From: Jen [Jen@purple-office.com]Attached is a randomly-named DOCM file which is almost definitely a variant of Locky ransomware as seen here and here.
Date: 15 August 2016 at 14:10
Subject: Documents from Purple Office - IN00003993
Please find attached invoice/credit from Purple Office.
Best regards,
Purple Office
Showing posts with label Locky. Show all posts
Showing posts with label Locky. Show all posts
Monday 15 August 2016
Malware spam: "Jen [Jen@purple-office.com]" / "Documents from Purple Office - IN00003993"
These fake financial documents have a malicious attachment:
Malware spam: "Emma Critchley (emmacritchley@advantage-finance.co.uk)" / "Emailing - 9104896607509"
This fake financial spam has a malicious attachment. It does not come from Advantage Finance but is instead a simple forgery.
devierdemuur.50webs.com/HJ6bhGHV
kittoyakudatu.web.fc2.com/HJ6bhGHV
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
rondoncompany.bake-neko.net/HJ6bhGHV
topfireart.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.bozenan.swk.vectranet.pl/HJ6bhGHV
www.carrosserie-promocar.net/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.scoutvda.it/HJ6bhGHV
www.tecnohellas.gr/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV
This phones home to the same servers as mentioned in this post.
Subject: Emailing - 9104896607509Attached is a DOCM file with a name that matches the subject. There are various versions, all of which download Locky ransomware from one of the following locations (thank you to my source):
From: Emma Critchley (emmacritchley@advantage-finance.co.uk)
Date: Monday, 15 August 2016, 13:28
Hi
Vicky has asked me to forward you the finance documents (Please see attached)
Many Thanks
devierdemuur.50webs.com/HJ6bhGHV
kittoyakudatu.web.fc2.com/HJ6bhGHV
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
rondoncompany.bake-neko.net/HJ6bhGHV
topfireart.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.bozenan.swk.vectranet.pl/HJ6bhGHV
www.carrosserie-promocar.net/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.scoutvda.it/HJ6bhGHV
www.tecnohellas.gr/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV
This phones home to the same servers as mentioned in this post.
Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"
This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV
The payload is Locky ransomware with a very low detection rate at present. It phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)
The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77
From: orderconfirmation@esab.co.ukAttached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:
Date: 15 August 2016 at 10:37
Subject: Order Confirmation-7069-2714739-20160815-292650
_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.
ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof.
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV
The payload is Locky ransomware with a very low detection rate at present. It phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)
The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77
Friday 12 August 2016
Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).
This spam comes with a malicious attachment:
This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:
birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs
The malware phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.
Recommended blocklist:
185.129.148.0/24
138.201.56.190
Subject: Message from "CUKPR0317276"The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf
From: scanner@victimdomain.tld (scanner@victimdomain.tld)
To: webmaster@victimdomain.tld;
Date: Friday, 12 August 2016, 14:00
This E-mail was sent from "CUKPR0329001" (Aficio MP C305).
Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld
This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:
birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs
The malware phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.
Recommended blocklist:
185.129.148.0/24
138.201.56.190
Thursday 11 August 2016
Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"
This spam has a malicious attachment:
The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:
151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6
The malware is Locky ransomware, and it phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)
Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197
From: Ashley [Ashley747@victimdomail.tld]
Date: 11 August 2016 at 11:13
Subject: New Doc 6-6
Scanned by CamScanner
Sent from Yahoo Mail on Android
The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:
151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6
The malware is Locky ransomware, and it phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)
Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197
Thursday 4 August 2016
Malware spam: "Please sign the receipt attached for the arrival of new office facilities." leads to Locky
Yet another Locky campaign today..
This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run.
From: Erica Hutchinson
Date: 4 August 2016 at 12:34
Subject: please sign
Dear [redacted]
Please sign the receipt attached for the arrival of new office facilities.
Best regards,
Erica Hutchinson
This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run.
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Malware spam: "Emailing: Sheet / Document / Invoice" with a .docm leads to Locky
This malware-laden spam comes with a variety of subjects, for example:
Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf
There is no body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component from one of the following locations:
abi64.com/h78r3gfe
bikepaintpureworks.web.fc2.com/h78r3gfe
brupuoli.tempsite.ws/h78r3gfe
composit.vtrbandaancha.net/h78r3gfe
film-online.bejbiblues.cba.pl/h78r3gfe
ftp.bergamo.chiesacattolica.it/h78r3gfe
innal.com.mx/h78r3gfe
karnat.cba.pl/h78r3gfe
mbc.nekonikoban.org/h78r3gfe
potato.chottu.net/h78r3gfe
schello4u.de/h78r3gfe
tyouseikan.web.fc2.com/h78r3gfe
www.agriturismolapiana.net/h78r3gfe
www.artistsagainstwar.it/h78r3gfe
www.bwmodels.com/h78r3gfe
www.comunedicanischio.it/h78r3gfe
www.ekstraciuchy.pl/h78r3gfe
www.kishazy.hu/h78r3gfe
(Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here.
Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf
There is no body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component from one of the following locations:
abi64.com/h78r3gfe
bikepaintpureworks.web.fc2.com/h78r3gfe
brupuoli.tempsite.ws/h78r3gfe
composit.vtrbandaancha.net/h78r3gfe
film-online.bejbiblues.cba.pl/h78r3gfe
ftp.bergamo.chiesacattolica.it/h78r3gfe
innal.com.mx/h78r3gfe
karnat.cba.pl/h78r3gfe
mbc.nekonikoban.org/h78r3gfe
potato.chottu.net/h78r3gfe
schello4u.de/h78r3gfe
tyouseikan.web.fc2.com/h78r3gfe
www.agriturismolapiana.net/h78r3gfe
www.artistsagainstwar.it/h78r3gfe
www.bwmodels.com/h78r3gfe
www.comunedicanischio.it/h78r3gfe
www.ekstraciuchy.pl/h78r3gfe
www.kishazy.hu/h78r3gfe
(Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here.
Malware spam: "Business card" / "I have attached the new business card design." leads to Locky
This spam email has a malicious attachment:
This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:
escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7
This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:
31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]
All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.
Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22
From: Glenna JohnsonSender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.
Date: 4 August 2016 at 10:18
Subject: Business card
Hello [redacted],
I have attached the new business card design.
Please let me know if you need a change
King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:
escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7
This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:
31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]
All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.
Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22
Wednesday 3 August 2016
Malware spam: "Confirmation letter" leads to Locky
Another spam run leading to Locky ransomware..
From: Mavis Howe [Howe.4267@croestate.com]The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here.
Date: 3 August 2016 at 13:32
Subject: Confirmation letter
Hi [redacted],
I attached the employment confirmation letter I prepared.
Please check it before you send it out.
Best regards
Mavis Howe
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Malware spam: "As you directed, I send the attachment containing the data about the new invoices"
Another day, another Locky ransomware run:
Attached is a randomly-named ZIP file which contains a highly obfuscated .js script which according to this Malwr analysis downloads a binary from..
blog-aida.cba.pl/2zensi7t
..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]
This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]
Both those IPs are in known bad blocks.
Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24
From: Marian Mcgowan
Date: 3 August 2016 at 11:15
Subject: Fw: New invoices
As you directed, I send the attachment containing the data about the new invoices
Attached is a randomly-named ZIP file which contains a highly obfuscated .js script which according to this Malwr analysis downloads a binary from..
blog-aida.cba.pl/2zensi7t
..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]
This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]
Both those IPs are in known bad blocks.
Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24
Labels:
Latvia,
Locky,
Malware,
Netherlands,
Ransomware,
Russia,
Spam,
Viruses
Monday 1 August 2016
Malware spam: "Please review the attached corrected annual report." / "Corrected report"
This spam comes with a malicious attachment:
121.83.206.211/~ftp-yama/9z6nu
12-land.co.jp/gyukmx
209.202.52.42/~wevugoja/eijz2y
213.228.128.12/~joaod/2xbjbu
213.228.128.12/~joaod/74ujkijl
217.26.70.200/~pitagora/4nm1k
218.228.19.9/~yossi/9ssfpkz
67.23.226.139/~jneccsio/2egblt4m
79.96.153.93/cxzlkz
80.109.240.71/~r.theeuwes/6c1arl9
abufarha.net/55hhso
akeseverin.com/audqp
akva-sarat.nichost.ru/xc2kao
arogyaforhealth.com/l9bwo0
b-doors.ru/l65n0 - hash
bisericaromaneasca.ro/jzvtuc
bobbysinghwpg.com/k3v1t3v4
canplus.fc2web.com/faepi1
certifiedbanker.org/lg305
climairuk.com/kmbw8q
clinic.gov.ua/sku4ql
darkhollowcoffee.com/n69xfk
darkhollowcoffee.com/xlbps
enexp.ru/r2wbp6
fotografuj.pl/8hotlfc2
fotografuj.pl/y4m2b
gp-logistics.ru/uwkop
keven.site.aplus.net/rb9skl
krovgid.ru/wooq2
libertymanuals.com/o97dh92i
mobile-kontent.com/ou6ne
openspace.pro/teg7qur
paletteswapninja.com/~playre5/0mxupm8q
programistyczni.strefa.pl/j7xk8c
ramsayconstruction.ca/b27ix9s
rom-stroy.ru/s0kphjat
schlebach.25mm.ru/ycz6sn
seahawkexports.com/7954qp3a
shagunproperty.com/8ikrr
sigovka.ru/w790cg8h
steelfs.com.mx/00ucikvv
stroymonolit.su/7oiy5i8
tvoy-android.com/i8rsoei
u2319351.plsk.regruhosting.ru/vsfvyj1j
ultramarincentr.ru/jtmms
uxeurope.com/~guest/7rj3px
visionaero.com/9grdv
wordpress.pro-tiler.ru/mk9yi4wl
www.robtozier.com/bg58a
The dropped binary then attempts to phone home to:
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
The host for that last one comes up over and over again, it's time to block that /22..
Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22
Subject: Corrected reportThe name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware from one of the following locations (thank you to my usual source for analysis):
From: Joey Cox (Cox.48@sodetel.net.lb)
Date: Monday, 1 August 2016, 13:37
Dear webmaster,
Please review the attached corrected annual report.
Yours faithfully
Joey Cox
121.83.206.211/~ftp-yama/9z6nu
12-land.co.jp/gyukmx
209.202.52.42/~wevugoja/eijz2y
213.228.128.12/~joaod/2xbjbu
213.228.128.12/~joaod/74ujkijl
217.26.70.200/~pitagora/4nm1k
218.228.19.9/~yossi/9ssfpkz
67.23.226.139/~jneccsio/2egblt4m
79.96.153.93/cxzlkz
80.109.240.71/~r.theeuwes/6c1arl9
abufarha.net/55hhso
akeseverin.com/audqp
akva-sarat.nichost.ru/xc2kao
arogyaforhealth.com/l9bwo0
b-doors.ru/l65n0 - hash
bisericaromaneasca.ro/jzvtuc
bobbysinghwpg.com/k3v1t3v4
canplus.fc2web.com/faepi1
certifiedbanker.org/lg305
climairuk.com/kmbw8q
clinic.gov.ua/sku4ql
darkhollowcoffee.com/n69xfk
darkhollowcoffee.com/xlbps
enexp.ru/r2wbp6
fotografuj.pl/8hotlfc2
fotografuj.pl/y4m2b
gp-logistics.ru/uwkop
keven.site.aplus.net/rb9skl
krovgid.ru/wooq2
libertymanuals.com/o97dh92i
mobile-kontent.com/ou6ne
openspace.pro/teg7qur
paletteswapninja.com/~playre5/0mxupm8q
programistyczni.strefa.pl/j7xk8c
ramsayconstruction.ca/b27ix9s
rom-stroy.ru/s0kphjat
schlebach.25mm.ru/ycz6sn
seahawkexports.com/7954qp3a
shagunproperty.com/8ikrr
sigovka.ru/w790cg8h
steelfs.com.mx/00ucikvv
stroymonolit.su/7oiy5i8
tvoy-android.com/i8rsoei
u2319351.plsk.regruhosting.ru/vsfvyj1j
ultramarincentr.ru/jtmms
uxeurope.com/~guest/7rj3px
visionaero.com/9grdv
wordpress.pro-tiler.ru/mk9yi4wl
www.robtozier.com/bg58a
The dropped binary then attempts to phone home to:
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
The host for that last one comes up over and over again, it's time to block that /22..
Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22
Labels:
Locky,
Malware,
Netherlands,
Ransomware,
Russia,
Spam,
Ukraine,
Viruses
Friday 29 July 2016
Malware spam: "Voicemail from Anonymous" / SureVoIP [voicemailandfax@surevoip.co.uk]
This fake voicemail spam has a malicious attachment:
According to my trusted source (thank you as ever):
64.22.100.95/78h8ry
A1Engg.com/9u8jreve
am-i-evil.de/n3rv3rv
avaretv.atspace.com/n3rv3rv
cieslakwz.cba.pl/9u8jreve
curionaut.web.fc2.com/78h8ry
gim24.y0.pl/9u8jreve
guessen.privat.t-online.de/9u8jreve
gurannbania03.web.fc2.com/9u8jreve
hanokenko.web.fc2.com/n3rv3rv
hokkatsu6.web.fc2.com/78h8ry
kapiti-alpaca.co.nz/78h8ry
kathrin18.edv-kamue.de/78h8ry
kimani.dommel.be/n3rv3rv
martinezlabalsa.atspace.org/78h8ry
melzer-ferienwohnung.de/78h8ry
mertenitalia.atspace.com/78h8ry
paris82nana.cafe24.com/78h8ry
pixelacker.de/9u8jreve
rakurakutuuhang.web.fc2.com/n3rv3rv
rhodins.nu/n3rv3rv
sandalcraft.cba.pl/9u8jreve
shinryu1226.web.fc2.com/78h8ry
sspbadecz.ugu.pl/9u8jreve
www.amelander.nl/78h8ry
www.arrietayasociados.es/9u8jreve
www.atiyka.home.ro/9u8jreve
www.bobp.org.uk/9u8jreve
www.cabana.it/9u8jreve
www.corama.com/n3rv3rv
www.cs-strumentazione.it/9u8jreve
www.destine.broker.go.ro/n3rv3rv
www.diegofabbri.com/n3rv3rv
www.ecologica2000srl.eu/78h8ry
www.finnform.it/n3rv3rv
www.flamarimports.com.br/n3rv3rv
www.josegbueno.jazztel.es/9u8jreve
www.malzi.mynetcologne.de/n3rv3rv
www.markomielentz.de/78h8ry
www.nieli.de/9u8jreve
www.oliooddo.com/n3rv3rv
www.professionaldga.com/78h8ry
www.suesswarentechniker.de/78h8ry
www.techninov.fr/n3rv3rv
yohollywood.50webs.com/78h8ry
The downloaded binary is Locky ransomware, phoning home to:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
From SureVoIP [voicemailandfax@surevoip.co.uk]The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf.
Date Fri, 29 Jul 2016 17:47:41 +0700
Subject Voicemail from Anonymous <Anonymous> 00:02:15
Message From "Anonymous" AnonymousCreated: Fri, 29 Jul 2016 19:45:15 +0900Duration:
00:02:37Account: victimdomain.tld
According to my trusted source (thank you as ever):
64.22.100.95/78h8ry
A1Engg.com/9u8jreve
am-i-evil.de/n3rv3rv
avaretv.atspace.com/n3rv3rv
cieslakwz.cba.pl/9u8jreve
curionaut.web.fc2.com/78h8ry
gim24.y0.pl/9u8jreve
guessen.privat.t-online.de/9u8jreve
gurannbania03.web.fc2.com/9u8jreve
hanokenko.web.fc2.com/n3rv3rv
hokkatsu6.web.fc2.com/78h8ry
kapiti-alpaca.co.nz/78h8ry
kathrin18.edv-kamue.de/78h8ry
kimani.dommel.be/n3rv3rv
martinezlabalsa.atspace.org/78h8ry
melzer-ferienwohnung.de/78h8ry
mertenitalia.atspace.com/78h8ry
paris82nana.cafe24.com/78h8ry
pixelacker.de/9u8jreve
rakurakutuuhang.web.fc2.com/n3rv3rv
rhodins.nu/n3rv3rv
sandalcraft.cba.pl/9u8jreve
shinryu1226.web.fc2.com/78h8ry
sspbadecz.ugu.pl/9u8jreve
www.amelander.nl/78h8ry
www.arrietayasociados.es/9u8jreve
www.atiyka.home.ro/9u8jreve
www.bobp.org.uk/9u8jreve
www.cabana.it/9u8jreve
www.corama.com/n3rv3rv
www.cs-strumentazione.it/9u8jreve
www.destine.broker.go.ro/n3rv3rv
www.diegofabbri.com/n3rv3rv
www.ecologica2000srl.eu/78h8ry
www.finnform.it/n3rv3rv
www.flamarimports.com.br/n3rv3rv
www.josegbueno.jazztel.es/9u8jreve
www.malzi.mynetcologne.de/n3rv3rv
www.markomielentz.de/78h8ry
www.nieli.de/9u8jreve
www.oliooddo.com/n3rv3rv
www.professionaldga.com/78h8ry
www.suesswarentechniker.de/78h8ry
www.techninov.fr/n3rv3rv
yohollywood.50webs.com/78h8ry
The downloaded binary is Locky ransomware, phoning home to:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
Labels:
Locky,
Malware,
Netherlands,
Ransomware,
Russia,
Spam,
Ukraine,
Viruses,
Voice Mail
Malware spam: "Bank account record" leads to Locky
This fake financial spam leads to malware:
The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attacked is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record" (sample here).
According to the Hybrid Analysis on that script and Malwr report on a partly deobfuscated version the script downloads a binary from:
oleanderhome.com/q59ldt5r
This dropped binary has a detection rate of 5/55 and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2].
The is also traffic to kassa.p0.ru which is more of a puzzle and doesn't look particularly malicious. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs.
If I get more information on this I will post it here.
UPDATE
My trusted source (thank you) gives the following download locations:
211.18.200.4/~tlas021/3rwcozqv
80.241.232.207/fefj1r
agazoumi.com/t30z6j8
alci.dommel.be/clf26lu
amandinearmand.perso.sfr.fr/6piy70m
azmusclemart.com/pb79s
bartocha-photography.com/~fib-naturfoto/99xny
blekitniproba.cba.pl/fo1k6o
chelmy.cba.pl/yv7h2r3
childmoon.web.fc2.com/coy0nl
fcc-thechamps.de/6g5vo1a
garo903.web.fc2.com/2mf4v0
handball-literatur.de/3ua7j
happurg-schulanger.atspace.org/0s6lyu6
hw.srca.org/iwg54jh
impregui.com/h3cywm
inhouserecording.atspace.com/t4wj9316
intracorpwestsidecollection.com/ifs0j92
joslinsalesltd.com/kro1gx
jyoumon.web.fc2.com/7tcec
kenestyonline.com/h782hd
minocki.republika.pl/nvlx7
minocki.republika.pl/s125d6
newt150.tripod.com/4bcsv
oleanderhome.com/q59ldt5r
ratnam.fx.perso.sfr.fr/vtpm9k
senzai.nobu-naga.net/2jv74
smc.psuti.ru/3rcxu
theuniongroup.com/5sv0c
tomart3d.cba.pl/3ivctw
voisin-sa.com/~voisin9689/vnsaumj
vova318.vline.ru/mkmkr
wbbs176.web.fc2.com/20srj
wktkwkbaaan.web.fc2.com/0mm9qx
wn420pjpa.homepage.t-online.de/046ss5
www.13one.de/vz8gl5a
www.astool.com/ljgzai
www.attivita-antroposofiche-roma.org/gpjjr5u
www.damasoinfante.com/7pmfw
www.dukewayne.talktalk.net/todga
www.erikacostruzioni.com/0z1hkf
www.ferresur.es/3k58w8z
www.fotosdelburgo.com/oerwg1
www.frank-nickel.de/7e46f9t5
www.hydroenergie.fr/yzhhkit
www.istruiscus.it/qzdy65b0
www.istruiscus.it/r5ncu
www.kassa.p0.ru
www.snvl-ptrc.go.ro/srhgx
zauber-fred.de/0zth9jfv
C2 servers are the same as found here.
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
Subject: Bank account record
From: Stephen Ford (Ford.24850@aworkofartcontracting.com)
Date: Friday, 29 July 2016, 10:56
Good morning,
Did you forget to finish the Bank account record?
Read the attachment and let me know if there is anything I didn't make clear.
Yours sincerely,
Stephen Ford
57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe
The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attacked is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record" (sample here).
According to the Hybrid Analysis on that script and Malwr report on a partly deobfuscated version the script downloads a binary from:
oleanderhome.com/q59ldt5r
This dropped binary has a detection rate of 5/55 and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2].
The is also traffic to kassa.p0.ru which is more of a puzzle and doesn't look particularly malicious. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs.
If I get more information on this I will post it here.
UPDATE
My trusted source (thank you) gives the following download locations:
211.18.200.4/~tlas021/3rwcozqv
80.241.232.207/fefj1r
agazoumi.com/t30z6j8
alci.dommel.be/clf26lu
amandinearmand.perso.sfr.fr/6piy70m
azmusclemart.com/pb79s
bartocha-photography.com/~fib-naturfoto/99xny
blekitniproba.cba.pl/fo1k6o
chelmy.cba.pl/yv7h2r3
childmoon.web.fc2.com/coy0nl
fcc-thechamps.de/6g5vo1a
garo903.web.fc2.com/2mf4v0
handball-literatur.de/3ua7j
happurg-schulanger.atspace.org/0s6lyu6
hw.srca.org/iwg54jh
impregui.com/h3cywm
inhouserecording.atspace.com/t4wj9316
intracorpwestsidecollection.com/ifs0j92
joslinsalesltd.com/kro1gx
jyoumon.web.fc2.com/7tcec
kenestyonline.com/h782hd
minocki.republika.pl/nvlx7
minocki.republika.pl/s125d6
newt150.tripod.com/4bcsv
oleanderhome.com/q59ldt5r
ratnam.fx.perso.sfr.fr/vtpm9k
senzai.nobu-naga.net/2jv74
smc.psuti.ru/3rcxu
theuniongroup.com/5sv0c
tomart3d.cba.pl/3ivctw
voisin-sa.com/~voisin9689/vnsaumj
vova318.vline.ru/mkmkr
wbbs176.web.fc2.com/20srj
wktkwkbaaan.web.fc2.com/0mm9qx
wn420pjpa.homepage.t-online.de/046ss5
www.13one.de/vz8gl5a
www.astool.com/ljgzai
www.attivita-antroposofiche-roma.org/gpjjr5u
www.damasoinfante.com/7pmfw
www.dukewayne.talktalk.net/todga
www.erikacostruzioni.com/0z1hkf
www.ferresur.es/3k58w8z
www.fotosdelburgo.com/oerwg1
www.frank-nickel.de/7e46f9t5
www.hydroenergie.fr/yzhhkit
www.istruiscus.it/qzdy65b0
www.istruiscus.it/r5ncu
www.kassa.p0.ru
www.snvl-ptrc.go.ro/srhgx
zauber-fred.de/0zth9jfv
C2 servers are the same as found here.
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Thursday 28 July 2016
Malware spam: "Self Billing Statement" / Kathryn Smith [kathryn@powersolutions.com] leads to Locky
This fake financial spam comes with a malicious attachment:
Analysis by a trusted party shows that these scripts download a component from one of the following locations:
apachost.com/j988765
avon-beraterin-mank.de/j988765
cukiernia_izabela.republika.pl/j988765
dawstaw.cba.pl/j988765
gnetgnethouse.web.fc2.com/j988765
gumka.strefa.pl/j988765
kreacjonizm.cba.pl/j988765
levivanesch.nl/j988765
maka.ken-shin.net/j988765
okhtinka.ru.hoster-ok.com/j988765
robertstefan.home.ro/j988765
sardain.fr/j988765
sonomama.kan-be.com/j988765
taityou0615.web.fc2.com/j988765
tolearn.tora.ru/j988765
www.andyschwietzer.homepage.t-online.de/j988765
www.aspadeljaen.com/j988765
www.camelu.com/j988765
www.flagships.de/j988765
www.schwarzer-baer-kastl.de/j988765
www.uasm.de/j988765
This originally dropped this payload since updated to this payload, both of which are Locky ransomware. The C2 servers to block are exactly the same as found in this earlier spam run.
From Kathryn Smith [kathryn@powersolutions.com]I do not know if there is any body text at present. Attached is a file with a name similar to Self Billing Statement_431.zip which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js)
Date Thu, 28 Jul 2016 16:21:41 +0530
Subject Self Billing Statement
Analysis by a trusted party shows that these scripts download a component from one of the following locations:
apachost.com/j988765
avon-beraterin-mank.de/j988765
cukiernia_izabela.republika.pl/j988765
dawstaw.cba.pl/j988765
gnetgnethouse.web.fc2.com/j988765
gumka.strefa.pl/j988765
kreacjonizm.cba.pl/j988765
levivanesch.nl/j988765
maka.ken-shin.net/j988765
okhtinka.ru.hoster-ok.com/j988765
robertstefan.home.ro/j988765
sardain.fr/j988765
sonomama.kan-be.com/j988765
taityou0615.web.fc2.com/j988765
tolearn.tora.ru/j988765
www.andyschwietzer.homepage.t-online.de/j988765
www.aspadeljaen.com/j988765
www.camelu.com/j988765
www.flagships.de/j988765
www.schwarzer-baer-kastl.de/j988765
www.uasm.de/j988765
This originally dropped this payload since updated to this payload, both of which are Locky ransomware. The C2 servers to block are exactly the same as found in this earlier spam run.
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Malware spam: "Please check the attached invoice and confirm me if I sent the right data" leads to Locky
This fake financial spam leads to malware:
The Malwr analysis for the partially deobfuscated script and this Hybrid Analysis show this particular sample downloading from:
83.235.64.44/~typecent/xvsb58
This drops a malicious Locky ransomware binary with a detection rate of 7/55. Analysis of this binary is pending.
UPDATE
Thank you to my usual source for this analysis. The download locations for the various scripts are:
01ad681.netsolhost.com/7j0jlq3
12-land.co.jp/vrquj
178.78.87.8/xjzhm
83.235.64.44/~typecent/xvsb58
arabian-horse-highlights.homepage.t-online.de/kzm2n
bajasae.grupos.usb.ve/4y13jg1
baldwinhistory.portalstream.net/rqbljjx
billy-hanjo.homepage.t-online.de/2r713u
blanquerna.eresmas.net/tt2e8s4
burkersdorf.eu/8y5n3f
campustouren.de/k6tkk
christilipp.com/cnb0o
creartnet.com/5ylah
dev12.gammat.net/oxg2m3
exclusive-closet.com/fld2h8
fremdesland.x.fc2.com/iya9qt
gkxxx.x.fc2.com/dxfom
idd00dnu.eresmas.net/wdmlqe
it4cio.servicos.ws/u8c3x
jozefow.cba.pl/ouini6
karumaengeki.web.fc2.com/f3ry4
kbridge.web.fc2.com/hj1fr
lacrima.ru/hvn1c
luzdevelas.es/9belfi
mbiurorachunkowe.republika.pl/6t6sz
motorkote.org/0gq654
okhtinka.ru.hoster-ok.com/qdiqooeo
papamama.com.sg/zhbepez
piggy.riffle.be/~gniff/r9bzz
robertstefan.home.ro/pycz4o
sav-krelingen.de/36r3qe8
schefman.info/snjqz
slit.xxxxxxxx.jp/l58gd3p
sv-r.ru/btawsoc
www.acheri.it/magii
www.andyschwietzer.homepage.t-online.de/r3a0tw
www.chantale.force9.co.uk/lsyeuw
www.clefranceitalie.org/cj937f7l
www.inari.net/ov5u1k
www.kan-therm.ru/qara9i
www.marinoderosas.com/59nue8uo
www.panella.org/eo9lk
www.rgtalp14.it/ykb84n40
www.ruyssinck-demeyer.be/v4xo5r28
www.schwarzer-baer-kastl.de/tt7ea
www.uasm.de/qwqiyk
yourparty.cba.pl/5avhe
zckupila.republika.pl/m6w6uu5f
C2 locations:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)
Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0
Subject: InvoiceThe name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted".
From: Kendall Harrison (Harrison.59349@chazsmedley.com)
Date: Thursday, 28 July 2016, 10:33
Hello,
Please check the attached invoice and confirm me if I sent the right data
Yours sincerely,
Kendall Harrison
320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3
The Malwr analysis for the partially deobfuscated script and this Hybrid Analysis show this particular sample downloading from:
83.235.64.44/~typecent/xvsb58
This drops a malicious Locky ransomware binary with a detection rate of 7/55. Analysis of this binary is pending.
UPDATE
Thank you to my usual source for this analysis. The download locations for the various scripts are:
01ad681.netsolhost.com/7j0jlq3
12-land.co.jp/vrquj
178.78.87.8/xjzhm
83.235.64.44/~typecent/xvsb58
arabian-horse-highlights.homepage.t-online.de/kzm2n
bajasae.grupos.usb.ve/4y13jg1
baldwinhistory.portalstream.net/rqbljjx
billy-hanjo.homepage.t-online.de/2r713u
blanquerna.eresmas.net/tt2e8s4
burkersdorf.eu/8y5n3f
campustouren.de/k6tkk
christilipp.com/cnb0o
creartnet.com/5ylah
dev12.gammat.net/oxg2m3
exclusive-closet.com/fld2h8
fremdesland.x.fc2.com/iya9qt
gkxxx.x.fc2.com/dxfom
idd00dnu.eresmas.net/wdmlqe
it4cio.servicos.ws/u8c3x
jozefow.cba.pl/ouini6
karumaengeki.web.fc2.com/f3ry4
kbridge.web.fc2.com/hj1fr
lacrima.ru/hvn1c
luzdevelas.es/9belfi
mbiurorachunkowe.republika.pl/6t6sz
motorkote.org/0gq654
okhtinka.ru.hoster-ok.com/qdiqooeo
papamama.com.sg/zhbepez
piggy.riffle.be/~gniff/r9bzz
robertstefan.home.ro/pycz4o
sav-krelingen.de/36r3qe8
schefman.info/snjqz
slit.xxxxxxxx.jp/l58gd3p
sv-r.ru/btawsoc
www.acheri.it/magii
www.andyschwietzer.homepage.t-online.de/r3a0tw
www.chantale.force9.co.uk/lsyeuw
www.clefranceitalie.org/cj937f7l
www.inari.net/ov5u1k
www.kan-therm.ru/qara9i
www.marinoderosas.com/59nue8uo
www.panella.org/eo9lk
www.rgtalp14.it/ykb84n40
www.ruyssinck-demeyer.be/v4xo5r28
www.schwarzer-baer-kastl.de/tt7ea
www.uasm.de/qwqiyk
yourparty.cba.pl/5avhe
zckupila.republika.pl/m6w6uu5f
C2 locations:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)
Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0
Labels:
Germany,
Locky,
Malware,
Netherlands,
Ransomware,
Russia,
Spam,
Viruses
Wednesday 27 July 2016
Malware spam: "Attached is the updated details about the company account you needed"
This spam has a malicious attachment:
beauty-jasmine.ru/6dc2y
There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.
UPDATE
The C2 locations for this variant are:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)
Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30
Subject: updated detailsThe spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:
From: Faith Davidson (Davidson.43198@optimaestate.com)
Date: Wednesday, 27 July 2016, 11:13
Attached is the updated details about the company account you needed
King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be
beauty-jasmine.ru/6dc2y
There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.
UPDATE
The C2 locations for this variant are:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)
Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30
Malware spam: "Sent from my Samsung device" leads to Locky
This spam comes in a few different variations:
The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:
alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765
The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
(Thank you to my usual source for this data)
There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.
Recommended blocklist:
5.9.253.160/27
178.62.232.244
From: Lottie
Date: 27 July 2016 at 10:38
Subject: scan0000510
Sent from my Samsung device
The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:
alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765
The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
(Thank you to my usual source for this data)
There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.
Recommended blocklist:
5.9.253.160/27
178.62.232.244
Labels:
DOC,
Germany,
Hetzner,
Locky,
Malware,
Netherlands,
Ransomware,
Russia,
Spam,
Viruses
Tuesday 26 July 2016
Malware spam: "list of activities" leads to Locky
This fake business spam has a malicious attachment:
akva-sarat.nichost.ru/bokkdolx
There will be many other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55. Further analysis is pending, however it is quite likely that this sample uses the same C2 servers as seen earlier today.
From "Penelope Phelps"The sender's name, company and "Security-ID" vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script that looks like this. This Malwr report and this Hybrid Analysis show this particular sample downloading from:
Date Tue, 26 Jul 2016 23:02:43 +1100
Subject list of activities
Hello,
Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.
Warm regards,
Penelope Phelps
ALLIED MINDS LTD
Security-ID: 4d2c95a750fe26a3560ffddfe374ff5c5c064bd78fea30
akva-sarat.nichost.ru/bokkdolx
There will be many other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55. Further analysis is pending, however it is quite likely that this sample uses the same C2 servers as seen earlier today.
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Malware spam: "Attached Image" leads to Locky
This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.
www.isleofwightcomputerrepairs.talktalk.net/okp987g7v
There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216
From: victim@victimdomain.tldAttached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:
To: victim@victimdomain.tld
Date: 26 July 2016 at 10:27
Subject: Attached Image
**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************
www.isleofwightcomputerrepairs.talktalk.net/okp987g7v
There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216
Monday 25 July 2016
Malware spam: "Emailing: Photo 25-07-2016, 34 80 10" / "Emailing: Document 25-07-2016, 72 35 48"
This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".
An alternative variant comes with a malicious Word document:
This analysis is done by my usual trusted source (thank you). These scripts and macros download a component from one of the following locations:
0urkarachi.atspace.com/7h8gbiuomp
cantrell.biz/7h8gbiuomp
czemarserwis.home.pl/7h8gbiuomp
exploromania4x4club.ro/7h8gbiuomp
finaledithon.web.fc2.com/7h8gbiuomp
koushuen.co.jp/7h8gbiuomp
moehakiba.web.fc2.com/7h8gbiuomp
ostseeurlaub-tk.homepage.t-online.de/7h8gbiuomp
r-p-b.de/7h8gbiuomp
topmanagers.claas.fr/7h8gbiuomp
tpllaw.com/7h8gbiuomp
tutomogiya.web.fc2.com/7h8gbiuomp
vplegat.dk/7h8gbiuomp
www.aproso.de/7h8gbiuomp
www.ciapparelli.com/7h8gbiuomp
www.foto-aeree.it/7h8gbiuomp
www.gruetzi.es/7h8gbiuomp
www.isleofwightcomputerrepairs.talktalk.net/7h8gbiuomp
www.louislechien.net/7h8gbiuomp
www.motoslittetrecime.com/7h8gbiuomp
www.sistronic.com.co/7h8gbiuomp
www.tridi.be/7h8gbiuomp
www.vakantiehuisjeameland.nl/7h8gbiuomp
www.westline.it/7h8gbiuomp
zemlya.web.fc2.com/7h8gbiuomp
The payload here is Locky ransomware, and it phones home to the following addresses:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
From: Rebeca [Rebeca3@victimdomain.tld]
Date: 25 July 2016 at 10:16
Subject: Emailing: Photo 25-07-2016, 34 80 10
Your message is ready to be sent with the following file or link
attachments:
Photo 25-07-2016, 34 80 10
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".
An alternative variant comes with a malicious Word document:
From: Alan [Alan306@victimdomain.tld]The attachment is this case is a .DOCM filed named in a similar way as before.
Date: 25 July 2016 at 12:40
Subject: Emailing: Document 25-07-2016, 72 35 48
Your message is ready to be sent with the following file or link
attachments:
Document 25-07-2016, 72 35 48
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
This analysis is done by my usual trusted source (thank you). These scripts and macros download a component from one of the following locations:
0urkarachi.atspace.com/7h8gbiuomp
cantrell.biz/7h8gbiuomp
czemarserwis.home.pl/7h8gbiuomp
exploromania4x4club.ro/7h8gbiuomp
finaledithon.web.fc2.com/7h8gbiuomp
koushuen.co.jp/7h8gbiuomp
moehakiba.web.fc2.com/7h8gbiuomp
ostseeurlaub-tk.homepage.t-online.de/7h8gbiuomp
r-p-b.de/7h8gbiuomp
topmanagers.claas.fr/7h8gbiuomp
tpllaw.com/7h8gbiuomp
tutomogiya.web.fc2.com/7h8gbiuomp
vplegat.dk/7h8gbiuomp
www.aproso.de/7h8gbiuomp
www.ciapparelli.com/7h8gbiuomp
www.foto-aeree.it/7h8gbiuomp
www.gruetzi.es/7h8gbiuomp
www.isleofwightcomputerrepairs.talktalk.net/7h8gbiuomp
www.louislechien.net/7h8gbiuomp
www.motoslittetrecime.com/7h8gbiuomp
www.sistronic.com.co/7h8gbiuomp
www.tridi.be/7h8gbiuomp
www.vakantiehuisjeameland.nl/7h8gbiuomp
www.westline.it/7h8gbiuomp
zemlya.web.fc2.com/7h8gbiuomp
The payload here is Locky ransomware, and it phones home to the following addresses:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
Subscribe to:
Posts (Atom)