Sponsored by..

Showing posts with label Thailand. Show all posts
Showing posts with label Thailand. Show all posts

Tuesday 11 April 2017

Malware spam: "Sprawdź stan przesylki DHL"

This spam targeting Polish victims seems quite widespread. It leads to malware. The email is personalised with the victim's real name which has been harvested from somewhere.

From: DHL Express (Poland) [mailto:biuro@nawigatorxxi.pl]
Sent: Monday, April 10, 2017 7:09 PM
To: [redacted]
Subject: Sprawdź stan przesylki DHL

Sprawdź stan przesylki DHL
Szanowny Kliencie, [redacted]

Informujemy, że w serwisie DHL24 zostało zarejestrowane zlecenie realizacji przesyłki, której jesteś odbiorcą.

Dane zlecenia:
- numer zlecenia:
9653788657

- data złożenia zlecenia:
poniedziałek, 10. kwietnia

Informacje o aktualnym statusie przesyłki znajdziesz na http://dhl24.com.pl/report.html&report=JavaScript&email=[redacted]. (JavaScript Raport)

Niniejsza wiadomość została wygenerowana automatycznie.

Dziękujemy za skorzystanie z naszych usług i aplikacji DHL24.

DHL Parcel (Poland)

UWAGA: Wiadomość ta została wygenerowana automatycznie. Prosimy nie odpowiadać funkcją Reply/Odpowiedz 

The link goes to a malicious Javascript [example here] [Malwr report] which downloads a binary from:

freight.eu.com/download3696 (159.100.181.107 - World Wide Web Hosting LLC, Netherlands)

..this has a detection rate of 10/60. This Malwr report plus observed activity show traffic to the following IPs and ports:

5.196.73.150:443 (OVH, France)
31.220.44.11:8080 (HostHatch, Netherlands)
46.165.212.76:8080 (Leaseweb, Germany)
109.228.13.169:443 (Fasthosts, UK)
119.82.27.246:8080 (Tsukaeru.net, Japan)
173.230.137.155:8080 (Linode, US)
173.255.229.121:443 (Linode, US)
203.121.145.40:8080 (Pacific Internet, Thailand)
206.214.220.79:8080 (ServInt, US)


There may be other phone home locations not observed.

Recommended blocklist:
5.196.73.150
31.220.44.11
46.165.212.76
109.228.13.169
119.82.27.246
159.100.181.107
173.230.137.155
173.255.229.121
203.121.145.40
206.214.220.79





Wednesday 27 January 2016

Malware spam: "Invoice 9210" / Dawn Salter [dawn@mrswebsolutions.com]

This make financial spam is not from MRS Web Solutions Ltd  but is instead a simple forgery with a malicious attachment.

From     Dawn Salter [dawn@mrswebsolutions.com]
Date     Wed, 27 Jan 2016 19:04:27 +0530
Subject     Invoice 9210

Good afternoon

I hope all is good with you.

Please see attached invoice 9210.

Kind regards

Dawn

Dawn Salter
Office Manager

Tel:
DDI:
Web:


+44 (0)1252 616000 / +44 (0)1252 622722
+44 (0)1252 916494
www.mrswebsolutions.com

1 Blue Prior Business Park, Church Crookham, Fleet, Hants, GU52 0RJ


[Google Partner]

[BPMA Chartered Supplier]

[Facebook]

[LinkedIn]

[Twitter]

[Google Plus]


DISCLAIMER: This e-mail and attachments are confidential and are intended solely
for the use of the individual to whom it is addressed. Any views or opinions presented
are solely those of the author and do not necessarily represent those of MRS Web
Solutions Limited. If you are not the intended recipient, be advised that you have
received this e-mail in error and that any use, dissemination, forwarding, printing,
or copying of this e-mail is strictly prohibited. If this transmission is received
in error please notify the sender immediately and delete this message from your e-mail
system. All electronic transmissions to and from MRS Web Solutions Ltd are recorded
and may be monitored.Company Registered in England No. 3900283. VAT GB733622153.


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The attachment is named 9210.doc which I have seen come in three versions (VirusTotal [1] [2] [3]). The Malwr reports for those [4] [5] [6] shows executable download locations at:

www.cityofdavidchurch.org/54t4f4f/7u65j5hg.exe
www.hartrijders.com/54t4f4f/7u65j5hg.exe
grudeal.com/54t4f4f/7u65j5hg.exe


This binary has a detection rate of 1/53 and an MD5 of  9c8b2d84665aeedc1368e9951c07a469. Hybrid Analysis of the binary shows that it phones home to:

119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)

This is the same IP as seen in this earlier spam run, I recommend you block it.

Malware spam: "New Order" / Michelle Ludlow [Michelle.Ludlow@dssmith.com]

This fake financial spam does not come from DS Smith Plc, but is instead a simple forgery with a malicious attachment.

From     Michelle Ludlow [Michelle.Ludlow@dssmith.com]
Date     Wed, 27 Jan 2016 17:27:22 +0800
Subject     New Order

Hi

Please see attached for tomorrow.

Thanks
Michelle Ludlow
Customer Services Co-Ordinator - Packaging Services

Packaging Division
Dodwells Road, Hinckley LE10 3BX, United Kingdom
T +44 (0)1455 892939 F  +44 (0)1455 892924
michelle.ludlow@dssmith.com
www.dssmith.com

This e-mail message is intended solely for the person to whom it is addressed and
may contain confidential or privileged information. If you have received it in error,
please notify us immediately and destroy this e-mail and any attachments. In addition,
you must not disclose, copy, distribute or take any action in reliance on this e-mail
or any attachments. Any views or opinions presented in this e-mail are solely those
of the author and do not necessarily represent those of the company. E-mail may be
susceptible to data corruption, interception, unauthorised amendment, viruses and
unforeseen delays, and we do not accept liability for any such data corruption, interception,
unauthorised amendment, viruses and delays or the consequences thereof. Accordingly,
this e-mail and any attachments are opened at your own risk. DS Smith Plc, registered
in England and Wales (company number 1377658), with its registered office at 350
Euston Road, London, NW1 3AX.
So far I have seen two different variants of the attachment doc4502094035.doc (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a malicious executable from the following locations:

vinagps.net/54t4f4f/7u65j5hg.exe
trendcheckers.com/54t4f4f/7u65j5hg.exe


This binary has a detection rate of 5/53. Those two Malwr reports and the VirusTotal report show the malware phoning home to:

119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)

I strongly recommend that you block traffic to that IP. The payload is probably the Dridex banking trojan and this looks consistent with botnet 220 activity.

Monday 18 January 2016

Malware spam FAIL: "Invoice January" / "A . Baird" [ABaird@jtcp.co.uk]

This fake financial spam does not come from J. Thomson Colour Printers but is instead a simple forgery with a malicious attachment.

From     "A . Baird" [ABaird@jtcp.co.uk]
Date     Mon, 18 Jan 2016 16:17:20 +0530
Subject     Invoice January

Hi,

We have been paid for much later invoices but still have the attached invoice as
outstanding.

Can you please confirm it is on your system and not under query.

Regards


  Alastair Baird
  Financial Controller

 [cid:image001.png@01CEE6A0.2D48E1B0]
  Registered in Scotland 29216
  14 Carnoustie Place
  Glasgow G5 8PB
  Direct Dial: 0141 418 5303
  Tel: 0141 429 1094
  www.jtcp.co.uk

 P Save Paper - Do you really need to print this e-mail?
Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1] [2] [3]. The payload is meant to be the Dridex banking trojan.

If you can get hold of the original message, then it should be possible to locate the faulty Base 64 section which has a leading space in it. Removing the space and decoding the Base 64 would generate the intended malicious message. Obviously, I don't recommend doing that unless who want to decode the malware..

UPDATE

A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:

emirelo.com/786585d/08g7g6r56r.exe
esecon.com.br/786585d/08g7g6r56r.exe
outago.com/786585d/08g7g6r56r.exe


This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54. The same source identifies the following C2 servers whcih are worth blocking:

192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)


Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173



Thursday 19 November 2015

Malware spam: "Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]" / "support@postcodeanywhere.com"

This spam is not from postcodeanywhere.com but is instead a simple forgery with a malicious attachment. Unfortunately, I don't have the body text of the message, the hreaders are:

From     support@postcodeanywhere.com
Date     Thu, 19 Nov 2015 16:20:40 +0300
Subject     Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]
The attachment is EDMUN11118_181859.xls which comes in two different versions (VirusTotal results [1] [2]) which according to these Hybrid Analysis reports [3] [4] download a file from one of the following locations:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe
lapelsbadges.com//8i65h4g53/o97i76u54.exe [file not found]


This has a VirusTotal detection rate of 1/54 and that VirusTotal report indicates it phoning home to:

182.93.220.146 (Ministry Of Education, Thailand)

I strongly recommend that you block that IP address. The payload is the Dridex banking trojan.

MD5s
8e22032e0b5d338ef078f5aaf302fa4c
63e22e87b78f6f82d437c7b622a84945
8aba2ca4fd785759ad2ad262d9c62d2f







Malware spam: "Your Google invoice is ready" / "billing-noreply@google.com"

This fake invoice does not come from Google, but is instead a simple forgery with a malicious attachment:

From:    billing-noreply@google.com
Date:    19 November 2015 at 12:40
Subject:    Your Google invoice is ready

Attached to this email, please find the following invoice:

Invoice number: 1630884720
Due date: 19-Nov-2015
Billing ID: 34979743806


Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@google.com.

Yours Sincerely,
The Google Billing Team


--------------------------
Billing ID: 0349-7974-3806
The attachment is named 1630884720.doc which comes in at least two versions (VirusTotal analysis [1] [2]) and which contains a malicious macro like this [pastebin]).

Analysis of the documents is still pending (please check back), although the payload is almost definitely the Dridex banking trojan.

UPDATE

The Hybrid Analysis of the two documents [1] [2] shows attempted downloads from the following locations:

bhoomiconsultants.com/8i65h4g53/o97i76u54.exe [active]
bhairavraffia.com/8i65h4g53/o97i76u54.exe [file not found]


This binary has a detection rate of 1/54 and those reports indicate malicious network traffic to the familiar IP address of:


182.93.220.146 (Ministry of Education, Thailand)

I strongly recommend that you block traffic to that IP.

Malware spam: "[Shipping notification] N3043597 (PB UK)" / "noreply@cevalogistics.com"

This rather terse spam does not come from Ceva Logistics but is instead a simple forgery with a malicious attachment.

From:    noreply@cevalogistics.com
Date:    19 November 2015 at 10:27
Subject:    [Shipping notification] N3043597 (PB UK)
There is no body text and the "N" number is randomly generated. All samples I have seen contain a file called shipping-notification.xls which is in the same in all cases, containing this malicious macro [pastebin] and it has a VirusTotal detection rate of 2/54. The comments on that VirusTotal report plus this Hybrid Analysis report indicate a malicious binary is downloaded from:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe

This has an MD5 of e0d24cac5fb16c737f5f016e54292388 and a detection rate of 2/54 and this Hybrid Analysis report shows malicious traffic to the following IP (which I recommend you block):

182.93.220.146 (Ministry of Education, Thailand)


The payload is almost definitely the Dridex banking trojan.

Wednesday 18 November 2015

Malware spam: "Receipt" / "Mike" [mike@xencourier.co.uk]

This fake financial spam does not come from Xen Courier but is instead a simple forgery with a malicous attachment:

From     "Mike " [mike@xencourier.co.uk]
Date     Wed, 18 Nov 2015 14:46:28 +0200
Subject     Receipt

Hi

Here is your credit card receipt attached. VAT invoice to follw in due
course.

Best regards

Mike

---
This email is free from viruses and malware because avast! Antivirus protection is
active.
http://www.avast.com
Despite the disclaimer, this is in no way free of viruses. Instead, it has a malicious attachment scan0001.xls which appears to come in at least three different versions with the following MD5s:

b8f5c889658cac07e810998aaa582d76
798c8a2a2d2fb658d4cea1fd60aff6b9
4592d152fcd1c3ea128b7b9e7224bf69


These contain a malicious macro that looks like this [pastebin] and the documents themselves have a VirusTotal detection rate of around 10/55 [1] [2] [3] and which according to these Hybrid Analysis reports [4] [5] [6] they attempt to download a malicious binary from the following locations:

www.eurocontainers.it/h64gf3/89j6cx.exe
www.asnp.it/h64gf3/89j6cx.exe
www.samsoncontrols.co.uk/h64gf3/89j6cx.exe [file not found]


This binary has a detection rate of 7/54 and that VirusTotal report and this Malwr report both indication malicious network traffic to:

203.172.180.195 (Ministry Of Education, Thailand)

That binary has the MD5 of:

6581b83c82ef4a2d940976a47550fb2c

 The payload is likely to be the Dridex banking trojan.

Monday 16 November 2015

Malware spam: "DoT Payment Receipt" / "donotreply@transport.gov.uk"

This fake financial spam has a malicious attachment:

From: donotreply@transport.gov.uk [mailto:donotreply@transport.gov.uk]
Sent: Monday, November 16, 2015 12:10 PM
To: redacted
Subject: DoT Payment Receipt

[Automated message. Do not reply]

Thank you for your payment.  It is important that you print this receipt and record the receipt number as proof of your payment. You may be asked to provide your receipt details should you have an enquiry regarding this payment.

DISCLAIMER

This email and any attachments are confidential and may contain legally privileged and/or copyright material.  You should not read, copy, use or disclose any of the information contained in this email without authorisation.  If you have received it in error please contact us at once by return email and then delete both emails.  There is no warranty that this email is error or virus free.

I haven't seen this myself, but some contacts (thank you!) have. Attached is a file PaymentReceipt.xls which comes in several different versions, the sample I saw contained this malicious macro and had a VirusTotal detection rate of 5/54. According to my sources, the different versions download a malicious binary from one of the following:

gospi.eu/~gospi/45yfqfwg/6ugesgsg.exe
piotrektest.cba.pl/45yfqfwg/6ugesgsg.exe
wmdrewniana8.cba.pl/45yfqfwg/6ugesgsg.exe
www.kolumbus.fi/~kf0963/45yfqfwg/6ugesgsg.exe


This binary has a detection rate of 3/53 and that VirusTotal report and this Malwr report indicates malicious traffic to:

182.93.220.146 (Ministry Of Education, Thailand)
78.47.66.169 (Hetzner, Germany)
89.108.71.148 (Agava, Ltd)
221.132.35.56 (Post And Telecom Company, Vietnam)


The payload is the Dridex banking trojan.

MD5s:

e25a05d3fecceb14667048c07494d65f 
32f3495cb945448a9868c5fe653b8d7e
a5dd075bd48d16a3ad13c06651b0af10
ef3805be4797271a2a9c8552f77866c1
f2b78be5e8b52976f69b076338757146

Recommended blocklist:
cba.pl
182.93.220.146
78.47.66.169
89.108.71.148
221.132.35.56

Thursday 12 November 2015

Malware spam: "Remittance Advice" / "AccountsPayable@Norfolk.gov.uk"

This fake financial spam does not come from Norfolk County Council but is instead a simple forgery with a a malicious attachment:

From     AccountsPayable@Norfolk.gov.uk
Date     Thu, 12 Nov 2015 14:09:46 +0430
Subject     Remittance Advice

Dear Sir/Madam,

Please find attached your remittance advice.

Regards,
NCC

--
To see our email disclaimer click here http://www.norfolk.gov.uk/emaildisclaimer
Attached is a file 6134443_101115_141851.xls which apparently comes in two or three versions, although I have only seen one with a VirusTotal detection rate of 3/54 and containing this malicious macro.

These documents then download a malicious binary from:

aniretak.wz.cz/5t546523/lhf3f334f.exe
sanoko.jp/5t546523/lhf3f334f.exe

 www.delianfoods.com/5t546523/lhf3f334f.exe

This binary has a VirusTotal detection rate of 3/54, and that report plus this Hybrid Analysis report show malicious traffic to:

95.154.203.249 (Iomart Hosting / Rapidswitch, UK)
182.93.220.146 (Ministry of Education, Thailand)

The payload is the Dridex banking trojan.

Recommended blocklist:
95.154.203.249
182.93.220.146

MD5s:
289af95f99f58c751a7d1d0a26d7cdb3
becb1cdbd1c1aea53260c2ed96eb6ee2
d020bfed9f93636114b9736100a9b59f
5173aaa2f5aa40df7ffa772eeaa0d1f7




Wednesday 11 November 2015

Malware spam: "Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584" / "accounts@equip4work.co.uk"

This fake invoice does not come from OfficeFurnitureOnline.co.uk but is instead a simple forgery with a malicious attachment.
From     accounts [accounts@equip4work.co.uk]
Date     Wed, 11 Nov 2015 14:54:33 +0400
Subject     Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584

Please find attached a sales invoice from OfficeFurnitureOnline.co.uk.

This email address is only for account enquiries, please check your confirmation
for any information regarding the order details or delivery lead times.

Thank you for your order.
Attached is a file SI823610.XLS which I have seen only one version of in several samples of the email. Usually there are different variants. In this case, the spreadsheet contains this malicious macro [pastebin] and has a VirusTotal score of 4/54. According to this Hybrid Analysis report it then downloads a malicious binary from:

kdojinyhb.wz.cz/87yte55/6t45eyv.exe

In turn, this binary has a detection rate of zero. Those two reports plus this Malwr report show between them malicious traffic to the following IPs:

95.154.203.249 (Iomart / Rapidswitch, UK)
182.93.220.146 (Ministry Of Education, Thailand)
89.32.145.12 (Elvsoft SRL / Coreix , Romania / UK)


The payload is the Dridex banking trojan.

Recommended blocklist:
95.154.203.249
182.93.220.146
89.32.145.12
wz.cz

MD5s:
37ceca4ac82d0ade9bac811217590ecd
01638daf6dfb757f9a27b3e8124b3324


Monday 8 June 2015

Malware spam: "Bank payment" / "sarah@hairandhealth.co.uk"

This fake financial spam does not come from SBP Hair and Health but is a simple forgery with a malicious attachment.
From: sarah@hairandhealth.co.uk [mailto:sarah@hairandhealth.co.uk]
Sent: Monday, June 08, 2015 10:10 AM
Subject: Bank payment

Dear customer

Please find attached a bank payment for £3083.10 dated 10th June 2015 to pay invoice 1757.  With thanks.

Kind regards

Sarah
Accounts
Attached is a file Bank payment 100615.pdf [VT 2/57] which appears to drop a Word document with a malicious macro. Although there are probably several versions of this attachment, according to the Hybrid Analysis report it downloads a component from:

192.186.217.68/~banobatwo/15/10.exe

This is saved as %TEMP%\biksampc.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] indicate network traffic to the following IPs:

146.185.128.226 (Digital Ocean, Netherlands)
31.186.99.250 (Selectel, Russia)
176.99.6.10 (Global Telecommunications Ltd, Russia)
203.151.94.120 (Internet Thailand Company Limited, Thailand)
185.12.95.40 (RuWeb, Russia)

The Malwr report indicates that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40

MD5s:
48d496afc9c2c123e1ab0c72822a7975
6cbd6126b5761efffbe10dafaa7a4bde
2e499cacb5b3a396a3b2a08bd0f4ce1e

Thursday 9 April 2015

Malware spam: "Matthews, Tina [tina@royalcarson.com]" / "Credit card transaction" / "Royal Wholesale Electric"

This fake financial spam does not come from Royal Wholesale Electric but it is instead a simple forgery with a malicious attachment.
From:    Matthews, Tina [tina@royalcarson.com]
Date:    9 April 2015 at 10:48
Subject:    Credit card transaction

Here is the credit card transaction that you requested.

Tina Matthews
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
310-637-6377 Phone
310-603-9883 Fax
tina@royalcarson.com
Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.

The document is currently undetected by AV vendors and contains a malicious macro [pastebin] which downloads a binary from:

http://onemindgroup.com/366/114

This is saved as %TEMP%\ittext1.5.exe and has a VirusTotal detection rate of 3/49. Automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.230.60.219 (Docker Ltd, Russia)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
87.236.215.103 (OneGbits, Lithuania)
128.199.203.165 (DigitalOcean Cloud, Singapore)
128.135.197.30 (University Of Chicago, US)
185.35.77.160 (Corgi Tech Limited, UK)
46.101.38.178 (Digital Ocean, UK)
95.163.121.51 (Digital Networks CJSC aka DINETHOSTING, Russia)
92.41.107.253 (Hutchison 3G, UK)

According to the Malwr report  is also drops another variant of the downloader [VT 4/57] and a Dridex DLL [VT 4/57].

Recommended blocklist:
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24

MD5s:
03ab12e578664290fa17a1a95abd71c4
48f39c245ec68bdbe6c0c93313bc8f74
90ebd79d1eac439c9c4ee1a056c9e879
62f33c7b850845cb66dcaa69e2af4443



Tuesday 31 March 2015

Malware spam: "Your PO: SP14619" / "Sam S. [sales@alicorp.com]"

This fake financial spam comes with a malicious attachment:

From:    Sam S. [sales@alicorp.com]
Date:    31 March 2015 at 07:45
Subject:    Your PO: SP14619

Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.

A copy of the document is attached

Regards,
New Era Contract Sales Inc.'s Document Exchange Team
In the sample I have seen, the attachment is APIPO1.doc with a VirusTotal detection rate of 5/56, and it contains this malicious macro [pastebin] which downloads a component from:

http://xianshabuchang.com/54/78.exe

which is saved as %TEMP%\kkaddap7b.exe. This malicious executable has a detection rate of 3/56. Various analysis tools [1] [2] [3] show that it phones home to the following IPs:

91.230.60.219 (Docker Ltd / ArtVisio Ltd, Russia)
185.91.175.39 (Webstyle Group LLC / Rohoster / MnogoByte, Russia)
46.101.38.178 (Digital Ocean, Netherlands)
87.236.215.103 (OneGbits, Lithuania)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
128.199.203.165 (DigitalOcean Cloud, Singapore)

According to the Malwr report it drops another version of itself called edg1.exe [VT 2/56] and what appears to be a Dridex DLL [VT 3/56].

Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165

MD5s:
f5ecc500c2b74612e33c0522104fb999
716d1dc7285b017c2dbc146dbb2e319c
2cb0f18ba030c1ab0ed375e4ce9c0342
6218264a6677a37f7e98d8c8bd2c13e9

UPDATE:
A couple of reports from Payload Security [1] [2]  also give some insight into the malware, including an additional but well-known IP to block:

95.163.121.178 (Digital Networks CJSC aka DINETHOSTING, Russia)



Wednesday 25 February 2015

Malware spam: "Your LogMeIn Pro payment has been processed!"

This fake financial email does not come from LogMeIn, instead it has a malicious attachment:

From:    LogMeIn.com [no_reply@logmein.com]
Date:    25 February 2015 at 08:52
Subject:    Your LogMeIn Pro payment has been processed!

Dear client,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.

Date : 25/2/2015
Amount : $999 ( you saved $749.75)



The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.


Thank you for choosing LogMeIn!
Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:

http://junidesign.de/js/bin.exe

This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show this calling home to the following IPs:

92.63.87.13 (MTWV, Latvia)
86.104.134.156 (One Telecom, Moldova)
217.12.203.34 (ITL, Bulgaria)
108.61.165.19 (Choopa LLC, Netherlands)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
95.163.121.179 (Digital Networks aka DINETHOSTING, Russia)
59.97.137.171 (Broadband Multiplay, India)
78.140.164.160 (Webazilla, US)
107.181.174.104 (Colo at 55, US / UA Servers, Ukraine)
I outlined some of the problems with MVTW in this post. The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57] and a malicious DLL which is probably a Dridex component [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
86.104.134.156
217.12.203.34
108.61.165.19
5.196.241.196
66.110.179.66
202.44.54.5
95.163.121.179
59.97.137.171
78.140.164.160
107.181.174.104

UPDATE:  a different version of the attachment [VT] uses this macro to download from:

http://jacekhondel.w.interia.pl/js/bin.exe

The payload is identical to the other variant.

Tuesday 24 February 2015

Malware spam: "Berendsen UK Ltd Invoice 60020918 117" / "donotreply@berendsen.co.uk"

This fake invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.

From:    donotreply@berendsen.co.uk
Date:    24 February 2015 at 08:09
Subject:    Berendsen UK Ltd Invoice 60020918 117

Dear Sir/Madam,

Please find attached your invoice dated 21st February.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.


Thank you.

___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.

Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a zero detection rate. Contained within this is malicious Word macro which downloads a component from the following location:

http://heikehall.de/js/bin.exe

This binary has a VirusTotal detection rate of 2/57. Automated analysis tools [1] [2] [3] show that it attempts to phone home to:

92.63.87.13 (MWTV, Latvia)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
78.140.164.160 (Webazilla, US)
31.160.233.212 (KPN, Netherlands)
185.14.30.98 (UA Servers, Ukraine)
86.104.134.156 (One Telecom, Moldova)


MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites, however the bad sites are concentrated in the following ranges:

92.63.82.0/23
92.63.84.0/22
92.63.88.0/24

In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
5.196.241.196
66.110.179.66
202.44.54.5
78.140.164.160
31.160.233.212
185.14.30.98
86.104.134.156

Thursday 19 February 2015

Malware spam: "Maria Wilson" / "securigroup.co.uk" / "Statement"

This fake financial spam does not come from SecuriGroup, their systems have not been compromised in any way nor has there been any leak of information. Instead, this is a simple forgery with a malicious document attached.

From:    Maria Wilson [maria.wilson6870@securigroup.co.uk]
Date:    19 February 2015 at 09:10
Subject:    Statement

Please see attached up to date statement.

I would be grateful if you could confirm all due invoices have been processed for payment.

Many thanks
Maria

Maria Wilson | Credit Controller

T: 0141 285 3838


www.securigroup.co.uk


Think Sustainability - Do not print this email unless essential


This email and any attachments are confidential and intended for the addressee only.

If you are not the named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication.

If you have received this in error, please contact the sender and then delete this email from your system.
The impact on this innocent company appears to be severe, with their website currently suspended.

I have only seen only sample of the attachment Statement 18 FEB 2015.xls although there are probably other variants. This contains a set of macros [password=infected] which are mostly crap, but the key parts are Modules 13 (the encrypted strings) and 27 (the decrypt function). These macros download a file from the following location:

http://hazardcheck.de/js/bin.exe

This is saved as %TEMP%\FfdgF.exe which has a VirusTotal detection rate of 5/57. Various automated analysis tools [1] [2] [3] show attempted network connections to:

83.169.4.178 (Hosteurope, Germany)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
14.99.146.242 (Tata Indicom, India)
78.140.164.160 (Webazilla, US)
220.143.5.92 (Chunghwa Telecom, Taiwan)
217.12.203.34 (ITL Company, Bulgaria)

The Malwr report shows it dropper another version of the downloader (VT 3/57) and a malicious DLL (VT 6/57). Payload is probably Dridex.

Recommended blocklist:
83.169.4.178
66.110.179.66
202.44.54.5
14.99.146.242
78.140.164.160
220.143.5.92
217.12.203.34



Wednesday 18 February 2015

Malware spam: "[dan@express-insurance.net]" / "Auto insurance apps and documents"

 This fake financial spam has a malicious attachment:


From:    Dan Bigelow [dan@express-insurance.net]
Date:    18 February 2015 at 09:18
Subject:    Auto insurance apps and documents

Hello ,

Please print “All” attached forms and sign and initial where I highlighted.

Scan and email back to me or fax to me at 407-937-0511.


Sincerely,

Dan Bigelow


Referrals are important to us. If you know anyone who would benefit from our services, please contact me. 

We would appreciate the opportunity to work with them.

2636 West State Rd 434 # 112
Longwood, Fl 32779


Fax     407-386-1601

This spam does not actually come from Express Insurance nor have their systems or data been compromised in any way. Instead this is a simple forgery with a malicious Word document attached.

There are actually at least two different versions of the document with zero detections [1] [2]. The macros are a bit too complex for pastebin, but you can download a ZIP here and here [password=infected].

Despite the difference, both seem to download from:

http://ecv.bookingonline.it/js/bin.exe

The download file is saved as %TEMP%\FfdgF.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] indicate that it attempts to phone home to:

83.169.4.178 (Hosteurope, Germany)
202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)

This probably drops a Dridex DLL, however the Malwr analysis appears to have malfunctioned and I don't have a sample.

Recommended blocklist:
83.169.4.178
202.44.54.5
66.110.179.66

Friday 18 October 2013

Malware sites to block 18/10/2013

These IPs and domains are associated with this spam run. Some of these servers have been compromised for some time by the looks of things. There's a plain list for copy-and-pasting at the end.

12.46.52.147 (Compact Information Systems / AT&T, US)
41.203.18.120 (Hetzner, South Africa)
62.75.246.191 (Intergenia, Germany)
62.76.42.58 (Clodo-Cloud / IT House, Russia)
69.46.253.241 (RapidDSL & Wireless, US)
70.159.17.146 (F G Wilson / AT&T , US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
94.102.14.239 (Netinternet , Turkey)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
140.174.98.150 (NTT America, US)
163.18.62.51 (TANET, Taiwan)
182.237.17.180 (Uclix, India)
201.151.0.164 (Alestra, Mexico)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156 (PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.5.182.144 (RackSRV Communications, UK)
213.143.121.133 (Wien Energie, Austria)
213.214.74.5 (BBC Cable, Bulgaria)

12.46.52.147
41.203.18.120
62.75.246.191
62.76.42.58
69.46.253.241
70.159.17.146
91.205.17.80
94.102.14.239
111.68.229.205
114.32.54.164
118.163.216.107
140.174.98.150
163.18.62.51
182.237.17.180
201.151.0.164
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.5.182.144
213.143.121.133
213.214.74.5
alenikaofsa.ru
alionadorip.ru
dynamooblog.ru
inkrediblehalk.ru
intro2seo.ru

Added:
hankoksuper.ru is now active on those same IPs.

Tuesday 16 July 2013

Malware sites to block 16/7/13

These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson, Turkey)
38.96.42.60 (PSInet / WiLogic Inc, US)
41.196.17.252 (Link Egypt, Egypt)
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
46.246.41.68 (Portlane Networks, Sweden)
46.38.51.162 (TCTEL, Russia)
50.97.253.162 (Softlayer, US)
58.196.7.174 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA, India)
61.220.221.92 (HINET / Chungwa Telecom, Taiwan)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.93.56.83 (Comcast Business Communications, US)
77.240.118.69 (Acens Technlogies, Spain)
80.52.135.172 (TPNET, Poland)
81.17.140.138 (Velton.telecom, Ukraine)
82.165.41.13 (1&1, Philippines)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UNIWEB, Belgium)
87.236.211.159 (Azar Online, Iran)
88.86.100.2 (Supernetwork, Czech Republic)
89.161.255.30 (Home.pl, Poland)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel / Megalan, Bulgaria)
98.192.168.80 (Comcast Communications, US)
103.9.23.34 (TPL Trakker, Pakistan)
108.179.8.103 (Tyco / Cablevision, US)
111.121.193.198 (China Telecom, China)
111.121.193.199 (China Telecom, China)
111.121.193.200 (China Telecom, China)
114.32.97.58 (HINET / Chungwa Telecom, Taiwan)
119.1.109.40 (QianXiNan County, China)
119.1.109.48 (QianXiNan County, China)
119.92.209.120 (Philippine Long Distance Telephone Company, Philippines)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.115.43.187 (TANET, Taiwan)
143.239.87.38 (University College Cork, Ireland)
150.244.233.146 (Universidad Autonoma De Madrid , Spain)
151.155.25.109 (Novell, US)
151.155.25.111 (Novell, US)
172.255.106.17 (Nobis Technology Group, US)
173.167.54.139 (Iceweb Storage Corp / Comcast, US)
176.31.46.7 (OVH, France)
180.166.172.122 (China Telecom, China)
184.105.135.29 (Hurricane Electric, US)
188.132.213.115 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.241.205.26 (Digital Ocean, US)
193.95.91.78 (Agence Tunisienne Internet, Tunisia)
195.225.58.122 (C&A Connect SRL, Romania)
198.56.238.36 (Enzu Inc, US)
201.163.145.125 (Alestra, S. de R.L. de C.V., Mexico)
202.28.69.195 (UniNet, Thailand)
202.63.210.182 (CubeXS Private Lmited, Pakistan)
203.122.26.124 (Citycom Networks Pvt Ltd, India)
203.235.181.181 (Sejong Telecom, Korea)
203.236.232.42 (KINX, Korea)
207.254.1.17 (Virtacore Systems Inc, US)
208.115.114.68 (Wowrack, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services Inc., Taiwan)
212.143.233.159 (013 Netvision Network, Israel)
222.20.90.25 (CERNET, China)

Blocklist:
24.173.170.230
31.145.19.17
38.96.42.60
41.196.17.252
46.45.182.27
46.246.41.68
46.38.51.162
50.97.253.162
58.196.7.174
59.124.33.215
59.126.142.186
59.160.69.74
61.220.221.92
64.49.246.226
69.162.76.10
74.93.56.83
77.240.118.69
80.52.135.172
81.17.140.138
82.165.41.13
85.17.224.131
85.119.187.145
87.236.211.159
88.86.100.2
89.161.255.30
89.248.161.146
95.111.32.249
98.192.168.80
103.9.23.34
108.179.8.103
111.121.193.198
111.121.193.199
111.121.193.200
114.32.97.58
119.1.109.40
119.1.109.48
119.92.209.120
128.252.158.57
138.80.14.27
140.115.43.187
143.239.87.38
148.81.111.91
148.81.111.92
150.244.233.146
151.155.25.109
151.155.25.111
172.255.106.17
173.167.54.139
176.31.46.7
180.166.172.122
184.105.135.29
188.132.213.115
190.85.249.159
192.241.205.26
193.95.91.78
195.225.58.122
198.56.238.36
201.163.145.125
202.28.69.195
202.63.210.182
203.122.26.124
203.235.181.181
203.236.232.42
207.254.1.17
208.115.114.68
209.222.67.251
210.200.0.95
212.143.233.159
222.20.90.25
abundanceguys.net
allgstat.ru
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
americimblog.com
amimeseason.net
androv.pl
aniolyfarmacij.com
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
augel.pl
autocompletiondel.net
autorize.net.models-and-kits.net
autotradeguide.net
avenues.pl
basedbreakpark.su
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
bestofallforallas.pl
blacklistsvignet.pl
blindsay-law.net
bnamecorni.com
boats-sale.net
brandeddepend.com
brasilmatics.net
businessdocu.net
buty24-cool.com
buycushion.net
cabby.pl
centow.ru
chairsantique.net
charismasalonme.net
childrensuck.net
cirormdnivneinted40.ru
clik-kids.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
cotime.pl
cpa.state.tx.us.tax-returns.mattwaltererie.net
cryoroyal.net
dasay.pl
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
editionscode.com
e-eleves.net
effectivenesspre.com
eftps.gov.charismasalonme.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
eliroots.ru
enchantingfluid.com
ensutringscal.net
enuhhdijsnenbude40.ru
ergopets.com
estateandpropertty.com
exterms.pl
faststream.pl
feminineperceiv.pl
filmstripstyl.com
fincal.pl
first4supplies.net
foremostorgand.su
freakable.net
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
genie-enterprises.com
gentonoesleep.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
gotip.pl
grivnichesvkisejj50.ru
guardianforyou.pl
gumfart.ru
hdmltextvoice.net
heidipinks.com
hemorelief.net
highsecure155.com
hingpressplay.net
hospitalinstitutee.com
hotautoflot.com
hotkoyou.net
hotpubblici.com
how-about-we.net
huang.pl
independinsy.net
info-for-health.net
initiationtune.su
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kirki.pl
krasalco.com
ledfordlawoffice.net
letsgofit.net
libulionstreet.su
linefisher.com
linkedin.com-update-report.taltondark.net
m.krasalco.com
made-bali.net
magiklovsterd.net
mantuma.pl
mattwaltererie.net
maxapps.pl
microsoftnotification.net
missdigitalworld.net
models-and-kits.net
modshows.net
morphed.ru
mosher.pl
nailapp.pl
namastelearning.net
ns3.thebodyfatsolutioncb.pl
nvufvwieg.com
offeringshowt.com
ompute.pl
oneday-movie.net
organizerrescui.pl
oupwareplanets.su
oydahrenlitu346357.ru
pinterest.com.reports0701.net
polymerplanet.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.net
questphoneservice.net
quipbox.com
ratenames.net
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
rustin.pl
safebrowse.pw
scourswarriors.su
secrettapess.com
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
sitemax.pl
sklephoreca.pl
soberimages.com
spros.pl
stilos.pl
streetgreenlj.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
telecomerra.com
thebodyfatsolutioncb.pl
thebodyfatsolutionoi.pl
thegalaxyatwork.com
theguardian-newspaper.pl
therichboysmail.net
thetimesforyou.pl
thosetemperat.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
trymaximumslimbaba.pl
trymaximumslimbia.pl
trymaximumslimboa.pl
trymaximumslimbua.pl
trymaximumslimbuta.pl
trymaximumslimdel.pl
trymaximumslimeta.pl
trymaximumslimfea.pl
trymaximumslimfoa.pl
trymaximumslimfol.pl
trymaximumslimhoa.pl
trymaximumslimhol.pl
trymaximumslimhowa.pl
trymaximumsliminl.pl
trymaximumslimlacl.pl
trymaximumslimlal.pl
trymaximumslimlea.pl
trymaximumslimleta.pl
trymaximumslimlitta.pl
trymaximumslimmaa.pl
trymaximumslimmal.pl
trymaximumslimmea.pl
trymaximumslimmia.pl
trymaximumslimnel.pl
trymaximumslimnota.pl
trymaximumslimota.pl
trymaximumslimpaa.pl
trymaximumslimpal.pl
trymaximumslimpara.pl
trymaximumslimrata.pl
trymaximumslimroba.pl
trymaximumslimroll.pl
trymaximumslimroma.pl
trymaximumslimsaa.pl
trymaximumslimsal.pl
trymaximumslimsanda.pl
trymaximumslimsil.pl
trymaximumslimsina.pl
trymaximumslimsofa.pl
trymaximumslimsofl.pl
trymaximumslimsparl.pl
trymaximumslimteda.pl
trymaximumslimulda.pl
trymaximumslimundl.pl
tstatbox.ru
tvblips.net
u-janusa.net
ukbash.ru
unabox.pl
usenet4ever.net
usergateproxy.net
vahvahchicas.ru
vip-proxy-to-tor.com
vivendacalangute.net
wickedpl.com
wic-office.com
wordstudio.pl
wow-included.com
yourbodyfatsolutionaningm.pl
yourbodyfatsolutionharm.pl
yourbodyfatsolutionhom.pl
yourbodyfatsolutionlgf.pl
yourbodyfatsolutionlittm.pl
yourbodyfatsolutionlpa.pl
yourbodyfatsolutionlub.pl
yourbodyfatsolutionlui.pl
yourbodyfatsolutionmem.pl
yourbodyfatsolutionnak.pl
yourbodyfatsolutionncb.pl
yourbodyfatsolutionnff.pl
yourbodyfatsolutionnzk.pl
yourbodyfatsolutionronm.pl
yourbodyfatsolutionsam.pl
yourbodyfatsolutionsim.pl
yourbodyfatsolutionterm.pl
yourbodyfatsolutiontinm.pl
yourbodyfatsolutionuca.pl
yourbodyfatsolutionucb.pl
yourbodyfatsolutionuee.pl
yourbodyfatsolutionufd.pl
yourbodyfatsolutionuff.pl
yourbodyfatsolutionufg.pl
yourbodyfatsolutionugd.pl
yourbodyfatsolutionugf.pl
yourbodyfatsolutionuhh.pl
yourbodyfatsolutionukk.pl
yourbodyfatsolutionunb.pl
yourbodyfatsolutionunc.pl
yourbodyfatsolutionuoi.pl
yourbodyfatsolutionupa.pl
yourbodyfatsolutionusd.pl
yourbodyfatsolutionuub.pl
yourbodyfatsolutionuui.pl
yourbodyfatsolutionuvb.pl
yourbodyfatsolutionuvc.pl
yourbodyfatsolutionuzk.pl
yourbodyfatsolutionwam.pl
zestrecommend.com