Sponsored by..

Showing posts with label Viruses. Show all posts
Showing posts with label Viruses. Show all posts

Thursday 10 May 2018

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com

This fake Barclays spam seems to lead to the Trickbot banking trojan.

From:    Barclays [service@barclaysdownloads.co.uk]
Date:    10 May 2018, 13:16
Subject:    New documents available for download
Signed by:    barclaysdownloads.co.uk
Security:    Standard encryption (TLS) Learn more

Barclays Bank PLC Has Sent You Important Account Documents to Sign

You can view the document in your Barclays Cloud account. For additional security, the sender has set an open password for this document.

Documents assigned to: jlines@[redacted]
Your unique download password: "CJ98oZOwye"

To view or download the document please click here.

The submission number is id: bc7729-272sec912-91navc.
Please quote this number in any communications with Barclays.

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Barclays IBE.

Copyright 2018 Barclays PLC. All rights reserved. 

The download password and submission number are the same in all cases I have seen. Clicking the link leads to a landing page at barclaysdownloads.com.


Entering the password downloads a document AccountDocuments.doc with a VirusTotal detection rate of 14/58, and Hybrid Analysis indicates that this uses an Equation Editor flaw to run a Powershell that downloads an additional component from:

http://basedow-bilder.de/kporto.bin
http://crimefiles.net/logo.bin


The .bin file is saved as %TEMP%\lovemete.exe and this currently has a detection rate of 15/65. Hybrid Analysis indicates this is Trickbot.

barclaysdownloads.co.uk and barclaysdownloads.com have both been registered for this purpose, the latter of which is hosted at Cloudflare.

Tuesday 24 October 2017

Malware spam: "Order acknowledgement for BEPO/N1/380006006(2)"

A change to the usual Necurs rubbish, this fake order has a malformed .z archive file which contains a malicious executable with an icon to make it look like an Office document.

Reply-To:    purchase@animalagriculture.org
To:    Recipients [DY]
Date:    24 October 2017 at 06:48
Subject:    FW: Order acknowledgement for BEPO/N1/380006006(2)

Dear All,
Kindly find the attached Purchase order# IT/IMP06/06-17 and arrange to send us the order acknowledgement by return mail.

Note: Please expedite
the delivery as this item is very urgently required.


Regards,  Raj Kiran

(SUDARSHAN SS)  NAVAL SYSTEMS (S&CS)
BHARAT ELECTRONICS LIMITED  BANGALORE  PH:9180-22195857  BEL Website : www.bel-india.com SRM PORTAL :https://hpcrmp.iscodom.com/irj/portal



Every Sheets of paper is made from a tree.. Save trees... Conserve Trees.... Go Green .... Don't print this email or any Files unless you really need to!!!!
Confidentiality Notice


The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Bharat Electronics or support@bel.co.in immediately and destroy all copies of this message and any attachments.

Attached is a file Purchase order comfirmation.doc.z which contains a malicious executable Purchase order comfirmation.exe which currently has a detection rate of 12/66. It looks like the archive type does not actually match the extension..


If the intended target hides file extensions then it is easy to see how they could be fooled..

Incidentally, VirusTotal shows this information about the file:


Copyright: (c)1998 by RicoSoft
Product: System Investigation
Description: System Investigation for NT/9x
Original Name: SysInv2.exe
Internal Name: SysInv2
File Version:2.3.1.37
Comments: Freeware / Careware from RicoSoft

Obviously that's fake, but a bit of Googling around shows SysInv2.exe being used in other similar attacks.

The Hybrid Analysis for is a little interesting (seemingly identifying it as Loki Bot), showing the malware phoning home to:

jerry.eft-dongle.ir/njet/five/fre.php   (188.165.162.201 / Mizban Web Paytakht Co. Ltd., Iran)

Actually, the IP is leaded from OVH and claims to belong to dedicatedland.com in Birmingham, UK:

organisation:   ORG-MWPM1-RIPE
org-name:       Mizban Web Paytakht Mizban Web Paytakht
org-type:       OTHER
address:        55 Orion Building, 90 Navigation Street
address:        B5 4AA Birmingham
address:        GB
e-mail:         info@dedicatedland.com
abuse-mailbox:  info@dedicatedland.com
phone:          +44.7455017803
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2015-01-22T22:12:03Z
last-modified:  2015-01-22T22:12:03Z
source:         RIPE


The small 188.165.162.200/29 range is marked as "failover IPs".  The WHOIS for dedicatedland.com comes up with a bogus looking address in Massachusetts:

Registrant Email: info@dedicatedland.com
Registry Admin ID: Not Available From Registry
Admin Name: Mizban Web Paytakht LLC
Admin Organization: irnameserver.com
Admin Street: Newton Center 
Admin City: Newton Center
Admin State/Province: Massachusetts
Admin Postal Code: 00000
Admin Country: US
Admin Phone: +1.00000000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext: 


However RIPE show them as being in Tehran:
Mizban Web Paytakht Co. Ltd.

No.43, North Ekhtiyariyeh St, Ekhtiyariyeh Sqr
1958743611 Tehran
IRAN, ISLAMIC REPUBLIC OF

phone:   +98 2122587469
fax:  +98 2122761180
e-mail:  info (at) dedicatedland (dot) com
Anyway, if you are not interested in sending traffic to Iran, Mizban Web Paytakht own AS64428 which comprises of 185.165.40.0/22 as well. I'll make a guess that the 188.165.162.200/29 range
may be insecure and could be worth blocking.

The email itself originates from 104.171.114.204 which is allocated as follows:

CustName:       jason Richards
Address:        121 main street
City:           suffolk
StateProv:      VA
PostalCode:     23434
Country:        US
RegDate:        2017-01-16
Updated:        2017-01-16
Ref:            https://whois.arin.net/rest/customer/C06298370


You probably don't need to accept .z attachments at your mail perimeter, and any decent anti-spam tool should be able to look inside archives to determine was is in there.

Thursday 28 September 2017

Malware spam: "Emailing: Scan0xxx" from "Sales" delivers Locky or Trickbot

This fake document scan delivers different malware depending on the victim's location:

Subject:       Emailing: Scan0963
From:       "Sales" [sales@victimdomain.tld]
Date:       Thu, September 28, 2017 10:31 am


Your message is ready to be sent with the following file or link
attachments:

Scan0963


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a .7z file with a name matching the "Scan" part in the header and body text. MD5s of those seen so far (there may be more):

58B76A9DC942AF73CFADFAF764637A48
627A8A6C3F73365161B94ABF5472E5C0
8927AE38D6F84DF1940D0E13491015F9
1CD93386F4FD7D5771A8119C5E9E6C98
A406E870D20A5913B17C4F9D6D52CDCD
EB087BB59BEED8039FC7B7E48F099E79
1D94DC6ECAED3D33D840E61DDAD7AC07
FDB76F480AF0A8D01DA2E4A3098A549F
320401A216CC7A3BA6B9C12163B3EB60
1AC6D2DA56FAA27C60A22CFD2099435F
1BD79C90F2CC8390170A4D6231282328

Inside is a malicious VBS script (example) which exhibits a curious feature:


If you are in the UK, Australia, Ireland, Belgium or Luxembourg you get one binary [VT 12/64], everyone else gets another [VT 20/64]. My Online Security describes this in more detail - the first group get the Trickbot banking trojan and everyone gets Locky ransomware.

In the samples I saw, the Trickbot download locations were:

autoecole-jeanpierre.com/9hciunery8g?
autoecoleathena.com/9hciunery8g?
conlin-boats.com/9hciunery8g?
flooringforyou.co.uk/9hciunery8g?
fls-portal.co.uk/9hciunery8g?
fmarson.com/9hciunery8g?
freevillemusic.com/9hciunery8g?
geeks-online.de/9hciunery8g?
jakuboweb.com/9hciunery8g?
jaysonmorrison.com/9hciunery8g?
melting-potes.com/9hciunery8g?
sherylbro.net/p66/LUYTbjnrf
camerawind.com/9hciunery8g?


The Locky download locations:

americanbulldogradio.com/LUYTbjnrf?
anarakdesert.com/LUYTbjnrf?
atlantarecyclingcenters.com/LUYTbjnrf?
augustinechua.com/LUYTbjnrf?
classactionlawsuitnewscenter.com/LUYTbjnrf?
davidstephensbanjo.com/LUYTbjnrf?
e-westchesterpropertytax.com/LUYTbjnrf?
felicesfiestas.com.mx/LUYTbjnrf?
financeforautos.com/LUYTbjnrf?
mtblanc-let.co.uk/LUYTbjnrf?
plumanns.com/LUYTbjnrf?
poemsan.info/p66/d8743fgh
asnsport-bg.com/LUYTbjnrf?


There may be other locations too.

The following legitimate services are used for geolocation. They might be worth monitoring:

https://ipinfo.io/json
http://www.geoplugin.net/json.gp
http://freegeoip.net/json/


All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block or strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too.

UPDATE

A more complete list of download locations from a trusted source (thank you!)

ambrogiauto.com/9hciunery8g
autoecoleathena.com/9hciunery8g
autoecoleboisdesroches.com/9hciunery8g
autoecole-jeanpierre.com/9hciunery8g
camerawind.com/9hciunery8g
conlin-boats.com/9hciunery8g
feng-lian.com.tw/9hciunery8g
flooringforyou.co.uk/9hciunery8g
fls-portal.co.uk/9hciunery8g
fmarson.com/9hciunery8g
freevillemusic.com/9hciunery8g
geeks-online.de/9hciunery8g
givensplace.com/9hciunery8g
jakuboweb.com/9hciunery8g
jaysonmorrison.com/9hciunery8g
melting-potes.com/9hciunery8g
patrickreeves.com/9hciunery8g
sherylbro.net/p66/LUYTbjnrf

americanbulldogradio.com/LUYTbjnrf
anarakdesert.com/LUYTbjnrf
asnsport-bg.com/LUYTbjnrf
astilleroscotnsa.com/LUYTbjnrf
atlantarecyclingcenters.com/LUYTbjnrf
augustinechua.com/LUYTbjnrf
classactionlawsuitnewscenter.com/LUYTbjnrf
davidstephensbanjo.com/LUYTbjnrf
essenza.co.id/LUYTbjnrf
evlilikpsikolojisi.com/LUYTbjnrf
e-westchesterpropertytax.com/LUYTbjnrf
felicesfiestas.com.mx/LUYTbjnrf
financeforautos.com/LUYTbjnrf
fincasoroel.es/LUYTbjnrf
kailanisilks.com/LUYTbjnrf
mediatrendsistem.com/LUYTbjnrf
modaintensa.com/LUYTbjnrf
mtblanc-let.co.uk/LUYTbjnrf
plumanns.com/LUYTbjnrf
poemsan.info/p66/d8743fgh

Tuesday 26 September 2017

Malware spam: "AutoPosted PI Notifier"

This spam has a .7z file leading to Locky ransomware.
From:      "AutoPosted PI Notifier" [NoReplyMailbox@redacted.tld]
Subject:      Invoice PIS9344608
Date:      Tue, September 26, 2017 5:29 pm

Please find Invoice PIS9344608 attached.
The number referenced in the spam varies, but attached is a .7z archive file with a matching filename. In turn, this contains one of a number of malicious VBS scripts (like this) that download an executable from one of the following locations (thanks to a trusted source for these):

camerawind.com/jkhguygv73
envirotambang.com/jkhguygv73
fianceevisa101.com/jkhguygv73
fiancevisacover.com/jkhguygv73
financeforautos.com/jkhguygv73
fincasoroel.es/jkhguygv73
fmarson.com/jkhguygv73
formareal.com/jkhguygv73
fwbcondo.com/jkhguygv73
gaestehaus-im-vogelsang.de/jkhguygv73
gbvm.nl/jkhguygv73
geeks-online.de/jkhguygv73
playbrief.info/p66/jkhguygv73

The dropped file currently has a detection rate of 21/63. There are no C2s.

Thursday 21 September 2017

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject:       Invoice RE-2017-09-21-00794
From:       "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date:       Thu, September 21, 2017 9:21 am
Priority:       Normal

------------- Begin message -------------

Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace

==



[commMgrHmdToken:EVDOOCETFBECA]

------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid
for through our Amazon Payments system via our Shopping Cart or 1-Click. Our
Guarantee does not cover any payments that occur off Amazon.co.uk including wire
transfers, money orders, cash, check, or off-site credit card transactions.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=3149571).



[commMgrTok:EVDOOCETFBECA]
Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58 and they can been seen attempted to download a component from:

ahlbrandt.eu/IUGiwe8?
fulcar.info/p66/IUGiwe8
accuflowfloors.com/IUGiwe8?
aetozi.gr/IUGiwe8?
agricom.it/IUGiwe8?


An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1] [2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).

UPDATE - additional download locations:
81552.com/IUGiwe8
adr-werbetechnik.de/IUGiwe8
afmance.it/IUGiwe8
afradem.com/IUGiwe8
agriturismobellaria.net/IUGiwe8
agro-kerler.de/IUGiwe8
moonmusic.com.au/IUGiwe8

Monday 18 September 2017

Malware spam: "Status of invoice" with .7z attachment

This spam leads to Locky ransomware:

Subject:       Status of invoice
From:       "Rosella Setter" ordering@[redacted]
Date:       Mon, September 18, 2017 9:30 am

Hello,

Could you please let me know the status of the attached invoice? I
appreciate your help!

Best regards,

Rosella Setter

Tel: 206-575-8068 x 100

Fax: 206-575-8094

*NEW*   Ordering@[redacted].com

* Kindly note we will be closed Monday in observance of Labor Day *


The name of the sender varies. Attached is a .7z arhive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename (examples here and here).


Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:





yildizmakina74.com/87thiuh3gfDGS?
miliaraic.ru/p66/87thiuh3gfDGS?
lanzensberger.de/87thiuh3gfDGS?
web-ch-team.ch/87thiuh3gfDGS?
abelfaria.pt/87thiuh3gfDGS?

An executable is dropped with a detection rate of 19/64 which Hybrid Analysis shows is phoning home to:

91.191.184.158/imageload.cgi (Monte Telecom, Estonia)
195.123.218.226/imageload.cgi (Layer 6, Bulgaria)


.7z files are popular with the bad guys pushing Locky at the moment. Blocking them at your mail perimiter may help.

Recommended blocklist:
195.123.218.226
91.191.184.158



Tuesday 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

https://dropbox.com/file/9A30AA
--
Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA

Members of the CAERUS Capital Group

www.tayloredgroup.co.uk

Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system. 
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6]  shows Locky ransomware attempting to phone home to the following locations:

91.234.35.170/imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75/imageload.cgi (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24

Friday 25 August 2017

Malware spam: "Voicemail Service" / "New voice message.."

The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.

Subject:       New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From:       "Voicemail Service" [vmservice@victimdomain.tdl]
Date:       Fri, August 25, 2017 12:36 pm

Dear user:

just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service
Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too. These are the MD5s I've seen so far for the RAR files themselves:

04059E14170996725CD2ED2324E485F2
0839A18B1F5C1D09F3DF3DC260C07194
0BD5C04D2680B5C8A801B4C2E73BECCD
12D1FC37D223E823C80CF052920DA9AB
1AA539798341930B5492764F2D668987
1ADFF05EEA041B34682FD92CDE45DBFA
1CCF7445D771B7F803E95090E96D0EB2
20162EC71639C4A9080C24B253F5FDFF
24133B658F7730205BCC5789B4CA30F1
42947EBFEFFA9A5CFA3AADDA7EADA572
4AC35594445EB22FE6971A5F81EAB761
4D4DBBCEC5B48EBA30D7B09F994BC009
54E7C8863E161D5A601230E3CD590134
556A6FC4D5607210FA7EF3CAF3CE59D6
645C4FB3BE1A8B1188E8B5A54B1BC011
80D9CEBB286D79955F18013DD3415EEF
8C9B20A61368E8956B6C49DA9AFF30D1
9739211AD009B97EBE0DF353AB11BEB5
9CDDA6C72F41039340E450FA4374E748
A9C0D2F356C455EB40B707D570D27318
BAF4482ED9F6DEE8CBE6F69366AAC434
EA7D52C3328A5A8A0C8334AE3E3C580C
FEC76C943E1252D0DE7D6B7936510B9D


The VBS script is similar to this (variable names seem to change mostly) with a detection rate of about 15/59. Hybrid Analysis shows it dropping a Locky executable with a 18/65 detection rate which phones home to 46.17.44.153/imageload.cgi (Baxnet, Russia) which I recommend that you block.

Malware spam: "Your Sage subscription invoice is ready" / noreply@sagetop.com

This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery.

Subject:       Your Sage subscription invoice is ready
From:       "noreply@sagetop.com" [noreply@sagetop.com]
Date:       Thu, August 24, 2017 8:49 pm

Dear Customer

Your Sage subscription invoice is now ready to view.

Sage subscriptions

To view your Sage subscription invoice click here 

Got a question about your invoice?

Call us on 0845 111 6604

If you're an Accountant, please call 0845 111 1197
If you're a Business Partner, please call 0845 111 7787

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service
message, not a marketing communication. This email was sent from an address that
cannot accept replies. Please use the contact details above if you need to get in
touch with us.

The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.

helpmatheogrow.com/SINV0709.rar
hendrikvankerkhove.be/SINV0709.rar
heinverwer.nl/SINV0709.rar
help.ads.gov.ba/SINV0709.rar
harvia.uz/SINV0709.rar

The RAR file itself contains a malicious VBS script that looks like this [pastebin] with a detection rate of 19/56, which attempts to download another component from:

go-coo.jp/HygHGF
hausgerhard.com/HygHGF
hausgadum.de/HygHGF
bromesterionod.net/af/HygHGF
hartwig-mau.de/HygHGF
hecam.de/HygHGF
haboosh-law.com/HygHGF
hbwconsultants.nl/HygHGF
hansstock.de/HygHGF
heimatverein-menne.de/HygHGF

Automated analysis of the file [1] [2] shows a dropped binary with a 39/64 detection rate, POSTing to 46.183.165.45/imageload.cgi  (Reg.Ru, Russia)

Recommended blocklist:
46.183.165.45




Thursday 24 August 2017

Multiple badness on metoristrontgui.info / 119.28.100.249

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.

Subject:       New BT Bill
From:       "BT Business" [btbusiness@bttconnect.com]
Date:       Thu, August 24, 2017 6:08 pm
Priority:       Normal

From BT
New BT Bill

Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.

We've put your latest BT bill for you to view. See your bill here


We'll take your payment from your account as usual by Direct Debit.

Reduce paper waste
You're still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?


Need some help?
Go to www.bt.com/business/support.

Thanks for choosing BT.

Robena Morath
CEO, BT Business

Payment processing fee: BT Payment Services Ltd, a BT Group Company, charges this fee.
This or confidential. It's meant only for the individual(s) email contains BT information, which may be privileged or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.

And a simpler one..

From:    Dianna Mcgrew
Date:    24 August 2017 at 14:50
Subject:    Bill-9835

Hi,

Here is a copy of your bill.

Thank you & have a great weekend!
Most (but not all) of the samples I  have seen then lead to a single website to download the malicious payload, for example:

http://metoristrontgui.info/af/download.php
http://metoristrontgui.info/af/bill-201708.rar
http://metoristrontgui.info/af/bill-201708.7z

metoristrontgui.info is hosted on 119.28.100.249 (Tencent, China) which is an IP we've seen a few times recently [1] [2]. Let's check out that WHOIS:

Domain Name: METORISTRONTGUI.INFO
Registry Domain ID: D503300000042955753-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.eranet.com
Updated Date: 2017-08-24T14:02:07Z
Creation Date: 2017-08-24T13:24:23Z
Registry Expiry Date: 2018-08-24T13:24:23Z
Registrar Registration Expiration Date:
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C208152073-LRMS
Registrant Name: Robert Ruthven
Registrant Organization: Gamblin Artists Colors
Registrant Street: 323 SE Division Pl
Registrant City: Portland
Registrant State/Province: OR
Registrant Postal Code: 97202
Registrant Country: US
Registrant Phone: +1.5034359411
Registrant Phone Ext:
Registrant Fax: +1.5034359411
Registrant Fax Ext:
Registrant Email: jenniemarc@mail.com
Registry Admin ID: C208152073-LRMS
Admin Name: Robert Ruthven
Admin Organization: Gamblin Artists Colors
Admin Street: 323 SE Division Pl
Admin City: Portland
Admin State/Province: OR
Admin Postal Code: 97202
Admin Country: US
Admin Phone: +1.5034359411
Admin Phone Ext:
Admin Fax: +1.5034359411
Admin Fax Ext:
Admin Email: jenniemarc@mail.com
Registry Tech ID: C208152073-LRMS
Tech Name: Robert Ruthven
Tech Organization: Gamblin Artists Colors
Tech Street: 323 SE Division Pl
Tech City: Portland
Tech State/Province: OR
Tech Postal Code: 97202
Tech Country: US
Tech Phone: +1.5034359411
Tech Phone Ext:
Tech Fax: +1.5034359411
Tech Fax Ext:
Tech Email: jenniemarc@mail.com
Registry Billing ID: C208152073-LRMS
Billing Name: Robert Ruthven
Billing Organization: Gamblin Artists Colors
Billing Street: 323 SE Division Pl
Billing City: Portland
Billing State/Province: OR
Billing Postal Code: 97202
Billing Country: US
Billing Phone: +1.5034359411
Billing Phone Ext:
Billing Fax: +1.5034359411
Billing Fax Ext:
Billing Email: jenniemarc@mail.com
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/


VirusTotal confirms a lot of badness here, with all of these evil domains on the same server:

drommazxitnnd7gsl.com
74jhdrommdtyis.net
rtozottosdossder.net
kabbionionsesions.net
ttytreffdrorseder.net
tyytrddofjrntions.net
mjhsdgc872bf432rdf.net
yrns7sg3kdn94hskxhbf.net
trmbobodortyuoiyrt.org
metoristrontgui.info
fsroosionsoulsda.info
aldirommestorr887.info
droohsdronfhystgfh.info

Downloads from this site can be a bit slow, unsurprisingly. The dropped EXE seems to be Locky ransomware with a detection rate of 19/65. Hybrid Analysis shows the sample POSTing to 185.179.190.31/imageload.cgi (Webhost LLC, Russia)

Recommended minimum blocklist:
185.179.190.31
119.28.100.249




Wednesday 23 August 2017

Malware spam: "Customer Service" / "Copy of Invoice xxxx"

This fairly generic spam leads to the Locky ransomware:

Subject:       Copy of Invoice 3206
From:       "Customer Service"
Date:       Wed, August 23, 2017 9:12 pm


Please download file containing your order information.

If you have any further questions regarding your invoice, please call Customer Service.


Please do not reply directly to this automatically generated e-mail message.

Thank you.
Customer Service Department
A link in the email downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis has seen it all before. The download EXE (VT 21/64) script POSTS to 5.196.99.239/imageload.cgi (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler last year, so I would recommend blocking all traffic to 5.196.99.0/24.

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx - name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP.

Subject:       Voice Message Attached from 001396445685 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:22 am

Time: Wed, 23 Aug 2017 14:52:12 +0530
Download <http://tyytrddofjrntions.net/af/VM20170823_193908.zip> file to listen
Voice Message

Subject:       Voice Message Attached from 055237805419 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:21 am

Time: Wed, 23 Aug 2017 14:51:13 +0530
Download <http://mjhsdgc872bf432rdf.net/af/VM20170823_193908.rar> file to listen
Voice Message
Both download locations of tyytrddofjrntions.net and mjhsdgc872bf432rdf.net are hosted on 119.28.100.249 (Tencent, CN). This same IP was seen in this other recent spam run. Both the RAR and ZIP downloads (detection rate about 18/59 [1] [2]) contain the same malicious VBS script [pastebin]. The script tries to download an additional component from one of the following locations:

grlarquitectura.com/Mvgjh67?
grundschulmarkt.com/Mvgjh67?
aldirommestorr887.info/af/Mvgjh67?
grupoegeria.net/Mvgjh67?
gestionale-orbit.it/Mvgjh67?
gdrural.com.au/Mvgjh67?
geocean.co.id/Mvgjh67?
grupoajedrecisticoaleph.com/Mvgjh67?
grupofergus.com.bo/Mvgjh67?
gruppostolfaedilizia.it/Mvgjh67?

You'll note that most of those download locations start with "gr" which indicates that this is just a small subset of hacked servers under the control of the bad guys.

Automated analysis [3] [4] shows a dropped file with a VirusTotal detection rate of 14/64 (probably Locky). Those same analyses show traffic being sent to:

62.109.16.214/imageload.cgi (TheFirst-RU, RU - hostname: gpodlinov.letohost.com)
5.196.99.239/imageload.cgi (Just Hosting, RU - hostname: noproblem.one)

UPDATE:  Several other IPs in the 5.196.99.0/24 range have been used to host malware in the past. I would recommend blocking the entire /24.

Recommended blocklist:
119.28.100.249
62.109.16.214
5.196.99.0/24


Tuesday 22 August 2017

Malware spam from "Voicemail Service" [pbx@local]

This fake voicemail leads to malware:

Subject:       [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From:       "Voicemail Service" [pbx@local]
Date:       Tue, August 22, 2017 10:37 am
To:       "Evelyn Medina"
Priority:       Normal

Dear user:

        just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service

The numbers and details vary from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 14/59.

According to automated analysis [1] [2] the script reaches out to the following URLs:

5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]

A ransomware component is dropped (probably Locky) with a detection rate of 16/64.




Monday 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*


Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249

Tuesday 18 July 2017

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity
   
   
ACCOUNT NO
******969    
   
Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

       
    Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.
   
       
If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

   
Spam Policy   |  Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.


In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]
The secondis a malicious Word document, in this case named 11969_201727.doc. Opening it comes up with a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), downloading a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] with the others shows potentialy malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)


Malware delivered in this was is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95




Monday 5 June 2017

Malware spam: "John Miller Limited" / "Invoice"

This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does not match the company being spoofed, and varies from message to message.

From:    Felix Holmes
Date:    5 June 2017 at 10:20
Subject:    Invoice


Regards



Felix Holmes

cid:image001.jpg@01D00F00.660A92D0
Kirkburn Ind. Estate
Lockerbie
Dumfries and Galloway
DG11 2FF

Tel – 01576 208 741 (Accounts) 01576 208 747 (Main line)
Fax – 01576 208 748
Ext – 1008/1006
‘’New Website launched 30.05.2014 – visit www.[redacted].uk’’


Attached is a PDF file with a name similar to A4 Inv_Crd 914605.pdf - opening it up (NOT recommended) displays something fairly minimal.

The attachment currently has a detection rate of about 9/56. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis shows the malicious file downloading a component from cartus-imprimanta.ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other variants possibly exist.


A file is dropped (in the HA report called miniramon8.exe) at detection rate of 11/61. According to the Hybrid Analysis report, that attempts tom communicate with the following IPs:

192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)


The payload is not clear at this time, but it will be nothing good.

Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177



Thursday 11 May 2017

Malware spam with "nm.pdf" attachment

Currently underway is a malicious spam run with various subjects, for example:

Scan_5902
Document_10354
File_43359


Senders are random, and there is no body text. In all cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED or 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].

The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful, but it shows a run-time error for the malicious code, but it does demonstrate that malicious .docm file is dropped with a detection rate of 15/58.

Putting the .docm file back into Hybrid Analysis and Malwr [5] [6] shows the same sort of results, namely a download from:

easysupport.us/f87346b

Given that this seems to be coming from the Necurs botnet, this is probably Locky or Dridex.

UPDATE

A contact pointed out this Hybrid Analysis which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which matches this Tweet about something called "Jaff ransomware".

That report also gives two other locations to look out for:

trialinsider.com/f87346b
fkksjobnn43.org/a5/


This currently gives a recommended blocklist of:
47.91.107.213
trialinsider.com
easysupport.us

Tuesday 2 May 2017

Malware spam: DHL Shipment 458878382814 Delivered

Another day and another fake DHL message leading to an evil .js script.

From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
To: [redacted]
Subject: DHL Shipment 458878382814 Delivered

You can track this order by clicking on the following link:
https://www.dhl.com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother

Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.

All weights are estimated.

The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.

This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.

Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.

In this case the link goes to parkpaladium.com/DHL24/18218056431/  and downloads a file DHL-134843-May-02-2017-55038-8327373-1339347112.js which looks like this.

According to Malwr and Hybrid Analysis the script downloads a binary from micromatrices.com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38  - UK2, UK) and then subsequently attempts communication with

75.25.153.57 (AT&T, US)
79.170.95.202 (XL Internet Services, Netherlands)
87.106.148.126 (1&1, Germany)
78.47.56.162 (Mediaforge, Germany)
81.88.24.211 (dogado GmbH, Germany)
92.51.129.235 (Host Europe, Germany)
74.50.57.220 (RimuHosting, US)


The dropped binary has a VirusTotal detection rate of 10/60.

Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220

Thursday 27 April 2017

Malware spam: Scotiabank / "Secure email communication" / Secure.Mail@scotiabankmail.com

This fake financial spam leads to malware:

From:    ScotiaBank [Secure.Mail@scotiabankmail.com]
Date:    27 April 2017 at 14:13
Subject:    Secure email communication
Signed by:    scotiabankmail.com


Scotia Secure Email Logo
Secure mail waiting: (Secure)
Scotiabank has sent you a secure, encrypted e-mail message. To view this e-mail, please visit "Scotiabank Secure Email Service" or check attach file. For further information on how to use this service please reffer to "the Secure Email User Guide".
The email you receive from Scotiabank, including any attachments, may contain confidential and/or privileged information for the intended recipient(s) only and the sender does not waive any related legal rights or privilege. Any use or disclosure of the information by an unintended recipient is unauthorized and prohibited. If you have received an email message in error, please delete the entire message, including attachments if any, and inform us by return email. 

Opening the attached document SecureMail.doc leads to a simple page that tries to get you to enable Active Content (not recommended!).

Hybrid Analysis shows a download from elevationstairs.ca/fonts/dde60c5776c175c54d23d2b0c.png [70.33.246.140 - Host Papa, US] leading to a dropped file Pscou.exe which has a detection rate of 11/61 and appears to be Upatre.

Malwr Analysis of the downloaded file shows attempted communications to:

82.146.94.86 (Ringnett, Norway)
8.254.243.46 (Level 3, US)
217.31.111.153 (Ringnett, Norway)


scotiabankmail.com has been registered specifically for this attack, or you can block the sending IP of 89.40.216.186 (City Network Hosting AB, Sweden)

Recommended blocklist:
scotiabankmail.com [email]
89.40.216.186 [email]
70.33.246.140
82.146.94.86
8.254.243.46
217.31.111.153

Malware spam: Royal Mail Grоup / "Delivery attempt fail notice"

This fake Royal Mail email leads to malware.

From: Aretha Stickles [mailto:support@360modshop.com]
Sent: 27 April 2017 12:31
Subject: Delivery attempt fail notice

Dеаr customеr [redacted]

Your pаrcel has been in the post office for a very long time.
You must to receive it it within five days.

TRACKING: RB379949016UK
Expeсted Delivery Dаte: April 21, 2017
Class: Packagе Servicеs
Sеrvicе: Delivery Confirmatiоn
Stаtus: eNote Sent
Tо downloаd thе shipping invоicе, visit the link:

http://www.rоyalmail.cоm/business/services/sending/parcels-uk/3463434535

If you do not take it within the specified time, we will have to return it to the sender.
Please print out an order for your pack and take it at the post office.

Kind Regards,

© Royal Mail Grоup Ltd. 2017. All rights rеsеrved

Despite the link appearing to be from "royalmail.com" it's actually a Google redirector..

https://www.google.com/url?hl=ru&q=http://centregold.org&source=gmail&ust=1493375994142000&usg=AFQjCNHEBmT_B17AS-dHem213ejXdbjNAg#bkfhzzat

This bounces to centregold.org [185.133.40.23 - Krek Ltd, Russia] then a load balancer at rns.tobeylabs.com/tracking/delivery/tracking.php?id=554 [31.148.219.65 - KingServers, Netherlands] then either http://booniff.com/delivery/Pack_9356667UK.zip [216.24.167.58 - Amino Communications, US] or https://purolator.topatlantanursinghomelawyer.com/tracking/parcel/Notification_37352742UK.zip [185.159.80.100 - KingServers, Netherlands].

Note that the name of the .ZIP is generated dynamically, so there is some variation in filenames.

Inside the ZIP files is a malicious script (e.g. Pack_9356667UK.js) which according to Hybrid Analysis then communicates with a website at 31.148.219.208 [the same KingServers /24 as before!] and it drops a file mstsc.exe with VirusTotal detection rate of 11/57.

Recommended blocklist:
31.148.219.0/24
185.133.40.0/24
185.159.80.0/24
216.24.167.58