Sponsored by..

Showing posts with label Teslacrypt. Show all posts
Showing posts with label Teslacrypt. Show all posts

Monday 14 March 2016

Malware spam: "Traffic report ID: 62699928" leads to Teslacrypt

This fake legal email has a malicious attachment:

From:    Myrna baker
Date:    14 March 2016 at 15:58
Subject:    Traffic report ID: 62699928

Dear Citizen,

We are contacting you on behalf of a local Traffic Violation Bureau.

Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 49757
Unfortunately, we will have no other option rather than passing this case to the local police authorities.

Please, see the report with the documents proofs attached for more information on this case.
Details in the email vary from message to message. The payload is Teslacrypt ransomware, as see in this earlier spam run.

Malware spam: "Credit details ID: 87320357" leads to Teslacrypt

So many Teslacrypt campaigns, so little time... I've had to rely on third party analysis on this particular one (thank you!)
From:    Ladonna feather
Date:    14 March 2016 at 14:50
Subject:    Credit details ID: 87320357

Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply. 
Send names, references and attachment names vary. The malicious scripts in the attachment attempt to download from:

giveitallhereqq.com/69.exe?1
washitallawayff.com/69.exe?1
giveitallhereqq.com/80.exe?1
washitallawayff.com/80.exe?1


This is Teslacrypt ransomware with VirusTotal detection rates of 1/57 [1] [2]. The malware attempts to phone home to:

198.1.95.93/~deveconomytravel/cache/binstr.php
kel52.com/wp-content/plugins/ajax-admin/binstr.php
myredhour.com/blog//wp-content/themes/berlinproof/binstr.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/binstr.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/wcspng.php


The download locations for the executable files can all be considered as malicious:

54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)

178.18.99.23 (Maginfo JSC, Russia)
31.47.179.11 (Baikal TransTeleCom, Russia)
31.134.39.52 (IRONNET Ltd, Russia)
119.247.218.165 (Hong Kong Broadband Network Ltd, Hong Kong)
113.252.180.39 (Hutchison Global Communications, Hong Kong)
37.115.24.106 (Kyivstar GSM, Ukraine)
5.248.2.179 (Kyivstar GSM, Ukraine)
193.169.134.215 (SDS-Vostok Ltd, Russia)
5.166.207.194 (ER-Telecom Holding, Russia)
46.172.219.246 (Krym Infostroy Ltd, Ukraine)

Out of these, only the first three (for giveitallhereqq.com) appear to be static IPs, the others (for washitallawayff.com) are dynamic and are likely part of a botnet, so blocking the domain might be better.

Recommended blocklist:
54.212.162.6
212.119.87.77
78.135.108.94

washitallawayff.com

Malware spam: "Blocked Transaction. Case No 19706002" leads to Teslacrypt

This fake financial transaction has a malicious attachment:

From:    Judy brittain
Date:    14 March 2016 at 08:12
Subject:    Blocked Transaction. Case No 19706002

The Automated Clearing House transaction (ID: 19706002), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID: 09293
Transaction Amount: 607,89 USD
Sender e-mail: brittainJudy056@panick.com.ar
Reason of Termination: See attached statement
The sender's name, references and dollar amounts vary from message to messages. The attachment names are randomly-generated (the format seems the same as this) containing either one or four malicious scripts. According to this analysis the scripts download from:

ohelloguyzzqq.com/85.exe?1

Although the infection mechanism seems the same as this spam run, the MD5 of the dropped executable is now 57759F7901EBA73040597D4BA57D511A with a detection rate of 2/55. This is Teslacrypt ransomware, and I recommend that you block traffic to the IP addresses listed here.

Sunday 13 March 2016

Malware spam: "Debt #85533 , Customer Case Nr.: 878" leads to Teslacrypt

The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments, however.

From:    Lamar drury
Date:    13 March 2016 at 18:43
Subject:    Debt #85533 , Customer Case Nr.: 878

Dear Customer,

Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.

We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.

Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.

We hope on your understanding.

Kind regards,
Finance Department
Lamar drury
878 N Davis St, Jacksonville,
FL 85533
Phone nr: 464-182-2340 
Attached is a ZIP file, that in the samples I saw starts with:
  • doc_scan_
  • money_
  • payment_details_
  • payment_
  • warning_
  • see_it_
  • payment_scan_
  • finance_
  • warning_letter_
  • report_
  • transaction_
  • details_
  • incorrect_operation_
  • confirmation_
  • document_
  • problem_
  • financial_judgement_
 ..plus a random number. Inside are one to four malicious .js scripts, named in the following format:

  • details_
  • mail_
  • post_
  • Post_Parcel_Case_id00-
  • Post_Parcel_Confirmation_id00-
  • Post_Parcel_Label_id00-
  • Post_Shipment_Confirmation_id00-
  • Post_Shipment_Label_id00-
  • Post_Tracking_Case_id00-
  • Post_Tracking_Confirmation_id00-
  • Post_Tracking_Label_id00-
The first three have a random string, the ones beginning with "Post" are followed by a random number and a #.  There are at least 22 unique scripts with the following MD5s:

05A44DF4418EA3F133A3708D4D829DC7
84A57069907726FFADE1DE7DDF6E34CD
6F9726C410B3FCE2FC1EAF75C5015BFC
97D6643DE12E4430CD11412D7917C8B2
ADB1CF98CD632B0E55358C045114ED6A
732314E639426E42B9342B1470798E02
AC2D6B033C943AF864F6A6E2A143E0CD
EA9BE11F3267D14CDF3A88786E2D69C8
E831A7247D30F9EB406A3F5AFCB63EDE
D5B74B58E9971BE84AA83B2E1D46B414
1A177FAF482FC924D2439F4111428D9F
0FB3CD12FB2BF4AC7ABB909383E2EEB8
A810DCD3DE5DA723940D3C44075D3314
F1B4DF8D16F81FFC543E252594DF5C03
3FE0BD9E25B3D0A36A898BE6E579780E
060990306E189A6022E2CCB041912588
6F963C39333F751D097D8DB8A2EEF525
DBF2B52926B5925E382BCF4024E5C8F7
4193D7D43CA5981EDB6E790ED568E5F3
AED7397352E43C0E2F0281AA2F4AACB2
ED8919841E31422C6318978BDAE5612B
C6D52DA9375DA4C33776D68407CC9B0D


These appear [1] [2] to download a malicious binary from one of the following locations:

ohelloguyff.com/70.exe
ohelloguyzzqq.com/85.exe?1


Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56.

The download locations have the following IP addresses:

185.35.108.109 (DA International Group Ltd, Bulgaria)
204.44.102.164 (Quadranet Inc, US)
54.212.162.6 (Amazon AWS, US)
192.210.144.130 (Hudson Valley Host / Colocrossing, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)


Those IP addresses can be considered as evil, and they also host the following sites:

returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
howareyouqq.com
ohelloguyqq.com
bonjovijonqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com
ohelloguyff.com
ohelloguymyff.com
joecockerhereff.com
howisittomorrowff.com
thunicodenamespace.com
wioutpudforcontents.com
idendnsletbarcamednstwo.com
leadhoffmanclassapplico.com
insensitivityinterpreted.com
placegrantthenoticesmust.com
dns1.beforeyougogg.net
dns1.ohimyfriendff.net
dns2.ohimyfriendff.net
dns1.kaktotakvot.pw
dns2.martuswalmart.pw
dns2.beforeyougogg.net
dns2.microtexreglyt.net
microtexregyts.net
gdemoidomaine.info
daimoidomainemne.info
mydomainebizness.info


Recommended blocklist:
185.35.108.109
204.44.102.164
54.212.162.6
192.210.144.130
212.119.87.77
78.135.108.94


Saturday 12 March 2016

Malware spam: "Urgent Notice # 78815053" leads to Teslacrypt

This spam comes from random senders, and has random references, dollar amounts and attachment names:

From:    Donnie emily
Date:    12 March 2016 at 14:01
Subject:    Urgent Notice # 78815053

Dear Customer!

According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.

Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.

We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.

Please check out the file and do not hesitate to pay off the debt.

Otherwise we will have to start a legal action against you.

Regards,
Donnie emily
758 N Davis St, Jacksonville,
FL 17323
Phone nr: 026-762-3482 
Attached is a randomly-named ZIP file, in the sample I have seen they begin with:
  • letter_
  • confirm_
  • access_
  • unconfirmed_operation_
  • operation_
  • details_
..plus a random number. There may be other formats. Inside is a malicious script beginning with:
  • details_
  • post_
  • mail_
..plus a random string of characters. I have seen six versions of this script, I do not know how many there are in total. VirusTotal results show detection rates between 4 and 7 out of 57 [1] [2] [3] [4] [5] [6] and automated analysis tools [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] show the script attempting to download a binary from:

bonjovijonqq.com/69.exe?1
bonjovijonqq.com/80.exe?1


This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different (VirusTotal results [19] [20]) and they appear to phone home to:

vtechshop.net/wcspng.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
shirongfeng.cn/images/lurd/wcspng.php


It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to:

31.184.196.78 (Petersburg Internet Network Ltd, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Russia)


The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs:

192.210.144.130 (Hudson Valley Host  / Colocrossing, US)
54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)


The following malicious domains are also on the same servers:

nnrtsdf34dsjhb23rsdf.spannflow.com
bonjovijonqq.com
returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
howareyouqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.

Recommended blocklist:
192.210.144.130
54.212.162.6
212.119.87.77
78.135.108.94
31.184.196.78
91.234.32.192
multibrandphone.com
sappmtraining.com
shirongfeng.cn
vtechshop.net


Monday 7 March 2016

Malware spam: "Order Confirmation - Payment Successful, Ref. 81096454" leads to ransomware

This fake financial spam comes from various senders with different references, amounts and slightly different addresses. There is a malicious attachment which appears to be ransomware.

From:    Ellen thorp
Date:    7 March 2016 at 07:08
Subject:    Order Confirmation - Payment Successful, Ref. 81096454

Dear Client,

Thank you for your transaction of $477,84. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.

We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.

Double check please the document enclosed to this email.

Thank you for your order and we hope to see you again as our customer.

Respectfully,
Ellen thorp
Chief Accountant
95 N Forks Ave,
Forks, WA 30212
Phone: 028-959-7736 

Attached is a randomly-named ZIP file in the format Invoice_ref-81096454.zip which contains a further malicious script file beginning with invoice_, invoice_copy or invoice_SCAN. Detection rates for these vary [1] [2] [3] [4] [5] [6]. These Hybrid Analysis reports on three of the samples [7] [8] [9] show the script download a malicious binary from:

blablaworldqq.com/80.exe?1
hellomydearqq.com/69.exe?1
hellomydearqq.com/80.exe?1

At the moment, those domains don't seem to be resolving, but if you replace the domains with the IP addresses then it will work. The sites are hosted on the following servers:

51.254.226.223 (OVH, France)
173.82.74.197 (Multacom Corporation, US)


The 69.exe and 80.exe files are actually different, both have a detection rate of 4/54 [1] [2]. Analysis of these files [3] [4] [5] [6] indicates behaviour consistent with ransomware, and these binaries attempt to phone home to the following domains:

conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com



The two IPs specified as binary download locations have hosted a number of other evil sites:

pren874bwsdbmbwe.returnyourfiless.ru
itsyourtimeqq.su
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
thisisyourchangeqq.com
gutentagmeinliebeqq.com
returnyourfiless.ru
pren874bswsdbmbwe.returnyourfiless.ru
83gd65jfh24jbrwke43.brocksard.su
gubbosiak.su
yy4nfsdp4hpfas7hefp4w.gubbosiak.su
golemmalik.su
bb34dbsjneefnsdefjsn.golemmalik.su
hellomenqq.su
helloguysqq.su
hellowomenqq.su
invoiceholderqq.su
3j2gdpsipa74bgm441.biz
mayofish.com
l4rdnvb5jskjb45sdfb.mayofish.com
skuawill.com
belableqq.com
fausttime.com
pot98bza3sgfjr35t.fausttime.com
maniupulp.com
h5534bvnrnkj345.maniupulp.com
sifetsere.com
p47kjndfbj8hsdfsd3e.sifetsere.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
wakonratio.com
sdfsdfsd.wakonratio.com
fjfhsflj54t8ak439sm.wakonratio.com
ball-provide.com
piglyeleutqq.com
helloworldqqq.com
helloyungmenqq.com
hpareyouhereqq.com
pigglywigglyqq.com
lastooooomene3ie3.com
lastooooomene2ie2e.com
promsortirovochnie.com
belahhoast.net

Recommended blocklist:
51.254.226.223
173.82.74.197
conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com

Thursday 3 March 2016

Malware spam: "Order Delay - Package Ref. 30432839"

This spam comes with a malicious attachment. The name of the sender and the reference number will vary from message to message.

From:    Lorna trevor-roper [trevor-roperLorna54235@cable.net.co]
Date:    3 March 2016 at 17:28
Subject:    Order Delay - Package Ref. 30432839


Respected Customer,

The delay of your parcel ref. # 30432839 cannot be controlled due to the unstable weather conditions in our region.

We are doing everything we can to arrange the best shipping time for your package.

Please check the information on your purchase in the attached file. There your will also find the info on the new delivery time.

Sincerely,
Sales Department Manager
Lorna trevor-roper
3000 E Grand Ave,
Des Moines, IA 27222
308-590-9335 
So far I have seen three samples, with attachments named in the format Invoice_ref-30432839.zip containing a malicious script starting with invoice_ and then having some variable elements in it. These have detection rates of 3/55 or so [1] [2] [3] and which the Malwr reports [4] [5] [6] indicate attempt to GET a binary from one of the following locations:

isthereanybodyqq.com/69.exe?1
isthereanybodyqq.com/80.exe?1
ujajajgogoff.com/69.exe?1
ujajajgogoff.com/80.exe?1

Data is then POSTed to:

dustinhansenbook.com/wstr.php
agri-distribution.net/wstr.php
onegiantstore.com/wp-includes/theme-compat/wstr.php

The VirusTotal reports for the dropped binary [1] [2] indicate Ransomware, but those Malwr reports look more like the Dridex banking trojan. Either way it is Nothing Good.

The download locations are interesting, hosted on the following IPs:

78.135.108.94 (Sadecehosting, Turkey)
162.211.67.244 (Secure Dragon LLC, US)


The following domains are either hosted on these IPs or use them as namesevers. They all look highly suspect and worthy of futher analysis:

ohelloweuqq.com
ujajajgogoff.com
ohellohowru.ws
ujajajgogo.ws
gangthatgirlfast.ws
gutentagmenliebe.ws
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com


Recommended blocklist:
78.135.108.94
162.211.67.244


UPDATE

Smarter folks than I think this is Teslacrypt.


Thursday 17 December 2015

Malware spam: "Required your attention" leads to Teslacrypt

This spam email has a malicious attachment:

From:    Brittany Quinn
Date:    17 December 2015 at 10:52
Subject:    Required your attention

Dear Partner,

As per your request, we have made special prices for you, which leave us only a very small margin.

Kindly find attached the prices with your personal discount, and if you need anything else, don’t hesitate to contact us.

Our best wishes, The sales team
The sender's name varies from email to email, as does the name of the attachment but it in a format similar to SCAN_PRICES_01106759.zip. Contained within is a malicious obfuscated Javascript with a detection rate of 6/54 which is a bit clear when deobfuscated, and it downloads from:

whatdidyaysay.com/97.exe?1
iamthewinnerhere.com/97.exe?1

This has a detection rate of 3/53. Automated analysis is inconclusive [1] [2] but this is Teslacrypt and is likely to be similar in characteristics to this spam run.



Wednesday 16 December 2015

Malware spam: "Your account has a debt and is past due" leads to Teslacrypt

This fake financial spam comes with an interesting error in the part that is meant to randomly-generate the dollar amount:
From:    Frances Figueroa
Date:    16 December 2015 at 17:22
Subject:    Your account has a debt and is past due

Dear Customer,

Our records show that your account has a debt of $345.{rand(10,99)}}. Previous attempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.
The value, sender's name and attachment name are randomly generated. The attachment is named in the format SCAN_INVOICE_79608749.zip which contains a malicious script that attempts to download Teslacrypt ransomware from the following locations:

whatdidyaysay.com/80.exe?1
iamthewinnerhere.com/80.exe?1


This has a VirusTotal detection rate of 3/54 and an MD5 of 5c2a687f9235dd536834632c8185b32e. Those download locations have been registered specifically for this purpose (they are not hacked sites) and are hosted on:

176.99.12.87 (Global Telecommunications Ltd., Russia)
185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
5.178.71.10 (Serverius, Netherlands)


The following malicious sites are also hosted on those IPs:

dns1.ojwekhsdfs.in
dns2.ojwekhsdfs.in
whatdidyaysay.com
washawaydesctrucion.com
dns1.mikymaus.in
dns2.mikymaus.in
dns1.saymylandgoodbye.in
dns2.saymylandgoodbye.in
dns2.auth-mail.ru
gammus.com
ifyougowegotoo.com
iamthewinnerhere.com
thewelltakeberlin.com
remarkablyxj.top
sufficientbe.top
domainsgmwills.top
ns2.directly-truimph.com

These automated reports [1] [2] [3] show that the malware calls home to these following legitimate but hacked domains:

sofiehughesphotography.com
goedkoop-weekendjeweg.net
coatesarchitecture.com
hotbizlist.com
adamhughes.in
magaz.mdoy.pro

Recommended minimum blocklist:
176.99.12.87
185.69.152.145
5.178.71.10

whatdidyaysay.com
iamthewinnerhere.com

Malware spam: "Unpaid Invoice from Staples Inc., Ref. 09123456, Urgent Notice" leads to Teslacrypt

This fake financial spam is not from Staples or Realty Solutions but is instead a simple forgery with a malicious attachment.

From:    Virgilio Bradley
Date:    16 December 2015 at 14:37
Subject:    Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice

Dear Valued Customer,

This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.

Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.


Regards,
Virgilio Bradley
Customer Service Department
Realty Solutions
182 Shobe Lane
Denver, CO 80216

The names, amounts and reference numbers change from email to email. The attachment has the same name of the reference (e.g. invoice_09846839_copy.doc) but despite this I have only seen one version with a VirusTotal detection rate of just 1/55.

According to this Malwr report, the macro in the document downloads a binary from:

iamthewinnerhere.com/97.exe

This appears to be Teslacrypt ransomware and it has a detection rate of 5/53. Unlike some other malware, the domain iamthewinnerhere.com has been registered specifically to host this malware, and is located on:

185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
84.200.69.60 (Ideal-Hosting UG, Germany)


Nameservers are DNS1.SAYMYLANDGOODBYE.IN and DNS2.SAYMYLANDGOODBYE.IN. Other suspect sites on these IPs are:

dns2.auth-mail.ru
metiztransport.ru
remarkablyxj.top
sufficientbe.top
domainsgmwills.top
dns2.mikymaus.in
dns2.dlhosting.in
dns2.donaldducks.in
dns2.saymylandgoodbye.in
dns1.gogodns.ru
dns2.gogodns.ru
gammus.com
testsfds.com
waschmaschinen.testsfds.com
miracleworld1.com
ifyougowegotoo.com
hellofromjamaica.com
www.hellofromjamaica.com
firstwetakemanhat.com
thewelltakeberlin.com
mixer.testsg.net
abfalleimer.testsg.net
buegeleisen.testsg.net
bodenwischer.testsg.net
wasserfilter.testsg.net
kuechenmaschinen.testsg.net
testzd.net
staubsauger.testzd.net
waschtrockner.testzd.net
kaffeevollautomat.testzd.net
izfrynscrek.net
ftp.lazur.info
aspirateurs.lazur.info

According to this Malwr report, it then phones back to these legitimate but hacked domains:

sofiehughesphotography.com
magaz.mdoy.pro
adamhughes.in
goedkoop-weekendjeweg.net
hotbizlist.com
coatesarchitecture.com

MD5s:
3999736909019a7e305bc435eb4168fd
8f4bd99c810d517fb2d2b89280759862

Recommended minimum blocklist:
iamthewinnerhere.com
185.69.152.145
84.200.69.60



Tuesday 15 December 2015

Malware spam: "Reference Number #89044096, Notice of Unpaid Invoice" leads to Teslacrypt

This fake financial spam comes with a malicious attachment.

From:    Carol Mcgowan
Date:    15 December 2015 at 09:09
Subject:    Reference Number #89044096, Notice of Unpaid Invoice

Dear Valued Customer,

It seems that your account has a past due balance of $263,49. Previous attempts to collect the outstanding amount have failed.

Please remit $263,49 from invoice #89044096 within three days or your account will be closed, any outstanding orders will be cancelled and this matter will be referred to a collection agency.

The payment notice is enclosed to the letter down below.

Attached is a file invoice_89044096_scan.doc which has a VirusTotal detection rate of 2/54, and which contains this malicious macro [pastebin] which attempts to download a binary from the following location:

thewelltakeberlin.com/92.exe 

This domain was registered only today, and at the moment is not resolving properly. The payload here is likely to be Teslacrypt.

The WHOIS details for it are:

Registrant Name: Quinciano Huerta
Registrant Organization: Quinciano Huerta
Registrant Street: Vila Fonteles 163  
Registrant City: Fortaleza
Registrant State/Province: CE
Registrant Postal Code: 60741-080
Registrant Country: BR
Registrant Phone: +55.8568257712
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: wexel@thewelltakeberlin.com


Nameservers are dns1.saymylandgoodbye.in and dns2.saymylandgoodbye.in hosted on 5.178.71.5 (Serverius, Netherlands) and 83.69.233.102 (Awax Telecom, Russia)

Those two IPs host or have recently hosted the following potentially malicious domains:

buildites.com
dauth-mail.ru
ddonaldducks.in
directly-success.com
dmikymaus.in
dsaymylandgoodbye.in
dsoftextrain644.com
gammus.com
hackeroff.net
kalamarkesof.org
linuxczar.com
metiztransport.ru
miracleworld1.com
obamalox.com
outreel.ru
pro100now.ru
rapdacity.ru
remarkablyxj.top
staringpartnerk.com
sufficientbe.top
superiorityci.top
trillionstudio.com
vmark.su
workcccbiz.in

Recommended minimum blocklist:
thewelltakeberlin.com
83.69.233.102
5.178.71.5

UPDATE
There is a good analysis of this malware at TechHelpList including the C2 domains involved.

Monday 14 December 2015

Malware spam: "Your order #12345678" / "11 Money Way, Pittsburgh, PA 15226"

This fake financial spam leads to malware:

From:    Giuseppe Sims
Date:    14 December 2015 at 14:19
Subject:    Your order #25333445

Dear Valued Customer,

This letter was sent to you as a formal notice that you are obligated to repay our company the sum of 2,760$ which was advanced to you from our company on October 16, 2015.
Please, find the invoice enclosed down below.

This amount must be repaid until the date of maturity to payment obligation, December 28, 2015 and you have failed to repay our company the same despite repeated requests for this payment.

Thank you in advance for your prompt attention to this matter. We look forward to your remittance. If you have any questions, please do not hesitate to contact us.

Sincerely,
Giuseppe Sims
11 Money Way
Pittsburgh, PA 15226
The sender's name is randomly-generated but is always female. Also random are the order number and value, and there is an attachment in the format invoice_12345678_scan.zip that matches the reference in the document.

Inside that ZIP file is a uniquely generated .JS file in the format invoice_XXXXXX.js or invoice_copy_XXXXXX.js which is highly obfuscated (like this) and deobfuscates to something like this.

The various versions of the macro attempts to download a binary from the following location:

miracleworld1.com/80.exe?1

I cannot get this to resolve at the moment, it turns out that the domain was only registered today.

Domain Name:miracleworld1.com
Registry Domain ID:
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: webnic.cc
Updated Date:2015-12-14 21:24:21
Creation Date:2015-12-14 21:21:12
Registrar Registration Expiration Date:2016-12-14 13:21:11
Registrar:WEBCC
Registrar IANA ID:460
Registrar Abuse Contact Email:compliance_abuse@webnic.cc
Registrar Abuse Contact Phone:+603 8996 6799
Domain Status:Active
Registry Registrant ID:
Registrant Name:Eliisa Laukkanen
Registrant Organization:Eliisa Laukkanen
Registrant Street:Etelaesplanadi 89
Registrant City:Ingermaninkyla
Registrant State/Province:Ingermaninkyla
Registrant Postal Code:07810
Registrant Country:FI
Registrant Phone:+358.0460879234
Registrant Phone Ext:
Registrant Fax:+358.0460879234
Registrant Fax Ext:
Registrant Email:bomb@miracleworld1.com
I think they started spamming before the domain records could be pushed out fully. Shame.

Nameservers are DNS1.DONALDDUCKS.IN and DNS2.DONALDDUCKS.IN on 93.189.42.21 (NTCOM, Russia) and 178.33.200.177 (Dmitry Shestakov, Belize / OVH, France) respectively.

Looking at the nameservers, I can see that the following malicious domains are part of the same cluster, and I recommend you block all of them:

gammus.com
miracleworld1.com
soft2webextrain.com


Although I have not been able to acquire the payload, it is almost definitely Teslacrypt.

UPDATE

An updated version of the script is being spammed out that looks like this when deobfuscated. This attempts to download Teslacrypt from the following URLs:

firstwetakemanhat.com/91.exe?1
miracleworld1.com/91.exe?1


This has a detection rate of 4/55. firstwetakemanhat.com was registered just today and is hosted on:


193.150.0.78 (PE Govoruhin Vitaliy Sergeevich, Russia)
84.200.69.60 (Ideal-Hosting UG, Germany)



Nameservers are DNS1.GOGODNS.RU and DNS2.GOGODNS.RU which are hosted on the same two IPs.

The Malwr report shows more details, however this is my recommended blocklist (updated):
193.150.0.78
84.200.69.60 
gammus.com
miracleworld1.com
soft2webextrain.com

firstwetakemanhat.com

Friday 11 December 2015

Malware sites and evil networks to block (2015-12-11)

This group of domains and IPs are related to this Teslacrypt attack, sharing infrastructure with some of the malicious domains in question. In addition to Teslacrypt, some of these are connected with PoSeidon, Pony and Gozi malware.

The analysis [csv] includes SURBL and Google ratings, ISP information and a recommended blocklist.

Malicious domains:
auth-mail.ru
blagooooossss.com
brostosoosossss.com
chromedoors.ru
debatelocator.ru
ggergregre.com
growthtoys.ru
hagurowrob.ru
hedtheresran.ru
listfares.ru
littmahedtbo.ru
mikymaus.in
mytorsmired.ru
poponkia.com
soft2webextrain.com
softextrain64.com
softextrain644.com
toftevenghertbet.ru
wordlease.ru
workcccbiz.in

Partly or wholly malicious IPs:
46.166.168.106
80.87.202.52
96.8.119.3
104.232.34.141
149.202.234.190
176.103.48.223
185.18.53.247
185.118.64.182

Recommended blocklist:
46.166.168.64/26 (Duomenu Centras, UA)
80.87.202.0/24 (JSC Server, RU)
96.8.119.0/27 (New Wave NetConnect, US)
104.232.34.128/27 (Net3 Inc, US)
149.202.234.188/30 (OVH / Dmitry Shestakov, BZ)
176.103.48.0/20 (PE Ivanov Vitaliy Sergeevich, UA)
185.18.53.247 (Fornex Hosting, NL)
185.118.64.176/28 (CloudSol LLC, Russia)

I've blocked traffic to 176.103.48.0/20 for two years with no ill-effects, it seems to be a particularly bad network. There may be a few legitimate sites hosted in these ranges, they would mostly be Russian.. so if you don't usually visit Russian websites then the collateral damage might be acceptable.

Malware spam: "Invoice #66626337/BA2DEB0F" leads to Teslacrypt

I have only seen one sample of this fake invoice spam, so it is possible that the invoice references and sender names are randomly generated.

From:    Jarvis Miranda
Date:    11 December 2015 at 08:25
Subject:    Invoice #66626337/BA2DEB0F

Dear Client,

Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.

Thank you for understanding.
In the sample I saw, the attached file was named SCAN_invoice_66626337.zip which contained a malicious javascript [pastebin] with a VirusTotal detection rate of 5/54. When deobfuscated it becomes a bit clearer that it is trying to download a binary from:

soft2webextrain.com/87.exe?1
46.151.52.231/87.exe?1


This behaviour can be seen in these automated reports [1] [2]. The downloaded executable has a detection rate of 6/55 and an MD5 of 56214f61a768c64e003b68bae7d67cd2. This Malwr report gives a clearer indication of what the binary is doing, attempting to pull information from:

kochstudiomaashof.de

The screenshots indicate clearly that this is ransomware, specifically Teslacrypt.

Note that the soft2webextrain.com domain is on the same server as softextrain64.com seen yesterday, so 185.118.64.182 (CloudSol LLC, Russia) can be considered to be malicious.


UPDATE
I didn't spot originally that the "soft2webextrain.com" website is multhomed with another IP address on 149.202.234.190 which is an OVH IP allocated to a customer "Dmitry Shestakov" an which forms a small block of 149.202.234.188/30 which is probably also worth blocking.

UPDATE 2
I made an error with one of the IP addresses and specified 185.118.64.183 and it should have been 185.118.64.182.

Recommended blocklist:
185.118.64.182
149.202.234.188/30
46.151.52.231
kochstudiomaashof.de

Thursday 10 December 2015

Malware spam: "Foreman&Clark Ltd" / "Last Payment Notice" leads to Teslacrypt

This fake financial spam does not come from the long-defunct Foreman & Clark, but instead it comes with a malicious attachment that leads to ransomware.
From:    Harlan Gardner
Date:    10 December 2015 at 08:48
Subject:    Reference Number #20419955, Last Payment Notice

Dear Client,

This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $8,151.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.

Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.

Sincerely,
Harlan Gardner
Sales Manager

Foreman&Clark Ltd.
256 Raccoon RunSeattle,
WA 98101

In the sample I saw, the attachment was named copy_invoice_20419955.zip which contained this malicious obfuscated script which has a VirusTotal detection rate of 2/55. When deobfuscated it becomes a bit clearer as to what it does, with an attempted download from:

46.151.52.196/86.exe?1
softextrain64.com/86.exe?1


This pattern is the same as the spam run yesterday. The downloaded binary has an MD5 of 42b27f4afd1cca0f5dd2130d3829a6bc, a detection rate of 5/55 and the Malwr report indicates that it pulls data from the following domains:

graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
gjesdalbrass.no


The characteristics of this malware indicate the Teslacrypt ransomware.

Recommended blocklist:
46.151.52.196
softextrain64.com
gjesdalbrass.no
graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com

Wednesday 9 December 2015

Fake "Fretter Inc" spam leads to Teslacrypt ransomware

This email claims to be from the long-dead retailer Fretter Inc, but it is not. Instead it comes with a malicious attachment leading to the Teslacrypt ransomware.

From:    Tonia Graves [GravesTonia8279@ikom.rs]
Date:    9 December 2015 at 14:50
Subject:    Your order #11004118 - Corresponding Invoice #B478192D

Dear Valued Customer,

We are pleased to inform you that your order #11004118 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don't hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.

We look forward to your remittance and will the dispatch the goods.

Thank you for choosing our services we sincerely hope to continue doing business with you again.

Sincerely,
Tonia Graves


Sales Department Manager
Fretter Inc.
2715 Sycamore Road
Nyssa, OR 97913
There sender's name and the reference numbers change in each version. Attached is a file copy_invoice_11004118.zip which in turn contains a malicious script [VT 5/54] which in the sample I investigated was named invoice_iU9A2Y.js. When deofuscated it looks like this.

The Malwr report for that script shows it downloading from:

softextrain64.com/86.exe?1

The script itself shows an alternate location of:

46.151.52.197/86.exe?1

This has a VirusTotal detection rate of 3/55. A Malwr report on just the executable plus this Hybrid Analysis report shows it connecting to:

gjesdalbrass.no

It also tries to identify the IP address of the host by connecting to http://myexternalip.com/raw which is a benign service that you might consider to be a good indicator of compromise.

You can see in the screenshots of that Malwr report that this is ransomware, specifically Teslacrypt.

Recommended blocklist:
gjesdalbrass.no
softextrain64.com
46.151.52.197

Wednesday 2 December 2015

Malware spam: "Invoice from PASSION BEAUTY SUPPLY LTD" leads to Teslacrypt

Following on from this earlier spam run, this email has a malicious attachment that loads Teslacrypt ransomware.

From:    Monique Chen [ChenMonique412@magicleafstudio.com]
Date:    2 December 2015 at 19:22
Subject:    Invoice from PASSION BEAUTY SUPPLY LTD

Dear Customer ,

Please review the attached copy of your Invoice (number: IN78350434) for an amount of $470.49.


Thank you for your business
The attachment is named invoice_copy_78350434.zip and it contains a malicious script invoice_copy_BD2E45I62A129S.js which has a VirusTotal detection rate of 2/55. The script is obfuscated (see example) but according to these analyses [1] [2] downloads a malicious executable from:

74.117.183.84/76.exe?1

This has a detection rate of 3/55. The hosts contacts are the same as for the earlier spam run and I recommend you block them.

Malware spam: "November Invoice #60132748" leads to Teslacrypt

This fake financial spam comes with a malicious attachment.


From:    Valarie Davenport
Date:    2 December 2015 at 11:59
Subject:    November Invoice #60132748


Hello ,

Please review the attached copy of your Electronic document.

A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.

Thank you for your business.

Attached is a file invoice_60132748.zip which contains a malicious obfuscated script INVOICE_main_BD3847636213.js [Pastebin obfuscated / deobfuscated] and this downloads a malicious file from:

74.117.183.84/76.exe?1

It also tries to contact 5.39.222.193, but this times out. An attempt to download from bestsurfinglessons.com comes up with a 404 error.

The Malwr report and Hybrid Analysis indicates that this communicates with the following compromised domains:

ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org


Both those reports indicate that this is the Teslacrypt ransomware.


Furthermore, the Hybrid Analysis report also shows other traffic to:

tsbfdsv.extr6mchf.com
alcov44uvcwkrend.onion.to
rbtc23drs.7hdg13udd.com


MD5s:
72c15108b68a0f07fdc4d17bd58aa368
0352acd36fedd29e12aceb0068c66b49
f16692fc9170ff68321a5d060b93e2e7


Recommended blocklist:
74.117.183.84
5.39.222.193
ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org
extr6mchf.com
alcov44uvcwkrend.onion.to
7hdg13udd.com