Sponsored by..

Showing posts with label TheFirst-RU. Show all posts
Showing posts with label TheFirst-RU. Show all posts

Monday 5 September 2016

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.


Sincerely yours,
Tamika Good
Account manager
The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:

canonsupervideo4k.ws/1bcpr7xx

This appears to be multihomed on the following IP addresses:

23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)


Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru


Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57.  These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:

91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48

91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55


Wednesday 30 March 2016

Malware spam: "Additional Information Needed #869420" leads to ransomware

This spam has a malicious attachment, leading to ransomware.

From:    Joe holdman [holdmanJoe08@seosomerset.co.uk]
Date:    30 March 2016 at 08:55
Subject:    RE: Additional Information Needed #869420


We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipients email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.

An analysis of three scripts [1] [2] [3] shows binary downloads from:

cainabela.com/zFWvTM.exe
downloadroot.com/vU4VAZ.exe
folk.garnet-soft.com/jDFXfL.exe

This binary has a detection rate of 6/56.  Automated analysis [4] [5] shows network traffic to:

93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)


These characteristics are consistent with Locky ransomware.

Recommended blocklist:
93.170.131.108
5.135.76.18
82.146.37.200

Thursday 22 October 2015

Malware spam: "Notice to Appear" / Notice_to_Appear_00800614.zip

This fake legal spam comes with a malicious attachment:

From:    District Court
Date:    22 October 2015 at 19:03
Subject:    Notice to Appear

Notice to Appear,

This is to inform you to appear in the Court on the October 27 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Sincerely,
Michael Newell,
District Clerk.

Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js which looks like this [pastebin]. This obfuscated script translates into something a bit more understandable which clearly references the following domains:

www.flowarrior.com
www.abama.org
littlefacesofpanama-association.com

The Hybrid Analysis report  shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55 (possibly Cridex). It reference the following IPs as being highly suspect:

91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)

A large number of IPs are queried according to that report:

66.147.244.241 80 TCP United States
ASN: 46606 (Unified Layer)

Possibly Malicious (Details)
78.24.220.229 80 TCP Russian Federation
ASN: 29182 (ISPsystem, cjsc)
74.231.32.162 80 TCP United States
118.120.73.233 80 TCP China
29.225.112.86 80 TCP United States
100.73.14.38 80 TCP Reserved
58.101.131.47 80 TCP China
123.59.97.196 80 TCP China
166.32.216.239 80 TCP United States
149.91.92.120 80 TCP United States
24.216.168.199 80 TCP United States
105.140.148.131 80 TCP Morocco
163.58.44.144 80 TCP Japan
142.84.237.228 80 TCP Canada
15.108.255.248 80 TCP United States
220.168.3.242 80 TCP China
169.69.97.65 80 TCP United States
136.48.1.199 80 TCP United States
193.224.232.11 80 TCP Hungary
46.156.117.74 80 TCP Norway
15.73.25.4 8080 TCP United States
156.95.94.161 80 TCP United States
2.95.43.213 80 TCP Russian Federation
201.112.96.9 443 TCP Mexico
168.202.241.83 80 TCP Italy
126.200.226.38 80 TCP Japan
218.169.88.145 80 TCP Taiwan; Republic of China (ROC)
25.227.76.74 80 TCP United Kingdom
7.58.91.181 80 TCP United States
2.9.47.33 80 TCP France
82.64.212.187 80 TCP France
160.252.229.129 80 TCP Japan
3.19.211.174 80 TCP United States
206.36.90.112 80 TCP United States
70.162.95.85 80 TCP United States
179.74.44.184 80 TCP Brazil
27.60.28.101 80 TCP India
72.131.92.208 80 TCP United States
192.15.148.68 80 TCP United States
161.183.113.148 80 TCP United States
89.194.8.74 80 TCP United Kingdom
74.60.141.199 443 TCP United States
185.124.201.36 80 TCP Germany
57.254.22.27 80 TCP Belgium
223.212.109.175 443 TCP China
184.128.6.160 80 TCP United States
222.26.8.100 80 TCP China
201.80.124.250 80 TCP Brazil
28.245.107.140 8080 TCP United States
7.205.88.91 80 TCP United States
134.208.174.118 443 TCP Taiwan; Republic of China (ROC)
101.42.94.123 80 TCP China
89.184.155.55 8080 TCP Denmark
73.136.226.227 80 TCP United States
92.242.113.252 80 TCP Ukraine
183.80.180.237 80 TCP Viet Nam
189.217.246.252 80 TCP Mexico
162.124.240.218 80 TCP United States
169.244.37.32 80 TCP United States
121.213.170.136 8080 TCP Australia
91.121.108.77 80 TCP France
161.187.226.73 8080 TCP Canada
160.124.108.194 8080 TCP South Africa
132.201.159.171 80 TCP United States
36.136.60.81 80 TCP China
155.159.37.116 80 TCP South Africa
139.171.227.16 80 TCP United States
119.243.117.9 443 TCP Japan
42.199.100.99 80 TCP China
170.225.41.44 80 TCP United States
27.122.177.126 80 TCP Korea Republic of
151.75.83.209 80 TCP Italy
203.207.191.222 8080 TCP China
208.97.41.75 80 TCP United States
179.184.50.147 80 TCP Brazil
126.155.24.64 80 TCP Japan
86.14.23.181 80 TCP United Kingdom
182.162.87.90 80 TCP Korea Republic of
126.85.62.33 80 TCP Japan
96.60.99.19 80 TCP United States
118.123.163.35 80 TCP China
69.190.137.38 80 TCP United States
49.56.139.124 80 TCP Korea Republic of
135.35.59.201 80 TCP United States
57.25.34.69 80 TCP Belgium
174.190.210.89 80 TCP United States
206.91.83.240 80 TCP United States
16.143.86.194 80 TCP United States
99.212.19.159 80 TCP Canada
171.214.61.169 80 TCP China
194.184.155.135 80 TCP Italy
98.30.91.219 80 TCP United States
30.130.130.227 80 TCP United States
201.231.21.9 80 TCP Argentina
10.85.253.242 8080 TCP Reserved
41.70.25.98 80 TCP Malawi
2.239.93.99 80 TCP Italy
178.216.173.66 80 TCP Ukraine
102.239.48.12 80 TCP Indonesia
170.229.125.27 443 TCP United States
170.202.85.86 80 TCP United States
138.204.51.115 80 TCP Brazil
90.59.134.25 80 TCP France
179.105.47.26 80 TCP Brazil
190.128.247.9 80 TCP Paraguay
62.74.109.148 80 TCP Greece
39.6.23.63 80 TCP Korea Republic of
199.12.247.12 80 TCP United States
1.235.148.23 80 TCP Korea Republic of
128.166.232.112 80 TCP United States
198.12.245.130 80 TCP United States
180.59.204.28 80 TCP Japan
191.205.91.94 443 TCP Brazil
166.97.6.127 80 TCP United States
35.174.179.31 80 TCP United States
202.94.163.179 80 TCP Malaysia
199.2.172.193 80 TCP United States
36.4.249.54 80 TCP China
87.60.146.60 80 TCP Denmark
159.157.156.108 80 TCP United States
41.103.3.7 80 TCP Algeria
190.5.47.228 80 TCP Chile
102.197.139.86 8080 TCP Indonesia
79.181.62.136 80 TCP Israel
196.221.146.64 8080 TCP Egypt
45.215.43.254 80 TCP Zambia
133.50.67.191 443 TCP Japan
197.187.96.58 80 TCP Tanzania United Republic of
81.11.14.8 80 TCP European Union
165.216.148.197 80 TCP United States
26.159.93.175 80 TCP United States
55.192.224.240 80 TCP United States
99.183.118.77 8080 TCP United States
97.132.112.64 80 TCP United States
161.158.216.248 80 TCP Netherlands
171.36.6.24 80 TCP China
86.17.207.59 80 TCP United Kingdom
65.170.164.185 80 TCP United States
203.116.171.38 80 TCP Singapore
81.131.210.206 80 TCP United Kingdom
144.69.59.80 80 TCP United States
108.132.28.175 80 TCP United States
54.173.72.227 80 TCP United States
48.227.99.193 80 TCP United States
165.244.29.101 80 TCP Korea Republic of
61.163.159.70 80 TCP China
141.54.70.120 80 TCP Germany
22.6.129.165 80 TCP United States
16.65.24.201 80 TCP United States
107.66.193.112 80 TCP United States
113.185.128.185 80 TCP Viet Nam
185.242.98.255 80 TCP Germany
39.247.94.231 80 TCP Indonesia
1.136.195.240 80 TCP Australia
176.2.178.107 443 TCP Germany
211.57.175.126 80 TCP Korea Republic of
16.78.184.90 80 TCP United States
121.237.58.132 80 TCP China
45.115.246.94 80 TCP China
42.213.207.250 80 TCP China
202.217.115.34 80 TCP Japan
20.100.36.35 80 TCP United States
73.178.96.229 80 TCP United States
177.85.76.19 80 TCP Brazil
184.148.22.247 80 TCP Canada
153.228.8.191 80 TCP Japan
196.226.207.67 443 TCP Liberia
171.178.119.233 80 TCP United States
175.198.60.5 80 TCP Korea Republic of
196.9.179.56 80 TCP South Africa
20.163.126.33 443 TCP United States
152.223.8.195 80 TCP United States
12.51.242.168 80 TCP United States
197.169.155.191 80 TCP South Africa
95.198.239.136 8080 TCP Sweden
209.93.5.164 80 TCP United States
200.17.48.177 80 TCP Brazil
37.147.149.212 80 TCP Russian Federation
113.201.208.234 80 TCP China
157.219.20.253 80 TCP United States
45.72.49.98 80 TCP United States
87.196.69.215 80 TCP Portugal
141.251.31.43 80 TCP United States
30.28.29.139 8080 TCP United States
211.72.127.114 80 TCP Taiwan; Republic of China (ROC)
126.62.177.152 8080 TCP Japan
67.62.93.143 80 TCP United States
4.219.11.148 80 TCP United States
220.15.135.111 80 TCP Japan
6.193.44.176 80 TCP United States
88.18.235.212 80 TCP Spain
65.235.102.3 80 TCP United States
212.246.252.248 80 TCP Finland
65.44.223.34 80 TCP United States
67.147.184.3 443 TCP United States
218.100.198.67 8080 TCP China
183.74.253.72 443 TCP Japan
189.99.113.170 443 TCP Brazil
202.113.235.65 80 TCP China
78.193.245.197 80 TCP France
20.87.185.21 443 TCP United States
34.94.156.167 80 TCP United States
16.154.131.128 443 TCP United States
112.236.139.20 80 TCP China
37.217.232.246 80 TCP Saudi Arabia

I have not had the change to check those individual IP addresses, but I recommend that you block the following two at least:

91.121.108.77
78.24.220.229 


UPDATE 26/10/15:

A slightly revised version of this is circulating:


Notice to Appear,

This is to inform you to appear in the Court on the November 03 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Nathan Andrews,
District Clerk.
The attachment is Notice_to_Appear_000314661.zip which contains a file Notice_to_Appear_000314661.doc.js which has a VirusTotal detection rate of 14/55. According to this Hybrid Analysis report it contacts a LOT of IPs, but these in particular should be blocked:

67.199.5.184 (CrystalTech Web Hosting, US)
78.24.220.229 (TheFirst-RU, Russia)
189.131.94.156 (UniNet, Mexico)
74.10.19.66 (Knox Attorney Service Inc., US)


The following files are dropped (VT reports) [1] [2] [3]

Recommended blocklist:
67.199.5.184
78.24.220.229
189.131.94.156
74.10.19.66

  ssf

Thursday 21 May 2015

Malware spam: "Invoice# 2976361 Attached" / "PGOMEZ@polyair.co.uk"

So far I have only seen one sample of this. The sender and subject may vary.
From:    PGOMEZ@polyair.co.uk
Date:    21 May 2015 at 08:58
Subject:    Invoice# 2976361 Attached

Invoice Attached - please confirm..


This transmission may contain information that is privileged and strictly confidential.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.

If you received this transmission in error, please contact the sender and delete the material from any computer immediately.  Thank you.

Attached is a malicious file with the no-very-imaginative name 00001.doc [VT 4/56] which contains this malicious macro [pastebin] that downloads a component from the following location:

http://mercury.powerweave.com/72/11.exe

This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57.

Automated analysis tools [1] [2] [3] [4] show attempted communications with the following IPs:

78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)


The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195

MD5s:
f5aee45ce06f6d9f9210ae28545a14c6
56305283d26e66b81afcbcb6f0e9b9b4
015cc26b738d313e5e7aba0c9114670e

Friday 24 April 2015

Malware spam: "Colin Fox [colin@nofss.co.uk]" / "Invoice 519658"

This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).
From:    Colin Fox [colin@nofss.co.uk]
Date:    24 April 2015 at 09:40
Subject:    Invoice 519658

Please find Invoice 519658     attached 
The attachment is Sales Invoice 519658.pdf [VT 2/57] This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55] which in turn contains a malicious macro that looks like this [pastebin].

There may be different versions of the macro, but in this case it downloads a component from:

http://bepminhchi.com/83/61.exe

..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] show an attempted network connection to:

185.12.95.191 (RuWeb CJSC, Russia)
149.154.64.70 (TheFirst-RU, Russia)
78.24.218.186 (TheFirst-RU, Russia)
89.28.83.228 (StarNet SRL, Moldova)


In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228

Sample MD5s:
da26ed1b6fe69d15a400b3bc70001918
b37ea697df790121e4dda35d8ba172c3
0ea69ef635257be03043a3f70f013475
29471c1aabae10d205f474a3299486ec


Thursday 23 April 2015

Malware spam: "Refund on order 204-2374256-3787503" / "Amazon.co.uk [payments-messages@amazon.co.uk]"

This fake Amazon spam comes with a malicious attachment:

From:    Amazon.co.uk [payments-messages@amazon.co.uk]
Reply-To:    "Amazon.co.uk" [payments-messages@amazon.co.uk]
Date:    23 April 2015 at 09:58
Subject:    Refund on order 204-2374256-3787503

Dear Customer,

Greetings from Amazon.co.uk.

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1161010

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
it: http://get.adobe.com/reader/

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
refunds.

Thank you for shopping at Amazon.co.uk.

Sincerely,

Amazon.co.uk Customer Service
http://www.amazon.co.uk


Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again


Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions, however the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:

http://qube.co.il/42/335.exe

..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools [1] [2] [3] [4] indicate that it calls out to the following IPs:

185.12.95.191 (RuWeb CJSC, Russia)
87.236.215.151 (OneGbits, Lithuania)
94.23.171.198 (OVH, Czech Republic)
185.35.77.250 (Corgi Tech, UK)
149.154.64.70 (TheFirst-RU, Russia)

The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.

Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70

MD5s:
e52a8d15ee08d7f8b4efca1b16daaefb
57b54e248588af284871c2076f05651c
ca5c5b79ce16d888ba2a6747b9d033d3


Wednesday 15 April 2015

Malware spam: "Invoice from Living Water" / "Natalie [mailto:accounts@living-water.co.uk]"

This fake invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.
From: Natalie [mailto:accounts@living-water.co.uk]
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water

Dear Customer  :

Your invoice is attached.  Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Living Water
0203 139 9051
In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55. This contains a malicious macro [pastebin] which downloads a file from the following location:

http://adlitipcenaze.com/353/654.exe

There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currecntly has a detection rate of 6/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:

89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)

According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100

MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328

Tuesday 14 April 2015

Malware spam: "Kairen Varker [mailto:kvarker@notifications.kashflow.com]" / "Invoice from"

This fake invoice has a malicious attachment:
From: Kairen Varker [mailto:kvarker@notifications.kashflow.com] On Behalf Of Kairen Varker
Sent: Tuesday, April 14, 2015 9:26 AM
Subject: Invoice from

I have made the changes need and the site is now mobile ready . Invoice is attached
In this case the attachment is called Invoice-83230.xls which is currently undetected by AV vendors. It contains this malicious macro [pastebin] which downloads a component from the following location (although there are probably more than this):

http://925balibeads.com/94/053.exe

This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] [4] shows the malware phoning home to:

78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, RUssia)
89.28.83.228 (StarNet SRL, Moldova)

The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57.

Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228

MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995

Thursday 2 April 2015

Malware spam: "Scanned document from HP/Brother/Epson Scanner [87654321]"

These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.

Now.. if you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort. Would you?

From:    Cindy Pate [Caroline.dfd@flexmail.eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]

Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Sterling Hoffman [Lara.dc4@astroexports.com]
Date:    2 April 2015 at 11:00
Subject:    Scanned document from Brother Scanner [07623989]

Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office

File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Manuel Velez [Yesenia.10@acv.nl]
Date:    2 April 2015 at 12:04
Subject:    Scanned document from Epson Scanner [81829722]

Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

I have seen three different malicious attachments with low detection rates [1] [2] [3] which appear to contain one of two macros [1] [2] which download a further component from one of the following locations:

http://93.158.117.163:8080/bz1gs9/kansp.jpg
http://78.47.87.131:8080/bz1gs9/kansp.jpg


Those servers are almost definitely malicious in other ways, the IPs are allocated to:

93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)

This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Automated analysis [1] [2] [3] indicates that it calls home to:

188.120.225.17 (TheFirst-RU, Russia)
92.63.88.83 (MWTV, Latvia)
121.50.43.175 (Tsukaeru.net, Japan)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
82.151.131.129 (Doruknet, Turkey)
46.19.143.151 (Private Layer Inc, Switzerland)
45.55.154.235 (Digital Ocean, US)
195.130.118.92 (University Of Ioannina, Greece)
199.201.121.169 (Synaptica, Canada)
95.211.168.10 (Leaseweb, Netherlands)
222.234.230.239 (Hanaro Telecom, Korea)

Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.

Recommended blocklist:
188.120.225.17
92.63.88.0/24
121.50.43.175
95.163.121.0/24
82.151.131.129
46.19.143.151
45.55.154.235
195.130.118.92
199.201.121.169
95.211.168.10
222.234.230.239
93.158.117.163
78.47.87.131

MD5s:
96f3aa2402daf9093ef0b47943361231
cff4b8b7f9adf1f5964b495a8116d196
68fb9aadda63d18f1b085d5bd8815223
64fa6501bd4d32b2958922598008ca96