From donotreply@lloydsbank.co.ukAttached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria.
Date Fri, 18 Sep 2015 11:52:36 +0100
Subject Transaction confirmation
Dear Customer,
Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.
Best regards,
Your personal Manager
Thora Blanda
tel: 0345 300 0000
LLOYDS BANK.
Friday, 18 September 2015
Malware spam: "Transaction confirmation" / "donotreply@lloydsbank.co.uk"
This fake banking spam comes with a malicious attachment:
E.ON "You've got mail" spam
I haven't used E.ON for a couple of years, and I no longer have an account with them. So I was surprised to get this E.ON-themed spam. Is it malware? No, it really is E.ON spamming me..
------------
From: E.ON Energy [eon@eonenergy.com]
Reply-To: "E.ON Energy" [eon@eonenergy.com]
Date: 17 September 2015 at 19:02
Subject: You've got mail
Ooookay. So it's a phish or malware, right? Well, in this case floating over the links clearly shows an eonenergy.com domain, rather than something malicious. And at least E.ON have shown good practice by using their own domain rather than some random tracking domain that others do.
It's been a long time since I logged onto E.ON because these days I generate all my electricity from a secondhand Russian nuclear reactor plucked from a rusty submarine that I have buried under the lawn.
Logging on to my account gives this message..
And from that point onwards there is nothing at all that I can do. I can't turn off the E.ON spam because I don't have an account with them!
It's probably 15 years or so since I registered on E.ON.. when I registered it was part of TXU, then PowerGen which then became E.ON. So if you have registered an account with any of those companies in the past decade and a half, then you might get this spam from E.ON, even if you closed your account a long time ago..
UPDATE:
E.ON have posted some information about the cock-up and an apology here.
------------
From: E.ON Energy [eon@eonenergy.com]
Reply-To: "E.ON Energy" [eon@eonenergy.com]
Date: 17 September 2015 at 19:02
Subject: You've got mail
You've got mail. If you are having trouble viewing this email, you can view it here. |
|
Helping our customers. We're on it. |
|
Disclaimer Notice This email has been sent by E.ON Energy Solutions Limited. While we have checked this email and any attachments for viruses, we cannot guarantee that they are virus-free. You must therefore take full responsibility for virus checking. This message and attachments are confidential and should only be read by those to whom they are addressed. If you are not the intended recipient, please contact us, delete the message from your computer and destroy any copies. Any distribution or copying without prior permission is prohibited. Internet communications are not always secure and therefore E.ON does not accept legal responsibility for this message. The recipient is responsible for verifying its authenticity before acting on the contents. Any views or opinions presented are solely those of the author and do not necessarily represent those of E.ON. Registered Address E.ON Energy Solutions Limited. Registered office: Westwood Way, Westwood Business Park, Coventry, CV4 8LG. Registered in England and Wales No. 3407430. CONSENT CSS |
Ooookay. So it's a phish or malware, right? Well, in this case floating over the links clearly shows an eonenergy.com domain, rather than something malicious. And at least E.ON have shown good practice by using their own domain rather than some random tracking domain that others do.
It's been a long time since I logged onto E.ON because these days I generate all my electricity from a secondhand Russian nuclear reactor plucked from a rusty submarine that I have buried under the lawn.
Logging on to my account gives this message..
And from that point onwards there is nothing at all that I can do. I can't turn off the E.ON spam because I don't have an account with them!
It's probably 15 years or so since I registered on E.ON.. when I registered it was part of TXU, then PowerGen which then became E.ON. So if you have registered an account with any of those companies in the past decade and a half, then you might get this spam from E.ON, even if you closed your account a long time ago..
UPDATE:
E.ON have posted some information about the cock-up and an apology here.
Thursday, 17 September 2015
Malware spam: hrwfmailerprod@lancashire.gov.uk / REFURBISHMENT
This fake financial spam (presumably) comes in several different variants (I saw two):
The payload appears to be Upatre/Dyre as seen earlier today.
From "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55.
To hp_printer@victimdomain.com
Date Thu, 17 Sep 2015 12:16:26 GMT
Subject FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)
From Mabel Winter
To hp_printer@victimdomain.com
Sent Thu, 17 Sep 2015 12:12:26 GMT
ID 7216378
Number 6767609,1
Title Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT
Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment.
The payload appears to be Upatre/Dyre as seen earlier today.
Malware spam: "Shell E-Bill for Week 38 2015"
This fake financial spam comes with a malicious attachment:
Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.
MD5:
0d9c66ffedce257ea346d2c7567310ac
From [invoices@ebillinvoice.com]
To administrator@victimdomain.com
Date Thu, 17 Sep 2015 11:10:15 GMT
Subject Shell E-Bill for Week 38 2015
Customer No : 28834
Email address : administrator@victimdomain.com
Attached file name : 28834_wk38_2015.PDF
Dear Customer,
Please find attached your invoice for Week 38 2015.
In order to open the attached PDF file you will need
the software Adobe Acrobat Reader.
For instructions of how to download and install this
software onto your computer please visit
http://www.adobe.com/products/acrobat/readstep2.html
If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely
Customer Services
======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================
Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.
MD5:
0d9c66ffedce257ea346d2c7567310ac
Wednesday, 16 September 2015
Malware spam: "Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/"
This fake Lloyds Bank spam comes with a malicious payload:
In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt
A further download then takes place from:
vandestaak.com/css/libary.exe
This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).
Recommended blocklist:
197.149.90.166
vandestaak.com
thebackpack.fr
obiectivhouse.ro
MD5s:
4b944c5e668ea9236ac9ab3b1192243a
1939eba53a1289d68d1fb265d80e60a1
From: RSTNAME} Crabtree [Chang.Crabtree@lloydsbankcommercial.com]
Date: 15 September 2015 at 13:18
Subject: Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/
Please find attached our document pack for the above customer. Once completed please return via email to the below address.
If you have any queries relating to the above feel free to contact us at
MN2Lloydsbanking@lloydsbankcommercial.com
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 7117152. Telephone: 0845 603 1637
Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC453043.
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.
In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt
A further download then takes place from:
vandestaak.com/css/libary.exe
This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).
Recommended blocklist:
197.149.90.166
vandestaak.com
thebackpack.fr
obiectivhouse.ro
MD5s:
4b944c5e668ea9236ac9ab3b1192243a
1939eba53a1289d68d1fb265d80e60a1
Malware spam: "HSBC SecureMail" / "You have received a secure message"
This fake HSBC email message has a malicious payload:
UPDATE: The Hybrid Analysis report shows network traffic to a familiar Nigerian IP of 197.149.90.166 which I strongly recommend you block. The traffic pattern is indicative of Upatre dropping the Dyre banking trojan.
MD5:
359f0c584d718f44e9777e259f013031
From: HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@hsbc.co.uk]Attacked is a file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56.
Date: 16 September 2015 at 13:13
Subject: You have received a secure message
You have received a secure message Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.hsbc.co.uk/secureemail
HSBC_Payment_87441653
16K
UPDATE: The Hybrid Analysis report shows network traffic to a familiar Nigerian IP of 197.149.90.166 which I strongly recommend you block. The traffic pattern is indicative of Upatre dropping the Dyre banking trojan.
MD5:
359f0c584d718f44e9777e259f013031
Monday, 14 September 2015
Spam from "Vanessa Reynolds" / vanessa.reynolds@breedandco.com
This spam does not seem to have a malicious payload, but is likely sent out by the same people who send out Upatre/Dyre malware spam (or possible Dridex):
Hello, Sheldon how are you?
Hello, Lawanda how are you?
Hello, Thurman how are you?
Hello, Darlene how are you?
Hello, Rhea how are you?
The email is always "from" Vanessa Reynolds / vanessa.reynolds@breedandco.com although this is in fact just a simple forgery and Breed & Co (who are are a hardware store in Texas) are nothing to do with this.
The purpose of this spam is unknown. One possibility is that the spammers are probing mail servers for responses (to enumerate valid mailboxes). The other is that this could be a targeted attack on Breed & Co by disrupting email and other means of communication.
Some sending IPs for the record:
175.111.117.26
82.208.233.93
85.100.114.244
103.1.69.172
111.196.186.87
202.134.161.161
From "Vanessa Reynolds" [vanessa.reynolds@breedandco.com]The name after "Hello" varies in each version, for example:
Date Fri, 14 Sep 2015 10:34:32 GMT
Subject Hello, how are you?
Hello, Calvin how are you?
Hello, Sheldon how are you?
Hello, Lawanda how are you?
Hello, Thurman how are you?
Hello, Darlene how are you?
Hello, Rhea how are you?
The email is always "from" Vanessa Reynolds / vanessa.reynolds@breedandco.com although this is in fact just a simple forgery and Breed & Co (who are are a hardware store in Texas) are nothing to do with this.
The purpose of this spam is unknown. One possibility is that the spammers are probing mail servers for responses (to enumerate valid mailboxes). The other is that this could be a targeted attack on Breed & Co by disrupting email and other means of communication.
Some sending IPs for the record:
175.111.117.26
82.208.233.93
85.100.114.244
103.1.69.172
111.196.186.87
202.134.161.161
Labels:
Spam
Friday, 11 September 2015
Malware spam: "Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva" / reports@officeteam.co.uk
This fake financial spam comes with a malicious payload:
In this case, the payload is Upatre downloading the Dyre banking trojan.
MD5:
0a7e68a84765d639210b77575c2373bd
From "reports@officeteam.co.uk" [reports@officeteam.co.uk]In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet).
Date Fri, 11 Sep 2015 10:39:32 GMT
Subject Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva
Please find attached your sales order acknowledgement
Order No: EF150085
Account: PFM895
Your Reference: 14 /Geneva
Web Reference:
Kind Regards
Office Team
In this case, the payload is Upatre downloading the Dyre banking trojan.
MD5:
0a7e68a84765d639210b77575c2373bd
Thursday, 10 September 2015
Malware spam: "New Fax - 3901535011" / "UK2Fax" [fax2@fax1.uk2fax.co.uk]
This fake fax spam comes with a malicious attachment:
From "UK2Fax" [fax2@fax1.uk2fax.co.uk]Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the same Upatre/Dyre payload as seen it this attack also seen today.
Date Thu, 10 Sep 2015 14:07:11 +0100
Subject New Fax - 3901535011
UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT
Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:
In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.
MD5:
4dbdf9e73db481b001774b8b9b522ebe
From "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.
Date Thu, 10 Sep 2015 06:32:37 -0500
Subject Payroll Received by Intuit
Dear, petrol
We received your payroll on Sep 10, 2015 at 09:01.
Attached is a copy of your Remittance. Please click on the attachment in order to
view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
paid two (2) banking days from the date received or on your paycheck date, whichever
is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you
have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list
of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services
IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this
email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect
is a phishing email, please forward it to immediately to spoof@intuit.com.
© 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
trademarks and/or registered service marks of Intuit Inc. in the United States and
other countries. All other marks are the property of their respective owners, should
be treated as such, and may be registered in various jurisdictions.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706
In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.
MD5:
4dbdf9e73db481b001774b8b9b522ebe
Tuesday, 8 September 2015
ipserver.su, 5.133.179.0/24 and 212.38.166.0/24
A follow-up to this post, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:
person: Oleg Nikol'skiy
address: British Virgin Islands, Road Town, Tortola, Drake Chambers
phone: +18552100465
e-mail: abuse@ipserver.su
nic-hdl: ON929-RIPE
mnt-by: IPSERVER-MNT
changed: abuse@ipserver.su 20150528
created: 2015-05-28T11:11:09Z
last-modified: 2015-05-28T11:11:09Z
source: RIPE
I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service.
Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating.
Here's what is odd. None of the sites that I found [pastebin] have a negative reputation, I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all.
I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation, then my suggestion is that you block traffic to:
5.133.179.0/24
212.38.166.0/24
In the meantime I will continue digging..
person: Oleg Nikol'skiy
address: British Virgin Islands, Road Town, Tortola, Drake Chambers
phone: +18552100465
e-mail: abuse@ipserver.su
nic-hdl: ON929-RIPE
mnt-by: IPSERVER-MNT
changed: abuse@ipserver.su 20150528
created: 2015-05-28T11:11:09Z
last-modified: 2015-05-28T11:11:09Z
source: RIPE
I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service.
Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating.
Here's what is odd. None of the sites that I found [pastebin] have a negative reputation, I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all.
I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation, then my suggestion is that you block traffic to:
5.133.179.0/24
212.38.166.0/24
In the meantime I will continue digging..
Monday, 7 September 2015
Something evil on 184.105.163.192/26 / White Falcon Communications / Dmitry Glazyrin
So.. I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243 hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26 suballocated to:
contact:ID;I:POC-DC-1258
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Dmitry Glazyrin
contact:Company:White Falcon Communications
contact:Street-Address:3-758 Riverside Dr
contact:City:Port Coquitlam
contact:Province:BC
contact:Postal-Code:V3B 7V8
contact:Country-Code:CA
contact:Phone:+1-510-580-4100
The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..
bilettver.ru
ituslugi-ekb.ru
kerept.ru
porno-gt.com
pornosup.com
redkrab.com
vgubki.com
erotubik.com
autowagen.ru
decoitalcolor.ru
jimbobox.ru
kr-enot.ru
alemanas.ru
dynamo-energia.ru
master-lesa.ru
kinoprosmotra.net
multi-torrent.com
pl-games.ru
voyeur-hard.com
fishemania.com
learnigo.ru
qazashki.net
surfus.ru
mysuppadomainname.gq
kinoprosmotrov.net
multtracker.com
kyricabgr.tk
onlyhdporno.com
stat-irc.tk
white-wolves.tk
blondescript.com
dc-dcbcf352.hotvideocentral.com
wishfishworld.com
5ka.info
igro-baza1.ru
igro-baza2.ru
igro-baza3.ru
igro-baza4.ru
igro-baza5.ru
kinorelizov.net
torrent-mult.com
trailer-games.ru
vvpvv10.ru
vvpvv9.ru
todoke.ru
glazikvovana.cf
glazikvovana.ga
glazikvovana.gq
glazikvovana.ml
glazikvovana.tk
glazikvovki.cf
glazikvovki.ga
glazikvovki.gq
glazikvovki.ml
glazikvovki.tk
popochkavovana.cf
popochkavovana.ga
popochkavovana.gq
popochkavovana.ml
popochkavovana.tk
popochkavovki.cf
popochkavovki.ga
popochkavovki.gq
popochkavovki.ml
popochkavovki.tk
resnichkavovana.cf
resnichkavovana.ga
resnichkavovana.gq
resnichkavovana.ml
resnichkavovana.tk
resnichkavovki.cf
resnichkavovki.ga
resnichkavovki.gq
resnichkavovki.ml
resnichkavovki.tk
samaragss.ru
wechkavovana.cf
wechkavovana.ga
wechkavovana.gq
wechkavovana.ml
wechkavovana.tk
wechkavovki.cf
wechkavovki.ga
wechkavovki.gq
wechkavovki.ml
wechkavovki.tk
zalypkavovana.ml
zalypkavovana.tk
zalypkavovki.cf
zalypkavovki.ga
zalypkavovki.gq
zalypkavovki.ml
zalypkavovki.tk
zybikvovana.cf
zybikvovana.ga
zybikvovana.gq
zybikvovana.ml
zybikvovana.tk
zybikvovki.cf
zybikvovki.ga
zybikvovki.gq
zybikvovki.ml
zybikvovki.tk
staffrc.com
stopudof.com
35igr.ru
adandc.ru
avgyst.ru
comedy24.ru
e7ya.ru
funrussia.ru
ladykafe.ru
med-cafe.ru
mykazantip.ru
ohotaforum.ru
powerpoint-ppt.ru
sibledy.ru
turistvip.ru
ya-pisatel.ru
kypitest.ru
anykadavai.tk
forwarditaly.org
getyourimesh.com
mymobi.ml
yellowfrance.org
Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].
Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.
So, who is this outfit? Well, it didn't take to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".
However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.
* fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.
contact:ID;I:POC-DC-1258
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Dmitry Glazyrin
contact:Company:White Falcon Communications
contact:Street-Address:3-758 Riverside Dr
contact:City:Port Coquitlam
contact:Province:BC
contact:Postal-Code:V3B 7V8
contact:Country-Code:CA
contact:Phone:+1-510-580-4100
The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..
bilettver.ru
ituslugi-ekb.ru
kerept.ru
porno-gt.com
pornosup.com
redkrab.com
vgubki.com
erotubik.com
autowagen.ru
decoitalcolor.ru
jimbobox.ru
kr-enot.ru
alemanas.ru
dynamo-energia.ru
master-lesa.ru
kinoprosmotra.net
multi-torrent.com
pl-games.ru
voyeur-hard.com
fishemania.com
learnigo.ru
qazashki.net
surfus.ru
mysuppadomainname.gq
kinoprosmotrov.net
multtracker.com
kyricabgr.tk
onlyhdporno.com
stat-irc.tk
white-wolves.tk
blondescript.com
dc-dcbcf352.hotvideocentral.com
wishfishworld.com
5ka.info
igro-baza1.ru
igro-baza2.ru
igro-baza3.ru
igro-baza4.ru
igro-baza5.ru
kinorelizov.net
torrent-mult.com
trailer-games.ru
vvpvv10.ru
vvpvv9.ru
todoke.ru
glazikvovana.cf
glazikvovana.ga
glazikvovana.gq
glazikvovana.ml
glazikvovana.tk
glazikvovki.cf
glazikvovki.ga
glazikvovki.gq
glazikvovki.ml
glazikvovki.tk
popochkavovana.cf
popochkavovana.ga
popochkavovana.gq
popochkavovana.ml
popochkavovana.tk
popochkavovki.cf
popochkavovki.ga
popochkavovki.gq
popochkavovki.ml
popochkavovki.tk
resnichkavovana.cf
resnichkavovana.ga
resnichkavovana.gq
resnichkavovana.ml
resnichkavovana.tk
resnichkavovki.cf
resnichkavovki.ga
resnichkavovki.gq
resnichkavovki.ml
resnichkavovki.tk
samaragss.ru
wechkavovana.cf
wechkavovana.ga
wechkavovana.gq
wechkavovana.ml
wechkavovana.tk
wechkavovki.cf
wechkavovki.ga
wechkavovki.gq
wechkavovki.ml
wechkavovki.tk
zalypkavovana.ml
zalypkavovana.tk
zalypkavovki.cf
zalypkavovki.ga
zalypkavovki.gq
zalypkavovki.ml
zalypkavovki.tk
zybikvovana.cf
zybikvovana.ga
zybikvovana.gq
zybikvovana.ml
zybikvovana.tk
zybikvovki.cf
zybikvovki.ga
zybikvovki.gq
zybikvovki.ml
zybikvovki.tk
staffrc.com
stopudof.com
35igr.ru
adandc.ru
avgyst.ru
comedy24.ru
e7ya.ru
funrussia.ru
ladykafe.ru
med-cafe.ru
mykazantip.ru
ohotaforum.ru
powerpoint-ppt.ru
sibledy.ru
turistvip.ru
ya-pisatel.ru
kypitest.ru
anykadavai.tk
forwarditaly.org
getyourimesh.com
mymobi.ml
yellowfrance.org
Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].
Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.
So, who is this outfit? Well, it didn't take to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".
However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.
* fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.
Labels:
Botnet,
Canada,
Evil Network,
Nuclear EK
Malware spam: "Credit Note CN-60938 from Stilwell Financial Inc" / "message-service@post.xero.com"
This fake financial spam comes with a malicious payload.
In the only sample I saw, the download location for a file at xerofiles.com which came up with a 403 error. This domain belongs to an accounting service called Xero, it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.
Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it looks like it comes from Xero itself.
From: Accounts [message-service@post.xero.com]
To: hp_printer@victimdomain.com
Date: 7 September 2015 at 11:55
Subject: Credit Note CN-60938 from Stilwell Financial Inc for victimdomain.com (0178)
Hi Boris,
To download your credit note CN-60938 for 401.04 GBP please follow the link below : https://get.xerofiles.com/[snip]
This has been allocated against invoice number
If you have any questions, please let us know.
Thanks,
Stilwell Financial Inc
In the only sample I saw, the download location for a file at xerofiles.com which came up with a 403 error. This domain belongs to an accounting service called Xero, it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.
Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it looks like it comes from Xero itself.
Received: from 78.187.120.220.static.ttnet.com.tr (unknown [95.9.34.122])The fake parts of the headers are highlighted. The actual sending IP is 95.9.34.122 in Turkey. I don't know what the payload is in this case as the download location doesn't work, it will most likely be some sort of banking trojan.
by [redacted] (Postfix) with ESMTP id 74F50400BE;
Mon, 7 Sep 2015 11:59:12 +0100 (BST)
Received: from mail2.go.xero.com (198.61.155.105) by
GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP
Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
From: Accounts <message-service@post.xero.com>
To: hp_printer@[redacted]
Date: Mon, 7 Sep 2015 12:55:16 +0200
Subject: Credit Note CN-60938 from Stilwell Financial Inc for [redacted] (0178)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailer: aspNetEmail ver 3.5.2.0
Message-ID: <504359-L45H474JYDT96LCSOCCGF9O9R1IXJTQ2949EW0C2@xero.com>
Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]
This spam does not come from Companies House, but is instead a simple forgery with a malicious attachment:
The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.
This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.
MD5:
f1d62047d22f352a14fe6dc0934be3bb
From "Companies House" [WebFiling@companieshouse.gov.uk]
Date Mon, 7 Sep 2015 12:40:01 +0100
Subject RE: Case 0676414
The submission number is: 0676414
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.
Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500
The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.
This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.
MD5:
f1d62047d22f352a14fe6dc0934be3bb
Friday, 4 September 2015
Malware spam: "RE:resume" aka "What happened to your files?" / Cryptowall 3.0
This fake résumé spam leads to ransomware:
The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:
46.30.46.117 [Eurobyte LLC, Russia)
186.202.153.84 (gaiga.net)
192.186.235.39 (satisgoswamicollege.org)
52.88.9.255 (entriflex.com)
23.229.143.32 (eliasgreencondo.com)
Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.
Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)
This further references another bunch of domains that you might want to block, especially in a corporate environment:
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com
This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:
68.178.254.208 (erointernet.com)
Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malcious site, you can consider it to be a potential indicator of compromise.
The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.
Recommended blocklist:
46.30.46.0/24
gaiga.net
satisgoswamicollege.org
entriflex.com
eliasgreencondo.com
erointernet.com
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com
MD5s:
d6b3573944a4b400d6e220aabf0296ec
5b311508910797c91cc9c9eb4b4edb0c
From: fredrickkroncke@yahoo.comThe attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:
Date: 5 September 2015 at 03:50
Subject: RE:resume
Signed by: yahoo.com
Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply
Kind regards
Teresa Alexander
Protected DocumentFollowing these steps would be a Very Bad Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56.
This document is protected by Microsoft Office.
Please enable Editing and Content to see this document.
Can’t view? Follow the steps below.
Open the document in Microsoft Office. Previewing online does not work for protected documents.
If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:
46.30.46.117 [Eurobyte LLC, Russia)
186.202.153.84 (gaiga.net)
192.186.235.39 (satisgoswamicollege.org)
52.88.9.255 (entriflex.com)
23.229.143.32 (eliasgreencondo.com)
Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.
Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)
This further references another bunch of domains that you might want to block, especially in a corporate environment:
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com
This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:
68.178.254.208 (erointernet.com)
Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malcious site, you can consider it to be a potential indicator of compromise.
The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.
Recommended blocklist:
46.30.46.0/24
gaiga.net
satisgoswamicollege.org
entriflex.com
eliasgreencondo.com
erointernet.com
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com
MD5s:
d6b3573944a4b400d6e220aabf0296ec
5b311508910797c91cc9c9eb4b4edb0c
Tuesday, 1 September 2015
Malware spam: "Complaint of your Internet activity"
This spam comes with a malicious attachment:
This Hybrid Analysis report shows it to be just another variant of Update / Dyre with the same characteristics as the malspam seen earlier today, sending traffic to an IP that I suggest you block or monitor:
197.149.90.166 (Cobranet, Nigeria)
Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494
From: Margret KuhicAll the sames I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a valid attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56.
Date: 1 September 2015 at 16:10
Subject: Complaint of your Internet activity
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Margret Kuhic
Dynamic Communications Agent
T: 1-679-732-5379
F: 100.173.9045
This Hybrid Analysis report shows it to be just another variant of Update / Dyre with the same characteristics as the malspam seen earlier today, sending traffic to an IP that I suggest you block or monitor:
197.149.90.166 (Cobranet, Nigeria)
Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494
Malware spam: "Private message notification 41447" / "Adrien Abbott"
This spam comes with a malicious attachment:
197.149.90.166 (Cobranet, Nigeria)
..which is an IP that has been used several time for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor.
MD5:
7c94abe2e3b60f8a72b7358d50d04ee0
From: Adrien AbbottI have only seen a single sample of this spam, and the attachment was not formatted properly making it harmless, however other variants could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56, the Hybrid Analysis report shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to:
Date: 1 September 2015 at 12:34
Subject: Private message notification 41447
You've received a private message. Please open the attached to view it.
Adrien Abbott
Chief Tactics Executive
home: 1-583-761-3793
work: 380.022.2492
twitter: @nicole
skype: nicole
messenger: nicole
197.149.90.166 (Cobranet, Nigeria)
..which is an IP that has been used several time for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor.
MD5:
7c94abe2e3b60f8a72b7358d50d04ee0
Sunday, 30 August 2015
WARNING: projectmanagementinternational.org / "Project Management International" aka Patty Jones and Anthony Christopher Jones
"Project Management International" (projectmanagementinternational.org) appears to be another website run by Patty Jones (aka Patchree Patchrint) and Anthony Christopher Jones of California.
These so-called training courses run by the Joneses are promoted through spam and have a terrible reputation. One BBB report for a previous incarnation of this scheme sums up many of the complaints that I have seen:
On to this particular scheme called "Project Management International" which should not be confused with many reputable organisations of a similar name, using the domain projectmanagementinternational.org which just frames another site at ipmam862026.sitebuilder.name.com. The "ipma" part of the name is significant as I will mention later. The site is promoted through spam email such as the one found here:
The site is generic looking but fairly smart:
It lists some upcoming courses:
The domain was registered on May 20th 2015 to an anonymous registrant. The site itself lists no contact details on the Contact page:
It appears to be using an email address of "info@projectmanagementinternational.org" for correspondence, but a look at the underlying HTML tells a different story:
The "About Project Management page" features some generic text about Project Management:
The text is almost identical to the defunct website Institute of Program Management America (IPMA) that I mentioned last year. If you remember, this new website also uses "IPMA" in its underlying URL (ipmam862026.sitebuilder.name.com) which also links the two schemes. A RipOffReport for IPMA also shows the same pattern as before.
There is little doubt that this is the same scheme as mentioned in all my previous posts on the activities of Jones and Patchrint. My personal recommendation is that you give this "Project Management International" a very wide berth, and if you feel that you have been defrauded then you would be doing a lot of people a favour if your pursued them aggressively. Also, if you have any positive (or negative) experiences then sharing them in the Comments would be appreciated.
These so-called training courses run by the Joneses are promoted through spam and have a terrible reputation. One BBB report for a previous incarnation of this scheme sums up many of the complaints that I have seen:
Grant Funding USA advertised a 3-day grant writing workshop for non-profit professionals to be held November 12-14 at the Georgetown Law School campus in Washington DC. The course was described as an overview of the grant writing process and concluding with a certificate in professional grant writing. The cost was $495. My organization paid the fee, I received a confirmation email. I received a credit card authorization letter requesting authorization; we completed and submitted it. I spoke with an individual over the phone confirming my registration. I received a registration packet (about 15 pages) with suggestions for preparation and materials to bring to the course. On the first day, November 12, I arrived at Georgetown Law at 8 AM. The guard was unaware of our course and was working on figuring out where we needed to be (there were 7 other students). After about 45 minutes, we all received an email from the organization Grant Funding USA that said our instructor had fallen ill and they were working on securing a substitute instructor to start the class by the afternoon.At 1pm, we received an email from the same email address saying that they were unable to secure a substitute for Wednesday, but class would begin promptly at 8am on Thursday. I called the number for the organization multiple times and continually got their voicemail. On Thursday, November 13 at 8AM, I arrived at Georgetown again, and found the other students in the lobby upset and confused. The guard was unaware of the course and said he had no information for us. He directed me to the Georgetown Student Life office (who would have been responsible for securing the space). They informed me that Georgetown has never heard of Grant Funding USA nor has a relationship with them. There was no workshop scheduled to be held on their campus. Grant Funding USA has not answered my numerous calls or emails. Other participants fooled by this scam were from Smithsonian Institute and State Gov't of New Jersey.This story seems to be echoed over and over again. A venue is booked at a prestigious location, but changed at the last minute. The person taking the course very often seems to be ill and doesn't turn up. Sometimes an ill-prepared substitute teacher is found, but has difficulty being paid. Calls to the so-called institute are either not answered or met with hostility. Read the comments for more stories such as this.
On to this particular scheme called "Project Management International" which should not be confused with many reputable organisations of a similar name, using the domain projectmanagementinternational.org which just frames another site at ipmam862026.sitebuilder.name.com. The "ipma" part of the name is significant as I will mention later. The site is promoted through spam email such as the one found here:
Project Management Certification Course (July 28-31, 2015: University of Southern California)
The Project Management Certification Course will be offered July 28 - 31, 2015 at the University of Southern California in Los Angeles, CA . Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here .
July 28 - 31, 2015
University of Southern California
Los Angeles, California
The PMCC is designed for those seeking professional project management certification. It serves as both a thorough professional education and recognized certification. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.
Project Management Masters Certification program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 36 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials.
The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request.
Program Description
Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.
The skills developed in the Project Management Masters Certification program apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.
Our approach to project management education offers proven, results-focused learning.
Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.
Tuition
Tuition for the four-day Project Management Certification Course is $995.00
Program Schedule and Content
1. Project Initiation, Costing, and Selection, Day 1
2. Project Organization and Leadership, Day 2
3. Detailed Project Planning, Day 2 and 3
4. Project Monitoring and Control, Day 3 and 4
5. Project Risk and Stakeholder Management, Day 4
Benefits
· A Project Management International Certificate of Accomplishment is awarded upon completion of the four day program of five courses. Completion letters are given for each course.
· Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.
· Each class is highly focused and promotes maximum interaction.
· You can network with other project management professionals from a variety of industries.
· Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.
· Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will have met all education requirements for eligibility.
Registration
Participants may reserve a seat online at the Project Management International website, by calling the Program Office toll-free at (800) 288-8387, or by sending their name and contact information via email to the Program Registrar .
Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.
To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.
The site is generic looking but fairly smart:
It lists some upcoming courses:
August 25 - 28, 2015: University of Houston
September 22- 25, 2015: University of Miami
October 6-9, 2015: University of Southern California
The domain was registered on May 20th 2015 to an anonymous registrant. The site itself lists no contact details on the Contact page:
It appears to be using an email address of "info@projectmanagementinternational.org" for correspondence, but a look at the underlying HTML tells a different story:
<h4> If you have any additional questions, simply email us directly at <a href="mailto:info@grantfundingusa.org?subject=ContactUS"> </a> <a href="mailto:grantfundingusa@gmail.com?subject=Contact+Us" target="_self" title="info@thefundinginstitute.org">info@projectmanagementinternational.org </a> and our coordinators will respond to you directly. </h4>The underlying code references both info@grantfundingusa.org and grantfundingusa@gmail.com (the organisation mentioned in the BBB report I mentioned earlier) and which is the same site I warned about a year ago. The only other contact details on the site are a telephone number of 800-288-8387.
The "About Project Management page" features some generic text about Project Management:
The text is almost identical to the defunct website Institute of Program Management America (IPMA) that I mentioned last year. If you remember, this new website also uses "IPMA" in its underlying URL (ipmam862026.sitebuilder.name.com) which also links the two schemes. A RipOffReport for IPMA also shows the same pattern as before.
There is little doubt that this is the same scheme as mentioned in all my previous posts on the activities of Jones and Patchrint. My personal recommendation is that you give this "Project Management International" a very wide berth, and if you feel that you have been defrauded then you would be doing a lot of people a favour if your pursued them aggressively. Also, if you have any positive (or negative) experiences then sharing them in the Comments would be appreciated.
Thursday, 27 August 2015
Malware spam: "Payslip for period end date 27/08/2015" / "noreply@fermanagh.gov.uk"
This spam does not come from Fermanagh District Council. Of course it doesn't. It is instead a simple forgery with a malicious attachment:
Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly.
This executable has a detection rate of 3/56 and the Hybrid Analysis report indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking.
MD5:
fdea30868df48bff9e7c2b2605431d23
From: noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date: 27 August 2015 at 12:28
Subject: Payslip for period end date 27/08/2015
Dear administrator
Please find attached your payslip for period end 27/08/2015
Payroll Section
Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly.
This executable has a detection rate of 3/56 and the Hybrid Analysis report indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking.
MD5:
fdea30868df48bff9e7c2b2605431d23
Wednesday, 26 August 2015
Malware spam: "RE:resume" leads to Cryptowall
This fake resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware.
In the only sample I saw, the spam looks like this:
The format of this message is very similar to this other fake resume spam seen recently, and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
Deobfuscating the macro shows that a file is downloaded from http://46.30.46.60/444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report shows some of this in action, but Techhelplist did the hard work of decrypting it..
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report which has some nice screenshots.
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
46.30.46.60 (Eurobyte, Russia)
linecellardemo.net / 23.229.194.224 (GoDaddy, US)
You might want to block the entire 46.30.46.0/24 range because.. well, Russia really.
MD5s:
41177ea4a2c88a2b0d320219389ce27d
d1e23b09bb8f5c53c9e4d01f66db3654
In the only sample I saw, the spam looks like this:
From: emmetrutzmoser@yahoo.comAttached was a file Janet_Ronald_resume.doc [VT 5/56] which (of course) contains a malicious macro that looks like this [pastebin].
To:
Date: 26 August 2015 at 23:29
Subject: RE:resume
Signed by: yahoo.com
Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply
Best regards
Janet Ronald
The format of this message is very similar to this other fake resume spam seen recently, and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
Deobfuscating the macro shows that a file is downloaded from http://46.30.46.60/444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report shows some of this in action, but Techhelplist did the hard work of decrypting it..
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report which has some nice screenshots.
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
46.30.46.60 (Eurobyte, Russia)
linecellardemo.net / 23.229.194.224 (GoDaddy, US)
You might want to block the entire 46.30.46.0/24 range because.. well, Russia really.
MD5s:
41177ea4a2c88a2b0d320219389ce27d
d1e23b09bb8f5c53c9e4d01f66db3654
Fake fax spam spoofs multiple senders, has malicious payload
This fake fax spam comes from random senders - company names and attachment names vary from spam to spam.
The Hybrid Analysis report shows it phoning home to:
197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166/260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
This pattern marks the malware out as being Upatre/Dyre. 197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.
From: "Heaney, Vandervort and Hilll"Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56 detection rate at VirusTotal.
Subject: Fax #AhnxlQ8 from Donny Kub
Date: Wed, 26 Aug 2015 14:02:30 +0000
You have a fax.
Data sent: Wed, 26 Aug 2015 14:03:30 +0000
TO: info@victimdomain.com
*********************************
We are a new fax delivery service - Heaney, Vandervort and Hilll.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: "Fast. Cheap. Best quality."
*********************************
The Hybrid Analysis report shows it phoning home to:
197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166/260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
This pattern marks the malware out as being Upatre/Dyre. 197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.
Malware spam: "Scanned image from MX-2600N" / "noreply@victimdomain.com"
NOTE: As of December 2015 there is an updated version of this spam run.
This spam is not from a scanner, but it is instead a simple forgery with a malicious attachment:
http://fotolagi.com/45ygege/097uj.exe
http://asterixpr.republika.pl/45ygege/097uj.exe
http://detocoffee.ojiji.net/45ygege/097uj.exe
This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis [1] [2] shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in serveral attacks recently. The payload is almost definitely the Dridex banking trojan.
This spam is not from a scanner, but it is instead a simple forgery with a malicious attachment:
From: noreply@victimdomain.comThe email appears to come from the victim's own domain, but it does not. The "From" address on email is extremely easy to forge. So far I have seen three different malicious attachments, each one in the format noreply@victimdomain.com_20150826_181106.doc with detection rates of around 7/56 [1] [2] [3] containing one of three malicious macros [1] [2] [3] which attempt to download a malicious component from one of the following locations:
Reply-To: noreply@victimdomain.com
To: victim@victimdomain.com
Date: 19 May 2014 at 18:11
Subject: Scanned image from MX-2600N
Reply to: noreply@victimdomain.com [noreply@victimdomain.com]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.
http://fotolagi.com/45ygege/097uj.exe
http://asterixpr.republika.pl/45ygege/097uj.exe
http://detocoffee.ojiji.net/45ygege/097uj.exe
This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis [1] [2] shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in serveral attacks recently. The payload is almost definitely the Dridex banking trojan.
Subscribe to:
Posts (Atom)