Sponsored by..

Showing posts with label Netherlands. Show all posts
Showing posts with label Netherlands. Show all posts

Tuesday, 13 September 2016

Malware spam: "Attached is the tax invoice of your company. Please do the payment in an urgent manner." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Tax invoice
From:     Kris Allison (Allison.5326@resorts.com.mx)
Date:     Tuesday, 13 September 2016, 11:22

Dear Client,

Attached is the tax invoice of your company. Please do the payment in an urgent manner.


Best regards,
Kris Allison
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:

adzebur.com/dsd7gk  [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
            [78.212.131.10] (21 Century Telecom Ltd, Russia)
            [31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f   [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
            [23.95.106.223] (New Wave Netconnect, US)
            [23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]

The payload then phones home to:

91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php   [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php   [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php


Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71


UPDATE: further analysis gives these other IPs to block..

78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116

Monday, 12 September 2016

Malware spam: "Budget report" leads to Locky (and also evil network on 23.95.106.128/25)

This fake financial spam leads to Locky ransomware:

From:    Lauri Gibbs
Date:    12 September 2016 at 15:11
Subject:    Budget report

Hi [redacted],

I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.


With many thanks,
Lauri Gibbs
Attached is a randomly-named ZIP file which in sample I saw contained two identical malicious scripts:

921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js


The scripts are highly obfuscated however the Hybrid Analysis and Malwr report show that it downloads a component from:

lookbookinghotels.ws/a9sgrrak
trybttr.ws/h71qizc


These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked.

A DLL is dropped with a detection rate of about 8/57 [3] [4] which appears to phone home to:

51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte.ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy.ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)

Incidentally, the registrant information on the bad domains is also very familiar:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:



Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101


UPDATE - 2016/06/13

A list of the sites currently hosted on 23.95.106.128/25 and their SURBL ratings can be found here.



Monday, 5 September 2016

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.


Sincerely yours,
Tamika Good
Account manager
The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:

canonsupervideo4k.ws/1bcpr7xx

This appears to be multihomed on the following IP addresses:

23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)


Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru


Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57.  These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:

91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48

91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55


Wednesday, 31 August 2016

Malware spam: "bank transactions"

This fake financial spam comes with a malicious attachment:

From:    Rueben Vazquez
Date:    31 August 2016 at 10:06
Subject:    bank transactions


Good morning petrol.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.


Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.

According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):

www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis

Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:

95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably the Locky ransomware.

Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24


Wednesday, 3 August 2016

Malware spam: "As you directed, I send the attachment containing the data about the new invoices"

Another day, another Locky ransomware run:

From:    Marian Mcgowan
Date:    3 August 2016 at 11:15
Subject:    Fw: New invoices

As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script  which according to this Malwr analysis downloads a binary from..

blog-aida.cba.pl/2zensi7t

..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:

93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]

Both those IPs are in known bad blocks.

Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24



Malware spam: "I attached the project status report in order to update you about the last meeting"

This spam leads to Locky ransomware:

From:    Keri Jarvis [Jarvis.64030@bac.globalnet.co.uk]
Date:    2 August 2016 at 22:13
Subject:    report

Hi,

I attached the project status report in order to update you about the last meeting

Best regards,
Keri Jarvis
Attached is a randomly named ZIP file containing a malicious .js script beginning with the word "report". This downloads an evil binary from one of the following locations:

ary.ken-shin.net/jc6f3r
bizconsulting.ro/mgld4
czerwinski.ciesielstwo.cba.pl/6qxwpzt0
equalityindonesia.com/mdxrgr
essenciadoequilibrio.net/jl6aq
essenciadoequilibrio.net/szbcfto
go4leiner.de/vm3u88
hitoribotch.web.fc2.com/73bm9p96
ikkyohawks.web.fc2.com/e61h18
lifeserv.myarena.ru/mp9133x
locogallery.com/dz0lw6
mephisto.nd.e-wro.pl/05fvl56n
miyadu.web.fc2.com/hrdl2sh8
namarinoko.hariko.com/376wx19
nedayepak.ir/eu9om
rsxxx.com/jsc6uao
russiansnow.web.fc2.com/yfu287q
slava.nsknet.ru/hi65u4w
sugetipula12.hi2.ro/rwnmj
sugetipula12.hi2.ro/v2gbzo0s
sumrmo360.web.fc2.com/hv07h
sven-jaenecke.homepage.t-online.de/1siww
tip.ub.ac.id/m7blnpxy
trans-free.ru/lve7y
watafuku.web.fc2.com/ao0dw
woblk17jc.homepage.t-online.de/xckpw14
wt7dzbn78.homepage.t-online.de/qxyc94p
www.am-i-evil.de/hkak1si
www.arstaelteknik.com/7o6uw8w
www.arstaelteknik.com/se0hgcy
www.bagana.net/oucgn5
www.breuninger-web.de/c1gjikd8
www.cafealaska.es/znsih5
www.carrelliusati.it/7zf90
www.closecombat.mynetcologne.de/cddpnu
www.cosentinoarredamenti.com/o77fzv
www.e-bev.com/7dl4wjqt
www.jansen-consultancy-machines.be/cnipq7ja
www.puntoit-informatica.com/6jnx8ms
www.sashraf.plus.com/d9g6d
www.serial-production.com/vqprmy
www.stucchifedele.com/wg4spe
www.vincenzofranchino.it/aymbt6k7


(Thank you to my usual source for this data)

The malware phones home to:

37.139.30.95/php/upload.php (Digital Ocean, Netherlands) [hostname: belyi.myeasy.ru]
93.170.128.249/php/upload.php (Krek Ltd, Russia)
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

Recommended blocklist:
37.139.30.95
93.170.128.249
93.170.104.20




Tuesday, 2 August 2016

Malware spam: "Please see the attached last month’s paid bills for the company" leads to Locky

This fake financial spam has a malicious attachment:

From:    Nathanial Lane
Date:    2 August 2016 at 12:05
Subject:    Paid bills

Hello [redacted],

Please see the attached last month’s paid bills for the company

Best regards
Nathanial Lane
The name of the sender varies. It appears that these are being sent out in very high volumes. Attached to the email message is a randomly-named ZIP file which contains a malicious .js scripts beginning with "sales charts".

Thank you to my usual source for this analysis: the script downloads from one of the following locations:

158.199.158.185/e2ti07
212.26.129.68/f0671
acnek.com/zfwiice
alex-walter.de/gzag8yht
beate-oberle-kosmetik.de/jqbf9
breinco.com/~export/jrjnlkc
cinerd.info/wwekm4yk
clinic.gov.ua/my2vo
dev.appleleafabstracting.com/uis21
ecpi.ro/3kc9d2
essenciadoequilibrio.net/7vsuk59
exportwroclaw.cba.pl/565489s
fotografuj.pl/qk4zo4cv
gebetech.at/lpgrvcoa
go4leiner.de/8wofbvq
itconcept.md/mgvlj3m
jhengineering.szm.com/5242czu9
lifeserv.myarena.ru/0siarbi
madiv.ru/pbzgphhj
morfaux.fr/hvk9pc
my-result.ru/vhzj63z
nolwo.ru/nimsr
olis.atspace.com/b6aqk
plasseramerican.net/3064rl
psclimat.ru/rnn59v
realm-of-rage.heimat.eu/e4pxmx1
rsxxx.com/xy4dghdn
russiansnow.web.fc2.com/d8k6pqag
sancompany.ru/pl8in
setcoop.com.br/87pyu
siteriqi.bget.ru/sfgjthf
subbenim.atspace.com/kqfyrwph
system-inka.de/31f7r
terminatorzy.cba.pl/goix6
thehybrid.0catch.com/36sye
totalrepalrhonda.web.fc2.com/g6qx0t
tvoy-android.com/mqs5z
ultramarincentr.ru/soao7gp
woblk17jc.homepage.t-online.de/ao4sg9
wt7dzbn78.homepage.t-online.de/2x5qs94
www.arstaelteknik.com/6kpppb
www.bagana.net/0743nt3
www.cafealaska.es/bc3z9j9
www.cosentinoarredamenti.com/1zq31
www.dsalchi.org/dmkd5
www.gioilda.com/lcoucn62
www.serial-production.com/9c4xv
www.simons-vakantiehuisje.nl/2e3vp
www.stucchifedele.com/9c5m4g


The payload is Locky ransomware, phoning home to:

37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
93.170.128.249/upload/_dispatch.php (Krek Ltd, Russia)


Recommended blocklist:
37.139.30.95
93.170.128.249



Monday, 1 August 2016

Malware spam: "Please review the attached corrected annual report." / "Corrected report"

This spam comes with a malicious attachment:

Subject:     Corrected report
From:     Joey Cox (Cox.48@sodetel.net.lb)
Date:     Monday, 1 August 2016, 13:37

Dear webmaster,

Please review the attached corrected annual report.

Yours faithfully
Joey Cox
The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware from one of the following locations (thank you to my usual source for analysis):

121.83.206.211/~ftp-yama/9z6nu
12-land.co.jp/gyukmx
209.202.52.42/~wevugoja/eijz2y
213.228.128.12/~joaod/2xbjbu
213.228.128.12/~joaod/74ujkijl
217.26.70.200/~pitagora/4nm1k
218.228.19.9/~yossi/9ssfpkz
67.23.226.139/~jneccsio/2egblt4m
79.96.153.93/cxzlkz
80.109.240.71/~r.theeuwes/6c1arl9
abufarha.net/55hhso
akeseverin.com/audqp
akva-sarat.nichost.ru/xc2kao
arogyaforhealth.com/l9bwo0
b-doors.ru/l65n0 - hash
bisericaromaneasca.ro/jzvtuc
bobbysinghwpg.com/k3v1t3v4
canplus.fc2web.com/faepi1
certifiedbanker.org/lg305
climairuk.com/kmbw8q
clinic.gov.ua/sku4ql
darkhollowcoffee.com/n69xfk
darkhollowcoffee.com/xlbps
enexp.ru/r2wbp6
fotografuj.pl/8hotlfc2
fotografuj.pl/y4m2b
gp-logistics.ru/uwkop
keven.site.aplus.net/rb9skl
krovgid.ru/wooq2
libertymanuals.com/o97dh92i
mobile-kontent.com/ou6ne
openspace.pro/teg7qur
paletteswapninja.com/~playre5/0mxupm8q
programistyczni.strefa.pl/j7xk8c
ramsayconstruction.ca/b27ix9s
rom-stroy.ru/s0kphjat
schlebach.25mm.ru/ycz6sn
seahawkexports.com/7954qp3a
shagunproperty.com/8ikrr
sigovka.ru/w790cg8h
steelfs.com.mx/00ucikvv
stroymonolit.su/7oiy5i8
tvoy-android.com/i8rsoei
u2319351.plsk.regruhosting.ru/vsfvyj1j
ultramarincentr.ru/jtmms
uxeurope.com/~guest/7rj3px
visionaero.com/9grdv
wordpress.pro-tiler.ru/mk9yi4wl
www.robtozier.com/bg58a


The dropped binary then attempts to phone home to:

91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

The host for that last one comes up over and over again, it's time to block that /22..

Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22



Friday, 29 July 2016

Malware spam: "Voicemail from Anonymous" / SureVoIP [voicemailandfax@surevoip.co.uk]

This fake voicemail spam has a malicious attachment:
From     SureVoIP [voicemailandfax@surevoip.co.uk]
Date     Fri, 29 Jul 2016 17:47:41 +0700
Subject     Voicemail from Anonymous <Anonymous> 00:02:15

Message From "Anonymous" AnonymousCreated: Fri, 29 Jul 2016 19:45:15 +0900Duration:
00:02:37Account: victimdomain.tld
The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf.

According to my trusted source (thank you as ever):

64.22.100.95/78h8ry
A1Engg.com/9u8jreve
am-i-evil.de/n3rv3rv
avaretv.atspace.com/n3rv3rv
cieslakwz.cba.pl/9u8jreve
curionaut.web.fc2.com/78h8ry
gim24.y0.pl/9u8jreve
guessen.privat.t-online.de/9u8jreve
gurannbania03.web.fc2.com/9u8jreve
hanokenko.web.fc2.com/n3rv3rv
hokkatsu6.web.fc2.com/78h8ry
kapiti-alpaca.co.nz/78h8ry
kathrin18.edv-kamue.de/78h8ry
kimani.dommel.be/n3rv3rv
martinezlabalsa.atspace.org/78h8ry
melzer-ferienwohnung.de/78h8ry
mertenitalia.atspace.com/78h8ry
paris82nana.cafe24.com/78h8ry
pixelacker.de/9u8jreve
rakurakutuuhang.web.fc2.com/n3rv3rv
rhodins.nu/n3rv3rv
sandalcraft.cba.pl/9u8jreve
shinryu1226.web.fc2.com/78h8ry
sspbadecz.ugu.pl/9u8jreve
www.amelander.nl/78h8ry
www.arrietayasociados.es/9u8jreve
www.atiyka.home.ro/9u8jreve
www.bobp.org.uk/9u8jreve
www.cabana.it/9u8jreve
www.corama.com/n3rv3rv
www.cs-strumentazione.it/9u8jreve
www.destine.broker.go.ro/n3rv3rv
www.diegofabbri.com/n3rv3rv
www.ecologica2000srl.eu/78h8ry
www.finnform.it/n3rv3rv
www.flamarimports.com.br/n3rv3rv
www.josegbueno.jazztel.es/9u8jreve
www.malzi.mynetcologne.de/n3rv3rv
www.markomielentz.de/78h8ry
www.nieli.de/9u8jreve
www.oliooddo.com/n3rv3rv
www.professionaldga.com/78h8ry
www.suesswarentechniker.de/78h8ry
www.techninov.fr/n3rv3rv
yohollywood.50webs.com/78h8ry


The downloaded binary is Locky ransomware, phoning home to:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]

Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139

Thursday, 28 July 2016

Malware spam: "Please check the attached invoice and confirm me if I sent the right data" leads to Locky

This fake financial spam leads to malware:

Subject:     Invoice
From:     Kendall Harrison (Harrison.59349@chazsmedley.com)
Date:     Thursday, 28 July 2016, 10:33

Hello,

Please check the attached invoice and confirm me if I sent the right data

Yours sincerely,
Kendall Harrison

320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3 
The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted".

The Malwr analysis for the partially deobfuscated script and this Hybrid Analysis show this particular sample downloading from:

83.235.64.44/~typecent/xvsb58

This drops a malicious Locky ransomware binary with a detection rate of 7/55. Analysis of this binary is pending.

UPDATE

Thank you to my usual source for this analysis. The download locations for the various scripts are:

01ad681.netsolhost.com/7j0jlq3
12-land.co.jp/vrquj
178.78.87.8/xjzhm
83.235.64.44/~typecent/xvsb58
arabian-horse-highlights.homepage.t-online.de/kzm2n
bajasae.grupos.usb.ve/4y13jg1
baldwinhistory.portalstream.net/rqbljjx
billy-hanjo.homepage.t-online.de/2r713u
blanquerna.eresmas.net/tt2e8s4
burkersdorf.eu/8y5n3f
campustouren.de/k6tkk
christilipp.com/cnb0o
creartnet.com/5ylah
dev12.gammat.net/oxg2m3
exclusive-closet.com/fld2h8
fremdesland.x.fc2.com/iya9qt
gkxxx.x.fc2.com/dxfom
idd00dnu.eresmas.net/wdmlqe
it4cio.servicos.ws/u8c3x
jozefow.cba.pl/ouini6
karumaengeki.web.fc2.com/f3ry4
kbridge.web.fc2.com/hj1fr
lacrima.ru/hvn1c
luzdevelas.es/9belfi
mbiurorachunkowe.republika.pl/6t6sz
motorkote.org/0gq654
okhtinka.ru.hoster-ok.com/qdiqooeo
papamama.com.sg/zhbepez
piggy.riffle.be/~gniff/r9bzz
robertstefan.home.ro/pycz4o
sav-krelingen.de/36r3qe8
schefman.info/snjqz
slit.xxxxxxxx.jp/l58gd3p
sv-r.ru/btawsoc
www.acheri.it/magii
www.andyschwietzer.homepage.t-online.de/r3a0tw
www.chantale.force9.co.uk/lsyeuw
www.clefranceitalie.org/cj937f7l
www.inari.net/ov5u1k
www.kan-therm.ru/qara9i
www.marinoderosas.com/59nue8uo
www.panella.org/eo9lk
www.rgtalp14.it/ykb84n40
www.ruyssinck-demeyer.be/v4xo5r28
www.schwarzer-baer-kastl.de/tt7ea
www.uasm.de/qwqiyk
yourparty.cba.pl/5avhe
zckupila.republika.pl/m6w6uu5f


C2 locations:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)


Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0


Wednesday, 27 July 2016

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be 
The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.

UPDATE

The C2 locations for this variant are:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)


Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30


Malware spam: "Sent from my Samsung device" leads to Locky

This spam comes in a few different variations:

From:    Lottie
Date:    27 July 2016 at 10:38
Subject:    scan0000510

Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:

alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765


The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)


(Thank you to my usual source for this data)

There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.

Recommended blocklist:
5.9.253.160/27
178.62.232.244


Tuesday, 31 May 2016

Malware spam: "You have 1 new message from bank manager. To read it, please open the attachment down below. "

This fake financial spam has a malicious attachment:

From:    Lanna Weall
Date:    31 May 2016 at 12:18
Subject:    New Message from your bank manager

You have 1 new message from bank manager. To read it, please open the attachment down below. 
In the sample I saw there was an attachment see_it_77235678.zip containing a malicious script warning_letter_Bdrh5W.js (detection rate 4/57) and the Malwr analysis of that sample shows that it downloads a binary from:

pvprojekt.pl/oLlqvX

The dropped binary is Locky ransomware with a detection rate of 4/56. All those reports plus these analyses [1] [2] [3] show network traffic to:

85.17.19.102 (Leaseweb, Netherlands)
195.154.69.90 (Iliad Entreprises, France)
93.170.123.60 (PE Gornostay Mikhailo Ivanovich / time-host.net, Ukraine)


A trusted source (thank you) indicated that there was a earlier Locky campaign today with the following donwload locations:

101consult.com/zZVPJj
adrianschubert.pl/7s56K8
affinityee.com/jkpziP
akcord.com/R4yjhg
alex-makhinin.ru/hPBy2R
altezzatrio.com/aAS841
amande-concerts.de/LNfOKy
amansur.com/sJIEQB
andresvazquez.net/1UaAWY
arajinqayler.com/V8lL2k
asworkstation.com/1Cq0Kk
baidainhatrang.xyz/bA2xZO
balifashion.ru/FMGbdV
belov24.ru/1msPTS
bestplumbersindallas.com/UZmYow
betulbasol.com/jmS4ts
bitcoinprservices.com/4Xc6Fy
canale78.it/I52NbK
c-a-r.at/QSa8sI
fm2030.us/BznLrm
handmee.com/hIPTXx
jestempiotr.pl/IiJlGp
kickoff.ru/WNwvki
kontarkum.org/Lntxhy
ktistakis.com/UHqig6
kvarcevaya-lampa.ru/fC9qZW
kwweb.it/tNTjZ2
ladohumano.cl/bnmYOE
leatherberryconsulting.com/gXTND7
lidgroup.ru/vV9c7l
lizdion.net/9cRXIl
makarenkostyle.net/IJlEqC
marca-ce.com/n859VM
maridadiproperties.com/pQIJGB
mckinleyhigh.org/lhAfaC
metakino.ru/onryuE
metaldesign.info/o12QeD
minutemanpress-randburg.co.za/UXJnqs
most.org.mk/oiNWQ0
muslimdate.com/mlB3PW
noplacelikejones.com/hati3x
norisys.com/EwX0sO
nwa-dizel.ru/D8kTfA
ohmyg-o-d.info/Ns4gf5
pasit.heutagon.com/PyG0Oc
pgcommunitycab.com/FAlx1b
polibloki.ru/nbTURt
primeautoglass.co.nz/wMcW5Z
puliziafacile.it/JvZ9cX
pvprojekt.pl/oLlqvX
quotidianieriviste.com/WIKuLk
redcurrantjobs.co.uk/9cgwZ5
revista.motociclismo.es/4HgJ7t
riobrancoperu.org/B3AlqT
rockmind.pl/bg6kKf
rotaharita.com/5NmH3b
sanariumspb.ru/Xm9xul


Recommended blocklist:
85.17.19.102
195.154.69.90
93.170.123.60


Thursday, 5 May 2016

Malware spam: "DocuCentre-IV" / "Scan Data"

This fake document scan appears to come from within the victim's own domain (but this is just a simple forgery) and has a malicious attachment:

From:    DocuCentre-IV [DocuCentre1230@victimdomain.tld]
Date:    5 May 2016 at 10:27
Subject:    Scan Data

Number of Images: 1
Attachment File Type: PDF

----=_Part_45251_4627454344.4826709420825--

Details vary slightly from message to message. Attached is a DOC file (not a PDF) starting with PIC, DOC or IMG in the samples I have seen plus a random number. Typical VirusTotal detection rates are 6/56 [1] [2] [3] [4] [5] [6]. Various automated analyses of these documents [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] show a binary being downloaded from the following locations:

fm1.ntlweb.org/87hcnrewe
iconigram.com/87hcnrewe
www.sammelarmband.de/87hcnrewe
hospice.psy.free.fr/87hcnrewe


This dropped file has a detection rate of 5/46. This Hybrid Analysis and this DeepViz report show subsequent network traffic to:

192.241.252.152 (Digital Ocean, US)
195.169.147.26 (Culturegrid.nl, Netherlands)
70.164.127.132 (Southland Technology, US)


The characteristics of the payload suggest this is the Dridex banking trojan.

Recommended blocklist:
192.241.252.152
195.169.147.26
70.164.127.132

Wednesday, 27 April 2016

Malware spam: Message from "RNP0BB8A7" / CLAUDIA MARTINEZ leads to Locky

This Spanish-language spam leads to malware:

From:    CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com]
Date:    27 April 2016 at 16:22
Subject:    Message from "RNP0BB8A7"

Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).

Datos escaneo: 27.04.2016 00:31:10 (+0000)
Preguntas a: soporte@victimdomain.tld
Attached is a  randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:

mebdco.com/8759j3f434
amwal.qa/8759j3f434
ecmacao.com/8759j3f434
lifeiscalling-sports.com/8759j3f434


This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:

absxpintranet.in/8759j3f434
amismaglaj.com.ba/8759j3f434
caegpa.com/8759j3f434
codeaweb.net/8759j3f434
coorgcalling.com/8759j3f434
gedvendo.com/8759j3f434
gedvendo.com.pe/8759j3f434
mc2academy.com/8759j3f434
teyseerlab.com/8759j3f434
www.adgroup.ae/8759j3f434
www.rumbafalcon.com/8759j3f434


This DeepViz report shows the malware phoning home to:

107.170.20.33 (Digital Ocean, US)
139.59.166.196 (Digital Ocean, Singapore)
146.185.155.126 (Digital Ocean, Netherlands)


There's a triple whammy for Digital Ocean! Well done them.

Recommended blocklist:
107.170.20.33
139.59.166.196
146.185.155.126

Malware spam: "Thank you. Our latest price list is attached. For additional information, please contact your local ITT office."

This fake financial spam leads to malware:

From:    Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date:    27 April 2016 at 12:23
Subject:    Price list

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.

Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:

aaacollectionsjewelry.com/ur8fgs
adamauto.nl/gdh46ss
directenergy.tv/l2isd
games-k.ru/n8eis
jurang.tk/n2ysk
lbbc.pt/n8wisd
l-dsk.com/k3isfa
mavrinscorporation.ru/hd7fs
myehelpers.com/j3ykf
onlinecrockpotrecipes.com/k2tspa
pediatriayvacunas.com/q0wps
soccerinsider.net/mys3ks
warcraft-lich-king.ru/i4ospd

haraccountants.co.uk/k9sjf

This downloads Locky ransomware. The executable then phones home to the following servers:

176.114.3.173 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
139.59.166.196 (Digital Ocean, Singapore)
107.170.20.33 (Digital Ocean, US)
146.185.155.126  (Digital Ocean, Netherlands)


Recommended blocklist:
176.114.3.173
139.59.166.196
107.170.20.33
146.185.155.126

Wednesday, 13 April 2016

Malware spam: "Prompt response required! Past due inv. #FPQ479660" / "Jake Gill"

This fake financial spam has a malicious attachment:

From:    Hillary Odonnell [Hillary.OdonnellF@eprose.fr]
Date:    13 April 2016 at 18:40
Subject:    Prompt response required! Past due inv. #FPQ479660

Hello,

I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?

Thank you,

Jake Gill

Accounts Receivable Department

Diploma plc

(094) 426 8112
The person it is "From", the reference nu,ber and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).

There seem to be several different versions of the attachment, I checked four samples [1] [2] [3] [4] and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive [5] [6] [7] [8] (as are the Hybrid Analyses [9] [10] [11] [12]) but do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on 212.76.140.230 - MnogoByte, Russia). The payload appears to be Dridex.

We can see a reference to that server at URLquery which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment however, the server appears to be not responding, but it appears that for that sample the malware communicated with:

195.169.147.88 (Culturegrid.nl, Netherlands)
178.33.167.120 (OVH, Spain)
210.70.242.41 (TANET, Taiwan)
210.245.92.63 (FPT Telecom Company, Vietnam)


These are all good IPs to block.

According to DNSDB, these other domains have all been hosted on the 212.76.140.230 address:

onlineaccess.bleutree.com
egotayx.net
wgytaab.net
emoaxmyx.net
wmbyaxma.net
emeotalyx.net
ezhoyznyx.net
wmeybtala.net
wzhybyzna.net
onlineaccess.bleutree.info
onlineaccess.bleutree.mobi


You can bet that they are all malicious too.

Recommended blocklist:
212.76.140.230
195.169.147.88
178.33.167.120
210.70.242.41
210.245.92.63


Monday, 28 March 2016

Malware spam: "Envoi d’un message : 9758W-TERREDOC-RS62937-15000" / Christine Faure [c.faure@technicoflor.fr]

This French-language spam comes with a malicious attachment:
From:    Christine Faure [c.faure@technicoflor.fr]
Date:    28 March 2016 at 16:54
Subject:    Envoi d’un message : 9758W-TERREDOC-RS62937-15000

Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :

9758W-TERREDOC-RS62937-15000
Message de sécurité
To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:

store.brugomug.co.uk/765f46vb.exe
ggbongs.com/765f46vb.exe
dragonex.com/765f46vb.exe
homedesire.co.uk/765f46vb.exe

scorpena.com/765f46vb.exe
pockettypewriter.co.uk/765f46vb.exe
enduro.si/pdf/765f46vb.exe
185.130.7.22/files/qFBC5Y.exe

Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses [17] [18] [19] [20] the malware phones home to:

83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)


All of those look like pretty shady neigbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.

The other binary appears to be another version of Locky which appears to phone home to the same servers.

Recommended blocklist:
83.217.8.127
84.19.170.249
185.117.72.94
91.200.14.73
92.63.87.134
176.31.47.100





Thursday, 24 March 2016

Malware spam: "FW: Payment Receipt" from multiple recipients leads to Locky

This fake financial spam comes from random recipients, for example:

From:    Marta Wood
Date:    24 March 2016 at 10:10
Subject:    FW: Payment Receipt

Dear [redacted],

Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.

Regards,
Marta Wood
Technical Manager - General Insurance

Attached is a ZIP file that incorporates the recipients name plus a word such as payment, details or receipt plus a random number. This achive contains a randomly-named script (starting with "PM") and ending with .js.js plus which appear to be a set of hidden .BIN files which may well be junk.

VirusTotal detection rates for the scripts are fairly low (examples [1] [2] [3] [4] [5] [6]). Automated analysis [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] shows binary download locations at:

stie.pbsoedirman.com/msh4uys
projectpass.org/o3isua
natstoilet.com/l2ps0sa [404]
yourhappyjourney.com/asl2sd [404]


Two of locations are 404ing, the two that work serve up a different binary each. There are probably many more download locations and more binaries, I will try to add a list later.

The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically is it Locky. Automated analyses [21] [22] [23] [24] [25] [26] show it phoning home to:

195.123.209.123 (ITL, Latvia)
107.181.187.228 (Total Server Solutions, US)
217.12.218.158 (ITL, Netherlands)
46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


UPDATE

Some further download locations from another source (thank you!):

byprez.com/oeepsl3s
caidongrong.com/e5owzc
emprendamosjuntos.com/dk3oas
epicld.com/n3sjax
fallrunathon.com/pw9eoa
famouscouponcodes.com/nxj3sa
hudesign.com/k39skad
kanberdemir.com/b5uas
mqhchurch.net/k2usy
mskphilly.org/yt7wei
optionstrategiesinsiders.org/zpq9sa
plexcera.com/m4uxj2
tigabersaudara.com/k3isa
www.naturseife-gartetal.de/oe9fja


MD5s for downloaded binaries:

0b0f29dc216e481659e84efc349823e1
0bd4f9b53991e86e39945559be074f40
2aea58b3328728ee5f0117112f8d8bd1
3da8d515085dc46be0c5e8d0aa959a5d
8630de2e42fb8e26764a994a4b7c65a9
8b07f6a6b52462395ed8dc91c4b7e7e6
8b6bc36cf0fc6db4fe7f2257cdc75905
9b52fbfe6d763bdbd9156b308ce4cd9f
9ebc25f1e53a2174213ea128a3cdb166
ab7c78cbd32ca79dff83f00aec693b2c
c070835d983f162b48f4fc370e30cf02
c9be9e7751b8f164d04a31a71d0199c6
f5d668c551cecb12f6404214fb0c8251



Recommended blocklist:
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39

Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk

This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment:

From:    customer.service@axminster.co.uk
Date:    24 March 2016 at 10:11
Subject:    Your order has been despatched

Dear Customer

The attached document* provides details of items that have been packed and are ready for despatch.

Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.

Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm

Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)

Kind regards

Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk

* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8]  shows download locations at:

skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe


This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:

71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)


It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.

UPDATE

Some additional download locations from another source (thank you!)

webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe



Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41