Sponsored by..

Showing posts with label Austria. Show all posts
Showing posts with label Austria. Show all posts

Friday 2 September 2016

Malware spam: "Scanned image from MX2310U@victimdomain.tld" leads to Locky

This fake document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.

Subject:     Scanned image from MX2310U@victimdomain.tld
From:     office@victimdomain.tld (office@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 2 September 2016, 2:29

Reply to: office@victimdomain.tld [office@victimdomain.tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception

File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
Adobe(R)Reader(R) can be downloaded from the following URL:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.

    http://www.adobe.com/

Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component from on of the following locations:

body-fitness.net/lagmslh
bushman-rest.com/aoeueyk
capannoneinliguria.com/lijrnub
foerschl.gmxhome.de/emyomqa
imakarademo.web.fc2.com/akwhorc
inge28.mytactis.com/cqmoxef
pennylanecupcakes.com.au/mhkqxia
rabbitfood.web.fc2.com/ixvnfyj
sakon118.web.fc2.com/srmrsgf
sebangou8.xxxxxxxx.jp/kfkdpvl
sojasaude.com.br/ahtoijg
sp-moto.ru/vodusim
t-schoener.de/mdexigc
www.bytove.jadro.szm.com/dgsqens
www.callisto.cba.pl/oqmfnar
www.ccnprodusenaturiste.home.ro/hiogthu
www.coropeppinumereu.it/xyhhytf
www.one-clap.jp/pourpjr
www.parrucchieriagiacomo.com/dekjxus
www.radicegioielli.com/aayfixd
www.sieas.com/mkndcbn
www.spiritueelcentrumaum.net/ksqoyps
www.vanetti.it/inywdjo
www.whitakerpd.co.uk/ymmcguk
www.xolod-teplo.ru/ygpwfty
yggithuq.utawebhost.at/getatoj

The payload is Locky ransomware, phoning home to:

212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers.xyz] (EDIS, Austria)

Recommended blocklist:
212.109.192.235
149.154.152.108

Friday 13 March 2015

Malware spam: "pentafoods.com" / "Invoice: 2262004"

This fake Penta Foods spam run is another variant of this and it comes with a malicious attachment. Penta Foods are not sending this email, instead it is a simple forgery.

From:    cc18923@pentafoods.com
Date:    13 March 2015 at 07:50
Subject:    Invoice: 2262004

Please find attached invoice :  2262004
  Any queries please contact us.

--
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.

Attached is a Word document R-1179776.doc which actually comes in two version, both with zero detection rates, contains one of two malicious macros [1] [2] which then download a component from the following locations:

http://accalamh.aspone.cz/js/bin.exe
http://awbrs.com.au/js/bin.exe

This is saved as %TEMP%\fJChjfgD675eDTU.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] show a phone-home attempt to:

62.76.179.44 (Clodo-Cloud / IT House, Russia)

My sources also indicate that it phones home to:

212.69.172.187 (Webagentur, Austria)
78.129.153.12 (iomart / RapidSwitch, UK)

According to this Malwr report it also drops a DLL with a detection rate of just 2/57 which is probably Dridex.

Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12


Friday 18 October 2013

Malware sites to block 18/10/2013

These IPs and domains are associated with this spam run. Some of these servers have been compromised for some time by the looks of things. There's a plain list for copy-and-pasting at the end.

12.46.52.147 (Compact Information Systems / AT&T, US)
41.203.18.120 (Hetzner, South Africa)
62.75.246.191 (Intergenia, Germany)
62.76.42.58 (Clodo-Cloud / IT House, Russia)
69.46.253.241 (RapidDSL & Wireless, US)
70.159.17.146 (F G Wilson / AT&T , US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
94.102.14.239 (Netinternet , Turkey)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
140.174.98.150 (NTT America, US)
163.18.62.51 (TANET, Taiwan)
182.237.17.180 (Uclix, India)
201.151.0.164 (Alestra, Mexico)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156 (PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.5.182.144 (RackSRV Communications, UK)
213.143.121.133 (Wien Energie, Austria)
213.214.74.5 (BBC Cable, Bulgaria)

12.46.52.147
41.203.18.120
62.75.246.191
62.76.42.58
69.46.253.241
70.159.17.146
91.205.17.80
94.102.14.239
111.68.229.205
114.32.54.164
118.163.216.107
140.174.98.150
163.18.62.51
182.237.17.180
201.151.0.164
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.5.182.144
213.143.121.133
213.214.74.5
alenikaofsa.ru
alionadorip.ru
dynamooblog.ru
inkrediblehalk.ru
intro2seo.ru

Added:
hankoksuper.ru is now active on those same IPs.

Friday 7 June 2013

Malware sites to block 7/6/13

Two IPs that look related, the first is 37.235.48.185 (Edis, Poland or Austria) which host some domains that are also found here (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:

faggyppvers5.info
finger2.climaoluhip.org
linkstoads.net
node1.hostingstatics.org
node2.hostingstatics.org

Injecting some of the same sites as the domains on the above IPs is jstoredirect.net which is currently offline but was hosted on 149.154.152.18 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect.net was online it managed to infect over 1500 sites.

Aggregate blocklist:
98.126.9.34
114.142.147.51
158.255.212.96
158.255.212.97
nethostingdb.com
netstoragehost.com
connecthostad.net
climaoluhip.org
hostingstatics.org
systemnetworkscripts.org
numstatus.com
linkstoads.net
faggyppvers5.info
jstoredirect.net

Tuesday 28 May 2013

Something (a bit) evil on 158.255.212.96 and 158.255.212.97

The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example for fussball-gsv.de). These two examples report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware.

The following sites are hosted on those two domains, plus a link to the Google Safebrowsing diagnostics:
linkstoads.net [no malware reported]
node1.hostingstatics.org [malware reported]
node2.hostingstatics.org
nodeph.hostingstatics.org
numstatus.com [no malware reported]
systemnetworkscripts.org [no malware reported]
finger2.climaoluhip.org [malware reported]
connecthostad.net [malware reported]
netstoragehost.com [malware reported]
nethostingdb.com [no malware reported]

In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so.

I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:
158.255.212.96
158.255.212.97
193.102.11.3
205.178.182.1
hostingstatics.org
climaoluhip.org
numstatus.com
linkstoads.net
systemnetworkscripts.org
connecthostad.net
netstoragehost.com
nethostingdb.com