
Tuesday, 29 November 2016

Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from "61 2 97855412" - 2 page(s)


Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.


The link in the email goes to a hacked Sharepoint account, in this case:

https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1

It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named

Fax_11292016_page1.js
Fax_11292016_page2.js

that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:

siliguribarassociation.org/images/staffs/documetns.png

A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:

stengeling.com/20aml/index.php

The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:

4.77.129.110
18.17.224.92
31.209.107.100
37.15.90.12
43.132.208.7
45.249.111.213
52.61.200.235
61.25.216.8
67.25.164.206
74.174.194.169
88.214.198.162
92.74.29.236
111.241.115.90
115.249.171.24
119.71.196.177
135.55.94.211
143.99.241.18
147.89.60.135
156.180.11.60
162.74.9.51
168.227.171.254
176.114.21.171
184.131.179.44
207.77.174.212

Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:

butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com


Malware spam: "Please find attached a XLS Invoice 378296" / creditcontrol@somecompany.com / Ansell Lighting

This fake financial spam comes with a malicious attachment, purporting to come from Ansell Lighting:

Subject:     Please find attached a XLS Invoice 378296
From:     creditcontrol@potomachealthcare.com (creditcontrol@potomachealthcare.com)
Date:     Tuesday, 29 November 2016, 10:32

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then please do not hesitate in contacting us. Karen Lightfoot - Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830

The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as INVOICE.TAM_378296_20161129_886C9EAB6.xls.

My usual reliable source says that the various versions of the Excel spreadsheet download a component from one of the following locations:

ayurvedic.by/087gbdv4
pregnancysquare.com/087gbdv4
qiqi-store.com/087gbdv4
roberttrocina.com/087gbdv4
satherm.pt/087gbdv4
sayvir.com/087gbdv4
secotral.fr/087gbdv4
semeystvo.com.ua/087gbdv4
spookmedia.nl/087gbdv4
sp-tulun.ru/087gbdv4
stocktradex.com/087gbdv4
swkitchens.com.au/087gbdv4
thegarageteam.gr/087gbdv4
tyfastener.com/087gbdv4

The Hybrid Analysis shows that this is Locky ransomware, phoning home to:

185.115.140.210/information.cgi [hostname: nikita.grachev.81.example.com] (Megaserver LLC, Russia)
213.32.90.193/information.cgi [hostname: sbg.13.vds.abcvg.ovh] (OVH, France)
95.213.195.123/information.cgi (Selectel SPb, Russia)


A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of 11/57.

Recommended blocklist:
185.115.140.210
213.32.90.193
95.213.195.123

Friday, 25 November 2016

Malware spam: [Vigor2820 Series] New voice mail message from 014xxxxxxxx on %date%

This fake voicemail spam leads to Locky ransomware and appears to come from within the victim's own domain, but this is just a simple forgery.

Subject:     [Vigor2820 Series] New voice mail message from 01435773591 on 2016/11/25 18:29:39
From:     voicemail@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Friday, 25 November 2016, 12:58

Dear webmaster :
    There is a message for you from 01435773591, on 2016/11/25 18:29:39.
You might want to check it when you get a chance. Thanks!

The number in the message will vary, but is consistent throughout. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip which contains a malicious Javascript that looks like this.

This Malwr analysis shows behaviour consistent with Locky ransomware. My usual source tells me that all the download locations for this campaign are:

asrcargo.ru/yr387n3
easylation.com/yr387n3
jackybrith.net/yr387n3
namicg.com/yr387n3
nxarab.net/yr387n3
oyasinsaat.com.tr/yr387n3
pesaroeventi.it/yr387n3
plast-chem.com.pl/yr387n3
pornolartv.net/yr387n3
portalkerjaya.com/yr387n3
premierpromotions.co.uk/yr387n3
prizor.net/yr387n3
prongai.com/yr387n3
pulse-tv.net/yr387n3
puttechnologies.com/yr387n3
reginaautoauction.com/yr387n3
regionalclaimsrecovery.com/yr387n3
richcity.net/yr387n3
right-livelihoods.org/yr387n3
riyuegu.net/yr387n3
rooana.com/yr387n3
ruchengfcw.com/yr387n3
ruwechat.ru/yr387n3
ryrszs.com/yr387n3
sabinemerz.nl/yr387n3
saintsraw.com/yr387n3
sallymills.com/yr387n3
satherm.pt/yr387n3
sayvir.com/yr387n3
semeystvo.com.ua/yr387n3
setoxy.com/yr387n3
shenzhensh.com/yr387n3
shydnt.com/yr387n3
sienaert.org/yr387n3
signumtte.net/yr387n3
siken3d.com/yr387n3
sineria.com/yr387n3
sinmotor.com/yr387n3
sipho.es/yr387n3
skrzeczkowska.com/yr387n3
songpulatex.com/yr387n3
soonmarketing.com/yr387n3
sp-tulun.ru/yr387n3
square100.com/yr387n3
sreekrishnatemple.com/yr387n3
stamperia.pl/yr387n3
stevetoulch.com/yr387n3
stomatolog-implant.ro/yr387n3
sujiaotuoban.com/yr387n3
sunekitty.com/yr387n3
supplyglassess.com/yr387n3
swkitchens.com.au/yr387n3
sydayont.com/yr387n3
tarasarl.com/yr387n3
tehrankhabar.ir/yr387n3
thegarageteam.gr/yr387n3
theoneworld.in/yr387n3
thoraxcenter.ru/yr387n3
tingfenglou.orgfree.com/yr387n3
tolga-tosun.com/yr387n3
trebleimp.com/yr387n3
tyfastener.com/yr387n3
unimarket.ch/yr387n3
uzmanfren.com.tr/yr387n3
vanaken.nu/yr387n3
velolenta.com/yr387n3
videobandnaardvd.com/yr387n3
vmeste-hudeem.ru/yr387n3

The C2s to block are the same as here, namely:

185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)


Recommended blocklist:
185.118.167.144
91.142.90.55





Malware spam: "Important Information" leads to Locky

This spam leads to Locky ransomware:

Subject:     Important Information
From:     Etta Figueroa
Date:     Friday, 25 November 2016, 10:28

Dear [redacted], your payment was not processed due to the problem with credentials.
Payment details are in the attached document.

Please check it out as soon as possible.
The name of the sender varies. Attached is a ZIP file beginning with payment_ and then the first part of the victim's email address.

This analysis comes from my trusted usual source (thank you!). It contains a randomly-named malicious javascript that downloads a component from one of the following locations:

agamaflop.net/6mhcounvr
agamaflop.net/kvlj0
agamaflop.net/poiloazz
agamaflop.net/pvva9uxg3f
facerecognition.com.ba/gyqjnk
hnsdedu.net/9l27sq5hcj
imckart.com/vpggfsdc
inedinburgh.com/0fngc
inspire-consultants.com.my/1d9by
internationalsaws.it/z4xfmsb7
itrechtsanwalt.at/41k0ye7wk
jreeda.w8w.pl/buhj9
jsharvie.com/zoopyji
jsydjc.com/xfsxwi
jyxiangqin.com/wkpm9nwpru
karayurt.nl/4edqluaffx
kreanova.fr/xiczr
lp.shtoryfactura.ru/ckwvbkks
malamalamak9.net/xbrfr
mandsong.com/3dow6hd2
mandsong.com/6uwkeev5ht
mandsong.com/9civ9crw
mandsong.com/di9i5xie
mervereklam.com.tr/9obbe4
microcontroller-cafe.com/1ssyys
montazh5.ru/7eerbjgbjj
muffben.net/5pctik
muffben.net/dyixm8h6x
muffben.net/etfsc5g9
muffben.net/n86rv07wep
pivno.com/l828a3ny
project-group.pro/91wvhx2ei7
puttechnologies.com/k0ncwuajq
repka.eu/tg2cyp
rerda.com/cqmgybvcf
restauranttajmahal.ca/opylmin
ripalknurl.net/3jl4ewks
ripalknurl.net/e7u7dsirr
ripalknurl.net/rnxp9u
ripalknurl.net/rwznknsrm4
rokumedia.de/b66b634w
ruangmobil.com/aykz8o5zzj
rz218.com/is387c6h
saleedu.com/n4ykvsw3h
sansjan.net/gpcef
satthachkhe.vn/oecdiyyxpz
sgadoutdo.net/0bvwbh
sgadoutdo.net/flvnz
sgadoutdo.net/ougezzqzf
sgadoutdo.net/zyxird
shomesofa.com/gidg3gpe
signdepot.com.au/nj5eq
simtecs.net/dubvr1ic
sitivisibili.it/qyebiv2oa2
slife.pt/gcuwpyu
slut-land.com/qjqxbo2n
sonajp.com/aklky4epuq
soulchance.com/jezrfbp
spb-gruz.ru/mhdxe
starovencleaning.co.uk/txre3i
stservis14.ru/fnyyzvd
sunfriends.nl/ppayh4
svegev.ru/gxl013km34
sxxcjt.com/kmgppa4zj4
sxxcjt.com/ntcjqde8
szycfj.com/egej4hc
tasct.ru/gmwpep
templeofrefuge.net/s74uwv4l
thenomadhostel.com/iahepa
thinx.net/rkp2tpxlrg
todos.com.au/a2rjocg6
tokomuslim354.com/dnnvxm6r
tuurbo.be/g5es0jxs6q
tx318.com/sbg12g0d4
use-inc.tv/apzwj5ak4
vanks.cl/plby8w55
vanniersen.nl/rxbtadzgo
veritasresults.com/hpxw6g
vesan.info/dvwsp8v3f
vitreus.nl/hlap29

The malware then phones home to:

213.32.66.16/information.cgi (OVH, France)
89.108.118.180/information.cgi (Datalogika / Agava, Russia)
91.201.42.83/information.cgi [hostname: aportom.com] (RuWeb, Russia)


Recommended blocklist:
213.32.66.16
89.108.118.180
91.201.42.83



Moar Locky 2016-11-25

This data comes from my trusted usual source; so far I have only seen a single example.

This morning's spam run has a subject with one of the following words:

DOC
DOCUMENT
FAX
IMG
LABEL
ORD
PHOTO
PIC
SCAN
SHEET

..plus a four-digit random number. Attached is a ZIP file with a name matching the subject, containing a randomly-named malicious javascript that attempts to download a component from one of the following locations:

jackybrith.net/yr387n3
premierpromotions.co.uk/yr387n3
prongai.com/yr387n3
right-livelihoods.org/yr387n3
ryrszs.com/yr387n3
semeystvo.com.ua/yr387n3
signumtte.net/yr387n3
supplyglassess.com/yr387n3
sydayont.com/yr387n3
tehrankhabar.ir/yr387n3
thegarageteam.gr/yr387n3
trebleimp.com/yr387n3
uzmanfren.com.tr/yr387n3
velolenta.com/yr387n3
videobandnaardvd.com/yr387n3
vmeste-hudeem.ru/yr387n3

The payload is Locky ransomware, phoning home to:

185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)


Recommended blocklist:
185.118.167.144
91.142.90.55


Wednesday, 23 November 2016

Malware spam: "financial records subpoena" / lawfirmofoklahoma.com

This spam purports to come from Michael T Diver, who is a real Oklahoma attorney, but it doesn't really and is just a simple forgery:

From:    MICHAEL T. DIVER [michael -at- lawfirmofoklahoma.com]
Date:    23 November 2016 at 15:24
Subject:    RE:RE: financial records subpoena

See you in court !!!

Subpoena for server

Thank you,

MICHAEL T. DIVER

T (405) 608-4990

F (405) 608-4991

The telephone number and potentially also the email address are genuine, but the emails are certainly not being sent from this law firm.

The link in the email goes to a legitimate but hacked Vietnamese site at techsmart.vn/backup2/get.php?id=[base64-encoded-part] (the last bit is a Base 64 representation of the victim's email address).

In testing the payload site was down, but previous emails of this type have led to the Vawtrak banking trojan.

Moar Locky: "Bill-12345" from victim's own domain

This spam has no body text and appears to come from within the victim's own domain. It leads to Locky ransomware. For example:

From:    julia newenham [julia.newenham@victimdomain.tld]
Date:    23 November 2016 at 10:44
Subject:    Bill-76137
There is a randomly-named ZIP (e.g. 589af1aa1aaf4cb9ce571fced687b8ac.zip) containing a randomly-named malicious javascript. My usual reliable source (thank you) identifies the following download locations for these scripts:

asrcargo.ru/08yhrf3
decorvise.com/08yhrf3
gyreunbar.com/08yhrf3
halsklam.net/08yhrf3
myphychoice.com/08yhrf3
naruto55.com/08yhrf3
netclip.ro/08yhrf3
nikanels.pl/08yhrf3
nikitassalon.com/08yhrf3
njzhigaokt.com/08yhrf3
nkfyfs.cn/08yhrf3
noamshop.com/08yhrf3
notretribu.eu/08yhrf3
nuevarazajeans.com/08yhrf3
odtahova-sluzba-praha.eu/08yhrf3
oehome.com.cn/08yhrf3
ogrodexmilicz.pl/08yhrf3
ogustine.com/08yhrf3
onushilon.org/08yhrf3
o-sis.jp/08yhrf3
ossiatzki.com/08yhrf3
ostra.ro/08yhrf3
ouiphone.fr/08yhrf3
ovsz.ru/08yhrf3
parenclub-devilsenangels.nl/08yhrf3
paronleather.com/08yhrf3
paulking.it/08yhrf3
pedalcars.ru/08yhrf3
peppyinsta.com/08yhrf3
piaristesafriquecentrale.org/08yhrf3
plastictas.nl/08yhrf3
popek.si/08yhrf3
pppconstruction.co.za/08yhrf3
propfisher.com/08yhrf3
pusulam.com.tr/08yhrf3
qybest.cn/08yhrf3
raivel.pt/08yhrf3
rdyy.cn/08yhrf3
reaga.cz/08yhrf3
realearthproperties.in/08yhrf3
realtorpics.net/08yhrf3
receptoare-satelit.ro/08yhrf3
revaitsolutions.com/08yhrf3
rimiller.com/08yhrf3

A malicious DLL is dropped with an MD5 of 4e207b30c5eae01fa136f3d89d59bbbe and a detection rate of 9/56. The malware then communicates with:

80.87.202.49/information.cgi (JSC Server, Russia)
94.242.55.81/information.cgi (RNet, Russia)
95.46.114.205/information.cgi (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)


Recommended blocklist:
80.87.202.49
94.242.55.81
95.46.114.205


Malware spam "Please Pay Attention" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Please Pay Attention
From:     Bill Rivera
Date:     Wednesday, 23 November 2016, 9:45

Dear [redacted], we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment - please check it out.

The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning lastpayment_ followed by the first part of the recipient's email address. This archive contains a randomly-named malicious .JS script that looks like this.

This particular script (and there will be others) downloads a malicious component from one of the following locations:

nielsredeker.nl/gmcoirnrm
gurlfanam.net/krwjx
vedicmotet.com/61y7mljr4
praam.cz/iessl
nightpeople.co.il/xklqq33nr

According to this Malwr report a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56.

The Hybrid Analysis clearly shows the ransomware in action and shows it communicating with the following URLs:

95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
195.123.209.8/information.cgi [hostname: kostya234.itldc-customer.net] (Layer6, Latvia)
213.32.66.16/information.cgi (OVH, France)


Recommended blocklist:
95.213.186.93
195.123.209.8
213.32.66.16

Tuesday, 22 November 2016

Malware spam: "Invoice 123456" from random sender in victim's own domain

This fake financial spam appears to come from a random sender in the victim's own domain, but this is just a simple forgery. The payload is Locky ransomware.

Subject:     Invoice 5639438
From:     random sender (random.sender@victimdomain.tld)
Date:     Tuesday, 22 November 2016, 8:43

Attached is the document 'Invoice 5639438'.

The reference number varies from email to email, but is consistent in the subject, body and the name of the attachment (e.g. Invoice 5639438.zip). This ZIP file contains a malicious WSF script (e.g. Invoice 7868933153.wsf) that looks like this.

According to the Malwr analysis, that script downloads from:

manage.parafx.com/98y4h?AdIXigNCmu=UdJVux

There are no doubt many other locations. That same analysis shows a DLL being dropped with an MD5 of de5d8250edf98262f335cd87fe6f6740 and a detection rate of 9/56. The Hybrid Analysis of the same sample shows the malware contacting the following C2 locations:

89.108.73.124/information.cgi (Agava, Russia)
91.211.119.98/information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)
94.242.55.81/information.cgi (RNet, Russia)


Recommended blocklist:
89.108.73.0/24
91.211.119.98
94.242.55.81


UPDATE

My usual reliable source came up with these additional download locations:

adoptshawm.net/98y4h
hotelmm.ro/98y4h
houseller.eu/98y4h
huaphoto.net/98y4h
huduanjichuang.com/98y4h
i12.ir/98y4h
ifsaiumumi.com/98y4h
illinoisnavhda.org/98y4h
inkubator.biz.pl/98y4h
interdean.hu/98y4h
iphoneservices.com.ua/98y4h
iran-bazaar.ir/98y4h
irandivinggroup.com/98y4h
islandspirits.ca/98y4h
izww.cn/98y4h
jain4jain.com/98y4h
jaydeepuk.com/98y4h
jazz.kvalitne.cz/98y4h
jinqiaonkyy.com/98y4h
jkshea.com/98y4h
joesrv.com/98y4h
joplinglobeonline.com/98y4h
junhao8.com/98y4h
justsport.co.il/98y4h
kabele.ru/98y4h
klaxcar.ro/98y4h
kongkhak.go.th/98y4h
korbastudio.com/98y4h
krepiec.pl/98y4h
kstm.or.th/98y4h
kuponik.eu/98y4h
lanphuong.vn/98y4h
lesmouf.com/98y4h
lhesh.com/98y4h
lifanpower.pl/98y4h
lomtalay.com/98y4h
lp511.com/98y4h
ltinvest.de/98y4h
luanasahian.ro/98y4h
lumitech.ro/98y4h
manage.parafx.com/98y4h
maroeg.com/98y4h
maxifitness.ru/98y4h
mckains.net/98y4h
mediawax.be/98y4h
megalingeriemall.com/98y4h
melzer-casting.de/98y4h
microsupport.net/98y4h
militarydirect.com/98y4h
minmin.in/98y4h
mirokon30.ru/98y4h
mooymedia.nl/98y4h
morgoo.es/98y4h
mudrahviezda.sk/98y4h
mybankofgold.com/98y4h
mysolosource.com/98y4h
natalija.ru/98y4h
reoilmaya.com/98y4h
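
The C2 list, the /24 in the recommended blocklist and the download locations above (one of which carries a query string) can be turned into a simple web proxy log check. What follows is an added example written for this page, not code from the post or from the Malwr/Hybrid Analysis services it cites: the IoCs are copied from this post, while the log format (timestamp, client IP, method, URL) and the log lines themselves are constructed samples. The path-token match is host-agnostic on purpose, since the post notes there are no doubt many other download locations with the same path.

```python
"""Added example for this page (not from the post or from Malwr/Hybrid Analysis):
turn a Locky post's IoC lists into a simple web proxy log check.

Assumptions not in the post: the log format below (timestamp, client IP,
HTTP method, URL) and the log lines themselves are constructed samples."""
import ipaddress
import re
from urllib.parse import urlsplit

# C2 lines in the format the post uses: "IP/path [hostname: ...] (network, country)"
C2_LINES = [
    "89.108.73.124/information.cgi (Agava, Russia)",
    "91.211.119.98/information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)",
    "94.242.55.81/information.cgi (RNet, Russia)",
]

# The post's recommended blocklist; note the whole /24 for the Agava address.
BLOCKLIST = ["89.108.73.0/24", "91.211.119.98", "94.242.55.81"]

# A few of the post's download locations. The Malwr sample carried a query
# string, so the match must ignore everything after '?'.
DOWNLOAD_LOCATIONS = [
    "manage.parafx.com/98y4h?AdIXigNCmu=UdJVux",
    "adoptshawm.net/98y4h",
    "hotelmm.ro/98y4h",
]

C2_LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(/\S*)")


def parse_c2_line(line):
    """Return (ip, path) from a C2 line, ignoring the hostname and network notes."""
    m = C2_LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised C2 line: {line!r}")
    return m.group(1), m.group(2)


def build_networks(entries):
    """Bare IPs and CIDR ranges become ip_network objects (a bare IP is a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_blocked(ip, networks):
    """True if ip is listed directly or falls inside a blocked range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def path_tokens(locations):
    """First path segment of each download location ('98y4h'), query string dropped."""
    tokens = set()
    for loc in locations:
        path = urlsplit("http://" + loc).path  # urlsplit needs a scheme to see the host
        first = path.strip("/").split("/", 1)[0]
        if first:
            tokens.add(first)
    return tokens


def classify_request(url, networks, c2_paths, tokens):
    """'c2' for a blocked IP plus a known C2 path, 'blocked-ip' for any other
    request to a blocked address, 'download' when the first path segment is a
    known token (on any host), else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        dest_is_ip = True
    except ValueError:
        dest_is_ip = False  # a hostname, not a literal address
    if dest_is_ip and ip_blocked(host, networks):
        return "c2" if parts.path in c2_paths else "blocked-ip"
    first = parts.path.strip("/").split("/", 1)[0]
    if first in tokens:
        return "download"
    return None


# Constructed proxy log: timestamp, client, method, URL. The second line is an
# address inside the blocked /24 rather than the listed IP, and the fourth uses
# a host that is not on the post's list at all; both are there on purpose.
SAMPLE_LOG = """\
2016-11-22T08:50:01 10.0.0.7 GET http://manage.parafx.com/98y4h?AdIXigNCmu=UdJVux
2016-11-22T08:50:09 10.0.0.7 POST http://89.108.73.200/information.cgi
2016-11-22T08:50:10 10.0.0.7 POST http://94.242.55.81/information.cgi
2016-11-22T08:51:00 10.0.0.8 GET http://unknownhost.example/98y4h/
2016-11-22T08:52:00 10.0.0.9 GET http://www.example.com/index.html
"""


def scan_log(text, blocklist=BLOCKLIST, c2_lines=C2_LINES, locations=DOWNLOAD_LOCATIONS):
    """Return (client, verdict, url) for every log line that matches an IoC."""
    networks = build_networks(blocklist)
    c2_paths = {parse_c2_line(line)[1] for line in c2_lines}
    tokens = path_tokens(locations)
    hits = []
    for line in text.splitlines():
        _ts, client, _method, url = line.split()
        verdict = classify_request(url, networks, c2_paths, tokens)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{client:10} {verdict:10} {url}")
```

Running it reports four hits: the download from manage.parafx.com (query string ignored), two C2 posts (one to an address inside the blocked /24, one to a listed IP) and the same path token on an unlisted host; the index.html request is left alone. A client that shows a download hit followed by an information.cgi post is the sequence the post describes and is the one to isolate first.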

Malware spam: "Delivery status" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Delivery status
From:     Gilbert Hancock
Date:     Tuesday, 22 November 2016, 8:51

Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.

In the sample I analysed there was an attachment named document_recipientname.zip (i.e. the first part of the recipient's email address was in the name), containing a malicious javascript with a random name. This particular script (and there are probably many others) attempts to download a component from one of the following locations:

sbdma.com/ri3xnzkaoz
robertocostama.com/qpnst8glsz
kettycoony.com/ahkzls3w
sadhekoala.com/efgqy4tdw
sdwsgs.com/voh7


According to this Malwr analysis, a malicious DLL is dropped with an MD5 of ebf03567c2a907705a026ff0821d8e63 and a detection rate of 6/55. The Hybrid Analysis reveals the following C2 locations:

91.201.202.130/information.cgi [hostname: dominfo.dp.ua] (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
188.120.250.138/information.cgi [hostname: olezhkakovtonyuk.fvds.ru] (TheFirst-RU, Russia)
213.32.66.16/information.cgi (OVH, France)

For those Russian and Ukrainian networks I would be tempted to block the entire /24 at least, but this is my minimum recommended blocklist:

91.201.202.130
95.213.186.93
188.120.250.138
213.32.66.16

UPDATE

These are additional download locations for this variant (thank you to my usual source):

87.244.17.86/bhigobrbr
beachbreak.com/beachbreak/hk7mqlgs
bursacicekmagazasi.com/yqrws0c
campossa.com/ped2hwz3
cniplc.com/1cbgu
convertus.com/3p80kj
csplane.com/ej7irq
dmsoinfo.com/1buigkyvl
dtinsani.com/1gon5mmzk
fabriquekorea.com/1f3mauxvzb
facerecognition.com.ba/9b7aecm
girlstravelling.com/llnza
girlstravelling.com/zj3ij
gto-cro.com/zcvofb
gtodo.com.ar/shvssbgwh
gumorca.com/ydsojspvx
gxaiq.com/y6lhc
hairchinadirect.com/iryscuex9
hancebile.com/03aviw5ree
hancebile.com/cmlucpol
hancebile.com/fppm5myp7r
hancebile.com/rk9q4pf1
hjertearken.dk/pxyti0
kettycoony.com/ahkzls3w
kettycoony.com/cx55khn
kettycoony.com/gl74xldx
kettycoony.com/qllgov6rp
lauiatraps.net/90iuiatl
lauiatraps.net/lknfc
lauiatraps.net/tltnctyadf
lauiatraps.net/zyqjw08qqt
liftaccessory.com/crvjl4
marvicedo.com/drvf1s5x
mcmustard.com/lotojt3
misicka.com/ho6guo1jn
monowheels.ru/2nbknagte9
newautolatino.com/wa7lm4i7vo
nuociss.com/css5igxfe
oualili.org/afdnzqtmbc
paidforall.com/wnvppxdp0
parskavand.com/wekzwe
pattumalamatha.com/biwkk3sp
phaseiv.org/9utjgbof
poltec.com.au/wjzfftju
profilab.ru/wsmie0k
remixsarkilar.com/um5mvc53
rndled.com/adf4t5s3
robertocostama.com/qpnst8glsz
rsahosting.com/quudvvjxe
sadhekoala.com/efgqy4tdw
sadhekoala.com/lvqh1
sadhekoala.com/qg7bhfv3sa
sadhekoala.com/vjhxxwuo
sbdma.com/ri3xnzkaoz
sdwsgs.com/voh7l
shouwangstudio.com/uddj8u
snehil.com/8jp3sr
starmakersentertainment.com/vvaury
suziemorris.net/qz3wodtpqe
talentinzicht.eu/2szzeegt
thegioitructuyen.org/lalvx1nrj
thegoldclubs.com/soaiga
thirdchild.org/ratorfeybm
touroflimassol.com/uekc5dx
touroflimassol.com/vil8begqiq
ulmustway.com/gggsslzj1c
ulmustway.com/jm2hp
ulmustway.com/kzqnerxm
ulmustway.com/stj6o
unkalojistik.com/hhwh0xv9
valpit.ru/kn3jm
vedexpert.com/qbaiegzzu
verdianthy.com/iool1e
warisstyle.com/mjuurbt2bx
wbakerpsych.com/j00gr8z
whatsapphd.com/fqi0a
woodmode-eg.com/dsi79s
xa12580.com/lzwkiqsi8s
xhumbrella.com/jb5c396v
znany-lekarz.pl/nrpfqwwq

Monday, 21 November 2016

Malware spam: "Your LogMein.com subscription has expired!" / billing@secure-lgm.com

This fake financial spam leads to malware:

From:    billing@secure-lgm.com
Date:    21 November 2016 at 18:35
Subject:    Your LogMein.com subscription has expired!

Dear client,

You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.


You can download the bill directly from the LogMeIn website:
https://accounts.logme.in/billing.aspx?clusterid=4557&view_bill_id=34466152&file_type=doc


Please use another credit card or payment method in order to avoid complete service interruption.
Event type: Credit Card Declined
Account email: [redacted].com
At: 21/11/2016

If you need more help, visit LogMeIn Support at:
http://solutions.logmein. com/SalesContactUs


Important Security Notice:
LogMeIn will never for your password or other sensitive information by email. 


(Please don't reply to this email, as it's sent from an address that's not monitored.)

© LogMeIn Inc      

The link in the email actually goes to a page at reg.vn/en/view_bill.php?id=encoded-email-address (where the last part is the email address in Base 64 encoding). It downloads a malicious document lgm_bill69290.doc with a current detection rate of 8/55.
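
Both this LogMeIn link (view_bill.php?id=...) and the "financial records subpoena" link above (get.php?id=...) carry the recipient's address Base64-encoded in the id parameter. The following is an added example, not code from the post, that recovers that address from such a URL so the targeted mailbox can be identified from a proxy or mail gateway log even after the landing page has gone. The post redacts the real addresses, so the address and tokens used here are constructed samples.

```python
"""Added example for this page (not code from the post): recover the recipient
address that the 'financial records subpoena' and LogMeIn lures embed,
Base64-encoded, in the id= parameter of their landing URLs.

Assumptions: the post redacts the real addresses, so the address and the
tokens below are constructed samples."""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit


def raw_query_param(url, name):
    """Return the raw value of a query parameter, or None if absent.

    parse_qs is avoided because it turns '+' into a space, and '+' is part
    of the standard Base64 alphabet; unquote (not unquote_plus) only undoes
    percent-encoding such as %2B or %3D."""
    if "://" not in url:
        url = "http://" + url  # the post writes URLs without a scheme
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def decode_victim_id(url, param="id"):
    """Decode the Base64 id= value to text; None if missing or not valid Base64.

    Accepts both the standard and the URL-safe alphabet and restores any
    '=' padding that was stripped from the end of the URL."""
    token = raw_query_param(url, param)
    if not token:
        return None
    token = token.strip().replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_email(text):
    """Cheap shape check so random Base64 that happens to decode is not reported."""
    return bool(text) and EMAIL_RE.match(text) is not None


# Constructed sample address and the URL shapes the two posts describe.
SAMPLE_ADDRESS = "jane.doe@example.com"
SAMPLE_TOKEN = base64.b64encode(SAMPLE_ADDRESS.encode()).decode()  # 'amFuZS5kb2VAZXhhbXBsZS5jb20='
SAMPLE_URLS = [
    "techsmart.vn/backup2/get.php?id=" + SAMPLE_TOKEN,
    "reg.vn/en/view_bill.php?id=" + SAMPLE_TOKEN.rstrip("="),  # padding stripped in transit
    "reg.vn/en/view_bill.php?id=not-base64!",                   # junk: must not be reported
    "reg.vn/en/view_bill.php",                                  # no id at all
]


def extract_targets(urls):
    """Map each URL to the decoded address, or None when nothing email-shaped decodes."""
    result = {}
    for url in urls:
        decoded = decode_victim_id(url)
        result[url] = decoded if is_email(decoded) else None
    return result


if __name__ == "__main__":
    for url, address in extract_targets(SAMPLE_URLS).items():
        print(f"{url}\n    -> {address}")
```

Feed it the URLs from your gateway's click logs and the result tells you who each lure was built for; the first two sample URLs decode to the constructed address (the second despite its stripped padding), the junk and id-less URLs decode to nothing.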

Automated analysis [1] [2] shows malicious network traffic to and from:

newaronma.com/zapoy/forum.php
newaronma.com/ls5/forum.php
newaronma.com/blt/patha1.php?v=51
www.libinvestusa.com/images/inst.exe
www.libinvestusa.com/images/pm1.dll


A malicious executable is dropped with a detection rate of 7/57. The payload appears to be Hancitor / Vawtrak.

The domain secure-lgm.com appears to have been created for the purposes of sending the email. The probably fake WHOIS details are:

Registrant Name: Nikolay Vazov
Registrant Organization: NA
Registrant Street: 106 Vitosha Blvd.
Registrant City: Sofia
Registrant State/Province: Sofia
Registrant Postal Code: 1463
Registrant Country: bg
Registrant Phone: +359.28058181
Registrant Phone Ext:
Registrant Fax: +359.28058787
Registrant Fax Ext:
Registrant Email: nokolay.vazov@mail.bg


Recommended blocklist:
95.215.111.222
newaronma.com
libinvestusa.com


Something evil on 64.20.51.16/29 (customer of Interserver, Inc)

I wrote about this evil network on 64.20.51.16/29 (a customer of Interserver, Inc) over a year ago, identifying it as a hotbed of fraud. Usually these bad networks don't hang around for very long, but in this case it seems to be very persistent.

This time it came to notice from a terse spam with a PDF attached:

From:    Lisa Liang [ineedu98@hanmail.net]
To:    me@yahoo.com
Date:    20 November 2016 at 23:23
Subject:    11/21/2016 Amended

FYI
Attached is a file Amended copy.pdf which when you open it (not recommended) looks blurry with "VIEW" in big red letters.

The link in the email goes to bit.ly/2fJbyol - if you put the "+" on the end of a Bitly link then you can see the number of clickthroughs and what the landing page is (www.serviceupgrade.tech/pdf.php in this case).

Clicking through gives you a login page for "Adobe PDF Online" which is of course a generic phishing page.


Analysis of the 64.20.51.16/29 range finds 193 sites historically connected with it marked as being phishing or some other malicious activity. There are at least 284 sites currently within that range, of which the following are both hosted in that range currently and are malicious:

sparvicharityfoundation.com
ftp.eurocontrol-int.net
eurocontrol-int.net
bocusin.com
eurocontrol-int.net
meclp.com
lntedg.com
bs-shipmanagements.com
rolloninz.com
outlook-excell.com
safetech-online.com
lrbis.com
stmposlka.com
combinaparts.com
gsctechinology.com
writverify-online.com
ubsinvbnk.com
kiy-carbon.com
hsbcoffshores.com
natural-live.top
ftp.daemon-mail.com
ftp.paypalcenter.com
mobile-secure.us
zharmonics-online.com
nahpa-vn.com
djhexport.com
paypalcenter.com
victorialmpex.com
schmiditsports.com
lindner-stofftiere.com
novady.top

11% of the total sites in the range have been tagged by SURBL or Google as being bad, and to be honest there are probably a LOT more but those services haven't caught up yet.

In any case, there seems to be nothing of value in 64.20.51.16/29 and I strongly recommend that you block traffic to the entire range.




Thursday, 17 November 2016

Malware spam: "Sage Invoice [service@sage-invoices.com]" / "Outdated Invoice" leads to Trickbot

This fake financial spam leads to the Trickbot banking trojan.

From:    Sage Invoice [service@sage-invoices.com]
Date:    17 November 2016 at 10:54
Subject:    Outdated Invoice

This is a customer service e-mail from © Sage (UK) Limited to [redacted]
   
Sage Invoice Payments
Outdated Invoice

You have an outdated invoice from Sage Invoice Payments that needs your attention. To find out more details on this invoice, please see the enclosed document attached to this email.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54. Hybrid Analysis shows malicious network traffic to:

substan.merahost.ru/petrov.bin  [185.86.77.224] (Mulgin Alexander Sergeevich aka gmhost.com.ua, Ukraine)

A malicious file scsnsys.exe is dropped with a detection rate of 8/53.

The domain sage-invoices.com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication. The no doubt fake WHOIS details are:

Registry Registrant ID: Not Available From Registry
Registrant Name: Antonio Padula
Registrant Organization: Weighpack Systems Inc
Registrant Street: 5605 Rue Cypihot
Registrant City: Saint Laurent
Registrant State/Province: Quebec
Registrant Postal Code: H4S 1R3
Registrant Country: CA
Registrant Phone: +1.5144243344
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: test@orasore.com


I recommend that you block traffic from that domain or check your filters to see who may have it.

Recommended blocklist:
sage-invoices.com [email]
185.86.77.0/24

Wednesday, 16 November 2016

Phishing: "Office 365 Tax Refund Service" / updatemicrosoftonline.com

Microsoft Office 365 offering a tax refund service? Really? No, of course not, it's a phishing scam.

From:    Microsoft Office 365 Team [noreply@cloud.baddogwebdesign.com]
Date:    16 November 2016 at 10:58
Subject:    Office 365 Tax Refund Service

     Office 365 Microsoft

Office 365 Tax Refund Service.

CONFIGURE TODAY

Thanks for using Office 365. We are delighted to present our new service associated with HM Revenue & Customs. To continue processing your tax refund please configure your bank account.

It's easy to configure your bank account:

1    Sign in to your account.
1    Configure your bank account.
1    You are eligible to receive a tax refund of £537.25 GBP

Thanks for subscribing to Office 365. We hope to continue serving you.

Helpful resources

How to reactivate your Office 365 subscription
Already renewed? Verify your subscription here
What happens to my data and access when my subscription expires?
Get help and support for Office 365

This is a mandatory service communication. To set your contact preferences for other communications, visit the Promotional Communications Manager.

This message was sent from an unmonitored e-mail address. Please do not reply to this message.
Privacy | Legal

Microsoft Office
One Microsoft Way


The link in the email leads to updatemicrosoftonline.com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the email and the domain name, it leads to an HMRC-themed phishing page.

This multi-phish page has twelve UK banks set up on it:

  • Barclays
  • Halifax
  • HSBC
  • Lloyds Bank
  • NatWest
  • Royal Bank of Scotland
  • Santander
  • TSB
  • Metro Bank
  • Clydesdale Bank
  • The Co-Operative Bank
  • Tesco Bank
Clicking on any of the links goes to a pretty convincing looking phish page, personalised for each bank and carefully extracting all the information they need for account theft.  The screenshots below are the sequence if you choose TSB bank.





Once you have entered all the information, the process appears to fail and you are directed to a genuine HMRC site instead.

A list of sites found in 89.248.168.0/24 can be found here [pastebin]. I suggest that the entire network range looks questionable and should be blocked.

Wednesday, 9 November 2016

Malware spam: "Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016" leads to Locky

This spam has an interestingly malformed subject; the attachment leads to Locky ransomware:

Subject:     Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016
From:     KELLY MOORHOUSE (kelly.moorhouse@edbn.org)
Date:     Wednesday, 9 November 2016, 12:52

KELLY MOORHOUSE

Last & Tricker Partnership

3 Lower Brook Mews
Lower Brook Street
Ipswich Suffolk IP4 1RA
T: 01473 252961  F: 01473 233709  M: 07778464004
email: kelly.moorhouse@edbn.org

This e-mail and any attachments may contain confidential and privileged
information and is intended only for the use of the individual or entity to
which it is addressed. If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this e-mail and destroy any
copies from your system; you should not copy the message or disclose its
contents to anyone. Any dissemination, distribution or use of this
information by a person other than the intended recipient is unauthorized
and may be illegal. We cannot accept liability for any damage sustained as a
result of software viruses and advise you to carry out your own virus checks
before opening any attachment.
Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf) that looks like this.
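The unrendered `rnd(...)}}` token is a spam-kit template that leaked into the subject, and it can be turned into a detection. The Python below is an added example, not code from the original post: it flags subjects still carrying the raw token and, assuming `rnd(...)` picks one letter from its list (the post does not say so), derives the variants a correctly rendered copy would have had, so those can be hunted for in mail logs. The sample subjects are constructed; only the first is quoted from the post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample subjects: the first is the malformed one quoted in the post,
# the other two are invented here to exercise the checks.
SAMPLE_SUBJECTS = [
    "Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016",
    "Shell Fuel Card E-bill 1234567 for Account S776325 09/11/2016",
    "Re: invoice for October",
]

# The leaked spam-kit token exactly as it appears in the subject:
#   (rnd(B,S,F,...)}}776324  ->  group 1 = letter list, group 2 = literal digits.
# Assumption (not stated in the post): rnd(...) picks one letter from the list.
TOKEN_RE = re.compile(r"\(rnd\(([A-Za-z0-9,]+)\)\}\}(\d+)")


def find_unrendered_token(subject: str) -> Optional[Tuple[List[str], str]]:
    """Return (letters, literal digits) if the raw template token is present."""
    m = TOKEN_RE.search(subject)
    if m is None:
        return None
    letters = [c for c in m.group(1).split(",") if c]
    return letters, m.group(2)


def expand_rendered_variants(subject: str) -> List[str]:
    """Produce the subjects a rendered copy would carry, one per letter in the list."""
    m = TOKEN_RE.search(subject)
    if m is None:
        return [subject]
    letters = [c for c in m.group(1).split(",") if c]
    return [subject[:m.start()] + c + m.group(2) + subject[m.end():] for c in letters]


def _generalise(text: str) -> str:
    # Escape the literal text, then let every digit run vary (bill number, date).
    return re.sub(r"\d+", r"\\d+", re.escape(text))


def rendered_variant_regex(subject: str):
    """Build one regex matching any rendered variant of the leaked template,
    with per-message numbers (e-bill number, account digits, date) generalised."""
    m = TOKEN_RE.search(subject)
    if m is None:
        return None
    letters = [c for c in m.group(1).split(",") if c]
    letter_class = "[" + "".join(re.escape(c) for c in letters) + "]"
    pattern = (_generalise(subject[:m.start()]) + letter_class + r"\d+"
               + _generalise(subject[m.end():]))
    return re.compile(pattern)


def triage_subjects(subjects: List[str]) -> List[Tuple[str, str]]:
    """Flag subjects that still carry the raw token, and subjects that match a
    rendered variant of any leaked template seen in the same batch."""
    hunt = [rendered_variant_regex(s) for s in subjects if TOKEN_RE.search(s)]
    flagged = []
    for s in subjects:
        if TOKEN_RE.search(s):
            flagged.append((s, "unrendered spam-kit token"))
        elif any(rx.fullmatch(s) for rx in hunt):
            flagged.append((s, "rendered variant of leaked template"))
    return flagged


if __name__ == "__main__":
    for subject, reason in triage_subjects(SAMPLE_SUBJECTS):
        print(f"{reason}: {subject}")
```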

For one sample script, the Hybrid Analysis and Malwr report indicate a binary is downloaded from one of the following locations:

alamanconsulting.at/0ftce4?aGiszrIV=gRLYYDHSna
naka-dent.mobi/0ftce4?aGiszrIV=gRLYYDHSna

This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56. The malware then phones home to the following C2 servers:

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)


These are the same C2s as seen here.

Recommended blocklist:
85.143.212.23
158.69.223.5


UPDATE

A full list of download locations from my usual source:

Malware spam: "Account temporarily suspended" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Nicole Roman
Date:    9 November 2016 at 10:44
Subject:    Account temporarily suspended

Dear Customer.

You have exceeded the limit of operations on your credit card.
Thus, we have temporarily blocked your account.
The full itemization of transactions and instructions are given in the document attached to this message.

Best regards.
The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, containing a randomly-named malicious .js script that looks like this.

That particular script attempts to download a binary from one of the following locations (you can be sure there are others):

hippaupsup.com/3gc7c2rp
melkar.com/icfi5mg
inspireyouths.org/j48tb3
ausulifer.net/3xwpi
koratwifi.info/io4h3

This Hybrid Analysis and this Malwr report show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56.

No C2 locations have been identified yet. I will post them here if I get them.


Malware spam: "Your Amazon.com order has dispatched" leads to Locky

Overnight there has been a massive fake Amazon spam run leading to Locky ransomware:

From:    Amazon Inc [auto-shipping27@amazon.com]
Date:    8 November 2016 at 23:10
Subject:    Your Amazon.com order has dispatched (#021-3323415-8170076)

Dear Customer,

Greetings from Amazon.com,

We are writing to let you know that the following item has been sent using  DHL Express.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.com/your-account

Your order #021-3323415-8170076 (received November 8, 2016)


Your right to cancel:
At Amazon.com we want you to be delighted every time you shop with us.  O=
ccasionally though, we know you may want to return items. Read more about o=
ur Returns Policy at:  http://www.amazon.com/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have =
the right to cancel the contract for the purchase of any of these items wit=
hin a period of 7 working days, beginning with the day after the day on whi=
ch the item is delivered. This applies to all of our products. However, we =
regret that we cannot accept cancellations of contracts for the purchase of=
 video, DVD, audio, video games and software products where the item has be=
en unsealed. Please note that we are unable to accept cancellation of, or r=
eturns for, digital items once downloading has commenced. Otherwise, we can=
 accept returns of complete product, which is unused and in an "as new" con=
dition.

Our Returns Support Centre will guide you through our Returns Policy and, w=
here relevant, provide you with a printable personalised return label.  Ple=
ase go to http://www.amazon.com/returns-support to use our Returns Suppor=
t Centre.

To cancel this contract, please pack the relevant item securely, attach you=
r personalised return label and send it to us with the delivery slip so tha=
t we receive it within 7 working days after the day of the date that the it=
em was delivered to you or, in the case of large items delivered by our spe=
cialist couriers, contact Amazon.com customer services using the link bel=
ow within 7 working days after the date that the item was delivered to you =
to discuss the return.

https://www.amazon.com/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend th=
at you use a recorded-delivery service. Please note that you will be respon=
sible for the costs of returning the goods to us unless we delivered the it=
em to you in error or the item is faulty. If we do not receive the item bac=
k from you, we may arrange for collection of the item from your residence a=
t your cost. You should be aware that, once we begin the delivery process, =
you will not be able to cancel any contract you have with us for services c=
arried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection i=
n the event that our specialist courier service collect a large item from y=
ou to return to us.

As soon as we receive notice of your cancellation of this order, we will re=
fund the relevant part of the purchase price for that item.=20

Should you have any questions, feel free to visit our online Help Desk at:=
=20
http://www.amazon.com/help

If you've explored the above links but still need to get in touch with us, =
you will find more contact details at the online Help Desk.=20

Note: this e-mail was sent from a notification-only e-mail address that can=
not accept incoming e-mail. Please do not reply to this message.=20

Thank you for shopping at Amazon.com

-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
All the versions I have seen contain those same formatting errors. Details vary from message to message (e.g. carrier, reference numbers). Attached is a malicious ZIP file (e.g. ORDER-608-0848796-6857907.zip) containing a malicious javascript file (e.g. F-9295287522-9444213500-201611165156-2601.js) that looks like this.
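Those "formatting errors" are quoted-printable artefacts (a trailing "=" soft line break, "=20" for a space, "=C3=A0" for "à") that leaked through because the spam kit mislabelled its transfer encoding, and a genuine notification would never show them. The Python below is an added example, not part of the original post: it counts such artefacts in a body delivered as plain text, flags the body when they recur, and decodes it so an analyst can read the intended text. The sample body is constructed from fragments of the message quoted above.

```python
import quopri
import re
from typing import Dict

# Constructed sample: fragments of the fake Amazon message quoted above, with the
# leaked quoted-printable artefacts left intact.
SAMPLE_BODY = (
    "At Amazon.com we want you to be delighted every time you shop with us.  O=\n"
    "ccasionally though, we know you may want to return items.\n"
    "fund the relevant part of the purchase price for that item.=20\n"
    "Amazon EU S.=C3=A0.r.L.\n"
)

SOFT_BREAK_RE = re.compile(r"=\n")           # soft line break: "=" at end of line
HEX_ESCAPE_RE = re.compile(r"=[0-9A-F]{2}")  # encoded byte such as =20 or =C3


def qp_artefact_stats(body: str) -> Dict[str, int]:
    """Count quoted-printable artefacts that should never appear in a decoded body."""
    return {
        "soft_breaks": len(SOFT_BREAK_RE.findall(body)),
        "hex_escapes": len(HEX_ESCAPE_RE.findall(body)),
        "lines": body.count("\n") or 1,
    }


def looks_unrendered_qp(body: str, min_hits: int = 2) -> bool:
    """Heuristic: two or more artefacts in a plain-text body is a strong sign the
    sending kit mislabelled its transfer encoding. A lone "=" in ordinary prose
    (e.g. "a = b") does not trigger it."""
    s = qp_artefact_stats(body)
    return s["soft_breaks"] + s["hex_escapes"] >= min_hits


def decode_for_analyst(body: str) -> str:
    """Undo the leaked encoding so the text reads as the spammer intended it."""
    raw = quopri.decodestring(body.encode("ascii", errors="replace"))
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(qp_artefact_stats(SAMPLE_BODY), looks_unrendered_qp(SAMPLE_BODY))
    print(decode_for_analyst(SAMPLE_BODY))
```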

My usual source (thank you) tells me that the various scripts download a component from these locations:


It appears to drop a malicious DLL with a detection rate of 32/56. The following C2 servers have been identified:

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)


UPDATE
According to the Hybrid Analysis the dropped Locky binary actually has an MD5 of ad6fb318002df4ffc80795cc31d529b4 and a detection rate of 28/56.

Recommended blocklist:
85.143.212.23
158.69.223.5



Tuesday, 8 November 2016

Malware spam: "Suspicious movements" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Suspicious movements
From:     Marlene Parrish
Date:     Tuesday, 8 November 2016, 12:52

Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.
---
King regards,
Marlene Parrish
Account Manager
Tel.: 202-328-1800
U.S. Office of Personnel Management
1189 E Street, NW
Washington, DC 20415-1000
The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js) which looks like this (note the insane amount of whitespace).

That particular script downloads a malicious component from one of the following locations:

vexerrais.net/6sbdh
centinel.ca/wkr1j6n
3-50-90.ru/u4y5t
alpermetalsanayi.com/vuvls
flurrbinh.net/6mz3c5q


There will probably be other download locations. This Hybrid Analysis and this Malwr report show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56.

UPDATE

My usual reliable source (thank you) informs me that there are indeed C2 servers (see the end of the post). The download locations are as follows:


C2s:

185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd, Ukraine)
195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Latvia)
185.102.136.127/message.php [hostname: koltsov12.mgn-host.ru] (MGNHost, Russia)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
185.67.0.102
195.123.211.229
185.102.136.127
188.65.211.181



Malware spam: "Statement" leads to Locky

Another terse fake financial spam leading to Locky ransomware:

Subject:     Statement
From:     accounts@somedomain.tld
Date:     Tuesday, 8 November 2016, 10:59

For your Information.
The sender domain varies. Attached is a ZIP file with a name similar to Statement PDF - 56765041263.zip which in turn contains a malicious WSF script (like this) named in a format similar to SLM245260-0214.wsf.

Hybrid Analysis of this one sample shows a download occurring from:

gpstrackerbali.com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG

There will no doubt be many other locations, if I get more information then I will post it here. The script drops a DLL with a detection rate of 14/56 and the malware appears to phone home to:

185.118.66.90/message.php (vpsville.ru, Russia)
158.69.223.5/message.php (OVH, Canada)


Recommended blocklist:
185.118.66.90
158.69.223.5

Monday, 7 November 2016

Malware spam: "Financial documents" leads to Locky

The never-ending Locky ransomware onslaught continues. This fake financial spam has a malicious attachment:

Subject:     Financial documents
From:     Judy Herman
To:     [redacted]
Date:     Monday, 7 November 2016, 10:53

Hi [redacted],

These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.

Best Wishes,
Judy Herman 
Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:

http://coachatelier.nl/lg8s2
http://bechsautomobiler.dk/m8idi9j
http://desertkingwaterproofing.com/ma4562
http://zapashydro.net/6sgto2bd
http://owkcon.com/6xgohg6i

According to this Hybrid Analysis, the malware then phones home to:

195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181




Thursday, 3 November 2016

Malware spam: "!!! Urgent payment request" from random senders leads to Locky

This spam comes from random senders; the name in the "From" field always matches the fake email signature. The number of exclamation marks varies, and the payload is Locky ransomware.


Subject:     !!! Urgent payment request
From:     erika.whitwell@hillcrestlife.org (erika.whitwell@hillcrestlife.org)
Date:     Thursday, 3 November 2016, 10:01

ERIKA WHITWELL

Telefon: +49 1592 / 51-2545
Fax: +49 1592 / 5166-2545
E-Mail:
erika.whitwell@hillcrestlife.org

Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly-named malicious javascript file (e.g. 8357243996-7378883150-201611233647-0661.js) which looks like this [pastebin].

Analysis is pending. Please check back later.

UPDATE

This Hybrid Analysis shows the script downloading from:

dornovametoda.sk/jhb6576?jPUTusVX=GXNaiircxm

There will be lots of other download locations too. That same report shows the malware phoning home to the following C2 servers (which overlap somewhat with those found here):

194.28.87.26/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
109.234.34.227/message.php (McHost.Ru, Russia)


Recommended blocklist:
194.28.87.26
93.170.123.119
109.234.34.0/24




Moar Locky 2016-11-03

I haven't had much time to look at the Locky runs overnight, but here is a data dump of download locations and C2s (at the bottom) from my usual reliable source:

Download locations:

C2s:
51.255.107.20/message.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
85.143.215.209/message.php (PrdmService LLC / Comfortel Ltd / Trader soft LLC, Russia)
91.230.211.103/message.php (Optibit LLC, Russia)
91.239.232.171/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
194.28.87.26/message.php (Hostpro Ltd, Ukraine)
51.255.107.20/linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
194.28.87.26/linuxsucks.php (Hostpro Ltd, Ukraine)

Recommended blocklist:
51.255.107.20
85.143.215.209
91.230.211.103
91.239.232.171
93.170.123.119
194.1.239.152
194.28.87.26

Wednesday, 2 November 2016

Malware spam: "Companies House - new company complaint" / noreply@companies-house.me.uk / noreply@companieshouses.co.uk leads to TrickBot

This fake Companies House spam leads to TrickBot malware:

From:    Companies House [noreply@companieshouses.co.uk]
Date:    2 November 2016 at 11:51
Subject:    Companies House - new company complaint
Signed by:    companieshouses.co.uk

Investigations and Enforcement Services

This message has been auto-generated in response to the company complaint submitted to our WebFiling  service.

The submission number is ID109202DLK02911

Please find the attached document for your review.

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Crown Logo
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500

The Cardiff office is open 24 hours a day for the receipt of documents Contact Centre lines are open between 8.30am to 6pm (Monday to Friday) 
Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.


The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:

    Registrant:
        Camell Williams

    Registrant type:
        Unknown

    Registrant's address:
        550 HOLTS LAKE CT STE 101
        Suite 101
        Apopka
        Florida
        32703
        United States


Both those domains are close to the genuine one of companieshouse.gov.uk and because the email is digitally signed it might get past spam filters where normal botnet-sent spam wouldn't.

All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.

Attached is a Word document Complaint.doc (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:

futuras.com/img/dododocdoc.exe

This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.

The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:

78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)


The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.

Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117