
Thursday 6 October 2016

Malware spam: "Invoice-123456-12345678-123-A1B2C3D4" / "01635 279370"

This fake financial spam leads to malware:

From:    invoices@[redacted].com
Date:    6 October 2016 at 07:16
Subject:    Invoice-365961-42888419-888-DE0628DA

Dear Customer,

Please find attached Invoice 42888419 for your attention.

Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

### This mail has been sent from an un-monitored mailbox ###

The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc.

The telephone number appears to belong to a company called Stearn, which has absolutely nothing to do with this spam.

The sample I sent for automated analysis [1] [2] downloads some data from:

eaglemouth.org/d5436gh

I know from my sources (thank you, you know who you are) that there are additional download locations at:

dabihfluky.com/d5436gh
fauseandre.net/d5436gh

This particular variant of Locky ransomware uses black hat hosting for this download location rather than a hacked legitimate site. All these domains are hosted on the following IPs:

62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France)

Furthermore, those IPs are associated with these malicious domains (active ones are in bold):

stenokeid.org
dabihfluky.com
veddanagor.net
eaglemouth.org

writewile.su
bebopamelu.su
anoamans.com
shuspong.com
tchawane.com
teetypoop.com
thokelieu.com
uredosafe.com
awaftaxled.com
clankcutup.com
droukulnad.com
gweedbizen.com
haikhhoose.com
muangbouge.com
ovinekusum.com
shinalumen.com
wellyzimme.com
grimkonde.net
steyjixie.net
pryerungot.net
unzenjerib.net
uphershoji.net
palialawi.org

All of these are tagged for malware by SURBL. Most of them have either anonymous registration or obviously fake details, although this one (for the domain steyjixie.net) stands out:

Registry Registrant ID:
Registrant Name: Taras Ponomarev
Registrant Organization: N/A
Registrant Street: g. Belgorod, ul. Malysheva 96, kv. 124
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 111111
Registrant Country: RU
Registrant Phone: +7.527221603
Registrant Fax: +7.527221603
Registrant Email: info@steyjixie.net
Registry Admin ID:

A DLL is dropped with a detection rate of 13/56.

UPDATE

I completely forgot to include the C2. D'oh.

109.248.59.164/apache_handler.php (Netart, Russia)

Recommended blocklist:
62.84.69.75
85.118.45.12

109.248.59.164
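The indicators above are only useful if they are actually checked against mail and proxy telemetry. The following Python script is an added example written for this post, not code from the post's author: it packages the lure formats described earlier (the subject and attachment naming patterns, which are regexes derived from the examples given and so are an assumption about the campaign) together with the download URLs, associated domains, C2 and recommended blocklist, and runs them over a few constructed proxy log lines in an assumed "timestamp client method url status" format.

```python
import re
from urllib.parse import urlsplit

# Network indicators copied from the write-up above: the three download
# hosts, the domains on the two hosting IPs, the C2 and the blocklist.
DOWNLOAD_HOSTS = {"eaglemouth.org", "dabihfluky.com", "fauseandre.net"}
DOWNLOAD_PATH = "/d5436gh"
C2_HOST = "109.248.59.164"
C2_PATH = "/apache_handler.php"
BLOCKLIST_IPS = {"62.84.69.75", "85.118.45.12", "109.248.59.164"}
ASSOCIATED_DOMAINS = {
    "stenokeid.org", "dabihfluky.com", "veddanagor.net", "eaglemouth.org",
    "writewile.su", "bebopamelu.su", "anoamans.com", "shuspong.com",
    "tchawane.com", "teetypoop.com", "thokelieu.com", "uredosafe.com",
    "awaftaxled.com", "clankcutup.com", "droukulnad.com", "gweedbizen.com",
    "haikhhoose.com", "muangbouge.com", "ovinekusum.com", "shinalumen.com",
    "wellyzimme.com", "grimkonde.net", "steyjixie.net", "pryerungot.net",
    "unzenjerib.net", "uphershoji.net", "palialawi.org",
}

# Lure patterns derived (an assumption) from the formats the post describes:
# subject "Invoice-123456-12345678-123-A1B2C3D4" and attachment
# "20161006_42888419_Invoice.doc".
SUBJECT_RE = re.compile(r"^Invoice-\d{6}-\d{8}-\d{3}-[0-9A-Fa-f]{8}$")
ATTACHMENT_RE = re.compile(r"^\d{8}_\d+_Invoice\.doc$", re.IGNORECASE)


def classify_email(subject, attachment):
    """Return the reasons an inbound mail resembles this campaign's lure."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject matches Invoice-NNNNNN-NNNNNNNN-NNN-XXXXXXXX")
    if ATTACHMENT_RE.match(attachment.strip()):
        reasons.append("attachment matches YYYYMMDD_NNNNNNNN_Invoice.doc")
    return reasons


def classify_url(url):
    """Return the reasons an outbound HTTP request matches the post's IoCs."""
    if "://" not in url:
        url = "http://" + url           # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    reasons = []
    if host in BLOCKLIST_IPS:
        reasons.append("destination %s is on the recommended blocklist" % host)
    if host in ASSOCIATED_DOMAINS:
        reasons.append("domain %s is tied to the Locky hosting IPs" % host)
    if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
        reasons.append("payload download URL")
    if host == C2_HOST and path == C2_PATH:
        reasons.append("Locky C2 check-in URL")
    return reasons


def scan_proxy_log(lines):
    """Scan proxy log lines in the assumed format
    '<time> <client> <method> <url> <status>' and return
    (line number, url, reasons) for every line that matches an indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue                    # skip malformed lines rather than crash
        url = fields[3]
        reasons = classify_url(url)
        if reasons:
            findings.append((number, url, reasons))
    return findings


# Constructed sample log: one payload fetch, one benign request, one C2
# check-in and one request to an associated domain.
SAMPLE_PROXY_LOG = [
    "2016-10-06T07:20:11Z 10.0.0.15 GET http://eaglemouth.org/d5436gh 200",
    "2016-10-06T07:20:13Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2016-10-06T07:20:19Z 10.0.0.15 POST http://109.248.59.164/apache_handler.php 200",
    "2016-10-06T07:21:02Z 10.0.0.22 GET http://steyjixie.net/ 404",
]

if __name__ == "__main__":
    print(classify_email("Invoice-365961-42888419-888-DE0628DA",
                         "20161006_42888419_Invoice.doc"))
    for number, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("line %d: %s -> %s" % (number, url, "; ".join(reasons)))
```

The host and path are compared separately so that a request to one of the hosting IPs on any path is still flagged by the blocklist rule, while the download and C2 rules fire only on the exact paths from the post; a client that both fetched `/d5436gh` and then posted to `/apache_handler.php` is the sequence worth escalating.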
