
Friday 4 March 2016

Malware spam: "Closing bill" / "MyBill [mybill.central@affinitywater.co.uk]"

This fake financial spam does not come from Affinity Water but is instead a simple forgery with a malicious attachment.

From     MyBill [mybill.central@affinitywater.co.uk]
Date     Fri, 04 Mar 2016 14:50:57 +0530
Subject     Closing bill

Dear customer

Please find attached a copy of closing bill as requested.


Kind Regards

Natasha Hawkes
Customer Relations Advisor

affinitywater.co.uk

_________________________________________________________________________

This e-mail
(including any attachments) is confidential and may also be legally privileged or
otherwise protected from disclosure. If you are not the intended recipient of this
e-mail or any parts of it please notify us by reply e-mail or by telephone on 01707
268 111 immediately on receipt and then delete the message from your system. You
should not disclose the contents to any other person, nor take copies nor use it
for any purposes and to do so could be unlawful. The presence of this footnote indicates:
this email message has been tested for the presence of known computer viruses, unless
the email has been encrypted (in part or full) wherein the email will not be checked
for computer viruses. All incoming and outgoing emails may be monitored in line with
current legislation. Affinity Water Limited (Company Number 02546950) is registered
in England and Wales having their registered office, at Tamblin Way, Hatfield, Hertfordshire,
AL10 9EZ. www.affinitywater.co.uk

_____________________________________________________________________________

Attached is a partly randomly-named file, for example 081155545_1735494_18836.xls - the first two numbers are random, the third is always "18836". So far I have seen just two variants of this (there may be more) with detection rates of about 5/56 [1] [2] which according to the Malwr reports [3] [4] download a binary from the following locations:

prettymom.ru/system/logs/vbry73f34f.exe
desean.com.sg/system/logs/vbry73f34f.exe


This binary has a detection rate of 6/56. Analysis is pending; however, this looks like the Dridex banking trojan.

UPDATE 1

The comments in the VirusTotal scan give some more download locations:

2.casino-engine.ru/games/megajack/vbry73f34f.exe
shop-bedep.com/system/logs/vbry73f34f.exe
17.rent-shops.ru/system/logs/vbry73f34f.exe

Curiously "Bedep" is the name of a trojan. These Hybrid Analysis reports [1] [2] [3] show malicious traffic to:

188.165.215.180 (OVH, France)

I strongly recommend that you block traffic to that IP.

UPDATE2

Some additional download locations and C&C servers to block, from another source (thank you!)

jean-daniel.com.ua/system/logs/vbry73f34f.exe
namkeendelights.com/system/logs/vbry73f34f.exe


Overall, some of these download locations look like good candidates for blocking, especially:

81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)


These additional C&C servers have been seen before:

78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57



Tuesday 1 March 2016

Malware spam: "March Invoice" / "Balkan Dream Properties"

This fake financial spam can't make up its mind which month it is for.

From:    Caitlin Velez
Date:    1 March 2016 at 11:50
Subject:    March Invoice

Hi,

Attached is the November invoice.

Thanks!

Caitlin Velez
Customer Service
Balkan Dream Properties
090-157-5969

So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero.

This Malwr report shows that it is the Locky ransomware, downloading a binary from:

intuit.bitdefenderdistributor.info/intrabmw/get.php

This is hosted on a bad webserver at..

93.95.100.141 (Mediasoft ekspert, Russia)

..and it then phones home to..

5.34.183.195 (ITL / UA Servers, Ukraine)

There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..

31.184.197.119 (Petersburg Internet Network ltd., Russia)
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)


Recommended blocklist:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
93.95.100.141


Monday 29 February 2016

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment:
From:    admin [ands21@victimdomain.tld]
Date:    29 February 2016 at 19:05
Subject:    Scanned image

Image data in PDF format has been attached to this email.

The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js. I have seen three different versions of the attached scripts with detection rates of around 1/55 [1] [2] [3]. The Malwr reports for those [4] [5] [6] show download locations at:

www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe
svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution.in.th/system/logs/7ygvtyvb7niim.exe

This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:

51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)


Note that one of the download locations is 404ing. There may be other download locations that I am not aware of; however, I recommend that you block all traffic to:

51.254.19.227
185.14.29.188




Friday 19 February 2016

Malware spam: "Unpaid Invoice #350" / credit control [invoices@thistleremovals.co.uk]

This fake financial spam does not come from Thistle Removals but is instead a simple forgery with a malicious attachment.
From     credit control [invoices@thistleremovals.co.uk]
Date     Fri, 19 Feb 2016 17:52:49 +0200
Subject     Unpaid Invoice #350
Message text

Please see attached letter and a copy of the original invoice.

Attached is a file with a semi-random name, e.g. RG026052317614-SIG.zip, which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).

Third party analysis (thank you) indicates that this then phones home to the following locations:

91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)

The payload is the Locky ransomware.

Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106


Thursday 21 January 2016

Malware spam: "Invoice from COMPANY NAME - 123456"

This spam comes from random senders at random companies with random reference numbers. The attachment is named to reflect those values. For example:

From:    Bettye Davidson
Date:    21 January 2016 at 08:24
Subject:    Invoice from DRAGON OIL - 8454985

 Please find attached a copy of your invoice

 Many Thanks



 Bettye Davidson
 DRAGON OIL


Attachment: DRAGON OIL - inv8454985.DOC

================

From:    Charlotte Atkinson
Date:    21 January 2016 at 08:23
Subject:    Invoice from GULF FINANCE HOUSE - 40610

 Please find attached a copy of your invoice

 Many Thanks



 Charlotte Atkinson
 GULF FINANCE HOUSE

Attachment: GULF FINANCE HOUSE - inv40610.DOC


================

From:    Lucien Drake
Date:    21 January 2016 at 09:26
Subject:    Invoice from HYDROGEN GROUP PLC - 477397

 Please find attached a copy of your invoice

 Many Thanks



 Lucien Drake
 HYDROGEN GROUP PLC

Attachment: HYDROGEN GROUP PLC - inv477397.doc

So far I have seen a couple of different versions of the attachment (VirusTotal [1] [2]) which according to Malwr [3] [4] both download a malicious binary from:

5.189.216.101/dropbox/download.php

This IP belongs to LLHost Inc, Netherlands. You can assume that the IP is malicious.

The dropped binary is named rare.exe, and has an MD5 of e6f67b358009f66f1a4840c1eff19c2e and a detection rate of 4/53. The Malwr report for this shows it phoning home to:

198.50.234.211 (OVH, Canada)

The payload is the Dridex banking trojan, and this behaviour is characteristic of Botnet 120.

Recommended blocklist:
198.50.234.211
5.189.216.101

Tuesday 19 January 2016

Malware spam: "Remittance Advice 1B859E37" / "Bellingham + Stanley"

This fake financial spam does not come from Bellingham + Stanley but is instead a simple forgery with a malicious attachment. Reference numbers and sender names will vary.

From:    Adeline Harrison [HarrisonAdeline20@granjacapital.com.br]
Date:    19 January 2016 at 09:45
Subject:    Remittance Advice 1B859E37

For the attention of Accounts Receivable,

We are attaching an up to date remittance advice detailing the latest payment on your account.

Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.


Kind regards,
Adeline Harrison

Best Regards,

Adeline Harrison
Senior Finance Assistant, Bellingham + Stanley

Bellingham + Stanley
Longfield Road
Tunbridge Wells
Kent, TN2 3EY
United Kingdom
Office: +44 (0) 1892 500406
Fax: +44 (0) 1892 543115
HarrisonAdeline20@granjacapital.com.br
www.bellinghamandstanley.com

I have seen at least four different variations of the attachment, named in the format remittance_advice14DDA974.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show those samples communicating with:

http://179.60.144.19/victor/onopko.php
http://5.34.183.127/victor/onopko.php

Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)


UPDATE 1

This related spam run also downloads from:

91.223.88.206/victor/onopko.php

This is allocated to "Private Person Anton Malyi" in Ukraine.

A file aarab.exe is dropped (MD5 05219ea0aefedc873cecaa1f5100c617) [VT 4/53] which appears to communicate with:

198.50.234.211 (OVH, Canada)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, this attack is consistent with botnet 120.

UPDATE 2

This other Dridex 120 spam run uses different download locations:

46.17.100.209/aleksei/smertin.php
31.131.20.217/aleksei/smertin.php


The dropped "aarab.exe" file is also different, with an MD5 of c19959c2d372a7d40d4ba0f99745f114 and a detection rate of just 2/54.


Recommended blocklist:
198.50.234.211
179.60.144.19
5.34.183.127
91.223.88.206
46.17.100.209
31.131.20.217

Friday 8 January 2016

Malware spam: "Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB"

This fake financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.

From:    Hoyt Fowler
Date:    8 January 2016 at 10:49
Subject:    Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 723A36B7

Total Amount:   GBP 60,00

Due Date:               28.01.2016

If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.


Best Regards
Hoyt Fowler
DSV Road Limited
Scandinavia House
Parkeston, Harwich
Essex, CO12 4QG No.3874882

Tel: 01255 242242
Registered in England
VAT No. GB759894254
Global Transport and Logistics

I have only seen a single sample of this email at present, but if consistent with other similar emails then details such as the sender's name and reference numbers will vary. In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55.

According to this Malwr report, the sample attempts to download a further component:

194.28.84.79/softparade/spanish.php

There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too.

A file named hram.exe is dropped onto the target system with a detection rate of 4/54. The Malwr report indicates that this communicates with:

78.47.119.93 (Hetzner, Germany)

This is a critical IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan.

UPDATE 1

A contact (thank you) let me know of two other download locations:

176.103.62.14/softparade/spanish.php
51.254.51.178/softparade/spanish.php


These are:

176.103.62.14 (PE Ivanov Vitaliy Sergeevich, Ukraine)
51.254.51.178 (OVH, France / Dmitry Shestakov, Russia)

Both those are pretty well-known providers of malware.  I recommend that you block the entire /20 in the first instance and the blocks referenced here in the second.

MD5s:
5ab2a67268b3362802a13594edafbd2e
7d60996dd9293df5eecd07f33207aca8


Recommended blocklist:
78.47.119.93
194.28.84.79
176.103.48.0/20
51.254.51.176/30


UPDATE 2

An updated version of this email is currently being spammed out as of 11.01.16, with a payload identical to this spam run.

Tuesday 22 December 2015

Malware spam: "British Gas - A/c No. 602131633 - New Account" / trinity [trinity@topsource.co.uk]

This fake financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple forgery with a malicious attachment.

From:    trinity [trinity@topsource.co.uk]
Date:    22 December 2015 at 10:36
Subject:    British Gas - A/c No. 602131633 - New Account

Hi ,

Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.

Thanks & Regards,
Pallavi Parvatkar

Trinity Restaurants Accounts Team | TopSource Global Solutions | 020 3002 6203
4th Floor | Marlborough House | 10 Earlham Street | London WC2H 9LN | www.topsource.co.uk


Disclaimer:
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. TopSource does not accept liability for any errors or omissions.

"SAVE PAPER - THINK BEFORE YOU PRINT!"




Attachment: British Gas.doc (92K)

Attached is a file British Gas.doc with a VirusTotal detection rate of 2/54. Analysis of the document is pending; however, it will most likely drop the Dridex banking trojan.

UPDATE

These automated analyses [1] [2] show that the malicious document downloads from:

weddingme.net/786h8yh/87t5fv.exe

This has a VirusTotal detection rate of 3/54. All those reports indicate malicious traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)


The payload looks like Dridex.

MD5s:
cacb79e05cf54490a7067aa1544083fa
c8694f1573a01b8b2cb7b1b502eb9372

Recommended blocklist:
199.7.136.88
151.80.142.33


Monday 21 December 2015

Malware spam: "INVOICE" / "Brenda Howcroft [accounts@swaledalefoods.co.uk]"

This fake financial spam does not come from Swaledale Foods but is instead a simple forgery with a malicious attachment.

From:    Brenda Howcroft [accounts@swaledalefoods.co.uk]
Date:    21 December 2015 at 10:46
Subject:    INVOICE

Your report is attached in DOC format. To load the report, you will need the free Microsoft® Word® reader, available to download at http://www.microsoft.com/


Many thanks,

Brenda Howcroft
Office Manager

t 01756 793335 sales
t 01756 790160 accounts




This email transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please delete it immediately and notify the sender, Any disclosure including copying or distribution of the information contained herein is strictly prohibited. Any opinions, instructions or advice contained in this email may not necessarily be those of the company. Although this email and any attachments are believed to be free of any virus or other defects, which might affect any computer or system it is the responsibility of the recipient to ensure they are virus free. E&OE.


Attachment: Invoice 14702.doc (83K)

Attached is a file Invoice 14702.doc which comes in at least 9 different versions (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8] [9]). I haven't had the chance to analyse them, but my sources say that at least some versions download from the following locations:

110.164.184.28/jh45wf/98i76u6h.exe
getmooresuccess.com/jh45wf/98i76u6h.exe
rahayu-homespa.com/jh45wf/98i76u6h.exe

This dropped file has a detection rate of 6/54. The Hybrid Analysis report plus some other sources indicate network traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is the Dridex banking trojan.

MD5s:
6932A004CE3AD1AD5EA30F43A31B0285
49CF8C70BC4E94F6887ED0CBC426F08C
92B1F1B4BBD864411FA75C951D28EC5D
E4CB705754C93645D3F86F8AF9307769
D409889F92DA9B8D855C0037894A46CC
87CA159B9AEB127F698D2AA28A5BAAC5
C770760C66298301D1BE29E85ECBE971
F2FF5FCE2836025E97691937D6DF579E
6617EAB5B4DD17247DFF1819CA444674
EE57F929672651C1AE238EB7C7A0D734


Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169

Thursday 17 December 2015

Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake TfL spam is meant to have a malicious attachment, but is malformed.

From:    noresponse@cclondon.com
Date:    17 December 2015 at 08:54
Subject:    Email from Transport for London

Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to
read or download this attachment.

If you require Adobe Acrobat Reader this is available at no cost from
the Adobe Website http://www.adobe.com

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

The attachment is not properly formatted and appears as a Base64 section of the email body. What it should be is a malicious document named FR7000609906.doc which has a VirusTotal detection rate of 4/54.

The Malwr analysis of the document indicates that it downloads from:

www.riucreatives.com/65dfg77/kmn653.exe

This has a detection rate of 3/54 and an MD5 of d5e717617400b3c479228fa756277be1. The Malwr report and the Hybrid Analysis report indicate network traffic to:

151.80.142.33 (OVH, France)
117.239.73.244 (Marian International Institute Of Management, India)


The payload is likely to be the Dridex banking trojan.

Recommended blocklist:
151.80.142.33
117.239.73.244

Tuesday 15 December 2015

Tainted network: Dmitry Shestakov / vds24.net on OVH

vds24.net (apparently belonging to "Dmitry Shestakov") is a Russian reseller of OVH servers that has come up on my radar a few times in the past few days [1] [2] [3] in connection with domains supporting Teslacrypt malware and acting as landing pages for the Angler exploit kit.

Curious as to what was hosted on the vds24.net ranges, I set about trying to find out their IP address ranges. This proved to be somewhat difficult as they are spread in little chunks throughout OVH's IP space. I managed to identify:

5.135.58.216/29
5.135.254.224/29

51.254.10.128/29
51.254.162.80/30

51.255.131.64/30
149.202.234.116/30
149.202.234.144/30
149.202.234.188/30

149.202.237.68/30
176.31.24.28/30
178.32.95.152/29
178.33.200.128/26


Then, using a reverse DNS function, I looked up all the domains associated with those ranges (there were a LOT) and then checked which were active plus their SURBL and Google ratings. You can see the results of the analysis here [csv].

There may well be legitimate domains in this range, but out of 1658 domains identified, 1287 (77.6%) are flagged by SURBL as being spammy. Only 11 (0.7%) are identified as malicious, but in reality I believe this to be much higher.
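The survey described above (enumerate the ranges, reverse-resolve every address, score the resulting names) can be scripted. The following is an added example of mine, not the blog author's tooling: it walks the vds24.net ranges listed above, takes the PTR name of each host, and queries SURBL's public multi.surbl.org zone over DNS, where a listed domain answers with 127.0.0.x and the low octet is a bitmask (the malware and phishing bit values used here are taken from SURBL's documentation; treat them as an assumption if that has changed). The resolver functions are injectable so the demo runs offline against constructed PTR and SURBL answers with invented domain names; reducing a hostname to its registrable domain by keeping the last two labels is a simplification, and a Public Suffix List lookup is the correct way to do it.

```python
import ipaddress
import socket

# IP ranges attributed to vds24.net in the post above.
VDS24_RANGES = [
    "5.135.58.216/29", "5.135.254.224/29", "51.254.10.128/29", "51.254.162.80/30",
    "51.255.131.64/30", "149.202.234.116/30", "149.202.234.144/30", "149.202.234.188/30",
    "149.202.237.68/30", "176.31.24.28/30", "178.32.95.152/29", "178.33.200.128/26",
]

SURBL_ZONE = "multi.surbl.org"
SURBL_MW = 16   # malware bit in the low octet of a multi.surbl.org answer (per SURBL docs; assumption)
SURBL_PH = 8    # phishing bit (same caveat)


def registrable_domain(hostname):
    """Simplification: keep the last two labels. A Public Suffix List lookup is the right tool."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def reverse_dns(ip):
    """PTR name for ip, or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror / socket.gaierror are subclasses of OSError
        return None


def surbl_lookup(domain):
    """SURBL bitmask for domain (0 = not listed). NXDOMAIN means not listed."""
    try:
        answer = socket.gethostbyname(f"{domain}.{SURBL_ZONE}")
    except OSError:
        return 0
    if not answer.startswith("127.0.0."):
        return 0             # an unexpected answer (e.g. a captive resolver) is not a listing
    return int(answer.rsplit(".", 1)[1])


def survey(ranges, rdns=reverse_dns, surbl=surbl_lookup):
    """Reverse-resolve every host in the ranges and score each name with SURBL.
    Returns (ip, hostname, bitmask) rows for the addresses that have a PTR record."""
    rows = []
    for cidr in ranges:
        for host in ipaddress.ip_network(cidr).hosts():
            name = rdns(str(host))
            if name is None:
                continue
            rows.append((str(host), name, surbl(registrable_domain(name))))
    return rows


def summarize(rows):
    """Counts and percentage in the same shape as the figures quoted in the post."""
    total = len(rows)
    listed = sum(1 for _, _, bits in rows if bits)
    malware = sum(1 for _, _, bits in rows if bits & SURBL_MW)
    return {
        "domains": total,
        "surbl_listed": listed,
        "surbl_malware": malware,
        "pct_listed": round(100.0 * listed / total, 1) if total else 0.0,
    }


# Constructed offline stand-ins (invented names, not real DNS data) so the
# survey can be demonstrated without network access.
FAKE_PTR = {
    "51.254.10.129": "srv1.example-pharmacy.test",
    "51.254.10.131": "mail.example-lander.test",
    "51.254.10.133": "www.example-clean.test",
}
FAKE_SURBL = {
    "example-pharmacy.test": SURBL_PH,
    "example-lander.test": SURBL_MW | SURBL_PH,
}


def demo():
    """Run the survey over one /29 using the constructed resolvers."""
    rows = survey(["51.254.10.128/29"],
                  rdns=lambda ip: FAKE_PTR.get(ip),
                  surbl=lambda dom: FAKE_SURBL.get(dom, 0))
    return summarize(rows)


if __name__ == "__main__":
    print(demo())                             # offline demo
    # print(summarize(survey(VDS24_RANGES)))  # live run: PTR and SURBL lookups over the network
```

For a live run, query SURBL through your own resolver rather than a large public one (the public mirrors rate-limit and may return nothing to heavy shared resolvers), and remember that a PTR record only tells you what the host operator claims; the forward lookups and SURBL and Google ratings are what the post actually scores on.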

In particular, the following IPs within those ranges seem to be clearly bad from those ratings:

51.254.10.131
51.254.162.81
51.255.131.66
51.255.142.101
149.202.234.190
149.202.237.68
178.33.200.138

I can see 61 active IPs in the vds24.net range, so perhaps it is only a small proportion. However, depending on your network stance, you may want to consider blocking all the IP ranges specified above just to be on the safe side.

UPDATE

One additional range has come to light, connected with the Dridex banking trojan:

51.254.51.176/30



Monday 14 December 2015

Malware spam: "Your order #12345678" / "11 Money Way, Pittsburgh, PA 15226"

This fake financial spam leads to malware:

From:    Giuseppe Sims
Date:    14 December 2015 at 14:19
Subject:    Your order #25333445

Dear Valued Customer,

This letter was sent to you as a formal notice that you are obligated to repay our company the sum of 2,760$ which was advanced to you from our company on October 16, 2015.
Please, find the invoice enclosed down below.

This amount must be repaid until the date of maturity to payment obligation, December 28, 2015 and you have failed to repay our company the same despite repeated requests for this payment.

Thank you in advance for your prompt attention to this matter. We look forward to your remittance. If you have any questions, please do not hesitate to contact us.

Sincerely,
Giuseppe Sims
11 Money Way
Pittsburgh, PA 15226

The sender's name is randomly-generated but is always female. Also random are the order number and value, and there is an attachment in the format invoice_12345678_scan.zip that matches the reference in the document.

Inside that ZIP file is a uniquely generated .JS file in the format invoice_XXXXXX.js or invoice_copy_XXXXXX.js which is highly obfuscated (like this) and deobfuscates to something like this.

The various versions of the script attempt to download a binary from the following location:

miracleworld1.com/80.exe?1

I cannot get this to resolve at the moment; it turns out that the domain was only registered today.

Domain Name:miracleworld1.com
Registry Domain ID:
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: webnic.cc
Updated Date:2015-12-14 21:24:21
Creation Date:2015-12-14 21:21:12
Registrar Registration Expiration Date:2016-12-14 13:21:11
Registrar:WEBCC
Registrar IANA ID:460
Registrar Abuse Contact Email:compliance_abuse@webnic.cc
Registrar Abuse Contact Phone:+603 8996 6799
Domain Status:Active
Registry Registrant ID:
Registrant Name:Eliisa Laukkanen
Registrant Organization:Eliisa Laukkanen
Registrant Street:Etelaesplanadi 89
Registrant City:Ingermaninkyla
Registrant State/Province:Ingermaninkyla
Registrant Postal Code:07810
Registrant Country:FI
Registrant Phone:+358.0460879234
Registrant Phone Ext:
Registrant Fax:+358.0460879234
Registrant Fax Ext:
Registrant Email:bomb@miracleworld1.com

I think they started spamming before the domain records could be pushed out fully. Shame.

Nameservers are DNS1.DONALDDUCKS.IN and DNS2.DONALDDUCKS.IN on 93.189.42.21 (NTCOM, Russia) and 178.33.200.177 (Dmitry Shestakov, Belize / OVH, France) respectively.

Looking at the nameservers, I can see that the following malicious domains are part of the same cluster, and I recommend you block all of them:

gammus.com
miracleworld1.com
soft2webextrain.com


Although I have not been able to acquire the payload, it is almost definitely Teslacrypt.

UPDATE

An updated version of the script is being spammed out that looks like this when deobfuscated. This attempts to download Teslacrypt from the following URLs:

firstwetakemanhat.com/91.exe?1
miracleworld1.com/91.exe?1


This has a detection rate of 4/55. firstwetakemanhat.com was registered just today and is hosted on:


193.150.0.78 (PE Govoruhin Vitaliy Sergeevich, Russia)
84.200.69.60 (Ideal-Hosting UG, Germany)



Nameservers are DNS1.GOGODNS.RU and DNS2.GOGODNS.RU which are hosted on the same two IPs.

The Malwr report shows more details, however this is my recommended blocklist (updated):
193.150.0.78
84.200.69.60 
gammus.com
miracleworld1.com
soft2webextrain.com

firstwetakemanhat.com

Friday 11 December 2015

Malware sites and evil networks to block (2015-12-11)

This group of domains and IPs are related to this Teslacrypt attack, sharing infrastructure with some of the malicious domains in question. In addition to Teslacrypt, some of these are connected with PoSeidon, Pony and Gozi malware.

The analysis [csv] includes SURBL and Google ratings, ISP information and a recommended blocklist.

Malicious domains:
auth-mail.ru
blagooooossss.com
brostosoosossss.com
chromedoors.ru
debatelocator.ru
ggergregre.com
growthtoys.ru
hagurowrob.ru
hedtheresran.ru
listfares.ru
littmahedtbo.ru
mikymaus.in
mytorsmired.ru
poponkia.com
soft2webextrain.com
softextrain64.com
softextrain644.com
toftevenghertbet.ru
wordlease.ru
workcccbiz.in

Partly or wholly malicious IPs:
46.166.168.106
80.87.202.52
96.8.119.3
104.232.34.141
149.202.234.190
176.103.48.223
185.18.53.247
185.118.64.182

Recommended blocklist:
46.166.168.64/26 (Duomenu Centras, UA)
80.87.202.0/24 (JSC Server, RU)
96.8.119.0/27 (New Wave NetConnect, US)
104.232.34.128/27 (Net3 Inc, US)
149.202.234.188/30 (OVH / Dmitry Shestakov, BZ)
176.103.48.0/20 (PE Ivanov Vitaliy Sergeevich, UA)
185.18.53.247 (Fornex Hosting, NL)
185.118.64.176/28 (CloudSol LLC, Russia)

I've blocked traffic to 176.103.48.0/20 for two years with no ill-effects, it seems to be a particularly bad network. There may be a few legitimate sites hosted in these ranges, they would mostly be Russian.. so if you don't usually visit Russian websites then the collateral damage might be acceptable.
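As an added example (not the blog's own tooling), here is how I would consume a blocklist in the format these posts use and check it against connection logs, using only Python's standard library. It parses both bare IPs and CIDR entries (a bare IP becomes a /32), rejects a CIDR whose host bits are set so that a mistyped entry cannot silently become a different block, reproduces the widening the posts do by hand (46.4.239.76 to 46.4.239.64/27, 176.103.62.14 to 176.103.48.0/20) so you can verify an observed IP really falls inside the recommended block, and renders iptables DROP rules. The log lines are constructed for the example; the log format is my own.

```python
import ipaddress
import re

# The 2015-12-11 recommended blocklist above, copied in the post's
# "<ip or cidr> (<provider>, <country>)" format.
BLOCKLIST_TEXT = """\
46.166.168.64/26 (Duomenu Centras, UA)
80.87.202.0/24 (JSC Server, RU)
96.8.119.0/27 (New Wave NetConnect, US)
104.232.34.128/27 (Net3 Inc, US)
149.202.234.188/30 (OVH / Dmitry Shestakov, BZ)
176.103.48.0/20 (PE Ivanov Vitaliy Sergeevich, UA)
185.18.53.247 (Fornex Hosting, NL)
185.118.64.176/28 (CloudSol LLC, Russia)
"""

ENTRY_RX = re.compile(r"^([0-9.]+(?:/\d{1,2})?)\s*(?:\((.*)\))?$")


def parse_blocklist(text):
    """Parse blocklist lines into (network, note) pairs. A bare IP becomes a /32.
    strict=True makes ip_network reject e.g. 46.4.239.76/27 (host bits set), so a
    typo cannot quietly turn into a wider or narrower block than intended."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RX.match(line)
        if not m:
            raise ValueError(f"unparseable blocklist line: {line!r}")
        entries.append((ipaddress.ip_network(m.group(1), strict=True), m.group(2) or ""))
    return entries


def widen(ip, prefixlen):
    """The aligned block of the given size containing ip: widen('46.4.239.76', 27) -> '46.4.239.64/27'."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def match_ip(ip, entries):
    """Return (network, note) of the first entry covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, note in entries:
        if addr in net:
            return net, note
    return None


def scan_log(log_text, entries):
    """Flag outbound connections whose destination is on the blocklist.
    Lines are '<timestamp> <src> <dst>:<port>' (constructed format);
    returns (src, dst, block, note) tuples."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        dst = parts[2].rsplit(":", 1)[0]
        hit = match_ip(dst, entries)
        if hit is not None:
            hits.append((parts[1], dst, str(hit[0]), hit[1]))
    return hits


def iptables_rules(entries, chain="OUTPUT"):
    """Render one DROP rule per entry for the given chain."""
    return [f"iptables -A {chain} -d {net.with_prefixlen} -j DROP" for net, _ in entries]


# Constructed firewall log (not real traffic); destinations chosen to exercise
# the CIDR, exact-IP and no-match cases. 198.51.100.7 is documentation space.
SAMPLE_LOG = """\
2015-12-11T10:01:02Z 10.0.0.15 176.103.62.14:80
2015-12-11T10:01:05Z 10.0.0.15 185.18.53.247:443
2015-12-11T10:02:11Z 10.0.0.22 198.51.100.7:443
2015-12-11T10:02:40Z 10.0.0.22 149.202.234.190:80
"""

if __name__ == "__main__":
    entries = parse_blocklist(BLOCKLIST_TEXT)
    for hit in scan_log(SAMPLE_LOG, entries):
        print("BLOCKED", *hit)
    print("\n".join(iptables_rules(entries)))
```

The strict parse is the check worth keeping: several of the blocklists on this page widen a single observed address to a /20 or /30, and a block that is not aligned to its prefix length is the usual sign that the widening was done by hand and got the base address wrong.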

Monday 30 November 2015

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 

The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the link in the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update.

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)


These nameservers support the following malicious domains:

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


These nameservers support the following malicious domains:

browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com

As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


I recommend that you block the following IPs and/or domains:

52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212

mlewipzrm.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net
browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com
momedefer.pw
prizebrock.pw


Thursday 22 October 2015

Malware spam: "Notice to Appear" / Notice_to_Appear_00800614.zip

This fake legal spam comes with a malicious attachment:

From:    District Court
Date:    22 October 2015 at 19:03
Subject:    Notice to Appear

Notice to Appear,

This is to inform you to appear in the Court on the October 27 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Sincerely,
Michael Newell,
District Clerk.

Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js which looks like this [pastebin]. This obfuscated script translates into something a bit more understandable which clearly references the following domains:

www.flowarrior.com
www.abama.org
littlefacesofpanama-association.com
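
A mail-gateway style check for the trick this attachment relies on (a script inside a zip named to look like a document), added here as an example and not code from the post. The archive it inspects is constructed in memory, and its .doc.js member holds a harmless placeholder comment rather than the real obfuscated script.

```python
import io
import zipfile

# Extensions Windows will execute directly on double-click, and the
# document-looking extensions attackers put in front of them.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
               "exe", "scr", "bat", "cmd", "ps1"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}

def classify_name(filename):
    """Return a reason string if a zip member name looks like an executable
    lure, else None: 'Notice.doc.js' -> decoy extension, 'setup.exe' -> script."""
    base = filename.lower().rsplit("/", 1)[-1]      # strip any directory part
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "script with decoy document extension"
    return "script attachment"

def suspicious_members(zip_bytes):
    """List (member name, reason) for every suspicious file in the archive,
    reading only the central directory and extracting nothing to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample_zip():
    """Constructed archive mirroring the lure's layout; the .js member holds a
    harmless comment, not the real script from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice_to_Appear_00800614.doc.js", "// placeholder\n")
        zf.writestr("readme.txt", "benign text\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"{name}: {reason}")
```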

The Hybrid Analysis report shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55 (possibly Cridex). It references the following IPs as being highly suspect:

91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)

A large number of IPs are queried according to that report:

I have not had the chance to check those individual IP addresses, but I recommend that you block the following two at least:

91.121.108.77
78.24.220.229 


UPDATE 26/10/15:

A slightly revised version of this is circulating:


Notice to Appear,

This is to inform you to appear in the Court on the November 03 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Nathan Andrews,
District Clerk.

The attachment is Notice_to_Appear_000314661.zip which contains a file Notice_to_Appear_000314661.doc.js which has a VirusTotal detection rate of 14/55. According to this Hybrid Analysis report it contacts a LOT of IPs, but these in particular should be blocked:

67.199.5.184 (CrystalTech Web Hosting, US)
78.24.220.229 (TheFirst-RU, Russia)
189.131.94.156 (UniNet, Mexico)
74.10.19.66 (Knox Attorney Service Inc., US)


The following files are dropped (VT reports) [1] [2] [3]

Recommended blocklist:
67.199.5.184
78.24.220.229
189.131.94.156
74.10.19.66
