Sponsored by..

Wednesday, 7 January 2015

Exploit kits on Choopa LLC / Gameservers.com IP addresses

While chasing down this exploit kit yesterday, I noticed an awful lot of related IP addresses and domains that also seemed to be hosting malware.

The characterstics of these malicious landing pages is that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE

ooshuchahxe.co.vu
ahjoneeshae.co.vu
phamiephim.co.vu
kaemahchuum.co.vu
pahsiefoono.co.vu
kaghaingai.co.vu
buengaiyei.co.vu
ohmiajusoo.co.vu
oodeerahshe.co.vu
paotuchepha.co.vu
aedeequeekou.co.vu
eikoosiexa.co.vu
phielaingi.co.vu
thohbeekee.co.vu

A typical exploit landing page looks like this [URLquery report] which appears to be the Nuclear EK.

These are hosted on the following Choopa LLC / Gamservers.com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:

108.61.165.69
108.61.165.70

108.61.165.96
108.61.167.160
108.61.172.139
108.61.175.125
108.61.177.107
108.61.177.89

All these malicious domains use the following nameservers:


ns1.thallsbe.com
ns1.yotelepa.com
ns1.zenteep.com
ns1.neverflouwks.com
ns1.daxpyorgilgere.com
ns1.irkoblik.com
ns2.thallsbe.com
ns2.yotelepa.com
ns2.zenteep.com
ns2.neverflouwks.com
ns2.daxpyorgilgere.com
ns2.irkoblik.com

Nameservers are mostly (but not all hosted on Choopa LLC IPs):

64.187.225.245
104.224.147.220
108.61.123.219
108.61.172.145
108.61.198.148
108.61.211.121

As I said, these domains see to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google (long list, sorry, scroll past it if you like):

offearfactory.cf
ukforsavectory.cf
ukforshivaflow.cf
soundchecker.cf
tobiahsebastiani.cf
crazystuff.ga
atproserafic.ga
soundchecker.ga
terriblelow.ml
stumbleupons.ml
ukforprimeebook.cf
greendriver.ga
ukforsavectory.ga
yellowcheck.ml
misterybook.cf
sporterafic.cf
thorteutsch.cf
imainconfig.ga
materofteck.ga
sporterafic.ga
pleskinebook.ga
lowensineflow.ga
warriordriver.ga
materofteck.ml
sporterafic.ml
lowensineflow.ml
mipkohoophw.cf
mipkoewushohn.cf
mipkoeerrw.ml
mipkohiocoh.ml
qdujbffg.cf
floraperf.cf
floreamva.cf
sintroota.cf
akcyvwkudu.cf
jepeugcpaq.cf
kzjzbbezgt.cf
rittfpynit.cf
unitedbeer.cf
vuktrontas.cf
wchiekohya.cf
wingasheng.cf
nikelnstate.cf
quitambient.cf
xotadddance.cf
xoteaddrack.cf
bloxianoiaba.cf
boyconroewom.cf
myfreenomapi.cf
walltaddates.cf
walltaddonce.cf
walltaddrave.cf
xoteaddotion.cf
trohqueenexai.cf
trotesaiheohu.cf
truechiekitha.cf
trueitheipoag.cf
vukontasixtas.cf
vuvatyisedron.cf
wallddforbake.cf
walltadddabit.cf
walltadddance.cf
walltadddsims.cf
wallteaddrack.cf
oproquanterbot.cf
veterloshamerr.cf
vuflowdeadcrow.cf
wallaerkinderr.cf
wallteaddotion.cf
wicomertulatti.cf
walltadddoppler.cf
amixionifyredhedi.cf
shamidgewoodpiste.cf
shoeufflorthrudis.cf
shoppaycleagoncad.cf
sosanasisernitive.cf
sourustieronixtur.cf
sparetediapletecu.cf
stekoneyredecklan.cf
subspironimitells.cf
sultintemicrearti.cf
coolmember.ga
krogralind.ga
rzanygngis.ga
unitedbeer.ga
wchiekohya.ga
weisewieku.ga
xotaddates.ga
xotaddrave.ga
junoreactor.ga
quitambient.ga
xoteaddrack.ga
dealerstrike.ga
trudahsheeso.ga
vumalworrest.ga
walltaddates.ga
walltaddonce.ga
walltaddrave.ga
wamipkoleoxw.ga
xoteaddotion.ga
proquantterms.ga
tritaeneiquoh.ga
trohqueenexai.ga
trotesaiheohu.ga
troyeachahgie.ga
truechiekitha.ga
truexauphudei.ga
victorysecret.ga
vuxeersktrace.ga
wallddforbake.ga
walltadddabit.ga
walltadddance.ga
walltadddsims.ga
wallteaddrack.ga
xotadddoppler.ga
veterloshamerr.ga
victoaddroplen.ga
vuflowdeadcrow.ga
vuvtrassktrace.ga
wallaerkinderr.ga
wallteaddotion.ga
wheallstechaxa.ga
wolscelipartin.ga
wolvestreyrmst.ga
walltadddoppler.ga
serckinvenaftovan.ga
shamidgewoodpiste.ga
shoppaycleagoncad.ga
sosanasisernitive.ga
sourustieronixtur.ga
sparetediapletecu.ga
stekoneyredecklan.ga
subspironimitells.ga
sultintemicrearti.ga
facilygda.ml
iqmhaslyzd.ml
kriendbasi.ml
queezerbot.ml
rittfpynit.ml
xotaddrave.ml
contermance.ml
crazyworlds.ml
junoreactor.ml
loborrowave.ml
quitambient.ml
vuxtronrace.ml
xoteaddrack.ml
bloxianoiaba.ml
trudahsheeso.ml
vumalworrest.ml
vumullefloor.ml
walltaddates.ml
walltaddonce.ml
walltaddrave.ml
xoteaddotion.ml
lodborrowpler.ml
proquantterms.ml
triceebicicha.ml
triilequadaev.ml
tritaeneiquoh.ml
troshiechooph.ml
trotesaiheohu.ml
victorysecret.ml
vuxeersktrace.ml
wallddforbake.ml
walltadddabit.ml
walltadddance.ml
walltadddsims.ml
wallteaddrack.ml
wamipkoicjnew.ml
oproquantables.ml
veterloshamerr.ml
victoaddroplen.ml
wallteaddotion.ml
wickleyoregene.ml
wolscelipartin.ml
walltadddoppler.ml
serckinvenaftovan.ml
shamidgewoodpiste.ml
shoeufflorthrudis.ml
shoppaycleagoncad.ml
sosanasisernitive.ml
sourustieronixtur.ml
sparetediapletecu.ml
stekoneyredecklan.ml
subspironimitells.ml
sultintemicrearti.ml
sintroota.tk
sionixire.tk
bugleryambur.tk
zarauphudei.cf
zaraachwahgie.cf
zaragietheeghe.cf
zarabixampw.ga
zaradhoophw.ga
zarasicjnew.ga
zarauphudei.ga
zaraachwahgie.ga
zaraeqwuadaev.ga
zaraheeteghoh.ga
zaraohgeegheis.ga
zaratiihuw.ml
zarabixampw.ml
zarasicjnew.ml
zarasorsarw.ml
zaraulleoxw.ml
zaraachwahgie.ml
zaraeqwuadaev.ml
zaraewneiquoh.ml
uzaraeserexwai.ml
zaragietheeghe.ml
zaraweethiocoh.ml

In addition, these domains are tagged as malicious by SURBL:
xoteaddrack.cf
wallddforbake.cf
xoteaddrack.ga
walltadddsims.ga
walltaddates.ml
walltadddabit.ml
wallteaddrack.ml
siewaxiesha.co.vu
fourkopoll.co.vu
kurramithompartherd.co.vu

These are the TLDs and SLDs being abused, operated by Freenom (cf, ga, gq, ml, tk) or CoDotVu (co.vu). It looks like perhaps Freenom cleaned up their space, but you can make your own mind up if you want to block traffic to these as a precaution:
co.vu
cf
ga
gq
ml
tk


A full list of all the domains that I can find associated with these servers can be found here [pastebin].

Recommended minimum blocklist (Choopa LLC IPs are highlighted):
108.61.123.219
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.172.145
108.61.175.125
108.61.177.107
108.61.177.89
108.61.198.148
108.61.211.121

64.187.225.245
104.224.147.220

UPDATE:
Choopa LLC say they have terminated those IPs. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised.


Invoice spam with malicious XLS file from multiple companies

This spam run looks very similar to this one going out at roughly the same time, except this has a malicious XLS file rather than a DOC/

From:    Courtney Stark
Date:    7 January 2015 at 12:27
Subject:    Invoice 1252.70 GBP

Please find attached invoice for 1252.70 GBP.

Any queries please contact us.

Courtney Stark
Senior Accounts Payable Specialist
AVIVA

The "sender" is spoofed from multiple companies, so far I have seen:

Courtney Stark
Senior Accounts Payable Specialist
AVIVA

Phyllis Cobb
Senior Accounts Payable Specialist
DIGITAL BARRIERS LTD

Colby Burris
Senior Accounts Payable Specialist
XAAR

Randy Welch
Senior Accounts Payable Specialist
CAMELLIA

Kendra Cervantes
Senior Accounts Payable Specialist
TRINITY EXPLORATION & PRODUCTION

In the samples I have seen, there are two slightly different malicious Excel files with fairly low detection rates [1] [2] containing one of these two macros [1] [2] [pastebin] which downloads an executable from one of the following locations:

http://87.106.165.232:8080/mans/pops.php
http://193.136.19.160:8080/mans/pops.php

These locations are also found with this spam run and the payload is identical.


"Remittance Advice" malware spam from multiple spoofed companies

This fake financial spam claims to be from one of several legitimate companies. They are not sending the spam, not have their systems been compromised. Instead, this has a malicious Word document attached.

From:    Dominique Valenzuela
Date:    7 January 2015 at 11:38
Subject:    Remittance Advice for 3996.63 GBP

Please find attached a remittance advice for recent BACS payment of 3996.63 GBP.

Any queries please contact us.

Dominique Valenzuela
Senior Accounts Payable Specialist
HERMES PACIFIC INVESTMENTS PLC

These different fake senders have been spotted so far:

Reyna Alvarado
Senior Accounts Payable Specialist
AVATION PLC

Dominique Valenzuela
Senior Accounts Payable Specialist
HERMES PACIFIC INVESTMENTS PLC

Alfreda Carney
Senior Accounts Payable Specialist
RED ROCK RESOURCES

Dave Hancock
Senior Accounts Payable Specialist
HANSA TRUST

Kendra Cervantes
Senior Accounts Payable Specialist
TRINITY EXPLORATION & PRODUCTION

The amount of the so-called payment, the name of the sender and the attachment name changes in each case. So far I have spotted three different Word documents, all with low detection rates at VirusTotal [1] [2] [3] which contains one of three different macros [1] [2] [3] [pastebin] which downloads a second stage from one of the following locations:

http://193.136.19.160:8080/mans/pops.php
http://94.23.160.102:8080/mans/pops.php
http://87.106.165.232:8080/mans/pops.php


This file is downloaded as test.exe and is then moved to %TEMP%\1V2MUY2XWYSFXQ.exe. This has a VirusTotal detection rate of 4/56 and that report also says that it POSTs data to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine).

For research purposes, a copy of these files can be found here [password=infected]



Malware spam: "Eliza Fernandes" / "NUCSOFT-Payroll December 2014"

This fake spam pretends to be from an Indian company called Nucsoft but it isn't, instead it comes with a malicious Word document attached. Nucsoft are not sending out the spam, nor have their systems been compromised in any way.

From:    Eliza Fernandes [eliza_fernandes@nucsoft.co.in]
Date:    7 January 2015 at 07:27
Subject:    NUCSOFT-Payroll December 2014

Please find the data for payroll processing.


Please forward the PDF of summary.

 Regards,
Eliza Fernandes


NUCSOFT Ltd.
Finance Dept.

-------------------------------------------------------------------------------------------------
DISCLAIMER:
This message contains privileged and confidential information and is intended only for an individual named. If you are not the intended recipient, you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted,
-------------------------------------------------------------------------------------------------
                          NUCSOFT : With You - Until Success  and Beyond....
                          Visit us at http://www.nucsoft.com
-------------------------------------------------------------------------------------------------
Attached is a malicous Word document (not a PDF) called Payroll Dec'14.doc which has a VirusTotal detection rate of 3/56. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://cerovski1.net.amis.hr/js/bin.exe

This is saved as %TEMP%\1V2MUY2XWYSFXQ.exe and has a VirusTotal detection rate of just 1/56.

The Malwr report shows network connections to the following IPs:

59.148.196.153 (HKBN, Hing Kong)
74.208.11.204 (1&1, US)

It also drops a DLL with a detection rate of 20/56, identified as Dridex.

Recommended blocklist:
59.148.196.153
74.208.11.204

Note - for research purposes, a copy of the DOC and dropped files is here [zip]. Password is "infected".

Tuesday, 6 January 2015

hqq.tv serving up exploit kit (via Digital Ocean and Choopa)

I will confess that I haven't had a lot of time to look at this, but here's an infection chain starting from a scummy-looking video streaming site called cine-stream.net. I do not recommend visiting any of the sites labelled [donotclick]

Step 1
[donotclick]cine-stream.net/1609-le-pre-nol-est-une-ordure-en-streaming.html
89.248.170.206 (Ecatel Ltd, Netherlands)
URLquery report

Step 2
[donotclick]hqq.tv/player/embed_player.php?vid=7SO84O65X5SM&autoplay=no
199.83.130.198 (Incapsula, US)

Step 3
[donotclick]agroristaler.info/dasimotulpes16.html
128.199.48.44 (Digital Ocean, Netherlands)
URLquery report

Step 4
[donotclick]aflesministal.info/chat.html
178.62.147.144 (Digital Ocean, Netherlands)
128.199.52.108 (Digital Ocean, Netherlands)

Step 5
[donotclick]pohfefungie.co.vu/VUZQBUgAAgtAGlc.html
[donotclick]eixaaweexum.co.vu/VxFVBkgAAgtAGlc.html
108.61.165.69 (Choopa LLC / Game Servers, Netherlands)
URLquery report

The Digital Ocean and Choopa IPs host several apparently malicious domains:

108.61.165.69
eixaaweexum.co.vu
ienaakeoke.co.vu
weswalkers.co.vu
pohfefungie.co.vu
vieleevethu.co.vu

178.62.147.144
128.199.52.108

sebitibir.info
abrisgalor.info
aflesministal.info

128.199.48.44
abibruget.info
alsonutird.info
fiflakutir.info
fistikopor.info
agroristaler.info
poliloparatoser.info

In my opinion, .co.vu domains are often bad news and are good candidates for blocking. In the mean time I would recommend the following minimum blocklist:

108.61.165.69
178.62.147.144
128.199.52.108
128.199.48.44

"PAYMENT ADVICE 06-JAN-2015" malware spam

This spam has a malicious attachment:
From:    Celeste , Senior Accountant
Date:    6 January 2015 at 10:13
Subject:    PAYMENT ADVICE 06-JAN-2015

Dear all,

Payment has been made to you in amount GBP 18898,28 by BACS.

See attachment.

Regards,

Celeste
Senior Accountant

I have only seen one sample so far, with a document BACS092459_473.doc which has a VirusTotal detection rate of 0/56 and which contains this macro [pastebin] which attempts to download an additional component from:

http://206.72.192.15:8080/mans/pops.php

This is exactly the same file as seen in this parallel spam run today and it has the same characteristics.

Malware spam: SGBD National Payments Centre / Saint Gobain UK / This is your Remittance Advice

This fake financial spam has a malicious payload:

Date:    6 January 2015 at 08:56
Subject:    This is your Remittance Advice #ATS29858

DO NOT REPLY TO THIS EMAIL ADDRESS

Please find attached your remittance advice from Saint Gobain UK.
For any queries relating to this remittance please notify the Payment Enquiry Team on 01484913947

Regards,
SGBD National Payments Centre

Note that this email is a forgery. Saint Gobain UK are not sending the spam, nor have their systems been compromised in any way. Instead, criminals are using a botnet to spam out malicious Excel documents.

Each email has a different reference number, and the attachment file name matches. The telephone number is randomly generated in each case, using a dialling code of 01484 which is Huddersfield (in the UK). There will probably be a lot of confused people in Huddersfield at the moment.

There are actually four different version of the malicious Excel file, none of which are detected by anti-virus vendors [1] [2] [3] [4] containing four different but similar macros [1] [2] [3] [4] [pastebin] which then download a component from one of the following locations:

http://213.174.162.126:8080/mans/pops.php
http://194.28.139.100:8080/mans/pops.php
http://206.72.192.15:8080/mans/pops.php
http://213.9.95.58:8080/mans/pops.php


This file is downloaded as test.exe and it then saved as %TEMP%\1V2MUY2XWYSFXQ.exe. It has a VirusTotal detection rate of just 3/48. That report shows that the malware then connects to the following URLs:

http://194.146.136.1:8080/
http://179.43.141.164/X9BMtSKOfaz/e&WGWM+o%3D_c%26%248/InRRqJL~L
http://179.43.141.164/TiHlXjsnCOo8%2C/fS%24P/VZFrel2ih%2Dlv+%26aTn
http://179.43.141.164/suELl1XsT%2CFX.k%26z4./sn%3F=/%3Ffw/HFBN@8J
http://179.43.141.164/fhmhi/igm/c&@%7E%2Dj.==m~cg_%2B%2C%3Daggs.%2Dkgm%26$~@fk@g/a%2Cgm+lkb%2D.~$kh/


194.146.136.1 is allocated to PE "Filipets Igor Victorovych" in Ukraine. 179.43.141.164 is Private Layer Incin Panama. I would definitely recommend blocking them and possibly the entire /24s in which they are hosted.

The Malwr report shows no activity, indicating that it is hardened against analysis.

Recommend blocklist:
194.146.136.1
179.43.141.164

213.174.162.126
194.28.139.100
206.72.192.15
213.9.95.58

Friday, 2 January 2015

binarysmoney.com / clickmoneys.com / thinkedmoney.com "job" spam

I've been plagued with these for the past few days:

Date:    2 January 2015 at 11:02
Subject:    response

Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

We cooperate with different countries and currently we have many clients in the world.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1500 up to $5000 per month.

The job offers a good salary so, interested candidates please registration on the our site: www.binarysmoney.com

Attention! Accept applications only on this and next week.

Respectively submitted
Personnel department

Subject lines include:

New employment opportunities
Staff Wanted
Employment invitation
new job
New job offer
Interesting Job

response

Spamvertised sites seen so far are binarysmoney.com, clickmoneys.com and thinkedmoney.com, all multihomed on the following IPs:

46.108.40.76 (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania)
201.215.67.43 (VTR Banda Ancha S.A., Chile)
31.210.63.94 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)

Another site hosted on these IPs is moneyproff.com. All the domains have apparently fake WHOIS details.

It looks like a money mule spam, but in fact it leads to some binary options trading crap.


There is no identifying information on the page at all. Trustworthy? Nope. But let's look at that relaxed looking chap at the top of the page, in a picture called matthew.png.

Well, that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere.

Binary options are a haven for scammers, and my opinion is that this is such a scam given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:

46.108.40.76
201.215.67.43
31.210.63.94
clickmoneys.com
thinkedmoney.com
binarysmoney.com
moneyproff.com

Wednesday, 31 December 2014

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@inet.ba

This post by Brian Krebs drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics..

Safe Browsing
Diagnostic page for AS198252 (ELTAKABEL-AS)

What happened when Google visited sites hosted on this network?

    Of the 165 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, office-hosts.org/, invoice-ups.org/, refforwarding.eu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2014-12-31, and the last time suspicious content was found was on 2014-12-26.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that appeared to function as intermediaries for the infection of 525 other site(s) including, for example, webtretho.com/, detik.com/, zaodich.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that infected 572 other site(s), including, for example, webtretho.com/, detik.com/, zaodich.com/.
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts.

An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very many bad sites, the WHOIS details for that block being..

inetnum:        217.71.48.0 - 217.71.63.255
descr:          TXTV d.o.o. Tuzla
org:            ORG-TdT1-RIPE
netname:        BA-TXTV-20030807
country:        BA
admin-c:        IK879-RIPE
tech-c:         IK879-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-NSC1
mnt-routes:     MNT-NSC1
notify:         ripe@txtv.ba
changed:        hostmaster@ripe.net 20030807
changed:        hostmaster@ripe.net 20040625
changed:        hostmaster@ripe.net 20050719
changed:        bitbucket@ripe.net 20081003
changed:        hostmaster@ripe.net 20110804
changed:        hostmaster@ripe.net 20140324
changed:        bit-bucket@ripe.net 20140325
source:         RIPE

organisation:   ORG-TdT1-RIPE
org-name:       TXTV d.o.o. Tuzla
org-type:       LIR
address:        TXTV d.o.o.
address:        Admir Jaganjac
address:        Focanska 1N
address:        75000
address:        Tuzla
address:        BOSNIA AND HERZEGOVINA
phone:          +38735353333
fax-no:         +38735266114
tech-c:         TXTV1-RIPE
abuse-mailbox:  abuse@txtv.ba
mnt-ref:        MNT-TXTV
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
admin-c:        AJ2947-RIPE
admin-c:        AA26986-RIPE
admin-c:        IK879-RIPE
abuse-c:        NSC11-RIPE
source:         RIPE
e-mail:         ripe@txtv.ba
changed:        bitbucket@ripe.net 20140324

person:         Igor Krneta
address:        Majora Drage Bajalovica 18
address:        78000 Banjaluka, BA
e-mail:         ripe@elta-kabel.com
phone:          +387 51 961 001
nic-hdl:        IK879-RIPE
mnt-by:         MNT-NAVIGOSC
changed:        ikrneta@navigosc.net 20071126
source:         RIPE

route:          217.71.50.0/24
descr:          Inet subnet #1
origin:         AS31630
mnt-by:         GENELEC-MNT
changed:        aadeno@inet.ba 20061029
source:         RIPE


I highlighted the part of most interest, which appears to be a block suballocated to someone using the email address aadeno@inet.ba.

I took a look at the sites hosted in this /24 and these are the results [csv]. There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.

Recommended blocklist:
217.71.50.0/24
darotkskeu.com
hijuvchr.com
humhfsara.com
lomospaoerotr.com
noerdfjkieswp.com
p28aa.com
pkoefkosaep.com
teeirkfoews.com
niggercar.es
invoice-ups.net
www-myups.net
invoice-myups.org
invoice-ups.org
office-hosts.org
softupdates.org
updatedns.org
www-myups.org
abdilo.ru
bihilafes.ru
cloudughtold.su
dedicnqher.su
dnspqajr.su
dnsxjkd.su
hosrvnwj.su
hostfjwmr.su
hostsple.su
hostyksn.su
servergotold.su
serverhersse.su
servermexyr.su
serveruey.su
serverxpqk.su
serviolt.su
ugulddedic.su
usehostru.su
uttofhost.su
vpsjsner.su
vpslopwz.su
baycityads.biz
blingstarscpm.biz
plustimber.biz
plutoads.biz
tempomedia.biz
dsffdsk323721372131.com
ny-discount-sales.com
rxmega-shop.com
rx-product-shop.com
safe-refill-rx.com
viphealhtmarket.com
datadirects.eu
dataremark.eu
dataresultsid.eu
datasynchronize.eu
datavail.eu
datsunplus.eu
dedistarid.eu
detectionstream1.eu
dmpcheck.eu
drellmedia.eu
elitemembers.eu
eplymedia.eu
eravideoads.eu
euserviceid.eu
forwardingref.eu
glowcheck.eu
iprecognition.eu
newsettingso.eu
ordealsting.eu
planacheck.eu
pluginverifys.eu
proudeuro.eu
refforwarding.eu
resellerapis.eu
rpmstatus.eu
samjectstar.eu
secondtierdirect.eu
selldataset.eu
soundads.eu
spokenads.eu
stretchstrong.eu
syncdata1.eu
trackingstreamchk.eu
trackstats.eu
trafficlax.eu
verablade.eu
club-rx-bestseller.ru
fuckaustralia.ru
rx-bestseller.ru




NetGuard Toolbar (ngcmp.com) spam

Sometimes a spam comes through and it isn't immediately obvious what they are trying to do:

From:    Brad Lorien [bclorien@ngcmp.com]
Date:    31 December 2014 at 01:12
Subject:    Real estate (12/30/2014)

Our company reaches an online community of almost 41 million people,
who are mostly US and Canadian based. We have the ability to present
our nearly 41 million strong network with a best, first choice when
they are looking online for what your company does.

We are seeking a preferred choice to send our people who are looking
for real estate in Abilene and surrounding markets.

I’m in the office weekdays from 9:00 AM to 5:00 PM Pacific time.

Best regards,

Brad Lorien
Network Specialist, SPS EServices
Phone: (877) 489.2929, ext. 64
There is no link or attachment in the email. So presumably the spammer is soliciting replies to the email address bclorien@ngcmp.com which is a valid address. The domain ngcmp.com uses a mail server mail.ngcmp.com to receive email messages, hosted on 38.71.66.127 (PSInet / Virtual Empire, US). A look at the spam headers are rather revealing..

Received: from [38.71.66.126] (port=60856 helo=ngcmp.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <bclorien@ngcmp.com>)
    id 1Y67tI-0006Ub-TC
    for [redacted]; Wed, 31 Dec 2014 01:16:17 +0000
Received: from mail.ngcmp.com (211.sub-75-215-49.myvzw.com [75.215.49.211])
    by ngcmp.net (Postfix) with ESMTPA id 0812E3E34E
    for <[redacted]>; Tue, 30 Dec 2014 19:18:13 -0600 (CST)
    (envelope-from bclorien@ngcmp.com)
We can see that the spam was sent via a relay at 38.71.66.126 which is one IP different from the server handling incoming mail, which pretty much firmly identifies that whoever controls the ngcmp.com domain is actually sending the spam. The mail headers also identify the originating IP as well as the relay, which is a Verizon Wireless customer at 75.215.49.211, possibly someone sending spam using throwaway cell phones to avoid being traced.

An examination of those two PSInet addresses shows the following domains are associated with them:

ncmp.co
ngmp.co
ngcmp.com
ng-portal.com
ngcmp.net
ng-central.net
luxebagscloset.com
reviewwordofmouth.com


All of these domains have anonymous WHOIS details, but you can see that there is a common pattern here. I don't recommend that you visit spam sites, but I did in this case to see what it was about.


It appears to be some crappy toolbar called NetGuard and indeed the ngcmp.com pulls down many resources from the netguardtoolbar.com website. The site claims to be from a company called "NG Systems" but gives no other identification. netguardtoolbar.com has also had anonymous WHOIS details since it was registered in 2008.

If we look at the "Privacy" page of the site, we can see what this is all about.

NetGuard does not ask you for any personally identifiable information such as an email address, phone number, your name, or any such data. We do track IP addresses only of those who choose to download our App. We also track downloads of the NetGuard App, as well as uninstalls of the NetGuard App, so that we may have accurate data on those two items only in dealing with our Advertisers. Our Advertisers assist us in maintaining our NetGuard App Community, which allows us to provide the public with even more features as time and innovation allows. NetGuard does, as part of our advertising process, allow Advertisers who maintain an active Advertiser Account, to present their websites when an end user of the NetGuard does a search on any of the major search engines. This in no way changes the search results contained on the native pages of the major search engines, but does allow NetGuard to continue to present the general public with more options as time and innovation allows. 
This is basically adware. Going back to the original spam message, these "41 million people" are presumably suckers who have downloaded this crap, and NG Systems are busy spamming out to find more low-life advertisers to fill up their network. Or am I just sounding annoyed?

Predictably, there seems to be no such corporation as "NG Systems", but if you download the Toolbar it turns out it is digitally signed by a company called "IP Marketing Concepts, Inc." 

If we drill down into the certificate details we can find out  more about this mystery corporation.
CN = IP Marketing Concepts, Inc.
OU = SECURE APPLICATION DEVELOPMENT
O = IP Marketing Concepts, Inc.
L = Lewes
S = Delaware
C = US


Some Googling around finds a Delware corporation number 4099908 founded in 2006, but as Delware is a "go to" place for corporation trying to hide their identities, it is hard to find out more information without paying.

The executable itself is tagged by only one AV engine as malicious, but VirusTotal does note that it looks like a PUA. Malwr notes that individual components appear to be Russian in origin.

So all in all, this spam is being sent out by a company that goes a very, very long way to disguise its origins. Would you really want to either install their product or advertise on their network?


Wednesday, 24 December 2014

Malware spam: Rhianna Wellings / Rhianna@teckentrupdepot.co.uk / Signature Invoice 44281

Teckentrup Depot UK is a legitimate UK company, but these emails are not from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are not responsible for this in any way.

From:    Rhianna Wellings [Rhianna@teckentrupdepot.co.uk]
Date:    24 December 2014 at 07:54
Subject:    Signature Invoice 44281

Your report is attached in DOC format.

To load the report, you will need the Microsoft® Word® reader, available to download at http://www.microsoft.com/
Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro [1] [2] [pastebin] which then downloads an additional component from one of these two locations:

http://Lichtblick-tiere.de/js/bin.exe
http://sunfung.hk/js/bin.exe

The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56. The ThreatExpert report shows traffic to the following IPs:

74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)

According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56, detected as the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere.de
sunfung.hk

Tuesday, 23 December 2014

"Remittance Advice" spam comes with a malicious Excel attachment

This fake remittance advice comes with a malicious Excel attachment.

From:    Whitney
Date:    23 December 2014 at 09:12
Subject:    Remittance Advice -DPRC93

Confidentiality and Disclaimer:  This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error.

This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the Telecommunications (Lawful Business Practices)(Interception of Communications) Regulations 2000.

The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, this is poorly-detected by AV vendors [1] [2] [3] [4].

If you read this blog regularly then you might have seen me mention these attacks many times before, and most of these have a familiar pattern. However, the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself.

The macro itself looks like this [pastebin] and as far as I can tell from it, it loads some data from the Excel spreadsheet and puts it into a file %TEMP%\windows.vbs. So far I have seen four different scripts [1] [2] [3] [4] which download a component from one of the following locations:

http://185.48.56.133:8080/sstat/lldvs.php
http://95.163.121.27:8080/sstat/lldvs.php
http://92.63.88.100:8080/sstat/lldvs.php
http://92.63.88.106:8080/sstat/lldvs.php

It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe.

The ThreatExpert report shows traffic to the following:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)

VirusTotal indicates a detection rate of just 3/54, and identifies it as Dridex.

Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107

185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106

Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well.






Monday, 22 December 2014

"Tiket alert" spam. Tiket? Really?

Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

From:    FBR service [jon.wo@fbi.com]
Date
:    22 December 2014 at 18:29
Subject:    Tiket alert

Look at the link file for more information.

http://mitsuba-kenya.com/ticket/fsb.html

Assistant Vice President, FBR service
Management Corporation
I have seen another version of this where the download location is negociomega.com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe.

This has a VirusTotal detection rate of 2/54. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:

http://202.153.35.133:42463/2212us12//0/51-SP3/0/
http://202.153.35.133:42463/2212us12//1/0/0/
http://moorfuse.com/images/unk12.pne


202.153.35.133 is Excell Media Pvt Ltd, India.

Recommended blocklist:
202.153.35.133
moorfuse.com
mitsuba-kenya.com
negociomega.com

Angler EK on 193.109.69.59

193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit.

The infection chain that I have seen is as follows (don't click those links, obviously):

[donotclick]www.opushangszer.hu/hora-at-200-b-csiptetos-gitarhangolo/1-864-359
-->
[donotclick]bettersaid.net/7b614b6f9fb62682c46d303fea879a38.swf
-->
[donotclick]www.smallbusinesssnapshot.com/

a6107b69be5422d82da0c2109cc7f20f.php?q=7a7581fad469383e7313d27d1cedf2d3
-->
[donotclick]qwe.holidayspeedfive.biz/em3t8gxum0
-->
[donotclick]qwe.holidayspeedfive.biz/

KuCRwb_Bwr38O4rT6dqEUCT9x5K26Bw_PNEHE3DJ_U9vgmcD31TZILN2BlAmHabL

The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:

qwe.holidayspeedsix.biz
qwe.holidayspeedfive.biz
qwe.holidayspeedseven.biz


A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted in this /23 indicates that most of them appear to be selling counterfeit goods, so blocking the entire /23 will probably be no great loss.

Recommended minimum blocklist:
193.109.69.59
holidayspeedsix.biz
holidayspeedfive.biz
holidayspeedseven.biz

Friday, 19 December 2014

Malware spam: "Blocked Transaction. Case No 970332"

This fake ACH spam leads to malware:

Date:    19 December 2014 at 16:06
Subject:    Blocked Transaction. Case No 970332

The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID     083520
Transaction Amount     1458.42 USD
Sender e-mail     info@victimdomain
Reason of Termination     See attached statement

Please open the word file enclosed with this email to get more info about this issue. 
In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal dectection rate of 4/54. Inside are a series of images detailing how to turn off macro security.. which is a very bad idea.











If you are daft enough to enable macros, then this macro [pastebin] will run which will download a malicious binary from http://nikolesy.com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51 as is identified as the Dridex banking trojan.

Malware spam: no-replay@my-fax.com / "Employee Documents - Internal Use"

This fake fax spam leads to malware:

From:    Fax [no-replay@my-fax.com]
Date:    19 December 2014 at 15:37
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://crematori.org/myfax/company.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
The download locations in the email vary, so far I have seen:

http://newsurveyresults.com/myfax/company.html
http://ChallengingDomesticAbuse.co.uk/myfax/company.html
http://crematori.org/myfax/company.html
http://gnrcorbus.com/myfax/company.html
http://sonata-arctica.wz.cz/myfax/company.html

Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55. Most automated analysis tools are inconclusive [1] [2] but the VT report shows network connections to the following locations:

http://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http://202.153.35.133:40542/1912uk22//1/0/0/
http://natural-anxiety-remedies.com/wp-includes/images/wlw/pack22.pne


Recommended blocklist:
202.153.35.133
natural-anxiety-remedies.com




Malware spam: "BACS payment Ref:901109RW"

This spam comes with a malicious attachment, in a format similar to the following:

From:    Fern
Date:    19 December 2014 at 10:09
Subject:    BACS payment Ref:901109RW


Please see below our payment confirmation for funds into your account on Tuesday re invoice 901109RW

Accounts Assistant
Tel:  01874 662 346
Fax: 01874 501 248

To add credibility, the attachment has the same name as the reference in the subject and body text (in this case it is 901109RW.xls). The reference is randomly generated.

So far, I have seen three different type of attachment, all undetected by AV vendors [1] [2] [3] containing a different malicious macro each [1] [2] [3] [pastebin]. These macros then try to download an executable from the following locations:

http://78.129.153.23/sstat/lldvs.php
http://5.9.253.183/sstat/lldvs.php
http://185.48.56.123/sstat/lldvs.php


The file is downloaded as test.exe and is then moved to %TEMP%\VMUYXWYSFXQ.exe. It has a VirusTotal detection rate of 2/54. VT also reports that it phones home to 194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

Additional analysis is pending.

UPDATE:
A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal and a different macro [pastebin], however it downloads the same binary from http://78.129.153.23/sstat/lldvs.php as the previous example does.

Thursday, 18 December 2014

Malware spam: aquaid.co.uk "Card Receipt"

[UPDATE: as of December 2015, there is a new version of the spam doing the rounds]

This spam claims to be from the legitimate firm AquAid, but it isn't. Instead it comes with a malcious attachment. The email is a forgery, AquAid are not sending the spam, nor have their systems been compromised in any way.

From:    Tracey Smith [tracey.smith@aquaid.co.uk]
Date:    18 December 2014 at 07:24
Subject:    Card Receipt

Hi

Please find attached receipt of payment made to us today

Regards
Tracey


Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk
email_new_logo
AquAid really is the only drinks supplier you will ever need with our huge product range. With products ranging from bottled and mains fed coolers ranging up to coffee machines and bespoke individual one off units we truly have the right solution for all environments. We offer a refreshing ethical approach to drinks supply in that we support both Christian Aid and Pump Aid with a donation from all sales.  All this is done while still offering a highly focused local service and competitive pricing. A personalised sponsorship certificate is available for all clients showing how you are helping and we offer £25 for any referral that leads to business.
*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with registered number 3505477 and registered office at 51 Newnham Road, Cambridge, CB3 9EY, UK. This message is intended only for use by the named addressee and may contain privileged and/or confidential information. If you are not the named addressee you should not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify the sender and delete the message and any attachments accompanying it immediately. Neither AquAid nor any of its Affiliates accepts liability for any corruption, interception, amendment, tampering or viruses occurring to this message in transit or for any message sent by its employees which is not in compliance with AquAid corporate policy.

In the sample I have seen, the attachment is called CAR014 151239.doc which is malicious, but only has a VirusTotal detection rate of 2/54. This particular document (note that there are usually several different documents in the spam run) contains this malicious macro [pastebin]. This macro downloads a malware executable from:

http://sardiniarealestate.info/js/bin.exe

..which is saved as %TEMP%\YEWZMJFAHIB.exe - this has a marginally better detection rate of 3/53.

The ThreatExpert report shows connections to the following two IPs:

74.208.11.204 (1&1, US)
81.169.156.5 (Strato AG, Germany)

The Malwr report shows that it drops a DLL which is very poorly detected but is probably the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5

FOR RESEARCHERS ONLY: a copy of the malicious DOC attachment plus dropped files can be found here. Password is "infected". Only handle these if you know what you are doing.

UPDATE 2015-01-13

This spam keeps coming back every few days or so. This time the attachment has a VirusTotal detection rate of 3/57 and the malicious macro it contains [pastebin] downloads from:

http://forpetsonly.cz/js/bin.exe

This file has a VirusTotal detection rate of 2/57. The Malwr report shows it phoning home to:

59.148.196.153
74.208.11.204

It also drops a DLL with a detection rate of 2/57.

UPDATE 2015-02-25

Another version of this spam run is in progress, with these malicious macros [1] [2] downloading from the following locations:

http://junidesign.de/js/bin.exe
http://jacekhondel.w.interia.pl/js/bin.exe

This malware is the same as used in this spam run.

Wednesday, 17 December 2014

"Blocked ACH Transfer" spam has a malicious DOC attachment

Another spam run pushing a malicious Word attachment..

Date:    17 December 2014 at 07:27
Subject:    Blocked ACH Transfer

The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.

Canceled transaction
ACH file Case ID     623742
Total Amount     2644.93 USD
Sender e-mail     info@mobilegazette.com
Reason for rejection     See attached word file
Please see the document provided below to have more details about this issue.


Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55.

Inside this is a malicious macro [pastebin] which downloads a file from:

http://www.lynxtech.com.hk/images/tn.exe

This has a VirusTotal detection rate of just 1/54. The Malwr report shows it POSTING to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.

Recommended blocklist:
5.187.1.78
209.208.62.36



"PL REMITTANCE DETAILS ref844127RH" malware spam

This fake remittance advice comes with a malicious Excel attachment.

From:    Briana
Date:    17 December 2014 at 08:42
Subject:    PL REMITTANCE DETAILS ref844127RH

The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros [1] [2] which then reach out to the following download locations:

http://23.226.229.112:8080/stat/lldv.php
http://38.96.175.139:8080/stat/lldv.php


The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55. The ThreatTrack report [pdf] shows it POSTing to the following IP:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

This IP has been used in several recent attacks and I strongly recommend blocking it.

The Malwr report also shows it dropping a malicious DLL identified as Dridex.

The ThreatExpert report gives some different IPs being contacted:

80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)


The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:

194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139

Spam: "Localizan a los 43 estudiantes desaparecidos en Ayotzinapa"

This Spanish-language malware spam comes with a malicious attachment.

From:    El Universal
Date:    16 December 2014 at 09:06
Subject:    Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Hoy 16 de diciembre del 2014 por la madrugada, agentes de la Policía Ministerial de Guerrero
han localizado con vida a los 43 estudiantes, desaparecidos el dia 26 de septiembre del 2014.

Para ver imágenes exclusivas del reencuentro de los estudiantes con sus familias, y las condiciones en que
vivieron durante su secuestro, anexamos un documento en este correo electrónico en formato Microsoft Word.


El Universal © todos los Derechos Reservados  2014.
This translates roughly as:

Located at 43 students missing in Ayotzinapa.

Today December 16, 2014 at dawn, agents of the Ministerial Police Guerrero
have been located alive at 43 students, missing the day September 26, 2014.

To view exclusive footage of the reunion of students and their families, and the conditions under which
They lived during his abduction, we attach a document to this email in Microsoft Word format.


The Universal © All Rights Reserved 2014.
This email relates to the kidnapping and possible murder of 43 Mexican students which has been blamed by some on the Mexican Police.

The Word document contains a malicious macro, and detailed instructions for the victim on how to disable the inbuilt security to enable it to run.


Once this has been done, the malicious macro [pastebin] runs. This attempts to download a file from:

http://www.milusz.eu/templates/default/00/ss.exe

At the moment, this download location is coming up with a 404 error. If the download were to work, it would save the file as %TEMP%\ test00010.exe. The Word document has a moderate detection rate of 10/54.

This type of malicious spam has been around for a long time, and this particular technique seems to be exclusively in Spanish, I have never seen this attack in English or any other language.

Malware spam: UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" [roughandtumble63@yahoo.co.uk]

This somewhat odd and terse spam comes with a malicious attachment.

From:    UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" <roughandtumble63@yahoo.co.uk>
Date:    17 December 2014 at 07:20
Subject:    Invoice as requested
There is no body text, but there is an malicious DOC attachment named 20140918_122519.doc which come in two slightly different versions with poor detection rates [1] [2]. The macros have been subtly changed from recent spam runs [1] [2] [pastebin] and download a second stage from one of the following locations:

http://openstacksg.com/js/bin.exe
http://worldinlens.net/js/bin.exe


This malicious executable is saved as %TEMP%\ADGYMSEKRJE.exe and has a detection rate of only 2/54.

Is is common with recent similar malware attempts, it attempts to phone home to 74.208.11.204 (1&1, US) as shown in the ThreatTrack report [pdf]. The Malwr report indicates a dropped file with an MD5 of ee826c184155a1fa1aea984f914e606a which is probably Dridex.

Monday, 15 December 2014

Malware spam: IFS Applications / vitacress.co.uk / DOC-file for report is ready

This fake payment advice spam is not from Vitacress but is a forgery with a malicious Word document attached.
From:    IFS Applications [Do_Not_Reply@vitacress.co.uk]
Date:    15 December 2014 at 07:49
Subject:    DOC-file for report is ready

The DOC-file for report Payment Advice is ready and is attached in this mail.
Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contain one of two malicious macros [1] [2] [pastebin] that download a malware binary from one of the following locations:

http://gv-roth.de/js/bin.exe
http://notaxcig.com/js/bin.exe


This file is saved as %TEMP%\DYIATHUQLCW.exe  and is currently has a VirusTotal detection rate of just 1/52.

The ThreatExpert report and Malwr report shows attempted connections to the following IPs which have been used in many recent attacks and should be blocked if you can:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)

The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet.

UPDATE 2014-12-16

A second wave of spam is in progress with a pair of new malicious Word documents with low detection rates [1] [2] containing new macros [1] [2] that download a malicious file from the following locations:

http://finepack.co.in/js/bin.exe
http://loneleaf.ca/js/bin.exe


This file is saved as %TEMP%\TQWTGECOROR.exe and it currently has a detection rate of just 1/54. The Malwr report shows it posting to 74.208.11.204 yet again, although it does not show the dropped Dridex binary that I would expect to see.