Wednesday, 9 November 2016

Malware spam: "Your Amazon.com order has dispatched" leads to Locky

Overnight there has been a massive fake Amazon spam run leading to Locky ransomware:

From:    Amazon Inc [auto-shipping27@amazon.com]
Date:    8 November 2016 at 23:10
Subject:    Your Amazon.com order has dispatched (#021-3323415-8170076)

Dear Customer,

Greetings from Amazon.com,

We are writing to let you know that the following item has been sent using  DHL Express.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.com/your-account

Your order #021-3323415-8170076 (received November 8, 2016)


Your right to cancel:
At Amazon.com we want you to be delighted every time you shop with us.  O=
ccasionally though, we know you may want to return items. Read more about o=
ur Returns Policy at:  http://www.amazon.com/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have =
the right to cancel the contract for the purchase of any of these items wit=
hin a period of 7 working days, beginning with the day after the day on whi=
ch the item is delivered. This applies to all of our products. However, we =
regret that we cannot accept cancellations of contracts for the purchase of=
 video, DVD, audio, video games and software products where the item has be=
en unsealed. Please note that we are unable to accept cancellation of, or r=
eturns for, digital items once downloading has commenced. Otherwise, we can=
 accept returns of complete product, which is unused and in an "as new" con=
dition.

Our Returns Support Centre will guide you through our Returns Policy and, w=
here relevant, provide you with a printable personalised return label.  Ple=
ase go to http://www.amazon.com/returns-support to use our Returns Suppor=
t Centre.

To cancel this contract, please pack the relevant item securely, attach you=
r personalised return label and send it to us with the delivery slip so tha=
t we receive it within 7 working days after the day of the date that the it=
em was delivered to you or, in the case of large items delivered by our spe=
cialist couriers, contact Amazon.com customer services using the link bel=
ow within 7 working days after the date that the item was delivered to you =
to discuss the return.

https://www.amazon.com/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend th=
at you use a recorded-delivery service. Please note that you will be respon=
sible for the costs of returning the goods to us unless we delivered the it=
em to you in error or the item is faulty. If we do not receive the item bac=
k from you, we may arrange for collection of the item from your residence a=
t your cost. You should be aware that, once we begin the delivery process, =
you will not be able to cancel any contract you have with us for services c=
arried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection i=
n the event that our specialist courier service collect a large item from y=
ou to return to us.

As soon as we receive notice of your cancellation of this order, we will re=
fund the relevant part of the purchase price for that item.=20

Should you have any questions, feel free to visit our online Help Desk at:=
=20
http://www.amazon.com/help

If you've explored the above links but still need to get in touch with us, =
you will find more contact details at the online Help Desk.=20

Note: this e-mail was sent from a notification-only e-mail address that can=
not accept incoming e-mail. Please do not reply to this message.=20

Thank you for shopping at Amazon.com

-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom

All the versions I have seen contain those same formatting errors (the stray "=" soft line breaks and "=20" / "=C3=A0" sequences are broken quoted-printable encoding in the spam itself, not a copying error). Details vary from message to message (e.g. carrier, reference numbers). Attached is a malicious ZIP file (e.g. ORDER-608-0848796-6857907.zip) containing a malicious JavaScript file (e.g. F-9295287522-9444213500-201611165156-2601.js) that looks like this.
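As an added example (not from the original post), here is the check a mail gateway rule for this campaign needs to do: open every ZIP attachment in memory and flag members with extensions that Windows Script Host or mshta will execute on double-click. The message and the ZIP below are constructed inline using the filenames from the post; the .js member is a one-line placeholder, not the real downloader.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will hand to wscript.exe / mshta.exe when double-clicked.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta")


def build_sample_message():
    """Constructed sample: a fake Amazon dispatch mail carrying a ZIP that
    wraps a .js file. The member body is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("F-9295287522-9444213500-201611165156-2601.js",
                    "// placeholder, not the actual downloader\n")
    msg = EmailMessage()
    msg["From"] = "Amazon Inc <auto-shipping27@amazon.com>"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Your Amazon.com order has dispatched (#021-3323415-8170076)"
    msg.set_content("Dear Customer,\n\nGreetings from Amazon.com,\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="ORDER-608-0848796-6857907.zip")
    return msg.as_bytes()


def script_members_in_zip(data):
    """Return ZIP member names with a script extension (case-insensitive),
    reading the archive from memory so nothing touches disk."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(SCRIPT_EXTS):
                    hits.append(name)
    except zipfile.BadZipFile:
        pass
    return hits


def scan_message(raw):
    """Walk a raw RFC 5322 message and report ZIP attachments that contain
    scripts, as 'attachment.zip -> member.js' strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes (PK\x03\x04 local-file header), not just the name
        # or declared Content-Type, which the sender controls.
        if payload[:4] == b"PK\x03\x04" or fname.lower().endswith(".zip"):
            for member in script_members_in_zip(payload):
                findings.append(f"{fname} -> {member}")
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("BLOCK:", finding)
```

The archive is inspected with `zipfile` from a `BytesIO`, so a gateway can run this on the MIME part without extracting the member; extend `SCRIPT_EXTS` to cover whatever your environment's file associations will execute.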

My usual source (thank you) tells me that the various scripts download a component from these locations:

adultmagstore.co.uk/7845gf
asrcargo.ru/7845gf
bygg-molde.no/7845gf
chewysissy.net/7845gf
elektrickekefky.sk/7845gf
examsbank.com/7845gf
facerecognition.com.ba/7845gf
gadgetdealz.net/7845gf
girdap.org/7845gf
gpsfiles.nl/7845gf
heatsavingsystems.com/7845gf
helpcomm.com/7845gf
hnzhengzhou.com/7845gf
holzhaus.cl/7845gf
hud3.net/7845gf
hunt-magazine.com/7845gf
hydroservis.sk/7845gf
hz9m.com/7845gf
iaam.com.br/7845gf
igraficas.com/7845gf
immobilienbegleitung.de/7845gf
infosors.com/7845gf
inkjetss.com/7845gf
interabc.nl/7845gf
inteza.pl/7845gf
ipaper.ro/7845gf
irinka.ru/7845gf
islamhizmeti.com/7845gf
i-solutions.cz/7845gf
ivocal.fr/7845gf
izmirisgb.com/7845gf
janzwolinski.freehost.pl/7845gf
jgtour.wz.cz/7845gf
jlxzy.net/7845gf
jpvintage.nl/7845gf
jrockish.bravepages.com/7845gf
julian-g.ro/7845gf
karacanalbum.com/7845gf
kedaikerinchi.com/7845gf
khashchevato42.ru/7845gf
kiannaghsh.ir/7845gf
kleansys.com/7845gf
kolumbia.free.bg/7845gf
krd-php.ru/7845gf
kurdinfo.ru/7845gf
lekstom.ru/7845gf
lloveras.com/7845gf
mapbook.ir/7845gf
markanltd.com/7845gf
markscheffel.de/7845gf
masiled.es/7845gf
masterimob.ro/7845gf
materlux.ru/7845gf
mavicicek.com/7845gf
maytinhcaobang.net/7845gf
mdk-wear.ru/7845gf
mediclo.pl/7845gf
meshok.com.ua/7845gf
mh500.com/7845gf
minoritycounselor.com/7845gf
minunat.eu/7845gf
mischiefexpeditions.asia/7845gf
mjtmak.com/7845gf
mokinukai.lt/7845gf
monkey-drum.com/7845gf
monster-high.com.ua/7845gf
moveus.com.br/7845gf
mtgchile.cl/7845gf
mtntelekom.com/7845gf
muaban86.net/7845gf
musicrecruiting.com/7845gf
muzica-evenimente.ro/7845gf
mw077.ru/7845gf
myhtar.ru/7845gf
myxos.be/7845gf
naruby.kvalitne.cz/7845gf
natalilife.ru/7845gf
sport-grace.by/7845gf
teazexebec.com/7845gf
yastrebov25.sat34.ru/7845gf

It appears to drop a malicious DLL with a detection rate of 32/56. The following C2 servers have been identified:

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)


UPDATE
According to the Hybrid Analysis report, the dropped Locky binary actually has an MD5 of ad6fb318002df4ffc80795cc31d529b4 and a detection rate of 28/56.

Recommended blocklist:
85.143.212.23
158.69.223.5
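The download locations above all share the same URI path token, and the C2 traffic goes to two IPs with a fixed path, which makes the post's indicators easy to turn into a proxy-log sweep. As an added example (not from the original post), the Python below parses a few of the listed download sites and the two C2 endpoints, then scans constructed Squid-style access-log lines for three things: a request to a listed host with the campaign path, the campaign path on a host that is not on the (partial) list, and a POST to a C2 endpoint. The log lines and the unlisted hostname are invented for the example.

```python
import re
from urllib.parse import urlsplit

# Four of the download locations listed in the post; all share /7845gf.
DOWNLOAD_SITES = """
adultmagstore.co.uk/7845gf
asrcargo.ru/7845gf
bygg-molde.no/7845gf
yastrebov25.sat34.ru/7845gf
"""

# The two C2 endpoints from the post.
C2_SERVERS = """
85.143.212.23/message.php
158.69.223.5/message.php
"""


def parse_iocs(text):
    """Split 'host/path' lines into a set of hosts and a set of paths."""
    hosts, paths = set(), set()
    for entry in text.split():
        host, _, path = entry.partition("/")
        hosts.add(host.lower())
        paths.add("/" + path)
    return hosts, paths


DL_HOSTS, DL_PATHS = parse_iocs(DOWNLOAD_SITES)
C2_HOSTS, C2_PATHS = parse_iocs(C2_SERVERS)

# Constructed Squid native-format lines: time, elapsed, client, status, bytes,
# method, URL, ident, hierarchy, content type. Not real traffic.
SAMPLE_LOG = """\
1478646001.101   842 10.0.0.5 TCP_MISS/200 1432 GET http://www.amazon.com/your-account - HIER_DIRECT/52.1.1.1 text/html
1478646003.456  1200 10.0.0.5 TCP_MISS/200 64512 GET http://bygg-molde.no/7845gf - HIER_DIRECT/81.1.1.1 application/octet-stream
1478646004.789   300 10.0.0.7 TCP_MISS/200 60233 GET http://unlisted-compromised-site.example/7845gf - HIER_DIRECT/81.1.1.2 application/octet-stream
1478646009.012   150 10.0.0.5 TCP_MISS/200 228 POST http://85.143.212.23/message.php - HIER_DIRECT/85.143.212.23 text/plain
1478646010.345   120 10.0.0.9 TCP_MISS/200 512 GET http://intranet.example/7845gf.html - HIER_DIRECT/10.1.1.1 text/html
"""

LOG_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_url(url):
    """Return why a URL matches the campaign indicators, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS and parts.path in C2_PATHS:
        return "locky-c2"
    if host in DL_HOSTS and parts.path in DL_PATHS:
        return "known-download-site"
    # The shared path token also catches compromised hosts the list missed.
    # Exact path comparison keeps /7845gf.html-style lookalikes out.
    if parts.path in DL_PATHS:
        return "download-path-token"
    return None


def scan_proxy_log(text):
    """Return (client, url, reason) for every request that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_url(m.group("url"))
        if reason:
            hits.append((m.group("client"), m.group("url"), reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{url}")
```

A client that appears first on a download-site hit and then on a C2 hit (10.0.0.5 in the sample) has most likely already run the script and been encrypted; treat the download-only hits as hosts to check before the C2 beacon shows up.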



1 comment:

Adrian Oldfield said...

Dynamoo, thanks very much for your analysis and in particular listing the JScript source code on pastebin. With these I've been able to start some anti-ransomware investigations. Keep it up! Adrian