Despite the hype, very few people actually deal with Bitcoins and I suspect even fewer use this particular exchange, so I assume that the attackers in this case are very interested in targeting Bitcoin owners specifically.
From: Bitstamp.net [no_reply@bitstamp.net]
Date: 23 October 2014 14:48
Subject: New bank details
New banking details
Dear Bitstamp clients,
We would like to inform you that Bitstamp now has new bank details, please check attached file.
We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.
Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.
Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.
Best regards
CEO, Nejc Kodrič
Bitstamp LIMITED
Friday 24 October 2014
Bitstamp.net "New bank details" spam
This fake email pretending to be from Bitstamp.net (a Bitcoin exchange) is meant to have a malicious payload (probably a Word document) but in the sample I have seen that payload is missing. However, if you receive a similar email then wth an attachment then it is probably malicious.
Thursday 23 October 2014
"Voice Mail" (voicemail_sender@voicemail.com) spam
From: "Voice Mail" [voicemail_sender@voicemail.com]Clicking the link goes to a script that detects if the visitor is running Windows, if so it downloads a file doc_9231-92_pdf.zip from the target system which in turn contains a malicious executable doc_9231-92_pdf.exe which has a VirusTotal detection rate of 4/51.
Date: Thu, 23 Oct 2014 14:31:22 +0200
Subject: voice message from 598-978-8974 for mailbox 833
You have received a voice mail message from 598-978-8974
Message length is 00:00:33. Message size is 264 KB.
Download your voicemail message from dropbox service below (Google Disk
Drive Inc.):
http://itsallaboutrice.com/documents/doc.php
The Malwr report for that binary shows it communicating with the following URLs:
http://188.165.214.6:18608/2310uk1/HOME/0/51-SP3/0/
http://188.165.214.6:18608/2310uk1/HOME/1/0/0/
http://188.165.214.6:18608/2310uk1/HOME/41/5/1/
http://inaturfag.com/files/2310uk1.oss
188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system, nlsio.exe (VT 4/48, Malwr report) and qhcjp.exe (VT 0/51, Malwr report).
Recommended blocklist:
188.165.214.6
inaturfag.com
Labels:
Malware,
OVH,
Spam,
Viruses,
Voice Mail
Fake supertouch.com / Allied International Trading Limited "Order Confirmation spam"
This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a forgery originating from an organised crime ring, it does not originate from supertouch.com / Allied International Trading Limited nor habe their systems been compromised in any way.
87.106.84.226
84.40.9.34
jvsfiles.com
From: Elouise Massey [Elouise.Massey@supertouch.com]In the sample I received, the attachment was corrupt but should have been a file a malicious Word document S-CON-A248-194387.doc. The document and payload is exactly the same as the one being sent out today with this spam run (read that post for more details) and is very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:
Date: 23 October 2014 10:52
Subject: Order Confirmation
Hello,
Thank you for your order, please check and confirm.
Kind Regards
Elouise
Allied International Trading Limited
Unit 1A
Hubert Road
Brentwood
Essex
CM14 4JE
United Kingdom
Telephone 0845 130 9922
Fax 0845 130 9933
87.106.84.226
84.40.9.34
jvsfiles.com
Wednesday 22 October 2014
"This email contains an invoice file attachment" spam contains poorly-detected malware
This fake invoice spam has a malicious Word document attached.
Attempting to open the document gives the following message:
..along with an embedded image to tell you how to turn macros off.
If the victim does this, then this malicious macro [pastebin] runs and downloads an executable from http://162.243.234.167:8080/gr/4.exe which has a VirusTotal detection rate of just 1/53.
The Malwr analysis shows this binary posting data to: http://178.250.243.114/IArej7rcO/@HPZ8A5aPU_W/
The 178.250.243.114 IP address is allocated to MajorDomo LLC, Russia. The executable also drops a malicious DLL using the name 2.tmp which also has a VirusTotal detection rate of 0/54.
From: Brittney Spencer , Customer service [Fitzgerald.79f7@host-77-242-217-170.telecomitalia.sm]In this case the attachment was ZHO904856SU.doc which contains a malicious macro, however at the moment the document is showing a VirusTotal detection rate of 0/54.
Date: 22 October 2014 12:46
Subject: Reference:ZHO904856SU
This email contains an invoice file attachment ID:ZHO904856SU
Thanks!
Brittney Spencer .
Attempting to open the document gives the following message:
You didn't enable macros.
Content cant be visible.
Content cant be visible.
..along with an embedded image to tell you how to turn macros off.
If the victim does this, then this malicious macro [pastebin] runs and downloads an executable from http://162.243.234.167:8080/gr/4.exe which has a VirusTotal detection rate of just 1/53.
The Malwr analysis shows this binary posting data to: http://178.250.243.114/IArej7rcO/@HPZ8A5aPU_W/
The 178.250.243.114 IP address is allocated to MajorDomo LLC, Russia. The executable also drops a malicious DLL using the name 2.tmp which also has a VirusTotal detection rate of 0/54.
Tuesday 21 October 2014
Fake "Humber Merchants Group / humbermerchants.co.uk" Industrial Invoices spam
This fake spam pretends to come from the legitimate firm Humber Merchants but doesn't. It's a forgery, Humber Merchants are not sending out this spam nor have they been hacked or compromised.
http://62.75.182.94/eQ7j0+Z7/kfnmylxhl/%7EaEskub2Av7ZSh%20v@q%2Ct6W/@
http://62.75.182.94/CzUO1%20cxp%3DkLsR&/RTlIMuF1Wo/EWhm1z.ZuO8%2C2/sH@%3Fnqiakk_Tq/
http://62.75.182.94/X4mSfKkEhOPU%242cqi5W%3F%20&1Iql%20Byr/%2D588l0wY3w+=SsKQut1mgPzk%2C%24G+seO%3F
http://62.75.182.94/zms%3F@&JoTAN%2C/0C%20%2Bk+nCk_/p%20rxIqpUOyt%3FYR4W1g%2B
http://62.75.182.94/oX83KZqm@WZ%2BM%3F%20wQG@$24+/h5@RnK5~Y@7&mKGc%2C1%7E0/BhmOUE~Xf/_T_%20GSN
62.75.182.94 is a Serverloft / Intergenia IP address in Germany.
Recommended blocklist:
62.75.182.94
gpsbah.com
UPDATE 2014-10-23
Another version of the attachment is doing the rounds, this time the attachment has a detection rate of 0/54 (Malwr report) but in this case it downloads a file from http://jvsfiles.com/common/1.exe which has a detection rate of just 1/54.
According to the Malwr report, that binary contacts the following URLs:
http://84.40.9.34/kSIfRXSnEP25k76mz/9_oSoYWIoYi0/0%2B.tYWE05j%7EVA%24k/Jnt%26
http://87.106.84.226/SYh7Y+NbkSk74/mWbqM9m/L2o/%26hA%2DFG
http://87.106.84.226/QzteG3org5I%3Fa/@&e%7EfgonN%205ccf~qCi2/1_%2C%26A3QPq%3F/w56KC%2D4B0lFMbghLcFm
http://87.106.84.226/jooywueelxs/=+juqybp3sc/%2Db.mm01%24__s3/r1&iw2%20a+%3Dse%24%20@m1bpe%24%20ru/
http://87.106.84.226/pIQ%3FSS%3F%2DPC%207/%7E=jN%3Fh5e%3FP%20mB
87.106.84.226 is 1&1, Germany and 84.40.9.34 is Hostway, Belgium.
This executable drops a DLL on the system which is also poorly detected with a detection rate of 1/54.
Recommended blocklist:
87.106.84.226
84.40.9.34
jvsfiles.com
UPDATE 2014-11-13
A fresh round of spam has started with the same template. So far I have seen two documents with low detection rates [1] [2] [Malwr report] that drop one of two malicious binaries [1] [2] [pastebin] from one of these locations:
http://body-fitness.net/js/bin.exe
http://live.znicz-pruszkow.cba.pl/mandoc/js/bin.exe
This is also poorly-detected according to VirusTotal. The Malwr report for this shows that it reaches out to the following URL (again):
http://84.40.9.34/Xe0RBsy6nU2qow&nr7pGA%3DTWw./%7EwosMJ_V46G3/5Cqmr+6S/1ZzUf
It also drops a DLL identified by VirusTotal as Dridex.
From: ps7031112@humbermerchants.co.ukAttached is a malicious Word document 15040BII3646501.doc which has a VirusTotal detection of 6/54. The Malwr report gives a little detail as to what it going on, but the crux of it is that if you have macros enabled then they will download and execute a malicious binary from http://gpsbah.com/images/1.exe which has a VirusTotal detection rate of 11/53 and which the Malwr report indicates then connects to the following URLs:
Date: 21 October 2014 15:21
Subject: Industrial Invoices
Attached are accounting documents from Humber Merchants
Humber Merchants Group
Head Office:
Parkinson Avenue
Scunthorpe
North Lincolnshire
DN15 7JX
Tel: 01724 860331
Fax: 01724 281326
Email: sales@humbermerchants.co.uk
--
Automated mail message produced by DbMail.
Registered to Humber Merchants Limited , License MBS2008354.
http://62.75.182.94/eQ7j0+Z7/kfnmylxhl/%7EaEskub2Av7ZSh%20v@q%2Ct6W/@
http://62.75.182.94/CzUO1%20cxp%3DkLsR&/RTlIMuF1Wo/EWhm1z.ZuO8%2C2/sH@%3Fnqiakk_Tq/
http://62.75.182.94/X4mSfKkEhOPU%242cqi5W%3F%20&1Iql%20Byr/%2D588l0wY3w+=SsKQut1mgPzk%2C%24G+seO%3F
http://62.75.182.94/zms%3F@&JoTAN%2C/0C%20%2Bk+nCk_/p%20rxIqpUOyt%3FYR4W1g%2B
http://62.75.182.94/oX83KZqm@WZ%2BM%3F%20wQG@$24+/h5@RnK5~Y@7&mKGc%2C1%7E0/BhmOUE~Xf/_T_%20GSN
62.75.182.94 is a Serverloft / Intergenia IP address in Germany.
Recommended blocklist:
62.75.182.94
gpsbah.com
UPDATE 2014-10-23
Another version of the attachment is doing the rounds, this time the attachment has a detection rate of 0/54 (Malwr report) but in this case it downloads a file from http://jvsfiles.com/common/1.exe which has a detection rate of just 1/54.
According to the Malwr report, that binary contacts the following URLs:
http://84.40.9.34/kSIfRXSnEP25k76mz/9_oSoYWIoYi0/0%2B.tYWE05j%7EVA%24k/Jnt%26
http://87.106.84.226/SYh7Y+NbkSk74/mWbqM9m/L2o/%26hA%2DFG
http://87.106.84.226/QzteG3org5I%3Fa/@&e%7EfgonN%205ccf~qCi2/1_%2C%26A3QPq%3F/w56KC%2D4B0lFMbghLcFm
http://87.106.84.226/jooywueelxs/=+juqybp3sc/%2Db.mm01%24__s3/r1&iw2%20a+%3Dse%24%20@m1bpe%24%20ru/
http://87.106.84.226/pIQ%3FSS%3F%2DPC%207/%7E=jN%3Fh5e%3FP%20mB
87.106.84.226 is 1&1, Germany and 84.40.9.34 is Hostway, Belgium.
This executable drops a DLL on the system which is also poorly detected with a detection rate of 1/54.
Recommended blocklist:
87.106.84.226
84.40.9.34
jvsfiles.com
UPDATE 2014-11-13
A fresh round of spam has started with the same template. So far I have seen two documents with low detection rates [1] [2] [Malwr report] that drop one of two malicious binaries [1] [2] [pastebin] from one of these locations:
http://body-fitness.net/js/bin.exe
http://live.znicz-pruszkow.cba.pl/mandoc/js/bin.exe
This is also poorly-detected according to VirusTotal. The Malwr report for this shows that it reaches out to the following URL (again):
http://84.40.9.34/Xe0RBsy6nU2qow&nr7pGA%3DTWw./%7EwosMJ_V46G3/5Cqmr+6S/1ZzUf
It also drops a DLL identified by VirusTotal as Dridex.
Monday 20 October 2014
beeg.com hacked (again)
This summary is not available. Please
click here to view the post.
Adobe Billing "Adobe Invoice" spam / adb-102288-invoice.doc
This fake Adobe spam has a malicious Word document attached.
Attached is a malicious Word document adb-102288-invoice.doc which has a VirusTotal detection rate of just 1/53, the Malwr report shows there are macros in the document then try to run when it is open. If macros are enabled, this then downloads and executes a malicious binary from http://pro-pose-photography.co.uk/fair/1.exe which also has a pretty poor detection rate of 2/53.
According to the Malwr report, this binary then reaches out to the following URLs:
http://62.75.182.94/66mAzAj8ko%2Ch$n=pS%3FgfE@%3Dx%7Efa/%24ysusij%2B%2C%2C%20kCbh2tc8ex%3Dnsgr_/%26
http://208.89.214.177/xWmWEs0Br+3%26KH0/ES$B6JR%2C+j3K2./%20SB
http://208.89.214.177/6ly5iKYr&q$%2CIYA/9Y8STPqNxu/j2hfMb6S
http://208.89.214.177/O4tHj8hw9RA~P%3FkB69agw.ksFx_&ce@%2DV%24/%2BSUq%2DBP$%24zqFH.O%2BRg%20%20/T%2D
http://208.89.214.177/yr3=E~SS+/%2Df7Y.OZk3M/~Ww6A3~33YQ%24UT%3D
The IPs in question are 208.89.214.177 (Virpus, US) and 62.75.182.94 (Intergenia, Germany).
The Malware then drops another malicious binary 2.tmp (which looks like a DLL). The VirusTotal detection rate for this is only 1/54. The Malwr report is inconclusive.
Recommended blocklist:
208.89.214.177
62.75.182.94
pro-pose-photography.co.uk
From: Adobe Billing [billing@adobe.com]
Date: 20 October 2014 11:33
Subject: Adobe Invoice
Adobe(R) logo
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service
Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners.
© 2014 Adobe Systems Incorporated. All rights reserved.
Attached is a malicious Word document adb-102288-invoice.doc which has a VirusTotal detection rate of just 1/53, the Malwr report shows there are macros in the document then try to run when it is open. If macros are enabled, this then downloads and executes a malicious binary from http://pro-pose-photography.co.uk/fair/1.exe which also has a pretty poor detection rate of 2/53.
According to the Malwr report, this binary then reaches out to the following URLs:
http://62.75.182.94/66mAzAj8ko%2Ch$n=pS%3FgfE@%3Dx%7Efa/%24ysusij%2B%2C%2C%20kCbh2tc8ex%3Dnsgr_/%26
http://208.89.214.177/xWmWEs0Br+3%26KH0/ES$B6JR%2C+j3K2./%20SB
http://208.89.214.177/6ly5iKYr&q$%2CIYA/9Y8STPqNxu/j2hfMb6S
http://208.89.214.177/O4tHj8hw9RA~P%3FkB69agw.ksFx_&ce@%2DV%24/%2BSUq%2DBP$%24zqFH.O%2BRg%20%20/T%2D
http://208.89.214.177/yr3=E~SS+/%2Df7Y.OZk3M/~Ww6A3~33YQ%24UT%3D
The IPs in question are 208.89.214.177 (Virpus, US) and 62.75.182.94 (Intergenia, Germany).
The Malware then drops another malicious binary 2.tmp (which looks like a DLL). The VirusTotal detection rate for this is only 1/54. The Malwr report is inconclusive.
Recommended blocklist:
208.89.214.177
62.75.182.94
pro-pose-photography.co.uk
Saturday 18 October 2014
Evil network: 5.135.230.176/28 (OVH / "Eldar Mahmudov" / mahmudik@hotmail.com)
These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK (hat tip).
Domains that are currently hosted in the range are in listed below, domains flagged as malicious by Google are highlighted. I think it is safe to assume that all these domains are in fact malicious.
basedgi.com
californikationde.com
weryipols.com
califkoli.com
cxzpolnaser.com
drifaert.com
duewks.com
gutjikolma.com
jioksud.com
metrixhistory.com
metrix-history.com
metrixhistory.net
metrix-history.net
metrixhistory.org
msdiw.com
oilbuyrew.com
qwecufd.com
siteinformationews.com
tregtpol.com
vfnpol.com
zasd-a.com
zdkuvb.com
zxlkjv.com
zxobciu.com
nhmnewf.com
youfromneverais.com
akssfmqw.com
asdpvo.com
asdv-dvd.com
car0project.com
car-auto.org
car-project.net
car-purchased.com
dfgxz.net
fg-kcdj.com
ghjkhfyoufromnever.com
groupsert.com
iubhss.com
lolitesgray.com
nzolas.com
poilcebert.com
ppilohbh.com
scentifickol.com
sedrcsepol.com
trust-plast.com
trustplast.net
trustplast.org
trust-plast.org
ucxy-pop.com
youfromnev.com
youfromnever.com
youfromneveras.com
youfromneverhg.com
youfromneverjia.com
youfromneverkils.com
youfromnevermin.com
youfromneverplo.com
youfromneverred.com
youfromneverret.com
youfromneversjh.com
fg-kcdj.net
oiunfc.com
polsheru.com
sc-sdj.com
vpn-portable.com
xcuvh.com
xdg-hn.com
xdg-yuj.com
aisuvhn.com
aodivbjka.com
aodivja.com
asoiuvaq.com
asvuyhaq.com
iauygcaik.com
qiosunva.com
qixzefka.com
qoibvjma.com
sc-sdj.net
sdiuvhnsd.com
siduv.com
siduyvh.com
siudh.com
siudhbns.com
siudvhswa.com
siuhnsdv.com
skicuhvs.com
sodiuvq.com
usdyvb.com
wdhyb.com
wiudcn.com
xciub.com
xdg-hn.net
xdvn-vpn.com
zidxvhnd.com
zixuvhk.com
zkiuxhvs.com
zo9x8vh.com
zouvhasd.com
zsudhxcvnsdv.com
zucxvyb.com
aisduyh.com
aisuha.com
aaiuwd.com
aisduhvaq.com
aosduawq.com
aqsuyh.com
aqswif.com
asdiuha.com
asdiuvhas.com
asduihqnw.com
asioduh.com
asoicuh.com
ausyc.com
ausytb.com
fsdiyhv.com
ixuvnsd.com
ozdhgq.com
pok-da.com
pokda.net
qeivndv.com
qisucybv.com
quwysbn.com
qweyfbdx.com
sdifyvhw.com
sdivuwnq.com
shop-akicj.com
siduvns.com
siuvnsk.com
uaihc.com
usdybcn.com
uwysbx.com
uwytbgynua.net
uycvnxc.co
uycvnxc.com
uycvnxc.net
uycvnxc.org
wivnsals.com
wqduy.com
wyefb.com
zuyxgc.com
asiuvhwn.com
asycha.com
ausycgv.com
dvyhgqq.com
dxuyvg.com
iasduvh.com
ioaqus.com
iounsdv.com
isauwmo.com
isdnwekal.com
ixuzdaov.com
oiswzvppiosa.com
qasiu8ych.com
qinasc.com
qweoiuvf.com
The following domains have recently been hosted in this space. Ones marked malicious by Google are highlighted, although I would again assume they are all malicious.
oficinaempleo.net
dinpdfob.com
doifbd.com
dovibm.com
fclkq.com
fc-sr.com
fc-sr.net
fcsr.org
fc-su.info
fc-su.net
fc-su.org
fc-we.com
fc-we.net
fc-we.org
fc-web.info
fc-web.org
gregogyparkinsold.com
ihkvh.com
ihk-vh.com
iuhcv.com
iuyuj.com
lifeforclablive.com
parkinonstreet.com
pro-fone.com
psodkb.com
pzxo.org
qsdgi.com
qs-dgi.com
sd-gg.org
selectionswest.com
sfiub.com
sharedskip.com
softlabprofessional.com
softportaldb.net
start-voice.com
trercvu.com
uygbko.com
werynewsgood.com
wetasqard.com
wetermarknilop.com
xpsharedwindow.com
zxxo.biz
zx-xo.com
zx-xo.netalexwritter.com
asertqgj.com
combypist.com
doifnj.com
dvpok.com
fastimportkimy.com
fc-slose.com
fcsr.info
fc-su.com
fc-we.info
fc-website.com
fc-website.net
greengerlplaz.com
highfightertrack.com
htkw.info
ihkvh.net
ihk-vh.net
ihkvh.org
iuhcv.net
jxoei.com
lilpootwestside.com
mainrainbrain.com
opsdf.com
panterrosestat.com
proffottballstart.com
pzvo.net
pz-xo.com
pzxo.net
qfsdv.com
qsdgi.net
sdfjwq.com
sdgg.info
sd-gg.info
sd-gg.net
sdiouvb.com
softlab-professional.com
softlabprofessional.net
softlabprofessional.org
softportaldb.com
soinvplk.com
startvoice.net
stupidgirlcoolnice.com
w9gpo.com
wivbu.com
wqergjv.com
xocbjw.com
ysudpokv.com
zxxo.info
zxxo.org
gremypolicer.com
juaspo.com
justbulshed.com
utswbs.com
westsideclop.com
awertujiko.com
dertukilocer.com
dsbretcompany.com
dsbretcompanyinfo.com
dsbretcompanytv.com
dukillopder.com
fighteryouxc.com
juanitokilasrte.com
juaspo.net
noobhanter.com
opqwxcmn.com
pilotprof.com
politbujil.com
respozytoryol.com
retwsaerop.com
semenasder.com
systebnmilk.com
vhoermoer.com
vitopralik.com
westunasder.com
xpwindowssolut.com
asusstandbuy.com
bertaser.com
bestgreengey.com
fixmewhere.com
gjhytfg.com
h-tkw.net
iuojrt.com
kilsderc.com
lidhv.com
nerstdl.com
nulexgreen.com
oiyyio.com
oop-bn.com
oopbn.info
oop-bn.net
oopbn.org
oopcclop.com
siduvn.com
tgbkpo.com
usdygc.com
uytrd.com
uytrd.net
uytrd.org
wicunvw.com
aduyf.com
andourhernain.com
bestgreengay.com
bestgreenguy.com
bestguyup.com
betstgeyup.com
bmw-audi.com
bmw-seat.com
eofiu.com
fdgjmbv.com
h-tkw.com
htkw.org
maintrast.com
oopbn.com
oopgf.com
oop-gf.com
oopgf.net
oop-gf.net
oopgf.org
poljiocall.com
qiuewfh.com
quewyb.com
qwieuhf.com
sdiuh.com
sdufybn.com
siuww3.com
thebestpowriter.com
transnatgeo.com
uy-trd.com
zaqwscueexp.com
zixelgreen.com
5.135.230.176/28 is an OVH IP range allocated to what might be a ficticious customer:
organisation: ORG-EM25-RIPE
org-name: eldar mahmudov
org-type: OTHER
address: ishveran 9
address: 75003 paris
address: FR
e-mail: mahmudik@hotmail.com
abuse-mailbox: mahmudik@hotmail.com
phone: +33.919388845
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
changed: noc@ovh.net 20140621
source: RIPE
There appears to be nothing legitimate at all in this IP address range, I strongly recommend that you block traffic going to it.
Domains that are currently hosted in the range are in listed below, domains flagged as malicious by Google are highlighted. I think it is safe to assume that all these domains are in fact malicious.
basedgi.com
californikationde.com
weryipols.com
califkoli.com
cxzpolnaser.com
drifaert.com
duewks.com
gutjikolma.com
jioksud.com
metrixhistory.com
metrix-history.com
metrixhistory.net
metrix-history.net
metrixhistory.org
msdiw.com
oilbuyrew.com
qwecufd.com
siteinformationews.com
tregtpol.com
vfnpol.com
zasd-a.com
zdkuvb.com
zxlkjv.com
zxobciu.com
nhmnewf.com
youfromneverais.com
akssfmqw.com
asdpvo.com
asdv-dvd.com
car0project.com
car-auto.org
car-project.net
car-purchased.com
dfgxz.net
fg-kcdj.com
ghjkhfyoufromnever.com
groupsert.com
iubhss.com
lolitesgray.com
nzolas.com
poilcebert.com
ppilohbh.com
scentifickol.com
sedrcsepol.com
trust-plast.com
trustplast.net
trustplast.org
trust-plast.org
ucxy-pop.com
youfromnev.com
youfromnever.com
youfromneveras.com
youfromneverhg.com
youfromneverjia.com
youfromneverkils.com
youfromnevermin.com
youfromneverplo.com
youfromneverred.com
youfromneverret.com
youfromneversjh.com
fg-kcdj.net
oiunfc.com
polsheru.com
sc-sdj.com
vpn-portable.com
xcuvh.com
xdg-hn.com
xdg-yuj.com
aisuvhn.com
aodivbjka.com
aodivja.com
asoiuvaq.com
asvuyhaq.com
iauygcaik.com
qiosunva.com
qixzefka.com
qoibvjma.com
sc-sdj.net
sdiuvhnsd.com
siduv.com
siduyvh.com
siudh.com
siudhbns.com
siudvhswa.com
siuhnsdv.com
skicuhvs.com
sodiuvq.com
usdyvb.com
wdhyb.com
wiudcn.com
xciub.com
xdg-hn.net
xdvn-vpn.com
zidxvhnd.com
zixuvhk.com
zkiuxhvs.com
zo9x8vh.com
zouvhasd.com
zsudhxcvnsdv.com
zucxvyb.com
aisduyh.com
aisuha.com
aaiuwd.com
aisduhvaq.com
aosduawq.com
aqsuyh.com
aqswif.com
asdiuha.com
asdiuvhas.com
asduihqnw.com
asioduh.com
asoicuh.com
ausyc.com
ausytb.com
fsdiyhv.com
ixuvnsd.com
ozdhgq.com
pok-da.com
pokda.net
qeivndv.com
qisucybv.com
quwysbn.com
qweyfbdx.com
sdifyvhw.com
sdivuwnq.com
shop-akicj.com
siduvns.com
siuvnsk.com
uaihc.com
usdybcn.com
uwysbx.com
uwytbgynua.net
uycvnxc.co
uycvnxc.com
uycvnxc.net
uycvnxc.org
wivnsals.com
wqduy.com
wyefb.com
zuyxgc.com
asiuvhwn.com
asycha.com
ausycgv.com
dvyhgqq.com
dxuyvg.com
iasduvh.com
ioaqus.com
iounsdv.com
isauwmo.com
isdnwekal.com
ixuzdaov.com
oiswzvppiosa.com
qasiu8ych.com
qinasc.com
qweoiuvf.com
The following domains have recently been hosted in this space. Ones marked malicious by Google are highlighted, although I would again assume they are all malicious.
oficinaempleo.net
dinpdfob.com
doifbd.com
dovibm.com
fclkq.com
fc-sr.com
fc-sr.net
fcsr.org
fc-su.info
fc-su.net
fc-su.org
fc-we.com
fc-we.net
fc-we.org
fc-web.info
fc-web.org
gregogyparkinsold.com
ihkvh.com
ihk-vh.com
iuhcv.com
iuyuj.com
lifeforclablive.com
parkinonstreet.com
pro-fone.com
psodkb.com
pzxo.org
qsdgi.com
qs-dgi.com
sd-gg.org
selectionswest.com
sfiub.com
sharedskip.com
softlabprofessional.com
softportaldb.net
start-voice.com
trercvu.com
uygbko.com
werynewsgood.com
wetasqard.com
wetermarknilop.com
xpsharedwindow.com
zxxo.biz
zx-xo.com
zx-xo.netalexwritter.com
asertqgj.com
combypist.com
doifnj.com
dvpok.com
fastimportkimy.com
fc-slose.com
fcsr.info
fc-su.com
fc-we.info
fc-website.com
fc-website.net
greengerlplaz.com
highfightertrack.com
htkw.info
ihkvh.net
ihk-vh.net
ihkvh.org
iuhcv.net
jxoei.com
lilpootwestside.com
mainrainbrain.com
opsdf.com
panterrosestat.com
proffottballstart.com
pzvo.net
pz-xo.com
pzxo.net
qfsdv.com
qsdgi.net
sdfjwq.com
sdgg.info
sd-gg.info
sd-gg.net
sdiouvb.com
softlab-professional.com
softlabprofessional.net
softlabprofessional.org
softportaldb.com
soinvplk.com
startvoice.net
stupidgirlcoolnice.com
w9gpo.com
wivbu.com
wqergjv.com
xocbjw.com
ysudpokv.com
zxxo.info
zxxo.org
gremypolicer.com
juaspo.com
justbulshed.com
utswbs.com
westsideclop.com
awertujiko.com
dertukilocer.com
dsbretcompany.com
dsbretcompanyinfo.com
dsbretcompanytv.com
dukillopder.com
fighteryouxc.com
juanitokilasrte.com
juaspo.net
noobhanter.com
opqwxcmn.com
pilotprof.com
politbujil.com
respozytoryol.com
retwsaerop.com
semenasder.com
systebnmilk.com
vhoermoer.com
vitopralik.com
westunasder.com
xpwindowssolut.com
asusstandbuy.com
bertaser.com
bestgreengey.com
fixmewhere.com
gjhytfg.com
h-tkw.net
iuojrt.com
kilsderc.com
lidhv.com
nerstdl.com
nulexgreen.com
oiyyio.com
oop-bn.com
oopbn.info
oop-bn.net
oopbn.org
oopcclop.com
siduvn.com
tgbkpo.com
usdygc.com
uytrd.com
uytrd.net
uytrd.org
wicunvw.com
aduyf.com
andourhernain.com
bestgreengay.com
bestgreenguy.com
bestguyup.com
betstgeyup.com
bmw-audi.com
bmw-seat.com
eofiu.com
fdgjmbv.com
h-tkw.com
htkw.org
maintrast.com
oopbn.com
oopgf.com
oop-gf.com
oopgf.net
oop-gf.net
oopgf.org
poljiocall.com
qiuewfh.com
quewyb.com
qwieuhf.com
sdiuh.com
sdufybn.com
siuww3.com
thebestpowriter.com
transnatgeo.com
uy-trd.com
zaqwscueexp.com
zixelgreen.com
5.135.230.176/28 is an OVH IP range allocated to what might be a ficticious customer:
organisation: ORG-EM25-RIPE
org-name: eldar mahmudov
org-type: OTHER
address: ishveran 9
address: 75003 paris
address: FR
e-mail: mahmudik@hotmail.com
abuse-mailbox: mahmudik@hotmail.com
phone: +33.919388845
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
changed: noc@ovh.net 20140621
source: RIPE
There appears to be nothing legitimate at all in this IP address range, I strongly recommend that you block traffic going to it.
Friday 17 October 2014
"Final notification" malware spam uses a Google redirector and copy.com
This malware spam uses a Google redirector to retrieve malware hosted on copy.com:
The link in this particular email is https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FU3k7IRbLXyIv%2FShippingLable_HSDAPDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNF6TQQctHxLItp_Nmdrx94MJkhmAA which downloads a malicious executable ShippingLable_HSDAPDF.scr and this has a VirusTotal detection rate of 3/54.
The automated analysis tools that have given results used so far [1] [2] [3] are inconclusive.
From: compplus@click.com.py
Date: 17 October 2014 17:04
Subject: Final notification for support@victimdomain.com
Purchase Notice
Thank you for buying at our store!
Processed on October 17th 2014
We are happy to let you know that the package is on its way to you. We also attached delivery terms to residential address.
Payment #: 507040420
Order total: 2088.11 USD
Shipping date: October 18 2014.
Please hit the link given at the bottom to get more details about your order.
Order details
The link in this particular email is https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FU3k7IRbLXyIv%2FShippingLable_HSDAPDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNF6TQQctHxLItp_Nmdrx94MJkhmAA which downloads a malicious executable ShippingLable_HSDAPDF.scr and this has a VirusTotal detection rate of 3/54.
The automated analysis tools that have given results used so far [1] [2] [3] are inconclusive.
eFax message from "02086160204" spam
This fake eFax spam leads to malware:
The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http://tadarok.com/wp-content/themes/deadline/mess.html
http://107.170.219.47/wp-content/themes/inove/mess.html
http://dollfacebeauty.com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a fake eFax page at http://206.253.165.76:8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u.com).
The download link goes to http://206.253.165.76:8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54.
The Malwr report is interesting because it contains many references to bacstel-ip which is the name of an online payment system used by UK businesses. The malware also contains the string
The malware connects to the following URLs:
http://212.59.117.207/yqqwe9mN5yoZJwBcwDqo0kTckoyNuHmw3cXoyRRFa/kaT1aBHyLi9Ne5TcaVNg3ik0NkDZ4ZqwwP/J9s1iNPmFwLiTgJuwky
http://107.170.19.156/sqVT2amDRPXDRkRmkcoyki5kimRHkZyuiqNJuV4eo/RZDe9aPekT5wqB75ge8PXHeN
http://107.170.19.156/VmwBacsascVDgHgFsDu/37PDXaX6ZVTuJ7LDeyaosTiXcZiNPg1FZak/D3TqP4RD8o1HX0TVFqkRBJwc7i
http://107.170.19.156/5XuammNFaHN8HNmD95sHik/a7mHqwFDD4ayHiuk5DeZasiXNuFucy1o/PqXNkwTu69c/1kgyo7gauTouq/wsLPNw91iN5mBL5HJsiJTmge
I recommend blocking 107.170.19.156 (Digital Ocean, US), 212.59.117.207 (IO-Hosts Ltd, Russia) and 206.253.165.76 (Arachnitec, US)
Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76
From: eFax [message@inbound.claranet.co.uk]The telephone number seems to very but is always in the 0208616xxxx format.
Date: 17 October 2014 11:36
Subject: eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
Fax Message [Caller-ID: 208-616-0204]
You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
* The reference number for this fax is lon2_did11-4056638710-9363579926-02.
Please visit https://www.efax.co.uk/myaccount/message/lon2_did11-4056638710-9363579926-02 to view this message in full.
Thank you for using the eFax service!
Home Contact Login
Powered by j2
© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http://tadarok.com/wp-content/themes/deadline/mess.html
http://107.170.219.47/wp-content/themes/inove/mess.html
http://dollfacebeauty.com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a fake eFax page at http://206.253.165.76:8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u.com).
The download link goes to http://206.253.165.76:8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54.
The Malwr report is interesting because it contains many references to bacstel-ip which is the name of an online payment system used by UK businesses. The malware also contains the string
runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.mscIf you are a sysadmin then you might recognise this as being the "Active Directory Users and Computers" admin tool. So, are the bad guys probing for sysadmins?
The malware connects to the following URLs:
http://212.59.117.207/yqqwe9mN5yoZJwBcwDqo0kTckoyNuHmw3cXoyRRFa/kaT1aBHyLi9Ne5TcaVNg3ik0NkDZ4ZqwwP/J9s1iNPmFwLiTgJuwky
http://107.170.19.156/sqVT2amDRPXDRkRmkcoyki5kimRHkZyuiqNJuV4eo/RZDe9aPekT5wqB75ge8PXHeN
http://107.170.19.156/VmwBacsascVDgHgFsDu/37PDXaX6ZVTuJ7LDeyaosTiXcZiNPg1FZak/D3TqP4RD8o1HX0TVFqkRBJwc7i
http://107.170.19.156/5XuammNFaHN8HNmD95sHik/a7mHqwFDD4ayHiuk5DeZasiXNuFucy1o/PqXNkwTu69c/1kgyo7gauTouq/wsLPNw91iN5mBL5HJsiJTmge
I recommend blocking 107.170.19.156 (Digital Ocean, US), 212.59.117.207 (IO-Hosts Ltd, Russia) and 206.253.165.76 (Arachnitec, US)
Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76
Sage "Outdated Invoice" spam spreads malware via cubbyusercontent.com
This fake Sage email spreads malware using a service called Cubby, whatever that is.
Despite appearances, the link in the email (in this case) actually goes to https://www.cubbyusercontent.com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53. The Malwr report shows HTTP conversations with the following URLs:
http://188.165.214.6:15600/1710uk3/HOME/0/51-SP3/0/
http://188.165.214.6:15600/1710uk3/HOME/1/0/0/
http://188.165.214.6:15600/1710uk3/HOME/41/5/1/
http://tonysenior.co.uk/images/IR/1710uk3.osa
188.165.214.6 is not surprisingly allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54, Malwr report) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52, Malwr report).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior.co.uk
From: Sage Account & Payroll [invoice@sage.com]
Date: 17 October 2014 10:28
Subject: Outdated Invoice
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
https://invoice.sage.co.uk/Account?864394=Invoice_032414.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.
We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent to: [redacted]
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom
Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.
Despite appearances, the link in the email (in this case) actually goes to https://www.cubbyusercontent.com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53. The Malwr report shows HTTP conversations with the following URLs:
http://188.165.214.6:15600/1710uk3/HOME/0/51-SP3/0/
http://188.165.214.6:15600/1710uk3/HOME/1/0/0/
http://188.165.214.6:15600/1710uk3/HOME/41/5/1/
http://tonysenior.co.uk/images/IR/1710uk3.osa
188.165.214.6 is not surprisingly allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54, Malwr report) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52, Malwr report).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior.co.uk
Thursday 16 October 2014
A bunch of .su and .ru domains leading to malware
These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know. I haven't had much time to poke at these properly though, but I'd recommend watching out for these:
alinbot.ru
angryflo.ru
arnebbc.su
brokenpiano.ru
bubkagops.su
everydaypp.ru
f11europe.ru
fixiland.su
fumondaydns.in
funnygronni.com
goliathuz.com
icaldns.in
kimberlydns.in
kineshevasto.ru
levdnjord.su
madagask.ru
monkeysea.su
mysweetmon.ru
nitmurmansk.su
nomoreblack.su
odekon.su
opolla.ru
proffygroup.ru
salgarian.su
slimsize1.su
slowdownn.ru
solofrikred.su
superbup.su
temeluchus.ru
tomasz.su
whoisjohnthefirst.ru
winstent.su
wzorcd.ru
xchy3yzbdcavqij3dcr3.ru
ywaiukgcmmmcwqmk.org
108.21.223.101
109.104.174.109
109.104.184.20
109.120.7.117
109.162.32.234
109.162.6.112
109.184.141.196
109.196.77.198
109.201.232.221
109.227.103.153
109.227.105.88
109.227.114.50
109.227.91.150
109.254.116.68
109.60.243.38
109.86.76.58
109.86.83.167
119.18.77.27
121.176.22.15
125.135.166.159
130.204.235.160
134.19.225.199
134.249.15.60
134.249.65.178
14.33.25.64
141.101.27.2
141.101.3.150
158.181.134.227
158.181.14.38
158.181.169.88
158.181.175.126
159.224.101.52
173.171.103.248
173.49.70.65
174.61.141.129
176.100.28.115
176.102.209.127
176.104.253.21
176.104.97.17
176.105.201.21
176.106.31.227
176.114.32.97
176.114.38.72
176.118.144.240
176.118.45.228
176.120.39.87
176.193.22.49
176.193.37.112
176.215.117.210
176.239.12.104
176.36.48.185
176.36.68.13
176.8.203.177
176.8.95.116
176.98.22.147
176.99.226.87
178.132.2.153
178.137.175.36
178.137.215.186
178.137.232.234
178.141.98.158
178.150.104.8
178.151.0.25
178.158.135.20
178.158.16.193
178.158.16.248
178.159.122.213
178.212.101.94
178.213.175.151
178.213.189.58
178.216.227.71
178.219.91.40
178.74.212.207
178.74.226.67
178.89.203.41
178.90.99.120
178.91.41.119
178.94.92.212
185.10.2.11
185.32.120.210
188.0.120.49
188.163.31.16
188.163.50.18
188.214.33.160
188.230.1.99
188.230.15.191
188.230.87.17
188.239.5.123
193.111.241.125
193.34.94.85
194.187.111.74
194.44.252.229
194.44.37.3
195.114.145.188
195.114.147.96
195.138.75.163
195.174.42.216
195.242.81.56
195.72.156.236
2.132.61.249
2.135.129.248
2.135.87.207
206.174.99.120
208.107.176.24
212.22.192.224
212.79.119.49
212.90.32.62
212.92.237.199
212.92.253.167
213.111.151.156
213.111.183.205
213.129.111.70
213.164.123.63
213.174.10.241
213.231.11.136
213.231.49.184
217.112.220.202
217.12.122.58
217.175.85.76
217.197.252.11
218.52.52.157
24.163.109.78
24.214.93.170
27.147.182.44
31.130.4.1
31.131.137.63
31.133.79.131
31.133.79.205
31.134.19.130
31.134.211.43
31.135.140.114
31.170.156.146
31.192.156.153
31.28.249.94
31.41.116.88
31.41.72.159
37.110.12.9
37.115.110.8
37.115.229.27
37.115.33.96
37.115.65.28
37.140.106.117
37.229.189.190
37.229.54.152
37.25.103.214
37.25.106.88
37.53.73.152
37.55.61.26
37.57.159.200
37.57.244.98
37.57.97.229
46.118.162.62
46.118.220.117
46.118.228.6
46.118.46.202
46.119.157.204
46.119.85.215
46.119.90.143
46.146.40.134
46.149.177.86
46.149.48.133
46.160.79.233
46.164.179.75
46.172.211.150
46.172.230.166
46.173.171.118
46.185.51.76
46.185.98.100
46.191.172.157
46.211.40.28
46.211.74.12
46.219.77.143
46.33.243.82
46.61.62.152
46.63.135.3
46.63.66.102
46.98.171.128
46.98.174.49
5.1.27.92
5.1.28.199
5.105.120.46
5.137.71.123
5.153.189.97
5.246.178.134
5.248.243.117
5.34.18.37
5.56.111.111
50.134.47.136
50.154.149.189
62.16.38.131
62.220.53.85
62.80.181.42
62.84.254.75
67.183.123.151
70.114.48.81
70.53.172.129
72.185.199.204
72.80.145.90
74.103.3.126
75.131.252.100
75.76.166.8
76.17.60.31
77.120.183.13
77.121.105.26
77.121.129.150
77.121.140.120
77.122.153.68
77.71.188.240
77.95.92.254
78.131.93.231
78.27.159.75
78.27.183.113
79.113.160.194
79.114.113.151
79.132.17.125
79.134.2.105
79.171.124.211
80.245.117.198
80.64.81.51
81.162.70.55
81.162.75.68
81.163.142.181
81.163.153.185
81.200.148.6
81.90.233.231
82.117.243.39
83.218.228.46
85.198.171.90
85.237.35.122
85.29.154.152
87.110.167.54
87.76.61.30
88.135.93.105
89.105.249.250
89.116.191.51
89.161.84.65
89.209.91.107
89.252.29.97
89.254.147.242
91.196.97.220
91.197.187.189
91.198.143.44
91.200.232.86
91.201.243.191
91.203.89.26
91.207.86.210
91.210.87.242
91.222.63.1
91.223.86.185
91.243.203.238
91.250.34.68
92.112.156.8
92.113.161.218
92.113.4.121
92.114.123.227
92.245.40.208
92.55.30.207
93.170.68.140
93.171.77.198
93.183.247.117
93.76.240.22
93.76.57.57
93.77.75.2
93.78.145.22
93.79.177.59
93.79.199.81
94.100.95.109
94.153.125.201
94.153.53.132
94.153.69.169
94.178.216.34
94.179.99.149
94.231.32.32
94.231.72.194
94.244.173.95
94.45.92.6
95.135.58.25
95.215.117.207
95.47.128.209
95.66.202.226
95.76.64.224
95.87.94.65
96.26.196.66
98.111.140.190
98.244.185.173
98.245.227.235
alinbot.ru
angryflo.ru
arnebbc.su
brokenpiano.ru
bubkagops.su
everydaypp.ru
f11europe.ru
fixiland.su
fumondaydns.in
funnygronni.com
goliathuz.com
icaldns.in
kimberlydns.in
kineshevasto.ru
levdnjord.su
madagask.ru
monkeysea.su
mysweetmon.ru
nitmurmansk.su
nomoreblack.su
odekon.su
opolla.ru
proffygroup.ru
salgarian.su
slimsize1.su
slowdownn.ru
solofrikred.su
superbup.su
temeluchus.ru
tomasz.su
whoisjohnthefirst.ru
winstent.su
wzorcd.ru
xchy3yzbdcavqij3dcr3.ru
ywaiukgcmmmcwqmk.org
108.21.223.101
109.104.174.109
109.104.184.20
109.120.7.117
109.162.32.234
109.162.6.112
109.184.141.196
109.196.77.198
109.201.232.221
109.227.103.153
109.227.105.88
109.227.114.50
109.227.91.150
109.254.116.68
109.60.243.38
109.86.76.58
109.86.83.167
119.18.77.27
121.176.22.15
125.135.166.159
130.204.235.160
134.19.225.199
134.249.15.60
134.249.65.178
14.33.25.64
141.101.27.2
141.101.3.150
158.181.134.227
158.181.14.38
158.181.169.88
158.181.175.126
159.224.101.52
173.171.103.248
173.49.70.65
174.61.141.129
176.100.28.115
176.102.209.127
176.104.253.21
176.104.97.17
176.105.201.21
176.106.31.227
176.114.32.97
176.114.38.72
176.118.144.240
176.118.45.228
176.120.39.87
176.193.22.49
176.193.37.112
176.215.117.210
176.239.12.104
176.36.48.185
176.36.68.13
176.8.203.177
176.8.95.116
176.98.22.147
176.99.226.87
178.132.2.153
178.137.175.36
178.137.215.186
178.137.232.234
178.141.98.158
178.150.104.8
178.151.0.25
178.158.135.20
178.158.16.193
178.158.16.248
178.159.122.213
178.212.101.94
178.213.175.151
178.213.189.58
178.216.227.71
178.219.91.40
178.74.212.207
178.74.226.67
178.89.203.41
178.90.99.120
178.91.41.119
178.94.92.212
185.10.2.11
185.32.120.210
188.0.120.49
188.163.31.16
188.163.50.18
188.214.33.160
188.230.1.99
188.230.15.191
188.230.87.17
188.239.5.123
193.111.241.125
193.34.94.85
194.187.111.74
194.44.252.229
194.44.37.3
195.114.145.188
195.114.147.96
195.138.75.163
195.174.42.216
195.242.81.56
195.72.156.236
2.132.61.249
2.135.129.248
2.135.87.207
206.174.99.120
208.107.176.24
212.22.192.224
212.79.119.49
212.90.32.62
212.92.237.199
212.92.253.167
213.111.151.156
213.111.183.205
213.129.111.70
213.164.123.63
213.174.10.241
213.231.11.136
213.231.49.184
217.112.220.202
217.12.122.58
217.175.85.76
217.197.252.11
218.52.52.157
24.163.109.78
24.214.93.170
27.147.182.44
31.130.4.1
31.131.137.63
31.133.79.131
31.133.79.205
31.134.19.130
31.134.211.43
31.135.140.114
31.170.156.146
31.192.156.153
31.28.249.94
31.41.116.88
31.41.72.159
37.110.12.9
37.115.110.8
37.115.229.27
37.115.33.96
37.115.65.28
37.140.106.117
37.229.189.190
37.229.54.152
37.25.103.214
37.25.106.88
37.53.73.152
37.55.61.26
37.57.159.200
37.57.244.98
37.57.97.229
46.118.162.62
46.118.220.117
46.118.228.6
46.118.46.202
46.119.157.204
46.119.85.215
46.119.90.143
46.146.40.134
46.149.177.86
46.149.48.133
46.160.79.233
46.164.179.75
46.172.211.150
46.172.230.166
46.173.171.118
46.185.51.76
46.185.98.100
46.191.172.157
46.211.40.28
46.211.74.12
46.219.77.143
46.33.243.82
46.61.62.152
46.63.135.3
46.63.66.102
46.98.171.128
46.98.174.49
5.1.27.92
5.1.28.199
5.105.120.46
5.137.71.123
5.153.189.97
5.246.178.134
5.248.243.117
5.34.18.37
5.56.111.111
50.134.47.136
50.154.149.189
62.16.38.131
62.220.53.85
62.80.181.42
62.84.254.75
67.183.123.151
70.114.48.81
70.53.172.129
72.185.199.204
72.80.145.90
74.103.3.126
75.131.252.100
75.76.166.8
76.17.60.31
77.120.183.13
77.121.105.26
77.121.129.150
77.121.140.120
77.122.153.68
77.71.188.240
77.95.92.254
78.131.93.231
78.27.159.75
78.27.183.113
79.113.160.194
79.114.113.151
79.132.17.125
79.134.2.105
79.171.124.211
80.245.117.198
80.64.81.51
81.162.70.55
81.162.75.68
81.163.142.181
81.163.153.185
81.200.148.6
81.90.233.231
82.117.243.39
83.218.228.46
85.198.171.90
85.237.35.122
85.29.154.152
87.110.167.54
87.76.61.30
88.135.93.105
89.105.249.250
89.116.191.51
89.161.84.65
89.209.91.107
89.252.29.97
89.254.147.242
91.196.97.220
91.197.187.189
91.198.143.44
91.200.232.86
91.201.243.191
91.203.89.26
91.207.86.210
91.210.87.242
91.222.63.1
91.223.86.185
91.243.203.238
91.250.34.68
92.112.156.8
92.113.161.218
92.113.4.121
92.114.123.227
92.245.40.208
92.55.30.207
93.170.68.140
93.171.77.198
93.183.247.117
93.76.240.22
93.76.57.57
93.77.75.2
93.78.145.22
93.79.177.59
93.79.199.81
94.100.95.109
94.153.125.201
94.153.53.132
94.153.69.169
94.178.216.34
94.179.99.149
94.231.32.32
94.231.72.194
94.244.173.95
94.45.92.6
95.135.58.25
95.215.117.207
95.47.128.209
95.66.202.226
95.76.64.224
95.87.94.65
96.26.196.66
98.111.140.190
98.244.185.173
98.245.227.235
Barclays Bank "Transaction not complete" spam
From: Barclays Bank [Barclays@email.barclays.co.uk]
Date: 16 October 2014 12:48
Subject: Transaction not complete
Unable to complete your most recent Transaction.
Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt below:
http://essecisoftware.it/docs/viewdoc.php
Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register
No. 122702). Registered in England. Registered Number is 1026167 with registered
office at 1 Churchill Place, London E14 5HP.
Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54. The Malwr report shows that it reaches out to the following URLs:
http://188.165.214.6:12302/1610uk1/HOME/0/51-SP3/0/
http://188.165.214.6:12302/1610uk1/HOME/1/0/0/
http://188.165.214.6:12302/1610uk1/HOME/41/5/1/
http://jwoffroad.co.uk/img/t/1610uk1.osa
In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to block or monitor.
It also drops two executables, bxqyy.exe (VT 5/54, Malwr report) and ldplh.exe (VT 1/51, Malwr report)
.
Wednesday 15 October 2014
"Shipping Information for.." spam uses a Google redirector and copy.com to distribute malware
This fake shipping spam contains malware.. although it appears that it may be buggy and might not install properly.
The link in the email goes to https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54.
The Malwr report indicates that the malware fails to install because of a bug in the code, a problem that also appears in all the other analysis tools that I tried.
What I think is meant to happen is that a malicious script [pastebin] that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it with the following command:
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been infected by the executable running in the background.
From: fatmazohra.mekhalfia@groupehasnaoui.com
Date: 15 October 2014 15:09
Subject: Shipping Information for [redacted]
Please see the shipping info
Processed on Oct 15/ 2014
This is to inform you that the package is being shipped to you. We also provided delivery terms to specified address.
Order number: 611541106
Order total: 3000.28 USD
Shipping date: Oct 16th 2014.
Please hit the button provided at the bottom to see more info about your package.
Shipping Invoice
The link in the email goes to https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54.
The Malwr report indicates that the malware fails to install because of a bug in the code, a problem that also appears in all the other analysis tools that I tried.
What I think is meant to happen is that a malicious script [pastebin] that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it with the following command:
Gl.exe -pGlue1 -d%temp%This executable has a VirusTotal detection rate of 2/53. It bombs out of automated analysis tools (see the Malwr report) possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been infected by the executable running in the background.
"Clean India" spam is an exercise in hypocrisy
"Clean India" is a meant to be a campaign to clean up Indian
politics. But one of the biggest problems they have in India is spam
(which lead to the long saga of Delhi minister Somnath
Bharti's history of spam). So I think it is an act of sheer
hypocrisy to promote this campaign through random spam.
The spam originates from an Amazon AWS IP of 54.240.9.132, the spamvertised site localcircles.com is also hosted on Amazon AWS. The registration details are:
Registry Registrant ID:
Registrant Name: LocalCircles India
Registrant Organization: LocalCircles India Pvt Ltd
Registrant Street: 1105, 11th Floor,
Registrant Street: Advant Navis Business Park, Sector 142
Registrant City: Noida
Registrant State/Province: Uttar Pradesh
Registrant Postal Code: 201301
Registrant Country: India
Registrant Phone: +91.1204263558
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@localcircles.com
Google sums up localcircles.com poor reputation nicely: We've found that lots of messages from localcirclesemail.com are spam.
As long as India tolerates spam and other dishonest business practices then I don't think that there's much change of them cleaning up their act. I think whoever is sending out this spam needs to look much closer to home before criticising others.
From: Ministry Of Urban Development [support@localcirclesemail.com]
Reply-To: support@localcirclesemail.com
Date: 15 October 2014 11:24
Subject: Swachh Bharat invite by Ministry Of Urban Development
Signed by: localcirclesemail.com
Invited to Circle: Swachh Bharat
Founder: Ministry Of Urban Development
Members: 189975
Description: This circle brings together all citizens who want a Clean India. Through this circle, citizens will be able to share cleanliness initiatives, challenges, successes at a National Level as well as learn about best practices from each other. Members will also be able to give collective inputs to Ministry of Urban Development on an ongoing basis. Soon, members of this circle will have access to their local constituency circle on Swachh Bharat connecting them with fellow local residents and enabling them to organize/participate in clean up drives in their neighborhood/city. Together, let us make it a SWACHH BHARAT!
About LocalCircles
LocalCircles takes Social Media to the next level and makes it about Communities, Governance and Utility. It enables citizens to connect with communities for most aspects of urban daily life like Neighborhood, Constituency, City, Government, Causes, Interests and Needs, seek information/assistance when needed, come together for various initiatives and improve their urban daily life. LocalCircles is free for citizens and always will be!
The spam originates from an Amazon AWS IP of 54.240.9.132, the spamvertised site localcircles.com is also hosted on Amazon AWS. The registration details are:
Registry Registrant ID:
Registrant Name: LocalCircles India
Registrant Organization: LocalCircles India Pvt Ltd
Registrant Street: 1105, 11th Floor,
Registrant Street: Advant Navis Business Park, Sector 142
Registrant City: Noida
Registrant State/Province: Uttar Pradesh
Registrant Postal Code: 201301
Registrant Country: India
Registrant Phone: +91.1204263558
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@localcircles.com
Google sums up localcircles.com poor reputation nicely: We've found that lots of messages from localcirclesemail.com are spam.
As long as India tolerates spam and other dishonest business practices then I don't think that there's much change of them cleaning up their act. I think whoever is sending out this spam needs to look much closer to home before criticising others.
Tuesday 14 October 2014
"To view your document, please open attachment" spam with a DOC attachment
This spam comes with a malicious DOC attachment:
This word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography.co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55 and the EXE file is just 2/54.
I have not yet had time to look at the malicious binary, but the Malwr analysis is here.
UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55. You can see the Malwr analysis here.
From: Anna [ºžô õö?ǯ#-øß {qYrÝsØ l½:ž±þ EiÉ91¤É¤y$e| p‹äŒís' ÀQtÃ#7 þ–¿åoù[þ–¿åoù[þ–¿åoù[þ–¿åÿ7 å{˜x|%S;ÖUñpbSË‘ý§B§i…¾«¿¨` Òf ¶ò [no-reply@bostonqatar.net]The "From" field in the samples I have seen seems to be a random collection of characters. The DOC attachment is also randomly named in the format document_9639245.doc.
Date: 14 October 2014 11:09
Subject: Your document
To view your document, please open attachment.
This word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography.co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55 and the EXE file is just 2/54.
I have not yet had time to look at the malicious binary, but the Malwr analysis is here.
UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55. You can see the Malwr analysis here.
Monday 13 October 2014
Malware spam: "You have received a new secure message from BankLine" / "You've received a new fax"
A couple of unimaginative spam emails leading to a malicious payload.
Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54.
The Malwr analysis shows that the malware attempts to communicate with the following URLs:
http://94.75.233.13:40200/1310uk1/HOME/0/51-SP3/0/
http://94.75.233.13:40200/1310uk1/HOME/1/0/0/
http://94.75.233.13:40200/1310uk1/HOME/41/5/1/
http://carcomputer.co.uk/image/1310uk1.rtf
http://phyccess.com/Scripts/Pony.rtf
http://144.76.220.116/gate.php
http://hotelnuovo.com/css/heap_238_id2.rtf
http://wirelesssolutionsny.com/wp-content/themes/Wireless/js/heap_238_id2.rtf
http://isc-libya.com/js/Pony.rtf
http://85.25.152.238/
Also dropped are a couple of executables, egdil.exe (VT 2/54, Malwr report) and twoko.exe (VT 6/55, Malwr report).
Recommended blocklist:
94.75.233.13
144.76.220.116
85.25.152.238
carcomputer.co.uk
phyccess.com
hotelnuovo.com
wirelesssolutionsny.com
isc-libya.com
You have received a new secure message from BankLine
From: Bankline [secure.message@bankline.com]
Date: 13 October 2014 12:48
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow:
http://losislotes.com/dropbox/document.php
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7507.
First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message
You've received a new fax
From: Fax [fax@victimdomain.com]
Date: 13 October 2014 13:07
Subject: You've received a new fax
New fax at SCAN2166561 from EPSON by https://victimdomain.com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at:
http://www.mezaya.ly/dropbox/document.php
(Dropbox Drive is a file hosting service operated by Google, Inc.)
Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54.
The Malwr analysis shows that the malware attempts to communicate with the following URLs:
http://94.75.233.13:40200/1310uk1/HOME/0/51-SP3/0/
http://94.75.233.13:40200/1310uk1/HOME/1/0/0/
http://94.75.233.13:40200/1310uk1/HOME/41/5/1/
http://carcomputer.co.uk/image/1310uk1.rtf
http://phyccess.com/Scripts/Pony.rtf
http://144.76.220.116/gate.php
http://hotelnuovo.com/css/heap_238_id2.rtf
http://wirelesssolutionsny.com/wp-content/themes/Wireless/js/heap_238_id2.rtf
http://isc-libya.com/js/Pony.rtf
http://85.25.152.238/
Also dropped are a couple of executables, egdil.exe (VT 2/54, Malwr report) and twoko.exe (VT 6/55, Malwr report).
Recommended blocklist:
94.75.233.13
144.76.220.116
85.25.152.238
carcomputer.co.uk
phyccess.com
hotelnuovo.com
wirelesssolutionsny.com
isc-libya.com
"Your Amazon.co.uk order" spam with malformed DOC attachment
A whole bunch of these just came through:
The order number changes in each version of the spam. Note the misplaced "}" in the title though.. that's not the only thing wrong with this spam.
Attached is a file with a random number and a DOC extension, but in fact it is a plain text attachment that begins:
0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAD/////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////////////////////////////spcEAKWAZBAAA8BK/AAAAAAAAEAAAAAAABgAA
AQgAAA4AYmpiaoARgBEAAAAAAAAAAAAAAAAAAAAAAAAZBBYALhAAAOJ7AADiewAAAQAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A
AAAAAAAAAAAAAAAAAAAAAKQAAAAAALADAAAAAAAAsAMAALADAAAAAAAAsAMAAAAAAACwAwAA
AAAAALADAAAAAAAAsAMAABQAAAAAAAAAAAAAAOoDAAAUAAAAIgQAAAAAAAAiBAAAAAAAACIE
Obviously something has gone wrong here, it looks like the attachment is Base 64 encoded when it shouldn't be, but running it through a decode still seems to generate nothing but junk.
My guess is that something has gone wrong with this spam run, and this is meant to be a malicious executable. As it stands, neither the original or decoded version trigger anything at VirusTotal [1] [2]. There's a good chance that the bad guys will figure this out and fix it though, so be cautious if you receive an unexpected email from Amazon.
From: AMAZON.CO.UK [order@amazon.co.uk]
To: 1122@eddfg.com
Date: 13 October 2014 08:32
Subject: Your Amazon.co.uk order }837-1171095-3201918
Hello,
Thanks for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.Order Details
Order #837-1171095-3201918 Placed on October 11, 2014
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.We hope to see you again soon. Amazon.co.uk
The order number changes in each version of the spam. Note the misplaced "}" in the title though.. that's not the only thing wrong with this spam.
Attached is a file with a random number and a DOC extension, but in fact it is a plain text attachment that begins:
0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAD/////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////////////////////////////spcEAKWAZBAAA8BK/AAAAAAAAEAAAAAAABgAA
AQgAAA4AYmpiaoARgBEAAAAAAAAAAAAAAAAAAAAAAAAZBBYALhAAAOJ7AADiewAAAQAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A
AAAAAAAAAAAAAAAAAAAAAKQAAAAAALADAAAAAAAAsAMAALADAAAAAAAAsAMAAAAAAACwAwAA
AAAAALADAAAAAAAAsAMAABQAAAAAAAAAAAAAAOoDAAAUAAAAIgQAAAAAAAAiBAAAAAAAACIE
Obviously something has gone wrong here, it looks like the attachment is Base 64 encoded when it shouldn't be, but running it through a decode still seems to generate nothing but junk.
My guess is that something has gone wrong with this spam run, and this is meant to be a malicious executable. As it stands, neither the original or decoded version trigger anything at VirusTotal [1] [2]. There's a good chance that the bad guys will figure this out and fix it though, so be cautious if you receive an unexpected email from Amazon.
Friday 10 October 2014
Malware spam: "You've received a new fax" / "You have received a new secure message from BankLine"
A pair of malware spams this morning, both with the same payload:
The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54.
According to the ThreatExpert report [pdf] the malware communicates with the following URLs which are probably worth blocking or monitoring:
94.75.233.13/1010uk1/NODE01/41/5/1/
94.75.233.13/private/sandbox_status.php
94.75.233.13/1010uk1/NODE01/0/51-SP3/0/
94.75.233.13/1010uk1/NODE01/1/0/0/
beanztech.com/beanz/1010uk1.rtf
"You've received a new fax"
From: Fax [fax@victimdomain.com]
Date: 10 October 2014 11:34
Subject: You've received a new fax
New fax at SCAN7097324 from EPSON by https://victimdomain.com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at:
http://www.eialtd.com/kk/document.php
(Google Disk Drive is a file hosting service operated by Google, Inc.)
"You have received a new secure message from BankLine"
From: Bankline [secure.message@bankline.com]
Date: 10 October 2014 10:29
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow:
http://www.electromagneticsystems.com/kk/document.php
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3297.
First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message
The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54.
According to the ThreatExpert report [pdf] the malware communicates with the following URLs which are probably worth blocking or monitoring:
94.75.233.13/1010uk1/NODE01/41/5/1/
94.75.233.13/private/sandbox_status.php
94.75.233.13/1010uk1/NODE01/0/51-SP3/0/
94.75.233.13/1010uk1/NODE01/1/0/0/
beanztech.com/beanz/1010uk1.rtf
Thursday 9 October 2014
Spam: Confederation MineraIs / Confederation Minerals (CNRMF) pump-and-dump
This high-volume pump-and-dump spam run is promoting the Confederation Minerals (CNRMF) stock, although the spam itself intentionally mis-spells it as Confederation MineraIs with a capital "I" replacing the lowercase "l".
We can see clearly from the Yahoo! Finance page that CNRMF is a disaster area. The stock has slumped from $1.33 in April 2011 to $0.06 today.
Usually the shares are very thinly traded with either zero trades or trades in the low thousands on most days (average trades are about 2000 per day or $120 at today's prices) . The reason for the poor share price is apparent when you look at the financials. As with several other stocks promoted through spam (especially mining stocks) there is zero income and only a bunch of expenditure.
The spam argues that this is going to be OK because CNRMF are sitting on an enormous pile of precious metals which they are shortly going to be selling off. Of course if they were actually sitting on a goldmine then the smart thing to do would be hold onto the stocks until the money comes in. In reality, the chances of this happening are approximately zero.
There doesn't seem to be a particular pattern of stock buying going on, which indicates perhaps that the pump and dump spam is being arranged by some existing stockholder trying to cash out.
Only a fool would invest in CNRMF in response to this sort of spam message. Avoid.
UPDATE 2014-10-10: a second version is now being spammed out..
From: TheStreet
Date: 9 October 2014 12:29
Subject: The Stocktip Of The Year
You've been patient for a while now and finally it's time.
Confederation MineraIs (CNRMF) is on the verge of exploding.
Thats because they have hundreds ofmillions of precious metals on their property and they are weeks away from beginning to dig it out and selling it up the distribution chain.
It is trading at such a bargain right now that CNRMF is a no-brainer.
Snap up as many shares of it as you can today before it goes up too high.
Everyone is certain that we will see it hit past 40cents before month's end.
63 South Main Street, Newtown CT 06470
The TheStreet, Inc. Press | Customer Service | Privacy Policy
You received this message because you are a TheStreet, Inc. customer or have registered at TheStreet.com.
This email was sent to you by The TheStreet, Inc.. Click here to update your email preferences.
We can see clearly from the Yahoo! Finance page that CNRMF is a disaster area. The stock has slumped from $1.33 in April 2011 to $0.06 today.
Usually the shares are very thinly traded with either zero trades or trades in the low thousands on most days (average trades are about 2000 per day or $120 at today's prices) . The reason for the poor share price is apparent when you look at the financials. As with several other stocks promoted through spam (especially mining stocks) there is zero income and only a bunch of expenditure.
The spam argues that this is going to be OK because CNRMF are sitting on an enormous pile of precious metals which they are shortly going to be selling off. Of course if they were actually sitting on a goldmine then the smart thing to do would be hold onto the stocks until the money comes in. In reality, the chances of this happening are approximately zero.
There doesn't seem to be a particular pattern of stock buying going on, which indicates perhaps that the pump and dump spam is being arranged by some existing stockholder trying to cash out.
Only a fool would invest in CNRMF in response to this sort of spam message. Avoid.
UPDATE 2014-10-10: a second version is now being spammed out..
From: Thanh Ford
Date: 10 October 2014 15:50
Subject: Sorry for my late reply
Hi [redacted],
I got your voicemail yesterday about the stock tip you want, sorry I couldnt pick up the phone I was on with the wife you know how she is but please next time don't call the house line, I would prefer if you come in to my office instead. In person is always better. Anyway your timing is impeccable you are very lucky. There's this insane little company (confederation minerals) that was exchanging hands for like a dollar and a half last year and now you can grab it for around 10 cents. These guys are sitting on gold, literaly. They have proven reserves worth a few hundred mill and theyre about to begin digging out the stuff in a few months.
You better bet the stokc is gonna go nuts in the coming weeks when they make the drilling announcement. Take care and if you need anything else give me a shout. The stokc is CNRMF and if I were you id grab as many shares as I can, everyone at the office thinks this one is gonna go up at least 5x soon.
Labels:
Pump and Dump,
Spam
chinaregistry.org.cn domain scam
This is an old scam that can safely be ignored.
Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either.
I created a brief video explaining the scam that you can view below:
From: Henry Liu [henry.liu@chinaregistry.org.cn]
Date: 9 October 2014 07:53
Subject: [redacted] domain and keyword in CN
(Please forward this to your CEO, because this is urgent. Thanks)
We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?Kind regards
Henry Liu
General Manager
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China
Tel: +86 21 6191 8696
Mobile: +86 138 1642 8671
Fax: +86 21 6191 8697
Web: www.chinaregistry.org.cn
Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either.
I created a brief video explaining the scam that you can view below:
Nuclear EK active on 178.79.182.106
It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains using AFRAID.ORG nameservers. I can fee the following sites active on that IP:
fuhloizle.tryzub-it.co.uk
fuhloizle.pgaof39.com
fuhloizle.cusssa.org
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea.
fuhloizle.tryzub-it.co.uk
fuhloizle.pgaof39.com
fuhloizle.cusssa.org
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea.
Labels:
Linode,
Malware,
Nuclear EK,
Viruses
Subscribe to:
Posts (Atom)