Sponsored by..

Showing posts with label Viruses. Show all posts
Showing posts with label Viruses. Show all posts

Tuesday, 22 November 2016

Malware spam: "Invoice 123456" from random sender in victim's own domain

This fake financial spam appears to come from a random sender in the victim's own domain, but this is just a simple forgery. The payload is Locky ransomware.

Subject:     Invoice 5639438
From:     random sender (random.sender@victimdomain.tld)
Date:     Tuesday, 22 November 2016, 8:43

Attached is the document 'Invoice 5639438'.

The reference number varies from email to email, but is consistent in the subject, body and the name of the attachment (e.g. Invoice 5639438.zip). This ZIP file contains a malicious WSF script (e.g. Invoice 7868933153.wsf) that looks like this.

According the the Malwr analysis, that script downloads from:

manage.parafx.com/98y4h?AdIXigNCmu=UdJVux

There are no doubt many other locations. That same analysis shows a DLL being dropped with an MD5 of de5d8250edf98262f335cd87fe6f6740 and a detection rate of 9/56. The Hybrid Analysis of the same sample shows the malware contacting the following C2 locations:

89.108.73.124/information.cgi (Agava, Russia)
91.211.119.98/information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)
94.242.55.81/information.cgi (RNet, Russia)


Recommended blocklist:
89.108.73.0/24
91.211.119.98
94.242.55.81


UPDATE

My usual reliable source came up with these additional download locations:

adoptshawm.net/98y4h
hotelmm.ro/98y4h
houseller.eu/98y4h
huaphoto.net/98y4h
huduanjichuang.com/98y4h
i12.ir/98y4h
ifsaiumumi.com/98y4h
illinoisnavhda.org/98y4h
inkubator.biz.pl/98y4h
interdean.hu/98y4h
iphoneservices.com.ua/98y4h
iran-bazaar.ir/98y4h
irandivinggroup.com/98y4h
islandspirits.ca/98y4h
izww.cn/98y4h
jain4jain.com/98y4h
jaydeepuk.com/98y4h
jazz.kvalitne.cz/98y4h
jinqiaonkyy.com/98y4h
jkshea.com/98y4h
joesrv.com/98y4h
joplinglobeonline.com/98y4h
junhao8.com/98y4h
justsport.co.il/98y4h
kabele.ru/98y4h
klaxcar.ro/98y4h
kongkhak.go.th/98y4h
korbastudio.com/98y4h
krepiec.pl/98y4h
kstm.or.th/98y4h
kuponik.eu/98y4h
lanphuong.vn/98y4h
lesmouf.com/98y4h
lhesh.com/98y4h
lifanpower.pl/98y4h
lomtalay.com/98y4h
lp511.com/98y4h
ltinvest.de/98y4h
luanasahian.ro/98y4h
lumitech.ro/98y4h
manage.parafx.com/98y4h
maroeg.com/98y4h
maxifitness.ru/98y4h
mckains.net/98y4h
mediawax.be/98y4h
megalingeriemall.com/98y4h
melzer-casting.de/98y4h
microsupport.net/98y4h
militarydirect.com/98y4h
minmin.in/98y4h
mirokon30.ru/98y4h
mooymedia.nl/98y4h
morgoo.es/98y4h
mudrahviezda.sk/98y4h
mybankofgold.com/98y4h
mysolosource.com/98y4h
natalija.ru/98y4h
reoilmaya.com/98y4h

Malware spam: "Delivery status" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Delivery status
From:     Gilbert Hancock
Date:     Tuesday, 22 November 2016, 8:51

Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.

In the sample I analysed there was an attachment named document_recipientname.zip (i.e. the first part of the recipient's email address was in the name), containing a malicious javascript with a random name. This particular script (and there are probably many others) attempts to download a component from one of the following locations:

sbdma.com/ri3xnzkaoz
robertocostama.com/qpnst8glsz
kettycoony.com/ahkzls3w
sadhekoala.com/efgqy4tdw
sdwsgs.com/voh7


According to this Malwr analysis, a malicious DLL is dropped with an MD5 of ebf03567c2a907705a026ff0821d8e63 and a detection rate of 6/55. The Hybrid Analysis reveals the following C2 locations:

91.201.202.130/information.cgi [hostname: dominfo.dp.ua] (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
188.120.250.138/information.cgi [hostname: olezhkakovtonyuk.fvds.ru] (TheFirst-RU, Russia)
213.32.66.16/information.cgi (OVH, France)

For those Russian and Ukranian networks I would be tempted to block the entire /24 at least, but this is my minimum recommended blocklist:

91.201.202.130
95.213.186.93
188.120.250.138
213.32.66.16

UPDATE

These are additional download locations for this variant (thank you to my usual source):

87.244.17.86/bhigobrbr
beachbreak.com/beachbreak/hk7mqlgs
bursacicekmagazasi.com/yqrws0c
campossa.com/ped2hwz3
cniplc.com/1cbgu
convertus.com/3p80kj
csplane.com/ej7irq
dmsoinfo.com/1buigkyvl
dtinsani.com/1gon5mmzk
fabriquekorea.com/1f3mauxvzb
facerecognition.com.ba/9b7aecm
girlstravelling.com/llnza
girlstravelling.com/zj3ij
gto-cro.com/zcvofb
gtodo.com.ar/shvssbgwh
gumorca.com/ydsojspvx
gxaiq.com/y6lhc
hairchinadirect.com/iryscuex9
hancebile.com/03aviw5ree
hancebile.com/cmlucpol
hancebile.com/fppm5myp7r
hancebile.com/rk9q4pf1
hjertearken.dk/pxyti0
kettycoony.com/ahkzls3w
kettycoony.com/cx55khn
kettycoony.com/gl74xldx
kettycoony.com/qllgov6rp
lauiatraps.net/90iuiatl
lauiatraps.net/lknfc
lauiatraps.net/tltnctyadf
lauiatraps.net/zyqjw08qqt
liftaccessory.com/crvjl4
marvicedo.com/drvf1s5x
mcmustard.com/lotojt3
misicka.com/ho6guo1jn
monowheels.ru/2nbknagte9
newautolatino.com/wa7lm4i7vo
nuociss.com/css5igxfe
oualili.org/afdnzqtmbc
paidforall.com/wnvppxdp0
parskavand.com/wekzwe
pattumalamatha.com/biwkk3sp
phaseiv.org/9utjgbof
poltec.com.au/wjzfftju
profilab.ru/wsmie0k
remixsarkilar.com/um5mvc53
rndled.com/adf4t5s3
robertocostama.com/qpnst8glsz
rsahosting.com/quudvvjxe
sadhekoala.com/efgqy4tdw
sadhekoala.com/lvqh1
sadhekoala.com/qg7bhfv3sa
sadhekoala.com/vjhxxwuo
sbdma.com/ri3xnzkaoz
sdwsgs.com/voh7l
shouwangstudio.com/uddj8u
snehil.com/8jp3sr
starmakersentertainment.com/vvaury
suziemorris.net/qz3wodtpqe
talentinzicht.eu/2szzeegt
thegioitructuyen.org/lalvx1nrj
thegoldclubs.com/soaiga
thirdchild.org/ratorfeybm
touroflimassol.com/uekc5dx
touroflimassol.com/vil8begqiq
ulmustway.com/gggsslzj1c
ulmustway.com/jm2hp
ulmustway.com/kzqnerxm
ulmustway.com/stj6o
unkalojistik.com/hhwh0xv9
valpit.ru/kn3jm
vedexpert.com/qbaiegzzu
verdianthy.com/iool1e
warisstyle.com/mjuurbt2bx
wbakerpsych.com/j00gr8z
whatsapphd.com/fqi0a
woodmode-eg.com/dsi79s
xa12580.com/lzwkiqsi8s
xhumbrella.com/jb5c396v
znany-lekarz.pl/nrpfqwwq

Wednesday, 9 November 2016

Malware spam: "Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016" leads to Locky

This spam has an interestingly malformed subject, however the attachment leads to Locky ransomware:

Subject:     Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016
From:     KELLY MOORHOUSE (kelly.moorhouse@edbn.org)
Date:     Wednesday, 9 November 2016, 12:52

KELLY MOORHOUSE

Last & Tricker Partnership

3 Lower Brook Mews
Lower Brook Street
Ipswich Suffolk IP4 1RA
T: 01473 252961  F: 01473 233709  M: 07778464004
email: kelly.moorhouse@edbn.org

This e-mail and any attachments may contain confidential and privileged
information and is intended only for the use of the individual or entity to
which it is addressed. If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this e-mail and destroy any
copies from your system; you should not copy the message or disclose its
contents to anyone. Any dissemination, distribution or use of this
information by a person other than the intended recipient is unauthorized
and may be illegal. We cannot accept liability for any damage sustained as a
result of software viruses and advise you to carry out your own virus checks
before opening any attachment.
Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf) that looks like this.

For one sample script, the Hybrid Analysis and Malwr report indicate a binary is downloaded from one of the following locations:

alamanconsulting.at/0ftce4?aGiszrIV=gRLYYDHSna
naka-dent.mobi/0ftce4?aGiszrIV=gRLYYDHSna

This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56.

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)


These are the same C2s as seen here.

Recommended blocklist:
85.143.212.23
158.69.223.5


UPDATE

A full list of download locations from my usual source:
 
alamanconsulting.at/0ftce4
ayurvedic.by/0ftce4
ekaterinburg.kacatka.ru/0ftce4
hoangtranwater.com/0ftce4
hoteldseason.com/0ftce4
hotelvinayakpalace.in/0ftce4
hotloto.com/0ftce4
hqseconsulting.com/0ftce4
hupsoft.com/0ftce4
idontknow.eu/0ftce4
idplus.sg/0ftce4
ifreenet.it/0ftce4
ijai.fr/0ftce4
iloveyf.com/0ftce4
indospyshop.com/0ftce4
innsat.pl/0ftce4
inzt.net/0ftce4
iriscommunications.com.pk/0ftce4
istanbulsoft.com.tr/0ftce4
ivakil.com/0ftce4
jaysilverdp.com/0ftce4
jcuenca.es/0ftce4
jer.be/0ftce4
jingaiwang.com/0ftce4
joralan.es/0ftce4
jxhyhz.com/0ftce4
kembarastation.com/0ftce4
kenankaynak.com/0ftce4
ketoantamviet.edu.vn/0ftce4
konan.nl/0ftce4
kopeyskdom.ru/0ftce4
krasnodar-sp.ru/0ftce4
k-scope.ca/0ftce4
kyrre.cn/0ftce4
labtekindie.com/0ftce4
lacosanostra.co/0ftce4
lander.pl/0ftce4
laurenward.me/0ftce4
leftakis.gr/0ftce4
level3.tv/0ftce4
lifez.nl/0ftce4
lindafluge.no/0ftce4
lingerievalentine.ueuo.com/0ftce4
linkset.ro/0ftce4
lujin.ro/0ftce4
luke-woods.com/0ftce4
luostone.com/0ftce4
martos.pt/0ftce4
matbaa.be/0ftce4
mch.kz/0ftce4
mckm11.cba.pl/0ftce4
meditativyoga.net/0ftce4
micashu.org/0ftce4
michellemccarron.com/0ftce4
microscopiavirtual.cl/0ftce4
milagrotarim.com/0ftce4
mineralsteel.cl/0ftce4
mogadk.ru/0ftce4
mospi.ru/0ftce4
moydom.by/0ftce4
mschroll.de/0ftce4
mtsas.freehost.pl/0ftce4
muamusic.com/0ftce4
muellerhans.ch/0ftce4
musicphilicwinds.org/0ftce4
muziekupdate.nl/0ftce4
mvpdental.com/0ftce4
mypcdaddy.com/0ftce4
naarndonau.at/0ftce4
naka-dent.mobi/0ftce4
oontsheol.net/0ftce4
shukatsu-live.com/0ftce4
sport-grace.by/0ftce4
tikkatawgi.com/0ftce4
vologda.maxuma.ru/0ftce4
www.0898tz.com/0ftce4
www.limpotools.com/0ftce4

Malware spam: "Account temporarily suspended" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Nicole Roman
Date:    9 November 2016 at 10:44
Subject:    Account temporarily suspended

Dear Customer.

You have exceeded the limit of operations on your credit card.
Thus, we have temporarily blocked your account.
The full itemization of transactions and instructions are given in the document attached to this message.

Best regards.
The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, containing a randomly-named malicious .js script that looks like this

That particular script attempts to download a binary from one of the following locations (you can be sure there are others);

hippaupsup.com/3gc7c2rp
melkar.com/icfi5mg
inspireyouths.org/j48tb3
ausulifer.net/3xwpi
koratwifi.info/io4h3

This Hybrid Analysis and this Malwr report show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56.

No C2 locations have been identified yet. I will post them here if I get them.


Malware spam: "Your Amazon.com order has dispatched" leads to Locky

Overnight there has been a massive fake Amazon spam run leading to Locky ransomware:

From:    Amazon Inc [auto-shipping27@amazon.com]
Date:    8 November 2016 at 23:10
Subject:    Your Amazon.com order has dispatched (#021-3323415-8170076)

Dear Customer,

Greetings from Amazon.com,

We are writing to let you know that the following item has been sent using  DHL Express.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.com/your-account

Your order #021-3323415-8170076 (received November 8, 2016)


Your right to cancel:
At Amazon.com we want you to be delighted every time you shop with us.  O=
ccasionally though, we know you may want to return items. Read more about o=
ur Returns Policy at:  http://www.amazon.com/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have =
the right to cancel the contract for the purchase of any of these items wit=
hin a period of 7 working days, beginning with the day after the day on whi=
ch the item is delivered. This applies to all of our products. However, we =
regret that we cannot accept cancellations of contracts for the purchase of=
 video, DVD, audio, video games and software products where the item has be=
en unsealed. Please note that we are unable to accept cancellation of, or r=
eturns for, digital items once downloading has commenced. Otherwise, we can=
 accept returns of complete product, which is unused and in an "as new" con=
dition.

Our Returns Support Centre will guide you through our Returns Policy and, w=
here relevant, provide you with a printable personalised return label.  Ple=
ase go to http://www.amazon.com/returns-support to use our Returns Suppor=
t Centre.

To cancel this contract, please pack the relevant item securely, attach you=
r personalised return label and send it to us with the delivery slip so tha=
t we receive it within 7 working days after the day of the date that the it=
em was delivered to you or, in the case of large items delivered by our spe=
cialist couriers, contact Amazon.com customer services using the link bel=
ow within 7 working days after the date that the item was delivered to you =
to discuss the return.

https://www.amazon.com/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend th=
at you use a recorded-delivery service. Please note that you will be respon=
sible for the costs of returning the goods to us unless we delivered the it=
em to you in error or the item is faulty. If we do not receive the item bac=
k from you, we may arrange for collection of the item from your residence a=
t your cost. You should be aware that, once we begin the delivery process, =
you will not be able to cancel any contract you have with us for services c=
arried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection i=
n the event that our specialist courier service collect a large item from y=
ou to return to us.

As soon as we receive notice of your cancellation of this order, we will re=
fund the relevant part of the purchase price for that item.=20

Should you have any questions, feel free to visit our online Help Desk at:=
=20
http://www.amazon.com/help

If you've explored the above links but still need to get in touch with us, =
you will find more contact details at the online Help Desk.=20

Note: this e-mail was sent from a notification-only e-mail address that can=
not accept incoming e-mail. Please do not reply to this message.=20

Thank you for shopping at Amazon.com

-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
All the versions I have seen contain those same formatting errors. Details vary from message to message (e.g. carrier, reference numbers). Attached is a malicious ZIP file (e.g. ORDER-608-0848796-6857907.zip) containing a malicious javascript file (e.g. F-9295287522-9444213500-201611165156-2601.js) that looks like this.

My usual source (thank you) tells me that the various scripts download a component from these locations:

adultmagstore.co.uk/7845gf
asrcargo.ru/7845gf
bygg-molde.no/7845gf
chewysissy.net/7845gf
elektrickekefky.sk/7845gf
examsbank.com/7845gf
facerecognition.com.ba/7845gf
gadgetdealz.net/7845gf
girdap.org/7845gf
gpsfiles.nl/7845gf
heatsavingsystems.com/7845gf
helpcomm.com/7845gf
hnzhengzhou.com/7845gf
holzhaus.cl/7845gf
hud3.net/7845gf
hunt-magazine.com/7845gf
hydroservis.sk/7845gf
hz9m.com/7845gf
iaam.com.br/7845gf
igraficas.com/7845gf
immobilienbegleitung.de/7845gf
infosors.com/7845gf
inkjetss.com/7845gf
interabc.nl/7845gf
inteza.pl/7845gf
ipaper.ro/7845gf
irinka.ru/7845gf
islamhizmeti.com/7845gf
i-solutions.cz/7845gf
ivocal.fr/7845gf
izmirisgb.com/7845gf
janzwolinski.freehost.pl/7845gf
jgtour.wz.cz/7845gf
jlxzy.net/7845gf
jpvintage.nl/7845gf
jrockish.bravepages.com/7845gf
julian-g.ro/7845gf
karacanalbum.com/7845gf
kedaikerinchi.com/7845gf
khashchevato42.ru/7845gf
kiannaghsh.ir/7845gf
kleansys.com/7845gf
kolumbia.free.bg/7845gf
krd-php.ru/7845gf
kurdinfo.ru/7845gf
lekstom.ru/7845gf
lloveras.com/7845gf
mapbook.ir/7845gf
markanltd.com/7845gf
markscheffel.de/7845gf
masiled.es/7845gf
masterimob.ro/7845gf
materlux.ru/7845gf
mavicicek.com/7845gf
maytinhcaobang.net/7845gf
mdk-wear.ru/7845gf
mediclo.pl/7845gf
meshok.com.ua/7845gf
mh500.com/7845gf
minoritycounselor.com/7845gf
minunat.eu/7845gf
mischiefexpeditions.asia/7845gf
mjtmak.com/7845gf
mokinukai.lt/7845gf
monkey-drum.com/7845gf
monster-high.com.ua/7845gf
moveus.com.br/7845gf
mtgchile.cl/7845gf
mtntelekom.com/7845gf
muaban86.net/7845gf
musicrecruiting.com/7845gf
muzica-evenimente.ro/7845gf
mw077.ru/7845gf
myhtar.ru/7845gf
myxos.be/7845gf
naruby.kvalitne.cz/7845gf
natalilife.ru/7845gf
sport-grace.by/7845gf
teazexebec.com/7845gf
yastrebov25.sat34.ru/7845gf

It appears to drop a malicious DLL with a detection rate of 32/56. The following C2 servers have been identified:

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)


UPDATE
According to the Hybrid Analysis the dropped Locky binary actually has an MD5 of ad6fb318002df4ffc80795cc31d529b4 and a detection rate of 28/56.

Recommended blocklist:
85.143.212.23
158.69.223.5



Tuesday, 8 November 2016

Malware spam: "Suspicious movements" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Suspicious movements
From:     Marlene Parrish
Date:     Tuesday, 8 November 2016, 12:52

Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.
---
King regards,
Marlene Parrish
Account Manager
Tel.: 202-328-1800
U.S. Office of Personnel Management
1189 E Street, NW
Washington, DC 20415-1000
The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js) which looks like this (note the insane amount of whitespace).

That particular script downloads a malicious component from one of the following locations:

vexerrais.net/6sbdh
centinel.ca/wkr1j6n
3-50-90.ru/u4y5t
alpermetalsanayi.com/vuvls
flurrbinh.net/6mz3c5q


There will probably be other download locations. This Hybrid Analysis and this Malwr report show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56.

UPDATE

My usual reliable source (thank you) informs me that there are indeed C2 servers (see the end of the post). The download locations are as follows:

3-50-90.ru/u4y5t
365aiwu.net/hbdo6
85.92.144.157/y8giadzn
abclala.com/r2kvg2
abercrombiesales.com/nmuch6
accenti.mx/nryojp
acrilion.ru/84m9t
adriandomini.com.ar/bq62dx10
agorarestaurant.ro/cg06f
ajmontanaro.com/q9giar
alpermetalsanayi.com/vuvls
antivirus.co.th/jukwebgk
apidesign.ca/ijau8q2z
archmod.com/sapma828
assetcomputers.com.au/lkfpyww
avon2you.ru/ayz1waqm
ayurvedic.by/b9kk9k
babuandanji.jp/lq9kay
bepxep.com/mo05j41
berrysbarber.com/q6qsnfpf
bielpak.pl/a79a64h
bjshicheng.com/blewwab
bst.tw/gnjeebt
cafedelrey.es/snby1c
centinel.ca/wkr1j6n
cgrs168.com/xmej0mc
chandrphen.com/h4b1k
chaturk.com/mxaxemv1
cheedellahousing.com/h24ph1
ck.co.th/r2k6i6
codanuscorp.com/ay5v52r1
comovan.t5.com.br/byev5nd
competc.ca/qrc9n
concern-block.ru/nijp1xq
corinnenewton.ca/ctlt8b
cosmobalance.com/jsqlt0g
dekoral.eu/twnyr1s
dessde.com/zcwaya
dinglihn.com/zg3pnsj
dmamart.com/c5l2p
donrigsby.com/nts0mk
dowfrecap.net/0d08tp
dowfrecap.net/3muv7
dowfrecap.net/6f9tho
dowfrecap.net/7qd7rck9
drkitchen.ca/y5jllxe
drmulchandani.com/d6ymtf62
dunyam.ru/jge1b3e
dwcell.com/dph861ws
earthboundpermaculture.org/okez95b
edrian.com/dfc33k67
edubit.eu/b6ye94wv
eldamennska.is/h4yim
elektronstore.it/z298ejb9
elleart.nl/gn3pim41
eroger.be/918p2q
fibrotek.com/deoq2
flurrbinh.net/0nbir64
flurrbinh.net/3nrgpb
flurrbinh.net/6mz3c5q
flurrbinh.net/7wi66hp
geethikabedcollege.com/766epkuj
handsomegroup.com/ae2y1hr0
inzt.net/lbrisge
lashouli.com/rq4xoq3
odinmanto.com/0cz2zwz
odinmanto.com/2rw12
odinmanto.com/57evyr
odinmanto.com/7gplz
pastelesallegro.mx/ex67ri8
thisnspeel.com/04u77s
thisnspeel.com/2qrn06f
thisnspeel.com/3ypojyl0
thisnspeel.com/766epkuj
vexerrais.net/1jk8n
vexerrais.net/3nx3w
vexerrais.net/6sbdh
vexerrais.net/84fwijj
villaamericana.net/84fwijj
www.cutillas.fr/lmc80sdb

C2s:

185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd, Ukraine)
195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Latvia)
185.102.136.127/message.php [hostname: koltsov12.mgn-host.ru] (MGNHost, Russia)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
185.67.0.102
195.123.211.229
185.102.136.127
188.65.211.181



Monday, 7 November 2016

Malware spam: "Financial documents" leads to Locky

The never-ending Locky ransomware onslaught continues. This fake financial spam has a malicious attachment:

Subject:     Financial documents
From:     Judy Herman
To:     [redacted]
Date:     Monday, 7 November 2016, 10:53

Hi [redacted],

These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.

Best Wishes,
Judy Herman 
Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:

http://coachatelier.nl/lg8s2
http://bechsautomobiler.dk/m8idi9j
http://desertkingwaterproofing.com/ma4562
http://zapashydro.net/6sgto2bd
http://owkcon.com/6xgohg6i

According to this Hybrid Analysis, the malware then phones home to:

195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181




Thursday, 3 November 2016

Malware spam: "!!! Urgent payment request" from random senders leads to Locky

This spam comes from random senders, the name in the "From" field always matches the fake email signature. The number of exclamation marks varies, and the payload is Locky ransomware.


Subject:     !!! Urgent payment request
From:     erika.whitwell@hillcrestlife.org (erika.whitwell@hillcrestlife.org)
Date:     Thursday, 3 November 2016, 10:01

ERIKA WHITWELL

Telefon: +49 1592 / 51-2545
Fax: +49 1592 / 5166-2545
E-Mail:
erika.whitwell@hillcrestlife.org

Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly-named malicious javascript file (e.g. 8357243996-7378883150-201611233647-0661.js) which looks like this [pastebin].

Analysis is pending. Please check back later.

UPDATE

This Hybrid Analysis shows the script downloading from:

dornovametoda.sk/jhb6576?jPUTusVX=GXNaiircxm

There will be lots of other download locations too. That same report shows the malware phoning come to the following C2 servers (that overlaps somewhat with those found here):

194.28.87.26/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
109.234.34.227/message.php (McHost.Ru, Russia)


Recommended blocklist:
194.28.87.26
93.170.123.119
109.234.34.0/24




Moar Locky 2016-11-03

I haven't had much time to look at the Locky runs overnight, but here is a data dump of download locations and C2s (at the bottom) from my usual reliable source:

Download locations:
10minutesto1.net/d05k5d
1stop-entertainment.com/ztpt8d0
3rock.ie/qdq1fv4c
3tr.ru/f92o6
a1match.dk/spcmi8qp
ac-elektrik.com/tvb20i
affordablewebsitesolutions.net/hdeaf
akira-sushi34.ru/przgzq
alexchen.name/aw9yipi
alexchen.name/c3ortzkj
alexeliades.com/fxhrz4
alkatech.gr/x3z70
allgameserver.com/ewxhiknt
allur.com.ua/skiz8q
alphabet-city.com.au/cbfi1
amadistrit.com/1bnao0hm
amadistrit.com/47r6wm
amadistrit.com/7exev9x1
amadistrit.com/9qci0
asambleacristiana.com.ar/e6q09un
assuredtenancyagreement.co.uk/yrz0c4v
astrainks.com/wdb2s8ny
ateliebucal.com/mxxnu
batavia-restaurant.nl/vk3p2se
bddja.com/p0u44p8z
bestcomp.ge/cp0oag4r
beta-net.lt/htfpant
beyondthedeals.com/iv41b8mg
bios.gr/mwrbr
burgeravenue.ru/tl0wf2ls
camdo89.com/rs0o9
campagno.com.au/gz4lot
carblogger.net/tzf9ba
ceramacity.ru/v6fjk
cnesa.cn/au6rql7
cokealong.com/0l609
cokealong.com/2ylfay
cokealong.com/6z1n11
cokealong.com/8qa1in
cokseyvar.com/fsodg2ho
colagung.com/izm4t243
contiades.gr/lhj4kx6
cxsite.net/l8tn0z
cyrilunrun.com/07ubcvl
cyrilunrun.com/2jnf9f8b
cyrilunrun.com/4x9yp6
cyrilunrun.com/7u1lgycs
dadashop.no/yfks5f9z
damoresilvia.com.ar/aulkfvs
deadpuppetsociety.com.au/mzgtl9z
de-btc.ru/xe1j6kx
decoulissen.be/vtdn792
derekbrooker.ca/xzziio9
dh1789.com/tu4ry8
dhback.com/hgp825l
diplocam.cm/zec5nk
douledu.com/h5vpn
dpshop.it/cq2we
drukarnia.lodz.pl/olsyi7
dtmx.pl/o0ico52
dulawa.pl/hbskw
edeldental.hu/rv97fz
edrsoft.com/atttlti
ertebat24.ir/n2khs
evotrade.ro/toz1iqw
exideworld.com.cn/zh2xd6
ezimu.com/dziykl
f8development.be/at2fpz
fiveclean.com/14msj3
fiveclean.com/3mz5l6t
fiveclean.com/76wl2
fiveclean.com/9q8jjta
kekjacint.hu/nygdhk
meskatha.com/2ccjhik
meskatha.com/49x930
meskatha.com/7i1ko82
meskatha.com/a0flf
www.50mi.cn/lbcc88r
www.compsec.co.nz/lpmn9vw
www.cvdesign.nl/h7fid1op
028happy.com/kjg56f7
1140746.net/kjg56f7
abercrombiesales.com/kjg56f7
accenti.mx/kjg56f7
acrilion.ru/kjg56f7
ahmetaksan.com/kjg56f7
alphabureau.ma/kjg56f7
antivirus.co.th/kjg56f7
apidesign.ca/kjg56f7
asastaff.com/kjg56f7
auwm.ru/kjg56f7
babuandanji.jp/kjg56f7
babyparka.ca/kjg56f7
bazkomp.pl/kjg56f7
bemmart.net/kjg56f7
bepxep.com/kjg56f7
bilisimarsivi.com/kjg56f7
blakslee.com/kjg56f7
boraba.net/kjg56f7
brokerclub.lt/kjg56f7
budeanu.ro/kjg56f7
buh-uchet71.ru/kjg56f7
byensbilleje.dk/kjg56f7
canals.cn/kjg56f7
capitalintroductionservices.com/kjg56f7
chaturk.com/kjg56f7
chuandishe.com/kjg56f7
cip.edu.pk/kjg56f7
cluster09server.com/kjg56f7
concern-block.ru/kjg56f7
daivupaint.com/kjg56f7
damai0769.com/kjg56f7
dela-cruz.eu/kjg56f7
delfin-lait.ru/kjg56f7
dienmaykhanhhuy.com/kjg56f7
dinglihn.com/kjg56f7
ding.sk/kjg56f7
discuzshop.com/kjg56f7
dongwooclean.com/kjg56f7
donrigsby.com/kjg56f7
draiveris.lt/kjg56f7
drede.ro/kjg56f7
dudenman.net/kjg56f7
dunyam.ru/kjg56f7
earthboundpermaculture.org/kjg56f7
edrian.com/kjg56f7
efson.707.cz/kjg56f7
eplotery.pl/kjg56f7
ev-entertainment.nl/kjg56f7
fcarmida.ru/kjg56f7
fedsav.com/kjg56f7
guardrupia.com/kjg56f7
inzt.net/kjg56f7
morgkelly.net/kjg56f7
365aiwu.net/43ftybb8
421pfyy.com/43ftybb8
677spo.com/43ftybb8
abgr.ru/43ftybb8
abrahams.ch/43ftybb8
adasulamasistemleri.com/43ftybb8
aifgroup.jp/43ftybb8
aircrew.co.in/43ftybb8
alkfor.ru/43ftybb8
allebanken.net/43ftybb8
almaks-mr.ru/43ftybb8
animals.org.il/43ftybb8
anime-one.com/43ftybb8
arnaudgranata.com/43ftybb8
atart.cn/43ftybb8
atforum.pl/43ftybb8
autoabs.lt/43ftybb8
automaler.ru/43ftybb8
awaelschool.com/43ftybb8
ayulduz.biz/43ftybb8
baraonda.gr/43ftybb8
basketballninja.com/43ftybb8
bassguitartips.com/43ftybb8
battleduck.ch/43ftybb8
bdvdo.net/43ftybb8
beamit.be/43ftybb8
beautyexpress.com.au/43ftybb8
bechsautomobiler.dk/43ftybb8
bestprservices.com/43ftybb8
bha-group.eu/43ftybb8
bhatiarasayanudyog.in/43ftybb8
birthdaystoday.net/43ftybb8
bluehost.hu/43ftybb8
bogaziciradyo.com/43ftybb8
bst.tw/43ftybb8
buhlmend.net/43ftybb8
bvn.lt/43ftybb8
cabanaionela.ro/43ftybb8
carmenortigosa.com/43ftybb8
casadalocacao.com/43ftybb8
chandrphen.com/43ftybb8
cheappaintball.net/43ftybb8
cheedellahousing.com/43ftybb8
chinatea.ro/43ftybb8
christen-in-nuernberg.de/43ftybb8
christmas-metal-meeting.de/43ftybb8
city-charger.ru/43ftybb8
classicnet.ir/43ftybb8
club-impact.ro/43ftybb8
coachatelier.nl/43ftybb8
coinobras.com/43ftybb8
consardproiectare.ro/43ftybb8
contserv.ro/43ftybb8
corinnenewton.ca/43ftybb8
cxsd.com.cn/43ftybb8
cyclingpromotion.com.au/43ftybb8
cyprushealthservices.com/43ftybb8
d2dlaundry.com/43ftybb8
debki-klara.pl/43ftybb8
deborahshallcross.com/43ftybb8
decactus.cl/43ftybb8
delanothayer.cl/43ftybb8
dersiz.com/43ftybb8
desertkingwaterproofing.com/43ftybb8
diandiandx.com/43ftybb8
drossell.com/43ftybb8
dwcell.com/43ftybb8
ecomission.com.au/43ftybb8
edu-net.ro/43ftybb8
ejiavip.com/43ftybb8
eldamennska.is/43ftybb8
el-sklep.com/43ftybb8
enkobud.dp.ua/43ftybb8
erotes.gr/43ftybb8
eskopb.com/43ftybb8
eurotrading.com.ua/43ftybb8
evogelbacher.de/43ftybb8
fazilusta.com/43ftybb8
fibrotek.com/43ftybb8
filmsites.nl/43ftybb8
gzycgj.com/43ftybb8
irk.24abcd.ru/43ftybb8
pastelesallegro.mx/43ftybb8
wonnapian.com/43ftybb8
ws.osenilo.com/43ftybb8
xiguacity.com/43ftybb8

C2s:
51.255.107.20/message.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
85.143.215.209/message.php (PrdmService LLC / Comfortel Ltd / Trader soft LLC, Russia)
91.230.211.103/message.php (Optibit LLC, Russia)
91.239.232.171/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
194.28.87.26/message.php (Hostpro Ltd, Ukraine)
51.255.107.20/linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
194.28.87.26/linuxsucks.php (Hostpro Ltd, Ukraine)

Recommended blocklist:
51.255.107.20
85.143.215.209
91.230.211.103
91.239.232.171
93.170.123.119
194.1.239.152
194.28.87.26

Wednesday, 2 November 2016

Malware spam: "Companies House - new company complaint" / noreply@companies-house.me.uk / noreply@companieshouses.co.uk leads to TrickBot

This fake Companies House spam leads to TrickBot malware:

From:    Companies House [noreply@companieshouses.co.uk]
Date:    2 November 2016 at 11:51
Subject:    Companies House - new company complaint
Signed by:    companieshouses.co.uk

Investigations and Enforcement Services

This message has been auto-generated in response to the company complaint submitted to our WebFiling  service.

The submission number is ID109202DLK02911

Please find the attached document for your review.

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Crown Logo
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500

The Cardiff office is open 24 hours a day for the receipt of documents Contact Centre lines are open between 8.30am to 6pm (Monday to Friday) 
Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.


The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:

    Registrant:
        Camell Williams

    Registrant type:
        Unknown

    Registrant's address:
        550 HOLTS LAKE CT STE 101
        Suite 101
        Apopka
        Florida
        32703
        United States


Both those domains are close to the genuine one of companieshouse.gov.uk and because the email is digitally signed it might get past spam filters where normal botnet-sent spam wouldn't.

All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.

Attached is a Word document Complaint.doc  (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:

futuras.com/img/dododocdoc.exe

This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.

The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:

78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)


The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.

Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117


Tuesday, 1 November 2016

Malware spam: "This is to inform that the transaction you made yesterday is declined." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Transaction declined
From:     Chandra Frye
Date:     Tuesday, 1 November 2016, 10:48

Dear [redacted],

This is to inform that the transaction you made yesterday is declined.

Please look through the attachment for the verification of the card details.

Best Regards,
Chandra Frye
The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs) which looks like this [pastebin]. That particular sample plus one other I received communicates with the URLs below, but you can be sure that there are many more examples:

51qudu.com/mqy2pj4
bjzst.cn/qgq4dx
danapardaz.net/zrr8rtz
litchloper.com/66qpos7m
creaciones-alraune.es/dx8a5
adasia.my/f5qyi10
alecrim50.pt/g28w495t
zizzhaida.com/a0s9b
silscrub.net/07ifycb

Hybrid Analysis is inconclusive. If I get hold of the C2s or other download locations then I will post them here.

UPDATE

My usual reliable source tells me that these are all the download locations:

17173wang.com/f6w0p
176.9.41.156/rodru
4office.pl/zyjkry6
51qudu.com/mqy2pj4
akbarcab.com/p8vw992v
alpinivel.pt/as4jcmm
americanjuniorgolfschool.com/hkba7
apiaa.ro/jqm6ltfw
atech.co.th/lyyrdp9
badyna.pl/saf0zv
baoan99.com/jllkv
baranteks.com/hrnf0q44
beesket.com/jrd8d411
bikebrowse.com/mjjoy
biolume.nl/rq8mabk
bionorica.md/m61yk
birim.org/x5s8d
bisskultur.de/rawmjx
bjsunny.net/claocm
bjzst.cn/qgq4dx
blastech.cc/nsg5xyi
carsmotor.net/stab2
cascinamatine.com/a7w59h
cdxybg.com/iribzm
charoenpan.com/jv4fj
chbeirlaw.com/oyem1
civc.co.uk/y5rcauj
containermx.com/vzndc
creaciones-alraune.es/dx8a5
crossfitgladstone.com/orfx8
cvanchen.com/m61yk
danapardaz.net/zrr8rtz
daricacicekci.com/jqec1k7r
doctornauchebe.it-strategy.ru/k1d7d
eatfatlosefat.com/yx7s1
ebooks.w8w.pl/slhj1l
econsult.com.tw/dqtvy
fieldserviceca.net/dndovr
koranjebus.net/1bpsrbfa
koranjebus.net/4rwg5
koranjebus.net/94rgo
koranjebus.net/9fif0
litchloper.com/2be1xz
litchloper.com/66qpos7m
litchloper.com/96iq4o
litchloper.com/9qknusm
nbsbjt.net/icefdwl
silscrub.net/40l8w
silscrub.net/79d6w4
sonsytaint.com/0dqj0dd
sonsytaint.com/4mgxlrf
sonsytaint.com/89hs1ix
zizzhaida.com/3m6ij
zizzhaida.com/98g4ubq

These are the C2s:

91.234.32.202/linuxsucks.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
81.177.22.164/linuxsucks.php (NETPLACE, Russia)


Recommended blocklist:
91.234.32.202
81.177.22.164

Monday, 31 October 2016

Malware spam: "SureVoIP" / "Voicemail from.." leads to Locky

This fake voicemail message leads to Locky ransomware:

Subject:     Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
From:     SureVoIP (voicemailandfax@[redacted])
Date:     Monday, 31 October 2016, 11:17


Message From "Catalina rigby 02355270166" 02355270166
Created: 2016.10.31 14:46:53 PM
Duration: 00:01:22
Account: voicemailandfax@[redacted]
Details will vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts the download a component from one of the following locations.

1y9y.com/g7cberv
3922group.net/g7cberv
abraszczecin.pl/g7cberv
afh-indy.org/g7cberv
ajaraheritage.ge/g7cberv
alifaruk.com/g7cberv
andrewclark.com.au/g7cberv
arabian-link.com/g7cberv
artanatrade.com/g7cberv
artemon.gr/g7cberv
ashbury.bg/g7cberv
atelier13.ro/g7cberv
bandenland.be/g7cberv
beasee.com/g7cberv
bemassive.nl/g7cberv
bertedu.com/g7cberv
bestroyalart.com/g7cberv
blogmepro.com/g7cberv
bobyfrancisandpradeep.com/g7cberv
bolat-zhol.kz/g7cberv
buynolvadexonlineshop.com/g7cberv
bwdianji.com/g7cberv
carama.info/g7cberv
caseycarrental.com/g7cberv
ceil.hk/g7cberv
cetinakademi.com/g7cberv
charistia.info/g7cberv
crossroadsmgmt.com/g7cberv
ctrlalt.de/g7cberv
dapos.ru/g7cberv
dbtsites.com/g7cberv
decoracionbebes.com/g7cberv
detectodecolombia.com/g7cberv
devinkellerart.com/g7cberv
ditjenp2p.info/g7cberv
dobromoda.ru/g7cberv
doolotto.com/g7cberv
dor29.ru/g7cberv
drevenefasady.eu/g7cberv
drpneu.ro/g7cberv
ekotracks.com/g7cberv
emg.su/g7cberv
en.fitgrp.com/g7cberv
enliveshow.com/g7cberv
fortuneprixgroup.com/g7cberv
freehosted.netai.net/g7cberv
gopa1.ru/g7cberv
grupotalents.com/g7cberv
halimbamdad.ir/g7cberv
haydistributing.com/g7cberv
hundeschulegoerg.de/g7cberv
inventionsteel.com/g7cberv
ipmart.co.in/g7cberv
jianshu100.com/g7cberv
jnzbookkeeping.com/g7cberv
kavehconsultancy.co/g7cberv
liftaccessory.com/g7cberv
lux-luster.com/g7cberv
lzeshine.com/g7cberv
monoadage.net/g7cberv
nbjzpx.com/g7cberv
net2008.com/g7cberv
newdawnexperience.com/g7cberv
nixvector.com/g7cberv
oakridge-realty.com/g7cberv
oualili.org/g7cberv
pandoracharm.ru/g7cberv
panel.steelpars.com/g7cberv
paulasalamanca.com/g7cberv
peskara.com/g7cberv
pidaco.com/g7cberv
reviewprimer.com/g7cberv
ri-vyoo.com/g7cberv
rkanswers.com/g7cberv
rktest.net/g7cberv
rndled.com/g7cberv
trustcarts.com/g7cberv
unoldontal.com/g7cberv
webframez.com/g7cberv
www.a2zportals.com/g7cberv
www.shavash.ir/g7cberv
www.webframez.com/g7cberv
xn--72c6awi9b2bj7ixcg4c.com/g7cberv
zist-konkur.ir/g7cberv

The C2 servers overlap with the ones found here.

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152



Malware spam: "Wrong tracking number" leads to Locky

This spam email leads to Locky ransomware:

From     "Samuel Rodgers"
Date     Mon, 31 Oct 2016 15:21:22 +0530
Subject     Wrong tracking number

It looks like the delivery company gave us the wrong tracking number.

Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.
The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script [pastebin] named something like tracking number A99DB PDF.vbs.

That script tries to download a component from:

tastebudsmarketing.com/uw6lin
mechap.com/xd7uh
coffeeteashop.ru/daz2rp
ficussalm.com/0bqzcn96
waynesinew.com/0fqt9he1

There will no doubt be other locations. At present I do not have those or the C2 servers, but will update this post if I get them.

UPDATE

The full list of download locations is as follows (thank you to my usual source):

365cuit.com/d9x9f0
7ut.ru/ge9j0et2
8hly.com/jc45tun
a1akeyssportfishing.com/etrt5
academy24.nl/k6lxc
aconetrick.com/2ejczfc
aconetrick.com/564nr0
aconetrick.com/6yoajl7
aconetrick.com/bwt2ixo
ami-mo.ca/k5xhdz2
ami-mo.ca/kr641jxw
archilog.at/imwjmt
architectureetenvironnement.ma/g31701d
badznaptak.pl/inlgm49
bebmila.it/eczde9
buenotour.com/j97s7
business-cambodia.com/he8wtc
campossa.com/vjbfdtj
cdqdms.com/d887wn9
cintasuci.com/cl6pa
coffeeteashop.ru/daz2rp
comistus.net/j6y95
customrestaurantapps.com/gn7c2se
dgtoca.net/d1wr3
dicresco.vn/gq1bjtbb
ecig-ok.com/luflbx4
eijsvogel.nl/gpbka1n2
elgrandia.com.mx/ginlp2f
epsihologie.com/jd2qrzg
eredmenyek.net/ff2i98t
ficussalm.com/0bqzcn96
ficussalm.com/2m6u1jt9
ficussalm.com/65s3r
ficussalm.com/8pmjmwp
financesystem.net/inliid
frijaflail.com/21fpb
frijaflail.com/37cu2
frijaflail.com/6u982pak
frijaflail.com/bnrxxvsk
mcmustard.com/u6ll6y
mechap.com/xd7uh
personalizar.net/nrwnmk
personalizar.net/qz5x2mmr
robertocostama.com/xyulv
shouwangstudio.com/xkocl94
sintasia.com/ziyd0iap
tastebudsmarketing.com/uw6lin
thegioitructuyen.org/rw6ost0e
timwhid.com/1mdm3
timwhid.com/33ck9bxc
timwhid.com/6twktm
timwhid.com/bnkxqf
tjbjpw.com/wsdou72d
tonglizhongji.com/xia3fu0
tropicalcoffeebreak.com/mqomzf
utopiamanali.com/tylv91
valpit.ru/syrwg2r3
vedexpert.com/zt4ug
visualtopshop.com/svnjzk9
warisstyle.com/sq1sae
wayneboyce.com/u5ahu
waynesinew.com/0fqt9he1
waynesinew.com/2psuru2
waynesinew.com/67egbs
waynesinew.com/9li2sv1r
wbakerpsych.com/mm3kuv
wedding-pix.net/u39ssq
wei58.com/wnticba
wklm.it/qjv1ap
xa12580.com/pq2xb
xhumbrella.com/rb374woh
yurtdax.com/wgltz
zbdesignsas.com/m13o692o
znany-lekarz.pl/wd7zj

The malware phones home to:

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
5.187.7.111/linuxsucks.php (Fornet Hosting, Spain)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152

Friday, 28 October 2016

Malware spam: "Payment history" leads to Locky

Another morning, another spam run pushing Locky ransomware:

Subject:     Payment history
From:     Theodore Wilkins
Date:     Friday, 28 October 2016, 10:09

The payment history for the first week of October 2016 is attached as you requested.

Please review it and let us know if you have any question.
The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script [pastebin] (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these script in these automated analyses [1] [2].

There are many different variants of the script, downloading components from:

2rtt-2rm.ru/grb7c
92hanju.com/utl41nrt
a1plus2.de/ljwxw6vh
accubattery.eu/sjc2at
aegischina.com/yrp6eyv
agrobiciuffa.com.ar/l5e7m6i
allaboutseniors.in/wtm1i0yg
alpha-next.com/ssvmwa
angundoviz.com/lhk96wx
aoteatrial.net/02yls0
aoteatrial.net/142y5x
aoteatrial.net/4865ht
aoteatrial.net/7gojeo
artmusic.dk/izpv2d39
autoreal16.ru/r1j54weq
bachledowka.net/xausf
beauty-link.jp/umjwg8f
bikemielec.com/b7owupi
bircansigorta.com/s84vkrx
blaauw-woonidee.nl/hvlqf9v4
bts-site.nl/fb80j
bumbocubeb.net/04s7752
bumbocubeb.net/163yebg7
bumbocubeb.net/4rjsepe
bumbocubeb.net/8p54eb8
burdur-bld.gov.tr/usl1pm4
buron.dk/t8nh96d
butterflytiger.com/o7eancbx
caraudiogdl.com/zm74gwvw
cavafis.gr/ouyrvo
chanet.jp/mrf40le
chernozem-msk.ru/l5wvp4nc
clinicaharvard.com/umuyki
cmmsrilanka.lk/xztuej9
codelime.net/u9dhbjib
cronos-com.ru/hbxxkshz
dadou0531.com/gych5
dcproduction.fr/wrs9q6
dohere.net/zyme3z
dollheiser.de/v5oqpb4
doogo.com.ar/vw280ik8
drewnianaskrzynka.pl/nfw15wn9
eajhosting.nl/q7jijj3k
edhalper.it/tmnm2v
efb-demarco.de/ywkdd
eflproject.org/vco8bi
egda.pl/unu16fq9
elma.7080.ru/qe3sp3
energiclima.com/sesmgrv4
enzyma.es/lpzd1gev
er-mecanicautomotriz.com/fxlkkv
e-testers.it/jy5ipe3
eurobnr.ro/qd0gn425
euromac.es/oodhs
expert-as.ru/ulfzbh
finahistory.com/jhrni
hellomissdance.com/a03sf
helsby.biz/apwms
hltrader.com/audu4f4o
huodaibbs.com/bqmvde
ilmdesign.com/aos8ly25
joshdult.net/0ia6e4
joshdult.net/3c554n2
joshdult.net/73eqx7oc
joshdult.net/9p4eh
nowon.dk/woqb5j
plookseri.net/097ga
plookseri.net/1s4bzaa1
plookseri.net/5t9nja
plookseri.net/9jyg2s70
shop.ukrtk.com/ck6jfe2e
verdianthy.com/diqlfy1
weddingandfashion.it/djzuf5c
zencart.alpm.gogzmermedia.com/h0woq
zlotysalmo.net/0zx0ken3
zlotysalmo.net/3v8va8ov
zlotysalmo.net/75vepy6f
zlotysalmo.net/9v50aob

(Thank you to my usual source for this data). The malware phones home to:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks.php [hostname: tarasik1.infium.net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks.php (Dunaevskiy Denis Leonidovich, Ukraine)


It also attempts to contact the following URLs which appear to be dead:

pqrifsjpryygmip.pw/linuxsucks.php
uxpxpirusm.xyz/linuxsucks.php
wbaskcsxiffiax.info/linuxsucks.php
kcydflvipqsvqxw.work/linuxsucks.php
haxkbqwyudoeghlhj.biz/linuxsucks.php
mdecrwmtscal.su/linuxsucks.php
pqpmswodyqlbbjmwm.pl/linuxsucks.php
yppsuvfjmnsbi.org/linuxsucks.php
fpeuwdde.xyz/linuxsucks.php
qggdljlijbygeutc.click/linuxsucks.php
juiweirqvt.su/linuxsucks.php
gyhbiuo.ru/linuxsucks.php

A DLL is dropped with a detection rate of 12/57.

Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79

Thursday, 27 October 2016

Moar Locky 2016-10-27

Lots of Locky today, here are some additional download locations for those naughty .wsf scripts.

139.162.29.193/g67eihnrv
1water.com.au/g67eihnrv
adenadataediting.com/g67eihnrv
aghadiinfotechforclient.com/g67eihnrv
agile-scrum-training.com/g67eihnrv
anandlab.com/g67eihnrv
axzio.com/g67eihnrv
banatlebanon.com/g67eihnrv
banknifty.com/g67eihnrv
bindaasdelhi.org/g67eihnrv
bmbuildingpteltd.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cfolio.uk/g67eihnrv
cibr.in/g67eihnrv
ctc.crru.ac.th/g67eihnrv
cttcleaning.com/g67eihnrv
davaomarbled.com/g67eihnrv
dev.searchthruster.com/g67eihnrv
dmlevents.com/g67eihnrv
dollsdelight.com/g67eihnrv
dreamruntech.com/g67eihnrv
drhairchandigarh.in/g67eihnrv
dryilmazyildirim.com/g67eihnrv
dssstaging.net/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eurofranq.com/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
flyingbtc.com/g67eihnrv
ftp-reklama.gpd24.pl/g67eihnrv
fullservicetech.com/g67eihnrv
goldseparator.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
infomazza.com/g67eihnrv
intomim.com/g67eihnrv
intralab.co.id/g67eihnrv
intrekmedya.com/g67eihnrv
italics.in/g67eihnrv
jackpotfutures.com/g67eihnrv
joshturansky.com/g67eihnrv
jus2chat.com/g67eihnrv
kakapublicity.com/g67eihnrv
kalkashimlataxiservice.in/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kaushikjanmejay.com/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
kursuskomputer.web.id/g67eihnrv
librahost.com/g67eihnrv
livingfreehomeramps.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
mgregency.com/g67eihnrv
micaraland.com/g67eihnrv
mileshilton-barber.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
olivierimmobiliare.com/g67eihnrv
paihotel.in/g67eihnrv
physioandpain.com/g67eihnrv
projects.seawindsolution.com/g67eihnrv
prototypingjob.com/g67eihnrv
pubbligrafica360.it/g67eihnrv
riverlifechurch.tv/g67eihnrv
saurabh-kachhadiya.comyr.com/g67eihnrv
scpolytechnic.com/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
srisaioilfield.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
tasveeranarts.in/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
tutorialcodeigniter.16mb.com/g67eihnrv
twoj-sennik.pl/g67eihnrv
ui.worklab.in/g67eihnrv
uniquebulldogpuppies.com/g67eihnrv
uniquecoders.in/g67eihnrv
videoregistrator.bg/g67eihnrv
vkwelaarts.co.za/g67eihnrv
webihawks.com/g67eihnrv
www.3shadz.com/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.camko-motor.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.hayatesabz.ir/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv
zinger.nl/g67eihnrv

Malware spam: "E-TICKET 41648" leads to Locky

More Locky ransomware today..

From     "Matthew standaloft"
Date     Thu, 27 Oct 2016 15:20:27 +0530
Subject     E-TICKET 41648

Dear Sir ,

Please find the attached E-ticket as per your requested.


Thanks & Regards ,

Matthew standaloft
Attached is a ZIP file containing a randonly-named .WSF script, downloading more evil from one of the following locations (according to my usual source):

agile-scrum-training.com/g67eihnrv
axzio.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cttcleaning.com/g67eihnrv
dmlevents.com/g67eihnrv
dreamruntech.com/g67eihnrv
dryilmazyildirim.com/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
fullservicetech.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
intomim.com/g67eihnrv
jackpotfutures.com/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
librahost.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
micaraland.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
riverlifechurch.tv/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
vkwelaarts.co.za/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv

This drops a malicious DLL with a detection rate of 9/56. The following C2 servers are contacts:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks.php (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
213.159.214.86/linuxsucks.php (JSC Server, Russia)


Recommeded blocklist (also see this other spam run today):
83.217.11.193
91.201.202.12
213.159.214.86 

Malware spam: "This is from the Telephone Company to remind you that your bill is overdue." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Bill overdue
From:     Alexandria Maxwell
Date:     Thursday, 27 October 2016, 9:35

This is from the Telephone Company to remind you that your bill is overdue.

Please see the attached bill for the fine charge.
The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script [pastebin] detailed bill C43A9.vbs

The Malwr Report and Hybrid Analysis for that script shows behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download from:

198zc.com/f7ss3oy
3d-schilling.de/jrz8hn
502mm.com/wwe0mac6
88cui.de/rwl8ov
abmelectric.ca/q0o4780r
actiononsports.com/kq0u93a1
aiccard.co.th/dvja1te
alefunny.pl/fksf4
alvida.de/klv2aog3
antiguarelojeria.com/kkzyr
ardnas.nl/f2v5o
art-yoga.myjino.ru/r1es12r
astra-antiques.com/bt32u5
atgem.ch/okl2jok
ayubatikpekalongan.com/cb2it0jj
babilon.by/sws2z1
bachvietxd.com/cbm2v
bathboating.co.uk/fptmhcm
bazalt-gracze.pl/cux57
begbuilders.com/i7ux0sxr
bestseptik.ru/zkmdw66
bibigame.net/ilc753c
bibob-hairshop.nl/fm0tue
bluecuracao.nl/iplibwz
brkos.borec.cz/dwz8li
buypc.ro/vds7o
callideo.fr/msn9ar
casadecandomble.com.br/rhn2dn
cneedu.cn/t1k2wlus
cztaxes.cz/rx19j
dabar.name/hscgqx
dadaniu.cn/o1ws9s
danor.ro/ip9f85t
dicatex.com.ar/tx3or
digicap.net/s6bhb6
dmtya.ru/mpozceu
dont.pl/cvjjw1
dovgan.bclas.ru/gtyvx
dzx800.com/j3sll
dzyncreative.com/o2ilww
ebgboz.nl/pzxc1je
ecentz.com/nvp7s9t
edepolama.com/o56szw
eiskgd.ru/vgvr31
ekofil.pl/o3pp6
elektrik1.ru/vn2q7au
englishukcentral.com/gw59b8
enrico.ru/wqhni
esysports.com/k3qsnhm
favourfinance.com/ouzoy
fbstone.com/gud0y
fengxiaohui.com/k5sqnm
fightsportuk.com/s9e9qdm
flutygoy.net/1b2sy4r
flutygoy.net/48jc5on
flutygoy.net/82okzzkq
flutygoy.net/9vvgvtk
guguhah.com/0w6rv87d
guguhah.com/3mikeq
guguhah.com/7ut2t95
guguhah.com/9bxqzgzo
khstarter.com/fy5cns7
monecouth.net/1gz0ae
monecouth.net/702t90
monecouth.net/8qxfzegf
monecouth.net/atb1yedm
morenaart.com/ng8if4c
njlsyb.com/rp7pn
sozluktr.com/x65mjo
szylbx.com/bgmhcx14
tahradeep.com/0u0zb
tahradeep.com/1tuqd
tahradeep.com/7emuv
tahradeep.com/94rttn
theatosc.net/1clhtqam
theatosc.net/558x66
theatosc.net/8j3wm
theatosc.net/a952l

A DLL is dropped with a detection rate of 11/56, and the malware then phones home to:


91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)


Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150

Wednesday, 26 October 2016

Malware spam: "Your order has been proceeded." leads to Locky

This curiously worded spam email leads to Locky ransomware:

Subject:     Your order has been proceeded
From:     Elijah Farrell
Date:     Wednesday, 26 October 2016, 12:41


Your order has been proceeded.

Attached is the invoice for your order 2026326638.

Kindly keep the slip in case you would like to return or state your product's warranty.
The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name.

The various scripts download a component from one of the following locations (thank you to my usual source for this):

198zc.com/vnrymi
3d-schilling.de/ytm08hf
abaffbedip.net/0ec4sb62
abaffbedip.net/1roef5v
abaffbedip.net/5k4oh5
abaffbedip.net/8b0lk2p
actiononsports.com/yduc1
aiccard.co.th/sy7hb7
alefunny.pl/vjjw0
alvida.de/zhw8nw6
antiguarelojeria.com/zg28jio
ayso722.org/ny8s6fn
banana2.jp/zsf0952
begbuilders.com/xjtb9k
bibliocultura.org/hdhwx7sf
bluecuracao.nl/xt8w2p3
bonetti.nl/bqc565q
brkos.borec.cz/skxkk33b
callideo.fr/zwg1d
caulgreet.com/0gxgwa
caulgreet.com/2sqh38d1
caulgreet.com/6o04pdt
caulgreet.com/9gl7t
chuvafeatherstone.com/rve6j
ciscscout.net/rvkbiv3t
cloudafis.com/kpw6h4uh
cngmalaysia.org/f4cda
cpugame.com/r3octl
cryochoice.com/n4801d
dadaniu.cn/cyk9hpr
danor.ro/xnnhp5
dmtya.ru/zqzii
dominoassociates.com/keg4g
dongyigg.com/onirn0r
dont.pl/stuf3
dovgan.bclas.ru/wk7tah
dzyncreative.com/v1djrmn
ecentz.com/sbvv8md
edepolama.com/xlyrh
edu02.ru/nk6z1
entersukses.com/cudm8
ergobois.com/j87ns
esteticapro.com/tje1ya
esysports.com/ybn7qw
exquisiteescape.com/fa8f7fk9
fazendacristal.com/djgyn
fbstone.com/xjlq6
fengxiaohui.com/yulge
filenetp8.info/esg742j9
flw123.com/kygiq6t
gerardfetter.com/fudjm1m
gongzuoshu.com/lojhvcj7
grandfm.com/my98xg7a
guymorgandaily.com/ilgx8tki
hankookm.com/lun77kyf
hfhhk.com/edfwyi1
hotsigns.net/ayxpi
jean-ealogy.com/dauwq7a
khstarter.com/w8811bg
landondavid.com/d5t56y4b
lanmaicao.com/bxyi91
lcmaya.com/d79p8w
mannersfromtheheart.com/cn450b
milianjie.com/dg1ie
morenaart.com/qbwnl
nakedglobal.com/d6s6f
roweliced.net/12fi9dc
roweliced.net/35lz355g
roweliced.net/6vgrs4
roweliced.net/a1f8yb
sheatcatan.com/1cb7jn
sheatcatan.com/3oze6ie
sheatcatan.com/74mqu
sheatcatan.com/awcdu3
titmaius.net/0f7ygeg
titmaius.net/1zsxe
titmaius.net/6g32j
titmaius.net/8u0ie

The downloaded binary then phones home to:

78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)


It also tries to phone home to these URLs which are currently not resolving:

umjjvccteg.biz/linuxsucks.php
hbnatserncelosskp.biz/linuxsucks.php
rqnegynlpkohoohp.pw/linuxsucks.php
ymrorgauixirigj.biz/linuxsucks.php
ayyxamwyvfyqidija.pw/linuxsucks.php
yfjxvok.ru/linuxsucks.php
lbbauqqpynjem.xyz/linuxsucks.php
tnvnmjdyokgyj.pl/linuxsucks.php
hoiedes.pl/linuxsucks.php
toaqabrl.xyz/linuxsucks.php
leacfrc.info/linuxsucks.php
jkjxnrnirmqt.pw/linuxsucks.php

Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225




Malware spam: "Western Union Help Desk" / "Proof" leads to Adwind

Just by way of a change, here's some malspam that doesn't lead to Locky..

From:    Western Union Help Desk [mes@prosselltda.cl]
Reply-to:    Western Union Help Desk [mes@prosselltda.cl]
Date:    26 October 2016 at 20:07
Subject:    Proof

Dear All,

To comply with customer service standards, we need to have the Proof of Payment for the following attached transaction that has been marked as paid by one of your Locations.

Please e-mail us a copy of the ?To Receive Money Form?  as a Proof of Payment. If no TRMF or reason for delay were received by the above mentioned due date, we will consider the Transaction as Paid in Error and will proceed to reinstate it accordingly charging Paying Account.

In case there are an Automatic Customer Receipt (ACR) and a Handwritten Form, please send us both.

Click To View  Click to download  Click to open on browser

Thanks

Shameer Illyas

| Agent Support Officer |

|  Western Union Money Transfer |


In this case, the link in the email goes to:

linamhost.com/host/Western_Union_Agent_Statement_and_summary_pdf.jar

This is a Java file, if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it won't run. VirusTotal identifies it as the Adwind Backdoor. The Malwr report shows it attempting to contact:

boscpakloka.myvnc.com     [158.69.56.128] (OVH, US)

A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis. Check the Dropped Files section of the Malwr Report for more.

Personally, I recommend blocking all dynamic DNS domains such as myvnc.com in corporate environments. At the very least I recommend blocking 158.69.56.128.

Tuesday, 25 October 2016

Malware spam: "Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data" leads to Locky

Perhaps minimalist spam works better, there is currently a Locky spam run with on of the subjects Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript that looks like this [pastebin]. There is no body text.

These automated analyses [1] [2] [3] [4] show that it is Locky. My usual sources tell me that the various scripts download from one of the following locations:

abplhomes.com/g76dbf
alyatater.com/g76dbf
baedalapp.com/g76dbf
beaumontschool.com/g76dbf
blastspraypolish.com/g76dbf
codefinder.co/g76dbf
copperfilters.com/g76dbf
cultural-ecology.com/g76dbf
designera.org/g76dbf
dev.indonesiatextile.id/g76dbf
dwimultimakmur.com/g76dbf
dziennikarze.lo-kolaczyce.pl/g76dbf
easytravelvault.com/g76dbf
elitednadt.com/g76dbf
emreker.com/g76dbf
faisal-ibrahim.info/g76dbf
fpi-canada.com/g76dbf
fresflor.net/g76dbf
gellyrepin.com/g76dbf
himytutor.com/g76dbf
informing.asia/g76dbf
jciindia.in/g76dbf
kantoor.vescolub.nl/g76dbf
kendalpos.com/g76dbf
lamurindo.com/g76dbf
lilxtreme.com/g76dbf
lookbeauty.ir/g76dbf
mahendradesai.net/g76dbf
newdesign.well.pk/g76dbf
nitrogenwebs.com/g76dbf
panaceapeople.com/g76dbf
permars.com/g76dbf
privatestashstorage.com/g76dbf
promo.worldloft.ru/g76dbf
read4change.com/g76dbf
runmyaccounts.ch/g76dbf
rws1.com.au/g76dbf
samuderaciptaraya.com/g76dbf
sendat.vn/g76dbf
shopro.ir/g76dbf
srcc.co.th/g76dbf
swissmades.com/g76dbf
tacunair.com/g76dbf
tciislandguide.com/g76dbf
uatsa.cl/g76dbf
vicampro.com/g76dbf
web.justproductions.co.uk/g76dbf
wivebeday.com/g76dbf
www.fireballindia.com/g76dbf
www.jockytours.com/g76dbf
www.pb2bb2c.com/g76dbf
www.pharmaciela.com/g76dbf

The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh

A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56. The malware then phones home to one of the following locations:

185.127.27.100/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks.php (Volia DataCentre, Ukraine)


The malware also attempts to contact the following locations, all of which seem to be inactive:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221