Perhaps minimalist spam works better: there is currently a Locky spam run using one of the subjects Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data plus a number (e.g. "Picture 4"), with a ZIP file attached whose name matches the subject (e.g. Picture 4.zip) and which in turn contains a malicious JavaScript that looks like this [pastebin]. There is no body text.
These automated analyses [1] [2] [3] [4] show that it is Locky. My usual sources tell me that the various scripts download from one of the following locations:
abplhomes.com/g76dbf
alyatater.com/g76dbf
baedalapp.com/g76dbf
beaumontschool.com/g76dbf
blastspraypolish.com/g76dbf
codefinder.co/g76dbf
copperfilters.com/g76dbf
cultural-ecology.com/g76dbf
designera.org/g76dbf
dev.indonesiatextile.id/g76dbf
dwimultimakmur.com/g76dbf
dziennikarze.lo-kolaczyce.pl/g76dbf
easytravelvault.com/g76dbf
elitednadt.com/g76dbf
emreker.com/g76dbf
faisal-ibrahim.info/g76dbf
fpi-canada.com/g76dbf
fresflor.net/g76dbf
gellyrepin.com/g76dbf
himytutor.com/g76dbf
informing.asia/g76dbf
jciindia.in/g76dbf
kantoor.vescolub.nl/g76dbf
kendalpos.com/g76dbf
lamurindo.com/g76dbf
lilxtreme.com/g76dbf
lookbeauty.ir/g76dbf
mahendradesai.net/g76dbf
newdesign.well.pk/g76dbf
nitrogenwebs.com/g76dbf
panaceapeople.com/g76dbf
permars.com/g76dbf
privatestashstorage.com/g76dbf
promo.worldloft.ru/g76dbf
read4change.com/g76dbf
runmyaccounts.ch/g76dbf
rws1.com.au/g76dbf
samuderaciptaraya.com/g76dbf
sendat.vn/g76dbf
shopro.ir/g76dbf
srcc.co.th/g76dbf
swissmades.com/g76dbf
tacunair.com/g76dbf
tciislandguide.com/g76dbf
uatsa.cl/g76dbf
vicampro.com/g76dbf
web.justproductions.co.uk/g76dbf
wivebeday.com/g76dbf
www.fireballindia.com/g76dbf
www.jockytours.com/g76dbf
www.pb2bb2c.com/g76dbf
www.pharmaciela.com/g76dbf
The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh
A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56. The malware then phones home to one of the following locations:
185.127.27.100/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks.php (Volia DataCentre, Ukraine)
The malware also attempts to contact the following locations, all of which seem to be inactive:
mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php
Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221
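As an added illustration (not code from the original post), here is a small Python check that applies the indicators above to constructed proxy-log lines: the stage-1 fetch of <host>/g76dbf with the random ?key=value query string described above, and the follow-up POST to /linuxsucks.php on a bare IP address. The log format, the client addresses and the benign lines are assumptions made for the example; the hosts and paths on the malicious lines are taken from the lists above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the original post). Format is
# "<timestamp> <client> <method> <url> <status>". The benign hosts are made up;
# the malicious lines reuse download hosts and C2 addresses from the post.
SAMPLE_LOG = """\
2016-10-25T09:12:01Z 10.0.0.15 GET http://abplhomes.com/g76dbf?EsIemTBBP=LHvybwFTeh 200
2016-10-25T09:12:03Z 10.0.0.15 POST http://185.127.27.100/linuxsucks.php 200
2016-10-25T09:13:10Z 10.0.0.22 GET http://intranet.example.test/g76dbf/report.html 200
2016-10-25T09:14:00Z 10.0.0.22 GET http://www.example.test/search?q=locky+ransomware 200
2016-10-25T09:15:30Z 10.0.0.31 GET http://kantoor.vescolub.nl/g76dbf?QwErTy=AsDfGh 404
2016-10-25T09:16:00Z 10.0.0.31 POST http://91.200.14.124/linuxsucks.php 200
"""

# Campaign-specific download path token from the post. Stage-1 URLs are
# "<compromised host>/<token>" with a random query string such as
# ?EsIemTBBP=LHvybwFTeh appended: one random alphabetic key, one random value.
DOWNLOAD_TOKEN = "g76dbf"
RANDOM_QUERY = re.compile(r"^[A-Za-z]{6,16}=[A-Za-z]{6,16}$")

# Check-in path used by this Locky build; the observed C2s are bare IP addresses.
C2_PATHS = {"/linuxsucks.php"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(url, method):
    """Return a finding label for one request, or None if it looks benign."""
    parts = urlsplit(url)
    path = parts.path
    # Stage 1: the script fetches the payload from "<host>/g76dbf?<random>=<random>".
    if path == f"/{DOWNLOAD_TOKEN}" and RANDOM_QUERY.match(parts.query or ""):
        return "locky-stage1-download"
    # Stage 2: the dropped DLL posts its check-in to an IP-addressed C2.
    if method == "POST" and path in C2_PATHS and BARE_IP.match(parts.hostname or ""):
        return "locky-c2-checkin"
    return None


def scan(log_text):
    """Return (client, label, url) tuples for every matching log line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, client, method, url, _status = m.groups()
        label = classify(url, method)
        if label:
            findings.append((client, label, url))
    return findings


def blocklist_from_findings(findings):
    """Collect the C2 IPs seen in check-ins; these are what the post's blocklist names."""
    return sorted({urlsplit(u).hostname for _c, label, u in findings
                   if label == "locky-c2-checkin"})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for client, label, url in results:
        print(f"{client} {label} {url}")
    print("block:", blocklist_from_findings(results))
```

The stage-1 match is deliberately exact on the path (/g76dbf with nothing after it), so an internal page that happens to live under a /g76dbf/ directory is not flagged; a 404 on the download URL is still reported, since the attempt alone shows the script ran on that client.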
Showing posts with label Ukraine.
Tuesday 25 October 2016
Monday 24 October 2016
Malware spam: "Complaint letter" leads to Locky
This spam leads to Locky ransomware:
From: "Justine Hodge"
Date: Mon, 24 Oct 2016 19:27:53 +0600
Subject: Complaint letter
Dear [redacted],
Client sent a complaint letter regarding the data file you provided.
The letter is attached.
Please review his concerns carefully and reply him as soon as possible.
Best regards,
Justine Hodge
The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter".
My source tells me that these scripts download from one of the following locations:
adultmagstore.com/itc0h81
alkanshop.com/zrwcx8om
azaminsaat.com/nyzhvh2c
bwocc.org/dkttu
circolorisveglio.com/dw2hheb
coreywallace.com/qjkrlxp
corployalty.it-strategy.ru/p4icah5h
cruzdemiguel.com/jittrxkr
cz1321.com/zg4c4m
decorvise.com/g7k3n
denas-express.ru/fl5vy16
desthailand.com/wfmaq0az
disneyrentalvillas.com/k2ars5j2
downtownlaoffice.com/ixmh1
DSWRITINGS.ORG/lnf7gv
duvalitatli.com/umx3btc1
executivegolfmanagement.com/qtzsegm6
firephonesex.com/bxuobuam
fjbszl.com/m4q1pmr5
fraildata.net/09rz1jcj
fraildata.net/4s1szk77
fraildata.net/5ti18g
fraildata.net/9b8cba
getitsold.info/cndrdsu9
girlsoffire.com/d2k0b967
GNSTUDIO.NET/sxv6fhqo
greenmedicalgroup.org/dy7s5
gruffcrimp.com/352gr0
gruffcrimp.com/5inrze
gruffcrimp.com/8vzak
gruffcrimp.com/bki56h
gunnisonkoa.com/d5cw6
gzxyz.net/zznej
hetaitop.com/pgq8e
infopea.com/bm747o9
iwebmediasavvy.com/eu7mq36w
jejuep.com/jh7rrgbi
jejui.com/j1ldsf
julianhand.com/hollu
jzmkj.net/y7tf2
kak-vernut-devushku.gq/rwlr9
kirijones.net/2b8fnrqm
kirijones.net/4v7574mp
kirijones.net/66wey
kirijones.net/a2r3pme
lqfrdj.com/rbpkt
luobuma8.com/h5hq2que
myboatplans.net/p8gik2g8
nightpeople.co.il/o8le7
onlysalz.com/xjo100
payrentonline.org/l3mdiv7y
pblossom.com/t78u8
potchnoun.com/06p2vxua
potchnoun.com/38j2xn
potchnoun.com/5ngsn8g5
potchnoun.com/8x2nt
privateclubmag.com/wyztr73
prodesc.net/x7nlxq
relentlesspt.com/faisexor
riyuegu.net/o69ecb
royallife.co.uk/mx5nck
ryanrandom.com/hwv97p8
scope-t.com/loinhgm
sexybliss.co.uk/en8ds7nt
sunproductivity.com/m6ot1
taiyuwanli.com/cpkd9
theleadershipdoc.com/wm1bv
turservice.xaker007.net/k92b92
ukdistributionservices.com/x1397
vowedbutea.net/2f1okfif
vowedbutea.net/5491o
vowedbutea.net/8jtnj8nt
vowedbutea.net/apupuyh3
weekcoupon.com/hggbcg
wjyunfanbs.com/ihku0r53
www.studiorif.ru/toiu7
xn--80aa3c3a.xn--b1aajgfxm2a9g.xn--p1ai/xip5lltq
xn--b1aajgfxm2a9g.xn--p1ai/dxd3v
yourrealestateconnection.us/rlfh0
The malware phones home to the following URLs:
109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)
The following URLs are also contacted but are not active:
mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php
Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
81.177.22.221
Monday 3 October 2016
Malware spam: "[Scan] 2016-1003 15:26:26" / "Sent with Genius Scan for iOS." leads to Locky
This fake document scan leads to Locky ransomware:
From: DAMON ASHBROOK
Date: 3 October 2016 at 10:56
Subject: [Scan] 2016-1003 15:26:26
--
Sent with Genius Scan for iOS.
The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat.
This Malwr analysis shows some of the infection in action. Overall my sources tell me that the various malicious macros download from:
acaciainvest.ro/jhg45s
alraysa.com/jhg45s
anthonycarducci.lawyerpublicity.com/jhg45s
antiquescollectablesandjuststuff.com/jhg45s
atronis.com/jhg45s
bluewaterappco.com/jhg45s
boservice.info/jhg45s
catlong.com/jhg45s
cedrussauna.com/jhg45s
craftsreviews.com/jhg45s
denvertracy.com/jhg45s
dickenshandchimes.com/jhg45s
far-infraredsaunas.com/jhg45s
foe-2.com/jhg45s
gcandcbuilderssite.aaomg.com/jhg45s
hostmyimage.biz/jhg45s
icdsarch.com/jhg45s
inmopromo.com/jhg45s
lesscellantshautegamme.ca/jhg45s
maxleather.aaomg.com/jhg45s
mmm2.aaomg.com/jhg45s
monkeysdragon.net/jhg45s
orhangazitur.com/jhg45s
parkerneem.com/jhg45s
test.cedrussauna.net/jhg45s
tsukasagiku.com/jhg45s
villadiana.lv/jhg45s
webhost911.com/jhg45s
C2 locations are:
149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
logwudorlghdou.info/apache_handler.php
krmwgapkey.work/apache_handler.php
hruicryqytbmc.xyz/apache_handler.php
vswaagv.org/apache_handler.php
smskymrtssawsjb.org/apache_handler.php
wvandssbv.org/apache_handler.php
ytxsbkfjmyxglvt.click/apache_handler.php
rqybmggvssutf.xyz/apache_handler.php
qaemlwlsvqvgcmbke.click/apache_handler.php
btlyarobjohheg.ru/apache_handler.php
civjvjrjjlv.pw/apache_handler.php
xlarkvixnlelbsvxl.xyz/apache_handler.php
A DLL is dropped with a detection rate of 19/57.
Recommended blocklist:
149.202.52.215
217.12.199.244
Thursday 29 September 2016
Malware spam: "Receipt 103-526" / Receipt.xls
This spam leads to Locky ransomware:
From: rosalyn.gregory@gmail.com
Date: Thu, 29 Sep 2016 21:07:46 +0800
Subject: Receipt 103-526
I cannot tell if there is any body text, however there is an attachment Receipt.xls which contains malicious code [pastebin] that in the case of the sample I analysed downloads a binary from:
opmsk.ru/g76ub76
There will be many other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:
89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
A malicious DLL is dropped with a detection rate of 6/57. Malicious IPs and domains overlap quite a bit with this earlier attack. This version of Locky encrypts files with a .odin extension.
UPDATE - a source indicates these are all the download locations in this attack:
1gouw.com/g76ub76
368lx.com/g76ub76
81millstreet.nl/g76ub76
alliswelltour.com/g76ub76
ampconnect.com/g76ub76
anhsaodem.info/g76ub76
aseandates.com/g76ub76
birthstory.com/g76ub76
cmcomunicacion.es/g76ub76
dedivan.ru/g76ub76
demo.website.pl/g76ub76
econopaginas.com/g76ub76
gadget24.ro/g76ub76
globalremoteservices.com/g76ub76
innogenap.com/g76ub76
juyinggroup.com/g76ub76
kelownatownhomes.com/g76ub76
mediumsize.org/g76ub76
opmsk.ru/g76ub76
parentchildmothergoose.com/g76ub76
parroquiansg.org/g76ub76
slaterarts.com/g76ub76
sonajp.com/g76ub76
studiorif.ru/g76ub76
unforgettabletymes.com/g76ub76
Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132
Malware spam: "Temporarily blocked" leads to Locky
The attachment on this spam email leads to Locky ransomware:
From: "Ambrose Clements"
Subject: Temporarily blocked
Date: Thu, 29 Sep 2016 13:37:53 +0400
Dear [redacted]
this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
We attached the scan of transactions. Please confirm whether you made these transactions.
Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download from one of the following locations:
0793mobile.com/jetg2
109.73.234.241/dgq01p
18901350711.com/ll0wdsu
365jtoo.com/qw3r7arg
3ddentalimage.com/ytouk6
489ean.com/r2jdxy
51steel.org/s4b5ztgc
59jd.com/ggha9
5i5k.net/j0g1jk3
5iroom.com/vqv5yibr
91ise.info/pcre0ri4
abbiholland.com/f5ioimw
aldohuaman.com/52y3am
antamduc.com/ttbysvp
a-we.com/o0m5ayu
baankonkoh.com/hhon5mma
cielitodrive.com/x8vqc6
columbiaprintingservices.com/u542pjoi
cranioactive.com/l7vb0
cyprusnike.com/kkpno
domaks-dom.ru/mugr3gb1
exonbalai.com/1r1y6so
exonbalai.com/4dnv8
fhgmediaent.com/66aslu
hastarim.com/nyyjoec
immewrood.net/2j4z9px
immewrood.net/52y3am
inspirationbydesire.com/lfmlspp
jetpcl.com/m23gz0tv
joventa.sk/25fkt
jscompuserve.com/sqa5iq4
kayooo.net/67mxndh
khasitez.net/0a5lma5
khasitez.net/2m01898x
kidzvidz.com/miwn5
kitamachiweek.com/khcg0ta4
knigoboz.ru/nessj4k8
londonmusicclub.com/j6ln7cl
mayurinkorat.com/igxbat
ogeedfungo.net/0zqoae
ogeedfungo.net/3n4pwk
olimp-otel.ru/vevfq
pthcu.org/vnqdve7
redegamb.com/25fkt
redegamb.com/4gwca5b
rglogistic.com/var79sa
sewingwholesale.com/o8hn4
supplyglassess.com/gbnfsmh
szaloncukor.net/jelxoi
tolgaustun.com/drnag
touchasoul.org/nha0pkom
unwantedtattoos.co.uk/e1mbgfej
vaidia.com/y6m3en
viptabien.com/al9n7nh
web4-magento.com/cdlp4o
websitedesigncourse.net/p9580
wikichemicals.com/v1x7cfd
wirelessdd.com/692lrr
womenepic.com/89spy93v
The decoded malware then phones home to:
195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
gqackht.biz/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
bgldptjuwwq.org/apache_handler.php
cxnlxkdkxxxt.xyz/apache_handler.php
rcahcieii.work/apache_handler.php
uxaoooxqqyuslylw.click/apache_handler.php
vwktvjgpmpntoso.su/apache_handler.php
upsoxhfqut.work/apache_handler.php
nqchuuvgldmxifjg.click/apache_handler.php
ofoclobdcpeeqw.biz/apache_handler.php
kfvigurtippypgw.pl/apache_handler.php
toescilgrgvtjcac.work/apache_handler.php
Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132
Wednesday 28 September 2016
Something evil on 69.64.63.77
This appears to be some sort of exploit kit leveraging hacked sites, for example:
[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report. The IP address appears to be a customer of ServerYou:
OrgName: MegaHosterNetwork
OrgId: MEGAH
Address: Zaporozhskogo kazachestva 15
City: Zaporozhzhe
StateProv:
PostalCode: 69097
Country: UA
RegDate: 2012-09-02
Updated: 2012-09-02
Ref: https://whois.arin.net/rest/org/MEGAH
These other domains are hosted on the same IP:
[donotclick]j8le7s5q745e.org
[donotclick]3wdev4pqfw1u.org
[donotclick]fg1238tq38le.net
All of those domains are registered to:
Registrant Name: sergey muromov
Registrant Organization: sergey muromov
Registrant Street: veteranov 45-87
Registrant City: sank-tpeterburg
Registrant State/Province: leningradckaya
Registrant Postal Code: 458223
Registrant Country: RU
Registrant Phone: +7.66473838987
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: muromov96@bk.ru
It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking.
Locky download and C2 locations 2016-09-28
It's one of those days where I haven't been able to look at Locky much, but here is some analysis of download locations from my usual trusted source.
Binary download locations:
agri-host.us/67fgbcni
bigballsincowtown.com/67fgbcni
deeryarch.me/67fgbcni
dfl210.ru/67fgbcni
dslayer.net/67fgbcni
hasatbey.com/67fgbcni
house-of-quality.com/67fgbcni
intesols.com/67fgbcni
ivankhoo.com/67fgbcni
kolonker.com/67fgbcni
komsutekstil.com/67fgbcni
lucianasaliani.com/67fgbcni
marlonmendieta.com/67fgbcni
muangbouge.com/67fgbcni
naughtypixelads.com/67fgbcni
noorgames.com/67fgbcni
obtenloya.com/67fgbcni
patriciaclarkfinley.com/67fgbcni
permanentmark.sk/67fgbcni
podaripodarok.ru/67fgbcni
ramsdale.org/67fgbcni
rikuzentakata-mpf.org/67fgbcni
sigglab.com/67fgbcni
thehotelandrea.com/67fgbcni
travicoperu.com/67fgbcni
villaangela.info/67fgbcni
wmediatraining.com/67fgbcni
zahrady-landart.sk/67fgbcni
bathecista.com/1xz8pu
bathecista.com/8rjz1fr
bildungsmedien.org/je62fq
casaxavier.com.mx/p5hq150
cdou.ru/mhr53p
centralfirepro.com/sba7l
chimesmedia.com/ecn343f
chole-ray.com/yb1ambd
cydotomasyon.com/o8sh8
cylooks.com/y1kj5y4i
czeladz24.com/qvms47
depersoneelskamer.nl/v2h0o
doorleads.com/d9txgc
drsearsprime-time.com/pzcpg
edunayok.org/i4qnmc13
etustime.com/xa7sajm4
fatquote.net/0znym9
fatquote.net/4kj0ecdq
formationinnovation.net/dvzeb154
galinakireeva.ru/tmdq8o9z
gideroto.com/gtslcf
gonenisi.com/f5f91g1
healingwaterscc.com/souanzj5
hobbydays.ru/rrzvs
housellaw.com/lhfxwgx7
i-mdv.com/yb7rwfj
inchallahrencontre.net/rax72ya
i-school-tutor.com/ucg4c8
izmirisgb.com/dknjf
linoteil.com/1fm2x9
linoteil.com/8ncfzoi
lordalexleon.com/vbsmt6d
mineralhound.com/micmlf
ncbwhb.com/padk5n
nevis-football.com/u7tohi
nvwriter.com/eh4zm
panusnikom.com/k6hk6
pblossom.com/a91a5u
portal.rimpro.ru/s20c5
powercomm.ie/v57lkb
rimiller.com/sw1axrg
roxyperu.com/j6qpb5eb
servisix.com/csavi3l
shendiaoqzj.com/az1j2cq
shinganist.com/hl8he62
softgallery.dk/x5yjlhh
sscsci.com/c761057
styleyate.net/0o9tl6d
styleyate.net/2sn8erda
sunteamvn.com/uda8s
susanthomas.net/mq9ea3
taitong.info/tl6q7zlc
tanerkaplama.com/oa9wr5p
teamindo.com/sfpkv
tzabanga.com/bnxg4hp
vicwulaw.com/vjbql
waspyfauna.com/0vzw8y
waspyfauna.com/4aegrg
xfjt.org/lcwg8o
youtuberankchecker.net/wkmdc
C2s:
176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh.biz/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
rluqypf.pw/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk.biz/apache_handler.php [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap.info/apache_handler.php
kdbbpmrdfnlno.pl/apache_handler.php
jlhxyspgvwcnjb.work/apache_handler.php
dceaordeoe.ru/apache_handler.php
gisydkcsxosyokkuv.work/apache_handler.php
mqlrmom.work/apache_handler.php
wfgtoxqbf.biz/apache_handler.php
ndyevynuwqe.su/apache_handler.php
vgcfwrnfrkkarc.work/apache_handler.php
Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158
Tuesday 20 September 2016
Malware spam: "Tracking data" leads to Locky
This spam has a malicious attachment leading to Locky ransomware:
From: Loretta Gilmore
Date: 20 September 2016 at 08:31
Subject: Tracking data
Good afternoon [redacted],
Your item #9122164-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.
The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.
The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name.
Analysis of the attachments is pending.
Monday 19 September 2016
Malware spam: "Express Parcel service" leads to Locky
This spam has a malicious attachment:
From: Marla Campbell
Date: 19 September 2016 at 09:09
Subject: Express Parcel service
Dear [redacted], we have sent your parcel by Express Parcel service.
The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.
Thank you.
Attached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing.
The Hybrid Analysis for one sample shows a download location of:
178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)
There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:
195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra.pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)
It drops a DLL with a detection rate of 8/54.
UPDATE
These Hybrid Analysis reports of other samples [1] [2] [3] [4] [5] show other download locations at:
roxieimshi.com/eppmn
roxieimshi.com/y4lf1neg
foveawaac.net/yjmaazj
foveawaac.net/wzwzjply
merofid.com/zn6mcj
All of these domains are hosted on evil IPs:
178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)
These domains are all related and should be considered malicious:
duelrid.com
merofid.com
pradran.com
adzebury.com
amrastacy.com
bulkreasy.com
sternhala.com
gobantakao.com
roxieimshi.com
tearyrecce.com
wyvesnarl.info
aborik.net
ecadxyst.net
maydayen.net
ponggirr.net
foveawaac.net
normadnex.net
pawlrubia.net
pradkevyn.net
satyrwelf.net
vernpucka.net
yerndrunk.net
latexuchee.net
maggycocoa.net
moismdheri.net
rokerlelia.net
sparmsov.org
citmowra.in
swagpaty.in
Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10
91.194.250.131
The last one listed in italics is part of the update.
Tuesday 13 September 2016
Malware spam: "Attached is the tax invoice of your company. Please do the payment in an urgent manner." leads to Locky
This fake financial spam leads to Locky ransomware:
Subject: Tax invoice
From: Kris Allison (Allison.5326@resorts.com.mx)
Date: Tuesday, 13 September 2016, 11:22
Dear Client,
Attached is the tax invoice of your company. Please do the payment in an urgent manner.
Best regards,
Kris Allison
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:
adzebur.com/dsd7gk [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
[78.212.131.10] (21 Century Telecom Ltd, Russia)
[31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
[23.95.106.223] (New Wave Netconnect, US)
[23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]
The payload then phones home to:
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php
Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71
UPDATE: further analysis gives these other IPs to block:
78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116
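The blocklists in these posts mix single addresses with CIDR ranges (a /28 and a /25 here, whole /24 and /22 blocks in later posts), and the callback URLs share a handful of paths (/data/info.php, /php/upload.php, /upload/_dispatch.php). The following is an added example, not code from this blog: a Python matcher that compiles this post's blocklist with the standard ipaddress module and scans proxy log lines, flagging both blocklisted destinations and requests to the callback paths seen across these posts. The log format, the sample lines and the function names are assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Blocklist entries as published in the post above (hosts and CIDR ranges).
BLOCKLIST = [
    "37.200.70.6",
    "91.214.71.101",
    "51.255.105.0/28",
    "185.154.15.150",
    "46.173.214.95",
    "95.85.29.208",
    "217.187.13.71",
    "31.210.120.153",
    "192.3.7.44",
    "23.95.106.128/25",
    "23.249.164.116",
]

# Callback paths seen across the posts on this page; matching on the path
# catches a fresh C2 host that is not yet on any IP blocklist.
C2_PATHS = ("/data/info.php", "/php/upload.php", "/upload/_dispatch.php")


def compile_blocklist(entries):
    """Turn mixed host/CIDR strings into ip_network objects (a bare host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_is_blocked(ip, networks):
    """True if the address falls inside any listed host or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Assumed proxy log layout: "<timestamp> <client> <dest_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def scan_log(lines, networks):
    """Return (line_no, reason) for every line that hits the blocklist or a callback path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real gateway would count these separately
        _, _, dest_ip, _, url, _ = m.groups()
        reasons = []
        if ip_is_blocked(dest_ip, networks):
            reasons.append("blocklisted destination %s" % dest_ip)
        path = urlsplit(url).path
        if path in C2_PATHS:
            reasons.append("known Locky callback path %s" % path)
        if reasons:
            hits.append((n, "; ".join(reasons)))
    return hits


# Constructed sample lines, not real traffic. 23.95.106.223 lies inside
# 23.95.106.128/25, 23.95.106.5 does not, and the fourth line uses an
# unlisted host but the campaign's callback path.
SAMPLE_LOG = [
    "2016-09-13T11:30:01Z 10.0.0.12 37.200.70.6 GET http://adzebur.com/dsd7gk 200",
    "2016-09-13T11:30:02Z 10.0.0.12 23.95.106.223 GET http://23.95.106.223/ 200",
    "2016-09-13T11:30:03Z 10.0.0.12 23.95.106.5 GET http://example.invalid/ 200",
    "2016-09-13T11:30:09Z 10.0.0.12 198.51.100.7 POST http://198.51.100.7/data/info.php 200",
    "2016-09-13T11:31:00Z 10.0.0.12 93.184.216.34 GET http://example.com/ 200",
]

if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG, compile_blocklist(BLOCKLIST)):
        print(line_no, reason)
```

Matching on the path as well as the address matters because the callback hosts in these posts change from week to week while the path stays the same; a path hit on an unlisted host is a candidate for the next blocklist and an alert to investigate, not on its own a confirmed infection.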
Labels: France, Locky, Malware, Montenegro, Netherlands, OVH, Ransomware, Russia, Spam, Ukraine, Viruses
Monday 5 September 2016
Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."
This fake financial spam has a malicious attachment:
From: Tamika Good
Date: 5 September 2016 at 08:43
Subject: Credit card receipt
Dear [redacted],
We are sending you the credit card receipt from yesterday. Please match the card number and amount.
Sincerely yours,
Tamika Good
Account manager
The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_
A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
canonsupervideo4k.ws/1bcpr7xx
This appears to be multihomed on the following IP addresses:
23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)
Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
The payload is probably Locky ransomware.
Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55
Labels: Hungary, Locky, Malware, Netherlands, Russia, Spam, TheFirst-RU, Ukraine, Viruses
Thursday 1 September 2016
Malware spam: "Please find attached invoice no" leads to Locky
This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.
Subject: Please find attached invoice no: 329218
From: victim@victimdomain.tld
To: victim@victimdomain.tld
Date: Thursday, 1 September 2016, 12:42
Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
________________________________
Disclaimer
This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download from one of the following locations:
158.195.68.10/87hcrn33g
branchjp.web.fc2.com/87hcrn33g
chal4.co.uk/87hcrn33g
dashman.web.fc2.com/87hcrn33g
dcqoutlet.es/87hcrn33g
forum.sandalcraft.cba.pl/87hcrn33g
hotcarshhhs6632.com/js/87hcrn33g
hotelimperium.go.ro/87hcrn33g
imperium.nazory.cz/87hcrn33g
kawasima0506.web.fc2.com/87hcrn33g
kissfm.rdsor.ro/87hcrn33g
ksiega.solidworks.cba.pl/87hcrn33g
nevrincea.50webs.com/87hcrn33g
olivier.coroenne.perso.sfr.fr/87hcrn33g
postaldigitalrs.com.br/87hcrn33g
pp4_09_10_2s.republika.pl/87hcrn33g
reklamnibannery.wz.cz/87hcrn33g
rhanwid.com/87hcrn33g
sac360.web.fc2.com/87hcrn33g
school3.50webs.com/87hcrn33g
srxrun.nobody.jp/87hcrn33g
szkolagrojec.republika.pl/87hcrn33g
wccf.huuryuu.com/87hcrn33g
www.agridiving.net/87hcrn33g
www.archiviestoria.it/87hcrn33g
www.cmg-ingegneria.it/87hcrn33g
www.coseincredibili.it/87hcrn33g
www.courtesyweb.it/87hcrn33g
www.dallaglio-nordin.com/87hcrn33g
www.galaturs.com.ua/87hcrn33g
www.gebrvanorsouw.nl/87hcrn33g
www.gunaldy.com/87hcrn33g
www.idiomestarradellas.com/87hcrn33g
www.infoteria.cba.pl/87hcrn33g
www.termoalbiate.com/87hcrn33g
zui9reica.web.fc2.com/87hcrn33g
The payload appears to be Locky ransomware. It phones home to:
188.127.249.32/data/info.php
95.85.19.195/data/info.php
212.109.192.235/data/info.php
jljiqkwchebdtng.click/data/info.php
xattllfuayehhmpnx.pw/data/info.php
gxytcem.info/data/info.php
cmodkwsxu.biz/data/info.php
cucifux.pw/data/info.php
yectcnixjvowtac.pw/data/info.php
wkufbyd.ru/data/info.php
cjtysjouoheneprhu.ru/data/info.php
ipbjheegfnwrhh.pl/data/info.php
xmujkqloyo.info/data/info.php
hyopihvoqidlgckyu.biz/data/info.php
bhooxdm.work/data/info.php
This is similar to the list here.
Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24
Malware spam: "Our shipping service is sending the order form due to the request from your company."
This fake shipping email comes with a malicious attachment:
Subject: Shipping information
From: Charles Burgess
Date: Thursday, 1 September 2016, 9:30
Dear customer,
Our shipping service is sending the order form due to the request from your company.
Please fill the attached form with precise information.
Very truly yours,
Charles Burgess
The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and ending with _shipping_service.js.
Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
joeybecker.gmxhome.de/430j1t
ngenge.web.fc2.com/vs1qc0
mambarambaro.ws/1zvqoqf
timetobuymlw.in/2dlqalg0
peetersrobin.atspace.com/t2heyor1
www.bioinfotst.cba.pl/u89o4
Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis shows the malware phoning home to:
5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24
Wednesday 31 August 2016
Malware spam: "bank transactions"
This fake financial spam comes with a malicious attachment:
From: Rueben Vazquez
Date: 31 August 2016 at 10:06
Subject: bank transactions
Good morning petrol.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
Yours truly,
Rueben Vazquez
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.
According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from the following locations (there are probably more):
www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis
Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analysis reports [7] [8] [9] these phone home to:
95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.
Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24
Labels: Germany, Hetzner, Locky, Malware, Netherlands, Ransomware, Russia, Spam, Ukraine, Viruses
Monday 15 August 2016
Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"
This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.
From: orderconfirmation@esab.co.uk
Date: 15 August 2016 at 10:37
Subject: Order Confirmation-7069-2714739-20160815-292650
_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.
ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof.
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV
The payload is Locky ransomware with a very low detection rate at present. It phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)
The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77
Thursday 11 August 2016
Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"
This spam has a malicious attachment:
From: Ashley [Ashley747@victimdomail.tld]
Date: 11 August 2016 at 11:13
Subject: New Doc 6-6
Scanned by CamScanner
Sent from Yahoo Mail on Android
The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:
151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6
The malware is Locky ransomware, and it phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)
Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197
Thursday 4 August 2016
Malware spam: "Business card" / "I have attached the new business card design." leads to Locky
This spam email has a malicious attachment:
From: Glenna Johnson
Date: 4 August 2016 at 10:18
Subject: Business card
Hello [redacted],
I have attached the new business card design.
Please let me know if you need a change
King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
Sender names and that long hexadecimal number will vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.
This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:
escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7
This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:
31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]
All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.
Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22
Monday 1 August 2016
Malware spam: "Please review the attached corrected annual report." / "Corrected report"
This spam comes with a malicious attachment:
Subject: Corrected report
From: Joey Cox (Cox.48@sodetel.net.lb)
Date: Monday, 1 August 2016, 13:37
Dear webmaster,
Please review the attached corrected annual report.
Yours faithfully
Joey Cox
The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware from one of the following locations (thank you to my usual source for analysis):
121.83.206.211/~ftp-yama/9z6nu
12-land.co.jp/gyukmx
209.202.52.42/~wevugoja/eijz2y
213.228.128.12/~joaod/2xbjbu
213.228.128.12/~joaod/74ujkijl
217.26.70.200/~pitagora/4nm1k
218.228.19.9/~yossi/9ssfpkz
67.23.226.139/~jneccsio/2egblt4m
79.96.153.93/cxzlkz
80.109.240.71/~r.theeuwes/6c1arl9
abufarha.net/55hhso
akeseverin.com/audqp
akva-sarat.nichost.ru/xc2kao
arogyaforhealth.com/l9bwo0
b-doors.ru/l65n0 - hash
bisericaromaneasca.ro/jzvtuc
bobbysinghwpg.com/k3v1t3v4
canplus.fc2web.com/faepi1
certifiedbanker.org/lg305
climairuk.com/kmbw8q
clinic.gov.ua/sku4ql
darkhollowcoffee.com/n69xfk
darkhollowcoffee.com/xlbps
enexp.ru/r2wbp6
fotografuj.pl/8hotlfc2
fotografuj.pl/y4m2b
gp-logistics.ru/uwkop
keven.site.aplus.net/rb9skl
krovgid.ru/wooq2
libertymanuals.com/o97dh92i
mobile-kontent.com/ou6ne
openspace.pro/teg7qur
paletteswapninja.com/~playre5/0mxupm8q
programistyczni.strefa.pl/j7xk8c
ramsayconstruction.ca/b27ix9s
rom-stroy.ru/s0kphjat
schlebach.25mm.ru/ycz6sn
seahawkexports.com/7954qp3a
shagunproperty.com/8ikrr
sigovka.ru/w790cg8h
steelfs.com.mx/00ucikvv
stroymonolit.su/7oiy5i8
tvoy-android.com/i8rsoei
u2319351.plsk.regruhosting.ru/vsfvyj1j
ultramarincentr.ru/jtmms
uxeurope.com/~guest/7rj3px
visionaero.com/9grdv
wordpress.pro-tiler.ru/mk9yi4wl
www.robtozier.com/bg58a
The dropped binary then attempts to phone home to:
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
The host for that last one comes up over and over again; it's time to block that /22.
Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22
Labels: Locky, Malware, Netherlands, Ransomware, Russia, Spam, Ukraine, Viruses
Friday 29 July 2016
Malware spam: "Voicemail from Anonymous" / SureVoIP [voicemailandfax@surevoip.co.uk]
This fake voicemail spam has a malicious attachment:
From SureVoIP [voicemailandfax@surevoip.co.uk]
Date Fri, 29 Jul 2016 17:47:41 +0700
Subject Voicemail from Anonymous <Anonymous> 00:02:15
Message From "Anonymous" Anonymous
Created: Fri, 29 Jul 2016 19:45:15 +0900
Duration: 00:02:37
Account: victimdomain.tld
The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip, containing a malicious .wsf script with a name similar to "account record =B5D=.wsf".
According to my trusted source (thank you as ever):
64.22.100.95/78h8ry
A1Engg.com/9u8jreve
am-i-evil.de/n3rv3rv
avaretv.atspace.com/n3rv3rv
cieslakwz.cba.pl/9u8jreve
curionaut.web.fc2.com/78h8ry
gim24.y0.pl/9u8jreve
guessen.privat.t-online.de/9u8jreve
gurannbania03.web.fc2.com/9u8jreve
hanokenko.web.fc2.com/n3rv3rv
hokkatsu6.web.fc2.com/78h8ry
kapiti-alpaca.co.nz/78h8ry
kathrin18.edv-kamue.de/78h8ry
kimani.dommel.be/n3rv3rv
martinezlabalsa.atspace.org/78h8ry
melzer-ferienwohnung.de/78h8ry
mertenitalia.atspace.com/78h8ry
paris82nana.cafe24.com/78h8ry
pixelacker.de/9u8jreve
rakurakutuuhang.web.fc2.com/n3rv3rv
rhodins.nu/n3rv3rv
sandalcraft.cba.pl/9u8jreve
shinryu1226.web.fc2.com/78h8ry
sspbadecz.ugu.pl/9u8jreve
www.amelander.nl/78h8ry
www.arrietayasociados.es/9u8jreve
www.atiyka.home.ro/9u8jreve
www.bobp.org.uk/9u8jreve
www.cabana.it/9u8jreve
www.corama.com/n3rv3rv
www.cs-strumentazione.it/9u8jreve
www.destine.broker.go.ro/n3rv3rv
www.diegofabbri.com/n3rv3rv
www.ecologica2000srl.eu/78h8ry
www.finnform.it/n3rv3rv
www.flamarimports.com.br/n3rv3rv
www.josegbueno.jazztel.es/9u8jreve
www.malzi.mynetcologne.de/n3rv3rv
www.markomielentz.de/78h8ry
www.nieli.de/9u8jreve
www.oliooddo.com/n3rv3rv
www.professionaldga.com/78h8ry
www.suesswarentechniker.de/78h8ry
www.techninov.fr/n3rv3rv
yohollywood.50webs.com/78h8ry
The downloaded binary is Locky ransomware, phoning home to:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
Labels: Locky, Malware, Netherlands, Ransomware, Russia, Spam, Ukraine, Viruses, Voice Mail
Tuesday 26 July 2016
Malware spam: "Attached Image" leads to Locky
This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.
From: victim@victimdomain.tld
To: victim@victimdomain.tld
Date: 26 July 2016 at 10:27
Subject: Attached Image
**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************
Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:
www.isleofwightcomputerrepairs.talktalk.net/okp987g7v
There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216
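As an added example (not part of the original posts or of the source's analysis): a short Python script that takes a representative subset of the download locations and the phone-home addresses listed in the three posts above, checks that every phone-home IP actually falls inside the recommended blocklists (including the 91.219.28.0/22 range), extracts the distinct download paths that are reused across many compromised hosts, and then runs those indicators over a few constructed proxy log lines. The log lines and their Squid-like layout are assumptions for the demonstration, not real traffic.

```python
"""Added example (not from the original posts): turn the listed IOCs into a
blocklist coverage check and a simple proxy-log matcher."""
import ipaddress
from urllib.parse import urlsplit

# A subset of the download locations from the posts above (host/path, no scheme).
DOWNLOAD_URLS = [
    "64.22.100.95/78h8ry",
    "A1Engg.com/9u8jreve",
    "am-i-evil.de/n3rv3rv",
    "paletteswapninja.com/~playre5/0mxupm8q",
    "www.isleofwightcomputerrepairs.talktalk.net/okp987g7v",
]

# Phone-home locations and the combined recommended blocklists from the posts above.
C2_URLS = [
    "91.230.211.139/upload/_dispatch.php",
    "37.139.30.95/upload/_dispatch.php",
    "91.219.29.48/upload/_dispatch.php",
    "178.62.232.244/upload/_dispatch.php",
    "91.195.12.143/upload/_dispatch.php",
    "31.41.47.41/upload/_dispatch.php",
    "91.234.35.216/upload/_dispatch.php",
]
BLOCKLIST = ["91.230.211.139", "37.139.30.95", "91.219.28.0/22",
             "178.62.232.244", "91.195.12.143", "31.41.47.41", "91.234.35.216"]


def split_ioc(ioc):
    """Return (host, path) for a scheme-less 'host/path' IOC; host is lowercased."""
    host, _, path = ioc.partition("/")
    return host.lower(), "/" + path


def blocklist_networks(entries):
    """Parse bare IPs and CIDRs into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked(ip, networks):
    """True if the address sits inside any blocklist network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def uncovered_c2(c2_urls, blocklist):
    """Phone-home IPs the blocklist would NOT stop; should come back empty."""
    nets = blocklist_networks(blocklist)
    return [split_ioc(u)[0] for u in c2_urls if not is_blocked(split_ioc(u)[0], nets)]


def uri_paths(download_urls):
    """Distinct URI paths. The same random path is served from many hosts,
    so matching on the path also catches hosts that were not in the list."""
    return sorted({split_ioc(u)[1] for u in download_urls})


# Constructed proxy log lines (not real traffic): timestamp client method url status
SAMPLE_LOG = """\
1469880001 10.0.0.17 GET http://www.nieli.de/9u8jreve?AbCdEf=XyZ 200
1469880002 10.0.0.17 GET http://example.org/index.html 200
1469880003 10.0.0.23 POST http://91.219.29.48/upload/_dispatch.php 200
1469880004 10.0.0.42 GET http://kapiti-alpaca.co.nz/78h8ry 200
"""


def scan_log(log_text, download_urls, c2_urls, blocklist):
    """Flag lines whose URL path is a known downloader path, or whose host is a
    known C2 host or a blocklisted IP. Returns a list of (line_no, reason)."""
    paths = set(uri_paths(download_urls))
    c2_hosts = {split_ioc(u)[0] for u in c2_urls}
    nets = blocklist_networks(blocklist)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        parts = urlsplit(fields[3])           # urlsplit drops the query string
        host = (parts.hostname or "").lower()
        if parts.path in paths:
            hits.append((n, "downloader path " + parts.path))
        elif host in c2_hosts or (_is_ip(host) and is_blocked(host, nets)):
            hits.append((n, "C2/blocklisted host " + host))
    return hits


if __name__ == "__main__":
    print("uncovered C2:", uncovered_c2(C2_URLS, BLOCKLIST))
    print("downloader paths:", uri_paths(DOWNLOAD_URLS))
    for hit in scan_log(SAMPLE_LOG, DOWNLOAD_URLS, C2_URLS, BLOCKLIST):
        print(hit)
```

The path match is the part worth deploying: the three posts show the same random path (78h8ry, 9u8jreve, n3rv3rv and so on) served from dozens of unrelated compromised sites, so a proxy or IDS rule keyed on the path catches download hosts that never made it into the list, and stripping the query string keeps a random query from defeating the match. Blocking a whole /22 of a hosting provider also blocks whatever legitimate sites share that range, so weigh that against how often the range recurs before pushing the wider block to a perimeter device.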