Subject: Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf) that looks like this.
From: KELLY MOORHOUSE (kelly.moorhouse@edbn.org)
Date: Wednesday, 9 November 2016, 12:52
KELLY MOORHOUSE
Last & Tricker Partnership
3 Lower Brook Mews
Lower Brook Street
Ipswich Suffolk IP4 1RA
T: 01473 252961 F: 01473 233709 M: 07778464004
email: kelly.moorhouse@edbn.org
This e-mail and any attachments may contain confidential and privileged
information and is intended only for the use of the individual or entity to
which it is addressed. If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this e-mail and destroy any
copies from your system; you should not copy the message or disclose its
contents to anyone. Any dissemination, distribution or use of this
information by a person other than the intended recipient is unauthorized
and may be illegal. We cannot accept liability for any damage sustained as a
result of software viruses and advise you to carry out your own virus checks
before opening any attachment.
For one sample script, the Hybrid Analysis and Malwr report indicate a binary is downloaded from one of the following locations:
alamanconsulting.at/0ftce4?aGiszrIV=gRLYYDHSna
naka-dent.mobi/0ftce4?aGiszrIV=gRLYYDHSna
This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56.
85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)
These are the same C2s as seen here.
Recommended blocklist:
85.143.212.23
158.69.223.5
UPDATE
A full list of download locations from my usual source:
alamanconsulting.at/0ftce4
ayurvedic.by/0ftce4
ekaterinburg.kacatka.ru/0ftce4
hoangtranwater.com/0ftce4
hoteldseason.com/0ftce4
hotelvinayakpalace.in/0ftce4
hotloto.com/0ftce4
hqseconsulting.com/0ftce4
hupsoft.com/0ftce4
idontknow.eu/0ftce4
idplus.sg/0ftce4
ifreenet.it/0ftce4
ijai.fr/0ftce4
iloveyf.com/0ftce4
indospyshop.com/0ftce4
innsat.pl/0ftce4
inzt.net/0ftce4
iriscommunications.com.pk/0ftce4
istanbulsoft.com.tr/0ftce4
ivakil.com/0ftce4
jaysilverdp.com/0ftce4
jcuenca.es/0ftce4
jer.be/0ftce4
jingaiwang.com/0ftce4
joralan.es/0ftce4
jxhyhz.com/0ftce4
kembarastation.com/0ftce4
kenankaynak.com/0ftce4
ketoantamviet.edu.vn/0ftce4
konan.nl/0ftce4
kopeyskdom.ru/0ftce4
krasnodar-sp.ru/0ftce4
k-scope.ca/0ftce4
kyrre.cn/0ftce4
labtekindie.com/0ftce4
lacosanostra.co/0ftce4
lander.pl/0ftce4
laurenward.me/0ftce4
leftakis.gr/0ftce4
level3.tv/0ftce4
lifez.nl/0ftce4
lindafluge.no/0ftce4
lingerievalentine.ueuo.com/0ftce4
linkset.ro/0ftce4
lujin.ro/0ftce4
luke-woods.com/0ftce4
luostone.com/0ftce4
martos.pt/0ftce4
matbaa.be/0ftce4
mch.kz/0ftce4
mckm11.cba.pl/0ftce4
meditativyoga.net/0ftce4
micashu.org/0ftce4
michellemccarron.com/0ftce4
microscopiavirtual.cl/0ftce4
milagrotarim.com/0ftce4
mineralsteel.cl/0ftce4
mogadk.ru/0ftce4
mospi.ru/0ftce4
moydom.by/0ftce4
mschroll.de/0ftce4
mtsas.freehost.pl/0ftce4
muamusic.com/0ftce4
muellerhans.ch/0ftce4
musicphilicwinds.org/0ftce4
muziekupdate.nl/0ftce4
mvpdental.com/0ftce4
mypcdaddy.com/0ftce4
naarndonau.at/0ftce4
naka-dent.mobi/0ftce4
oontsheol.net/0ftce4
shukatsu-live.com/0ftce4
sport-grace.by/0ftce4
tikkatawgi.com/0ftce4
vologda.maxuma.ru/0ftce4
www.0898tz.com/0ftce4
www.limpotools.com/0ftce4