Sponsored by..

Showing posts with label Spain. Show all posts
Showing posts with label Spain. Show all posts

Monday 31 October 2016

Malware spam: "Wrong tracking number" leads to Locky

This spam email leads to Locky ransomware:

From     "Samuel Rodgers"
Date     Mon, 31 Oct 2016 15:21:22 +0530
Subject     Wrong tracking number

It looks like the delivery company gave us the wrong tracking number.

Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.
The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script [pastebin] named something like tracking number A99DB PDF.vbs.

That script tries to download a component from:

tastebudsmarketing.com/uw6lin
mechap.com/xd7uh
coffeeteashop.ru/daz2rp
ficussalm.com/0bqzcn96
waynesinew.com/0fqt9he1

There will no doubt be other locations. At present I do not have those or the C2 servers, but will update this post if I get them.

UPDATE

The full list of download locations is as follows (thank you to my usual source):

365cuit.com/d9x9f0
7ut.ru/ge9j0et2
8hly.com/jc45tun
a1akeyssportfishing.com/etrt5
academy24.nl/k6lxc
aconetrick.com/2ejczfc
aconetrick.com/564nr0
aconetrick.com/6yoajl7
aconetrick.com/bwt2ixo
ami-mo.ca/k5xhdz2
ami-mo.ca/kr641jxw
archilog.at/imwjmt
architectureetenvironnement.ma/g31701d
badznaptak.pl/inlgm49
bebmila.it/eczde9
buenotour.com/j97s7
business-cambodia.com/he8wtc
campossa.com/vjbfdtj
cdqdms.com/d887wn9
cintasuci.com/cl6pa
coffeeteashop.ru/daz2rp
comistus.net/j6y95
customrestaurantapps.com/gn7c2se
dgtoca.net/d1wr3
dicresco.vn/gq1bjtbb
ecig-ok.com/luflbx4
eijsvogel.nl/gpbka1n2
elgrandia.com.mx/ginlp2f
epsihologie.com/jd2qrzg
eredmenyek.net/ff2i98t
ficussalm.com/0bqzcn96
ficussalm.com/2m6u1jt9
ficussalm.com/65s3r
ficussalm.com/8pmjmwp
financesystem.net/inliid
frijaflail.com/21fpb
frijaflail.com/37cu2
frijaflail.com/6u982pak
frijaflail.com/bnrxxvsk
mcmustard.com/u6ll6y
mechap.com/xd7uh
personalizar.net/nrwnmk
personalizar.net/qz5x2mmr
robertocostama.com/xyulv
shouwangstudio.com/xkocl94
sintasia.com/ziyd0iap
tastebudsmarketing.com/uw6lin
thegioitructuyen.org/rw6ost0e
timwhid.com/1mdm3
timwhid.com/33ck9bxc
timwhid.com/6twktm
timwhid.com/bnkxqf
tjbjpw.com/wsdou72d
tonglizhongji.com/xia3fu0
tropicalcoffeebreak.com/mqomzf
utopiamanali.com/tylv91
valpit.ru/syrwg2r3
vedexpert.com/zt4ug
visualtopshop.com/svnjzk9
warisstyle.com/sq1sae
wayneboyce.com/u5ahu
waynesinew.com/0fqt9he1
waynesinew.com/2psuru2
waynesinew.com/67egbs
waynesinew.com/9li2sv1r
wbakerpsych.com/mm3kuv
wedding-pix.net/u39ssq
wei58.com/wnticba
wklm.it/qjv1ap
xa12580.com/pq2xb
xhumbrella.com/rb374woh
yurtdax.com/wgltz
zbdesignsas.com/m13o692o
znany-lekarz.pl/wd7zj

The malware phones home to:

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
5.187.7.111/linuxsucks.php (Fornet Hosting, Spain)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152

Wednesday 27 April 2016

Malware spam: Message from "RNP0BB8A7" / CLAUDIA MARTINEZ leads to Locky

This Spanish-language spam leads to malware:

From:    CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com]
Date:    27 April 2016 at 16:22
Subject:    Message from "RNP0BB8A7"

Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).

Datos escaneo: 27.04.2016 00:31:10 (+0000)
Preguntas a: soporte@victimdomain.tld
Attached is a  randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:

mebdco.com/8759j3f434
amwal.qa/8759j3f434
ecmacao.com/8759j3f434
lifeiscalling-sports.com/8759j3f434


This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:

absxpintranet.in/8759j3f434
amismaglaj.com.ba/8759j3f434
caegpa.com/8759j3f434
codeaweb.net/8759j3f434
coorgcalling.com/8759j3f434
gedvendo.com/8759j3f434
gedvendo.com.pe/8759j3f434
mc2academy.com/8759j3f434
teyseerlab.com/8759j3f434
www.adgroup.ae/8759j3f434
www.rumbafalcon.com/8759j3f434


This DeepViz report shows the malware phoning home to:

107.170.20.33 (Digital Ocean, US)
139.59.166.196 (Digital Ocean, Singapore)
146.185.155.126 (Digital Ocean, Netherlands)


There's a triple whammy for Digital Ocean! Well done them.

Recommended blocklist:
107.170.20.33
139.59.166.196
146.185.155.126

Wednesday 13 April 2016

Malware spam: "Prompt response required! Past due inv. #FPQ479660" / "Jake Gill"

This fake financial spam has a malicious attachment:

From:    Hillary Odonnell [Hillary.OdonnellF@eprose.fr]
Date:    13 April 2016 at 18:40
Subject:    Prompt response required! Past due inv. #FPQ479660

Hello,

I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?

Thank you,

Jake Gill

Accounts Receivable Department

Diploma plc

(094) 426 8112
The person it is "From", the reference nu,ber and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).

There seem to be several different versions of the attachment, I checked four samples [1] [2] [3] [4] and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive [5] [6] [7] [8] (as are the Hybrid Analyses [9] [10] [11] [12]) but do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on 212.76.140.230 - MnogoByte, Russia). The payload appears to be Dridex.

We can see a reference to that server at URLquery which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment however, the server appears to be not responding, but it appears that for that sample the malware communicated with:

195.169.147.88 (Culturegrid.nl, Netherlands)
178.33.167.120 (OVH, Spain)
210.70.242.41 (TANET, Taiwan)
210.245.92.63 (FPT Telecom Company, Vietnam)


These are all good IPs to block.

According to DNSDB, these other domains have all been hosted on the 212.76.140.230 address:

onlineaccess.bleutree.com
egotayx.net
wgytaab.net
emoaxmyx.net
wmbyaxma.net
emeotalyx.net
ezhoyznyx.net
wmeybtala.net
wzhybyzna.net
onlineaccess.bleutree.info
onlineaccess.bleutree.mobi


You can bet that they are all malicious too.

Recommended blocklist:
212.76.140.230
195.169.147.88
178.33.167.120
210.70.242.41
210.245.92.63


Thursday 10 March 2016

Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"

This fake financial spam comes with a malicious attachment:

From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833

Dear Client!

For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994


Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:

http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1


These sites are hosted on:

142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)


This Malwr report and this Hybrid Analysis shows communications with:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)


The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.

These domains are also associated with some of the IPs. Consider them all to be evil:

t54ndnku456ngkwsudqer.wallymac.com
spannflow.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
howareyouqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
witchbehereqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
hellomississmithqq.com
thisisyourchangeqq.com
www.thisisyourchangeqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146



Tuesday 8 March 2016

Malware spam: "Compensation - Reference Number #368380" leads to Locky

This fake financial spam comes with a malicious attachment:

From:    Orval Burgess
Date:    8 March 2016 at 11:10
Subject:    Compensation - Reference Number #368380

Dear Customer,

The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.


Sincerely,
Orval Burgess
Account Manager

Attached is a file named in a similar format to SCAN_00_368380.zip which contains TWO malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1] [2] [3] [4]) and automated analysis tools [5] [6] [7] [8] [9] [10] [11] [12] show binary download locations at:

ministerepuissancejesus.com/o097jhg4g5
ozono.org.es/k7j6h5gf


Those same reports indicate the malware attempts to phone home to the following IPs:

89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)


Those automated reports all indicate that this is the Locky ransomware.

UPDATE

A trusted source also informs me of these additional download locations;

51457642.de.strato-hosting.eu/980k7j6h5
besttec-cg.com/89ok8jhg
cyberbuh.pp.ua/97kh65gh5
fkaouane.free.fr/67uh54gb4
het-havenhuis.nl/099oj6hg
kokoko.himegimi.jp/54g4
lahmar.choukri.perso.neuf.fr/78hg4wg
surfcash.7u.cz/0o9k7jh55
www.vtipnetriko.cz/9oi86j5hg4


In addition, there is another IP address the malware phones home to:

212.47.223.19 (Web Hosting Solutions Oy, Estonia)



Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196

212.47.223.19

Tuesday 1 December 2015

Malware spam: "Card Receipt" / "Tracey Smith" [tracey.smith@aquaid.co.uk]

This fake financial spam does not come from AquAid, but is instead a simple forgery with a malicious attachment. Poor AquAid were hit by the same thing several time earlier this year.

From     "Tracey Smith" [tracey.smith@aquaid.co.uk]
Date     Tue, 01 Dec 2015 10:54:15 +0200
Subject     Card Receipt

Hi

Please find attached receipt of payment made to us today

Regards
Tracey
 
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk

AquAid really is the only drinks supplier you will ever need with our huge
product range. With products ranging from bottled and mains fed coolers ranging up
to coffee machines and bespoke individual one off units we truly have the
right solution for all environments. We offer a refreshing ethical approach
to drinks supply in that we support both Christian Aid and Pump Aid with a
donation from all sales.  All this is done while still offering a highly
focused local service and competitive pricing. A personalised sponsorship
certificate is available for all clients showing how you are helping and we
offer £25 for any referral that leads to business.

*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with
registered number 3505477 and registered office at 51 Newnham Road,
Cambridge, CB3 9EY, UK. This message is intended only for use by the named
addressee and may contain privileged and/or confidential information. If you
are not the named addressee you should not disseminate, copy or take any
action in reliance on it. If you have received this message in error please
notify the sender and delete the message and any attachments accompanying it
immediately. Neither AquAid nor any of its Affiliates accepts liability for
any corruption, interception, amendment, tampering or viruses occurring to
this message in transit or for any message sent by its employees which is
not in compliance with AquAid corporate policy.
Attached is a file CAR014 151238.doc which comes in at least two different versions with a VirusTotal detection rate of 3/55 for both [1] [2]. According to these Malwr reports [3] [4] the macro in the document downloads a file from one of the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe


This binary has a detection rate of 3/54. The Malwr report for that file shows that it phones home to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)

There are other bad IPs in the 94.73.155.8 - 94.73.155.15 range, so I strongly recommend that you block all traffic to 94.73.155.8/29.

These two Hybrid Analysis reports [1] [2] also show malicious traffic to the following IPs:

89.248.99.231 (Interdominios S.A., Spain)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
221.132.35.56 (Post and Telecom Company, Vietnam)
78.24.14.20 (VSHosting s.r.o., Czech Republic)


The payload here is probably the Dridex banking trojan.

MD5s:
e590d72e4a7a26aefcf4aa2b438dbb64
42a897dcd53bd7a045282205281892e4
b815797e050e45e3be435d3ecf48bfb0


Recommended blocklist:
94.73.155.8/29
89.248.99.231
103.252.100.44
89.108.71.148
221.132.35.56
78.24.14.20

Wednesday 8 April 2015

Malware spam: "Invoice from COMPANY NAME" / 31.24.30.12 / 46.30.43.102

This Dridex spam takes a slightly different approach from other recent ones. Instead of attaching a malicious Office document, it downloads it from a compromised server instead.

The example I saw read:
From:    Mitchel Levy
Date:    8 April 2015 at 13:45
Subject:    Invoice from MOTHERCARE

Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.

Download your invoice here.

Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.

Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipients email address. It also has the recipients email address embedded in the URL, for example:

http://victimbfe.afinanceei.com/victim@victim.domain/

This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:

I guess perhaps the bad guys didn't notice "Califonia Institute of Technology" written behind "Information Management Systems & Services". The link in the email downloads a file from:

http://31.24.30.12/api/Invoice.xls

At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://31.24.30.12/api/ shows a fake page pretending to be from Australian retailer Kogan.



As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:


That's pretty easy to decode, and it instructs the computer to download a malicious binary from:

http://46.30.43.102/cves/kase.jpg

This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC.

This binary has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] [4] show it communicating with the following IPs:

109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)

In addition there are some Akamai IPs which look benign:

184.25.56.212
184.25.56.205
2.22.234.90

According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.

Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478

UPDATE 1:

There is at least one other server at  95.163.121.22 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 95.163.121.0/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others given the limited alphabetic range

abiliingfinance.com
abilingffinance.com
abilingfienance.com
abilingfinaance.com
abilingfinancee.com
abilingfinancey.com
abilingfinnance.com
abilingggfinance.com
abilinngfinance.com
afinanccebifling.com
afinanccebiling.com
afinanceas.com
afinancebbi.com
afinancebill.com
afinancecc.com
afinanceebb.com
afinanceei.com
afinancei.com
afinanceobilhing.com
afinanceobiling.com
afinanceqbilzing.com
afinancesh.com
afinancewbidling.com
afinanceyer.com
afinancrebiling.com
afinancrebixling.com
afinandebiling.com
afinangebiling.com
afinangebilqing.com
afinanrebileing.com
afinanrebiling.com
afinansebiling.com
afinansebilling.com
afinanwebiling.com
afinanwebilsing.com
asfinancebbi.com
asfinancebill.com
asfinancecc.com
asfinancee.com
asfinanceebb.com
asfinanceei.com
asfinancei.com
asfinancesh.com
asfinanceyer.com
assfinanceas.com
bbbilingfinancee.com
bbiliingfinance.com
bbilingffinance.com
bbilingfienance.com
bbilingfinaance.com
bbilingfinancee.com
bbilingfinancey.com
bbilingfinnance.com
bbilingggfinance.com
bbilinngfinance.com
bbillingfinance.com
biliingfinance.com
bilingffinance.com
bilingfienance.com
bilingfinaance.com
bilingfinancee.com
bilingfinancey.com
bilingfinnance.com
bilingggfinance.com
bilinngfinance.com
cfinanccebifling.com
cfinanceobilhing.com
cfinanceqbilzing.com
cfinancewbidling.com
cfinancrebixling.com
cfinandebilping.com
cfinangebilqing.com
cfinansebilling.com
cfinanwebilsing.com
financcebifling.com
financcebiling.com
financeobilhing.com
financeobiling.com
financeqbilzing.com
financewbidling.com
financewbiling.com
financrebiling.com
financrebixling.com
finandebilping.com
finangebiling.com
finangebilqing.com
finanrebileing.com
finanrebiling.com
finansebiling.com
finansebilling.com
finanwebiling.com
finanwebilsing.com

Wednesday 1 April 2015

Malware spam: "Your Remittance Advice COMPANY NAME"

Yet another malware spam run today, this time from randomly-named but legitimate companies, for example:

From:    Kate Coffey
Date:    1 April 2015 at 15:00
Subject:    Your Remittance Advice PEEL SOUTH EAST

Dear sir or Madam,

Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.

Best regards
PEEL SOUTH EAST

Attached is a Word document with a filename matching the body one in the text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:

http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif


Those servers are almost certainly entirely malicious, with IPs assigned to:

31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)

This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:

188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)

According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.

Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78

MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9

Tuesday 17 February 2015

An analysis of reported Equation Group IP ranges and domains

There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks [1] [2] [3] [4].

Securelist (in conjunction with Kaspersky) published a list of domains and IPs to do with this malware, but with very little information about where they were hosted. After all, if they a hosted in a shed next to the bus station in Tiraspol or some underground complex buried under Wutong Mountain, then it's a rather different proposition from some secretive organisation in Washington DC.

Securelist post a number of hardcoded IPs as well as some domain names. Kaspersky have sinkholed some of the domains, and I can see one other active sinkhole. At least one of the domains is parked. Some of the domains look like they are not in use.

The data I collected can be found here, but before you use any of it, I will explain in more detail so you can use it prudently.

There are several web hosts and networks involved, all over the world. Some seem to have a higher certainty of involvement than others. In most cases, the Equation Group have rented a bunch of servers with contiguous IP addresses (I call this the "Equation Range") which is the one that I recommend you monitor. Some web hosts have other suspect IP addresses in the same neighbourhood, but in order to keep things simple I am not going into that.

(Updated 18/2/15 to remove an OpenDNS sinkhole and add 41.222.35.70)

FLAG Telecom / Reliance Globalcom

62.216.152.64/28
80.77.2.160/27
80.77.4.0/26

Allegedly a partner of the NSA and GCHQ, these IP addresses appear to be in the UK, US and Egypt (I would doubt the accuracy of the WHOIS data for the last one). In addition to apparently hardcoded IPs, they also host:

team4heat.net
forgotten-deals.com
phoneysoap.com
cigape.net
mimicrice.com
charmedno1.com
functional-business.com
rehabretie.com
advancing-technology.com
crisptic01.net
tropiccritics.com
cribdare2no.com
following-technology.com
teatac4bath.com

Verizon

194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
202.95.84.32/27
210.81.52.96/27
212.177.108.192/27

Another company with a long history with the NSA, these Verizon IPs are all located outside the United States, specfically the Netherlands, Singaporre, Japana and Italy. In addition to hardcoded IPs, they are hosting:

honarkhaneh.net
meevehdar.com
parskabab.com
ad-noise.net
ad-void.com
aynachatsrv.com
damavandkuh.com
fnlpic.com
monster-ads.net
nowruzbakher.com
sherkhundi.com
quickupdateserv.com
goodbizez.com
www.dt1blog.com
www.forboringbusinesses.com
timelywebsitehostesses.com
technicads.com
darakht.com
ghalibaft.com
adservicestats.com
downloadmpplayer.com
honarkhabar.com
techsupportpwr.com
webbizwild.com
zhalehziba.com

Global Telecom & Technology Americas Inc. / Cogent / PSInet

149.12.71.0/26

This Cogent customer has at least four different IPs hosting Equation Group servers. The following domains are hosted:

avidnewssource.com
rubi4edit.com
listennewsnetwork.com
unite3tubes.com

Colombia: Alfan Empaques Flexibles S.A. / Columbus Networks / IFX Networks / Terremark

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
190.60.202.0/28
190.60.202.0/28

The relationship between the US and Colombia is difficult, with the former spying on the latter extensively. Why there should be a cluster of servers in Colombia connected with this is a mystery. In addition to hardcoded IPs, the following domains are hosted in Colombia:

selective-business.com
technicalconsumerreports.com
technicaldigitalreporting.com
technology-revealed.com
melding-technology.com

Czech Republic: Master Internet / IT-PRO / 4D Praha

81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27

A group of three internet companies (possibly using the same infrastructure) also appear to be involved. All these IPs appear to be in the city of Brno, which is also home to the Czech National Cyber Security Center. Coincidence? The following domains can be found on Czech IPs in addition to hardcoded addresses:

islamicmarketing.net
noticiasftpsrv.com
coffeehausblog.com
platads.com
nickleplatedads.com
arabtechmessenger.net

Spain: Terremark / GTT Global Telecom

84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28


Terremark also provide hosting services for Equation in Colmbia, and of course Spain is a long-time ally of the United States and United Kingdom. Web sites hosted:

businessedgeadvance.com
business-made-fun.com
rampagegramar.com
unwashedsound.com
businessdealsblog.com
industry-deals.com
itemagic.net
posed2shade.com
slayinglance.com
rubiccrum.com
rubriccrumb.com

Netherlands: Tripartz-Atrato / IX Reach / Claranet / FiberRing

212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109

In addition to Verizon, four other Netherlands companies are hosting Equation Group servers. The Netherlands is another long-time ally of the US and UK.

arm2pie.com
businessdirectnessource.com
housedman.com
taking-technology.com
micraamber.net
charging-technology.com
brittlefilet.com
dowelsobject.com
speedynewsclips.com

Malaysia: Piradius NET

124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29

Often appearing to be a "go-to" company if you want to set up a Black Hat reseller, these domains and IPs look like they have been picked up as part of a commercial offering.

roshanavar.com
adsbizsimple.com
bazandegan.com
amazinggreentechshop.com
foroushi.net
technicserv.com
afkarehroshan.com
thesuperdeliciousnews.com
sherkatkonandeh.com
mashinkhabar.com

Other ranges and hosts

  • RACSA in Costa Rica hosts customerscreensavers.com and xlivehost.com on 196.40.84.8/29.
  • EasySpeed in Denmark hosts  quik-serv.com and goldadpremium.com on 82.103.134.48/30.
  • Cyber Cast International in Panama hosts havakhosh.com and toofanshadid.com on 200.115.174.254.
  • EM Technologies in Panama hosts technicupdate.com and rapidlyserv.com on 201.218.238.128/26.
  • INET in Thailand hosts globalnetworkanalys.com on 203.150.231.49 with an apparently hardcoded IP of 203.150.231.73 in use as well.
  • American Internet Services hosts suddenplot.com on 207.158.58.102.
  • GoDaddy hosts serv-load.com and wangluoruanjian.com on 97.74.104.208.
  • Quadranet / GZ Systems hosts fliteilex.com plus some other questionable domains on 67.215.237.104/29.
  • Vegas Linkup LLC hosts standardsandpraiserepurpose.com on 209.59.42.97.
  • Vox Telecom in South Africa hosts mysaltychocolateballs.com on 41.222.35.70 having previously hosted forboringbusinesses.com.
In all the following network blocks and IPs appear to be hosting servers connected to the Equation Group:

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
69.42.114.96/28
196.40.84.8/29
81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27
82.103.134.48/30
80.77.2.160/27
84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28
212.177.108.192/27
210.81.52.96/27
124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29
212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109
194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
200.115.174.254
201.218.238.128/26
202.95.84.32/27
203.150.231.49
203.150.231.73
62.216.152.64/28
207.158.58.102
149.12.71.0/26
80.77.4.0/26
97.74.104.208
67.215.237.104/29
209.59.42.97
41.222.35.70

I recommend that you look at the data before you do drastic things with these IP ranges.

Now, I don't know for certain that this malware is a government actor, but the IP address indicate that whoever it is has a relationship with these companies (especially Verizon). That certainly feels like a state actor to me..

Friday 12 July 2013

"TAX Return Reminder" / cpa.state.tx.us.tax-returns.mattwaltererie.net

This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie.net:

--- Version 1 --------------------

Date:      Fri, 12 Jul 2013 14:35:31 +0300
From:      DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=035549412645

For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.


--- Version 2 --------------------


Date:      Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From:      tax.help@STATE.TX.GOV.US
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.

A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=488702484517

For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.
Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate hacked site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie.net/news/tax_refund-caseid7436463593.php?[snip] (example 1, example 2) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).

cpa.state.tx.us.tax-returns.mattwaltererie.net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The domain mattwaltererie.net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from).

      Marilyn Clark
      13578 Calderon Rd
      SAN DIEGO, CA 92129
      US
      Phone: +1.7143435399
      Email: tekassis@usa.com


Below is a partial blocklist that I would recommened you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
delines.ru
ehnihenransivuennd.net
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
linkedin.com-update-report.taltondark.net
m.krasalco.com
magiklovsterd.net
mattwaltererie.net
nvufvwieg.com
offeringshowt.com
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
taltondark.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com




Tuesday 9 July 2013

"Payment File Successfully Processed" spam / autorize.net.models-and-kits.net

This spam leads to malware on autorize.net.models-and-kits.net:

Date:      Tue, 9 Jul 2013 15:36:42 -0500
From:      batchprovider@eftps.gov
Subject:      Payment File Successfully Processed

*** PLEASE DO NOT REPLY TO THIS MESSAGE***

Dear Batch Provider,

This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358

Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
Thank You,
EFTPS

Contact Us: EFTPS Batch Provider Customer Service
at this link
A sender's email address of batchprovider@email.eftpsmail.gov is seen in another sample. The link goes through a legitimate hacked site and ends up an a malware laden page at [donotclick]autorize.net.models-and-kits.net/news/shortest-caused-race.php (report here) hosted on:

77.240.118.69 (Acens Technlogies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)

All these IPs and more can be found in this recommended blocklist. Out of these four IPs we can see the following malicious domains which should also be blocked if you can't block the IPs themselves..

77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
aniolyfarmacij.com
autorize.net.models-and-kits.net
charismasalonme.net
chinadollars.net
com.amazon.com.first4supplies.net
condalinneuwu5.ru
condalnua745746.ru
eftps.gov.charismasalonme.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
fulty.net
gnanisienviwjunlp.ru
gondamtvibnejnepl.net
grivnichesvkisejj50.ru
m.krasalco.com
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
quipbox.com
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru

Update: a different spam is also circulating with the same payload:


Date:      Tue, 9 Jul 2013 06:56:26 -0800
From:      "Authorize . Net" [emailreceipts@news.authorizemail.net]
Subject:      Successful Credit Card Settlement Report.

Your Authorize.Net ID is: 1263577
Dear [redacted],

The following is your Credit Card settlement report for Sunday, July 09, 2013.

Transaction Volume Statistics for Settlement Batch dated 9-Jul-2013 11:0:55 PDT:
Batch ID: 668271114
Business Day: 09-Jul-2013
Net Batch Total: 9,917.74 (USD)
Number of Charge Transactions: 99
Amount of Charge Transactions: 9,917.74
Number of Refund Transactions: 7
Amount of Refund Transactions: 105.64

Warning! Your Batch limits for July exceeded!
To view details, please click here to log into the Merchant Interface.

If you have any questions regarding this settlement report, please contact your bank or you can contact Customer Support at this link.

Thank You,
Authorize.Net

*** You received this email because you chose to be a Credit Card Report recipient. You may change your email options by logging into the Merchant Interface. Click on Settings and Profile in the Main Menu, and select Manage Contacts from the General section. To edit a contact, click the Edit link next to the contact that you would like to edit. Under Email Types, select or deselect the Email types you would like to receive. Click Submit to save any changes. Please do not reply to this email.



Monday 8 July 2013

Amex spam / americanexpress.com.krasalco.com

This fake Amex spam leads to malware on americanexpress.com.krasalco.com:

    
From: American Express [mailto:AmericanExpress@emalsrv.aexpmail.org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received


Check your account balance online at any time


   

    Hello, [redacted]
            



________________________________________    View Account

Make a Payment

   
Manage Alerts Preferences





Payment Received   

________________________________________    Check Balance



   
   
       
We received a payment for your Card account.

     Date Received:
         Mon, Jul 08, 2013
     Payment Amount:
         $2,511.92

Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.

Thank you for your Cardmembership.

American Express Customer Care

Was this e-mail helpful? Please click here to give us your feedback.

If you'd like to stop receiving this alert, simply click here.
   
   




Like Us on Facebook


Follow Us on Twitter


Subscribe to our channel


Share with Foursquare friends

   
       
    Contact Us
|    Privacy Statement
|    Add us to your address book


Your Cardmember information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us via customer service.

© 2013 American Express. All rights reserved.

AU0S0RF76947278       


The link in the email goes through a legitimate hacked site to end up on a malicious landing page at [donoclick]americanexpress.com.krasalco.com/news/slightly_some_movie.php (report here) hosted on the following IPs:

77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)

Blocklist:
77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
americanexpress.com.krasalco.com
aniolyfarmacij.com
chinadollars.net
condalinneuwu5.ru
condalnua745746.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
grivnichesvkisejj50.ru
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru

Thursday 27 June 2013

OfficeWorld.com spam / sartorilaw.net

This fake OfficeWorld spam leads to malware on sartorilaw.net:

Date:      Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
From:      customerservice@emalsrv.officeworldmail.net
Subject:      Confirmation notification for order 1265953

Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!

Please review your order details below. If you have any questions, please Contact Us


Helpful Tips:
--------------------------------------------------------------------
- Please SAVE or PRINT this confirmation for your records.
- ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
- If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
--------------------------------------------------------------------

Order:  1265953
Date:           6/27/2013
Ship To:        My Default

Credit Card:    MasterCard


Product Qty     Price   Unit    Extended
--------------------------------------------------------------------
HEWCC392A    1       $9703.09  EA      $15.15         
AVE5366 1       $27.49  BX      $27.49         
SAF3081 2       $56.29  EA      $112.58        


Product Total:     $9855.22
--------------------------------------------------------------------
Total:          $9855.22

OfficeWorld.com values your business!
The link in the email goes through a legitimate hacked site and then on to [donotclick]sartorilaw.net/news/source_fishs.php (report here) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)

Recommended blocklist:
77.240.118.69
78.108.86.169
89.248.161.148
108.177.140.2
afabind.com
chinadollars.net
condalnuashyochetto.ru
ejoingrespubldpl.ru
gindonszkjchaijj.ru
greli.net
gstoryofmygame.ru
meynerlandislaw.net
oydahrenlitutskazata.ru
reveck.com
sartorilaw.net
sendkick.com
spanishafair.com



Friday 21 June 2013

luntravel.com are a bunch of stupid spammers

Like most people I get of lot of spam. Sometimes it makes me cross. Here's one sent to scraped email address that is effectively a spamtrap.

From:     Luntravel [noreply@luntravelmail.com]
Reply-To:     Luntravel [noreply@luntravelmail.com]
Date:     21 June 2013 13:03
Subject:     New offers from £49
Mailing list:     c425d640a3819ebec8af23ba171be24c


So far, just a spam with a graphic in, but the email footer is what got my goat..

You receive this newsletter because you used google sometime and we send you our best deals.
Prices shown as 'from' point to the lowest bidder at the time of sending this communication, so we can not guarantee that they remain in force at the time you receive this newsletter.
Save our info@luntravelmail.com address in your e-book for the best deals do not end up in the SPAM folder.
To unsubscribe from receipt of this message, you can click on Unsubscribe, our private site is Luntravel.com
Wait.. I received this spam because I use Google? I've never used any Google product in my life. Not even blogger. And then it goes on to say that the prices quoted may as well be completely made up. Which no doubt they are. Oh yes, SPAM spelled in CAPITALS is a trademark for a brand of tinned meat.

All of the content, trademarks, logos, images, etc. displayed on the Website are protected by the intellectual and industrial property rights, patents, trademarks and copyrights of Luntravel, which are expressly reserved by Luntravel and, when applicable, any other persons or companies that figure as the authors or holders of such rights. Any violation of the abovementioned rights shall be prosecuted in accordance with currently effective legislation. Therefore, it is strictly prohibited to reproduce, exploit, alter, distribute or publicly communicate any of the Website content through any means for any use other than legitimate informational purposes or for the User to contract the services offered therein. In any event, doing so shall require the prior written consent of Luntravel.
The User acknowledges that the operation of this service is governed by Spanish legislation. Luntravel reserves the right to make any changes it deems appropriate in observance of the terms and conditions envisaged in the General Law in Defence of Consumers and Users (Law No. 1/2007), the various regulations governing the activities of travel agencies in the Autonomous Communities and the various legal amendments to and supplemental regulations of the legislation related to free access to the activities of services and their performance.
Now the stupid legal blurb which basically says we can spam you but you can't publish anything about our website, and now we'll quote some Spanish laws which may or may not exist but we are probably breaking by sending the spam (actually the relevant law is Act 34/2002 of 11 July on Information Society Services and Electronic Commerce, but I don't think they have read it).

Oh what was that about logos?


Say again?

The spam originates from 93.159.211.199 (CPC Servicios Informaticos SL, Spain) with links to newsletters.tradaticket.com on 93.159.209.72 (also CPC) and then onto luntravel.com on 94.23.82.229 (OVH, France) [report here]. luntravel.com is registered to:

  miguel angel lancho milan
  Lancho milan Miguel angel
  C/ General Barroso 37-21
  Valencia, 46017
  ES
  +34.963788523
  7i54o32ibghg27t42930@b.o-w-o.info
  
Dealing with spammers is never a good idea. I would avoid this bunch.

Thursday 20 June 2013

ADP spam / planete-meuble-pikin.com

This fake ADP spam leads to malware on planete-meuble-pikin.com:

Date:      Thu, 20 Jun 2013 07:12:28 -0600
From:      EasyNetDoNotReply@clients.adpmail.org
Subject:      ADP EasyNet: Bank Account Change Alert

Dear Valued ADP Client,

As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:

** Dominic Johnson **
** Ayden Campbell **

Use this links to: Review or Decline this changes.

If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.

This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
Sincerely,

Your ADP Service Team

This e-mail comes from an unattended mailbox. Please do not reply.
The link in the email goes through a legitimate but hacked site and end up on a malware landing page at [donotclick]planete-meuble-pikin.com/news/network-watching.php (report here) hosted on:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)

Recommended blocklist:
173.254.254.110
190.93.23.10
193.147.61.250
193.254.231.51
202.147.169.211
appasnappingf.com
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
drivesr.com
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
ghroumingoviede.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gromimolniushed.ru
gurieojgndieoj.ru
jetaqua.com
joinproportio.com
multipliedfor.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
pc-liquidations.net
planete-meuble-pikin.com
pnpnews.net
profurnituree.com
reportingglan.com
rmacstolp.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
winne2000.net
winudpater.com
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
www.condalinarad72234652.ru


Thursday 28 February 2013

"Contract of 09.07.2011" spam / forumny.ru

This contracts-themed spam leads to malware on forumny.ru:

Date:      Thu, 28 Feb 2013 11:43:15 +0400
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fw: Contract of 09.07.2011
Attachments:     Contract_Scan_IM0826.htm

Dear Sirs,

In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.

Best regards,

SHERLENE DARBY, secretary
The attachment Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny.ru:8080/forum/links/column.php (report here) on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
carmennavarro.es
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
filialkas.ru
finalions.ru
forumbmwr.ru
forumkinza.ru
forumligandaz.ru
forummersedec.ru
forummoskowciti.ru
forumny.ru
forumrogario.ru
forumusaaa.ru
forumvvz.ru
fuigadosi.ru
fzukungda.ru



Wednesday 27 February 2013

"End of Aug. Statement" spam / forumusaaa.ru

This invoice-themed spam leads to malware on forumusaaa.ru:

Date:      Thu, 28 Feb 2013 06:04:08 +0530
From:      "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_JAN-2966.htm

Good day,

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards

Lisa HAGEN
The malware is hosted at [donotclick]forumusaaa.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumligandaz.ru
forumvvz.ru
forumusaaa.ru

Tuesday 26 February 2013

Intuit spam / forumligandaz.ru

This fake Intuit spam leads to malware on forumligandaz.ru:

Date:      Tue, 26 Feb 2013 01:27:09 +0330
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.

    Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
    amount to be seceded: 3373 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]forumligandaz.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumvvz.ru
forumligandaz.ru

Thursday 13 December 2012

"Copies of Policies" spam / awoeionfpop.ru:

This spam leads to malware on awoeionfpop.ru:

Date:      Thu, 13 Dec 2012 09:08:32 -0400
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Fwd: Deshaun - Copies of Policies

Unfortunately, I cannot obtain electronic copies of the SPII policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Deshaun ZAMORA,
The malicious payload is at [donotclick]awoeionfpop.ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:


75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)

The following domains are also on these IPs:
pelamutrika.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
amnaosogo.ru
dimarikanko.ru
aofngppahgor.ru
awoeionfpop.ru

Tuesday 27 November 2012

FedEx spam / PostalReceipt.zip


A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip

Date:      Tue, 27 Nov 2012 13:04:37 -0400
From:      "Office Mail" [no_replyFRL@cleveland.com]
Subject:      ID (I)JI74 384 428 2295 7492

FedEx   
  
Order: AX-7608-99659670234   
Order Date: Sunday, 25 November 2012, 10:35 AM

Dear Customer,

Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

GET POSTAL RECEIPT


Best Regards, The FedEx Team.
  
� FedEx 1995-2012 
In this case the download site was [donotclick]amsterdam.cathedralsoft.com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft.com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft.com have been compromised in this attack.

VirusTotal detection rates are very low. I don't currently have an analysis of the malicious payload.

Update: here is another variant, downloading from  [donotclick]brandandreputation.net/NOHDPQWPJJ.html  (195.249.40.193, TeamInternet Denmark)

Date:      Wed, 28 Nov 2012 A.D. 07:34:52 -0400
From:      "First-Class UPS logistics" [no.reply-FG@houston.com]
Subject:      Tracking Number (A)PSO79 089 360 1947 4933

FedEx    
   
Order: MN-8474-09876452234    
Order Date: Sunday, 24 November 2012, 11:36 AM

Dear Customer,

Your parcel has arrived at the post office at November 26.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

Detection rates are pretty miserable for this one too. It looks like a Bredolab variant.

Update 2:  another variant of the malware, this time downloading via [donotclick]www.cantoncityutah.com/OXSJOVVYOE.html (this tries to open PostalReceipt.zip in a window). Again, VirusTotal detection is not good.


Date:      Thu, 29 Nov 2012 A.D. 14:29:38 +0200
From:      "Office Mail" [NoReply@baltimore.com]
Subject:      Tracking Number (K)IR46 545 922 5276 0059

FedEx    
   
Order: HD-5468-483254683    
Order Date: Monday, 25 November 2012, 03:41 PM

Dear Customer,

Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012     

Update 3: yet another variant.. the payload wasn't working on this one though.

Date:      Fri, 30 Nov 2012 A.D. 07:57:38 -0400
From:      "First-Class logistics" [NoReply.368@tucson.com]
Subject:      Number (N)GDE82 422 446 0527 6243



FedEx
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    
Update 4: this variant attempts to download [donotclick]catercut.ie/Postal-Receipt.zip (VirusTotal results here) via [donotclick]catercut.ie/KANHEPGVVM.html:

Date:      Fri, 30 Nov 2012 A.D. 14:33:35 -0400
From:      "UPS Mail" [NOreplyEAY@baltimore.com]
Subject:      ID (P)NRB90 564 295 9947 6165

FedEx    
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012     
Update 5: another spam run, same payload as last time (updated VirusTotal results here). Link leads to [donotreply]drillsaw.com.au/VYWFBRIUBU.html which leads to a payload at [donotreply]drillsaw.com.au/Postal-Receipt.zip

Date:      Fri, 30 Nov 2012 A.D. 22:47:44 -0700
From:      "logistics UPS" [no.reply-UAC@losangeles.com]
Subject:      Tracking Detail (L)OK73 487 973 8524 5206


FedEx    
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012
Update 6: yet another variant, this time downloading from [donotclick]exodionline.com/job.php?php=receipt (VirusTotal results here).

Date:      Sun, 02 Dec 2012 A.D. 15:13:18 -0400
From:      "UPS Receipt" [NOreply.815@irvine.com]
Subject:      Tracking ID (T)SB58 793 555 5502 9056

FedEx    
   
Order: RM-8723-2307345234    
Order Date: Monday, 19 November 2012, 09:32 AM

Dear Customer,

Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 
Update 7: this variant downloads from [donotclick]www.850spider.de/TYKXVHIFQH.html (report here):


Date:      Sat, 01 Dec 2012 A.D. 19:50:18 -0500
From:      "First-Class logistics" [NoReply-QEP@baltimore.com]
Subject:      Tracking Detail (K)HW33 625 799 6339 9731

FedEx    
   
Order: RM-8723-2307345234    
Order Date: Monday, 19 November 2012, 09:32 AM

Dear Customer,

Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    
Update 8: this one attempts (and fails) to download the payload from [donotclick]aucs.de/job.php?php=receipt - I haven't seen the payload for this yet.

Date:      Tue, 04 Dec 2012 05:13:30 -0600
From:      "U.P.S.Service" [no_replyQQW@tampa.com]
Subject:      Tracking Number (X)SO21 772 224 4605 7903

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 
Update 9: another slightly different version, this one 404s:

Date:      Wed, 05 Dec 2012 A.D. 06:52:19 -0400
From:      "U.P.S.Service" [NOreplyPCP@birmingham.com]
Subject:      ID (I)PFP44 818 840 9369 1257

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012
Update 10: another version, this downloads from [donotclick]gaffashion.de/KUHZNRQXSG.php?php=receipt , VirusTotal results are patchy.

Date:      Wed, 05 Dec 2012 13:21:13 -0400
From:      "logistics UPS" [no.replyDD@cincinnati.com]
Subject:      Tracking Number (O)UBF96 497 677 7945 1347

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

Update 11: even more of these today, the volumes seem to be ramping up. Detection rates are pretty miserable.

Subjects spotted:
Tracking Detail (S)AR71 347 275 0953 6096
Number (H)OY68 102 257 0143 6263
Tracking Number (A)WF09 061 710 9662 3209
Tracking Detail (Y)XEY08 661 121 7788 5937
ID (T)TU26 454 839 5856 0273
Number (651)36-651-651-7313-7313
Number (N)QGW24 822 128 6967 5066
Tracking Detail (J)RD66 396 145 5017 2968
Tracking ID (G)EQI40 177 581 4008 9333 

Dowload sites:
[donotclick]www.andovar.de/LNYYNMZAMK.php?php=receipt
[donotclick]biggis-musiktruhe.de/PQRZPJPCBG.php?php=receipt
[donotclick]threesolution.org/OGIKYWHWNJ.php?php=receipt
[donotclick]s375670599.online.de/RTJQIUZQOJ.php?php=receipt
[donotclick]Joeyscafeok.com/PHLNPDFSRV.php?php=receipt
[donotclick]www.edibaer.at/CPDWHUDQDM.php?php=receipt

[donotclick]architetturapc.altervista.org/VOWORTEUWM.php?php=receipt
[donotclick]myinci.net/XIGTTUBPNV.php?php=receipt


Update 12: another version with a tweaked malicious binary:

Date:      Fri, 07 Dec 2012 08:33:17 -0400
From:      "UPS Receipt" [NOreply.IDH@riverside.com]
Subject:      ID (D)RH64 621 035 9749 7042

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

In this case, the link goes to [donotclick]www.dol2day.com/QGYAMKOOBH.php?php=receipt which downloads Postal-Receipt.zip containing Postal-Receipt.exe. The VirusTotal results are not good. Another version uses the subject Number (A)CV88 683 994 7812 3447 

Update 13another couple of variants, the payload has morphed again and VirusTotal results are predictably very poor.


Date:      Sun, 09 Dec 2012 A.D. 12:20:15 -0400
From:      "Priority Mail Postal Service" [GJX_308@neworleans.com]
Subject:      Tracking Detail (Y)VH30 307 516 2676 5647

FedEx    
Order: SGH-3818-3779326179    
Order Date: Monday, 2 December 2012, 12:32 AM

Dear Customer,

Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

====================

Date:      Sat, 08 Dec 2012 14:11:29 -0700
From:      "UPS Receipt" [NOreply.094@shreveport.com]
Subject:      Number (X)UJ39 079 034 0694 8327

FedEx    
   
Order: SGH-0987-4616781861    
Order Date: Monday, 2 December 2012, 12:32 AM

Dear Customer,

Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

Some other subject lines:
Number (A)CFV63 149 496 9260 0620
Tracking Detail (S)ESQ89 729 953 7596 6283

Some download sites (don't visit these unless you know what you are doing)
www.musikschule-nvp.de/SNDDAAWTBR.php?php=receipt
www.mcfcdonegal.com/OPMUYUCCIV.php?php=receipt
www.beller-das.de/NWAPXATXVT.php?php=receipt
www.trude-hau-rein.de/UWQNZZWFXZ.php?php=receipt

Update 14: just in time for Christmas..

Date:      Tue, 25 Dec 2012 00:07:07 +0200
From:      "Office 852" [mu-852@orlando.com]
Subject:      Tracking Detail (193)92-193-193-9477-9477

FedEx    
   
Order: VGH-4658-1148074435    
Order Date: Friday, 14 December 2012, 01:21 PM

Dear Customer,

Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
The binary has changed again, detection rates are patchy. Anubis reports that the malware calls home to 74.80.220.148:60000 which would make it a Zbot variant.

Update 15: this one loads via [donotclick]www.eurogleuf.nl/DERZRCUKKY.php?php=receipt , VitusTotal detection rates are just 7/46.

From:     Express Mail Service [user-989@louisville.com]
date:     26 December 2012 10:46
subject:     Tracking ID (580)53-580-580-3103-3103

FedEx    
   
Order: VGH-2024-9642451224    
Order Date: Friday, 14 December 2012, 01:21 PM

Dear Customer,

Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this receipt.

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.

Update 16: just in time for New Year's day, this one loads via [donotclick]www.subclix.com/QJXBJWUUEJ.php?php=receipt. VT detections are again patchy.

Date:      Sun, 06 Jan 2013 A.D. 05:11:30 -0500
From:      "Worldwide Express Mail Service" <support_489@coloradosprings.com>
To:      [redacted]
Subject:      Tracking Number (I)FG03 107 566 0859 2689

FedEx    
   
Order: HJF-8295-96674032    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

================


Date:      Sat, 05 Jan 2013 19:25:48 -0400
From:      "Worldwide Express Mail" <support.800@portland.com>
To:      [redacted]
Subject:      Number (M)EG25 627 586 0611 4432

*+++
FedEx   
   
Order: HJF-9667-27583280    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

================


Date:      Sat, 05 Jan 2013 A.D. 13:57:18 -0400
From:      "First-Class Mail Postal Service" <support.813@baltimore.com>
To:      [redacted]
Subject:      Number (V)TGS29 427 081 6880 9243

FedEx    
   
Order: HJF-3918-81582364    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

================


Date:      Sat, 05 Jan 2013 09:05:00 -0400
From:      "First-Class Mail Service" <DTU.160@baltimore.com>
To:      [redacted]
Subject:      Tracking Detail (S)JYD60 835 496 0448 5921

FedEx    
   
Order: HJF-8882-94725648    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 
Example download sites:
[donotclick]omahadisability.com/UWOJIEUBLS.php?php=receipt
[donotclick]p-g-maintenance.co.uk/YLFDRZWNJP.php?php=receipt
[donotclick]cctvsecuritysystemshouston.com/XUAJAIPISI.php?php=receipt
[donotclick]itiyam.com/WEQOHWFEAK.php?php=receipt

Note the these URLs seem to be hardened against analysis, if you can't access them check your user agent and referrer strings.

Update 17: and more, this time with the following details:

Tracking Number (B)TXP55 992 494 4822 1645
Number (N)DD46 790 881 6344 2460

Order: HJF-4121-39707012
Order: HJF-2424-11089225

[donotclick]jcpub.com/SXYUXBKFQF.php?php=receipt
[donotclick]travelclinicsswansea.com/INJIETKYXV.php?php=receipt

 Update 18: another spam run, detection rates are a bit better for this one:

Date:      Wed, 09 Jan 2013 06:35:16 +0200
From:      "Shipping Service" [IAL_792@chesapeake.com]
Subject:      Tracking Detail (V)QT48 601 848 0556 8882

FedEx    
   
Order: JN-3254-98757378    
Order Date: Thursday, 3 January 2013, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at January 6.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

GET & PRINT RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 
Variants:
Tracking ID (R)EBE08 923 976 4800 2506
Tracking ID (Y)OKX60 559 414 2225 0045
Order: JN-8274-10502299
Order: JN-9593-93771591

Sample download sites:
[donotclick]fibam.be/CMNVTXINXV.php?php=receipt
[donotclick]sofa-session.ch/PRRVWKCUQJ.php?php=receipt

Update 19: another spam run with the following characteristics:

Subject: Tracking Number (E)KA09 359 952 5829 0864
Order: JN-9160-75660784
Download site: [donotclick]endlich-ein-dsl-anschluss.de/HUPAHPNHTC.php?receipt=ss00_323
VirusTotal report

Update 20: another one, this time downloading from [donotclick]businesscoaching24.com/BWMIZNPQAT.php?receipt=802_195210783

Date:      Sun, 27 Jan 2013 13:09:22 +0100
From:      "Priority Mail Postal Service" [clients-669@columbus.com]
Subject:      Number (L)BVT74 159 159 2182 2182

Fed Ex    
   
Order: HCD-7626-14749451    
Order Date: Thursday, 17 January 2013, 11:10 AM

Dear Customer,

Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

GET & PRINT RECEIPT
   
Best Regards, The FedEx Team.
   
FedEx 1995-2012    
Detection rates are patchy according to VirusTotal. The ThreatExpert report is here.

Update 21: another sample, this time from [donotclick]mydrugstoreus.net/get_file.php?print_receipt=ss00_323, VirusTotal results are 16/46.

Date:      Tue, 05 Feb 2013 19:20:36 -0400
From:      "Manager David Riddle" [manager@tampa.us]
Subject:      Order Detail

FedEx    
   
Tracking ID: 4013-85911016    
Date: Monday, 28 January 2013, 09:22 AM

Dear Client,

Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013    
Update 22: this one downloads from [donotclick]zdsw.net/get_file.php?receipt_print=ss00_323 with VirusTotal detections at 12/46.

Date:      Wed, 06 Feb 2013 18:29:28 -0400
From:      "Manager William Burt" [service@greensboro.us]
Subject:      Shipping Info

FedEx    
   
Tracking ID: 5739-64600336    
Date: Monday, 28 January 2013, 09:22 AM

Dear Client,

Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013     
According to ThreatExpert, this version attempts to connect to the following IP addresses which may be worth blocking:

46.4.178.174
66.84.10.68
66.232.145.174
77.79.81.166
80.90.198.43
81.93.248.152
84.38.159.166
85.186.22.146
85.214.50.161
89.19.20.202
94.101.86.146
173.255.203.178
190.111.176.13
202.153.132.24
202.169.224.202
217.11.63.194

Update 23: this variant downloads from [donotclick]www.ocadaval.com/tmp/vsgnpg.php?receipt_print=ss00_323 with VirusTotal detections of 16/46:

From: Manager Jayden Dickson [support@santaana.us]
Date: 8 February 2013 03:33:48 CET
Subject: Tracking Info
FedEx    
   
7475-42208096     Monday, 4 January 2013, 08:24 AM

Your parcel has arrived at February 6.Courier was unable to deliver the parcel to you at 6 February 05:51 PM.
To receive your parcel, please, print this receipt and go to the nearest office.    
          Print Receipt

Best Regards, The FedEx Team.        
       
FedEx 1995-2013        
Update 24: downloading from [donotclick]www.olmuccio.com/tmp/0iuziv.php?receipt_print=ss00_323 and with VirusTotal detections of just 10/46.

Date:      Mon, 11 Feb 2013 A.D. 13:35:56 -0500
From:      "Manager Daniel Acevedo" [manager@lexington.us]
Subject:      Order Information

FedEx    
   
Tracking ID: 2803-20131928    
Date: Monday, 4 January 2013, 09:42 AM

Dear Client,

Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
Update 25: downloading from [donotclick]www.onzeklus.com/tmp/gnnvyg.php?receipt_print=ss00_323 with VirusTotal detections at just 7/44.

Date:      Wed, 13 Feb 2013 A.D. 16:28:00 -0400
From:      "Manager William Burt" [client@wichita.us]
Subject:      Shipping Service

FedEx    
   
Tracking ID: 2890-49318193    
Date: Monday, 4 January 2013, 09:42 AM

Dear Client,

Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
Update 26: downloading from [donotclick]www.assembleserver.net/clients/comp/mirror.php?receipt_print=ss00_323 with VirusTotal detections of just 5/46.

Date:      Fri, 15 Feb 2013 10:44:44 -0400
From:      "Manager Jayden Soto" [manager@norfolk.us]
Subject:      Shipping Info

FedEx    
   
Tracking ID: 4374-23102840    
Date: Monday, 11 February 2013, 10:22 AM

Dear Client,

Your parcel has arrived at February 14.Courier was unable to deliver the parcel to you at 14 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013    
According to Anubis, the malware attempts to call home to the following IPs:
66.84.10.68
72.29.84.159
87.118.122.19
94.101.86.146
173.255.203.178

Update 27: downloading from[donotclick]/phillipsflorist.co.uk/wp-content/plugins/akismet/mirror.php?receipt=ss00_323 with a detection rate of 4/45.
Date:      Wed, 20 Feb 2013 10:00:38 -0400
From:      "Manager Mason Marsh" [service@anaheim.us]
Subject:      Order Shipped

FedEx    
   
Tracking ID: 9702-66479247    
Date: Monday, 11 February 2013, 10:22 AM

Dear Client,

Your parcel has arrived at February 18.Courier was unable to deliver the parcel to you at 18 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
According to Anubis, this malware tries to call home to:
50.115.116.201
81.93.248.152
87.118.122.19
94.23.193.229
190.111.176.13
213.229.106.32



Update 28: another version, with a download site of [donotclick]www.2handhome.com/components/.ebgv3m.php?receipt=838_129704313 and a VirusTotal score of just 6/45.

Date:      Wed, 13 Mar 2013 05:54:18 -0700
From:      "Manager Liam Ortega" [support@lincoln.us]
Subject:      Tracking Information

FedEx    
   
Tracking ID: 6673-95490112    
Date: Monday, 4 March 2013, 10:22 AM

Dear Client,

Your parcel has arrived at March 7.Courier was unable to deliver the parcel to you at 7 March 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

 Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
According to Anubis, the malware calls home to:
87.106.51.52:8080
91.121.156.162:8080
80.67.6.226:8080
93.125.30.232:8080
174.120.225.57:8080
91.121.28.146:8080
193.23.226.15:8080