Sponsored by..

Showing posts with label Estonia. Show all posts
Showing posts with label Estonia. Show all posts

Monday, 3 August 2015

Malware spam: "E-bill : 6200228913 - 31.07.2015 - 0018" / "noreply.UK.ebiller@lyrecobusinessmail.com"

This fake financial spam does not come from Lyreco but is instead a simple forgery with a malicious attachment:

From:    noreply.UK.ebiller@lyrecobusinessmail.com
Date:    2 August 2015 at 03:00
Subject:    E-bill : 6200228913 - 31.07.2015 - 0018

Dear customer,

Please find enclosed your new Lyreco invoicing document nA^° 6200228913 for a total amount of 43.20 GBP, and
due on 31.08.2015

We would like to remind you that all of your invoices are archived electronically free of charge and can be reviewed by

you at any time.

For any questions or queries regarding your invoices, please contact Customer Service on Tel : 0845 7676999*.

Your Lyreco Customer Service

*** Please do not reply to the sender of this email.
This e-mail, including any attachments to it, may contain company confidential and/or personal information.
If you have received this e-mail in error, you must not copy, distribute, or disclose it, use or take any action based on the
information contained within it.

Please notify immediately by return e-mail of the error and then delete the original e-mail by replying to
wise.cs.iqt@lyreco.com ***
The attachment is named 0018_6200228913.docm which contains a malicious macro like this one [pastebin]. So far I have seen three different variants (Hybrid Analysis reports [1] [2] [3]) which then go and download a malicious binary from one of the following locations:

orpigagny.com/w45r3/8l6mk.exe
audiobienentendre.fr/w45r3/8l6mk.exe
immobilier-roissyenbrie.com/w45r3/8l6mk.exe


All of these sites are hosted on 94.23.55.169 (OVH, France). The binary has a detection rate of 4/55. This Malwr report shows it phoning home to 46.36.219.141 (FastVPS, Estonia). The payload is probably the Dridex banking trojan.

Recommended blocklist:
46.36.219.141
94.23.55.169


MD5s:
939EE3B203B79F6422EF4A96FDE11393
1C76B4A8CFA4227DCFCF0FD2C2C4BA37
D0EC5C08C0A7F744C620CFA28F96521E
147D2E6E2D5903FE694DDC59BCB55DD0


Wednesday, 13 May 2015

Malware spam: "Need your attention,''Important notice" / "Financial information" / "Important information"

This mix of spam messages come with a malicious attachment:

From:    Johnny Higgins [JohnnyHigginsyb@mail.whitsoncm.com]
To:    "it-dept@victimdomain"
Date:    13 May 2015 at 11:39
Subject:    Need your attention,''Important notice

Good Afternoon,

We have received a payment from you for the sum of £ 686.  Please would you provide me with a remittance, in order for me to reconcile the statement.

I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1564  less the £3254.00 received making a total outstanding of £ 878.  We would very much appreciate settlement of this.

As previously mentioned, we changed entity to a limited company on 1st December 2014.  We are keen to close all the old accounts down, for both tax and year end reasons.  We would be very grateful in your assistance in settling the outstanding.

If you need any copy invoices please do not hesitate to contact us

Regards,

Johnny Higgins

--------------------------

From:    Rowena Mcconnell [RowenaMcconnellev@telemar.it]
To:    tedwards@victimdomain
Date:    13 May 2015 at 11:38
Subject:    Financial information

Good Afternoon,

Please see attached the copy of the remittance.

Please can you send a revised statement so we can settle any outstanding balances.

Kind Regards,

Rowena Mcconnell

--------------------------

From:    Jimmie Cooley [JimmieCooleyzils@fsband.net]
To:    server@victimdomain
Date:    13 May 2015 at 11:34
Subject:    Important information

Good morning

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Jimmie Cooley
Seniour Finance Assistant

Each attachment is slightly different, but does contain the name of the recipient plus a random number (e.g. it-dept_0E78A3A5700B.doc). The payload is meant to be a multi-part MIME file, but many are corrupt and are either Base 64 encoded or are "404 Not Found" files.

If the file is correctly format, it should behave similarly to this Hybrid Analysis report, which says that it connects to several different IPs, but crucially also it downloads a malicious executable from 91.226.93[.]110/bt/get1.php (Sobis, Russia) and saves it as crypted.120.exe.

This malicious executable has a detection rate of 2/56 and the Malwr report says that it communicates with 46.36.217.227 (FastVPS, Estonia) and drops a Dridex DLL with a detection rate of 22/56.

Recommended blocklist:
46.36.217.227
91.226.93.110

MD5s:
9afecfaa484c66f2dd11f2d7e9dc4816
d2f825ecfb3d979950b9de92cbe29286



Tuesday, 12 May 2015

Malware spam: "ATTN: Outstanding Invoices - [4697E0] [April|May]"

This spam comes with random senders and reference numbers, but in all cases includes a malicious attachment:

From:    Debbie Barrett
Date:    12 May 2015 at 11:14
Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]

Dear anthony,

Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.

Kind regards
The attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.

First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu

Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.

This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.

There are several different attachments, so far I have seen the following MD5s:
110B42E097A7677A993CF1B3B24743D8
20AEB9ECEBC26B3CDE960728E890F904
33A8CBE7B75B20B5EA1069E3E2A13D80
3973E29F7BDC7903FFCB596B10F9FD54
7019D711AE0E2FEDEE25EAA3341CFB7F
949816F4DF724E690690B3C8AD3871D4
9CDEFFBAC7B79302D309404E6F3068C4
B5C2393D44D8E0C94D04E2D159AE8776
B84D52F59AEC53B8D7FA109D256FCB6B
CA5E8A531A8EE24B15FC7B2A66502042
E99216D829C632DF24ECAD9162AF654C
EC1AD4316DBA799EF2E2440E715CD5F5
F4B5B0AE85F27E0A475BD359F5BE76E8
F666682D638FE67607DD189705844AD5

The MD5s for the malware components are:
DD7ADC5B140835DC22F6C95694F9C015
9AFECFAA484C66F2DD11F2D7E9DC4816
838F0A8D3FCBD0DDB2F8E8D236D17957

Recommended blocklist:
92.63.88.0/24
46.36.217.227


Monday, 11 May 2015

Malware spam: "Payment details and copy of purchase [TU9012PM-UKY]"

I haven't really had time to analyse this, so I am using the analysis of an anonymous source (thank you)..

From:    Kristina Preston [Kerry.df@qslp.com]
Date:    11 May 2015 at 12:56
Subject:    Payment details and copy of purchase [TU9012PM-UKY]

Dear [redacted]

On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Kristina Preston
Brewin Dolphin
The names and references change between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is a some sort of MIME file containing a mixture of HTML and Base64-encoded segments.

My source has analysed that this downloads a VBS file from Pastebin at pastebin[.]com/download.php?i=FsYQqTaj which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia)

This binary has a detection rate of 2/56 and according to automated analysis tools [1] [2] it communicates with:

46.36.217.227 (FastVPS, Estonia)

It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56.

Recommended blocklist:
46.36.217.227
91.226.93.14

Friday, 17 April 2015

Malware spam: "Julie Mckenzie [julie0526@swift-cut.co.uk]" / "Credit Card Statement"

This spam does not come from Swift Cut, but is instead a simple forgery with a malicious attachment:

From:    Julie Mckenzie [julie0526@swift-cut.co.uk]
Date:    17 April 2015 at 12:24
Subject:    Credit Card Statement

Hi
Attached your credit card statement.
Can you return with receipts by Friday 17th April.
Thanks
Julie
 
Julie McKenzie
Sales Administrator
Tel +44 (0)1543 473300
E-mail julie@swift-cut.co.uk
Attached is a file C Swift Credit Card.doc which comes in at least four different versions, all of which are malicious and all of which have a macro similar to this one [pastebin].

These macros download a file from one of the following locations:

http://oolagives.com/24/733.exe
http://derekthedp.com/24/733.exe
http://sempersleep.com/24/733.exe

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54 (identified clearly as a Dridex component). Automated analysis [1] [2] [3] [4] shows that it attempts to communicate with:

46.36.219.32 (FastVPS, Estonia)


I recommend that you block traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53.

MD5s:
6c784bec892ce3ef849b1f34667dccac
ec35660657404295a78d8d1bcb1f1071
89b87b7c5c38039a4a46060f00a1ec37
40862ce3abb02d69ec31b8a1b62fef95
59fe482009fecc8761809a9c974a143e
f840f9075a178ab579ed2e4c622bc291


Friday, 27 June 2014

Vladimir Tsastsin sentenced to 6 years, 4 months in jail

A search of the office of Vladimir Tšaštšini
Photo: Jassu Hertsmann
Source: DELFI.ee
Sometimes the wheels of justice work very slowly. Back in 2011 I mentioned that Vladimir Tsastsin had been arrested in Estonia - the kingpin of EstHost, EstDomain and Rove Digital among other criminal enterprises, Tsastsin and his accomplices were responsible for a great deal of illegal activity in the past decade.

In this case a Court of Appeal in Estonia handed down a prison sentence of 6 years 4 months to Vladimir Tsastsin, and his accomplices were jailed from ranges of 1 year 10 months to 3 years 10 months or fined up to €100,000.

A full report of the sentences can be found here (in Estonian) or autotranslated below:

The circuit court sentenced Vladimir küberkurijategija Tšaštšini more than six years in prison


www.DELFI.ee
June 26, 2014 16:38
                    

The District Court sentenced today Tšaštšini Vladimir and his associates guilty of large scale money laundering activities of criminal association.

The Court of Appeal overturned the decision today, Harju County Court judgment of 20 December 2013, was sentenced to Vladimir Tšaštšin, Valentina Tšaštšina, Timur Gerassimenko, Dmitri Egorov, Konstantin Poltev, Oak Development LLC, Credit Union Ltd., IT Consulting, LLC and Infradata Novatech Ltd, and the case acquitted new decision, which ordered all parties guilty of large scale money laundering activities of criminal association.

Dmitri Egorov, Konstantin Poltev Novatech Ltd, and was convicted of a criminal offense as facilitators. Vladimir Tšaštšin was convicted in a criminal organization, the organization and management.

Do not subject to being sentenced to the penalty of Vladimir Tšaštšinile 6 years and 4 months and 6 days in prison.

Valentina Tšaštšinale sentenced to 3 years 10 months in prison, Timur Gerassimenkole 1 year, 10 months and 9 days, Dmitri Jegorov 1 year and 8 days, Konstantin Poltevile two years and eight days in prison.

Oak Development LLC, was sentenced to a financial penalty of 100,000 euros, Credit Union Ltd. for 60,000 euros, Infradata OÜ 40,000 euros, IT Consulting for 20,000 euros and Novatech LLC for 20,000 euros. Also convicted were confiscated criminal assets.

The indictment accused Parties Act to the greatest extent in money laundering and criminal organization.

The District Court denied the position of the county in which the county court held that the predicate offense, or computer crimes are not shown because there is no final judicial decision in this regard.

The District Court found that the purpose is not a final judicial decision is required, it is sufficient if there is evidence that a predicate offense has been committed. Proved the predicate offenses being committed U.S. indictment and other evidence gathered in the matter.

The Court of Appeal found that there was no malicious software downloads computer users to consent because there is no evidence that computer users have agreed to the installation of malware on their computer, and the relevant provisions of the amendment.

It also disagreed with the district court of the county's position that the prosecution has violated the principle of prohibition of double punishment because the parties have been charged in the money laundering and criminal organization, but the U.S. indictment accused the parties of computer crimes. Thus, making various allegations.

The decision can be challenged in the Supreme Court within 30 days, said a spokesman for the Tallinn Administrative Court and the District Court.

Monday, 4 November 2013

CCDCOE.org "Information Security Audit" spam

Here's a weird spam email..

From: CCDCOE [mailto:ccdcoe@ccdcoe.org]
Sent: Monday, November 04, 2013 12:16 PM
Subject: Information Security Audit


Dear Sir,

I am writing to inform you that NATO Cooperative Cyber Defence Centre of Excellence
conducted an information security audit of the network infrastructureof your organization. It
was carried out as part of exercise Steadfast Jazz 2013.

Our specialists have obtained access to theprivate network and the administration panel of the
website of your organization.

The level of information security of your organization does not meet the requirements of
NATO cyber security guidelines.

It is strongly recommended that you pay attention to this fact.

For more information you should contact NATO Cooperative Cyber Defence Centre of
Excellence.


Sincerely,

Col. Artur Suzik
Director,NATO Cooperative Cyber Defence Centre of Excellence


E-mail: ccdcoe@ccdcoe.org
Phone: +3727176800
Fax: +3727176308
Adress: Filtri tee 12, Tallinn 10132, Estonia

The email was sent to a target in Estonia, and the CCDCOE is a genuine NATO facility, also located in Estonia. The domain, telephone and fax number all appear genuine, and there are no attachments to the email nor are there any links.

However, the email is not genuine as it comes from 213.157.216.139 which is a Caucasus Online LLC ASDL subscriber in Georgia. Caucasus Online IPs are often seen in conjunction with botnets, so this is almost definitely a botnet node. The CCDCOE logo used in the email is also out of date.

A close examination of the mail headers shows that some of them have been faked in order to spoof an originating IP of 217.146.66.99 in Estonia.

Received: from dvb35.srv.it.ge (HELO dvb35.srv.it.ge) (213.157.216.139)
  by [redacted] with SMTP; 4 Nov 2013 10:15:35 -0000
Received: mx1.zone.ee (HELO ccdcoe.org) ([217.146.66.99])  by
 dvb35.srv.it.geL with ESMTP; Mon, 4 Nov 2013 12:01:08 +0200

Received: by ccdcoe.org (Postfix, from userid 309) id fu73vb6de6220; Mon, 4 Nov
 2013 12:00:45 +0200
Received: from 10.1.1.218 (10.1.1.218:35781)    by ccdcoe.org (Postfix) with SMTP
 id gkuuqe31b7s45.9.2013.11.04.59.56;    Mon, 4 Nov 2013 11:59:06 +0200
Message-ID: <20130e3f74d2.4353bd02@user>
From: "CCDCOE" <ccdcoe@ccdcoe.org>
To: [redacted]
Subject: Information Security Audit
Organization: CCDCOE


I can't figure out the purpose of this message, but it is almost definitely malicious. Perhaps there is a second part to this why has not been seen yet?




Wednesday, 12 June 2013

Malware sites to block 12/6/13

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:
5.175.157.110 (GHOSTnet, Germany)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal Communication Tech. Co., China)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
46.165.248.117 (Leaseweb, Germany)
49.212.221.29 (Sakura Internet Inc., Japan)
50.56.216.124 (Rackspace, US)
50.57.166.222 (Slicehost, US)
59.42.10.172 (Guangdong Tuosi Software Science Garden, China)
67.159.12.94 (FDCservers, US)
67.202.109.141 (Steadfast Networks, US)
67.215.2.251 (Colo-Serv Communications, Canada)
77.237.190.22 (Parsun Network Solutions, Iran)
81.252.120.250 (Collectivit Locale , France)
83.136.249.108 (Sigmatic Oy, Finland)
85.17.178.56 (Leaseweb, Netherlands)
85.26.31.60 (Brutele SC, Belgium)
85.201.12.244 (Brutele SC, Belgium)
86.84.0.11 (Planet Technologies, Netherlands)
88.80.222.73 (Alfahosting, Germany)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
95.143.41.16 (Inline Internet / VPS4less, Germany)
95.170.95.142 (TransIP, Netherlands)
109.95.23.4 (Kvartal Plus Ltd, Russia)
109.129.225.68 (Belgacom / Skynet, Belgium)
110.78.147.173 (CAT Telecom, Thailand)
111.93.156.171 (Tata Teleservices, India)
112.170.169.56 (Korea Telecom, Korea)
114.4.27.219 (IDIA Kantor Arsip MKS, Indonesia)
116.3.3.200 (China Unicom, China)
119.147.137.31 (China Telecom, China)
141.28.126.201 (Hochschule Furtwangen, Germany)
143.107.220.160 (Universidade De Sao Paulo, Brazil)
151.1.224.118 (ITnet, Italy)
159.90.91.179 (Universidad Simon Bolivar, Venezuela)
159.253.18.253 (FastVPS, Estonia)
160.75.169.49 (Istanbul Technical University, Turkey)
164.77.149.237 (Isapre Banmedica, Chile)
172.8.24.9 (Angela Curtolo DBA / AT&T, US)
172.246.16.27 (Enzu Inc, US)
177.84.128.54 (Informática Ltda, Brazil)
177.86.131.18 (Prime Telecomunicacoes Ltda, Brazil)
177.124.195.202 (Mundivox Do Brasil Ltda, Brazil)
178.16.216.66 (Gabrielson Invest AB, Sweden)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech / Beam Telecom, India)
184.82.115.37 (HostNOC, US)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
187.33.48.12 (GTi Telecomunicacoes Ltda, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
192.64.80.143 (Interserver, US)
192.210.216.90 (ColoCrossing, US)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.199.93.55 (Digital Ocean, US)
200.3.153.91 (Pontificia Universidad Javeriana, Colombia)
200.87.177.124 (EntelNet, Bolivia)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
202.29.242.249 (UniNet, Thailand)
202.31.139.173 (Kum Oh National University Of Technology, Korea)
203.64.69.52 (Taiwan Academic Network, Taiwan)
203.157.216.77 (Information Technology Office, Thailand)
208.68.36.11 (Digital Ocean, US)
210.42.103.141 (Wuhan Urban Construction Institute, China)
213.74.79.236 (Superonline, Turkey)
216.172.102.230 (EBL Global Networks, US)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Plain IPlist for copy-and-pasting:
5.175.157.110
41.89.6.179
42.62.29.4
46.18.160.86
46.165.248.117
49.212.221.29
50.56.216.124
50.57.166.222
59.42.10.172
67.159.12.94
67.202.109.141
67.215.2.251
77.237.190.22
81.252.120.250
83.136.249.108
85.17.178.56
85.26.31.60
85.201.12.244
86.84.0.11
88.80.222.73
93.89.235.13
95.143.41.16
95.170.95.142
109.95.23.4
109.129.225.68
110.78.147.173
111.93.156.171
112.170.169.56
114.4.27.219
116.3.3.200
119.147.137.31
141.28.126.201
143.107.220.160
151.1.224.118
159.90.91.179
159.253.18.253
160.75.169.49
164.77.149.237
172.8.24.9
172.246.16.27
177.84.128.54
177.86.131.18
177.124.195.202
178.16.216.66
181.52.237.17
183.82.221.13
184.82.115.37
186.215.126.52
188.32.153.31
187.33.48.12
190.93.23.10
192.64.80.143
192.210.216.90
193.254.231.51
196.1.95.44
198.199.93.55
200.3.153.91
200.87.177.124
201.65.23.153
202.29.242.249
202.31.139.173
203.64.69.52
203.157.216.77
208.68.36.11
210.42.103.141
213.74.79.236
216.172.102.230
217.174.211.1
222.200.187.83

Identified malicious domains:
abacs.pl
autotradeguide.net
avastsurveyor.com
balckanweb.com
biati.net
bnamecorni.com
businessdocu.net
buyparrots.net
citysubway.net
cocainism.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
diodmobilered.com
docudat.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
fastkrug.ru
federal-credit-union.com
freemart.pl
freenico.net
genown.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
hiddenhacks.com
historuronded.com
icensol.net
ingrestrained.com
inutesnetworks.su
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
lorganizedcue.com
ludena.ru
mantuma.pl
marvelfilms.net
mortolkr4.com
mslatearrival.com
multipliedfor.com
myhispress.com
nipiel.com
nvufvwieg.com
onlinedatingblueprint.net
otoperhone.com
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
privat-tor-service.com
proxy-tor-service.com
relectsdispla.com
relectsdispla.net
reportingglan.com
safe-browser.biz
safe-time.net
salesplaytime.net
secondfiddleu.com
securepro7.ru
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
smurfberrieswd.su
sngroup.pl
solarmiracles.net
techno5room.ru
televisionhunter.com
testerpro5.ru
thinkindi.net
tor-connect-secure.com
trleaart.net
twinkniche.net
twintrade.net
ukbarbers.net
unixawards.net
usergateproxy.net
usforclosedhomes.net
vip-proxy-to-tor.com
well-tailored.net
wmlawoffice.net
yelpwapphoned.com

Thursday, 10 November 2011

Rove Digital and Vladimir Tsastsin busted.

If you work in IT Security, you'll probably remember the names EstDomains and EstHost, part of a criminal organisation called Rove Digital headed by Vladimir Tsastsin (pictured).

Finally, the FBI and Estonia authorities have arrested Tsastsin and some of his associates, and have effectively ended one of the biggest organised crime rings around.

The good guys are no doubt celebrating that the online world is just a little bit safer today.. read more at Brian Krebs's blog.