Showing posts with label Upatre. Show all posts
Thursday 10 September 2015
Malware spam: "New Fax - 3901535011" / "UK2Fax" [fax2@fax1.uk2fax.co.uk]
This fake fax spam comes with a malicious attachment:
From "UK2Fax" [fax2@fax1.uk2fax.co.uk]
Date Thu, 10 Sep 2015 14:07:11 +0100
Subject New Fax - 3901535011
UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT
Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the same Upatre/Dyre payload as seen in this attack also seen today.
Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:
Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.
In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.
MD5:
4dbdf9e73db481b001774b8b9b522ebe
From "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
Date Thu, 10 Sep 2015 06:32:37 -0500
Subject Payroll Received by Intuit
Dear, petrol
We received your payroll on Sep 10, 2015 at 09:01.
Attached is a copy of your Remittance. Please click on the attachment in order to
view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
paid two (2) banking days from the date received or on your paycheck date, whichever
is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you
have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list
of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services
IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this
email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect
is a phishing email, please forward it to immediately to spoof@intuit.com.
© 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
trademarks and/or registered service marks of Intuit Inc. in the United States and
other countries. All other marks are the property of their respective owners, should
be treated as such, and may be registered in various jurisdictions.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706
Monday 7 September 2015
Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]
This spam does not come from Companies House, but is instead a simple forgery with a malicious attachment:
The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.
This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.
MD5:
f1d62047d22f352a14fe6dc0934be3bb
From "Companies House" [WebFiling@companieshouse.gov.uk]
Date Mon, 7 Sep 2015 12:40:01 +0100
Subject RE: Case 0676414
The submission number is: 0676414
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.
Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500
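The EXE-in-ZIP attachments described in these posts (a .scr screensaver with a PDF icon, wrapped in a ZIP) can be caught at the mail gateway before anyone sees the icon. The following is an added example, not code from the blog: it unpacks an archive in memory and flags any member whose name Windows would execute, whose name carries a double extension, or whose content starts with the MZ header of a PE executable. The archives are constructed in memory for the demonstration, and the extension list is an assumption about a typical gateway policy, not something the post prescribes.

```python
"""Inspect an e-mail attachment ZIP for executables disguised as documents.

Added example (not from the blog). The sample archives are constructed below.
"""
import io
import zipfile

# Extensions Windows runs directly when double-clicked (assumption: a typical
# mail-gateway deny list, not a list the blog prescribes).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".hta", ".cpl", ".msi", ".jar", ".ps1", ".lnk",
}

PE_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def _extension(name):
    """Lower-cased final extension of a member name: 'Case_0043258.scr' -> '.scr'."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def inspect_zip(data):
    """Return [(member_name, reasons)] for every suspicious member of the archive.

    reasons: 'executable-extension' if the name ends in something Windows runs,
    'double-extension' for names like invoice.pdf.exe, and 'pe-header' if the
    content starts with MZ regardless of what the name claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if _extension(info.filename) in EXECUTABLE_EXTENSIONS:
                reasons.append("executable-extension")
            parts = info.filename.rsplit("/", 1)[-1].split(".")
            if len(parts) > 2 and ("." + parts[-1].lower()) in EXECUTABLE_EXTENSIONS:
                reasons.append("double-extension")
            # Read only the first two bytes so large members stay cheap to check.
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    reasons.append("pe-header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def should_quarantine(data):
    """Gateway policy: quarantine the message if any member is flagged."""
    return bool(inspect_zip(data))


def build_sample_zip(members):
    """Construct an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a fake "PDF" that is really a .scr, a benign text file,
# and a double-extension lure. The MZ stub is padding, not a real program.
MALICIOUS_ZIP = build_sample_zip({"Case_0043258.scr": PE_MAGIC + b"\x90\x00" + b"\x00" * 62})
BENIGN_ZIP = build_sample_zip({"notes.txt": b"just text\n"})
DOUBLE_EXT_ZIP = build_sample_zip({"invoice.pdf.exe": PE_MAGIC + b"\x00" * 14})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP), ("double", DOUBLE_EXT_ZIP)):
        print(label, inspect_zip(blob), "quarantine:", should_quarantine(blob))
```

The content check matters more than the name check: a gateway that only looks at extensions misses an archive member renamed to .pdf that Windows will still not run, but also misses the reverse trick where a PE is shipped under an extension the deny list forgot.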
Tuesday 1 September 2015
Malware spam: "Complaint of your Internet activity"
This spam comes with a malicious attachment:
All the samples I have seen have a corrupt attachment which is Base64 encoded; it is possible that other people might receive a valid attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56.
This Hybrid Analysis report shows it to be just another variant of Upatre / Dyre with the same characteristics as the malspam seen earlier today, sending traffic to an IP that I suggest you block or monitor:
197.149.90.166 (Cobranet, Nigeria)
Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494
From: Margret Kuhic
Date: 1 September 2015 at 16:10
Subject: Complaint of your Internet activity
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Margret Kuhic
Dynamic Communications Agent
T: 1-679-732-5379
F: 100.173.9045
Malware spam: "Private message notification 41447" / "Adrien Abbott"
This spam comes with a malicious attachment:
I have only seen a single sample of this spam, and the attachment was not formatted properly making it harmless, however other variants could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56; the Hybrid Analysis report shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to:
197.149.90.166 (Cobranet, Nigeria)
..which is an IP that has been used several times for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor.
MD5:
7c94abe2e3b60f8a72b7358d50d04ee0
From: Adrien Abbott
Date: 1 September 2015 at 12:34
Subject: Private message notification 41447
You've received a private message. Please open the attached to view it.
Adrien Abbott
Chief Tactics Executive
home: 1-583-761-3793
work: 380.022.2492
twitter: @nicole
skype: nicole
messenger: nicole
Thursday 27 August 2015
Malware spam: "Payslip for period end date 27/08/2015" / "noreply@fermanagh.gov.uk"
This spam does not come from Fermanagh District Council. Of course it doesn't. It is instead a simple forgery with a malicious attachment:
Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly.
This executable has a detection rate of 3/56 and the Hybrid Analysis report indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking.
MD5:
fdea30868df48bff9e7c2b2605431d23
From: noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date: 27 August 2015 at 12:28
Subject: Payslip for period end date 27/08/2015
Dear administrator
Please find attached your payslip for period end 27/08/2015
Payroll Section
Wednesday 26 August 2015
Fake fax spam spoofs multiple senders, has malicious payload
This fake fax spam comes from random senders - company names and attachment names vary from spam to spam.
Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56 detection rate at VirusTotal.
The Hybrid Analysis report shows it phoning home to:
197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166/260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
This pattern marks the malware out as being Upatre/Dyre. 197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.
From: "Heaney, Vandervort and Hilll"
Subject: Fax #AhnxlQ8 from Donny Kub
Date: Wed, 26 Aug 2015 14:02:30 +0000
You have a fax.
Data sent: Wed, 26 Aug 2015 14:03:30 +0000
TO: info@victimdomain.com
*********************************
We are a new fax delivery service - Heaney, Vandervort and Hilll.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: "Fast. Cheap. Best quality."
*********************************
Thursday 20 August 2015
Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"
This fake TfL spam comes with a malicious attachment:
The attachment name seems to vary; in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with VirusTotal detection rates of 6/56 and 1/57. These two Hybrid Analysis reports [1] [2] show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:
93.185.4.90:12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
93.185.4.90:12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM
These GET requests are a characteristic of Upatre/Dyre. 93.185.4.90 is allocated to C2NET, Czech Republic and I strongly recommend that you block it.
Those Hybrid Analysis reports also identify some botnet IPs and dropped files, which I suggest that you study if interested.
From "Transport for London" [noresponse@cclondon.com]
Date Thu, 20 Aug 2015 17:04:26 +0530
Subject Email from Transport for London
Dear Customer
Please open the attached file(7887775.zip) to view correspondence from Transport
for London.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com
Thank you for contacting Transport for London.
Business Operations
Customer Service Representative
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.
Labels: Czech Republic, Dyre, EXE-in-ZIP, Malware, Spam, Upatre, Viruses
Friday 7 August 2015
Malware spam: "Sleek Granite Computer" / "saepe 422-091-2468.zip" / "nulla.exe"
What the heck is a Sleek Granite Computer? As clickbait it is kind of weird.. but perhaps interesting enough to get people to click on the malicious attachment it comes with.
The only sample of this I had was malformed and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe.
This has a VirusTotal detection rate of 4/55 with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre / Dyre traffic pattern to:
195.154.241.208:12800/0608us12/6FsvE66Gy1/0/61-SP1/0/FDMBEFJBMKBEMM
195.154.241.208:12800/0608us12/6FsvE66Gy1/41/2/18/FDMBEFJBMKBEMM
This IP address belongs to Online SAS in France who seem to have hosted quite a bit of this stuff recently; the hostname identifies it as belonging to poneytelecom.eu. Traffic is also spotted to:
37.57.144.177 (Triolan / Content Delivery Network, Ukraine)
95.143.141.50 (LTnet, Czech Republic)
There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.
Recommended blocklist:
195.154.241.208
37.57.144.177
95.143.141.50
MD5:
9520d04a140c7ca00e3c4e75dd9ccd9f
From: mafecoandohob [mafecoandohob@bawhhorur.com]
To: Karley Pollich
Date: 7 August 2015 at 13:17
Subject: Sleek Granite Computer
Good day!
If you remember earlier this week we discussed with You our new project which we intend to start next month.
For Your kind review we enclose here the business plan and all the related documents.
Please send us an e-mail in case You have any comments or proposed changes.
According to our calculations the project will start bringing profit in 6 months.
Thanks in advance.
Karley Pollich
Dynamic Response Strategist
Pagac and Sons
Toys, Games & Jewelery
422-091-2468
Labels: Czech Republic, Dyre, EXE-in-ZIP, France, Malware, Spam, Ukraine, Upatre, Viruses
Wednesday 22 July 2015
Malware spam: HMRC application with reference XXXX XXXX XXXX XXXX received / noreply@hmrc.gov.uk
These spam emails do not come from HMRC (the UK tax office) but are instead a simple forgery with a malicious attachment.
Attached is a file 2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc with a VirusTotal detection rate of 7/55 which if opened (not advised) pretends to be an encrypted document that requires Active Content to be enabled.
According to this Hybrid Analysis report the embedded macro contacts the following hosts to download components:
vinestreetfilms.com/wp-content/plugins/jetpack/_inc/genericons/genericons/rtl/78672738612836.txt
midlandspestcontrol.net/wp-includes/js/tinymce/themes/advanced/skins/o2k7/78672738612836.txt
midlandspestcontrol.net//wp-includes/js/tinymce/themes/advanced/skins/o2k7/fafa.txt
This includes another malicious script. This then leads to the download of a malicious binary from:
anacornel.com/images/desene/united.exe
This has a VirusTotal detection rate of just 2/55. Automated analysis is pending.
MD5s:
605905df205b6c266856990a49abdfef
1fdb0af80d01739410a3eef67c4144ff
UPDATE: a Hybrid Analysis report is here, but it does not add much more detail.
From: noreply@hmrc.gov.uk [noreply@hmrc.gov.uk]
Date: 22 July 2015 at 13:19
Subject: HMRC application with reference 5CSS 1QDX 27KH LRFM received
The application with reference number 5CSS 1QDX 27KH LRFM submitted by you or your agent to register for HM Revenue & Customs (HMRC) has been received and will now be verified. HMRC will contact you if further information is needed.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
Tuesday 21 July 2015
Malware spam: "Administrator - EDCSRP earmarking (Update 07_21_2015).doc" / "Internal ONLY"
These two spam email messages have the same malicious payload:
Note the odd dates on the spam email. In all cases, the attachment is called EDCSRP earmarking (Update 08_21_2015).doc and at present it has a VirusTotal detection rate of 7/55. It contains a complex macro [pastebin] which (according to Hybrid Analysis) downloads additional components from:
phudge.ca/wordpress/wp-content/themes/canvas/includes/.svn/props/78672738612836.txt
kedros.ch//modules/mod_araticlhess/78672738612836.txt
Automated analysis didn't work on this and frankly instead of reinventing the wheel I refer you to this note from @Techhelplistcom which reveals an executable being downloaded from:
umontreal-ca.com/ualberta/philips.exe
This domain was registered just yesterday to an anonymous person and is hosted on 89.144.10.200 (ISP4P, Germany) so we can assume that it is malicious. But here's an interesting detail.. if you look at the Word document itself it does actually claim to be from the University of Montreal.
That seems like a lot of effort to go to, more than is usual for this type of drive-by attack. The malicious executable philips.exe has a detection rate of 13/55 and again, the Comments field has a useful list of IP addresses to block thanks to @Techhelplistcom.
This whole thing is Upatre dropping the Dyre banking trojan, and it's quite clever stuff. Perhaps your best defence is a user education programme about not enabling active content on suspect emails..
Recommended minimum blocklist:
89.144.10.200
MD5s:
e945383e19955c420789bf5b3b415d00
015774e058bcb1828726848d2edd93f9
From: Administrator@badeleke [Administrator@victimdomain]
To: badeleke@victimdomain
Date: 24 July 2014 at 10:30
Subject: Administrator - EDCSRP earmarking (Update 07_21_2015).doc
badeleke,
This attachment(EDCSRP earmarking (Update 07_21_2015).doc) provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.
Thank you,
Administrator
http://www.victimdomain
----------------------
From: Incoming Fax [Incoming.Fax@victimdomain]
To: administrator@victimdomain
Date: 18 September 2014 at 08:35
Subject: Internal ONLY
**********Important - Internal ONLY**********
File Validity: 07/21/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: Internal_report_07212015_5542093.doc
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
Friday 17 July 2015
Malware spam: "You've earned it" / "You've deserved it" etc
This is another randomly-generated round of malware spam, following on from this one.
In the samples I have seen, the attachment is called bounty.doc, Giftinfo.doc, bonus.doc, or bonusinfo.doc [VT detection rate 6/55], but the content is the same. If a potential victim opens it, the document looks like this:
If the user follows these steps, this malicious macro [pastebin] will run, infecting their machine. The Hybrid Analysis report shows the macro downloading various components from:
www.buck.tv/cms/wp-content/uploads/78672738612836.txt
www.bereciartua.com/wp-content/themes/bereciartua/78672738612836.txt
www.bereciartua.com/wp-content/themes/bereciartua/papa.txt
All of these files are actually scripts, and they appear to download a malicious executable from:
195.154.93.8/123a.exe
This has a VirusTotal detection rate of 4/55, and that same VirusTotal report shows it phoning home to:
93.185.4.90:12328/ETU2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBLGBEID
93.185.4.90:12328/ETU2/<MACHINE_NAME>/41/5/4/MEBEFEBLGBEID
We've seen 93.185.4.90 a few times recently, and it is absolutely worth blocking and/or monitoring traffic to this IP.
Date: 17 July 2015 at 16:04
Subject: You've earned it
You have done a great business for our company. Even when someone else lost their heart , you managed with those nuisances and pushed it through.
The luck completely goes to you. We pay attention how you toiled to make it great , and you deserve more except superior's thanks or compliments.
You have got big capability and capacity , and I'm personally sure that you'll renew that luck over and over again. We appreciate that we have you on our group.
Our head management couldn't find better words and would like to give you a exclusive bounty only for you. Please view this applied gift
Date: 17 July 2015 at 17:06
Subject: You've earned this
You did a great work for our group. Even when everyone else lost their heart , you met with those inconveniences and struggle it.
This success certainly appertains to you. We note how you toiled to do it perfect , and you earn more except our acknowledgements or congratulations.
You have great genius and productivity , and I'm individually sure that you'll repeat the same winning over and over again. All of us appreciate that we have you on our group.
Company's head office can't find better words and want to give you a deluxe bonus just for you. Please accept the enclosed present
Date: 17 July 2015 at 17:08
Subject: You've earned this
You did a good thing for our company. Even when everyone else lost their heart , you met with those obstacles and exert yourself to the utmost extent.
This success undoubtedly belongs to you. We note how hard you worked to do it super , and you deserve more except superior's acknowledgements or congratulations.
You have big talent and potential , and I'm individually confident that you'll repeat the same triumph over and over again. All of us appreciate that we are with you in company's group.
Our head management can't find better words and would like to make a exclusive bonus only for you. Please accept the enclosed bonus
Date: 17 July 2015 at 17:02
Subject: You've deserved it
You did a excellent work for our group. Even when someone else lost their hope , you managed with those discommodes and pushed it through.
The victory certainly goes to you. We know how you toiled to make it good , and you must get more than management's thanks or compliments.
You have got tremendous capability and performance , and I'm individually assured that you'll redo this triumph over and over again. All of us appreciate that we got you on department's group.
Company's general department couldn't find better words and want to give you a deluxe donation just for you. Please take this enclosed bounty
Malware spam: eFax message from "unknown" - 1 page(s), Caller-ID: 1-123-456-7890
This fake fax spam leads to malware:
Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but hacked site at:
breedandco.com/fileshare/FAX-1400166434-707348006719-154.zip
The ZIP file has a detection rate of 6/55 and it contains a malicious executable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55. Automated analysis [1] [2] [3] shows a characteristic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
93.185.4.90:12325/ETK7/<MACHINE_NAME>/0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90:12325/ETK7/<MACHINE_NAME>/41/5/1/GKBIMBFDBEEE
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip.dyndns.org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55] and vastuvut.exe [VT 6/55].
Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106
MD5s:
777ea29053d4e3e4eeb5689523a5ed11
2cb619f59c10a9877b672d66ab17edf9
efa2887ab892c34a5025aa3f943f49a9
debfdeb9b14dda4ed068a73b78ce5a24
From: eFax [message@inbound.efax.com]
To: administrator@victimdomain
Date: 17 July 2015 at 10:42
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-357-457-4655
Fax Message [Caller-ID: 1-357-457-4655
You have received a 1 page fax at Fri, 17 Jul 2015 15:12:25 +0530.
* The reference number for this fax is atl_did1-1400166434-67874083637-154.
Click here to view this fax using your PDF reader.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but hacked site at:
breedandco.com/fileshare/FAX-1400166434-707348006719-154.zip
Friday 10 July 2015
Malware spam: "Invoice reminder" / "morgan-motor.co.uk"
Nope, you haven't ordered an esoteric British sports car. This malware spam is not from the Morgan Motor Company, but is instead a simple forgery with a malicious attachment.
The Malwr report shows that this is the Upatre downloader, which always leads to the Dyre banking trojan. The characteristic callback pattern can be seen in the network traffic:
http://38.65.142.12:12569/RT77/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://38.65.142.12:12569/RT77/HOME/41/5/1/ELHBEDIBEHGBEHK
We've seen that IP before. Another characteristic bit of traffic (but not malicious in itself) is an HTTP request to icanhazip.com. Although this is a legitimate service for determining the client's IP address, it is also a pretty good indicator of Upatre/Dyre infection and is worth looking out for on your network.
The downloader seems to drop a modified version of itself, in this case called aloyzan.exe and also having a 3/55 detection rate. In addition, a file named whicalous.exe [VT 1/55] is dropped.
Recommended blocklist:
38.65.142.12
MD5s:
ef068f3b4e1927de34273d98c88d3abc
cd90c812c9e8a1168ecd89fb8f64ea05
99960df0cddf89e2e8eac54f371da63b
1f8e40aa49e9c3e633e450e85a888ba2
From "Marie Atkins" [Marie.Atkins@morgan-motor.co.uk]
Date Fri, 10 Jul 2015 12:50:54 +0200
Subject Invoice reminder
Please note that so far we had not received the outstanding amounts in accordance
with the invoice enclosed below.
Unfortunately, we cannot wait another week for amounts to be settled. Kindly ask
You to arrange the payment in the nearest future (2 days).
In case the funds are not received in two days we reserve the right to use legal
approaches in order to resolve this issue.
We hope You will duly react to this notification and save good business relationships
with us.
Other senders spotted are Effie.Henry@morgan-motor.co.uk and Carmine.Randolph@morgan-motor.co.uk although there are probably others. Attached is a ZIP file named invoice-ITK709415.zip [VT 13/54] which contains a malicious executable invoice-ITK709415.scr; this has a VirusTotal detection rate of 3/55.
Wednesday 8 July 2015
Malware spam: "Strange bank account operation" / "Unauthorised bank account activity" / "Illegal bank account transfer" etc
This fake financial spam comes with a malicious payload. It appears to be randomly generated in part, here are some examples:
Attached is a Word document [VT 6/55] with various filenames:
extract_of_bank_document.doc
fragment_of_bank_fax.doc
original_of_bank_report.doc
scan-copy_of_bank_document.doc
transcript_of_bank_statement.doc
All the samples I have seen have an identical document with different names, containing this malicious macro which then goes off and downloads various other components according to the Hybrid Analysis report, using the following URLs:
midwestlabradoodle.com/wp-content/plugins/really-simple-captcha/6727156315273.txt
artyouneed.com/wp-includes/theme-compat/6727156315273.txt
artyouneed.com/wp-includes/theme-compat/kaka.txt
These appear to download as a set of malicious scripts [1] [2] [3] which then download a further component from:
bluemagicwarranty.com/wp-includes/theme-compat/getrichtoday.exe
This binary has a detection rate of 3/55. The Malwr report shows that it drops two other files, named as Zlatowef.exe [VT 3/55] and redtytme4.exe [VT 9/55] and it also downloads components from:
38.65.142.12:12551/ON12/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
38.65.142.12:12551/ON12/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP is allocated to Cogent Communications in Mexico. The download is Upatre which means that the payload is almost definitely the Dyre banking trojan, even though the delivery mechanism of a Word document is unusual for Dyre.
Recommended blocklist:
38.65.142.12
midwestlabradoodle.com
artyouneed.com
bluemagicwarranty.com
MD5s:
8d547f5ef829d9033c3eb5d4ce1602c1
5cff4106fd4c393f4b935e8e97277351
21023e02a33ec1d924f489378d1f01d5
e8f2c4845008d3064948ed336c1a9852
Date: 8 July 2015 at 18:02
Subject: Strange bank account operation
Kindly be informed that bank did noticed suspect attempt of money withdrawal relating to Your debit card.
Please find enclosed bank e-mail sent by financial department on Monday.
As well attached are security details for Your review.
Michael Morgan
Senior Manager
==========
Date: 1 January 1970 at 00:00
Subject: Suspicious bank account operation
Kindly be acknowledged that bank had found unauthorised attempt of amounts withdrawal from Your credit card.
Please find enclosed bank warning provided by bank manager earlier.
Also enclosed are security details for Your affirmation.
Robin Owen
Chief accountant
==========
Date: 8 July 2015 at 17:59
Subject: Illegal bank account transfer
Kindly be informed that bank security department has found illegal attempt of money withdrawal from Your Mastercard account.
Please check the enclosed bank publication provided by banking department today.
As well attached are security details for Your approval.
Clive Adams
Tax Consultant
=========
Date: 8 July 2015 at 16:55
Subject: Strange bank account transfer
Kindly note that bank did noticed suspect attempt of amounts withdrawal related to Your Mastercard.
Please examine the enclosed bank statement sent by manager on Monday.
Furthermore attached are personal details for Your confirmation.
Martin Morgan
Tax authority
==========
Date: 8 July 2015 at 17:51
Subject: Unauthorised bank account activity
Kindly be acknowledged that bank security department had detected suspect attempt of money withdrawal related to Your debit card.
Please check the enclosed bank statement forwarded by banking department today.
In addition attached are security details for Your control.
Robin Willis
Senior Manager
Wednesday 1 July 2015
Malware spam: "Notice of Underreported Income" / "noreply@hmrc.gov.uk"
The second HMRC spam run of the day.
In this case, the link goes to bahiasteel.com/secure_storage/get_document.html however, the payload is Upatre leading to the Dyre banking trojan, as seen in this other spam run today.
From: HM Revenue and Customs [noreply@hmrc.gov.uk]
Date: 1 July 2015 at 11:36
Subject: Notice of Underreported Income
Taxpayer ID: ufwsd-000004152670UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form herc
Wednesday 24 June 2015
Malware spam: "Considerable law alternations" / "excerptum_from_the_implemented_rule.zip" / "Pamela Adams"
This fake legal spam comes with a malicious payload:
In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55.
Automated analysis tools [1] [2] [3] show malicious traffic to the following IPs:
93.185.4.90 (C2NET Przno, Czech Republic)
216.16.93.250 (Clarity Telecom LLC / PrairieWave, US)
195.34.206.204 (Radionet, Ukraine)
75.98.158.55 (Safelink Internet, US)
185.47.89.141 (Orion Telekom, Serbia)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
85.192.165.229 (Rostelecom / VolgaTelecom, Russia)
178.222.250.35 (Telekom Srbija, Serbia)
The Malwr report and Hybrid Analysis report indicate a couple of dropped files, gebadof.exe (VT 2/55 - identical to the initial file) and qppwkce.exe (VT 3/55). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.
Recommended blocklist: all eight IPs listed above.
MD5s:
a85849c45667805231f2093e2eabe89d
e91e0424ac23193461c57ac1046e7dc1
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations
Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above .
Pamela Adams
Chief accountant
Tuesday 23 June 2015
Malware spam: "Hope this e-mail finds You well" / "Stacey Grimly"
This spam comes with a malicious attachment:
check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717
The file sizes actually match the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters.
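As an added example (not the blog's own code), the mail-gateway check below handles the malformed attachment names described above: it extracts the size= value embedded in the name, compares it with the real byte length (a match is the fingerprint of this campaign), and inspects the bytes as a ZIP regardless of what the name says. The sample archive and its placeholder member are constructed; no real malware is involved.

```python
import io
import re
import zipfile

# Attachment names quoted on this page look like
#   check.zip size=57747.zipsize=57747
#   tax_663-20845-0479-435.zip size=18288.zipsize=18288
# i.e. a real name, a space, then a "size=<n>" token with ".zip" and the
# token repeated. The write-up notes that <n> equals the real byte size.
MALFORMED_RE = re.compile(
    r"^(?P<base>.+?\.zip)\s+size=(?P<n1>\d+)\.zipsize=(?P<n2>\d+)$", re.I
)
# Member extensions that should never arrive in a mailed archive.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def inspect_attachment(name, data):
    """Return findings for one attachment given its filename and raw bytes."""
    findings = {"malformed_name": False, "declared_size": None,
                "size_matches": None, "is_zip": False, "executables": []}
    m = MALFORMED_RE.match(name)
    if m:
        findings["malformed_name"] = True
        findings["declared_size"] = int(m.group("n1"))
        findings["size_matches"] = int(m.group("n1")) == len(data)
    # Trust the magic bytes, not the (possibly mangled) extension.
    findings["is_zip"] = data.startswith(b"PK\x03\x04")
    if findings["is_zip"]:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings["executables"] = [
                info.filename for info in zf.infolist()
                if info.filename.lower().endswith(EXEC_EXTS)
            ]
    return findings


def verdict(findings):
    """Map findings to a gateway action."""
    if findings["executables"]:
        return "block: archive contains an executable"
    if findings["malformed_name"]:
        return "quarantine: malformed attachment name"
    return "pass"


def build_sample_zip(member, size):
    """Constructed sample: a ZIP holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"X" * size)  # placeholder bytes, not malware
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_zip("info_bank_pdf.exe", 120)
    # Mimic the campaign's naming: declared size equals the real size.
    name = "check.zip size=%d.zipsize=%d" % (len(data), len(data))
    result = inspect_attachment(name, data)
    print(result)
    print(verdict(result))
```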
Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52 or 3/54. Automated analysis tools [1] [2] [3] indicate traffic to the following locations:
93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)
These two Malwr reports [1] [2] show dropped files named yaxkodila.exe (two versions, VT 5/54 and 5/55) plus a file jieduk.exe (VT 8/54). Incidentally, the VirusTotal analysis also throws up another IP address of:
104.174.123.66 (Time Warner Cable, US)
The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.
Recommended blocklist:
93.93.194.202
173.216.240.56
188.255.169.176
68.190.246.142
104.174.123.66
MD5s:
67f05372a34534c5892defb29ba8ead7
267e23f6430999f4b71a074835f19fb2
cebf89f088458f3e89599ae44d03cddf
cfdcb1cbe8983707287be4a03cdb88b4
880ba84222524510c9fe3b3d80429816
Date: 23 June 2015 at 14:14
Subject: Hope this e-mail finds You well
Good day!
Hope this e-mail finds You well.
Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.
Stacey Grimly,
Project Manager
Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:
check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717
Monday 22 June 2015
Malware spam: "Tax inspection notification" / "tax_663-20845-0479-435.zip size=18288.zipsize=18288"
This fake tax notification comes with a malicious payload.
Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57.
This Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:
http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP address is the same as seen in this attack earlier today and it belongs to Orion Telekom in Serbia. This VirusTotal report also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report also shows traffic to 37.57.144.177 (Triolan, Ukraine).
Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57] and sveezback.exe [VT 15/57]. The dropped payload will be the Dyre banking trojan.
Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177
MD5s:
394c56133b323ce3bf038cfc7a00562a
4e9fec8e532664672bd3a022f4f0b4ec
14b8a0f6a9258f9e73f63a4269641ca0
Date: 22 June 2015 at 19:10
Subject: Tax inspection notification
Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor
Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57.
This Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:
http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP address is the same as seen in this attack earlier today and it belongs to Orion Telekom in Serbia. This VirusTotal report also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report also shows traffic to 37.57.144.177 (Triolan, Ukraine).
Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57] and sveezback.exe [VT 15/57]. The dropped payload will be the Dyre banking trojan.
Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177
MD5s:
394c56133b323ce3bf038cfc7a00562a
4e9fec8e532664672bd3a022f4f0b4ec
14b8a0f6a9258f9e73f63a4269641ca0
Malware spam: "Shareholder alert" / "instructions.zip size=21154.zipsize=21154"
This fake financial spam comes with a malicious attachment:
The Malwr report indicates network traffic to:
http://93.93.194.202:13227/212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13227/212/HOME/41/5/1/ELHBEDIBEHGBEHK
93.93.194.202 is Orion Telekom in Serbia.
It also drops an executable xiroukiqa.exe with a detection rate of 5/56 and vusjeson.exe with a detection rate of 4/57. The VirusTotal report for the last binary also shows traffic to 64.111.36.35 (Midwest Data Center, US), which is clearly malicious according to VirusTotal.
The characteristics of this malware indicate the Upatre downloader leading to the Dyre banking trojan.
Recommended blocklist:
64.111.36.35
93.93.194.202
MD5s:
058216b2635e9c48c22eda6f9b7c83b5
6b2858d4452d97992ab78fd228c3970d
da53e58da4778515d22a96968766c3e3
Date: 22 June 2015 at 13:07
Subject: Shareholder alert
Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to resolution of the Board of Directors. Please see attached. Glen McCoy, Partner
Attached is a mis-named ZIP file called instructions.zip size=21154.zipsize=21154 containing a malicious executable instructions_document.exe which has a VirusTotal detection rate of 1/56.