Sponsored by..

Showing posts with label Czech Republic. Show all posts
Showing posts with label Czech Republic. Show all posts

Tuesday 24 May 2016

Malware spam: "Account Compromised" / "Suspicious logon attempt"

These fake security warnings come with a malicious attachment:

From:    Jennings.KarlaVk@ttnet.com.tr
Date:    24 May 2016 at 11:48
Subject:    Account Compromised

Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 108.127.172.96)
Reason: unusual IP
Please refer to the attached report to view further detailed information.

BMJ Group
tel. (4813)/675337 33

> Sent from iPad

--------------

From:    Hooper.Cecilep@hotelaviatrans.am
Date:    24 May 2016 at 11:40
Subject:    Suspicious logon attempt

Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 223.149.173.250)
Reason: unusual IP
Please refer to the attached report to view further detailed information.

YUJIN INTL LTD
tel. (4020)/438007 92

> Sent from iPad

In the two samples I have seen, there are attachments named Security Report.zip and Security Notification.zip which in turn contain a Word document with a name such as Security Report ID(11701573).doc

The two documents that I have seen have detection rates of about 3/56 [1] [2] but according to these automated analyses [3] [4] [5] [6] it seems that the infection doesn't work properly, failing to find a created file harakiri.exe. This Malwr report shows a dropped file named harakiri.pfx which isn't an executable, my guess is that this is an encrypted file that hasn't decrypted properly.

UPDATE

According to a third party analysis, this apparently drops Dridex which phones home to:

210.245.92.63 (FPT Telecom Company, Vietnam)
162.251.84.219 (PDR Solutions, US)
80.88.89.222 (Aruba, Italy)
213.192.1.171 (EASY Net, Czech Republic)


Recommended blocklist:
210.245.92.63
162.251.84.219
80.88.89.222
213.192.1.171


Tuesday 26 April 2016

Malware spam: "Missing payments for invoices inside"

This fake financial spam leads to malware:

From:    Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com]
Date:    26 April 2016 at 12:58
Subject:    Missing payments for invoices inside

Hi there!

Hope you are good.

Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.

BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.

Kind Regards

Jeffry Rogers

Henderson Group

Tel: 337-338-4607
I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:

web.spartanburgcommunitycollege.com/gimme/some/loads_nigga.php

This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:

103.245.153.154 (OrionVM Retail Pty Ltd, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (FPT Telecom Company, Vietnam)
213.192.1.171 (EASY Net, Czech Republic)


The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.

Recommended blocklist:
103.245.153.154
176.9.113.214
210.245.92.63
213.192.1.171


Monday 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:
From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )
I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.

UPDATE

I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:

bjdennehy.ie/~upload/89u87/454sd.exe

This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)


MD5s:
495d47eedde6566a12b74c652857887e
182db9fc18c5db0bfcb7dbe0cf61cae5
177948c68bc2d67218cde032cdaf1239
07c90e44adcf8b181b55d001cd495b7f


Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239

Tuesday 24 November 2015

Malware spam: "Scan as requested" / "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]

This fake document scan does not come from New Hope Specialist Care but is instead a simple forgery with a malicious attachment:

From     "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]
Date     Tue, 24 Nov 2015 07:11:00 -0300
Subject     Scan as requested

Regards


Paulette Riley

Administrator

New Hope Specialist Care Ltd
126 Brook Road
Oldbury
West Midlands
B68 8AE

tel: 0121 552 1055
mobile: 07811 486 270
fax: 0121 544 7104


* PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL *


This is an email from New Hope Specialst Care Ltd. The information contained
within this message is intended for the addressee only and may contain
confidential and/or privilege information. If you are not the intended
recipient you may not peruse, use, disseminate, distribute or copy this
message. If you have received this message in error please notify the sender
immediately by email or telephone and either return or destroy the original
message. New Hope Specialsit Care Ltd accept no responsibility for any
changes made to this message after it has been sent by the original author.
The views contained herein do not necessarily represent the views of New
Hope Specialist Care Ltd This email or any of its attachments may contain
data that falls within the scope of the Data Protection Acts. You must
ensure that handling or processing of such data by you is fully compliant
with the terms and provisions of the Data Protection Act 1984 and 1988

---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com

Attached is a file 20151009144829748.doc of which I have seen two versions (VirusTotal results [1] [2]) and which contain a macro like this [pastebin].

Analysis of these documents is pending, but the payload is likely to be the Dridex banking trojan.

Frustratingly, it looks like the web host has suspended newhopecare.co.uk which is not helpful in these circustances, as it stops the victim company from posting a warning.


UPDATE

These two Hybrid Analysis reports [1] [2] show a download from the following locations:

www.costa-rica-hoteles-viajes.com/~web/7745gd/4dgrgdg.exe
janaduchanova.wz.cz/7745gd/4dgrgdg.exe


This has a VirusTotal detection rate of 4/55. That VT analysis and this Malwr analysis and these two Hybrid Analysis reports [1] [2] show network traffic to:

157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
88.86.117.153 (SuperNetwork, Czech Republic)


MD5s:
06c1c0a6d5482b93737f9ce250161b82
3368d7d4f48d291ee0f4ae7c81dd73a6
15fcf405b726379c6efabc89d6e0ceac


Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
88.86.117.153



Thursday 20 August 2015

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This fake TfL spam comes with a malicious attachment:

From     "Transport for London" [noresponse@cclondon.com]
Date     Thu, 20 Aug 2015 17:04:26 +0530
Subject     Email from Transport for London

Dear Customer

Please open the attached file(7887775.zip) to view correspondence from Transport
for London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative



______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.
The attachment name seems to vary, in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with a VirusTotal detection rate of 6/56 and 1/57. These two Hybrid Analysis reports [1] [2]  show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:

93.185.4.90:12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
93.185.4.90:12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM


These GET requests are a characteristic of Upatre/Dyre. 93.185.4.90 is allocated to C2NET, Czech Republic and I strongly recommend that you block it.

Those Hybrid Analysis reports also identify some botnet IPs and dropped files, which I suggest that you study if interested.



Friday 7 August 2015

Malware spam: "Sleek Granite Computer" / "saepe 422-091-2468.zip" / "nulla.exe"

What the heck is a Sleek Granite Computer? As clickbait it is kind of weird.. but perhaps interesting enough to get people to click on the malicious attachment is comes with.

From:    mafecoandohob [mafecoandohob@bawhhorur.com]
To:    Karley Pollich
Date:    7 August 2015 at 13:17
Subject:    Sleek Granite Computer

Good day!

If you remember earlier this week we discussed with You our new project which we intend to start next month.
For Your kind review we enclose here the business plan and all the related documents.
Please send us an e-mail in case You have any comments or proposed changes.
According to our calculations the project will start bringing profit in 6 months.
Thanks in advance.


Karley Pollich
Dynamic Response Strategist
Pagac and Sons
Toys, Games & Jewelery
422-091-2468
The only sample of this I had was malformed and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe.

This has a VirusTotal detection rate of 4/55 with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre / Dyre traffic pattern to:

195.154.241.208:12800/0608us12/6FsvE66Gy1/0/61-SP1/0/FDMBEFJBMKBEMM
195.154.241.208:12800/0608us12/6FsvE66Gy1/41/2/18/FDMBEFJBMKBEMM


This IP address belongs to Online SAS in France who seem to have hosted quite a bit of this stuff recently, the hostname identifies it as belonging to poneytelecom.eu. Traffic is also spotted to:

37.57.144.177 (Triolan / Content Delivery Network, Ukraine)
95.143.141.50 (LTnet, Czech Republic)


There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.

Recommended blocklist:
195.154.241.208
37.57.144.177
95.143.141.50

MD5:
9520d04a140c7ca00e3c4e75dd9ccd9f

Friday 17 July 2015

Malware spam: eFax message from "unknown" - 1 page(s), Caller-ID: 1-123-456-7890

This fake fax spam leads to malware:

From:    eFax [message@inbound.efax.com]
To:    administrator@victimdomain
Date:    17 July 2015 at 10:42
Subject:    eFax message from "unknown" - 1 page(s), Caller-ID: 1-357-457-4655



Fax Message [Caller-ID: 1-357-457-4655
You have received a 1 page fax at Fri, 17 Jul 2015 15:12:25 +0530.

* The reference number for this fax is atl_did1-1400166434-67874083637-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!


j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but hacked site at:

breedandco.com/fileshare/FAX-1400166434-707348006719-154.zip

The ZIP file has a detection rate of 6/55 and it contains a malicious exeuctable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55. Automated analysis [1] [2] [3] shows a characterstic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):

93.185.4.90:12325/ETK7/<MACHINE_NAME>/0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90:12325/ETK7/<MACHINE_NAME>/41/5/1/GKBIMBFDBEEE


This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip.dyndns.org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.

The malware reaches out to some other malicious IPs (mostly parts of a botnet):

93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)

Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55] and vastuvut.exe [VT 6/55].

Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106

MD5s:
777ea29053d4e3e4eeb5689523a5ed11
2cb619f59c10a9877b672d66ab17edf9
efa2887ab892c34a5025aa3f943f49a9
debfdeb9b14dda4ed068a73b78ce5a24

Thursday 16 July 2015

Malware spam: "Excelent job !" / "Good achievement !"

These spam emails appear to have randomly-generated text, which would account for the strange language.. and they come with a malicious attachment:

Date:    16 July 2015 at 12:53
Subject:    Excelent job !

Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
All the best.
Michelle Curtis Company management

---------------------

Date:    16 July 2015 at 11:53
Subject:    Good achievement !

Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
With the best regards.
Sharon Silva Company management 
Attached is a malicious Word document which in the two samples I saw was called
total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc


Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55. Inside the document is this malicious macro [pastebin], which (according to Hybrid Analysis) downloads several components (scripts and batch files) from:

thereis.staging.nodeproduction.com/wp-content/uploads/78672738612836.txt
www.buildingwalls.co.za/wp-content/themes/corporate-10/78672738612836.txt
www.buildingwalls.co.za/wp-content/themes/corporate-10/papa.txt


These are executed, then a malicious executable is downloaded from:

midwestlabradoodles.com/wp-content/themes/twentyeleven/qwop.exe

This has a VirusTotal detection rate of 8/55 and that report plus other automated analysis tools [1] [2]  phones home to the following malicious URLs:

93.185.4.90:12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90:12319/LE2/<MACHINE_NAME>/41/7/4/


That IP belongs to C2NET in the Czech Republic. It also send non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.

This malware drops the Dyre banking trojan.

Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction.com
www.buildingwalls.co.za
midwestlabradoodles.com

MD5s:
0582ed37ebb92da47fc2782e3228a4c5
ea0daafe232c6ffb8f783bb1f317fbf2

Wednesday 1 July 2015

Malware spam: "HMRC taxes application with reference L4TI 2A0A UWSV WASP received" / "noreply@taxreg.hmrc.gov.uk"

This fake tax spam leads to malware:

From     "noreply@taxreg.hmrc.gov.uk" [noreply@taxreg.hmrc.gov.uk]
Date     Wed, 1 Jul 2015 11:20:37 +0000
Subject     HMRC taxes application with reference L4TI 2A0A UWSV WASP received

The application with reference number L4TI 2A0A UWSV WASP submitted by you or your
agent to register for HM Revenue & Customs (HMRC) taxes has been received and will
now be verified. HMRC will contact you if further information is needed.

Please download/view your HMRC documents here: http://quadroft.com/secure_storage/get_document.html

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.d

If you have the correct browser agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly.." notice. If you have something else, a fake 404 page will be generated.
The page then forwards to the real HMRC login page but attempts to dump a malicious ZIP from another source at the same time.

In this case, the ZIP file was Document_HM901417.zip which contains a malicious executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55 (identified as the Upatre downloader).

Automated analysis [1] [2] [3] shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55.

The payload is almost definitely the Dyre banking trojan.

Monday 29 June 2015

Malware spam: "Payslip for period end date 29/06/2015" / "noreply@fermanagh.gov.uk"

This fake financial spam comes with a malicious payload:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    29 June 2015 at 11:46
Subject:    Payslip for period end date 29/06/2015

Dear [redacted]

Please find attached your payslip for period end 29/06/2015

Payroll Section

Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55. Automated analysis [1] [2] shows a file being downloaded from:

http://audileon.com.mx/css/proxy_v29.exe

That binary has a detection rate of just 2/55 [Malwr analysis] Also, Hybrid Analysis [1] [2] shows the following IPs are contact for what looks to be malicious purposes:

69.73.179.87 (Landis Holdings Inc, US)
67.219.166.113 (Panhandle Telecommunications Systems Inc., US)
212.37.81.96 (ENERGOTEL a.s./ Skylan s.r.o, Slovakia)
209.193.83.218 (Visionary Communications Inc., US)
67.206.96.30 (Chickasaw Telephone, US)
208.123.129.153 (Secom Inc , US)
91.187.75.75 (Servei De Telecomunicacions D'Andorra, Andorra)
84.16.55.122 (ISP Slovanet (MNET) Brezno, Czech Republic)
178.219.10.23 (Orion Telekom, Serbia)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
178.54.231.147 (PP Merezha, Ukraine)
75.98.158.55 (Safelink Internet, US)
67.206.97.238 (Chickasaw Telephone, US)
176.197.100.182 (E-Light-Telecom, Russia)
31.134.73.151 (Trk Efir Ltd., Ukraine)
188.255.241.22 (Orion Telekom, Serbia)
31.42.172.36 (FLP Pirozhok Elena Anatolevna, Ukraine)
67.207.228.144 (Southwest Oklahoma Internet, US)
176.120.201.9 (Subnet LLC, Russia)
109.87.63.98 (TRIOLAN / Content Delivery Network Ltd, Ukraine)
38.124.169.148 (PSINet, US)
80.87.219.35 (DSi DATA s.r.o., Slovakia)
195.34.206.204 (Private Enterprise Radionet, Ukraine)
93.119.102.70 (Moldtelecom LIR, Moldova)
184.164.97.242 (Visionary Communications Inc., US)

I am unable to determine exactly what the payload is on this occassion.

Recommended blocklist:
69.73.179.87
67.219.166.113
212.37.81.96
209.193.83.218
67.206.96.30
208.123.129.153
91.187.75.75
84.16.55.122
178.219.10.23
194.28.190.84
83.168.164.18
178.54.231.147
75.98.158.55
67.206.97.238
176.197.100.182
31.134.73.151
188.255.241.22
31.42.172.36
67.207.228.144
176.120.201.9
109.87.63.98
38.124.169.148
80.87.219.35
195.34.206.204
93.119.102.70
184.164.97.242

MD5s:
71a42eaac6f432c8dc04465c065e48e1
4009cd042071c81ce9c1aaa13ac046f2


Wednesday 24 June 2015

Malware spam: "Considerable law alternations" / "excerptum_from_the_implemented_rule.zip" / "Pamela Adams"

This fake legal spam comes with a malicious payload:
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations

Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above  .
Pamela Adams
Chief accountant

In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55.

Automated analysis tools [1] [2] [3] show malicious traffic to the following IPs:

93.185.4.90 (C2NET Przno, Czech Republic)
216.16.93.250 (Clarity Telecom LLC / PrairieWave, US)
195.34.206.204 (Radionet, Ukraine)
75.98.158.55 (Safelink Internet , US)
185.47.89.141 (Orion Telekom, Serbia)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
85.192.165.229 (Rostelecom / VolgaTelecom, Russia)
178.222.250.35 (Telekom Srbija, Serbia)

The Malwr report and Hybrid Analysis report indicate a couple of  dropped files, gebadof.exe (VT 2/55 - identical to the initial file) and qppwkce.exe (VT 3/55). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.

Recommended blocklist:
93.185.4.90
216.16.93.250
195.34.206.204
75.98.158.55
185.47.89.141
83.168.164.18
85.192.165.229
178.222.250.35

MD5s:
a85849c45667805231f2093e2eabe89d
e91e0424ac23193461c57ac1046e7dc1

Tuesday 17 February 2015

An analysis of reported Equation Group IP ranges and domains

There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks [1] [2] [3] [4].

Securelist (in conjunction with Kaspersky) published a list of domains and IPs to do with this malware, but with very little information about where they were hosted. After all, if they a hosted in a shed next to the bus station in Tiraspol or some underground complex buried under Wutong Mountain, then it's a rather different proposition from some secretive organisation in Washington DC.

Securelist post a number of hardcoded IPs as well as some domain names. Kaspersky have sinkholed some of the domains, and I can see one other active sinkhole. At least one of the domains is parked. Some of the domains look like they are not in use.

The data I collected can be found here, but before you use any of it, I will explain in more detail so you can use it prudently.

There are several web hosts and networks involved, all over the world. Some seem to have a higher certainty of involvement than others. In most cases, the Equation Group have rented a bunch of servers with contiguous IP addresses (I call this the "Equation Range") which is the one that I recommend you monitor. Some web hosts have other suspect IP addresses in the same neighbourhood, but in order to keep things simple I am not going into that.

(Updated 18/2/15 to remove an OpenDNS sinkhole and add 41.222.35.70)

FLAG Telecom / Reliance Globalcom

62.216.152.64/28
80.77.2.160/27
80.77.4.0/26

Allegedly a partner of the NSA and GCHQ, these IP addresses appear to be in the UK, US and Egypt (I would doubt the accuracy of the WHOIS data for the last one). In addition to apparently hardcoded IPs, they also host:

team4heat.net
forgotten-deals.com
phoneysoap.com
cigape.net
mimicrice.com
charmedno1.com
functional-business.com
rehabretie.com
advancing-technology.com
crisptic01.net
tropiccritics.com
cribdare2no.com
following-technology.com
teatac4bath.com

Verizon

194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
202.95.84.32/27
210.81.52.96/27
212.177.108.192/27

Another company with a long history with the NSA, these Verizon IPs are all located outside the United States, specfically the Netherlands, Singaporre, Japana and Italy. In addition to hardcoded IPs, they are hosting:

honarkhaneh.net
meevehdar.com
parskabab.com
ad-noise.net
ad-void.com
aynachatsrv.com
damavandkuh.com
fnlpic.com
monster-ads.net
nowruzbakher.com
sherkhundi.com
quickupdateserv.com
goodbizez.com
www.dt1blog.com
www.forboringbusinesses.com
timelywebsitehostesses.com
technicads.com
darakht.com
ghalibaft.com
adservicestats.com
downloadmpplayer.com
honarkhabar.com
techsupportpwr.com
webbizwild.com
zhalehziba.com

Global Telecom & Technology Americas Inc. / Cogent / PSInet

149.12.71.0/26

This Cogent customer has at least four different IPs hosting Equation Group servers. The following domains are hosted:

avidnewssource.com
rubi4edit.com
listennewsnetwork.com
unite3tubes.com

Colombia: Alfan Empaques Flexibles S.A. / Columbus Networks / IFX Networks / Terremark

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
190.60.202.0/28
190.60.202.0/28

The relationship between the US and Colombia is difficult, with the former spying on the latter extensively. Why there should be a cluster of servers in Colombia connected with this is a mystery. In addition to hardcoded IPs, the following domains are hosted in Colombia:

selective-business.com
technicalconsumerreports.com
technicaldigitalreporting.com
technology-revealed.com
melding-technology.com

Czech Republic: Master Internet / IT-PRO / 4D Praha

81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27

A group of three internet companies (possibly using the same infrastructure) also appear to be involved. All these IPs appear to be in the city of Brno, which is also home to the Czech National Cyber Security Center. Coincidence? The following domains can be found on Czech IPs in addition to hardcoded addresses:

islamicmarketing.net
noticiasftpsrv.com
coffeehausblog.com
platads.com
nickleplatedads.com
arabtechmessenger.net

Spain: Terremark / GTT Global Telecom

84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28


Terremark also provide hosting services for Equation in Colmbia, and of course Spain is a long-time ally of the United States and United Kingdom. Web sites hosted:

businessedgeadvance.com
business-made-fun.com
rampagegramar.com
unwashedsound.com
businessdealsblog.com
industry-deals.com
itemagic.net
posed2shade.com
slayinglance.com
rubiccrum.com
rubriccrumb.com

Netherlands: Tripartz-Atrato / IX Reach / Claranet / FiberRing

212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109

In addition to Verizon, four other Netherlands companies are hosting Equation Group servers. The Netherlands is another long-time ally of the US and UK.

arm2pie.com
businessdirectnessource.com
housedman.com
taking-technology.com
micraamber.net
charging-technology.com
brittlefilet.com
dowelsobject.com
speedynewsclips.com

Malaysia: Piradius NET

124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29

Often appearing to be a "go-to" company if you want to set up a Black Hat reseller, these domains and IPs look like they have been picked up as part of a commercial offering.

roshanavar.com
adsbizsimple.com
bazandegan.com
amazinggreentechshop.com
foroushi.net
technicserv.com
afkarehroshan.com
thesuperdeliciousnews.com
sherkatkonandeh.com
mashinkhabar.com

Other ranges and hosts

  • RACSA in Costa Rica hosts customerscreensavers.com and xlivehost.com on 196.40.84.8/29.
  • EasySpeed in Denmark hosts  quik-serv.com and goldadpremium.com on 82.103.134.48/30.
  • Cyber Cast International in Panama hosts havakhosh.com and toofanshadid.com on 200.115.174.254.
  • EM Technologies in Panama hosts technicupdate.com and rapidlyserv.com on 201.218.238.128/26.
  • INET in Thailand hosts globalnetworkanalys.com on 203.150.231.49 with an apparently hardcoded IP of 203.150.231.73 in use as well.
  • American Internet Services hosts suddenplot.com on 207.158.58.102.
  • GoDaddy hosts serv-load.com and wangluoruanjian.com on 97.74.104.208.
  • Quadranet / GZ Systems hosts fliteilex.com plus some other questionable domains on 67.215.237.104/29.
  • Vegas Linkup LLC hosts standardsandpraiserepurpose.com on 209.59.42.97.
  • Vox Telecom in South Africa hosts mysaltychocolateballs.com on 41.222.35.70 having previously hosted forboringbusinesses.com.
In all the following network blocks and IPs appear to be hosting servers connected to the Equation Group:

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
69.42.114.96/28
196.40.84.8/29
81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27
82.103.134.48/30
80.77.2.160/27
84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28
212.177.108.192/27
210.81.52.96/27
124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29
212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109
194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
200.115.174.254
201.218.238.128/26
202.95.84.32/27
203.150.231.49
203.150.231.73
62.216.152.64/28
207.158.58.102
149.12.71.0/26
80.77.4.0/26
97.74.104.208
67.215.237.104/29
209.59.42.97
41.222.35.70

I recommend that you look at the data before you do drastic things with these IP ranges.

Now, I don't know for certain that this malware is a government actor, but the IP address indicate that whoever it is has a relationship with these companies (especially Verizon). That certainly feels like a state actor to me..

Thursday 7 August 2014

Aggressive scumbag spammers strike again

The very aggressive scumbag snowshoe spammers [1] [2] [3] [4] [5] strike again, this time burning through a bunch of email servers belonging to Serverel Corp in the Czech Republic:

IPs:
109.206.177.121
109.206.177.122
109.206.177.123
109.206.177.124
109.206.177.125
109.206.177.126

Spamvertised domains:
newfreecredit.com
here-medicaresignup.com
lean-slim-down.com
best-cheap-ins.com
oddmiracle.com
true-refihouse.com

Subjects:
RE: Your TransUnion Score may have recently changed.
Hey, Unhappy with your Plan? Notice #3550165
Re: Foreskolin - Recently featured on The Dr. Oz Show. Order: 22232150
Fwd: Your AutoInsurance-Policy can be lower. Notice #20768701
Fwd: 5 Diseases You Thought Couldn't Be Cured, See Article 24300322
Fwd: How much can you save by lowering our house payment?

Domain registration details:
Registrant Name: BENITA DUFFY
Registrant Organization: MARY KIMBREL
Registrant Street: 1031 WOODLEY RD
Registrant City: MONTGOMERY
Registrant State/Province: AL
Registrant Postal Code: 36106
Registrant Country: US
Registrant Phone: +1.3348343223
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: benitaduffy918@yahoo.com


UPDATE 1:

More from the same spammer, same host but different IP range:

IPs:
109.206.177.151
109.206.177.152
109.206.177.153
109.206.177.154
109.206.177.155
109.206.177.156

Spamvertised domains:
foxy-russianbrides.com
fine-walkintubs.com
many-asianbrides.com
near-enroll-medicare.com
easy-vinylsiding.com
all-rent2own.com

Subjects:
Re: Ilsa, Sasha, Sonya and others want to say Hello
Hey, Learn about the Versatility of a Walk in Bathtub Message: 7541884
Fwd: It's Communication Week. Ting and her friends want to say Hi No: 13142142
Hey, Attention: Medicare Open Enrollment Begins Soon Notice: 12453216
Hey, Help your home keep its value Tip: 21978846
Hi, Stop paying rent! Pymts can go toward owning Notice: 11516529

UPDATE 2:

Yet more but from a different Serverel range..

IPs:
109.206.177.194
109.206.177.195
109.206.177.196

Domains:
woodsurface.com
true-harp-save.com
star-auto-ins.com

Example subjects:
Re: Garage Floor Coatings before Winter Rain and Snow
Fwd: Save Thousands on Your Home Loan. Rpt: 1400334
Re: Are you overpaying for your auto insurance? Msg ID.11929129

And now a batch from Nforce IPs who were seen yesterday, but these are different servers..

IPs:
109.201.148.82
109.201.148.90
109.201.148.178
109.201.148.179

Domains:
protect-home-surfaces01.mobi
instant-oninebackgrounds101.mobi
how-low-mortgage-go.mobi
right-plan-medicare101.mobi

Example subjects:
Garage Floor Coatings before Winter Rain and Snow
Fwd: Safety Notice: Can you trust your friends? Notice: 23746989
Fwd: Save Thousands on Your Home Loan. Rpt: 1455838

These domains have a new fake registrant:
Registrant ID:aab597ea681630c5
Registrant Name:Zoe Clemons
Registrant Organization:n/a
Registrant Street1:21257 N Black Canyon Hwy
Registrant City:Phoenix
Registrant State/Province:AZ
Registrant Postal Code:85027
Registrant Country:US
Registrant Phone:+1.6234347727
Registrant Email:zoeclemons906@yahoo.com

Monday 21 July 2014

Something evil on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic)

Here another bunch of Cushion Redirect sites closely related to this attack a few weeks ago but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the redirect in action in this URLquery report and VirusTotal has a clear indication of badness on this IP.

All the sites are hijacked subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer. Domains in use are:

e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia


To give credit to the owners of dora-explorer.co.uk, they have spotted that something is wrong, although it looks like the nameservers of their webhost (eu1.downtownhost.com and eu2.downtownhost.com) are improperly secured.


A full list of all the subdomains I can find is here [pastebin] but I would recommend applying a temporary block to these domains until the webhost secures them, although the most effective way of securing your network is to permablock 188.120.198.1.

Recommended blocklist:
188.120.198.1
e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia

UPDATE: It definitely appears that downtownhost.com have not secured their nameservers as a few more customer sites are being abused in this way. It appears that the attackers are going through downtownhost.com's customers in alphabetical order. For example, the following subdomain are in use:

dfmgjne934eod8khquq1axg.elluse.com
280pfzhnb4usz3hajazvtlw.eaila.com
zefh96abfex1r32md0jdh7p.e-oman.me

Additional sites to block:
elluse.com
eaila.com
e-oman.me

UPDATE 2: it looks like downtownhost.com have fixed the problem. These recently-flagged domains can now be considered to be safe.

4-cheap.co.uk
aandelenblog.be
apteka-erekcja.pl
arcadehaven.co.uk
bewegwijzeringborden.nl
bitfrog.co.uk
carpediemcosmetics.de
cewh-cesf.ca
charlie-lola.co.uk
check-email.org
cialis25.pl
cialis25.pl
clashofclanshackdownload.com
deepfryershop.co.uk
designwonen.be
dora-explorer.co.uk
eaila.com
elluse.com
e-meskiesprawy24.com.pl
e-meskiesprawy24.pl
e-oman.me