
Monday, 31 October 2016

Malware spam: "SureVoIP" / "Voicemail from.." leads to Locky

This fake voicemail message leads to Locky ransomware:

Subject:     Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
From:     SureVoIP (voicemailandfax@[redacted])
Date:     Monday, 31 October 2016, 11:17


Message From "Catalina rigby 02355270166" 02355270166
Created: 2016.10.31 14:46:53 PM
Duration: 00:01:22
Account: voicemailandfax@[redacted]
Details vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts then download a component from one of the following locations:

1y9y.com/g7cberv
3922group.net/g7cberv
abraszczecin.pl/g7cberv
afh-indy.org/g7cberv
ajaraheritage.ge/g7cberv
alifaruk.com/g7cberv
andrewclark.com.au/g7cberv
arabian-link.com/g7cberv
artanatrade.com/g7cberv
artemon.gr/g7cberv
ashbury.bg/g7cberv
atelier13.ro/g7cberv
bandenland.be/g7cberv
beasee.com/g7cberv
bemassive.nl/g7cberv
bertedu.com/g7cberv
bestroyalart.com/g7cberv
blogmepro.com/g7cberv
bobyfrancisandpradeep.com/g7cberv
bolat-zhol.kz/g7cberv
buynolvadexonlineshop.com/g7cberv
bwdianji.com/g7cberv
carama.info/g7cberv
caseycarrental.com/g7cberv
ceil.hk/g7cberv
cetinakademi.com/g7cberv
charistia.info/g7cberv
crossroadsmgmt.com/g7cberv
ctrlalt.de/g7cberv
dapos.ru/g7cberv
dbtsites.com/g7cberv
decoracionbebes.com/g7cberv
detectodecolombia.com/g7cberv
devinkellerart.com/g7cberv
ditjenp2p.info/g7cberv
dobromoda.ru/g7cberv
doolotto.com/g7cberv
dor29.ru/g7cberv
drevenefasady.eu/g7cberv
drpneu.ro/g7cberv
ekotracks.com/g7cberv
emg.su/g7cberv
en.fitgrp.com/g7cberv
enliveshow.com/g7cberv
fortuneprixgroup.com/g7cberv
freehosted.netai.net/g7cberv
gopa1.ru/g7cberv
grupotalents.com/g7cberv
halimbamdad.ir/g7cberv
haydistributing.com/g7cberv
hundeschulegoerg.de/g7cberv
inventionsteel.com/g7cberv
ipmart.co.in/g7cberv
jianshu100.com/g7cberv
jnzbookkeeping.com/g7cberv
kavehconsultancy.co/g7cberv
liftaccessory.com/g7cberv
lux-luster.com/g7cberv
lzeshine.com/g7cberv
monoadage.net/g7cberv
nbjzpx.com/g7cberv
net2008.com/g7cberv
newdawnexperience.com/g7cberv
nixvector.com/g7cberv
oakridge-realty.com/g7cberv
oualili.org/g7cberv
pandoracharm.ru/g7cberv
panel.steelpars.com/g7cberv
paulasalamanca.com/g7cberv
peskara.com/g7cberv
pidaco.com/g7cberv
reviewprimer.com/g7cberv
ri-vyoo.com/g7cberv
rkanswers.com/g7cberv
rktest.net/g7cberv
rndled.com/g7cberv
trustcarts.com/g7cberv
unoldontal.com/g7cberv
webframez.com/g7cberv
www.a2zportals.com/g7cberv
www.shavash.ir/g7cberv
www.webframez.com/g7cberv
xn--72c6awi9b2bj7ixcg4c.com/g7cberv
zist-konkur.ir/g7cberv

The C2 servers overlap with the ones in the "Wrong tracking number" post below (same day); the recommended blocklist is the same for both runs.

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152



Malware spam: "Wrong tracking number" leads to Locky

This spam email leads to Locky ransomware:

From     "Samuel Rodgers"
Date     Mon, 31 Oct 2016 15:21:22 +0530
Subject     Wrong tracking number

It looks like the delivery company gave us the wrong tracking number.

Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.
The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script [pastebin] named something like tracking number A99DB PDF.vbs.
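The attachment pattern described here (a ZIP wrapping a single script whose name carries a decoy "PDF") is something a mail gateway can flag without unpacking the obfuscated script itself. The following is an added example, not code from this blog: it builds an in-memory ZIP mirroring the sample above (the member name is constructed; its body is a placeholder, not the real script) and flags members with script extensions that Windows Script Host or mshta would execute, noting when the stem also carries a document-like decoy word.

```python
"""Flag ZIP attachments that contain a script dressed up as a document.
Added example; the archive and member names are constructed to mirror the
post ('tracking_number_8b5b0ab.zip' holding 'tracking number A99DB PDF.vbs').
"""
import io
import zipfile

# Extensions that double-click into WScript/CScript or mshta on a default Windows box.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".wsf", ".js", ".jse", ".hta", ".wsh"}
# Words the lures use to make the script look like a document or scan.
DECOY_WORDS = ("pdf", "doc", "scan", "invoice", "receipt")


def build_zip(members):
    """Construct an in-memory ZIP from {member_name: body} (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: same naming scheme as the post, placeholder body.
SAMPLE_LURE = build_zip({"tracking number A99DB PDF.vbs": "' placeholder, not the real script\r\n"})


def inspect_zip(data):
    """Return a list of (member_name, reason) findings; an empty list means nothing suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid ZIP archive")]
    for info in zf.infolist():
        name = info.filename
        lower = name.lower()
        # Only the final extension decides what Windows will run on double-click.
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext not in SCRIPT_EXTENSIONS:
            continue
        reason = f"script member ({ext})"
        stem_words = lower[: -len(ext)].split()
        if any(word in stem_words for word in DECOY_WORDS):
            reason += ", document-decoy name"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for member, why in inspect_zip(SAMPLE_LURE):
        print(f"BLOCK {member!r}: {why}")
```

Matching on the final extension only is deliberate: "PDF.vbs" is a .vbs file whatever the display name suggests, and the decoy word is reported as a second signal rather than being required for the verdict.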

That script tries to download a component from:

tastebudsmarketing.com/uw6lin
mechap.com/xd7uh
coffeeteashop.ru/daz2rp
ficussalm.com/0bqzcn96
waynesinew.com/0fqt9he1

There will no doubt be other locations. At present I do not have those or the C2 servers, but will update this post if I get them.

UPDATE

The full list of download locations is as follows (thank you to my usual source):

365cuit.com/d9x9f0
7ut.ru/ge9j0et2
8hly.com/jc45tun
a1akeyssportfishing.com/etrt5
academy24.nl/k6lxc
aconetrick.com/2ejczfc
aconetrick.com/564nr0
aconetrick.com/6yoajl7
aconetrick.com/bwt2ixo
ami-mo.ca/k5xhdz2
ami-mo.ca/kr641jxw
archilog.at/imwjmt
architectureetenvironnement.ma/g31701d
badznaptak.pl/inlgm49
bebmila.it/eczde9
buenotour.com/j97s7
business-cambodia.com/he8wtc
campossa.com/vjbfdtj
cdqdms.com/d887wn9
cintasuci.com/cl6pa
coffeeteashop.ru/daz2rp
comistus.net/j6y95
customrestaurantapps.com/gn7c2se
dgtoca.net/d1wr3
dicresco.vn/gq1bjtbb
ecig-ok.com/luflbx4
eijsvogel.nl/gpbka1n2
elgrandia.com.mx/ginlp2f
epsihologie.com/jd2qrzg
eredmenyek.net/ff2i98t
ficussalm.com/0bqzcn96
ficussalm.com/2m6u1jt9
ficussalm.com/65s3r
ficussalm.com/8pmjmwp
financesystem.net/inliid
frijaflail.com/21fpb
frijaflail.com/37cu2
frijaflail.com/6u982pak
frijaflail.com/bnrxxvsk
mcmustard.com/u6ll6y
mechap.com/xd7uh
personalizar.net/nrwnmk
personalizar.net/qz5x2mmr
robertocostama.com/xyulv
shouwangstudio.com/xkocl94
sintasia.com/ziyd0iap
tastebudsmarketing.com/uw6lin
thegioitructuyen.org/rw6ost0e
timwhid.com/1mdm3
timwhid.com/33ck9bxc
timwhid.com/6twktm
timwhid.com/bnkxqf
tjbjpw.com/wsdou72d
tonglizhongji.com/xia3fu0
tropicalcoffeebreak.com/mqomzf
utopiamanali.com/tylv91
valpit.ru/syrwg2r3
vedexpert.com/zt4ug
visualtopshop.com/svnjzk9
warisstyle.com/sq1sae
wayneboyce.com/u5ahu
waynesinew.com/0fqt9he1
waynesinew.com/2psuru2
waynesinew.com/67egbs
waynesinew.com/9li2sv1r
wbakerpsych.com/mm3kuv
wedding-pix.net/u39ssq
wei58.com/wnticba
wklm.it/qjv1ap
xa12580.com/pq2xb
xhumbrella.com/rb374woh
yurtdax.com/wgltz
zbdesignsas.com/m13o692o
znany-lekarz.pl/wd7zj

The malware phones home to:

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
5.187.7.111/linuxsucks.php (Fornet Hosting, Spain)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152

Friday, 28 October 2016

Malware spam: "Payment history" leads to Locky

Another morning, another spam run pushing Locky ransomware:

Subject:     Payment history
From:     Theodore Wilkins
Date:     Friday, 28 October 2016, 10:09

The payment history for the first week of October 2016 is attached as you requested.

Please review it and let us know if you have any question.
The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script [pastebin] (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these scripts in these automated analyses [1] [2].

There are many different variants of the script, downloading components from:

2rtt-2rm.ru/grb7c
92hanju.com/utl41nrt
a1plus2.de/ljwxw6vh
accubattery.eu/sjc2at
aegischina.com/yrp6eyv
agrobiciuffa.com.ar/l5e7m6i
allaboutseniors.in/wtm1i0yg
alpha-next.com/ssvmwa
angundoviz.com/lhk96wx
aoteatrial.net/02yls0
aoteatrial.net/142y5x
aoteatrial.net/4865ht
aoteatrial.net/7gojeo
artmusic.dk/izpv2d39
autoreal16.ru/r1j54weq
bachledowka.net/xausf
beauty-link.jp/umjwg8f
bikemielec.com/b7owupi
bircansigorta.com/s84vkrx
blaauw-woonidee.nl/hvlqf9v4
bts-site.nl/fb80j
bumbocubeb.net/04s7752
bumbocubeb.net/163yebg7
bumbocubeb.net/4rjsepe
bumbocubeb.net/8p54eb8
burdur-bld.gov.tr/usl1pm4
buron.dk/t8nh96d
butterflytiger.com/o7eancbx
caraudiogdl.com/zm74gwvw
cavafis.gr/ouyrvo
chanet.jp/mrf40le
chernozem-msk.ru/l5wvp4nc
clinicaharvard.com/umuyki
cmmsrilanka.lk/xztuej9
codelime.net/u9dhbjib
cronos-com.ru/hbxxkshz
dadou0531.com/gych5
dcproduction.fr/wrs9q6
dohere.net/zyme3z
dollheiser.de/v5oqpb4
doogo.com.ar/vw280ik8
drewnianaskrzynka.pl/nfw15wn9
eajhosting.nl/q7jijj3k
edhalper.it/tmnm2v
efb-demarco.de/ywkdd
eflproject.org/vco8bi
egda.pl/unu16fq9
elma.7080.ru/qe3sp3
energiclima.com/sesmgrv4
enzyma.es/lpzd1gev
er-mecanicautomotriz.com/fxlkkv
e-testers.it/jy5ipe3
eurobnr.ro/qd0gn425
euromac.es/oodhs
expert-as.ru/ulfzbh
finahistory.com/jhrni
hellomissdance.com/a03sf
helsby.biz/apwms
hltrader.com/audu4f4o
huodaibbs.com/bqmvde
ilmdesign.com/aos8ly25
joshdult.net/0ia6e4
joshdult.net/3c554n2
joshdult.net/73eqx7oc
joshdult.net/9p4eh
nowon.dk/woqb5j
plookseri.net/097ga
plookseri.net/1s4bzaa1
plookseri.net/5t9nja
plookseri.net/9jyg2s70
shop.ukrtk.com/ck6jfe2e
verdianthy.com/diqlfy1
weddingandfashion.it/djzuf5c
zencart.alpm.gogzmermedia.com/h0woq
zlotysalmo.net/0zx0ken3
zlotysalmo.net/3v8va8ov
zlotysalmo.net/75vepy6f
zlotysalmo.net/9v50aob

(Thank you to my usual source for this data). The malware phones home to:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks.php [hostname: tarasik1.infium.net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks.php (Dunaevskiy Denis Leonidovich, Ukraine)


It also attempts to contact the following URLs which appear to be dead:

pqrifsjpryygmip.pw/linuxsucks.php
uxpxpirusm.xyz/linuxsucks.php
wbaskcsxiffiax.info/linuxsucks.php
kcydflvipqsvqxw.work/linuxsucks.php
haxkbqwyudoeghlhj.biz/linuxsucks.php
mdecrwmtscal.su/linuxsucks.php
pqpmswodyqlbbjmwm.pl/linuxsucks.php
yppsuvfjmnsbi.org/linuxsucks.php
fpeuwdde.xyz/linuxsucks.php
qggdljlijbygeutc.click/linuxsucks.php
juiweirqvt.su/linuxsucks.php
gyhbiuo.ru/linuxsucks.php

A DLL is dropped with a detection rate of 12/57.

Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79

Thursday, 27 October 2016

Moar Locky 2016-10-27

Lots of Locky today, here are some additional download locations for those naughty .wsf scripts.

139.162.29.193/g67eihnrv
1water.com.au/g67eihnrv
adenadataediting.com/g67eihnrv
aghadiinfotechforclient.com/g67eihnrv
agile-scrum-training.com/g67eihnrv
anandlab.com/g67eihnrv
axzio.com/g67eihnrv
banatlebanon.com/g67eihnrv
banknifty.com/g67eihnrv
bindaasdelhi.org/g67eihnrv
bmbuildingpteltd.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cfolio.uk/g67eihnrv
cibr.in/g67eihnrv
ctc.crru.ac.th/g67eihnrv
cttcleaning.com/g67eihnrv
davaomarbled.com/g67eihnrv
dev.searchthruster.com/g67eihnrv
dmlevents.com/g67eihnrv
dollsdelight.com/g67eihnrv
dreamruntech.com/g67eihnrv
drhairchandigarh.in/g67eihnrv
dryilmazyildirim.com/g67eihnrv
dssstaging.net/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eurofranq.com/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
flyingbtc.com/g67eihnrv
ftp-reklama.gpd24.pl/g67eihnrv
fullservicetech.com/g67eihnrv
goldseparator.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
infomazza.com/g67eihnrv
intomim.com/g67eihnrv
intralab.co.id/g67eihnrv
intrekmedya.com/g67eihnrv
italics.in/g67eihnrv
jackpotfutures.com/g67eihnrv
joshturansky.com/g67eihnrv
jus2chat.com/g67eihnrv
kakapublicity.com/g67eihnrv
kalkashimlataxiservice.in/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kaushikjanmejay.com/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
kursuskomputer.web.id/g67eihnrv
librahost.com/g67eihnrv
livingfreehomeramps.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
mgregency.com/g67eihnrv
micaraland.com/g67eihnrv
mileshilton-barber.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
olivierimmobiliare.com/g67eihnrv
paihotel.in/g67eihnrv
physioandpain.com/g67eihnrv
projects.seawindsolution.com/g67eihnrv
prototypingjob.com/g67eihnrv
pubbligrafica360.it/g67eihnrv
riverlifechurch.tv/g67eihnrv
saurabh-kachhadiya.comyr.com/g67eihnrv
scpolytechnic.com/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
srisaioilfield.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
tasveeranarts.in/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
tutorialcodeigniter.16mb.com/g67eihnrv
twoj-sennik.pl/g67eihnrv
ui.worklab.in/g67eihnrv
uniquebulldogpuppies.com/g67eihnrv
uniquecoders.in/g67eihnrv
videoregistrator.bg/g67eihnrv
vkwelaarts.co.za/g67eihnrv
webihawks.com/g67eihnrv
www.3shadz.com/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.camko-motor.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.hayatesabz.ir/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv
zinger.nl/g67eihnrv

Malware spam: "E-TICKET 41648" leads to Locky

More Locky ransomware today..

From     "Matthew standaloft"
Date     Thu, 27 Oct 2016 15:20:27 +0530
Subject     E-TICKET 41648

Dear Sir ,

Please find the attached E-ticket as per your requested.


Thanks & Regards ,

Matthew standaloft
Attached is a ZIP file containing a randomly-named .WSF script, downloading more evil from one of the following locations (according to my usual source):

agile-scrum-training.com/g67eihnrv
axzio.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cttcleaning.com/g67eihnrv
dmlevents.com/g67eihnrv
dreamruntech.com/g67eihnrv
dryilmazyildirim.com/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
fullservicetech.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
intomim.com/g67eihnrv
jackpotfutures.com/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
librahost.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
micaraland.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
riverlifechurch.tv/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
vkwelaarts.co.za/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv

This drops a malicious DLL with a detection rate of 9/56. The following C2 servers are contacted:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks.php (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
213.159.214.86/linuxsucks.php (JSC Server, Russia)


Recommended blocklist (also see this other spam run today):
83.217.11.193
91.201.202.12
213.159.214.86

Malware spam: "This is from the Telephone Company to remind you that your bill is overdue." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Bill overdue
From:     Alexandria Maxwell
Date:     Thursday, 27 October 2016, 9:35

This is from the Telephone Company to remind you that your bill is overdue.

Please see the attached bill for the fine charge.
The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script [pastebin] detailed bill C43A9.vbs.

The Malwr Report and Hybrid Analysis for that script shows behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download from:

198zc.com/f7ss3oy
3d-schilling.de/jrz8hn
502mm.com/wwe0mac6
88cui.de/rwl8ov
abmelectric.ca/q0o4780r
actiononsports.com/kq0u93a1
aiccard.co.th/dvja1te
alefunny.pl/fksf4
alvida.de/klv2aog3
antiguarelojeria.com/kkzyr
ardnas.nl/f2v5o
art-yoga.myjino.ru/r1es12r
astra-antiques.com/bt32u5
atgem.ch/okl2jok
ayubatikpekalongan.com/cb2it0jj
babilon.by/sws2z1
bachvietxd.com/cbm2v
bathboating.co.uk/fptmhcm
bazalt-gracze.pl/cux57
begbuilders.com/i7ux0sxr
bestseptik.ru/zkmdw66
bibigame.net/ilc753c
bibob-hairshop.nl/fm0tue
bluecuracao.nl/iplibwz
brkos.borec.cz/dwz8li
buypc.ro/vds7o
callideo.fr/msn9ar
casadecandomble.com.br/rhn2dn
cneedu.cn/t1k2wlus
cztaxes.cz/rx19j
dabar.name/hscgqx
dadaniu.cn/o1ws9s
danor.ro/ip9f85t
dicatex.com.ar/tx3or
digicap.net/s6bhb6
dmtya.ru/mpozceu
dont.pl/cvjjw1
dovgan.bclas.ru/gtyvx
dzx800.com/j3sll
dzyncreative.com/o2ilww
ebgboz.nl/pzxc1je
ecentz.com/nvp7s9t
edepolama.com/o56szw
eiskgd.ru/vgvr31
ekofil.pl/o3pp6
elektrik1.ru/vn2q7au
englishukcentral.com/gw59b8
enrico.ru/wqhni
esysports.com/k3qsnhm
favourfinance.com/ouzoy
fbstone.com/gud0y
fengxiaohui.com/k5sqnm
fightsportuk.com/s9e9qdm
flutygoy.net/1b2sy4r
flutygoy.net/48jc5on
flutygoy.net/82okzzkq
flutygoy.net/9vvgvtk
guguhah.com/0w6rv87d
guguhah.com/3mikeq
guguhah.com/7ut2t95
guguhah.com/9bxqzgzo
khstarter.com/fy5cns7
monecouth.net/1gz0ae
monecouth.net/702t90
monecouth.net/8qxfzegf
monecouth.net/atb1yedm
morenaart.com/ng8if4c
njlsyb.com/rp7pn
sozluktr.com/x65mjo
szylbx.com/bgmhcx14
tahradeep.com/0u0zb
tahradeep.com/1tuqd
tahradeep.com/7emuv
tahradeep.com/94rttn
theatosc.net/1clhtqam
theatosc.net/558x66
theatosc.net/8j3wm
theatosc.net/a952l

A DLL is dropped with a detection rate of 11/56, and the malware then phones home to:


91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)


Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150

Wednesday, 26 October 2016

Malware spam: "Your order has been proceeded." leads to Locky

This curiously worded spam email leads to Locky ransomware:

Subject:     Your order has been proceeded
From:     Elijah Farrell
Date:     Wednesday, 26 October 2016, 12:41


Your order has been proceeded.

Attached is the invoice for your order 2026326638.

Kindly keep the slip in case you would like to return or state your product's warranty.
The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name.

The various scripts download a component from one of the following locations (thank you to my usual source for this):

198zc.com/vnrymi
3d-schilling.de/ytm08hf
abaffbedip.net/0ec4sb62
abaffbedip.net/1roef5v
abaffbedip.net/5k4oh5
abaffbedip.net/8b0lk2p
actiononsports.com/yduc1
aiccard.co.th/sy7hb7
alefunny.pl/vjjw0
alvida.de/zhw8nw6
antiguarelojeria.com/zg28jio
ayso722.org/ny8s6fn
banana2.jp/zsf0952
begbuilders.com/xjtb9k
bibliocultura.org/hdhwx7sf
bluecuracao.nl/xt8w2p3
bonetti.nl/bqc565q
brkos.borec.cz/skxkk33b
callideo.fr/zwg1d
caulgreet.com/0gxgwa
caulgreet.com/2sqh38d1
caulgreet.com/6o04pdt
caulgreet.com/9gl7t
chuvafeatherstone.com/rve6j
ciscscout.net/rvkbiv3t
cloudafis.com/kpw6h4uh
cngmalaysia.org/f4cda
cpugame.com/r3octl
cryochoice.com/n4801d
dadaniu.cn/cyk9hpr
danor.ro/xnnhp5
dmtya.ru/zqzii
dominoassociates.com/keg4g
dongyigg.com/onirn0r
dont.pl/stuf3
dovgan.bclas.ru/wk7tah
dzyncreative.com/v1djrmn
ecentz.com/sbvv8md
edepolama.com/xlyrh
edu02.ru/nk6z1
entersukses.com/cudm8
ergobois.com/j87ns
esteticapro.com/tje1ya
esysports.com/ybn7qw
exquisiteescape.com/fa8f7fk9
fazendacristal.com/djgyn
fbstone.com/xjlq6
fengxiaohui.com/yulge
filenetp8.info/esg742j9
flw123.com/kygiq6t
gerardfetter.com/fudjm1m
gongzuoshu.com/lojhvcj7
grandfm.com/my98xg7a
guymorgandaily.com/ilgx8tki
hankookm.com/lun77kyf
hfhhk.com/edfwyi1
hotsigns.net/ayxpi
jean-ealogy.com/dauwq7a
khstarter.com/w8811bg
landondavid.com/d5t56y4b
lanmaicao.com/bxyi91
lcmaya.com/d79p8w
mannersfromtheheart.com/cn450b
milianjie.com/dg1ie
morenaart.com/qbwnl
nakedglobal.com/d6s6f
roweliced.net/12fi9dc
roweliced.net/35lz355g
roweliced.net/6vgrs4
roweliced.net/a1f8yb
sheatcatan.com/1cb7jn
sheatcatan.com/3oze6ie
sheatcatan.com/74mqu
sheatcatan.com/awcdu3
titmaius.net/0f7ygeg
titmaius.net/1zsxe
titmaius.net/6g32j
titmaius.net/8u0ie

The downloaded binary then phones home to:

78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)


It also tries to phone home to these URLs which are currently not resolving:

umjjvccteg.biz/linuxsucks.php
hbnatserncelosskp.biz/linuxsucks.php
rqnegynlpkohoohp.pw/linuxsucks.php
ymrorgauixirigj.biz/linuxsucks.php
ayyxamwyvfyqidija.pw/linuxsucks.php
yfjxvok.ru/linuxsucks.php
lbbauqqpynjem.xyz/linuxsucks.php
tnvnmjdyokgyj.pl/linuxsucks.php
hoiedes.pl/linuxsucks.php
toaqabrl.xyz/linuxsucks.php
leacfrc.info/linuxsucks.php
jkjxnrnirmqt.pw/linuxsucks.php

Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225




Malware spam: "Western Union Help Desk" / "Proof" leads to Adwind

Just by way of a change, here's some malspam that doesn't lead to Locky..

From:    Western Union Help Desk [mes@prosselltda.cl]
Reply-to:    Western Union Help Desk [mes@prosselltda.cl]
Date:    26 October 2016 at 20:07
Subject:    Proof

Dear All,

To comply with customer service standards, we need to have the Proof of Payment for the following attached transaction that has been marked as paid by one of your Locations.

Please e-mail us a copy of the ?To Receive Money Form?  as a Proof of Payment. If no TRMF or reason for delay were received by the above mentioned due date, we will consider the Transaction as Paid in Error and will proceed to reinstate it accordingly charging Paying Account.

In case there are an Automatic Customer Receipt (ACR) and a Handwritten Form, please send us both.

Click To View  Click to download  Click to open on browser

Thanks

Shameer Illyas

| Agent Support Officer |

|  Western Union Money Transfer |


In this case, the link in the email goes to:

linamhost.com/host/Western_Union_Agent_Statement_and_summary_pdf.jar

This is a Java file; if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it won't run. VirusTotal identifies it as the Adwind Backdoor. The Malwr report shows it attempting to contact:

boscpakloka.myvnc.com     [158.69.56.128] (OVH, US)

A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis. Check the Dropped Files section of the Malwr Report for more.

Personally, I recommend blocking all dynamic DNS domains such as myvnc.com in corporate environments. At the very least I recommend blocking 158.69.56.128.
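The blocklists in these posts mix single addresses with CIDR ranges (78.46.170.64/27, 95.46.98.0/23 in the 26 October post), and the advice above adds whole dynamic-DNS zones such as myvnc.com. Both need care when fed into tooling: a bare IP must be treated as a /32, overlapping or duplicate entries should collapse, and a domain suffix must match on label boundaries so that notmyvnc.com is not swept up. The following is an added example, not code from this blog; it uses the blocklist entries from these posts, and the dynamic-DNS suffix list and the observed values are assumptions constructed for the demonstration.

```python
"""Combine the posts' IP/CIDR blocklists with a dynamic-DNS suffix list and
check observations against them. Added example; DYNDNS_SUFFIXES and the
checked values are constructed, not taken from the blog.
"""
import ipaddress

# Entries copied from the 26 and 24 October posts, plus the Adwind host above.
RAW_BLOCKLIST = [
    "78.46.170.64/27", "95.46.98.0/23", "91.226.92.225",
    "109.234.35.0/24", "91.200.14.124", "185.102.136.77",
    "91.200.14.124",          # duplicate across posts, collapsed below
    "158.69.56.128",          # Adwind C2 host
]
# Assumed starting list of dynamic-DNS zones; extend from your own provider inventory.
DYNDNS_SUFFIXES = {"myvnc.com", "no-ip.org", "ddns.net"}


def build_networks(entries):
    """Parse each entry as a network (a bare IP becomes a /32) and collapse overlaps."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def ip_blocked(ip, networks):
    """True if the address falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def host_blocked(hostname, suffixes):
    """Match on label boundaries: 'x.myvnc.com' and 'myvnc.com' hit, 'notmyvnc.com' does not."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


if __name__ == "__main__":
    nets = build_networks(RAW_BLOCKLIST)
    for net in nets:
        print("deny", net)
    for ip in ("78.46.170.94", "78.46.170.96"):
        print(ip, "blocked" if ip_blocked(ip, nets) else "allowed")
    for host in ("boscpakloka.myvnc.com", "notmyvnc.com"):
        print(host, "blocked" if host_blocked(host, DYNDNS_SUFFIXES) else "allowed")
```

Note that 78.46.170.96 sits just outside the /27 (which covers .64 to .95); if you widen a range beyond what the post recommends, do it knowingly, because the Hetzner and GMHost ranges involved are shared hosting.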

Tuesday, 25 October 2016

Malware spam: "Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data" leads to Locky

Perhaps minimalist spam works better: there is currently a Locky spam run with one of the subjects Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious JavaScript that looks like this [pastebin]. There is no body text.

These automated analyses [1] [2] [3] [4] show that it is Locky. My usual sources tell me that the various scripts download from one of the following locations:

abplhomes.com/g76dbf
alyatater.com/g76dbf
baedalapp.com/g76dbf
beaumontschool.com/g76dbf
blastspraypolish.com/g76dbf
codefinder.co/g76dbf
copperfilters.com/g76dbf
cultural-ecology.com/g76dbf
designera.org/g76dbf
dev.indonesiatextile.id/g76dbf
dwimultimakmur.com/g76dbf
dziennikarze.lo-kolaczyce.pl/g76dbf
easytravelvault.com/g76dbf
elitednadt.com/g76dbf
emreker.com/g76dbf
faisal-ibrahim.info/g76dbf
fpi-canada.com/g76dbf
fresflor.net/g76dbf
gellyrepin.com/g76dbf
himytutor.com/g76dbf
informing.asia/g76dbf
jciindia.in/g76dbf
kantoor.vescolub.nl/g76dbf
kendalpos.com/g76dbf
lamurindo.com/g76dbf
lilxtreme.com/g76dbf
lookbeauty.ir/g76dbf
mahendradesai.net/g76dbf
newdesign.well.pk/g76dbf
nitrogenwebs.com/g76dbf
panaceapeople.com/g76dbf
permars.com/g76dbf
privatestashstorage.com/g76dbf
promo.worldloft.ru/g76dbf
read4change.com/g76dbf
runmyaccounts.ch/g76dbf
rws1.com.au/g76dbf
samuderaciptaraya.com/g76dbf
sendat.vn/g76dbf
shopro.ir/g76dbf
srcc.co.th/g76dbf
swissmades.com/g76dbf
tacunair.com/g76dbf
tciislandguide.com/g76dbf
uatsa.cl/g76dbf
vicampro.com/g76dbf
web.justproductions.co.uk/g76dbf
wivebeday.com/g76dbf
www.fireballindia.com/g76dbf
www.jockytours.com/g76dbf
www.pb2bb2c.com/g76dbf
www.pharmaciela.com/g76dbf

The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh
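Two details across these Locky posts matter for proxy-log detection: within one spam run every compromised host serves the same path token (/g7cberv, /g67eihnrv, /g76dbf, /076wc), so the path alone identifies the run even on a host that was not in the list, while other runs use a per-host random path (mechap.com/xd7uh) that must be matched as host plus path; and, as noted just above, a random query string is appended, so the query must be stripped before comparing. The C2 beacons all use the path /linuxsucks.php. The following is an added example, not code from this blog: the log lines and their format (timestamp, client, method, URL, status) are constructed, and the indicator sets are a small subset of those listed in the posts.

```python
"""Classify proxy-log URLs against the Locky download and C2 indicators
from these posts. Added example; LOG and its format are constructed, and
the indicator sets are a subset of the posts' lists.
"""
from urllib.parse import urlsplit

# Runs where every compromised host shares one path token.
DOWNLOAD_PATHS = {"/g7cberv", "/g67eihnrv", "/g76dbf", "/076wc"}
# Runs with per-host random paths: match on (host, path).
DOWNLOAD_URLS = {("mechap.com", "/xd7uh"), ("ficussalm.com", "/0bqzcn96")}
C2_PATH = "/linuxsucks.php"
C2_IPS = {"91.107.107.241", "95.163.107.41", "146.120.89.98",
          "185.127.27.100", "91.200.14.124", "77.123.137.221"}

# Constructed log: timestamp client method url status
LOG = """\
1477911600 10.0.0.5 GET http://alifaruk.com/g7cberv?EsIemTBBP=LHvybwFTeh 200
1477911602 10.0.0.5 GET http://unlisted.example/g7cberv 200
1477911603 10.0.0.5 GET http://www.mechap.com/xd7uh 200
1477911605 10.0.0.5 POST http://185.127.27.100/linuxsucks.php 200
1477911606 10.0.0.6 GET http://intranet.example/g7cberv.pdf 200
1477911607 10.0.0.7 GET http://shop.example/catalog?ref=g7cberv 200
"""


def classify(url):
    """Return a verdict string for a URL, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    bare_host = host[4:] if host.startswith("www.") else host
    path = parts.path.rstrip("/")          # query string is ignored entirely
    if path == C2_PATH:
        return "c2-beacon" if host in C2_IPS else "c2-path-unlisted-host"
    if path in DOWNLOAD_PATHS:             # exact path, so /g7cberv.pdf does not match
        return "locky-download"
    if (bare_host, path) in DOWNLOAD_URLS:
        return "locky-download"
    return None


def scan(log_text):
    """Return (client, verdict, url) for every log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url, _status = line.split()
        verdict = classify(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan(LOG):
        print(f"{client} {verdict} {url}")
```

The "c2-path-unlisted-host" verdict is worth alerting on in its own right: the C2 IPs rotate daily across these posts, but the /linuxsucks.php path stayed constant for the whole week.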

A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56. The malware then phones home to one of the following locations:

185.127.27.100/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks.php (Volia DataCentre, Ukraine)


The malware also attempts to contact the following locations, all of which seem to be inactive:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221

Monday, 24 October 2016

Generic email phish tries to bamboozle with jargon

This phishing spam tries to confuse potential victims by throwing legitimate-looking jargon around.

From: Postmaster [mailer-daemon@mailhost.rceit.com]
Date: 24 October 2016 at 15:43

To: victim@victimdomain.tld
Subject: Warning: Incoming Messages for victim@victimdomain.tld is [13 undelivered messages]



This message was created automatically by mail delivery software inbound-mail-x1.501.102.43.1

I'm afraid I wasn't able to deliver 13 contact email messages since October 16 2016 for victim@victimdomain.tld

To retrieve your emails and reconfigure Port 486, Click Here

Warning: Failure to do this will lead to total suspension of your email account.

Remote host said: 550 sorry, can't deliver message to your inbox


Please delete and Ignore if this is not your email address.

Clicking on the link ends up at a generic phishing site (in this case the link was foodworkshighcountry.com.au/inbound/index2.htm?victim@victimdomain.tld) which throws even more jargon including these lines:

An error in your SMTP/POP settings is blocking your incoming emails……
Message:      
Date:   

Subject:     Error loading some of your inbox messages
User:     %0%
Bounce reason:   
An error in your SMTP/POP settings is blocking your incoming e-mails
550-5.1.1 :POP configuration text can not be verified
550-5.1.2:Login encountered an unhandled error in your SSL settings
550-5.1.3:Login encountered an unhandled error in your SSL settings
Suggested Solution:   

    Please fill out the form below. Once the error is fixed, our team will contact you.
    Email address:   
    Password:   
       

    
    Your e-mail may be completely blocked, if you do not report this error.


----------------
Content-Type: multipart/alternative; boundary=001a1135f63edd4472050da42d05.


Typing your username and password will send it to the bad guys. Not all phishing emails look stupid, and although this one doesn't really make sense when you look at it closely, it looks authentic enough that it might fool some people.

Malware spam: "Complaint letter" leads to Locky

This spam leads to Locky ransomware:

From     "Justine Hodge"
Date     Mon, 24 Oct 2016 19:27:53 +0600
Subject     Complaint letter

Dear [redacted],

Client sent a complaint letter regarding the data file you provided.
The letter is attached.

Please review his concerns carefully and reply him as soon as possible.

Best regards,
Justine Hodge
The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter".

My source tells me that these scripts download from one of the following locations:

adultmagstore.com/itc0h81
alkanshop.com/zrwcx8om
azaminsaat.com/nyzhvh2c
bwocc.org/dkttu
circolorisveglio.com/dw2hheb
coreywallace.com/qjkrlxp
corployalty.it-strategy.ru/p4icah5h
cruzdemiguel.com/jittrxkr
cz1321.com/zg4c4m
decorvise.com/g7k3n
denas-express.ru/fl5vy16
desthailand.com/wfmaq0az
disneyrentalvillas.com/k2ars5j2
downtownlaoffice.com/ixmh1
DSWRITINGS.ORG/lnf7gv
duvalitatli.com/umx3btc1
executivegolfmanagement.com/qtzsegm6
firephonesex.com/bxuobuam
fjbszl.com/m4q1pmr5
fraildata.net/09rz1jcj
fraildata.net/4s1szk77
fraildata.net/5ti18g
fraildata.net/9b8cba
getitsold.info/cndrdsu9
girlsoffire.com/d2k0b967
GNSTUDIO.NET/sxv6fhqo
greenmedicalgroup.org/dy7s5
gruffcrimp.com/352gr0
gruffcrimp.com/5inrze
gruffcrimp.com/8vzak
gruffcrimp.com/bki56h
gunnisonkoa.com/d5cw6
gzxyz.net/zznej
hetaitop.com/pgq8e
infopea.com/bm747o9
iwebmediasavvy.com/eu7mq36w
jejuep.com/jh7rrgbi
jejui.com/j1ldsf
julianhand.com/hollu
jzmkj.net/y7tf2
kak-vernut-devushku.gq/rwlr9
kirijones.net/2b8fnrqm
kirijones.net/4v7574mp
kirijones.net/66wey
kirijones.net/a2r3pme
lqfrdj.com/rbpkt
luobuma8.com/h5hq2que
myboatplans.net/p8gik2g8
nightpeople.co.il/o8le7
onlysalz.com/xjo100
payrentonline.org/l3mdiv7y
pblossom.com/t78u8
potchnoun.com/06p2vxua
potchnoun.com/38j2xn
potchnoun.com/5ngsn8g5
potchnoun.com/8x2nt
privateclubmag.com/wyztr73
prodesc.net/x7nlxq
relentlesspt.com/faisexor
riyuegu.net/o69ecb
royallife.co.uk/mx5nck
ryanrandom.com/hwv97p8
scope-t.com/loinhgm
sexybliss.co.uk/en8ds7nt
sunproductivity.com/m6ot1
taiyuwanli.com/cpkd9
theleadershipdoc.com/wm1bv
turservice.xaker007.net/k92b92
ukdistributionservices.com/x1397
vowedbutea.net/2f1okfif
vowedbutea.net/5491o
vowedbutea.net/8jtnj8nt
vowedbutea.net/apupuyh3
weekcoupon.com/hggbcg
wjyunfanbs.com/ihku0r53
www.studiorif.ru/toiu7
xn--80aa3c3a.xn--b1aajgfxm2a9g.xn--p1ai/xip5lltq
xn--b1aajgfxm2a9g.xn--p1ai/dxd3v
yourrealestateconnection.us/rlfh0

The malware phones home to the following URLs:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)


The following URLs are also contacted but are not active:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
81.177.22.221



Malware spam: fake "Receipt" leads to the unwelcome return of Locky

Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example, spam with a format similar to the following is currently being sent out:

Date: Mon, 24 Oct 2016 16:03:30 +0530
From: christa.hazelgreave@gmail.com
Subject: Receipt 68-508
The sender is a randomly-generated Gmail address. Attached is a ZIP file whose name starts with "Receipt" and matches the subject of the email; contained within is a malicious HTA file with a name similar to Receipt 90592-310743.hta.

You can see some of the malicious activity in this Hybrid Analysis. My sources (thank you!) give the download locations for this particular spam run as:


The malware is Locky ransomware phoning home to:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
bwcfinnt.work/linuxsucks.php [208.100.26.234] (Steadfast, US)

The following don't seem to resolve:

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
208.100.26.234





Thursday, 6 October 2016

Malware spam: "Your Order" and the inevitable Locky

This fake financial spam leads to Locky ransomware:

From:    Adrian Salinas
Date:    6 October 2016 at 10:13
Subject:    Your Order

Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.
Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated JavaScript file with a name similar to Cancellation Form 6328B32E.js.

According to my source, these various scripts then download a component from one of the following locations:


The malware then phones home to the following IPs (belonging pretty much to the usual suspects):

46.8.44.105/apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76/apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21/apache_handler.php (TheFirst-RU, Russia)
217.12.223.78/apache_handler.php (ITL, Ukraine)
46.183.221.134/apache_handler.php (Dataclub, Latvia)

It attempts to contact the following domains, none of which were resolving for me:


Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78


Malware spam: "Invoice-123456-12345678-123-A1B2C3D4" / "01635 279370"

This fake financial spam leads to malware:

From:    invoices@[redacted].com
Date:    6 October 2016 at 07:16
Subject:    Invoice-365961-42888419-888-DE0628DA

Dear Customer,

Please find attached Invoice 42888419 for your attention.

Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

### This mail has been sent from an un-monitored mailbox ###

The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc.

The telephone number appears to belong to a company called Stearn who have absolutely nothing to do with this spam.

The sample I sent for automated analysis [1] [2] downloads some data from:

eaglemouth.org/d5436gh

I know from my sources (thank you, you know who you are) that there are additional download locations at:

dabihfluky.com/d5436gh
fauseandre.net/d5436gh


This particular variant of Locky ransomware uses black hat hosting for this download location rather than a hacked legitimate site. All these domains are hosted on the following IPs:

62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France)


Furthermore, those IPs are associated with these malicious domains (active ones are in bold):


All of these are tagged for malware by SURBL. Most of them have either anonymous registration or obviously fake details, although this one (for the domain steyjixie.net) stands out:

Registry Registrant ID:
Registrant Name: Taras Ponomarev
Registrant Organization: N/A
Registrant Street: g. Belgorod, ul. Malysheva 96, kv. 124
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 111111
Registrant Country: RU
Registrant Phone: +7.527221603
Registrant Fax: +7.527221603
Registrant Email: info@steyjixie.net
Registry Admin ID: 


A DLL is dropped with a detection rate of 13/56.

UPDATE

I completely forgot to include the C2. D'oh.

109.248.59.164/apache_handler.php (Netart, Russia)

Recommended blocklist:
62.84.69.75
85.118.45.12
109.248.59.164

Wednesday, 5 October 2016

Malware spam: "complaint letter" leads to Locky

This spam email message has a malicious attachment that leads to Locky ransomware:

Subject:     complaint letter
From:     Jae Mason
Date:     Wednesday, 5 October 2016, 10:48

Dear [redacted], client sent a complaint letter regarding the data file you provided.

The letter is attached. Please review his concerns carefully and reply him as soon as possible.
The sender name will vary. Attached is a ZIP file with a name in the format complaint_letter_955ce806.zip which contains a malicious .WSF script.

My source tells me that the scripts download from one of the following locations:


There are no C2 servers.

Malware spam: "Document from.." leads to Locky

I have received only a single sample of this spam; presumably it comes from random senders. There is no body text in my sample.

Subject:     Document from Paige
From:     Paige cuddie (Paige592035@gmail.com)
Date:     Wednesday, 5 October 2016, 9:37 
In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script [pastebin] DOC-20161005-WA0002715.wsf.

Automated analysis [1] [2] shows this sample downloads from:

euple.com/65rfgb?EfTazSrkG=eLKWKtL

There will be many other locations besides this.

Those same reports show the malware (in this case Locky ransomware) phoning home to:

88.214.236.36/apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100/apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)


The sample I found downloaded a legitimate binary from ciscobinary.openh264.org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.

Recommended blocklist:
88.214.236.0/23
109.248.59.0/24


Monday, 3 October 2016

Malware spam: "I have shipped your packet. Please check the report enclosed here to view more info."

This spam email leads to Cerber ransomware:

From:    Trevor David
Date:    3 October 2016 at 13:46
Subject:    Pede Industries

Hello
I have shipped your packet. Please check the report enclosed here to view more info.

Word doc password: JqpcGrKK9


Pede Industries
Company names and senders are randomly generated. Attached is a randomly-named .DOT file with password protection. The password protection makes it hard to analyse, but my source tells me that these documents download from:

www.ldlogistic.it/kls.doc
csir.bdx6.siteinternet.com/kls.doc

The dropped malware apparently has an MD5 of 0e7913875724151d8e822add07ec75b2.

Once downloaded, the malware attempts to make a C2 connection to an IP in the range
31.184.234.0/23:6892 (GTO, Montenegro and Virty.io, Russia). I don't know which is the active IP, but blocking the entire /23 might be a good precaution.

Malware spam: "[Scan] 2016-1003 15:26:26" / "Sent with Genius Scan for iOS." leads to Locky

This fake document scan leads to Locky ransomware:

From:    DAMON ASHBROOK
Date:    3 October 2016 at 10:56
Subject:    [Scan] 2016-1003 15:26:26

--
Sent with Genius Scan for iOS.
The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat.

This Malwr analysis shows some of the infection in action. Overall my sources tell me that the various malicious macros download from:


C2 locations are:

149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)

A DLL is dropped with a detection rate of 19/57.

Recommended blocklist:
149.202.52.215
217.12.199.244
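One way to put these blocklists to work on the defensive side, as an added example rather than the blog's own tooling: a Python script that checks proxy/firewall log lines against the recommended blocklist entries, the two Locky C2 URI paths and the Cerber /23 range and port given in the posts above. The log-line format, the internal source addresses and the 31.184.235.10 destination are assumptions; for Cerber the post gives only a range and a port, so the script matches on both together.

```python
# Added example (not the blog's own tooling): check proxy/firewall log lines
# against the indicators in these posts. Blocklist entries, C2 paths and the
# Cerber range/port come from the posts above; the log lines are constructed.
import ipaddress
import re
from typing import List, Optional

# Recommended blocklist entries from the posts above (single IPs and CIDRs)
BLOCKLIST = [
    "109.234.35.0/24", "91.200.14.124", "185.102.136.77", "81.177.22.221",
    "208.100.26.234", "46.8.44.105", "46.183.221.128/25", "91.219.28.76",
    "188.120.236.21", "217.12.223.78", "62.84.69.75", "85.118.45.12",
    "109.248.59.164", "88.214.236.0/23", "109.248.59.0/24",
    "149.202.52.215", "217.12.199.244",
]
NETWORKS = [ipaddress.ip_network(e, strict=False) for e in BLOCKLIST]
C2_PATHS = ("/linuxsucks.php", "/apache_handler.php")  # Locky C2 URI paths
CERBER_RANGE = ipaddress.ip_network("31.184.234.0/23")  # Cerber, 3 October post
CERBER_PORT = "6892"

# Constructed log lines, "timestamp src dst:port method url"; 31.184.235.10 is a
# made-up address inside the Cerber range, the other destinations are from the posts
LOG_LINES = [
    "2016-10-31T11:20:03Z 10.1.2.34 109.234.35.215:80 POST http://109.234.35.215/linuxsucks.php",
    "2016-10-06T10:15:09Z 10.1.2.34 46.183.221.134:80 POST http://46.183.221.134/apache_handler.php",
    "2016-10-06T10:16:00Z 10.1.2.34 93.184.216.34:443 CONNECT example.com:443",
    "2016-10-03T13:50:00Z 10.1.2.40 31.184.235.10:6892 CONNECT 31.184.235.10:6892",
    "2016-10-03T13:51:00Z 10.1.2.40 31.184.235.10:443 CONNECT 31.184.235.10:443",
]

def match_blocklist(ip_str: str, networks=NETWORKS) -> Optional[str]:
    """First entry in networks covering ip_str, or None (also for non-IP fields)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # hostname or garbage in the destination field
    return next((str(n) for n in networks if ip in n), None)

def triage(line: str) -> List[str]:
    """Reasons a log line matches the posts' indicators (empty if none)."""
    fields = line.split(None, 4)
    if len(fields) < 5:
        return []  # malformed line: skip rather than crash
    dst, url = fields[2], fields[4]
    dst_ip, _, dst_port = dst.rpartition(":") if ":" in dst else (dst, "", "")
    reasons = []
    net = match_blocklist(dst_ip)
    if net:
        reasons.append(f"destination {dst_ip} in blocklist entry {net}")
    m = re.match(r"https?://[^/]+(/[^?#]*)", url)  # path of an absolute URL, if any
    if m and m.group(1) in C2_PATHS:
        reasons.append(f"Locky C2 path {m.group(1)}")
    if dst_port == CERBER_PORT and match_blocklist(dst_ip, [CERBER_RANGE]):
        reasons.append(f"Cerber C2 range {CERBER_RANGE} on port {CERBER_PORT}")
    return reasons
```

Note that the last constructed line, to the Cerber range on port 443, is not flagged: the post only ties that range to port 6892, so anyone who follows its advice to block the whole /23 should add a plain network rule rather than rely on this port-qualified check.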

Malware spam: "please sign" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     please sign
From:     Ricardo Buchanan
Date:     Monday, 3 October 2016, 10:27

Hi [redacted],

I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.



Best Wishes,
Ricardo Buchanan
CEO
In the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name. This obfuscated script [pastebin] appears to download Locky ransomware. Analysis is pending.

UPDATE

This Hybrid Analysis clearly shows Locky in action. According to my sources there are no C2s, and the download locations are:
