This fake financial spam has a malicious attachment:
From: Ernestine Harvey
Date: 15 December 2015 at 11:34
Subject: Invoice Attached
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Thank you!
Mr. Ernestine Harvey
Accounting Specialist | Bank of America, N.A., Cabot Oil & Gas Corp.
The sender name varies randomly, but every email is signed "Mr." even when the name is a woman's, for example:
Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson
The attachments are named in the format invoice_12345678_scan.doc; the filenames are randomly generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.
An analysis of five of the attachments [1] [2] [3] [4] [5] shows attempted downloads from:
modern7technologiesx0.tk/x1656/dfiubgh5.exe
forbiddentextmate58.tk/x1656/ctruiovy.exe
temporary777winner777.tk/x1656/fdgbh44b.exe
former12futuristik888.tk/x1656/fdgjbhis75.exe
Note that these are all .tk domains, and they are all hosted on exactly the same server at 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain of:
servicexmonitoring899.tk
I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.
Anyway, the downloaded binary has a VirusTotal detection rate of 4/55, and the comments indicate that, rather surprisingly, this is the Nymaim ransomware. The Hybrid Analysis indicates network traffic to xnkhfbc.in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:
41.224.12.178 (Orange Tunisie Internet, Tunisia)
51.255.59.248 (OVH, France)
78.107.46.8 (Corbina Telecom, Russia)
95.173.163.211 (Netinternet, Turkey)
118.102.239.53 (Dishnet, India)
140.116.161.33 (TANET, Taiwan)
185.114.22.214 (Osbil Technology Ltd., Turkey)
192.200.220.42 (Global Frag Networks, US)
200.195.138.156 (Szabo & Buhnemann Ltda, Brazil)
210.150.126.225 (HOSTING-NET, Japan)
There are a bunch of bad domains associated with this malware, but the only other one that seems to be active is oxrdmfdis.in.
MD5s:
Recommended blocklist:
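The indicators above can be turned into a small detection pass over outbound proxy logs. The following Python is an added example, not code from the original post: the log lines and client addresses are constructed, and the URL regex generalises the four observed download paths (.tk host, /x1656/ directory, random .exe name) rather than matching only those four.

```python
from __future__ import annotations
import ipaddress
import re
from urllib.parse import urlparse
# Indicators taken from the post: the /24 the author flags, the attachment naming
# scheme, the shape of the four download URLs, and the domains named as active.
SUSPECT_NET = ipaddress.ip_network("31.184.234.0/24")
ATTACHMENT_RE = re.compile(r"^invoice_\d{8}_scan\.doc$", re.IGNORECASE)
# Every observed download URL: a .tk host, an /x1656/ directory, a random .exe name.
DOWNLOAD_RE = re.compile(r"^https?://[a-z0-9.-]+\.tk/x1656/[a-z0-9]+\.exe$", re.IGNORECASE)
KNOWN_DOMAINS = {"xnkhfbc.in", "oxrdmfdis.in", "servicexmonitoring899.tk"}


def is_suspect_attachment(filename: str) -> bool:
    """True if the name follows the invoice_12345678_scan.doc scheme."""
    return ATTACHMENT_RE.match(filename) is not None


def check_request(url: str, dest_ip: str) -> list[str]:
    """Reasons (possibly none) why one outbound request matches this campaign."""
    reasons = []
    host = (urlparse(url).hostname or "").lower()
    if DOWNLOAD_RE.match(url):
        reasons.append("downloader URL pattern (.tk host, /x1656/<random>.exe)")
    if host in KNOWN_DOMAINS:
        reasons.append(f"known malicious domain {host}")
    if ipaddress.ip_address(dest_ip) in SUSPECT_NET:
        reasons.append(f"destination inside {SUSPECT_NET}")
    return reasons


def scan_proxy_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Parse 'timestamp client dest_ip url' lines; return (client, url, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or malformed line
        _timestamp, client, dest_ip, url = fields
        reasons = check_request(url, dest_ip)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample proxy log (hypothetical clients; 192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
2015-12-15T11:40:02 10.0.0.12 31.184.234.5 http://modern7technologiesx0.tk/x1656/dfiubgh5.exe
2015-12-15T11:41:10 10.0.0.15 192.0.2.10 http://example.com/reports/q4.pdf
2015-12-15T11:42:31 10.0.0.12 200.195.138.156 http://xnkhfbc.in/
2015-12-15T11:43:05 10.0.0.20 31.184.234.77 http://another-host.tk/x1656/qwerty99.exe
"""
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first, third and fourth lines; the fourth is caught by the URL shape and the /24 even though its host and exact IP never appear in the post.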
UPDATE
A source tells me (thank you) that servicexmonitoring899.tk is now resolving to 78.129.252.19 (iomart, UK), which has also recently hosted the following domains:
google-apsm.in
specre.com
ganduxerdesign.com
www.ganduxerdesign.com
upmisterfliremsnk.net
tornishineynarkkek.org
tornishineynarkkek2.org
Some of these domains are associated with Rovnix.