Malware spam: "FW: Invoice" from multiple senders

This fake financial spam comes from randomly-generated senders, for example:

From:    Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br]
Date:    28 April 2016 at 11:40
Subject:    FW: Invoice

Please find attached invoice #342012

Have a nice day

Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are:

http://rabitaforex.com/pw3ksl
http://tribalsnedkeren.dk/n4jca
http://banketcentr.ru/v8usja
http://3dphoto-rotate.ru/h4ydjs
http://switchright.com/2yshda
http://cafe-vintage68.ru/asad2fl
http://minisupergame.ru/a9osfg

The payload looks like Locky ransomware. The DeepViz report shows it phoning home to:

83.217.26.168 (Firstbyte, Russia)
31.41.44.246 (Relink, Russia)
91.219.31.18 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.60 (Relink, Russia / OVH, France)
91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua.  Ukraine)

These two Hybrid Analysis reports [1] [2] show Locky more clearly.

Recommended blocklist:
83.217.26.168
31.41.44.246
91.219.31.18
51.254.240.60
91.234.32.19

Malware spam: "Thank you. Our latest price list is attached. For additional information, please contact your local ITT office."

This fake financial spam leads to malware:

From:    Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date:    27 April 2016 at 12:23
Subject:    Price list

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.

Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:

aaacollectionsjewelry.com/ur8fgs
adamauto.nl/gdh46ss
directenergy.tv/l2isd
games-k.ru/n8eis
jurang.tk/n2ysk
lbbc.pt/n8wisd
l-dsk.com/k3isfa
mavrinscorporation.ru/hd7fs
myehelpers.com/j3ykf
onlinecrockpotrecipes.com/k2tspa
pediatriayvacunas.com/q0wps
soccerinsider.net/mys3ks
warcraft-lich-king.ru/i4ospd
haraccountants.co.uk/k9sjf

This downloads Locky ransomware. The executable then phones home to the following servers:

176.114.3.173 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
139.59.166.196 (Digital Ocean, Singapore)
107.170.20.33 (Digital Ocean, US)
146.185.155.126  (Digital Ocean, Netherlands)

Recommended blocklist:
176.114.3.173
139.59.166.196
107.170.20.33
146.185.155.126

Malware spam: "FW: Latest order delivery details" is somewhat rude

This fake financial spam leads to malware:

From:    Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]
Date:    21 April 2016 at 17:45
Subject:    FW: Latest order delivery details

Good morning!

Hope you are good.

Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.

I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.

Many thanks and good luck

Milan Bell

DORIC NIMROD AIR ONE LTD

tel. 443-682-9021

The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:

trendmicro.healdsburgdistricthospital.com/RIB/assets.php

Cheekily the URL references a well-known security company.  The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:

176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)

You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:

103.245.153.154 (OrionVM, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (PT Telecom Company, Vietnam)
23.249.1.171 (Datacate , US)

It is not clear what the payload is, but there are indications it is the Dridex banking trojan.

Recommended blocklist:
176.103.56.30
103.245.153.154
176.9.113.214
210.245.92.63
23.249.1.171

Malware spam: "Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]" / "Document No™2958719"

This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:

From:    Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]
Date:    20 April 2016 at 11:01
Subject:    Document No™2958719

Thanks for using electronic billing

Please find your document attached

Regards


Beerhouse Self Drive

In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:

bi.pushthetraffic.com/87ty8hbvcr44

There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between then identify what is likely to be Dridex, phoning home to the following servers:

193.90.12.221 (MultiNet AS, Norway)
212.126.59.41 (Letshost / Digiweb, Ireland)
93.104.211.103 (Contabo GmbH, Germany)
155.133.82.82 (FUFO Studio Agata Grabowska, Poland)
212.50.14.39 (Computers Equipnemt, Bulgaria)
91.194.251.204 (TOV Dream Line Holding, Ukraine)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)

Recommended blocklist:
193.90.12.221
212.126.59.41
93.104.211.103
155.133.82.82
212.50.14.39
91.194.251.204
194.116.73.71
64.76.19.251

Malware spam: "Envoi d’un message : 9758W-TERREDOC-RS62937-15000" / Christine Faure [c.faure@technicoflor.fr]

This French-language spam comes with a malicious attachment:

From:    Christine Faure [c.faure@technicoflor.fr]
Date:    28 March 2016 at 16:54
Subject:    Envoi d’un message : 9758W-TERREDOC-RS62937-15000

Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :

9758W-TERREDOC-RS62937-15000
Message de sécurité

To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:

store.brugomug.co.uk/765f46vb.exe
ggbongs.com/765f46vb.exe
dragonex.com/765f46vb.exe
homedesire.co.uk/765f46vb.exe
scorpena.com/765f46vb.exe
pockettypewriter.co.uk/765f46vb.exe
enduro.si/pdf/765f46vb.exe
185.130.7.22/files/qFBC5Y.exe

Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses [17] [18] [19] [20] the malware phones home to:

83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)

All of those look like pretty shady neigbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.

The other binary appears to be another version of Locky which appears to phone home to the same servers.

Recommended blocklist:
83.217.8.127
84.19.170.249
185.117.72.94
91.200.14.73
92.63.87.134
176.31.47.100

Malware spam: "FW: Payment Receipt" from multiple recipients leads to Locky

This fake financial spam comes from random recipients, for example:

From:    Marta Wood
Date:    24 March 2016 at 10:10
Subject:    FW: Payment Receipt

Dear [redacted],

Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.

Regards,
Marta Wood
Technical Manager - General Insurance

Attached is a ZIP file that incorporates the recipients name plus a word such as payment, details or receipt plus a random number. This achive contains a randomly-named script (starting with "PM") and ending with .js.js plus which appear to be a set of hidden .BIN files which may well be junk.

VirusTotal detection rates for the scripts are fairly low (examples [1] [2] [3] [4] [5] [6]). Automated analysis [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] shows binary download locations at:

stie.pbsoedirman.com/msh4uys
projectpass.org/o3isua
natstoilet.com/l2ps0sa [404]
yourhappyjourney.com/asl2sd [404]

Two of locations are 404ing, the two that work serve up a different binary each. There are probably many more download locations and more binaries, I will try to add a list later.

The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically is it Locky. Automated analyses [21] [22] [23] [24] [25] [26] show it phoning home to:

195.123.209.123 (ITL, Latvia)
107.181.187.228 (Total Server Solutions, US)
217.12.218.158 (ITL, Netherlands)
46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)

UPDATE

Some further download locations from another source (thank you!):

byprez.com/oeepsl3s
caidongrong.com/e5owzc
emprendamosjuntos.com/dk3oas
epicld.com/n3sjax
fallrunathon.com/pw9eoa
famouscouponcodes.com/nxj3sa
hudesign.com/k39skad
kanberdemir.com/b5uas
mqhchurch.net/k2usy
mskphilly.org/yt7wei
optionstrategiesinsiders.org/zpq9sa
plexcera.com/m4uxj2
tigabersaudara.com/k3isa
www.naturseife-gartetal.de/oe9fja

MD5s for downloaded binaries:

0b0f29dc216e481659e84efc349823e1
0bd4f9b53991e86e39945559be074f40
2aea58b3328728ee5f0117112f8d8bd1
3da8d515085dc46be0c5e8d0aa959a5d
8630de2e42fb8e26764a994a4b7c65a9
8b07f6a6b52462395ed8dc91c4b7e7e6
8b6bc36cf0fc6db4fe7f2257cdc75905
9b52fbfe6d763bdbd9156b308ce4cd9f
9ebc25f1e53a2174213ea128a3cdb166
ab7c78cbd32ca79dff83f00aec693b2c
c070835d983f162b48f4fc370e30cf02
c9be9e7751b8f164d04a31a71d0199c6
f5d668c551cecb12f6404214fb0c8251


Recommended blocklist:
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39

Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk

This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment:

From:    customer.service@axminster.co.uk
Date:    24 March 2016 at 10:11
Subject:    Your order has been despatched

Dear Customer

The attached document* provides details of items that have been packed and are ready for despatch.

Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.

Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm

Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)

Kind regards

Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk

* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html

Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8]  shows download locations at:

skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe

This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:

71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)

It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.

UPDATE

Some additional download locations from another source (thank you!)

webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe


Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41

Malware spam: "FX Service" / "Fax transmission" spoofing victim's domain

This fake fax spam appears to come from within the victim's own domain, but it doesn't. Instead is is just a simple forgery with a malicious attachment.

From:    FX Service [emailsend@w.e191.victimdomain.tld]
Date:    21 March 2016 at 14:32
Subject:    Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff

Please find attached to this email a facsimile transmission we
have just received on your behalf

(Do not reply to this email as any reply will not be read by
a real person)

Details will vary from message to message. Attached s a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:

http://modaeli.com/89h766b.exe
http://spormixariza.com/89h766b.exe
http://sebastiansanni.org/wp-content/plugins/hello123/89h766b.exe
http://cideac.mx/wp-content/plugins/hello123/89h766b.exe

There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56.  This Malwr report of the payload indicates that it is Locky ransomware.

All of those sources plus this Deepviz report show network traffic to the following IPs:

195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine)

If I receive more information I will post it here.

Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90

Malware spam: "Documentxx" apparently coming from the victim leads to Locky

This spam appears to come from the victim, but this is just a simple forgery (explained here). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is no body text. Here is an example:

From:    victim@domain.tld
To:    victim@domain.tld
Date:    17 March 2016 at 10:37
Subject:    Document32

Inside is a randomly-named script (samples VirusTotal reports [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13]  indicate that the script attempts to download a binary from the following locations:

escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe
fmfgrzebel.pl/wp-content/plugins/hello123/89h8btyfde445.exe
superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe
sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe
bezerraeassociados.com.br/wp-content/plugins/hello123/89h8btyfde445.exe

The dropped binary has a detection rate of just 2/57. Those reports and these other automated analyses [14] [15] [16] show network traffic to:

78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46 (Infium UAB, Ukraine)
188.127.231.116 (SmartApe, Russia)
195.64.154.114 (Ukrainian Internet Names Center, Ukraine)

This is Locky ransomware.

Recommended blocklist:
78.40.108.39
46.148.20.46
188.127.231.116
195.64.154.114

Malware spam: "Remittance Adivce" from random senders

This fake financial spam has a malicious attachment and poor spelling in the subject field.

From:    Booth.Garth19@idsbangladesh.net.bd
Date:    17 March 2016 at 09:17
Subject:    Remittance Adivce


Please find attached a remittance advice for payment made yo you today.

Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.

Kind Regards

Garth Booth

Sender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:

bakery.woodwardcounseling.com/michigan/map.php

This download location is almost certainly completely malicious, and is hosted at:

217.12.199.94 (ITL, Ukraine)

This dropped file has a detection rate of 3/56. That VirusTotal and this Malwr report indicate network traffic to:

38.64.199.33 (PSINet, Canada)
188.93.239.28 (DotSi, Portugal)

The payload is uncertain, but it could be the Dridex banking trojan.

UPDATE

The DeepViz analysis  also shows traffic to:

85.17.155.148 (Leaseweb, Netherlands)

Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148

Malware spam: "Credit details ID: 87320357" leads to Teslacrypt

So many Teslacrypt campaigns, so little time... I've had to rely on third party analysis on this particular one (thank you!)

From:    Ladonna feather
Date:    14 March 2016 at 14:50
Subject:    Credit details ID: 87320357

Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply. 

Send names, references and attachment names vary. The malicious scripts in the attachment attempt to download from:

giveitallhereqq.com/69.exe?1
washitallawayff.com/69.exe?1
giveitallhereqq.com/80.exe?1
washitallawayff.com/80.exe?1

This is Teslacrypt ransomware with VirusTotal detection rates of 1/57 [1] [2]. The malware attempts to phone home to:

198.1.95.93/~deveconomytravel/cache/binstr.php
kel52.com/wp-content/plugins/ajax-admin/binstr.php
myredhour.com/blog//wp-content/themes/berlinproof/binstr.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/binstr.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/wcspng.php

The download locations for the executable files can all be considered as malicious:

54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)
178.18.99.23 (Maginfo JSC, Russia)
31.47.179.11 (Baikal TransTeleCom, Russia)
31.134.39.52 (IRONNET Ltd, Russia)
119.247.218.165 (Hong Kong Broadband Network Ltd, Hong Kong)
113.252.180.39 (Hutchison Global Communications, Hong Kong)
37.115.24.106 (Kyivstar GSM, Ukraine)
5.248.2.179 (Kyivstar GSM, Ukraine)
193.169.134.215 (SDS-Vostok Ltd, Russia)
5.166.207.194 (ER-Telecom Holding, Russia)
46.172.219.246 (Krym Infostroy Ltd, Ukraine)

Out of these, only the first three (for giveitallhereqq.com) appear to be static IPs, the others (for washitallawayff.com) are dynamic and are likely part of a botnet, so blocking the domain might be better.

Recommended blocklist:
54.212.162.6
212.119.87.77
78.135.108.94
washitallawayff.com

Malware spam: Your Amazon order #137-89653734-2688148 / AMAZON.COM [Mailer-daemon@amazon.com]

This fake Amazon spam comes with a malicious attachment:

From:    AMAZON.COM [Mailer-daemon@amazon.com]
Date:    11 March 2016 at 09:09
Subject:    Your Amazon order #137-89653734-2688148

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order #137-89653734-2688148 Placed on March 11, 2016

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.com 

Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script of which I have seen just a single sample with a detection rate of 5/56. According to this Malwr report, the script downloads a binary from:

mercadohiper.com.br/system/logs/uy78hn654e.exe

That binary has a detection rate of 4/55. According to the Malwr report for the script and this Malwr report for the binary, it phones home to:

31.184.196.75 (Petersburg Internet Network, Russia)
91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)

There are probably other download locations and C2s, I will update this post if I find out what they are.

UPDATE

Some additional C2s from various sources:

78.40.108.39 (PS Internet Company LLC. Kazakhstan)
31.184.196.78 (Petersburg Internet Network, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)

Some additional download locations for this and other locky spam runs today:

solucionesdubai.com.ve/system/logs/uy78hn654e.exe
ghayatv.com/system/logs/uy78hn654e.exe
dolcevita-ykt.ru/system/logs/uy78hn654e.exe

Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192

Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"

This fake financial spam comes with a malicious attachment:

From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833

Dear Client!

For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994


Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:

http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1

These sites are hosted on:

142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)

This Malwr report and this Hybrid Analysis shows communications with:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)

The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.

These domains are also associated with some of the IPs. Consider them all to be evil:

t54ndnku456ngkwsudqer.wallymac.com
spannflow.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
howareyouqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
witchbehereqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
hellomississmithqq.com
thisisyourchangeqq.com
www.thisisyourchangeqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146

Malware spam: "Remittance" from random companies with .rtf attachment

This fake financial spam appears to come from random companies. The body text is similar in call cases.

Sample 1:

From:    Ignacio - Floris of London
Date:    4 March 2016 at 09:42
Subject:    Remittance


Dear Sir/Madam,

I hope you are well. I am writing you to let you know that total amount qualified in the contract has been sent to your bank account on the 3rd of March at 14 through BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Ignacio Knox
Accounts Payable

Sample 2:

From:    Audra - ECLECTIC BAR GRP PLC
Date:    4 March 2016 at 09:48
Subject:    Remittance

Dear Sir/Madam,

Hope you are OK. I am writing you to let you know that entire amount specified in the contract has been paid into your bank account on the 1st of March at 16 over BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Audra Pratt
Accounts Payable

Attached is a file named in a format similar to rem.advice-6430760513.rtf or invoice-9200564788.rtf. Detection rates are pretty low [1] [2] [3] and the Malwr reports are inconclusive [4] [5] [6] although I suspect the attachment itself may be malformed. Further analysis is pending.

UPDATE

These Hybrid Analysis reports  [1] [2] [3] show the file downloading a malicious binary from one of the following fruit-flavoured domains:

wildberry.markettimingintelligence.com/zalupa/kurva.php
raspberry.diversified-capital-management.com/zalupa/kurva.php

This file is dropped as %TEMP%\sdjgbcjkds.exe and both those sites are hosted on:

31.131.24.76 (PE Skurykhin Mukola Volodumurovuch, Ukraine)

Along with another domain of strawberry.reactionpointtimingindicator.com. All of these are hijacked GoDaddy domains.

The Malwr report for the executable shows it communicating with:

24.172.94.181 (Time Warner, US)

This is the same IP as seen here which Sophos identified as being Dridex.  

Recommended blocklist:
31.131.24.76
24.172.94.181 

Malware spam spoofing "Hillsong Church London"

This rather confused spam comes with a subject saying one thing.. for example:

GREKA ENGINEERING & TECHNOLOGY LTD March Invoice #2875
LIMITLESS EARTH PLC March Invoice #75913
FALKLAND ISLANDS HLDGS March Invoice #58093
MULTI UNITS FRANCE March Invoice #6689
SHORE CAPITAL GROUP LTD March Invoice #1612

But the body text is from a church..

Hi there,

Please find the remittance advice for the payment made on the 19th Feb 2015 from
Hillsong Church London.

Please let me know if there are any queries.

Kind regards,

Joan Terry

The material contained in this email may be confidential, and may also be the subject
of copyright and/ or privileged information. If you are not the intended recipient,
any use, disclosure or copying of this document is prohibited. If you have received
this document in error, please advise the sender and delete the document.

This email communication does not create or vary any contractual relationship between
Hillsong and you. Internet communications are not secure and accordingly Hillsong
does not accept any legal liability for the contents of this message.

Please note that neither Hillsong nor the sender accepts any responsibility for viruses
and it is your responsibility to scan the email and any attachments.

Hillsong Church London
www.hillsong.co.uk http://www.hillsong.co.uk

Attached is either an Excel spreadsheet named in a style similar to Hillsong-C2E24.xls (VT results [1] [2] [3]) or a ZIP file with a similar name to Hillchurch-03234D.zip containing a script TR7433029032016.js or TR913740032016.js (VT results [4] [5]).

The Malwr reports are a mixed bunch with only the first three giving any data [1] [2] [3] [4] [5] showing download locations at:

oimedoaeklmrf.giftcardnanny.ca/nu2o3mk4/c987ah8j9ei1.php
eiadmeodeda.securalive.ca/8fjvimkel1/c987ah8j9ei1.php
doaemdpmekd.securalive.eu/8fjvimkel1/c987ah8j9ei1.php

In fact, all these locations are on the same server (and are the same binary), hosted on:

193.201.227.90 (PE Tetyana Mysyk, Ukraine)

According to VirusTotal, there are a few hijacked GoDaddy subdomains on that IP. This method is a little unusual for this type of attack.

Those Malwr reports and this Hybrid Analysis show the malware phoning home to:

24.172.94.181 (Time Warner Cable, US)

It isn't entirely clear what the payload is, but it is probably Dridex or possibly some form of ransomware.

Recommended blocklist:
193.201.227.90
24.172.94.181

Malware spam: "March Invoice" / "Balkan Dream Properties"

This fake financial spam can't make up its mind which month it is for.

From:    Caitlin Velez
Date:    1 March 2016 at 11:50
Subject:    March Invoice

Hi,

Attached is the November invoice.

Thanks!

Caitlin Velez
Customer Service
Balkan Dream Properties
090-157-5969

So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero.

This Malwr report shows that it is the Locky ransomware, download a binary from:

intuit.bitdefenderdistributor.info/intrabmw/get.php

This is hosted on a bad webserver at..

93.95.100.141 (Mediasoft ekspert, Russia)

..and it then phones home to..

5.34.183.195 (ITL / UA Servers, Ukraine)

There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..

31.184.197.119 (Petersburg Internet Network ltd., Russia)
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)

Recommeded blocklist:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
93.95.100.141

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment:

From:    admin [ands21@victimdomain.tld]
Date:    29 February 2016 at 19:05
Subject:    Scanned image

Image data in PDF format has been attached to this email.

The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js  I have seen three different versions of the attached scripts with detection rates of around 1/55 [1] [2] [3]. The Malwr reports for those [4] [5] [6] show download locations at:

www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe
svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution.in.th/system/logs/7ygvtyvb7niim.exe

This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:

51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)

Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, howerver I recommend that you block all traffic to:

51.254.19.227
185.14.29.188

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment. It appears to come from within the victim's own domain, but this is a malicious forgery.

From:    admin [southlands71@victimdomain.tld]
Date:    24 February 2016 at 15:25
Subject:    Scanned image

Image data in PDF format has been attached to this email.

I have only seen a single sample with an attachment 24-02-2016-00190459.zip containing a malicious script [pastebin] which in this case downloads a binary from:

kartonstandambalaj.com.tr/system/logs/87h754

My sources say that other versions download from:

demo2.master-pro.biz/plugins/ratings/87h754
baromedical.hu/media/87h754
bitmeyenkartusistanbul.com/system/logs/87h754/
zaza-kyjov.cz/system/cache/87h754

As this Hybrid Analysis shows, the payload is the Locky ransomware. The dropped binary has a detection rate of just 3/55.

Those reports show the malware phoning home to:

5.34.183.136 (ITL, Ukraine)

I strongly recommend that you block traffic to that IP.

Malware spam: "Rechnung Nr. 2016_131" / fueldner1A0@lfw-ludwigslust.de

This German language spam does not comes from LFW Ludwigsluster but is instead a simple forgery with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.

From:    fueldner1A0@lfw-ludwigslust.de
Date:    19 February 2016 at 09:10
Subject:    Rechnung Nr. 2016_131

Sehr geehrte Damen und Herren,

bitte korrigieren Sie auch bei der Rechnung im Anhang den Adressaten:

LFW Ludwigsluster Fleisch- und Wurstspezialitäten

GmbH & Co.KG

Vielen Dank!

Mit freundlichen Grüßen

Anke Füldner

Finanzbuchhaltung

Tel.: 03874-422038

Fax: 03874-4220844

E-Mail: fueldner@lfw-ludwigslust.de 

LFW Ludwigsluster Fleisch- und Wurstspezialitäten

GmbH & Co.KG, Bauernallee 9, 19288 Ludwigslust

HRA 1715, Amtsgericht Schwerin

Geschäftsführer: U.Müller, U.Warncke

USt.-IdNr. DE202820580, St.Nr. 08715803209

Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen enthalten. Wenn Sie nicht der richtige Adressant sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten diese E-Mail und alle Anhänge und Ausdrucke unverzüglich.

Das Gebrauchen, Publizieren, Kopieren oder Ausdrucken sowie die unbefugte Weitergabe des Inhalts dieser E-Mail ist nicht erlaubt.

This e-mail and any attached files may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Attached is a file with a format similar to RG460634280127-SIG.zip which contains a malicious javascript in the format RG6459762168-SIG.js or similar. At the moment, I have seen two samples, both with zero detection rates at VirusTotal [1] [2]. Malwr analysis of one of the samples shows that a binary is downloaded from:

mondero.ru/system/logs/56y4g45gh45h

Other samples probably have different download locations. This executable has a detection rate of 7/53 and it appears to drop another executable with a relatively high detection rate of 26/55. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.

The malware phones home to:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)

But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you block it.

Incidentally, full credit to the company involved in putting this massive banner on their website warning people about the fake email..

UPDATE

An additional analysis from a trusted source (thank you). Download locations are:

mondero.ru/system/logs/56y4g45gh45h
tcpos.com.vn/system/logs/56y4g45gh45h
www.bag-online.com/system/logs/56y4g45gh45h

The malware phones home to:

46.4.239.76/main.php
94.242.57.45/main.php
wblejsfob.pw/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php

The active C2s (some may be sinkholes) appear to be:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)

Analysis those C2 locations give a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70

Malware spam: "Attached Image" from canon@ the recipient's own domain

This spam pretends to come from the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.

From:    canon@victimdomain.tld
Date:    3 February 2016 at 12:09
Subject:    Attached Image

There is no body text. Attached is a file 1690_001.xls of which I have seen a single variant with a detection rate of 9/54. The Hybrid Analysis shows it downloading an executable from:


best-drum-set.com/43rf3dw/34frgegrg.exe

This has a detection rate of 6/51 and is the same binary as used in this other spam attack today.