Sponsored by..

Friday 25 August 2017

Malware spam: "Voicemail Service" / "New voice message.."

The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.

Subject:       New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From:       "Voicemail Service" [vmservice@victimdomain.tdl]
Date:       Fri, August 25, 2017 12:36 pm

Dear user:

just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service
Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too. These are the MD5s I've seen so far for the RAR files themselves:

04059E14170996725CD2ED2324E485F2
0839A18B1F5C1D09F3DF3DC260C07194
0BD5C04D2680B5C8A801B4C2E73BECCD
12D1FC37D223E823C80CF052920DA9AB
1AA539798341930B5492764F2D668987
1ADFF05EEA041B34682FD92CDE45DBFA
1CCF7445D771B7F803E95090E96D0EB2
20162EC71639C4A9080C24B253F5FDFF
24133B658F7730205BCC5789B4CA30F1
42947EBFEFFA9A5CFA3AADDA7EADA572
4AC35594445EB22FE6971A5F81EAB761
4D4DBBCEC5B48EBA30D7B09F994BC009
54E7C8863E161D5A601230E3CD590134
556A6FC4D5607210FA7EF3CAF3CE59D6
645C4FB3BE1A8B1188E8B5A54B1BC011
80D9CEBB286D79955F18013DD3415EEF
8C9B20A61368E8956B6C49DA9AFF30D1
9739211AD009B97EBE0DF353AB11BEB5
9CDDA6C72F41039340E450FA4374E748
A9C0D2F356C455EB40B707D570D27318
BAF4482ED9F6DEE8CBE6F69366AAC434
EA7D52C3328A5A8A0C8334AE3E3C580C
FEC76C943E1252D0DE7D6B7936510B9D


The VBS script is similar to this (variable names seem to change mostly) with a detection rate of about 15/59. Hybrid Analysis shows it dropping a Locky executable with a 18/65 detection rate which phones home to 46.17.44.153/imageload.cgi (Baxnet, Russia) which I recommend that you block.

Malware spam: "Your Sage subscription invoice is ready" / noreply@sagetop.com

This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery.

Subject:       Your Sage subscription invoice is ready
From:       "noreply@sagetop.com" [noreply@sagetop.com]
Date:       Thu, August 24, 2017 8:49 pm

Dear Customer

Your Sage subscription invoice is now ready to view.

Sage subscriptions

To view your Sage subscription invoice click here 

Got a question about your invoice?

Call us on 0845 111 6604

If you're an Accountant, please call 0845 111 1197
If you're a Business Partner, please call 0845 111 7787

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service
message, not a marketing communication. This email was sent from an address that
cannot accept replies. Please use the contact details above if you need to get in
touch with us.

The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.

helpmatheogrow.com/SINV0709.rar
hendrikvankerkhove.be/SINV0709.rar
heinverwer.nl/SINV0709.rar
help.ads.gov.ba/SINV0709.rar
harvia.uz/SINV0709.rar

The RAR file itself contains a malicious VBS script that looks like this [pastebin] with a detection rate of 19/56, which attempts to download another component from:

go-coo.jp/HygHGF
hausgerhard.com/HygHGF
hausgadum.de/HygHGF
bromesterionod.net/af/HygHGF
hartwig-mau.de/HygHGF
hecam.de/HygHGF
haboosh-law.com/HygHGF
hbwconsultants.nl/HygHGF
hansstock.de/HygHGF
heimatverein-menne.de/HygHGF

Automated analysis of the file [1] [2] shows a dropped binary with a 39/64 detection rate, POSTing to 46.183.165.45/imageload.cgi  (Reg.Ru, Russia)

Recommended blocklist:
46.183.165.45




Thursday 24 August 2017

Multiple badness on metoristrontgui.info / 119.28.100.249

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.

Subject:       New BT Bill
From:       "BT Business" [btbusiness@bttconnect.com]
Date:       Thu, August 24, 2017 6:08 pm
Priority:       Normal

From BT
New BT Bill

Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.

We've put your latest BT bill for you to view. See your bill here


We'll take your payment from your account as usual by Direct Debit.

Reduce paper waste
You're still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?


Need some help?
Go to www.bt.com/business/support.

Thanks for choosing BT.

Robena Morath
CEO, BT Business

Payment processing fee: BT Payment Services Ltd, a BT Group Company, charges this fee.
This or confidential. It's meant only for the individual(s) email contains BT information, which may be privileged or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.

And a simpler one..

From:    Dianna Mcgrew
Date:    24 August 2017 at 14:50
Subject:    Bill-9835

Hi,

Here is a copy of your bill.

Thank you & have a great weekend!
Most (but not all) of the samples I  have seen then lead to a single website to download the malicious payload, for example:

http://metoristrontgui.info/af/download.php
http://metoristrontgui.info/af/bill-201708.rar
http://metoristrontgui.info/af/bill-201708.7z

metoristrontgui.info is hosted on 119.28.100.249 (Tencent, China) which is an IP we've seen a few times recently [1] [2]. Let's check out that WHOIS:

Domain Name: METORISTRONTGUI.INFO
Registry Domain ID: D503300000042955753-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.eranet.com
Updated Date: 2017-08-24T14:02:07Z
Creation Date: 2017-08-24T13:24:23Z
Registry Expiry Date: 2018-08-24T13:24:23Z
Registrar Registration Expiration Date:
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C208152073-LRMS
Registrant Name: Robert Ruthven
Registrant Organization: Gamblin Artists Colors
Registrant Street: 323 SE Division Pl
Registrant City: Portland
Registrant State/Province: OR
Registrant Postal Code: 97202
Registrant Country: US
Registrant Phone: +1.5034359411
Registrant Phone Ext:
Registrant Fax: +1.5034359411
Registrant Fax Ext:
Registrant Email: jenniemarc@mail.com
Registry Admin ID: C208152073-LRMS
Admin Name: Robert Ruthven
Admin Organization: Gamblin Artists Colors
Admin Street: 323 SE Division Pl
Admin City: Portland
Admin State/Province: OR
Admin Postal Code: 97202
Admin Country: US
Admin Phone: +1.5034359411
Admin Phone Ext:
Admin Fax: +1.5034359411
Admin Fax Ext:
Admin Email: jenniemarc@mail.com
Registry Tech ID: C208152073-LRMS
Tech Name: Robert Ruthven
Tech Organization: Gamblin Artists Colors
Tech Street: 323 SE Division Pl
Tech City: Portland
Tech State/Province: OR
Tech Postal Code: 97202
Tech Country: US
Tech Phone: +1.5034359411
Tech Phone Ext:
Tech Fax: +1.5034359411
Tech Fax Ext:
Tech Email: jenniemarc@mail.com
Registry Billing ID: C208152073-LRMS
Billing Name: Robert Ruthven
Billing Organization: Gamblin Artists Colors
Billing Street: 323 SE Division Pl
Billing City: Portland
Billing State/Province: OR
Billing Postal Code: 97202
Billing Country: US
Billing Phone: +1.5034359411
Billing Phone Ext:
Billing Fax: +1.5034359411
Billing Fax Ext:
Billing Email: jenniemarc@mail.com
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/


VirusTotal confirms a lot of badness here, with all of these evil domains on the same server:

drommazxitnnd7gsl.com
74jhdrommdtyis.net
rtozottosdossder.net
kabbionionsesions.net
ttytreffdrorseder.net
tyytrddofjrntions.net
mjhsdgc872bf432rdf.net
yrns7sg3kdn94hskxhbf.net
trmbobodortyuoiyrt.org
metoristrontgui.info
fsroosionsoulsda.info
aldirommestorr887.info
droohsdronfhystgfh.info

Downloads from this site can be a bit slow, unsurprisingly. The dropped EXE seems to be Locky ransomware with a detection rate of 19/65. Hybrid Analysis shows the sample POSTing to 185.179.190.31/imageload.cgi (Webhost LLC, Russia)

Recommended minimum blocklist:
185.179.190.31
119.28.100.249




Wednesday 23 August 2017

Malware spam: "Customer Service" / "Copy of Invoice xxxx"

This fairly generic spam leads to the Locky ransomware:

Subject:       Copy of Invoice 3206
From:       "Customer Service"
Date:       Wed, August 23, 2017 9:12 pm


Please download file containing your order information.

If you have any further questions regarding your invoice, please call Customer Service.


Please do not reply directly to this automatically generated e-mail message.

Thank you.
Customer Service Department
A link in the email downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis has seen it all before. The download EXE (VT 21/64) script POSTS to 5.196.99.239/imageload.cgi (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler last year, so I would recommend blocking all traffic to 5.196.99.0/24.

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx - name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP.

Subject:       Voice Message Attached from 001396445685 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:22 am

Time: Wed, 23 Aug 2017 14:52:12 +0530
Download <http://tyytrddofjrntions.net/af/VM20170823_193908.zip> file to listen
Voice Message

Subject:       Voice Message Attached from 055237805419 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:21 am

Time: Wed, 23 Aug 2017 14:51:13 +0530
Download <http://mjhsdgc872bf432rdf.net/af/VM20170823_193908.rar> file to listen
Voice Message
Both download locations of tyytrddofjrntions.net and mjhsdgc872bf432rdf.net are hosted on 119.28.100.249 (Tencent, CN). This same IP was seen in this other recent spam run. Both the RAR and ZIP downloads (detection rate about 18/59 [1] [2]) contain the same malicious VBS script [pastebin]. The script tries to download an additional component from one of the following locations:

grlarquitectura.com/Mvgjh67?
grundschulmarkt.com/Mvgjh67?
aldirommestorr887.info/af/Mvgjh67?
grupoegeria.net/Mvgjh67?
gestionale-orbit.it/Mvgjh67?
gdrural.com.au/Mvgjh67?
geocean.co.id/Mvgjh67?
grupoajedrecisticoaleph.com/Mvgjh67?
grupofergus.com.bo/Mvgjh67?
gruppostolfaedilizia.it/Mvgjh67?

You'll note that most of those download locations start with "gr" which indicates that this is just a small subset of hacked servers under the control of the bad guys.

Automated analysis [3] [4] shows a dropped file with a VirusTotal detection rate of 14/64 (probably Locky). Those same analyses show traffic being sent to:

62.109.16.214/imageload.cgi (TheFirst-RU, RU - hostname: gpodlinov.letohost.com)
5.196.99.239/imageload.cgi (Just Hosting, RU - hostname: noproblem.one)

UPDATE:  Several other IPs in the 5.196.99.0/24 range have been used to host malware in the past. I would recommend blocking the entire /24.

Recommended blocklist:
119.28.100.249
62.109.16.214
5.196.99.0/24


Tuesday 22 August 2017

Malware spam from "Voicemail Service" [pbx@local]

This fake voicemail leads to malware:

Subject:       [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From:       "Voicemail Service" [pbx@local]
Date:       Tue, August 22, 2017 10:37 am
To:       "Evelyn Medina"
Priority:       Normal

Dear user:

        just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service

The numbers and details vary from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 14/59.

According to automated analysis [1] [2] the script reaches out to the following URLs:

5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]

A ransomware component is dropped (probably Locky) with a detection rate of 16/64.




Monday 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*


Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249