Sponsored by..

Showing posts with label Tunisia. Show all posts
Showing posts with label Tunisia. Show all posts

Tuesday 15 December 2015

Malware spam: "Invoice Attached" / "Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp."

This fake financial spam has a malicious attachment:

From:    Ernestine Harvey
Date:    15 December 2015 at 11:34
Subject:    Invoice Attached

Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.

Thank you!

Mr. Ernestine Harvey
Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.
The sender name varies randomly, except in the email they are all signed "Mr." even if they have female names, for example:

Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson

The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.

An analysis of five of the attachments [1] [2] [3] [4] [5] shows attempted downloads from:

modern7technologiesx0.tk/x1656/dfiubgh5.exe
forbiddentextmate58.tk/x1656/ctruiovy.exe
temporary777winner777.tk/x1656/fdgbh44b.exe
former12futuristik888.tk/x1656/fdgjbhis75.exe


Note that these are all .TK domains.. and they are all hosted on exactly the same server of 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain of:

servicexmonitoring899.tk

I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.

Anyway, the downloaded binary has a VirusTotal detection rate of 4/55 and the comments indicate that rather surprisingly this is the Nymaim ransomware. The Hybrid Analysis indicates network traffic to xnkhfbc.in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:

41.224.12.178 (Orange Tunisie Internet, Tunisia)
51.255.59.248 (OVH, France)
78.107.46.8 (Corbina Telecom, Russia)
95.173.163.211 (Netinternet, Turkey)
118.102.239.53 (Dishnet, India)
140.116.161.33 (TANET, Taiwan)
185.114.22.214 (Osbil Technology Ltd., Turkey)
192.200.220.42 (Global Frag Networks, US)
200.195.138.156 (Szabo & Buhnemann Ltda, Brazil)
210.150.126.225 (HOSTING-NET, Japan)


There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.

MD5s:
4CADF61E96C2D62292320C556FD34FE6
BBAAAB1245D7EDD40EE501233162110E
6B6C7430D33FE16FAE94162D61AF35DD
79A10791B1690A22AB4D098B9725C5E0
D148440E07434E4823524A03DE3EB12F
79A10791B1690A22AB4D098B9725C5E0
B41205F6AEEEB1AA1FD8E0DCBDDF270E



Recommended blocklist:
31.184.234.5
41.224.12.178
51.255.59.248
78.107.46.8
95.173.163.211
118.102.239.53
140.116.161.33
185.114.22.214
192.200.220.42
200.195.138.156
210.150.126.225
xnkhfbc.in
oxrdmfdis.in


UPDATE

A source tells me (thank you) that  servicexmonitoring899.tk  is now resolving to 78.129.252.19 (iomart, UK) that has also recently hosted these following domains:

google-apsm.in
specre.com
ganduxerdesign.com
www.ganduxerdesign.com
upmisterfliremsnk.net
tornishineynarkkek.org
tornishineynarkkek2.org

Some of these domains are associated with Rovnix.