
Showing posts with label UAE. Show all posts

Tuesday 5 July 2016

Malware spam: "Scanned image" leads to Locky

This fake document scan appears to come from within the victim's own domain but has a malicious attachment.

From:    administrator8991@victimdomain.com
Date:    5 July 2016 at 12:47
Subject:    Scanned image

Image data has been attached to this email.

Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52 and 6/52. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:

leafyrushy.com/98uhnvcx4x
sgi-shipping.com/98uhnvcx4x


There will be a lot more locations too. This drops a binary with a detection rate of 5/55 which appears to be Locky ransomware. Hybrid Analysis shows it phoning home to:

185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)


Host Sailor is a notoriously Black Hat web host, and MWTV has its problems too. The payload appears to be Locky ransomware.

Recommended blocklist:
185.106.122.0/24
185.129.148.0/24



Wednesday 11 May 2016

Malware spam: Emailing: Photo 05-11-2016, 03 26 04

This spam comes with a malicious attachment:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    11 May 2016 at 12:39
Subject:    Emailing: Photo 05-11-2016, 03 26 04

Your message is ready to be sent with the following file or link
attachments:

Photo 05-11-2016, 03 26 04


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

It appears to come from the sender's own email address, but this is a simple forgery (explained here). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment match the references in the email). It contains a .js file with a similar name.
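Both this post and the 5 July 2016 one describe the same pattern: a From address forged to look like the recipient's own domain, plus either a macro-enabled .docm or a .zip wrapping a .js script. The mail-filter check below is an added example written for this page, not code from the blog; .docm and .js come from the posts, the other extensions in the two sets are assumed analogues, and the sample message is constructed.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# .docm (5 July 2016 post) and .js inside a .zip (11 May 2016 post) are the carriers
# described above; the other extensions are assumed analogues, not from the posts.
MACRO_EXTS = {".docm", ".xlsm"}
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}

def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def _domain(header: str) -> str:
    return header.rsplit("@", 1)[-1].strip(" >").lower() if "@" in header else ""

def risky_attachments(raw: bytes) -> list:
    """Reasons a message matches: forged self-domain sender and/or a macro doc or zipped script."""
    msg = email.message_from_bytes(raw, policy=default)
    reasons = []
    sender, rcpt = _domain(str(msg.get("From", ""))), _domain(str(msg.get("To", "")))
    if sender and sender == rcpt:
        reasons.append(f"From domain equals To domain ({sender}); header is trivially forged")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in MACRO_EXTS:
            reasons.append(f"macro-enabled document attached: {name}")
        elif _ext(name) == ".zip":
            try:  # inspect the archive in memory; never extract or execute anything
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for inner in zf.namelist():
                        if _ext(inner) in SCRIPT_EXTS:
                            reasons.append(f"script inside zip: {name} -> {inner}")
            except zipfile.BadZipFile:
                reasons.append(f"unreadable zip attachment: {name}")
    return reasons

def build_sample() -> bytes:
    """Constructed message mimicking the 11 May 2016 spam: self-addressed, zip holding a .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo 05-11-2016, 03 26 04.js", "// constructed placeholder, not the real script\n")
    m = EmailMessage()
    m["From"] = "victim@victimdomain.tld"
    m["To"] = "victim@victimdomain.tld"
    m["Subject"] = "Emailing: Photo 05-11-2016, 03 26 04"
    m.set_content("Your message is ready to be sent with the following file or link attachments:")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Photo 05-11-2016, 03 26 04.zip")
    return m.as_bytes()
```

A gateway would run `risky_attachments` on each inbound message and quarantine on any non-empty result; the self-domain check alone is noisy on hosts that legitimately relay internal mail, so combine it with the attachment findings.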

Trusted third-party analysis (thank you!) shows the various scripts downloading from:



This drops a file with a detection rate of 3/56. This is likely to be Locky ransomware; a full analysis is pending. However, an earlier Locky campaign today phoned home to:

185.82.202.170 (Host Sailor, United Arab Emirates)
88.214.236.11 (Overoptic Systems, UK / Russia)
5.34.183.40 (ITL, Ukraine)

According to a DeepViz report, this sample has identical characteristics.

Recommended blocklist:
185.82.202.170
88.214.236.11
5.34.183.40

Sunday 6 April 2014

"Produce & Information" / Media Trade Company spam

This spam email links to a malicious file:

From:     Media Trade info@mediatrade.com
Reply-To:     ourmediatrade@yahoo.com
Date:     6 April 2014 16:26
Subject:     Produce & Information

Good Day

How are you today?
This is Media Trade Company, we have interest in your product. And our company is planning on placing an order with your company, Please open and click on the pdf icon to see the attached document of our produce information and company details.

Thank you and have a nice day

Best regards
THKS/B.RGDS

Attached is a file Our Produce Info.html which in turn contains a link to [donotclick]surevilla.h19.ru/Our%20Produce%20Info.exe hosted on 89.108.91.183 (Agava Ltd, Russia). This IP address is suspected of badness and blocking it would be a prudent idea; alternatively you could block the dynamic DNS domain h19.ru which is being abused in this case.

The malicious file has a detection rate of 25/51 at VirusTotal with some indication that this is either a variant of Zbot or some sort of ransomware. The Malwr analysis shows some sort of download taking place from [donotclick]ourdailyshopping.com/images/win/check/file.php hosted on 91.223.82.188. Also, the Anubis analysis gives an idea as to the files created.

Of interest, this IP of 91.223.82.188 belongs to a company I have never heard of called International Widespread Services Limited aka IWS Networks Ltd of the UAE. They also provide the mail relay used in the spam which is 185.7.35.90.

Recommended blocklist:
89.108.91.183
91.223.82.188
surevilla.h19.ru
ourdailyshopping.com

I would also recommend that you consider blocking the domain h19.ru which may block some legitimate sites but should offer additional protection.

Tuesday 4 February 2014

WTF? WFP.org spam? Or is it emailciti.com?

This spam is promoting the UN's World Food Programme. I'm surprised that the WFP should sink so low, but perhaps they engaged the services of spammers without realising.

From:     World Food Programme newsletter@newsletter.loyaltyciti.com
Reply-To:     newsletter@newsletter.loyaltyciti.com
Date:     4 February 2014 09:58
Subject:     60% of people here don't have food
Signed by:     newsletter.loyaltyciti.com

If you are unable to see the message below, click here to view.

Share:     Delicious    Digg    Facebook    LinkedIn    Twitter   

world food programme
There’s a common link between a mother in Central African Republic, a father in South Sudan, and a child in Syria. Hunger. Fortunately, there’s also a common solution – The World Food Programme (WFP)..
WFP provides food assistance so families can break the cycle of poverty and hunger. Our goal? Zero hunger. We rely on the support of our online community to make this a reality.
Will you join us? Sign up at wfp.org/join to receive monthly updates and info about how you can help achieve a zero hunger world.
When conflict erupts, hunger soon follows. In CAR, South Sudan, and Syria, WFP is fighting for families who are being pushed to the brink. Find out how we’re responding to ensure families have the security that comes with a daily meal.
central african republic
level 3 emergency
See where we’re sounding the alarm.
remembering what matters         delivering despite
WFP’s Rasmus Egendal reflects on what really matters in Syria: The People.         Thanks to our supporters like you, WFP has been able to deliver food in South Sudan from the start.
starting stars from car         reporting from damascus
Get the facts & figures you should know: 60% of families in Central African Republic have no food.         Watch an update from WFP’s Executive Director who met Syrian families relying on WFP assistance.
follow wfp     facebook     twitter

You have received this email message from EmailCiti, the leading Email Behavior and Lead Generation Company in the GCC & Middle East. Your email address has been recorded because you have subscribed to one of our email &newsletters services or are registered with one of our Partner and affiliate sites. For more information, visit www.emailciti.com
If you don't wish to receive these emails anymore please click here.

The email originates from 208.95.135.84 [mail3345.emailciti.mkt3942.com] (Silverpop Systems, US) and spamvertises an intermediate site at links.emailciti.mkt3941.com on 74.112.69.20 (Silverpop again) and then forwards to www.wfp.org/hunger-hot-spots if you click through.

The email itself is digitally signed, so we can be reasonably assured that it originates from loyaltyciti.com, who are in Dubai:

Registry Registrant ID:
Registrant Name: mohammad Lahlouh
Registrant Organization: Emailciti
Registrant Street: Dubai Media City, Building #8
Registrant City: Dubai
Registrant State/Province: Dubai
Registrant Postal Code: 502382
Registrant Country: United Arab Emirates
Registrant Phone: +971.507735717
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mlahlouh@emailciti.com
Registry Admin ID: 


These people are persistent spammers who usually send through some unsolicited crap several times a week, using an email address that is effectively a spamtrap. What is really annoying is that the WFP is paying these spammers to run a campaign of dubious value when they could be helping to feed starving people.

Thursday 30 May 2013

Al Rowaad Advocates - scumbag, spammy lawyers

This scumbag law firm from the UAE advertises itself through spam.

From:     Professional Lawyers in the UAE [uaelawyers@gmx.com]
Reply-To:     uaelawyers@gmx.com
Date:     30 May 2013 18:52
Subject:     Al Rowaad Advocates - Monthly Newsletter - May 2013

Dear Sirs,

Please forgive our direct email which is intended to give a brief introduction to our law firm based in the United Arab Emirates.

Al Rowaad Advocates and Legal Consultancy is an astute, diverse firm of lawyers working for businesses and private clients, nationally and internationally. The firm is highly regarded, often recommended by other lawyers and is known for combining creative solutions with commercial pragmatism and a friendly, sensitive approach. The firm is also renowned for its integrity and experience in dealing with complex and varied legal issues. Al Rowaad has expertise in clinical negligence, corporate and commercial work, criminal litigation, dispute resolution, family law, employment, real estate and regulatory work.

Al Rowaad Advocates and Legal Consultancy is proud to introduce its monthly newsletter that will discuss topical issues in the legal profession. The newsletter will touch upon various areas of law in the UAE and analyse changes in complex legislative, governance and regulatory provisions.

If you wish to subscribe, please email us at uaelawyers@gmx.com.

Thank you,
Al Rowaad Advocates & Legal Consultancy
Tel.: +971 4 3254000
Fax: +971 4 358 9494

Integrity? Sending spam to an email address that you scraped off the web? I don't think so. The originating IP is 220.112.38.133 in China, presumably where they have outsourced their scummy marketing to.

Friday 26 October 2012

apl.de.ap spam

I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the Middle East.

Although the links in the spam below look like tinyurl links, they're not: they go through a redirector at ykadl.net on 109.236.88.71, the same IP used to send the spam.

The WHOIS details for the spammer domain are:

Technical Name:                Domain Admin
Technical Company:        Create-Send.net
Technical Address:        57 Kingsway Avenue
Technical Address:        Auckland
Technical Address:       
Technical Address:        Auckland
Technical Address:        Na
Technical Address:        1010
Technical Address:        New Zealand
Technical Email:        info@create-send.net
Technical Tel:                +64.279237205


Anyway, here's the spam in case you really want to buy tickets from a shady bunch of spammers..

From:     DNA alex@ykadl.net
Reply-To:     DNA [alex@ykadl.net]
Date:     26 October 2012 04:48
Subject:     Black Eyed Peas/ APL DE AP in Dubai
Signed by:     ykadl.net

BLACK EYE PEAS founding member APL DE AP heads to Dubai

BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.

Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.

APL DE AP and the other members of the Black Eyed Peas have been on a hiatus from the band for the last year.In 2011 The Black Eyed Peas were ranked 12th on the Billboard's Decade-End Chart Artist of the Decade, the group performed in February 2011 at the halftime show of Super Bowl XLV.

✻TICKETS COST 165AED for this fabulous International Star event with full bar facilities, waiter service and live food stations.✻

TICKETS ARE NOW AVAILABLE ON:

✻TIMEOUT***TICKETINGCO***MARHABA***PLATINUM✻

TIMEOUT * http://tinyurl.com/bvrtjxx

PLATINUM LIST * http://tinyurl.com/cs8wdox

TICKETINGCO * http://tinyurl.com/cctq2s8

✻ FOR VIP TABLE RESERVATIONS CALL 050 1428363✻
For more info@dnapre.com✻21+ ✻ ID required ✻ Couples & mixed groups preferred.✻ Normal club policies apply ✻

✻THIS WILL BE A SELLOUT EVENT. Get your Tickets fast.✻

Share This
Unsubscribe | Forward to a Friend

Click here to opt-out

Wednesday 24 August 2011

Fake jobs: greece-career.com, il-career.com, mc-jobs.com and oae-career.com

Four new domains peddling fake jobs today, forming part of this very long running scam.

greece-career.com
il-career.com
mc-jobs.com
oae-career.com

The "jobs" offered are actually criminal activities such as money laundering. It may be that the email appears to come "from" you as well (the from address is trivially easy to fake, it doesn't mean that your machine is infected with anything).

Domains were registered two days ago to "Alexey Kernel", which is no doubt a fake name.

greece-career.com presumably targets Greek nationals, and il-career.com looks to be targeting Israelis. The other two are less clear, but our best guess is that mc-jobs.com might be targeting Macedonia (but the TLD is .mk) and oae-career.com might be the UAE and is just a typo. This continues the pattern of going after non-English speaking victims who might be fooled more easily by a scam email in their own language.

If you have any examples of this spam, please consider sharing them in the Comments. Thanks!

Thursday 21 July 2011

Etisalat - f*ck you very much

If you've never heard of Etisalat then you are probably lucky. Etisalat is the monopoly telecoms provider in the UAE, and like all monopoly providers it is basically crap.

Why am I bothered? Well, after receiving this same spam 4386 times with no sign of a let-up, I thought it might be nice if Etisalat educated their customer. Unfortunately, Etisalat's abuse mailbox doesn't work, presumably because it is packed full of complaints and nobody from Etisalat can manage to shift their fat sweaty arses enough to look at it.

Now, not getting a response to abuse complaints is pretty typical and not really worth commenting on. However, I was eventually able to get a response from customer support. And it looked promising!

Thank you for contacting Etisalat Customer Care Center.

Further to your email, please accept our sincere apologies for any inconvenience happened. We had escalated the issue to the concerned department and will update you soon after we receive a reply. Kindly bear with us for the delay. reference number 388135

Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.

Great.. I thought. Better late than never. So I waited.. and the next reply was basically a "fuck you" from Etisalat:

Thank you for contacting Etisalat Customer Care Center.
Kindly enable sufficient anti spam settings or add filters in your email to overcome the situation.
Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.

Wait.. what? The solution to Etisalat allowing customers to spam is.. basically to block email from Etisalat? So basically it is just too much effort for Etisalat to actually do anything. Maybe the airconditioning is broken in the Etisalat support offices and their arses are just too fat and sweaty today..

Anyway, 86.96.226.150 is the culprit to block, but if you follow Etisalat's own recommendations then block email coming in from 86.96.226.0 - 86.96.239.255 (86.96.224.0/20) just to be on the safe side.
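The blocklists across these posts mix three notations (a bare IP, a CIDR block, and the dashed range above), so a filter needs to normalise them before matching connecting hosts. The script below is an added example for this page, not code from the blog; it uses the posts' own blocklist entries, constructed Postfix-style log lines, and shows one caveat: the dashed range 86.96.226.0 - 86.96.239.255 summarises to three blocks, while the /20 given alongside it also covers 86.96.224.0 - 86.96.225.255.

```python
import ipaddress

# The blocklist lines the posts above give, in all three formats they use:
# a bare IP, a CIDR block, and a dashed range (the Etisalat post).
BLOCKLIST = [
    "185.106.122.0/24", "185.129.148.0/24",             # 5 July 2016
    "185.82.202.170", "88.214.236.11", "5.34.183.40",   # 11 May 2016
    "86.96.226.150", "86.96.226.0 - 86.96.239.255",     # Etisalat post
]

def parse_entry(entry: str) -> list:
    """One blocklist line -> list of IPv4Network (a dashed range may need several)."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]   # a bare IP becomes a /32

def compile_blocklist(entries) -> list:
    """Parse every entry and merge overlaps, so a /32 already inside a block disappears."""
    nets = [n for e in entries for n in parse_entry(e)]
    return list(ipaddress.collapse_addresses(nets))

def matches(ip: str, nets):
    """Return the blocklist network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)

def covered(ip: str, cidr: str) -> bool:
    """True if ip lies inside cidr (used to compare the dashed range with the /20)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def scan_log(lines, nets) -> list:
    """(relay_ip, matched_network) for each MTA log line whose connecting host is listed."""
    hits = []
    for line in lines:
        ip = line.rsplit("[", 1)[1].rstrip("]")   # last '[ip]' is the connecting host
        net = matches(ip, nets)
        if net is not None:
            hits.append((ip, str(net)))
    return hits

SAMPLE_LOG = [  # constructed Postfix-style lines, not taken from the posts
    "Jul  5 12:47:01 mx postfix/smtpd[123]: connect from unknown[185.106.122.38]",
    "Jul  5 12:48:10 mx postfix/smtpd[124]: connect from mail.example.org[203.0.113.5]",
    "Jul 21 09:00:00 mx postfix/smtpd[125]: connect from unknown[86.96.226.150]",
    "Jul 21 09:00:05 mx postfix/smtpd[126]: connect from unknown[86.96.224.7]",
]
```

Running `scan_log(SAMPLE_LOG, compile_blocklist(BLOCKLIST))` flags the Host Sailor and Etisalat relays but not 86.96.224.7, which only the wider /20 catches.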

And Etisalat, in the words of the FCC Song, f*ck you very much.

Tuesday 5 July 2011

Sapphire Town Real Estate (sapphiretown.com) suck

I don't normally post twice on one spammer, but the idiots at Sapphire Town Real Estate seem to have hit new levels of stupidity with this spam that they have now sent 283 times, apparently about 1% into a dictionary attack (so I can expect to see it 28,000 more times!)

If they are this stupid when it comes to doing business then I would advise giving them a wide berth.

Update: now 4386 times and counting!