Dynamoo's Blog

Thursday 21 September 2017

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject:       Invoice RE-2017-09-21-00794
From:       "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date:       Thu, September 21, 2017 9:21 am
Priority:       Normal

------------- Begin message -------------

Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace

==

[commMgrHmdToken:EVDOOCETFBECA]

------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid
for through our Amazon Payments system via our Shopping Cart or 1-Click. Our
Guarantee does not cover any payments that occur off Amazon.co.uk including wire
transfers, money orders, cash, check, or off-site credit card transactions.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=3149571).

[commMgrTok:EVDOOCETFBECA]

Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58 and they can been seen attempted to download a component from:

ahlbrandt.eu/IUGiwe8?
fulcar.info/p66/IUGiwe8
accuflowfloors.com/IUGiwe8?
aetozi.gr/IUGiwe8?
agricom.it/IUGiwe8?

An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1] [2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).

UPDATE - additional download locations:
81552.com/IUGiwe8
adr-werbetechnik.de/IUGiwe8
afmance.it/IUGiwe8
afradem.com/IUGiwe8
agriturismobellaria.net/IUGiwe8
agro-kerler.de/IUGiwe8
moonmusic.com.au/IUGiwe8

Monday 18 September 2017

Malware spam: "Status of invoice" with .7z attachment

This spam leads to Locky ransomware:

Subject:       Status of invoice
From:       "Rosella Setter" ordering@[redacted]
Date:       Mon, September 18, 2017 9:30 am

Hello,

Could you please let me know the status of the attached invoice? I
appreciate your help!

Best regards,

Rosella Setter

Tel: 206-575-8068 x 100

Fax: 206-575-8094

*NEW*   Ordering@[redacted].com

* Kindly note we will be closed Monday in observance of Labor Day *

The name of the sender varies. Attached is a .7z arhive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename (examples here and here).

Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:

yildizmakina74.com/87thiuh3gfDGS?
miliaraic.ru/p66/87thiuh3gfDGS?
lanzensberger.de/87thiuh3gfDGS?
web-ch-team.ch/87thiuh3gfDGS?
abelfaria.pt/87thiuh3gfDGS?

An executable is dropped with a detection rate of 19/64 which Hybrid Analysis shows is phoning home to:

91.191.184.158/imageload.cgi (Monte Telecom, Estonia)
195.123.218.226/imageload.cgi (Layer 6, Bulgaria)

.7z files are popular with the bad guys pushing Locky at the moment. Blocking them at your mail perimiter may help.

Recommended blocklist:
195.123.218.226
91.191.184.158

Wednesday 6 September 2017

QTUM Cryptocurrency spam

This spam email appears to be sent by the Necurs botnet, advertising a new Bitcoin-like cryptocurrency called QTUM. Necurs is often used to pump malware, pharma and data spam and sometimes stock pump and dump.

There is no guarantee that this is actually being sent by the people running QTUM, it could simply be a Joe Job to disrupt operations. Given some of the wording alluding to illegal marketplaces, I suspect this could be the case.

Subject:       Qtum Main Network Launches September 13th, 2017
From:       "Lou Roberson"
Date:       Wed, September 6, 2017 6:37 am
Priority:       Normal

The Blockchain Made Ready for Business
Build Anonymous Decentralized Applications that Simply Work
Executable on mobile devices, compatible with major existing blockchain
ecosystems
TESTNET NOW LIVE!

    About

The Qtum Foundation is a Singapore based entity that promotes
adoption of the Qtum Blockchain. Project inception began in
March 2016, leading up to a successful crowdsale a year later.
Over 10,000 BTC and 72,000 ETH were raised in less than 5 days,
making Qtum one of the largest crowdfunded projects in history,
at $15.6 million dollars.

Investors received 51,000,000 Qtum tokens which will be
available for withdrawal on September 13, 2017.

The Qtum Foundation plans to be the anonymous blockchain for
business. Development efforts will allow us to market this
platform tovarious industries, such as: Mobile
Telecommunications, Counterfeit Protection, Finance, Industrial
Logistics (shipping, warranty,etc), Manufacturing, P2P Anonymous
Transfers and Anonymous Market Management from phone.
Build anonymous decentralized applications you can trust

Smart Contracts that Mean Business
Qtum makes it easier than ever for established sectors and
legacy institutions to interface with blockchain technology.
Create your own tokens, automate supply chain management and
engage in self-executing agreements in a standardized
environment, verified and tested for stability.


    Specification

    Total QTUM Supply: 100,000,000
    Block Target: 128 seconds
    Stake Return: ~4 QTUM
    Algorithm: SHA256




    QTUM SPARKNET

SPARKNET

Sparknet is designed primarily for developers, and as such
documentation at this point will be technical and suited more
for developers. Testnet tokens do not hold any value and should
not be traded for any monetary instruments. The testnet can be
reset or forked at anytime as deemed necessary for development.

Forum Announcement:
https://bitcointalk.org/index.php?topic=1720632.4220

Release on github:
https://github.com/qtumproject/qtum/releases/tag/testnet-sparknet

Qtum Sparknet Usage and Information: Please see:
https://github.com/qtumproject/qtum/blob/testnet-1/doc/sparknet-guide.md

    QTUM SPYNET

Aug 15 The 2nd Qtum Test Network, Skynet, is now live: SKYNET


Qtum Skynet, the second public testnet for the Qtum blockchain.
All tokens aqcuired during the testnet will cease to exist
when the mainnet is released which actually has tokens which
hold value. The purpose of the public testnet is to allow
developers to begin testing and developing applications, allow
early adopters to see a preview of how the network will behave,
and for the Qtum development team to run several load tests
which are not directly comparable when done on a private and
controlled network. Qtum Skynet will ideally have the same
consensus features and parameters as the Qtum mainnet.

Qtum Skynet Usage and Information:
Please see:
https://github.com/qtumproject/qtum/releases/tag/testnet-skynet
Please see:
https://github.com/qtumproject/qtum/releases/tag/testnet-skynet-v1.2

As soon as Main Network will be launched, you will be availaible
to build your own applications (DApps) or marketplaces. Fully
scalable and anonymous, so you can easy made any anonymous
marketplace which can be manage from your phone!

Just imagine, your own silkroad made on Qtum blockchain and
managed from your phone with fully anonymous transactions!

    No matter what kind of business you are building, all
transactions will be anonymous, and the network will never
reveal the ip addresses of the applications that are running
on it.

    Even if you sell weapons, drugs, trade in people and are
going to organize a coup d'?tat, you can be sure that you
will remain anonymous.

    Another thing is that it is illegal and sooner or later you
will receive the punishment that you deserve. But everyone
want to know how deep the rabbit hole goes.

    For our part, we can only provide a reliable, scalable and
anonymous ecosystem thanks to which any business can be
built on it and we guarantee that we will do everything
possible to make it sucesfull.

    We give you a choice - "blue pill or red pill"

        What Will your choice be?

    So, you have to prepare for Main Network launch Qtum Custom
Token Walkthrough

    CROWDSALE

The QTUM token supply will be allocated as follows:

    - 51% of Qtum tokens (51,000,000) will be distributed
through the crowdsale
    - 20% of Qtum tokens (20,000,000 QTUM) will be distributed
among founders, early backers and the development team
    - 29% of Qtum tokens (29,000,000 QTUM) will be allocated to
community initiatives concerning business development, as
    well as academic research, education, and market expansion

For a more detailed overview of QTUM token allocation visit our
website: https://qtum.org/en/crowdsale#question-2

    Exchanges

Coinone:   https://coinone.co.kr/exchange/trade/qtum/
Yunbi: https://yunbi.com/markets/qtumcny
Bittrex: https://bittrex.com/Market/Index?MarketName=BTC-QTUM
https://bittrex.com/Market/Index?MarketName=ETH-QTUM
CHBTC: https://www.chbtc.com/qtum
BTER: https://bter.com/trade/qtum_cny
https://bter.com/trade/qtum_eth
https://bter.com/trade/qtum_btc

Yubi: https://www.jubi.com/coin/qtum/
Yuanbao:   https://www.yuanbao.com/trade/qtum2cny
Binance:   https://www.binance.com/trade.html?symbol=QTUM_ETH
Allcoin: https://allcoin.com/markets/QTUM-BTC/0/
BTC9: https://btc9.com/trade/22
Biduobao: https://www.biduobao.com/market-qtum.html
Liqui: https://liqui.io/#/exchange/QTUM_USDT
https://liqui.io/#/exchange/QTUM_ETH
https://liqui.io/#/exchange/QTUM_BTC
Cryptopia: https://www.cryptopia.co.nz/Exchange?market=QTUM_BTC
COSS: https://exchange.coss.io/pair/qtum-eth
https://exchange.coss.io/pair/qtum-btc
HitBTC: https://hitbtc.com/exchange/QTUM-to-ETH/size
Novaexchange: https://novaexchange.com/market/BTC_QTUM/

    TEAM



See the full team at: https://qtum.org/en/team

    We are looking for developers to build the next generation
DApps on top of Qtum and invite you all to give our testnet
a try.

    We are always on the lookout to enrich our very talented
team, the next team member can be you!

    SEND YOUR RESUME TO OUR EMAIL: CAREERS@QTUM.ORG

    currently 4500+ Chinese community members

As far as I can see, there are no malicious links anywhere. This one can probably be marked down as an annoyance, and it should be easy enough to block or filter.

Tuesday 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

https://dropbox.com/file/9A30AA
--
Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA

Members of the CAERUS Capital Group

www.tayloredgroup.co.uk

Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system.

Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6] shows Locky ransomware attempting to phone home to the following locations:

91.234.35.170/imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75/imageload.cgi (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24

Friday 25 August 2017

Malware spam: "Voicemail Service" / "New voice message.."

The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.

Subject:       New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From:       "Voicemail Service" [vmservice@victimdomain.tdl]
Date:       Fri, August 25, 2017 12:36 pm

Dear user:

just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance. Thanks!

                                --Voicemail Service

Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too. These are the MD5s I've seen so far for the RAR files themselves:

04059E14170996725CD2ED2324E485F2
0839A18B1F5C1D09F3DF3DC260C07194
0BD5C04D2680B5C8A801B4C2E73BECCD
12D1FC37D223E823C80CF052920DA9AB
1AA539798341930B5492764F2D668987
1ADFF05EEA041B34682FD92CDE45DBFA
1CCF7445D771B7F803E95090E96D0EB2
20162EC71639C4A9080C24B253F5FDFF
24133B658F7730205BCC5789B4CA30F1
42947EBFEFFA9A5CFA3AADDA7EADA572
4AC35594445EB22FE6971A5F81EAB761
4D4DBBCEC5B48EBA30D7B09F994BC009
54E7C8863E161D5A601230E3CD590134
556A6FC4D5607210FA7EF3CAF3CE59D6
645C4FB3BE1A8B1188E8B5A54B1BC011
80D9CEBB286D79955F18013DD3415EEF
8C9B20A61368E8956B6C49DA9AFF30D1
9739211AD009B97EBE0DF353AB11BEB5
9CDDA6C72F41039340E450FA4374E748
A9C0D2F356C455EB40B707D570D27318
BAF4482ED9F6DEE8CBE6F69366AAC434
EA7D52C3328A5A8A0C8334AE3E3C580C
FEC76C943E1252D0DE7D6B7936510B9D

The VBS script is similar to this (variable names seem to change mostly) with a detection rate of about 15/59. Hybrid Analysis shows it dropping a Locky executable with a 18/65 detection rate which phones home to 46.17.44.153/imageload.cgi (Baxnet, Russia) which I recommend that you block.

Malware spam: "Your Sage subscription invoice is ready" / noreply@sagetop.com

This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery.

Subject:       Your Sage subscription invoice is ready
From:       "noreply@sagetop.com" [noreply@sagetop.com]
Date:       Thu, August 24, 2017 8:49 pm

Dear Customer

Your Sage subscription invoice is now ready to view.

Sage subscriptions

To view your Sage subscription invoice click here

Got a question about your invoice?

Call us on 0845 111 6604

If you're an Accountant, please call 0845 111 1197
If you're a Business Partner, please call 0845 111 7787

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service
message, not a marketing communication. This email was sent from an address that
cannot accept replies. Please use the contact details above if you need to get in
touch with us.

The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.

helpmatheogrow.com/SINV0709.rar
hendrikvankerkhove.be/SINV0709.rar
heinverwer.nl/SINV0709.rar
help.ads.gov.ba/SINV0709.rar
harvia.uz/SINV0709.rar

The RAR file itself contains a malicious VBS script that looks like this [pastebin] with a detection rate of 19/56, which attempts to download another component from:

go-coo.jp/HygHGF
hausgerhard.com/HygHGF
hausgadum.de/HygHGF
bromesterionod.net/af/HygHGF
hartwig-mau.de/HygHGF
hecam.de/HygHGF
haboosh-law.com/HygHGF
hbwconsultants.nl/HygHGF
hansstock.de/HygHGF
heimatverein-menne.de/HygHGF

Automated analysis of the file [1] [2] shows a dropped binary with a 39/64 detection rate, POSTing to 46.183.165.45/imageload.cgi (Reg.Ru, Russia)

Recommended blocklist:
46.183.165.45

Thursday 24 August 2017

Multiple badness on metoristrontgui.info / 119.28.100.249

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.

Subject:       New BT Bill
From:       "BT Business" [btbusiness@bttconnect.com]
Date:       Thu, August 24, 2017 6:08 pm
Priority:       Normal

From BT
New BT Bill

Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.

We've put your latest BT bill for you to view. See your bill here

We'll take your payment from your account as usual by Direct Debit.

Reduce paper waste
You're still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?

Need some help?
Go to www.bt.com/business/support.

Thanks for choosing BT.

Robena Morath
CEO, BT Business

Payment processing fee: BT Payment Services Ltd, a BT Group Company, charges this fee.
This or confidential. It's meant only for the individual(s) email contains BT information, which may be privileged or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.

And a simpler one..

From:    Dianna Mcgrew
Date:    24 August 2017 at 14:50
Subject:    Bill-9835

Hi,

Here is a copy of your bill.

Thank you & have a great weekend!

Most (but not all) of the samples I have seen then lead to a single website to download the malicious payload, for example:

http://metoristrontgui.info/af/download.php
http://metoristrontgui.info/af/bill-201708.rar
http://metoristrontgui.info/af/bill-201708.7z

metoristrontgui.info is hosted on 119.28.100.249 (Tencent, China) which is an IP we've seen a few times recently [1] [2]. Let's check out that WHOIS:

Domain Name: METORISTRONTGUI.INFO
Registry Domain ID: D503300000042955753-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.eranet.com
Updated Date: 2017-08-24T14:02:07Z
Creation Date: 2017-08-24T13:24:23Z
Registry Expiry Date: 2018-08-24T13:24:23Z
Registrar Registration Expiration Date:
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C208152073-LRMS
Registrant Name: Robert Ruthven
Registrant Organization: Gamblin Artists Colors
Registrant Street: 323 SE Division Pl
Registrant City: Portland
Registrant State/Province: OR
Registrant Postal Code: 97202
Registrant Country: US
Registrant Phone: +1.5034359411
Registrant Phone Ext:
Registrant Fax: +1.5034359411
Registrant Fax Ext:
Registrant Email: jenniemarc@mail.com
Registry Admin ID: C208152073-LRMS
Admin Name: Robert Ruthven
Admin Organization: Gamblin Artists Colors
Admin Street: 323 SE Division Pl
Admin City: Portland
Admin State/Province: OR
Admin Postal Code: 97202
Admin Country: US
Admin Phone: +1.5034359411
Admin Phone Ext:
Admin Fax: +1.5034359411
Admin Fax Ext:
Admin Email: jenniemarc@mail.com
Registry Tech ID: C208152073-LRMS
Tech Name: Robert Ruthven
Tech Organization: Gamblin Artists Colors
Tech Street: 323 SE Division Pl
Tech City: Portland
Tech State/Province: OR
Tech Postal Code: 97202
Tech Country: US
Tech Phone: +1.5034359411
Tech Phone Ext:
Tech Fax: +1.5034359411
Tech Fax Ext:
Tech Email: jenniemarc@mail.com
Registry Billing ID: C208152073-LRMS
Billing Name: Robert Ruthven
Billing Organization: Gamblin Artists Colors
Billing Street: 323 SE Division Pl
Billing City: Portland
Billing State/Province: OR
Billing Postal Code: 97202
Billing Country: US
Billing Phone: +1.5034359411
Billing Phone Ext:
Billing Fax: +1.5034359411
Billing Fax Ext:
Billing Email: jenniemarc@mail.com
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

VirusTotal confirms a lot of badness here, with all of these evil domains on the same server:

drommazxitnnd7gsl.com
74jhdrommdtyis.net
rtozottosdossder.net
kabbionionsesions.net
ttytreffdrorseder.net
tyytrddofjrntions.net
mjhsdgc872bf432rdf.net
yrns7sg3kdn94hskxhbf.net
trmbobodortyuoiyrt.org
metoristrontgui.info
fsroosionsoulsda.info
aldirommestorr887.info
droohsdronfhystgfh.info

Downloads from this site can be a bit slow, unsurprisingly. The dropped EXE seems to be Locky ransomware with a detection rate of 19/65. Hybrid Analysis shows the sample POSTing to 185.179.190.31/imageload.cgi (Webhost LLC, Russia)

Recommended minimum blocklist:
185.179.190.31
119.28.100.249