Sponsored by..

Showing posts with label Ukraine. Show all posts
Showing posts with label Ukraine. Show all posts

Tuesday 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

https://dropbox.com/file/9A30AA
--
Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA

Members of the CAERUS Capital Group

www.tayloredgroup.co.uk

Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system. 
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6]  shows Locky ransomware attempting to phone home to the following locations:

91.234.35.170/imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75/imageload.cgi (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24

Monday 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36




Thursday 19 January 2017

Malware spam: "The Insolvency Service" / "Investigations Inquiry Notification" / chucktowncheckin.com / chapelnash.com

This malware spam in unusual in many respects. The payload may be some sort of ransomware [UPDATE: this appears to be Cerber].

From: The Insolvency Service [mailto:service@chucktowncheckin.com]
Sent: 19 January 2017 12:22
Subject: EGY 318NHAR12 - Investigations Inquiry Notification



Company Investigations Inquiry
Informing You that we have received appeal regarding your company which indicates corporate misconduct.
Your Inquiry Number: 84725UPTN583
As part of this occasion we have made our own background investigation and if it occurs to be in the public interest, we can apply to the court to wind up the company and stop it trading.
Also if the performance of the director(s) who run the company is questionable enough, we can commence proceedings to disqualify them from governing a limited company for a time span up to 15 years.
FURTHER CASE DATA
The investigation can give us information that we can transmit to another regulatory body that has more suitable powers to deal with any concerns the investigation uncovers.
Help Cookies Contact Terms and conditions Rhestr o Wasanaethau Cymraeg
Built by the Government Digital Service
All content is available under the Open Government Licence v3.0, except where otherwise stated   
© Crown copyright

Sample subjects are:

LSV 354EMPU31 -  Investigations Inquiry Reminder
JXI 647TESR39 -  Investigations Inquiry Reminder
SHV 622WYXP68 -  Investigations Inquiry Notice
QPY 661APWZ41 -  Investigations Inquiry Notice
FHF 338SYBV85 -  Investigations Inquiry Notice
EGY 318NHAR12 -  Investigations Inquiry Notification
IZJ 296CNWP92 -  Investigations Inquiry Notice

All the senders I have seen come from the chucktowncheckin.com domain. Furthermore, all of the sending servers are in the same /24:

194.87.216.87
194.87.216.62
194.87.216.40
194.87.216.43
194.87.216.3
194.87.216.7
194.87.216.80

All the servers have names like kvm42.chapelnash.com in a network block controlled by Reg.ru in Russia.

The link in the email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect.com e.g. 2vo4.uk-insolvencydirect.com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:


Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js) that looks like this [Pastebin].

Hybrid Analysis of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do give that OpenDNS is a security tool).

The script downloads a component from www.studiolegaleabbruzzese.com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53.

Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:

soumakereceivedthiswith.ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor.ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource.ru (does not resolve)
maytermsmodiall.ru (does not resolve)

It isn't exactly clear what the malware does, but you can bet it is Nothing Good™.

I recommend that you block email traffic from:

194.87.216.0/24

and block web traffic to

uk-insolvencydirect.com
studiolegaleabbruzzese.com
176.98.52.157
151.0.42.255



Monday 19 December 2016

Malware spam: "Payslip for the month Dec 2016." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    PATRICA GROVES
Date:    19 December 2016 at 10:12
Subject:    Payslip for the month Dec 2016.

Dear customer,

We are sending your payslip for the month Dec 2016 as an attachment with this mail.

Note: This is an auto-generated mail. Please do not reply.
The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55.

This Hybrid Analysis clearly shows Locky ransomware in action when the document is opened.

According to my usual reliable source, the various versions of this download a component from one of the following locations:

023pc.cn/8hrnv3
aguamineralsantacruz.com.br/8hrnv3
allard-g.be/8hrnv3
as-kanal-rohrreinigung.de/8hrnv3
aspecta-aso.net/8hrnv3
audehd.com/8hrnv3
audreyetsteve.fr/8hrnv3
baugildealtmark.de/8hrnv3
berstetaler.de/8hrnv3
birdhausdesign.com/8hrnv3
bperes.com.br/8hrnv3
brainfreezeapp.com/8hrnv3
delreywindows.com/8hrnv3
democracyandsecurity.org/8hrnv3
factoryfreeapparel.com/8hrnv3
garosero5.com/8hrnv3
globaser3000.com/8hrnv3
grafiquesvaros.com/8hrnv3
routerpanyoso.50webs.com/8hrnv3
skyers.awardspace.com/8hrnv3
www.andmax-rehabilitacja.pl/8hrnv3
www.bandhiga.com/8hrnv3
www.clinicafisiosan.com/8hrnv3
www.de-klinker.be/8hrnv3
www.foyerstg.pro/8hrnv3
www.globalchristiantrust.com/8hrnv3
www.neumayr-alkoven.com/8hrnv3
zimbabweaids.awardspace.com/8hrnv3

The malware then phones home to one of the following locations:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
193.201.225.124/checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76/checkupdate (SmartApe, Russia)
46.148.26.82/checkupdate (Infium, Latvia / Ukraine)


A DLL is dropped with a detection rate of 12/52.

Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82



Monday 12 December 2016

Malware spam: "Invoice number: 947781" leads to Locky

This fake financial spam comes from multiple senders and leads to Locky ransomware:


From:    AUTUMN RHINES
Date:    12 December 2016 at 10:40
Subject:    Invoice number: 947781

Please find attached a copy of your invoice.


Tel: 0800 170 7234
Fax: 0161 850 0404

For all your stationery needs please visit Stationerybase.
The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56.

Automated analysis of a couple of these files [1] [2] [3] [4] show the macro downloading a component from miel-maroc.com/874ghv3  (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57.

All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
88.214.236.218/checkupdate (Overoptic Systems, UK / Russia)
91.219.31.14/checkupdate (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


Recommended blocklist:
176.121.14.95
88.214.236.218
91.219.31.14




Friday 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.


--
King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detections C2 traffic to:

107.181.187.97/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
51.254.141.213/checkupdate (OVH, France)


It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:

91.142.90.46/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
195.123.209.23/checkupdate [hostame: prujio.com] (Layer6, Latvia)
185.127.24.247/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
185.46.11.236/checkupdate (Agava, Russia)
178.159.42.248/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)


Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are a at least a couple of bad /24 blocks in there.

Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24


Wednesday 23 November 2016

Moar Locky: "Bill-12345" from victim's own domain

This spam has no body text and appears to come from within the sender's own domain. It leads to Locky ransomware. For example:

From:    julia newenham [julia.newenham@victimdomain.tld]
Date:    23 November 2016 at 10:44
Subject:    Bill-76137
There is a randomly-named ZIP (e.g. 589af1aa1aaf4cb9ce571fced687b8ac.zip) containing a randomly-named malicious javascript. My usual reliable source (thank you) identifies the following download locations for these scripts:

asrcargo.ru/08yhrf3
decorvise.com/08yhrf3
gyreunbar.com/08yhrf3
halsklam.net/08yhrf3
myphychoice.com/08yhrf3
naruto55.com/08yhrf3
netclip.ro/08yhrf3
nikanels.pl/08yhrf3
nikitassalon.com/08yhrf3
njzhigaokt.com/08yhrf3
nkfyfs.cn/08yhrf3
noamshop.com/08yhrf3
notretribu.eu/08yhrf3
nuevarazajeans.com/08yhrf3
odtahova-sluzba-praha.eu/08yhrf3
oehome.com.cn/08yhrf3
ogrodexmilicz.pl/08yhrf3
ogustine.com/08yhrf3
onushilon.org/08yhrf3
o-sis.jp/08yhrf3
ossiatzki.com/08yhrf3
ostra.ro/08yhrf3
ouiphone.fr/08yhrf3
ovsz.ru/08yhrf3
parenclub-devilsenangels.nl/08yhrf3
paronleather.com/08yhrf3
paulking.it/08yhrf3
pedalcars.ru/08yhrf3
peppyinsta.com/08yhrf3
piaristesafriquecentrale.org/08yhrf3
plastictas.nl/08yhrf3
popek.si/08yhrf3
pppconstruction.co.za/08yhrf3
propfisher.com/08yhrf3
pusulam.com.tr/08yhrf3
qybest.cn/08yhrf3
raivel.pt/08yhrf3
rdyy.cn/08yhrf3
reaga.cz/08yhrf3
realearthproperties.in/08yhrf3
realtorpics.net/08yhrf3
receptoare-satelit.ro/08yhrf3
revaitsolutions.com/08yhrf3
rimiller.com/08yhrf3

A malicious DLL is dropped with an MD5 of 4e207b30c5eae01fa136f3d89d59bbbe and
a detection rate of 9/56. The malware then communicates with:

80.87.202.49/information.cgi (JSC Server, Russia)
94.242.55.81/information.cgi (RNet, Russia)
95.46.114.205/information.cgi (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)


Recommended blocklist:
80.87.202.49
94.242.55.81
95.46.114.205


Tuesday 22 November 2016

Malware spam: "Invoice 123456" from random sender in victim's own domain

This fake financial spam appears to come from a random sender in the victim's own domain, but this is just a simple forgery. The payload is Locky ransomware.

Subject:     Invoice 5639438
From:     random sender (random.sender@victimdomain.tld)
Date:     Tuesday, 22 November 2016, 8:43

Attached is the document 'Invoice 5639438'.

The reference number varies from email to email, but is consistent in the subject, body and the name of the attachment (e.g. Invoice 5639438.zip). This ZIP file contains a malicious WSF script (e.g. Invoice 7868933153.wsf) that looks like this.

According the the Malwr analysis, that script downloads from:

manage.parafx.com/98y4h?AdIXigNCmu=UdJVux

There are no doubt many other locations. That same analysis shows a DLL being dropped with an MD5 of de5d8250edf98262f335cd87fe6f6740 and a detection rate of 9/56. The Hybrid Analysis of the same sample shows the malware contacting the following C2 locations:

89.108.73.124/information.cgi (Agava, Russia)
91.211.119.98/information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)
94.242.55.81/information.cgi (RNet, Russia)


Recommended blocklist:
89.108.73.0/24
91.211.119.98
94.242.55.81


UPDATE

My usual reliable source came up with these additional download locations:

adoptshawm.net/98y4h
hotelmm.ro/98y4h
houseller.eu/98y4h
huaphoto.net/98y4h
huduanjichuang.com/98y4h
i12.ir/98y4h
ifsaiumumi.com/98y4h
illinoisnavhda.org/98y4h
inkubator.biz.pl/98y4h
interdean.hu/98y4h
iphoneservices.com.ua/98y4h
iran-bazaar.ir/98y4h
irandivinggroup.com/98y4h
islandspirits.ca/98y4h
izww.cn/98y4h
jain4jain.com/98y4h
jaydeepuk.com/98y4h
jazz.kvalitne.cz/98y4h
jinqiaonkyy.com/98y4h
jkshea.com/98y4h
joesrv.com/98y4h
joplinglobeonline.com/98y4h
junhao8.com/98y4h
justsport.co.il/98y4h
kabele.ru/98y4h
klaxcar.ro/98y4h
kongkhak.go.th/98y4h
korbastudio.com/98y4h
krepiec.pl/98y4h
kstm.or.th/98y4h
kuponik.eu/98y4h
lanphuong.vn/98y4h
lesmouf.com/98y4h
lhesh.com/98y4h
lifanpower.pl/98y4h
lomtalay.com/98y4h
lp511.com/98y4h
ltinvest.de/98y4h
luanasahian.ro/98y4h
lumitech.ro/98y4h
manage.parafx.com/98y4h
maroeg.com/98y4h
maxifitness.ru/98y4h
mckains.net/98y4h
mediawax.be/98y4h
megalingeriemall.com/98y4h
melzer-casting.de/98y4h
microsupport.net/98y4h
militarydirect.com/98y4h
minmin.in/98y4h
mirokon30.ru/98y4h
mooymedia.nl/98y4h
morgoo.es/98y4h
mudrahviezda.sk/98y4h
mybankofgold.com/98y4h
mysolosource.com/98y4h
natalija.ru/98y4h
reoilmaya.com/98y4h

Malware spam: "Delivery status" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Delivery status
From:     Gilbert Hancock
Date:     Tuesday, 22 November 2016, 8:51

Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.

In the sample I analysed there was an attachment named document_recipientname.zip (i.e. the first part of the recipient's email address was in the name), containing a malicious javascript with a random name. This particular script (and there are probably many others) attempts to download a component from one of the following locations:

sbdma.com/ri3xnzkaoz
robertocostama.com/qpnst8glsz
kettycoony.com/ahkzls3w
sadhekoala.com/efgqy4tdw
sdwsgs.com/voh7


According to this Malwr analysis, a malicious DLL is dropped with an MD5 of ebf03567c2a907705a026ff0821d8e63 and a detection rate of 6/55. The Hybrid Analysis reveals the following C2 locations:

91.201.202.130/information.cgi [hostname: dominfo.dp.ua] (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
188.120.250.138/information.cgi [hostname: olezhkakovtonyuk.fvds.ru] (TheFirst-RU, Russia)
213.32.66.16/information.cgi (OVH, France)

For those Russian and Ukranian networks I would be tempted to block the entire /24 at least, but this is my minimum recommended blocklist:

91.201.202.130
95.213.186.93
188.120.250.138
213.32.66.16

UPDATE

These are additional download locations for this variant (thank you to my usual source):

87.244.17.86/bhigobrbr
beachbreak.com/beachbreak/hk7mqlgs
bursacicekmagazasi.com/yqrws0c
campossa.com/ped2hwz3
cniplc.com/1cbgu
convertus.com/3p80kj
csplane.com/ej7irq
dmsoinfo.com/1buigkyvl
dtinsani.com/1gon5mmzk
fabriquekorea.com/1f3mauxvzb
facerecognition.com.ba/9b7aecm
girlstravelling.com/llnza
girlstravelling.com/zj3ij
gto-cro.com/zcvofb
gtodo.com.ar/shvssbgwh
gumorca.com/ydsojspvx
gxaiq.com/y6lhc
hairchinadirect.com/iryscuex9
hancebile.com/03aviw5ree
hancebile.com/cmlucpol
hancebile.com/fppm5myp7r
hancebile.com/rk9q4pf1
hjertearken.dk/pxyti0
kettycoony.com/ahkzls3w
kettycoony.com/cx55khn
kettycoony.com/gl74xldx
kettycoony.com/qllgov6rp
lauiatraps.net/90iuiatl
lauiatraps.net/lknfc
lauiatraps.net/tltnctyadf
lauiatraps.net/zyqjw08qqt
liftaccessory.com/crvjl4
marvicedo.com/drvf1s5x
mcmustard.com/lotojt3
misicka.com/ho6guo1jn
monowheels.ru/2nbknagte9
newautolatino.com/wa7lm4i7vo
nuociss.com/css5igxfe
oualili.org/afdnzqtmbc
paidforall.com/wnvppxdp0
parskavand.com/wekzwe
pattumalamatha.com/biwkk3sp
phaseiv.org/9utjgbof
poltec.com.au/wjzfftju
profilab.ru/wsmie0k
remixsarkilar.com/um5mvc53
rndled.com/adf4t5s3
robertocostama.com/qpnst8glsz
rsahosting.com/quudvvjxe
sadhekoala.com/efgqy4tdw
sadhekoala.com/lvqh1
sadhekoala.com/qg7bhfv3sa
sadhekoala.com/vjhxxwuo
sbdma.com/ri3xnzkaoz
sdwsgs.com/voh7l
shouwangstudio.com/uddj8u
snehil.com/8jp3sr
starmakersentertainment.com/vvaury
suziemorris.net/qz3wodtpqe
talentinzicht.eu/2szzeegt
thegioitructuyen.org/lalvx1nrj
thegoldclubs.com/soaiga
thirdchild.org/ratorfeybm
touroflimassol.com/uekc5dx
touroflimassol.com/vil8begqiq
ulmustway.com/gggsslzj1c
ulmustway.com/jm2hp
ulmustway.com/kzqnerxm
ulmustway.com/stj6o
unkalojistik.com/hhwh0xv9
valpit.ru/kn3jm
vedexpert.com/qbaiegzzu
verdianthy.com/iool1e
warisstyle.com/mjuurbt2bx
wbakerpsych.com/j00gr8z
whatsapphd.com/fqi0a
woodmode-eg.com/dsi79s
xa12580.com/lzwkiqsi8s
xhumbrella.com/jb5c396v
znany-lekarz.pl/nrpfqwwq

Thursday 17 November 2016

Malware spam: "Sage Invoice [service@sage-invoices.com]" / "Outdated Invoice" leads to Trickbot

This fake financial spam leads to the Trickbot banking trojan.

From:    Sage Invoice [service@sage-invoices.com]
Date:    17 November 2016 at 10:54
Subject:    Outdated Invoice

This is a customer service e-mail from © Sage (UK) Limited to [redacted]
   
Sage Invoice Payments
Outdated Invoice

You have an outdated invoice from Sage Invoice Payments that needs your attention. To find out more details on this invoice, please see the enclosed document attached to this email.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54. Hybrid Analysis shows malicious network traffic to:

substan.merahost.ru/petrov.bin  [185.86.77.224] (Mulgin Alexander Sergeevich aka gmhost.com.ua, Ukraine)

A malicious file scsnsys.exe is dropped with a detection rate of 8/53.

The domain sage-invoices.com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication. The no doubt fake WHOIS details are:

Registry Registrant ID: Not Available From Registry
Registrant Name: Antonio Padula
Registrant Organization: Weighpack Systems Inc
Registrant Street: 5605 Rue Cypihot
Registrant City: Saint Laurent
Registrant State/Province: Quebec
Registrant Postal Code: H4S 1R3
Registrant Country: CA
Registrant Phone: +1.5144243344
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: test@orasore.com


I recommend that you block traffic from that domain or check your filters to see who may have it.

Recommended blocklist:
sage-invoices.com [email]
185.86.77.0/24

Tuesday 8 November 2016

Malware spam: "Suspicious movements" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Suspicious movements
From:     Marlene Parrish
Date:     Tuesday, 8 November 2016, 12:52

Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.
---
King regards,
Marlene Parrish
Account Manager
Tel.: 202-328-1800
U.S. Office of Personnel Management
1189 E Street, NW
Washington, DC 20415-1000
The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js) which looks like this (note the insane amount of whitespace).

That particular script downloads a malicious component from one of the following locations:

vexerrais.net/6sbdh
centinel.ca/wkr1j6n
3-50-90.ru/u4y5t
alpermetalsanayi.com/vuvls
flurrbinh.net/6mz3c5q


There will probably be other download locations. This Hybrid Analysis and this Malwr report show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56.

UPDATE

My usual reliable source (thank you) informs me that there are indeed C2 servers (see the end of the post). The download locations are as follows:

3-50-90.ru/u4y5t
365aiwu.net/hbdo6
85.92.144.157/y8giadzn
abclala.com/r2kvg2
abercrombiesales.com/nmuch6
accenti.mx/nryojp
acrilion.ru/84m9t
adriandomini.com.ar/bq62dx10
agorarestaurant.ro/cg06f
ajmontanaro.com/q9giar
alpermetalsanayi.com/vuvls
antivirus.co.th/jukwebgk
apidesign.ca/ijau8q2z
archmod.com/sapma828
assetcomputers.com.au/lkfpyww
avon2you.ru/ayz1waqm
ayurvedic.by/b9kk9k
babuandanji.jp/lq9kay
bepxep.com/mo05j41
berrysbarber.com/q6qsnfpf
bielpak.pl/a79a64h
bjshicheng.com/blewwab
bst.tw/gnjeebt
cafedelrey.es/snby1c
centinel.ca/wkr1j6n
cgrs168.com/xmej0mc
chandrphen.com/h4b1k
chaturk.com/mxaxemv1
cheedellahousing.com/h24ph1
ck.co.th/r2k6i6
codanuscorp.com/ay5v52r1
comovan.t5.com.br/byev5nd
competc.ca/qrc9n
concern-block.ru/nijp1xq
corinnenewton.ca/ctlt8b
cosmobalance.com/jsqlt0g
dekoral.eu/twnyr1s
dessde.com/zcwaya
dinglihn.com/zg3pnsj
dmamart.com/c5l2p
donrigsby.com/nts0mk
dowfrecap.net/0d08tp
dowfrecap.net/3muv7
dowfrecap.net/6f9tho
dowfrecap.net/7qd7rck9
drkitchen.ca/y5jllxe
drmulchandani.com/d6ymtf62
dunyam.ru/jge1b3e
dwcell.com/dph861ws
earthboundpermaculture.org/okez95b
edrian.com/dfc33k67
edubit.eu/b6ye94wv
eldamennska.is/h4yim
elektronstore.it/z298ejb9
elleart.nl/gn3pim41
eroger.be/918p2q
fibrotek.com/deoq2
flurrbinh.net/0nbir64
flurrbinh.net/3nrgpb
flurrbinh.net/6mz3c5q
flurrbinh.net/7wi66hp
geethikabedcollege.com/766epkuj
handsomegroup.com/ae2y1hr0
inzt.net/lbrisge
lashouli.com/rq4xoq3
odinmanto.com/0cz2zwz
odinmanto.com/2rw12
odinmanto.com/57evyr
odinmanto.com/7gplz
pastelesallegro.mx/ex67ri8
thisnspeel.com/04u77s
thisnspeel.com/2qrn06f
thisnspeel.com/3ypojyl0
thisnspeel.com/766epkuj
vexerrais.net/1jk8n
vexerrais.net/3nx3w
vexerrais.net/6sbdh
vexerrais.net/84fwijj
villaamericana.net/84fwijj
www.cutillas.fr/lmc80sdb

C2s:

185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd, Ukraine)
195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Latvia)
185.102.136.127/message.php [hostname: koltsov12.mgn-host.ru] (MGNHost, Russia)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
185.67.0.102
195.123.211.229
185.102.136.127
188.65.211.181



Monday 7 November 2016

Malware spam: "Financial documents" leads to Locky

The never-ending Locky ransomware onslaught continues. This fake financial spam has a malicious attachment:

Subject:     Financial documents
From:     Judy Herman
To:     [redacted]
Date:     Monday, 7 November 2016, 10:53

Hi [redacted],

These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.

Best Wishes,
Judy Herman 
Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:

http://coachatelier.nl/lg8s2
http://bechsautomobiler.dk/m8idi9j
http://desertkingwaterproofing.com/ma4562
http://zapashydro.net/6sgto2bd
http://owkcon.com/6xgohg6i

According to this Hybrid Analysis, the malware then phones home to:

195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181




Thursday 3 November 2016

Malware spam: "!!! Urgent payment request" from random senders leads to Locky

This spam comes from random senders, the name in the "From" field always matches the fake email signature. The number of exclamation marks varies, and the payload is Locky ransomware.


Subject:     !!! Urgent payment request
From:     erika.whitwell@hillcrestlife.org (erika.whitwell@hillcrestlife.org)
Date:     Thursday, 3 November 2016, 10:01

ERIKA WHITWELL

Telefon: +49 1592 / 51-2545
Fax: +49 1592 / 5166-2545
E-Mail:
erika.whitwell@hillcrestlife.org

Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly-named malicious javascript file (e.g. 8357243996-7378883150-201611233647-0661.js) which looks like this [pastebin].

Analysis is pending. Please check back later.

UPDATE

This Hybrid Analysis shows the script downloading from:

dornovametoda.sk/jhb6576?jPUTusVX=GXNaiircxm

There will be lots of other download locations too. That same report shows the malware phoning come to the following C2 servers (that overlaps somewhat with those found here):

194.28.87.26/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
109.234.34.227/message.php (McHost.Ru, Russia)


Recommended blocklist:
194.28.87.26
93.170.123.119
109.234.34.0/24




Moar Locky 2016-11-03

I haven't had much time to look at the Locky runs overnight, but here is a data dump of download locations and C2s (at the bottom) from my usual reliable source:

Download locations:
10minutesto1.net/d05k5d
1stop-entertainment.com/ztpt8d0
3rock.ie/qdq1fv4c
3tr.ru/f92o6
a1match.dk/spcmi8qp
ac-elektrik.com/tvb20i
affordablewebsitesolutions.net/hdeaf
akira-sushi34.ru/przgzq
alexchen.name/aw9yipi
alexchen.name/c3ortzkj
alexeliades.com/fxhrz4
alkatech.gr/x3z70
allgameserver.com/ewxhiknt
allur.com.ua/skiz8q
alphabet-city.com.au/cbfi1
amadistrit.com/1bnao0hm
amadistrit.com/47r6wm
amadistrit.com/7exev9x1
amadistrit.com/9qci0
asambleacristiana.com.ar/e6q09un
assuredtenancyagreement.co.uk/yrz0c4v
astrainks.com/wdb2s8ny
ateliebucal.com/mxxnu
batavia-restaurant.nl/vk3p2se
bddja.com/p0u44p8z
bestcomp.ge/cp0oag4r
beta-net.lt/htfpant
beyondthedeals.com/iv41b8mg
bios.gr/mwrbr
burgeravenue.ru/tl0wf2ls
camdo89.com/rs0o9
campagno.com.au/gz4lot
carblogger.net/tzf9ba
ceramacity.ru/v6fjk
cnesa.cn/au6rql7
cokealong.com/0l609
cokealong.com/2ylfay
cokealong.com/6z1n11
cokealong.com/8qa1in
cokseyvar.com/fsodg2ho
colagung.com/izm4t243
contiades.gr/lhj4kx6
cxsite.net/l8tn0z
cyrilunrun.com/07ubcvl
cyrilunrun.com/2jnf9f8b
cyrilunrun.com/4x9yp6
cyrilunrun.com/7u1lgycs
dadashop.no/yfks5f9z
damoresilvia.com.ar/aulkfvs
deadpuppetsociety.com.au/mzgtl9z
de-btc.ru/xe1j6kx
decoulissen.be/vtdn792
derekbrooker.ca/xzziio9
dh1789.com/tu4ry8
dhback.com/hgp825l
diplocam.cm/zec5nk
douledu.com/h5vpn
dpshop.it/cq2we
drukarnia.lodz.pl/olsyi7
dtmx.pl/o0ico52
dulawa.pl/hbskw
edeldental.hu/rv97fz
edrsoft.com/atttlti
ertebat24.ir/n2khs
evotrade.ro/toz1iqw
exideworld.com.cn/zh2xd6
ezimu.com/dziykl
f8development.be/at2fpz
fiveclean.com/14msj3
fiveclean.com/3mz5l6t
fiveclean.com/76wl2
fiveclean.com/9q8jjta
kekjacint.hu/nygdhk
meskatha.com/2ccjhik
meskatha.com/49x930
meskatha.com/7i1ko82
meskatha.com/a0flf
www.50mi.cn/lbcc88r
www.compsec.co.nz/lpmn9vw
www.cvdesign.nl/h7fid1op
028happy.com/kjg56f7
1140746.net/kjg56f7
abercrombiesales.com/kjg56f7
accenti.mx/kjg56f7
acrilion.ru/kjg56f7
ahmetaksan.com/kjg56f7
alphabureau.ma/kjg56f7
antivirus.co.th/kjg56f7
apidesign.ca/kjg56f7
asastaff.com/kjg56f7
auwm.ru/kjg56f7
babuandanji.jp/kjg56f7
babyparka.ca/kjg56f7
bazkomp.pl/kjg56f7
bemmart.net/kjg56f7
bepxep.com/kjg56f7
bilisimarsivi.com/kjg56f7
blakslee.com/kjg56f7
boraba.net/kjg56f7
brokerclub.lt/kjg56f7
budeanu.ro/kjg56f7
buh-uchet71.ru/kjg56f7
byensbilleje.dk/kjg56f7
canals.cn/kjg56f7
capitalintroductionservices.com/kjg56f7
chaturk.com/kjg56f7
chuandishe.com/kjg56f7
cip.edu.pk/kjg56f7
cluster09server.com/kjg56f7
concern-block.ru/kjg56f7
daivupaint.com/kjg56f7
damai0769.com/kjg56f7
dela-cruz.eu/kjg56f7
delfin-lait.ru/kjg56f7
dienmaykhanhhuy.com/kjg56f7
dinglihn.com/kjg56f7
ding.sk/kjg56f7
discuzshop.com/kjg56f7
dongwooclean.com/kjg56f7
donrigsby.com/kjg56f7
draiveris.lt/kjg56f7
drede.ro/kjg56f7
dudenman.net/kjg56f7
dunyam.ru/kjg56f7
earthboundpermaculture.org/kjg56f7
edrian.com/kjg56f7
efson.707.cz/kjg56f7
eplotery.pl/kjg56f7
ev-entertainment.nl/kjg56f7
fcarmida.ru/kjg56f7
fedsav.com/kjg56f7
guardrupia.com/kjg56f7
inzt.net/kjg56f7
morgkelly.net/kjg56f7
365aiwu.net/43ftybb8
421pfyy.com/43ftybb8
677spo.com/43ftybb8
abgr.ru/43ftybb8
abrahams.ch/43ftybb8
adasulamasistemleri.com/43ftybb8
aifgroup.jp/43ftybb8
aircrew.co.in/43ftybb8
alkfor.ru/43ftybb8
allebanken.net/43ftybb8
almaks-mr.ru/43ftybb8
animals.org.il/43ftybb8
anime-one.com/43ftybb8
arnaudgranata.com/43ftybb8
atart.cn/43ftybb8
atforum.pl/43ftybb8
autoabs.lt/43ftybb8
automaler.ru/43ftybb8
awaelschool.com/43ftybb8
ayulduz.biz/43ftybb8
baraonda.gr/43ftybb8
basketballninja.com/43ftybb8
bassguitartips.com/43ftybb8
battleduck.ch/43ftybb8
bdvdo.net/43ftybb8
beamit.be/43ftybb8
beautyexpress.com.au/43ftybb8
bechsautomobiler.dk/43ftybb8
bestprservices.com/43ftybb8
bha-group.eu/43ftybb8
bhatiarasayanudyog.in/43ftybb8
birthdaystoday.net/43ftybb8
bluehost.hu/43ftybb8
bogaziciradyo.com/43ftybb8
bst.tw/43ftybb8
buhlmend.net/43ftybb8
bvn.lt/43ftybb8
cabanaionela.ro/43ftybb8
carmenortigosa.com/43ftybb8
casadalocacao.com/43ftybb8
chandrphen.com/43ftybb8
cheappaintball.net/43ftybb8
cheedellahousing.com/43ftybb8
chinatea.ro/43ftybb8
christen-in-nuernberg.de/43ftybb8
christmas-metal-meeting.de/43ftybb8
city-charger.ru/43ftybb8
classicnet.ir/43ftybb8
club-impact.ro/43ftybb8
coachatelier.nl/43ftybb8
coinobras.com/43ftybb8
consardproiectare.ro/43ftybb8
contserv.ro/43ftybb8
corinnenewton.ca/43ftybb8
cxsd.com.cn/43ftybb8
cyclingpromotion.com.au/43ftybb8
cyprushealthservices.com/43ftybb8
d2dlaundry.com/43ftybb8
debki-klara.pl/43ftybb8
deborahshallcross.com/43ftybb8
decactus.cl/43ftybb8
delanothayer.cl/43ftybb8
dersiz.com/43ftybb8
desertkingwaterproofing.com/43ftybb8
diandiandx.com/43ftybb8
drossell.com/43ftybb8
dwcell.com/43ftybb8
ecomission.com.au/43ftybb8
edu-net.ro/43ftybb8
ejiavip.com/43ftybb8
eldamennska.is/43ftybb8
el-sklep.com/43ftybb8
enkobud.dp.ua/43ftybb8
erotes.gr/43ftybb8
eskopb.com/43ftybb8
eurotrading.com.ua/43ftybb8
evogelbacher.de/43ftybb8
fazilusta.com/43ftybb8
fibrotek.com/43ftybb8
filmsites.nl/43ftybb8
gzycgj.com/43ftybb8
irk.24abcd.ru/43ftybb8
pastelesallegro.mx/43ftybb8
wonnapian.com/43ftybb8
ws.osenilo.com/43ftybb8
xiguacity.com/43ftybb8

C2s:
51.255.107.20/message.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
85.143.215.209/message.php (PrdmService LLC / Comfortel Ltd / Trader soft LLC, Russia)
91.230.211.103/message.php (Optibit LLC, Russia)
91.239.232.171/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
194.28.87.26/message.php (Hostpro Ltd, Ukraine)
51.255.107.20/linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
194.28.87.26/linuxsucks.php (Hostpro Ltd, Ukraine)

Recommended blocklist:
51.255.107.20
85.143.215.209
91.230.211.103
91.239.232.171
93.170.123.119
194.1.239.152
194.28.87.26

Wednesday 2 November 2016

Malware spam: "Companies House - new company complaint" / noreply@companies-house.me.uk / noreply@companieshouses.co.uk leads to TrickBot

This fake Companies House spam leads to TrickBot malware:

From:    Companies House [noreply@companieshouses.co.uk]
Date:    2 November 2016 at 11:51
Subject:    Companies House - new company complaint
Signed by:    companieshouses.co.uk

Investigations and Enforcement Services

This message has been auto-generated in response to the company complaint submitted to our WebFiling  service.

The submission number is ID109202DLK02911

Please find the attached document for your review.

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Crown Logo
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500

The Cardiff office is open 24 hours a day for the receipt of documents Contact Centre lines are open between 8.30am to 6pm (Monday to Friday) 
Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.


The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:

    Registrant:
        Camell Williams

    Registrant type:
        Unknown

    Registrant's address:
        550 HOLTS LAKE CT STE 101
        Suite 101
        Apopka
        Florida
        32703
        United States


Both those domains are close to the genuine one of companieshouse.gov.uk and because the email is digitally signed it might get past spam filters where normal botnet-sent spam wouldn't.

All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.

Attached is a Word document Complaint.doc  (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:

futuras.com/img/dododocdoc.exe

This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.

The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:

78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)


The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.

Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117


Tuesday 1 November 2016

Malware spam: "New Fax Message" / administrator@local-fax.com leads to TrickBot

This fake fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

From:    Administrator [administrator@local-fax.com]
To:    annie@[redacted]
Date:    1 November 2016 at 13:28
Subject:    New Fax Message
Signed by:    local-fax.com

Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.

[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]

Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.



Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and Hybrid Analysis give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:

www.tessaban.com/img/safafaasfasdddd.exe

This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports give the following suspect traffic:

91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)

I can match all those IPs except the last to this ThreatGeek report, those IPs are a mix of what looks like dynamic IPs for hacked home users and static ones (highlighted):

5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.

If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:

37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24


However, there's more to this too. The original email message is actually signed by local-fax.com and it turns out that this domain was created just today with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking.

All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously enough..


Malware spam: "This is to inform that the transaction you made yesterday is declined." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Transaction declined
From:     Chandra Frye
Date:     Tuesday, 1 November 2016, 10:48

Dear [redacted],

This is to inform that the transaction you made yesterday is declined.

Please look through the attachment for the verification of the card details.

Best Regards,
Chandra Frye
The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs) which looks like this [pastebin]. That particular sample plus one other I received communicates with the URLs below, but you can be sure that there are many more examples:

51qudu.com/mqy2pj4
bjzst.cn/qgq4dx
danapardaz.net/zrr8rtz
litchloper.com/66qpos7m
creaciones-alraune.es/dx8a5
adasia.my/f5qyi10
alecrim50.pt/g28w495t
zizzhaida.com/a0s9b
silscrub.net/07ifycb

Hybrid Analysis is inconclusive. If I get hold of the C2s or other download locations then I will post them here.

UPDATE

My usual reliable source tells me that these are all the download locations:

17173wang.com/f6w0p
176.9.41.156/rodru
4office.pl/zyjkry6
51qudu.com/mqy2pj4
akbarcab.com/p8vw992v
alpinivel.pt/as4jcmm
americanjuniorgolfschool.com/hkba7
apiaa.ro/jqm6ltfw
atech.co.th/lyyrdp9
badyna.pl/saf0zv
baoan99.com/jllkv
baranteks.com/hrnf0q44
beesket.com/jrd8d411
bikebrowse.com/mjjoy
biolume.nl/rq8mabk
bionorica.md/m61yk
birim.org/x5s8d
bisskultur.de/rawmjx
bjsunny.net/claocm
bjzst.cn/qgq4dx
blastech.cc/nsg5xyi
carsmotor.net/stab2
cascinamatine.com/a7w59h
cdxybg.com/iribzm
charoenpan.com/jv4fj
chbeirlaw.com/oyem1
civc.co.uk/y5rcauj
containermx.com/vzndc
creaciones-alraune.es/dx8a5
crossfitgladstone.com/orfx8
cvanchen.com/m61yk
danapardaz.net/zrr8rtz
daricacicekci.com/jqec1k7r
doctornauchebe.it-strategy.ru/k1d7d
eatfatlosefat.com/yx7s1
ebooks.w8w.pl/slhj1l
econsult.com.tw/dqtvy
fieldserviceca.net/dndovr
koranjebus.net/1bpsrbfa
koranjebus.net/4rwg5
koranjebus.net/94rgo
koranjebus.net/9fif0
litchloper.com/2be1xz
litchloper.com/66qpos7m
litchloper.com/96iq4o
litchloper.com/9qknusm
nbsbjt.net/icefdwl
silscrub.net/40l8w
silscrub.net/79d6w4
sonsytaint.com/0dqj0dd
sonsytaint.com/4mgxlrf
sonsytaint.com/89hs1ix
zizzhaida.com/3m6ij
zizzhaida.com/98g4ubq

These are the C2s:

91.234.32.202/linuxsucks.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
81.177.22.164/linuxsucks.php (NETPLACE, Russia)


Recommended blocklist:
91.234.32.202
81.177.22.164

Monday 31 October 2016

Malware spam: "Wrong tracking number" leads to Locky

This spam email leads to Locky ransomware:

From     "Samuel Rodgers"
Date     Mon, 31 Oct 2016 15:21:22 +0530
Subject     Wrong tracking number

It looks like the delivery company gave us the wrong tracking number.

Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.
The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script [pastebin] named something like tracking number A99DB PDF.vbs.

That script tries to download a component from:

tastebudsmarketing.com/uw6lin
mechap.com/xd7uh
coffeeteashop.ru/daz2rp
ficussalm.com/0bqzcn96
waynesinew.com/0fqt9he1

There will no doubt be other locations. At present I do not have those or the C2 servers, but will update this post if I get them.

UPDATE

The full list of download locations is as follows (thank you to my usual source):

365cuit.com/d9x9f0
7ut.ru/ge9j0et2
8hly.com/jc45tun
a1akeyssportfishing.com/etrt5
academy24.nl/k6lxc
aconetrick.com/2ejczfc
aconetrick.com/564nr0
aconetrick.com/6yoajl7
aconetrick.com/bwt2ixo
ami-mo.ca/k5xhdz2
ami-mo.ca/kr641jxw
archilog.at/imwjmt
architectureetenvironnement.ma/g31701d
badznaptak.pl/inlgm49
bebmila.it/eczde9
buenotour.com/j97s7
business-cambodia.com/he8wtc
campossa.com/vjbfdtj
cdqdms.com/d887wn9
cintasuci.com/cl6pa
coffeeteashop.ru/daz2rp
comistus.net/j6y95
customrestaurantapps.com/gn7c2se
dgtoca.net/d1wr3
dicresco.vn/gq1bjtbb
ecig-ok.com/luflbx4
eijsvogel.nl/gpbka1n2
elgrandia.com.mx/ginlp2f
epsihologie.com/jd2qrzg
eredmenyek.net/ff2i98t
ficussalm.com/0bqzcn96
ficussalm.com/2m6u1jt9
ficussalm.com/65s3r
ficussalm.com/8pmjmwp
financesystem.net/inliid
frijaflail.com/21fpb
frijaflail.com/37cu2
frijaflail.com/6u982pak
frijaflail.com/bnrxxvsk
mcmustard.com/u6ll6y
mechap.com/xd7uh
personalizar.net/nrwnmk
personalizar.net/qz5x2mmr
robertocostama.com/xyulv
shouwangstudio.com/xkocl94
sintasia.com/ziyd0iap
tastebudsmarketing.com/uw6lin
thegioitructuyen.org/rw6ost0e
timwhid.com/1mdm3
timwhid.com/33ck9bxc
timwhid.com/6twktm
timwhid.com/bnkxqf
tjbjpw.com/wsdou72d
tonglizhongji.com/xia3fu0
tropicalcoffeebreak.com/mqomzf
utopiamanali.com/tylv91
valpit.ru/syrwg2r3
vedexpert.com/zt4ug
visualtopshop.com/svnjzk9
warisstyle.com/sq1sae
wayneboyce.com/u5ahu
waynesinew.com/0fqt9he1
waynesinew.com/2psuru2
waynesinew.com/67egbs
waynesinew.com/9li2sv1r
wbakerpsych.com/mm3kuv
wedding-pix.net/u39ssq
wei58.com/wnticba
wklm.it/qjv1ap
xa12580.com/pq2xb
xhumbrella.com/rb374woh
yurtdax.com/wgltz
zbdesignsas.com/m13o692o
znany-lekarz.pl/wd7zj

The malware phones home to:

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
5.187.7.111/linuxsucks.php (Fornet Hosting, Spain)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152

Friday 28 October 2016

Malware spam: "Payment history" leads to Locky

Another morning, another spam run pushing Locky ransomware:

Subject:     Payment history
From:     Theodore Wilkins
Date:     Friday, 28 October 2016, 10:09

The payment history for the first week of October 2016 is attached as you requested.

Please review it and let us know if you have any question.
The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script [pastebin] (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these script in these automated analyses [1] [2].

There are many different variants of the script, downloading components from:

2rtt-2rm.ru/grb7c
92hanju.com/utl41nrt
a1plus2.de/ljwxw6vh
accubattery.eu/sjc2at
aegischina.com/yrp6eyv
agrobiciuffa.com.ar/l5e7m6i
allaboutseniors.in/wtm1i0yg
alpha-next.com/ssvmwa
angundoviz.com/lhk96wx
aoteatrial.net/02yls0
aoteatrial.net/142y5x
aoteatrial.net/4865ht
aoteatrial.net/7gojeo
artmusic.dk/izpv2d39
autoreal16.ru/r1j54weq
bachledowka.net/xausf
beauty-link.jp/umjwg8f
bikemielec.com/b7owupi
bircansigorta.com/s84vkrx
blaauw-woonidee.nl/hvlqf9v4
bts-site.nl/fb80j
bumbocubeb.net/04s7752
bumbocubeb.net/163yebg7
bumbocubeb.net/4rjsepe
bumbocubeb.net/8p54eb8
burdur-bld.gov.tr/usl1pm4
buron.dk/t8nh96d
butterflytiger.com/o7eancbx
caraudiogdl.com/zm74gwvw
cavafis.gr/ouyrvo
chanet.jp/mrf40le
chernozem-msk.ru/l5wvp4nc
clinicaharvard.com/umuyki
cmmsrilanka.lk/xztuej9
codelime.net/u9dhbjib
cronos-com.ru/hbxxkshz
dadou0531.com/gych5
dcproduction.fr/wrs9q6
dohere.net/zyme3z
dollheiser.de/v5oqpb4
doogo.com.ar/vw280ik8
drewnianaskrzynka.pl/nfw15wn9
eajhosting.nl/q7jijj3k
edhalper.it/tmnm2v
efb-demarco.de/ywkdd
eflproject.org/vco8bi
egda.pl/unu16fq9
elma.7080.ru/qe3sp3
energiclima.com/sesmgrv4
enzyma.es/lpzd1gev
er-mecanicautomotriz.com/fxlkkv
e-testers.it/jy5ipe3
eurobnr.ro/qd0gn425
euromac.es/oodhs
expert-as.ru/ulfzbh
finahistory.com/jhrni
hellomissdance.com/a03sf
helsby.biz/apwms
hltrader.com/audu4f4o
huodaibbs.com/bqmvde
ilmdesign.com/aos8ly25
joshdult.net/0ia6e4
joshdult.net/3c554n2
joshdult.net/73eqx7oc
joshdult.net/9p4eh
nowon.dk/woqb5j
plookseri.net/097ga
plookseri.net/1s4bzaa1
plookseri.net/5t9nja
plookseri.net/9jyg2s70
shop.ukrtk.com/ck6jfe2e
verdianthy.com/diqlfy1
weddingandfashion.it/djzuf5c
zencart.alpm.gogzmermedia.com/h0woq
zlotysalmo.net/0zx0ken3
zlotysalmo.net/3v8va8ov
zlotysalmo.net/75vepy6f
zlotysalmo.net/9v50aob

(Thank you to my usual source for this data). The malware phones home to:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks.php [hostname: tarasik1.infium.net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks.php (Dunaevskiy Denis Leonidovich, Ukraine)


It also attempts to contact the following URLs which appear to be dead:

pqrifsjpryygmip.pw/linuxsucks.php
uxpxpirusm.xyz/linuxsucks.php
wbaskcsxiffiax.info/linuxsucks.php
kcydflvipqsvqxw.work/linuxsucks.php
haxkbqwyudoeghlhj.biz/linuxsucks.php
mdecrwmtscal.su/linuxsucks.php
pqpmswodyqlbbjmwm.pl/linuxsucks.php
yppsuvfjmnsbi.org/linuxsucks.php
fpeuwdde.xyz/linuxsucks.php
qggdljlijbygeutc.click/linuxsucks.php
juiweirqvt.su/linuxsucks.php
gyhbiuo.ru/linuxsucks.php

A DLL is dropped with a detection rate of 12/57.

Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79

Thursday 27 October 2016

Malware spam: "E-TICKET 41648" leads to Locky

More Locky ransomware today..

From     "Matthew standaloft"
Date     Thu, 27 Oct 2016 15:20:27 +0530
Subject     E-TICKET 41648

Dear Sir ,

Please find the attached E-ticket as per your requested.


Thanks & Regards ,

Matthew standaloft
Attached is a ZIP file containing a randonly-named .WSF script, downloading more evil from one of the following locations (according to my usual source):

agile-scrum-training.com/g67eihnrv
axzio.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cttcleaning.com/g67eihnrv
dmlevents.com/g67eihnrv
dreamruntech.com/g67eihnrv
dryilmazyildirim.com/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
fullservicetech.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
intomim.com/g67eihnrv
jackpotfutures.com/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
librahost.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
micaraland.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
riverlifechurch.tv/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
vkwelaarts.co.za/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv

This drops a malicious DLL with a detection rate of 9/56. The following C2 servers are contacts:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks.php (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
213.159.214.86/linuxsucks.php (JSC Server, Russia)


Recommeded blocklist (also see this other spam run today):
83.217.11.193
91.201.202.12
213.159.214.86