Showing posts with label Cryptowall. Show all posts

Tuesday, 24 November 2015

Malware spam: Serafini_Billing_Statement 2003 / Statement.zip leads to Cryptowall

This fake financial spam leads to ransomware:
From:    Scrimpsher [mumao82462308wd@163.com]
Date:    24 November 2015 at 16:57
Subject:    Serafini_Billing_Statement 2003
Signed by:    163.com

Hi Please see attached a copy of your statement for the month of Nov 2015
Sincerely
Lynda Ang
As with many recent ransomware campaigns, this appears to have been sent through webmail (it really is from 163.com; it is not spoofed). Attached is a file Statement.zip which contains a malicious JavaScript file statement.js [pastebin] [VT 7/53], which then downloads a component from:

46.30.45.73/mert.exe

That IP belongs to Eurobyte LLC in Russia. I recommend that you block it.

This is saved as %TEMP%\122487254.exe and it has a VirusTotal detection rate of 5/55 and an MD5 of 68940329224ab93ce4b688df33a9274f. The application's icon and metadata are designed to make it look like a copy of VNC, but the VirusTotal detections indicate that it is actually Cryptowall. This Hybrid Analysis report demonstrates the ransomware in action most clearly.

One unusual characteristic is that it POSTs to a lot of web servers (also listed in these reports [1] [2] [3]), although I don't know how significant that is. Almost all the domain names begin with "A":

81moxing.com
acid909.co.uk
alaska-ushuaia-ecotrip.cashew.fr
alettewinckler.com
allaboutt.co.nz
allegrostudio.ca
allergitejp.se
allsystemsrepair.com
allwinmusic.com
a-louise.com
alper.ro
alsaauto.com
alterweb.com.ua
amirhosseinnouri.com
anellovaffa.it
apinside.it
applemuseum.us
appmedia.se
arcgraphics.co.uk
armekonomi.se
armenia.e5p.eu
aroapulsa.com
aromasupply.nl
arot.altervista.org
asc-architect.com
a-s-g.fr
asiatiquegay.fr
atlanticinsulationservices.co.uk
audicarti.com
autohes.cz
autooutfitters.biz
autoservice-piehler.de
aviatorek.pl
b-52mebli.com.ua
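The post above gives two network indicators a defender can act on: the stager download from the bare IP 46.30.45.73 and the burst of HTTP POSTs to the compromised domains listed. The following is an added example (not code from the original post) that runs both checks over a handful of constructed proxy log lines; the log format, the client IPs and the URL paths are all assumptions for the example, and only a few of the page's domains are included.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post above (a small subset, not a complete feed).
STAGER_HOSTS = {"46.30.45.73"}
POST_TARGETS = {
    "81moxing.com", "acid909.co.uk", "alper.ro", "alsaauto.com", "b-52mebli.com.ua",
}

# Assumed proxy access-log shape: "<epoch> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; the clients and paths are invented for the example.
SAMPLE_LOG = """\
1448383020.123 10.0.0.15 GET http://46.30.45.73/mert.exe 200
1448383025.456 10.0.0.15 POST http://alper.ro/wp-content/plugins/x.php 200
1448383030.789 10.0.0.22 GET http://www.example.com/index.html 200
1448383035.001 10.0.0.15 POST http://b-52mebli.com.ua/img/y.php 404
1448383040.222 10.0.0.31 POST http://mail.alsaauto.com/login 200
"""


def hostname(url):
    """Lower-cased host part of a URL, without a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def matches_domain(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(log_text):
    """Return (client, reason, url) for every log line that hits an indicator.

    A POST is flagged regardless of HTTP status: a 404 from a cleaned-up
    compromised site still shows the client tried to check in.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        host = hostname(m["url"])
        if host in STAGER_HOSTS:
            hits.append((m["client"], "stager-download", m["url"]))
        elif m["method"] == "POST" and matches_domain(host, POST_TARGETS):
            hits.append((m["client"], "c2-post", m["url"]))
    return hits


def clients_to_isolate(log_text):
    """Clients that both fetched the stager and POSTed to a listed domain."""
    by_client = {}
    for client, reason, _ in scan(log_text):
        by_client.setdefault(client, set()).add(reason)
    return sorted(c for c, r in by_client.items()
                  if {"stager-download", "c2-post"} <= r)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("isolate:", clients_to_isolate(SAMPLE_LOG))
```

A single POST to one of these domains is weak evidence on its own, since they are legitimate sites that happen to be compromised; the combination of the executable download and the POST burst from the same client is what justifies isolating the machine.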


Thursday, 29 October 2015

Malware spam: "Domain [domain] Suspension Notice" / abuse@enom.com.org

There appear to be many versions of this spam, aimed at domain owners and apparently coming from the actual registrar of the domain. For added authenticity, the owner's name is included in the spam. Here is one example that I got; it would have been very convincing, except that I had a heads-up about this attack a couple of days ago.

From:    ENOM, INC. [abuse@enom.com.org]
Date:    30 October 2015 at 04:11
Subject:    Domain LAPTOP-MEMORY.COM Suspension Notice

Dear Sir/Madam,

The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:

Domain Name: LAPTOP-MEMORY.COM
Registrar: ENOM, INC.
Registrant Name: CONRAD LONGMORE

Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-406-7704
In this case, clicking on the link goes to edecisions.com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr. It looks more authentic because the domain name is in the downloaded filename, but in fact you can specify any domain name and it returns a matching file.
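The filename trick used here (a .scr screensaver executable dressed up with a .pdf inner extension, which Windows Explorer shows as "...pdf" when known extensions are hidden) is easy to screen for at a mail gateway or download proxy. The following is an added example, not code from the original post; it classifies filenames taken from this and the other posts on this page, and the extension lists are the example's own assumptions rather than an exhaustive policy.

```python
import os

# Extensions Windows will execute directly (assumed policy list, not exhaustive).
EXECUTABLE_EXTS = {".scr", ".exe", ".js", ".jse", ".vbs", ".vbe", ".wsf",
                   ".pif", ".bat", ".cmd", ".hta", ".cpl"}
# "Document-looking" extensions an attacker tends to place in front of them.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt",
                 ".jpg", ".png", ".zip"}


def classify_filename(name):
    """Return 'ok', 'executable' or 'disguised-executable' for an attachment name."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    root, ext = os.path.splitext(base)
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    _, inner = os.path.splitext(root)   # e.g. ".pdf" in "x.pdf.scr"
    if inner in DOCUMENT_EXTS:
        return "disguised-executable"
    return "executable"


def as_shown_with_hidden_extensions(name):
    """What Explorer displays when 'Hide extensions for known file types' is on."""
    base = os.path.basename(name.replace("\\", "/"))
    root, _ = os.path.splitext(base)
    return root


def triage(names):
    """Map each filename to its class; useful for a quarantine report."""
    return {n: classify_filename(n) for n in names}


# Filenames taken from the posts on this page (constructed list for the example).
SAMPLE_ATTACHMENTS = [
    "LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr",
    "Documents.scr",
    "statement.js",
    "Bobette_resume_1817.doc",
    "Statement.zip",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        shown = as_shown_with_hidden_extensions(name)
        print(f"{verdict:22s} {name}  (displays as: {shown})")
```

Note that the .doc and .zip attachments from the other posts come back as "ok": this check only catches executables by extension, so it complements, rather than replaces, macro inspection and archive content scanning.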

Before we look at the analysis of the downloaded executable, let's look at the domain name edecisions.com. It looks like the sort of domain that might contain abuse reports, but in fact it is a hijacked GoDaddy domain hosted on 65.78.174.100 and a quick look at VirusTotal indicates that one of the other 4 sites on the same server was also compromised and was serving up malware in 2013. This is definitely a good candidate to block.

The downloaded file has a VirusTotal detection rate of 2/55. Automated analysis tools [1] [2] [3] indicate that whatever the hell this is, it tries to contact a LOT of other servers. We can see that the following domain names are accessed (mostly POST attempts):

0tv.co
abettertravelagent.com
agentclicktocall.com
airconditioning12601.com
all-inclusiveresortstravel.com
allgroupstravel.com
allreadytravel.com
ameliastyle.com
anabolicsteroidsrx.com
anunciamicasa.com
aprovechatudia.com
armangarzon.info
beachhouseplans.com
bigboattravel.com
biznal.com
bloccailmutuo.com
boilersandfurnaces.com
breakerhub.com
breathtakingsolutions.com
brindegenie.com
cameroonmarket.com
camirate.com
carltonchambers.co.uk
certifiedphytoceramides.com
chuckwhitlock.com
ciiapparelblog.com
circuitbreakerhub.com
colebar.com
cpasolutiononline.com
cruiseandtravel.agency
cruises-travelandmore.com
cruisetravelpros.com
cruisewithdawn.com
cruisingatdawn.com
cywellness.com
dallascircuitbreaker.co
dallascircuitbreaker.com
dallaselectricalsurplus.com
dallasreconditionedtransformers.com
dangerousgarciniacambogia.com
dawat-restaurant.com
designbrossard.com
designingartinstitute.com
designtravelagency.com
destinycruiseandtravel.com
enterrealtyny.com
superfunshoes.com
tarkshyainc.com

Note that almost everything is in the A-D range, which makes me suspect that this is only a fraction of the compromised domains. If we look at the IP addresses of those domains, then it gets even more interesting:

50.87.144.249 (Unified Layer, US)
50.87.151.145 (Unified Layer, US)
108.167.140.175 (WebSiteWelcome, US) [13 instances]
162.144.0.215 (Unified Layer, US)
162.144.12.115 (Unified Layer, US)
192.185.5.33 (WebSiteWelcome, US) [2 instances]
192.185.16.67 (WebSiteWelcome, US) [7 instances]
192.185.19.115 (WebSiteWelcome, US)
192.185.21.162 (WebSiteWelcome, US)
192.185.22.63 (WebSiteWelcome, US) [4 instances]
192.185.90.237 (WebSiteWelcome, US)
192.185.101.210 (WebSiteWelcome, US)
192.185.140.214 (WebSiteWelcome, US)
192.185.152.133 (WebSiteWelcome, US) [2 instances]
192.185.183.81 (WebSiteWelcome, US)
192.185.226.164 (WebSiteWelcome, US)
192.254.186.85 (WebSiteWelcome, US) [2 instances]
192.254.231.138 (WebSiteWelcome, US)
192.254.234.204 (WebSiteWelcome, US)
198.57.242.171 (Unified Layer, US) [4 instances]
198.57.244.38 (Unified Layer, US)
208.109.119.156 (GoDaddy, US)

A check of those WebSiteWelcome and Unified Layer IPs on VirusTotal (for example 192.185.226.164) indicates several compromised domains on the same server, indicating that the entire box has been popped.

It isn't clear what the payload is, but given that it is aimed at domain owners and given the unusual characteristics of the malware, I can make a guess that it is some sort of password stealer, possibly harvesting domain or server admin credentials. If you are not using multi-factor authentication for your domains, then perhaps now would be a good time to do so.

Recommended blocklist:
50.87.144.249
50.87.151.145
108.167.140.175
162.144.0.215
162.144.12.115
192.185.5.33
192.185.16.67
192.185.19.115
192.185.21.162
192.185.22.63
192.185.90.237
192.185.101.210
192.185.140.214
192.185.152.133
192.185.183.81
192.185.226.164
192.254.186.85
192.254.231.138
192.254.234.204
198.57.242.171
198.57.244.38
65.78.174.100

UPDATE:

The payload appears to be the Cryptowall ransomware.

Tuesday, 27 October 2015

Malware spam: "id:9828_My_Resume"

This fake résumé spam comes with a malicious attachment. It seems that the names are randomly-generated from a list.

From:    Trinh [zhanxing1497kcuo@163.com]
Date:    27 October 2015 at 18:30
Subject:    id:9828_My_Resume
Signed by:    163.com

Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster
In this case the attachment was named Bobette_resume_1817.doc however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55, mostly detecting a generic macro downloader.

The macro looks like this [pastebin] and the Hybrid Analysis of the document shows traffic coming FROM 46.30.41.150 (EuroByte LLC, Russia) and being POSTED to the following:

all-inclusiveresortstravel.com
designtravelagency.com
bigboattravel.com
cpasolutiononline.com
ciiapparelblog.com

The first three are on 108.167.140.175 and the last two are on 192.185.101.210; both are allocated to WebSiteWelcome customers. I would assume that both servers are completely compromised.

The Hybrid Analysis report shows that the malware has some characteristics that make it look like ransomware.

Recommended blocklist:
46.30.41.150
108.167.140.175
192.185.101.210

UPDATE:
This Tweet indicates that the payload is Cryptowall.

Friday, 4 September 2015

Malware spam: "RE:resume" aka "What happened to your files?" / Cryptowall 3.0

This fake résumé spam leads to ransomware:

From:     fredrickkroncke@yahoo.com
Date:    5 September 2015 at 03:50
Subject:    RE:resume
Signed by:    yahoo.com

Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply

Kind regards

Teresa Alexander
The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:



Protected Document
This document is protected by Microsoft Office.
Please enable Editing and Content to see this document.

Can’t view? Follow the steps below.
Open the document in Microsoft Office. Previewing online does not work for protected documents.
If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
Following these steps would be a Very Bad Idea, as the malware would encrypt all the files on your disk. The malicious DOC file itself has a VirusTotal detection rate of 4/56.

The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:

46.30.46.117 (Eurobyte LLC, Russia)
186.202.153.84 (gaiga.net)
192.186.235.39 (satisgoswamicollege.org)
52.88.9.255 (entriflex.com)
23.229.143.32 (eliasgreencondo.com)

Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.

Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report):


This further references another bunch of domains that you might want to block, especially in a corporate environment:

namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com


This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:

68.178.254.208 (erointernet.com)

Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es. Although this is not a malicious site, you can consider a visit to it a potential indicator of compromise.

The payload here is Cryptowall 3.0 and, as is typical, removing the malware is easy, but decrypting the files without paying the ransom is fearsomely difficult.

Recommended blocklist:
46.30.46.0/24
gaiga.net
satisgoswamicollege.org
entriflex.com
eliasgreencondo.com
erointernet.com
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com

MD5s:
d6b3573944a4b400d6e220aabf0296ec
5b311508910797c91cc9c9eb4b4edb0c


Wednesday, 26 August 2015

Malware spam: "RE:resume" leads to Cryptowall

This fake resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware.

In the only sample I saw, the spam looks like this:

From:    emmetrutzmoser@yahoo.com
To:   
Date:    26 August 2015 at 23:29
Subject:    RE:resume
Signed by:    yahoo.com

Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply

Best regards

Janet Ronald
Attached was a file Janet_Ronald_resume.doc [VT 5/56] which (of course) contains a malicious macro that looks like this [pastebin].

The format of this message is very similar to this other fake resume spam seen recently, and a key feature here is that the message is really sent through Yahoo! and is not a forgery.

Deobfuscating the macro shows that a file is downloaded from http://46.30.46.60/444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report shows some of this in action, but Techhelplist did the hard work of decrypting it.


To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report which has some nice screenshots.

Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:

46.30.46.60 (Eurobyte, Russia)
linecellardemo.net / 23.229.194.224 (GoDaddy, US)

You might want to block the entire 46.30.46.0/24 range because.. well, Russia really.

MD5s:
41177ea4a2c88a2b0d320219389ce27d
d1e23b09bb8f5c53c9e4d01f66db3654

Monday, 10 August 2015

Malware spam: "Gabriel Daniel" / "Resume" / "Gabriel_Daniel_resume.doc"

This fake résumé comes with a malicious attachment:

From:    alvertakarpinskykcc@yahoo.com
Date:    10 August 2015 at 19:40
Subject:    Resume
Signed by:    yahoo.com

Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter

Kind regards

Gabriel Daniel
Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro [pastebin] which has a VirusTotal detection rate of 2/56.

As far as I can tell, it appears to download a disguised JPG file from 46.30.43.179/1.jpg (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on.


So, it is pretty clear that the payload here is Cryptowall (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:

conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?o=ups5xom3u2sb01


It also directs the visitor to various personalised ransom pages hosted on 80.78.251.170 (Agava, Russia).

Recommended blocklist:
46.30.43.179
80.78.251.170
conopizzauruguay.com


MD5:
e34cf893098bd17ae9ef18b04cff58aa

Friday, 6 February 2015

Something evil on 5.196.143.0/28 and 5.196.141.24/29 (verelox.com)

This quite interesting blog post from Cyphort got me digging into that part of the infection chain using nonsense .eu domains. It uncovered a whole series of IPs and domains that have been used to spread Cryptowall (possibly other malware too), hosted in the 5.196.143.0/28 and 5.196.141.24/29 ranges (and possibly more).

These are OVH IP ranges, suballocated to a customer called Verelox.com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers.

The first range is 5.196.141.24/29 which has apparently compromised servers at:
5.196.141.24
5.196.141.25
5.196.141.26
5.196.141.27

You can see a dump of probably evil domains in this pastebin. The second range is 5.196.143.0/28 with apparently compromised servers at:

5.196.143.3
5.196.143.4
5.196.143.5
5.196.143.6
5.196.143.7
5.196.143.8
5.196.143.10
5.196.143.11
5.196.143.12
5.196.143.13

You can see a list of those domains in this pastebin.

Registration details of the domains vary, including some that use the somewhat amusing email address reach4keys@gmail.com. Some of the .eu domains and the .xyz domains have contact details as follows:

Registrant ID: INTE54fjkzffmcv1
Registrant Name: Ramil Jamaletdinov
Registrant Organization:
Registrant Street: Bolshaya str, 15, kv.12
Registrant City: Moscow
Registrant State/Province:
Registrant Postal Code: 105553
Registrant Country: RU
Registrant Phone: +7.90988766754
Registrant Phone Ext:
Registrant Fax: +7.
Registrant Fax Ext:
Registrant Email: jramil889@gmail.com


I don't know if this person actually exists or indeed has anything to do with this, all searches come up blank.

In addition to this, some of these domains use nameservers on the following IP addresses:

168.235.70.106
168.235.69.219


These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth blocking traffic to.

Note that Cyphort identified these C&C servers for the malware:
asthalproperties.com:4444
pratikconsultancy.com:8080

The following IPs and domain names all seem to be connected, and I would recommend blocking at least the IP addresses and the two C&C domains (the other domains look like they are probably throwaway ones):

5.196.143.0/28
5.196.141.24/29
168.235.69.219
168.235.70.106

asthalproperties.com
pratikconsultancy.com

2hk7.eu
8m3a.eu
aaawq1.eu
aaawq2.eu
aaawq3.eu
asoooe1.eu
asoooe2.eu
asoooe3.eu
asw1.eu
asw2.eu
asw3.eu
bilipa.eu
bimbino.eu
bindarov.eu
c4c7.eu
cemtro3.eu
demotikvk.eu
dnor1.eu
dnor2.eu
dnor3.eu
efrai1.eu
efrai2.eu
fesvom.eu
fliston.eu
g19f.eu
gerww3.eu
giuyt5.eu
giuyt6.eu
grannu1.eu
gremn2.eu
gremn3.eu
gyyf.eu
happer1.eu
happer2.eu
happer3.eu
happer4.eu
happer5.eu
happer6.eu
hewoq5.eu
hewoq6.eu
hrt1.eu
hrt2.eu
huayolo.eu
joybul.eu
kalinda.eu
manike.eu
nicjaa5.eu
nicjaa6.eu
ponrel.eu
sindy5.eu
slanecom.eu
slawq2.eu
solonecem.eu
timona.eu
volosq.eu
vvyyyx.eu
kreni.xyz
slanecom.xyz
solonecem.xyz



Thursday, 11 September 2014

"To All Employee's - Important Address UPDATE" spam leads to Cryptowall

This fake HR spam leads to a malicious ZIP file:
From:     Administrator [administrator@victimdomain.com]
Date:     11 September 2014 22:25
Subject:     To All Employee's - Important Address UPDATE

To All Employee's:
The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=6871049687
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=6871049687.

Administrator,
http://victimdomain.com
The link in the email goes to the same site as described in this earlier post, which means that the payload is Cryptowall.



eFax spam leads to Cryptowall

Yet another fake eFax spam. I mean really I cannot remember the last time someone sent me a fax. What's next? "Someone has sent you a telegram"?

From:     eFax [message@inbound.efax.com]
Date:     11 September 2014 20:35
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935

Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.

* The reference number for this fax is atl_did1-1400166434-52051792384-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!


j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
I bet you've already guessed that the link in the message goes somewhere bad; in this case it downloads a ZIP file from cybercity-game.com/game/Documents.zip which unzips to a malicious executable Documents.scr with a pretty low VirusTotal detection rate of 2/55.

The ThreatTrack report clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data to the following locations:

188.165.204.210/1109inst2/NODE01/0/51-SP3/0/
188.165.204.210/1109inst2/NODE01/1/0/0/
mtsvp.com/files/3/install2.tar
suspendedwar.com/87n3hdh5wi04gy
suspendedwar.com/ttfvku8z7jn
goodbookideas.com/wp-content/themes/twentyeleven/111.exe
suspendedwar.com/gwfqwaratrpl2c
suspendedwar.com/h0nxfsskh0xu
suspendedwar.com/kvlfhc0hjgo6sgo



The 111.exe has a much wider detection rate of 22/53, and according to the ThreatTrack analysis of that binary there is some sort of network connection to the following IPs:

193.169.86.151
193.19.184.20

Overall, the web hosts involved are:
46.151.145.11 (Swift Trace Ltd, Crimea)
50.63.85.76 (GoDaddy, US)
76.74.170.149 (Daiger Sydes Gustafson LLC / Peer 1, US)
188.165.204.210 (OVH, France)
193.19.184.20 (PE Intechservice-B, Ukraine)
193.169.86.151 (Ivanov Vitaliy Sergeevich, Ukraine)

I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas.com
mtsvp.com
suspendedwar.com
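Each post on this page ends with its own "Recommended blocklist", and they overlap: the same WebSiteWelcome servers appear twice, and the 46.30.46.0/24 range recommended in one post already covers the single 46.30.46.60 address recommended in another. The following is an added example (not code from the original posts) that folds a subset of those lists into one de-duplicated blocklist with the standard library's ipaddress module and answers "is this IP or host covered?" queries against it. The per-post lists below are copied from the page; the date keys and the choice of subset are the example's own.

```python
import ipaddress

# Subset of the "Recommended blocklist" entries from the posts above, keyed by
# post date (constructed for this example; not a maintained feed).
RAW_BLOCKLISTS = {
    "2015-11-24": ["46.30.45.73"],
    "2015-10-29": ["50.87.144.249", "108.167.140.175", "192.185.101.210",
                   "65.78.174.100"],
    "2015-10-27": ["46.30.41.150", "108.167.140.175", "192.185.101.210"],
    "2015-09-04": ["46.30.46.0/24", "gaiga.net", "erointernet.com",
                   "namepospay.com"],
    "2015-08-26": ["46.30.46.60", "linecellardemo.net", "23.229.194.224"],
    "2015-08-10": ["46.30.43.179", "80.78.251.170", "conopizzauruguay.com"],
    "2015-02-06": ["5.196.143.0/28", "5.196.141.24/29", "168.235.69.219",
                   "168.235.70.106"],
    "2014-09-11": ["188.165.204.210", "193.19.184.20", "goodbookideas.com",
                   "mtsvp.com"],
}


def consolidate(blocklists):
    """Split raw entries into collapsed IP networks and a sorted domain list.

    Single IPs become /32 networks; collapse_addresses then drops duplicates
    and absorbs any address already inside a wider listed range.
    """
    nets, domains = [], set()
    for entries in blocklists.values():
        for entry in entries:
            entry = entry.strip().lower()
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                domains.add(entry.rstrip("."))
    return list(ipaddress.collapse_addresses(nets)), sorted(domains)


class Blocklist:
    def __init__(self, blocklists):
        self.networks, self.domains = consolidate(blocklists)

    def covering_network(self, ip):
        """The listed network that contains ip, as a string, or None."""
        addr = ipaddress.ip_address(ip)
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def is_blocked(self, target):
        """True for a listed IP, an IP inside a listed range, or a listed domain
        (or any subdomain of one)."""
        t = target.strip().lower().rstrip(".")
        try:
            ipaddress.ip_address(t)
        except ValueError:
            return any(t == d or t.endswith("." + d) for d in self.domains)
        return self.covering_network(t) is not None

    def render(self):
        """One entry per line, networks first, suitable for a firewall/DNS list."""
        return [str(n) for n in self.networks] + self.domains


if __name__ == "__main__":
    bl = Blocklist(RAW_BLOCKLISTS)
    print("\n".join(bl.render()))
    print("46.30.46.60 ->", bl.covering_network("46.30.46.60"))
```

The collapse step is also where a reviewer should pause: a /24 or /28 taken from a post blocks every tenant on that range, and the page itself notes that some of the listed servers are shared hosting with legitimate sites alongside the compromised ones. Whether to block the whole range or only the listed hosts is a judgement per environment; the tool just makes the overlap visible.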