Sponsored by..

Showing posts with label Hetzner. Show all posts
Showing posts with label Hetzner. Show all posts

Monday 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*


Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249

Wednesday 2 November 2016

Malware spam: "Companies House - new company complaint" / noreply@companies-house.me.uk / noreply@companieshouses.co.uk leads to TrickBot

This fake Companies House spam leads to TrickBot malware:

From:    Companies House [noreply@companieshouses.co.uk]
Date:    2 November 2016 at 11:51
Subject:    Companies House - new company complaint
Signed by:    companieshouses.co.uk

Investigations and Enforcement Services

This message has been auto-generated in response to the company complaint submitted to our WebFiling  service.

The submission number is ID109202DLK02911

Please find the attached document for your review.

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Crown Logo
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500

The Cardiff office is open 24 hours a day for the receipt of documents Contact Centre lines are open between 8.30am to 6pm (Monday to Friday) 
Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.


The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:

    Registrant:
        Camell Williams

    Registrant type:
        Unknown

    Registrant's address:
        550 HOLTS LAKE CT STE 101
        Suite 101
        Apopka
        Florida
        32703
        United States


Both those domains are close to the genuine one of companieshouse.gov.uk and because the email is digitally signed it might get past spam filters where normal botnet-sent spam wouldn't.

All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.

Attached is a Word document Complaint.doc  (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:

futuras.com/img/dododocdoc.exe

This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.

The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:

78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)


The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.

Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117


Tuesday 1 November 2016

Malware spam: "New Fax Message" / administrator@local-fax.com leads to TrickBot

This fake fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

From:    Administrator [administrator@local-fax.com]
To:    annie@[redacted]
Date:    1 November 2016 at 13:28
Subject:    New Fax Message
Signed by:    local-fax.com

Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.

[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]

Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.



Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and Hybrid Analysis give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:

www.tessaban.com/img/safafaasfasdddd.exe

This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports give the following suspect traffic:

91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)

I can match all those IPs except the last to this ThreatGeek report, those IPs are a mix of what looks like dynamic IPs for hacked home users and static ones (highlighted):

5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.

If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:

37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24


However, there's more to this too. The original email message is actually signed by local-fax.com and it turns out that this domain was created just today with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking.

All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously enough..


Wednesday 26 October 2016

Malware spam: "Your order has been proceeded." leads to Locky

This curiously worded spam email leads to Locky ransomware:

Subject:     Your order has been proceeded
From:     Elijah Farrell
Date:     Wednesday, 26 October 2016, 12:41


Your order has been proceeded.

Attached is the invoice for your order 2026326638.

Kindly keep the slip in case you would like to return or state your product's warranty.
The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name.

The various scripts download a component from one of the following locations (thank you to my usual source for this):

198zc.com/vnrymi
3d-schilling.de/ytm08hf
abaffbedip.net/0ec4sb62
abaffbedip.net/1roef5v
abaffbedip.net/5k4oh5
abaffbedip.net/8b0lk2p
actiononsports.com/yduc1
aiccard.co.th/sy7hb7
alefunny.pl/vjjw0
alvida.de/zhw8nw6
antiguarelojeria.com/zg28jio
ayso722.org/ny8s6fn
banana2.jp/zsf0952
begbuilders.com/xjtb9k
bibliocultura.org/hdhwx7sf
bluecuracao.nl/xt8w2p3
bonetti.nl/bqc565q
brkos.borec.cz/skxkk33b
callideo.fr/zwg1d
caulgreet.com/0gxgwa
caulgreet.com/2sqh38d1
caulgreet.com/6o04pdt
caulgreet.com/9gl7t
chuvafeatherstone.com/rve6j
ciscscout.net/rvkbiv3t
cloudafis.com/kpw6h4uh
cngmalaysia.org/f4cda
cpugame.com/r3octl
cryochoice.com/n4801d
dadaniu.cn/cyk9hpr
danor.ro/xnnhp5
dmtya.ru/zqzii
dominoassociates.com/keg4g
dongyigg.com/onirn0r
dont.pl/stuf3
dovgan.bclas.ru/wk7tah
dzyncreative.com/v1djrmn
ecentz.com/sbvv8md
edepolama.com/xlyrh
edu02.ru/nk6z1
entersukses.com/cudm8
ergobois.com/j87ns
esteticapro.com/tje1ya
esysports.com/ybn7qw
exquisiteescape.com/fa8f7fk9
fazendacristal.com/djgyn
fbstone.com/xjlq6
fengxiaohui.com/yulge
filenetp8.info/esg742j9
flw123.com/kygiq6t
gerardfetter.com/fudjm1m
gongzuoshu.com/lojhvcj7
grandfm.com/my98xg7a
guymorgandaily.com/ilgx8tki
hankookm.com/lun77kyf
hfhhk.com/edfwyi1
hotsigns.net/ayxpi
jean-ealogy.com/dauwq7a
khstarter.com/w8811bg
landondavid.com/d5t56y4b
lanmaicao.com/bxyi91
lcmaya.com/d79p8w
mannersfromtheheart.com/cn450b
milianjie.com/dg1ie
morenaart.com/qbwnl
nakedglobal.com/d6s6f
roweliced.net/12fi9dc
roweliced.net/35lz355g
roweliced.net/6vgrs4
roweliced.net/a1f8yb
sheatcatan.com/1cb7jn
sheatcatan.com/3oze6ie
sheatcatan.com/74mqu
sheatcatan.com/awcdu3
titmaius.net/0f7ygeg
titmaius.net/1zsxe
titmaius.net/6g32j
titmaius.net/8u0ie

The downloaded binary then phones home to:

78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)


It also tries to phone home to these URLs which are currently not resolving:

umjjvccteg.biz/linuxsucks.php
hbnatserncelosskp.biz/linuxsucks.php
rqnegynlpkohoohp.pw/linuxsucks.php
ymrorgauixirigj.biz/linuxsucks.php
ayyxamwyvfyqidija.pw/linuxsucks.php
yfjxvok.ru/linuxsucks.php
lbbauqqpynjem.xyz/linuxsucks.php
tnvnmjdyokgyj.pl/linuxsucks.php
hoiedes.pl/linuxsucks.php
toaqabrl.xyz/linuxsucks.php
leacfrc.info/linuxsucks.php
jkjxnrnirmqt.pw/linuxsucks.php

Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225




Wednesday 31 August 2016

Malware spam: "bank transactions"

This fake financial spam comes with a malicious attachment:

From:    Rueben Vazquez
Date:    31 August 2016 at 10:06
Subject:    bank transactions


Good morning petrol.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.


Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.

According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):

www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis

Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:

95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably the Locky ransomware.

Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24


Monday 15 August 2016

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Friday 12 August 2016

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld
The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs


The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190


Thursday 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Monday 1 August 2016

Scam: Fanrong Europe Fund / fanrongfund.info / fanrongeuropefund.info / fanrongeuropefund.com

This spam email advertising a "too good to be true" investment is a scam:

From:    Tim Hoffman [letter@612.com]
To:    contact [contact@victimdomain.tld]
Date:    30 July 2016 at 09:26
Subject:    Fanrong Europe Fund – 1 Half 2016 return +32.69%.

Dear Sirs,

Please be informed that the Fanrong Europe Fund reported strong 1 Half 2016 with return +32.69%.

Fanrong Europe Fund is a registered hedge fund that managed by a team of stock market experts that located in Zurich, Switzerland. The Fanrong Europe Fund Strategy is Long/Short Equity. The Fund was launched in April 2014. It is open-ended hedge fund. We are open for new investors.

We welcome you to contact us through our web-site to learn more about investing with us:
www.FanrongFund.info

Kind regards,
Tim Hoffman
e-marketing manager
Fanrong Europe Fund
www.FanrongFund.info


Reply to: marketing@fanrongfund.info

If you do not want to receive this newsletter send an email to: unsubscribe@fanrongfund.info

NOTICE: Your address was obtained from open sources where you were agreed to receive the marketing information from third parties.
I have received two of these emails, one coming from the IPs 188.69.207.57 and 188.69.223.168 which are both allocated to a mobile phone provider in Lithuania (UPDATE: also 188.69.223.54). The website fanrongfund.info was created just a few days ago (28th July 2016) and is registed to the following (presumably fake) registrant:

Registrant ID: JLD4030131633
Registrant Name: James Dean
Registrant Organization:
Registrant Street: Vorstadt 20
Registrant City: Zug
Registrant State/Province:
Registrant Postal Code: 6300
Registrant Country: CH
Registrant Phone: +41.417120101
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jd767@yahoo.com


The site is hosted (apparently) in the British Virgin Islands on an IP allocated to the Public Domain Registry (PDR). It uses nameservers from Russian company AYBHOST.COM.

The website is pretty generic looking and opens with these words of wisdom:

Our main trade approach is:
"Close the position if it runs to loss, and hold it if it runs to profit".

Hans Messner
fund manager "Fanrong Europe Fund"

What next. "Buy low, sell high"? Here are some screenshots in case you see another version of this on your travels:






The "About" page carries this text:
We are the EU-domiciled investment manager with successful experience in stock trade in EU. Our professional assets managers have personal approach to trade with bear and bulls market. We use self-made investment strategy that allows getting the constant positive result in short-term horizon. All investment process is in full accordance with IIS (International Investment Standards) of Fanrong Capital (Hong Kong) (fanrongcapital.com).
Presumably this is copied off an earlier scam site, in this case there is an official warning about that particular firm.

fanrongfund.info appears to have mirrors at:

fanrongeuropefund.info
fanrongeuropefund.com

Both of these are hosted on 46.4.24.196 (Hetzner, Germany). The WHOIS details for those are inconsistent with each other.

fanrongeuropefund.info
Registrant ID: HSM1859139253
Registrant Name: Hans Messner
Registrant Organization: Fanrong Europe Fund
Registrant Street: Leutschenbachstrasse 95
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8050
Registrant Country: CH
Registrant Phone: +41.445632589
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.info


fanrongeuropefund.com
Registry Registrant ID: Not Available From Registry
Registrant Name: Li Yong
Registrant Organization:
Registrant Street: Schwingerstrasse 9
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8006
Registrant Country: CH
Registrant Phone: +41.442289632
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.com


For completeness, the domain fanrongcapital.com is hosted on 5.100.152.26  (the same block as fanrongfund.info) and this particular corporation seems to be using a free email address..

Registry Registrant ID: Not Available From Registry
Registrant Name: Wei Zhang
Registrant Organization: Fanrong Capital
Registrant Street: 20F, 1 Harbor View Street
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 111000
Registrant Country: HK
Registrant Phone: +852.58085536
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fanrongcapital@yahoo.com


Nothing about this offer is legitimate. Avoid it, or if you have invested money in this fictitious firm then you should contact the police immediately.

Wednesday 27 July 2016

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be 
The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.

UPDATE

The C2 locations for this variant are:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)


Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30


Malware spam: "Sent from my Samsung device" leads to Locky

This spam comes in a few different variations:

From:    Lottie
Date:    27 July 2016 at 10:38
Subject:    scan0000510

Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:

alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765


The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)


(Thank you to my usual source for this data)

There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.

Recommended blocklist:
5.9.253.160/27
178.62.232.244


Wednesday 25 May 2016

Malware spam: "Weekly report" / "Please find attached the Weekly report."

This fake financial spam comes from random senders and companies and has a malicious attachment:

From:    Alicia Ramirez
Date:    25 May 2016 at 14:22
Subject:    Weekly report

Hi [redacted],


Please find attached the Weekly report.


King regards,

Alicia Ramirez
Castle (A.M.) & Co.
There are a large number of these, with a ZIP file attached containing a malicious scripts with a typical detection rate of 3/56. In this sample Malwr analysis, it downloads a file from:

test.glafuri.net/yxk6s

There will certainly be a LOT of other download locations. The dropped file GSKQtcnNu8MS.exe has a detection rate of 4/55 and that same VirusTotal report indicates C2 traffic to:

138.201.93.46 (Hetzner, Germany)
91.200.14.139 (PP SKS-LUGAN, Ukraine)
104.131.182.103 (Digital Ocean, US)
164.132.40.47 (OVH, France)


Even though other automated analysis failed [1] [2] this time we have previously identified two of those IPs as being Locky ransomware, so there is little doubt that this will be more of the same.

Recommended blocklist:
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47

Tuesday 3 May 2016

Malware spam: "Third Reminder - Outstanding Account" leads to Locky

This fake financial spam has a malicious attachment. It comes from random senders. Last week a fake "Second Reminder" spam was sent out.

From:    Ernestine Perkins
Date:    3 May 2016 at 08:54
Subject:    Third Reminder - Outstanding Account

 Dear Client,

We have recently sent you a number of letters to remind you that the balance of $9308.48 was overdue.
For details please check document attached to this mail


We ask again that if you have any queries or are not able to make full payment immediately, please contact us.


Regards,

Ernestine Perkins
Franchise - Sales Manager / Director - Business Co 

Attached is a ZIP file which in the samples I have seen begins with Scan_ or Document_ each one of which contains four identical copies of the same script, e.g.:

48524088_48524088 - copy (2).js
48524088_48524088 - copy (3).js
48524088_48524088 - copy (4).js
48524088_48524088 - copy.js
48524088_48524088.js


Typical detection rates for the scripts seem to be about 3/56.  The samples I have seen download a malicious binary from one of the following locations (there are probably more):

digigoweb.in/k3lxe
rfacine.com.br/z0odld
boontur.com/b2hskde


These binaries are all slightly different, with detection rates of 4 to 6 out of 56 [1] [2] [3]. Various automated analyses [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] show that this is Locky ransomware, and it phones home to:

31.184.197.126 (Petersburg Internet Network, Russia)
78.47.110.82 (Hetzner, Germany)
91.226.93.113 (Sobis, Russia)
91.219.29.64 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)


Recommended blocklist:
31.184.197.126
78.47.110.82
91.226.93.113
91.219.29.64

Tuesday 26 April 2016

Malware spam: "Missing payments for invoices inside"

This fake financial spam leads to malware:

From:    Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com]
Date:    26 April 2016 at 12:58
Subject:    Missing payments for invoices inside

Hi there!

Hope you are good.

Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.

BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.

Kind Regards

Jeffry Rogers

Henderson Group

Tel: 337-338-4607
I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:

web.spartanburgcommunitycollege.com/gimme/some/loads_nigga.php

This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:

103.245.153.154 (OrionVM Retail Pty Ltd, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (FPT Telecom Company, Vietnam)
213.192.1.171 (EASY Net, Czech Republic)


The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.

Recommended blocklist:
103.245.153.154
176.9.113.214
210.245.92.63
213.192.1.171


Thursday 21 April 2016

Malware spam: "FW: Latest order delivery details" is somewhat rude

This fake financial spam leads to malware:

From:    Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]
Date:    21 April 2016 at 17:45
Subject:    FW: Latest order delivery details

Good morning!

Hope you are good.

Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.

I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.

Many thanks and good luck

Milan Bell

DORIC NIMROD AIR ONE LTD

tel. 443-682-9021
The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:

trendmicro.healdsburgdistricthospital.com/RIB/assets.php

Cheekily the URL references a well-known security company.  The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:

176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)

You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:

103.245.153.154 (OrionVM, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (PT Telecom Company, Vietnam)
23.249.1.171 (Datacate , US)


It is not clear what the payload is, but there are indications it is the Dridex banking trojan.

Recommended blocklist:
176.103.56.30
103.245.153.154
176.9.113.214
210.245.92.63
23.249.1.171



Monday 18 April 2016

Malware spam: "Please do confirm the Quote Price and get back to me as soon as possible"

This fake financial spam leads to malware:
From: khlee@ahnchem.com sales
To
Date: Mon, 18 Apr 2016 13:46:21 +0100
Subject: Re: Quote Price

Dear Sir

FYI,

Please do confirm the Quote Price and get back to me as soon as possible.

Regards
Sales Department
Attached is a fie with an unusual extension, ORDER LIST.ace which is actually a compressed archive (basically a modified ZIP file). It contains an executable ORDER LIST.exe which has a VirusTotal detection rate of 15/56. That same VirusTotal report indicates traffic to:

booksam.tk/pony/gate.php

This is hosted on:

46.4.100.109 (Hetzner, Germany)

That IP address might be worth blocking. The Hybrid Analysis indicates that this steals FTP and perhaps other passwords. This is a Pony loader which will probably try to download additional malware, but it is not clear what that it might be.

Friday 18 March 2016

Malware spam: "Proof of Delivery Report: 16/03/16-17/03/16" / UKMail Customer Services [list_reportservices@ukmail.com]

This spam does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    UKMail Customer Services [list_reportservices@ukmail.com]
Date:    18 March 2016 at 02:46
Subject:    Proof of Delivery Report: 16/03/16-17/03/16

Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD



...........................................................................................................................................................................................
iMail Logo
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.

At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm which has a VirusTotal detection rate of 9/55. This Malwr report for the sample shows a file download from:

kervanburak.com/wp-content/plugins/hello123/r34t4g33.exe

There will be many other versions of the attachment with different download locations. This binary has a detection rate of 8/55 and this Malwr report and Hybrid Analysis  show network traffic to:

64.147.192.68 (Dataconstructs, US)

I recommend you block traffic to that IP. The payload appears to be the Dridex banking trojan.

UPDATE 1

This DeepViz report shows some additional IP addresses contacted:

64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


UPDATE 2

Some additional download locations from a trusted source (thank you!):

almexports.com/wp-content/plugins/hello123/r34t4g33.exe
cky.org.uk/wp-content/plugins/hello123/r34t4g33.exe
felipemachado.com/wp-content/plugins/hello123/r34t4g33.exe
ioy.co.il/wp-content/plugins/hello123/r34t4g33.exe
muhidin.eu.pn/wp-content/plugins/hello123/r34t4g33.exe
tribebe.com/wp-content/plugins/hello123/r34t4g33.exe
voiceofveterans.in/wp-content/plugins/hello123/r34t4g33.exe


Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78

Thursday 17 March 2016

Malware spam: "Interparcel Documents" / Interparcel [bounce@interparcel.com]

This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
From:    Interparcel [bounce@interparcel.com]
Date:    17 March 2016 at 08:51
Subject:    Interparcel Documents

Your Interparcel collection has been booked and your documents are ready.

There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.

Thank you for booking with Interparcel.
Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:

gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/56h4g3b5yh.exe


The detection rate for the binary is 5/57. This DeepViz report on the binary shows network connections to:

195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


As mentioned before, these characteristics look like the Dridex banking trojan.

Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78




Wednesday 9 March 2016

Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]

This terse spam has a malicious attachment. There is no body text.
From:    Idris Mohammed [idrismohammed25@gmail.com]
Date:    9 March 2016 at 09:55
Subject:    DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
 
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe


There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:

64.76.19.251 (Impsat, Argentina)

I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.

UPDATE

A contact sent some more download locations (thank you!)

oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe


..and also some additional C2s..

188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234




Thursday 3 March 2016

Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]

This spam does not come from KM Media Group but it is instead a simple forgery with a malicious attachment:

From     Sally Webb [swebb@thekmgroup.co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535

--

regards,
Sally


*Sally Webb*
Recruitment Media Sales Executive
KM Media Group

DDI : 01622 794500
Email : swebb@thekmgroup.co.uk

*KM Media Group is Kent's only independent multimedia company*

*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*

*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*

Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detectin rates around 3/55. Analysis from another source (thank you) gives download locations at:

coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe


The initial payload has a detection rate of 4/55 which has now been updated with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:

188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234