Sponsored by..

Showing posts with label Viruses. Show all posts
Showing posts with label Viruses. Show all posts

Tuesday, 22 August 2017

Malware spam from "Voicemail Service" [pbx@local]

This fake voicemail leads to malware:

Subject:       [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From:       "Voicemail Service" [pbx@local]
Date:       Tue, August 22, 2017 10:37 am
To:       "Evelyn Medina"
Priority:       Normal

Dear user:

        just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service

The numbers and details vary from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 14/59.

According to automated analysis [1] [2] the script reaches out to the following URLs:

5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]

A ransomware component is dropped (probably Locky) with a detection rate of 16/64.




Monday, 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*


Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249

Tuesday, 18 July 2017

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity
   
   
ACCOUNT NO
******969    
   
Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

       
    Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.
   
       
If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

   
Spam Policy   |  Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.


In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]
The secondis a malicious Word document, in this case named 11969_201727.doc. Opening it comes up with a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), downloading a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] with the others shows potentialy malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)


Malware delivered in this was is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95




Monday, 5 June 2017

Malware spam: "John Miller Limited" / "Invoice"

This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does not match the company being spoofed, and varies from message to message.

From:    Felix Holmes
Date:    5 June 2017 at 10:20
Subject:    Invoice


Regards



Felix Holmes

cid:image001.jpg@01D00F00.660A92D0
Kirkburn Ind. Estate
Lockerbie
Dumfries and Galloway
DG11 2FF

Tel – 01576 208 741 (Accounts) 01576 208 747 (Main line)
Fax – 01576 208 748
Ext – 1008/1006
‘’New Website launched 30.05.2014 – visit www.[redacted].uk’’


Attached is a PDF file with a name similar to A4 Inv_Crd 914605.pdf - opening it up (NOT recommended) displays something fairly minimal.

The attachment currently has a detection rate of about 9/56. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis shows the malicious file downloading a component from cartus-imprimanta.ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other variants possibly exist.


A file is dropped (in the HA report called miniramon8.exe) at detection rate of 11/61. According to the Hybrid Analysis report, that attempts tom communicate with the following IPs:

192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)


The payload is not clear at this time, but it will be nothing good.

Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177



Thursday, 11 May 2017

Malware spam with "nm.pdf" attachment

Currently underway is a malicious spam run with various subjects, for example:

Scan_5902
Document_10354
File_43359


Senders are random, and there is no body text. In all cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED or 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].

The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful, but it shows a run-time error for the malicious code, but it does demonstrate that malicious .docm file is dropped with a detection rate of 15/58.

Putting the .docm file back into Hybrid Analysis and Malwr [5] [6] shows the same sort of results, namely a download from:

easysupport.us/f87346b

Given that this seems to be coming from the Necurs botnet, this is probably Locky or Dridex.

UPDATE

A contact pointed out this Hybrid Analysis which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which matches this Tweet about something called "Jaff ransomware".

That report also gives two other locations to look out for:

trialinsider.com/f87346b
fkksjobnn43.org/a5/


This currently gives a recommended blocklist of:
47.91.107.213
trialinsider.com
easysupport.us

Tuesday, 2 May 2017

Malware spam: DHL Shipment 458878382814 Delivered

Another day and another fake DHL message leading to an evil .js script.

From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
To: [redacted]
Subject: DHL Shipment 458878382814 Delivered

You can track this order by clicking on the following link:
https://www.dhl.com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother

Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.

All weights are estimated.

The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.

This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.

Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.

In this case the link goes to parkpaladium.com/DHL24/18218056431/  and downloads a file DHL-134843-May-02-2017-55038-8327373-1339347112.js which looks like this.

According to Malwr and Hybrid Analysis the script downloads a binary from micromatrices.com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38  - UK2, UK) and then subsequently attempts communication with

75.25.153.57 (AT&T, US)
79.170.95.202 (XL Internet Services, Netherlands)
87.106.148.126 (1&1, Germany)
78.47.56.162 (Mediaforge, Germany)
81.88.24.211 (dogado GmbH, Germany)
92.51.129.235 (Host Europe, Germany)
74.50.57.220 (RimuHosting, US)


The dropped binary has a VirusTotal detection rate of 10/60.

Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220

Thursday, 27 April 2017

Malware spam: Scotiabank / "Secure email communication" / Secure.Mail@scotiabankmail.com

This fake financial spam leads to malware:

From:    ScotiaBank [Secure.Mail@scotiabankmail.com]
Date:    27 April 2017 at 14:13
Subject:    Secure email communication
Signed by:    scotiabankmail.com


Scotia Secure Email Logo
Secure mail waiting: (Secure)
Scotiabank has sent you a secure, encrypted e-mail message. To view this e-mail, please visit "Scotiabank Secure Email Service" or check attach file. For further information on how to use this service please reffer to "the Secure Email User Guide".
The email you receive from Scotiabank, including any attachments, may contain confidential and/or privileged information for the intended recipient(s) only and the sender does not waive any related legal rights or privilege. Any use or disclosure of the information by an unintended recipient is unauthorized and prohibited. If you have received an email message in error, please delete the entire message, including attachments if any, and inform us by return email. 

Opening the attached document SecureMail.doc leads to a simple page that tries to get you to enable Active Content (not recommended!).

Hybrid Analysis shows a download from elevationstairs.ca/fonts/dde60c5776c175c54d23d2b0c.png [70.33.246.140 - Host Papa, US] leading to a dropped file Pscou.exe which has a detection rate of 11/61 and appears to be Upatre.

Malwr Analysis of the downloaded file shows attempted communications to:

82.146.94.86 (Ringnett, Norway)
8.254.243.46 (Level 3, US)
217.31.111.153 (Ringnett, Norway)


scotiabankmail.com has been registered specifically for this attack, or you can block the sending IP of 89.40.216.186 (City Network Hosting AB, Sweden)

Recommended blocklist:
scotiabankmail.com [email]
89.40.216.186 [email]
70.33.246.140
82.146.94.86
8.254.243.46
217.31.111.153

Malware spam: Royal Mail Grоup / "Delivery attempt fail notice"

This fake Royal Mail email leads to malware.

From: Aretha Stickles [mailto:support@360modshop.com]
Sent: 27 April 2017 12:31
Subject: Delivery attempt fail notice

Dеаr customеr [redacted]

Your pаrcel has been in the post office for a very long time.
You must to receive it it within five days.

TRACKING: RB379949016UK
Expeсted Delivery Dаte: April 21, 2017
Class: Packagе Servicеs
Sеrvicе: Delivery Confirmatiоn
Stаtus: eNote Sent
Tо downloаd thе shipping invоicе, visit the link:

http://www.rоyalmail.cоm/business/services/sending/parcels-uk/3463434535

If you do not take it within the specified time, we will have to return it to the sender.
Please print out an order for your pack and take it at the post office.

Kind Regards,

© Royal Mail Grоup Ltd. 2017. All rights rеsеrved

Despite the link appearing to be from "royalmail.com" it's actually a Google redirector..

https://www.google.com/url?hl=ru&q=http://centregold.org&source=gmail&ust=1493375994142000&usg=AFQjCNHEBmT_B17AS-dHem213ejXdbjNAg#bkfhzzat

This bounces to centregold.org [185.133.40.23 - Krek Ltd, Russia] then a load balancer at rns.tobeylabs.com/tracking/delivery/tracking.php?id=554 [31.148.219.65 - KingServers, Netherlands] then either http://booniff.com/delivery/Pack_9356667UK.zip [216.24.167.58 - Amino Communications, US] or https://purolator.topatlantanursinghomelawyer.com/tracking/parcel/Notification_37352742UK.zip [185.159.80.100 - KingServers, Netherlands].

Note that the name of the .ZIP is generated dynamically, so there is some variation in filenames.

Inside the ZIP files is a malicious script (e.g. Pack_9356667UK.js) which according to Hybrid Analysis then communicates with a website at 31.148.219.208 [the same KingServers /24 as before!] and it drops a file mstsc.exe with VirusTotal detection rate of 11/57.

Recommended blocklist:
31.148.219.0/24
185.133.40.0/24
185.159.80.0/24
216.24.167.58



Wednesday, 19 April 2017

Malware spam: "Copy of your 123-reg invoice" / no-reply@123-reg.co.uk

This fake financial spam does not come from 123-Reg (nor is it sent to 123-Reg customers). It has a malicious attachment.

From     no-reply@123-reg.co.uk
Date     Wed, 19 Apr 2017 17:19:51 +0500
Subject     Copy of your 123-reg invoice ( 123-093702027 )

Hi [redacted],

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg
Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.
https://www.123-reg.co.uk
The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf).

This PDF file appears to drop an Office document according to VirusTotal results.

Hybrid Analysis shows the document dropping a malicious executable with a detection rate of 15/61. It appears to contact the following IPs (some of which contain legitimate sites):

216.87.186.15 (Affinity Internet, US)
216.177.132.93 (Alentus Corporation, US)
152.66.249.132 (Budapest University of Technology and Economics, Budapest)
85.214.113.207 (Strato AG, Germany)
192.184.84.119 (RamNode LLC, US)

The general prognosis seems to be that this is dropping the Dridex banking trojan.

Recommended blocklist:
216.87.186.15
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119



Monday, 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36




Thursday, 13 April 2017

Malware spam: "Company Documents" / WebFilling@companieshousemail.co.uk and companieshouseemail.co.uk plus others

This spam email does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From:    Companies House [WebFilling@companieshousemail.co.uk]
Date:    13 April 2017 at 11:10
Subject:    Company Documents
Signed by:    companieshousemail.co.uk



CH Logo

Company Documents

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.

Please note: all forms must be answered or the form will be returned.

Service Desk tel +44 (0)303 8097 432 or email enquiries@companieshouse.gov.uk

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
 
Companies House 
Crown way
Maindy
Cardiff
CF14 3UZ
Crown Logo



Documents.doc
48K



---

I observed the email coming from the fake domains companieshousemail.co.uk and companieshouseemail.co.uk  but it looks like there may be more. Email is being send from servers in the 94.237.36.0/24 range (Upcloud Ltd, Finland) and I can see other servers set up to do the same thing:

companieshouseemail.co.uk  94.237.36.104
companieshouseemail.co.uk  94.237.36.145
companieshousemail.co.uk  94.237.36.146
companieshousemail.co.uk  94.237.36.147
companieshousesecure.co.uk  94.237.36.150
companieshousesecure.co.uk  94.237.36.151


Blocking email from the entire 94.237.36.0/24 range at least temporarily might be prudent.

The WHOIS details for these indicate they were registered today with presumably fake details, but that the registrar Nominet have somehow "verified".

Registrant:
Charlene hogg

Registrant type:
Unknown

Registrant's address:
37 Maberley Road
London
SE19 2JA
United Kingdom

Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 13-Apr-2017

Registrar:
GoDaddy.com, LLP. [Tag = GODADDY]
URL: http://uk.godaddy.com

Relevant dates:
Registered on: 13-Apr-2017
Expiry date:  13-Apr-2019
Last updated:  13-Apr-2017

Registration status:
Registered until expiry date.

Name servers:
ns29.domaincontrol.com
ns30.domaincontrol.com
All the attachments I have seen are the same with a current detection rate of 6/55. Hybrid Analysis of the document shows it downloading a component from shuswapcomputer.ca/images/banners/bannerlogo.png and a malicious executable %APPDATA%\pnwshqr.exe is dropped with a detection rate of 14/62.

Automated analysis of the binary [1] [2] show potentially malicious traffic going to:

107.181.161.221 (Total Server Solutions, US)
185.25.51.118 (Informacines sistemos ir technologijos UAB aka bacloud,com, Lithuania)


There are probably other destinations too. The payload appears to be Dyre / Dyreza.

Recommended blocklist:
94.237.36.0/24 (temporary email block only)
shuswapcomputer.ca
185.25.51.118
107.181.161.221





Tuesday, 11 April 2017

Malware spam: "DHL Urgent Delivery"

This fake DHL spam includes the recipients real name. In this case it was sent to someone in Germany, but written in English. The malware payload is identical to this one in Polish.

Von: DHL Parcel [mailto:info@glaefcke.de]
Gesendet: Dienstag, 11. April 2017 11:03
An: [redacted]
Betreff: DHL Urgent Delivery

YOUR DELIVERY IS TODAY


Hi, [redacted]

The scheduled delivery is Tue Apr 11 2017 before End of Day.

Please check your shipment and contact details below. If you need to make a change or track your shipment, click

http://nolp.dhl.com/set_identcodes.do&email=[redacted] . (JS-Document)
SHIPMENT CONTENTS:DELIVERY INFORMATION


Shipment number: 9670515551
Scheduled Delivery Date: Tue Apr 11 2017
Delivery Time: before End of Day
Email Address: [redacted]

Thank you for using On Demand Delivery.

DHL Express - Excellence. Simply delivered. 


Malware spam: "Sprawdź stan przesylki DHL"

This spam targeting Polish victims seems quite widespread. It leads to malware. The email is personalised with the victim's real name which has been harvested from somewhere.

From: DHL Express (Poland) [mailto:biuro@nawigatorxxi.pl]
Sent: Monday, April 10, 2017 7:09 PM
To: [redacted]
Subject: Sprawdź stan przesylki DHL

Sprawdź stan przesylki DHL
Szanowny Kliencie, [redacted]

Informujemy, że w serwisie DHL24 zostało zarejestrowane zlecenie realizacji przesyłki, której jesteś odbiorcą.

Dane zlecenia:
- numer zlecenia:
9653788657

- data złożenia zlecenia:
poniedziałek, 10. kwietnia

Informacje o aktualnym statusie przesyłki znajdziesz na http://dhl24.com.pl/report.html&report=JavaScript&email=[redacted]. (JavaScript Raport)

Niniejsza wiadomość została wygenerowana automatycznie.

Dziękujemy za skorzystanie z naszych usług i aplikacji DHL24.

DHL Parcel (Poland)

UWAGA: Wiadomość ta została wygenerowana automatycznie. Prosimy nie odpowiadać funkcją Reply/Odpowiedz 

The link goes to a malicious Javascript [example here] [Malwr report] which downloads a binary from:

freight.eu.com/download3696 (159.100.181.107 - World Wide Web Hosting LLC, Netherlands)

..this has a detection rate of 10/60. This Malwr report plus observed activity show traffic to the following IPs and ports:

5.196.73.150:443 (OVH, France)
31.220.44.11:8080 (HostHatch, Netherlands)
46.165.212.76:8080 (Leaseweb, Germany)
109.228.13.169:443 (Fasthosts, UK)
119.82.27.246:8080 (Tsukaeru.net, Japan)
173.230.137.155:8080 (Linode, US)
173.255.229.121:443 (Linode, US)
203.121.145.40:8080 (Pacific Internet, Thailand)
206.214.220.79:8080 (ServInt, US)


There may be other phone home locations not observed.

Recommended blocklist:
5.196.73.150
31.220.44.11
46.165.212.76
109.228.13.169
119.82.27.246
159.100.181.107
173.230.137.155
173.255.229.121
203.121.145.40
206.214.220.79





Thursday, 30 March 2017

Malware spam: "Re:Payment Remittance Copy"

This fake financial spam leads to malware.


From:    AL HUDA LTD [ap.office@triumftools.sk]
Date:    30 March 2017 at 09:05
Subject:    Re:Payment Remittance Copy
Signed by:    triumftools.sk

Dear Sir,

As instructed by your customer for your payment,

Find attached formal remittance copy received from our bank and contact your  client for payment confirmation. All payment details is in the attached HSBC TT-Copy.

Please Confirm
Best regards,
================================
Alan Bostock
Manager - Finance and Administration
HSBC Exchanger
TEL: (965) 24338094 -620                                  
FAX: (965) 24332815 Mobile: (965) 600-11-868
==================================


Attached is a .GZ archive HSBC TT-Copy.pdf.gz (this assumes you have a program on your Windows PC that can handle .gz files). This contains a malicious executable doc9876543234500001.exe which currently has a VirusTotal detection rate of 32/60.

Analysis of the binary is pending. You can be certain that it is nothing good.

Monday, 20 March 2017

More highly personalised malspam using hijacked domains

Following on from this spam some weeks ago, another one comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).

From: customerservice@newshocks.com [mailto:customerservice@newshocks.com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details




Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:

[Name and address redacted]

If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks,

Contact Us Opening Times Delivery Options Returns Policy Privacy Policy Terms & Conditions


The newshocks.com domain used in the "From" field matches the sending server of rel209.newshocks.com (also mail.newshocks.com) on 185.141.164.209. This appears to be a legitimate but unused domain belonging to a distributor of car parts.

The link in the email goes to clipartwin.com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit or similar. This is using another hijacked but apparently legitimate web server.

I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient. If you have seen something similar or have an idea of where the data came from, please leave a comment below.