Sponsored by..

Showing posts with label Poland. Show all posts
Showing posts with label Poland. Show all posts

Tuesday, 24 May 2016

Evil network: OVH / kaminskiy@radiologist.net

Here's an Angler EK cluster, hosted on multiple ranges rented from OVH France.. working first from this list of Angler IPs in OVH address space we can see a common factor.

5.135.249.214
5.135.249.215
51.255.59.119
51.255.59.120
51.255.59.121
51.255.59.123
91.134.206.128
91.134.206.129
91.134.206.130
91.134.206.131
91.134.204.217
91.134.204.218
91.134.204.219
91.134.204.243
91.134.204.245
91.134.204.247

One handy thing that OVH does with suballocated ranges is give clear details about the customer. This certainly helps track down abusers. In this case, the ranges these IPs are in are allocated to:

organisation:   ORG-KM91-RIPE
org-name:       Kaminskiy Mark
org-type:       OTHER
address:        Bema 73
address:        01-244 Warszawa
address:        PL
e-mail:         kaminskiy@radiologist.net
abuse-mailbox:  kaminskiy@radiologist.net
phone:          +48.224269043
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-05-18T14:46:09Z
last-modified:  2016-05-18T14:46:09Z
source:         RIPE


That ORG-KM91-RIPE reference can be looked up on the RIPE database: giving more of these little /30 blocks:

5.135.249.212/30
51.255.59.116/30
51.255.59.120/30
51.255.59.124/30
91.134.206.128/30
91.134.204.212/30
91.134.204.216/30
91.134.204.220/30
91.134.204.240/30
91.134.204.244/30
91.134.204.248/30
91.134.204.252/30
164.132.223.192/30


OVH have been pretty good at cleaning up this sort of thing lately (unlike PlusServer) so hopefully they will get this under control.

If you want to find other Angler EK ranges then I have a bunch of 'em in my Pastebin.

Wednesday, 20 April 2016

Malware spam: "Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]" / "Document No™2958719"

This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:

From:    Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]
Date:    20 April 2016 at 11:01
Subject:    Document No™2958719

Thanks for using electronic billing

Please find your document attached

Regards


Beerhouse Self Drive
In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:

bi.pushthetraffic.com/87ty8hbvcr44

There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between then identify what is likely to be Dridex, phoning home to the following servers:

193.90.12.221 (MultiNet AS, Norway)
212.126.59.41 (Letshost / Digiweb, Ireland)
93.104.211.103 (Contabo GmbH, Germany)
155.133.82.82 (FUFO Studio Agata Grabowska, Poland)
212.50.14.39 (Computers Equipnemt, Bulgaria)
91.194.251.204 (TOV Dream Line Holding, Ukraine)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)


Recommended blocklist:
193.90.12.221
212.126.59.41
93.104.211.103
155.133.82.82
212.50.14.39
91.194.251.204
194.116.73.71
64.76.19.251



Thursday, 24 March 2016

Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk

This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment:

From:    customer.service@axminster.co.uk
Date:    24 March 2016 at 10:11
Subject:    Your order has been despatched

Dear Customer

The attached document* provides details of items that have been packed and are ready for despatch.

Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.

Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm

Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)

Kind regards

Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk

* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8]  shows download locations at:

skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe


This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:

71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)


It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.

UPDATE

Some additional download locations from another source (thank you!)

webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe



Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41




Friday, 18 March 2016

Malware spam: "Proof of Delivery Report: 16/03/16-17/03/16" / UKMail Customer Services [list_reportservices@ukmail.com]

This spam does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    UKMail Customer Services [list_reportservices@ukmail.com]
Date:    18 March 2016 at 02:46
Subject:    Proof of Delivery Report: 16/03/16-17/03/16

Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD



...........................................................................................................................................................................................
iMail Logo
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.

At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm which has a VirusTotal detection rate of 9/55. This Malwr report for the sample shows a file download from:

kervanburak.com/wp-content/plugins/hello123/r34t4g33.exe

There will be many other versions of the attachment with different download locations. This binary has a detection rate of 8/55 and this Malwr report and Hybrid Analysis  show network traffic to:

64.147.192.68 (Dataconstructs, US)

I recommend you block traffic to that IP. The payload appears to be the Dridex banking trojan.

UPDATE 1

This DeepViz report shows some additional IP addresses contacted:

64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


UPDATE 2

Some additional download locations from a trusted source (thank you!):

almexports.com/wp-content/plugins/hello123/r34t4g33.exe
cky.org.uk/wp-content/plugins/hello123/r34t4g33.exe
felipemachado.com/wp-content/plugins/hello123/r34t4g33.exe
ioy.co.il/wp-content/plugins/hello123/r34t4g33.exe
muhidin.eu.pn/wp-content/plugins/hello123/r34t4g33.exe
tribebe.com/wp-content/plugins/hello123/r34t4g33.exe
voiceofveterans.in/wp-content/plugins/hello123/r34t4g33.exe


Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78

Thursday, 17 March 2016

Malware spam: "Interparcel Documents" / Interparcel [bounce@interparcel.com]

This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
From:    Interparcel [bounce@interparcel.com]
Date:    17 March 2016 at 08:51
Subject:    Interparcel Documents

Your Interparcel collection has been booked and your documents are ready.

There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.

Thank you for booking with Interparcel.
Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:

gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/56h4g3b5yh.exe


The detection rate for the binary is 5/57. This DeepViz report on the binary shows network connections to:

195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


As mentioned before, these characteristics look like the Dridex banking trojan.

Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78




Wednesday, 9 March 2016

Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]

This terse spam has a malicious attachment. There is no body text.
From:    Idris Mohammed [idrismohammed25@gmail.com]
Date:    9 March 2016 at 09:55
Subject:    DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
 
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe


There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:

64.76.19.251 (Impsat, Argentina)

I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.

UPDATE

A contact sent some more download locations (thank you!)

oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe


..and also some additional C2s..

188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234




Thursday, 3 March 2016

Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]

This spam does not come from KM Media Group but it is instead a simple forgery with a malicious attachment:

From     Sally Webb [swebb@thekmgroup.co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535

--

regards,
Sally


*Sally Webb*
Recruitment Media Sales Executive
KM Media Group

DDI : 01622 794500
Email : swebb@thekmgroup.co.uk

*KM Media Group is Kent's only independent multimedia company*

*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*

*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*

Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detectin rates around 3/55. Analysis from another source (thank you) gives download locations at:

coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe


The initial payload has a detection rate of 4/55 which has now been updated with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:

188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234


Monday, 29 February 2016

Malware spam: "Invoice #16051052/15" / "Dear costumer"


This fake financial email (sent to "Dear costumer") has a malicious attachment.

From:    Velma hodson
Date:    29 February 2016 at 16:49
Subject:    Invoice #16051052/15

Dear costumer,

You are receiving this informational letter because of the fact that you have a debt totaling $157,54 due to late payment of invoices dating March ‘15.

In attachment you will find a reconciliation of the past 12 months (year 2015).

Please study the file and contact us immediately to learn what steps you should take to avoid the accrual of penalties.


I have only seen a single sample with an attachment named Invoice_ref-16051052.zip which in turn contains a malicious script invoice_kOUEsX.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 2/55 and these automated analysis tools [1] [2] show that it attempts to download a binary from the following locations:

ohiyoungbuyff.com/69.exe?1
helloyungmenqq.com/69.exe?1


The domain names have a similar theme, indicating that the servers are malicious. It migh be worth blocking:

91.196.50.241 (EuroNet, Poland)
50.3.16.250 (Eonix, US)


This Malwr report  shows that the dropped payload is ransomware, calling home to the following domains:

biocarbon.com.ec
imagescroll.com
music.mbsaeger.com
stacon.eu


I recommend that you block traffic to those domains plus the two IPs, giving a recommended blocklist of:

91.196.50.241
50.3.16.250
biocarbon.com.ec
imagescroll.com
music.mbsaeger.com
stacon.eu



Friday, 15 January 2016

Malware spam: "Your order #7738326 From The Safety Supply Company" / Orders - TSSC [Orders@thesafetysupplycompany.co.uk]

This fake financial spam does not come from The Safety Supply Company but is instead a simple forgery with a malicious attachment:
From:    Orders - TSSC [Orders@thesafetysupplycompany.co.uk]
Date:    15 January 2016 at 09:06
Subject:    Your order #7738326 From The Safety Supply Company

Dear Customerl

Thank you for your recent purchase.

Please find the details of your order through The Safety Supply Company attached to this email.

Regards,

The Sales Team
So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.

UPDATE 1

This Hybrid Analysis on the first sample shows it downloading from:

149.156.208.41/~s159928/786585d/08g7g6r56r.exe

That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to commicate with:

216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)


I have now seen another version of the DOC file [VT 4/54] which has similar characteristics.

Dropped file MD5:
9138e36d70ab94349558c61e92ab9ae2

Attachment MD5s:
d5a25f10cb91e0afd00f970cee7c5f01
985bb69a8c292d90a5bd51b3dbec76ac


UPDATE 2

This related spam run gives some additional download locations:

nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe


Sources also tell me that there is one at:

204.197.242.166/~topbun1/786585d/08g7g6r56r.exe

Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
204.197.242.166
149.156.208.41


Monday, 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:
From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )
I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.

UPDATE

I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:

bjdennehy.ie/~upload/89u87/454sd.exe

This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)


MD5s:
495d47eedde6566a12b74c652857887e
182db9fc18c5db0bfcb7dbe0cf61cae5
177948c68bc2d67218cde032cdaf1239
07c90e44adcf8b181b55d001cd495b7f


Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239

Thursday, 26 November 2015

Malware spam: "Invoice Document SI528880" / "Lucie Newlove [lucie@hiderfoods.co.uk]"

This fake invoice does not come from Hider Food Imports Ltd but is instead a simple forgery with a malicious attachment.

From     Lucie Newlove [lucie@hiderfoods.co.uk]
Date     Thu, 26 Nov 2015 16:03:04 +0500
Subject     Invoice Document SI528880

Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.

ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.

Hider Food Imports Ltd

REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA

Registered in England  Number : 842813

Main Tel: +44 (0)1482 561137
Sales Tel :+44 (0)1482 504333
Fax: +44 (0)1482 565668

E-Mail: mail@hiderfoods.co.uk
Website: http://www.hiderfoods.co.uk

DISCLAIMER: This e-mail and any attachments are private and confidential and are
intended solely for the use of the intended recipient(s).  If you are not the intended
recipient, you must not use, disclose, distribute, copy, print, or rely on this e-mail.
If you have received this e-mail in error, please advise the sender by return e-mail
immediately and delete all copies of this message and any attachments from your systems.
All prices quoted are subject to final confirmation. This e-mail and any other arrangements
between us will be subject to our terms and conditions of business, a copy of which
can be found at our website or available upon request.

ANTIVIRUS: Hider Food Imports Ltd regularly update and utilise current anti-virus
products.  Hider Food Imports Ltd however accept no liability for any damage which
may be caused by any virus transmitted by this e-mail or any attachments.  Recipients
should check this e-mail is free of Viruses.

The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54, and it contains this malicious macro [pastebin] which according to this Hybrid Analysis report downloads a malicious component from:

naceste2.czechian.net/76t89/32898u.exe

This executable has a detection rate of just 1/54 and automated analysis [1] [2] [3] [4] [5] shows network traffic to the following IPs:

94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
8.253.44.158 (Level 3, US)
37.128.132.96 (Memset, UK)
91.212.89.239 (Uzinfocom, Uzbekistan)
185.87.51.41 (Marosnet, Russia)
42.117.2.85 (FPT Telecom Company, Vietnam)
192.130.75.146 (Jyvaskylan Yliopisto, Finland)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
5.63.88.100 (Centr, Kazahkstan)


The payload is probably the Dridex banking trojan.

MD5s:
b8d83b04a06b6853ad3e79a977dd17af
43a1211146a1938cd4de5d46c68124eb

Recommended blocklist:
94.73.155.12
8.253.44.158
37.128.132.96
91.212.89.239
185.87.51.41
42.117.2.85
192.130.75.146
195.187.111.11
5.63.88.100


NOTE
I accidentally included 191.234.4.50 in a previous version of the blocklist. This IP is for Windows Update (I deleted it from the first list, not the second one!). If you have blocked this IP then I recommend that you unblock it.

Monday, 23 November 2015

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

NOTE:  as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    23 November 2015 at 11:06
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results [1] [2] [3]), containing a malicious macro like this [pastebin] which according to these Hybrid Analysis reports [4] [5] [6] downloads a malware binary from the following locations:

www.capodorlandoweb.it/u654g/76j5h4g.exe
xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe
cr9090worldrecord.wz.cz/u654g/76j5h4g.exe


This binary has a VirusTotal detection rate of 5/54. That VirusTotal report plus this Hybrid Analysis report and Malwr report indicate malicious traffic to the following IPs:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
89.108.71.148 (Agava Ltd, Russia)
91.212.89.239 (UZINFOCOM, Uzbekistan)
89.189.174.19 (Sibirskie Seti, Russia)
122.151.73.216 (M2 Telecommunications, Australia)
37.128.132.96 (Memset Ltd, UK)
195.187.111.11 (SGGW, Poland)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
77.221.140.99 (Infobox.ru, Russia)
195.251.145.79 (University Of The Aegean, Greece)


The payload is likely to be the Dridex banking trojan.

MD5s:
37f025e70ee90e40589e7a3fd763817c
3e25ba0c709f1b9e399e228d302dd732
e6f1003e4572691493ab1845cb983417
5b6c01ea40acfb7dff4337710cf0a56c

Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79

Monday, 29 June 2015

Malware spam: "Payslip for period end date 29/06/2015" / "noreply@fermanagh.gov.uk"

This fake financial spam comes with a malicious payload:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    29 June 2015 at 11:46
Subject:    Payslip for period end date 29/06/2015

Dear [redacted]

Please find attached your payslip for period end 29/06/2015

Payroll Section

Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55. Automated analysis [1] [2] shows a file being downloaded from:

http://audileon.com.mx/css/proxy_v29.exe

That binary has a detection rate of just 2/55 [Malwr analysis] Also, Hybrid Analysis [1] [2] shows the following IPs are contact for what looks to be malicious purposes:

69.73.179.87 (Landis Holdings Inc, US)
67.219.166.113 (Panhandle Telecommunications Systems Inc., US)
212.37.81.96 (ENERGOTEL a.s./ Skylan s.r.o, Slovakia)
209.193.83.218 (Visionary Communications Inc., US)
67.206.96.30 (Chickasaw Telephone, US)
208.123.129.153 (Secom Inc , US)
91.187.75.75 (Servei De Telecomunicacions D'Andorra, Andorra)
84.16.55.122 (ISP Slovanet (MNET) Brezno, Czech Republic)
178.219.10.23 (Orion Telekom, Serbia)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
178.54.231.147 (PP Merezha, Ukraine)
75.98.158.55 (Safelink Internet, US)
67.206.97.238 (Chickasaw Telephone, US)
176.197.100.182 (E-Light-Telecom, Russia)
31.134.73.151 (Trk Efir Ltd., Ukraine)
188.255.241.22 (Orion Telekom, Serbia)
31.42.172.36 (FLP Pirozhok Elena Anatolevna, Ukraine)
67.207.228.144 (Southwest Oklahoma Internet, US)
176.120.201.9 (Subnet LLC, Russia)
109.87.63.98 (TRIOLAN / Content Delivery Network Ltd, Ukraine)
38.124.169.148 (PSINet, US)
80.87.219.35 (DSi DATA s.r.o., Slovakia)
195.34.206.204 (Private Enterprise Radionet, Ukraine)
93.119.102.70 (Moldtelecom LIR, Moldova)
184.164.97.242 (Visionary Communications Inc., US)

I am unable to determine exactly what the payload is on this occassion.

Recommended blocklist:
69.73.179.87
67.219.166.113
212.37.81.96
209.193.83.218
67.206.96.30
208.123.129.153
91.187.75.75
84.16.55.122
178.219.10.23
194.28.190.84
83.168.164.18
178.54.231.147
75.98.158.55
67.206.97.238
176.197.100.182
31.134.73.151
188.255.241.22
31.42.172.36
67.207.228.144
176.120.201.9
109.87.63.98
38.124.169.148
80.87.219.35
195.34.206.204
93.119.102.70
184.164.97.242

MD5s:
71a42eaac6f432c8dc04465c065e48e1
4009cd042071c81ce9c1aaa13ac046f2


Tuesday, 19 May 2015

Malware spam: "Australian Taxation Office [noreply@ato.gov.au]" / "eFax message - 2 page(s)"

Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    19 May 2015 at 12:48
Subject:    eFax message - 2 page(s)

Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.

* The reference number for this fax is
min2_did16-0884196800-3877504043-49.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile.com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr.

This executable has a detection rate of 5/57. Automated analysis tools [1] [2] [3] shows that it downloads a further component from:

http://employmentrisk.com/images/1405uk77.exe

In turn, this has a detection rate of 4/57 and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).

Recommended blocklist:
employmentrisk.com
194.28.190.183

MD5s:
a6aa82995f4cb2bd29cdddedd3572461
b3b483c10d4f7eacd7cfa42f604968f8

Tuesday, 7 April 2015

Malware spam: "EBOLA INFORMATION" / "noreply@ggc-ooh.net"

This fake medical email contains a malicious attachment. It's a novel approach by the bad guys, but I doubt that many people will find it believable enough to click.

From:    noreply@ggc-ooh.net
Reply-To:    noreply@ggc-ooh.net
Date:    7 April 2015 at 08:58
Subject:    EBOLA INFORMATION

This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ggc-ooh.net

PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.

THANK YOU.
Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro [pastebin] which is contains a lot of girls names as variables (which makes a nice change from the randomly-generated stuff I suppose).

When decoded the macro downloads a component from:

http://deosiibude.de/deosiibude.de/220/68.exe

VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs (ones in bold are most likely static, the others look to be dynamic):

37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)

85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)

According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.

Recommended blocklist:
37.140.199.100
46.228.193.201
130.241.92.141
46.101.49.125
122.167.6.68
85.255.173.109
5.100.249.215
217.37.39.235
81.190.50.232
46.228.193.201
89.228.15.18


MD5s:
E4CC002A95CAAF4481CB7140BBE96C58
C86A9D012E372D0C3A82B14978FFA1F0
F98A674A5FA473AC9BF738636FF6374E



Wednesday, 11 March 2015

Malware spam: "Voicemail Message (07813297716) From:07813297716"

When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From:     Voicemail admin@victimdomain
Date:     11/03/2015 11:48
Subject:     Voicemail Message (07813297716) From:07813297716

IP Office Voicemail redirected message

Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:

http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php

This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicous macros rather than EXE-in-ZIP attacks.

The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:

http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe


This component has a detection rate of 5/57. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57 which is the same Dridex binary we've been seeing all day.

Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:

31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.3
104.232.32.119
188.120.243.159




Sunday, 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang, some of it appears to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.

accounting-kent.net
aerostat-adventures.net
aim-darts.net
airnavrace.net
amia.cc
aqu.su
artplat.com
binfile.net
brigadiramoon170.com
ccl.su
clubkindergarten.net
combonicer200.com
ehk.su
flatroom.net
gefesosexwithjimmy.org
iceselinsgrove.com
kartaby.com
keksnownikolle.biz
kirr.cc
lollipollyboobs.org
lostpetutah.net
macdegredo.com
mecheti.com
megemind.com
onetimedns.com
orimylife.net
pcg.su
quarter.su
sandwars.net
sec-one-dns.com
security-apps24.com
securityappsmart.com
security-safedomains.com
security-trust.com
smis.cc
stepnitres.ru
studio-sands.net
unicttaskforce.com
usgunlavs.net
webercountyfairr.net
wildscot-tv.com
world-motorhome.net

12.42.61.221    (AT&T, US)   
19.214.121.54    (Ford Motor Company, US)    [ns]
22.15.199.21    (DOD, US)    [ns]
23.253.75.234    (Rackspace, US)   
31.210.107.33    (Radore Veri Merkezi Hizmetleri, Turkey)   
32.21.129.43    (AT&T, US)    [ns]
32.90.65.25    (AT&T, US)    [ns]
37.255.241.29    (TCE, Iran)   
41.66.55.3    (Cote d'Ivoire Telecom, Cote d'Ivoire)    [ns]
41.106.3.132    (FTTH, Algeria)    [ns]
42.96.195.183    (Alibaba, China)    [ns]
54.81.32.208    (Amazon AWS, US)   
65.27.155.176    (Time Warner Cable, US)   
79.88.112.206    (Societe Francaise du Radiotelephone, France)   
83.239.90.244    (OJSC Rostelecom Macroregional Branch South, Russia)   
89.39.83.177    (C&A Connect SRL, Romania)   
89.69.138.91    (UPC, Poland)   
92.84.13.131    (Romtelecom, Romania)    [ns]
93.190.137.5    (Worldstream, Netherlands)   
95.57.118.56    (Dmitry Davydenko / Goldhost LLC, Kazakhstan)   
96.44.143.179    (Quadranet Inc, US)   
103.31.251.202    (Argon Data Communication, Indonesia)   
108.81.248.139    (William Allard / AT&T, US)   
109.24.255.129    (Societe Francaise du Radiotelephone, France)   
112.222.201.43    (LG DACOM Corporation, Korea)   
115.28.39.216    (Hichina Web Solutions, China)   
128.101.154.25    (University of Minnesota, US)    [ns]
128.199.235.196    (DigitialOcean Cloud, Singapore)   
130.255.185.19    (Bradler & Krantz, Germany)   
147.249.171.10    (IDD Information Services, US)    [ns]
152.46.17.236    (North Carolina Research and Education Network, US)   
162.243.39.118    (Digital Ocean, US)   
167.15.26.219    (Munich Reinsurance America Inc, US)    [ns]
167.120.25.43    (The Dow Chemical Company, US)    [ns]
171.76.101.11    (Bharti Cellular Ltd, India)    [ns]
175.107.192.56    (Cyber Internet Services Pakistan, Pakistan)   
176.53.125.6    (Radore Veri Merkezi Hizmetleri, Turkey)   
181.41.194.253    (HOST1FREE at Brazil, Brazil)   
184.154.170.10    (SingleHop, US)    [ns]
185.9.159.205    (Salay Telekomunikasyon Ticaret Limited Sirketi, Turkey)   
186.194.39.139    (FMG Macabuense com serv distrib ltda-me, Brazil)    [ns]
186.202.184.178    (Locaweb Servi├žos de Internet S/A, Brazil)   
186.214.212.64    (Global Village Telecom, Brazil)   
188.165.91.216    (OVH, France / DoHost, Egypt)    [ns]
188.168.142.57    (Transtelecom CJSC, Russia)   
193.17.184.247    (Biznes-Host.pl, Poland)   
194.209.82.222    (blue-infinity, Switzerland)    [ns]
203.235.181.138    (KRNIC, Korea)   
208.167.238.115    (Choopa LLC, US)   
209.203.50.200    (Vox Telecom, South Africa)   
222.218.13.91    (Chinanet Guangxi Province Network , China)    [ns]


12.42.61.221
19.214.121.54
22.15.199.21
23.253.75.234
31.210.107.33
32.21.129.43
32.90.65.25
37.255.241.29
41.66.55.3
41.106.3.132
42.96.195.183
54.81.32.208
65.27.155.176
79.88.112.206
83.239.90.244
89.39.83.177
89.69.138.91
92.84.13.131
93.190.137.5
95.57.118.56
96.44.143.179
103.31.251.202
108.81.248.139
109.24.255.129
112.222.201.43
115.28.39.216
128.101.154.25
128.199.235.196
130.255.185.19
147.249.171.10
152.46.17.236
162.243.39.118
167.15.26.219
167.120.25.43
171.76.101.11
175.107.192.56
176.53.125.6
181.41.194.253
184.154.170.10
185.9.159.205
186.194.39.139
186.202.184.178
186.214.212.64
188.165.91.216
188.168.142.57
193.17.184.247
194.209.82.222
203.235.181.138
208.167.238.115
209.203.50.200
222.218.13.91

Tuesday, 13 August 2013

Pharma sites to block

These fake pharma sites and IPs seem related to these malware domains, and follows on from this list last week.

31.184.241.32 (Petersburg Internet Network, Russia)
46.29.18.176 (Sprint SA, Poland)
61.57.103.241 (Taoyuan TBC, Taiwan)
61.133.234.105 (Haidong Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.95 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithunia)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithunia)
197.231.210.165 (Inspiring Networks LTD, Seychelles)
199.180.100.82 (PEG TECH INC, US)
199.180.100.85 (PEG TECH INC, US)

Recommended blocklist:
31.184.241.0/24
46.29.18.176
61.57.103.241
61.133.234.105
91.199.149.0/24
91.204.162.0/24
91.216.163.92
185.5.99.145
185.8.106.161
197.231.210.165
199.180.100.82
199.180.100.85
0xm0v3t1.mediastoreplus.com
17z2h9ue.mediastoreplus.com
1dsnx7pjs.mediastoreplus.com
2hdija03.mediastoreplus.com
2pillsonline.com
353.mediastoreplus.com
3qtpidpzlw.mediastoreplus.com
4ow5mu5.mediastoreplus.com
53zx71we.mediastoreplus.com
6gi.mediastoreplus.com
7boma.mediastoreplus.com
7umio9jjc.mediastoreplus.com
8hk0oib.mediastoreplus.com
8vi8.mediastoreplus.com
androidrugstoretablet.com
b6m0z.mediastoreplus.com
benedictaselie.com
bidh.ru
biotechealthcarepills.pl
boschmedicaremeds.com
briannecarlotta.com
b-wfkif3p.mediastoreplus.com
canadaipad.com
canadiancanada.com
coopaq.ru
danyetteeaster.com
dehxqc.elut.ru
dieein.com
dietrxhcg.com
dl6xmehg.mediastoreplus.com
drugslnessmedicine.com
drugstorepillsdrugs.com
drugstorepillwalgreens.com
dysm.ru
eyg.mediastoreplus.com
fvecare.com
gtyktdli.com
hece.ru
herbalburdette.com
herbalpillecstasy.com
htta.ru
inningmedicare.com
inningmedicare.pl
jdok.mediastoreplus.com
joam.ru
jsp0.mediastoreplus.com
jvtbkpmtkv.mediastoreplus.com
kaleic.ru
knei.ru
kxh.mediastoreplus.com
l3l1h.mediastoreplus.com
laug.ru
li2.mediastoreplus.com
mbid.ru
medicaidarmedicare.com
medicaretabletandroid.com
medicinetabletsurface.com
medopioid.pl
menono.ru
menutabmed.com
mwpzi.mediastoreplus.com
myviagragenerics.pl
n3zb4o5u9.mediastoreplus.com
nexuslevitra.com
nispw96.mediastoreplus.com
oshu.ru
patientsviagramedicare.com
pharmedtransplant.com
pharmreit.com
pharmysmartrend.com
pilldrugprescription.net
pillsstreetinsider.com
prescriptioncarecenter.com
prescriptionmedicinepatients.com
prescriptionmedwalgreen.com
qgb7zxj.mediastoreplus.com
quzkobeox.com
ruld.ru
rxdrugspills.ru
rxnicu.com
rzu1b.mediastoreplus.com
s5bw.mediastoreplus.com
shelbieleni.com
sieh.ru
skah.ru
tabcialbenghazi.com
tabherbalsummary.com
thegenericsprescription.com
torontocanadapharm.com
torontotab.pl
us0cyezkn.mediastoreplus.com
viagramedicaid.com
viagramedicineveterinary.com
viagramedicineveterinary.pl
vsn268zo3.mediastoreplus.com
w5lpytop.mediastoreplus.com
weightdietpharm.com
welnesslevinikita.com
welnessnsmt.com
wpakq.mediastoreplus.com
wroo.ru
ya3zwmrmgk.mediastoreplus.com
zva4p7457.mediastoreplus.com
zwig.ru

Tuesday, 6 August 2013

Pharma sites to block 6/8/13

A new list of pharma sites and IPs, related to this bunch.

61.150.109.186 (China Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithunia)
178.88.64.149 (Kazakh Telecom, Kazakhstan)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithunia)
190.55.85.133 (Telecentro S.A., Argentina)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
200.185.230.32 (Ajato Telecomunicacao Ltda, Brazil)
202.197.127.42 (CERNET, China)
218.92.160.138 (Funing Tianlong Netbar, China)

61.150.109.186
91.199.149.0/24
91.204.162.81
91.204.162.96
91.216.163.92
178.88.64.149
185.5.99.145
185.8.106.161
190.55.85.133
192.162.19.0/24
200.185.230.32
202.197.127.42
218.92.160.138
1bqmv6ir.tabletmedicinert.com
1n77x6up.mediastoreplus.com
54djq7gs.tabletmedicinert.com
5n2f.mediastoreplus.com
6tpvvfwl.mediastoreplus.com
6un8dtnf.mediastoreplus.com
7geh.mediastoreplus.com
8u4lrx6.mediastoreplus.com
a1nyffx.mediastoreplus.com
a6g9whoe.tabletmedicinert.com
avagdezc.net
biotechealthcarepills.pl
boschwelness.com
caloriesviagra.com
canadaipad.com
canadaviagracanadas.com
canadaviagracent.com
canadiancanada.com
canadian-pharmacy-ltd.org
carerxpatient.com
coopaq.ru
d5pz5c35.tabletmedicinert.com
d8chph3.mediastoreplus.com
dacl3uy1.tabletmedicinert.com
deii.ru
dieein.com
dietarymeds.com
dietwelweight.com
drugmedsgenerics.com
drugsdrugstorepills.com
drugstorepillwalgreens.com
eari.ru
familymedicinerx.com
finding.dietpillgenerics.com
genericswelloch.com
ghwfloaf.com
gied.ru
gtyktdli.com
healthcarebiotechnology.net
hece.ru
herbalburdette.com
herbalprescriptiondrugs.com
htta.ru
iald.ru
in.taxwelnesslevitra.com
inningmedicare.pl
isoe.ru
jmwxxvyj.com
joam.ru
judact.ru
jx5nqjzf.tabletmedicinert.com
kindredhealthcaretab.pl
knei.ru
knr78b16.tabletmedicinert.com
korsinskytrarx.com
laug.ru
m62i5x7e.tabletmedicinert.com
marijuanamedicalviagra.com
marl.myherbalpharmacy.com
mbid.ru
mediastoreplus.com
medicaltabgroup.com
medicaresupplementrx.net
medicinetabletsurface.com
medicinevitamin.com
mediterraneanpharmacydiet.com
medopioid.pl
medsherbalbosch.nl
myherbalpharmacy.com
myviagragenerics.pl
newpillcialis.eu
nmvwta.mediastoreplus.com
nrytgyxvom.com
opioidpill.com
p6vxdhiu.tabletmedicinert.com
paracanada.com
paub.ru
pharmedtransplant.com
phof.ru
pillcanadian.com
pillgenericsgroup.com
pillsmedicinepatients.com
pillssmartrend.com
pillsstreetinsider.com
pillstabletspharmacy.ru
ptnh86kk.tabletmedicinert.com
qatt.ru
qkwc1s52.tabletmedicinert.com
rggrjipn.com
ruld.ru
satishmeds.pl
siew.ru
skah.ru
smartrendsale.com
sutasu.ru
tabletcareandroid.nl
tabletmedicaid.pl
tlar.ru
tmedf7c4j.mediastoreplus.com
torontotab.pl
tuo.mediastoreplus.com
tys.mediastoreplus.com
u0s3oqf6.tabletmedicinert.com
uney.ru
virv.ru
vitaminnutritionherbal.com
vomise.ru
welnessnsmt.com
wroo.ru
xior.ru
yesydzevr.com
yn72ov2j.tabletmedicinert.com
zwig.ru



Tuesday, 30 July 2013

Pharma sites to block 30/7/13

This IPs host (fake) pharma sites which seem to be associated with this gang and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent.

88.190.218.27 (PROXAD Free SAS, France)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.200.13.15 (SKS-Lugan, Ukraine)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
94.152.188.165 (KEI, Poland)
94.242.239.4 (root SA, Luxemburg)
109.107.203.45 (Vodafone, Czech Republic)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
198.23.59.79 (LiquidNet US LLC, US)

Recommended blocklist:
88.190.218.27
91.199.149.0/24
91.200.13.0/24
91.204.162.81
91.204.162.96
94.152.188.165
94.242.239.4
109.107.203.45
192.162.19.0/24
198.23.59.79
1bqmv6ir.tabletmedicinert.com
3hpd38kt.tabletmedicinert.com
3j2ilmza.tabletmedicinert.com
3taa0484.tabletmedicinert.com
54djq7gs.tabletmedicinert.com
6tpvvfwl.mediastoreplus.com
6w8vrnw1.tabletmedicinert.com
9351s3cc.tabletmedicinert.com
a1nyffx.mediastoreplus.com
a6g9whoe.tabletmedicinert.com
androidsaletablet.com
bbji3ka1.tabletmedicinert.com
biotechpharmhealthcare.com
boschtrameds.com
caloriesviagra.com
canadaipad.com
canadamedsopioid.com
canadapharmcanadian.com
canadaviagracent.com
canadiancanada.com
carerxpatient.com
chof.ru
d5pz5c35.tabletmedicinert.com
dacl3uy1.tabletmedicinert.com
deii.ru
dispensariesrx.com
drugenericswelness.com
druggenericspharmacy.com
drugmedsgenerics.com
drugsdrugstorepills.com
drugstorepillwalgreens.com
e66y531e.tabletmedicinert.com
familymedicinerx.com
flefdukt.com
gied.ru
healthcarebiotechnology.net
herbalburdette.com
iald.ru
in.taxwelnesslevitra.com
innovatory.vitaminnutritionherbal.com
isoe.ru
jaid.ru
jx5nqjzf.tabletmedicinert.com
knr78b16.tabletmedicinert.com
laug.ru
m62i5x7e.tabletmedicinert.com
marijuanadispensariesmedical.com
marijuanamedicalviagra.com
mediastoreplus.com
medicaltabgroup.com
medicarewiqi.pl
medicinetabletsurface.com
medopioid.pl
medsherbalbosch.nl
mentalevitrapill.com
mymedicaretablet.com
mypharmacyherbal.com
myviagragenerics.pl
newpharmacyherbal.com
nmvwta.mediastoreplus.com
nrytgyxvom.com
nureri.ru
oc597g5g.tabletmedicinert.com
opioidpill.com
p6vxdhiu.tabletmedicinert.com
paracanada.com
paub.ru
pepras.ru
phof.ru
pillgenericsgroup.com
pillscialistorture.com
pillssmartrend.com
pillsstreetinsider.com
ptnh86kk.tabletmedicinert.com
qatt.ru
qkwc1s52.tabletmedicinert.com
ro3dk20p.tabletmedicinert.com
ruld.ru
rxsmartrend.com
satishmeds.pl
siew.ru
skah.ru
sugh.ru
tabbosch.com
tabletmedicaid.pl
tabletmedicinert.com
taxwelnesslevitra.com
tlar.ru
tmdtmnv5.tabletmedicinert.com
ttds2eew.tabletmedicinert.com
u0s3oqf6.tabletmedicinert.com
uney.ru
vitaminnutritionherbal.com
vomise.ru
yesydzevr.com
yn72ov2j.tabletmedicinert.com
zwig.ru