Sponsored by..

Showing posts with label Voice Mail. Show all posts
Showing posts with label Voice Mail. Show all posts

Monday, 31 October 2016

Malware spam: "SureVoIP" / "Voicemail from.." leads to Locky

This fake voicemail message leads to Locky ransomware:

Subject:     Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
From:     SureVoIP (voicemailandfax@[redacted])
Date:     Monday, 31 October 2016, 11:17


Message From "Catalina rigby 02355270166" 02355270166
Created: 2016.10.31 14:46:53 PM
Duration: 00:01:22
Account: voicemailandfax@[redacted]
Details will vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts the download a component from one of the following locations.

1y9y.com/g7cberv
3922group.net/g7cberv
abraszczecin.pl/g7cberv
afh-indy.org/g7cberv
ajaraheritage.ge/g7cberv
alifaruk.com/g7cberv
andrewclark.com.au/g7cberv
arabian-link.com/g7cberv
artanatrade.com/g7cberv
artemon.gr/g7cberv
ashbury.bg/g7cberv
atelier13.ro/g7cberv
bandenland.be/g7cberv
beasee.com/g7cberv
bemassive.nl/g7cberv
bertedu.com/g7cberv
bestroyalart.com/g7cberv
blogmepro.com/g7cberv
bobyfrancisandpradeep.com/g7cberv
bolat-zhol.kz/g7cberv
buynolvadexonlineshop.com/g7cberv
bwdianji.com/g7cberv
carama.info/g7cberv
caseycarrental.com/g7cberv
ceil.hk/g7cberv
cetinakademi.com/g7cberv
charistia.info/g7cberv
crossroadsmgmt.com/g7cberv
ctrlalt.de/g7cberv
dapos.ru/g7cberv
dbtsites.com/g7cberv
decoracionbebes.com/g7cberv
detectodecolombia.com/g7cberv
devinkellerart.com/g7cberv
ditjenp2p.info/g7cberv
dobromoda.ru/g7cberv
doolotto.com/g7cberv
dor29.ru/g7cberv
drevenefasady.eu/g7cberv
drpneu.ro/g7cberv
ekotracks.com/g7cberv
emg.su/g7cberv
en.fitgrp.com/g7cberv
enliveshow.com/g7cberv
fortuneprixgroup.com/g7cberv
freehosted.netai.net/g7cberv
gopa1.ru/g7cberv
grupotalents.com/g7cberv
halimbamdad.ir/g7cberv
haydistributing.com/g7cberv
hundeschulegoerg.de/g7cberv
inventionsteel.com/g7cberv
ipmart.co.in/g7cberv
jianshu100.com/g7cberv
jnzbookkeeping.com/g7cberv
kavehconsultancy.co/g7cberv
liftaccessory.com/g7cberv
lux-luster.com/g7cberv
lzeshine.com/g7cberv
monoadage.net/g7cberv
nbjzpx.com/g7cberv
net2008.com/g7cberv
newdawnexperience.com/g7cberv
nixvector.com/g7cberv
oakridge-realty.com/g7cberv
oualili.org/g7cberv
pandoracharm.ru/g7cberv
panel.steelpars.com/g7cberv
paulasalamanca.com/g7cberv
peskara.com/g7cberv
pidaco.com/g7cberv
reviewprimer.com/g7cberv
ri-vyoo.com/g7cberv
rkanswers.com/g7cberv
rktest.net/g7cberv
rndled.com/g7cberv
trustcarts.com/g7cberv
unoldontal.com/g7cberv
webframez.com/g7cberv
www.a2zportals.com/g7cberv
www.shavash.ir/g7cberv
www.webframez.com/g7cberv
xn--72c6awi9b2bj7ixcg4c.com/g7cberv
zist-konkur.ir/g7cberv

The C2 servers overlap with the ones found here.

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152



Friday, 29 July 2016

Malware spam: "Voicemail from Anonymous" / SureVoIP [voicemailandfax@surevoip.co.uk]

This fake voicemail spam has a malicious attachment:
From     SureVoIP [voicemailandfax@surevoip.co.uk]
Date     Fri, 29 Jul 2016 17:47:41 +0700
Subject     Voicemail from Anonymous <Anonymous> 00:02:15

Message From "Anonymous" AnonymousCreated: Fri, 29 Jul 2016 19:45:15 +0900Duration:
00:02:37Account: victimdomain.tld
The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf.

According to my trusted source (thank you as ever):

64.22.100.95/78h8ry
A1Engg.com/9u8jreve
am-i-evil.de/n3rv3rv
avaretv.atspace.com/n3rv3rv
cieslakwz.cba.pl/9u8jreve
curionaut.web.fc2.com/78h8ry
gim24.y0.pl/9u8jreve
guessen.privat.t-online.de/9u8jreve
gurannbania03.web.fc2.com/9u8jreve
hanokenko.web.fc2.com/n3rv3rv
hokkatsu6.web.fc2.com/78h8ry
kapiti-alpaca.co.nz/78h8ry
kathrin18.edv-kamue.de/78h8ry
kimani.dommel.be/n3rv3rv
martinezlabalsa.atspace.org/78h8ry
melzer-ferienwohnung.de/78h8ry
mertenitalia.atspace.com/78h8ry
paris82nana.cafe24.com/78h8ry
pixelacker.de/9u8jreve
rakurakutuuhang.web.fc2.com/n3rv3rv
rhodins.nu/n3rv3rv
sandalcraft.cba.pl/9u8jreve
shinryu1226.web.fc2.com/78h8ry
sspbadecz.ugu.pl/9u8jreve
www.amelander.nl/78h8ry
www.arrietayasociados.es/9u8jreve
www.atiyka.home.ro/9u8jreve
www.bobp.org.uk/9u8jreve
www.cabana.it/9u8jreve
www.corama.com/n3rv3rv
www.cs-strumentazione.it/9u8jreve
www.destine.broker.go.ro/n3rv3rv
www.diegofabbri.com/n3rv3rv
www.ecologica2000srl.eu/78h8ry
www.finnform.it/n3rv3rv
www.flamarimports.com.br/n3rv3rv
www.josegbueno.jazztel.es/9u8jreve
www.malzi.mynetcologne.de/n3rv3rv
www.markomielentz.de/78h8ry
www.nieli.de/9u8jreve
www.oliooddo.com/n3rv3rv
www.professionaldga.com/78h8ry
www.suesswarentechniker.de/78h8ry
www.techninov.fr/n3rv3rv
yohollywood.50webs.com/78h8ry


The downloaded binary is Locky ransomware, phoning home to:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]

Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139

Thursday, 6 August 2015

Malware spam: "Voice message from 07773403290" / ""tel: 07773403290" [non-mail-user@voiplicity.co.uk]"

This fake voicemail spam comes with a malicious attachment:

From     "tel: 07773403290" [non-mail-user@voiplicity.co.uk]
Date     Thu, 06 Aug 2015 11:54:43 +0300
Subject     RE: Voice message from 07773403290
I was not able to determine if there was any body text from my sample collector, however each sample had an identical attachment message_01983527496.wav.zip which contains a malicious executable message_01983527496.exe. This has a VirusTotal detection rate of 5/55 and automated analysis tools [1] [2] show it POSTing to:

wedspa.su/go/gate.php

This is hosted on a RU-Center IP address of 185.26.113.229 in Russia. Furthmore, a malicious executable is downloaded from the following locations:

globalconspiracy.hj.cx/1.exe
mastiksoul.org/1.exe


In turn, this has a detection rate of 2/55 and automated analysis of this [1] [2] show that it phones home to 212.47.196.149 (Web Hosting Solutions, Estonia).

The payload is unclear at this point, but you can guarantee that it will be nothing good.

Recommended blocklist:
185.26.113.229
212.47.196.149

MD5s:
da575b916f419b9e8bfea12168fa9902
f3ede4ebcd4b6debf15646a3d1a8bbd1






Wednesday, 11 March 2015

Malware spam: "Voicemail Message (07813297716) From:07813297716"

When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From:     Voicemail admin@victimdomain
Date:     11/03/2015 11:48
Subject:     Voicemail Message (07813297716) From:07813297716

IP Office Voicemail redirected message

Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:

http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php

This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicous macros rather than EXE-in-ZIP attacks.

The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:

http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe


This component has a detection rate of 5/57. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57 which is the same Dridex binary we've been seeing all day.

Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:

31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.3
104.232.32.119
188.120.243.159




Thursday, 23 October 2014

"Voice Mail" (voicemail_sender@voicemail.com) spam

Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, don't open it.
From:  "Voice Mail" [voicemail_sender@voicemail.com]
Date:  Thu, 23 Oct 2014 14:31:22 +0200
Subject:  voice message from 598-978-8974 for mailbox 833

You have received a voice mail message from 598-978-8974
Message length is 00:00:33. Message size is 264 KB.

Download your voicemail message from dropbox service below (Google Disk
Drive Inc.):

http://itsallaboutrice.com/documents/doc.php
Clicking the link goes to a script that detects if the visitor is running Windows, if so it downloads a file doc_9231-92_pdf.zip from the target system which in turn contains a malicious executable doc_9231-92_pdf.exe which has a VirusTotal detection rate of 4/51.

The Malwr report for that binary shows it communicating with the following URLs:

http://188.165.214.6:18608/2310uk1/HOME/0/51-SP3/0/
http://188.165.214.6:18608/2310uk1/HOME/1/0/0/
http://188.165.214.6:18608/2310uk1/HOME/41/5/1/
http://inaturfag.com/files/2310uk1.oss

188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system, nlsio.exe (VT 4/48, Malwr report) and qhcjp.exe (VT 0/51, Malwr report).

Recommended blocklist:
188.165.214.6
inaturfag.com



Friday, 26 September 2014

Malware spam: "Employee Documents - Internal Use" / "You have a new voice" / "BACS Transfer : Remittance for JSAG244GBP" / "New Fax"

Whoever is running this spam run is evolving it day after day, with different types of spam to increase clickthrough rates and now some tricky tools to prevent analysis of the malware.

Employee Documents - Internal Use

From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://iqmaintenance.com.au/Documents/document26092014-20.pdf

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

You have a new voice

From:     Voice Mail [Voice.Mail@victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs4004011004_001

The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E

To download and listen your voice mail please follow the link below: http://www.sjorg.com/Documents/voice26092014-18

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.

RBS: BACS Transfer : Remittance for JSAG244GBP

From:     Douglas Byers [creditdepart@rbs.co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP

We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link below:

http://plugdeals.com/Documents/payment26092014-15

New Fax

From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax

You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here : http://montfort.dk/Documents/faxmessage26092014-16
The links in the emails I have seen go to the following locations (there are probably many, many more):

http://plugdeals.com/Documents/payment26092014-15
http://iqmaintenance.com.au/Documents/document26092014-20.pdf
http://www.sjorg.com/Documents/voice26092014-18
http://montfort.dk/Documents/faxmessage26092014-16


The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block.

A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.

The landing page script looks like this [pastebin] which is a bit harder to deal with, but nonetheless an malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55. The Anubis report shows the malware attempting to phone home to padav.com which is probably worth blocking.

Tuesday, 23 September 2014

According to this spam.. "You have a new voice". Really?

This strangely titled spam leads to malware.

From:     Voice Mail
Date:     23 September 2014 10:17
Subject:     You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs8213783583_001

The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH

To download and listen your voice mail please follow the link below: http://www.ezysoft.in/ocjnvzulsx/begmnbjiae.html

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
Hang on.. cough cough.. la la la la la la.. testing testing. Nope, my voice sounds pretty much the same as it usually does.

The link in the email downloads a file from www.ezysoft.in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54.

According to this Anubis report the malware attempts to phone home to very-english.co.uk which might be worth blocking.