Monday, 31 October 2016

Malware spam: "Wrong tracking number" leads to Locky

This spam email leads to Locky ransomware:

From     "Samuel Rodgers"
Date     Mon, 31 Oct 2016 15:21:22 +0530
Subject     Wrong tracking number

It looks like the delivery company gave us the wrong tracking number.

Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.

The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script [pastebin] named something like tracking number A99DB PDF.vbs.

That script tries to download a component from:

tastebudsmarketing.com/uw6lin
mechap.com/xd7uh
coffeeteashop.ru/daz2rp
ficussalm.com/0bqzcn96
waynesinew.com/0fqt9he1

There will no doubt be other locations. At present I do not have those or the C2 servers, but will update this post if I get them.

UPDATE

The full list of download locations is as follows (thank you to my usual source):


The malware phones home to:

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
5.187.7.111/linuxsucks.php (Fornet Hosting, Spain)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152

Wednesday, 27 April 2016

Malware spam: Message from "RNP0BB8A7" / CLAUDIA MARTINEZ leads to Locky

This Spanish-language spam leads to malware:

From:    CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com]
Date:    27 April 2016 at 16:22
Subject:    Message from "RNP0BB8A7"

Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).

Datos escaneo: 27.04.2016 00:31:10 (+0000)
Preguntas a: soporte@victimdomain.tld

Attached is a randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:

mebdco.com/8759j3f434
amwal.qa/8759j3f434
ecmacao.com/8759j3f434
lifeiscalling-sports.com/8759j3f434


This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source that these additional download locations were being used for an English-language spam run this afternoon:



This DeepViz report shows the malware phoning home to:

107.170.20.33 (Digital Ocean, US)
139.59.166.196 (Digital Ocean, Singapore)
146.185.155.126 (Digital Ocean, Netherlands)


There's a triple whammy for Digital Ocean! Well done them.

Recommended blocklist:
107.170.20.33
139.59.166.196
146.185.155.126

Wednesday, 13 April 2016

Malware spam: "Prompt response required! Past due inv. #FPQ479660" / "Jake Gill"

This fake financial spam has a malicious attachment:

From:    Hillary Odonnell [Hillary.OdonnellF@eprose.fr]
Date:    13 April 2016 at 18:40
Subject:    Prompt response required! Past due inv. #FPQ479660

Hello,

I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?

Thank you,

Jake Gill

Accounts Receivable Department

Diploma plc

(094) 426 8112

The person it is "From", the reference number and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).

There seem to be several different versions of the attachment. I checked four samples [1] [2] [3] [4], and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive [5] [6] [7] [8] (as are the Hybrid Analyses [9] [10] [11] [12]), but they do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on 212.76.140.230 - MnogoByte, Russia). The payload appears to be Dridex.

We can see a reference to that server at URLquery, which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment the server appears not to be responding, but for that sample the malware communicated with:

195.169.147.88 (Culturegrid.nl, Netherlands)
178.33.167.120 (OVH, Spain)
210.70.242.41 (TANET, Taiwan)
210.245.92.63 (FPT Telecom Company, Vietnam)


These are all good IPs to block.

According to DNSDB, these other domains have all been hosted on the 212.76.140.230 address:



You can bet that they are all malicious too.

Recommended blocklist:
212.76.140.230
195.169.147.88
178.33.167.120
210.70.242.41
210.245.92.63


Thursday, 10 March 2016

Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"

This fake financial spam comes with a malicious attachment:

From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833

Dear Client!

For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994


Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:

http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1


These sites are hosted on:

142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)


This Malwr report and this Hybrid Analysis show communications with:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)


The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.

These domains are also associated with some of the IPs. Consider them all to be evil:


Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146



Tuesday, 8 March 2016

Malware spam: "Compensation - Reference Number #368380" leads to Locky

This fake financial spam comes with a malicious attachment:

From:    Orval Burgess
Date:    8 March 2016 at 11:10
Subject:    Compensation - Reference Number #368380

Dear Customer,

The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.


Sincerely,
Orval Burgess
Account Manager

Attached is a file named in a similar format to SCAN_00_368380.zip, which contains TWO malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1] [2] [3] [4]). Automated analysis tools [5] [6] [7] [8] [9] [10] [11] [12] show binary download locations at:

ministerepuissancejesus.com/o097jhg4g5
ozono.org.es/k7j6h5gf


Those same reports indicate the malware attempts to phone home to the following IPs:

89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)


Those automated reports all indicate that this is the Locky ransomware.

UPDATE

A trusted source also informs me of these additional download locations:

51457642.de.strato-hosting.eu/980k7j6h5
besttec-cg.com/89ok8jhg
cyberbuh.pp.ua/97kh65gh5
fkaouane.free.fr/67uh54gb4
het-havenhuis.nl/099oj6hg
kokoko.himegimi.jp/54g4
lahmar.choukri.perso.neuf.fr/78hg4wg
surfcash.7u.cz/0o9k7jh55
www.vtipnetriko.cz/9oi86j5hg4


In addition, there is another IP address the malware phones home to:

212.47.223.19 (Web Hosting Solutions Oy, Estonia)



Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196
212.47.223.19

Tuesday, 1 December 2015

Malware spam: "Card Receipt" / "Tracey Smith" [tracey.smith@aquaid.co.uk]

This fake financial spam does not come from AquAid, but is instead a simple forgery with a malicious attachment. Poor AquAid were hit by the same thing several times earlier this year.

From     "Tracey Smith" [tracey.smith@aquaid.co.uk]
Date     Tue, 01 Dec 2015 10:54:15 +0200
Subject     Card Receipt

Hi

Please find attached receipt of payment made to us today

Regards
Tracey
 
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk

AquAid really is the only drinks supplier you will ever need with our huge
product range. With products ranging from bottled and mains fed coolers ranging up
to coffee machines and bespoke individual one off units we truly have the
right solution for all environments. We offer a refreshing ethical approach
to drinks supply in that we support both Christian Aid and Pump Aid with a
donation from all sales.  All this is done while still offering a highly
focused local service and competitive pricing. A personalised sponsorship
certificate is available for all clients showing how you are helping and we
offer £25 for any referral that leads to business.

*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with
registered number 3505477 and registered office at 51 Newnham Road,
Cambridge, CB3 9EY, UK. This message is intended only for use by the named
addressee and may contain privileged and/or confidential information. If you
are not the named addressee you should not disseminate, copy or take any
action in reliance on it. If you have received this message in error please
notify the sender and delete the message and any attachments accompanying it
immediately. Neither AquAid nor any of its Affiliates accepts liability for
any corruption, interception, amendment, tampering or viruses occurring to
this message in transit or for any message sent by its employees which is
not in compliance with AquAid corporate policy.

Attached is a file CAR014 151238.doc which comes in at least two different versions, with a VirusTotal detection rate of 3/55 for both [1] [2]. According to these Malwr reports [3] [4] the macro in the document downloads a file from one of the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe


This binary has a detection rate of 3/54. The Malwr report for that file shows that it phones home to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)

There are other bad IPs in the 94.73.155.8 - 94.73.155.15 range, so I strongly recommend that you block all traffic to 94.73.155.8/29.

These two Hybrid Analysis reports [1] [2] also show malicious traffic to the following IPs:

89.248.99.231 (Interdominios S.A., Spain)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
221.132.35.56 (Post and Telecom Company, Vietnam)
78.24.14.20 (VSHosting s.r.o., Czech Republic)


The payload here is probably the Dridex banking trojan.

MD5s:
e590d72e4a7a26aefcf4aa2b438dbb64
42a897dcd53bd7a045282205281892e4
b815797e050e45e3be435d3ecf48bfb0


Recommended blocklist:
94.73.155.8/29
89.248.99.231
103.252.100.44
89.108.71.148
221.132.35.56
78.24.14.20
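As an added example (not code from the original post), here is a small Python checker that reads a blocklist in the format used above, where single IPs and CIDR ranges such as 94.73.155.8/29 are mixed, and reports which firewall log lines have a blocklisted destination. The log format and the sample client addresses are constructed for the example.

```python
import ipaddress
import re

# Blocklist in the format used in these posts: one IPv4 address or CIDR range
# per line. The entries here are the ones recommended in the post above.
BLOCKLIST_TEXT = """
94.73.155.8/29
89.248.99.231
103.252.100.44
89.108.71.148
221.132.35.56
78.24.14.20
"""


def parse_blocklist(text):
    """Parse blocklist lines into ip_network objects.

    A bare address becomes a /32 network, so one membership test
    (addr in net) works for both kinds of entry. strict=False tolerates
    entries whose host bits are set (e.g. 94.73.155.12/29).
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def match_blocklist(ip, nets):
    """Return the blocklist entry (as a string) that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


# Constructed firewall log lines (not from the original post):
# "<timestamp> <source IP> <destination IP>". 94.73.155.12 is the C2 named
# in the post and falls inside 94.73.155.8/29; 94.73.155.16 is just outside it.
SAMPLE_LOG = """\
2015-12-01T10:55:01Z 10.0.0.15 94.73.155.12
2015-12-01T10:55:03Z 10.0.0.15 8.8.8.8
2015-12-01T10:55:07Z 10.0.0.22 89.248.99.231
2015-12-01T10:55:09Z 10.0.0.22 94.73.155.16
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_log(text, nets):
    """Return (timestamp, src, dst, matched_entry) for each blocklisted destination."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst = m.groups()
        entry = match_blocklist(dst, nets)
        if entry is not None:
            hits.append((ts, src, dst, entry))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_blocklist(BLOCKLIST_TEXT)):
        print("%s %s -> %s matches %s" % hit)
```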

Wednesday, 8 April 2015

Malware spam: "Invoice from COMPANY NAME" / 31.24.30.12 / 46.30.43.102

This Dridex spam takes a slightly different approach from other recent ones. Instead of attaching a malicious Office document, it downloads one from a compromised server.

The example I saw read:

From:    Mitchel Levy
Date:    8 April 2015 at 13:45
Subject:    Invoice from MOTHERCARE

Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.

Download your invoice here.

Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.

Mitchel Levy, MOTHERCARE

The link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipient's email address. It also has the recipient's email address embedded in the URL, for example:

http://victimbfe.afinanceei.com/victim@victim.domain/

This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:

I guess perhaps the bad guys didn't notice "Califonia Institute of Technology" written behind "Information Management Systems & Services". The link in the email downloads a file from:

http://31.24.30.12/api/Invoice.xls

At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://31.24.30.12/api/ shows a fake page pretending to be from Australian retailer Kogan.
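As an added example (not the blog's own code), here is a Python detection for the two link shapes described above: a lure URL that embeds the recipient's email address in its path under a per-recipient subdomain, and an Office document fetched directly from a bare IP address. The proxy log format and the client addresses are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# An e-mail address appearing as an entire path segment of a URL.
EMAIL_SEGMENT = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Office/RTF attachments of the kind these campaigns download.
OFFICE_EXT = (".xls", ".xlsm", ".doc", ".docm", ".rtf")


def email_in_path(url):
    """Return (subdomain, e-mail) when url embeds an e-mail address as a path
    segment, e.g. http://victimbfe.afinanceei.com/victim@victim.domain/ gives
    ('victimbfe', 'victim@victim.domain'); otherwise None."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    for seg in parts.path.split("/"):
        seg = unquote(seg)
        if EMAIL_SEGMENT.match(seg):
            labels = parts.hostname.split(".")
            # Everything left of the registered domain is the per-recipient label.
            subdomain = ".".join(labels[:-2]) if len(labels) > 2 else ""
            return subdomain, seg
    return None


def office_doc_from_bare_ip(url):
    """Return (ip, filename) when url fetches an Office/RTF file from a host
    given as an IP literal (e.g. http://31.24.30.12/api/Invoice.xls); else None."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    try:
        ip = str(ipaddress.ip_address(parts.hostname))
    except ValueError:
        return None  # hostname is a DNS name, not an IP literal
    filename = parts.path.rsplit("/", 1)[-1]
    if filename.lower().endswith(OFFICE_EXT):
        return ip, filename
    return None


# Constructed proxy log (not from the original post): "<timestamp> <client> <url>".
# The first two URLs are the ones the post describes; the third is benign.
SAMPLE_PROXY_LOG = """\
2015-04-08T13:47:02Z 10.1.1.7 http://victimbfe.afinanceei.com/victim@victim.domain/
2015-04-08T13:47:05Z 10.1.1.7 http://31.24.30.12/api/Invoice.xls
2015-04-08T13:48:11Z 10.1.1.9 https://www.example.com/mail/inbox
"""


def scan_proxy_log(text):
    """Return one dict per suspicious request, tagged with the reason it matched."""
    hits = []
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue
        ts, client, url = fields
        found = email_in_path(url)
        if found:
            hits.append({"ts": ts, "client": client, "url": url,
                         "reason": "email-in-path",
                         "subdomain": found[0], "email": found[1]})
            continue
        found = office_doc_from_bare_ip(url)
        if found:
            hits.append({"ts": ts, "client": client, "url": url,
                         "reason": "office-doc-from-ip",
                         "host": found[0], "file": found[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["ts"], hit["client"], hit["reason"], hit["url"])
```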



As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:


That's pretty easy to decode, and it instructs the computer to download a malicious binary from:

http://46.30.43.102/cves/kase.jpg

This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC.

This binary has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] [4] show it communicating with the following IPs:

109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)

In addition there are some Akamai IPs which look benign:

184.25.56.212
184.25.56.205
2.22.234.90

According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.

Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478

UPDATE 1:

There is at least one other server at 95.163.121.22 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 95.163.121.0/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others, given the limited alphabetic range.


Wednesday, 1 April 2015

Malware spam: "Your Remittance Advice COMPANY NAME"

Yet another malware spam run today, this time from randomly-named but legitimate companies, for example:

From:    Kate Coffey
Date:    1 April 2015 at 15:00
Subject:    Your Remittance Advice PEEL SOUTH EAST

Dear sir or Madam,

Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.

Best regards
PEEL SOUTH EAST

Attached is a Word document with a filename matching the one in the body text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:

http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif


Those servers are almost certainly entirely malicious, with IPs assigned to:

31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)

This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:

188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)

According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.

Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78

MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9

Tuesday, 17 February 2015

An analysis of reported Equation Group IP ranges and domains

There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks [1] [2] [3] [4].

Securelist (in conjunction with Kaspersky) published a list of domains and IPs to do with this malware, but with very little information about where they were hosted. After all, if they are hosted in a shed next to the bus station in Tiraspol or some underground complex buried under Wutong Mountain, then it's a rather different proposition from some secretive organisation in Washington DC.

Securelist post a number of hardcoded IPs as well as some domain names. Kaspersky have sinkholed some of the domains, and I can see one other active sinkhole. At least one of the domains is parked. Some of the domains look like they are not in use.

The data I collected can be found here, but before you use any of it, I will explain in more detail so you can use it prudently.

There are several web hosts and networks involved, all over the world. Some seem to have a higher certainty of involvement than others. In most cases, the Equation Group have rented a bunch of servers with contiguous IP addresses (I call this the "Equation Range") which is the one that I recommend you monitor. Some web hosts have other suspect IP addresses in the same neighbourhood, but in order to keep things simple I am not going into that.

(Updated 18/2/15 to remove an OpenDNS sinkhole and add 41.222.35.70)

FLAG Telecom / Reliance Globalcom

62.216.152.64/28
80.77.2.160/27
80.77.4.0/26

Allegedly a partner of the NSA and GCHQ, these IP addresses appear to be in the UK, US and Egypt (I would doubt the accuracy of the WHOIS data for the last one). In addition to apparently hardcoded IPs, they also host:


Verizon

194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
202.95.84.32/27
210.81.52.96/27
212.177.108.192/27

Another company with a long history with the NSA, these Verizon IPs are all located outside the United States, specifically in the Netherlands, Singapore, Japan and Italy. In addition to hardcoded IPs, they are hosting:


Global Telecom & Technology Americas Inc. / Cogent / PSInet

149.12.71.0/26

This Cogent customer has at least four different IPs hosting Equation Group servers. The following domains are hosted:

avidnewssource.com
rubi4edit.com
listennewsnetwork.com
unite3tubes.com

Colombia: Alfan Empaques Flexibles S.A. / Columbus Networks / IFX Networks / Terremark

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28

The relationship between the US and Colombia is difficult, with the former spying on the latter extensively. Why there should be a cluster of servers in Colombia connected with this is a mystery. In addition to hardcoded IPs, the following domains are hosted in Colombia:

selective-business.com
technicalconsumerreports.com
technicaldigitalreporting.com
technology-revealed.com
melding-technology.com

Czech Republic: Master Internet / IT-PRO / 4D Praha

81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27

A group of three internet companies (possibly using the same infrastructure) also appear to be involved. All these IPs appear to be in the city of Brno, which is also home to the Czech National Cyber Security Center. Coincidence? The following domains can be found on Czech IPs in addition to hardcoded addresses:

islamicmarketing.net
noticiasftpsrv.com
coffeehausblog.com
platads.com
nickleplatedads.com
arabtechmessenger.net

Spain: Terremark / GTT Global Telecom

84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28


Terremark also provide hosting services for Equation in Colombia, and of course Spain is a long-time ally of the United States and United Kingdom. Web sites hosted:


Netherlands: Tripartz-Atrato / IX Reach / Claranet / FiberRing

212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109

In addition to Verizon, four other Netherlands companies are hosting Equation Group servers. The Netherlands is another long-time ally of the US and UK.

arm2pie.com
businessdirectnessource.com
housedman.com
taking-technology.com
micraamber.net
charging-technology.com
brittlefilet.com
dowelsobject.com
speedynewsclips.com

Malaysia: Piradius NET

124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29

Often appearing to be a "go-to" company if you want to set up a Black Hat reseller, these domains and IPs look like they have been picked up as part of a commercial offering.

roshanavar.com
adsbizsimple.com
bazandegan.com
amazinggreentechshop.com
foroushi.net
technicserv.com
afkarehroshan.com
thesuperdeliciousnews.com
sherkatkonandeh.com
mashinkhabar.com

Other ranges and hosts

  • RACSA in Costa Rica hosts customerscreensavers.com and xlivehost.com on 196.40.84.8/29.
  • EasySpeed in Denmark hosts quik-serv.com and goldadpremium.com on 82.103.134.48/30.
  • Cyber Cast International in Panama hosts havakhosh.com and toofanshadid.com on 200.115.174.254.
  • EM Technologies in Panama hosts technicupdate.com and rapidlyserv.com on 201.218.238.128/26.
  • INET in Thailand hosts globalnetworkanalys.com on 203.150.231.49 with an apparently hardcoded IP of 203.150.231.73 in use as well.
  • American Internet Services hosts suddenplot.com on 207.158.58.102.
  • GoDaddy hosts serv-load.com and wangluoruanjian.com on 97.74.104.208.
  • Quadranet / GZ Systems hosts fliteilex.com plus some other questionable domains on 67.215.237.104/29.
  • Vegas Linkup LLC hosts standardsandpraiserepurpose.com on 209.59.42.97.
  • Vox Telecom in South Africa hosts mysaltychocolateballs.com on 41.222.35.70 having previously hosted forboringbusinesses.com.

In all, the following network blocks and IPs appear to be hosting servers connected to the Equation Group:


I recommend that you look at the data before you do drastic things with these IP ranges.

Now, I don't know for certain that this malware is a government actor, but the IP addresses indicate that whoever it is has a relationship with these companies (especially Verizon). That certainly feels like a state actor to me.

Monday, 19 August 2013

Malware sites to block 19/8/13

These sites and IPs belong to this gang, and this list follows on from this one:

5.39.14.148 (OVH, France)
24.173.170.230 (Time Warner Cable, US)
31.52.14.209 (BT Broadband, UK)
37.200.69.43 (Selectel Ltd, Russia)
42.121.84.12 (Aliyun Computing Co, China)
59.124.33.215 (Chunghwa Telecom Co, Taiwan)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime Inc, US)
70.184.34.191 (Cox Communications, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
86.183.191.35 (BT, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Megalan Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
114.112.172.34 (Beijing STTD Communication Technology Co, China)
140.113.160.149 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.242.123.152 (Volumedrive, US)
177.53.80.39 (Telecom Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithuania)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services LLC, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
193.147.49.154 (Universidad Rey Juan Carlos, Spain)
196.1.95.44 (Ensut-computer Department, Senegal)
198.52.243.229 (Centarra Networks Inc, US)
198.211.115.228 (Digital Ocean, US)
212.68.34.88 (Mars Global Datacenter Services LLC, Turkey)
216.158.67.42 (TMZHosting LLC, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)
221.133.1.21 (Saigon Postel Corporation, Vietnam)
222.35.102.133 (China Tietong Telecommunications Corporation, China)


Friday, 12 July 2013

"TAX Return Reminder" / cpa.state.tx.us.tax-returns.mattwaltererie.net

This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie.net:

--- Version 1 --------------------

Date:      Fri, 12 Jul 2013 14:35:31 +0300
From:      DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=035549412645

For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.


--- Version 2 --------------------


Date:      Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From:      tax.help@STATE.TX.GOV.US
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.

A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=488702484517

For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.
Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate hacked site, in this case to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie.net/news/tax_refund-caseid7436463593.php?[snip] (example 1, example 2), but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).

cpa.state.tx.us.tax-returns.mattwaltererie.net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The domain mattwaltererie.net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from).

      Marilyn Clark
      13578 Calderon Rd
      SAN DIEGO, CA 92129
      US
      Phone: +1.7143435399
      Email: tekassis@usa.com


Below is a partial blocklist that I would recommend you use in conjunction with this one:




Tuesday, 9 July 2013

"Payment File Successfully Processed" spam / autorize.net.models-and-kits.net

This spam leads to malware on autorize.net.models-and-kits.net:

Date:      Tue, 9 Jul 2013 15:36:42 -0500
From:      batchprovider@eftps.gov
Subject:      Payment File Successfully Processed

*** PLEASE DO NOT REPLY TO THIS MESSAGE***

Dear Batch Provider,

This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358

Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
Thank You,
EFTPS

Contact Us: EFTPS Batch Provider Customer Service
at this link
A sender's email address of batchprovider@email.eftpsmail.gov is seen in another sample. The link goes through a legitimate hacked site and ends up on a malware-laden page at [donotclick]autorize.net.models-and-kits.net/news/shortest-caused-race.php (report here) hosted on:

77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)

All these IPs and more can be found in this recommended blocklist. Out of these four IPs we can see the following malicious domains, which should also be blocked if you can't block the IPs themselves.


Update: a different spam is also circulating with the same payload:


Date:      Tue, 9 Jul 2013 06:56:26 -0800
From:      "Authorize . Net" [emailreceipts@news.authorizemail.net]
Subject:      Successful Credit Card Settlement Report.

Your Authorize.Net ID is: 1263577
Dear [redacted],

The following is your Credit Card settlement report for Sunday, July 09, 2013.

Transaction Volume Statistics for Settlement Batch dated 9-Jul-2013 11:0:55 PDT:
Batch ID: 668271114
Business Day: 09-Jul-2013
Net Batch Total: 9,917.74 (USD)
Number of Charge Transactions: 99
Amount of Charge Transactions: 9,917.74
Number of Refund Transactions: 7
Amount of Refund Transactions: 105.64

Warning! Your Batch limits for July exceeded!
To view details, please click here to log into the Merchant Interface.

If you have any questions regarding this settlement report, please contact your bank or you can contact Customer Support at this link.

Thank You,
Authorize.Net

*** You received this email because you chose to be a Credit Card Report recipient. You may change your email options by logging into the Merchant Interface. Click on Settings and Profile in the Main Menu, and select Manage Contacts from the General section. To edit a contact, click the Edit link next to the contact that you would like to edit. Under Email Types, select or deselect the Email types you would like to receive. Click Submit to save any changes. Please do not reply to this email.



Malware sites to block 9/7/13

These are the current IPs and domains that appear to be in use by this gang. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting:

Monday, 8 July 2013

Amex spam / americanexpress.com.krasalco.com

This fake Amex spam leads to malware on americanexpress.com.krasalco.com:

    
From: American Express [mailto:AmericanExpress@emalsrv.aexpmail.org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received

Check your account balance online at any time

Hello, [redacted]

View Account | Make a Payment | Manage Alerts Preferences

Payment Received

Check Balance

We received a payment for your Card account.

     Date Received: Mon, Jul 08, 2013
     Payment Amount: $2,511.92

Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.

Thank you for your Cardmembership.

American Express Customer Care

Was this e-mail helpful? Please click here to give us your feedback.

If you'd like to stop receiving this alert, simply click here.

Like Us on Facebook | Follow Us on Twitter | Subscribe to our channel | Share with Foursquare friends

Contact Us | Privacy Statement | Add us to your address book

Your Cardmember information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us via customer service.

© 2013 American Express. All rights reserved.

AU0S0RF76947278


The link in the email goes through a legitimate hacked site to end up on a malicious landing page at [donotclick]americanexpress.com.krasalco.com/news/slightly_some_movie.php (report here) hosted on the following IPs:

77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)

Blocklist:
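The lookalike hostnames in these posts (americanexpress.com.krasalco.com, autorize.net.models-and-kits.net, cpa.state.tx.us.tax-returns.mattwaltererie.net) and the shared /news/<words>.php landing-page path are easy to pick out of proxy logs. The following is an added example, not code from this blog, that scores constructed log lines against a small blocklist built from the indicators quoted above; the log format, the brand-prefix heuristic and the two-label registrable-domain shortcut are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed blocklist: a handful of the IPs and domains quoted in the posts above.
BLOCKED_DOMAINS = {"krasalco.com", "mattwaltererie.net", "models-and-kits.net", "sartorilaw.net"}
BLOCKED_IPS = {"46.45.182.27", "77.240.118.69", "103.9.23.34", "151.155.25.111", "202.28.69.195"}

# Brand domains this gang glues onto the front of its own hostnames. Typo-squats such as
# autorize.net are a separate problem (edit-distance check) and are not handled here.
BRAND_DOMAINS = ("americanexpress.com", "authorize.net", "cpa.state.tx.us", "eftps.gov",
                 "linkedin.com", "facebook.com", "amazon.com", "pinterest.com",
                 "tigerdirect.com", "quill.com")

# Every landing page in these posts has the shape /news/<words>.php
LANDING_PATH = re.compile(r"^/news/[a-z0-9_-]+\.php$", re.IGNORECASE)

# Assumed proxy log format: <timestamp> <client ip> <destination ip> <url>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<url>https?://\S+)$")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (mattwaltererie.net for the fake tax-return host).

    Simplification: a production check should consult the Public Suffix List so that
    names under co.uk, com.au and similar suffixes are cut at the right label.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_prefix(host: str) -> Optional[str]:
    """Return the brand domain a hostname is impersonating, or None.

    A brand is only suspicious when it sits at a label boundary *inside* the name and is
    followed by '.' or '-': americanexpress.com.krasalco.com and
    linkedin.com-update-report.taltondark.net are flagged, www.americanexpress.com is not.
    """
    host = host.lower()
    for brand in BRAND_DOMAINS:
        if (re.search(r"(?:^|\.)" + re.escape(brand) + r"[.-]", host)
                and registrable_domain(host) != registrable_domain(brand)):
            return brand
    return None


@dataclass
class Verdict:
    url: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

    @property
    def confidence(self) -> str:
        # The path heuristic alone is weak; two or more independent hits make a solid alert.
        return "high" if len(self.reasons) >= 2 else "low"


def assess(dst_ip: str, url: str) -> Verdict:
    """Apply the four checks to one request and collect the reasons that fired."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    verdict = Verdict(url)
    domain = registrable_domain(host)
    if domain in BLOCKED_DOMAINS:
        verdict.reasons.append(f"domain on blocklist: {domain}")
    if dst_ip in BLOCKED_IPS:
        verdict.reasons.append(f"destination IP on blocklist: {dst_ip}")
    brand = brand_prefix(host)
    if brand:
        verdict.reasons.append(f"hostname impersonates {brand}")
    if LANDING_PATH.match(parts.path):
        verdict.reasons.append("path matches /news/<words>.php landing-page pattern")
    return verdict


def scan_log(lines) -> List[Verdict]:
    """Return a Verdict for every parseable line that tripped at least one check."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # unparseable line; a real deployment would count these
        verdict = assess(m["dst"], m["url"])
        if verdict.suspicious:
            flagged.append(verdict)
    return flagged


# Constructed log lines: URLs and IPs come from the posts above, timestamps and client
# addresses are invented. Line 2 is a genuine Amex URL, line 5 an internal site whose
# /news/index.php path trips only the weakest heuristic.
SAMPLE_LOG = """\
2013-07-09T15:40:12Z 10.0.0.5 77.240.118.69 http://autorize.net.models-and-kits.net/news/shortest-caused-race.php
2013-07-09T15:40:13Z 10.0.0.5 23.0.0.1 https://www.americanexpress.com/us/login
2013-07-12T14:36:02Z 10.0.0.9 46.45.182.27 http://cpa.state.tx.us.tax-returns.mattwaltererie.net/news/tax_refund-caseid7436463593.php
2013-07-08T15:02:30Z 10.0.0.7 151.155.25.111 http://americanexpress.com.krasalco.com/news/slightly_some_movie.php
2013-07-08T15:03:00Z 10.0.0.7 198.51.100.4 http://intranet.example.com/news/index.php
"""

if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{v.confidence}] {v.url}")
        for reason in v.reasons:
            print(f"    - {reason}")
```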

Tuesday, 2 July 2013

Malware sites to block 2/7/13

These sites belong to this gang and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block.


Thursday, 27 June 2013

OfficeWorld.com spam / sartorilaw.net

This fake OfficeWorld spam leads to malware on sartorilaw.net:

Date:      Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
From:      customerservice@emalsrv.officeworldmail.net
Subject:      Confirmation notification for order 1265953

Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!

Please review your order details below. If you have any questions, please Contact Us


Helpful Tips:
--------------------------------------------------------------------
- Please SAVE or PRINT this confirmation for your records.
- ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
- If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
--------------------------------------------------------------------

Order:  1265953
Date:           6/27/2013
Ship To:        My Default

Credit Card:    MasterCard


Product Qty     Price   Unit    Extended
--------------------------------------------------------------------
HEWCC392A    1       $9703.09  EA      $15.15         
AVE5366 1       $27.49  BX      $27.49         
SAF3081 2       $56.29  EA      $112.58        


Product Total:     $9855.22
--------------------------------------------------------------------
Total:          $9855.22

OfficeWorld.com values your business!
The link in the email goes through a legitimate hacked site and then on to [donotclick]sartorilaw.net/news/source_fishs.php (report here) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)

Recommended blocklist:



Friday, 21 June 2013

luntravel.com are a bunch of stupid spammers

Like most people I get a lot of spam. Sometimes it makes me cross. Here's one sent to a scraped email address that is effectively a spamtrap.

From:     Luntravel [noreply@luntravelmail.com]
Reply-To:     Luntravel [noreply@luntravelmail.com]
Date:     21 June 2013 13:03
Subject:     New offers from £49
Mailing list:     c425d640a3819ebec8af23ba171be24c


So far, just a spam with a graphic in, but the email footer is what got my goat..

You receive this newsletter because you used google sometime and we send you our best deals.
Prices shown as 'from' point to the lowest bidder at the time of sending this communication, so we can not guarantee that they remain in force at the time you receive this newsletter.
Save our info@luntravelmail.com address in your e-book for the best deals do not end up in the SPAM folder.
To unsubscribe from receipt of this message, you can click on Unsubscribe, our private site is Luntravel.com
Wait.. I received this spam because I use Google? I've never used any Google product in my life. Not even blogger. And then it goes on to say that the prices quoted may as well be completely made up. Which no doubt they are. Oh yes, SPAM spelled in CAPITALS is a trademark for a brand of tinned meat.

All of the content, trademarks, logos, images, etc. displayed on the Website are protected by the intellectual and industrial property rights, patents, trademarks and copyrights of Luntravel, which are expressly reserved by Luntravel and, when applicable, any other persons or companies that figure as the authors or holders of such rights. Any violation of the abovementioned rights shall be prosecuted in accordance with currently effective legislation. Therefore, it is strictly prohibited to reproduce, exploit, alter, distribute or publicly communicate any of the Website content through any means for any use other than legitimate informational purposes or for the User to contract the services offered therein. In any event, doing so shall require the prior written consent of Luntravel.
The User acknowledges that the operation of this service is governed by Spanish legislation. Luntravel reserves the right to make any changes it deems appropriate in observance of the terms and conditions envisaged in the General Law in Defence of Consumers and Users (Law No. 1/2007), the various regulations governing the activities of travel agencies in the Autonomous Communities and the various legal amendments to and supplemental regulations of the legislation related to free access to the activities of services and their performance.
Now the stupid legal blurb which basically says we can spam you but you can't publish anything about our website, and now we'll quote some Spanish laws which may or may not exist but we are probably breaking by sending the spam (actually the relevant law is Act 34/2002 of 11 July on Information Society Services and Electronic Commerce, but I don't think they have read it).

Oh what was that about logos?


Say again?

The spam originates from 93.159.211.199 (CPC Servicios Informaticos SL, Spain) with links to newsletters.tradaticket.com on 93.159.209.72 (also CPC) and then onto luntravel.com on 94.23.82.229 (OVH, France) [report here]. luntravel.com is registered to:

  miguel angel lancho milan
  Lancho milan Miguel angel
  C/ General Barroso 37-21
  Valencia, 46017
  ES
  +34.963788523
  7i54o32ibghg27t42930@b.o-w-o.info
  
Dealing with spammers is never a good idea. I would avoid this bunch.

Thursday, 20 June 2013

ADP spam / planete-meuble-pikin.com

This fake ADP spam leads to malware on planete-meuble-pikin.com:

Date:      Thu, 20 Jun 2013 07:12:28 -0600
From:      EasyNetDoNotReply@clients.adpmail.org
Subject:      ADP EasyNet: Bank Account Change Alert

Dear Valued ADP Client,

As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:

** Dominic Johnson **
** Ayden Campbell **

Use this links to: Review or Decline this changes.

If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.

This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
Sincerely,

Your ADP Service Team

This e-mail comes from an unattended mailbox. Please do not reply.
The link in the email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]planete-meuble-pikin.com/news/network-watching.php (report here) hosted on:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)

Recommended blocklist:


Thursday, 28 February 2013

"Contract of 09.07.2011" spam / forumny.ru

This contracts-themed spam leads to malware on forumny.ru:

Date:      Thu, 28 Feb 2013 11:43:15 +0400
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fw: Contract of 09.07.2011
Attachments:     Contract_Scan_IM0826.htm

Dear Sirs,

In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.

Best regards,

SHERLENE DARBY, secretary
The attachment Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny.ru:8080/forum/links/column.php (report here) on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:



Wednesday, 27 February 2013

"End of Aug. Statement" spam / forumusaaa.ru

This invoice-themed spam leads to malware on forumusaaa.ru:

Date:      Thu, 28 Feb 2013 06:04:08 +0530
From:      "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_JAN-2966.htm

Good day,

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards

Lisa HAGEN
The malware is hosted at [donotclick]forumusaaa.ru:8080/forum/links/column.php (report here) on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist: