
Thursday, 3 March 2016

Malware spam: "Order Delay - Package Ref. 30432839"

This spam comes with a malicious attachment. The name of the sender and the reference number will vary from message to message.

From:    Lorna trevor-roper [trevor-roperLorna54235@cable.net.co]
Date:    3 March 2016 at 17:28
Subject:    Order Delay - Package Ref. 30432839


Respected Customer,

The delay of your parcel ref. # 30432839 cannot be controlled due to the unstable weather conditions in our region.

We are doing everything we can to arrange the best shipping time for your package.

Please check the information on your purchase in the attached file. There your will also find the info on the new delivery time.

Sincerely,
Sales Department Manager
Lorna trevor-roper
3000 E Grand Ave,
Des Moines, IA 27222
308-590-9335

So far I have seen three samples, with attachments named in the format Invoice_ref-30432839.zip (the number matching the reference in the subject line), each containing a malicious script whose name starts with invoice_ followed by some variable elements. These have detection rates of around 3/55 [1] [2] [3], and the Malwr reports [4] [5] [6] indicate that the script attempts to GET a binary from one of the following locations:

isthereanybodyqq.com/69.exe?1
isthereanybodyqq.com/80.exe?1
ujajajgogoff.com/69.exe?1
ujajajgogoff.com/80.exe?1

Data is then POSTed to:

dustinhansenbook.com/wstr.php
agri-distribution.net/wstr.php
onegiantstore.com/wp-includes/theme-compat/wstr.php

The VirusTotal reports for the dropped binary [1] [2] indicate Ransomware, but those Malwr reports look more like the Dridex banking trojan. Either way it is Nothing Good.

The download locations are interesting, hosted on the following IPs:

78.135.108.94 (Sadecehosting, Turkey)
162.211.67.244 (Secure Dragon LLC, US)


The following domains are either hosted on these IPs or use them as nameservers. They all look highly suspect and worthy of further analysis:

ohelloweuqq.com
ujajajgogoff.com
ohellohowru.ws
ujajajgogo.ws
gangthatgirlfast.ws
gutentagmenliebe.ws
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com


Recommended blocklist:
78.135.108.94
162.211.67.244
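The indicators above (the Invoice_ref-<number>.zip attachment wrapping an invoice_* script, the /69.exe?1 and /80.exe?1 downloads, the wstr.php POSTs, the related domains and the two hosting IPs) can be turned into a small triage script. The following is an added example written for this post, not code from the original page or from any of the referenced analysis services. It runs over a few constructed proxy log lines (timestamp, client IP, method, URL, destination IP; this layout is assumed, not a real proxy's format) and reports which lines match the campaign. It deliberately matches the download on the path alone (any /<digits>.exe), so a host not yet on the list, or a URL without the ?1 suffix, is still flagged as a weaker hit; the script extension inside the zip is not stated in the post, so the attachment check only looks at the invoice_ prefix.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post (as observed on 3 March 2016).
DOWNLOAD_HOSTS = {"isthereanybodyqq.com", "ujajajgogoff.com"}
POST_HOSTS = {"dustinhansenbook.com", "agri-distribution.net", "onegiantstore.com"}
RELATED_DOMAINS = {
    "ohelloweuqq.com", "ujajajgogoff.com", "ohellohowru.ws", "ujajajgogo.ws",
    "gangthatgirlfast.ws", "gutentagmenliebe.ws", "soclosebutyetqq.com",
    "isthereanybodyqq.com", "lenovowantsyouqq.com",
}
BLOCKLIST_IPS = {"78.135.108.94", "162.211.67.244"}

# Patterns generalised from the observed URLs and attachment names.
DOWNLOAD_PATH = re.compile(r"^/\d+\.exe$")          # /69.exe, /80.exe, ...
POST_PATH = re.compile(r"(^|/)wstr\.php$")          # any directory depth
ATTACHMENT_NAME = re.compile(r"^Invoice_ref-\d+\.zip$", re.IGNORECASE)
SCRIPT_NAME = re.compile(r"^invoice_", re.IGNORECASE)  # extension not known from the post


def is_suspicious_attachment(zip_name, member_names):
    """True if the zip name and at least one member name follow the campaign naming."""
    if not ATTACHMENT_NAME.match(zip_name):
        return False
    return any(SCRIPT_NAME.match(name) for name in member_names)


def classify_request(method, url, dest_ip=None):
    """Return the list of campaign indicators a single request matches (empty if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if dest_ip in BLOCKLIST_IPS:
        reasons.append("destination IP %s is on the blocklist" % dest_ip)
    if host in RELATED_DOMAINS:
        reasons.append("host %s is in the related-domain list" % host)
    # Weak indicator: numeric .exe path, regardless of host or the ?1 query string.
    if method == "GET" and DOWNLOAD_PATH.match(parts.path):
        reasons.append("payload download pattern /<n>.exe")
    if method == "POST" and host in POST_HOSTS and POST_PATH.search(parts.path):
        reasons.append("check-in POST to wstr.php on %s" % host)
    return reasons


def scan_log(lines):
    """Scan constructed proxy lines 'ts client method url dest_ip'; return (client, url, reasons) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; skip rather than guess
        _ts, client, method, url, dest_ip = fields
        reasons = classify_request(method.upper(), url, dest_ip)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample log. The destination IPs for the POST hosts and for the
# host from the comments are not given in the post, so TEST-NET addresses are used.
SAMPLE_LOG = """\
2016-03-03T17:31:02Z 10.0.0.12 GET http://isthereanybodyqq.com/69.exe?1 78.135.108.94
2016-03-03T17:31:05Z 10.0.0.12 POST http://onegiantstore.com/wp-includes/theme-compat/wstr.php 192.0.2.10
2016-03-03T17:32:10Z 10.0.0.44 GET http://www.example.com/index.html 192.0.2.20
2016-03-03T17:33:00Z 10.0.0.12 GET http://blablaworldqq.com/80.exe 192.0.2.30
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url)
        for reason in reasons:
            print("   -", reason)
```

Against the sample, the first line matches on all three of IP, domain and download path, the POST line matches on the wstr.php check-in, the example.com line is clean, and the last line is flagged only by the weak /<n>.exe pattern, which is the kind of hit worth a manual look before extending the blocklist.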


UPDATE

Smarter folks than I think this is Teslacrypt.


2 comments:

Bored Stiff said...

Nice work. I've received a couple emails lately and decided to look this up. The latest I received yesterday, had the 3000 E. Grand Avenue address in Des Moines. I knew it was some sort of scam, obviously, but it's fun to see how creative these creeps can be sometimes.

Thanks for the info on this. If you need or want the emails I received for study, let me know.

Ken

Security Magic said...

another link to add
blablaworldqq.com/80.exe