Sponsored by..

Showing posts with label Montenegro. Show all posts
Showing posts with label Montenegro. Show all posts

Monday 3 October 2016

Malware spam: "I have shipped your packet. Please check the report enclosed here to view more info."

This spam email leads to Cerber ransomware:

From:    Trevor David
Date:    3 October 2016 at 13:46
Subject:    Pede Industries

Hello
I have shipped your packet. Please check the report enclosed here to view more info.

Word doc password: JqpcGrKK9


Pede Industries
Company names and senders are randomly generated. Attached is a randomly-named .DOT file with password protection. The password protection makes it hard to analyse, but my source tell me that these documents download from:

www.ldlogistic.it/kls.doc
csir.bdx6.siteinternet.com/kls.doc

The dropped malware apparently has an MD5 of 0e7913875724151d8e822add07ec75b2.

Once downloaded, the malware attempts to make a C2 connection to an IP in the range
31.184.234.0/23:6892 (GTO, Montenegro and Virty.io, Russia). I don't know which is the active IP, but blocking the entire /23 might be a good precaution.

Tuesday 13 September 2016

Malware spam: "Attached is the tax invoice of your company. Please do the payment in an urgent manner." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Tax invoice
From:     Kris Allison (Allison.5326@resorts.com.mx)
Date:     Tuesday, 13 September 2016, 11:22

Dear Client,

Attached is the tax invoice of your company. Please do the payment in an urgent manner.


Best regards,
Kris Allison
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:

adzebur.com/dsd7gk  [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
            [78.212.131.10] (21 Century Telecom Ltd, Russia)
            [31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f   [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
            [23.95.106.223] (New Wave Netconnect, US)
            [23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]

The payload then phones home to:

91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php   [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php   [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php


Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71


UPDATE: further analysis gives these other IPs to block..

78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116

Monday 12 September 2016

Malware spam: "Budget report" leads to Locky (and also evil network on 23.95.106.128/25)

This fake financial spam leads to Locky ransomware:

From:    Lauri Gibbs
Date:    12 September 2016 at 15:11
Subject:    Budget report

Hi [redacted],

I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.


With many thanks,
Lauri Gibbs
Attached is a randomly-named ZIP file which in sample I saw contained two identical malicious scripts:

921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js


The scripts are highly obfuscated however the Hybrid Analysis and Malwr report show that it downloads a component from:

lookbookinghotels.ws/a9sgrrak
trybttr.ws/h71qizc


These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked.

A DLL is dropped with a detection rate of about 8/57 [3] [4] which appears to phone home to:

51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte.ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy.ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)

Incidentally, the registrant information on the bad domains is also very familiar:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:



Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101


UPDATE - 2016/06/13

A list of the sites currently hosted on 23.95.106.128/25 and their SURBL ratings can be found here.



Wednesday 30 March 2016

Malware spam: "Additional Information Needed #869420" leads to ransomware

This spam has a malicious attachment, leading to ransomware.

From:    Joe holdman [holdmanJoe08@seosomerset.co.uk]
Date:    30 March 2016 at 08:55
Subject:    RE: Additional Information Needed #869420


We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipients email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.

An analysis of three scripts [1] [2] [3] shows binary downloads from:

cainabela.com/zFWvTM.exe
downloadroot.com/vU4VAZ.exe
folk.garnet-soft.com/jDFXfL.exe

This binary has a detection rate of 6/56.  Automated analysis [4] [5] shows network traffic to:

93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)


These characteristics are consistent with Locky ransomware.

Recommended blocklist:
93.170.131.108
5.135.76.18
82.146.37.200

Tuesday 29 March 2016

Malware spam: "CCE29032016_00034" / "Sent from my iPhone"

The malware spammers have been busy again today. I haven't had time to look at this massive spam run yet, so I am relying on a trusted third party analysis (thank you!)

These spam emails look like the victim is sending them to themselves (but they aren't). Reference numbers vary a little between emails, but the basic pattern is:

From:    victim
To:    victim
Date:    29 March 2016 at 17:50
Subject:    CCE29032016_00034

Sent from my iPhone

Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:

3r.com.ua/ty43ff333.exe
canadattparts.com/ty43ff333.exe
chilloutplanet.com/ty43ff333.exe
gazoccaz.com/ty43ff333.exe
hindleys.com/ty43ff333.exe
jeweldiva.com/ty43ff333.exe
kandyprive.com/ty43ff333.exe
labonacarn.com/ty43ff333.exe
silvec.com/ty43ff333.exe
tbde.com.vn/ty43ff333.exe
zecapesca.com/ty43ff333.exe


This payload has a detection rate of 4/56. The malware calls back to:

84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
109.234.35.128 (McHost, Russia)


McHost is almost purely a black-hat ISP in my opinion and should be blocked on sight.

Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24

Wednesday 24 February 2016

Evil network: 184.154.28.72/29 (Marko Cipovic / Singlehop) and liveadexchanger.com

liveadexchanger.com is an advertising network with a questionable reputation currently hosted on a Google IP of 146.148.46.20. The WHOIS details are anonymous, never a good sign for an ad network.

Seemingly running ads on the scummiest websites, liveadexchanger.com does things like trying to install fake Flash updates on visitors computers, as can be seen from this URLquery report... you might find the screenshot missing because of the complex URL, so here it is..


That landing page is on alwaysnewsoft.traffic-portal.net (part of an extraordinarily nasty network at 184.154.28.72/29) which then forwards unsuspecting visitors to a fake download at intva31.peripheraltest.info  which you will not be surprised to learn is hosted at the adware-pusher's faviourite host of Amazon AWS.

Of the 567 sites that have been hosted in this /29 (not all are there now), 378 of them are tagged as malicious in some way by Google (67%) and 157 (28%) are also tagged by SURBL as being malicious in some way. Overall then, 74% are marked as malicious by either Google or SURBL, which typically means that they just haven't caught up yet with the other bad domains. The raw data can be seen here [pastebin].

At the time of writing, the following websites appear to be live:

check4free.newperferctupgrade.net
testpc24.onlinelivevideo.org
getsoftnow.onlinelivevideo.org
newsoftready.onlinelivevideo.org
whenupdate.plugin2update.net
alwaysnew.updateforeveryone.net
free2update.newsafeupdatesfree.net
liveupdate.update4free.org
downgradepc.update4free.org
noteupgrade.update4free.org
newupdate.digit-services.org
lastversion.whensoftisclean.org
newupdate.set4newsearchupdate.com
upd24.free247updatetoolnow.com
24check.plugin-search2update.com
check4upgrade.plugin-search2update.com
softwareupdate.plugin-search2update.com
updateauto.theinlinelive.net
newsoftready.set2updatesnen.net
alwaysnewsoft.traffic-portal.net
checksoft.new24checkupgrade.net
legalsoft.perfectsafeupdate.net
checksoft.group4updating.org
checksoft.thesoft4updates.org
netapp.safeplugin-update.org
freedlupd.pcfreeupdates.club
softwareupdate.upgrades4free.org
freechecknow.onlinelivevideo.org
liveupdate.os-update.club
newupdate.update4free.net
checksoft.newsafeupdatesfree.net
workingupdate.digit-services.org
now.how2update4u.com
autoupdate.whenupgradeswork.com
setupgrade.set4freeupdates.xyz
update4soft.searchonly.online
updateauto.forfreeupgrades.org
autoupdate.soft-land.club
soft4update.soft-land.club
updateauto.newvideolive.club
newupdate.portal-update.club
maintainpc.perfectupdater.org
newupdate.downloadsoft24.club

The WHOIS details for this block:
%rwhois V-1.5:003eff:00 rwhois.singlehop.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:ORG-SINGL-8.184-154-28-72/29
network:Auth-Area:184.154.0.0/16
network:IP-Network:184.154.28.72/29
network:Organization:Marko Cipovic
network:Street-Address:Kralja Nikole 33
network:City:Podgorica
network:Postal-Code:81000
network:Country-Code:CS
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20150323
network:Updated:20150323


If you are using domain-based blocklists, this [pastebin] is the list of domains currently or formerly hosted on this block with the subdomains removed. Other than that, I would recommend the following blocklist:

liveadexchanger.com
184.154.28.72/29

Tuesday 15 December 2015

Malware spam: "Invoice Attached" / "Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp."

This fake financial spam has a malicious attachment:

From:    Ernestine Harvey
Date:    15 December 2015 at 11:34
Subject:    Invoice Attached

Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.

Thank you!

Mr. Ernestine Harvey
Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.
The sender name varies randomly, except in the email they are all signed "Mr." even if they have female names, for example:

Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson

The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.

An analysis of five of the attachments [1] [2] [3] [4] [5] shows attempted downloads from:

modern7technologiesx0.tk/x1656/dfiubgh5.exe
forbiddentextmate58.tk/x1656/ctruiovy.exe
temporary777winner777.tk/x1656/fdgbh44b.exe
former12futuristik888.tk/x1656/fdgjbhis75.exe


Note that these are all .TK domains.. and they are all hosted on exactly the same server of 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain of:

servicexmonitoring899.tk

I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.

Anyway, the downloaded binary has a VirusTotal detection rate of 4/55 and the comments indicate that rather surprisingly this is the Nymaim ransomware. The Hybrid Analysis indicates network traffic to xnkhfbc.in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:

41.224.12.178 (Orange Tunisie Internet, Tunisia)
51.255.59.248 (OVH, France)
78.107.46.8 (Corbina Telecom, Russia)
95.173.163.211 (Netinternet, Turkey)
118.102.239.53 (Dishnet, India)
140.116.161.33 (TANET, Taiwan)
185.114.22.214 (Osbil Technology Ltd., Turkey)
192.200.220.42 (Global Frag Networks, US)
200.195.138.156 (Szabo & Buhnemann Ltda, Brazil)
210.150.126.225 (HOSTING-NET, Japan)


There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.

MD5s:
4CADF61E96C2D62292320C556FD34FE6
BBAAAB1245D7EDD40EE501233162110E
6B6C7430D33FE16FAE94162D61AF35DD
79A10791B1690A22AB4D098B9725C5E0
D148440E07434E4823524A03DE3EB12F
79A10791B1690A22AB4D098B9725C5E0
B41205F6AEEEB1AA1FD8E0DCBDDF270E



Recommended blocklist:
31.184.234.5
41.224.12.178
51.255.59.248
78.107.46.8
95.173.163.211
118.102.239.53
140.116.161.33
185.114.22.214
192.200.220.42
200.195.138.156
210.150.126.225
xnkhfbc.in
oxrdmfdis.in


UPDATE

A source tells me (thank you) that  servicexmonitoring899.tk  is now resolving to 78.129.252.19 (iomart, UK) that has also recently hosted these following domains:

google-apsm.in
specre.com
ganduxerdesign.com
www.ganduxerdesign.com
upmisterfliremsnk.net
tornishineynarkkek.org
tornishineynarkkek2.org

Some of these domains are associated with Rovnix.