Malware spam: "Documentxx" apparently coming from the victim leads to Locky

This spam appears to come from the victim, but this is just a simple forgery (explained here). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is no body text. Here is an example:

From:    victim@domain.tld
To:    victim@domain.tld
Date:    17 March 2016 at 10:37
Subject:    Document32

Inside is a randomly-named script (samples VirusTotal reports [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13]  indicate that the script attempts to download a binary from the following locations:

escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe
fmfgrzebel.pl/wp-content/plugins/hello123/89h8btyfde445.exe
superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe
sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe
bezerraeassociados.com.br/wp-content/plugins/hello123/89h8btyfde445.exe

The dropped binary has a detection rate of just 2/57. Those reports and these other automated analyses [14] [15] [16] show network traffic to:

78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46 (Infium UAB, Ukraine)
188.127.231.116 (SmartApe, Russia)
195.64.154.114 (Ukrainian Internet Names Center, Ukraine)

This is Locky ransomware.

Recommended blocklist:
78.40.108.39
46.148.20.46
188.127.231.116
195.64.154.114

Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"

This fake financial spam comes with a malicious attachment:

From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833

Dear Client!

For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994


Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:

http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1

These sites are hosted on:

142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)

This Malwr report and this Hybrid Analysis shows communications with:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)

The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.

These domains are also associated with some of the IPs. Consider them all to be evil:

t54ndnku456ngkwsudqer.wallymac.com
spannflow.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
howareyouqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
witchbehereqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
hellomississmithqq.com
thisisyourchangeqq.com
www.thisisyourchangeqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146

Malware spam: "Attached File" / canon@victimdomain.tld leads to Locky

This spam has a malicious attachment. It appears to come from within the sender's own domain. There is no body text.

From:    canon@victimdomain.tld
Date:    10 March 2016 at 09:02
Subject:    Attached File

In the sample I saw, there was an attachment victimname@victimdomain.tld_07567_273772.zip which contained a randomly-named script with a detection rate of 5/57. Automated analysis [1] [2] shows that this is the Locky ransomware, and it downloads a binary from:

buyfuntees.com/system/logs/7t6f65g.exe

This binary has a detection rate of  just 1/56. Those reports indicate that the malware phones home to:

31.184.196.78 (Petersburg Internet Network Ltd, Russia)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)

There are probably many other download locations and some more C2s as well, I will update this post if I see them.

UPDATE

This additional analysis is from a trusted third party (thank you!)

Additional download locations:

behrozan.ir/system/logs/7t6f65g.exe
fashion-boutique.com.ua/system/logs/7t6f65g.exe
fortyseven.com.ar/system/logs/7t6f65g.exe
iwear.md/system/logs/7t6f65g.exe
lady-idol.6te.net/system/logs/7t6f65g.exe
ncrweb.in/system/logs/7t6f65g.exe
xn--b1afonddk2l.xn--p1ai/system/logs/7t6f65g.exe

Additional C2s:

91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
91.234.33.149 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)

Sender is canon or copier or epson or scanner or xerox at the victim's domain.

Recommended blocklist:
31.184.196.78
78.40.108.39
91.219.30.254
91.234.33.149

Malware spam: "Please find attached 2 invoices for processing." leads to Locky

These fake financial spam emails come from random sources with different names and reference numbers:

From:    Melisa Keller
Date:    9 March 2016 at 12:08
Subject:    FW: Invoice 2016-M#111812

Dear server,

Please find attached 2 invoices for processing.

Yours sincerely,

Melisa Keller
Financial Manager


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

Attached is a file with a name similar to Payment_2016_March_111812.zip which contains two scripts, which in the samples I have seen all start with "see_it" or "problem". These malicious scripts all have low detection rates [1] [2] [3] [4] [5] [6]. The Malwr reports for those samples [7] [8] [9] [10] [11] [12] show that the scripts download a binary from:

ihsanind.com/system/logs/87jhg44g5
nguoitieudungthongthai.com/system/logs/987i6u5y4t
astralia.ro/08o76g445g [404]

Only two of the download locations work, dropping binaries with a detection rate of 5/55 [1] [2]. Note that there may be other download locations.

The Malwr reports indicate that the malware phones home to:

78.40.108.39 (PS Internet Company LLC, Kazakhstan)
149.154.157.14 (EDIS, Italy)

The payload is the Locky ransomware.

UPDATE

I received the following information from another source (thank you)

Additional download locations:

ari-ev.com/system/logs/765uy453gt5
hipnotixx.com/27h8n
myonlinedeals.pk/system/logs/43d5f67n8
planetarchery.com.au/system/logs/q32r45g54
saachi.co/system/logs/43ghy8n
shofukai.web.fc2.com/23rt54y56
www.ekowen.sk/09y8j

Payload MD5s:

252957f37b8bd7a57473eab5f1a65d5c
39443da2c5454e0cb3ab42e407266d12
536162e0df26db751c3aa192af512413
6d42c5aa20117483b47b6e9c10444626
80baac1953a3fa6b74c2cd9689a0d81c
84a47c9c74efe890d7e0e9935fc96bda
b81006520f0d50317a66c0eb9d2185a5
e12fde01606227d45e8048fb4e5cc88c
eebb1e3a4fefcbacf3a7076b32180673

Additional C2s:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)


Recommended blocklist:
78.40.108.39
149.154.157.14
91.195.12.131
151.236.14.51
37.235.53.18

Malware spam: "Message from mibser_00919013013"

I have only one sample of this rather terse email with no body text:

From:    scan@victimdomain
Reply-To:    scan@victimdomain
To:    hiett@victimdomain
Date:    30 November 2015 at 09:22
Subject:    Message from mibser_00919013013

The spam appears to originate from within the victim's own domain, but it does not. In the sample I saw, the attachment was named Smibser_00915110211090.xls, had a VirusTotal detection rate of 3/54 and contained this malicious macro [pastebin]. .

According to this Hybrid Analysis report and this Malwr report the macro downloads a malicious executable from:

velitolu.com/89u87/454sd.exe

This binary has a detection rate of 3/55. Automated report tools [1] [2] show network traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
42.117.2.85 (FPT Telecom Company, Russia)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
5.63.88.100 (Centr, Kazakhstan)

The payload is likely to be the Dridex banking trojan:

MD5s:
1fac282d89e9af6fd548db2c71124c38
b77b2b6b80968b458e838d3a40e10551

Recommended blocklist:
94.73.155.12
42.117.2.85
89.189.174.19
5.63.88.100

Malware spam: "Invoice Document SI528880" / "Lucie Newlove [lucie@hiderfoods.co.uk]"

This fake invoice does not come from Hider Food Imports Ltd but is instead a simple forgery with a malicious attachment.

From     Lucie Newlove [lucie@hiderfoods.co.uk]
Date     Thu, 26 Nov 2015 16:03:04 +0500
Subject     Invoice Document SI528880

Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.

ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.

Hider Food Imports Ltd

REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA

Registered in England  Number : 842813

Main Tel: +44 (0)1482 561137
Sales Tel :+44 (0)1482 504333
Fax: +44 (0)1482 565668

E-Mail: mail@hiderfoods.co.uk
Website: http://www.hiderfoods.co.uk

DISCLAIMER: This e-mail and any attachments are private and confidential and are
intended solely for the use of the intended recipient(s).  If you are not the intended
recipient, you must not use, disclose, distribute, copy, print, or rely on this e-mail.
If you have received this e-mail in error, please advise the sender by return e-mail
immediately and delete all copies of this message and any attachments from your systems.
All prices quoted are subject to final confirmation. This e-mail and any other arrangements
between us will be subject to our terms and conditions of business, a copy of which
can be found at our website or available upon request.

ANTIVIRUS: Hider Food Imports Ltd regularly update and utilise current anti-virus
products.  Hider Food Imports Ltd however accept no liability for any damage which
may be caused by any virus transmitted by this e-mail or any attachments.  Recipients
should check this e-mail is free of Viruses.

The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54, and it contains this malicious macro [pastebin] which according to this Hybrid Analysis report downloads a malicious component from:

naceste2.czechian.net/76t89/32898u.exe

This executable has a detection rate of just 1/54 and automated analysis [1] [2] [3] [4] [5] shows network traffic to the following IPs:

94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
8.253.44.158 (Level 3, US)
37.128.132.96 (Memset, UK)
91.212.89.239 (Uzinfocom, Uzbekistan)
185.87.51.41 (Marosnet, Russia)
42.117.2.85 (FPT Telecom Company, Vietnam)
192.130.75.146 (Jyvaskylan Yliopisto, Finland)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
5.63.88.100 (Centr, Kazahkstan)

The payload is probably the Dridex banking trojan.

MD5s:
b8d83b04a06b6853ad3e79a977dd17af
43a1211146a1938cd4de5d46c68124eb

Recommended blocklist:
94.73.155.12
8.253.44.158
37.128.132.96
91.212.89.239
185.87.51.41
42.117.2.85
192.130.75.146
195.187.111.11
5.63.88.100

NOTE
I accidentally included 191.234.4.50 in a previous version of the blocklist. This IP is for Windows Update (I deleted it from the first list, not the second one!). If you have blocked this IP then I recommend that you unblock it.