Sponsored by..

Showing posts with label Saudi Arabia. Show all posts
Showing posts with label Saudi Arabia. Show all posts

Monday 14 March 2016

Malware spam: "Credit details ID: 87320357" leads to Teslacrypt

So many Teslacrypt campaigns, so little time... I've had to rely on third party analysis on this particular one (thank you!)
From:    Ladonna feather
Date:    14 March 2016 at 14:50
Subject:    Credit details ID: 87320357

Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply. 
Send names, references and attachment names vary. The malicious scripts in the attachment attempt to download from:

giveitallhereqq.com/69.exe?1
washitallawayff.com/69.exe?1
giveitallhereqq.com/80.exe?1
washitallawayff.com/80.exe?1


This is Teslacrypt ransomware with VirusTotal detection rates of 1/57 [1] [2]. The malware attempts to phone home to:

198.1.95.93/~deveconomytravel/cache/binstr.php
kel52.com/wp-content/plugins/ajax-admin/binstr.php
myredhour.com/blog//wp-content/themes/berlinproof/binstr.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/binstr.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/wcspng.php


The download locations for the executable files can all be considered as malicious:

54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)

178.18.99.23 (Maginfo JSC, Russia)
31.47.179.11 (Baikal TransTeleCom, Russia)
31.134.39.52 (IRONNET Ltd, Russia)
119.247.218.165 (Hong Kong Broadband Network Ltd, Hong Kong)
113.252.180.39 (Hutchison Global Communications, Hong Kong)
37.115.24.106 (Kyivstar GSM, Ukraine)
5.248.2.179 (Kyivstar GSM, Ukraine)
193.169.134.215 (SDS-Vostok Ltd, Russia)
5.166.207.194 (ER-Telecom Holding, Russia)
46.172.219.246 (Krym Infostroy Ltd, Ukraine)

Out of these, only the first three (for giveitallhereqq.com) appear to be static IPs, the others (for washitallawayff.com) are dynamic and are likely part of a botnet, so blocking the domain might be better.

Recommended blocklist:
54.212.162.6
212.119.87.77
78.135.108.94

washitallawayff.com

Sunday 13 March 2016

Malware spam: "Debt #85533 , Customer Case Nr.: 878" leads to Teslacrypt

The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments, however.

From:    Lamar drury
Date:    13 March 2016 at 18:43
Subject:    Debt #85533 , Customer Case Nr.: 878

Dear Customer,

Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.

We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.

Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.

We hope on your understanding.

Kind regards,
Finance Department
Lamar drury
878 N Davis St, Jacksonville,
FL 85533
Phone nr: 464-182-2340 
Attached is a ZIP file, that in the samples I saw starts with:
  • doc_scan_
  • money_
  • payment_details_
  • payment_
  • warning_
  • see_it_
  • payment_scan_
  • finance_
  • warning_letter_
  • report_
  • transaction_
  • details_
  • incorrect_operation_
  • confirmation_
  • document_
  • problem_
  • financial_judgement_
 ..plus a random number. Inside are one to four malicious .js scripts, named in the following format:

  • details_
  • mail_
  • post_
  • Post_Parcel_Case_id00-
  • Post_Parcel_Confirmation_id00-
  • Post_Parcel_Label_id00-
  • Post_Shipment_Confirmation_id00-
  • Post_Shipment_Label_id00-
  • Post_Tracking_Case_id00-
  • Post_Tracking_Confirmation_id00-
  • Post_Tracking_Label_id00-
The first three have a random string, the ones beginning with "Post" are followed by a random number and a #.  There are at least 22 unique scripts with the following MD5s:

05A44DF4418EA3F133A3708D4D829DC7
84A57069907726FFADE1DE7DDF6E34CD
6F9726C410B3FCE2FC1EAF75C5015BFC
97D6643DE12E4430CD11412D7917C8B2
ADB1CF98CD632B0E55358C045114ED6A
732314E639426E42B9342B1470798E02
AC2D6B033C943AF864F6A6E2A143E0CD
EA9BE11F3267D14CDF3A88786E2D69C8
E831A7247D30F9EB406A3F5AFCB63EDE
D5B74B58E9971BE84AA83B2E1D46B414
1A177FAF482FC924D2439F4111428D9F
0FB3CD12FB2BF4AC7ABB909383E2EEB8
A810DCD3DE5DA723940D3C44075D3314
F1B4DF8D16F81FFC543E252594DF5C03
3FE0BD9E25B3D0A36A898BE6E579780E
060990306E189A6022E2CCB041912588
6F963C39333F751D097D8DB8A2EEF525
DBF2B52926B5925E382BCF4024E5C8F7
4193D7D43CA5981EDB6E790ED568E5F3
AED7397352E43C0E2F0281AA2F4AACB2
ED8919841E31422C6318978BDAE5612B
C6D52DA9375DA4C33776D68407CC9B0D


These appear [1] [2] to download a malicious binary from one of the following locations:

ohelloguyff.com/70.exe
ohelloguyzzqq.com/85.exe?1


Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56.

The download locations have the following IP addresses:

185.35.108.109 (DA International Group Ltd, Bulgaria)
204.44.102.164 (Quadranet Inc, US)
54.212.162.6 (Amazon AWS, US)
192.210.144.130 (Hudson Valley Host / Colocrossing, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)


Those IP addresses can be considered as evil, and they also host the following sites:

returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
howareyouqq.com
ohelloguyqq.com
bonjovijonqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com
ohelloguyff.com
ohelloguymyff.com
joecockerhereff.com
howisittomorrowff.com
thunicodenamespace.com
wioutpudforcontents.com
idendnsletbarcamednstwo.com
leadhoffmanclassapplico.com
insensitivityinterpreted.com
placegrantthenoticesmust.com
dns1.beforeyougogg.net
dns1.ohimyfriendff.net
dns2.ohimyfriendff.net
dns1.kaktotakvot.pw
dns2.martuswalmart.pw
dns2.beforeyougogg.net
dns2.microtexreglyt.net
microtexregyts.net
gdemoidomaine.info
daimoidomainemne.info
mydomainebizness.info


Recommended blocklist:
185.35.108.109
204.44.102.164
54.212.162.6
192.210.144.130
212.119.87.77
78.135.108.94


Saturday 12 March 2016

Malware spam: "Urgent Notice # 78815053" leads to Teslacrypt

This spam comes from random senders, and has random references, dollar amounts and attachment names:

From:    Donnie emily
Date:    12 March 2016 at 14:01
Subject:    Urgent Notice # 78815053

Dear Customer!

According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.

Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.

We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.

Please check out the file and do not hesitate to pay off the debt.

Otherwise we will have to start a legal action against you.

Regards,
Donnie emily
758 N Davis St, Jacksonville,
FL 17323
Phone nr: 026-762-3482 
Attached is a randomly-named ZIP file, in the sample I have seen they begin with:
  • letter_
  • confirm_
  • access_
  • unconfirmed_operation_
  • operation_
  • details_
..plus a random number. There may be other formats. Inside is a malicious script beginning with:
  • details_
  • post_
  • mail_
..plus a random string of characters. I have seen six versions of this script, I do not know how many there are in total. VirusTotal results show detection rates between 4 and 7 out of 57 [1] [2] [3] [4] [5] [6] and automated analysis tools [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] show the script attempting to download a binary from:

bonjovijonqq.com/69.exe?1
bonjovijonqq.com/80.exe?1


This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different (VirusTotal results [19] [20]) and they appear to phone home to:

vtechshop.net/wcspng.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
shirongfeng.cn/images/lurd/wcspng.php


It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to:

31.184.196.78 (Petersburg Internet Network Ltd, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Russia)


The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs:

192.210.144.130 (Hudson Valley Host  / Colocrossing, US)
54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)


The following malicious domains are also on the same servers:

nnrtsdf34dsjhb23rsdf.spannflow.com
bonjovijonqq.com
returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
howareyouqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.

Recommended blocklist:
192.210.144.130
54.212.162.6
212.119.87.77
78.135.108.94
31.184.196.78
91.234.32.192
multibrandphone.com
sappmtraining.com
shirongfeng.cn
vtechshop.net


Thursday 3 December 2015

Malware spam: "Invoice from DATANET the Private Cloud Solutions Company" / "Holly Humphreys [Holly.Humphreys@datanet.co.uk]"

This fake financial email does not come from Datanet but is instead a simple forgery with a malicious attachment:
From:    Holly Humphreys [Holly.Humphreys@datanet.co.uk]
Date:    3 December 2015 at 08:57
Subject:    Invoice from DATANET the Private Cloud Solutions Company

Dear Accounts Dept  :

Your invoice is attached, thank you for your business.

If you have any queries please do not hesitate to contact us.

Regards

DATANET.CO.UK
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday

Please reply to Accounts@datanet.co.uk
________________________________
 Holly Humphreys
Operations
Datanet - Hosting & Connectivity
E:

Holly.Humphreys@datanet.co.uk

W:

www.datanet.co.uk

T:

01252 810010

F:

01252 813391

S:

01252 813396 - Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24x7


DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified
business with the mantra of "CIA" - "Confidentiality, Integrity and Availability" at the heart of our private cloud solutions.

Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.

Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England - No. 03214053
I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\\Users\\HOLLY~1.HUM\\AppData\\Local\\Temp\\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro [pastebin] and has a VirusTotal detection rate of 3/55.

According to this Malwr report and this Hybrid Analysis the XLS file downloads a malicious binary from :

encre.ie/u5y432/h54f3.exe

There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55 and that report plus this Malwr report  indicate malicious network traffic to:

162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
78.47.66.169 (Hetzner, Germany)


The payload is almost definitely the Dridex banking trojan.

MD5s:
1bfd7cdc2731ec85617555f63473e3c9
0dcb805a3efa215bde97aa1f32559b77


Recommended blocklist:
162.208.8.198
94.73.155.8/29
78.47.66.169


UPDATE

I have seen another version of the document with an MD5 of c7fa6a1f345aec2f1db349a80257f459 and a VirusTotal result of 3/54. According to this Malwr report it downloads from:

parentsmattertoo.org/u5y432/h54f3.exe



Monday 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:
From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )
I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.

UPDATE

I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:

bjdennehy.ie/~upload/89u87/454sd.exe

This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)


MD5s:
495d47eedde6566a12b74c652857887e
182db9fc18c5db0bfcb7dbe0cf61cae5
177948c68bc2d67218cde032cdaf1239
07c90e44adcf8b181b55d001cd495b7f


Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239

Friday 27 November 2015

Malware spam: "Invoice" / "Ivan Jarman [IJarman@sportsafeuk.com]"

This fake invoice does not come from Sportsafe UK Ltd but is instead a simple forgery with a malicious attachment.

From     Ivan Jarman [IJarman@sportsafeuk.com]
Date     Fri, 27 Nov 2015 17:21:27 +0530
Subject     Invoice

Sent 27 NOV 15 09:35

Sportsafe UK Ltd
Unit 2 Moorside
Eastgates
Colchester
Essex
CO1 2TJ

Telephone 01206 795265
Fax 01206 795284 
I have received several copies of the spam with the same attachment named S-INV-BROOKSTRO1-476006.doc with a VirusTotal detection rate of 1/54 and which contains this malicious macro [pastebin].

This Malwr report shows the macro downloads from:

kidsmatter2us.org/~parentsm/76f6d5/54sdfg7h8j.exe

The executable has a detection rate of 3/55. The Hybrid Analysis report shows network traffic to:

198.57.243.108 (Unified Layer, US)
94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
77.221.140.99 (ZAO National Communications / Infobox.ru, Russia)
37.128.132.96 (Memset, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
217.160.110.232 (1&1, Germany)
202.137.31.219 (Linknet, Indonesia)
91.212.89.239 (Uzinfocom, Uzbekistan)


The payload is probably the Dridex banking trojan.

MD5s:
6e5654da58c03df6808466f0197207ed
b7bb1381da652290534605e5254361bd

Recommended blocklist:
198.57.243.108
94.73.155.8/29
77.221.140.99
37.128.132.96
37.99.146.27
217.160.110.232
202.137.31.219
91.212.89.239


Monday 23 November 2015

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

NOTE:  as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    23 November 2015 at 11:06
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results [1] [2] [3]), containing a malicious macro like this [pastebin] which according to these Hybrid Analysis reports [4] [5] [6] downloads a malware binary from the following locations:

www.capodorlandoweb.it/u654g/76j5h4g.exe
xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe
cr9090worldrecord.wz.cz/u654g/76j5h4g.exe


This binary has a VirusTotal detection rate of 5/54. That VirusTotal report plus this Hybrid Analysis report and Malwr report indicate malicious traffic to the following IPs:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
89.108.71.148 (Agava Ltd, Russia)
91.212.89.239 (UZINFOCOM, Uzbekistan)
89.189.174.19 (Sibirskie Seti, Russia)
122.151.73.216 (M2 Telecommunications, Australia)
37.128.132.96 (Memset Ltd, UK)
195.187.111.11 (SGGW, Poland)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
77.221.140.99 (Infobox.ru, Russia)
195.251.145.79 (University Of The Aegean, Greece)


The payload is likely to be the Dridex banking trojan.

MD5s:
37f025e70ee90e40589e7a3fd763817c
3e25ba0c709f1b9e399e228d302dd732
e6f1003e4572691493ab1845cb983417
5b6c01ea40acfb7dff4337710cf0a56c

Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79