Sponsored by..

Showing posts with label Ukraine. Show all posts
Showing posts with label Ukraine. Show all posts

Tuesday, 25 October 2016

Malware spam: "Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data" leads to Locky

Perhaps minimalist spam works better, there is currently a Locky spam run with on of the subjects Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript that looks like this [pastebin]. There is no body text.

These automated analyses [1] [2] [3] [4] show that it is Locky. My usual sources tell me that the various scripts download from one of the following locations:

abplhomes.com/g76dbf
alyatater.com/g76dbf
baedalapp.com/g76dbf
beaumontschool.com/g76dbf
blastspraypolish.com/g76dbf
codefinder.co/g76dbf
copperfilters.com/g76dbf
cultural-ecology.com/g76dbf
designera.org/g76dbf
dev.indonesiatextile.id/g76dbf
dwimultimakmur.com/g76dbf
dziennikarze.lo-kolaczyce.pl/g76dbf
easytravelvault.com/g76dbf
elitednadt.com/g76dbf
emreker.com/g76dbf
faisal-ibrahim.info/g76dbf
fpi-canada.com/g76dbf
fresflor.net/g76dbf
gellyrepin.com/g76dbf
himytutor.com/g76dbf
informing.asia/g76dbf
jciindia.in/g76dbf
kantoor.vescolub.nl/g76dbf
kendalpos.com/g76dbf
lamurindo.com/g76dbf
lilxtreme.com/g76dbf
lookbeauty.ir/g76dbf
mahendradesai.net/g76dbf
newdesign.well.pk/g76dbf
nitrogenwebs.com/g76dbf
panaceapeople.com/g76dbf
permars.com/g76dbf
privatestashstorage.com/g76dbf
promo.worldloft.ru/g76dbf
read4change.com/g76dbf
runmyaccounts.ch/g76dbf
rws1.com.au/g76dbf
samuderaciptaraya.com/g76dbf
sendat.vn/g76dbf
shopro.ir/g76dbf
srcc.co.th/g76dbf
swissmades.com/g76dbf
tacunair.com/g76dbf
tciislandguide.com/g76dbf
uatsa.cl/g76dbf
vicampro.com/g76dbf
web.justproductions.co.uk/g76dbf
wivebeday.com/g76dbf
www.fireballindia.com/g76dbf
www.jockytours.com/g76dbf
www.pb2bb2c.com/g76dbf
www.pharmaciela.com/g76dbf

The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh

A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56. The malware then phones home to one of the following locations:

185.127.27.100/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks.php (Volia DataCentre, Ukraine)


The malware also attempts to contact the following locations, all of which seem to be inactive:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221

Monday, 24 October 2016

Malware spam: "Complaint letter" leads to Locky

This spam leads to Locky ransomware:

From     "Justine Hodge"
Date     Mon, 24 Oct 2016 19:27:53 +0600
Subject     Complaint letter

Dear [redacted],

Client sent a complaint letter regarding the data file you provided.
The letter is attached.

Please review his concerns carefully and reply him as soon as possible.

Best regards,
Justine Hodge
The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS scripts with a name starting with "saved letter".

My source tells me that this scripts download from one of the following locations:

adultmagstore.com/itc0h81
alkanshop.com/zrwcx8om
azaminsaat.com/nyzhvh2c
bwocc.org/dkttu
circolorisveglio.com/dw2hheb
coreywallace.com/qjkrlxp
corployalty.it-strategy.ru/p4icah5h
cruzdemiguel.com/jittrxkr
cz1321.com/zg4c4m
decorvise.com/g7k3n
denas-express.ru/fl5vy16
desthailand.com/wfmaq0az
disneyrentalvillas.com/k2ars5j2
downtownlaoffice.com/ixmh1
DSWRITINGS.ORG/lnf7gv
duvalitatli.com/umx3btc1
executivegolfmanagement.com/qtzsegm6
firephonesex.com/bxuobuam
fjbszl.com/m4q1pmr5
fraildata.net/09rz1jcj
fraildata.net/4s1szk77
fraildata.net/5ti18g
fraildata.net/9b8cba
getitsold.info/cndrdsu9
girlsoffire.com/d2k0b967
GNSTUDIO.NET/sxv6fhqo
greenmedicalgroup.org/dy7s5
gruffcrimp.com/352gr0
gruffcrimp.com/5inrze
gruffcrimp.com/8vzak
gruffcrimp.com/bki56h
gunnisonkoa.com/d5cw6
gzxyz.net/zznej
hetaitop.com/pgq8e
infopea.com/bm747o9
iwebmediasavvy.com/eu7mq36w
jejuep.com/jh7rrgbi
jejui.com/j1ldsf
julianhand.com/hollu
jzmkj.net/y7tf2
kak-vernut-devushku.gq/rwlr9
kirijones.net/2b8fnrqm
kirijones.net/4v7574mp
kirijones.net/66wey
kirijones.net/a2r3pme
lqfrdj.com/rbpkt
luobuma8.com/h5hq2que
myboatplans.net/p8gik2g8
nightpeople.co.il/o8le7
onlysalz.com/xjo100
payrentonline.org/l3mdiv7y
pblossom.com/t78u8
potchnoun.com/06p2vxua
potchnoun.com/38j2xn
potchnoun.com/5ngsn8g5
potchnoun.com/8x2nt
privateclubmag.com/wyztr73
prodesc.net/x7nlxq
relentlesspt.com/faisexor
riyuegu.net/o69ecb
royallife.co.uk/mx5nck
ryanrandom.com/hwv97p8
scope-t.com/loinhgm
sexybliss.co.uk/en8ds7nt
sunproductivity.com/m6ot1
taiyuwanli.com/cpkd9
theleadershipdoc.com/wm1bv
turservice.xaker007.net/k92b92
ukdistributionservices.com/x1397
vowedbutea.net/2f1okfif
vowedbutea.net/5491o
vowedbutea.net/8jtnj8nt
vowedbutea.net/apupuyh3
weekcoupon.com/hggbcg
wjyunfanbs.com/ihku0r53
www.studiorif.ru/toiu7
xn--80aa3c3a.xn--b1aajgfxm2a9g.xn--p1ai/xip5lltq
xn--b1aajgfxm2a9g.xn--p1ai/dxd3v
yourrealestateconnection.us/rlfh0

The malware phones home to the following URLs:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)


The following URLs are also contacted but are not active:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
 
81.177.22.221



Malware spam: fake "Receipt" leads to the unwelcome return of Locky

Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example spam with a format similar to the following is currently being sent out:

Date: Mon, 24 Oct 2016 16:03:30 +0530
From: christa.hazelgreave@gmail.com
Subject: Receipt 68-508
Sender name is a randomly-generated Gmail address. Attached is a ZIP file starting with the words "Receipt" matching the subject of the email contained within is a malicious HTA file with a name similar to Receipt 90592-310743.hta.

You can see some of the malicious activity in this Hybrid Analysis. My sources (thank you!) give the download locations for this particular spam run as:

103.15.50.73/076wc
117.239.70.228/076wc
absxpintranet.in/076wc
acanac.wysework.com/076wc
asadraza.ca/076wc
bagnet.ir/076wc
checkimage.comuf.com/076wc
cignitech.com/076wc
cynosurejobs.net/076wc
dolphinom.com/076wc
grupoecointerpreis.com/076wc
ledenergythai.com/076wc
naacllc.com/076wc
thaitooling.net/076wc
tifa-awards.net/076wc
wkreation.com/076wc
www.pspgemencheh.edu.my/076wc
www.pspmrsmag.com/076wc

The malware is Locky ransomware phoning home to:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
bwcfinnt.work/linuxsucks.php   [208.100.26.234] (Steadfast, US)

The following don't seem to resolve:
fqtdrnqmeofknd.biz/linuxsucks.php
fyrtopd.info/linuxsucks.php
wsrcyjnmrfyej.ru/linuxsucks.php
dvrudoqhwxbxrob.info/linuxsucks.php
ooyjnteswckystd.info/linuxsucks.php
vrruwpuccbud.info/linuxsucks.php
jdjnhiwgnxks.info/linuxsucks.php
pcjbfqivrejipumc.pw/linuxsucks.php
gktccomjjk.pl/linuxsucks.php
aolqgoweq.biz/linuxsucks.php
vholevsjx.pl/linuxsucks.php

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
208.100.26.234





Thursday, 6 October 2016

Malware spam: "Your Order" and the inevitable Locky

This fake financial spam leads to Locky ransomware:

From:    Adrian Salinas
Date:    6 October 2016 at 10:13
Subject:    Your Order

Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.
Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js

According to my source, these various scripts then download a component from one of the following locations:

activexsearch.com/yggv8
allinfo.xyz.com/zzi5zq2
aquatixbottle.com/yqr8i
askmeproperties.com/xc3db
asknaija.com/wvv5yh
atstory.com/zm2uojf
autokover.ru/z2oc4
b2c-batteries.com/hcgc64j
badimalik.com/dzqzl
bantayan.net/z3z3cc
baomoji.com/y6amo
betwer.com/t21j21t
booltom.com/19abb0h0
booltom.com/5nqlax
booltom.com/7dp0k
booltom.com/8qm9ldj
dipsite.com/r4f2wug
distribuidorabmk.com/wuv2rw
dvdworldmagazine.com/ptibu73
escolaemacao.com/rksgyuj
facerecognition.com.ba/cffdw
feuduprid.com/1xrdgx1j
feuduprid.com/6cpar
feuduprid.com/7sv4ygr9
feuduprid.com/aohsi
fifieoho.com/10a74fd
fifieoho.com/4u29v4
fifieoho.com/74uf3
fifieoho.com/8gplb
hdyzzs.com/qis3lqzw
kristiantouborg.com/trdmz3c
kronosmd.com/oqyxt
kuzeydogalgaz.com/gspiqv
laisou8.com/c4ecj8n
mayrice.net/07il79
mayrice.net/3w7eqv5
mayrice.net/6zok4n
mayrice.net/7uh0f
mgrshs.com/arabn
mmpang.com/h71zo4
mplaylist.com/mw921
nbjzpx.com/n9ih0k
net2008.com/mx93j63z
njykvalve.com/crk5x
numberoneenglish.com/b2v8x8
ofertacar.com/lzdp0id1
oguzhannakliyat.net/nhl290
onji.org/hox0lh
optimize4youseo.com/il9e7
oualili.org/kys133ec
ougelook.com/f7fr3
ozgurbasin.net/ceo09c
pandalove.ru/meft1bs5
peskara.com/n01afb
phaseiv.org/b0uo1
pioneerschina.com/xwks4
pmofmichigan.com/p1inbvn
prettymeuk.com/btvcc
print800.com/p3tw0nst
pro-units.ru/e8uosl
rbwm.ru/wvz996u
relishyomama.org/ebugjjni
sanalgelisim.com/pdjrz8w6
sccxtx.com/gdywsb9
sellflash.com/pjphz
sladetahil.com/1oiyflq
sladetahil.com/6763jdl
sladetahil.com/7fedf3f
sladetahil.com/99f2zg
speakrz.com/oa7ev
tbcthebillingcompany.com/u8uq8t5g
test1.unihost.link/rhh8saz
test.personne.ru/h3x2h682
vudie.com/uco3h8o
westpommern.com/ha0jaeo
winterferienhaus.com/sqfjn29
woodmode-eg.com/o47tu
yepi-games.net/wpp6wl0
zakscott.com/obg7n
zhiwuba.com/ogtkhy

The malware then phones home to the following IPs (belonging pretty much to the usual suspects):

46.8.44.105/apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76/apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21/apache_handler.php (TheFirst-RU, Russia)
217.12.223.78/apache_handler.php (ITL, Ukraine)
46.183.221.134/apache_handler.php (Dataclub, Latvia)

It attempts to contact the following domains, none of which were resolving for me:

vrqhyhyhfoqtetjj.su/apache_handler.php
aukahiofk.click/apache_handler.php
mbjyucltybuujwrec.pl/apache_handler.php
odktufycxibodtlgc.xyz/apache_handler.php
oglvsqvesshcq.work/apache_handler.php
tfgyuhlggusls.ru/apache_handler.php
senawhlqiyl.biz/apache_handler.php
gsrhrrx.su/apache_handler.php
sodugmdutpwo.click/apache_handler.php
ibmwyjowwkvquhftq.info/apache_handler.php
knsyllstwjfv.org/apache_handler.php
pxeuwhmghsnffbn.info/apache_handler.php

Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78


Monday, 3 October 2016

Malware spam: "[Scan] 2016-1003 15:26:26" / "Sent with Genius Scan for iOS." leads to Locky

This fake document scan leads to Locky ransomware:

From:    DAMON ASHBROOK
Date:    3 October 2016 at 10:56
Subject:    [Scan] 2016-1003 15:26:26

--
Sent with Genius Scan for iOS.
The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat.

This Malwr analysis shows some of the infection in action. Overall my sources tell me that the various malicious macros download from:

acaciainvest.ro/jhg45s
alraysa.com/jhg45s
anthonycarducci.lawyerpublicity.com/jhg45s
antiquescollectablesandjuststuff.com/jhg45s
atronis.com/jhg45s
bluewaterappco.com/jhg45s
boservice.info/jhg45s
catlong.com/jhg45s
cedrussauna.com/jhg45s
craftsreviews.com/jhg45s
denvertracy.com/jhg45s
dickenshandchimes.com/jhg45s
far-infraredsaunas.com/jhg45s
foe-2.com/jhg45s
gcandcbuilderssite.aaomg.com/jhg45s
hostmyimage.biz/jhg45s
icdsarch.com/jhg45s
inmopromo.com/jhg45s
lesscellantshautegamme.ca/jhg45s
maxleather.aaomg.com/jhg45s
mmm2.aaomg.com/jhg45s
monkeysdragon.net/jhg45s
orhangazitur.com/jhg45s
parkerneem.com/jhg45s
test.cedrussauna.net/jhg45s
tsukasagiku.com/jhg45s
villadiana.lv/jhg45s
webhost911.com/jhg45s

C2 locations are:

149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
logwudorlghdou.info/apache_handler.php
krmwgapkey.work/apache_handler.php
hruicryqytbmc.xyz/apache_handler.php
vswaagv.org/apache_handler.php
smskymrtssawsjb.org/apache_handler.php
wvandssbv.org/apache_handler.php
ytxsbkfjmyxglvt.click/apache_handler.php
rqybmggvssutf.xyz/apache_handler.php
qaemlwlsvqvgcmbke.click/apache_handler.php
btlyarobjohheg.ru/apache_handler.php
civjvjrjjlv.pw/apache_handler.php
xlarkvixnlelbsvxl.xyz/apache_handler.php

A DLL is dropped with a detection rate of 19/57.

Recommended blocklist:
149.202.52.215
217.12.199.244

Thursday, 29 September 2016

Malware spam: "Receipt 103-526" / Receipt.xls

This spam leads to Locky ransomware:

From     rosalyn.gregory@gmail.com
Date     Thu, 29 Sep 2016 21:07:46 +0800
Subject     Receipt 103-526
I cannot tell if there is any body text, however there is an attachment Receipt.xls which contains malicious code [pastebin] that in the case of the sample I analysed downloads a binary from:

opmsk.ru/g76ub76

There will be many other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:

89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

A malicious DLL is dropped with a detection rate of 6/57. Malicious IPs and domains overlap quite a bit with this earlier attack. This version of Locky encrypts files with a .odin extension.

UPDATE - a source indicates these are all the download locations in this attack:

1gouw.com/g76ub76
368lx.com/g76ub76
81millstreet.nl/g76ub76
alliswelltour.com/g76ub76
ampconnect.com/g76ub76
anhsaodem.info/g76ub76
aseandates.com/g76ub76
birthstory.com/g76ub76
cmcomunicacion.es/g76ub76
dedivan.ru/g76ub76
demo.website.pl/g76ub76
econopaginas.com/g76ub76
gadget24.ro/g76ub76
globalremoteservices.com/g76ub76
innogenap.com/g76ub76
juyinggroup.com/g76ub76
kelownatownhomes.com/g76ub76
mediumsize.org/g76ub76
opmsk.ru/g76ub76
parentchildmothergoose.com/g76ub76
parroquiansg.org/g76ub76
slaterarts.com/g76ub76
sonajp.com/g76ub76
studiorif.ru/g76ub76
unforgettabletymes.com/g76ub76

Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132

Malware spam: "Temporarily blocked" leads to Locky

The attachment on this spam email leads to Locky ransomware:

From: "Ambrose Clements"
Subject: Temporarily blocked
Date: Thu, 29 Sep 2016 13:37:53 +0400

Dear [redacted]

this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.

We attached the scan of transactions. Please confirm whether you made these transactions.
 Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download from one of the following locations:

0793mobile.com/jetg2
109.73.234.241/dgq01p
18901350711.com/ll0wdsu
365jtoo.com/qw3r7arg
3ddentalimage.com/ytouk6
489ean.com/r2jdxy
51steel.org/s4b5ztgc
59jd.com/ggha9
5i5k.net/j0g1jk3
5iroom.com/vqv5yibr
91ise.info/pcre0ri4
abbiholland.com/f5ioimw
aldohuaman.com/52y3am
antamduc.com/ttbysvp
a-we.com/o0m5ayu
baankonkoh.com/hhon5mma
cielitodrive.com/x8vqc6
columbiaprintingservices.com/u542pjoi
cranioactive.com/l7vb0
cyprusnike.com/kkpno
domaks-dom.ru/mugr3gb1
exonbalai.com/1r1y6so
exonbalai.com/4dnv8
fhgmediaent.com/66aslu
hastarim.com/nyyjoec
immewrood.net/2j4z9px
immewrood.net/52y3am
inspirationbydesire.com/lfmlspp
jetpcl.com/m23gz0tv
joventa.sk/25fkt
jscompuserve.com/sqa5iq4
kayooo.net/67mxndh
khasitez.net/0a5lma5
khasitez.net/2m01898x
kidzvidz.com/miwn5
kitamachiweek.com/khcg0ta4
knigoboz.ru/nessj4k8
londonmusicclub.com/j6ln7cl
mayurinkorat.com/igxbat
ogeedfungo.net/0zqoae
ogeedfungo.net/3n4pwk
olimp-otel.ru/vevfq
pthcu.org/vnqdve7
redegamb.com/25fkt
redegamb.com/4gwca5b
rglogistic.com/var79sa
sewingwholesale.com/o8hn4
supplyglassess.com/gbnfsmh
szaloncukor.net/jelxoi
tolgaustun.com/drnag
touchasoul.org/nha0pkom
unwantedtattoos.co.uk/e1mbgfej
vaidia.com/y6m3en
viptabien.com/al9n7nh
web4-magento.com/cdlp4o
websitedesigncourse.net/p9580
wikichemicals.com/v1x7cfd
wirelessdd.com/692lrr
womenepic.com/89spy93v

The decoded malware then phones home to:

195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo.pw/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
gqackht.biz/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
bgldptjuwwq.org/apache_handler.php
cxnlxkdkxxxt.xyz/apache_handler.php
rcahcieii.work/apache_handler.php
uxaoooxqqyuslylw.click/apache_handler.php
vwktvjgpmpntoso.su/apache_handler.php
upsoxhfqut.work/apache_handler.php
nqchuuvgldmxifjg.click/apache_handler.php
ofoclobdcpeeqw.biz/apache_handler.php
kfvigurtippypgw.pl/apache_handler.php
toescilgrgvtjcac.work/apache_handler.php

Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132




Wednesday, 28 September 2016

Something evil on 69.64.63.77

This appears to be some sort of exploit kit leveraging hacked sites, for example:
[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report. The IP address appears to be a customer of ServerYou:

OrgName:        MegaHosterNetwork
OrgId:          MEGAH
Address:        Zaporozhskogo kazachestva 15
City:           Zaporozhzhe
StateProv:     
PostalCode:     69097
Country:        UA
RegDate:        2012-09-02
Updated:        2012-09-02
Ref:            https://whois.arin.net/rest/org/MEGAH


These other domains are hosted on the same IP:

[donotclick]j8le7s5q745e.org
[donotclick]3wdev4pqfw1u.org
[donotclick]fg1238tq38le.net

All of those domains are registered to:

Registrant Name: sergey muromov
Registrant Organization: sergey muromov
Registrant Street: veteranov 45-87
Registrant City: sank-tpeterburg
Registrant State/Province: leningradckaya
Registrant Postal Code: 458223
Registrant Country: RU
Registrant Phone: +7.66473838987
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: muromov96@bk.ru


It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking.


Locky download and C2 locations 2016-09-28

It's one of those day where I haven't been able to look at Lock much, but here is some analysis of download locations from my usual trusted source.

Binary download locations:

agri-host.us/67fgbcni
bigballsincowtown.com/67fgbcni
deeryarch.me/67fgbcni
dfl210.ru/67fgbcni
dslayer.net/67fgbcni
hasatbey.com/67fgbcni
house-of-quality.com/67fgbcni
intesols.com/67fgbcni
ivankhoo.com/67fgbcni
kolonker.com/67fgbcni
komsutekstil.com/67fgbcni
lucianasaliani.com/67fgbcni
marlonmendieta.com/67fgbcni
muangbouge.com/67fgbcni
naughtypixelads.com/67fgbcni
noorgames.com/67fgbcni
obtenloya.com/67fgbcni
patriciaclarkfinley.com/67fgbcni
permanentmark.sk/67fgbcni
podaripodarok.ru/67fgbcni
ramsdale.org/67fgbcni
rikuzentakata-mpf.org/67fgbcni
sigglab.com/67fgbcni
thehotelandrea.com/67fgbcni
travicoperu.com/67fgbcni
villaangela.info/67fgbcni
wmediatraining.com/67fgbcni
zahrady-landart.sk/67fgbcni
bathecista.com/1xz8pu
bathecista.com/8rjz1fr
bildungsmedien.org/je62fq
casaxavier.com.mx/p5hq150
cdou.ru/mhr53p
centralfirepro.com/sba7l
chimesmedia.com/ecn343f
chole-ray.com/yb1ambd
cydotomasyon.com/o8sh8
cylooks.com/y1kj5y4i
czeladz24.com/qvms47
depersoneelskamer.nl/v2h0o
doorleads.com/d9txgc
drsearsprime-time.com/pzcpg
edunayok.org/i4qnmc13
etustime.com/xa7sajm4
fatquote.net/0znym9
fatquote.net/4kj0ecdq
formationinnovation.net/dvzeb154
galinakireeva.ru/tmdq8o9z
gideroto.com/gtslcf
gonenisi.com/f5f91g1
healingwaterscc.com/souanzj5
hobbydays.ru/rrzvs
housellaw.com/lhfxwgx7
i-mdv.com/yb7rwfj
inchallahrencontre.net/rax72ya
i-school-tutor.com/ucg4c8
izmirisgb.com/dknjf
linoteil.com/1fm2x9
linoteil.com/8ncfzoi
lordalexleon.com/vbsmt6d
mineralhound.com/micmlf
ncbwhb.com/padk5n
nevis-football.com/u7tohi
nvwriter.com/eh4zm
panusnikom.com/k6hk6
pblossom.com/a91a5u
portal.rimpro.ru/s20c5
powercomm.ie/v57lkb
rimiller.com/sw1axrg
roxyperu.com/j6qpb5eb
servisix.com/csavi3l
shendiaoqzj.com/az1j2cq
shinganist.com/hl8he62
softgallery.dk/x5yjlhh
sscsci.com/c761057
styleyate.net/0o9tl6d
styleyate.net/2sn8erda
sunteamvn.com/uda8s
susanthomas.net/mq9ea3
taitong.info/tl6q7zlc
tanerkaplama.com/oa9wr5p
teamindo.com/sfpkv
tzabanga.com/bnxg4hp
vicwulaw.com/vjbql
waspyfauna.com/0vzw8y
waspyfauna.com/4aegrg
xfjt.org/lcwg8o
youtuberankchecker.net/wkmdc

C2s:

176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh.biz/apache_handler.php  [69.195.129.70] (Joe's Datacenter, US)
rluqypf.pw/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk.biz/apache_handler.php  [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap.info/apache_handler.php
kdbbpmrdfnlno.pl/apache_handler.php
jlhxyspgvwcnjb.work/apache_handler.php
dceaordeoe.ru/apache_handler.php
gisydkcsxosyokkuv.work/apache_handler.php
mqlrmom.work/apache_handler.php
wfgtoxqbf.biz/apache_handler.php
ndyevynuwqe.su/apache_handler.php
vgcfwrnfrkkarc.work/apache_handler.php

Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158

Tuesday, 20 September 2016

Malware spam: "Tracking data" leads to Locky

This spam has a malicious attachment leading to Locky ransomware:

From:    Loretta Gilmore
Date:    20 September 2016 at 08:31
Subject:    Tracking data


Good afternoon [redacted],

Your item #9122164-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.



The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.


The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name.

Analysis of the attachments is pending.

UPDATE

Hybrid Analysis of various samples [1] [2] [3] [4] shows the script downloading from various locations:

akinave.ru/ckk7y
solenapeak.com/ha4n2
vetchsoda.org/uemmdt
akinave.ru/1e11lhrk


All of these are hosted on:

178.212.131.10 (21 Century Telecom Ltd, Russia)
95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)


The malware then phones home to the following locations:

91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx.xyz/data/info.php  [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)

A DLL is dropped with a detection rate of 13/57.

Recommended blocklist:
178.212.131.10
95.173.164.205
91.223.88.0/24
46.38.52.225
195.64.154.202

Monday, 19 September 2016

Malware spam: "Express Parcel service" leads to Locky

This spam has a malicious attachment:

From:    Marla Campbell
Date:    19 September 2016 at 09:09
Subject:    Express Parcel service

Dear [redacted], we have sent your parcel by Express Parcel service.

The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.


Thank you.
Attached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing.

The Hybrid Analysis for one sample shows a download location of:

178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)

There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:

195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra.pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)

It drops a DLL with a detection rate of 8/54.

UPDATE

These Hybrid Analysis reports of other samples [1] [2] [3] [4] [5] show other download locations at:

roxieimshi.com/eppmn
roxieimshi.com/y4lf1neg
foveawaac.net/yjmaazj
foveawaac.net/wzwzjply
merofid.com/zn6mcj


All of these domains are hosted on evil IPs:

178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)


These domains are all related and should be considered malicious:

duelrid.com
merofid.com
pradran.com
adzebury.com
amrastacy.com
bulkreasy.com
sternhala.com
gobantakao.com
roxieimshi.com
tearyrecce.com
wyvesnarl.info
aborik.net
ecadxyst.net
maydayen.net
ponggirr.net
foveawaac.net
normadnex.net
pawlrubia.net
pradkevyn.net
satyrwelf.net
vernpucka.net
yerndrunk.net
latexuchee.net
maggycocoa.net
moismdheri.net
rokerlelia.net
sparmsov.org
citmowra.in
swagpaty.in


Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10

91.194.250.131

The last one listed in italics is part of the update.


Tuesday, 13 September 2016

Malware spam: "Attached is the tax invoice of your company. Please do the payment in an urgent manner." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Tax invoice
From:     Kris Allison (Allison.5326@resorts.com.mx)
Date:     Tuesday, 13 September 2016, 11:22

Dear Client,

Attached is the tax invoice of your company. Please do the payment in an urgent manner.


Best regards,
Kris Allison
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:

adzebur.com/dsd7gk  [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
            [78.212.131.10] (21 Century Telecom Ltd, Russia)
            [31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f   [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
            [23.95.106.223] (New Wave Netconnect, US)
            [23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]

The payload then phones home to:

91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php   [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php   [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php


Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71


UPDATE: further analysis gives these other IPs to block..

78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116

Monday, 5 September 2016

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.


Sincerely yours,
Tamika Good
Account manager
The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:

canonsupervideo4k.ws/1bcpr7xx

This appears to be multihomed on the following IP addresses:

23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)


Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru


Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57.  These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:

91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48

91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55


Thursday, 1 September 2016

Malware spam: "Please find attached invoice no" leads to Locky

This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.

Subject:     Please find attached invoice no: 329218
From:     victim@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Thursday, 1 September 2016, 12:42

Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download from one of the following locations:

158.195.68.10/87hcrn33g
branchjp.web.fc2.com/87hcrn33g
chal4.co.uk/87hcrn33g
dashman.web.fc2.com/87hcrn33g
dcqoutlet.es/87hcrn33g
forum.sandalcraft.cba.pl/87hcrn33g
hotcarshhhs6632.com/js/87hcrn33g
hotelimperium.go.ro/87hcrn33g
imperium.nazory.cz/87hcrn33g
kawasima0506.web.fc2.com/87hcrn33g
kissfm.rdsor.ro/87hcrn33g
ksiega.solidworks.cba.pl/87hcrn33g
nevrincea.50webs.com/87hcrn33g
olivier.coroenne.perso.sfr.fr/87hcrn33g
postaldigitalrs.com.br/87hcrn33g
pp4_09_10_2s.republika.pl/87hcrn33g
reklamnibannery.wz.cz/87hcrn33g
rhanwid.com/87hcrn33g
sac360.web.fc2.com/87hcrn33g
school3.50webs.com/87hcrn33g
srxrun.nobody.jp/87hcrn33g
szkolagrojec.republika.pl/87hcrn33g
wccf.huuryuu.com/87hcrn33g
www.agridiving.net/87hcrn33g
www.archiviestoria.it/87hcrn33g
www.cmg-ingegneria.it/87hcrn33g
www.coseincredibili.it/87hcrn33g
www.courtesyweb.it/87hcrn33g
www.dallaglio-nordin.com/87hcrn33g
www.galaturs.com.ua/87hcrn33g
www.gebrvanorsouw.nl/87hcrn33g
www.gunaldy.com/87hcrn33g
www.idiomestarradellas.com/87hcrn33g
www.infoteria.cba.pl/87hcrn33g
www.termoalbiate.com/87hcrn33g
zui9reica.web.fc2.com/87hcrn33g

The payload appears to be Locky ransomware. It phones home to:

188.127.249.32/data/info.php
95.85.19.195/data/info.php
212.109.192.235/data/info.php
jljiqkwchebdtng.click/data/info.php
xattllfuayehhmpnx.pw/data/info.php
gxytcem.info/data/info.php
cmodkwsxu.biz/data/info.php
cucifux.pw/data/info.php
yectcnixjvowtac.pw/data/info.php
wkufbyd.ru/data/info.php
cjtysjouoheneprhu.ru/data/info.php
ipbjheegfnwrhh.pl/data/info.php
xmujkqloyo.info/data/info.php
hyopihvoqidlgckyu.biz/data/info.php
bhooxdm.work/data/info.php

This is similar to the list here.

Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24


Malware spam: "Our shipping service is sending the order form due to the request from your company."

This fake shipping email comes with a malicious attachment:

Subject:     Shipping information
From:     Charles Burgess
Date:     Thursday, 1 September 2016, 9:30

Dear customer,

Our shipping service is sending the order form due to the request from your company.

Please fill the attached form with precise information.

Very truly yours,
Charles Burgess
The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and endng with _shipping_service.js.

Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):


joeybecker.gmxhome.de/430j1t
ngenge.web.fc2.com/vs1qc0
mambarambaro.ws/1zvqoqf
timetobuymlw.in/2dlqalg0
peetersrobin.atspace.com/t2heyor1
www.bioinfotst.cba.pl/u89o4

Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis shows the malware phoning home to:

5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably Locky ransomware.

Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24

Wednesday, 31 August 2016

Malware spam: "bank transactions"

This fake financial spam comes with a malicious attachment:

From:    Rueben Vazquez
Date:    31 August 2016 at 10:06
Subject:    bank transactions


Good morning petrol.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.


Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.

According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):

www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis

Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:

95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably the Locky ransomware.

Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24


Monday, 15 August 2016

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Thursday, 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Thursday, 4 August 2016

Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change


King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
Sender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:

escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7


This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]

All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.

Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22






Monday, 1 August 2016

Malware spam: "Please review the attached corrected annual report." / "Corrected report"

This spam comes with a malicious attachment:

Subject:     Corrected report
From:     Joey Cox (Cox.48@sodetel.net.lb)
Date:     Monday, 1 August 2016, 13:37

Dear webmaster,

Please review the attached corrected annual report.

Yours faithfully
Joey Cox
The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware from one of the following locations (thank you to my usual source for analysis):

121.83.206.211/~ftp-yama/9z6nu
12-land.co.jp/gyukmx
209.202.52.42/~wevugoja/eijz2y
213.228.128.12/~joaod/2xbjbu
213.228.128.12/~joaod/74ujkijl
217.26.70.200/~pitagora/4nm1k
218.228.19.9/~yossi/9ssfpkz
67.23.226.139/~jneccsio/2egblt4m
79.96.153.93/cxzlkz
80.109.240.71/~r.theeuwes/6c1arl9
abufarha.net/55hhso
akeseverin.com/audqp
akva-sarat.nichost.ru/xc2kao
arogyaforhealth.com/l9bwo0
b-doors.ru/l65n0 - hash
bisericaromaneasca.ro/jzvtuc
bobbysinghwpg.com/k3v1t3v4
canplus.fc2web.com/faepi1
certifiedbanker.org/lg305
climairuk.com/kmbw8q
clinic.gov.ua/sku4ql
darkhollowcoffee.com/n69xfk
darkhollowcoffee.com/xlbps
enexp.ru/r2wbp6
fotografuj.pl/8hotlfc2
fotografuj.pl/y4m2b
gp-logistics.ru/uwkop
keven.site.aplus.net/rb9skl
krovgid.ru/wooq2
libertymanuals.com/o97dh92i
mobile-kontent.com/ou6ne
openspace.pro/teg7qur
paletteswapninja.com/~playre5/0mxupm8q
programistyczni.strefa.pl/j7xk8c
ramsayconstruction.ca/b27ix9s
rom-stroy.ru/s0kphjat
schlebach.25mm.ru/ycz6sn
seahawkexports.com/7954qp3a
shagunproperty.com/8ikrr
sigovka.ru/w790cg8h
steelfs.com.mx/00ucikvv
stroymonolit.su/7oiy5i8
tvoy-android.com/i8rsoei
u2319351.plsk.regruhosting.ru/vsfvyj1j
ultramarincentr.ru/jtmms
uxeurope.com/~guest/7rj3px
visionaero.com/9grdv
wordpress.pro-tiler.ru/mk9yi4wl
www.robtozier.com/bg58a


The dropped binary then attempts to phone home to:

91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

The host for that last one comes up over and over again, it's time to block that /22..

Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22