Sponsored by..

Showing posts with label Germany. Show all posts
Showing posts with label Germany. Show all posts

Monday, 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*


Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249

Tuesday, 18 July 2017

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity
   
   
ACCOUNT NO
******969    
   
Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

       
    Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.
   
       
If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

   
Spam Policy   |  Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.


In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]
The secondis a malicious Word document, in this case named 11969_201727.doc. Opening it comes up with a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), downloading a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] with the others shows potentialy malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)


Malware delivered in this was is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95




Monday, 5 June 2017

Malware spam: "John Miller Limited" / "Invoice"

This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does not match the company being spoofed, and varies from message to message.

From:    Felix Holmes
Date:    5 June 2017 at 10:20
Subject:    Invoice


Regards



Felix Holmes

cid:image001.jpg@01D00F00.660A92D0
Kirkburn Ind. Estate
Lockerbie
Dumfries and Galloway
DG11 2FF

Tel – 01576 208 741 (Accounts) 01576 208 747 (Main line)
Fax – 01576 208 748
Ext – 1008/1006
‘’New Website launched 30.05.2014 – visit www.[redacted].uk’’


Attached is a PDF file with a name similar to A4 Inv_Crd 914605.pdf - opening it up (NOT recommended) displays something fairly minimal.

The attachment currently has a detection rate of about 9/56. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis shows the malicious file downloading a component from cartus-imprimanta.ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other variants possibly exist.


A file is dropped (in the HA report called miniramon8.exe) at detection rate of 11/61. According to the Hybrid Analysis report, that attempts tom communicate with the following IPs:

192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)


The payload is not clear at this time, but it will be nothing good.

Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177



Tuesday, 2 May 2017

Malware spam: DHL Shipment 458878382814 Delivered

Another day and another fake DHL message leading to an evil .js script.

From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
To: [redacted]
Subject: DHL Shipment 458878382814 Delivered

You can track this order by clicking on the following link:
https://www.dhl.com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother

Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.

All weights are estimated.

The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.

This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.

Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.

In this case the link goes to parkpaladium.com/DHL24/18218056431/  and downloads a file DHL-134843-May-02-2017-55038-8327373-1339347112.js which looks like this.

According to Malwr and Hybrid Analysis the script downloads a binary from micromatrices.com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38  - UK2, UK) and then subsequently attempts communication with

75.25.153.57 (AT&T, US)
79.170.95.202 (XL Internet Services, Netherlands)
87.106.148.126 (1&1, Germany)
78.47.56.162 (Mediaforge, Germany)
81.88.24.211 (dogado GmbH, Germany)
92.51.129.235 (Host Europe, Germany)
74.50.57.220 (RimuHosting, US)


The dropped binary has a VirusTotal detection rate of 10/60.

Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220

Wednesday, 19 April 2017

Malware spam: "Copy of your 123-reg invoice" / no-reply@123-reg.co.uk

This fake financial spam does not come from 123-Reg (nor is it sent to 123-Reg customers). It has a malicious attachment.

From     no-reply@123-reg.co.uk
Date     Wed, 19 Apr 2017 17:19:51 +0500
Subject     Copy of your 123-reg invoice ( 123-093702027 )

Hi [redacted],

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg
Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.
https://www.123-reg.co.uk
The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf).

This PDF file appears to drop an Office document according to VirusTotal results.

Hybrid Analysis shows the document dropping a malicious executable with a detection rate of 15/61. It appears to contact the following IPs (some of which contain legitimate sites):

216.87.186.15 (Affinity Internet, US)
216.177.132.93 (Alentus Corporation, US)
152.66.249.132 (Budapest University of Technology and Economics, Budapest)
85.214.113.207 (Strato AG, Germany)
192.184.84.119 (RamNode LLC, US)

The general prognosis seems to be that this is dropping the Dridex banking trojan.

Recommended blocklist:
216.87.186.15
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119



Monday, 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36




Tuesday, 11 April 2017

Malware spam: "Sprawdź stan przesylki DHL"

This spam targeting Polish victims seems quite widespread. It leads to malware. The email is personalised with the victim's real name which has been harvested from somewhere.

From: DHL Express (Poland) [mailto:biuro@nawigatorxxi.pl]
Sent: Monday, April 10, 2017 7:09 PM
To: [redacted]
Subject: Sprawdź stan przesylki DHL

Sprawdź stan przesylki DHL
Szanowny Kliencie, [redacted]

Informujemy, że w serwisie DHL24 zostało zarejestrowane zlecenie realizacji przesyłki, której jesteś odbiorcą.

Dane zlecenia:
- numer zlecenia:
9653788657

- data złożenia zlecenia:
poniedziałek, 10. kwietnia

Informacje o aktualnym statusie przesyłki znajdziesz na http://dhl24.com.pl/report.html&report=JavaScript&email=[redacted]. (JavaScript Raport)

Niniejsza wiadomość została wygenerowana automatycznie.

Dziękujemy za skorzystanie z naszych usług i aplikacji DHL24.

DHL Parcel (Poland)

UWAGA: Wiadomość ta została wygenerowana automatycznie. Prosimy nie odpowiadać funkcją Reply/Odpowiedz 

The link goes to a malicious Javascript [example here] [Malwr report] which downloads a binary from:

freight.eu.com/download3696 (159.100.181.107 - World Wide Web Hosting LLC, Netherlands)

..this has a detection rate of 10/60. This Malwr report plus observed activity show traffic to the following IPs and ports:

5.196.73.150:443 (OVH, France)
31.220.44.11:8080 (HostHatch, Netherlands)
46.165.212.76:8080 (Leaseweb, Germany)
109.228.13.169:443 (Fasthosts, UK)
119.82.27.246:8080 (Tsukaeru.net, Japan)
173.230.137.155:8080 (Linode, US)
173.255.229.121:443 (Linode, US)
203.121.145.40:8080 (Pacific Internet, Thailand)
206.214.220.79:8080 (ServInt, US)


There may be other phone home locations not observed.

Recommended blocklist:
5.196.73.150
31.220.44.11
46.165.212.76
109.228.13.169
119.82.27.246
159.100.181.107
173.230.137.155
173.255.229.121
203.121.145.40
206.214.220.79





Wednesday, 2 November 2016

Malware spam: "Companies House - new company complaint" / noreply@companies-house.me.uk / noreply@companieshouses.co.uk leads to TrickBot

This fake Companies House spam leads to TrickBot malware:

From:    Companies House [noreply@companieshouses.co.uk]
Date:    2 November 2016 at 11:51
Subject:    Companies House - new company complaint
Signed by:    companieshouses.co.uk

Investigations and Enforcement Services

This message has been auto-generated in response to the company complaint submitted to our WebFiling  service.

The submission number is ID109202DLK02911

Please find the attached document for your review.

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Crown Logo
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500

The Cardiff office is open 24 hours a day for the receipt of documents Contact Centre lines are open between 8.30am to 6pm (Monday to Friday) 
Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.


The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:

    Registrant:
        Camell Williams

    Registrant type:
        Unknown

    Registrant's address:
        550 HOLTS LAKE CT STE 101
        Suite 101
        Apopka
        Florida
        32703
        United States


Both those domains are close to the genuine one of companieshouse.gov.uk and because the email is digitally signed it might get past spam filters where normal botnet-sent spam wouldn't.

All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.

Attached is a Word document Complaint.doc  (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:

futuras.com/img/dododocdoc.exe

This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.

The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:

78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)


The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.

Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117


Tuesday, 1 November 2016

Malware spam: "New Fax Message" / administrator@local-fax.com leads to TrickBot

This fake fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

From:    Administrator [administrator@local-fax.com]
To:    annie@[redacted]
Date:    1 November 2016 at 13:28
Subject:    New Fax Message
Signed by:    local-fax.com

Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.

[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]

Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.



Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and Hybrid Analysis give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:

www.tessaban.com/img/safafaasfasdddd.exe

This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports give the following suspect traffic:

91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)

I can match all those IPs except the last to this ThreatGeek report, those IPs are a mix of what looks like dynamic IPs for hacked home users and static ones (highlighted):

5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.

If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:

37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24


However, there's more to this too. The original email message is actually signed by local-fax.com and it turns out that this domain was created just today with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking.

All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously enough..


Wednesday, 26 October 2016

Malware spam: "Your order has been proceeded." leads to Locky

This curiously worded spam email leads to Locky ransomware:

Subject:     Your order has been proceeded
From:     Elijah Farrell
Date:     Wednesday, 26 October 2016, 12:41


Your order has been proceeded.

Attached is the invoice for your order 2026326638.

Kindly keep the slip in case you would like to return or state your product's warranty.
The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name.

The various scripts download a component from one of the following locations (thank you to my usual source for this):

198zc.com/vnrymi
3d-schilling.de/ytm08hf
abaffbedip.net/0ec4sb62
abaffbedip.net/1roef5v
abaffbedip.net/5k4oh5
abaffbedip.net/8b0lk2p
actiononsports.com/yduc1
aiccard.co.th/sy7hb7
alefunny.pl/vjjw0
alvida.de/zhw8nw6
antiguarelojeria.com/zg28jio
ayso722.org/ny8s6fn
banana2.jp/zsf0952
begbuilders.com/xjtb9k
bibliocultura.org/hdhwx7sf
bluecuracao.nl/xt8w2p3
bonetti.nl/bqc565q
brkos.borec.cz/skxkk33b
callideo.fr/zwg1d
caulgreet.com/0gxgwa
caulgreet.com/2sqh38d1
caulgreet.com/6o04pdt
caulgreet.com/9gl7t
chuvafeatherstone.com/rve6j
ciscscout.net/rvkbiv3t
cloudafis.com/kpw6h4uh
cngmalaysia.org/f4cda
cpugame.com/r3octl
cryochoice.com/n4801d
dadaniu.cn/cyk9hpr
danor.ro/xnnhp5
dmtya.ru/zqzii
dominoassociates.com/keg4g
dongyigg.com/onirn0r
dont.pl/stuf3
dovgan.bclas.ru/wk7tah
dzyncreative.com/v1djrmn
ecentz.com/sbvv8md
edepolama.com/xlyrh
edu02.ru/nk6z1
entersukses.com/cudm8
ergobois.com/j87ns
esteticapro.com/tje1ya
esysports.com/ybn7qw
exquisiteescape.com/fa8f7fk9
fazendacristal.com/djgyn
fbstone.com/xjlq6
fengxiaohui.com/yulge
filenetp8.info/esg742j9
flw123.com/kygiq6t
gerardfetter.com/fudjm1m
gongzuoshu.com/lojhvcj7
grandfm.com/my98xg7a
guymorgandaily.com/ilgx8tki
hankookm.com/lun77kyf
hfhhk.com/edfwyi1
hotsigns.net/ayxpi
jean-ealogy.com/dauwq7a
khstarter.com/w8811bg
landondavid.com/d5t56y4b
lanmaicao.com/bxyi91
lcmaya.com/d79p8w
mannersfromtheheart.com/cn450b
milianjie.com/dg1ie
morenaart.com/qbwnl
nakedglobal.com/d6s6f
roweliced.net/12fi9dc
roweliced.net/35lz355g
roweliced.net/6vgrs4
roweliced.net/a1f8yb
sheatcatan.com/1cb7jn
sheatcatan.com/3oze6ie
sheatcatan.com/74mqu
sheatcatan.com/awcdu3
titmaius.net/0f7ygeg
titmaius.net/1zsxe
titmaius.net/6g32j
titmaius.net/8u0ie

The downloaded binary then phones home to:

78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)


It also tries to phone home to these URLs which are currently not resolving:

umjjvccteg.biz/linuxsucks.php
hbnatserncelosskp.biz/linuxsucks.php
rqnegynlpkohoohp.pw/linuxsucks.php
ymrorgauixirigj.biz/linuxsucks.php
ayyxamwyvfyqidija.pw/linuxsucks.php
yfjxvok.ru/linuxsucks.php
lbbauqqpynjem.xyz/linuxsucks.php
tnvnmjdyokgyj.pl/linuxsucks.php
hoiedes.pl/linuxsucks.php
toaqabrl.xyz/linuxsucks.php
leacfrc.info/linuxsucks.php
jkjxnrnirmqt.pw/linuxsucks.php

Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225




Wednesday, 31 August 2016

Malware spam: "bank transactions"

This fake financial spam comes with a malicious attachment:

From:    Rueben Vazquez
Date:    31 August 2016 at 10:06
Subject:    bank transactions


Good morning petrol.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.


Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.

According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):

www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis

Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:

95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably the Locky ransomware.

Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24


Monday, 15 August 2016

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Friday, 12 August 2016

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld
The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs


The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190


Thursday, 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Thursday, 28 July 2016

Malware spam: "Please check the attached invoice and confirm me if I sent the right data" leads to Locky

This fake financial spam leads to malware:

Subject:     Invoice
From:     Kendall Harrison (Harrison.59349@chazsmedley.com)
Date:     Thursday, 28 July 2016, 10:33

Hello,

Please check the attached invoice and confirm me if I sent the right data

Yours sincerely,
Kendall Harrison

320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3 
The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted".

The Malwr analysis for the partially deobfuscated script and this Hybrid Analysis show this particular sample downloading from:

83.235.64.44/~typecent/xvsb58

This drops a malicious Locky ransomware binary with a detection rate of 7/55. Analysis of this binary is pending.

UPDATE

Thank you to my usual source for this analysis. The download locations for the various scripts are:

01ad681.netsolhost.com/7j0jlq3
12-land.co.jp/vrquj
178.78.87.8/xjzhm
83.235.64.44/~typecent/xvsb58
arabian-horse-highlights.homepage.t-online.de/kzm2n
bajasae.grupos.usb.ve/4y13jg1
baldwinhistory.portalstream.net/rqbljjx
billy-hanjo.homepage.t-online.de/2r713u
blanquerna.eresmas.net/tt2e8s4
burkersdorf.eu/8y5n3f
campustouren.de/k6tkk
christilipp.com/cnb0o
creartnet.com/5ylah
dev12.gammat.net/oxg2m3
exclusive-closet.com/fld2h8
fremdesland.x.fc2.com/iya9qt
gkxxx.x.fc2.com/dxfom
idd00dnu.eresmas.net/wdmlqe
it4cio.servicos.ws/u8c3x
jozefow.cba.pl/ouini6
karumaengeki.web.fc2.com/f3ry4
kbridge.web.fc2.com/hj1fr
lacrima.ru/hvn1c
luzdevelas.es/9belfi
mbiurorachunkowe.republika.pl/6t6sz
motorkote.org/0gq654
okhtinka.ru.hoster-ok.com/qdiqooeo
papamama.com.sg/zhbepez
piggy.riffle.be/~gniff/r9bzz
robertstefan.home.ro/pycz4o
sav-krelingen.de/36r3qe8
schefman.info/snjqz
slit.xxxxxxxx.jp/l58gd3p
sv-r.ru/btawsoc
www.acheri.it/magii
www.andyschwietzer.homepage.t-online.de/r3a0tw
www.chantale.force9.co.uk/lsyeuw
www.clefranceitalie.org/cj937f7l
www.inari.net/ov5u1k
www.kan-therm.ru/qara9i
www.marinoderosas.com/59nue8uo
www.panella.org/eo9lk
www.rgtalp14.it/ykb84n40
www.ruyssinck-demeyer.be/v4xo5r28
www.schwarzer-baer-kastl.de/tt7ea
www.uasm.de/qwqiyk
yourparty.cba.pl/5avhe
zckupila.republika.pl/m6w6uu5f


C2 locations:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)


Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0


Wednesday, 27 July 2016

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be 
The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.

UPDATE

The C2 locations for this variant are:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)


Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30


Malware spam: "Sent from my Samsung device" leads to Locky

This spam comes in a few different variations:

From:    Lottie
Date:    27 July 2016 at 10:38
Subject:    scan0000510

Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:

alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765


The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)


(Thank you to my usual source for this data)

There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.

Recommended blocklist:
5.9.253.160/27
178.62.232.244


Wednesday, 29 June 2016

Malware spam: "Financial report" / "I have attached the financial report you requested."

This spam appears to come from various sources, but has a malicious attachment:
From:    Hester Stanley
Date:    29 June 2016 at 13:25
Subject:    Financial report

Hello [redacted],

I have attached the financial report you requested.


Regards
Hester Stanley

Chief Executive Officer

Attached is a ZIP file containing some version of the recipient's email address, the words "report" or "freport" or "financial" plus a number. This contains a malicious .js file beginning with "swift".

Trusted analysis by another party (thank you as ever) gives download locations at:

115.146.42.43/5dtvzet
164.15.59.210/polytech/faculte/n0iqya
210.196.205.19/~pvpip/ypznpez0
65.99.205.183/~studiantec/w29xxnph
82.140.32.172/~haukebensch/3l6zu4
83.235.64.44/~astr-pap/3h59w9s
arquipiedra.cl/6xp7a8k5
benelist.cz/p3oyew2
buron.dk//xc71iuq
centralbs.com/wogium
centro-odontoiatrico-neuromuscolare.it/jtap3
Deutsch-Krone.privat.t-online.de/od24jb
dewaeletransportes.atspace.com/moqry4r9
dragoljub.50webs.com/2gkowrrg
dueto.sk/mdjhnlh
elipse.es/~elipse/8cbjb
enpeler.web.fc2.com/nryumnd
free.co.ca//s3po2n54
geduque.com.br/xu5u1hw
geiten.nl/jjupt07
greatlakessawingsolutions.com/zm70yfs7
jharanch.net/wsi8rh9g
josenria.nl/tohbw3e
joynergraphics.com/2e7qysyn
joynergraphics.com/9htk0ug
karosguren.web.fc2.com//sgejjt
kibridz.50webs.com/l2rvuivn
kitaori.net/r7zt9
labibliocancerdig.com/mhbgy5
laneylakes.com/fj521
maridea.cz/3w36st3
maridea.eu/3ofkxjlt
mayhemparkcom.sites.qwestoffice.net/gdduzqe
onlinepartners.no/kiwcpse
onwings.nl/~onwings.nl/zcr3r9
otherworldsbookstore.com/qmn38
otherworldsbookstore.com//w7q4o2
otherworldsbookstore.com/yluli4ye
pospesch.de/78uftb3
qualiphone.tv/fpmrb
sao24.net/0wnm7v
tczpug.org/z8nvas
teste-site.hi2.ro/7he6ez0
ulin.jp/1p5sqt
vimperk-haselburg.cz/kf27u5
www.notaverde.com/vq1ep
www.oemsen.gmxhome.de/sh91u3a


The payload is Locky ransomware, phoning home to the following servers:

93.170.123.219 (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
149.154.159.125 (EDIS, Germany)
151.236.17.45 (EDIS, Germany)
151.236.17.47 (EDIS, Germany)
194.31.59.147 (Hostbar, Russia)


I don't currently have a copy of the payload.

Recommended blocklist:
93.170.123.219
149.154.159.125
151.236.17.45
151.236.17.47
194.31.59.147


Friday, 27 May 2016

Malware spam: "Neue Abrechnung Nr. 746441" / support@sipcall.de

This German-language spam has a malicious attachment:

From:    support@sipcall.de
Date:    27 May 2016 at 10:57
Subject:    Neue Abrechnung Nr. 746441


Guten Tag

Im Anhang erhalten Sie die neue Rechnung des vergangenen Monates mit der Abrechnungsnummer 746441.

Für eine fristgerechte Bezahlung danken wir Ihnen. Bei Fragen oder Anregungen steht Ihnen unser Kundendienst gerne zur Verfügung.


Freundliche Grüsse
Ihr VoIP Provider


Dies ist eine automatisch generierte Nachricht. Antworten auf diese E-Mail können nicht bearbeitet werden.

Reference numbers vary. Attached is a randomly-named Word document (e.g. INV842038-746441.docm). The sample I submitted to Malwr showed it downloading a binary from:

www.ding-a-ling-tel.com/98yh87nb6v4

Other sources indicate additional download locations at:

egadget.ru/98yh87nb6v4
www.samrhamburg.com/98yh87nb6v4
bridgeplacements.com/98yh87nb6v4
birlesimsucuklari.com/98yh87nb6v4
ecpi.ro/98yh87nb6v4
wondervalley.in/98yh87nb6v4

acnek.com/98yh87nb6v4
cacpa.org/98yh87nb6v4
cobrebactericida.org/98yh87nb6v4
greenwfms.com/98yh87nb6v4
iwebmediasavvy.com/98yh87nb6v4
projectodetalhe.pt/98yh87nb6v4
renaudsfurniture.ca/98yh87nb6v4
saintkatherine.orthodoxy.ru/98yh87nb6v4
www.orchidealito.it/98yh87nb6v4


There are probably other locations too.

An executable is dropped with a detection rate of 3/56. The Hybrid Analysis and DeepViz report both indicate different phone-home locations:

193.9.28.13 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
5.152.199.70 (Redstation, UK)


Private sources also indicate C2s at:

212.109.219.31 (JSC Server, Russia)
107.181.187.12 (Total Server Solutions, US)


The payload is Locky ransomware.

Recommended blocklist:
193.9.28.13
5.152.199.70
212.109.219.31
107.181.187.12

Thursday, 26 May 2016

Malware spam: "Please find attached a document containing our responses to the other points which we discussed.."

This spam appears to come from different companies and senders, and has a malicious attachment:

From:    Sara Osborne
Date:    26 May 2016 at 10:53
Subject:    RE:

Dear sales,

Please find attached a document containing our responses to the other points which we
discussed on Monday 23th May.

Please let me know if you have any queries


Regards,

Wayfair Inc.

Sara Osborne
Attached is a ZIP file (the ones I have seen so far all begin with responses_) which contains a malicious script name in a similar way to employees -382-.js. These have a typical detection rate of 4/56.

Two samples analysed by Malwr [1] [2] show download locations from:

newgeneration2010.it/mkc27f
projectodetalhe.pt/do5j36a


There will be many other download locations too. These drop two different binaries (VirusTotal results [3] [4]). Those two VT results plus these two DeepViz analyses [5] [6] show the malware phoning home to:

138.201.93.46 (Hetzner, Germany)
107.181.187.12 (Total Server Solutions, US)
212.109.219.31 (JSC Server, Russia)
5.152.199.70 (Redstation, UK)


This behaviour is consistent with Locky ransomware.

Recommended blocklist:
138.201.93.46
107.181.187.12
212.109.219.31
5.152.199.70