Sponsored by..

Monday, 19 January 2015

Malware spam: "NatWest [donotreply@netwest.uk]" / "Important - Please complete attached form"

This spam claiming to be from NatWest bank (or is it nEtwest?) leads to malware.

From:    NatWest [donotreply@netwest.uk]
Date:    19 January 2015 at 14:02
Subject:    Important - Please complete attached form

*********************************************************************
This message has been scanned by the Bankline CSC SSM AV and found to be free of known security risks.
*********************************************************************

Dear Customer

Please find below your Banking Form for Bankline.

http://www.ipawclp.com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document.html
Please complete Bankline Banking Form :

- Your Customer Id and User Id - which are available from your administrator if you have not already received them

Additionally, if you wish to access Bankline training, simply follow the link  below

www.natwest.com/banklinetraining

If you have any queries or concerns, please telephone your Electronic Banking Help Desk.


National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer.

Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate

In this case the link in the email goes to www.ipawclp.com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document.html where it hits a couple of scripts at:

http://restaurantratiobeach.ro/js/jquery-1.39.15.js
http://utokatalin.ro/js/jquery-1.39.15.js

In turn, that leads to a ZIP file download which contains an EXE file which is slightly different each time it downloads, with low detection rates in all cases [1] [2] [3]. The name of the ZIP file and EXE varies, but is in the format doc12345.exe and doc54321.zip. Of note is a sort-of-informational screen on the download page.


Automated analysis is presently inconclusive [1] [2].

UPDATE:
@snxperxero suggests blocking the following sites:
202.153.35.133
loveshopclothing.com
credit490.com



Malware spam: "Traci Wilson" / "t.wilson@daviescranehire.co.uk" / "19TH JANUARY 2015.doc"

This rather terse spam does not actually come from Davies Crane Hire, but it is a forgery with a malicious Word document attached. Davies Crane Hire have not been hacked or compromised, and they are not sending out this spam.

From:    Traci Wilson [t.wilson@daviescranehire.co.uk]
Date:    19 January 2015 at 09:05
Subject:    19TH JANUARY 2015.doc
There is no body text, just an attachment called 19TH JANUARY 2015.doc which contains a malicious macro.

The documents in use and the payload are identical to this spam run that proceeded it. At the moment, everything has a very low detection rate. The payload is the Dridex banking trojan.



Malware spam: "repairermessages@fmg.co.uk" / "Insurance Inspection Arranged AIG02377973" / "FMG Support Group Ltd"

This spam does not come from FMG Support Group Ltd, but instead it is a forgery. FMG are not sending out the spam, nor have their systems been compromised in any way. Instead, this spam has a malicious Word document attached.
From:    repairermessages@fmg.co.uk
Date:    19 January 2015 at 07:24
Subject:    Insurance Inspection Arranged AIG02377973

FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.

Have you been impressed by one of our people?
If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@fmg.co.uk

FMG Support Group Ltd. Registered in England. No. 06489429.
Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.

Tel: 0844 243 8888
Email: info@fmg.co.uk

This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you received this email by mistake, please advise the sender by using the reply facility in your email software.

Outbound Message checked by Websense Mail Control.
Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least two different versions, neither of which are detected by AV vendors [1] [2]. These documents contain two slightly different malicious macros [1] [2] which attempt to download a further component from:

http://chilan.ca/js/bin.exe
http://techno-kar.ru/js/bin.exe

This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57. The Malwr report shows it attempting to communicate with the following IPs:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)


These two IP addresses have been used by this malware for a long time, I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53.
 

Thursday, 15 January 2015

Malware Spam: "HEXIS (UK) LIMITED" / "Invoice from Hexis"

This fake invoice has a malicious attachment. It does not comes from Hexis UK Ltd, it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.

From:    Invoice from Hexis [Invoice@hexis.co.uk]
Date:    15 January 2015 at 06:36
Subject:    Invoice

Sent 15 JAN 15 08:30

HEXIS (UK) LIMITED
7 Europa Way
Britannia Park
Lichfield
Staffordshire
WS14 9TZ

Telephone 01543 411221
Fax 01543 411246 
Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in two different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros [1] [2] which download a component from one of the following locations:

http://dramakazuki.kesagiri.net/js/bin.exe
http://cassiope.cz/js/bin.exe

This has a VirusTotal detection rate of 3/57. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:

59.148.196.153
74.208.11.204
81.27.38.97


UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57.



Malware spam: Payment request of 4176.94 (14 JAN 2015)

This spam comes with a malicious Word document attached:

from:    Alan Case
date:    15 January 2015 at 08:49
subject:    Payment request of 4176.94 (14 JAN 2015)

Dear Sirs,

Sub: Remitance of GBP 4176.94

This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
For more information on our bank details please refer to the attached document.

Thanking you,
Alan Case Remittance Manager
Other names and job titles seen include:
Alan Case
Melisa Howell
Brooke Barr
Nanette Lloyd
Holly Hartman
Doreen Mclean
Lonnie Boyer
Jessica Richardson
Celeste Singleton
Katie Hahn
Marilyn Barnett
Lois Powell
Donald Yang
Christina Grimes
Keenan Graham
Muriel Prince
Chance Salazar
Francine Nixon

Accounting Team
Senior Accounts
Senior Accounts Payable
Senior Accountant
General Manager
Remittance Manager

The payment amount, name and job title change in each spam, as does the name of the attachment (although this following the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3] which in turn contain a slightly different macro [1] [2] [3] which attempt to download another component from one of the following locations:

http://95.163.121.71:8080/mopsi/popsi.php
http://95.163.121.72:8080/mopsi/popsi.php

http://136.243.237.204:8080/mopsi/popsi.php

Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking.  136.243.237.204 is a Hetzner IP.

The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP.

The Malwr report is inconclusive, but this exectuable probably drops a Dridex DLL.

Recommended blocklist:
194.146.136.1
95.163.121.71
95.163.121.72
136.243.237.204

UPDATE: the following are Dridex C&C servers which you should also block:
80.237.255.196
85.25.20.107

Wednesday, 14 January 2015

Isabella Rossellini falls on hard times, starts sending SEO spam

Now, I enjoyed Isabella Rossellini very much in Blue Velvet ..


But it seems that she must have fallen on hard times and has started spamming for some Indian SEO outfit..

From:    Isabella Rossellini [isabellarosselliniwebmaster@hotmail.com]
Date:    14 January 2015 at 11:30
Subject:    SEO Package Get 25% Discount

Hi,

My name is Isabella Rossellini and working with a reputed leading S.E.O. Company in INDIA having the experience of getting our customer’s websites top in Google, Yahoo, and Msn and other search engine rankings producing high revenue with top page rank.

We provide a S.E.O. Special Offer going for the following package.

Monthly task and Responsibilities:-

1. 150 Directory submissions
2. 10 Social Bookmarking Submissions
3. 10 Article Submissions (1 article x 10 article directories)
4. 10 Press Release Submissions (1 press release x 10 press release websites)
5. Google Submissions
6. 1 unique, 400 word article written
7. 1 unique, 400 word press releases
8. 15 One Way back links with mix PR
9. Meta tags changes suggestions
10. Keyword research
11. Competitor Analysis
12. Heading tag changes
13. Alt tag changes
14. Interlinking wherever required.
15. Keyword Density in site content.
16. HTML Site Map
17. XML site map and Submission in webmaster tool
18.Search Engine Submission
19.Content Optimization
20.Deep linking submission

Wish u a happy,healthy,peaceful & prosperous 2015!!!

Let me know if you are interested and I would happy to send you more details on this.

Kind Regards

Isabella Rossellini
Online Marketing Executive
I suppose it is marginally possibly that this isn't the same "Isabella Rossellini" or indeed that the name is completely made up. Anyway, I think I will give this SEO spammer a wide berth.

Malware spam: "Les Mills Invoice" / "lmuk.accounts@lesmills.com"

This fake invoice pretends to come from Les Mills but it doesn't, it is a forgery and they are not sending out spam nor have their systems been compromised in any way. Instead, this is being sent by a botnet controlled by organised criminals and carries a malicious attachment.

From:    lmuk.accounts@lesmills.com
Date:    14 January 2015 at 07:49
Subject:    Les Mills Invoice

Dear Customer,
Please find attached an invoice for Les Mills goods/services.  Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
If you have any queries please email lmuk.accounts@lesmills.com or call 0207 264 0200 and select option 3 to speak to a member of the team.
Best regards,
Les Mills Finance Team
I have personally only seen one sample with an attachment Les Mills SIV035931.doc which is currently undetected by AV vendors and contains this malicious macro [pastebin]. This version of the macro attempts to download a component from:

http://ford-mustang.ro/js/bin.exe

..but this location is currently not working. However, my sources say that there is another download location of:

http://okurimono.ina-ka.com/js/bin.exe

which is loaded by a different version of the DOC that I have not yet seen. This file is saved as %TEMP%\dserrttfsdf.exe and has a VirusTotal detection rate of 2/57. The same source says that it downloads a DLL from the following IPs:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
81.27.38.97 (Webhuset Datasenter, Norway)

Some of this activity can be seen in the Malwr report including the dropped DLL which has a VirusTotal detection rate of just 2/57.

Recommended blocklist:
59.148.196.153
74.208.11.204
81.27.38.97

okurimono.ina-ka.com

Tuesday, 13 January 2015

Malware spam: "john.smith@mail-irs.gov" / "Your tax return was incorrectly filled out"

This fake tax return spam leads to malware:

From: John Smith [mailto:john.smith@mail-irs.gov]
Sent: 13 January 2015 11:13
Subject: Your tax return was incorrectly filled out


Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely
The link in the email has a format such as:
http://marypageevans.com/taxadmin/get_doc.html
http://laser-support.co.uk/taxadmin/get_doc.html

A journey through some heavily obfuscated javascript follows (see here for a deeper analysis of this sort of attack) which eventually leads to a download called message.zip which contains a malicious executable tax_guide_pdf.exe which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead.

The .exe file has a VirusTotal detection rate of just 2/57 and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:

http://202.153.35.133:19639/1301us23/HOME/0/51-SP3/0/
http://202.153.35.133:19639/1301us23/HOME/1/0/0/
http://dstkom.com/mandoc/lit23.pdf
http://202.153.35.133:19657/1301us23/HOME/41/7/4/

It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs.gov on your email gateway might help.

Monday, 12 January 2015

Malware spam: Important - New Outlook Settings

There has been a large spam run going on in the past few hours with the subject "Important - New Outlook Settings", for example:

From: Administrator [mailto:Administrator@Outlook-us.com]
Date: Monday, 12th January 2015 16:21
Subject: Important - New Outlook Settings

Please carefully read the downloaded instructions before updating settings.

http://indemnizaciongarantizada.com/outlook/settings.html

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@Outlook-us.com and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it. 
The download location varies but always has the same path. Here are some other sites in use:

equisolv.com
crm.martrada.com
drukart.home.pl
baypipo.com
hagarsatat.com
duedisnc.it
hinchablessegarra.com
ferramentarighi.it
eu1.panalinks.com
duckzone.kilu.de
indemnizaciongarantizada.com

This spam run is essentially very similar as others seen in recent days, for example this one. Clicking the link in the email will either lead to nonsense text or a file that downloaded as "message.zip ;.zip ;.zip ;" when I tried it.

Inside this ZIP file is an executable file that is slightly different each time it is downloaded. When I scanned one of these earlier, it turned out to have a very low detection rate.

The Malwr report shows that it drops another file that appears to be a banking trojan, and which also has low detection rates.

Malwr also reports malicious traffic to and from the following locations:

http://202.153.35.133:12028/1201uk1/HOME/0/51-SP3/0/
http://202.153.35.133:12028/1201uk1/HOME/1/0/0/
http://morph-x.com/mandoc/page_241.pdf
http://202.153.35.133:12011/1201uk1/HOME/41/7/4/

A tip-off also indicates that there will be traffic to coffeeofthemonth.biz.

Recommended blocklist:
202.153.35.133
morph-x.com
coffeeofthemonth.biz

Malware spam: "JPS Projects Ltd" / "Jason Bracegirdle" / "Summary Paid Against "

This fake finance email appears to be from a legitimate company called JPS Projects Ltd, but it isn't. Instead the email is a forgery being sent by an organised crime ring. JPS Projects are not sending this email, not have their systems been hacked in any way.

This email has a malicious Word document attached, the nature of the email itself indicates that it has been taken from a customer of JPS Projects that has been hacked and used as a template for the spam.

There is no need to email or phone JPS Projects, you should simply delete the email message without opening the the attachment.

From:    Jason Bracegirdle JPS Projects Ltd [jason.bracegirdle@jpsprojectsltd.co.uk]
Date:    12 January 2015 at 10:50
Subject:    Summary Paid Against

Please find attached summary which was paid against

Jas




JPS
Jason Bracegirdle  Managing Director

M: 07912 883455O: 02031 741416F: 02030 700632E: jason.bracegirdle@jpsprojectsltd.co.ukW: www.jpsprojectsltd.co.uk
QMS ISO 9001QMS ISO 14001OHAS 18001
Manchester
402 Chaddck Lane
Astley
Manchester
M29 7JS
London
Unit 9,
Bunns Lane Works,
Bunns Lane,
Mill Hill,
London
NW7 2AJ

JPS
This e-mail is confidential and is intended solely for the use of the individual or entity to whom it is addressed. If you are not the intended recipient and you have received this e-mail in error then any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. You should contact the sender by return e-mail and delete and destroy all the information from your system. Any views or opinions presented are solely those of the author and do not necessarily represent those of JPS. This email does not form part of a legally binding agreement. We have taken precautions to minimise the risk of transmitting software viruses or trojans, but we advise that you carry out your own virus checks on any attachments to this message. We cannot accept liability for any loss or damage caused to your software, hardware or system.
More information about JPS can be found at our website at: http://www.jpsprojectsltd.co.uk

Attached is a file Copy of Weekly Summary 28 12 2014 w.e 28.12.14 which actually comes in two versions, both with a VirusTotal detection rate of 3/56 [1] [2]. The payload is exactly the same as used in this earlier spam run today and it leads to the Dridex banking trojan.

Malware spam: "Invoice from simply carpets of Keynsham Ltd"

This fake invoice spam comes with a malicious Word document attached. It is not from Simply Carpets of Keynsham Ltd, it is spoofed (i.e. it is a forgery) and their systems have not been compromised in any way.
From:    Simply carpets [sales@simplycarpets.co.uk]
Date:    12 January 2015 at 08:11
Subject:    Invoice from simply carpets of Keynsham Ltd

Your invoice is attached.  Please remit payment at your earliest
convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

simply carpets of Keynsham Ltd
So far this morning I have only seen a single sample of the Word document which is undetected by any anti-virus vendors. This document contains a malicious macro [pastebin] which then downloads an additional component from:

http://haselburg.cz/js/bin.exe

This is then saved as %TEMP%\TYUhfdtUUUdsf.exe. This also has a low detection rate (identified as Dridex), and the Malwr report shows that it attempts to contact the following well-known malware C&C IPs:

74.208.11.204 (1&1, US)
59.148.196.153 (HKBN, Hong Kong)

It probably also drops a malicious DLL, although the Malwr report does not show that.

Recommended blocklist:
59.148.196.153
74.208.11.204


UPDATE: a second version of the malicious document is also in circulation, again undetected by AV vendors, but this time the macro downloads from:

http://shared.radiosabbia.it/js/bin.exe

This is exactly the same binary as downloaded by the other sample.

UPDATE 2015-01-13

 If you receive a spam like this and are in the UK, the good folks at Simply Carpets request that you report it to report it to ActionFraud:
Have you received a spoof email from us ref invoice 12983? Call fraud office 03001232040 ref nfrc150100902706. Thank you for your support

Friday, 9 January 2015

Malware spam: "Employee Documents - Internal Use" / "Fax [no-replay@fax-voice.com]"

This fake fax run is a variation of this one from yesterday.
From:    Fax [no-replay@fax-voice.com]
Date:    9 January 2015 at 14:52
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://rehberhatay.com/files/get_msg.html
As before, there are several links leading to different download locations, the ones I have personally seen are:

http://isschennai.com/files/get_msg.html
http://java.bizhat.com/files/get_msg.html
http://tradedeal.in/files/get_msg.html
http://cecileandsimonswedding.com/files/get_msg.html
http://kimtrotman.com/files/get_msg.html
http://forum-adb.org/files/get_msg.html
http://munimejia.gob.pe/files/get_msg.html
http://rehberhatay.com/files/get_msg.html
http://marinethrusters.com/files/get_msg.html
http://homeworkhelpindia.com/files/get_msg.html

These landing pages lead to a pair of jjencoded javascripts hosted on different files. I explained a little about those last time, so I won't go into much more detail about how to handle those.

What is interesting though is that the download location that you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. And possibly even more interesting is that every time you download the target ZIP file "message.zip ;.zip ;.zip ;" it seems to be different.

Visiting the sites I listed above get ten different download locations:

http://hudsoncityholdings.com/js/jquery-1.6.39.js?get_message=4068432082
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=1390167085
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=337687660
http://hudsoncityholdings.com/js/jquery-1.6.39.js?get_message=3612499004
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=4238661099
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=2377682563
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=2792412553
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=1104895466
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=3161145159
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=138855569

That led to 10 different ZIP files containing different EXE files, each one with similar VT results [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] and in turn Malwr reports that they are almost identically functionally [1] [2] [3] [4] [5] [6] [7] [8] [9] [10].

Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:

http://202.153.35.133:55365/0901us1/HOME/0/51-SP3/0/
http://202.153.35.133:55365/0901us1/HOME/1/0/0/
http://crecrec.com/mandoc/nuts12.pdf
http://202.153.35.133:55350/0901us1/HOME/41/7/4/
http://samrhamburg.com/img/ml1.tar

202.153.35.133  (Excell Media Pvt Lt, India) is probably the key thing to block.

Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characterstics in each case. This has a VirusTotal detection rate of 1/55 and you can see the Malwr report for that file here.

For researchers only, a copy of the file involved can be found here, password=infected

Malware spam: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report

This spam email pretends to be from a wholly legitimate company called Datasharp UK Ltd but it isn't, it is a spoof. Datasharp is not sending the spam, their systems have not been compromised in any way.
From:    ebilling@datasharp.co
Date:    9 January 2015 at 06:55
Subject:    DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report

THIS MESSAGE WAS SENT AUTOMATICALLY

Attached is your Invoice from Datasharp Hosted Services for this month.

To view your bill please go to www.datasharp.co.uk.  Allow 24 hours before viewing this information.

For any queries relating to this bill, please contact hosted.services@datasharp.co.uk or call 01872 266644.

Please put your account number on your reply to prevent delays

Kind Regards
Ebilling 
So far I have seen two different Word documents attached with low detection rates at VirusTotal [1] [2] containing one of two malicious macros [1] [2] [pastebin] which then attempt to download an additional component from the following locations:

http://TICKLESTOOTSIES.COM/js/bin.exe
http://nubsjackbox.oboroduki.com/js/bin.exe

The tickletootsies.com download location has been cleaned up, but the other one is still working at it downloads a file with a VirusTotal detection rate of 5/56. That VirusTotal report also shows that it attempts to POST to 74.208.11.204:8080 (1&1, US) which has been a malware C&C server for several weeks and is definitely worth blocking.

UPDATE: the Malwr report shows connections to the following IPs which I recommend you block:
59.148.196.153
74.208.11.204
 

Thursday, 8 January 2015

MyFax [no-replay@my-fax.com] spam campaign

I am endebted to several people for help with this (not all of whom I can mention). It is similar to this recent spam run analysed by TechHelpList.com.

It begins with a simple fake fax message..
From:    MyFax [no-replay@my-fax.com]
Date:    8 January 2015 at 17:11
Subject:    Fax #6117833

Fax message

http://raffandraff.com/docs/new_fax.html
Sent date: Thu, 8 Jan 2015 17:11:53 +0000
There are *lots* of these download locations, the ones I have personally seen are:

http://381main.com/docs/new_fax.html
http://blustoneentertainment.com/docs/new_fax.html
http://claimquest123.com/docs/new_fax.html
http://www.drhousesrl.it/docs/new_fax.html
http://dutawirautama.com/documents/message.html
http://espaceetconfort.free.fr/docs/new_fax.html
http://netsh105951.web13.net-server.de/docs/new_fax.html
http://njstangers.org/docs/new_fax.html
http://patresearch.com/docs/new_fax.html
http://powderroomplayground.com/docs/new_fax.html
http://prosperprogram.org/docs/new_fax.html
http://pyramidautomation.com/docs/new_fax.html
http://raffandraff.com/docs/new_fax.html
http://regimentalblues.co.uk/docs/new_fax.html
http://rewelacja.eu/docs/new_fax.html
http://stamfordicenter.com/docs/new_fax.html
http://stylista.com.cy/docs/new_fax.html
http://win.org.ro/docs/new_fax.html

Each one of these pages contains a script that looks like this:

<!DOCTYPE html>
<html>
<head>
  <title>Page Title</title>
<script type="text/javascript" src="http://girardimusicstudio.com/js/jquery-1.7.50.js"></script>
<script type="text/javascript" src="http://blackstonebikes.co.uk/js/jquery-1.7.50.js"></script>

</head>

<body>
</body>

</html>
So far, so good. But the scripts seem insane, like this one.


It looks a bit like Brainfuck but in fact it is something called jjencoding which I confess is way beyond my limited Javascript skillz. No worries, I used the code at this Github repository to decode it, and that leads to this script.

Now, this script passes some browser variables to the next step (described here, I won't reinvent the wheel), and if you have all your ducks in a row you might get a "Read message" link.

Get it wrong and you get another jjencoded script that turns out to be gobbledegook (like the message seen here).

The download link looks something like this - http://stylista.com.cy/js/jquery-1.7.50.js?get_message=2151693229 - which in this case downloads the curiously named file "message.zip ;.zip ;.zip ;" which contains a file fax_letter_pdf.exe which is of course malicious.

Now, it's worth pointing out that there is strong evidence that the EXE-in-ZIP file downloaded here has several different version. In this case it has a VirusTotal detection rate of 3/56. I have seen at least two other MD5s though, I think each download site might have a different variant.

The Malwr report for this binary takes us a little deeper down the rabbit hole. We can see that it communicates with the following URLs:

http://202.153.35.133:48472/0801us1/HOME/0/51-SP3/0/
http://202.153.35.133:48472/0801us1/HOME/1/0/0/
http://masterelectric.net/mandoc/1001.pdf


It also drops a file EXE1.EXE which has a detection rate of 4/56. That analysis indicates that the payload is the Dyreza banking trojan.

All this seems like a lot of effort to drop a ZIP file with a funny name, but it does go some way to obfuscating the payload.


Persistent hijacked GoDaddy domains serve malware via Turkish IPs

Last year I wrote about a small bunch of IPs belonging to Radore Veri Merkezi Hizmetleri A.S in Turkey that seemed to be aggressively pushing an exploit kit via hijacked GoDaddy domains. Today I was slightly surprised to see that this is still going on, and in some cases using the same domains as they were all those months ago.

Let's start by looking at an example hijacked domain gssportspics.com which is a neat little site with some high school photos of sports and events on.


We can look up the DNS details for www.gssportspics.com and they look OK with an IP of 184.168.152.5 which belongs to GoDaddy.

01/08/15 14:06:28 dns www.gssportspics.com
Mail for www.gssportspics.com is handled by smtp.secureserver.net mailstore1.secureserver.net
Canonical name: gssportspics.com
Aliases:
  www.gssportspics.com
Addresses:
  184.168.152.5


The domain is registered by GoDaddy, the domain is hosted by GoDaddy. Makes sense, and the website is clean of malware as far as I can tell.

But the problem is that there are a whole bunch of subdomains also using the gssportspics.com that you can't easily tell are there. For example, these subdomains all exist too:

invu.gssportspics.com
yossi.gssportspics.com
auckle.gssportspics.com
sively.gssportspics.com
truset.gssportspics.com
vishal.gssportspics.com
sovieana.gssportspics.com
wiramart.gssportspics.com
gardenhour.gssportspics.com
spechtling.gssportspics.com

Let's look up one of these..

01/08/15 14:24:45 dns vishal.gssportspics.com
Canonical name: vishal.gssportspics.com
Addresses:
  31.210.96.158


Well, that IP address ain't GoDaddy.

inetnum:        31.210.64.0 - 31.210.127.255
netname:        TR-RADORE-20110504
descr:          Radore Veri Merkezi Hizmetleri A.S.
country:        TR
org:            ORG-RHTH1-RIPE
admin-c:        RLA11-RIPE
tech-c:         RLA11-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RADORE-MNT
mnt-routes:     RADORE-MNT
mnt-domains:    RADORE-MNT
notify:         registry@rh.com.tr
changed:        hostmaster@ripe.net 20110504
changed:        hostmaster@ripe.net 20130410
changed:        bit-bucket@ripe.net 20130930
source:         RIPE


Well, we've been here before and I can tell you that these sort of hijacked sites are hosted on the following IPs:

31.210.96.155
31.210.96.156
31.210.96.157
31.210.96.158


I don't know how this Turkish host suballocates IPs to customers, but it is roughly equivalent to 31.210.96.152/29.

So how are these hijacks happening? Actually, I don't know although I do know that this is very common with GoDaddy accounts that use domaincontrol.com namservers. Perhaps the accounts are being phished, hit in an XSS attack or there is a weakness in GoDaddy's DNS architecture. GoDaddy are normally very good at cleaning this sort of thing up, so let's hope they can put a stop to this now.

What the exact payload of these IPs is I don't know because it is hardened against analysis, but they have hosted Ponmocup in the past.  I have observed traffic being sent to these server via hacked sites, and given the subdomain hijacking then it is clear that something very bad is going on. You can see an example of URLquery failing to analyse one of these sites here.. I suspect that the payload only works once per visiting IP.

You can see an example of some of the LIVE subdomains hosted on these IPs here [pastebin] or a full list of ALL the hijacked subdomains that I seen over time in this range here.

Currently, these following domains all have hijacked subdomains, as far as I can tell, they are all legitimate sites and I would hesitate to block them.. instead I would recommend blocking the IP address ranges listed above instead.

21ideas.com
2cuonline.com
4runnerliftkits.com
8jutawan.com
aabathlifts.com
adventureresponsibly.com
advertisementdevil.com
advertisewiththedevil.com
aesirholdings.com
agentonpoint.com
ahtcna.com
alhogames.com
alisonleese.com
allknowingpsychic.com
alloyfurnacerolls.com
alloymuffles.com
alloyradianttubes.com
allprodelta.com
alternateolympics.com
alternativeolympics.com
ancestorworshippublishing.com
animalgenetics.com
antonzuponcic.com
arc4g.com
aredietsok.com
aredietsokay.com
assistlist.com
asstimate.net
atvguidebooks.com
atv-guidebooks.com
atvtrailguides.com
autoeventregistration.com
automotiveeventregistration.com
automotiveservicesavings.com
autoserviceevent.com
aylesburyironing.com
azproremodelers.com
bahenasteel.com
bakecakesnow.com
basslakeshagclub.com
be3ny.com
benahavisrealestate.com
berkshirecapitalholdings.com
bestsilvercufflinks.com
bgtoledorent.com
birdsexingkit.com
blingmatters.com
blurlight.com
boeckman.net
breastimate.com
bridgenations.com
bristolblog.com
bristolwatch.com
bumperstickerpatriots.com
buybackmyvehicle.com
buynewaz.com
buynowbuynewaz.com
bvvk.com
canadianpilotcars.com
caninecolorgenetics.com
caninepaternitytesting.com
caseybassett.com
castlelawpa.com
caytechpools.com
charlesawells.com
chrisvessey.com
ciunev.com
concretevibration.com
connecteli.com
connectmetv.com
consul-tec.com
consumerdevil.com
cruzeonover.com
custom-chocolate-favors.com
customerdevil.com
dealerholidayevent.com
deespilotcars.com
defeattheliberalmedia.com
deliveredbythedevil.com
devilforacause.com
devilwithacause.com
dkshealth.com
drinkbluphoria.com
drinkcalories.net
drjaneaxelrod.com
dropoutgobig.com
dunstablekitchens.com
eaglepocatello.com
effectsllc.com
egunt.com
ellagphotography.com
empowerprinciples.com
engpua.com
enhancementlasers.com
enhancinglasers.com
equinepaternitytesting.com
exceltoner.com
exceltoners.com
facenewbook.com
fantasticfountain.com
fathersnsons.com
fatlosstoolkit.com
felixtreitler.com
feltedfibers.com
fighttheliberalmedia.com
fortheloveofgadgets.com
frankryn.com
freegascardregistration.com
fubarpaintball.com
funtrecks.net
funtreks.net
funtrekspublishing.com
gee-wizsolutions.com
getpaid365days.com
gillspools.com
girlsgoneglamis.com
gliscastings.net
gliscentrifugal.com
glisfabrications.com
glisinc.com
golfironworks.com
golfnewsalaska.com
golfnewsarkansas.com
golfnewscolorado.com
golfnewsconnecticut.com
golfnewsdelaware.com
golfnewsgeorgia.com
golfnewsidaho.com
golfnewsillinois.com
golfnewsindiana.com
golfnewsiowa.com
golfnewskansas.com
golfnewskentucky.com
golfnewslouisiana.com
golfnewsmaine.com
golfnewsmaryland.com
golfnewsmassachusetts.com
golfnewsmississippi.com
golfnewsmissouri.com
golfnewsmontana.com
golfnewsnebraska.com
golfnewsnewengland.com
golfnewsnewhampshire.com
golfnewsnewjersey.com
golfnewsnewmexico.com
golfnewsnewyork.com
golfnewsnorthcarolina.com
golfnewsnorthdakota.com
golfnewsohio.com
golfnewsoklahoma.com
golfnewspennsylvania.com
golfnewsrhodeisland.com
golfnewssouthcarolina.com
golfnewssouthdakota.com
golfnewstennessee.com
golfnewsutah.com
golfnewsvermont.com
golfnewsvirginia.com
golfnewswestvirginia.com
golfnewswisconsin.com
golfnewswyoming.com
grafikcase.com
grafikdevils.com
grafik-devils.com
grafik-skins.com
greatserviceforless.com
greatsoundevents.com
gregorylknox.com
grupa-kim.com
gryphonaz.com
gryphoncompanies.com
gryphonus.com
gssportspics.com
haosjer.com
hartford-capital.com
hbacagreenproremodelers.com
hbacaproremodelers.com
heattreatalloy.com
historyhobbybooks.com
hockeydoneright.com
hugesavingsevent.com
humphreyslawncare.com
icecreamtruckuniversity.com
imokh.com
inboccaproductions.com
inkandtonersale.com
integratedpipe.com
italy-in-bocca.com
javaemulator.com
jmydesign.com
joannheilman.com
joeamericashow.com
joechenphoto.com
jsjenterprises.com
juddnelsonstudios.com
kaitlinsplayground.com
kevindonnellymd.com
knoxkomputerservice.com
kokobon.com
ksupride.com
ksupridewrestling.com
ksuwrestling.net
lakehousetimberranch.com
laser-enhancements.com
laserhairenhancement.com
launchyourline.com
learningoverip.com
leashyourcamera.com
lendmecash.com
letseatinitaly.com
lifestylology.com
lindseytoothman.com
lionizetheworld.com
lionizeyourself.com
lions-mark.com
lovetoner.com
lovetoners.com
lsclinks.com
lusitanogold.com
makingwaves-salon.com
mangiamoinitalia.com
mangiamoneicantucci.com
mapclimber.com
matthewstarner.com
maxscenesdesign.com
mdmofgeorgia.com
memorialdaysavingsevent.com
mendezign.com
metoly.com
micksher.com
middlefieldma.net
midnightastronomy.com
mikemcmortgage.com
miracline.com
momsagainstmercury.com
monizarealty.com
mrsstyleseeker.com
mwhiteman.com
myabadi.com
mycameraleash.com
myfuturephysique.com
mystagingbox.com
my-ui.com
nacprint.com
newcarsat.com
newlogiq.com
newworldheroes.com
ngage-games.com
nitplus.com
nutritionbydesign.com
ny007ny.com
oharvest.net
omarker.net
omobia.com
onlybetterdeal.com
organixharvest.com
ozarkmountain4x4club.com
palermolundahl.com
pamsdogacademy.com
pamsdogtraining.com
panjiaying.com
panochevalleysolar.com
paulguardino.com
paxamericanaspirits.com
peekaboopumpkin.com
pennyappleapparel.com
pinkdollaratm.com
powerplaycreative.com
prestigehonda.net
propertiespain.com
qualitycomforthomeservices.com
realdealpsychic.com
registerforautoevent.com
reikisolar.com
remodelgreaterphoenix.com
renzograciemexico.com
restoremystuff.com
revolvertactical.net
richmondguitarx.com
rled.net
roaringlion.com
roaringlionenergydrink.com
savedalyfield.com
searchtrusted.com
secrettomb.com
sellitandforgetitnow.com
sellitandforgetittoday.com
shamrocksmokrz.com
shynlaw.com
signaturetoner.com
signaturetoners.com
skyviewphoto.com
slyforkfarm.com
snuffbottleworld.net
softmn.com
southvalleyrugby.com
specialpsychic.com
sportdoneright.com
springcleaningevent.com
squeezepagecentral.com
stainlessfabrications.com
stevesenergydrink.com
strongpsychic.com
studiosylverline.com
sunblockmaterials.com
tabeer-e-pakistan.com
tacomaliftkits.com
tagdeedlingua.com
tagdeed-translation.com
tagdeed-translations.com
techsupportauctions.com
teeboxpromo.com
telecomchicago.com
telecomillinois.com
telecomindiana.com
telecommichigan.com
tfgjustsayin.net
theafternoonjoker.com
theartdepot.net
thecinema6.com
thecollegeaddressshop.com
theeveningjoker.com
thehiddencorner.com
theknowledgekingdom.com
themorningjoker.com
thenightlyjoker.com
thinkadmit.com
thisishowthisworks.com
thisweekinwhiteness.com
thomasdesgrp.com
thomasdesigngroupllc.com
timkennywebdesign.com
timothykenny.com
timsicecreamtruck.com
timsroadtrip.com
toyotaliftkits.net
toyteclifts.net
trademarkrestoration.com
trademarkrestorationinc.com
tri-swelding.com
tropicaltoner.com
tuftsclimatejustice.com
turkrdns.com
twibularity.com
usdays.com
usedcarsat.com
usedmobi.com
valentinesalesevent.com
vehicleexchangeprogram.com
vehicleservicediscount.com
virtualsofts.com
warpets.com
webrunchhard.com
wenerdhard.com
whhholdingusainc.com
whhusainc.net
whichcameratookthis.com
whybuyanewhome.com
xn--80afcbdab0arg8e4c.com
xn--h1adlaje.net
yourcakedecoratingclass.com
yourcrystalball.com
yourspartanmovers.com
zombiesurvivalaptitudetest.com
zoomtoner.com
zoopoints.com
z-sat.com



Malware spam "INVOICE ADVISE 08/01/2015" and "NOVEMBER INVOICE" from multiple fake senders

These two spam runs have different email messages but the same payload. In both cases, there are multiple fake senders

Sample 1 - INVOICE ADVISE 08/01/2015

From:    Mia Holmes
Date:    8 January 2015 at 09:11
Subject:    INVOICE ADVISE 08/01/2015

Good morning

Happy New Year

Please could you advise on the  November GBP invoice in the attachment for me?

Many thanks

Kind Regards
Mia Holmes
Accountant
SULA IRON & GOLD PLC

Sample 2 - NOVEMBER INVOICE

From:    Reed Barrera
Date:    8 January 2015 at 09:16
Subject:    NOVEMBER INVOICE

Good morning

Happy New Year

Please could you advise on the  November GBP invoice in the attachment for me?

Many thanks

Kind Regards
Reed Barrera
Controller
ASSETCO PLC
Other sender names include:
Marlin Rodriquez
Accountant
CLONTARF ENERGY PLC

Olive Pearson
Senior Accountant
ABERDEEN UK TRACKER TRUST PLC

Andrew Salas
Credit Management
AMTEK AUTO
The attachment is in a Word document (in one sample it was a Word document saved as an XLS file). Example filenames include:

RBAC_9971IV.xls
INV_6495NU.doc
2895SC.doc

There are four different malicious files that I have seen so far, all with low detection rates [1] [2] [3] [4] which contain in turn one of these macros [1] [2] [3] [4] leading to a download from one of the following locations:

http://188.241.116.63:8080/mops/pops.php
http://108.59.252.116:8080/mops/pops.php
http://178.77.79.224:8080/mops/pops.php
http://192.227.167.32:8080/mops/pops.php

This file is downloaded as g08.exe which is then copied to %TEMP%\1V2MUY2XWYSFXQ.exe. This file has a detection rate of 3/56.

The VT report shows a POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known malware server which I recommend that you block. This IP is confirmed in the Malwr report which also shows a dropped DLL which is the same as found in this spam run and has a detection rate of just 2/56.

For researchers only, a copy of the files can be found here. Password = infected

Malware spam: "Ieuan James" / "invoice EME018.docx"

So far this morning I've seen a handful of these malformed malware spams, claiming to be from a Ieuan James and with a subject of invoice EME018.docx. The body text contains some Base64 encoded data which presumably is meant to be an attachment.

For example..

From:    Ieuan James
Date:    8 January 2015 at 07:25
Subject:    invoice EME018.docx

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain;
        charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword;
        name="invoice EME018.doc";
        x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
Content-Disposition: attachment;
        filename="invoice EME018.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAB/AAAA////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////////////////////////////spcEAKWAZBAAA8BK/AAAAAAAAEAAAAAAABgAA
AQgAAA4AYmpiaptVm1UAAAAAAAAAAAAAAAAAAAAAAAAZBBYALhAAAPk/AQD5PwEAAQAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A
AAAAAAAAAAAAAAAAAAAAAKQAAAAAALADAAAAAAAAsAMAALADAAAAAAAAsAMAAAAAAACwAwAA
[snipped for clarity]
Some assembly is required with this malware, but if you decode the Base64 area you get one of two different Word documents with VirusTotal detection rates of just 1/56 [1] [2]. These malicious documents contain one of two macros [1] [2] [pastebin] that download an additional component from one of the following locations:

http://ecovoyage.hi2.ro/js/bin.exe
http://mateusz321.cba.pl/js/bin.exe

This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55. The Malwr report for this shows that it connects to:

http://74.208.11.204/
http://129.215.249.52/qZXI6nYL8NLtqX6%3DZ/@mF6s4lFjMN4JSfB%2CVPutSGtX/6Ww_r5R%3FlP_ce2A
http://78.140.164.160/LL7yk@O6E/Qyiy/6yz%3Dzs18r/s4$rV

It also queries some other hosts, meaning that it looks like it attempts to connect home to:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
129.215.249.52 (Edinburgh University, UK)
78.140.164.160 (Webazilla, US)
37.1.208.21 (3NT Solutions LLP aka inferno.name, UK)
86.156.238.178 (BT, UK)

In addition, the Malwr report says that a malicious DLL is dropped with a detection rate of 2/56.

Recommended minimum blocklist:
59.148.196.153
74.208.11.204
129.215.249.52
78.140.164.160
37.1.208.21
86.156.238.178

In addition I suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight. I would very strongly recommend blocking the entire 37.1.208.0/21 range.

For researchers, a copy of all the files is available here, password is infected.

Wednesday, 7 January 2015

Exploit kits on Choopa LLC / Gameservers.com IP addresses

While chasing down this exploit kit yesterday, I noticed an awful lot of related IP addresses and domains that also seemed to be hosting malware.

The characterstics of these malicious landing pages is that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE

ooshuchahxe.co.vu
ahjoneeshae.co.vu
phamiephim.co.vu
kaemahchuum.co.vu
pahsiefoono.co.vu
kaghaingai.co.vu
buengaiyei.co.vu
ohmiajusoo.co.vu
oodeerahshe.co.vu
paotuchepha.co.vu
aedeequeekou.co.vu
eikoosiexa.co.vu
phielaingi.co.vu
thohbeekee.co.vu

A typical exploit landing page looks like this [URLquery report] which appears to be the Nuclear EK.

These are hosted on the following Choopa LLC / Gamservers.com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:

108.61.165.69
108.61.165.70

108.61.165.96
108.61.167.160
108.61.172.139
108.61.175.125
108.61.177.107
108.61.177.89

All these malicious domains use the following nameservers:


ns1.thallsbe.com
ns1.yotelepa.com
ns1.zenteep.com
ns1.neverflouwks.com
ns1.daxpyorgilgere.com
ns1.irkoblik.com
ns2.thallsbe.com
ns2.yotelepa.com
ns2.zenteep.com
ns2.neverflouwks.com
ns2.daxpyorgilgere.com
ns2.irkoblik.com

Nameservers are mostly (but not all hosted on Choopa LLC IPs):

64.187.225.245
104.224.147.220
108.61.123.219
108.61.172.145
108.61.198.148
108.61.211.121

As I said, these domains see to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google (long list, sorry, scroll past it if you like):

offearfactory.cf
ukforsavectory.cf
ukforshivaflow.cf
soundchecker.cf
tobiahsebastiani.cf
crazystuff.ga
atproserafic.ga
soundchecker.ga
terriblelow.ml
stumbleupons.ml
ukforprimeebook.cf
greendriver.ga
ukforsavectory.ga
yellowcheck.ml
misterybook.cf
sporterafic.cf
thorteutsch.cf
imainconfig.ga
materofteck.ga
sporterafic.ga
pleskinebook.ga
lowensineflow.ga
warriordriver.ga
materofteck.ml
sporterafic.ml
lowensineflow.ml
mipkohoophw.cf
mipkoewushohn.cf
mipkoeerrw.ml
mipkohiocoh.ml
qdujbffg.cf
floraperf.cf
floreamva.cf
sintroota.cf
akcyvwkudu.cf
jepeugcpaq.cf
kzjzbbezgt.cf
rittfpynit.cf
unitedbeer.cf
vuktrontas.cf
wchiekohya.cf
wingasheng.cf
nikelnstate.cf
quitambient.cf
xotadddance.cf
xoteaddrack.cf
bloxianoiaba.cf
boyconroewom.cf
myfreenomapi.cf
walltaddates.cf
walltaddonce.cf
walltaddrave.cf
xoteaddotion.cf
trohqueenexai.cf
trotesaiheohu.cf
truechiekitha.cf
trueitheipoag.cf
vukontasixtas.cf
vuvatyisedron.cf
wallddforbake.cf
walltadddabit.cf
walltadddance.cf
walltadddsims.cf
wallteaddrack.cf
oproquanterbot.cf
veterloshamerr.cf
vuflowdeadcrow.cf
wallaerkinderr.cf
wallteaddotion.cf
wicomertulatti.cf
walltadddoppler.cf
amixionifyredhedi.cf
shamidgewoodpiste.cf
shoeufflorthrudis.cf
shoppaycleagoncad.cf
sosanasisernitive.cf
sourustieronixtur.cf
sparetediapletecu.cf
stekoneyredecklan.cf
subspironimitells.cf
sultintemicrearti.cf
coolmember.ga
krogralind.ga
rzanygngis.ga
unitedbeer.ga
wchiekohya.ga
weisewieku.ga
xotaddates.ga
xotaddrave.ga
junoreactor.ga
quitambient.ga
xoteaddrack.ga
dealerstrike.ga
trudahsheeso.ga
vumalworrest.ga
walltaddates.ga
walltaddonce.ga
walltaddrave.ga
wamipkoleoxw.ga
xoteaddotion.ga
proquantterms.ga
tritaeneiquoh.ga
trohqueenexai.ga
trotesaiheohu.ga
troyeachahgie.ga
truechiekitha.ga
truexauphudei.ga
victorysecret.ga
vuxeersktrace.ga
wallddforbake.ga
walltadddabit.ga
walltadddance.ga
walltadddsims.ga
wallteaddrack.ga
xotadddoppler.ga
veterloshamerr.ga
victoaddroplen.ga
vuflowdeadcrow.ga
vuvtrassktrace.ga
wallaerkinderr.ga
wallteaddotion.ga
wheallstechaxa.ga
wolscelipartin.ga
wolvestreyrmst.ga
walltadddoppler.ga
serckinvenaftovan.ga
shamidgewoodpiste.ga
shoppaycleagoncad.ga
sosanasisernitive.ga
sourustieronixtur.ga
sparetediapletecu.ga
stekoneyredecklan.ga
subspironimitells.ga
sultintemicrearti.ga
facilygda.ml
iqmhaslyzd.ml
kriendbasi.ml
queezerbot.ml
rittfpynit.ml
xotaddrave.ml
contermance.ml
crazyworlds.ml
junoreactor.ml
loborrowave.ml
quitambient.ml
vuxtronrace.ml
xoteaddrack.ml
bloxianoiaba.ml
trudahsheeso.ml
vumalworrest.ml
vumullefloor.ml
walltaddates.ml
walltaddonce.ml
walltaddrave.ml
xoteaddotion.ml
lodborrowpler.ml
proquantterms.ml
triceebicicha.ml
triilequadaev.ml
tritaeneiquoh.ml
troshiechooph.ml
trotesaiheohu.ml
victorysecret.ml
vuxeersktrace.ml
wallddforbake.ml
walltadddabit.ml
walltadddance.ml
walltadddsims.ml
wallteaddrack.ml
wamipkoicjnew.ml
oproquantables.ml
veterloshamerr.ml
victoaddroplen.ml
wallteaddotion.ml
wickleyoregene.ml
wolscelipartin.ml
walltadddoppler.ml
serckinvenaftovan.ml
shamidgewoodpiste.ml
shoeufflorthrudis.ml
shoppaycleagoncad.ml
sosanasisernitive.ml
sourustieronixtur.ml
sparetediapletecu.ml
stekoneyredecklan.ml
subspironimitells.ml
sultintemicrearti.ml
sintroota.tk
sionixire.tk
bugleryambur.tk
zarauphudei.cf
zaraachwahgie.cf
zaragietheeghe.cf
zarabixampw.ga
zaradhoophw.ga
zarasicjnew.ga
zarauphudei.ga
zaraachwahgie.ga
zaraeqwuadaev.ga
zaraheeteghoh.ga
zaraohgeegheis.ga
zaratiihuw.ml
zarabixampw.ml
zarasicjnew.ml
zarasorsarw.ml
zaraulleoxw.ml
zaraachwahgie.ml
zaraeqwuadaev.ml
zaraewneiquoh.ml
uzaraeserexwai.ml
zaragietheeghe.ml
zaraweethiocoh.ml

In addition, these domains are tagged as malicious by SURBL:
xoteaddrack.cf
wallddforbake.cf
xoteaddrack.ga
walltadddsims.ga
walltaddates.ml
walltadddabit.ml
wallteaddrack.ml
siewaxiesha.co.vu
fourkopoll.co.vu
kurramithompartherd.co.vu

These are the TLDs and SLDs being abused, operated by Freenom (cf, ga, gq, ml, tk) or CoDotVu (co.vu). It looks like perhaps Freenom cleaned up their space, but you can make your own mind up if you want to block traffic to these as a precaution:
co.vu
cf
ga
gq
ml
tk


A full list of all the domains that I can find associated with these servers can be found here [pastebin].

Recommended minimum blocklist (Choopa LLC IPs are highlighted):
108.61.123.219
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.172.145
108.61.175.125
108.61.177.107
108.61.177.89
108.61.198.148
108.61.211.121

64.187.225.245
104.224.147.220

UPDATE:
Choopa LLC say they have terminated those IPs. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised.


Invoice spam with malicious XLS file from multiple companies

This spam run looks very similar to this one going out at roughly the same time, except this has a malicious XLS file rather than a DOC/

From:    Courtney Stark
Date:    7 January 2015 at 12:27
Subject:    Invoice 1252.70 GBP

Please find attached invoice for 1252.70 GBP.

Any queries please contact us.

Courtney Stark
Senior Accounts Payable Specialist
AVIVA

The "sender" is spoofed from multiple companies, so far I have seen:

Courtney Stark
Senior Accounts Payable Specialist
AVIVA

Phyllis Cobb
Senior Accounts Payable Specialist
DIGITAL BARRIERS LTD

Colby Burris
Senior Accounts Payable Specialist
XAAR

Randy Welch
Senior Accounts Payable Specialist
CAMELLIA

Kendra Cervantes
Senior Accounts Payable Specialist
TRINITY EXPLORATION & PRODUCTION

In the samples I have seen, there are two slightly different malicious Excel files with fairly low detection rates [1] [2] containing one of these two macros [1] [2] [pastebin] which downloads an executable from one of the following locations:

http://87.106.165.232:8080/mans/pops.php
http://193.136.19.160:8080/mans/pops.php

These locations are also found with this spam run and the payload is identical.