Sponsored by..

Wednesday, 23 August 2017

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx - name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP.

Subject:       Voice Message Attached from 001396445685 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:22 am

Time: Wed, 23 Aug 2017 14:52:12 +0530
Download <http://tyytrddofjrntions.net/af/VM20170823_193908.zip> file to listen
Voice Message

Subject:       Voice Message Attached from 055237805419 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:21 am

Time: Wed, 23 Aug 2017 14:51:13 +0530
Download <http://mjhsdgc872bf432rdf.net/af/VM20170823_193908.rar> file to listen
Voice Message
Both download locations of tyytrddofjrntions.net and mjhsdgc872bf432rdf.net are hosted on 119.28.100.249 (Tencent, CN). This same IP was seen in this other recent spam run. Both the RAR and ZIP downloads (detection rate about 18/59 [1] [2]) contain the same malicious VBS script [pastebin]. The script tries to download an additional component from one of the following locations:

grlarquitectura.com/Mvgjh67?
grundschulmarkt.com/Mvgjh67?
aldirommestorr887.info/af/Mvgjh67?
grupoegeria.net/Mvgjh67?
gestionale-orbit.it/Mvgjh67?
gdrural.com.au/Mvgjh67?
geocean.co.id/Mvgjh67?
grupoajedrecisticoaleph.com/Mvgjh67?
grupofergus.com.bo/Mvgjh67?
gruppostolfaedilizia.it/Mvgjh67?

You'll note that most of those download locations start with "gr" which indicates that this is just a small subset of hacked servers under the control of the bad guys.

Automated analysis [3] [4] shows a dropped file with a VirusTotal detection rate of 14/64 (probably Locky). Those same analyses show traffic being sent to:

62.109.16.214/imageload.cgi (TheFirst-RU, RU - hostname: gpodlinov.letohost.com)
5.196.99.239/imageload.cgi (Just Hosting, RU - hostname: noproblem.one)

UPDATE:  Several other IPs in the 5.196.99.0/24 range have been used to host malware in the past. I would recommend blocking the entire /24.

Recommended blocklist:
119.28.100.249
62.109.16.214
5.196.99.0/24


1 comment:

C. W. said...

I extracted these additional addresses from samples:

doinlife.com/yb8w7fg?
ttytreffdrorseder.net/af/yb8w7fg?

The payloads were otherwise identical.