21 April 2016 at 12:03
Subject:    Dispatched Purchase Order

Purchase Order, 11300 / 0006432242,  has been Dispatched.  Please detach and print the attached Purchase Order.

***Please do not respond to this e-mail as the mailbox is not monitored.
________________________________
Confidentiality Notice: In accordance with Covance's Data Classification Policy, this email, including attachment(s), is classified as Confidential or Highly Confidential. This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or dissemination of the content of this e-mail is strictly prohibited.

If you have received this e-mail transmission in error or this email is not intended for you, please delete or destroy all copies of this message in your possession and inform the sender. Thank you.

Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz which is a compressed archive file, containing in turn another archive file with a name like 5611205-19.04.2016.tar and it that archive is a malicious script named in an almost identical format the the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56.

So far I have seen two versions of this script, downloading from:

mountainworldtreks.com/9uhg5vd3
secondary36.obec.go.th/9uhg5vd3


The downloaded binary is the same in both cases. This Hybrid Analysis and DeepViz Analysis indicate network traffic to:

193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
193.90.12.221
194.116.73.71
64.76.19.251
200.159.128.144

Malware spam: "BalanceUK_INVOICE_X002380_1127878" / adminservices@grouphomesafe.com

This fake financial spam does not come from BalanceUK Limited but is instead a simple forgery with a malicious attachment:

From:    adminservices@grouphomesafe.com
Date:    21 April 2016 at 10:33
Subject:    "BalanceUK_INVOICE_X002380_1127878"

Thank you for placing your order with BalanceUK Ltd

Please find attached your document.

BalanceUK Limited,
30-32 Martock Business Park,
Great Western Road,
Martock,
Somerset,
TA12 6HB

Email: Balanceuk.orders@erahomesecurity.com
Tel: 01935 826 960
Fax: 01935 829 215


***  Please do not reply to this email address  ***

Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56.

This malicious script [pastebin] downloads an executable from:

dd.ub.ac.id/9uhg5vd3

There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56. The Hybrid Analysis of the dropped binary shows network traffic to:

193.90.12.221 (MultiNet AS, Norway)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload is not clear, but is probably the Dridex banking trojan.

Recommeded blocklist:
193.90.12.221
200.159.128.144