Showing posts with label Serbia.

Monday, 29 June 2015

Malware spam: "Payslip for period end date 29/06/2015" / "noreply@fermanagh.gov.uk"

This fake financial spam comes with a malicious payload:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    29 June 2015 at 11:46
Subject:    Payslip for period end date 29/06/2015

Dear [redacted]

Please find attached your payslip for period end 29/06/2015

Payroll Section

Attached is a file payslip.zip containing the malicious executable payslip.exe, which has a VirusTotal detection rate of 8/55. Automated analysis [1] [2] shows a file being downloaded from:

http://audileon.com.mx/css/proxy_v29.exe

That binary has a detection rate of just 2/55 [Malwr analysis]. Also, Hybrid Analysis [1] [2] shows the following IPs being contacted for what look to be malicious purposes:


I am unable to determine exactly what the payload is on this occasion.


MD5s:
71a42eaac6f432c8dc04465c065e48e1
4009cd042071c81ce9c1aaa13ac046f2


Wednesday, 24 June 2015

Malware spam: "Considerable law alternations" / "excerptum_from_the_implemented_rule.zip" / "Pamela Adams"

This fake legal spam comes with a malicious payload:
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations

Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above  .
Pamela Adams
Chief accountant

In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55.

Automated analysis tools [1] [2] [3] show malicious traffic to the following IPs:

93.185.4.90 (C2NET Przno, Czech Republic)
216.16.93.250 (Clarity Telecom LLC / PrairieWave, US)
195.34.206.204 (Radionet, Ukraine)
75.98.158.55 (Safelink Internet , US)
185.47.89.141 (Orion Telekom, Serbia)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
85.192.165.229 (Rostelecom / VolgaTelecom, Russia)
178.222.250.35 (Telekom Srbija, Serbia)

The Malwr report and Hybrid Analysis report indicate a couple of dropped files, gebadof.exe (VT 2/55, identical to the initial file) and qppwkce.exe (VT 3/55). This malware appears to be a combination of the Upatre downloader and the Dyre banking trojan.


MD5s:
a85849c45667805231f2093e2eabe89d
e91e0424ac23193461c57ac1046e7dc1

Tuesday, 23 June 2015

Malware spam: "Hope this e-mail finds You well" / "Stacey Grimly"

This spam comes with a malicious attachment:

Date:    23 June 2015 at 14:14
Subject:    Hope this e-mail finds You well

Good day!

Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.

Stacey Grimly,
Project Manager
Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:

check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717

The file sizes actually match the size listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with it. Equally, the technique may be designed to get the spam past mail filters.
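As an added illustration (not code from the original post), here is a small Python check that a mail gateway could apply to attachments named in this malformed style: it recovers the size token embedded in the name, compares it with the real attachment size, and then looks inside the archive for executables. The name pattern and the sample archive are constructed from the attachment names quoted above; the inner file name is an assumption.

```python
import io
import re
import zipfile

# Name shape seen in this campaign: "<name>.zip size=<N>" optionally followed
# by ".zipsize=<N>" (constructed from the attachment names quoted above).
MISNAMED_RE = re.compile(
    r"^(?P<base>.+?\.zip) size=(?P<size1>\d+)(?:\.zipsize=(?P<size2>\d+))?$")

# Extensions that should never arrive inside a "document" archive
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def parse_misnamed(filename):
    """Return (base_name, declared_size) for a malformed name, else None."""
    m = MISNAMED_RE.match(filename)
    if not m:
        return None
    return m.group("base"), int(m.group("size1"))


def classify_attachment(filename, data):
    """Return a list of reasons an attachment looks suspicious (empty if none).

    Both the name shape and the archive contents are examined, so a correctly
    named archive that still carries an executable is also reported.
    """
    reasons = []
    parsed = parse_misnamed(filename)
    if parsed:
        base, declared = parsed
        reasons.append("filename carries an embedded size token (base %s)" % base)
        if declared == len(data):
            reasons.append("embedded size matches actual size (%d bytes)" % declared)
    # Look at the bytes, not the extension: the name is untrustworthy by design
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXTENSIONS):
                        reasons.append("archive contains executable: " + member)
        except zipfile.BadZipFile:
            reasons.append("ZIP signature present but archive does not parse")
    return reasons


def build_sample_zip(inner_name, payload):
    """Construct an in-memory ZIP holding one member (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a tiny fake executable (assumed name) inside a ZIP,
    # attached under a name that repeats the archive's real size.
    sample = build_sample_zip("info_bank_pdf.exe", b"MZ" + b"\x00" * 64)
    name = "check.zip size=%d.zipsize=%d" % (len(sample), len(sample))
    for reason in classify_attachment(name, sample):
        print("FLAG:", reason)
```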

Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52 or 3/54. Automated analysis tools [1] [2] [3] indicate traffic to the following locations:

93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)

These two Malwr reports [1] [2] show dropped files named yaxkodila.exe (two versions, VT 5/54 and 5/55) plus a file jieduk.exe (VT 8/54). Incidentally, the VirusTotal analysis also throws up another IP address of:

104.174.123.66 (Time Warner Cable, US)

The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.


MD5s:
67f05372a34534c5892defb29ba8ead7
267e23f6430999f4b71a074835f19fb2
cebf89f088458f3e89599ae44d03cddf
cfdcb1cbe8983707287be4a03cdb88b4
880ba84222524510c9fe3b3d80429816

Monday, 22 June 2015

Malware spam: "Tax inspection notification" / "tax_663-20845-0479-435.zip size=18288.zipsize=18288"

This fake tax notification comes with a malicious payload.

Date:    22 June 2015 at 19:10
Subject:    Tax inspection notification

Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check  as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor

Attached is a file with the malformed ZIP filename tax_663-20845-0479-435.zip size=18288.zipsize=18288, which contains a malicious executable info_bank_pdf.exe with a VirusTotal detection rate of 4/57.

This Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:

http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK

That IP address is the same as seen in this attack earlier today and it belongs to Orion Telekom in Serbia. This VirusTotal report also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report also shows traffic to 37.57.144.177 (Triolan, Ukraine).

Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57] and sveezback.exe [VT 15/57]. The dropped payload will be the Dyre banking trojan.

Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177

MD5s:
394c56133b323ce3bf038cfc7a00562a
4e9fec8e532664672bd3a022f4f0b4ec
14b8a0f6a9258f9e73f63a4269641ca0


Malware spam: "Shareholder alert" / "instructions.zip size=21154.zipsize=21154"

This fake financial spam comes with a malicious attachment:

Date:    22 June 2015 at 13:07
Subject:    Shareholder alert

Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to resolution of the Board of Directors. Please see attached.

Glen McCoy, Partner

Attached is a mis-named ZIP file called instructions.zip size=21154.zipsize=21154 containing a malicious executable instructions_document.exe which has a VirusTotal detection rate of 1/56.

The Malwr report indicates network traffic to:

http://93.93.194.202:13227/212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13227/212/HOME/41/5/1/ELHBEDIBEHGBEHK

93.93.194.202 is Orion Telekom in Serbia.

It also drops an executable xiroukiqa.exe with a detection rate of 5/56 and vusjeson.exe with a detection rate of 4/57. The VirusTotal report for the last binary also shows traffic to 64.111.36.35 (Midwest Data Center, US), which is clearly malicious according to VirusTotal.

The characteristics of this malware indicate the Upatre downloader leading to the Dyre banking trojan.

Recommended blocklist:
64.111.36.35
93.93.194.202

MD5s:
058216b2635e9c48c22eda6f9b7c83b5
6b2858d4452d97992ab78fd228c3970d
da53e58da4778515d22a96968766c3e3


Friday, 19 June 2015

Malware spam: "New instructions" / "instructions_document.exe"

This rather terse spam comes with a malicious payload:
From:    tim [tim@thramb.com]
Date:    19 June 2015 at 16:40
Subject:    New instructions

New instructions payment of US banks, ask to read

Attached is an archive file with the somewhat unusual name of instructions.zip size=19811 which contains a malicious executable named instructions_document.exe.

The VirusTotal analysis indicates that this is the Upatre downloader [detection rate 3/57]. Automated analysis tools [1] [2] [3] [4] show traffic to:

93.93.194.202:13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID

which is an IP operated by Orion Telekom in Serbia, and also 66.196.63.33:443 which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which while not malicious in itself is quite a good indicator of infection.
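As an added example (not code from the original post), the following Python scans proxy log lines for the Upatre check-in URL shape quoted in this post and in the "Shareholder alert" and "Tax inspection notification" posts above (six path segments, the second being the victim's hostname, direct to an IP on a high port), and for the icanhazip.com lookup noted as an infection indicator. The log line format (client, method, URL) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Path shape of the check-ins quoted on this page, e.g.
# /203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK : campaign / hostname / n / OS / n / ID
UPATRE_PATH_RE = re.compile(
    r"^/[A-Za-z0-9]+/[A-Z0-9_-]+/\d+/[0-9A-Za-z-]+/\d+/[A-Z]{10,20}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_url(url):
    """Return indicator tags for one URL (empty list if nothing matched)."""
    if "://" not in url:          # the post quotes some URLs without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    tags = []
    # Not malicious by itself, but a good indicator of this Upatre generation
    if host == "icanhazip.com":
        tags.append("external-ip-lookup")
    if UPATRE_PATH_RE.match(parts.path):
        tags.append("upatre-checkin-path")
        # The check-ins go straight to an IP on a non-standard port
        if IPV4_RE.match(host) and parts.port not in (None, 80, 443):
            tags.append("direct-ip-high-port")
    return tags


def scan_proxy_log(lines):
    """Group indicator tags by client address.

    Each line is assumed to be "<client> <method> <url>"; returns a dict of
    {client: set(tags)} containing only clients with at least one hit.
    """
    findings = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        for tag in classify_url(url):
            findings.setdefault(client, set()).add(tag)
    return findings


# Constructed proxy log: one client beaconing in the quoted style, one benign
SAMPLE_LOG = """\
10.0.0.5 GET http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
10.0.0.5 GET http://icanhazip.com/
10.0.0.5 GET http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
10.0.0.9 GET http://example.com/index.html
10.0.0.9 GET http://example.com/a/b/1/2/3/PAGE
""".splitlines()

if __name__ == "__main__":
    for client, tags in sorted(scan_proxy_log(SAMPLE_LOG).items()):
        print(client, sorted(tags))
```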

In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.

Recommended blocklist:
93.93.194.202
66.196.63.33

MD5s:
329a2254cf4c110f3097aafdaa50c82a


Saturday, 22 February 2014

On the trail of 3NT Solutions LLP

Yesterday I blogged about a company called 3NT Solutions LLP apparently based in the UK and expressed my reservations about them as a business. They operate quite a large range of IP addresses, but a quick Google search shows pitifully little about this company.

Let's start our investigation by looking them up at Companies House. That gives some basic details:

3NT SOLUTIONS LLP
SUITE 4084
10 GREAT RUSSELL STREET
LONDON
ENGLAND
WC1B 3BQ
Company No. OC363382

LLPs are a relatively new type of company in the UK which allows a firm to be registered with the minimum of details, but there are reports that LLP structures are being widely abused. We'll have a look at the ownership in a moment, but first let's check out this grand-sounding office in Central London.


It is, in fact, the Bloomsbury branch of Mail Boxes Etc and "suite" is simply a euphemism for "mail box". In other words, this is a mail drop address that most likely forwards any mail to another address, a trick that conceals the real owners of the company.

OK, so that address is a bust. But the WHOIS records for their IP blocks, and their previous address registered at Companies House, show something different:

DALTON HOUSE
60 WINDSOR AVENUE
LONDON
SW19 2RR

We can trundle over to that on Google StreetView too.


Dalton House is basically the same thing as the MBE address: it offers a brass plaque somewhere and a mail forwarding service. So no real clues as to ownership here either.

A trip back to Companies House to find their Company Register information [rtf] reveals very little, except two related companies in Belize.



LLP DESIGNATED MEMBER: DARL IMPEX LTD
Appointed: 01/04/2011
Nationality: NATIONALITY UNKNOWN
No. of Appointments: 1
Address: 35 NEW ROAD, BELIZE, BELIZE, NA

LLP DESIGNATED MEMBER: LEGRANT TRADING LTD.
Appointed: 19/03/2013
Nationality: NATIONALITY UNKNOWN
No. of Appointments: 1
Address: BLAKE BUILDING SUITE 102, GROUND FLOOR, BLAKE BUIL, CORNER EYRE&HUTSON STREETS, BELIZE CITY, BELIZE, NA


Belize is pretty much a haven for offshore companies, so it is quite likely that these two Belize companies are owned by someone in a different country again.

The domain registration for 3nt.com doesn't really give any more information, and oddly enough their website is down (so how do they expect to attract business?). But if we do a WHOIS lookup on one of their IP ranges then it becomes much more clear.

inetnum:        5.61.32.0 - 5.61.47.255
netname:        INFERNO-NL-DE
descr:          ********************************************************
descr:          * We provide virtual and dedicated servers on this Subnet.
descr:          *
descr:          * Those services are self managed by our customers
descr:          * therefore, we are not using this IP space ourselves
descr:          * and it could be assigned to various end customers.
descr:          *
descr:          * In case of issues related with SPAM, Fraud,
descr:          * Phishing, DDoS, portscans or others,
descr:          * feel free to contact us with relevant info
descr:          * and we will shut down this server: abuse@3nt.com
descr:          ********************************************************
country:        DE
admin-c:        TNTS-RIPE
tech-c:         TNTS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-3NT
mnt-routes:     LEASEWEB-MNT
source:         RIPE # Filtered

person:         Neil Young
address:        3NT SOLUTIONS LLP
address:        DALTON HOUSE 60, WINDSOR AVENUE
address:        LONDON, UK
phone:          +442081333030
abuse-mailbox:  abuse@3nt.com
nic-hdl:        TNTS-RIPE
mnt-by:         MNT-3NT
source:         RIPE # Filtered

route:          5.61.32.0/20
descr:          Routed via LEASEWEB
origin:         AS16265
mnt-by:         OCOM-MNT
source:         RIPE # Filtered


Alright, let's cut a long story short, because we know who this is: it's Serbian web host inferno.name, who have featured on this blog several times before, all the way back to 2011. Similar records exist on all of 3NT's ranges, linking them firmly with inferno.name.

Now, it's not a particular surprise to see that inferno.name is trading under a different name, as the scummy sites they host pretty much ruined their reputation. And yeah, this blog helped with that.

I had a look into some of 3NT's IP ranges and you can tell instantly from these samples [csv] that they are pretty low-grade spammy sites. What you can't tell from that list are the command and control servers that they run, and of course they also host malware.

The following IP ranges are allocated to 3NT Solutions LLP. I recommend that you block them.

In addition, these other (smaller) ranges are allocated to inferno.name and v3servers.net who are the same outfit. I also recommend that you block these:

Wednesday, 27 February 2013

US Airways spam / berrybots.net

This very detailed but fake US Airways spam leads to malware on berrybots.net:

Date:      Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From:      bursarp1@email-usairways.com
Subject:      Your US Airways trip

US Airways - Your Reservation

Confirmation code:   B339AO

Date issued:   Tuesday, February 26, 2013


Barcode
[redacted]
Scan at any US Airways kiosk to check in
Passenger summary
Passenger name     Frequent flyer # (Airline)   Ticket number    Special needs
Angel Morris       40614552582 (US)             22401837506661
Robert White                                    12938253579871

Fly details
Depart:  Philadelphia, PA (PHL) to Chicago, IL (O'Hare) (ORD)
Date: Thursday, February 28, 2013
Flight #/Carrier   Depart         Arrive         Travel time   Meal   Aircraft   Cabin   Seats
8766               09:38 AM PHL   10:56 AM ORD   2h 18m               A320       Coach   236E 236A

Return:  Chicago, IL (O'Hare) (ORD) to Philadelphia, PA (PHL)
Date: Wednesday, March 06, 2013
Flight #/Carrier   Depart         Arrive         Travel time   Meal   Aircraft   Cabin   Seats
4394               11:55 AM ORD   02:49 PM PHL   1h 54m               A320       Coach   10A 10B

Total travel cost (2 passengers)
2 Adults         $667.35 USD
Taxes and fees    $95.25 USD
Fare total       $754.61 USD
Total            $751.62 USD

Charged to
************XXX7 (Credit or Debit Card)

Helpful links


Bags

Pay for your checked bags when you check in online or at the airport! Read more about bags.
Carry ons* Carry-on bag Personal item
All flights $0 $0
Checked bags (each way/per person)* 1st bag 2nd bag
U.S. / Canada / Latin America / Caribbean / Bermuda / South America (except Brazil) $25 $35
Transatlantic $0 $100
Transpacific / Brazil (except Hawaii) $0 $0
*Carry-ons can be up to 40 lbs and up to 45 inches and a personal item is a handbag, briefcase or laptop bag.
**1st & 2nd checked bags can be up to 50 lbs and 62 inches except Brazil where you're allowed up to 70 lbs. Europe fees apply for travel to/from Asia through Europe. Baggage fees are non-refundable.


1st, 2nd and 3rd checked bag fees waived
  • Gold, Platinum and Chairman's Preferred members
  • Star Alliance Gold status members
1st and 2nd checked bag fees waived
  • (Overweight / oversize fees still apply)
  • Confirmed First Class and Envoy passengers
  • Active U.S. military with ID on personal travel
  • Active U.S. military with ID and dependents traveling with them on orders
  • Unaccompanied minors (with US Airways unaccompanied minor paid assistance)
1st checked bag fees waived
  • (Overweight / oversize fees still apply)
  • Silver Preferred members
  • Star Alliance Silver status members
Other guidelines:
  • Overweight/oversize fees and fees for 3 or more bags apply. Read all baggage policies.
  • If you're traveling with an infant, the child is allowed 1 fully collapsible stroller or 1 child restraint device or car seat (no charge). If you're traveling internationally with an infant in lap, your child is also allowed 1 checked bag (checked bag fees apply - max 62 in/157 cm and 50 lbs/23 kg).
  • If one or more of your flights is on a partner airline, please check with the other airline for information on optional fees.



Terms & conditions
  • Ticket is non-transferable.
  • You must contact US Airways on or before your scheduled departure to cancel any or all of your flights. If you don't, your entire itinerary will be cancelled and there may be no remaining value to use toward another ticket.
  • Any change to this reservation, including flights, dates, or cities, is subject to a fee per passenger (according to the rules of the original fare). The new itinerary will be priced at the lowest available published fare at the time of change, which may result in a fare increase.
  • Ticket expires one year from original date of issue. Unflown value expires one year from original date of issue.
  • Read more about all US Airways taxes and fees.
  • You have 24 hours to cancel your reservation for a full refund. Please view this link.
  • Checked baggage fees may apply.
  • Air transportation on US Airways is subject to the US Airways Contract of Carriage. View this document in PDF format.
  • Security regulations may require us to disclose to government agencies the data you provide to us in connection with this reservation.
  • Changes to the country of origin are not permitted, except for changes between the United States and U.S. territories.
  • Send US your compliments and/or complaints.

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com. Please do not reply to this email, it is not monitored. If you'd like to contact us, please visit our website.

The malicious payload is at [donotclick]berrybots.net/detects/circulation-comparatively.php (report here) hosted on:

118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)
