Thursday, 18 August 2016

Malware spam: "The office printer is having problems so I've had to email the UPS label"

This fake UPS email has a malicious attachment. It appears to come from the UPS domains of various countries (e.g. ups.de, ups.co.uk) and from various sender names; none of it is really from UPS.

From     "Laurence lumb" [Laurence.lumb25@ups.de]
Date     Thu, 18 Aug 2016 17:35:21 +0530
Subject     Emailing: Label

Good afternoon

The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.

Cheers

Laurence lumb
Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):

a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7


The dropped binary has a detection rate of 6/54. It phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)

Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183
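Two things in the indicators above are worth more than the host list itself: every download URL carries the same path token (jkYTFhb7) while the compromised hosts rotate, and every Locky callback is a POST to /php/upload.php regardless of the C2 IP. The following is an added example, not code from the original post, that scans a few constructed proxy-log lines for both patterns and flags hosts that are not yet on the published lists. The log format (client, method, URL) and the sample lines are assumptions for the example; only the token, C2 path and IPs come from the post.

```python
import re

# Indicators copied from the post above.
DOWNLOAD_TOKENS = {"jkYTFhb7"}
C2_PATHS = {"/php/upload.php"}
C2_IPS = {"185.129.148.19", "51.255.107.8", "194.67.210.183"}
# A subset of the listed download hosts, to tell known from newly seen ones.
DOWNLOAD_HOSTS = {"www.unice.it", "zsp17.y0.pl", "www.1-anwalt.de"}

# Constructed "client method url" log lines for this example; not real traffic.
SAMPLE_LOG = """\
10.0.0.12 GET http://www.unice.it/jkYTFhb7
10.0.0.12 POST http://185.129.148.19/php/upload.php
10.0.0.12 GET http://www.example.org/index.html
10.0.0.33 GET http://not-on-the-list.example/jkYTFhb7?x=1
10.0.0.33 POST http://203.0.113.7/php/upload.php
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/.*)?$")


def classify(method, url):
    """Return ('download'|'c2', host) for a matching request, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host")
    path = (m.group("path") or "/").split("?")[0]
    # Match the shared path token, not the host: hosts rotate, the token does not.
    if method == "GET" and path.lstrip("/") in DOWNLOAD_TOKENS:
        return ("download", host)
    # Any POST to the C2 script path, whether or not the IP is already known.
    if method == "POST" and path in C2_PATHS:
        return ("c2", host)
    return None


def scan(log_text):
    """Yield (client, kind, host, already_known) for every hit in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        result = classify(m["method"], m["url"])
        if result is None:
            continue
        kind, host = result
        known = host in (DOWNLOAD_HOSTS if kind == "download" else C2_IPS)
        hits.append((m["client"], kind, host, known))
    return hits


def infected_clients(hits):
    """Clients that reached a C2 endpoint, i.e. where the payload already ran."""
    return sorted({client for client, kind, _, _ in hits if kind == "c2"})


def new_indicators(hits):
    """Hosts that matched on behaviour but are not in the published lists."""
    return sorted({host for _, _, host, known in hits if not known})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("infected:", infected_clients(hits))
    print("new indicators:", new_indicators(hits))
```

A download hit without a following C2 hit from the same client is worth checking too: it may mean the download was blocked, or that the payload has not called home yet.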

Monday, 15 August 2016

Malware spam: "Jen [Jen@purple-office.com]" / "Documents from Purple Office - IN00003993"

These fake financial documents have a malicious attachment:

From:    Jen [Jen@purple-office.com]
Date:    15 August 2016 at 14:10
Subject:    Documents from Purple Office - IN00003993

Please find attached invoice/credit from Purple Office.

Best regards,

Purple Office 
Attached is a randomly-named DOCM file which is almost certainly a variant of Locky ransomware, as seen here and here.

Malware spam: "Emma Critchley (emmacritchley@advantage-finance.co.uk)" / "Emailing - 9104896607509"

This fake financial spam has a malicious attachment. It does not come from Advantage Finance but is instead a simple forgery.

Subject:     Emailing - 9104896607509
From:     Emma Critchley (emmacritchley@advantage-finance.co.uk)
Date:     Monday, 15 August 2016, 13:28

Hi

Vicky has asked me to forward you the finance documents (Please see attached)


Many Thanks 
Attached is a DOCM file with a name that matches the subject. There are various versions, all of which download Locky ransomware from one of the following locations (thank you to my source):

devierdemuur.50webs.com/HJ6bhGHV
kittoyakudatu.web.fc2.com/HJ6bhGHV
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
rondoncompany.bake-neko.net/HJ6bhGHV
topfireart.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.bozenan.swk.vectranet.pl/HJ6bhGHV
www.carrosserie-promocar.net/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.scoutvda.it/HJ6bhGHV
www.tecnohellas.gr/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


This phones home to the same servers as mentioned in this post.


Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Friday, 12 August 2016

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld
The email appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf.
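All of the runs on this page arrive as either a ZIP containing a script (.wsf here, .js with a double extension such as .doc.js in the FedEx run below) or as a macro-enabled .docm, which is itself a ZIP with a word/vbaProject.bin part. The following is an added example, not code from the original post, of a mail-gateway triage check that inspects the attachment structurally instead of trusting the file name. The sample attachments are constructed in memory with placeholder contents and are not the real malware; the extension lists are assumptions chosen for the example.

```python
import io
import zipfile

# Script types Windows will run straight from an extracted archive.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}
# Document-looking extensions used in double-extension names like ".doc.js".
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".tiff"}
# OOXML parts whose presence means the document carries a VBA project.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")


def triage_zip(data):
    """Return reasons to quarantine a ZIP (or OOXML) payload; empty if clean."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    names = zf.namelist()
    for name in names:
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        if len(parts) >= 2 and "." + parts[-1] in SCRIPT_EXTS:
            reason = f"script file inside archive: {name}"
            if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
                reason += " (double extension)"
            reasons.append(reason)
    if "[Content_Types].xml" in names:  # it is an Office Open XML package
        for part in MACRO_PARTS:
            if part in names:
                reasons.append(f"Office document with VBA project: {part}")
    return reasons


def triage_attachment(filename, data):
    """Combine the file-name signal with what is actually inside the bytes."""
    lower = filename.lower()
    if lower.endswith((".docm", ".xlsm", ".dotm")):
        return [f"macro-enabled Office extension: {filename}"] + triage_zip(data)
    if lower.endswith(".zip") or data[:2] == b"PK":
        return triage_zip(data)
    return []


def build_zip(members):
    """Construct an in-memory ZIP from {name: content} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mimicking the attachment names in the posts.
SAMPLES = {
    "201608120908.zip": build_zip({"doc(171)-12082016.wsf": "<job></job>"}),
    "FedEx_ID_000179376.zip": build_zip({"FedEx_ID_000179376.doc.js": "// placeholder"}),
    "New Doc 666-9.docm": build_zip({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00placeholder",
    }),
    "minutes.zip": build_zip({"minutes.txt": "nothing to see here"}),
}


if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", triage_attachment(fname, blob) or "clean")
```

Checking the bytes rather than the name matters for the .docm case: a renamed .docm is still opened as a macro document by Word, and the vbaProject.bin part is what gives it away.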

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs


The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190


Thursday, 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomain.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and the numbers in the subject vary, and the email appears to come from within the recipient's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Thursday, 4 August 2016

Malware spam: "Please sign the receipt attached for the arrival of new office facilities." leads to Locky

Yet another Locky campaign today..

From:    Erica Hutchinson
Date:    4 August 2016 at 12:34
Subject:    please sign

Dear [redacted]

Please sign the receipt attached for the arrival of new office facilities.


Best regards,
Erica Hutchinson

This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run.

Malware spam: "Emailing: Sheet / Document / Invoice" with a .docm leads to Locky

This malware-laden spam comes with a variety of subjects, for example:

Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf


There is no body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component from one of the following locations:

abi64.com/h78r3gfe
bikepaintpureworks.web.fc2.com/h78r3gfe
brupuoli.tempsite.ws/h78r3gfe
composit.vtrbandaancha.net/h78r3gfe
film-online.bejbiblues.cba.pl/h78r3gfe
ftp.bergamo.chiesacattolica.it/h78r3gfe
innal.com.mx/h78r3gfe
karnat.cba.pl/h78r3gfe
mbc.nekonikoban.org/h78r3gfe
potato.chottu.net/h78r3gfe
schello4u.de/h78r3gfe
tyouseikan.web.fc2.com/h78r3gfe
www.agriturismolapiana.net/h78r3gfe
www.artistsagainstwar.it/h78r3gfe
www.bwmodels.com/h78r3gfe
www.comunedicanischio.it/h78r3gfe
www.ekstraciuchy.pl/h78r3gfe
www.kishazy.hu/h78r3gfe

(Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here.

Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change


King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
Sender names and that long hexadecimal number will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name beginning "business card" [example]. The payload appears to be Locky ransomware.

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:

escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7


This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]

All of those network blocks have a poor reputation and I recommend that you block their entire ranges rather than just the single IPs.

Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22
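When a blocklist mixes single IPs with whole ranges, as this one does, it is worth checking that each observed C2 address really falls inside the range you are about to block, and collapsing the lists accumulated across several runs so that a /32 already covered by a /24 does not linger as a separate rule. The following is an added example, not code from the original post, using Python's standard ipaddress module; the entries are copied from the blocklist above and the C2 IPs from the Hybrid Analysis report, and the cumulative merge in the test uses two IPs from the other posts on this page.

```python
import ipaddress

# Recommended blocklist from the post above, copied as written.
BLOCKLIST = ["31.41.40.0/21", "185.129.148.0/24", "91.219.28.0/22"]
# C2 endpoints from the Hybrid Analysis report for this run.
C2_IPS = ["31.41.46.29", "185.129.148.19", "91.219.29.35"]


def to_networks(entries):
    """Parse bare IPs and CIDRs alike; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def covering_network(ip, networks):
    """Return the first network that contains ip, or None if nothing does."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def uncovered(ips, entries):
    """C2 addresses that the proposed blocklist would NOT block."""
    nets = to_networks(entries)
    return [ip for ip in ips if covering_network(ip, nets) is None]


def merged(*entry_lists):
    """Collapse several blocklists into a minimal, sorted set of networks."""
    nets = [n for lst in entry_lists for n in to_networks(lst)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def blocked_address_count(entries):
    """How many addresses the list blocks in total (to judge collateral damage)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(to_networks(entries)))


if __name__ == "__main__":
    nets = to_networks(BLOCKLIST)
    for ip in C2_IPS:
        print(ip, "->", covering_network(ip, nets))
    print("uncovered:", uncovered(C2_IPS, BLOCKLIST))
    print("addresses blocked:", blocked_address_count(BLOCKLIST))
```

The address count is the number to show whoever owns the firewall change: a /21 and a /22 together take out 3,072 addresses, which is fine for hosting ranges with a bad reputation but would be a problem if one of them turned out to be a shared CDN.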

Wednesday, 3 August 2016

Malware spam: "Confirmation letter" leads to Locky

Another spam run leading to Locky ransomware..
From:    Mavis Howe [Howe.4267@croestate.com]
Date:    3 August 2016 at 13:32
Subject:    Confirmation letter

Hi [redacted],

I attached the employment confirmation letter I prepared.
Please check it before you send it out.

Best regards

Mavis Howe
The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here.

Malware spam: "As you directed, I send the attachment containing the data about the new invoices"

Another day, another Locky ransomware run:

From:    Marian Mcgowan
Date:    3 August 2016 at 11:15
Subject:    Fw: New invoices

As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script which, according to this Malwr analysis, downloads a binary from..

blog-aida.cba.pl/2zensi7t

..which, once decrypted by the script, yields a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:

93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]

Both those IPs are in known bad blocks.

Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24

Malware spam: "I attached the project status report in order to update you about the last meeting"

This spam leads to Locky ransomware:

From:    Keri Jarvis [Jarvis.64030@bac.globalnet.co.uk]
Date:    2 August 2016 at 22:13
Subject:    report

Hi,

I attached the project status report in order to update you about the last meeting

Best regards,
Keri Jarvis
Attached is a randomly named ZIP file containing a malicious .js script beginning with the word "report". This downloads an evil binary from one of the following locations:

ary.ken-shin.net/jc6f3r
bizconsulting.ro/mgld4
czerwinski.ciesielstwo.cba.pl/6qxwpzt0
equalityindonesia.com/mdxrgr
essenciadoequilibrio.net/jl6aq
essenciadoequilibrio.net/szbcfto
go4leiner.de/vm3u88
hitoribotch.web.fc2.com/73bm9p96
ikkyohawks.web.fc2.com/e61h18
lifeserv.myarena.ru/mp9133x
locogallery.com/dz0lw6
mephisto.nd.e-wro.pl/05fvl56n
miyadu.web.fc2.com/hrdl2sh8
namarinoko.hariko.com/376wx19
nedayepak.ir/eu9om
rsxxx.com/jsc6uao
russiansnow.web.fc2.com/yfu287q
slava.nsknet.ru/hi65u4w
sugetipula12.hi2.ro/rwnmj
sugetipula12.hi2.ro/v2gbzo0s
sumrmo360.web.fc2.com/hv07h
sven-jaenecke.homepage.t-online.de/1siww
tip.ub.ac.id/m7blnpxy
trans-free.ru/lve7y
watafuku.web.fc2.com/ao0dw
woblk17jc.homepage.t-online.de/xckpw14
wt7dzbn78.homepage.t-online.de/qxyc94p
www.am-i-evil.de/hkak1si
www.arstaelteknik.com/7o6uw8w
www.arstaelteknik.com/se0hgcy
www.bagana.net/oucgn5
www.breuninger-web.de/c1gjikd8
www.cafealaska.es/znsih5
www.carrelliusati.it/7zf90
www.closecombat.mynetcologne.de/cddpnu
www.cosentinoarredamenti.com/o77fzv
www.e-bev.com/7dl4wjqt
www.jansen-consultancy-machines.be/cnipq7ja
www.puntoit-informatica.com/6jnx8ms
www.sashraf.plus.com/d9g6d
www.serial-production.com/vqprmy
www.stucchifedele.com/wg4spe
www.vincenzofranchino.it/aymbt6k7


(Thank you to my usual source for this data)

The malware phones home to:

37.139.30.95/php/upload.php (Digital Ocean, Netherlands) [hostname: belyi.myeasy.ru]
93.170.128.249/php/upload.php (Krek Ltd, Russia)
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

Recommended blocklist:
37.139.30.95
93.170.128.249
93.170.104.20

Tuesday, 2 August 2016

Malware spam: "Unable to deliver your item, #000179376" / "FedEx International Ground" leads to ransomware

This fake FedEx email has a malicious attachment.

From:    FedEx International Ground [terry.mcnamara@luxmap.com]
Date:    2 August 2016 at 18:53
Subject:    [REDACTED], Unable to deliver your item, #000179376

Dear [Redacted],

This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.

Thanks and best regards,
Terry Mcnamara,
Support Manager.
Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js. The script is highly obfuscated but becomes clearer when deobfuscated. This Hybrid Analysis of the sample shows the script downloading ransomware from opros.mskobr.ru, but a quick examination of the code reveals several download locations:

opros.mskobr.ru
alacahukuk.com
www.ortoservis.ru
aksoypansiyon.com
samurkasgrup.com


Three of those domains resolve to the same IP (77.245.148.51), so it is reasonable to assume that the server itself is completely compromised rather than just one site on it. If we extend that principle to the other servers then you might want to block traffic to:

195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)


A couple of binaries are dropped onto the system, a.exe (detection rate 2/53) [may not be malicious] and a2.exe (detection rate 7/53).

The payload seems to be Nemucod / Crypted or some related ransomware.

Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32



Malware spam: "Please see the attached last month’s paid bills for the company" leads to Locky

This fake financial spam has a malicious attachment:

From:    Nathanial Lane
Date:    2 August 2016 at 12:05
Subject:    Paid bills

Hello [redacted],

Please see the attached last month’s paid bills for the company

Best regards
Nathanial Lane
The name of the sender varies. It appears that these are being sent out in very high volumes. Attached to the email message is a randomly-named ZIP file which contains a malicious .js script with a name beginning "sales charts".

Thank you to my usual source for this analysis: the script downloads from one of the following locations:

158.199.158.185/e2ti07
212.26.129.68/f0671
acnek.com/zfwiice
alex-walter.de/gzag8yht
beate-oberle-kosmetik.de/jqbf9
breinco.com/~export/jrjnlkc
cinerd.info/wwekm4yk
clinic.gov.ua/my2vo
dev.appleleafabstracting.com/uis21
ecpi.ro/3kc9d2
essenciadoequilibrio.net/7vsuk59
exportwroclaw.cba.pl/565489s
fotografuj.pl/qk4zo4cv
gebetech.at/lpgrvcoa
go4leiner.de/8wofbvq
itconcept.md/mgvlj3m
jhengineering.szm.com/5242czu9
lifeserv.myarena.ru/0siarbi
madiv.ru/pbzgphhj
morfaux.fr/hvk9pc
my-result.ru/vhzj63z
nolwo.ru/nimsr
olis.atspace.com/b6aqk
plasseramerican.net/3064rl
psclimat.ru/rnn59v
realm-of-rage.heimat.eu/e4pxmx1
rsxxx.com/xy4dghdn
russiansnow.web.fc2.com/d8k6pqag
sancompany.ru/pl8in
setcoop.com.br/87pyu
siteriqi.bget.ru/sfgjthf
subbenim.atspace.com/kqfyrwph
system-inka.de/31f7r
terminatorzy.cba.pl/goix6
thehybrid.0catch.com/36sye
totalrepalrhonda.web.fc2.com/g6qx0t
tvoy-android.com/mqs5z
ultramarincentr.ru/soao7gp
woblk17jc.homepage.t-online.de/ao4sg9
wt7dzbn78.homepage.t-online.de/2x5qs94
www.arstaelteknik.com/6kpppb
www.bagana.net/0743nt3
www.cafealaska.es/bc3z9j9
www.cosentinoarredamenti.com/1zq31
www.dsalchi.org/dmkd5
www.gioilda.com/lcoucn62
www.serial-production.com/9c4xv
www.simons-vakantiehuisje.nl/2e3vp
www.stucchifedele.com/9c5m4g


The payload is Locky ransomware, phoning home to:

37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname: belyi.myeasy.ru]
93.170.128.249/upload/_dispatch.php (Krek Ltd, Russia)


Recommended blocklist:
37.139.30.95
93.170.128.249