Showing posts with label Russia.

Friday 28 October 2016

Malware spam: "Payment history" leads to Locky

Another morning, another spam run pushing Locky ransomware:

Subject:     Payment history
From:     Theodore Wilkins
Date:     Friday, 28 October 2016, 10:09

The payment history for the first week of October 2016 is attached as you requested.

Please review it and let us know if you have any question.
The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script [pastebin] (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these scripts in these automated analyses [1] [2].

There are many different variants of the script, downloading components from:

2rtt-2rm.ru/grb7c
92hanju.com/utl41nrt
a1plus2.de/ljwxw6vh
accubattery.eu/sjc2at
aegischina.com/yrp6eyv
agrobiciuffa.com.ar/l5e7m6i
allaboutseniors.in/wtm1i0yg
alpha-next.com/ssvmwa
angundoviz.com/lhk96wx
aoteatrial.net/02yls0
aoteatrial.net/142y5x
aoteatrial.net/4865ht
aoteatrial.net/7gojeo
artmusic.dk/izpv2d39
autoreal16.ru/r1j54weq
bachledowka.net/xausf
beauty-link.jp/umjwg8f
bikemielec.com/b7owupi
bircansigorta.com/s84vkrx
blaauw-woonidee.nl/hvlqf9v4
bts-site.nl/fb80j
bumbocubeb.net/04s7752
bumbocubeb.net/163yebg7
bumbocubeb.net/4rjsepe
bumbocubeb.net/8p54eb8
burdur-bld.gov.tr/usl1pm4
buron.dk/t8nh96d
butterflytiger.com/o7eancbx
caraudiogdl.com/zm74gwvw
cavafis.gr/ouyrvo
chanet.jp/mrf40le
chernozem-msk.ru/l5wvp4nc
clinicaharvard.com/umuyki
cmmsrilanka.lk/xztuej9
codelime.net/u9dhbjib
cronos-com.ru/hbxxkshz
dadou0531.com/gych5
dcproduction.fr/wrs9q6
dohere.net/zyme3z
dollheiser.de/v5oqpb4
doogo.com.ar/vw280ik8
drewnianaskrzynka.pl/nfw15wn9
eajhosting.nl/q7jijj3k
edhalper.it/tmnm2v
efb-demarco.de/ywkdd
eflproject.org/vco8bi
egda.pl/unu16fq9
elma.7080.ru/qe3sp3
energiclima.com/sesmgrv4
enzyma.es/lpzd1gev
er-mecanicautomotriz.com/fxlkkv
e-testers.it/jy5ipe3
eurobnr.ro/qd0gn425
euromac.es/oodhs
expert-as.ru/ulfzbh
finahistory.com/jhrni
hellomissdance.com/a03sf
helsby.biz/apwms
hltrader.com/audu4f4o
huodaibbs.com/bqmvde
ilmdesign.com/aos8ly25
joshdult.net/0ia6e4
joshdult.net/3c554n2
joshdult.net/73eqx7oc
joshdult.net/9p4eh
nowon.dk/woqb5j
plookseri.net/097ga
plookseri.net/1s4bzaa1
plookseri.net/5t9nja
plookseri.net/9jyg2s70
shop.ukrtk.com/ck6jfe2e
verdianthy.com/diqlfy1
weddingandfashion.it/djzuf5c
zencart.alpm.gogzmermedia.com/h0woq
zlotysalmo.net/0zx0ken3
zlotysalmo.net/3v8va8ov
zlotysalmo.net/75vepy6f
zlotysalmo.net/9v50aob

(Thank you to my usual source for this data). The malware phones home to:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks.php [hostname: tarasik1.infium.net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks.php (Dunaevskiy Denis Leonidovich, Ukraine)


It also attempts to contact the following URLs which appear to be dead:

pqrifsjpryygmip.pw/linuxsucks.php
uxpxpirusm.xyz/linuxsucks.php
wbaskcsxiffiax.info/linuxsucks.php
kcydflvipqsvqxw.work/linuxsucks.php
haxkbqwyudoeghlhj.biz/linuxsucks.php
mdecrwmtscal.su/linuxsucks.php
pqpmswodyqlbbjmwm.pl/linuxsucks.php
yppsuvfjmnsbi.org/linuxsucks.php
fpeuwdde.xyz/linuxsucks.php
qggdljlijbygeutc.click/linuxsucks.php
juiweirqvt.su/linuxsucks.php
gyhbiuo.ru/linuxsucks.php

A DLL is dropped with a detection rate of 12/57.

Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79

Thursday 27 October 2016

Malware spam: "E-TICKET 41648" leads to Locky

More Locky ransomware today:

From     "Matthew standaloft"
Date     Thu, 27 Oct 2016 15:20:27 +0530
Subject     E-TICKET 41648

Dear Sir ,

Please find the attached E-ticket as per your requested.


Thanks & Regards ,

Matthew standaloft
Attached is a ZIP file containing a randomly-named .WSF script, which downloads more evil from one of the following locations (according to my usual source):

agile-scrum-training.com/g67eihnrv
axzio.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cttcleaning.com/g67eihnrv
dmlevents.com/g67eihnrv
dreamruntech.com/g67eihnrv
dryilmazyildirim.com/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
fullservicetech.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
intomim.com/g67eihnrv
jackpotfutures.com/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
librahost.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
micaraland.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
riverlifechurch.tv/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
vkwelaarts.co.za/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv

This drops a malicious DLL with a detection rate of 9/56. The following C2 servers are contacted:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks.php (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
213.159.214.86/linuxsucks.php (JSC Server, Russia)


Recommended blocklist (also see this other spam run today):
83.217.11.193
91.201.202.12
213.159.214.86 

Malware spam: "This is from the Telephone Company to remind you that your bill is overdue." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Bill overdue
From:     Alexandria Maxwell
Date:     Thursday, 27 October 2016, 9:35

This is from the Telephone Company to remind you that your bill is overdue.

Please see the attached bill for the fine charge.
The sender name varies. Attached is a ZIP file, which in the sample I saw was named detailed_bill_a9ec14342.zip, containing a malicious script [pastebin] detailed bill C43A9.vbs.

The Malwr Report and Hybrid Analysis for that script shows behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download from:

198zc.com/f7ss3oy
3d-schilling.de/jrz8hn
502mm.com/wwe0mac6
88cui.de/rwl8ov
abmelectric.ca/q0o4780r
actiononsports.com/kq0u93a1
aiccard.co.th/dvja1te
alefunny.pl/fksf4
alvida.de/klv2aog3
antiguarelojeria.com/kkzyr
ardnas.nl/f2v5o
art-yoga.myjino.ru/r1es12r
astra-antiques.com/bt32u5
atgem.ch/okl2jok
ayubatikpekalongan.com/cb2it0jj
babilon.by/sws2z1
bachvietxd.com/cbm2v
bathboating.co.uk/fptmhcm
bazalt-gracze.pl/cux57
begbuilders.com/i7ux0sxr
bestseptik.ru/zkmdw66
bibigame.net/ilc753c
bibob-hairshop.nl/fm0tue
bluecuracao.nl/iplibwz
brkos.borec.cz/dwz8li
buypc.ro/vds7o
callideo.fr/msn9ar
casadecandomble.com.br/rhn2dn
cneedu.cn/t1k2wlus
cztaxes.cz/rx19j
dabar.name/hscgqx
dadaniu.cn/o1ws9s
danor.ro/ip9f85t
dicatex.com.ar/tx3or
digicap.net/s6bhb6
dmtya.ru/mpozceu
dont.pl/cvjjw1
dovgan.bclas.ru/gtyvx
dzx800.com/j3sll
dzyncreative.com/o2ilww
ebgboz.nl/pzxc1je
ecentz.com/nvp7s9t
edepolama.com/o56szw
eiskgd.ru/vgvr31
ekofil.pl/o3pp6
elektrik1.ru/vn2q7au
englishukcentral.com/gw59b8
enrico.ru/wqhni
esysports.com/k3qsnhm
favourfinance.com/ouzoy
fbstone.com/gud0y
fengxiaohui.com/k5sqnm
fightsportuk.com/s9e9qdm
flutygoy.net/1b2sy4r
flutygoy.net/48jc5on
flutygoy.net/82okzzkq
flutygoy.net/9vvgvtk
guguhah.com/0w6rv87d
guguhah.com/3mikeq
guguhah.com/7ut2t95
guguhah.com/9bxqzgzo
khstarter.com/fy5cns7
monecouth.net/1gz0ae
monecouth.net/702t90
monecouth.net/8qxfzegf
monecouth.net/atb1yedm
morenaart.com/ng8if4c
njlsyb.com/rp7pn
sozluktr.com/x65mjo
szylbx.com/bgmhcx14
tahradeep.com/0u0zb
tahradeep.com/1tuqd
tahradeep.com/7emuv
tahradeep.com/94rttn
theatosc.net/1clhtqam
theatosc.net/558x66
theatosc.net/8j3wm
theatosc.net/a952l

A DLL is dropped with a detection rate of 11/56, and the malware then phones home to:


91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)


Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150

Wednesday 26 October 2016

Malware spam: "Your order has been proceeded." leads to Locky

This curiously worded spam email leads to Locky ransomware:

Subject:     Your order has been proceeded
From:     Elijah Farrell
Date:     Wednesday, 26 October 2016, 12:41


Your order has been proceeded.

Attached is the invoice for your order 2026326638.

Kindly keep the slip in case you would like to return or state your product's warranty.
The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name.

The various scripts download a component from one of the following locations (thank you to my usual source for this):

198zc.com/vnrymi
3d-schilling.de/ytm08hf
abaffbedip.net/0ec4sb62
abaffbedip.net/1roef5v
abaffbedip.net/5k4oh5
abaffbedip.net/8b0lk2p
actiononsports.com/yduc1
aiccard.co.th/sy7hb7
alefunny.pl/vjjw0
alvida.de/zhw8nw6
antiguarelojeria.com/zg28jio
ayso722.org/ny8s6fn
banana2.jp/zsf0952
begbuilders.com/xjtb9k
bibliocultura.org/hdhwx7sf
bluecuracao.nl/xt8w2p3
bonetti.nl/bqc565q
brkos.borec.cz/skxkk33b
callideo.fr/zwg1d
caulgreet.com/0gxgwa
caulgreet.com/2sqh38d1
caulgreet.com/6o04pdt
caulgreet.com/9gl7t
chuvafeatherstone.com/rve6j
ciscscout.net/rvkbiv3t
cloudafis.com/kpw6h4uh
cngmalaysia.org/f4cda
cpugame.com/r3octl
cryochoice.com/n4801d
dadaniu.cn/cyk9hpr
danor.ro/xnnhp5
dmtya.ru/zqzii
dominoassociates.com/keg4g
dongyigg.com/onirn0r
dont.pl/stuf3
dovgan.bclas.ru/wk7tah
dzyncreative.com/v1djrmn
ecentz.com/sbvv8md
edepolama.com/xlyrh
edu02.ru/nk6z1
entersukses.com/cudm8
ergobois.com/j87ns
esteticapro.com/tje1ya
esysports.com/ybn7qw
exquisiteescape.com/fa8f7fk9
fazendacristal.com/djgyn
fbstone.com/xjlq6
fengxiaohui.com/yulge
filenetp8.info/esg742j9
flw123.com/kygiq6t
gerardfetter.com/fudjm1m
gongzuoshu.com/lojhvcj7
grandfm.com/my98xg7a
guymorgandaily.com/ilgx8tki
hankookm.com/lun77kyf
hfhhk.com/edfwyi1
hotsigns.net/ayxpi
jean-ealogy.com/dauwq7a
khstarter.com/w8811bg
landondavid.com/d5t56y4b
lanmaicao.com/bxyi91
lcmaya.com/d79p8w
mannersfromtheheart.com/cn450b
milianjie.com/dg1ie
morenaart.com/qbwnl
nakedglobal.com/d6s6f
roweliced.net/12fi9dc
roweliced.net/35lz355g
roweliced.net/6vgrs4
roweliced.net/a1f8yb
sheatcatan.com/1cb7jn
sheatcatan.com/3oze6ie
sheatcatan.com/74mqu
sheatcatan.com/awcdu3
titmaius.net/0f7ygeg
titmaius.net/1zsxe
titmaius.net/6g32j
titmaius.net/8u0ie

The downloaded binary then phones home to:

78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)


It also tries to phone home to these URLs which are currently not resolving:

umjjvccteg.biz/linuxsucks.php
hbnatserncelosskp.biz/linuxsucks.php
rqnegynlpkohoohp.pw/linuxsucks.php
ymrorgauixirigj.biz/linuxsucks.php
ayyxamwyvfyqidija.pw/linuxsucks.php
yfjxvok.ru/linuxsucks.php
lbbauqqpynjem.xyz/linuxsucks.php
tnvnmjdyokgyj.pl/linuxsucks.php
hoiedes.pl/linuxsucks.php
toaqabrl.xyz/linuxsucks.php
leacfrc.info/linuxsucks.php
jkjxnrnirmqt.pw/linuxsucks.php

Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225
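The blocklists in these posts mix single addresses with CIDR ranges (78.46.170.64/27, 95.46.98.0/23), and the same /linuxsucks.php phone-home path recurs across many different C2 servers. The following Python is an added example, not code from the blog or its source: it parses C2 lines in the blog's own "host/path [hostname] (org)" layout, normalises the blocklist with the standard-library ipaddress module, and runs a few constructed proxy log lines through both checks. The log format and the client addresses are assumptions made up for the demonstration.

```python
import ipaddress
import re

# Constructed copies of the three live C2 lines listed in the post above.
RAW_C2_LINES = """
78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)
"""

# The post's recommended blocklist: a mix of bare IPs and CIDR ranges.
RAW_BLOCKLIST = """
78.46.170.64/27
95.46.98.0/23
91.226.92.225
"""

# Host (IP or domain) followed by the request path; the rest of the line is annotation.
C2_LINE = re.compile(r"^(?P<host>[^/\s]+)(?P<path>/\S*)")


def parse_c2_lines(text):
    """Return (host, path) pairs from blog-style 'host/path [hostname] (org)' lines."""
    pairs = []
    for line in text.splitlines():
        m = C2_LINE.match(line.strip())
        if m:
            pairs.append((m.group("host"), m.group("path")))
    return pairs


def parse_blocklist(text):
    """Normalise bare IPs and CIDR prefixes into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def ip_is_blocked(ip, networks):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def scan_proxy_log(log_lines, networks, c2_paths):
    """Flag log lines whose destination IP is blocklisted or whose path is a known C2 path.

    Each log line is 'timestamp client_ip dest_ip path status' (a constructed format).
    A known path on an unlisted IP is still reported, because the posts show the
    same /linuxsucks.php path reused across several C2 servers.
    """
    findings = []
    for line in log_lines:
        ts, client, dest, path, _status = line.split()
        reasons = []
        if ip_is_blocked(dest, networks):
            reasons.append("blocklisted_ip")
        if path in c2_paths:
            reasons.append("known_c2_path")
        if reasons:
            findings.append({"time": ts, "client": client, "dest": dest, "reasons": reasons})
    return findings


# Constructed proxy log lines for demonstration; the clients and the last two
# destinations are documentation/test addresses, not real hosts.
SAMPLE_PROXY_LOG = [
    "2016-10-26T12:45:01Z 10.0.0.15 78.46.170.94 /linuxsucks.php 200",
    "2016-10-26T12:45:09Z 10.0.0.15 95.46.99.3 /index.php 200",
    "2016-10-26T12:46:00Z 10.0.0.22 192.0.2.10 /index.html 200",
    "2016-10-26T12:47:12Z 10.0.0.31 203.0.113.7 /linuxsucks.php 404",
]


def demo():
    """Run the sample log through the blocklist and C2-path checks."""
    networks = parse_blocklist(RAW_BLOCKLIST)
    c2_paths = {path for _host, path in parse_c2_lines(RAW_C2_LINES)}
    return scan_proxy_log(SAMPLE_PROXY_LOG, networks, c2_paths)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The second sample line (95.46.99.3) is not in the post at all but sits inside 95.46.98.0/23, which is exactly why the post recommends the range rather than the single address; the fourth line shows a request to the known path on an address nobody has listed yet, which is worth a look on its own.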




Tuesday 25 October 2016

Malware spam: "Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data" leads to Locky

Perhaps minimalist spam works better: there is currently a Locky spam run with one of the subjects Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data plus a number (e.g. "Picture 4"), with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious JavaScript that looks like this [pastebin]. There is no body text.

These automated analyses [1] [2] [3] [4] show that it is Locky. My usual sources tell me that the various scripts download from one of the following locations:

abplhomes.com/g76dbf
alyatater.com/g76dbf
baedalapp.com/g76dbf
beaumontschool.com/g76dbf
blastspraypolish.com/g76dbf
codefinder.co/g76dbf
copperfilters.com/g76dbf
cultural-ecology.com/g76dbf
designera.org/g76dbf
dev.indonesiatextile.id/g76dbf
dwimultimakmur.com/g76dbf
dziennikarze.lo-kolaczyce.pl/g76dbf
easytravelvault.com/g76dbf
elitednadt.com/g76dbf
emreker.com/g76dbf
faisal-ibrahim.info/g76dbf
fpi-canada.com/g76dbf
fresflor.net/g76dbf
gellyrepin.com/g76dbf
himytutor.com/g76dbf
informing.asia/g76dbf
jciindia.in/g76dbf
kantoor.vescolub.nl/g76dbf
kendalpos.com/g76dbf
lamurindo.com/g76dbf
lilxtreme.com/g76dbf
lookbeauty.ir/g76dbf
mahendradesai.net/g76dbf
newdesign.well.pk/g76dbf
nitrogenwebs.com/g76dbf
panaceapeople.com/g76dbf
permars.com/g76dbf
privatestashstorage.com/g76dbf
promo.worldloft.ru/g76dbf
read4change.com/g76dbf
runmyaccounts.ch/g76dbf
rws1.com.au/g76dbf
samuderaciptaraya.com/g76dbf
sendat.vn/g76dbf
shopro.ir/g76dbf
srcc.co.th/g76dbf
swissmades.com/g76dbf
tacunair.com/g76dbf
tciislandguide.com/g76dbf
uatsa.cl/g76dbf
vicampro.com/g76dbf
web.justproductions.co.uk/g76dbf
wivebeday.com/g76dbf
www.fireballindia.com/g76dbf
www.jockytours.com/g76dbf
www.pb2bb2c.com/g76dbf
www.pharmaciela.com/g76dbf

The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh

A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56. The malware then phones home to one of the following locations:

185.127.27.100/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks.php (Volia DataCentre, Ukraine)


The malware also attempts to contact the following locations, all of which seem to be inactive:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221

Monday 24 October 2016

Malware spam: "Complaint letter" leads to Locky

This spam leads to Locky ransomware:

From     "Justine Hodge"
Date     Mon, 24 Oct 2016 19:27:53 +0600
Subject     Complaint letter

Dear [redacted],

Client sent a complaint letter regarding the data file you provided.
The letter is attached.

Please review his concerns carefully and reply him as soon as possible.

Best regards,
Justine Hodge
The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter".
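Both this post and the "Picture 4" post above describe the same lure shape: a subject that is a stock word plus a number, or a themed attachment name such as saved_letter_e154ddcc.zip, wrapping a ZIP whose only content is a .js/.vbs/.wsf script. The Python below is an added example (mine, not the blog's): a mail-gateway style check that builds small constructed ZIPs in memory, lists any script members, and matches the subject and attachment-name patterns quoted in these posts. The stems in THEMED_ZIP and the reason labels are my own; the sample subjects and archive names are constructed from the posts.

```python
import io
import os
import re
import zipfile

# Extensions the Windows Script Host or mshta will run on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Subject pattern from the minimalist run: one stock word plus a number, e.g. "Picture 4".
MINIMAL_SUBJECT = re.compile(
    r"^(Blank|Document|File|Image|img|IMG|Pic|Picture|Scan Data) \d+$")

# Attachment-name pattern from the other runs: a themed stem quoted in the posts,
# an underscore, a short hex string, then .zip (e.g. saved_letter_e154ddcc.zip).
THEMED_ZIP = re.compile(
    r"^(saved_letter|payment_history|order_details|detailed_bill|debit_card)_[0-9a-f]{6,9}\.zip$",
    re.IGNORECASE)


def build_zip(members):
    """Constructed helper: build an in-memory ZIP from {name: bytes} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def script_members(zip_bytes):
    """Names inside the archive that carry a script extension; [] if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]


def classify_message(subject, attachment_name, attachment_bytes):
    """Return the reasons a gateway would hold this message; an empty list means nothing matched."""
    reasons = []
    if MINIMAL_SUBJECT.match(subject):
        reasons.append("minimal_subject")
    if attachment_name.lower().endswith(".zip") and attachment_name[:-4] == subject:
        reasons.append("attachment_named_after_subject")
    if THEMED_ZIP.match(attachment_name):
        reasons.append("themed_zip_name")
    scripts = script_members(attachment_bytes)
    if scripts:
        reasons.append("script_in_zip:" + ",".join(scripts))
    return reasons


# Constructed messages: the script bodies are placeholders, not the real malicious code.
SAMPLES = {
    "picture": ("Picture 4", "Picture 4.zip",
                build_zip({"Picture 4.js": b"// constructed placeholder\n"})),
    "letter": ("Complaint letter", "saved_letter_e154ddcc.zip",
               build_zip({"saved letter 1A2B3C.js": b"// constructed placeholder\n"})),
    "benign": ("Q3 numbers", "q3_numbers.zip",
               build_zip({"q3_numbers.xlsx": b"not a real workbook"})),
    "not_a_zip": ("Invoice", "invoice.zip", b"this is not a zip archive"),
}


def demo():
    """Classify every constructed sample; returns {label: reasons}."""
    return {label: classify_message(*msg) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(label, reasons or "clean")
```

The script-in-ZIP check is the one that carries weight: subjects and archive names change from run to run, but a ZIP whose members are Windows scripts has almost no business reaching a mailbox, and the check survives a corrupt or non-ZIP attachment without raising.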

My source tells me that these scripts download from one of the following locations:

adultmagstore.com/itc0h81
alkanshop.com/zrwcx8om
azaminsaat.com/nyzhvh2c
bwocc.org/dkttu
circolorisveglio.com/dw2hheb
coreywallace.com/qjkrlxp
corployalty.it-strategy.ru/p4icah5h
cruzdemiguel.com/jittrxkr
cz1321.com/zg4c4m
decorvise.com/g7k3n
denas-express.ru/fl5vy16
desthailand.com/wfmaq0az
disneyrentalvillas.com/k2ars5j2
downtownlaoffice.com/ixmh1
DSWRITINGS.ORG/lnf7gv
duvalitatli.com/umx3btc1
executivegolfmanagement.com/qtzsegm6
firephonesex.com/bxuobuam
fjbszl.com/m4q1pmr5
fraildata.net/09rz1jcj
fraildata.net/4s1szk77
fraildata.net/5ti18g
fraildata.net/9b8cba
getitsold.info/cndrdsu9
girlsoffire.com/d2k0b967
GNSTUDIO.NET/sxv6fhqo
greenmedicalgroup.org/dy7s5
gruffcrimp.com/352gr0
gruffcrimp.com/5inrze
gruffcrimp.com/8vzak
gruffcrimp.com/bki56h
gunnisonkoa.com/d5cw6
gzxyz.net/zznej
hetaitop.com/pgq8e
infopea.com/bm747o9
iwebmediasavvy.com/eu7mq36w
jejuep.com/jh7rrgbi
jejui.com/j1ldsf
julianhand.com/hollu
jzmkj.net/y7tf2
kak-vernut-devushku.gq/rwlr9
kirijones.net/2b8fnrqm
kirijones.net/4v7574mp
kirijones.net/66wey
kirijones.net/a2r3pme
lqfrdj.com/rbpkt
luobuma8.com/h5hq2que
myboatplans.net/p8gik2g8
nightpeople.co.il/o8le7
onlysalz.com/xjo100
payrentonline.org/l3mdiv7y
pblossom.com/t78u8
potchnoun.com/06p2vxua
potchnoun.com/38j2xn
potchnoun.com/5ngsn8g5
potchnoun.com/8x2nt
privateclubmag.com/wyztr73
prodesc.net/x7nlxq
relentlesspt.com/faisexor
riyuegu.net/o69ecb
royallife.co.uk/mx5nck
ryanrandom.com/hwv97p8
scope-t.com/loinhgm
sexybliss.co.uk/en8ds7nt
sunproductivity.com/m6ot1
taiyuwanli.com/cpkd9
theleadershipdoc.com/wm1bv
turservice.xaker007.net/k92b92
ukdistributionservices.com/x1397
vowedbutea.net/2f1okfif
vowedbutea.net/5491o
vowedbutea.net/8jtnj8nt
vowedbutea.net/apupuyh3
weekcoupon.com/hggbcg
wjyunfanbs.com/ihku0r53
www.studiorif.ru/toiu7
xn--80aa3c3a.xn--b1aajgfxm2a9g.xn--p1ai/xip5lltq
xn--b1aajgfxm2a9g.xn--p1ai/dxd3v
yourrealestateconnection.us/rlfh0

The malware phones home to the following URLs:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)


The following URLs are also contacted but are not active:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
81.177.22.221



Wednesday 5 October 2016

Malware spam: "Document from.." leads to Locky

I have only received a single sample of this spam; presumably it comes from random senders. There is no body text in my sample.

Subject:     Document from Paige
From:     Paige cuddie (Paige592035@gmail.com)
Date:     Wednesday, 5 October 2016, 9:37 
In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script [pastebin] DOC-20161005-WA0002715.wsf.

Automated analysis [1] [2] shows this sample downloads from:

euple.com/65rfgb?EfTazSrkG=eLKWKtL

There will be many other locations besides this.

Those same reports show the malware (in this case Locky ransomware) phoning home to:

88.214.236.36/apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100/apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)


The sample I found downloaded a legitimate binary from ciscobinary.openh264.org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.

Recommended blocklist:
88.214.236.0/23
109.248.59.0/24


Monday 3 October 2016

Malware spam: "I have shipped your packet. Please check the report enclosed here to view more info."

This spam email leads to Cerber ransomware:

From:    Trevor David
Date:    3 October 2016 at 13:46
Subject:    Pede Industries

Hello
I have shipped your packet. Please check the report enclosed here to view more info.

Word doc password: JqpcGrKK9


Pede Industries
Company names and senders are randomly generated. Attached is a randomly-named .DOT file with password protection. The password protection makes it hard to analyse, but my source tells me that these documents download from:

www.ldlogistic.it/kls.doc
csir.bdx6.siteinternet.com/kls.doc

The dropped malware apparently has an MD5 of 0e7913875724151d8e822add07ec75b2.

Once downloaded, the malware attempts to make a C2 connection to an IP in the range
31.184.234.0/23:6892 (GTO, Montenegro and Virty.io, Russia). I don't know which is the active IP, but blocking the entire /23 might be a good precaution.

Thursday 29 September 2016

Malware spam: "Receipt 103-526" / Receipt.xls

This spam leads to Locky ransomware:

From     rosalyn.gregory@gmail.com
Date     Thu, 29 Sep 2016 21:07:46 +0800
Subject     Receipt 103-526
I cannot tell if there is any body text; however, there is an attachment Receipt.xls which contains malicious code [pastebin] that, in the case of the sample I analysed, downloads a binary from:

opmsk.ru/g76ub76

There will be many other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:

89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

A malicious DLL is dropped with a detection rate of 6/57. Malicious IPs and domains overlap quite a bit with this earlier attack. This version of Locky encrypts files with a .odin extension.

UPDATE - a source indicates these are all the download locations in this attack:

1gouw.com/g76ub76
368lx.com/g76ub76
81millstreet.nl/g76ub76
alliswelltour.com/g76ub76
ampconnect.com/g76ub76
anhsaodem.info/g76ub76
aseandates.com/g76ub76
birthstory.com/g76ub76
cmcomunicacion.es/g76ub76
dedivan.ru/g76ub76
demo.website.pl/g76ub76
econopaginas.com/g76ub76
gadget24.ro/g76ub76
globalremoteservices.com/g76ub76
innogenap.com/g76ub76
juyinggroup.com/g76ub76
kelownatownhomes.com/g76ub76
mediumsize.org/g76ub76
opmsk.ru/g76ub76
parentchildmothergoose.com/g76ub76
parroquiansg.org/g76ub76
slaterarts.com/g76ub76
sonajp.com/g76ub76
studiorif.ru/g76ub76
unforgettabletymes.com/g76ub76

Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132

Malware spam: "Temporarily blocked" leads to Locky

The attachment on this spam email leads to Locky ransomware:

From: "Ambrose Clements"
Subject: Temporarily blocked
Date: Thu, 29 Sep 2016 13:37:53 +0400

Dear [redacted]

this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.

We attached the scan of transactions. Please confirm whether you made these transactions.
Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download from one of the following locations:

0793mobile.com/jetg2
109.73.234.241/dgq01p
18901350711.com/ll0wdsu
365jtoo.com/qw3r7arg
3ddentalimage.com/ytouk6
489ean.com/r2jdxy
51steel.org/s4b5ztgc
59jd.com/ggha9
5i5k.net/j0g1jk3
5iroom.com/vqv5yibr
91ise.info/pcre0ri4
abbiholland.com/f5ioimw
aldohuaman.com/52y3am
antamduc.com/ttbysvp
a-we.com/o0m5ayu
baankonkoh.com/hhon5mma
cielitodrive.com/x8vqc6
columbiaprintingservices.com/u542pjoi
cranioactive.com/l7vb0
cyprusnike.com/kkpno
domaks-dom.ru/mugr3gb1
exonbalai.com/1r1y6so
exonbalai.com/4dnv8
fhgmediaent.com/66aslu
hastarim.com/nyyjoec
immewrood.net/2j4z9px
immewrood.net/52y3am
inspirationbydesire.com/lfmlspp
jetpcl.com/m23gz0tv
joventa.sk/25fkt
jscompuserve.com/sqa5iq4
kayooo.net/67mxndh
khasitez.net/0a5lma5
khasitez.net/2m01898x
kidzvidz.com/miwn5
kitamachiweek.com/khcg0ta4
knigoboz.ru/nessj4k8
londonmusicclub.com/j6ln7cl
mayurinkorat.com/igxbat
ogeedfungo.net/0zqoae
ogeedfungo.net/3n4pwk
olimp-otel.ru/vevfq
pthcu.org/vnqdve7
redegamb.com/25fkt
redegamb.com/4gwca5b
rglogistic.com/var79sa
sewingwholesale.com/o8hn4
supplyglassess.com/gbnfsmh
szaloncukor.net/jelxoi
tolgaustun.com/drnag
touchasoul.org/nha0pkom
unwantedtattoos.co.uk/e1mbgfej
vaidia.com/y6m3en
viptabien.com/al9n7nh
web4-magento.com/cdlp4o
websitedesigncourse.net/p9580
wikichemicals.com/v1x7cfd
wirelessdd.com/692lrr
womenepic.com/89spy93v

The decoded malware then phones home to:

195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo.pw/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
gqackht.biz/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
bgldptjuwwq.org/apache_handler.php
cxnlxkdkxxxt.xyz/apache_handler.php
rcahcieii.work/apache_handler.php
uxaoooxqqyuslylw.click/apache_handler.php
vwktvjgpmpntoso.su/apache_handler.php
upsoxhfqut.work/apache_handler.php
nqchuuvgldmxifjg.click/apache_handler.php
ofoclobdcpeeqw.biz/apache_handler.php
kfvigurtippypgw.pl/apache_handler.php
toescilgrgvtjcac.work/apache_handler.php

Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132




Malware spam: "Bill for documents" / "Bill for papers" / "Bill for parcel" leads to Locky

This spam leads to Locky ransomware. The samples I have seen have no body text, but have subjects in the format:

Bill for documents 31564-29-09-2016
Bill for parcel 08388-28-09-2016
Bill for papers 657-29-09-2016


Each subject has a random number followed by the date. Attached is a RAR archive with a name similar to Bill 657-29-09-2016.rar containing a malicious .js script which downloads a binary from one of the following locations (according to a trusted source):

81millstreet.nl/8g74crec
alamanconsulting.at/8g74crec
aseandates.com/8g74crec
bandbcreuse.com/8g74crec
baraderoteinforma.com.ar/8g74crec
birthstory.com/8g74crec
cafe-bg.com/8g74crec
cmcomunicacion.es/8g74crec
delphinph.com/8g74crec
droukulnad.com/8g74crec
econopaginas.com/8g74crec
eitanbehar.org/8g74crec
g2cteknoloji.com/8g74crec
gadget24.ro/8g74crec
globalremoteservices.com/8g74crec
gomelnaushnik.com/8g74crec
iachovski.com/8g74crec
ingpors.sk/8g74crec
kelownatownhomes.com/8g74crec
lafripouniere.com/8g74crec
mergrain.com/8g74crec
opmsk.ru/8g74crec
parentchildmothergoose.com/8g74crec
parroquiansg.org/8g74crec
pecschool.com/8g74crec
serenadacourt.com/8g74crec
sipcomponents.com/8g74crec
slaterarts.com/8g74crec
smokintech.com/8g74crec
spaciodentalrd.com/8g74crec
sundanceballoons.com/8g74crec
techsilicon.com/8g74crec
teothemes.com/8g74crec
travelinsider.com.au/8g74crec
undiaem.com/8g74crec
unforgettabletymes.com/8g74crec
veganvet.net/8g74crec
victorcasino.com/8g74crec
w3hostingserver.com/8g74crec

The malware then phones home to the following servers:

194.67.208.69/apache_handler.php (Marosnet, Russia)
89.108.83.45/apache_handler.php (Agava, Russia)

Payload detection for the version analysed was 16/56 but there could be an updated payload by now.

Recommended blocklist:
194.67.208.69
89.108.83.45



Wednesday 28 September 2016

Something evil on 69.64.63.77

This appears to be some sort of exploit kit leveraging hacked sites, for example:
[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report. The IP address appears to be a customer of ServerYou:

OrgName:        MegaHosterNetwork
OrgId:          MEGAH
Address:        Zaporozhskogo kazachestva 15
City:           Zaporozhzhe
StateProv:     
PostalCode:     69097
Country:        UA
RegDate:        2012-09-02
Updated:        2012-09-02
Ref:            https://whois.arin.net/rest/org/MEGAH


These other domains are hosted on the same IP:

[donotclick]j8le7s5q745e.org
[donotclick]3wdev4pqfw1u.org
[donotclick]fg1238tq38le.net

All of those domains are registered to:

Registrant Name: sergey muromov
Registrant Organization: sergey muromov
Registrant Street: veteranov 45-87
Registrant City: sank-tpeterburg
Registrant State/Province: leningradckaya
Registrant Postal Code: 458223
Registrant Country: RU
Registrant Phone: +7.66473838987
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: muromov96@bk.ru


It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking.


Locky download and C2 locations 2016-09-28

It's one of those days where I haven't been able to look at Locky much, but here is some analysis of download locations from my usual trusted source.

Binary download locations:

agri-host.us/67fgbcni
bigballsincowtown.com/67fgbcni
deeryarch.me/67fgbcni
dfl210.ru/67fgbcni
dslayer.net/67fgbcni
hasatbey.com/67fgbcni
house-of-quality.com/67fgbcni
intesols.com/67fgbcni
ivankhoo.com/67fgbcni
kolonker.com/67fgbcni
komsutekstil.com/67fgbcni
lucianasaliani.com/67fgbcni
marlonmendieta.com/67fgbcni
muangbouge.com/67fgbcni
naughtypixelads.com/67fgbcni
noorgames.com/67fgbcni
obtenloya.com/67fgbcni
patriciaclarkfinley.com/67fgbcni
permanentmark.sk/67fgbcni
podaripodarok.ru/67fgbcni
ramsdale.org/67fgbcni
rikuzentakata-mpf.org/67fgbcni
sigglab.com/67fgbcni
thehotelandrea.com/67fgbcni
travicoperu.com/67fgbcni
villaangela.info/67fgbcni
wmediatraining.com/67fgbcni
zahrady-landart.sk/67fgbcni
bathecista.com/1xz8pu
bathecista.com/8rjz1fr
bildungsmedien.org/je62fq
casaxavier.com.mx/p5hq150
cdou.ru/mhr53p
centralfirepro.com/sba7l
chimesmedia.com/ecn343f
chole-ray.com/yb1ambd
cydotomasyon.com/o8sh8
cylooks.com/y1kj5y4i
czeladz24.com/qvms47
depersoneelskamer.nl/v2h0o
doorleads.com/d9txgc
drsearsprime-time.com/pzcpg
edunayok.org/i4qnmc13
etustime.com/xa7sajm4
fatquote.net/0znym9
fatquote.net/4kj0ecdq
formationinnovation.net/dvzeb154
galinakireeva.ru/tmdq8o9z
gideroto.com/gtslcf
gonenisi.com/f5f91g1
healingwaterscc.com/souanzj5
hobbydays.ru/rrzvs
housellaw.com/lhfxwgx7
i-mdv.com/yb7rwfj
inchallahrencontre.net/rax72ya
i-school-tutor.com/ucg4c8
izmirisgb.com/dknjf
linoteil.com/1fm2x9
linoteil.com/8ncfzoi
lordalexleon.com/vbsmt6d
mineralhound.com/micmlf
ncbwhb.com/padk5n
nevis-football.com/u7tohi
nvwriter.com/eh4zm
panusnikom.com/k6hk6
pblossom.com/a91a5u
portal.rimpro.ru/s20c5
powercomm.ie/v57lkb
rimiller.com/sw1axrg
roxyperu.com/j6qpb5eb
servisix.com/csavi3l
shendiaoqzj.com/az1j2cq
shinganist.com/hl8he62
softgallery.dk/x5yjlhh
sscsci.com/c761057
styleyate.net/0o9tl6d
styleyate.net/2sn8erda
sunteamvn.com/uda8s
susanthomas.net/mq9ea3
taitong.info/tl6q7zlc
tanerkaplama.com/oa9wr5p
teamindo.com/sfpkv
tzabanga.com/bnxg4hp
vicwulaw.com/vjbql
waspyfauna.com/0vzw8y
waspyfauna.com/4aegrg
xfjt.org/lcwg8o
youtuberankchecker.net/wkmdc

C2s:

176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh.biz/apache_handler.php  [69.195.129.70] (Joe's Datacenter, US)
rluqypf.pw/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk.biz/apache_handler.php  [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap.info/apache_handler.php
kdbbpmrdfnlno.pl/apache_handler.php
jlhxyspgvwcnjb.work/apache_handler.php
dceaordeoe.ru/apache_handler.php
gisydkcsxosyokkuv.work/apache_handler.php
mqlrmom.work/apache_handler.php
wfgtoxqbf.biz/apache_handler.php
ndyevynuwqe.su/apache_handler.php
vgcfwrnfrkkarc.work/apache_handler.php

Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158

Tuesday 27 September 2016

Malware spam: "Attached:Scan(70)" and others lead to Locky

This fake scanned document leads to Locky ransomware:

Subject:     Attached:Scan(70)
From:     Zelma (Zelma937@victimdomain.tld)
To:     victim@victimdomain.tld;
Date:     Tuesday, 27 September 2016, 14:15 

There does not appear to be any body text. My trusted source tells me that the subject is a combination of the words Attached / Copy / File / Emailing and Document / Receipt / Scan plus a random two-digit number. Attached is a ZIP file with a name similar to the subject, containing a malicious .wsf script.

This script then downloads components from one of the following locations:

The payload is Locky ransomware, phoning home to:

Recommended blocklist:
5.196.200.0/24
62.173.154.240
86.110.118.114


Tuesday 20 September 2016

Malware spam: "Tracking data" leads to Locky

This spam has a malicious attachment leading to Locky ransomware:

From:    Loretta Gilmore
Date:    20 September 2016 at 08:31
Subject:    Tracking data


Good afternoon [redacted],

Your item #9122164-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.



The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.


The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name.

Analysis of the attachments is pending.

UPDATE

Hybrid Analysis of various samples [1] [2] [3] [4] shows the script downloading from various locations:

akinave.ru/ckk7y
solenapeak.com/ha4n2
vetchsoda.org/uemmdt
akinave.ru/1e11lhrk


All of these are hosted on:

178.212.131.10 (21 Century Telecom Ltd, Russia)
95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)


The malware then phones home to the following locations:

91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx.xyz/data/info.php  [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)

A DLL is dropped with a detection rate of 13/57.

Recommended blocklist:
178.212.131.10
95.173.164.205
91.223.88.0/24
46.38.52.225
195.64.154.202

Monday 19 September 2016

Malware spam: "Express Parcel service" leads to Locky

This spam has a malicious attachment:

From:    Marla Campbell
Date:    19 September 2016 at 09:09
Subject:    Express Parcel service

Dear [redacted], we have sent your parcel by Express Parcel service.

The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.


Thank you.
Attached is a randomly named ZIP file containing a malicious .js script with a name in the format Express Parcel service ~0A1B2C~.js, plus a junk file named w that seems to contain nothing.

The Hybrid Analysis for one sample shows a download location of:

178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)

There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:

195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra.pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)

It drops a DLL with a detection rate of 8/54.

UPDATE

These Hybrid Analysis reports of other samples [1] [2] [3] [4] [5] show other download locations at:

roxieimshi.com/eppmn
roxieimshi.com/y4lf1neg
foveawaac.net/yjmaazj
foveawaac.net/wzwzjply
merofid.com/zn6mcj


All of these domains are hosted on evil IPs:

178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)


These domains are all related and should be considered malicious:

Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10

91.194.250.131

The last one listed, 91.194.250.131, is part of the update.


Friday 16 September 2016

Locky download locations 2016-09-16

I haven't had a chance to look at Locky today, but here are the current campaign download locations (thanks to my usual source).


The first two lists are legitimate hacked sites; the last list is hosted on the following two IPs, which are definitely worth blocking:


178.212.131.10 (21 Century Telecom Ltd, Russia)
37.200.70.6 (Selectel Ltd, Russia)

Malicious domains to block 2016-09-16

These domains are part of a cluster, some of which are serving the EITEST RIG exploit kit (similar to that described here). They all share nameservers running on 62.75.167.186 and 62.75.167.187.

The EK domains are running on a botnet (those are the ones listed in italics). The other domains seem to serve some other sort of nastiness. The nameserver IPs form part of a range rented from Host Europe Group consisting of the following IPs:

62.75.167.186
62.75.167.187
62.75.167.188
62.75.167.189
62.75.167.190

This is roughly equivalent to 62.75.167.184/29, which might be worth blocking, but note that this won't stop traffic to the EK domains, which are on different IPs. These IPs are allocated to:

person:         Vasiliy Buyanov
address:        Tereshkovoy 37
address:
address:        664000 Irkutsk
address:        Russia
phone:          +7 901 6508840
e-mail:         admin@realhosters.com
nic-hdl:        VB5472-RIPE
remarks:        5408042
abuse-mailbox:  admin@realhosters.com
mnt-by:         BSB-SERVICE-MNT
created:        2015-10-07T08:35:50Z
last-modified:  2015-10-07T08:35:50Z
source:         RIPE
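As an added example (not code from the original post), here is how a blocklist in the form used above, bare IPs mixed with CIDR ranges such as 62.75.167.184/29 and 23.95.106.128/25, can be applied to proxy logs, together with a check for the /apache_handler.php and /data/info.php paths the Locky payload phones home to in these campaigns. The log format, the sample lines and the c2.example hostname are constructed for the example.

```python
# Added example (not from the original post): apply a Locky blocklist of the
# kind given above (bare IPs plus CIDR ranges) to proxy log lines and flag
# check-ins to the Locky C2 paths. Every log line below is constructed.
import ipaddress
import re

BLOCKLIST = [  # entries in the form used in the posts above
    "62.75.167.184/29",   # covers the nameserver IPs 62.75.167.186-190
    "23.95.106.128/25",   # block hosting the Locky download locations
    "51.255.105.0/28",
    "178.212.131.10",
    "37.200.70.6",
    "46.38.52.225",
]
C2_PATHS = ("/apache_handler.php", "/data/info.php")  # Locky phone-home paths
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)")  # ts client method url
SAMPLE_LOG = [  # constructed sample lines; c2.example is a placeholder host
    "2016-09-16T10:01:02 10.0.0.5 GET http://62.75.167.190/",
    "2016-09-16T10:01:09 10.0.0.5 POST http://46.38.52.225/data/info.php",
    "2016-09-16T10:01:15 10.0.0.7 POST http://c2.example/apache_handler.php",
    "2016-09-16T10:02:00 10.0.0.9 GET http://www.example.com/index.html",
]

def compile_blocklist(entries):
    """Parse 'a.b.c.d' and 'a.b.c.d/n' entries into networks; a bare IP
    becomes a /32 so every entry is tested the same way."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_blocked(ip, networks):
    """True if the IP string falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def check_line(line, networks):
    """Return the reasons a log line is suspicious ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Split scheme://host[:port]/path into host and path.
    hostport, _, path = m.group(4).partition("://")[2].partition("/")
    host, path = hostport.split(":")[0], "/" + path
    reasons = []
    try:
        if is_blocked(host, networks):
            reasons.append("dst in blocklist: " + host)
    except ValueError:
        pass  # host is a domain name, not an IP literal
    if any(path.startswith(p) for p in C2_PATHS):
        reasons.append("Locky C2 path: " + path)
    return reasons

def scan_log(lines, networks):
    """Return (line, reasons) for each line that triggers at least one rule."""
    hits = [(l, check_line(l, networks)) for l in lines]
    return [(l, r) for l, r in hits if r]
```

Run scan_log(SAMPLE_LOG, compile_blocklist(BLOCKLIST)) to see the three flagged lines; domain-only C2 hosts are caught by the path rule even when no IP is known for them.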



Tuesday 13 September 2016

Malware spam: "Attached is the tax invoice of your company. Please do the payment in an urgent manner." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Tax invoice
From:     Kris Allison (Allison.5326@resorts.com.mx)
Date:     Tuesday, 13 September 2016, 11:22

Dear Client,

Attached is the tax invoice of your company. Please do the payment in an urgent manner.


Best regards,
Kris Allison
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf script with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:

adzebur.com/dsd7gk  [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
            [78.212.131.10] (21 Century Telecom Ltd, Russia)
            [31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f   [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
            [23.95.106.223] (New Wave Netconnect, US)
            [23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]

The payload then phones home to:


Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71


UPDATE: further analysis gives these other IPs to block:

78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116

Monday 12 September 2016

Malware spam: "Budget report" leads to Locky (and also evil network on 23.95.106.128/25)

This fake financial spam leads to Locky ransomware:

From:    Lauri Gibbs
Date:    12 September 2016 at 15:11
Subject:    Budget report

Hi [redacted],

I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.


With many thanks,
Lauri Gibbs
Attached is a randomly-named ZIP file which, in the sample I saw, contained two identical malicious scripts:

921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js


The scripts are highly obfuscated; however, the Hybrid Analysis and Malwr reports show that they download a component from:

lookbookinghotels.ws/a9sgrrak
trybttr.ws/h71qizc


These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked.

A DLL is dropped with a detection rate of about 8/57 [3] [4] which appears to phone home to:

51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte.ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy.ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)

Incidentally, the registrant information on the bad domains is also very familiar:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:



Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101


UPDATE - 2016/06/13

A list of the sites currently hosted on 23.95.106.128/25 and their SURBL ratings can be found here.