Sponsored by..

Showing posts with label Singapore. Show all posts
Showing posts with label Singapore. Show all posts

Wednesday 27 April 2016

Malware spam: Message from "RNP0BB8A7" / CLAUDIA MARTINEZ leads to Locky

This Spanish-language spam leads to malware:

From:    CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com]
Date:    27 April 2016 at 16:22
Subject:    Message from "RNP0BB8A7"

Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).

Datos escaneo: 27.04.2016 00:31:10 (+0000)
Preguntas a: soporte@victimdomain.tld
Attached is a  randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:

mebdco.com/8759j3f434
amwal.qa/8759j3f434
ecmacao.com/8759j3f434
lifeiscalling-sports.com/8759j3f434


This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:

absxpintranet.in/8759j3f434
amismaglaj.com.ba/8759j3f434
caegpa.com/8759j3f434
codeaweb.net/8759j3f434
coorgcalling.com/8759j3f434
gedvendo.com/8759j3f434
gedvendo.com.pe/8759j3f434
mc2academy.com/8759j3f434
teyseerlab.com/8759j3f434
www.adgroup.ae/8759j3f434
www.rumbafalcon.com/8759j3f434


This DeepViz report shows the malware phoning home to:

107.170.20.33 (Digital Ocean, US)
139.59.166.196 (Digital Ocean, Singapore)
146.185.155.126 (Digital Ocean, Netherlands)


There's a triple whammy for Digital Ocean! Well done them.

Recommended blocklist:
107.170.20.33
139.59.166.196
146.185.155.126

Malware spam: "Thank you. Our latest price list is attached. For additional information, please contact your local ITT office."

This fake financial spam leads to malware:

From:    Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date:    27 April 2016 at 12:23
Subject:    Price list

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.

Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:

aaacollectionsjewelry.com/ur8fgs
adamauto.nl/gdh46ss
directenergy.tv/l2isd
games-k.ru/n8eis
jurang.tk/n2ysk
lbbc.pt/n8wisd
l-dsk.com/k3isfa
mavrinscorporation.ru/hd7fs
myehelpers.com/j3ykf
onlinecrockpotrecipes.com/k2tspa
pediatriayvacunas.com/q0wps
soccerinsider.net/mys3ks
warcraft-lich-king.ru/i4ospd

haraccountants.co.uk/k9sjf

This downloads Locky ransomware. The executable then phones home to the following servers:

176.114.3.173 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
139.59.166.196 (Digital Ocean, Singapore)
107.170.20.33 (Digital Ocean, US)
146.185.155.126  (Digital Ocean, Netherlands)


Recommended blocklist:
176.114.3.173
139.59.166.196
107.170.20.33
146.185.155.126

Thursday 5 November 2015

Malware spam: "Document from AL-KO" / info@alko.co.uk

This spam does not come from AL-KO but is instead a simple forgery with a malicious attachment:

From     [info@alko.co.uk]
Date     Thu, 05 Nov 2015 16:33:40 +0530
Subject     Document from AL-KO

This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)

Document from AL-KO.doc
Attached is a file Document from AL-KO-01.doc which probably comes in many different versions, but I've only had the chance to run two through analysis. Both are undetected by any AV vendor [1] [2] at present. The structure of the document seems unusual and I am having some difficulties seeing the malicious macros, but these two Hybrid Analysis reports [3] [4] show the macro in action, downloading from:

members.dodo.com.au/~mfranklin17/f75f9juu/009u98j9.exe
www.mazzoni-hardware.de/f75f9juu/009u98j9.exe


There will be other locations too, all downloading the same binary with a detection rate of 4/54 (MD5 39f7827813ac9bc74a4a9176c9e80487) Other automated analyses [5] [6] show network traffic to:

128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
128.199.122.196
75.99.13.123

Tuesday 3 November 2015

Malware spam: "Delivery Confirmation: 0068352929" / "ACUVUE_DEL [ship-confirm@acuvue.com]"

This fake financial spam does not comes from Acuvue, but is instead a simple forgery with a malicious attachment:

From     ACUVUE_DEL [ship-confirm@acuvue.com]
Date     Tue, 03 Nov 2015 12:26:17 +0200
Subject     Delivery Confirmation: 0068352929

PLEASE DO NOT REPLY TO THIS E-MAIL.  IT IS A SYSTEM GENERATED MESSAGE.

Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide
Attached is a file Advance Shipping Notification 0068352929.DOC which my sources (thank you, btw) say comes in four different versions, although I have only seen three (VirusTotal results [1] [2] [3], Hybrid Analysis results [4] [5] [6])  containing a macro that looks like this [pastebin]. The download locations are:

builders-solutions.com/45gce333/097j6h5d.exe
goalaskatours.com/45gce333/097j6h5d.exe
www.frontiernet.net/~propertiespricedtosell/45gce333/097j6h5d.exe
www.prolococopparo.it/45gce333/097j6h5d.exe


This malicious binary has a VirusTotal detection rate of 6/54. That VT report and this Hybrid Analysis report show network communications to the following IPs:

128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
198.74.58.153 (Linode, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)


The payload is most likely to be the Dridex banking trojan.

Recommended blocklist:
128.199.122.196
75.99.13.123
198.74.58.153
221.132.35.56

MD5s:
c6cefd2923164aa14a3bbaf0dfbea669
8de322b1fb6a2cc3cbe237baa8d5f277
110d5fde265cd25842b63b9ec4e57b3c
dcf4314773c61d3dde6226a2d67424e8
274695746758801bfb68f46f79bfb638






Monday 2 November 2015

Malware spam: "Purchase Order 37087-POR" / "Margaret Wimperis [MargaretWimperis@biasbinding.com]"

This fake financial spam does not come from K. Stevens (Leicester) Ltd but is instead a simple forgery with a malicious attachment.

From     Margaret Wimperis [MargaretWimperis@biasbinding.com]
Date     Mon, 02 Nov 2015 18:28:23 +0700
Subject     Purchase Order 37087-POR

Hi
Please confirm receipt of order
Kind regards
Margaret


-----------------------------
K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited. The views expressed by the author are not
necessarily those of  K. Stevens (Leicester) Ltd.

-----------------------------
Attached is a file PORDER.DOC which comes in three different versions (although I only have two samples [1] [2]) containing a malicious macro similar to this one [pastebin], which download a binary from the following locations:

saltup.com/34g3f3g/68k7jh65g.exe
landprosystems.com/34g3f3g/68k7jh65g.exe
jambidaily.com/34g3f3g/68k7jh65g.exe


This binary has a detection rate of 4/55 and according that that VirusTotal report, this reverse.it report this Malwr report it contacts the following IP:

128.199.122.196 (DigitalOcean, Singapore)

I strongly recommend that you block that IP. The payload is likely to be the Dridex banking trojan.

MD5s:
eb7df68bd7eb7cf2968cf541af3472d6
fca7c5a1b7fc754588da67c04d225504
6e07bb7f248492d54fdd604ca29da776
867295e266fc496572e42c9cd6281132


Thursday 29 October 2015

Malware spam: "Documents for Review and Comments" / Pony / eyeseen.net

This fake document scan email has a malicious attachment:

From:    Sarah [johnson@jbrakes.com]
Date:    29 October 2015 at 08:27
Subject:    Documents for Review and Comments

Hi Morning,

Attached are the return documents.

Call me if you need anything.

See you soon. :)


Sarah
The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.

According to various automated analysis tools [1] [2] [3] it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:

eyeseen.net/swift/gate.php

This is hosted on a SoftLayer IP of 198.105.221.5 in Singapore. A quick look at VirusTotal indicates a lot of badness on this IP address, so it is probably one worth blocking.

The payload is Pony / Fareit, which is basically a password stealer.

MD5s:
25a322b9ea5c709c4376bf58527f198a
efc7210f7dbce441f74e3c9f07f28a2e
79ca99c3f751ae334d0340284242e4f6



Tuesday 20 October 2015

Malware spam: "GOMEZ SANCHEZ"[postmail@bellair.net]

This spam comes with a malicious attachment:

From     "GOMEZ SANCHEZ"[postmail@bellair.net]
To    
Date     Tue, 20 Oct 2015 13:14:56 +0430
Subject     victim@victimdomain.tld

Congratulations

Print out the attachment file fill it and return it back by fax or email

Yours Sincerely

GOMEZ SANCHEZ
The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]) contains one of these three malicious macros [1] [2] [3] .

Analysis of the payload is pending, but is likely to be the Dridex banking trojan. Please check back later.

MD5s:
24d9cd4caca15882dc4f142b46a16622
9a10c47dcdd28017afeec5aca2c71191
d63f6150b45227c20901ee887062d8de

UPDATE:

Sources say that the payload is Shifu, not Dridex. So far, three download location have been identified..

ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe

This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:

fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)

I recommend that you block traffic to that IP.

Thursday 9 April 2015

Malware spam: "Matthews, Tina [tina@royalcarson.com]" / "Credit card transaction" / "Royal Wholesale Electric"

This fake financial spam does not come from Royal Wholesale Electric but it is instead a simple forgery with a malicious attachment.
From:    Matthews, Tina [tina@royalcarson.com]
Date:    9 April 2015 at 10:48
Subject:    Credit card transaction

Here is the credit card transaction that you requested.

Tina Matthews
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
310-637-6377 Phone
310-603-9883 Fax
tina@royalcarson.com
Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.

The document is currently undetected by AV vendors and contains a malicious macro [pastebin] which downloads a binary from:

http://onemindgroup.com/366/114

This is saved as %TEMP%\ittext1.5.exe and has a VirusTotal detection rate of 3/49. Automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.230.60.219 (Docker Ltd, Russia)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
87.236.215.103 (OneGbits, Lithuania)
128.199.203.165 (DigitalOcean Cloud, Singapore)
128.135.197.30 (University Of Chicago, US)
185.35.77.160 (Corgi Tech Limited, UK)
46.101.38.178 (Digital Ocean, UK)
95.163.121.51 (Digital Networks CJSC aka DINETHOSTING, Russia)
92.41.107.253 (Hutchison 3G, UK)

According to the Malwr report  is also drops another variant of the downloader [VT 4/57] and a Dridex DLL [VT 4/57].

Recommended blocklist:
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24

MD5s:
03ab12e578664290fa17a1a95abd71c4
48f39c245ec68bdbe6c0c93313bc8f74
90ebd79d1eac439c9c4ee1a056c9e879
62f33c7b850845cb66dcaa69e2af4443



Tuesday 31 March 2015

Malware spam: "Your PO: SP14619" / "Sam S. [sales@alicorp.com]"

This fake financial spam comes with a malicious attachment:

From:    Sam S. [sales@alicorp.com]
Date:    31 March 2015 at 07:45
Subject:    Your PO: SP14619

Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.

A copy of the document is attached

Regards,
New Era Contract Sales Inc.'s Document Exchange Team
In the sample I have seen, the attachment is APIPO1.doc with a VirusTotal detection rate of 5/56, and it contains this malicious macro [pastebin] which downloads a component from:

http://xianshabuchang.com/54/78.exe

which is saved as %TEMP%\kkaddap7b.exe. This malicious executable has a detection rate of 3/56. Various analysis tools [1] [2] [3] show that it phones home to the following IPs:

91.230.60.219 (Docker Ltd / ArtVisio Ltd, Russia)
185.91.175.39 (Webstyle Group LLC / Rohoster / MnogoByte, Russia)
46.101.38.178 (Digital Ocean, Netherlands)
87.236.215.103 (OneGbits, Lithuania)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
128.199.203.165 (DigitalOcean Cloud, Singapore)

According to the Malwr report it drops another version of itself called edg1.exe [VT 2/56] and what appears to be a Dridex DLL [VT 3/56].

Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165

MD5s:
f5ecc500c2b74612e33c0522104fb999
716d1dc7285b017c2dbc146dbb2e319c
2cb0f18ba030c1ab0ed375e4ce9c0342
6218264a6677a37f7e98d8c8bd2c13e9

UPDATE:
A couple of reports from Payload Security [1] [2]  also give some insight into the malware, including an additional but well-known IP to block:

95.163.121.178 (Digital Networks CJSC aka DINETHOSTING, Russia)



Thursday 7 November 2013

"You received a voice mail" spam / Voice_Mail.exe

This fake voice mail spam has a malicious attachment:

Date:      Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From:      Microsoft Outlook [no-reply@victimdomain.net]
Subject:      You received a voice mail

You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
   
Caller-Id:
   
698-333-5643
   
Message-Id:
   
80956-84B-12XGU
   
Email-Id:
   
[redacted]

This e-mail contains a voice message.
Double click on the link to listen the message.

Sent by Microsoft Exchange Server


Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47 and automated analysis tools [1] [2] show an attempted connection to amazingfloorrestoration.com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious.