Sponsored by..

Showing posts with label Germany. Show all posts
Showing posts with label Germany. Show all posts

Wednesday, 25 May 2016

Malware spam: "Weekly report" / "Please find attached the Weekly report."

This fake financial spam comes from random senders and companies and has a malicious attachment:

From:    Alicia Ramirez
Date:    25 May 2016 at 14:22
Subject:    Weekly report

Hi [redacted],


Please find attached the Weekly report.


King regards,

Alicia Ramirez
Castle (A.M.) & Co.
There are a large number of these, with a ZIP file attached containing a malicious scripts with a typical detection rate of 3/56. In this sample Malwr analysis, it downloads a file from:

test.glafuri.net/yxk6s

There will certainly be a LOT of other download locations. The dropped file GSKQtcnNu8MS.exe has a detection rate of 4/55 and that same VirusTotal report indicates C2 traffic to:

138.201.93.46 (Hetzner, Germany)
91.200.14.139 (PP SKS-LUGAN, Ukraine)
104.131.182.103 (Digital Ocean, US)
164.132.40.47 (OVH, France)


Even though other automated analysis failed [1] [2] this time we have previously identified two of those IPs as being Locky ransomware, so there is little doubt that this will be more of the same.

Recommended blocklist:
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47

Tuesday, 24 May 2016

Phish: "TNT Consignment Notification" via rit.edu

This fake TNT notification is phishing for credentials:

From:    TNT Express
Reply-To:    sh3llsh0p@yahoo.com
Date:    24 May 2016 at 11:34
Subject:    TNT Consignment Notification

Attention: [redacted],

TNT is pleased to advise you that ANTONIOU KONSTANTINOS has arranged for a shipment to be collected from them on May 23, 2016 , and delivered to You on 275th May 2016.
The shipment has a TNT CONSIGNMENT NOTE NUMBER: 119138390

To be able to check the status of the shipment simply visit or click below to track.



http://www.tnt.com/webtracker/tracking.do?navigation=1&searchType=CON&respLang=en&respCountry=GENERIC&genericSiteIdent=.&cons=119138390


From :
ANTONIOU KONSTANTINOS
Theokritou 5
THESSALONIKI
THESSALONIKIS
546 27
GR

Pieces : 1
Weight : 0.5 KG
Shipment reference :
Description : sample
If you would like to find out about the many ways TNT helps you to track your shipment, or if you would like to know more about the services provided by TNT, simply connect to www.tnt.com and select your location at any time.


---------------------------------------------------------------------------------------------------------------
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.
Please consider the environmental impact before printing this document and its attachment(s). Print black and white and double-sided where possible.
------------------------------------------------------------------------------
The link in the email is disguised to make it look like a link to tnt.com, but in face it goes to:

heurica.dk/tnt1/?email=[redacted]

which then forwards to

booking-smart-swim-school.co.uk/images/TNT/index.php?rand=13InboxLightaspxn.1774256418&fid&1252899642&fid.1&fav.1&email=[redacted]

This URLquery report shows what is going on, as the victim ends up on a laughably fake phishing page:


Presumably this is phishing for general email credentials rather than a TNT login. Orignating IP is 87.106.178.108 (1&1, Germany) via an apparently compromised account or server at pmdf01b.rit.edu



Tuesday, 17 May 2016

Malware spam: "Per E-Mail senden: DOC0000329040"

This German-language spam comes with a malicious attachment. It appears to come from the victim themselves, but this is just a simple forgery.
From:    victim@victimdomain.tld
Date:    17 May 2016 at 13:28
Subject:    Per E-Mail senden: DOC0000329040

Folgende Dateien oder Links können jetzt als Anlage mit Ihrer Nachricht
gesendet werden:

DOC0000329040
Attached is a ZIP file that matches the reference number in the subject and body text. I have only seen one sample, downloading a binary from:

katyco.net/0uh8nb7

The VirusTotal detection rate is 4/57, the comments in that report indicate that this is Locky ransomware and the C&C servers are at:

188.127.231.124 (SmartApe, Russia)
176.53.21.105 (Radore Veri Merkezi Hizmetleri, Turkey)
217.12.199.151 (ITL, Ukraine)
107.181.174.15 (Total Server Solutions, US)


Recommended blocklist:
188.127.231.124
176.53.21.105
217.12.199.151
107.181.174.15



Tuesday, 3 May 2016

Malware spam: "Third Reminder - Outstanding Account" leads to Locky

This fake financial spam has a malicious attachment. It comes from random senders. Last week a fake "Second Reminder" spam was sent out.

From:    Ernestine Perkins
Date:    3 May 2016 at 08:54
Subject:    Third Reminder - Outstanding Account

 Dear Client,

We have recently sent you a number of letters to remind you that the balance of $9308.48 was overdue.
For details please check document attached to this mail


We ask again that if you have any queries or are not able to make full payment immediately, please contact us.


Regards,

Ernestine Perkins
Franchise - Sales Manager / Director - Business Co 

Attached is a ZIP file which in the samples I have seen begins with Scan_ or Document_ each one of which contains four identical copies of the same script, e.g.:

48524088_48524088 - copy (2).js
48524088_48524088 - copy (3).js
48524088_48524088 - copy (4).js
48524088_48524088 - copy.js
48524088_48524088.js


Typical detection rates for the scripts seem to be about 3/56.  The samples I have seen download a malicious binary from one of the following locations (there are probably more):

digigoweb.in/k3lxe
rfacine.com.br/z0odld
boontur.com/b2hskde


These binaries are all slightly different, with detection rates of 4 to 6 out of 56 [1] [2] [3]. Various automated analyses [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] show that this is Locky ransomware, and it phones home to:

31.184.197.126 (Petersburg Internet Network, Russia)
78.47.110.82 (Hetzner, Germany)
91.226.93.113 (Sobis, Russia)
91.219.29.64 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)


Recommended blocklist:
31.184.197.126
78.47.110.82
91.226.93.113
91.219.29.64

Tuesday, 26 April 2016

Malware spam: "Missing payments for invoices inside"

This fake financial spam leads to malware:

From:    Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com]
Date:    26 April 2016 at 12:58
Subject:    Missing payments for invoices inside

Hi there!

Hope you are good.

Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.

BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.

Kind Regards

Jeffry Rogers

Henderson Group

Tel: 337-338-4607
I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:

web.spartanburgcommunitycollege.com/gimme/some/loads_nigga.php

This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:

103.245.153.154 (OrionVM Retail Pty Ltd, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (FPT Telecom Company, Vietnam)
213.192.1.171 (EASY Net, Czech Republic)


The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.

Recommended blocklist:
103.245.153.154
176.9.113.214
210.245.92.63
213.192.1.171


Thursday, 21 April 2016

Malware spam: "FW: Latest order delivery details" is somewhat rude

This fake financial spam leads to malware:

From:    Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]
Date:    21 April 2016 at 17:45
Subject:    FW: Latest order delivery details

Good morning!

Hope you are good.

Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.

I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.

Many thanks and good luck

Milan Bell

DORIC NIMROD AIR ONE LTD

tel. 443-682-9021
The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:

trendmicro.healdsburgdistricthospital.com/RIB/assets.php

Cheekily the URL references a well-known security company.  The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:

176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)

You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:

103.245.153.154 (OrionVM, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (PT Telecom Company, Vietnam)
23.249.1.171 (Datacate , US)


It is not clear what the payload is, but there are indications it is the Dridex banking trojan.

Recommended blocklist:
176.103.56.30
103.245.153.154
176.9.113.214
210.245.92.63
23.249.1.171



Wednesday, 20 April 2016

Malware spam: "Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]" / "Document No™2958719"

This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:

From:    Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]
Date:    20 April 2016 at 11:01
Subject:    Document No™2958719

Thanks for using electronic billing

Please find your document attached

Regards


Beerhouse Self Drive
In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:

bi.pushthetraffic.com/87ty8hbvcr44

There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between then identify what is likely to be Dridex, phoning home to the following servers:

193.90.12.221 (MultiNet AS, Norway)
212.126.59.41 (Letshost / Digiweb, Ireland)
93.104.211.103 (Contabo GmbH, Germany)
155.133.82.82 (FUFO Studio Agata Grabowska, Poland)
212.50.14.39 (Computers Equipnemt, Bulgaria)
91.194.251.204 (TOV Dream Line Holding, Ukraine)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)


Recommended blocklist:
193.90.12.221
212.126.59.41
93.104.211.103
155.133.82.82
212.50.14.39
91.194.251.204
194.116.73.71
64.76.19.251



Tuesday, 12 April 2016

PlusServer has a PlusSized problem with Angler

PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again.

So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).

85.25.102.0/24
85.25.107.0/24
85.25.160.0/24 
85.93.93.0/24
188.138.17.0/24
188.138.70.0/24 
188.138.71.0/24
188.138.75.0/24
188.138.102.0/24
188.138.105.0/24 
188.138.125.0/24 
217.172.189.0/24
217.172.190.0/24

Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too.

UPDATE 2016-04-25

Here are some more PlusServer ranges where Angler has been rampant:

85.25.218.0/24
85.25.237.0/24
188.138.25.0/24
188.138.68.0/24

UPDATE 2016-05-10

Heavy Angler activity has also been spotted in the following ranges:

62.75.203.0/24
62.75.207.0/24
85.25.43.0/24 
85.25.79.0/24
85.25.159.0/24
85.25.217.0/24
188.138.33.0/24
188.138.68.0/24
188.138.125.0/24

In addition, some Angler activity has been observed in the following ranges but is not yet widespread (I will update if I see more activity):

62.75.167.0/24
85.25.41.0/24

85.25.74.0/24

85.25.106.0/24
85.25.207.0/24

188.138.41.0/24
188.138.57.0/24
188.138.69.0/24
188.138.102.0/24

PlusServer (or more likely one or more of their resellers) appear to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in 188.138.105.0/24) that the only safe option is to block traffic to those network ranges.

With black hat hosts such as Qhoster or Host Sailor and to some extent Agava you can block the entire network ranges and not block anything of value at all. In using PlusServer, the bad guys can hide their evil sites among legitimate sites where administration might fear to block something accidentally. My personal opinion is that admins need to be bold and block anyway.. it should usually be possible to block individual sites where needed.

Tuesday, 29 March 2016

Malware spam: "CCE29032016_00034" / "Sent from my iPhone"

The malware spammers have been busy again today. I haven't had time to look at this massive spam run yet, so I am relying on a trusted third party analysis (thank you!)

These spam emails look like the victim is sending them to themselves (but they aren't). Reference numbers vary a little between emails, but the basic pattern is:

From:    victim
To:    victim
Date:    29 March 2016 at 17:50
Subject:    CCE29032016_00034

Sent from my iPhone

Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:

3r.com.ua/ty43ff333.exe
canadattparts.com/ty43ff333.exe
chilloutplanet.com/ty43ff333.exe
gazoccaz.com/ty43ff333.exe
hindleys.com/ty43ff333.exe
jeweldiva.com/ty43ff333.exe
kandyprive.com/ty43ff333.exe
labonacarn.com/ty43ff333.exe
silvec.com/ty43ff333.exe
tbde.com.vn/ty43ff333.exe
zecapesca.com/ty43ff333.exe


This payload has a detection rate of 4/56. The malware calls back to:

84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
109.234.35.128 (McHost, Russia)


McHost is almost purely a black-hat ISP in my opinion and should be blocked on sight.

Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24

Monday, 28 March 2016

Malware spam: "Envoi d’un message : 9758W-TERREDOC-RS62937-15000" / Christine Faure [c.faure@technicoflor.fr]

This French-language spam comes with a malicious attachment:
From:    Christine Faure [c.faure@technicoflor.fr]
Date:    28 March 2016 at 16:54
Subject:    Envoi d’un message : 9758W-TERREDOC-RS62937-15000

Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :

9758W-TERREDOC-RS62937-15000
Message de sécurité
To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:

store.brugomug.co.uk/765f46vb.exe
ggbongs.com/765f46vb.exe
dragonex.com/765f46vb.exe
homedesire.co.uk/765f46vb.exe

scorpena.com/765f46vb.exe
pockettypewriter.co.uk/765f46vb.exe
enduro.si/pdf/765f46vb.exe
185.130.7.22/files/qFBC5Y.exe

Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses [17] [18] [19] [20] the malware phones home to:

83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)


All of those look like pretty shady neigbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.

The other binary appears to be another version of Locky which appears to phone home to the same servers.

Recommended blocklist:
83.217.8.127
84.19.170.249
185.117.72.94
91.200.14.73
92.63.87.134
176.31.47.100





Thursday, 24 March 2016

Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk

This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment:

From:    customer.service@axminster.co.uk
Date:    24 March 2016 at 10:11
Subject:    Your order has been despatched

Dear Customer

The attached document* provides details of items that have been packed and are ready for despatch.

Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.

Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm

Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)

Kind regards

Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk

* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8]  shows download locations at:

skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe


This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:

71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)


It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.

UPDATE

Some additional download locations from another source (thank you!)

webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe



Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41




Monday, 21 March 2016

Malware spam: "FX Service" / "Fax transmission" spoofing victim's domain

This fake fax spam appears to come from within the victim's own domain, but it doesn't. Instead is is just a simple forgery with a malicious attachment.

From:    FX Service [emailsend@w.e191.victimdomain.tld]
Date:    21 March 2016 at 14:32
Subject:    Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff

Please find attached to this email a facsimile transmission we
have just received on your behalf

(Do not reply to this email as any reply will not be read by
a real person)
Details will vary from message to message. Attached s a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:

http://modaeli.com/89h766b.exe
http://spormixariza.com/89h766b.exe
http://sebastiansanni.org/wp-content/plugins/hello123/89h766b.exe
http://cideac.mx/wp-content/plugins/hello123/89h766b.exe


There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56.  This Malwr report of the payload indicates that it is Locky ransomware.

All of those sources plus this Deepviz report show network traffic to the following IPs:

195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine)


If I receive more information I will post it here.

Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90






Friday, 18 March 2016

Malware spam: "Proof of Delivery Report: 16/03/16-17/03/16" / UKMail Customer Services [list_reportservices@ukmail.com]

This spam does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    UKMail Customer Services [list_reportservices@ukmail.com]
Date:    18 March 2016 at 02:46
Subject:    Proof of Delivery Report: 16/03/16-17/03/16

Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD



...........................................................................................................................................................................................
iMail Logo
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.

At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm which has a VirusTotal detection rate of 9/55. This Malwr report for the sample shows a file download from:

kervanburak.com/wp-content/plugins/hello123/r34t4g33.exe

There will be many other versions of the attachment with different download locations. This binary has a detection rate of 8/55 and this Malwr report and Hybrid Analysis  show network traffic to:

64.147.192.68 (Dataconstructs, US)

I recommend you block traffic to that IP. The payload appears to be the Dridex banking trojan.

UPDATE 1

This DeepViz report shows some additional IP addresses contacted:

64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


UPDATE 2

Some additional download locations from a trusted source (thank you!):

almexports.com/wp-content/plugins/hello123/r34t4g33.exe
cky.org.uk/wp-content/plugins/hello123/r34t4g33.exe
felipemachado.com/wp-content/plugins/hello123/r34t4g33.exe
ioy.co.il/wp-content/plugins/hello123/r34t4g33.exe
muhidin.eu.pn/wp-content/plugins/hello123/r34t4g33.exe
tribebe.com/wp-content/plugins/hello123/r34t4g33.exe
voiceofveterans.in/wp-content/plugins/hello123/r34t4g33.exe


Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78

Thursday, 17 March 2016

Malware spam: "Interparcel Documents" / Interparcel [bounce@interparcel.com]

This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
From:    Interparcel [bounce@interparcel.com]
Date:    17 March 2016 at 08:51
Subject:    Interparcel Documents

Your Interparcel collection has been booked and your documents are ready.

There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.

Thank you for booking with Interparcel.
Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:

gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/56h4g3b5yh.exe


The detection rate for the binary is 5/57. This DeepViz report on the binary shows network connections to:

195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


As mentioned before, these characteristics look like the Dridex banking trojan.

Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78




Thursday, 10 March 2016

Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"

This fake financial spam comes with a malicious attachment:

From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833

Dear Client!

For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994


Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:

http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1


These sites are hosted on:

142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)


This Malwr report and this Hybrid Analysis shows communications with:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)


The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.

These domains are also associated with some of the IPs. Consider them all to be evil:

t54ndnku456ngkwsudqer.wallymac.com
spannflow.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
howareyouqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
witchbehereqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
hellomississmithqq.com
thisisyourchangeqq.com
www.thisisyourchangeqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146



Wednesday, 9 March 2016

Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]

This terse spam has a malicious attachment. There is no body text.
From:    Idris Mohammed [idrismohammed25@gmail.com]
Date:    9 March 2016 at 09:55
Subject:    DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
 
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe


There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:

64.76.19.251 (Impsat, Argentina)

I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.

UPDATE

A contact sent some more download locations (thank you!)

oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe


..and also some additional C2s..

188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234




Thursday, 3 March 2016

Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]

This spam does not come from KM Media Group but it is instead a simple forgery with a malicious attachment:

From     Sally Webb [swebb@thekmgroup.co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535

--

regards,
Sally


*Sally Webb*
Recruitment Media Sales Executive
KM Media Group

DDI : 01622 794500
Email : swebb@thekmgroup.co.uk

*KM Media Group is Kent's only independent multimedia company*

*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*

*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*

Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detectin rates around 3/55. Analysis from another source (thank you) gives download locations at:

coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe


The initial payload has a detection rate of 4/55 which has now been updated with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:

188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234


Wednesday, 24 February 2016

Malware spam: "VAT Invoice - Quote Ref: ES0142570" / CardiffC&MFinance@centrica.com

This fake financial spam is not from British Gas / Centrica but is instead a simple forgery with a malicious attachment.

From:    CardiffC&MFinance [CardiffC&MFinance@centrica.com]
Date:    24 February 2016 at 09:09
Subject:    VAT Invoice - Quote Ref: ES0142570


Good Afternoon,

Please find attached a copy of the VAT invoice as requested.

Regards
Tracy Whitehouse
Finance Team
British Gas Business| Floor 1| 4 Callaghan Square| Cardiff| CF10 5BT
http://intranet/C12/C12/Brand%20and%20communications%20toolk/Email%20signatures/British-Gas-Top-25-gptw.jpg




_____________________________________________________________________
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside England and Wales).

The views expressed in this email are not necessarily the views of Centrica plc, and the company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary.

PH Jones is a trading name of British Gas Social Housing Limited. British Gas Social Housing Limited (company no: 01026007), British Gas Trading Limited (company no: 03078711), British Gas Services Limited (company no: 3141243), British Gas Insurance Limited (company no: 06608316), British Gas New Heating Limited (company no: 06723244), British Gas Services (Commercial) Limited (company no: 07385984) and Centrica Energy (Trading) Limited (company no: 02877397) are all wholly owned subsidiaries of Centrica plc (company no: 3033654). Each company is registered in England and Wales with a registered office at Millstream, Maidenhead Road, Windsor, Berkshire SL4 5GD.

British Gas Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. British Gas Services Limited and Centrica Energy (Trading) Limited are authorised and regulated by the Financial Conduct Authority. British Gas Trading Limited is an appointed representative of British Gas Services Limited which is authorised and regulated by the Financial Conduct Authority.

In the only sample I have seen before, there is an attached file named archive-0910001923884.docm which has a VirusTotal detection rate of 3/52. Analysis of this document is pending, but it is likely to drop either the Dridex banking trojan or Locky ransomware.

UPDATE 1

The Hybrid Analysis of the document plus the VirusTotal scan of the dropped EXE look like Dridex. The download location for that document was:

skropotov.ru/system/logs/87h754.exe

C2 to block:
80.86.91.232 (PlusServer, Germany)

UPDATE 2 

The comments on this VT report indicate other download locations:

school62.dp.ua/new_year/balls/87h754.exe
skropotov.ru/system/logs/87h754.exe
designis.com.ua/admin/images/87h754.exe
armo.sk/system/logs/87h754.exe
eyesquare.tn/system/logs/87h754.exe


Friday, 19 February 2016

Malware spam: "Unpaid Invoice #350" / credit control [invoices@thistleremovals.co.uk]

This fake financial spam does not come from Thistle Removals but is instead a simple forgery with a malicious attachment.
From     credit control [invoices@thistleremovals.co.uk]
Date     Fri, 19 Feb 2016 17:52:49 +0200
Subject     Unpaid Invoice #350
Message text

Please see attached letter and a copy of the original invoice.
Attached is a file with a semirandomly name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).

Third party analysis (thank you) indicates that this then phones home to the following locations:

91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php
(Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)

The payload is the Locky ransomware.

Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106


Malware spam: "Invoice FEB-23456789" from "Accounting Specialist"

This fake financial spam comes from random senders, the attachment is malicious and drops the Locky ransomware:

From:    Kenya Becker
Date:    19 February 2016 at 11:59
Subject:    Invoice FEB-92031923


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Kenya Becker
Accounting Specialist

==================

From:    Toni Jacobson
Date:    19 February 2016 at 12:10
Subject:    Invoice FEB-63396033


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Toni Jacobson
Accounting Specialist 
Attached is a file with a semirandom name similar to invoice_feb-92031923.doc (Sample VirusTotal report) which contains XML that looks like this [pastebin]. Malwr analysis of these samples [1] [2] shows it downloading a malicious executable from:

ratgeber-beziehung.de/5/5.exe
www.proteusnet.it/6/6.exe

If recent patterns are followed, there will be several different download locations with different versions of the file at each. I will let you know if I get these locations. The binaries has a detection rate of 7/55 and 6/54 and these Malwr reports [1] [2] [3] indicate that it phones home to:

85.25.138.187 (PlusServer AG, Germany)
31.41.47.3 (Relink Ltd, Russia)


Other samples are being analysed, but in the meantime I recommend that you block traffic to:

85.25.138.187
31.41.47.3


UPDATE 1

Some additional download locations from these Malwr reports [1] [2] [3]:

ecoledecorroy.be/1/1.exe
animar.net.pl/3/3.exe
luigicalabrese.it/7/7.exe


..stil working on those other locations!

UPDATE 2

Two other locations are revealed in these Malwr reports [1] [2]:

http://lasmak.pl/2/2.exe
http://suicast.de/4/4.exe