Sponsored by..

Tuesday 31 May 2016

Malware spam: "New Company Order" / "ABC Import & Export,LLC"

This fake financial spam leads to malware:

From:    accounting@abcimportexport.com
Reply-To:    userworldz@yahoo.com
To:    Recipients [accounting@abcimportexport.com]
Date:    31 May 2016 at 12:31
Subject:    New Company Order

Good Day,

Find the attached specifications in the purchase order for our company mid year order & projects before sending your Proforma Invoice and do get back to me with your quotations asap.
An Official order placement will follow as soon as possible.
CLICK HERE TO DOWNLOAD & VIEW PURCHASE ORDER IF DOESNT WORK THEN CLICK HERE TO DOWNLOAD SECURE PURCHASE ORDER 
https://gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip
Attention! This document was created with a newer version of Microsoft Word.. Please click Enable Content or Macro to view the content of our order
Best Regards,
Ameen La Binish
Purchasing Dept

ABC Import & Export,LLC 2534 Royal Lane
Suite # 205
Dallas,Texas 75229
USA
Toll Free : 1-800-666-5874
Office Main Line : 1-214-966-2627
Office Reception : 1-214-985-1696
Fax : 1-972-243-7275
Email:
Sales@abcimportexports.co
Website: http://abcimportexport.com
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
The link in the email message goes to gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip . This contains a malicious executable scan purchase orders.exe which has a detection rate of 3/56. That VirusTotal report and these other analyses [1] [2] [3] shows network traffic to:

185.5.175.211 (Voxility SRL, Romania)

This executable drops another similar EXE [4] [5] [6] [7] which phones home to the same IP. Between them, these reports indicate some sort of keylogger. There seems to be little of anything of value in this /24, so I would recommend blocking 185.5.175.0/24

sdfsdaf

Malware spam: "You have 1 new message from bank manager. To read it, please open the attachment down below. "

This fake financial spam has a malicious attachment:

From:    Lanna Weall
Date:    31 May 2016 at 12:18
Subject:    New Message from your bank manager

You have 1 new message from bank manager. To read it, please open the attachment down below. 
In the sample I saw there was an attachment see_it_77235678.zip containing a malicious script warning_letter_Bdrh5W.js (detection rate 4/57) and the Malwr analysis of that sample shows that it downloads a binary from:

pvprojekt.pl/oLlqvX

The dropped binary is Locky ransomware with a detection rate of 4/56. All those reports plus these analyses [1] [2] [3] show network traffic to:

85.17.19.102 (Leaseweb, Netherlands)
195.154.69.90 (Iliad Entreprises, France)
93.170.123.60 (PE Gornostay Mikhailo Ivanovich / time-host.net, Ukraine)


A trusted source (thank you) indicated that there was a earlier Locky campaign today with the following donwload locations:

101consult.com/zZVPJj
adrianschubert.pl/7s56K8
affinityee.com/jkpziP
akcord.com/R4yjhg
alex-makhinin.ru/hPBy2R
altezzatrio.com/aAS841
amande-concerts.de/LNfOKy
amansur.com/sJIEQB
andresvazquez.net/1UaAWY
arajinqayler.com/V8lL2k
asworkstation.com/1Cq0Kk
baidainhatrang.xyz/bA2xZO
balifashion.ru/FMGbdV
belov24.ru/1msPTS
bestplumbersindallas.com/UZmYow
betulbasol.com/jmS4ts
bitcoinprservices.com/4Xc6Fy
canale78.it/I52NbK
c-a-r.at/QSa8sI
fm2030.us/BznLrm
handmee.com/hIPTXx
jestempiotr.pl/IiJlGp
kickoff.ru/WNwvki
kontarkum.org/Lntxhy
ktistakis.com/UHqig6
kvarcevaya-lampa.ru/fC9qZW
kwweb.it/tNTjZ2
ladohumano.cl/bnmYOE
leatherberryconsulting.com/gXTND7
lidgroup.ru/vV9c7l
lizdion.net/9cRXIl
makarenkostyle.net/IJlEqC
marca-ce.com/n859VM
maridadiproperties.com/pQIJGB
mckinleyhigh.org/lhAfaC
metakino.ru/onryuE
metaldesign.info/o12QeD
minutemanpress-randburg.co.za/UXJnqs
most.org.mk/oiNWQ0
muslimdate.com/mlB3PW
noplacelikejones.com/hati3x
norisys.com/EwX0sO
nwa-dizel.ru/D8kTfA
ohmyg-o-d.info/Ns4gf5
pasit.heutagon.com/PyG0Oc
pgcommunitycab.com/FAlx1b
polibloki.ru/nbTURt
primeautoglass.co.nz/wMcW5Z
puliziafacile.it/JvZ9cX
pvprojekt.pl/oLlqvX
quotidianieriviste.com/WIKuLk
redcurrantjobs.co.uk/9cgwZ5
revista.motociclismo.es/4HgJ7t
riobrancoperu.org/B3AlqT
rockmind.pl/bg6kKf
rotaharita.com/5NmH3b
sanariumspb.ru/Xm9xul


Recommended blocklist:
85.17.19.102
195.154.69.90
93.170.123.60


Friday 27 May 2016

Malware spam: "As per our discussion yesterday, please find attached the amended meeting minutes."

This spam leads to Locky ransomware:

From:    Meagan Branch
Date:    27 May 2016 at 12:35
Subject:    Information request


Dear [redacted],

As per our discussion yesterday, please find attached the amended meeting minutes.
I have accepted the majority of the changes requested, however there are some that I have left in the document.
I have included the edits as track changes.

Please confirm that the changes we have made are acceptable.

Many thanks


Regards,

Oramed Pharmaceuticals Inc.

Meagan Branch
Phone: +1 (620) 980-41-94
The senders vary from email to email. Attached is a ZIP file with a malicious script, which in the examples that I have found downloads one of a variety of malicious executables [1] [2] [3] [4] which call home to the same IP addresses found in this earlier spam run.

Malware spam: "Neue Abrechnung Nr. 746441" / support@sipcall.de

This German-language spam has a malicious attachment:

From:    support@sipcall.de
Date:    27 May 2016 at 10:57
Subject:    Neue Abrechnung Nr. 746441


Guten Tag

Im Anhang erhalten Sie die neue Rechnung des vergangenen Monates mit der Abrechnungsnummer 746441.

Für eine fristgerechte Bezahlung danken wir Ihnen. Bei Fragen oder Anregungen steht Ihnen unser Kundendienst gerne zur Verfügung.


Freundliche Grüsse
Ihr VoIP Provider


Dies ist eine automatisch generierte Nachricht. Antworten auf diese E-Mail können nicht bearbeitet werden.

Reference numbers vary. Attached is a randomly-named Word document (e.g. INV842038-746441.docm). The sample I submitted to Malwr showed it downloading a binary from:

www.ding-a-ling-tel.com/98yh87nb6v4

Other sources indicate additional download locations at:

egadget.ru/98yh87nb6v4
www.samrhamburg.com/98yh87nb6v4
bridgeplacements.com/98yh87nb6v4
birlesimsucuklari.com/98yh87nb6v4
ecpi.ro/98yh87nb6v4
wondervalley.in/98yh87nb6v4

acnek.com/98yh87nb6v4
cacpa.org/98yh87nb6v4
cobrebactericida.org/98yh87nb6v4
greenwfms.com/98yh87nb6v4
iwebmediasavvy.com/98yh87nb6v4
projectodetalhe.pt/98yh87nb6v4
renaudsfurniture.ca/98yh87nb6v4
saintkatherine.orthodoxy.ru/98yh87nb6v4
www.orchidealito.it/98yh87nb6v4


There are probably other locations too.

An executable is dropped with a detection rate of 3/56. The Hybrid Analysis and DeepViz report both indicate different phone-home locations:

193.9.28.13 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
5.152.199.70 (Redstation, UK)


Private sources also indicate C2s at:

212.109.219.31 (JSC Server, Russia)
107.181.187.12 (Total Server Solutions, US)


The payload is Locky ransomware.

Recommended blocklist:
193.9.28.13
5.152.199.70
212.109.219.31
107.181.187.12

Phish: "Final PO Contract..xlsx"

This spam email is phishing for email credentials. Unlike some, this one seems to be quite well done and might convince unsuspecting people that it is genuine.

From:    M Tufail Shakir [admin@ebookmalls.com]
Date:    27 May 2016 at 08:42
Subject:    Re: Final PO Contract..xlsx

Please see below attachment for the final signed contract

Regards,
27-05-2016

Tom Yip | Regional Sales Team | Marchon Eyewear (HK) Ltd.
Room 1503-05, 15/F, One Island South, 2 Heung Yip Road, Wong Chuk Hang, Hong Kong
P: (852) 2814 6674  |  tyip@marchon.com


From: Marites [villaventures@hotmail.com]
Sent: Thursday, May 26, 2016 2:15 PM
To: [redacted]
Cc: Jeff Lam; Swallow Yeung
Subject: SF and CE Contract


Final Contact Statement.xlsx    1 file (Total 387.5 KB)    View | Download
The link in this email goes to:

cagselectrical.com.au/libraries/emb/excel/excel/index.php?email=[redacted]

This gives a pretty convincing looking facsimile of an Excel spreadsheet, prompting for credentials..


Entering any combination of username and password seems to work, then you get redirected to a GIF of a spreadsheet..


Curiously, this GIF is not part of a phishing site but is on a wholly legitimate site belonging to a software company called Aspera (you can see it here):

download.asperasoft.com/download/docs/console/2.0/linux/html/images/console/console-report-ex1-xls.gif

The asperasoft.com domain is NOT involved in the phishing nor has it been compromised. As ever, I would advise you not to explore links like this as they might lead to an exploit kit or malware, and bear in mind that some phishing pages are better than others, and this is one of the more convincing ones that I have seen recently.

Thursday 26 May 2016

Malware spam: "Please find attached a document containing our responses to the other points which we discussed.."

This spam appears to come from different companies and senders, and has a malicious attachment:

From:    Sara Osborne
Date:    26 May 2016 at 10:53
Subject:    RE:

Dear sales,

Please find attached a document containing our responses to the other points which we
discussed on Monday 23th May.

Please let me know if you have any queries


Regards,

Wayfair Inc.

Sara Osborne
Attached is a ZIP file (the ones I have seen so far all begin with responses_) which contains a malicious script name in a similar way to employees -382-.js. These have a typical detection rate of 4/56.

Two samples analysed by Malwr [1] [2] show download locations from:

newgeneration2010.it/mkc27f
projectodetalhe.pt/do5j36a


There will be many other download locations too. These drop two different binaries (VirusTotal results [3] [4]). Those two VT results plus these two DeepViz analyses [5] [6] show the malware phoning home to:

138.201.93.46 (Hetzner, Germany)
107.181.187.12 (Total Server Solutions, US)
212.109.219.31 (JSC Server, Russia)
5.152.199.70 (Redstation, UK)


This behaviour is consistent with Locky ransomware.

Recommended blocklist:
138.201.93.46
107.181.187.12
212.109.219.31
5.152.199.70



Phish: "Please find attached telegraphic transfer copy for payment made to your account today."

At first glance this spam looks like malware, but it appears to be a phish instead:


From:    General trading ltd [info@7studio.co]
Date:    26 May 2016 at 05:04
Subject:    Payment

Dear Sir/Ma'am!

As requested by our customer
Please find attached telegraphic transfer copy for payment made to your account today.

Kindly confirm once you received this payment.

Regards

Muhammad Farooq
Exchange Manager,
MCB New Garden Exchange
U.A.E (1080)
Contact: 971-35866698 - 03004278636

Disclaimer:

This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. MCB Bank does not accept liability for any errors or omissions.

Attached is a file TT-USD.pdf .. as a rule I would recommend not opening PDF files or other attachments from unknown sources. When you open the file it looks like this:



Yes, it does look that blurry. The enticement here is to click the link in the document, which is something I wouldn't recommend that you do because it could lead to a malicious download, exploit kit or in this case a simple phishing page hosted on poloimport2012.com.



This seems to be phishing for general webmail credentials. Of course, once a hacker has those they can use your account to send spam or even rifle through your private emails and reset passwords and gain access to other important accounts.

Signing in with any credentials appears to fail, but of course the bad guys have just harvested your password..

As I said, I don't recommend opening files like this and clicking links to see where they go. I use a test environment to do this, but some similar spam emails can deliver malware that will silently plant itself on your computer which can be even more dangerous than this phish.

Wednesday 25 May 2016

Malware spam: "Weekly report" / "Please find attached the Weekly report."

This fake financial spam comes from random senders and companies and has a malicious attachment:

From:    Alicia Ramirez
Date:    25 May 2016 at 14:22
Subject:    Weekly report

Hi [redacted],


Please find attached the Weekly report.


King regards,

Alicia Ramirez
Castle (A.M.) & Co.
There are a large number of these, with a ZIP file attached containing a malicious scripts with a typical detection rate of 3/56. In this sample Malwr analysis, it downloads a file from:

test.glafuri.net/yxk6s

There will certainly be a LOT of other download locations. The dropped file GSKQtcnNu8MS.exe has a detection rate of 4/55 and that same VirusTotal report indicates C2 traffic to:

138.201.93.46 (Hetzner, Germany)
91.200.14.139 (PP SKS-LUGAN, Ukraine)
104.131.182.103 (Digital Ocean, US)
164.132.40.47 (OVH, France)


Even though other automated analysis failed [1] [2] this time we have previously identified two of those IPs as being Locky ransomware, so there is little doubt that this will be more of the same.

Recommended blocklist:
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47

Malware spam: "URGENT - DELIVERY" / "Jobin Jacob / "HYTEX"

This fake delivery spam leads to malware:

From:    Justin harmon
Date:    25 May 2016 at 12:30
Subject:    URGENT - DELIVERY

Dear customer.

Please find the attachment.


--
Thanks & Best Regards


Jobin Jacob
HYTEX
Ph: +974-44506682
Mob:+974-70400514,55129954
Attached is a ZIP file that contains one of many scripts that downloads a binary from one of the following locations (according to a trusted third party, thank you!):

avi-vest.ro/3g34t3t4tggrt?[random-string]=[random-string]
bankruptcymag.com/3g34t3t4tggrt?[random-string]=[random-string]
bizconsulting.ro/3g34t3t4tggrt?[random-string]=[random-string]
brunohenrique.net/3g34t3t4tggrt?[random-string]=[random-string]
cjglobal.co/3g34t3t4tggrt?[random-string]=[random-string]
comecomunicare.eu/3g34t3t4tggrt?[random-string]=[random-string]
crimeshurt.com/3g34t3t4tggrt?[random-string]=[random-string]
digitacaoveloz.com.br/3g34t3t4tggrt?[random-string]=[random-string]
globalcredithub.com/3g34t3t4tggrt?[random-string]=[random-string]
lifeclinics.net/3g34t3t4tggrt?[random-string]=[random-string]
orobos.nyc/3g34t3t4tggrt?[random-string]=[random-string]
selonija.lv/3g34t3t4tggrt?[random-string]=[random-string]
smp.com.mx/3g34t3t4tggrt?[random-string]=[random-string]
sweethomesgroup.com/3g34t3t4tggrt?[random-string]=[random-string]
tspipp.tsu.tula.ru/3g34t3t4tggrt?[random-string]=[random-string]
unijovem.com.br/3g34t3t4tggrt?[random-string]=[random-string]
www.appoutpost.com/3g34t3t4tggrt?[random-string]=[random-string]


Where [random-string] seems to be a random alphanumeric string. The dropped binary is Locky ransomware (as seen in this Malwr report) which phones home to:

164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)


These are the same C2 servers as found here.




Malware spam: "Operational Expense" leads to Locky

This fake financial spam leads to malware:

From:    Theodora Hamer
Date:    25 May 2016 at 12:17
Subject:    Operational Expense

Operational Expense of 7,350,80 USD has been credited from your account. For more details please refer to the report that can be found down below 
This analysis is based on a trusted source (thank you!). Attached is a ZIP file containing a malicious script, downloading from:

alborzcrane.com/g1slEn.exe
alborzcrane.com/Z94n5r.exe
alintagranito.com/fOA8Bl.exe
alintagranito.com/xB7nku.exe
amazoo.com.br/R0koId.exe
avayeparseh.com/s0faxS.exe
buzzimports.com.au/cRQVC4.exe
buzzimports.com.au/ECScwi.exe
galabel.com/lRkuJX.exe
galabel.com/oQz26K.exe
jett.com/6APaSk.exe
kitchen38.com/HYPETS.exe
kitchen38.com/V1ygc2.exe
onestopcableshop.com/J7t6au.exe
osdc.eu/gct5TH.exe
osdc.eu/n2UuEj.exe
purfectcar.com/9OaoqM.exe
purfectcar.com/sHXqZT.exe
wisebuy.com/WiOqzB.exe
yearnjewelry.com/OnvBrc.exe
yearnjewelry.com/t8HnK3.exe
zhaoyk.com/Dmv3As.exe
zhaoyk.com/JbO9uX.exe


This drops what is apparently Locky ransomware, with a detection rate of 3/56. This phones home to:

164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)


This Hybrid Analysis shows the Locky ransomware in action.

Recommended blocklist:
164.132.40.47
104.131.182.103


Malware spam: "Following the phone conversation with the accounting department represantatives I'm sending you the invoices."

These fake financial spams come from different companies, all with a malicious attachment.

From:    Frank.ClaraZO@pr-real.com
Date:    25 May 2016 at 11:34
Subject:    The invoices from INCHCAPE PLC


Hello,
Following the phone conversation with the accounting department represantatives I'm sending you the invoices.

Thank you for attention,
Kind regards
Clara Frank
INCHCAPE PLC
tel. (2045)/641493 54

> Sent from Iphone
Attached is a ZIP file with a name similar to Invoice 5044-032841.zip which in turn contains a malicious script named in a similar manner to invoice(677454).js which typically has a detection rate of 3/56. Hybrid Analysis of that sample shows the script creating a PFX (personal certificate) file which is then transformed into a PIF (executable) file using the certutil.exe application.

This PIF file itself has a detection rate of 6/56 but automated analysis [1] [2] [3] is inconclusive. The behaviour is somewhat consistent with the Dridex banking trojan but may possibly be Locky ransomware.

Tuesday 24 May 2016

Malware spam: "Account Compromised" / "Suspicious logon attempt"

These fake security warnings come with a malicious attachment:

From:    Jennings.KarlaVk@ttnet.com.tr
Date:    24 May 2016 at 11:48
Subject:    Account Compromised

Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 108.127.172.96)
Reason: unusual IP
Please refer to the attached report to view further detailed information.

BMJ Group
tel. (4813)/675337 33

> Sent from iPad

--------------

From:    Hooper.Cecilep@hotelaviatrans.am
Date:    24 May 2016 at 11:40
Subject:    Suspicious logon attempt

Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 223.149.173.250)
Reason: unusual IP
Please refer to the attached report to view further detailed information.

YUJIN INTL LTD
tel. (4020)/438007 92

> Sent from iPad

In the two samples I have seen, there are attachments named Security Report.zip and Security Notification.zip which in turn contain a Word document with a name such as Security Report ID(11701573).doc

The two documents that I have seen have detection rates of about 3/56 [1] [2] but according to these automated analyses [3] [4] [5] [6] it seems that the infection doesn't work properly, failing to find a created file harakiri.exe. This Malwr report shows a dropped file named harakiri.pfx which isn't an executable, my guess is that this is an encrypted file that hasn't decrypted properly.

UPDATE

According to a third party analysis, this apparently drops Dridex which phones home to:

210.245.92.63 (FPT Telecom Company, Vietnam)
162.251.84.219 (PDR Solutions, US)
80.88.89.222 (Aruba, Italy)
213.192.1.171 (EASY Net, Czech Republic)


Recommended blocklist:
210.245.92.63
162.251.84.219
80.88.89.222
213.192.1.171


Phish: "TNT Consignment Notification" via rit.edu

This fake TNT notification is phishing for credentials:

From:    TNT Express
Reply-To:    sh3llsh0p@yahoo.com
Date:    24 May 2016 at 11:34
Subject:    TNT Consignment Notification

Attention: [redacted],

TNT is pleased to advise you that ANTONIOU KONSTANTINOS has arranged for a shipment to be collected from them on May 23, 2016 , and delivered to You on 275th May 2016.
The shipment has a TNT CONSIGNMENT NOTE NUMBER: 119138390

To be able to check the status of the shipment simply visit or click below to track.



http://www.tnt.com/webtracker/tracking.do?navigation=1&searchType=CON&respLang=en&respCountry=GENERIC&genericSiteIdent=.&cons=119138390


From :
ANTONIOU KONSTANTINOS
Theokritou 5
THESSALONIKI
THESSALONIKIS
546 27
GR

Pieces : 1
Weight : 0.5 KG
Shipment reference :
Description : sample
If you would like to find out about the many ways TNT helps you to track your shipment, or if you would like to know more about the services provided by TNT, simply connect to www.tnt.com and select your location at any time.


---------------------------------------------------------------------------------------------------------------
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.
Please consider the environmental impact before printing this document and its attachment(s). Print black and white and double-sided where possible.
------------------------------------------------------------------------------
The link in the email is disguised to make it look like a link to tnt.com, but in face it goes to:

heurica.dk/tnt1/?email=[redacted]

which then forwards to

booking-smart-swim-school.co.uk/images/TNT/index.php?rand=13InboxLightaspxn.1774256418&fid&1252899642&fid.1&fav.1&email=[redacted]

This URLquery report shows what is going on, as the victim ends up on a laughably fake phishing page:


Presumably this is phishing for general email credentials rather than a TNT login. Orignating IP is 87.106.178.108 (1&1, Germany) via an apparently compromised account or server at pmdf01b.rit.edu



Evil network: OVH / kaminskiy@radiologist.net

Here's an Angler EK cluster, hosted on multiple ranges rented from OVH France.. working first from this list of Angler IPs in OVH address space we can see a common factor.

5.135.249.214
5.135.249.215
51.255.59.119
51.255.59.120
51.255.59.121
51.255.59.123
91.134.206.128
91.134.206.129
91.134.206.130
91.134.206.131
91.134.204.217
91.134.204.218
91.134.204.219
91.134.204.243
91.134.204.245
91.134.204.247

One handy thing that OVH does with suballocated ranges is give clear details about the customer. This certainly helps track down abusers. In this case, the ranges these IPs are in are allocated to:

organisation:   ORG-KM91-RIPE
org-name:       Kaminskiy Mark
org-type:       OTHER
address:        Bema 73
address:        01-244 Warszawa
address:        PL
e-mail:         kaminskiy@radiologist.net
abuse-mailbox:  kaminskiy@radiologist.net
phone:          +48.224269043
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-05-18T14:46:09Z
last-modified:  2016-05-18T14:46:09Z
source:         RIPE


That ORG-KM91-RIPE reference can be looked up on the RIPE database: giving more of these little /30 blocks:

5.135.249.212/30
51.255.59.116/30
51.255.59.120/30
51.255.59.124/30
91.134.206.128/30
91.134.204.212/30
91.134.204.216/30
91.134.204.220/30
91.134.204.240/30
91.134.204.244/30
91.134.204.248/30
91.134.204.252/30
164.132.223.192/30


OVH have been pretty good at cleaning up this sort of thing lately (unlike PlusServer) so hopefully they will get this under control.

If you want to find other Angler EK ranges then I have a bunch of 'em in my Pastebin.

Monday 23 May 2016

Malware spam: "Your bank account has been deleted,more information attached. "

This alarming looking spam has a malicious attachment:

From:    Bradyrian Hassell
Date:    23 May 2016 at 14:00
Subject:    Account Deleted

Your bank account has been deleted,more information attached. 
I have only seen a single copy of this and the ZIP file attached was corrupt, however, it is very likely that this is a variant of the Locky ransomware run from earlier today.

Malware spam: "Please find attached the file we spoke about yesterday" leads to Locky

This spam appears to come from random senders, and leads to Locky ransomware:

From:    Graham Roman
Date:    23 May 2016 at 11:59
Subject:    Re:

Hi [redacted]

Please find attached the file we spoke about yesterday.

Thank you,
Graham Roman
PCM, Inc.
Attached is a ZIP file starting with copy_invoice_ and then a random sequence. This contains a malicious script file which in the sample I analysed downloads an obfuscated binary from:

oakidea.com/by2eezw8
islandflavaja.com/0p1nz
dragqueenwig.com/itukabk


Automated analysis of the script [1] [2] shows it dropping a file klA1KMQj2D.exe which has a VirusTotal detection rate of 5/56. Those prior reports plus these additional analyses of the binary [3] [4] [5] show network traffic to:

188.166.168.250 (Digital Ocean, UK)
31.41.44.45 (Relink Ltd, Russia)
92.63.87.53 (MWTV, Latvia)


Those reports all demonstrate clearly that this is Locky ransomware, although the barely encrypted downloaded binaries are a new feature.

UPDATE

Trusted third-party analysis (thank you) shows some additional download locations:

4cornerbazaar.com/rcjmp
ap-shoes.com/r3mkkch
b2cfurniture.com.au/ztydt7
babyhalfoff.com/di286c
bekith.com/twe4puv
canalshopping.com.br/kf5d9
ereganto.com.br/4bxi09t
farmavips.com/hlnl21tf
fina-mente.com/kitrl2
hablatinamerica.com/mkhxrsm
jhplhomedecor.com/m637g
joyofgiving.com.au/1b6v94yu
la-mousson.de/pxwimc
lojaonline.eurobar.pt/kmdb4euf
maibey.com/bakcy9s
metallerie.com/uh0kd
mymy365.com/d7bd2
objetsdinterieur.com/0p1nz
peptide-manufacturer.com/jc6pxks
pro-lnz.com/9ed5v5v
promotionalsales.com.au/0iobfbwc
store.steelalborz.com/fw4i3ssf
stylelk.com/12opjwfh


The MD5s of decrypted downloaded files are:

0cef8d79dd32b5701768ffb3e80dd6c9
18e1591325994d60468e58b30bd47ec7
1e1b9729198cb392636ad4b8ec880284
1eacf23630db85c2af07d2657c1a0917
2742891aff1f20ee09a67d29c5b4157d
2f7373602c67761a1666c3170a0adfd9
4f4d754ffb9b33c5b2b7ec6c38dc6a30
517c1805c2b805a801a6132bfd9d7a69
64eef31dc4cd4dc1ca51b6686e4cdaa1
6fc220a8b95e2167c21d0e1f91a516cb
73552fcfff60a171965103d691679b43
8108de8bf200d4baa62541e9eeca2ee4
9125956e3ee99b9f59b595fcba9ac658
9da331f4353f5b0033c162eb308a8197
a01d60682ad5fadc9018908185e8cde3
aceec3d6334e925297efc8d4232473c2
afd40dca335530ec993d9cf91be96b4c
d69adb50c7f2436f5f7502f22b3a5714
dab81432d4d6241e47d7110b8d051f41
de6c020b8639fda713fbe2285dc6740c
eb3391cefb6634e587b58e0d6540c7c3
fb56f158f6f4c81f7bed2a7c4490fadb


One additional C2 server:

176.31.47.100 (Unihost, Seychelles / OVH , France)

Recommended blocklist:
188.166.168.250
31.41.44.45
92.63.87.53

176.31.47.100

Friday 20 May 2016

Malware spam: "I wanted to follow up with you about your refund. Please find the attached document" leads to Locky

This spam comes from random senders and has a malicious attachment. Here is an example:

From:    Frederic Spears
Date:    20 May 2016 at 10:29
Subject:    Re:

Hi [redacted],

I wanted to follow up with you about your refund.
Please find the attached document

Regards,
Frederic Spears
CBS Corporation

The company name and sender's name varies from message to message. Attached is a ZIP file which contains elements of the recipient's name, which in turn contains one of a variety of malicious scripts. Out of the samples I have seen, I have so far found download locations of:

delicious-doughnuts.net/oqpkvlam
dev.hartis.org/asvfqh2vn
dugoutdad.com/0ygubbvvm
craftbeerventures.nl/hgyf46sx
babamal.com/av2qavqwv
forshawssalads.co.uk/af1fcqav


Only three of those download locations work so far (VirusTotal results [1] [2] [3]) and automated analysis of those [4] [5] [6] [7] [8] shows behaviour consistent with Locky ransomware. All of those reports show the malware phoning home to:

91.219.29.106 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.89 (Relink LLC, Russia / OVH, France)
138.201.118.102 (Hetzner, Germany)


Recommended blocklist:
91.219.29.106
51.254.240.89
138.201.118.102


Tuesday 17 May 2016

Malware spam: "Per E-Mail senden: DOC0000329040"

This German-language spam comes with a malicious attachment. It appears to come from the victim themselves, but this is just a simple forgery.
From:    victim@victimdomain.tld
Date:    17 May 2016 at 13:28
Subject:    Per E-Mail senden: DOC0000329040

Folgende Dateien oder Links können jetzt als Anlage mit Ihrer Nachricht
gesendet werden:

DOC0000329040
Attached is a ZIP file that matches the reference number in the subject and body text. I have only seen one sample, downloading a binary from:

katyco.net/0uh8nb7

The VirusTotal detection rate is 4/57, the comments in that report indicate that this is Locky ransomware and the C&C servers are at:

188.127.231.124 (SmartApe, Russia)
176.53.21.105 (Radore Veri Merkezi Hizmetleri, Turkey)
217.12.199.151 (ITL, Ukraine)
107.181.174.15 (Total Server Solutions, US)


Recommended blocklist:
188.127.231.124
176.53.21.105
217.12.199.151
107.181.174.15



Monday 16 May 2016

Malware spam: "I have attached a revised spreadsheet.."

This spam has a malicious attachment:

From:    Britney Hart
Date:    16 May 2016 at 13:15
Subject:    Re:

hi [redacted]

I have attached a revised spreadsheet contains customers. Please check if it's correct

Regards,
Britney Hart

Other variations of the body text seen so far:

I have attached a revised spreadsheet contains general journal entries. Please check if it's correct
I have attached a revised spreadsheet contains estimates. Please check if it's correct


Attached is a ZIP file with three identical malicious .js files. The ones I have seen so far download from

fundaciontehuelche.com.ar/897kjht4g34
thetestserver.net/fg45g4g
technobuz.com/876jh5g4g4


There are probably other download locations. Each one downloads a slightly different binary (VirusTotal prognosis [1] [2] [3]) and automated analysis [5] [6] [7] [8] [9] shows the malware phoning home to:

188.127.231.124 (SmartApe, Russia)
31.184.197.72 (Petersburg Internet Network, Russia)
92.222.71.26 (RunAbove / OVH, France)
149.202.109.202 (Evgenij Rusachenko aka lite-host.in, Russia / OVH, France)


The payload is Locky ransomware.

Recommended blocklist:
188.127.231.124
31.184.197.72
92.222.71.26
149.202.109.202


Wednesday 11 May 2016

Malware spam: Emailing: Photo 05-11-2016, 03 26 04

This spam comes with a malicious attachment:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    11 May 2016 at 12:39
Subject:    Emailing: Photo 05-11-2016, 03 26 04

Your message is ready to be sent with the following file or link
attachments:

Photo 05-11-2016, 03 26 04


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
It appears to come from the sender's own email address, but this is a simple forgery (explained here). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment
match the references in the email). It contains a .js file with a similar name.

Trusted third-party analysis (thank you!) shows the various scripts downloading from:

51941656.de.strato-hosting.eu/87yg7yyb
67.222.43.30/87yg7yyb
developinghands.com/87yg7yyb
gesdes.com/87yg7yyb
helpcomm.com/87yg7yyb
neihan8.tk/87yg7yyb
oldtimerfreunde-pfinztal.de/87yg7yyb
otakutamashi.cl/87yg7yyb
sarikamisotelleri.com/87yg7yyb


This drops a file with a detection rate of 3/56. This is likely to be Locky ransomware, a full analysis is pending. However an earlier Locky campaign today phoned home to:

185.82.202.170 (Host Sailor, United Arab Emirates)
88.214.236.11 (Overoptic Systems, UK / Russia)
5.34.183.40 (ITL, Ukraine)

According to a DeepViz report,  this sample has identical characteristics.

Recommended blocklist:
185.82.202.170
88.214.236.11
5.34.183.40

Tuesday 10 May 2016

Malware spam: "As promised, the document you requested is attached" leads to Locky

This fairly brief spam has a malicious attachment:

From:    Alexandra Nunez
Date:    10 May 2016 at 21:10
Subject:    Re:

hi [redacted],

As promised, the document you requested is attached

Regards,

Alexandra Nunez
The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:


4hotdeals.com.au/j47sfe
stationerypoint.com.au/cnb3kjd
floranectar.com.au/er5tsd
togopp.com/vbg5gf
printjuce.com/rt5tdf
designitlikeal.com/cvb3ujd


There are probably many more download locations.

The typical detection rate for these binariesis about 12/56 [1] [2] [3] [4] [5] and automated analysis [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] shows network traffic to:

5.34.183.40 (ITL, Ukraine)
185.82.202.170 (Host Sailor, United Arab Emirates / Romania)
185.14.28.51 (ITL, Netherlands)
92.222.71.26 (OVH, France)
88.214.236.11 (Overoptic Systems, UK / Russia)


The payload is Locky ransomware

Recommended blocklist:
5.34.183.40
185.82.202.170
185.14.28.51
92.222.71.26
88.214.236.11


Saturday 7 May 2016

WARNING: projmanagementintl.org / "Project Management International" aka Patty Patchrint and Anthony Christopher Jones

I blogged about "Project Management International" last year, an outfit running (in my personal opinion) fake or low-quality seminars, at that time using the domain projectmanagementinternational.org.

This outfit is run by Anthony Christopher Jones and Patchree "Patty" Patchrint (aka Patty Jones) from California. I've written about this oufit several times in the past five years, but it turns out that Jones and Patchrint have been running similar schemes since 2008.

In 2011 ABC15 news in Arizona investigated a previous incarnation of these scheme, named "NAPPPA"...


These Jones / Patchrint operations seem to pop up from time to time and then disappear, usually after being exposed for what they are. This latest iteration of the fake "Project Management International" organisation uses the domain projmanagementintl.org. It's a flashy-looking site, but really it is just made from a standard template.


The "Registration" page lists some prestigious universities as hosting these courses.


From what I can tell, the usual thing that happens is that at the last minute the location is changed to a nearby hotel or conference centre, and it seems that no booking are ever made with the university. All feedback on the courses seems to indicate that they are all of very poor quality. There are numerous reports that the people hired to teach these courses are also not paid as promised.

The courses themselves are advertised through spam email (example here)

The Project Management Fundamentals Course  will be offered May 25-27, 2016 at the University of Utah campus in Salt Lake City, Utah. Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here .

May 25-27, 2016
Salt Lake City, Utah
8:00am - 5:00pm
The Project Management Fundamentals Course  is designed for those seeking professional project management certification. It serves as a thorough introduction to the fundamentals of project management. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.  

Project Management Fundamentals Course provides 24 hours of project management education hours for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 24 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials. Additionally, the program awards 2.4 Continuing Education Units (CEUs) upon request. 

Program Description

Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.

The skills developed in the Project Management Fundamentals Course apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.  

Our approach to project management education offers proven, results-focused learning.

Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.

Tuition

Tuition for the three-day Project Management Fundamentals Course is $595.00

Program Schedule and Content
1. Project Initiation, Costing, and Selection, Day 1
2. Project Organization and Leadership, Day 1 
3. Detailed Project Planning, Day 2 
4. Project Monitoring and Control, Day 2
5. Project Risk and Stakeholder Management, Day 3

Benefits
·   A Project Management International Certificate of Accomplishment is awarded upon completion of the three day program. ·    Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.·   Each class is highly focused and promotes maximum interaction.·   You can network with other project management professionals from a variety of industries.·   Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.·    Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will receive 24 project management education hours towards the requirements for eligibility.

Registration

Participants may reserve a seat online at the Project Management International website , by calling the Program Office toll-free at (888) 201-6372, or by sending their name and contact information via email to the Program Registrar .

Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.



To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.



Contact numbers listed on the spamvertised site are:

Toll Free: (888) 201-6372
Phone: (213) 222-6855
Fax:   (855) 420-6217


If you see these telephone numbers on other seminar sites, then it will be the same operation. The site quotes a PO box as a contact address but reveals no other information about this so-called corporation.

Project Management International
PO BOX 812112
Los Angeles, California 90081


If you feel you have been scammed by this operation then I urge you to report it to the police, FBI, FTC or your local AG's Office. If you would like to share your experiences (positive or negative) then please feel free to use the Comments section below.

Thursday 5 May 2016

Malware spam: "Please See Attached" / "Statement 6BBC0E"

This fake financial spam leads to malware. Details change slightly from email to email:

From:    Administrator [adminHb@victimdomain.tld]
Date:    5 May 2016 at 11:29
Subject:    Statement 6BBC0E

Please See Attached

______________________________________________________________________
Scanned by MailDefender Plus, powered by Symantec Email Security.cloud
http://www.intycascade.com/products/symantec/
______________________________________________________________________
---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com

It must be safe.. scanned by both Symantec and Avast! Well, of course that's just BS and the attached DOC file leads to malware, specifically the same payload as seen in this slightly earlier spam run.

Malware spam: "DocuCentre-IV" / "Scan Data"

This fake document scan appears to come from within the victim's own domain (but this is just a simple forgery) and has a malicious attachment:

From:    DocuCentre-IV [DocuCentre1230@victimdomain.tld]
Date:    5 May 2016 at 10:27
Subject:    Scan Data

Number of Images: 1
Attachment File Type: PDF

----=_Part_45251_4627454344.4826709420825--

Details vary slightly from message to message. Attached is a DOC file (not a PDF) starting with PIC, DOC or IMG in the samples I have seen plus a random number. Typical VirusTotal detection rates are 6/56 [1] [2] [3] [4] [5] [6]. Various automated analyses of these documents [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] show a binary being downloaded from the following locations:

fm1.ntlweb.org/87hcnrewe
iconigram.com/87hcnrewe
www.sammelarmband.de/87hcnrewe
hospice.psy.free.fr/87hcnrewe


This dropped file has a detection rate of 5/46. This Hybrid Analysis and this DeepViz report show subsequent network traffic to:

192.241.252.152 (Digital Ocean, US)
195.169.147.26 (Culturegrid.nl, Netherlands)
70.164.127.132 (Southland Technology, US)


The characteristics of the payload suggest this is the Dridex banking trojan.

Recommended blocklist:
192.241.252.152
195.169.147.26
70.164.127.132

Tuesday 3 May 2016

Malware spam: "You Are Fired" leads to Locky

This spam email comes with a malicious attachment.

From:    Elfrida Wymer [WymerElfrida9172@recordshred.com]
Date:    3 May 2016 at 12:40
Subject:    You Are Fired BBF904D

We regret to inform you, yet we no longer need require your services.
Attached you can find additional information and the payout roll for the last month.
It's a bit of a self-fulfilling prophecy. If you are daft enough to download the ZIP file, and extract and run the script then perhaps you WILL get fired.

According to this Malwr report, the twice-obfuscated script in the sample I saw downloads a binary from:

niagara.vn.ua/5wpSRm.exe

This Hybrid Analysis indicates that this is Locky ransomware. The DeepViz report shows network traffic to:

31.184.197.126 (Petersburg Internet Network, Russia)
91.226.93.113 (Sobis, Russia)
91.219.29.64 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)


This is a subset of the IPs found in this earlier spam run, I recommend you block the lot.