Sponsored by..

Friday 19 February 2016

Malware spam: "Rechnung Nr. 2016_131" / fueldner1A0@lfw-ludwigslust.de

This German language spam does not comes from LFW Ludwigsluster but is instead a simple forgery with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.

From:    fueldner1A0@lfw-ludwigslust.de
Date:    19 February 2016 at 09:10
Subject:    Rechnung Nr. 2016_131

Sehr geehrte Damen und Herren,

bitte korrigieren Sie auch bei der Rechnung im Anhang den Adressaten:

LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG

Vielen Dank!

Mit freundlichen Grüßen

Anke Füldner

Finanzbuchhaltung

Tel.: 03874-422038
Fax: 03874-4220844

LOGO LFW

LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG, Bauernallee 9, 19288 Ludwigslust
HRA 1715, Amtsgericht Schwerin
Geschäftsführer: U.Müller, U.Warncke
USt.-IdNr. DE202820580, St.Nr. 08715803209
Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen enthalten. Wenn Sie nicht der richtige Adressant sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten diese E-Mail und alle Anhänge und Ausdrucke unverzüglich.
Das Gebrauchen, Publizieren, Kopieren oder Ausdrucken sowie die unbefugte Weitergabe des Inhalts dieser E-Mail ist nicht erlaubt.
This e-mail and any attached files may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Attached is a file with a format similar to RG460634280127-SIG.zip which contains a malicious javascript in the format RG6459762168-SIG.js or similar. At the moment, I have seen two samples, both with zero detection rates at VirusTotal [1] [2]. Malwr analysis of one of the samples shows that a binary is downloaded from:

mondero.ru/system/logs/56y4g45gh45h

Other samples probably have different download locations. This executable has a detection rate of 7/53 and it appears to drop another executable with a relatively high detection rate of 26/55. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.

The malware phones home to:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)

But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you block it.

Incidentally, full credit to the company involved in putting this massive banner on their website warning people about the fake email..


UPDATE

An additional analysis from a trusted source (thank you). Download locations are:

mondero.ru/system/logs/56y4g45gh45h
tcpos.com.vn/system/logs/56y4g45gh45h
www.bag-online.com/system/logs/56y4g45gh45h


The malware phones home to:

46.4.239.76/main.php
94.242.57.45/main.php
wblejsfob.pw/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php


The active C2s (some may be sinkholes) appear to be:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)


Analysis those C2 locations give a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70


No comments: