Sponsored by..

Showing posts with label Ransomware. Show all posts
Showing posts with label Ransomware. Show all posts

Monday, 7 November 2016

Malware spam: "Financial documents" leads to Locky

The never-ending Locky ransomware onslaught continues. This fake financial spam has a malicious attachment:

Subject:     Financial documents
From:     Judy Herman
To:     [redacted]
Date:     Monday, 7 November 2016, 10:53

Hi [redacted],

These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.

Best Wishes,
Judy Herman 
Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:

http://coachatelier.nl/lg8s2
http://bechsautomobiler.dk/m8idi9j
http://desertkingwaterproofing.com/ma4562
http://zapashydro.net/6sgto2bd
http://owkcon.com/6xgohg6i

According to this Hybrid Analysis, the malware then phones home to:

195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181




Thursday, 3 November 2016

Moar Locky 2016-11-03

I haven't had much time to look at the Locky runs overnight, but here is a data dump of download locations and C2s (at the bottom) from my usual reliable source:

Download locations:
10minutesto1.net/d05k5d
1stop-entertainment.com/ztpt8d0
3rock.ie/qdq1fv4c
3tr.ru/f92o6
a1match.dk/spcmi8qp
ac-elektrik.com/tvb20i
affordablewebsitesolutions.net/hdeaf
akira-sushi34.ru/przgzq
alexchen.name/aw9yipi
alexchen.name/c3ortzkj
alexeliades.com/fxhrz4
alkatech.gr/x3z70
allgameserver.com/ewxhiknt
allur.com.ua/skiz8q
alphabet-city.com.au/cbfi1
amadistrit.com/1bnao0hm
amadistrit.com/47r6wm
amadistrit.com/7exev9x1
amadistrit.com/9qci0
asambleacristiana.com.ar/e6q09un
assuredtenancyagreement.co.uk/yrz0c4v
astrainks.com/wdb2s8ny
ateliebucal.com/mxxnu
batavia-restaurant.nl/vk3p2se
bddja.com/p0u44p8z
bestcomp.ge/cp0oag4r
beta-net.lt/htfpant
beyondthedeals.com/iv41b8mg
bios.gr/mwrbr
burgeravenue.ru/tl0wf2ls
camdo89.com/rs0o9
campagno.com.au/gz4lot
carblogger.net/tzf9ba
ceramacity.ru/v6fjk
cnesa.cn/au6rql7
cokealong.com/0l609
cokealong.com/2ylfay
cokealong.com/6z1n11
cokealong.com/8qa1in
cokseyvar.com/fsodg2ho
colagung.com/izm4t243
contiades.gr/lhj4kx6
cxsite.net/l8tn0z
cyrilunrun.com/07ubcvl
cyrilunrun.com/2jnf9f8b
cyrilunrun.com/4x9yp6
cyrilunrun.com/7u1lgycs
dadashop.no/yfks5f9z
damoresilvia.com.ar/aulkfvs
deadpuppetsociety.com.au/mzgtl9z
de-btc.ru/xe1j6kx
decoulissen.be/vtdn792
derekbrooker.ca/xzziio9
dh1789.com/tu4ry8
dhback.com/hgp825l
diplocam.cm/zec5nk
douledu.com/h5vpn
dpshop.it/cq2we
drukarnia.lodz.pl/olsyi7
dtmx.pl/o0ico52
dulawa.pl/hbskw
edeldental.hu/rv97fz
edrsoft.com/atttlti
ertebat24.ir/n2khs
evotrade.ro/toz1iqw
exideworld.com.cn/zh2xd6
ezimu.com/dziykl
f8development.be/at2fpz
fiveclean.com/14msj3
fiveclean.com/3mz5l6t
fiveclean.com/76wl2
fiveclean.com/9q8jjta
kekjacint.hu/nygdhk
meskatha.com/2ccjhik
meskatha.com/49x930
meskatha.com/7i1ko82
meskatha.com/a0flf
www.50mi.cn/lbcc88r
www.compsec.co.nz/lpmn9vw
www.cvdesign.nl/h7fid1op
028happy.com/kjg56f7
1140746.net/kjg56f7
abercrombiesales.com/kjg56f7
accenti.mx/kjg56f7
acrilion.ru/kjg56f7
ahmetaksan.com/kjg56f7
alphabureau.ma/kjg56f7
antivirus.co.th/kjg56f7
apidesign.ca/kjg56f7
asastaff.com/kjg56f7
auwm.ru/kjg56f7
babuandanji.jp/kjg56f7
babyparka.ca/kjg56f7
bazkomp.pl/kjg56f7
bemmart.net/kjg56f7
bepxep.com/kjg56f7
bilisimarsivi.com/kjg56f7
blakslee.com/kjg56f7
boraba.net/kjg56f7
brokerclub.lt/kjg56f7
budeanu.ro/kjg56f7
buh-uchet71.ru/kjg56f7
byensbilleje.dk/kjg56f7
canals.cn/kjg56f7
capitalintroductionservices.com/kjg56f7
chaturk.com/kjg56f7
chuandishe.com/kjg56f7
cip.edu.pk/kjg56f7
cluster09server.com/kjg56f7
concern-block.ru/kjg56f7
daivupaint.com/kjg56f7
damai0769.com/kjg56f7
dela-cruz.eu/kjg56f7
delfin-lait.ru/kjg56f7
dienmaykhanhhuy.com/kjg56f7
dinglihn.com/kjg56f7
ding.sk/kjg56f7
discuzshop.com/kjg56f7
dongwooclean.com/kjg56f7
donrigsby.com/kjg56f7
draiveris.lt/kjg56f7
drede.ro/kjg56f7
dudenman.net/kjg56f7
dunyam.ru/kjg56f7
earthboundpermaculture.org/kjg56f7
edrian.com/kjg56f7
efson.707.cz/kjg56f7
eplotery.pl/kjg56f7
ev-entertainment.nl/kjg56f7
fcarmida.ru/kjg56f7
fedsav.com/kjg56f7
guardrupia.com/kjg56f7
inzt.net/kjg56f7
morgkelly.net/kjg56f7
365aiwu.net/43ftybb8
421pfyy.com/43ftybb8
677spo.com/43ftybb8
abgr.ru/43ftybb8
abrahams.ch/43ftybb8
adasulamasistemleri.com/43ftybb8
aifgroup.jp/43ftybb8
aircrew.co.in/43ftybb8
alkfor.ru/43ftybb8
allebanken.net/43ftybb8
almaks-mr.ru/43ftybb8
animals.org.il/43ftybb8
anime-one.com/43ftybb8
arnaudgranata.com/43ftybb8
atart.cn/43ftybb8
atforum.pl/43ftybb8
autoabs.lt/43ftybb8
automaler.ru/43ftybb8
awaelschool.com/43ftybb8
ayulduz.biz/43ftybb8
baraonda.gr/43ftybb8
basketballninja.com/43ftybb8
bassguitartips.com/43ftybb8
battleduck.ch/43ftybb8
bdvdo.net/43ftybb8
beamit.be/43ftybb8
beautyexpress.com.au/43ftybb8
bechsautomobiler.dk/43ftybb8
bestprservices.com/43ftybb8
bha-group.eu/43ftybb8
bhatiarasayanudyog.in/43ftybb8
birthdaystoday.net/43ftybb8
bluehost.hu/43ftybb8
bogaziciradyo.com/43ftybb8
bst.tw/43ftybb8
buhlmend.net/43ftybb8
bvn.lt/43ftybb8
cabanaionela.ro/43ftybb8
carmenortigosa.com/43ftybb8
casadalocacao.com/43ftybb8
chandrphen.com/43ftybb8
cheappaintball.net/43ftybb8
cheedellahousing.com/43ftybb8
chinatea.ro/43ftybb8
christen-in-nuernberg.de/43ftybb8
christmas-metal-meeting.de/43ftybb8
city-charger.ru/43ftybb8
classicnet.ir/43ftybb8
club-impact.ro/43ftybb8
coachatelier.nl/43ftybb8
coinobras.com/43ftybb8
consardproiectare.ro/43ftybb8
contserv.ro/43ftybb8
corinnenewton.ca/43ftybb8
cxsd.com.cn/43ftybb8
cyclingpromotion.com.au/43ftybb8
cyprushealthservices.com/43ftybb8
d2dlaundry.com/43ftybb8
debki-klara.pl/43ftybb8
deborahshallcross.com/43ftybb8
decactus.cl/43ftybb8
delanothayer.cl/43ftybb8
dersiz.com/43ftybb8
desertkingwaterproofing.com/43ftybb8
diandiandx.com/43ftybb8
drossell.com/43ftybb8
dwcell.com/43ftybb8
ecomission.com.au/43ftybb8
edu-net.ro/43ftybb8
ejiavip.com/43ftybb8
eldamennska.is/43ftybb8
el-sklep.com/43ftybb8
enkobud.dp.ua/43ftybb8
erotes.gr/43ftybb8
eskopb.com/43ftybb8
eurotrading.com.ua/43ftybb8
evogelbacher.de/43ftybb8
fazilusta.com/43ftybb8
fibrotek.com/43ftybb8
filmsites.nl/43ftybb8
gzycgj.com/43ftybb8
irk.24abcd.ru/43ftybb8
pastelesallegro.mx/43ftybb8
wonnapian.com/43ftybb8
ws.osenilo.com/43ftybb8
xiguacity.com/43ftybb8

C2s:
51.255.107.20/message.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
85.143.215.209/message.php (PrdmService LLC / Comfortel Ltd / Trader soft LLC, Russia)
91.230.211.103/message.php (Optibit LLC, Russia)
91.239.232.171/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
194.28.87.26/message.php (Hostpro Ltd, Ukraine)
51.255.107.20/linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
194.28.87.26/linuxsucks.php (Hostpro Ltd, Ukraine)

Recommended blocklist:
51.255.107.20
85.143.215.209
91.230.211.103
91.239.232.171
93.170.123.119
194.1.239.152
194.28.87.26

Tuesday, 1 November 2016

Malware spam: "This is to inform that the transaction you made yesterday is declined." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Transaction declined
From:     Chandra Frye
Date:     Tuesday, 1 November 2016, 10:48

Dear [redacted],

This is to inform that the transaction you made yesterday is declined.

Please look through the attachment for the verification of the card details.

Best Regards,
Chandra Frye
The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs) which looks like this [pastebin]. That particular sample plus one other I received communicates with the URLs below, but you can be sure that there are many more examples:

51qudu.com/mqy2pj4
bjzst.cn/qgq4dx
danapardaz.net/zrr8rtz
litchloper.com/66qpos7m
creaciones-alraune.es/dx8a5
adasia.my/f5qyi10
alecrim50.pt/g28w495t
zizzhaida.com/a0s9b
silscrub.net/07ifycb

Hybrid Analysis is inconclusive. If I get hold of the C2s or other download locations then I will post them here.

UPDATE

My usual reliable source tells me that these are all the download locations:

17173wang.com/f6w0p
176.9.41.156/rodru
4office.pl/zyjkry6
51qudu.com/mqy2pj4
akbarcab.com/p8vw992v
alpinivel.pt/as4jcmm
americanjuniorgolfschool.com/hkba7
apiaa.ro/jqm6ltfw
atech.co.th/lyyrdp9
badyna.pl/saf0zv
baoan99.com/jllkv
baranteks.com/hrnf0q44
beesket.com/jrd8d411
bikebrowse.com/mjjoy
biolume.nl/rq8mabk
bionorica.md/m61yk
birim.org/x5s8d
bisskultur.de/rawmjx
bjsunny.net/claocm
bjzst.cn/qgq4dx
blastech.cc/nsg5xyi
carsmotor.net/stab2
cascinamatine.com/a7w59h
cdxybg.com/iribzm
charoenpan.com/jv4fj
chbeirlaw.com/oyem1
civc.co.uk/y5rcauj
containermx.com/vzndc
creaciones-alraune.es/dx8a5
crossfitgladstone.com/orfx8
cvanchen.com/m61yk
danapardaz.net/zrr8rtz
daricacicekci.com/jqec1k7r
doctornauchebe.it-strategy.ru/k1d7d
eatfatlosefat.com/yx7s1
ebooks.w8w.pl/slhj1l
econsult.com.tw/dqtvy
fieldserviceca.net/dndovr
koranjebus.net/1bpsrbfa
koranjebus.net/4rwg5
koranjebus.net/94rgo
koranjebus.net/9fif0
litchloper.com/2be1xz
litchloper.com/66qpos7m
litchloper.com/96iq4o
litchloper.com/9qknusm
nbsbjt.net/icefdwl
silscrub.net/40l8w
silscrub.net/79d6w4
sonsytaint.com/0dqj0dd
sonsytaint.com/4mgxlrf
sonsytaint.com/89hs1ix
zizzhaida.com/3m6ij
zizzhaida.com/98g4ubq

These are the C2s:

91.234.32.202/linuxsucks.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
81.177.22.164/linuxsucks.php (NETPLACE, Russia)


Recommended blocklist:
91.234.32.202
81.177.22.164

Monday, 31 October 2016

Malware spam: "SureVoIP" / "Voicemail from.." leads to Locky

This fake voicemail message leads to Locky ransomware:

Subject:     Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
From:     SureVoIP (voicemailandfax@[redacted])
Date:     Monday, 31 October 2016, 11:17


Message From "Catalina rigby 02355270166" 02355270166
Created: 2016.10.31 14:46:53 PM
Duration: 00:01:22
Account: voicemailandfax@[redacted]
Details will vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts the download a component from one of the following locations.

1y9y.com/g7cberv
3922group.net/g7cberv
abraszczecin.pl/g7cberv
afh-indy.org/g7cberv
ajaraheritage.ge/g7cberv
alifaruk.com/g7cberv
andrewclark.com.au/g7cberv
arabian-link.com/g7cberv
artanatrade.com/g7cberv
artemon.gr/g7cberv
ashbury.bg/g7cberv
atelier13.ro/g7cberv
bandenland.be/g7cberv
beasee.com/g7cberv
bemassive.nl/g7cberv
bertedu.com/g7cberv
bestroyalart.com/g7cberv
blogmepro.com/g7cberv
bobyfrancisandpradeep.com/g7cberv
bolat-zhol.kz/g7cberv
buynolvadexonlineshop.com/g7cberv
bwdianji.com/g7cberv
carama.info/g7cberv
caseycarrental.com/g7cberv
ceil.hk/g7cberv
cetinakademi.com/g7cberv
charistia.info/g7cberv
crossroadsmgmt.com/g7cberv
ctrlalt.de/g7cberv
dapos.ru/g7cberv
dbtsites.com/g7cberv
decoracionbebes.com/g7cberv
detectodecolombia.com/g7cberv
devinkellerart.com/g7cberv
ditjenp2p.info/g7cberv
dobromoda.ru/g7cberv
doolotto.com/g7cberv
dor29.ru/g7cberv
drevenefasady.eu/g7cberv
drpneu.ro/g7cberv
ekotracks.com/g7cberv
emg.su/g7cberv
en.fitgrp.com/g7cberv
enliveshow.com/g7cberv
fortuneprixgroup.com/g7cberv
freehosted.netai.net/g7cberv
gopa1.ru/g7cberv
grupotalents.com/g7cberv
halimbamdad.ir/g7cberv
haydistributing.com/g7cberv
hundeschulegoerg.de/g7cberv
inventionsteel.com/g7cberv
ipmart.co.in/g7cberv
jianshu100.com/g7cberv
jnzbookkeeping.com/g7cberv
kavehconsultancy.co/g7cberv
liftaccessory.com/g7cberv
lux-luster.com/g7cberv
lzeshine.com/g7cberv
monoadage.net/g7cberv
nbjzpx.com/g7cberv
net2008.com/g7cberv
newdawnexperience.com/g7cberv
nixvector.com/g7cberv
oakridge-realty.com/g7cberv
oualili.org/g7cberv
pandoracharm.ru/g7cberv
panel.steelpars.com/g7cberv
paulasalamanca.com/g7cberv
peskara.com/g7cberv
pidaco.com/g7cberv
reviewprimer.com/g7cberv
ri-vyoo.com/g7cberv
rkanswers.com/g7cberv
rktest.net/g7cberv
rndled.com/g7cberv
trustcarts.com/g7cberv
unoldontal.com/g7cberv
webframez.com/g7cberv
www.a2zportals.com/g7cberv
www.shavash.ir/g7cberv
www.webframez.com/g7cberv
xn--72c6awi9b2bj7ixcg4c.com/g7cberv
zist-konkur.ir/g7cberv

The C2 servers overlap with the ones found here.

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152



Malware spam: "Wrong tracking number" leads to Locky

This spam email leads to Locky ransomware:

From     "Samuel Rodgers"
Date     Mon, 31 Oct 2016 15:21:22 +0530
Subject     Wrong tracking number

It looks like the delivery company gave us the wrong tracking number.

Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.
The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script [pastebin] named something like tracking number A99DB PDF.vbs.

That script tries to download a component from:

tastebudsmarketing.com/uw6lin
mechap.com/xd7uh
coffeeteashop.ru/daz2rp
ficussalm.com/0bqzcn96
waynesinew.com/0fqt9he1

There will no doubt be other locations. At present I do not have those or the C2 servers, but will update this post if I get them.

UPDATE

The full list of download locations is as follows (thank you to my usual source):

365cuit.com/d9x9f0
7ut.ru/ge9j0et2
8hly.com/jc45tun
a1akeyssportfishing.com/etrt5
academy24.nl/k6lxc
aconetrick.com/2ejczfc
aconetrick.com/564nr0
aconetrick.com/6yoajl7
aconetrick.com/bwt2ixo
ami-mo.ca/k5xhdz2
ami-mo.ca/kr641jxw
archilog.at/imwjmt
architectureetenvironnement.ma/g31701d
badznaptak.pl/inlgm49
bebmila.it/eczde9
buenotour.com/j97s7
business-cambodia.com/he8wtc
campossa.com/vjbfdtj
cdqdms.com/d887wn9
cintasuci.com/cl6pa
coffeeteashop.ru/daz2rp
comistus.net/j6y95
customrestaurantapps.com/gn7c2se
dgtoca.net/d1wr3
dicresco.vn/gq1bjtbb
ecig-ok.com/luflbx4
eijsvogel.nl/gpbka1n2
elgrandia.com.mx/ginlp2f
epsihologie.com/jd2qrzg
eredmenyek.net/ff2i98t
ficussalm.com/0bqzcn96
ficussalm.com/2m6u1jt9
ficussalm.com/65s3r
ficussalm.com/8pmjmwp
financesystem.net/inliid
frijaflail.com/21fpb
frijaflail.com/37cu2
frijaflail.com/6u982pak
frijaflail.com/bnrxxvsk
mcmustard.com/u6ll6y
mechap.com/xd7uh
personalizar.net/nrwnmk
personalizar.net/qz5x2mmr
robertocostama.com/xyulv
shouwangstudio.com/xkocl94
sintasia.com/ziyd0iap
tastebudsmarketing.com/uw6lin
thegioitructuyen.org/rw6ost0e
timwhid.com/1mdm3
timwhid.com/33ck9bxc
timwhid.com/6twktm
timwhid.com/bnkxqf
tjbjpw.com/wsdou72d
tonglizhongji.com/xia3fu0
tropicalcoffeebreak.com/mqomzf
utopiamanali.com/tylv91
valpit.ru/syrwg2r3
vedexpert.com/zt4ug
visualtopshop.com/svnjzk9
warisstyle.com/sq1sae
wayneboyce.com/u5ahu
waynesinew.com/0fqt9he1
waynesinew.com/2psuru2
waynesinew.com/67egbs
waynesinew.com/9li2sv1r
wbakerpsych.com/mm3kuv
wedding-pix.net/u39ssq
wei58.com/wnticba
wklm.it/qjv1ap
xa12580.com/pq2xb
xhumbrella.com/rb374woh
yurtdax.com/wgltz
zbdesignsas.com/m13o692o
znany-lekarz.pl/wd7zj

The malware phones home to:

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
5.187.7.111/linuxsucks.php (Fornet Hosting, Spain)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152

Friday, 28 October 2016

Malware spam: "Payment history" leads to Locky

Another morning, another spam run pushing Locky ransomware:

Subject:     Payment history
From:     Theodore Wilkins
Date:     Friday, 28 October 2016, 10:09

The payment history for the first week of October 2016 is attached as you requested.

Please review it and let us know if you have any question.
The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script [pastebin] (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these script in these automated analyses [1] [2].

There are many different variants of the script, downloading components from:

2rtt-2rm.ru/grb7c
92hanju.com/utl41nrt
a1plus2.de/ljwxw6vh
accubattery.eu/sjc2at
aegischina.com/yrp6eyv
agrobiciuffa.com.ar/l5e7m6i
allaboutseniors.in/wtm1i0yg
alpha-next.com/ssvmwa
angundoviz.com/lhk96wx
aoteatrial.net/02yls0
aoteatrial.net/142y5x
aoteatrial.net/4865ht
aoteatrial.net/7gojeo
artmusic.dk/izpv2d39
autoreal16.ru/r1j54weq
bachledowka.net/xausf
beauty-link.jp/umjwg8f
bikemielec.com/b7owupi
bircansigorta.com/s84vkrx
blaauw-woonidee.nl/hvlqf9v4
bts-site.nl/fb80j
bumbocubeb.net/04s7752
bumbocubeb.net/163yebg7
bumbocubeb.net/4rjsepe
bumbocubeb.net/8p54eb8
burdur-bld.gov.tr/usl1pm4
buron.dk/t8nh96d
butterflytiger.com/o7eancbx
caraudiogdl.com/zm74gwvw
cavafis.gr/ouyrvo
chanet.jp/mrf40le
chernozem-msk.ru/l5wvp4nc
clinicaharvard.com/umuyki
cmmsrilanka.lk/xztuej9
codelime.net/u9dhbjib
cronos-com.ru/hbxxkshz
dadou0531.com/gych5
dcproduction.fr/wrs9q6
dohere.net/zyme3z
dollheiser.de/v5oqpb4
doogo.com.ar/vw280ik8
drewnianaskrzynka.pl/nfw15wn9
eajhosting.nl/q7jijj3k
edhalper.it/tmnm2v
efb-demarco.de/ywkdd
eflproject.org/vco8bi
egda.pl/unu16fq9
elma.7080.ru/qe3sp3
energiclima.com/sesmgrv4
enzyma.es/lpzd1gev
er-mecanicautomotriz.com/fxlkkv
e-testers.it/jy5ipe3
eurobnr.ro/qd0gn425
euromac.es/oodhs
expert-as.ru/ulfzbh
finahistory.com/jhrni
hellomissdance.com/a03sf
helsby.biz/apwms
hltrader.com/audu4f4o
huodaibbs.com/bqmvde
ilmdesign.com/aos8ly25
joshdult.net/0ia6e4
joshdult.net/3c554n2
joshdult.net/73eqx7oc
joshdult.net/9p4eh
nowon.dk/woqb5j
plookseri.net/097ga
plookseri.net/1s4bzaa1
plookseri.net/5t9nja
plookseri.net/9jyg2s70
shop.ukrtk.com/ck6jfe2e
verdianthy.com/diqlfy1
weddingandfashion.it/djzuf5c
zencart.alpm.gogzmermedia.com/h0woq
zlotysalmo.net/0zx0ken3
zlotysalmo.net/3v8va8ov
zlotysalmo.net/75vepy6f
zlotysalmo.net/9v50aob

(Thank you to my usual source for this data). The malware phones home to:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks.php [hostname: tarasik1.infium.net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks.php (Dunaevskiy Denis Leonidovich, Ukraine)


It also attempts to contact the following URLs which appear to be dead:

pqrifsjpryygmip.pw/linuxsucks.php
uxpxpirusm.xyz/linuxsucks.php
wbaskcsxiffiax.info/linuxsucks.php
kcydflvipqsvqxw.work/linuxsucks.php
haxkbqwyudoeghlhj.biz/linuxsucks.php
mdecrwmtscal.su/linuxsucks.php
pqpmswodyqlbbjmwm.pl/linuxsucks.php
yppsuvfjmnsbi.org/linuxsucks.php
fpeuwdde.xyz/linuxsucks.php
qggdljlijbygeutc.click/linuxsucks.php
juiweirqvt.su/linuxsucks.php
gyhbiuo.ru/linuxsucks.php

A DLL is dropped with a detection rate of 12/57.

Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79

Thursday, 27 October 2016

Moar Locky 2016-10-27

Lots of Locky today, here are some additional download locations for those naughty .wsf scripts.

139.162.29.193/g67eihnrv
1water.com.au/g67eihnrv
adenadataediting.com/g67eihnrv
aghadiinfotechforclient.com/g67eihnrv
agile-scrum-training.com/g67eihnrv
anandlab.com/g67eihnrv
axzio.com/g67eihnrv
banatlebanon.com/g67eihnrv
banknifty.com/g67eihnrv
bindaasdelhi.org/g67eihnrv
bmbuildingpteltd.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cfolio.uk/g67eihnrv
cibr.in/g67eihnrv
ctc.crru.ac.th/g67eihnrv
cttcleaning.com/g67eihnrv
davaomarbled.com/g67eihnrv
dev.searchthruster.com/g67eihnrv
dmlevents.com/g67eihnrv
dollsdelight.com/g67eihnrv
dreamruntech.com/g67eihnrv
drhairchandigarh.in/g67eihnrv
dryilmazyildirim.com/g67eihnrv
dssstaging.net/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eurofranq.com/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
flyingbtc.com/g67eihnrv
ftp-reklama.gpd24.pl/g67eihnrv
fullservicetech.com/g67eihnrv
goldseparator.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
infomazza.com/g67eihnrv
intomim.com/g67eihnrv
intralab.co.id/g67eihnrv
intrekmedya.com/g67eihnrv
italics.in/g67eihnrv
jackpotfutures.com/g67eihnrv
joshturansky.com/g67eihnrv
jus2chat.com/g67eihnrv
kakapublicity.com/g67eihnrv
kalkashimlataxiservice.in/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kaushikjanmejay.com/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
kursuskomputer.web.id/g67eihnrv
librahost.com/g67eihnrv
livingfreehomeramps.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
mgregency.com/g67eihnrv
micaraland.com/g67eihnrv
mileshilton-barber.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
olivierimmobiliare.com/g67eihnrv
paihotel.in/g67eihnrv
physioandpain.com/g67eihnrv
projects.seawindsolution.com/g67eihnrv
prototypingjob.com/g67eihnrv
pubbligrafica360.it/g67eihnrv
riverlifechurch.tv/g67eihnrv
saurabh-kachhadiya.comyr.com/g67eihnrv
scpolytechnic.com/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
srisaioilfield.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
tasveeranarts.in/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
tutorialcodeigniter.16mb.com/g67eihnrv
twoj-sennik.pl/g67eihnrv
ui.worklab.in/g67eihnrv
uniquebulldogpuppies.com/g67eihnrv
uniquecoders.in/g67eihnrv
videoregistrator.bg/g67eihnrv
vkwelaarts.co.za/g67eihnrv
webihawks.com/g67eihnrv
www.3shadz.com/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.camko-motor.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.hayatesabz.ir/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv
zinger.nl/g67eihnrv

Malware spam: "E-TICKET 41648" leads to Locky

More Locky ransomware today..

From     "Matthew standaloft"
Date     Thu, 27 Oct 2016 15:20:27 +0530
Subject     E-TICKET 41648

Dear Sir ,

Please find the attached E-ticket as per your requested.


Thanks & Regards ,

Matthew standaloft
Attached is a ZIP file containing a randonly-named .WSF script, downloading more evil from one of the following locations (according to my usual source):

agile-scrum-training.com/g67eihnrv
axzio.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cttcleaning.com/g67eihnrv
dmlevents.com/g67eihnrv
dreamruntech.com/g67eihnrv
dryilmazyildirim.com/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
fullservicetech.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
intomim.com/g67eihnrv
jackpotfutures.com/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
librahost.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
micaraland.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
riverlifechurch.tv/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
vkwelaarts.co.za/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv

This drops a malicious DLL with a detection rate of 9/56. The following C2 servers are contacts:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks.php (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
213.159.214.86/linuxsucks.php (JSC Server, Russia)


Recommeded blocklist (also see this other spam run today):
83.217.11.193
91.201.202.12
213.159.214.86 

Malware spam: "This is from the Telephone Company to remind you that your bill is overdue." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Bill overdue
From:     Alexandria Maxwell
Date:     Thursday, 27 October 2016, 9:35

This is from the Telephone Company to remind you that your bill is overdue.

Please see the attached bill for the fine charge.
The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script [pastebin] detailed bill C43A9.vbs

The Malwr Report and Hybrid Analysis for that script shows behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download from:

198zc.com/f7ss3oy
3d-schilling.de/jrz8hn
502mm.com/wwe0mac6
88cui.de/rwl8ov
abmelectric.ca/q0o4780r
actiononsports.com/kq0u93a1
aiccard.co.th/dvja1te
alefunny.pl/fksf4
alvida.de/klv2aog3
antiguarelojeria.com/kkzyr
ardnas.nl/f2v5o
art-yoga.myjino.ru/r1es12r
astra-antiques.com/bt32u5
atgem.ch/okl2jok
ayubatikpekalongan.com/cb2it0jj
babilon.by/sws2z1
bachvietxd.com/cbm2v
bathboating.co.uk/fptmhcm
bazalt-gracze.pl/cux57
begbuilders.com/i7ux0sxr
bestseptik.ru/zkmdw66
bibigame.net/ilc753c
bibob-hairshop.nl/fm0tue
bluecuracao.nl/iplibwz
brkos.borec.cz/dwz8li
buypc.ro/vds7o
callideo.fr/msn9ar
casadecandomble.com.br/rhn2dn
cneedu.cn/t1k2wlus
cztaxes.cz/rx19j
dabar.name/hscgqx
dadaniu.cn/o1ws9s
danor.ro/ip9f85t
dicatex.com.ar/tx3or
digicap.net/s6bhb6
dmtya.ru/mpozceu
dont.pl/cvjjw1
dovgan.bclas.ru/gtyvx
dzx800.com/j3sll
dzyncreative.com/o2ilww
ebgboz.nl/pzxc1je
ecentz.com/nvp7s9t
edepolama.com/o56szw
eiskgd.ru/vgvr31
ekofil.pl/o3pp6
elektrik1.ru/vn2q7au
englishukcentral.com/gw59b8
enrico.ru/wqhni
esysports.com/k3qsnhm
favourfinance.com/ouzoy
fbstone.com/gud0y
fengxiaohui.com/k5sqnm
fightsportuk.com/s9e9qdm
flutygoy.net/1b2sy4r
flutygoy.net/48jc5on
flutygoy.net/82okzzkq
flutygoy.net/9vvgvtk
guguhah.com/0w6rv87d
guguhah.com/3mikeq
guguhah.com/7ut2t95
guguhah.com/9bxqzgzo
khstarter.com/fy5cns7
monecouth.net/1gz0ae
monecouth.net/702t90
monecouth.net/8qxfzegf
monecouth.net/atb1yedm
morenaart.com/ng8if4c
njlsyb.com/rp7pn
sozluktr.com/x65mjo
szylbx.com/bgmhcx14
tahradeep.com/0u0zb
tahradeep.com/1tuqd
tahradeep.com/7emuv
tahradeep.com/94rttn
theatosc.net/1clhtqam
theatosc.net/558x66
theatosc.net/8j3wm
theatosc.net/a952l

A DLL is dropped with a detection rate of 11/56, and the malware then phones home to:


91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)


Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150

Wednesday, 26 October 2016

Malware spam: "Your order has been proceeded." leads to Locky

This curiously worded spam email leads to Locky ransomware:

Subject:     Your order has been proceeded
From:     Elijah Farrell
Date:     Wednesday, 26 October 2016, 12:41


Your order has been proceeded.

Attached is the invoice for your order 2026326638.

Kindly keep the slip in case you would like to return or state your product's warranty.
The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name.

The various scripts download a component from one of the following locations (thank you to my usual source for this):

198zc.com/vnrymi
3d-schilling.de/ytm08hf
abaffbedip.net/0ec4sb62
abaffbedip.net/1roef5v
abaffbedip.net/5k4oh5
abaffbedip.net/8b0lk2p
actiononsports.com/yduc1
aiccard.co.th/sy7hb7
alefunny.pl/vjjw0
alvida.de/zhw8nw6
antiguarelojeria.com/zg28jio
ayso722.org/ny8s6fn
banana2.jp/zsf0952
begbuilders.com/xjtb9k
bibliocultura.org/hdhwx7sf
bluecuracao.nl/xt8w2p3
bonetti.nl/bqc565q
brkos.borec.cz/skxkk33b
callideo.fr/zwg1d
caulgreet.com/0gxgwa
caulgreet.com/2sqh38d1
caulgreet.com/6o04pdt
caulgreet.com/9gl7t
chuvafeatherstone.com/rve6j
ciscscout.net/rvkbiv3t
cloudafis.com/kpw6h4uh
cngmalaysia.org/f4cda
cpugame.com/r3octl
cryochoice.com/n4801d
dadaniu.cn/cyk9hpr
danor.ro/xnnhp5
dmtya.ru/zqzii
dominoassociates.com/keg4g
dongyigg.com/onirn0r
dont.pl/stuf3
dovgan.bclas.ru/wk7tah
dzyncreative.com/v1djrmn
ecentz.com/sbvv8md
edepolama.com/xlyrh
edu02.ru/nk6z1
entersukses.com/cudm8
ergobois.com/j87ns
esteticapro.com/tje1ya
esysports.com/ybn7qw
exquisiteescape.com/fa8f7fk9
fazendacristal.com/djgyn
fbstone.com/xjlq6
fengxiaohui.com/yulge
filenetp8.info/esg742j9
flw123.com/kygiq6t
gerardfetter.com/fudjm1m
gongzuoshu.com/lojhvcj7
grandfm.com/my98xg7a
guymorgandaily.com/ilgx8tki
hankookm.com/lun77kyf
hfhhk.com/edfwyi1
hotsigns.net/ayxpi
jean-ealogy.com/dauwq7a
khstarter.com/w8811bg
landondavid.com/d5t56y4b
lanmaicao.com/bxyi91
lcmaya.com/d79p8w
mannersfromtheheart.com/cn450b
milianjie.com/dg1ie
morenaart.com/qbwnl
nakedglobal.com/d6s6f
roweliced.net/12fi9dc
roweliced.net/35lz355g
roweliced.net/6vgrs4
roweliced.net/a1f8yb
sheatcatan.com/1cb7jn
sheatcatan.com/3oze6ie
sheatcatan.com/74mqu
sheatcatan.com/awcdu3
titmaius.net/0f7ygeg
titmaius.net/1zsxe
titmaius.net/6g32j
titmaius.net/8u0ie

The downloaded binary then phones home to:

78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)


It also tries to phone home to these URLs which are currently not resolving:

umjjvccteg.biz/linuxsucks.php
hbnatserncelosskp.biz/linuxsucks.php
rqnegynlpkohoohp.pw/linuxsucks.php
ymrorgauixirigj.biz/linuxsucks.php
ayyxamwyvfyqidija.pw/linuxsucks.php
yfjxvok.ru/linuxsucks.php
lbbauqqpynjem.xyz/linuxsucks.php
tnvnmjdyokgyj.pl/linuxsucks.php
hoiedes.pl/linuxsucks.php
toaqabrl.xyz/linuxsucks.php
leacfrc.info/linuxsucks.php
jkjxnrnirmqt.pw/linuxsucks.php

Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225




Tuesday, 25 October 2016

Malware spam: "Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data" leads to Locky

Perhaps minimalist spam works better, there is currently a Locky spam run with on of the subjects Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript that looks like this [pastebin]. There is no body text.

These automated analyses [1] [2] [3] [4] show that it is Locky. My usual sources tell me that the various scripts download from one of the following locations:

abplhomes.com/g76dbf
alyatater.com/g76dbf
baedalapp.com/g76dbf
beaumontschool.com/g76dbf
blastspraypolish.com/g76dbf
codefinder.co/g76dbf
copperfilters.com/g76dbf
cultural-ecology.com/g76dbf
designera.org/g76dbf
dev.indonesiatextile.id/g76dbf
dwimultimakmur.com/g76dbf
dziennikarze.lo-kolaczyce.pl/g76dbf
easytravelvault.com/g76dbf
elitednadt.com/g76dbf
emreker.com/g76dbf
faisal-ibrahim.info/g76dbf
fpi-canada.com/g76dbf
fresflor.net/g76dbf
gellyrepin.com/g76dbf
himytutor.com/g76dbf
informing.asia/g76dbf
jciindia.in/g76dbf
kantoor.vescolub.nl/g76dbf
kendalpos.com/g76dbf
lamurindo.com/g76dbf
lilxtreme.com/g76dbf
lookbeauty.ir/g76dbf
mahendradesai.net/g76dbf
newdesign.well.pk/g76dbf
nitrogenwebs.com/g76dbf
panaceapeople.com/g76dbf
permars.com/g76dbf
privatestashstorage.com/g76dbf
promo.worldloft.ru/g76dbf
read4change.com/g76dbf
runmyaccounts.ch/g76dbf
rws1.com.au/g76dbf
samuderaciptaraya.com/g76dbf
sendat.vn/g76dbf
shopro.ir/g76dbf
srcc.co.th/g76dbf
swissmades.com/g76dbf
tacunair.com/g76dbf
tciislandguide.com/g76dbf
uatsa.cl/g76dbf
vicampro.com/g76dbf
web.justproductions.co.uk/g76dbf
wivebeday.com/g76dbf
www.fireballindia.com/g76dbf
www.jockytours.com/g76dbf
www.pb2bb2c.com/g76dbf
www.pharmaciela.com/g76dbf

The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh

A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56. The malware then phones home to one of the following locations:

185.127.27.100/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks.php (Volia DataCentre, Ukraine)


The malware also attempts to contact the following locations, all of which seem to be inactive:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221

Monday, 24 October 2016

Malware spam: "Complaint letter" leads to Locky

This spam leads to Locky ransomware:

From     "Justine Hodge"
Date     Mon, 24 Oct 2016 19:27:53 +0600
Subject     Complaint letter

Dear [redacted],

Client sent a complaint letter regarding the data file you provided.
The letter is attached.

Please review his concerns carefully and reply him as soon as possible.

Best regards,
Justine Hodge
The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS scripts with a name starting with "saved letter".

My source tells me that this scripts download from one of the following locations:

adultmagstore.com/itc0h81
alkanshop.com/zrwcx8om
azaminsaat.com/nyzhvh2c
bwocc.org/dkttu
circolorisveglio.com/dw2hheb
coreywallace.com/qjkrlxp
corployalty.it-strategy.ru/p4icah5h
cruzdemiguel.com/jittrxkr
cz1321.com/zg4c4m
decorvise.com/g7k3n
denas-express.ru/fl5vy16
desthailand.com/wfmaq0az
disneyrentalvillas.com/k2ars5j2
downtownlaoffice.com/ixmh1
DSWRITINGS.ORG/lnf7gv
duvalitatli.com/umx3btc1
executivegolfmanagement.com/qtzsegm6
firephonesex.com/bxuobuam
fjbszl.com/m4q1pmr5
fraildata.net/09rz1jcj
fraildata.net/4s1szk77
fraildata.net/5ti18g
fraildata.net/9b8cba
getitsold.info/cndrdsu9
girlsoffire.com/d2k0b967
GNSTUDIO.NET/sxv6fhqo
greenmedicalgroup.org/dy7s5
gruffcrimp.com/352gr0
gruffcrimp.com/5inrze
gruffcrimp.com/8vzak
gruffcrimp.com/bki56h
gunnisonkoa.com/d5cw6
gzxyz.net/zznej
hetaitop.com/pgq8e
infopea.com/bm747o9
iwebmediasavvy.com/eu7mq36w
jejuep.com/jh7rrgbi
jejui.com/j1ldsf
julianhand.com/hollu
jzmkj.net/y7tf2
kak-vernut-devushku.gq/rwlr9
kirijones.net/2b8fnrqm
kirijones.net/4v7574mp
kirijones.net/66wey
kirijones.net/a2r3pme
lqfrdj.com/rbpkt
luobuma8.com/h5hq2que
myboatplans.net/p8gik2g8
nightpeople.co.il/o8le7
onlysalz.com/xjo100
payrentonline.org/l3mdiv7y
pblossom.com/t78u8
potchnoun.com/06p2vxua
potchnoun.com/38j2xn
potchnoun.com/5ngsn8g5
potchnoun.com/8x2nt
privateclubmag.com/wyztr73
prodesc.net/x7nlxq
relentlesspt.com/faisexor
riyuegu.net/o69ecb
royallife.co.uk/mx5nck
ryanrandom.com/hwv97p8
scope-t.com/loinhgm
sexybliss.co.uk/en8ds7nt
sunproductivity.com/m6ot1
taiyuwanli.com/cpkd9
theleadershipdoc.com/wm1bv
turservice.xaker007.net/k92b92
ukdistributionservices.com/x1397
vowedbutea.net/2f1okfif
vowedbutea.net/5491o
vowedbutea.net/8jtnj8nt
vowedbutea.net/apupuyh3
weekcoupon.com/hggbcg
wjyunfanbs.com/ihku0r53
www.studiorif.ru/toiu7
xn--80aa3c3a.xn--b1aajgfxm2a9g.xn--p1ai/xip5lltq
xn--b1aajgfxm2a9g.xn--p1ai/dxd3v
yourrealestateconnection.us/rlfh0

The malware phones home to the following URLs:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)


The following URLs are also contacted but are not active:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
 
81.177.22.221



Malware spam: fake "Receipt" leads to the unwelcome return of Locky

Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example spam with a format similar to the following is currently being sent out:

Date: Mon, 24 Oct 2016 16:03:30 +0530
From: christa.hazelgreave@gmail.com
Subject: Receipt 68-508
Sender name is a randomly-generated Gmail address. Attached is a ZIP file starting with the words "Receipt" matching the subject of the email contained within is a malicious HTA file with a name similar to Receipt 90592-310743.hta.

You can see some of the malicious activity in this Hybrid Analysis. My sources (thank you!) give the download locations for this particular spam run as:

103.15.50.73/076wc
117.239.70.228/076wc
absxpintranet.in/076wc
acanac.wysework.com/076wc
asadraza.ca/076wc
bagnet.ir/076wc
checkimage.comuf.com/076wc
cignitech.com/076wc
cynosurejobs.net/076wc
dolphinom.com/076wc
grupoecointerpreis.com/076wc
ledenergythai.com/076wc
naacllc.com/076wc
thaitooling.net/076wc
tifa-awards.net/076wc
wkreation.com/076wc
www.pspgemencheh.edu.my/076wc
www.pspmrsmag.com/076wc

The malware is Locky ransomware phoning home to:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
bwcfinnt.work/linuxsucks.php   [208.100.26.234] (Steadfast, US)

The following don't seem to resolve:
fqtdrnqmeofknd.biz/linuxsucks.php
fyrtopd.info/linuxsucks.php
wsrcyjnmrfyej.ru/linuxsucks.php
dvrudoqhwxbxrob.info/linuxsucks.php
ooyjnteswckystd.info/linuxsucks.php
vrruwpuccbud.info/linuxsucks.php
jdjnhiwgnxks.info/linuxsucks.php
pcjbfqivrejipumc.pw/linuxsucks.php
gktccomjjk.pl/linuxsucks.php
aolqgoweq.biz/linuxsucks.php
vholevsjx.pl/linuxsucks.php

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
208.100.26.234





Thursday, 6 October 2016

Malware spam: "Your Order" and the inevitable Locky

This fake financial spam leads to Locky ransomware:

From:    Adrian Salinas
Date:    6 October 2016 at 10:13
Subject:    Your Order

Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.
Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js

According to my source, these various scripts then download a component from one of the following locations:

activexsearch.com/yggv8
allinfo.xyz.com/zzi5zq2
aquatixbottle.com/yqr8i
askmeproperties.com/xc3db
asknaija.com/wvv5yh
atstory.com/zm2uojf
autokover.ru/z2oc4
b2c-batteries.com/hcgc64j
badimalik.com/dzqzl
bantayan.net/z3z3cc
baomoji.com/y6amo
betwer.com/t21j21t
booltom.com/19abb0h0
booltom.com/5nqlax
booltom.com/7dp0k
booltom.com/8qm9ldj
dipsite.com/r4f2wug
distribuidorabmk.com/wuv2rw
dvdworldmagazine.com/ptibu73
escolaemacao.com/rksgyuj
facerecognition.com.ba/cffdw
feuduprid.com/1xrdgx1j
feuduprid.com/6cpar
feuduprid.com/7sv4ygr9
feuduprid.com/aohsi
fifieoho.com/10a74fd
fifieoho.com/4u29v4
fifieoho.com/74uf3
fifieoho.com/8gplb
hdyzzs.com/qis3lqzw
kristiantouborg.com/trdmz3c
kronosmd.com/oqyxt
kuzeydogalgaz.com/gspiqv
laisou8.com/c4ecj8n
mayrice.net/07il79
mayrice.net/3w7eqv5
mayrice.net/6zok4n
mayrice.net/7uh0f
mgrshs.com/arabn
mmpang.com/h71zo4
mplaylist.com/mw921
nbjzpx.com/n9ih0k
net2008.com/mx93j63z
njykvalve.com/crk5x
numberoneenglish.com/b2v8x8
ofertacar.com/lzdp0id1
oguzhannakliyat.net/nhl290
onji.org/hox0lh
optimize4youseo.com/il9e7
oualili.org/kys133ec
ougelook.com/f7fr3
ozgurbasin.net/ceo09c
pandalove.ru/meft1bs5
peskara.com/n01afb
phaseiv.org/b0uo1
pioneerschina.com/xwks4
pmofmichigan.com/p1inbvn
prettymeuk.com/btvcc
print800.com/p3tw0nst
pro-units.ru/e8uosl
rbwm.ru/wvz996u
relishyomama.org/ebugjjni
sanalgelisim.com/pdjrz8w6
sccxtx.com/gdywsb9
sellflash.com/pjphz
sladetahil.com/1oiyflq
sladetahil.com/6763jdl
sladetahil.com/7fedf3f
sladetahil.com/99f2zg
speakrz.com/oa7ev
tbcthebillingcompany.com/u8uq8t5g
test1.unihost.link/rhh8saz
test.personne.ru/h3x2h682
vudie.com/uco3h8o
westpommern.com/ha0jaeo
winterferienhaus.com/sqfjn29
woodmode-eg.com/o47tu
yepi-games.net/wpp6wl0
zakscott.com/obg7n
zhiwuba.com/ogtkhy

The malware then phones home to the following IPs (belonging pretty much to the usual suspects):

46.8.44.105/apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76/apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21/apache_handler.php (TheFirst-RU, Russia)
217.12.223.78/apache_handler.php (ITL, Ukraine)
46.183.221.134/apache_handler.php (Dataclub, Latvia)

It attempts to contact the following domains, none of which were resolving for me:

vrqhyhyhfoqtetjj.su/apache_handler.php
aukahiofk.click/apache_handler.php
mbjyucltybuujwrec.pl/apache_handler.php
odktufycxibodtlgc.xyz/apache_handler.php
oglvsqvesshcq.work/apache_handler.php
tfgyuhlggusls.ru/apache_handler.php
senawhlqiyl.biz/apache_handler.php
gsrhrrx.su/apache_handler.php
sodugmdutpwo.click/apache_handler.php
ibmwyjowwkvquhftq.info/apache_handler.php
knsyllstwjfv.org/apache_handler.php
pxeuwhmghsnffbn.info/apache_handler.php

Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78


Wednesday, 5 October 2016

Malware spam: "complaint letter" leads to Locky

This spam email message has a malicious attachment that leads to Locky ransomware:

Subject:     complaint letter
From:     Jae Mason
Date:     Wednesday, 5 October 2016, 10:48

Dear [redacted], client sent a complaint letter regarding the data file you provided.

The letter is attached. Please review his concerns carefully and reply him as soon as possible.
The sender name will vary. Attached is a ZIP file with a name in the format complaint_letter_955ce806.zip which contains a malicious .WSF script.

My source tells me that the scripts download from one of the following locations:

all-rides.com/owav14
bbs.vlibang.com/ojojbry
caggynext.net/0vm80
caggynext.net/1yz517
caggynext.net/36z66i
caggynext.net/6mcco3s
carpetcleaningwestchesterny.net/j2pkoex
dom-dekor.net/q62g3
drewolea.net/0fuhybw0
drewolea.net/1lc09
drewolea.net/25do4q7
drewolea.net/3r9jke
enricobasili.com/m4fqj4lt
goodkiddy.com/pvn5l
idealuze.com/lu814bj
instantstamp.com/j50mt
kencaedu.com/25do4q7
klamathkinetic.org/11c84e3
knoozroom.com/igv7j9e
lanamusty.net/11c84e3
lanamusty.net/1z5vbh
lanamusty.net/3b33zp
lanamusty.net/72mjp
lev-pr.com/i2acpqa1
lgbtbookstore.com/gech2hc
lzeshine.com/girq6q
markjenningsbates.com/72mjp
mediaalias.com/lplgnnaf
minoritycounselor.com/j8365gb
motionthatmovesme.com/h1n2ix7
mysolosource.com/l3x3oczx
ndsemi.com/gy5tw
nuntatimisoara.com/ekrc0i6
nuociss.com/b5ebfsuy
nytaihao.com/ffaw7
pattumalamatha.com/e7r2v1t
phohchaui.com/0mvwos0
phohchaui.com/1xqbcjm
pmfaccountant.com/ggbvw1nj
pobreloco.com/36z66i
praxis-blechert.de/t86h1a
rdoent.com/okq0h9
sasguildford.com/yccemkwd
semes.sk/y0fmps
shingpohk.com/wc2mp0d
snehil.com/vfksxp
sotaygiadinh.net/t9ifk7j
sportowy.info/tbccuj
supergem.net/mri7i
talentinzicht.eu/va7tgx6
technix.ca/jbatquey
theshopwiz.com/t6epks
tiaocuo.org/z4nyglmm
tulisasource.com/rne42v8
turkbyte.com/q7zorra
upper-classmen.com/k1hd6
vincentsvineyard.com/z02mw8ab
www.resumebuddy.net/rcz888
yinstrage.com/0g9b921
yinstrage.com/1tsi2zr
yinstrage.com/2ld6aep
yinstrage.com/5s56ss

There are no C2 servers.

Malware spam: "Document from.." leads to Locky

I have only received a single sample of this spam, presumably it comes from random senders. There is no body text in my sample.

Subject:     Document from Paige
From:     Paige cuddie (Paige592035@gmail.com)
Date:     Wednesday, 5 October 2016, 9:37 
In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script [pastebin] DOC-20161005-WA0002715.wsf.

Automated analysis [1] [2] shows this sample downloads from:

euple.com/65rfgb?EfTazSrkG=eLKWKtL

There will be many other locations besides this.

Those same reports show the malware (in this case Locky ransomware) phoning home to:

88.214.236.36/apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100/apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)


The sample I found downloaded a legitimate binary from ciscobinary.openh264.org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.

Recommended blocklist:
88.214.236.0/23
109.248.59.0/24


Monday, 3 October 2016

Malware spam: "I have shipped your packet. Please check the report enclosed here to view more info."

This spam email leads to Cerber ransomware:

From:    Trevor David
Date:    3 October 2016 at 13:46
Subject:    Pede Industries

Hello
I have shipped your packet. Please check the report enclosed here to view more info.

Word doc password: JqpcGrKK9


Pede Industries
Company names and senders are randomly generated. Attached is a randomly-named .DOT file with password protection. The password protection makes it hard to analyse, but my source tell me that these documents download from:

www.ldlogistic.it/kls.doc
csir.bdx6.siteinternet.com/kls.doc

The dropped malware apparently has an MD5 of 0e7913875724151d8e822add07ec75b2.

Once downloaded, the malware attempts to make a C2 connection to an IP in the range
31.184.234.0/23:6892 (GTO, Montenegro and Virty.io, Russia). I don't know which is the active IP, but blocking the entire /23 might be a good precaution.

Malware spam: "[Scan] 2016-1003 15:26:26" / "Sent with Genius Scan for iOS." leads to Locky

This fake document scan leads to Locky ransomware:

From:    DAMON ASHBROOK
Date:    3 October 2016 at 10:56
Subject:    [Scan] 2016-1003 15:26:26

--
Sent with Genius Scan for iOS.
The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat.

This Malwr analysis shows some of the infection in action. Overall my sources tell me that the various malicious macros download from:

acaciainvest.ro/jhg45s
alraysa.com/jhg45s
anthonycarducci.lawyerpublicity.com/jhg45s
antiquescollectablesandjuststuff.com/jhg45s
atronis.com/jhg45s
bluewaterappco.com/jhg45s
boservice.info/jhg45s
catlong.com/jhg45s
cedrussauna.com/jhg45s
craftsreviews.com/jhg45s
denvertracy.com/jhg45s
dickenshandchimes.com/jhg45s
far-infraredsaunas.com/jhg45s
foe-2.com/jhg45s
gcandcbuilderssite.aaomg.com/jhg45s
hostmyimage.biz/jhg45s
icdsarch.com/jhg45s
inmopromo.com/jhg45s
lesscellantshautegamme.ca/jhg45s
maxleather.aaomg.com/jhg45s
mmm2.aaomg.com/jhg45s
monkeysdragon.net/jhg45s
orhangazitur.com/jhg45s
parkerneem.com/jhg45s
test.cedrussauna.net/jhg45s
tsukasagiku.com/jhg45s
villadiana.lv/jhg45s
webhost911.com/jhg45s

C2 locations are:

149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
logwudorlghdou.info/apache_handler.php
krmwgapkey.work/apache_handler.php
hruicryqytbmc.xyz/apache_handler.php
vswaagv.org/apache_handler.php
smskymrtssawsjb.org/apache_handler.php
wvandssbv.org/apache_handler.php
ytxsbkfjmyxglvt.click/apache_handler.php
rqybmggvssutf.xyz/apache_handler.php
qaemlwlsvqvgcmbke.click/apache_handler.php
btlyarobjohheg.ru/apache_handler.php
civjvjrjjlv.pw/apache_handler.php
xlarkvixnlelbsvxl.xyz/apache_handler.php

A DLL is dropped with a detection rate of 19/57.

Recommended blocklist:
149.202.52.215
217.12.199.244

Malware spam: "please sign" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     please sign
From:     Ricardo Buchanan
Date:     Monday, 3 October 2016, 10:27

Hi [redacted],

I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.



Best Wishes,
Ricardo Buchanan
CEO
In the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name. This obfuscated script [pastebin] appears to download Locky ransomware. Analysis is pending.

UPDATE

This Hybrid Analysis clearly shows Locky in action. According to my sources there are no C2s, and the download locations are:

027tzx.com/lscpv
5v5.net/wmas4
a1hose.com/j9ccher
arabhashtag.com/q2aatrh
arcworks.ca/xmz948l8
AVTORESURS.NET/n5rz8w
basofttech.com/lf7agf
bassbudsgame.com/ptqrx0bl
bradjones.com.au/qglrydv
champi.nl/v5zovddy
charge2go.com/coplbr
clinicaavellaneda.com/ovg45gh
crossroadspd.com/515grm
dangras.net/1f5d4mlo
dangras.net/3geg2zj
dangras.net/5edbite
dangras.net/6lebt
demo.academia-moscow.ru/f6wmma
demo.hostfabrica.ru/n8ygd
dotcom-enterprises.com/cpgskvx9
edrozd.net/zuz15wuc
eskrow.ru/gk2sabe
ferumusky.com/229k9z
ferumusky.com/3surnwl
ferumusky.com/5o11b5s
ferumusky.com/6nfhu0lt
galelaure.com/gvn4j9eq
glosalonline.com/adsry1c
hoamiu.info/lgvdn1l
honeine.com/h03dyzp
hrbqcc.com/kz3vidu6
jetxaviation.com/xbvqdt
joplinglobeonline.com/cc3al2x7
klipink.com/vfvlqynq
louisirby.com/cmlfoyb
louisirby.com/ejtocks
medicangka.com/0s7ygu
medicangka.com/2wn3r
medicangka.com/515grm
medicangka.com/65l4byy
mlsmaids.com/b2ofgow7
mrwebdirectory.net/vl4h091
mucicsitta.net/09xhx
mucicsitta.net/2imhkap
mucicsitta.net/4li3zc
mucicsitta.net/64vvi
mutiarafurniture.com/qwal3v9
netclip.ro/v6wj6yln
nonprofitbenefit.com/h6lne
ossiatzki.com/dyke9
p2pbikini.com/cm9s56to
parasaymamakina.net/ja152
relianceclouds.com/tr56dz8z
remont-vanosa.ru/j292hr
rondeaho.com/08dqn
rondeaho.com/24agob
rondeaho.com/4h2vq
rondeaho.com/5ubi0cxh
rosewong.com/va8asq
sentedesign.pt/pbery0
shinipri.com/brzvbi
softwaregolower.com/rddt0z
superoriente.com/kbgt8m4
syncfish.com/k7brjhgm
tandjsalon.com/gd5ke
tinoprins.nl/uji62x
trulytechnology.com/xs5t4q8
verafleischer.com/eh36e
vinabuhmwoo.com/64vvi
vipmarketing.co.il/ub0ybv5
welsell.com/tgtmzm
www.4u-byme.com/ay7ugmad
yogajourneyretreat.com/ewgjrey
yoobux.com/euy7k8
youspeak.pt/l5j3iw
yuzhuyuan.com/65l4byy
zachmacphoto.com/be8il1jb
zsvlomnica.sk/229k9z



Thursday, 29 September 2016

Malware spam: "Receipt 103-526" / Receipt.xls

This spam leads to Locky ransomware:

From     rosalyn.gregory@gmail.com
Date     Thu, 29 Sep 2016 21:07:46 +0800
Subject     Receipt 103-526
I cannot tell if there is any body text, however there is an attachment Receipt.xls which contains malicious code [pastebin] that in the case of the sample I analysed downloads a binary from:

opmsk.ru/g76ub76

There will be many other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:

89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

A malicious DLL is dropped with a detection rate of 6/57. Malicious IPs and domains overlap quite a bit with this earlier attack. This version of Locky encrypts files with a .odin extension.

UPDATE - a source indicates these are all the download locations in this attack:

1gouw.com/g76ub76
368lx.com/g76ub76
81millstreet.nl/g76ub76
alliswelltour.com/g76ub76
ampconnect.com/g76ub76
anhsaodem.info/g76ub76
aseandates.com/g76ub76
birthstory.com/g76ub76
cmcomunicacion.es/g76ub76
dedivan.ru/g76ub76
demo.website.pl/g76ub76
econopaginas.com/g76ub76
gadget24.ro/g76ub76
globalremoteservices.com/g76ub76
innogenap.com/g76ub76
juyinggroup.com/g76ub76
kelownatownhomes.com/g76ub76
mediumsize.org/g76ub76
opmsk.ru/g76ub76
parentchildmothergoose.com/g76ub76
parroquiansg.org/g76ub76
slaterarts.com/g76ub76
sonajp.com/g76ub76
studiorif.ru/g76ub76
unforgettabletymes.com/g76ub76

Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132