Sponsored by..

Showing posts with label Hungary. Show all posts
Showing posts with label Hungary. Show all posts

Wednesday 7 September 2016

Malware spam: "Agreement form" leads to Locky

This fake financial spam leads to malware:

Subject:     Agreement form
From:     Marlin Gibson
Date:     Wednesday, 7 September 2016, 9:35

Hi there,

Roberta assigned you to make the payment agreement for the new coming employees.

Here is the agreement form. Please finish it urgently.

Best Regards,
Marlin Gibson
Support Manager
The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..

308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js


Automated analysis [1] [2] shows that the scripts [partly deobfuscated example] attempt to download a binary from one of the following locations:

donttouchmybaseline.ws/ecf2k1o
canonsupervideo4k.ws/afeb6
malwinstall.wang/fsdglygf
listofbuyersus.co.in/epzugs


Of those locations, only the first three resolve, as follows:

donttouchmybaseline.ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k.ws   51.255.227.230 (OVH, France / Kitdos)
malwinstall.wang       51.255.227.230 (OVH, France / Kitdos)


The registration details for all those domains are the same:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:

These are the same details as found here. We know from that incident that the download locations are actually spread around a bit:

23.95.106.206 (New Wave NetConnect, US)
51.255.227.230 (OVH, France / Kitdos)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
216.244.68.195 (Wowrack, US)
217.13.103.48 (1B Holding ZRT, Hungary)


The following also presumably evil sites are also hosted on those IPs:

bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name


Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:

51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48

bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name


UPDATE

My trusted source (thank you) says that it phones home to the following IPs and URLs:

91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota.org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg.work/data/info.php
balichpjuamrd.work/data/info.php
mvvdhnix.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti.work/data/info.php
iruglwxkasnrcq.pl/data/info.php
xketxpqxj.work/data/info.php
qkmecehteogblx.su/data/info.php
bbskrcwndcyow.su/data/info.php
nqjacfrdpkiyuen.ru/data/info.php
ucjpevjjl.work/data/info.php
nyxgjdcm.info/data/info.php


In addition to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55



Monday 5 September 2016

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.


Sincerely yours,
Tamika Good
Account manager
The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:

canonsupervideo4k.ws/1bcpr7xx

This appears to be multihomed on the following IP addresses:

23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)


Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru


Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57.  These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:

91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48

91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55


Tuesday 16 February 2016

Malware spam: fmis@oldham.gov.uk / Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530

This spam does not come from Oldham Council but is is instead a simple forgery with a malicious attachment. The timestamp in the subject line varies, probably generated by the infected computer sending the spam.

From:    fmis@oldham.gov.uk
Date:    16 February 2016 at 08:48
Subject:    Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530


**********************************************************************
Confidentiality: This email and its contents and any attachments are intended
only for the above named. As the email may contain confidential or legally privileged information,
if you are not, or suspect that you are not, the above named or the person responsible
for delivery of the message to the above named, please delete or destroy the
email and any attachments immediately.”

Security and Viruses: This note confirms that this email message has been
swept for the presence of computer viruses. However, we advise that in keeping
with good management practice, the recipient should ensure that the email together
with any attachments are virus free by running a virus scan themselves.
We cannot accept any responsibility for any damage or loss caused by software viruses.

Monitoring: The Council undertakes monitoring of both incoming and outgoing emails.
You should therefore be aware that if you send an email to a person within the Council
it may be subject to any monitoring deemed necessary by the organisation from time to time.
The views of the author may not necessarily reflect those of the Council.

Access as a public body: The Council may be required to disclose this email (or any response to it)
under the Freedom of Information Act, 2000, unless the information in it is covered
by one of the exemptions in the Act.

Legal documents: The Council does not accept service of legal documents by email.
**********************************************************************
I have only seen a single copy of this spam, with an attachment 201602_4_2218.docm which has a VirusTotal detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.

UPDATE

This spam is related to this one.  Automated analysis of the samples [1] [2] [3] [4] plus some private sources indicate download locations for this and other related campaigns today at:

labelleflowers.co.uk/09u8h76f/65fg67n
lepeigneur.power-heberg.com/09u8h76f/65fg67n
yurtdisiegitim.tv/09u8h76f/65fg67n
hg9.free.fr/09u8h76f/65fg67n
jtonimages.perso.sfr.fr/09u8h76f/65fg67n
test.blago.md/09u8h76f/65fg67n


This file has a detection rate of 3/54. According to those reports, it phones home to:

151.248.117.140 (Reg.ru, Russia)
87.229.86.20 (Znet Telekom, Hungary)
50.56.184.194 (Rackspace, US)


Recommended blocklist:
151.248.117.140
87.229.86.20
50.56.184.194


Friday 12 February 2016

Malware spam: "DVSA RECEIPT" / FPO.CC.15@vosa.gsi.gov.uk

This spam email does not come from a UK government agency, but is instead a simple forgery with a malcious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi.gov.uk.

From     FPO.CC.15@vosa.gsi.gov.uk
Date     Fri, 12 Feb 2016 12:47:20 +0300
Subject     DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.
*********************************************************************


The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.
Attached is a file Fixed Penalty Receipt.docm which comes in at least ten different variants with the following MD5s:



1cb27d23f9999d9d196a5d20c28fbd4e
68225ddcb35694eff28a2300e8d60399
a99d6c25218add7ece55b2503666b664
57ab4224e7d2274d341020767a6609fd
51f5960ae726906a50b5db4e9253c3c2
7a43a911e0ad208adf4e492345349269
4aae160341b6d96adc2c911ddc941222
f34460da1e77ae4a3b178532800300a2
58a01b254b9d7b90d1d0f80c14f5a089
50e1c94e43f05f593babddb488f1a2f9


I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:

raysoft.de/09u8h76f/65fg67n
xenianet.org/09u8h76f/65fg67n
steinleitner-online.net/09u8h76f/65fg67n [reported here]

This dropped file has a detection rate of 5/54 (MD5 7bf7df5e630242182fa95adff4963921). This Hybrid Analysis report indicates subsequent traffic to:

192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
87.229.86.20 (ZNET Telekom Zrt, Hungary)
84.38.67.231 (ispOne business GmbH, Germany)


The payload is the Dridex banking trojan.

Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231



Thursday 11 February 2016

Malware spam: "Scan from KM1650" / "Please find attached your recent scan" / "scanner@victimdomain.tld"

This fake document scan leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.

From:    scanner@victimdomain.tld
Date:    11 February 2016 at 10:24
Subject:    Scan from KM1650

Please find attached your recent scan  
Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1] [2] [3]). The Malwr reports [4] [5] [6] indicate the the macro in the document downloads a malicious executable from:

maraf0n.vv.si/09u8h76f/65fg67n
www.sum-electronics.co.jp/09u8h76f/65fg6
7n

The dropped executable has a detection rate of 2/54. As with this earlier spam run it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

Block traffic to that IP. The payload is the Dridex banking trojan.



Malware spam: "INT242343 Unpaid Invoice - Your Services May Be Suspended" / payments@wavenetuk.com

This spam does not come from Wavenet Group but is instead a simple forgery with a malicious attachment:

From     payments [payments@wavenetuk.com]
Date     Thu, 11 Feb 2016 15:14:59 +0530
Subject     INT242343 Unpaid Invoice - Your Services May Be Suspended

PLEASE NOTE:  THIS IS A NO REPLY EMAIL ACCOUNT

Dear Customer
        Please find attached to this email your statement
You can view the invoices listed on our e-billing site at www.netbills.co.uk
If you have any queries regarding use of the e-billing site or this statement please
call us on 08444 12 7777.


Accounts Department
Wavenet Group
Incorporating - Titan Technology, Centralcom and S1 Network Services
Tel 08444127777


This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. Wavenet
Ltd Registered in England No 3919664. Registered address: Friars Gate 2, 1011 Stratford
Road, Shirley, Solihull, West Midlands, B90 4BN. If you are not the intended recipient
of this email and its attachments, you must take no action based upon them, nor must
you copy or show them to anyone. Please contact the sender if you believe you have
received this email in error. Wavenet Ltd reserves the right to monitor email communications
through its networks.

This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. If you
are not the intended recipient of this email and its attachments, you must take no
action based upon them, nor must you copy or show them to anyone. Please contact
the sender if you believe you have received this email in error. Wavenet Ltd reserves
the right to monitor email communications through its networks
I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53. The Malwr analysis shows that this script downloads an executable from:

gp-training.net/09u8h76f/65fg67n

There are probably a few other download locations. This binary has a detection rate of 2/54.  The Malwr report also indicates that it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

Wednesday 10 February 2016

Malware spam: Emailing: MX62EDO 10.02.2016 / documents@dmb-ltd.co.uk

This spam has a malicious attachment:

From     documents@dmb-ltd.co.uk
Date     Wed, 10 Feb 2016 11:12:41 +0200
Subject     Emailing: MX62EDO 10.02.2016

Your message is ready to be sent with the following file or link
attachments:

MX62EDO  10.02.2016 SERVICE SHEET


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a malicious document named MX62EDO 10.02.2016.doc. I haven't had time to analyse these myself, but a trusted source (thank you) says that there are three different variants of documents, downloading a malicious executable from the following locations:

calflytech.com/09u8h76f/65fg67n
g-t-c.co.uk/09u8h76f/65fg67n
opoai.com/09u8h76f/65fg67n


This drops an executable with a VirusTotal detection rate of 6/55.  This malware calls back to the following IPs:

87.229.86.20 (ZNET Telekom Zrt, Hungary)
50.56.184.194 (Rackspace, US)
144.76.73.3 (Hetzner, Germany)


The payload is the Dridex banking trojan. Some chatter I have seen indicates that this has been hardened against analysis.

Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3
 






Thursday 7 November 2013

Fake "Financial Times Survey Team" spam / ft-survey.com and AlfainHost

This fake Financial Times spam is a bit of a mystery:

From: The Financial Times [mailto:ft448516@surveymonkey.com]
Sent: Thu 07/11/2013 18:58
Subject: We value your opinion and we need your help


Dear British businessman,

We at the Financial Times are doing a survey among British business owners and managers regarding Euroscepticism.

As you are currently aware David Cameron on Monday confronted critics in his party who want to withdraw from the EU and close Britains borders, arguing there was no use hiding away from the world. And a lot more will follow.

We are contacting as many subscribers and people who commented on our business related articles to ask for their own opinion.

If you would like to be heard and help us build an article that will be on the first page in the next few weeks please help us.

Send us an E-mail at eu@ft-survey.com with the following information:

If your business is connected by import or export with the European Union, if it is Export please add us a few more details like what do you sell, or the services you provide;
What countries do you trade within the European Union;
Your opinion on Euroscepticism and the effect it has on your business;

Thank you so much for your help and contribution.

The Financial Times Survey Team,
eu@ft-survey.com
There are no links in the email apart from a mailto: for the email address, and there are no attachments. The email was sent to a UK user and concerns a matter specific to people in the UK, so it appears to be targeted in some way.

So, what's wrong with this email? Let's start by looking at the domain ft-survey.com which was registered just one day ago on 6th November to a registrant using the Panamanian privatewhois.net service to hide their details. The real Financial Times site at ft.com clearly identifies its owner. If you visit ft-survey.com (not recommended) then you get a 302 redirect to the legitimate ft.com website.

Next, ft-survey.com is hosted and receives mail on 204.188.238.143 which nominally belongs to some outfit called Sharktech in Las Vegas, but is actually suballocated to a customer in Pakistan:

%rwhois V-1.5:003eff:00 rwhois.sharktech.net (by Network Solutions, Inc. V-1.5.9.6)
network:Auth-Area:204.188.192.0/18
network:Class-Name:network
network:OrgName:AlfainHost
network:OrgID;I:MADIH-ULLAH-RIAZ
network:Address:Clifton Court #16
network:City:Karachi
network:StateProv:Sindh
network:PostalCode:74400
network:Country:PK
network:NetRange:204.188.238.140 - 204.188.238.143
network:CIDR:204.188.238.140/30
network:NetName:AlfainHost-204.188.238.140
network:OrgAbuseHandle:MADIH-ULLAH-RIAZ
network:OrgAbuseName:ABUSE department
network:OrgAbusePhone:923218913810
network:OrgAbuseEmail:madihrb@alfainhost.com
network:OrgNOCHandle:NOC2002-ARIN
network:OrgNOCName:Network Operations Center
network:OrgNOCPhone:+1-312-846-7642
network:OrgNOCEmail:abuse@sharktech.net
network:OrgTechHandle:TMT-ARIN
network:OrgTechName:Tim Timrawi
network:OrgTechPhone:+1-312-846-7642
network:OrgTechEmail:timt@sharktech.net
network:RegDate:20130723
network:Updated:20131106


It would be unlikely that the Financial Times would be using such a small outfit. Furthermore, 204.188.238.143 appears to contain a number of scam domains that look like phishing or money mule recruitment sites, as indeed does the entire 204.188.238.140/30 block.. more of which below.

The email headers are also suspect, and appear to show an originating IP of 94.21.75.226 (A Digi Ltd Customer in Hungary) mis-using a PHP script on rockyourworldsummit.com 66.147.242.87 (Unified Layer, US) which then bounces mail through a mailserver on 67.222.51.224 (also Unified Layer).

Received: from oproxy14-pub.mail.unifiedlayer.com (HELO oproxy14-pub.mail.unifiedlayer.com) (67.222.51.224)
  by [redacted] with SMTP; 7 Nov 2013 18:59:02 -0000
Received: (qmail 24735 invoked by uid 0); 7 Nov 2013 18:59:00 -0000
Received: from unknown (HELO box487.bluehost.com) (66.147.242.87)
  by oproxy14.mail.unifiedlayer.com with SMTP; 7 Nov 2013 18:59:00 -0000
Received: from localhost ([127.0.0.1]:41772 helo=box487.bluehost.com)
    by box487.bluehost.com with esmtp (Exim 4.80)
    (envelope-from <bigspark@box487.bluehost.com>)
    id 1VeUnD-0006y7-Se
    for [redacted]; Thu, 07 Nov 2013 11:58:59 -0700
Date: Thu, 07 Nov 2013 11:58:59 -0700
To: [redacted]
Subject: We value your opinion and we need your help
X-PHP-Script: www.rockyourworldsummit.com/wp-content/editor/help-text.php for 94.21.75.226
From:  The Financial Times <ft448516@surveymonkey.com>
Reply-To: <ft448516@surveymonkey.com>
Message-ID: <c06381c27d6d17e9f0e266ea45bae788@live.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Identified-User: {:box487.bluehost.com:bigspark:box487.bluehost.com} {sentby:program running on server}
X-OriginalArrivalTime: 07 Nov 2013 19:03:53.0922 (UTC) FILETIME=[1A3BE220:01CEDBEC]


The domains hosted on 204.188.238.140/30 look rather phishy and spammy, download the report here in a CSV file. WOT ratings indicate low trustworthiness, Google has identified a number of malware and phishing sites and the SURBL codes also indicate some spam and malware. However, a look at some of the domains in use will lead you in no doubt that there are a large number of phishing domains hosted in this block. I would strongly recommend that you block it.


Quite what the point of this spam is I do not know, however I suspect that answering the so-called survery will open you up to other attacks including spear phishing.



Thursday 21 March 2013

"Data Processing Service" spam / airtrantran.com

This spam leads to malware on

Date:      Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From:      Data Processing Service [customerservice@dataprocessingservice.com]
Subject:      ACH file ID "973.995"  has been processed successfully

Files Processing Service

SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
FILE SUMMARY:
Item count: 21
Total debits: $17,903.59
Total credits: $17,903.59

For addidional info    review it here

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
airtrantran.com
basic-printers.com
bestffriendquotes.com
buxarsurf.net
buyersusaremote.net
crackedserverz.com
cyberage-poker.net
dyntic.com
fenvid.com
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
ricepad.net
rockbandsongs.net
smartsecurityapp.com
teenlocal.net
webpageparking.net

Monday 18 March 2013

Malware spam "New Pope Sued For Not Wearing Seat Belt In Popemobile" / webpageparking.net

This pope themed spam leads to malware on webpageparking.net:

Date:      Mon, 18 Mar 2013 20:20:54 +0200
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com


Powered by    
* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@mail.cnn.com:    
       
Click the following to access the sent link:
       
New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com*
   
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
   
   
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

The link goes through a legitimate hacked site and leads to a malicious payload at [donotclick]webpageparking.net/kill/borrowing_feeding_gather-interesting.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom KFT, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

BLOCKLIST:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
fenvid.com
gatovskiedelishki.ru
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
porftechasgorupd.ru
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com
teenlocal.net

UPDATE: another version of this is doing the rounds with a subject "Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases? - CNN.com"

Friday 14 December 2012

Something evil on 87.229.26.138

This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example).

There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.

The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha@yahoo.com


The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen@yahoo.com


If you can block the IP address then it will be the simplest option as there are rather a lot of domains here:

krvrkh.in
pmkvyh.in
hqzzpk.in
wkhmyk.in
ymjjjm.in
lupszm.in
gguwvn.in
znztip.in
onylkp.in
jlqrnp.in
yyssyr.in
nxwktt.in
zpjhjv.in
zjmnwv.in
ypmptx.in
humswz.in

quoorh.eu
zxlngj.eu
lxtnmm.eu
lrqjrn.eu
knxhsn.eu
pzgztn.eu
wokjpq.eu
lkowgs.eu
hiikrs.eu
knvutt.eu
smqtnu.eu
tmkvmv.eu
ihltwv.eu
prhhvw.eu
sowxyw.eu
utppry.eu

anshg.quoorh.eu
hjzg.quoorh.eu
utkvvk.quoorh.eu
krqm.quoorh.eu
rueyn.quoorh.eu
cdnro.quoorh.eu
xdxp.quoorh.eu
qrhxp.quoorh.eu
vtr.quoorh.eu
zrlrrs.quoorh.eu
dvyy.quoorh.eu
vymf.zxlngj.eu
xjpf.zxlngj.eu
xxvcj.zxlngj.eu
radcm.zxlngj.eu
lixcmn.zxlngj.eu
nnn.zxlngj.eu
hwpdq.zxlngj.eu
akiy.zxlngj.eu
mvtrn.lxtnmm.eu
ygz.lxtnmm.eu
hkauh.lrqjrn.eu
aqsf.knxhsn.eu
mqjpl.pzgztn.eu
wmmj.wokjpq.eu
plfztn.wokjpq.eu
fyqwrv.wokjpq.eu
prz.wokjpq.eu
ygh.lkowgs.eu
jasiv.hiikrs.eu
gechga.knvutt.eu
dxcypc.knvutt.eu
pod.knvutt.eu
sie.knvutt.eu
pdlgf.knvutt.eu
qvxqj.knvutt.eu
xdp.knvutt.eu
ikp.knvutt.eu
foxq.knvutt.eu
snt.knvutt.eu
wou.knvutt.eu
env.knvutt.eu
xor.knvutt.eu
pllrcn.knvutt.eu
stgc.smqtnu.eu
uknqc.smqtnu.eu
ynkf.smqtnu.eu
sgph.smqtnu.eu
sgo.smqtnu.eu
nlcowd.tmkvmv.eu
amp.tmkvmv.eu
wbs.tmkvmv.eu
uvpne.ihltwv.eu
vfjrn.ihltwv.eu
zlpttn.ihltwv.eu
xlt.ihltwv.eu
kcvvct.prhhvw.eu
kda.sowxyw.eu
kvb.sowxyw.eu
jbjol.sowxyw.eu
hegr.sowxyw.eu
maizss.sowxyw.eu
jfeu.sowxyw.eu
ozku.sowxyw.eu
rgpxz.sowxyw.eu
houqw.utppry.eu

Wednesday 23 November 2011

Virus: "Help! I'm in trouble!"

Another virus-laden email, technically very similar to this one yesterday:

Date: Wed, 23 Nov 2011 08:28:46 +0700
From: Saffi@victimdomain.com
To: victim@victimdomain.com
Subject: Help! I'm in trouble!

I was at a party, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light many times, I've just got the pictures, maybe you know him?
Here is the photo

I need to find him urgently!

Thank you
Saffi
The name of the sender varies, but the approach is to use the same domain as the victim to make it look more believable. In the sample I have, the "Here is the photo" link 404s, but you can guarantee that it is malware.. so don't click that link!

Update: the malicious payload is on blredret.ru  (94.199.51.108) at 23vnet Kft in Budapest (again). The Wepawet report is here. Blocking that IP proactively is probably wise.

Update: this spam run is happening again, but with a different set of malicious IPs (read more)

Virus: "Hello! Look, I've received an unfamiliar bill, have you ordered anything?"

Here's a piece of fairly clever social engineering:

Date:      Tue, 22 Nov 2011 12:48:52 +0200
From:      "LILLIE Stinson" [accounting@victimdomain.com]
To:      [victim@victimdomain.com]
Subject:      Need your help!

Hello! Look, I've received an unfamiliar bill, have you ordered anything?
Here is the bill

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

Looking forward to your answer

Fingerprint: 9caf6417-d5b308e2

The link goes to a legitimate website that has been hacked, which then redirects to bsredret.ru on 94.199.51.108 (23VNet, Hungary). A Wepawet report for the target page can be found here.

There are a variety of similar emails doing the rounds at the moment, and the IP and URL with the payload seems to change every day. It might be prudent to warn any users you are responsible for to look out..

Wednesday 21 September 2011

Evil network: RONET / ro-net.eu (91.229.90.0/23)

RONET (aka. ro-net.eu) seems to be a new netblock occupying the 91.229.90.0/23 (91.229.90.0 - 91.229.91.255) range. This block has several sites recently moved from Netserv Consult SRL (who have a very bad reputation), all of which appear to be involved in criminal activity.

Although the number of sites is very low at present (just 30), the use of a /23 block indicates the perhaps this will be used for more sites very soon. Blocking 91.229.90.0/23 preemptively would probably be an excellent idea.

Here are some examples of evilness:

bywordelectronics.com [91.229.90.11]
Money mule scam / fake jobs [1] [2] [3] [4]

admagnet1.com [91.229.90.35]
Malware distribution [5] [6] [7]

eyebluster-sv1.com [91.229.90.37]
Malware distribution [8]  [9]

Other domains are registered with fake WHOIS details which is never a good sign.

The 91.229.90.0/23 range is registered to:

inetnum:         91.229.90.0 - 91.229.91.255
netname:         RONET
descr:           FOP Varovaev Leonid Gennadevich
country:         EU
org:             ORG-VARO1-RIPE
admin-c:         AV6418-RIPE
tech-c:          AV6418-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          VAROVAEV-MNT
mnt-routes:      VAROVAEV-MNT
mnt-domains:     VAROVAEV-MNT
source:          RIPE # Filtered

organisation:    ORG-VARO1-RIPE
org-name:        FOP Varovaev Leonid Gennadevich
org-type:        OTHER
address:         H-1120 Budapest,  Street Gabor Denes, 4, Hungary
mnt-ref:         VAROVAEV-MNT
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

person:          Anton Varnai
address:         H-1120 Budapest
address:         Street Gabor Denes, 4
address:         Hungary
abuse-mailbox:   abuse@ro-net.eu
phone:           +3614585544
nic-hdl:         AV6418-RIPE
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

% Information related to '91.229.90.0/23AS6753'

route:           91.229.90.0/23
descr:           RONET
origin:          AS6753
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

Of note is the fact that ro-net.eu was only registered two weeks ago with anonymous registration details. Also, note that although the address is in Hungary, the RONET name would indicate that it still has a ROmanian connection.

Another oddity is that the network announces itself as part of AS17088 which is allocated to Currenex, Inc. There seems to be no connection at all between Currenex, Inc and RONET, so perhaps this is an error or some kind of forgery.

You can find a full list of domains and MyWOT ratings in this CSV file. Alternatively, the currently hosted domains are listed below.

admagnet1.com
adopsassistant.com
amaltheiatech.com
arctosinbrasilia.com
bestpccleaners.org
bywordelectronics.com
combo-parts.com
easycleaners.org
eyebluster-stat.com
eyebluster-sv1.com
fixpcexperts.com
hidedns.org
jjoor.com
mediamindcal.com
mediamind-tech.com
mediatechadvice.com
mr-srv.com
newco-op.com
newsecsolutions.com
pc-syscleaner.com
pc-syscleaner.net
pc-syscleaner.org
proton-micro.com
quickwebsupport.net
ro-net.eu
searchelcome.org
softsecsolutions.net
supportnetmail.com
trackingpxl.com
vi-hosts.com

Tuesday 26 April 2011

Evil network: Leksim Ltd / RELNET-NET AS5577 (62.122.72.0/21)

Implicated in malware distribution, botnet C&Cs and spam, the network range 62.122.72.0/21 (62.122.72.0 - 62.122.79.255) is currently quite active in evil activities (you can find examples here and here and the SiteVet report here).

There aren't many sites in this block, and they are almost all either in 62.122.73.0/24 and 62.122.75.0/24 (but blocking the /21 is safer).. but the vast majority of sites are rated deep red at MyWOT (a full list of sites and ratings can be downloaded here).

Who owns the block? The RIPE WHOIS details are:

inetnum:         62.122.72.0 - 62.122.79.255
netname:         RELNET-NET
descr:           "Leksim" Ltd.
country:         EU
remarks:         trouble: spam/scam/abuse issues send *ONLY* to: abuse@rel-net.eu
org:             ORG-TA388-RIPE
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
tech-c:          MR10655-RIPE
status:          ASSIGNED PI
mnt-by:          RELNET
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-routes:      RELNET
mnt-domains:     RELNET
source:          RIPE # Filtered
mnt-routes:      ROOT-MNT

organisation:    ORG-TA388-RIPE
org-name:        "Leksim" Ltd.
org-type:        OTHER
address:         Stationsplein 30, 2910 MJ Capelle aan den IJssel,  The Netherlands
phone:           +31 10 2391391
fax-no:          +31 10 2391392
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
mnt-ref:         RELNET
mnt-by:          RELNET
source:          RIPE # Filtered

person:          Justin Thomson
address:         Stationsplein 30
address:         2910 MJ Capelle aan den IJssel
address:         THE NETHERLANDS
abuse-mailbox:   abuse@rel-net.eu
mnt-by:          RELNET
phone:           +31 10 2391391
nic-hdl:         JT384-RIPE
source:          RIPE # Filtered

person:          Bernd Spiess
address:         Gabelsberger Strasse 15
address:         9021 Klagenfurt
address:         AUSTRIA
mnt-by:          RELNET
phone:           +43 46 3223501
nic-hdl:         BS594-RIPE
source:          RIPE # Filtered

person:          Marcel Russo
address:         31, z.a. am Bann
address:         L-3375 Leudelange
address:         LUXEMBURG
mnt-by:          RELNET
phone:           + 352 2551301
nic-hdl:         MR10655-RIPE
source:          RIPE # Filtered


But is this "Leksim Ltd" or Relnet? Relnet's contact details (for rel-net.eu, relnet.eu, relnet.hu) are very different:

domain:        relnet.hu
registrant:    Relnet Technologia Ltd.
registrant:    Relnet Technológia Kft.
    
tech-c:    Dávid András
address:   VésÅ‘ 7
address:   1133 Budapest
address:   HU
phone:     06-70-452-4603
fax-no:    06-1-350-1355
e-mail:    hostmaster@relnet.hu
hun-id:    2000466058

If you Google the first three names you get some very telling results.

Blocking the /21 is probably the best idea. I can identify the following domains in this block in case you want to block by domain name, or for more detail download the CSV version.

abussgf.com
adnologi.com
apicurl.com
asherhiftn.com
banner-count.com
belliali.com
best-figure.com
biznage.com
blank-record.com
cahodofo.com
chethole.com
clckil.com
clckli.com
cr0zybaner.com
cr0zybanner.com
croozybannir.com
crozybannir.com
data-saver.org
denizab.com
dhfodminmont.com
eleophy.com
fathone.com
fr0udsafetycheck0n.com
goodse.org
gredigns.com
gulderpoin.com
ineloitond.com
kicksho.com
krasivoe-telo.com
lineacount.info
lineweather.com
livesecpayment.com
livesecsuite.com
live-sec-suite.com
live-security-suite.com
liveslicense.com
livespayment.com
livessupport.com
lkckclckli1i.com
lsspayment.com
lsssupport.com
luffer.info
majusef.com
maketh.info
minteddi.com
mizaterp.com
monitor-info.com
mypersonalhttp.com
nonepersonal.com
nuensmidts.com
onlinedietolog.net
osago-msk.com
perleme.com
pinokolder.com
sileeber.com
spy-soft.org
tangoing.info
telemarker.ru
thestopbadware.com
thyrogl.com
tinnily.info
uatwdminmont.com
umogultvon.com
unmarine.info
virtepgulm.com
vkontacte.org
vkontakle.net
warwork.info
w-opay.com
w-optim.com
wovens.info
yafraudcheckonline.com
yledmanager.com
zblvdminmont.com
zumugolter.com