Sponsored by..

Tuesday, 31 October 2017

Bogus porn blackmail attempt from adulthehappytimes.com

This blackmail attempt is completely bogus, sent from a server belonging to the adulthehappytimes.com domain.

From:    Hannah Taylor [bill@adulthehappytimes.com]
Reply-To:    bill@adulthehappytimes.com
To:    contact@victimdomail.tld
Date:    31 October 2017 at 15:06
Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life
Signed by:    adulthehappytimes.com


I sincerely anticipate that I will not hurt ur feelings. Shit happens, life didn’t give me a choice. I don’t hate people with special tastes, moreover only God can judge u. So:

Firstly, I put the particular virus on a web site with porn videos (I think you understood me).

Secondly, when you tapped on a video, soft instantly started working, all cams turned on and screen started recording, then my soft collected all contacts from emails, messengers etc. Im really proud for this soft, it makes devices act as remote desktop with keylogger function, impressive. This email address Ive collected from your device, I emailed u here because I think you will 100% going to check your corporative email.

Eventually, I edited a split screen video, with your participation and porn video from your screen, its very weird. Consequently, I can share this video with all your friends, colleagues, relatives etc. I guess it’s a big problem for you.

But we can resolve this problem. 305 Usd- in my opinion, very common cost for false like this.

I accept only bitcoin, this is my wallet’s address- 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY U have 45 hours after opening my letter to make transaction. I will see when u read this letter, I adjusted special tracking pixel in it. This time is sufficiently only to complete all verifications and transaction, so you have to think rapidly. If I wont get my «wage», I will share this video with all contact Ive received from ur device.

You can complain to cops for a help, but they wont search out me for even 150 hours, Im from Japan, so think twice. If Ill receive btc- all compromising evidence will be erased forever and I will never message you again.

U can reply, but this Will not make sense, I sent you this notification using my soft for anonymous messages, I don’t check the email after using it, because I contemplate about my safety too. Have a nice day, I hope u will make a good decision for you.
If you got one of these, the first thing to realise is that it is bullshit. This particular one was sent to the contact@ address of a random domain I own. You note there are no personal details in the email, and furthermore the claim that there's a tracking pixel in the email can easily be refuted by checking the HTML of the message itself.

The "from" address in the email is bill@adulthehappytimes.com and this matches the name of the sending email server, mta11.adulthehappytimes.com on

You might notice it says mta11 - indeed adulthehappytimes.com seems to have subdomains mta.adulthehappytimes.com through mta15.adulthehappytimes.com some of which are hosted at Heroku / AWS, but the ones that aren't are on the following IPs:

All of those belong to TimeWeb in Russia. The domain itself is also hosted on (mta1.adulthehappytimes.com) but it appears to be parked. However, however controls this domain has gone to the effort of setting up 16 different mail servers. The WHOIS details show that the domain is actually ten years old..

Domain ID: 1041994153_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2016-09-06T01:55:42Z
Creation Date: 2007-06-21T21:10:46Z
Registrar Registration Expiration Date: 2018-06-21T21:10:46Z
Registrar: Domain.com, LLC
Registrar IANA ID: 886
Registrar Abuse Contact Email: compliance@domain-inc.net
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Netfirms
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name: Alexey Pokachalov
Registrant Organization: Alexey Pokachalov
Registrant Street: Stepana Razina 84-10
Registrant City: Togliatti
Registrant State/Province: NA
Registrant Postal Code: 445057
Registrant Country: RU
Registrant Phone: +17.9608367000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: genarur@gmail.com
Registry Admin ID: 

It's odd to see an old domain being used for spam like this, so perhaps the domain itself and the infrastructure has been hijacked. It is hard to be certain, but also you wouldn't post real contact details on the WHOIS and then solicit anonymous payments through BitCoin, so my hunch is that the domain owner doesn't even know it is happening.

I don't know if Bitcoin wallet 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY is common to all these spam emails, but at the moment nobody has sent money to that Bitcoin wallet.

Wednesday, 25 October 2017

Updated 3NT Solutions LLP / inferno.name / V3Servers.net IP ranges

When I was investigating IOCs for the recent outbreak of BadRabbit ransomware I discovered that it downloaded from a domain 1dnscontrol.com hosted on This IP belongs to a company called 3NT Solutions LLP that I have blogged about before.

It had been three-and-a-half years since I looked at their IP address ranges so I thought I would give them a refresh. My personal recommendation is that you block all of these, I have never seen anything of worth on any 3NT range. Note that inferno.name and V3Servers.net are the same outfit and I have included those too. If you know of any other ranges, please consider leaving a comment.

Tuesday, 24 October 2017

Malware spam: "Order acknowledgement for BEPO/N1/380006006(2)"

A change to the usual Necurs rubbish, this fake order has a malformed .z archive file which contains a malicious executable with an icon to make it look like an Office document.

Reply-To:    purchase@animalagriculture.org
To:    Recipients [DY]
Date:    24 October 2017 at 06:48
Subject:    FW: Order acknowledgement for BEPO/N1/380006006(2)

Dear All,
Kindly find the attached Purchase order# IT/IMP06/06-17 and arrange to send us the order acknowledgement by return mail.

Note: Please expedite
the delivery as this item is very urgently required.

Regards,  Raj Kiran

BHARAT ELECTRONICS LIMITED  BANGALORE  PH:9180-22195857  BEL Website : www.bel-india.com SRM PORTAL :https://hpcrmp.iscodom.com/irj/portal

Every Sheets of paper is made from a tree.. Save trees... Conserve Trees.... Go Green .... Don't print this email or any Files unless you really need to!!!!
Confidentiality Notice

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Bharat Electronics or support@bel.co.in immediately and destroy all copies of this message and any attachments.

Attached is a file Purchase order comfirmation.doc.z which contains a malicious executable Purchase order comfirmation.exe which currently has a detection rate of 12/66. It looks like the archive type does not actually match the extension..

If the intended target hides file extensions then it is easy to see how they could be fooled..

Incidentally, VirusTotal shows this information about the file:

Copyright: (c)1998 by RicoSoft
Product: System Investigation
Description: System Investigation for NT/9x
Original Name: SysInv2.exe
Internal Name: SysInv2
File Version:
Comments: Freeware / Careware from RicoSoft

Obviously that's fake, but a bit of Googling around shows SysInv2.exe being used in other similar attacks.

The Hybrid Analysis for is a little interesting (seemingly identifying it as Loki Bot), showing the malware phoning home to:

jerry.eft-dongle.ir/njet/five/fre.php   ( / Mizban Web Paytakht Co. Ltd., Iran)

Actually, the IP is leaded from OVH and claims to belong to dedicatedland.com in Birmingham, UK:

organisation:   ORG-MWPM1-RIPE
org-name:       Mizban Web Paytakht Mizban Web Paytakht
org-type:       OTHER
address:        55 Orion Building, 90 Navigation Street
address:        B5 4AA Birmingham
address:        GB
e-mail:         info@dedicatedland.com
abuse-mailbox:  info@dedicatedland.com
phone:          +44.7455017803
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2015-01-22T22:12:03Z
last-modified:  2015-01-22T22:12:03Z
source:         RIPE

The small range is marked as "failover IPs".  The WHOIS for dedicatedland.com comes up with a bogus looking address in Massachusetts:

Registrant Email: info@dedicatedland.com
Registry Admin ID: Not Available From Registry
Admin Name: Mizban Web Paytakht LLC
Admin Organization: irnameserver.com
Admin Street: Newton Center 
Admin City: Newton Center
Admin State/Province: Massachusetts
Admin Postal Code: 00000
Admin Country: US
Admin Phone: +1.00000000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext: 

However RIPE show them as being in Tehran:
Mizban Web Paytakht Co. Ltd.

No.43, North Ekhtiyariyeh St, Ekhtiyariyeh Sqr
1958743611 Tehran

phone:   +98 2122587469
fax:  +98 2122761180
e-mail:  info (at) dedicatedland (dot) com
Anyway, if you are not interested in sending traffic to Iran, Mizban Web Paytakht own AS64428 which comprises of as well. I'll make a guess that the range
may be insecure and could be worth blocking.

The email itself originates from which is allocated as follows:

CustName:       jason Richards
Address:        121 main street
City:           suffolk
StateProv:      VA
PostalCode:     23434
Country:        US
RegDate:        2017-01-16
Updated:        2017-01-16
Ref:            https://whois.arin.net/rest/customer/C06298370

You probably don't need to accept .z attachments at your mail perimeter, and any decent anti-spam tool should be able to look inside archives to determine was is in there.

Tuesday, 17 October 2017

Evil network: Fast Serv Inc / Qhoster.com

Checking these IOCs for this latest Flash 0-day came up with an interesting IP address of which belongs to Fast Serv Inc aka Qhoster, probably of Bulgaria but masquerading themselves as a Belize outfit.

I came across Fast Serv / Qhoster a lot last year during the Angler EK epidemic, where they had entire ranges full of badness, often with no discernable legitimate sites at all. It turns out that I'd blocked the /24 a year ago as it was full of EK servers. The full analysis I did of Fast Serv / Qhoster Angler ranges can be found in these Pastebins: [1] [2] [3] [4] [5] [6] [7]

So, this Flash 0 day gave me a renewed impetus to identify these ranges and keep them the hell off my network. Luckily HE's BGP tool can identify most of the allocated IPs of a /24 size or larger [8] [9] plus a bit of infill from other sources.

I can't guarantee that these ranges are free of legitimate sites, but even a quick glance at some of the ranges (the BGP tool is quite good for this [10]) shows signs of obvious badness in almost all of them. Use at your own risk :)

Note that these ranges are across many different ASes and hosts, although AS201630 is allocated to Qhoster themselves.

Sunday, 8 October 2017

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk

This spam email is a scam:

Subject:       Help Your Child To Be A Professional Footballer.
From:       "FC Academy" [csa@sargas-tm.eu]
Date:       Sun, October 8, 2017 10:30 am
To:       "Recipients" [fcsa@sargas-tm.eu]
Priority:       Normal

Does your child desire to become a professional footballer?

Our football academy are currently scouting for young football player to participate in 3-6 months training and  our main purpose is to recruit young and talented footballers to help become a great football  player in Life and become a great star .  Our agent will train and linked your child up with big clubs in United Kingdom and Europe.

We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.

Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.

If you want to help your child achieve their soccer dream, reply us for more information.
Best Regards,

At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:

Domain name:

        NELSON OZI

    Registrant type:

    Registrant's address:
        404 sapphire tower
        404 sapphire tower
        United States

    Data validation:
        Nominet was not able to match the registrant's name and/or address against a 3rd party
source on 19-Sep-2017

        Web4Africa Ltd. t/a Web4Africa [Tag = WEB4AFRICA-GH]
        URL: https://www.web4africa.net

    Relevant dates:
        Registered on: 19-Sep-2017
        Expiry date:  19-Sep-2018
        Last updated:  19-Sep-2017

    Registration status:
        Registered until expiry date.

    Name servers:

WHOIS lookup made at 10:50:09 08-Oct-2017

There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:


These all seem to be connected with an IP range (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.

The spam email itself comes via another Russian server mail.elmeh.ru but this particular email originated from in Vietnam. Replies to the champ-footballacademyagency.co.uk email would be set to mx.yandex.net which is in Russia again.

It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.

Thursday, 28 September 2017

Malware spam: "Emailing: Scan0xxx" from "Sales" delivers Locky or Trickbot

This fake document scan delivers different malware depending on the victim's location:

Subject:       Emailing: Scan0963
From:       "Sales" [sales@victimdomain.tld]
Date:       Thu, September 28, 2017 10:31 am

Your message is ready to be sent with the following file or link


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a .7z file with a name matching the "Scan" part in the header and body text. MD5s of those seen so far (there may be more):


Inside is a malicious VBS script (example) which exhibits a curious feature:

If you are in the UK, Australia, Ireland, Belgium or Luxembourg you get one binary [VT 12/64], everyone else gets another [VT 20/64]. My Online Security describes this in more detail - the first group get the Trickbot banking trojan and everyone gets Locky ransomware.

In the samples I saw, the Trickbot download locations were:


The Locky download locations:


There may be other locations too.

The following legitimate services are used for geolocation. They might be worth monitoring:


All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block or strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too.


A more complete list of download locations from a trusted source (thank you!)



Tuesday, 26 September 2017

Malware spam: "AutoPosted PI Notifier"

This spam has a .7z file leading to Locky ransomware.
From:      "AutoPosted PI Notifier" [NoReplyMailbox@redacted.tld]
Subject:      Invoice PIS9344608
Date:      Tue, September 26, 2017 5:29 pm

Please find Invoice PIS9344608 attached.
The number referenced in the spam varies, but attached is a .7z archive file with a matching filename. In turn, this contains one of a number of malicious VBS scripts (like this) that download an executable from one of the following locations (thanks to a trusted source for these):


The dropped file currently has a detection rate of 21/63. There are no C2s.

Thursday, 21 September 2017

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject:       Invoice RE-2017-09-21-00794
From:       "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date:       Thu, September 21, 2017 9:21 am
Priority:       Normal

------------- Begin message -------------

Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace



------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid
for through our Amazon Payments system via our Shopping Cart or 1-Click. Our
Guarantee does not cover any payments that occur off Amazon.co.uk including wire
transfers, money orders, cash, check, or off-site credit card transactions.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee

Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58 and they can been seen attempted to download a component from:


An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1] [2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).

UPDATE - additional download locations:

Monday, 18 September 2017

Malware spam: "Status of invoice" with .7z attachment

This spam leads to Locky ransomware:

Subject:       Status of invoice
From:       "Rosella Setter" ordering@[redacted]
Date:       Mon, September 18, 2017 9:30 am


Could you please let me know the status of the attached invoice? I
appreciate your help!

Best regards,

Rosella Setter

Tel: 206-575-8068 x 100

Fax: 206-575-8094

*NEW*   Ordering@[redacted].com

* Kindly note we will be closed Monday in observance of Labor Day *

The name of the sender varies. Attached is a .7z arhive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename (examples here and here).

Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:


An executable is dropped with a detection rate of 19/64 which Hybrid Analysis shows is phoning home to: (Monte Telecom, Estonia) (Layer 6, Bulgaria)

.7z files are popular with the bad guys pushing Locky at the moment. Blocking them at your mail perimiter may help.

Recommended blocklist:

Wednesday, 6 September 2017

QTUM Cryptocurrency spam

This spam email appears to be sent by the Necurs botnet, advertising a new Bitcoin-like cryptocurrency called QTUM. Necurs is often used to pump malware, pharma and data spam and sometimes stock pump and dump.

There is no guarantee that this is actually being sent by the people running QTUM, it could simply be a Joe Job to disrupt operations. Given some of the wording alluding to illegal marketplaces, I suspect this could be the case.

Subject:       Qtum Main Network Launches September 13th, 2017
From:       "Lou Roberson"
Date:       Wed, September 6, 2017 6:37 am
Priority:       Normal

The Blockchain Made Ready for Business
Build Anonymous Decentralized Applications that Simply Work
Executable on mobile devices, compatible with major existing blockchain
The Qtum Foundation is a Singapore based entity that promotes
adoption of the Qtum Blockchain. Project inception began in
March 2016, leading up to a successful crowdsale a year later.
Over 10,000 BTC and 72,000 ETH were raised in less than 5 days,
making Qtum one of the largest crowdfunded projects in history,
at $15.6 million dollars.

Investors received 51,000,000 Qtum tokens which will be
available for withdrawal on September 13, 2017.

The Qtum Foundation plans to be the anonymous blockchain for
business. Development efforts will allow us to market this
platform tovarious industries, such as: Mobile
Telecommunications, Counterfeit Protection, Finance, Industrial
Logistics (shipping, warranty,etc), Manufacturing, P2P Anonymous
Transfers and Anonymous Market Management from phone.
Build anonymous decentralized applications you can trust
Smart Contracts that Mean Business
Qtum makes it easier than ever for established sectors and
legacy institutions to interface with blockchain technology.
Create your own tokens, automate supply chain management and
engage in self-executing agreements in a standardized
environment, verified and tested for stability.


    Total QTUM Supply: 100,000,000
    Block Target: 128 seconds
    Stake Return: ~4 QTUM
    Algorithm: SHA256

Sparknet is designed primarily for developers, and as such
documentation at this point will be technical and suited more
for developers.  Testnet tokens do not hold any value and should
not be traded for any monetary instruments. The testnet can be
reset or forked at anytime as deemed necessary for development.

Forum Announcement:

Release on github:

Qtum Sparknet Usage and Information: Please see:

Aug 15 The 2nd Qtum Test Network, Skynet, is now live: SKYNET
Qtum Skynet, the second public testnet for the Qtum blockchain.
All tokens aqcuired during the testnet will cease to exist 
when the mainnet is released which actually has tokens which
hold value. The purpose of the public testnet is to allow
developers to begin testing and developing applications, allow
early adopters to see a preview of how the network will behave,
and for the Qtum development team to run several load tests
which are not directly comparable when done on a private and
controlled network. Qtum Skynet will ideally have the same
consensus features and parameters as the Qtum mainnet.

Qtum Skynet Usage and Information:
Please see:
Please see:

As soon as Main Network will be launched, you will be availaible
to build your own applications (DApps) or marketplaces. Fully
scalable and anonymous, so you can easy made any anonymous
marketplace which can be manage from your phone!

Just imagine, your own silkroad made on Qtum blockchain and
managed from your phone with fully anonymous transactions!

    No matter what kind of business you are building, all
transactions will be anonymous, and the network will never
reveal the ip addresses of the applications that are running
on it.

    Even if you sell weapons, drugs, trade in people and are
going to organize a coup d'?tat, you can be sure that you
will remain anonymous.

    Another thing is that it is illegal and sooner or later you
will receive the punishment that you deserve. But everyone
want to know how deep the rabbit hole goes.

    For our part, we can only provide a reliable, scalable and
anonymous ecosystem thanks to which any business can be
built on it and we guarantee that we will do everything
possible to make it sucesfull.

    We give you a choice - "blue pill or red pill"
        What Will your choice be?

    So, you have to prepare for Main Network launch  Qtum Custom
Token Walkthrough
The QTUM token supply will be allocated as follows:

    - 51% of Qtum tokens (51,000,000) will be distributed
through the crowdsale
    - 20% of Qtum tokens (20,000,000 QTUM) will be distributed
among founders, early backers and the development team
    - 29% of Qtum tokens (29,000,000 QTUM) will be allocated to
community initiatives concerning business development, as
    well as academic research, education, and market expansion

For a more detailed overview of QTUM token allocation visit our
website: https://qtum.org/en/crowdsale#question-2
Coinone:   https://coinone.co.kr/exchange/trade/qtum/
Yunbi: https://yunbi.com/markets/qtumcny
Bittrex: https://bittrex.com/Market/Index?MarketName=BTC-QTUM
CHBTC: https://www.chbtc.com/qtum
BTER: https://bter.com/trade/qtum_cny

Yubi: https://www.jubi.com/coin/qtum/
Yuanbao:   https://www.yuanbao.com/trade/qtum2cny
Binance:   https://www.binance.com/trade.html?symbol=QTUM_ETH
Allcoin: https://allcoin.com/markets/QTUM-BTC/0/
BTC9: https://btc9.com/trade/22
Biduobao: https://www.biduobao.com/market-qtum.html
Liqui: https://liqui.io/#/exchange/QTUM_USDT
Cryptopia: https://www.cryptopia.co.nz/Exchange?market=QTUM_BTC
COSS: https://exchange.coss.io/pair/qtum-eth
HitBTC: https://hitbtc.com/exchange/QTUM-to-ETH/size
Novaexchange: https://novaexchange.com/market/BTC_QTUM/
See the full team at: https://qtum.org/en/team

    We are looking for developers to build the next generation
DApps on top of Qtum and invite you all to give our testnet
a try.

    We are always on the lookout to enrich our very talented
team, the next team member can be you!


    currently 4500+ Chinese community members

As far as I can see, there are no malicious links anywhere. This one can probably be marked down as an annoyance, and it should be easy enough to block or filter.

Tuesday, 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
SO23 7TA

Members of the CAERUS Capital Group


Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system. 
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6]  shows Locky ransomware attempting to phone home to the following locations: (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine) (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:

Friday, 25 August 2017

Malware spam: "Voicemail Service" / "New voice message.."

The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.

Subject:       New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From:       "Voicemail Service" [vmservice@victimdomain.tdl]
Date:       Fri, August 25, 2017 12:36 pm

Dear user:

just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service
Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too. These are the MD5s I've seen so far for the RAR files themselves:


The VBS script is similar to this (variable names seem to change mostly) with a detection rate of about 15/59. Hybrid Analysis shows it dropping a Locky executable with a 18/65 detection rate which phones home to (Baxnet, Russia) which I recommend that you block.

Malware spam: "Your Sage subscription invoice is ready" / noreply@sagetop.com

This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery.

Subject:       Your Sage subscription invoice is ready
From:       "noreply@sagetop.com" [noreply@sagetop.com]
Date:       Thu, August 24, 2017 8:49 pm

Dear Customer

Your Sage subscription invoice is now ready to view.

Sage subscriptions

To view your Sage subscription invoice click here 

Got a question about your invoice?

Call us on 0845 111 6604

If you're an Accountant, please call 0845 111 1197
If you're a Business Partner, please call 0845 111 7787

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service
message, not a marketing communication. This email was sent from an address that
cannot accept replies. Please use the contact details above if you need to get in
touch with us.

The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.


The RAR file itself contains a malicious VBS script that looks like this [pastebin] with a detection rate of 19/56, which attempts to download another component from:


Automated analysis of the file [1] [2] shows a dropped binary with a 39/64 detection rate, POSTing to  (Reg.Ru, Russia)

Recommended blocklist:

Thursday, 24 August 2017

Multiple badness on metoristrontgui.info /

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.

Subject:       New BT Bill
From:       "BT Business" [btbusiness@bttconnect.com]
Date:       Thu, August 24, 2017 6:08 pm
Priority:       Normal

From BT
New BT Bill

Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.

We've put your latest BT bill for you to view. See your bill here

We'll take your payment from your account as usual by Direct Debit.

Reduce paper waste
You're still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?

Need some help?
Go to www.bt.com/business/support.

Thanks for choosing BT.

Robena Morath
CEO, BT Business

Payment processing fee: BT Payment Services Ltd, a BT Group Company, charges this fee.
This or confidential. It's meant only for the individual(s) email contains BT information, which may be privileged or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.

And a simpler one..

From:    Dianna Mcgrew
Date:    24 August 2017 at 14:50
Subject:    Bill-9835


Here is a copy of your bill.

Thank you & have a great weekend!
Most (but not all) of the samples I  have seen then lead to a single website to download the malicious payload, for example:


metoristrontgui.info is hosted on (Tencent, China) which is an IP we've seen a few times recently [1] [2]. Let's check out that WHOIS:

Registry Domain ID: D503300000042955753-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.eranet.com
Updated Date: 2017-08-24T14:02:07Z
Creation Date: 2017-08-24T13:24:23Z
Registry Expiry Date: 2018-08-24T13:24:23Z
Registrar Registration Expiration Date:
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C208152073-LRMS
Registrant Name: Robert Ruthven
Registrant Organization: Gamblin Artists Colors
Registrant Street: 323 SE Division Pl
Registrant City: Portland
Registrant State/Province: OR
Registrant Postal Code: 97202
Registrant Country: US
Registrant Phone: +1.5034359411
Registrant Phone Ext:
Registrant Fax: +1.5034359411
Registrant Fax Ext:
Registrant Email: jenniemarc@mail.com
Registry Admin ID: C208152073-LRMS
Admin Name: Robert Ruthven
Admin Organization: Gamblin Artists Colors
Admin Street: 323 SE Division Pl
Admin City: Portland
Admin State/Province: OR
Admin Postal Code: 97202
Admin Country: US
Admin Phone: +1.5034359411
Admin Phone Ext:
Admin Fax: +1.5034359411
Admin Fax Ext:
Admin Email: jenniemarc@mail.com
Registry Tech ID: C208152073-LRMS
Tech Name: Robert Ruthven
Tech Organization: Gamblin Artists Colors
Tech Street: 323 SE Division Pl
Tech City: Portland
Tech State/Province: OR
Tech Postal Code: 97202
Tech Country: US
Tech Phone: +1.5034359411
Tech Phone Ext:
Tech Fax: +1.5034359411
Tech Fax Ext:
Tech Email: jenniemarc@mail.com
Registry Billing ID: C208152073-LRMS
Billing Name: Robert Ruthven
Billing Organization: Gamblin Artists Colors
Billing Street: 323 SE Division Pl
Billing City: Portland
Billing State/Province: OR
Billing Postal Code: 97202
Billing Country: US
Billing Phone: +1.5034359411
Billing Phone Ext:
Billing Fax: +1.5034359411
Billing Fax Ext:
Billing Email: jenniemarc@mail.com
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

VirusTotal confirms a lot of badness here, with all of these evil domains on the same server:


Downloads from this site can be a bit slow, unsurprisingly. The dropped EXE seems to be Locky ransomware with a detection rate of 19/65. Hybrid Analysis shows the sample POSTing to (Webhost LLC, Russia)

Recommended minimum blocklist:

Wednesday, 23 August 2017

Malware spam: "Customer Service" / "Copy of Invoice xxxx"

This fairly generic spam leads to the Locky ransomware:

Subject:       Copy of Invoice 3206
From:       "Customer Service"
Date:       Wed, August 23, 2017 9:12 pm

Please download file containing your order information.

If you have any further questions regarding your invoice, please call Customer Service.

Please do not reply directly to this automatically generated e-mail message.

Thank you.
Customer Service Department
A link in the email downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis has seen it all before. The download EXE (VT 21/64) script POSTS to (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler last year, so I would recommend blocking all traffic to

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx - name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP.

Subject:       Voice Message Attached from 001396445685 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:22 am

Time: Wed, 23 Aug 2017 14:52:12 +0530
Download <http://tyytrddofjrntions.net/af/VM20170823_193908.zip> file to listen
Voice Message

Subject:       Voice Message Attached from 055237805419 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:21 am

Time: Wed, 23 Aug 2017 14:51:13 +0530
Download <http://mjhsdgc872bf432rdf.net/af/VM20170823_193908.rar> file to listen
Voice Message
Both download locations of tyytrddofjrntions.net and mjhsdgc872bf432rdf.net are hosted on (Tencent, CN). This same IP was seen in this other recent spam run. Both the RAR and ZIP downloads (detection rate about 18/59 [1] [2]) contain the same malicious VBS script [pastebin]. The script tries to download an additional component from one of the following locations:


You'll note that most of those download locations start with "gr" which indicates that this is just a small subset of hacked servers under the control of the bad guys.

Automated analysis [3] [4] shows a dropped file with a VirusTotal detection rate of 14/64 (probably Locky). Those same analyses show traffic being sent to: (TheFirst-RU, RU - hostname: gpodlinov.letohost.com) (Just Hosting, RU - hostname: noproblem.one)

UPDATE:  Several other IPs in the range have been used to host malware in the past. I would recommend blocking the entire /24.

Recommended blocklist:

Tuesday, 22 August 2017

Malware spam from "Voicemail Service" [pbx@local]

This fake voicemail leads to malware:

Subject:       [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From:       "Voicemail Service" [pbx@local]
Date:       Tue, August 22, 2017 10:37 am
To:       "Evelyn Medina"
Priority:       Normal

Dear user:

        just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service

The numbers and details vary from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 14/59.

According to automated analysis [1] [2] the script reaches out to the following URLs: [ - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [ - Ligne Web Services, France]

A ransomware component is dropped (probably Locky) with a detection rate of 16/64.

Monday, 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm


*Sophia Passmore*

Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [ - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [ - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:

Wednesday, 19 July 2017

Necurs oddity II: avto111222@bigmir.net

Yesterday I saw a series spam emails from Necurs apparently attempting to collect replies to super.testtesttest2018@yahoo.com. Although that campaign is continuing today, a new spam run with similar characteristics has started this morning. For example:

From:    jKX Soto [ingmanz@redacted]
Reply-To:    jKX Soto [avto111222@bigmir.net]
Date:    19 July 2017 at 06:43
Subject:    CQJP


Subject, body text and vendor seem to be randomly generated. But in all cases, the Reply-To address is avto111222@bigmir.net (Bigmir is basically a Ukrainian version of Yahoo from what I can tell).

The purpose of this spam run is unclear, but spammers do sometimes launch probing attacks to see what kind of response they get from servers. This could be an attempt to clean up the Necurs email address database perhaps, perhaps for resale.

Tuesday, 18 July 2017

Necurs oddity: super.testtesttest2018@yahoo.com / "hi test"

This email is sent from the Necurs botnet and appears to be collecting automatic replies, using a Reply-To email address of super.testtesttest2018@yahoo.com.

From:    Randi Collier [zegrtocbjez@hometelco.net]
Reply-To:    Randi Collier [super.testtesttest2018@yahoo.com]
Date:    18 July 2017 at 10:08
Subject:    hi

hi test 

The name of the sender and the "From" email vary, however the "Reply-To" email is consistent, as is the subject and body text. The sending IP varies, but this does look like Necurs from the patterns I can see.

I can't see any particular purpose in harvesting bounce messages in this way. From Necurs samples I see, the bulk of the recipient addresses are invalid in any case.