
Wednesday, 18 November 2015

Mystery "INTUIT QuickBooks" spam leads to unknown malware

This fake Intuit spam leads to malware:

From:    QuickBooks [qbsupport@services.intuit.com]
Date:    18 November 2015 at 14:34
Subject:    INTUIT QuickBooks
QuIckBooks.

As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 

The link in the email goes to:

kompuser.com/system/logs/update/doc.php?r=download&id=INTUIT-Browser-up1247.zip

This downloads a file INTUIT-Browser-up1247.zip which in turn contains a malicious executable up1247.exe (MD5 563a1f54b9d90965951db0d469ecea6d) which has a VirusTotal detection rate of 2/54. That VirusTotal report and this Hybrid Analysis report show that the malware POSTs data to:

onbrk.in/p7yqpgzemv/index.php

The Malwr report is inconclusive. The payload is unknown; however, all of the following domains share the same nameservers and have also been used for malicious activity going back to August.


The malicious .in domain is hosted on the following IPs:

31.210.116.68 (Veri Merkezi Hizmetleri A.s., Turkey)
188.247.102.215 (DataGroup Dnepr, Ukraine)
89.163.249.75 (myLoc managed IT AG, Germany)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


Recommended blocklist:

UPDATE:
This entry at MalwareURL links the nameservers to the Nymaim ransomware.

1 comment:

Kayla Blanco said...

I've just received this email at 11:18am PST (San Diego, CA) - mail server with host excellence

Header

X-Spam-Level:
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=dvrucgwixWsPmVxRUmfWNAJdiyYvzE"
X-Spam-Status: No, score=0.1 required=5.0 tests=HTML_MESSAGE,RDNS_NONE autolearn=disabled version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail1201.opentransfer.com
Return-Path:
List-Unsubscribe:
X-Originating-Ip: 76.162.254.110
Received: (qmail 17266 invoked by uid 399); 18 Nov 2015 19:18:14 -0000
Received: from unknown (HELO ironport-2.opentransfer.com) (none@76.162.254.110) by mail1201.opentransfer.com with ESMTPMMM; 18 Nov 2015 19:18:14 -0000
Received: from unknown (HELO dsl-109-221.bl27.telepac.pt) ([188.251.106.48]) by ironport-2.opentransfer.com with ESMTP; 18 Nov 2015 14:18:13 -0500



Link is to: http://cubes-s.com/system/logs/update/doc.php?r=download&id=INTUIT-Browser-up1247.zip

Thanks for the info.
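
The download link in the post and the one reported in the comment use the same path and query string on two different hosts, so a hostname-only block catches one and misses the other. The following is an added example, not part of the original post or comment: a proxy-log check that matches on the URL shape instead of the host, and also flags POSTs to the check-in host named in the post. The log format, the `classify` and `scan` names, the client addresses, and the idea that only the digits in the archive name vary are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and query shape shared by both download links on this page.
LURE_PATH = "/system/logs/update/doc.php"
# Assumption: only the digits in the archive name change between mailings.
ARCHIVE_RE = re.compile(r"^INTUIT-Browser-up\d+\.zip$", re.IGNORECASE)
# Host the sample POSTs to, per the reports cited in the post.
POST_HOST = "onbrk.in"

def classify(method, url):
    """Return 'lure-download', 'post-checkin' or None for one request."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    if (parts.path == LURE_PATH and query.get("r") == ["download"]
            and any(ARCHIVE_RE.match(v) for v in query.get("id", []))):
        return "lure-download"
    if method.upper() == "POST" and (
            host == POST_HOST or host.endswith("." + POST_HOST)):
        return "post-checkin"
    return None

def scan(lines):
    """Hits from lines in the hypothetical format '<ts> <client> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of raising
        _, client, method, url = fields[:4]
        verdict = classify(method, url)
        if verdict:
            hits.append((client, verdict, url))
    return hits

# Constructed sample log; client addresses and timestamps are made up.
LURE = "/system/logs/update/doc.php?r=download&id=INTUIT-Browser-up1247.zip"
SAMPLE_LOG = [
    "2015-11-18T19:20:01Z 10.0.0.21 GET http://kompuser.com" + LURE,
    "2015-11-18T19:21:40Z 10.0.0.34 GET http://cubes-s.com" + LURE,
    "2015-11-18T19:22:05Z 10.0.0.21 POST http://onbrk.in/p7yqpgzemv/index.php",
    "2015-11-18T19:23:00Z 10.0.0.50 GET http://intranet.example/system/logs/update/doc.php?r=view&id=a.zip",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A client that shows both a `lure-download` and a later `post-checkin` hit, like 10.0.0.21 in the constructed log, is the one to triage first.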