Sponsored by..

Showing posts sorted by relevance for query Valeriyovuch. Sort by date Show all posts
Showing posts sorted by relevance for query Valeriyovuch. Sort by date Show all posts

Thursday, 29 September 2016

Malware spam: "Temporarily blocked" leads to Locky

The attachment on this spam email leads to Locky ransomware:

From: "Ambrose Clements"
Subject: Temporarily blocked
Date: Thu, 29 Sep 2016 13:37:53 +0400

Dear [redacted]

this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.

We attached the scan of transactions. Please confirm whether you made these transactions.
 Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download from one of the following locations:

0793mobile.com/jetg2
109.73.234.241/dgq01p
18901350711.com/ll0wdsu
365jtoo.com/qw3r7arg
3ddentalimage.com/ytouk6
489ean.com/r2jdxy
51steel.org/s4b5ztgc
59jd.com/ggha9
5i5k.net/j0g1jk3
5iroom.com/vqv5yibr
91ise.info/pcre0ri4
abbiholland.com/f5ioimw
aldohuaman.com/52y3am
antamduc.com/ttbysvp
a-we.com/o0m5ayu
baankonkoh.com/hhon5mma
cielitodrive.com/x8vqc6
columbiaprintingservices.com/u542pjoi
cranioactive.com/l7vb0
cyprusnike.com/kkpno
domaks-dom.ru/mugr3gb1
exonbalai.com/1r1y6so
exonbalai.com/4dnv8
fhgmediaent.com/66aslu
hastarim.com/nyyjoec
immewrood.net/2j4z9px
immewrood.net/52y3am
inspirationbydesire.com/lfmlspp
jetpcl.com/m23gz0tv
joventa.sk/25fkt
jscompuserve.com/sqa5iq4
kayooo.net/67mxndh
khasitez.net/0a5lma5
khasitez.net/2m01898x
kidzvidz.com/miwn5
kitamachiweek.com/khcg0ta4
knigoboz.ru/nessj4k8
londonmusicclub.com/j6ln7cl
mayurinkorat.com/igxbat
ogeedfungo.net/0zqoae
ogeedfungo.net/3n4pwk
olimp-otel.ru/vevfq
pthcu.org/vnqdve7
redegamb.com/25fkt
redegamb.com/4gwca5b
rglogistic.com/var79sa
sewingwholesale.com/o8hn4
supplyglassess.com/gbnfsmh
szaloncukor.net/jelxoi
tolgaustun.com/drnag
touchasoul.org/nha0pkom
unwantedtattoos.co.uk/e1mbgfej
vaidia.com/y6m3en
viptabien.com/al9n7nh
web4-magento.com/cdlp4o
websitedesigncourse.net/p9580
wikichemicals.com/v1x7cfd
wirelessdd.com/692lrr
womenepic.com/89spy93v

The decoded malware then phones home to:

195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo.pw/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
gqackht.biz/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
bgldptjuwwq.org/apache_handler.php
cxnlxkdkxxxt.xyz/apache_handler.php
rcahcieii.work/apache_handler.php
uxaoooxqqyuslylw.click/apache_handler.php
vwktvjgpmpntoso.su/apache_handler.php
upsoxhfqut.work/apache_handler.php
nqchuuvgldmxifjg.click/apache_handler.php
ofoclobdcpeeqw.biz/apache_handler.php
kfvigurtippypgw.pl/apache_handler.php
toescilgrgvtjcac.work/apache_handler.php

Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132




Thursday, 21 March 2013

NACHA spam / encodeshole.org

This fake NACHA spam leads to malware on encodeshole.org:

From: "Тимур.Родионов@direct.nacha.org" [mailto:biker@wmuttkecompany.com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High

Dear Sirs,

Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Click here for more information

Please apply to your financial institution to get the necessary updates of the Direct Deposit software.

Best regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548
The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:

91.234.33.187
encodeshole.org
rotariesnotify.org
rigidembraces.info
storeboughtmodelers.info


Tuesday, 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

https://dropbox.com/file/9A30AA
--
Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA

Members of the CAERUS Capital Group

www.tayloredgroup.co.uk

Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system. 
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6]  shows Locky ransomware attempting to phone home to the following locations:

91.234.35.170/imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75/imageload.cgi (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24

Thursday, 1 September 2016

Malware spam: "Our shipping service is sending the order form due to the request from your company."

This fake shipping email comes with a malicious attachment:

Subject:     Shipping information
From:     Charles Burgess
Date:     Thursday, 1 September 2016, 9:30

Dear customer,

Our shipping service is sending the order form due to the request from your company.

Please fill the attached form with precise information.

Very truly yours,
Charles Burgess
The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and endng with _shipping_service.js.

Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):


joeybecker.gmxhome.de/430j1t
ngenge.web.fc2.com/vs1qc0
mambarambaro.ws/1zvqoqf
timetobuymlw.in/2dlqalg0
peetersrobin.atspace.com/t2heyor1
www.bioinfotst.cba.pl/u89o4

Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis shows the malware phoning home to:

5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably Locky ransomware.

Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24

Tuesday, 1 November 2016

Malware spam: "This is to inform that the transaction you made yesterday is declined." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Transaction declined
From:     Chandra Frye
Date:     Tuesday, 1 November 2016, 10:48

Dear [redacted],

This is to inform that the transaction you made yesterday is declined.

Please look through the attachment for the verification of the card details.

Best Regards,
Chandra Frye
The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs) which looks like this [pastebin]. That particular sample plus one other I received communicates with the URLs below, but you can be sure that there are many more examples:

51qudu.com/mqy2pj4
bjzst.cn/qgq4dx
danapardaz.net/zrr8rtz
litchloper.com/66qpos7m
creaciones-alraune.es/dx8a5
adasia.my/f5qyi10
alecrim50.pt/g28w495t
zizzhaida.com/a0s9b
silscrub.net/07ifycb

Hybrid Analysis is inconclusive. If I get hold of the C2s or other download locations then I will post them here.

UPDATE

My usual reliable source tells me that these are all the download locations:

17173wang.com/f6w0p
176.9.41.156/rodru
4office.pl/zyjkry6
51qudu.com/mqy2pj4
akbarcab.com/p8vw992v
alpinivel.pt/as4jcmm
americanjuniorgolfschool.com/hkba7
apiaa.ro/jqm6ltfw
atech.co.th/lyyrdp9
badyna.pl/saf0zv
baoan99.com/jllkv
baranteks.com/hrnf0q44
beesket.com/jrd8d411
bikebrowse.com/mjjoy
biolume.nl/rq8mabk
bionorica.md/m61yk
birim.org/x5s8d
bisskultur.de/rawmjx
bjsunny.net/claocm
bjzst.cn/qgq4dx
blastech.cc/nsg5xyi
carsmotor.net/stab2
cascinamatine.com/a7w59h
cdxybg.com/iribzm
charoenpan.com/jv4fj
chbeirlaw.com/oyem1
civc.co.uk/y5rcauj
containermx.com/vzndc
creaciones-alraune.es/dx8a5
crossfitgladstone.com/orfx8
cvanchen.com/m61yk
danapardaz.net/zrr8rtz
daricacicekci.com/jqec1k7r
doctornauchebe.it-strategy.ru/k1d7d
eatfatlosefat.com/yx7s1
ebooks.w8w.pl/slhj1l
econsult.com.tw/dqtvy
fieldserviceca.net/dndovr
koranjebus.net/1bpsrbfa
koranjebus.net/4rwg5
koranjebus.net/94rgo
koranjebus.net/9fif0
litchloper.com/2be1xz
litchloper.com/66qpos7m
litchloper.com/96iq4o
litchloper.com/9qknusm
nbsbjt.net/icefdwl
silscrub.net/40l8w
silscrub.net/79d6w4
sonsytaint.com/0dqj0dd
sonsytaint.com/4mgxlrf
sonsytaint.com/89hs1ix
zizzhaida.com/3m6ij
zizzhaida.com/98g4ubq

These are the C2s:

91.234.32.202/linuxsucks.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
81.177.22.164/linuxsucks.php (NETPLACE, Russia)


Recommended blocklist:
91.234.32.202
81.177.22.164

Wednesday, 31 August 2016

Malware spam: "bank transactions"

This fake financial spam comes with a malicious attachment:

From:    Rueben Vazquez
Date:    31 August 2016 at 10:06
Subject:    bank transactions


Good morning petrol.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.


Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.

According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):

www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis

Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:

95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably the Locky ransomware.

Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24


Saturday, 12 March 2016

Malware spam: "Urgent Notice # 78815053" leads to Teslacrypt

This spam comes from random senders, and has random references, dollar amounts and attachment names:

From:    Donnie emily
Date:    12 March 2016 at 14:01
Subject:    Urgent Notice # 78815053

Dear Customer!

According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.

Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.

We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.

Please check out the file and do not hesitate to pay off the debt.

Otherwise we will have to start a legal action against you.

Regards,
Donnie emily
758 N Davis St, Jacksonville,
FL 17323
Phone nr: 026-762-3482 
Attached is a randomly-named ZIP file, in the sample I have seen they begin with:
  • letter_
  • confirm_
  • access_
  • unconfirmed_operation_
  • operation_
  • details_
..plus a random number. There may be other formats. Inside is a malicious script beginning with:
  • details_
  • post_
  • mail_
..plus a random string of characters. I have seen six versions of this script, I do not know how many there are in total. VirusTotal results show detection rates between 4 and 7 out of 57 [1] [2] [3] [4] [5] [6] and automated analysis tools [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] show the script attempting to download a binary from:

bonjovijonqq.com/69.exe?1
bonjovijonqq.com/80.exe?1


This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different (VirusTotal results [19] [20]) and they appear to phone home to:

vtechshop.net/wcspng.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
shirongfeng.cn/images/lurd/wcspng.php


It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to:

31.184.196.78 (Petersburg Internet Network Ltd, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Russia)


The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs:

192.210.144.130 (Hudson Valley Host  / Colocrossing, US)
54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)


The following malicious domains are also on the same servers:

nnrtsdf34dsjhb23rsdf.spannflow.com
bonjovijonqq.com
returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
howareyouqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.

Recommended blocklist:
192.210.144.130
54.212.162.6
212.119.87.77
78.135.108.94
31.184.196.78
91.234.32.192
multibrandphone.com
sappmtraining.com
shirongfeng.cn
vtechshop.net


Friday, 29 April 2016

Malware spam: "Second Reminder - Unpaid Invoice"

This fake financial spam leads to malware:

From:    Janis Faulkner [FaulknerJanis8359@ono.com]
Date:    29 April 2016 at 11:13
Subject:    Second Reminder - Unpaid Invoice

 We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details please check invoice attached to this mail

Regards,

Janis Faulkner
Chief Executive Officer - Food Packaging Company 

Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.


The scripts I have seen download slightly different binaries from the following locations:

cafeaparis.eu/f7yhsad
amatic.in/hdy3ss
zona-sezona.com.ua/hj1lsp
avcilarinpazari.com/u7udssd


VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2] [3] [4]. In addition to those reports, various automated analyses [5] [6] [7] [8] [9] show that this is Locky ransomware phoning home to:

91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
83.217.8.155 (Park-web Ltd, Russia)
31.41.44.246 (Relink Ltd, Russia)
89.108.84.155 (Agava Ltd, Russia)
51.254.240.60 (Relink, Russia / OVH, France)


I strongly recommend that you block traffic to:

91.234.32.19
83.217.8.155
31.41.44.246
89.108.84.155
51.254.240.60




Thursday, 28 April 2016

Malware spam: "FW: Invoice" from multiple senders

This fake financial spam comes from randomly-generated senders, for example:

From:    Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br]
Date:    28 April 2016 at 11:40
Subject:    FW: Invoice

Please find attached invoice #342012

Have a nice day

Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are:

http://rabitaforex.com/pw3ksl
http://tribalsnedkeren.dk/n4jca
http://banketcentr.ru/v8usja
http://3dphoto-rotate.ru/h4ydjs
http://switchright.com/2yshda
http://cafe-vintage68.ru/asad2fl
http://minisupergame.ru/a9osfg


The payload looks like Locky ransomware. The DeepViz report shows it phoning home to:

83.217.26.168 (Firstbyte, Russia)
31.41.44.246 (Relink, Russia)
91.219.31.18 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.60 (Relink, Russia / OVH, France)
91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua.  Ukraine)


These two Hybrid Analysis reports [1] [2] show Locky more clearly.

Recommended blocklist:
83.217.26.168
31.41.44.246
91.219.31.18
51.254.240.60
91.234.32.19

Thursday, 10 March 2016

Malware spam: "Attached File" / canon@victimdomain.tld leads to Locky

This spam has a malicious attachment. It appears to come from within the sender's own domain. There is no body text.

From:    canon@victimdomain.tld
Date:    10 March 2016 at 09:02
Subject:    Attached File

In the sample I saw, there was an attachment victimname@victimdomain.tld_07567_273772.zip which contained a randomly-named script with a detection rate of 5/57. Automated analysis [1] [2] shows that this is the Locky ransomware, and it downloads a binary from:

buyfuntees.com/system/logs/7t6f65g.exe

This binary has a detection rate of  just 1/56. Those reports indicate that the malware phones home to:

31.184.196.78 (Petersburg Internet Network Ltd, Russia)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)


There are probably many other download locations and some more C2s as well, I will update this post if I see them.

UPDATE

This additional analysis is from a trusted third party (thank you!)

Additional download locations:

behrozan.ir/system/logs/7t6f65g.exe
fashion-boutique.com.ua/system/logs/7t6f65g.exe
fortyseven.com.ar/system/logs/7t6f65g.exe
iwear.md/system/logs/7t6f65g.exe
lady-idol.6te.net/system/logs/7t6f65g.exe
ncrweb.in/system/logs/7t6f65g.exe
xn--b1afonddk2l.xn--p1ai/system/logs/7t6f65g.exe


Additional C2s:

91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
91.234.33.149 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)


Sender is canon or copier or epson or scanner or xerox at the victim's domain.

Recommended blocklist:
31.184.196.78
78.40.108.39

91.219.30.254
91.234.33.149




Friday, 11 March 2016

Malware spam: Your Amazon order #137-89653734-2688148 / AMAZON.COM [Mailer-daemon@amazon.com]

This fake Amazon spam comes with a malicious attachment:

From:    AMAZON.COM [Mailer-daemon@amazon.com]
Date:    11 March 2016 at 09:09
Subject:    Your Amazon order #137-89653734-2688148

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order #137-89653734-2688148 Placed on March 11, 2016

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.com 

Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script of which I have seen just a single sample with a detection rate of 5/56. According to this Malwr report, the script downloads a binary from:

mercadohiper.com.br/system/logs/uy78hn654e.exe

That binary has a detection rate of 4/55. According to the Malwr report for the script and this Malwr report for the binary, it phones home to:

31.184.196.75 (Petersburg Internet Network, Russia)
91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)


There are probably other download locations and C2s, I will update this post if I find out what they are.

UPDATE

Some additional C2s from various sources:

78.40.108.39 (PS Internet Company LLC. Kazakhstan)
31.184.196.78 (Petersburg Internet Network, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)


Some additional download locations for this and other locky spam runs today:

solucionesdubai.com.ve/system/logs/uy78hn654e.exe
ghayatv.com/system/logs/uy78hn654e.exe
dolcevita-ykt.ru/system/logs/uy78hn654e.exe


Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192


Thursday, 29 September 2016

Malware spam: "Receipt 103-526" / Receipt.xls

This spam leads to Locky ransomware:

From     rosalyn.gregory@gmail.com
Date     Thu, 29 Sep 2016 21:07:46 +0800
Subject     Receipt 103-526
I cannot tell if there is any body text, however there is an attachment Receipt.xls which contains malicious code [pastebin] that in the case of the sample I analysed downloads a binary from:

opmsk.ru/g76ub76

There will be many other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:

89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

A malicious DLL is dropped with a detection rate of 6/57. Malicious IPs and domains overlap quite a bit with this earlier attack. This version of Locky encrypts files with a .odin extension.

UPDATE - a source indicates these are all the download locations in this attack:

1gouw.com/g76ub76
368lx.com/g76ub76
81millstreet.nl/g76ub76
alliswelltour.com/g76ub76
ampconnect.com/g76ub76
anhsaodem.info/g76ub76
aseandates.com/g76ub76
birthstory.com/g76ub76
cmcomunicacion.es/g76ub76
dedivan.ru/g76ub76
demo.website.pl/g76ub76
econopaginas.com/g76ub76
gadget24.ro/g76ub76
globalremoteservices.com/g76ub76
innogenap.com/g76ub76
juyinggroup.com/g76ub76
kelownatownhomes.com/g76ub76
mediumsize.org/g76ub76
opmsk.ru/g76ub76
parentchildmothergoose.com/g76ub76
parroquiansg.org/g76ub76
slaterarts.com/g76ub76
sonajp.com/g76ub76
studiorif.ru/g76ub76
unforgettabletymes.com/g76ub76

Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132

Wednesday, 27 April 2016

Malware spam: "Thank you. Our latest price list is attached. For additional information, please contact your local ITT office."

This fake financial spam leads to malware:

From:    Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date:    27 April 2016 at 12:23
Subject:    Price list

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.

Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:

aaacollectionsjewelry.com/ur8fgs
adamauto.nl/gdh46ss
directenergy.tv/l2isd
games-k.ru/n8eis
jurang.tk/n2ysk
lbbc.pt/n8wisd
l-dsk.com/k3isfa
mavrinscorporation.ru/hd7fs
myehelpers.com/j3ykf
onlinecrockpotrecipes.com/k2tspa
pediatriayvacunas.com/q0wps
soccerinsider.net/mys3ks
warcraft-lich-king.ru/i4ospd

haraccountants.co.uk/k9sjf

This downloads Locky ransomware. The executable then phones home to the following servers:

176.114.3.173 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
139.59.166.196 (Digital Ocean, Singapore)
107.170.20.33 (Digital Ocean, US)
146.185.155.126  (Digital Ocean, Netherlands)


Recommended blocklist:
176.114.3.173
139.59.166.196
107.170.20.33
146.185.155.126

Tuesday, 26 July 2016

Malware spam: "Attached Image" leads to Locky

This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    26 July 2016 at 10:27
Subject:    Attached Image

**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************
Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:

www.isleofwightcomputerrepairs.talktalk.net/okp987g7v

There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:

31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)


Recommended blocklist:
31.41.47.41
91.234.35.216