Sponsored by..

Showing posts with label Russia. Show all posts
Showing posts with label Russia. Show all posts

Thursday, 8 March 2018

"Faster payment" scam is not quite what it seems

I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here.

From:    Ravi [Redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [Redacted] <ravi@victimdomain.com-3.eu>
To:    accounts@victimdomain.com
Date:    23 February 2018 at 12:02
Subject:    Arrange this payment

Pleаsе make а £9,627.00 faster раyment for thе nеw contrаctor.

Sort сode: 30-62-15
Acc. numbеr: 10255956
Paуeе: Olivia Hаrris

I will send the doсs as soon аs i'll sort out my stuff.
Lеаve a rерly oncе сomрlеted or in casе you get аnу рroblеm while sеtting it up.

Ravi [Redacted]

Sent from my iPhonе.


From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-0.eu>
To:    sarah@victimdomain.com
Date:    5 March 2018 at 10:31
Subject:    5 Mar. faster payment

Morning Sаrah

Plеаse sеtup a £9,736.00 fastеr рауmеnt in fаvour of the new bеnеfiсiаrу.

Sort code: 30-61-10
Acс. number: 10811231
Pауее: Thеa Smith

I will sеnd the doсs аs soon аs i'm lеss busу.
Leave a rерly once сomрletеd or if уou get аnу рroblеm whilе sеtting it uр.

Andreа [Redacted]

Sеnt from mу iPhone.


From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    karen@victimdomain.com
Date:    7 March 2018 at 11:08
Subject:    Arrange this payment

Hi Karеn

I nеed you to аrrаnge а £8,643.00 fastеr рауmеnt for the nеw bеnеficiarу.

Sort code: 30-62-12
Acc. numbеr: 10240298
Benefiсiarу: Beatriсe Evans

I will sеnd thе doсumеnts as soon as i'm less busу.
Lеavе а rеply oncе donе or if you get аnу problem whilе sеtting it uр.

Andrеа [Redacted]

Sеnt from my iPhonе.


From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    mary@victimdomain.com
Date:    8 March 2018 at 11:03
Subject:    8 Mar. faster payment

Hi Mаrу

I neеd уou to mаke a £8,839.00 faster раymеnt for the new supрlier.

Sort codе: 30-62-12
Acс. numbеr: 10738345
Benеficiаry: Emmа Brown

I will send the рapеrwork onсе i'll sort out mу stuff.
Lеаve а reрly once donе or if you gеt аny рroblem whilе setting it up.

Andrea [Redacted]

Sent from mу iPhone.

"Andrea" and "Ravi" are not random people, they are both directors of a legitimate company with a name very similar (but unconnected) with one I blogged about years ago. In $dayjob the sample email I saw was from that company's chief counsel, so I believe these are targeted but just incorrect.

Normally with this sort of scam, the "boss" is asking for payment to be wired to the bank details in the email. But in this case, the sort codes for the banks (30-62-12, 30-61-10 and 30-62-15) don't exist. If you tried to wire money to them, the transfer would fail.

So, presumably when the bank transfer fails, the victim emails back the "fake boss", but it isn't all it seems. Although the "From" address looks to be genuine, there's a "Reply-To" address which goes to something a but more subtle.

For example in one of the examples about the email appears to come from andrea@victimdomain.com (i.e. whatever the victim's genuine domain is) but replies go back to something similar but different, for example andrea@victimdomain.com-v.eu - at which point the fraudsters probably then come up with different bank account details.

At the moment the email replies go to a server at (hostname uk-v.eu) in the Netherlands, but these domains and servers get shut down quickly.

All these following domains are linked to the scam (there are probably more):

This variation of an old scam seems to be quite new. Remember, if your boss emails you out of the blue and asks you to set up a payment without giving much information, always check that the request is valid and don't simply reply to the email.

UPDATE 2018-03-12

Another version..

From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    helen@victimdomain.com
Date:    12 March 2018 at 12:57
Subject:    Handle this payment

Hi Hеlеn

Pleasе makе a £8,909.00 fastеr payment for the nеw vеndor.

Sort сodе: 30-64-15
Acс. number: 10576602
Pаyeе: Elizabeth Moore

I will send the paperwork oncе i'll sort out mу stuff.
Lеave a rерlу whеn thе oреration is сomplеtе or in cаsе уou gеt аnу problеm whilе setting it up.

Andrеа [redacted]

Sеnt from my iPhone.
This uses the domain com-w.eu and is hosted on (hostname uk-w.eu) along with uk-b.eu.

UPDATE 2018-03-13

Two more examples with the same pattern:

From:    Ravi [redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [redacted] <ravi@victimdomain.com-w.eu>
To:    keith@victimdomain.com
Date:    13 March 2018 at 09:52
Subject:    Payment due 13 mar.

Hi Keith

Plеase аrrange a £8,563.00 fаstеr paуment for the new benefiсiarу.

Sort code: 30-60-41
Acc. number: 10638574
Pауeе: Rosе Clarke

I will sеnd the pаperwork as soon аs i'm lеss busу.
Lеаvе а rеplу when the oрerаtion is сomрlеte or if уou gеt аny problem whilе setting it up.

Rаvi [redacted]

Sеnt from my iPhonе.


From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    emma@victimdomain.com
Date:    13 March 2018 at 09:26
Subject:    Settle up this payment

Hi Emmа

Please mаkе a £8,999.00 fаstеr pаymеnt for the nеw benеfiсiаrу.

Sort codе: 30-60-41
Aсс. numbеr: 10167445
Bеnеficiаrу: Aisha Robinson

I will forward the docs onсe i'll sort out my stuff.
Lеаve a rеply once completed or in cаse уou get аny problеm while setting it uр.

Andreа [redacted]

Sеnt from mу iPhonе.

What I hadn't noticed before is that the spam is using homoglyphs in the text to avoid filters. For example, the word "pаymеnt" in the email above does not acutally say "payment", but it uses a couple of cyrillic (i.e. Russian) characters in place of the "a" and "e" that just look the same.

For the latest spam messages, the email relays through various hosts but always seems to originate from (hostname: lmasko22.example.com). As with the other infrastructure this belongs to a company called MoreneHost in Russia.

Tuesday, 31 October 2017

Bogus porn blackmail attempt from adulthehappytimes.com

This blackmail attempt is completely bogus, sent from a server belonging to the adulthehappytimes.com domain.

From:    Hannah Taylor [bill@adulthehappytimes.com]
Reply-To:    bill@adulthehappytimes.com
To:    contact@victimdomail.tld
Date:    31 October 2017 at 15:06
Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life
Signed by:    adulthehappytimes.com


I sincerely anticipate that I will not hurt ur feelings. Shit happens, life didn’t give me a choice. I don’t hate people with special tastes, moreover only God can judge u. So:

Firstly, I put the particular virus on a web site with porn videos (I think you understood me).

Secondly, when you tapped on a video, soft instantly started working, all cams turned on and screen started recording, then my soft collected all contacts from emails, messengers etc. Im really proud for this soft, it makes devices act as remote desktop with keylogger function, impressive. This email address Ive collected from your device, I emailed u here because I think you will 100% going to check your corporative email.

Eventually, I edited a split screen video, with your participation and porn video from your screen, its very weird. Consequently, I can share this video with all your friends, colleagues, relatives etc. I guess it’s a big problem for you.

But we can resolve this problem. 305 Usd- in my opinion, very common cost for false like this.

I accept only bitcoin, this is my wallet’s address- 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY U have 45 hours after opening my letter to make transaction. I will see when u read this letter, I adjusted special tracking pixel in it. This time is sufficiently only to complete all verifications and transaction, so you have to think rapidly. If I wont get my «wage», I will share this video with all contact Ive received from ur device.

You can complain to cops for a help, but they wont search out me for even 150 hours, Im from Japan, so think twice. If Ill receive btc- all compromising evidence will be erased forever and I will never message you again.

U can reply, but this Will not make sense, I sent you this notification using my soft for anonymous messages, I don’t check the email after using it, because I contemplate about my safety too. Have a nice day, I hope u will make a good decision for you.
If you got one of these, the first thing to realise is that it is bullshit. This particular one was sent to the contact@ address of a random domain I own. You note there are no personal details in the email, and furthermore the claim that there's a tracking pixel in the email can easily be refuted by checking the HTML of the message itself.

The "from" address in the email is bill@adulthehappytimes.com and this matches the name of the sending email server, mta11.adulthehappytimes.com on

You might notice it says mta11 - indeed adulthehappytimes.com seems to have subdomains mta.adulthehappytimes.com through mta15.adulthehappytimes.com some of which are hosted at Heroku / AWS, but the ones that aren't are on the following IPs:

All of those belong to TimeWeb in Russia. The domain itself is also hosted on (mta1.adulthehappytimes.com) but it appears to be parked. However, however controls this domain has gone to the effort of setting up 16 different mail servers. The WHOIS details show that the domain is actually ten years old..

Domain ID: 1041994153_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2016-09-06T01:55:42Z
Creation Date: 2007-06-21T21:10:46Z
Registrar Registration Expiration Date: 2018-06-21T21:10:46Z
Registrar: Domain.com, LLC
Registrar IANA ID: 886
Registrar Abuse Contact Email: compliance@domain-inc.net
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Netfirms
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name: Alexey Pokachalov
Registrant Organization: Alexey Pokachalov
Registrant Street: Stepana Razina 84-10
Registrant City: Togliatti
Registrant State/Province: NA
Registrant Postal Code: 445057
Registrant Country: RU
Registrant Phone: +17.9608367000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: genarur@gmail.com
Registry Admin ID: 

It's odd to see an old domain being used for spam like this, so perhaps the domain itself and the infrastructure has been hijacked. It is hard to be certain, but also you wouldn't post real contact details on the WHOIS and then solicit anonymous payments through BitCoin, so my hunch is that the domain owner doesn't even know it is happening.

I don't know if Bitcoin wallet 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY is common to all these spam emails, but at the moment nobody has sent money to that Bitcoin wallet.

Sunday, 8 October 2017

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk

This spam email is a scam:

Subject:       Help Your Child To Be A Professional Footballer.
From:       "FC Academy" [csa@sargas-tm.eu]
Date:       Sun, October 8, 2017 10:30 am
To:       "Recipients" [fcsa@sargas-tm.eu]
Priority:       Normal

Does your child desire to become a professional footballer?

Our football academy are currently scouting for young football player to participate in 3-6 months training and  our main purpose is to recruit young and talented footballers to help become a great football  player in Life and become a great star .  Our agent will train and linked your child up with big clubs in United Kingdom and Europe.

We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.

Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.

If you want to help your child achieve their soccer dream, reply us for more information.
Best Regards,

At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:

Domain name:

        NELSON OZI

    Registrant type:

    Registrant's address:
        404 sapphire tower
        404 sapphire tower
        United States

    Data validation:
        Nominet was not able to match the registrant's name and/or address against a 3rd party
source on 19-Sep-2017

        Web4Africa Ltd. t/a Web4Africa [Tag = WEB4AFRICA-GH]
        URL: https://www.web4africa.net

    Relevant dates:
        Registered on: 19-Sep-2017
        Expiry date:  19-Sep-2018
        Last updated:  19-Sep-2017

    Registration status:
        Registered until expiry date.

    Name servers:

WHOIS lookup made at 10:50:09 08-Oct-2017

There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:


These all seem to be connected with an IP range (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.

The spam email itself comes via another Russian server mail.elmeh.ru but this particular email originated from in Vietnam. Replies to the champ-footballacademyagency.co.uk email would be set to mx.yandex.net which is in Russia again.

It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.

Tuesday, 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
SO23 7TA

Members of the CAERUS Capital Group


Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system. 
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6]  shows Locky ransomware attempting to phone home to the following locations: (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine) (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:

Friday, 25 August 2017

Malware spam: "Voicemail Service" / "New voice message.."

The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.

Subject:       New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From:       "Voicemail Service" [vmservice@victimdomain.tdl]
Date:       Fri, August 25, 2017 12:36 pm

Dear user:

just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service
Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too. These are the MD5s I've seen so far for the RAR files themselves:


The VBS script is similar to this (variable names seem to change mostly) with a detection rate of about 15/59. Hybrid Analysis shows it dropping a Locky executable with a 18/65 detection rate which phones home to (Baxnet, Russia) which I recommend that you block.

Malware spam: "Your Sage subscription invoice is ready" / noreply@sagetop.com

This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery.

Subject:       Your Sage subscription invoice is ready
From:       "noreply@sagetop.com" [noreply@sagetop.com]
Date:       Thu, August 24, 2017 8:49 pm

Dear Customer

Your Sage subscription invoice is now ready to view.

Sage subscriptions

To view your Sage subscription invoice click here 

Got a question about your invoice?

Call us on 0845 111 6604

If you're an Accountant, please call 0845 111 1197
If you're a Business Partner, please call 0845 111 7787

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service
message, not a marketing communication. This email was sent from an address that
cannot accept replies. Please use the contact details above if you need to get in
touch with us.

The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.


The RAR file itself contains a malicious VBS script that looks like this [pastebin] with a detection rate of 19/56, which attempts to download another component from:


Automated analysis of the file [1] [2] shows a dropped binary with a 39/64 detection rate, POSTing to  (Reg.Ru, Russia)

Recommended blocklist:

Thursday, 24 August 2017

Multiple badness on metoristrontgui.info /

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.

Subject:       New BT Bill
From:       "BT Business" [btbusiness@bttconnect.com]
Date:       Thu, August 24, 2017 6:08 pm
Priority:       Normal

From BT
New BT Bill

Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.

We've put your latest BT bill for you to view. See your bill here

We'll take your payment from your account as usual by Direct Debit.

Reduce paper waste
You're still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?

Need some help?
Go to www.bt.com/business/support.

Thanks for choosing BT.

Robena Morath
CEO, BT Business

Payment processing fee: BT Payment Services Ltd, a BT Group Company, charges this fee.
This or confidential. It's meant only for the individual(s) email contains BT information, which may be privileged or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.

And a simpler one..

From:    Dianna Mcgrew
Date:    24 August 2017 at 14:50
Subject:    Bill-9835


Here is a copy of your bill.

Thank you & have a great weekend!
Most (but not all) of the samples I  have seen then lead to a single website to download the malicious payload, for example:


metoristrontgui.info is hosted on (Tencent, China) which is an IP we've seen a few times recently [1] [2]. Let's check out that WHOIS:

Registry Domain ID: D503300000042955753-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.eranet.com
Updated Date: 2017-08-24T14:02:07Z
Creation Date: 2017-08-24T13:24:23Z
Registry Expiry Date: 2018-08-24T13:24:23Z
Registrar Registration Expiration Date:
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C208152073-LRMS
Registrant Name: Robert Ruthven
Registrant Organization: Gamblin Artists Colors
Registrant Street: 323 SE Division Pl
Registrant City: Portland
Registrant State/Province: OR
Registrant Postal Code: 97202
Registrant Country: US
Registrant Phone: +1.5034359411
Registrant Phone Ext:
Registrant Fax: +1.5034359411
Registrant Fax Ext:
Registrant Email: jenniemarc@mail.com
Registry Admin ID: C208152073-LRMS
Admin Name: Robert Ruthven
Admin Organization: Gamblin Artists Colors
Admin Street: 323 SE Division Pl
Admin City: Portland
Admin State/Province: OR
Admin Postal Code: 97202
Admin Country: US
Admin Phone: +1.5034359411
Admin Phone Ext:
Admin Fax: +1.5034359411
Admin Fax Ext:
Admin Email: jenniemarc@mail.com
Registry Tech ID: C208152073-LRMS
Tech Name: Robert Ruthven
Tech Organization: Gamblin Artists Colors
Tech Street: 323 SE Division Pl
Tech City: Portland
Tech State/Province: OR
Tech Postal Code: 97202
Tech Country: US
Tech Phone: +1.5034359411
Tech Phone Ext:
Tech Fax: +1.5034359411
Tech Fax Ext:
Tech Email: jenniemarc@mail.com
Registry Billing ID: C208152073-LRMS
Billing Name: Robert Ruthven
Billing Organization: Gamblin Artists Colors
Billing Street: 323 SE Division Pl
Billing City: Portland
Billing State/Province: OR
Billing Postal Code: 97202
Billing Country: US
Billing Phone: +1.5034359411
Billing Phone Ext:
Billing Fax: +1.5034359411
Billing Fax Ext:
Billing Email: jenniemarc@mail.com
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

VirusTotal confirms a lot of badness here, with all of these evil domains on the same server:


Downloads from this site can be a bit slow, unsurprisingly. The dropped EXE seems to be Locky ransomware with a detection rate of 19/65. Hybrid Analysis shows the sample POSTing to (Webhost LLC, Russia)

Recommended minimum blocklist:

Wednesday, 23 August 2017

Malware spam: "Customer Service" / "Copy of Invoice xxxx"

This fairly generic spam leads to the Locky ransomware:

Subject:       Copy of Invoice 3206
From:       "Customer Service"
Date:       Wed, August 23, 2017 9:12 pm

Please download file containing your order information.

If you have any further questions regarding your invoice, please call Customer Service.

Please do not reply directly to this automatically generated e-mail message.

Thank you.
Customer Service Department
A link in the email downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis has seen it all before. The download EXE (VT 21/64) script POSTS to (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler last year, so I would recommend blocking all traffic to

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx - name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP.

Subject:       Voice Message Attached from 001396445685 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:22 am

Time: Wed, 23 Aug 2017 14:52:12 +0530
Download <http://tyytrddofjrntions.net/af/VM20170823_193908.zip> file to listen
Voice Message

Subject:       Voice Message Attached from 055237805419 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:21 am

Time: Wed, 23 Aug 2017 14:51:13 +0530
Download <http://mjhsdgc872bf432rdf.net/af/VM20170823_193908.rar> file to listen
Voice Message
Both download locations of tyytrddofjrntions.net and mjhsdgc872bf432rdf.net are hosted on (Tencent, CN). This same IP was seen in this other recent spam run. Both the RAR and ZIP downloads (detection rate about 18/59 [1] [2]) contain the same malicious VBS script [pastebin]. The script tries to download an additional component from one of the following locations:


You'll note that most of those download locations start with "gr" which indicates that this is just a small subset of hacked servers under the control of the bad guys.

Automated analysis [3] [4] shows a dropped file with a VirusTotal detection rate of 14/64 (probably Locky). Those same analyses show traffic being sent to: (TheFirst-RU, RU - hostname: gpodlinov.letohost.com) (Just Hosting, RU - hostname: noproblem.one)

UPDATE:  Several other IPs in the range have been used to host malware in the past. I would recommend blocking the entire /24.

Recommended blocklist:

Tuesday, 22 August 2017

Malware spam from "Voicemail Service" [pbx@local]

This fake voicemail leads to malware:

Subject:       [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From:       "Voicemail Service" [pbx@local]
Date:       Tue, August 22, 2017 10:37 am
To:       "Evelyn Medina"
Priority:       Normal

Dear user:

        just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service

The numbers and details vary from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 14/59.

According to automated analysis [1] [2] the script reaches out to the following URLs: [ - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [ - Ligne Web Services, France]

A ransomware component is dropped (probably Locky) with a detection rate of 16/64.

Tuesday, 18 July 2017

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

    Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.
If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

Spam Policy   |  Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.

In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]
The secondis a malicious Word document, in this case named 11969_201727.doc. Opening it comes up with a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), downloading a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] with the others shows potentialy malicious traffic to: (Netcup, Germany) (Telefonica , Chile) (Mediasoft Ekspert, Russia) (Sphere Ltd, Russia)

Malware delivered in this was is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:

Thursday, 27 April 2017

Malware spam: Royal Mail Grоup / "Delivery attempt fail notice"

This fake Royal Mail email leads to malware.

From: Aretha Stickles [mailto:support@360modshop.com]
Sent: 27 April 2017 12:31
Subject: Delivery attempt fail notice

Dеаr customеr [redacted]

Your pаrcel has been in the post office for a very long time.
You must to receive it it within five days.

Expeсted Delivery Dаte: April 21, 2017
Class: Packagе Servicеs
Sеrvicе: Delivery Confirmatiоn
Stаtus: eNote Sent
Tо downloаd thе shipping invоicе, visit the link:


If you do not take it within the specified time, we will have to return it to the sender.
Please print out an order for your pack and take it at the post office.

Kind Regards,

© Royal Mail Grоup Ltd. 2017. All rights rеsеrved

Despite the link appearing to be from "royalmail.com" it's actually a Google redirector..


This bounces to centregold.org [ - Krek Ltd, Russia] then a load balancer at rns.tobeylabs.com/tracking/delivery/tracking.php?id=554 [ - KingServers, Netherlands] then either http://booniff.com/delivery/Pack_9356667UK.zip [ - Amino Communications, US] or https://purolator.topatlantanursinghomelawyer.com/tracking/parcel/Notification_37352742UK.zip [ - KingServers, Netherlands].

Note that the name of the .ZIP is generated dynamically, so there is some variation in filenames.

Inside the ZIP files is a malicious script (e.g. Pack_9356667UK.js) which according to Hybrid Analysis then communicates with a website at [the same KingServers /24 as before!] and it drops a file mstsc.exe with VirusTotal detection rate of 11/57.

Recommended blocklist:

Monday, 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund

It seems we can claim a refund from the FTC.
Check this out and give me a call.
Thank you
James Newman
Senior Accountant

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.

Automated analysis [1] [2] shows network traffic to:


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:


Perhaps more usefully, we can associate that registrant with the following IPs: [hostname: nejokexulag.example.com] (Servachok Ltd, Russia) (PS Internet Company LLC, Kazakhstan) (Sinarohost, Netherlands) (HZ Hosting, Bulgaria) (SmartApe, Russia) (Sia Vps Hosting, Latvia) [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia) (PE Dobrogivskiy Muroslav Petrovich, Ukraine) (Prometey Ltd, Russia) [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine) (Alibaba.com, China) [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia) (Keyweb AG, Germany) (Overoptic Systems, Russia) [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia) (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

Thursday, 19 January 2017

Malware spam: "The Insolvency Service" / "Investigations Inquiry Notification" / chucktowncheckin.com / chapelnash.com

This malware spam in unusual in many respects. The payload may be some sort of ransomware [UPDATE: this appears to be Cerber].

From: The Insolvency Service [mailto:service@chucktowncheckin.com]
Sent: 19 January 2017 12:22
Subject: EGY 318NHAR12 - Investigations Inquiry Notification

Company Investigations Inquiry
Informing You that we have received appeal regarding your company which indicates corporate misconduct.
Your Inquiry Number: 84725UPTN583
As part of this occasion we have made our own background investigation and if it occurs to be in the public interest, we can apply to the court to wind up the company and stop it trading.
Also if the performance of the director(s) who run the company is questionable enough, we can commence proceedings to disqualify them from governing a limited company for a time span up to 15 years.
The investigation can give us information that we can transmit to another regulatory body that has more suitable powers to deal with any concerns the investigation uncovers.
Help Cookies Contact Terms and conditions Rhestr o Wasanaethau Cymraeg
Built by the Government Digital Service
All content is available under the Open Government Licence v3.0, except where otherwise stated   
© Crown copyright

Sample subjects are:

LSV 354EMPU31 -  Investigations Inquiry Reminder
JXI 647TESR39 -  Investigations Inquiry Reminder
SHV 622WYXP68 -  Investigations Inquiry Notice
QPY 661APWZ41 -  Investigations Inquiry Notice
FHF 338SYBV85 -  Investigations Inquiry Notice
EGY 318NHAR12 -  Investigations Inquiry Notification
IZJ 296CNWP92 -  Investigations Inquiry Notice

All the senders I have seen come from the chucktowncheckin.com domain. Furthermore, all of the sending servers are in the same /24:

All the servers have names like kvm42.chapelnash.com in a network block controlled by Reg.ru in Russia.

The link in the email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect.com e.g. 2vo4.uk-insolvencydirect.com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:

Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js) that looks like this [Pastebin].

Hybrid Analysis of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do give that OpenDNS is a security tool).

The script downloads a component from www.studiolegaleabbruzzese.com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53.

Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:

soumakereceivedthiswith.ru ( - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor.ru ( - Online Technologies, Ukraine)
programuserandussource.ru (does not resolve)
maytermsmodiall.ru (does not resolve)

It isn't exactly clear what the malware does, but you can bet it is Nothing Good™.

I recommend that you block email traffic from:

and block web traffic to


Monday, 19 December 2016

Malware spam: "Payslip for the month Dec 2016." leads to Locky

This fake financial spam leads to Locky ransomware:

Date:    19 December 2016 at 10:12
Subject:    Payslip for the month Dec 2016.

Dear customer,

We are sending your payslip for the month Dec 2016 as an attachment with this mail.

Note: This is an auto-generated mail. Please do not reply.
The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55.

This Hybrid Analysis clearly shows Locky ransomware in action when the document is opened.

According to my usual reliable source, the various versions of this download a component from one of the following locations:


The malware then phones home to one of the following locations: (Rinet LLC, Ukraine) (PE Tetyana Mysyk, Ukraine) (SmartApe, Russia) (Infium, Latvia / Ukraine)

A DLL is dropped with a detection rate of 12/52.

Recommended blocklist:

Thursday, 15 December 2016

Malware spam: "Amount Payable" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Lynn Drake
Date:    15 December 2016 at 09:55
Subject:    Amount Payable

Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.

Best Regards,
Lynn Drake
The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js. The highly obfuscated script of one sample can be seen here. Typical detection rates for the script are around 16/54.

There are many different scripts, downloading a component from one of the following locations (thanks to my usual reliable source):


According to this Malwr analysis, a DLL is dropped with a detection rate of 18/55.  This Hybrid Analysis shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers: (Rustelekom, Russia) (MWTV, Latvia) (Rustelekom, Russia)

MWTV is a known bad host, so I recommend blocking the entire /24.

Recommended blocklist:

Monday, 12 December 2016

Malware spam: "Invoice number: 947781" leads to Locky

This fake financial spam comes from multiple senders and leads to Locky ransomware:

Date:    12 December 2016 at 10:40
Subject:    Invoice number: 947781

Please find attached a copy of your invoice.

Tel: 0800 170 7234
Fax: 0161 850 0404

For all your stationery needs please visit Stationerybase.
The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56.

Automated analysis of a couple of these files [1] [2] [3] [4] show the macro downloading a component from miel-maroc.com/874ghv3  (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57.

All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to: (Rinet LLC, Ukraine) (Overoptic Systems, UK / Russia) (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

Recommended blocklist:

Friday, 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.

King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detections C2 traffic to: [hostname: saluk1.example.com] (Total Server Solutions, US) (OVH, France)

It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows: [hostname: mrn46.powerfulsecurities.com] (Miran, Russia) [hostame: prujio.com] (Layer6, Latvia) [hostname: free.example.com] (Informtehtrans, Russia) (Rinet LLC, Ukraine) (Agava, Russia) (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)

Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are a at least a couple of bad /24 blocks in there.

Recommended blocklist:

Monday, 5 December 2016

Malware spam: "Shipping status changed for your parcel # 1996466" / ups@ups-service.com

This fake UPS spam has a malicious attachment:

From:    UPS Quantum View [ups@ups-service.com]
Date:    5 December 2016 at 17:38
Subject:    Shipping status changed for your parcel # 1996466

Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.

There must be someone present at the destination address, on the delivery day, to receive the parcel.

Shipping type: UPS 3 Day Select
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.

The delivery invoice  can be downloaded from our website :

Thank you for shipping with UPS

Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.
The link in the email actually goes to a URL vantaiduonganh.vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipients email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain.

This DOC file contains a malicious macro, the Malwr report indicates that it downloads components from:


Those two locations are legitimate hacked sites. This has a detection rate of 7/56 plus a DLL with a detetion rate of 37/56. The malware appears to be Hancitor / Pony / Vawtrak, phoning home to:


Both of these are hosted on the same IP address of (Planetahost, Russia). The following malicious domains are also hosted on the same IP:


Recommended blocklist:

Malware spam: "Please Consider This" leads to Locky

This fake financial spam leads to malware:

From:    Aimee Guy
Date:    5 December 2016 at 13:32
Subject:    Please Consider This

Dear [redacted],

Our accountants have noticed a mistake in the payment bill #DEC-5956047.
The full information regarding the mistake, and further recommendations are in the attached document.

Please confirm the amount and let us know if you have any questions.

Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date.

The scripts download another component from one of the following locations, according to my usual reliable source:


It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54. The malware then phones home to the following locations: [hostname: smtp-server1.ru] (Miran, Russia) (EkaComp, Russia)

These IPs were also used in this earlier attack.

Recommended blocklist: