
Thursday, 29 October 2015

Malware spam: "Domain [domain] Suspension Notice" / abuse@enom.com.org

There appear to be many versions of this spam, aimed at domain owners and apparently coming from the actual registrar of the domain. For added authenticity, the owner's name is included in the spam. Here is one example that I got. It would have been very convincing, except that I had the heads up on this attack a couple of days ago.

From:    ENOM, INC. [abuse@enom.com.org]
Date:    30 October 2015 at 04:11
Subject:    Domain LAPTOP-MEMORY.COM Suspension Notice

Dear Sir/Madam,

The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:

Domain Name: LAPTOP-MEMORY.COM
Registrar: ENOM, INC.
Registrant Name: CONRAD LONGMORE

Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-406-7704

In this case, clicking on the link goes to edecisions.com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file named LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr. The file name looks more authentic because it contains the victim's domain, but in fact you can supply any domain name in the query string and the server returns a file named to match. Note the double extension: despite the "pdf" in the name, .scr is a Windows screensaver file, which is an ordinary executable.
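The two tells visible in the quoted email (a sender domain that merely resembles the registrar's, and an executable hiding behind a document-style name) can be checked mechanically. The following Python script is an added example, not code from the original post; the legitimate registrar domain ("enom.com") and the extension lists are assumptions made for illustration.

```python
# Added example, not from the original post: heuristic checks for the two tells
# visible in the quoted email. The legitimate registrar domain ("enom.com") and
# the extension lists are assumptions made for illustration.
import re
from typing import List
from urllib.parse import unquote, urlsplit

# Extensions Windows treats as executable (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jse", "wsf", "hta"}
# Extensions that make a name look like a harmless document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}


def sender_domain(from_header: str) -> str:
    """Return the domain of the first address in a header such as
    'ENOM, INC. [abuse@enom.com.org]' (the display name is ignored)."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", from_header)
    if not m:
        raise ValueError("no e-mail address found in From header")
    return m.group(1).lower().rstrip(".")


def is_lookalike_domain(domain: str, legitimate: str) -> bool:
    """True when `domain` starts with the legitimate name but is neither that
    domain nor one of its subdomains: enom.com.org passes, abuse.enom.com does not."""
    domain = domain.lower().rstrip(".")
    legitimate = legitimate.lower().rstrip(".")
    if domain == legitimate or domain.endswith("." + legitimate):
        return False
    return domain.startswith(legitimate + ".") or domain.startswith(legitimate + "-")


def disguised_executable(url_or_name: str) -> bool:
    """True for names such as LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr,
    where a document-looking extension is immediately followed by an
    executable one. Accepts either a bare file name or a full URL."""
    name = unquote(urlsplit(url_or_name).path.rsplit("/", 1)[-1]).lower()
    parts = name.split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def triage(from_header: str, registrar_domain: str, download_name: str) -> List[str]:
    """Collect human-readable findings for one message; an empty list means
    neither tell was present (which is not proof the mail is genuine)."""
    findings = []
    dom = sender_domain(from_header)
    if is_lookalike_domain(dom, registrar_domain):
        findings.append(f"sender domain {dom} imitates {registrar_domain}")
    if disguised_executable(download_name):
        findings.append(f"download {download_name} is an executable disguised as a document")
    return findings


if __name__ == "__main__":
    for line in triage("ENOM, INC. [abuse@enom.com.org]", "enom.com",
                       "LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr"):
        print(line)
```

Run against the quoted message, both checks fire. The lookalike test is deliberately narrow (it only catches the "legitimate name followed by extra labels" trick used here); a mail gateway would pair it with SPF/DKIM results rather than rely on it alone.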

Before we look at the analysis of the downloaded executable, let's look at the domain name edecisions.com. It looks like the sort of domain that might contain abuse reports, but in fact it is a hijacked GoDaddy domain hosted on 65.78.174.100 and a quick look at VirusTotal indicates that one of the other 4 sites on the same server was also compromised and was serving up malware in 2013. This is definitely a good candidate to block.

The downloaded file has a VirusTotal detection rate of 2/55. Automated analysis tools [1] [2] [3] indicate that whatever the hell this is, it tries to contact a LOT of other servers. We can see that the following domain names are accessed (mostly POST attempts):

0tv.co
abettertravelagent.com
agentclicktocall.com
airconditioning12601.com
all-inclusiveresortstravel.com
allgroupstravel.com
allreadytravel.com
ameliastyle.com
anabolicsteroidsrx.com
anunciamicasa.com
aprovechatudia.com
armangarzon.info
beachhouseplans.com
bigboattravel.com
biznal.com
bloccailmutuo.com
boilersandfurnaces.com
breakerhub.com
breathtakingsolutions.com
brindegenie.com
cameroonmarket.com
camirate.com
carltonchambers.co.uk
certifiedphytoceramides.com
chuckwhitlock.com
ciiapparelblog.com
circuitbreakerhub.com
colebar.com
cpasolutiononline.com
cruiseandtravel.agency
cruises-travelandmore.com
cruisetravelpros.com
cruisewithdawn.com
cruisingatdawn.com
cywellness.com
dallascircuitbreaker.co
dallascircuitbreaker.com
dallaselectricalsurplus.com
dallasreconditionedtransformers.com
dangerousgarciniacambogia.com
dawat-restaurant.com
designbrossard.com
designingartinstitute.com
designtravelagency.com
destinycruiseandtravel.com
enterrealtyny.com
superfunshoes.com
tarkshyainc.com

Note that almost everything is in the A-D range, which makes me suspect that this is only a fraction of the compromised domains. If we look at the IP addresses of those domains, then it gets even more interesting:

50.87.144.249 (Unified Layer, US)
50.87.151.145 (Unified Layer, US)
108.167.140.175 (WebSiteWelcome, US) [13 instances]
162.144.0.215 (Unified Layer, US)
162.144.12.115 (Unified Layer, US)
192.185.5.33 (WebSiteWelcome, US) [2 instances]
192.185.16.67 (WebSiteWelcome, US) [7 instances]
192.185.19.115 (WebSiteWelcome, US)
192.185.21.162 (WebSiteWelcome, US)
192.185.22.63 (WebSiteWelcome, US) [4 instances]
192.185.90.237 (WebSiteWelcome, US)
192.185.101.210 (WebSiteWelcome, US)
192.185.140.214 (WebSiteWelcome, US)
192.185.152.133 (WebSiteWelcome, US) [2 instances]
192.185.183.81 (WebSiteWelcome, US)
192.185.226.164 (WebSiteWelcome, US)
192.254.186.85 (WebSiteWelcome, US) [2 instances]
192.254.231.138 (WebSiteWelcome, US)
192.254.234.204 (WebSiteWelcome, US)
198.57.242.171 (Unified Layer, US) [4 instances]
198.57.244.38 (Unified Layer, US)
208.109.119.156 (GoDaddy, US)

A check of those WebSiteWelcome and Unified Layer IPs on VirusTotal (for example 192.185.226.164) indicates several compromised domains on the same server, indicating that the entire box has been popped.

It isn't clear what the payload is, but given that it is aimed at domain owners and given the unusual characteristics of the malware, I can make a guess that it is some sort of password stealer, possibly harvesting domain or server admin credentials. If you are not using multi-factor authentication for your domains, then perhaps now would be a good time to do so.

Recommended blocklist:
50.87.144.249
50.87.151.145
108.167.140.175
162.144.0.215
162.144.12.115
192.185.5.33
192.185.16.67
192.185.19.115
192.185.21.162
192.185.22.63
192.185.90.237
192.185.101.210
192.185.140.214
192.185.152.133
192.185.183.81
192.185.226.164
192.254.186.85
192.254.231.138
192.254.234.204
198.57.242.171
198.57.244.38
65.78.174.100
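To put the blocklist to use, the script below (an added example, not part of the original post) loads the 22 addresses, scans proxy logs for requests to them, ranks internal clients by hit count, and renders the list as ipset commands. The log format is a constructed, simplified one (timestamp, client, method, URL, destination IP), the sample lines are made up, and the ipset name is an assumption.

```python
# Added example, not from the original post: apply the recommended blocklist to
# web-proxy logs and turn it into firewall rules. The log format below is a
# constructed, simplified one (timestamp client method url destination-ip);
# the ipset name is an assumption.
import ipaddress
from collections import Counter
from typing import Dict, List, Set

# The 22 addresses recommended above, copied verbatim from the post.
BLOCKLIST_TEXT = """
50.87.144.249
50.87.151.145
108.167.140.175
162.144.0.215
162.144.12.115
192.185.5.33
192.185.16.67
192.185.19.115
192.185.21.162
192.185.22.63
192.185.90.237
192.185.101.210
192.185.140.214
192.185.152.133
192.185.183.81
192.185.226.164
192.254.186.85
192.254.231.138
192.254.234.204
198.57.242.171
198.57.244.38
65.78.174.100
"""

# Constructed sample log lines, not real traffic: one client fetching the lure
# and then POSTing to two of the listed hosts, and one clean request.
SAMPLE_LOG = """\
2015-10-30T04:12:01Z 10.0.0.7 GET http://edecisions.com/abuse_report.php?LAPTOP-MEMORY.COM 65.78.174.100
2015-10-30T04:12:09Z 10.0.0.7 POST http://cruisewithdawn.com/ 192.185.226.164
2015-10-30T04:12:10Z 10.0.0.7 POST http://allgroupstravel.com/ 108.167.140.175
2015-10-30T04:13:00Z 10.0.0.9 GET http://example.com/ 93.184.216.34
"""


def load_blocklist(text: str) -> Set[ipaddress.IPv4Address]:
    """One address per line; blanks and '#' comments are skipped. Anything that is
    not a valid IP raises, so a typo cannot silently become a dead rule."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ips.add(ipaddress.ip_address(line))
    return ips


def scan_log(log_text: str, blocklist: Set[ipaddress.IPv4Address]) -> List[Dict[str, str]]:
    """Return one record per request whose destination is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, dst = line.split()
        if ipaddress.ip_address(dst) in blocklist:
            hits.append({"time": ts, "client": client, "method": method, "url": url, "dst": dst})
    return hits


def clients_by_hits(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Internal hosts ranked by number of blocked-destination requests; these are
    the machines to pull for investigation first."""
    return dict(Counter(h["client"] for h in hits).most_common())


def ipset_rules(blocklist: Set[ipaddress.IPv4Address], set_name: str = "malspam-20151029") -> List[str]:
    """Render the blocklist as ipset commands (set name is an assumption)."""
    rules = [f"ipset create {set_name} hash:ip"]
    rules += [f"ipset add {set_name} {ip}" for ip in sorted(blocklist)]
    return rules


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    hits = scan_log(SAMPLE_LOG, bl)
    for h in hits:
        print(f'{h["time"]} {h["client"]} {h["method"]} -> {h["dst"]} {h["url"]}')
    print(clients_by_hits(hits))
    print("\n".join(ipset_rules(bl)))
```

Matching on destination IP rather than hostname is deliberate: the post notes that whole servers, not just the named domains, are compromised, so any other site on those boxes is covered too.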

UPDATE:

The payload appears to be the Cryptowall ransomware.

6 comments:

Marc Madrigal said...

Thanks for posting this! Got the same e-mail except it was addressed from UK2 Group Lmtd. Looks pretty convincing.

smitty7532 said...

I have never gotten anything like this until I switched all my domains to a new hosting.
Kinda fishy...
Makes me wonder about my new hosting now and if they sold all my info as soon as I signed up...

Unknown said...

Yep, I got one too from 1&1 Internet AG and it almost got me. The giveaway was the link where mine was to http://www.lurkotanoda.hu/abuse_report.php?ccbible.com

Thanks, your post was very helpful.

Bug said...

If you CURL the link it's binary and starts with "LÍ!This program cannot be run in DOS mode." so I'm guessing it's directed at M$ desktops. I keep getting them. And I'm sure if anyone ever tracks the scumbag down they'll get a Strongly Worded Letter of Protest.

Grosv said...

I received a similar email purporting to be from Enom Inc this morning. Thought I would check things out before opening the attachments! Thanks for the heads up. This is a very well researched scam using accurate names obtained from service providers somehow. For my registration I use a slight variant to my actual name. The email was addressed to this variant name and was sent to a different email domain address to the domain in question. All very convincing.

Lynn C-H said...

Really glad you posted this, I got one of these emails on Nov 6 myself - Google marked it as spam and I didn't find it until today. Luckily they'd named a domain I don't own anymore so I'd have been suspicious anyway, but it really bothers me that they'd managed to get my full real name paired with that 'private registration' domain to begin with.