
Showing posts with label Nymaim. Show all posts

Tuesday 15 December 2015

Malware spam: "Rockspring Remittance Advice - WIRE"

This fake financial spam comes with a malicious attachment:

From:    Kristina Salinas
Date:    15 December 2015 at 14:59
Subject:    Rockspring Remittance Advice - WIRE

Dear Customer,

Please find attached your Remittance Details for the funds that will be deposited to your bank account on December 15th.

Rockspring Capital is now sending through the bank the addenda information including your remit information.

If you are not seeing your addenda information in your bank reporting you may have to contact your local bank representative.

Accounts Payable
Attached is a malicious document with a random name. I have only seen one sample so far, with a VirusTotal detection rate of 3/55. The Malwr report indicates the same behaviour as this earlier spam run, which drops Nymaim ransomware.

Malware spam: "Invoice Attached" / "Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp."

This fake financial spam has a malicious attachment:

From:    Ernestine Harvey
Date:    15 December 2015 at 11:34
Subject:    Invoice Attached

Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.

Thank you!

Mr. Ernestine Harvey
Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.
The sender name varies randomly, but every email is signed "Mr." even when the sender has a female name, for example:

Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson

The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.

An analysis of five of the attachments [1] [2] [3] [4] [5] shows attempted downloads from:

modern7technologiesx0.tk/x1656/dfiubgh5.exe
forbiddentextmate58.tk/x1656/ctruiovy.exe
temporary777winner777.tk/x1656/fdgbh44b.exe
former12futuristik888.tk/x1656/fdgjbhis75.exe


Note that these are all .TK domains, and they are all hosted on exactly the same server, 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain of:

servicexmonitoring899.tk

I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.

Anyway, the downloaded binary has a VirusTotal detection rate of 4/55, and the comments indicate that, rather surprisingly, this is the Nymaim ransomware. The Hybrid Analysis report indicates network traffic to xnkhfbc.in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on a number of other IPs.



There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.

MD5s:



Recommended blocklist:


UPDATE

A source tells me (thank you) that servicexmonitoring899.tk is now resolving to 78.129.252.19 (iomart, UK), which has also recently hosted the following domains:


Some of these domains are associated with Rovnix.

Monday 30 November 2015

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 
The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the email link went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update.

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)


These nameservers support the following malicious domains:


The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


These nameservers support the following malicious domains:


As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)
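
The infrastructure pivots used in both posts above (domains sharing one hosting IP, and domains sharing a nameserver) can be automated over passive-DNS data. The following is an added example, not code from the original posts; the records are constructed to mirror the relationships described above and the (domain, rtype, value) record format is an assumption.

```python
from collections import defaultdict

# Constructed passive-DNS style records (domain, rtype, value) mirroring the
# relationships described in the posts above; the record format is assumed.
RECORDS = [
    ("modern7technologiesx0.tk", "A", "31.184.234.5"),
    ("forbiddentextmate58.tk", "A", "31.184.234.5"),
    ("temporary777winner777.tk", "A", "31.184.234.5"),
    ("former12futuristik888.tk", "A", "31.184.234.5"),
    ("servicexmonitoring899.tk", "A", "31.184.234.5"),
    ("servicexmonitoring899.tk", "A", "78.129.252.19"),
    ("google-apsm.in", "A", "78.129.252.19"),
    ("xnkhfbc.in", "A", "200.195.138.156"),
    ("xnkhfbc.in", "A", "41.224.12.178"),
    ("mlewipzrm.in", "NS", "ns1.rebelleclub.net"),
    ("exstiosgen.com", "NS", "ns1.rebelleclub.net"),
]

def build_indexes(records):
    """Return (value -> domains, domain -> values), keyed on (rtype, value)."""
    by_value, by_domain = defaultdict(set), defaultdict(set)
    for dom, rtype, val in records:
        key = (rtype.upper(), val.lower())
        by_value[key].add(dom.lower())
        by_domain[dom.lower()].add(key)
    return by_value, by_domain

def pivot(seed, records, max_depth=2):
    """Breadth-first pivot from a seed domain through shared A/NS values.
    Returns {domain: depth}; depth 1 shares an IP or nameserver with the seed,
    depth 2 shares one with a depth-1 domain. max_depth limits the spread."""
    by_value, by_domain = build_indexes(records)
    found = {seed.lower(): 0}
    frontier = [seed.lower()]
    for depth in range(1, max_depth + 1):
        nxt = []
        for dom in frontier:
            for key in by_domain[dom]:
                for other in by_value[key]:
                    if other not in found:
                        found[other] = depth
                        nxt.append(other)
        frontier = nxt
    return found

def shared_infrastructure(records, min_domains=2):
    """Values (IP or nameserver) used by at least min_domains domains: the
    candidates for an IP-level block rather than a per-domain one."""
    by_value, _ = build_indexes(records)
    return {key: sorted(doms) for key, doms in by_value.items()
            if len(doms) >= min_domains}
```

Limiting the depth matters on real data: a shared hosting IP or a popular nameserver at depth 2 will pull in legitimate domains, so each hop should be reviewed before anything reaches a blocklist.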


I recommend that you block the following IPs and/or domains:
