Sponsored by..

Wednesday 31 December 2014

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@inet.ba

This post by Brian Krebs drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics..

Safe Browsing
Diagnostic page for AS198252 (ELTAKABEL-AS)

What happened when Google visited sites hosted on this network?

    Of the 165 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, office-hosts.org/, invoice-ups.org/, refforwarding.eu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2014-12-31, and the last time suspicious content was found was on 2014-12-26.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that appeared to function as intermediaries for the infection of 525 other site(s) including, for example, webtretho.com/, detik.com/, zaodich.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that infected 572 other site(s), including, for example, webtretho.com/, detik.com/, zaodich.com/.
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts.

An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very many bad sites, the WHOIS details for that block being..

inetnum:        217.71.48.0 - 217.71.63.255
descr:          TXTV d.o.o. Tuzla
org:            ORG-TdT1-RIPE
netname:        BA-TXTV-20030807
country:        BA
admin-c:        IK879-RIPE
tech-c:         IK879-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-NSC1
mnt-routes:     MNT-NSC1
notify:         ripe@txtv.ba
changed:        hostmaster@ripe.net 20030807
changed:        hostmaster@ripe.net 20040625
changed:        hostmaster@ripe.net 20050719
changed:        bitbucket@ripe.net 20081003
changed:        hostmaster@ripe.net 20110804
changed:        hostmaster@ripe.net 20140324
changed:        bit-bucket@ripe.net 20140325
source:         RIPE

organisation:   ORG-TdT1-RIPE
org-name:       TXTV d.o.o. Tuzla
org-type:       LIR
address:        TXTV d.o.o.
address:        Admir Jaganjac
address:        Focanska 1N
address:        75000
address:        Tuzla
address:        BOSNIA AND HERZEGOVINA
phone:          +38735353333
fax-no:         +38735266114
tech-c:         TXTV1-RIPE
abuse-mailbox:  abuse@txtv.ba
mnt-ref:        MNT-TXTV
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
admin-c:        AJ2947-RIPE
admin-c:        AA26986-RIPE
admin-c:        IK879-RIPE
abuse-c:        NSC11-RIPE
source:         RIPE
e-mail:         ripe@txtv.ba
changed:        bitbucket@ripe.net 20140324

person:         Igor Krneta
address:        Majora Drage Bajalovica 18
address:        78000 Banjaluka, BA
e-mail:         ripe@elta-kabel.com
phone:          +387 51 961 001
nic-hdl:        IK879-RIPE
mnt-by:         MNT-NAVIGOSC
changed:        ikrneta@navigosc.net 20071126
source:         RIPE

route:          217.71.50.0/24
descr:          Inet subnet #1
origin:         AS31630
mnt-by:         GENELEC-MNT
changed:        aadeno@inet.ba 20061029
source:         RIPE


I highlighted the part of most interest, which appears to be a block suballocated to someone using the email address aadeno@inet.ba.

I took a look at the sites hosted in this /24 and these are the results [csv]. There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.

Recommended blocklist:
217.71.50.0/24
darotkskeu.com
hijuvchr.com
humhfsara.com
lomospaoerotr.com
noerdfjkieswp.com
p28aa.com
pkoefkosaep.com
teeirkfoews.com
niggercar.es
invoice-ups.net
www-myups.net
invoice-myups.org
invoice-ups.org
office-hosts.org
softupdates.org
updatedns.org
www-myups.org
abdilo.ru
bihilafes.ru
cloudughtold.su
dedicnqher.su
dnspqajr.su
dnsxjkd.su
hosrvnwj.su
hostfjwmr.su
hostsple.su
hostyksn.su
servergotold.su
serverhersse.su
servermexyr.su
serveruey.su
serverxpqk.su
serviolt.su
ugulddedic.su
usehostru.su
uttofhost.su
vpsjsner.su
vpslopwz.su
baycityads.biz
blingstarscpm.biz
plustimber.biz
plutoads.biz
tempomedia.biz
dsffdsk323721372131.com
ny-discount-sales.com
rxmega-shop.com
rx-product-shop.com
safe-refill-rx.com
viphealhtmarket.com
datadirects.eu
dataremark.eu
dataresultsid.eu
datasynchronize.eu
datavail.eu
datsunplus.eu
dedistarid.eu
detectionstream1.eu
dmpcheck.eu
drellmedia.eu
elitemembers.eu
eplymedia.eu
eravideoads.eu
euserviceid.eu
forwardingref.eu
glowcheck.eu
iprecognition.eu
newsettingso.eu
ordealsting.eu
planacheck.eu
pluginverifys.eu
proudeuro.eu
refforwarding.eu
resellerapis.eu
rpmstatus.eu
samjectstar.eu
secondtierdirect.eu
selldataset.eu
soundads.eu
spokenads.eu
stretchstrong.eu
syncdata1.eu
trackingstreamchk.eu
trackstats.eu
trafficlax.eu
verablade.eu
club-rx-bestseller.ru
fuckaustralia.ru
rx-bestseller.ru




NetGuard Toolbar (ngcmp.com) spam

Sometimes a spam comes through and it isn't immediately obvious what they are trying to do:

From:    Brad Lorien [bclorien@ngcmp.com]
Date:    31 December 2014 at 01:12
Subject:    Real estate (12/30/2014)

Our company reaches an online community of almost 41 million people,
who are mostly US and Canadian based. We have the ability to present
our nearly 41 million strong network with a best, first choice when
they are looking online for what your company does.

We are seeking a preferred choice to send our people who are looking
for real estate in Abilene and surrounding markets.

I’m in the office weekdays from 9:00 AM to 5:00 PM Pacific time.

Best regards,

Brad Lorien
Network Specialist, SPS EServices
Phone: (877) 489.2929, ext. 64
There is no link or attachment in the email. So presumably the spammer is soliciting replies to the email address bclorien@ngcmp.com which is a valid address. The domain ngcmp.com uses a mail server mail.ngcmp.com to receive email messages, hosted on 38.71.66.127 (PSInet / Virtual Empire, US). A look at the spam headers are rather revealing..

Received: from [38.71.66.126] (port=60856 helo=ngcmp.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <bclorien@ngcmp.com>)
    id 1Y67tI-0006Ub-TC
    for [redacted]; Wed, 31 Dec 2014 01:16:17 +0000
Received: from mail.ngcmp.com (211.sub-75-215-49.myvzw.com [75.215.49.211])
    by ngcmp.net (Postfix) with ESMTPA id 0812E3E34E
    for <[redacted]>; Tue, 30 Dec 2014 19:18:13 -0600 (CST)
    (envelope-from bclorien@ngcmp.com)
We can see that the spam was sent via a relay at 38.71.66.126 which is one IP different from the server handling incoming mail, which pretty much firmly identifies that whoever controls the ngcmp.com domain is actually sending the spam. The mail headers also identify the originating IP as well as the relay, which is a Verizon Wireless customer at 75.215.49.211, possibly someone sending spam using throwaway cell phones to avoid being traced.

An examination of those two PSInet addresses shows the following domains are associated with them:

ncmp.co
ngmp.co
ngcmp.com
ng-portal.com
ngcmp.net
ng-central.net
luxebagscloset.com
reviewwordofmouth.com


All of these domains have anonymous WHOIS details, but you can see that there is a common pattern here. I don't recommend that you visit spam sites, but I did in this case to see what it was about.


It appears to be some crappy toolbar called NetGuard and indeed the ngcmp.com pulls down many resources from the netguardtoolbar.com website. The site claims to be from a company called "NG Systems" but gives no other identification. netguardtoolbar.com has also had anonymous WHOIS details since it was registered in 2008.

If we look at the "Privacy" page of the site, we can see what this is all about.

NetGuard does not ask you for any personally identifiable information such as an email address, phone number, your name, or any such data. We do track IP addresses only of those who choose to download our App. We also track downloads of the NetGuard App, as well as uninstalls of the NetGuard App, so that we may have accurate data on those two items only in dealing with our Advertisers. Our Advertisers assist us in maintaining our NetGuard App Community, which allows us to provide the public with even more features as time and innovation allows. NetGuard does, as part of our advertising process, allow Advertisers who maintain an active Advertiser Account, to present their websites when an end user of the NetGuard does a search on any of the major search engines. This in no way changes the search results contained on the native pages of the major search engines, but does allow NetGuard to continue to present the general public with more options as time and innovation allows. 
This is basically adware. Going back to the original spam message, these "41 million people" are presumably suckers who have downloaded this crap, and NG Systems are busy spamming out to find more low-life advertisers to fill up their network. Or am I just sounding annoyed?

Predictably, there seems to be no such corporation as "NG Systems", but if you download the Toolbar it turns out it is digitally signed by a company called "IP Marketing Concepts, Inc." 

If we drill down into the certificate details we can find out  more about this mystery corporation.
CN = IP Marketing Concepts, Inc.
OU = SECURE APPLICATION DEVELOPMENT
O = IP Marketing Concepts, Inc.
L = Lewes
S = Delaware
C = US


Some Googling around finds a Delware corporation number 4099908 founded in 2006, but as Delware is a "go to" place for corporation trying to hide their identities, it is hard to find out more information without paying.

The executable itself is tagged by only one AV engine as malicious, but VirusTotal does note that it looks like a PUA. Malwr notes that individual components appear to be Russian in origin.

So all in all, this spam is being sent out by a company that goes a very, very long way to disguise its origins. Would you really want to either install their product or advertise on their network?


Wednesday 24 December 2014

Malware spam: Rhianna Wellings / Rhianna@teckentrupdepot.co.uk / Signature Invoice 44281

Teckentrup Depot UK is a legitimate UK company, but these emails are not from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are not responsible for this in any way.

From:    Rhianna Wellings [Rhianna@teckentrupdepot.co.uk]
Date:    24 December 2014 at 07:54
Subject:    Signature Invoice 44281

Your report is attached in DOC format.

To load the report, you will need the Microsoft® Word® reader, available to download at http://www.microsoft.com/
Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro [1] [2] [pastebin] which then downloads an additional component from one of these two locations:

http://Lichtblick-tiere.de/js/bin.exe
http://sunfung.hk/js/bin.exe

The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56. The ThreatExpert report shows traffic to the following IPs:

74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)

According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56, detected as the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere.de
sunfung.hk

Tuesday 23 December 2014

"Remittance Advice" spam comes with a malicious Excel attachment

This fake remittance advice comes with a malicious Excel attachment.

From:    Whitney
Date:    23 December 2014 at 09:12
Subject:    Remittance Advice -DPRC93

Confidentiality and Disclaimer:  This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error.

This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the Telecommunications (Lawful Business Practices)(Interception of Communications) Regulations 2000.

The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, this is poorly-detected by AV vendors [1] [2] [3] [4].

If you read this blog regularly then you might have seen me mention these attacks many times before, and most of these have a familiar pattern. However, the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself.

The macro itself looks like this [pastebin] and as far as I can tell from it, it loads some data from the Excel spreadsheet and puts it into a file %TEMP%\windows.vbs. So far I have seen four different scripts [1] [2] [3] [4] which download a component from one of the following locations:

http://185.48.56.133:8080/sstat/lldvs.php
http://95.163.121.27:8080/sstat/lldvs.php
http://92.63.88.100:8080/sstat/lldvs.php
http://92.63.88.106:8080/sstat/lldvs.php

It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe.

The ThreatExpert report shows traffic to the following:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)

VirusTotal indicates a detection rate of just 3/54, and identifies it as Dridex.

Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107

185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106

Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well.






Monday 22 December 2014

"Tiket alert" spam. Tiket? Really?

Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

From:    FBR service [jon.wo@fbi.com]
Date
:    22 December 2014 at 18:29
Subject:    Tiket alert

Look at the link file for more information.

http://mitsuba-kenya.com/ticket/fsb.html

Assistant Vice President, FBR service
Management Corporation
I have seen another version of this where the download location is negociomega.com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe.

This has a VirusTotal detection rate of 2/54. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:

http://202.153.35.133:42463/2212us12//0/51-SP3/0/
http://202.153.35.133:42463/2212us12//1/0/0/
http://moorfuse.com/images/unk12.pne


202.153.35.133 is Excell Media Pvt Ltd, India.

Recommended blocklist:
202.153.35.133
moorfuse.com
mitsuba-kenya.com
negociomega.com

Angler EK on 193.109.69.59

193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit.

The infection chain that I have seen is as follows (don't click those links, obviously):

[donotclick]www.opushangszer.hu/hora-at-200-b-csiptetos-gitarhangolo/1-864-359
-->
[donotclick]bettersaid.net/7b614b6f9fb62682c46d303fea879a38.swf
-->
[donotclick]www.smallbusinesssnapshot.com/

a6107b69be5422d82da0c2109cc7f20f.php?q=7a7581fad469383e7313d27d1cedf2d3
-->
[donotclick]qwe.holidayspeedfive.biz/em3t8gxum0
-->
[donotclick]qwe.holidayspeedfive.biz/

KuCRwb_Bwr38O4rT6dqEUCT9x5K26Bw_PNEHE3DJ_U9vgmcD31TZILN2BlAmHabL

The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:

qwe.holidayspeedsix.biz
qwe.holidayspeedfive.biz
qwe.holidayspeedseven.biz


A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted in this /23 indicates that most of them appear to be selling counterfeit goods, so blocking the entire /23 will probably be no great loss.

Recommended minimum blocklist:
193.109.69.59
holidayspeedsix.biz
holidayspeedfive.biz
holidayspeedseven.biz

Friday 19 December 2014

Malware spam: "Blocked Transaction. Case No 970332"

This fake ACH spam leads to malware:

Date:    19 December 2014 at 16:06
Subject:    Blocked Transaction. Case No 970332

The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID     083520
Transaction Amount     1458.42 USD
Sender e-mail     info@victimdomain
Reason of Termination     See attached statement

Please open the word file enclosed with this email to get more info about this issue. 
In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal dectection rate of 4/54. Inside are a series of images detailing how to turn off macro security.. which is a very bad idea.











If you are daft enough to enable macros, then this macro [pastebin] will run which will download a malicious binary from http://nikolesy.com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51 as is identified as the Dridex banking trojan.

Malware spam: no-replay@my-fax.com / "Employee Documents - Internal Use"

This fake fax spam leads to malware:

From:    Fax [no-replay@my-fax.com]
Date:    19 December 2014 at 15:37
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://crematori.org/myfax/company.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
The download locations in the email vary, so far I have seen:

http://newsurveyresults.com/myfax/company.html
http://ChallengingDomesticAbuse.co.uk/myfax/company.html
http://crematori.org/myfax/company.html
http://gnrcorbus.com/myfax/company.html
http://sonata-arctica.wz.cz/myfax/company.html

Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55. Most automated analysis tools are inconclusive [1] [2] but the VT report shows network connections to the following locations:

http://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http://202.153.35.133:40542/1912uk22//1/0/0/
http://natural-anxiety-remedies.com/wp-includes/images/wlw/pack22.pne


Recommended blocklist:
202.153.35.133
natural-anxiety-remedies.com




Malware spam: "BACS payment Ref:901109RW"

This spam comes with a malicious attachment, in a format similar to the following:

From:    Fern
Date:    19 December 2014 at 10:09
Subject:    BACS payment Ref:901109RW


Please see below our payment confirmation for funds into your account on Tuesday re invoice 901109RW

Accounts Assistant
Tel:  01874 662 346
Fax: 01874 501 248

To add credibility, the attachment has the same name as the reference in the subject and body text (in this case it is 901109RW.xls). The reference is randomly generated.

So far, I have seen three different type of attachment, all undetected by AV vendors [1] [2] [3] containing a different malicious macro each [1] [2] [3] [pastebin]. These macros then try to download an executable from the following locations:

http://78.129.153.23/sstat/lldvs.php
http://5.9.253.183/sstat/lldvs.php
http://185.48.56.123/sstat/lldvs.php


The file is downloaded as test.exe and is then moved to %TEMP%\VMUYXWYSFXQ.exe. It has a VirusTotal detection rate of 2/54. VT also reports that it phones home to 194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

Additional analysis is pending.

UPDATE:
A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal and a different macro [pastebin], however it downloads the same binary from http://78.129.153.23/sstat/lldvs.php as the previous example does.

Thursday 18 December 2014

Malware spam: aquaid.co.uk "Card Receipt"

[UPDATE: as of December 2015, there is a new version of the spam doing the rounds]

This spam claims to be from the legitimate firm AquAid, but it isn't. Instead it comes with a malcious attachment. The email is a forgery, AquAid are not sending the spam, nor have their systems been compromised in any way.

From:    Tracey Smith [tracey.smith@aquaid.co.uk]
Date:    18 December 2014 at 07:24
Subject:    Card Receipt

Hi

Please find attached receipt of payment made to us today

Regards
Tracey


Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk
email_new_logo
AquAid really is the only drinks supplier you will ever need with our huge product range. With products ranging from bottled and mains fed coolers ranging up to coffee machines and bespoke individual one off units we truly have the right solution for all environments. We offer a refreshing ethical approach to drinks supply in that we support both Christian Aid and Pump Aid with a donation from all sales.  All this is done while still offering a highly focused local service and competitive pricing. A personalised sponsorship certificate is available for all clients showing how you are helping and we offer £25 for any referral that leads to business.
*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with registered number 3505477 and registered office at 51 Newnham Road, Cambridge, CB3 9EY, UK. This message is intended only for use by the named addressee and may contain privileged and/or confidential information. If you are not the named addressee you should not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify the sender and delete the message and any attachments accompanying it immediately. Neither AquAid nor any of its Affiliates accepts liability for any corruption, interception, amendment, tampering or viruses occurring to this message in transit or for any message sent by its employees which is not in compliance with AquAid corporate policy.

In the sample I have seen, the attachment is called CAR014 151239.doc which is malicious, but only has a VirusTotal detection rate of 2/54. This particular document (note that there are usually several different documents in the spam run) contains this malicious macro [pastebin]. This macro downloads a malware executable from:

http://sardiniarealestate.info/js/bin.exe

..which is saved as %TEMP%\YEWZMJFAHIB.exe - this has a marginally better detection rate of 3/53.

The ThreatExpert report shows connections to the following two IPs:

74.208.11.204 (1&1, US)
81.169.156.5 (Strato AG, Germany)

The Malwr report shows that it drops a DLL which is very poorly detected but is probably the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5

FOR RESEARCHERS ONLY: a copy of the malicious DOC attachment plus dropped files can be found here. Password is "infected". Only handle these if you know what you are doing.

UPDATE 2015-01-13

This spam keeps coming back every few days or so. This time the attachment has a VirusTotal detection rate of 3/57 and the malicious macro it contains [pastebin] downloads from:

http://forpetsonly.cz/js/bin.exe

This file has a VirusTotal detection rate of 2/57. The Malwr report shows it phoning home to:

59.148.196.153
74.208.11.204

It also drops a DLL with a detection rate of 2/57.

UPDATE 2015-02-25

Another version of this spam run is in progress, with these malicious macros [1] [2] downloading from the following locations:

http://junidesign.de/js/bin.exe
http://jacekhondel.w.interia.pl/js/bin.exe

This malware is the same as used in this spam run.

Wednesday 17 December 2014

"Blocked ACH Transfer" spam has a malicious DOC attachment

Another spam run pushing a malicious Word attachment..

Date:    17 December 2014 at 07:27
Subject:    Blocked ACH Transfer

The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.

Canceled transaction
ACH file Case ID     623742
Total Amount     2644.93 USD
Sender e-mail     info@mobilegazette.com
Reason for rejection     See attached word file
Please see the document provided below to have more details about this issue.


Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55.

Inside this is a malicious macro [pastebin] which downloads a file from:

http://www.lynxtech.com.hk/images/tn.exe

This has a VirusTotal detection rate of just 1/54. The Malwr report shows it POSTING to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.

Recommended blocklist:
5.187.1.78
209.208.62.36



"PL REMITTANCE DETAILS ref844127RH" malware spam

This fake remittance advice comes with a malicious Excel attachment.

From:    Briana
Date:    17 December 2014 at 08:42
Subject:    PL REMITTANCE DETAILS ref844127RH

The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros [1] [2] which then reach out to the following download locations:

http://23.226.229.112:8080/stat/lldv.php
http://38.96.175.139:8080/stat/lldv.php


The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55. The ThreatTrack report [pdf] shows it POSTing to the following IP:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

This IP has been used in several recent attacks and I strongly recommend blocking it.

The Malwr report also shows it dropping a malicious DLL identified as Dridex.

The ThreatExpert report gives some different IPs being contacted:

80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)


The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:

194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139

Spam: "Localizan a los 43 estudiantes desaparecidos en Ayotzinapa"

This Spanish-language malware spam comes with a malicious attachment.

From:    El Universal
Date:    16 December 2014 at 09:06
Subject:    Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Hoy 16 de diciembre del 2014 por la madrugada, agentes de la Policía Ministerial de Guerrero
han localizado con vida a los 43 estudiantes, desaparecidos el dia 26 de septiembre del 2014.

Para ver imágenes exclusivas del reencuentro de los estudiantes con sus familias, y las condiciones en que
vivieron durante su secuestro, anexamos un documento en este correo electrónico en formato Microsoft Word.


El Universal © todos los Derechos Reservados  2014.
This translates roughly as:

Located at 43 students missing in Ayotzinapa.

Today December 16, 2014 at dawn, agents of the Ministerial Police Guerrero
have been located alive at 43 students, missing the day September 26, 2014.

To view exclusive footage of the reunion of students and their families, and the conditions under which
They lived during his abduction, we attach a document to this email in Microsoft Word format.


The Universal © All Rights Reserved 2014.
This email relates to the kidnapping and possible murder of 43 Mexican students which has been blamed by some on the Mexican Police.

The Word document contains a malicious macro, and detailed instructions for the victim on how to disable the inbuilt security to enable it to run.


Once this has been done, the malicious macro [pastebin] runs. This attempts to download a file from:

http://www.milusz.eu/templates/default/00/ss.exe

At the moment, this download location is coming up with a 404 error. If the download were to work, it would save the file as %TEMP%\ test00010.exe. The Word document has a moderate detection rate of 10/54.

This type of malicious spam has been around for a long time, and this particular technique seems to be exclusively in Spanish, I have never seen this attack in English or any other language.

Malware spam: UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" [roughandtumble63@yahoo.co.uk]

This somewhat odd and terse spam comes with a malicious attachment.

From:    UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" <roughandtumble63@yahoo.co.uk>
Date:    17 December 2014 at 07:20
Subject:    Invoice as requested
There is no body text, but there is an malicious DOC attachment named 20140918_122519.doc which come in two slightly different versions with poor detection rates [1] [2]. The macros have been subtly changed from recent spam runs [1] [2] [pastebin] and download a second stage from one of the following locations:

http://openstacksg.com/js/bin.exe
http://worldinlens.net/js/bin.exe


This malicious executable is saved as %TEMP%\ADGYMSEKRJE.exe and has a detection rate of only 2/54.

Is is common with recent similar malware attempts, it attempts to phone home to 74.208.11.204 (1&1, US) as shown in the ThreatTrack report [pdf]. The Malwr report indicates a dropped file with an MD5 of ee826c184155a1fa1aea984f914e606a which is probably Dridex.

Monday 15 December 2014

Malware spam: IFS Applications / vitacress.co.uk / DOC-file for report is ready

This fake payment advice spam is not from Vitacress but is a forgery with a malicious Word document attached.
From:    IFS Applications [Do_Not_Reply@vitacress.co.uk]
Date:    15 December 2014 at 07:49
Subject:    DOC-file for report is ready

The DOC-file for report Payment Advice is ready and is attached in this mail.
Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contain one of two malicious macros [1] [2] [pastebin] that download a malware binary from one of the following locations:

http://gv-roth.de/js/bin.exe
http://notaxcig.com/js/bin.exe


This file is saved as %TEMP%\DYIATHUQLCW.exe  and is currently has a VirusTotal detection rate of just 1/52.

The ThreatExpert report and Malwr report shows attempted connections to the following IPs which have been used in many recent attacks and should be blocked if you can:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)

The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet.

UPDATE 2014-12-16

A second wave of spam is in progress with a pair of new malicious Word documents with low detection rates [1] [2] containing new macros [1] [2] that download a malicious file from the following locations:

http://finepack.co.in/js/bin.exe
http://loneleaf.ca/js/bin.exe


This file is saved as %TEMP%\TQWTGECOROR.exe and it currently has a detection rate of just 1/54. The Malwr report shows it posting to 74.208.11.204 yet again, although it does not show the dropped Dridex binary that I would expect to see.


Friday 12 December 2014

wavecable.com "Order - R58551" spam

This fake invoice comes with a malicious attachment.

From:    kaybd2@wavecable.com
Date:    12 December 2014 at 17:17
Subject:    Order - R58551

Thanks for placing order with us today! Your order is now on process.



Outright Purchase: 6949 US Dollars

Please click the word file provided below to see more details about your order.

BILLING DETAILS

Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@[redacted]

Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56 on VirusTotal. That contains this macro [pastebin] which downloads an executable from:

http://www.2fs.com.au/tmp/rkn.exe

That has a VirusTotal detection rate of 5/55. The Malwr report shows HTTP traffic to the following URLs:

hxxp://5.187.1.78/
hxxp://46.250.6.1/yQ0rNl=kQUO%2C/Uy.%20%206vPh/sGiK2LtSiX75BirV=%3DyaE%2D0jZ5/
hxxp://46.250.6.1/QO&KN@tZOvZ%2Ba/JW/wI%20%3FqZCSz&CH
hxxp://46.250.6.1/lgXM77$&N~/fn0R&OPvY/0%26EySg.2
hxxp://46.250.6.1/BJHWvUNBFb%7E8FS7%20/ku_%2CLOZC/%3DA%26S@R%2CRsl
hxxp://46.250.6.1/hjr5mo3/Jx%2C%3DKciOwsc0h.ICAQCFqbLFj6Q6bvtk&2/%3F%2DcG~k1R%2Cfu%2Djty&Kch2t~I
hxxp://46.250.6.1/1o26ZIXNlEyK/68G%2DvlteIkwiQ~WG%2C9/qFcRXJ9%24FHkr
hxxp://46.250.6.1/ISTfN%3D%2BpR6z/sV3sFy=/&rwxy/8
hxxp://46.250.6.1/fBuw/4%241PoLX5P=ThT4Hyzu/wbkj9q/zTt
hxxp://46.250.6.1/StKeINKIun6v$l0%2478bpb=1.8S%2B/q~S%2BcrS%24F%24y/@HA%2B7e%7EK%2Bp1HeQ3l_Qlc/L
hxxp://5.135.28.106/riBmIaB8bRi/sb1VvM/U=_=/PPa
hxxp://46.250.6.1/fCBz41ytqa.%2DjS8cj_rj=m%2Dzuxyr/lcvsbBxg%2Dsx%2DfS/%3D7lus%3F7e%3D%2D2.ou61s~
hxxp://46.250.6.1/zkzwh6f08q+e%2Dj%26rf.21/96ih%2D4.lhse8%20x8kgn%2B/59f3%7Ef+j%7Es%3D=w%2C+z91o
hxxp://46.250.6.1/yw1oy1pkp2+f%20au%26p@%2D/fmqyfl=zerhywesazsz2&s%2C%24%24%2Csv@k=+sqvs%3F%7Ep/

The ThreatExpert report shows POSTing to 209.208.62.36:8080

Combining some extra lookup in the Malwr report indicates that these following IPs are suspect:

209.208.62.36 (Atlantic.net, US)
5.187.1.78 (Fornex Hosting, Germany)
46.250.6.1 (Briz, Ukraine)
5.135.28.106 (OVH, France)
66.213.111.72 (Ohio Public Libraries, US)
95.211.188.129 (Leaseweb, Netherlands)

A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.

Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129


Thursday 11 December 2014

"UK Fuels E-bill" (ebillinvoice.com) spam

This fake invoice comes with a malicious attachment:

From:     invoices@ebillinvoice.com
Date:     11 December 2014 at 08:06
Subject:     UK Fuels E-bill

Customer No :           35056
Email address :         [redacted]
Attached file name :    35056_49_2014.doc

Dear Customer

Please find attached your invoice for Week 49 2014.

In order to open the attached DOC file you will need
the software Microsoft Office Word.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely

Customer Services
UK Fuels Ltd



======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================
This spam is not from UK Fuels Ltd or ebillinvoice.com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors. This downloads a file from the following location:

http://KAFILATRAVEL.COM/js/bin.exe

This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56 at VirusTotal.

The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you block this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55.

UPDATE 2014-12-12

Another spam run pushing this is in progress, with two different Word attachments seen so far (all called  35056_49_2014.doc. These are currently undetected by AV vendors [1] [2] and contains two slightly different macros [1] [2] [pastebin] that then attempt to download a binary from one of the following locations:

http://imperialenergy.ca/js/bin.exe
http://jnadvertising.com/js/bin.exe


This is then saved as %TEMP%\RPDWVRNDBGX.exe. This executable is malicious but has a VirusTotal detection rate of just 2/56. The ThreatExpert report shows connections to:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)

Both these IPs have been seen before and are definitely worth blocking. According to the Malwr report, this executable drops a DLL widely identified as the Dridex banking trojan.

Wednesday 10 December 2014

Spam: "Remittance Advice from Anglia Engineering Solutions Ltd"

This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.

From:     Serena Dotson
Date:     10 December 2014 at 10:33
Subject:     Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.


Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd
Tel: 01469 520572

The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but are undetected by any AV product [1] [2] which contains one of two malicious macros [1] [2] [pastebin] which attempts to download an executable from the following locations:

http://217.174.240.46:8080/stat/lld.php
http://187.33.2.211:8080/stat/lld.php


This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows attempted connections to the following IPs:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)

Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic.

The payload is most likely Dridex, a banking trojan.

I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201

217.174.240.46
187.33.2.211

Tuesday 9 December 2014

Something evil on 5.196.33.8/29

This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.

Specifically, VirusTotal lists badness on the following IPs:

5.196.33.8
5.196.33.9
5.196.33.10

There are also some doubtful looking IP addresses on 5.196.33.15 which may we have a malicious purpose.

All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.

Recommended blocklist:
5.196.33.8/29
jipwoyrnopwa.biz
kospoytrw.biz
belligerentladybug.com
hoplofrazoore.com
joptraeazalok.com
kiogosphwuysvx12.com
nelipraderson3.com
aderradpow.in
akojdurczopat.in
amoptrafnoger.in
apo83ggacer.in
apowiurbera.in
asdlpoqnoosgteer.in
asdpqwoieu12.in
asdqpwcya2.in
ashcytiqwer.in
askio2iytqrefa.in
asnodp3booztrea.in
azlaowumoa.in
blomcreaters.in
bvioplorazeno.in
bvopqcawea.in
bxpqy7everas.in
bzoapitradetn.in
cnertazootreas.in
coiqpyteramed.in
foksatboks3.in
golhahorsea.in
greolkopanx9.in
hiapwjertas.in
hokayreenols.in
jonofogolor.in
kiaowqptrea.in
koapnoxopaiuw72.in
kutradopretano98.in
lapouiqwg28.in
loatu27amop.in
looperfter4.in
mozgyterfaopetr.in
mxopa3ieravuk.in
nioapowedrakt.in
nitreamoptec.in
nloopboobs.in
npcowytrar.in
nxaopautrmoge.in
opqertasopma.in
poltraderano.in
sapertzalofasmo.in
vjogersamxe.in
vokjotreasmo.in
xboapvogtase.in
xnaiojipotram.in
xnaioqowhera.in
ywusbopa63a.in
zbtywraser.in
gpjfwsznuhdjgzwg.com
zntddwqtteq4.com

Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant ID:WIQ_27860746
Registrant Name:Gennadiy Borisov
Registrant Organization:N/A
Registrant Street1:ul. Lyulyak 5
Registrant Street2:
Registrant Street3:
Registrant City:Varna
Registrant State/Province:
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:yingw90@yahoo.com


Monday 8 December 2014

"Soo Sutton" / "INVOICE 224245 from Power EC Ltd" spam

Another variant of this spam, this fake invoice comes with a malicious Word document attached.
From:     soo.sutton966@powercentre.com
Date:     8 December 2014 at 10:57
Subject:     INVOICE 224245 from Power EC Ltd

Please find attached INVOICE number 224245 from Power EC Ltd
Attached are one of two Word documents, both with the name 224245.doc but with slightly different macros. Neither are currently detected by any AV vendors [1] [2]. Inside the DOC is one of two malicious macros [1] [2] [pastebin] which then downloads an executable from one of the following locations:

http://aircraftpolish.com/js/bin.exe
http://gofoto.dk/js/bin.exe


This file is then saves as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)

According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53.

Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish.com
gofoto.dk

UPDATE 2014-12-09:

A further couple of variants are being spammed out, both with low detections by VirusTotal [1] [2] and containing one of two malicious macros [1] [2] [pastebin] which down,loads from the following locations:

http://kawachiya.biz/js/bin.exe
http://darttoolinc.com/js/bin.exe


This is then saved as %TEMP%\YVXBZJRGJYE.exe and is presently undetected by vendors. The Malwr report and ThreatExpert report vary slightly, but both show traffic to the same IPs are before. The Malwr report also indicates that a DLL is dropped with a detection rate of 4/52 which is identified as the Dridex trojan.

Recommended blocklist:
203.172.141.250
74.208.11.204
 kawachiya.biz
 darttoolinc.com

Friday 5 December 2014

"Mathew Doleman" / "lightmoorhomes.co.uk" spam comes with a malicious Word document

This spam came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.

From:     Mathew Doleman [order@lightmoorhomes.co.uk]
Date:     5 December 2014 at 08:32
Subject:     Order no. 98348936010

Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.

Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB

Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)

Best regards,
Sales Department
Mathew Doleman
+07966 566663
The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors. Some investigation shows that it contains a malicious macro [pastebin].

The macro downloads a file from http://hiro-wish.com/js/bin.exe which is completely undetected by any AV vendor at present. According to the internal data, this is a Windows Media Player component although the compile date is today so this seems unlikely.
Developer metadata
Copyright
© Microsoft Corporation. All rights reserved.

Publisher Microsoft Corporation
Product Microsoft® Windows® Operating System
Original name wmadmod.dll
Internal name wmadmod.dll
File version 11.0.5721.5145 (WMP_11.061018-2006)
Description Windows Media Audio Decoder
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-12-05 06:30:06
Entry Point 0x00006460
Number of sections 3
The ThreatTrack report and ThreatExpert report indicate traffic to the following locations that you wouldn't expect a legitimate MS application to call home to:

74.208.11.204 (1&1 Internet, US)
203.172.141.250 (Ministry of Education, Thailand)

The VirusTotal report shows it phoning home t:

46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)

Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish.com