Sponsored by..

Monday, 7 March 2016

Malware spam: "Order Confirmation - Payment Successful, Ref. 81096454" leads to ransomware

This fake financial spam comes from various senders with different references, amounts and slightly different addresses. There is a malicious attachment which appears to be ransomware.

From:    Ellen thorp
Date:    7 March 2016 at 07:08
Subject:    Order Confirmation - Payment Successful, Ref. 81096454

Dear Client,

Thank you for your transaction of $477,84. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.

We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.

Double check please the document enclosed to this email.

Thank you for your order and we hope to see you again as our customer.

Respectfully,
Ellen thorp
Chief Accountant
95 N Forks Ave,
Forks, WA 30212
Phone: 028-959-7736 

Attached is a randomly-named ZIP file in the format Invoice_ref-81096454.zip which contains a further malicious script file beginning with invoice_, invoice_copy or invoice_SCAN. Detection rates for these vary [1] [2] [3] [4] [5] [6]. These Hybrid Analysis reports on three of the samples [7] [8] [9] show the script download a malicious binary from:

blablaworldqq.com/80.exe?1
hellomydearqq.com/69.exe?1
hellomydearqq.com/80.exe?1

At the moment, those domains don't seem to be resolving, but if you replace the domains with the IP addresses then it will work. The sites are hosted on the following servers:

51.254.226.223 (OVH, France)
173.82.74.197 (Multacom Corporation, US)


The 69.exe and 80.exe files are actually different, both have a detection rate of 4/54 [1] [2]. Analysis of these files [3] [4] [5] [6] indicates behaviour consistent with ransomware, and these binaries attempt to phone home to the following domains:

conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com



The two IPs specified as binary download locations have hosted a number of other evil sites:

pren874bwsdbmbwe.returnyourfiless.ru
itsyourtimeqq.su
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
thisisyourchangeqq.com
gutentagmeinliebeqq.com
returnyourfiless.ru
pren874bswsdbmbwe.returnyourfiless.ru
83gd65jfh24jbrwke43.brocksard.su
gubbosiak.su
yy4nfsdp4hpfas7hefp4w.gubbosiak.su
golemmalik.su
bb34dbsjneefnsdefjsn.golemmalik.su
hellomenqq.su
helloguysqq.su
hellowomenqq.su
invoiceholderqq.su
3j2gdpsipa74bgm441.biz
mayofish.com
l4rdnvb5jskjb45sdfb.mayofish.com
skuawill.com
belableqq.com
fausttime.com
pot98bza3sgfjr35t.fausttime.com
maniupulp.com
h5534bvnrnkj345.maniupulp.com
sifetsere.com
p47kjndfbj8hsdfsd3e.sifetsere.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
wakonratio.com
sdfsdfsd.wakonratio.com
fjfhsflj54t8ak439sm.wakonratio.com
ball-provide.com
piglyeleutqq.com
helloworldqqq.com
helloyungmenqq.com
hpareyouhereqq.com
pigglywigglyqq.com
lastooooomene3ie3.com
lastooooomene2ie2e.com
promsortirovochnie.com
belahhoast.net

Recommended blocklist:
51.254.226.223
173.82.74.197
conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com

Friday, 4 March 2016

Marketing1.net spammer rides again.. but for how much longer?

Marketing1.net have been one of the more annoying spammers I've seen over the past few years. Their sporadic spam campaign, sent to scraped email addresses has been going on since at least 2014.

This latest spam claims they are going out of business. I can only hope so.

From:    Audrey Martin [info@mapps-uk.net]
Date:    4 March 2016 at 11:06
Subject:    We are giving away all our European business databases before to close down

Hi there,

We are sending you this email because you visited our website in the past. As you may already know, we have developed the largest business databases on CD in Europe. The software provided with the databases allows to run unlimited searches by Industry/Location/Company Size/Premises type or Job title, and to export the search results to Excel. All from your computer.

We are closing down because the cost to update all databases regularly have become too high. We have had fantastic years developing the Marketing1 applications. Thousands of businesses across Europe have used them to create successful marketing campaigns.

Before to close down, we have decided, as ultimate gesture, to give you something unprecedented.

We are giving you all our European databases. That represents an access to millions of companies across Europe. If you want to expand your business now or in the future, you should not miss this offer.

You will get the 7 following applications:

1) Marketing1 UK 2015: 5.8mio UK Businesses. 800'000 records with email. Unlimited export.
2) Top Managers UK 2015: 30,000 Executives from the 5000 largest companies in the UK (incl. email for all records). Excel file with full data, included.

3) Marketing1 France 2015 (application in French): 5mio French Companies. 650'000 records with email. Unlimited export.
4) Top Managers France 2015: 35,000 Executives from the largest companies in France (incl. email for all records). Excel file with full data, included.

5) Marketing1 Germany 2015 (application in German): 5mio German companies. 1.7 mio records with email. Unlimited export.
6) Top Managers Germany 2015: 50,000 Executives from the largest companies in Germany (incl. email for all records). Excel file with full data, included.

7) Marketing1 Belgium 2015 (application in English):  1.8 mio Belgian companies. 500'000 records with email. Unlimited export.

The value for all those databases, is over £5000. We are offering it all to you for a symbolic price: £99. You only have to pay £99 and you get all the applications above. The offer ends today at 5PM. Do not miss it.

You will immediately get access to a download page from which you can download all applications. The download page will stay online for 6 months (so you can download the applications at a later time).

How to place your order. Free samples
Click here to access the offer page. It contains links to all websites. You can also download free samples for all applications from the same page.


The offer ends today at 5PM. Do not miss it.

To your success,

Best Regards,

Audrey Martin
Marketing1 Team


Unsubscribe: Click here if you do not want to receive any further emails from us

M1 Solutions. 152 City Road, London EC1V 2NX
The link in the spam goes to www.mapps-uk.net (37.220.22.107 - Redstation, UK - fake WHOIS details) and then goes to a landing page at marketing1-euro.net (89.187.85.8 - Pickaweb / Coreix, UK - fake WHOIS details) and then finally to marketing1.net (also 89.187.85.8 with fake WHOIS details). The email also originates from 37.220.22.107.

None of the WHOIS records reflect a real company, and there is scant information about the spammer's real identities.

However, this outfit isn't just a bunch of spammers. They are also liars.

Clicking through the link reveals a landing page which clearly claims that this is the last day of their "Sale".


If you click the first link, rather confusingly it gives a different offer with a date of January 15th 2016, claiming that this is the "Last SALE before product discontinuation".


Except it was also the last chance to buy exactly the same product on July 24th 2015..


..and July 10th..


..and June 19th..

..and June 5th..


Get the picture? The data is ALWAYS on sale. So what is this data? Luckily you can download a sample to see just how good the data is. Here is a tiny sample:


Woolworths ceased trading in 2009. And indeed the sample data is full of companies that haven't existed for years or have just plain out of date and inaccurate details.

In other words, the quality of the data is complete shit. The fact that they have to resort to spam to sell this shit indicates that perhaps they have no actual valid data at all. And the fact that they hide who they really are is just the icing on the cake.

Let's hope that these spammers really are closing down. I somehow doubt that they are telling the truth though. Avoid.

Update 2016-07-15

I hadn't heard anything from these spammers for a while, then this plopped into my mailbox..

From:    Audrey Martin [info@mapps-fr.net] via bnc3.mailjet.com
Date:    15 July 2016 at 12:02
Subject:    We are giving away all our European business databases before to close down
Mailing list:    [info.mapps-fr.net.ztmj-xqo6.mj] Filter messages from this mailing list
Signed by:    bnc3.mailjet.com

Good Morning,

We are sending you this email because you visited our website in the past. As you may already know, we are the developer and publisher of Marketing1, the largest business database on CD in the UK. The database is the only one on the market to contain details not available anywhere else on over 5 million Businesses in the UK including 4,6 million named decision makers available by job function and 800,000 Businesses with email addresses.

We did not only develop the UK database, but several ones across Europe. We are closing down because the cost to update all databases regularly have become too high. We have had fantastic years developing the Marketing1 applications. Thousands of businesses across Europe have used them to generate targeted lists for successful marketing campaigns.

Before to close down, we have decided, as ultimate gesture, to give you all our European databases. That represents an access to millions of companies across Europe. There is no catch.

You will get the 7 following applications:

1) Marketing1 UK 2016: 5.8mio UK Businesses. 800'000 records with email. Unlimited export.
2) Top Managers UK 2015: 30,000 Executives from the 5000 largest companies in the UK (incl. email for all records).

3) Marketing1 France 2015: 5mio French Companies. 650'000 records with email. Unlimited export.
4) Top Managers France 2015: 35,000 Executives from the largest companies in France (incl. email for all records). Excel file with full data, included.

5) Marketing1 Germany 2016: 5mio German companies. 1.7 mio records with email. Unlimited export.
6) Top Managers Germany 2015: 50,000 Executives from the largest companies in Germany (incl. email for all records). Excel file with full data, included.

7) Marketing1 Belgium 2015:  1.8 mio Belgian companies. 500'000 records with email. Unlimited export.


How do those applications work
The databases are delivered in a convenient software format. Search by Industry/Location/Company Size/Premises type or Job title, and export the results into Excel or txt files. With unlimited export. All from your computer.

The value for all those databases, is over £5000. We are offering it all to you for a symbolic price: £49. You only have to pay £49 and you get all the applications above. The offer ends today at 3PM. Do not miss it.

You will get access to a download page from which you can download all applications. The download page will stay online for 6 months (so you can download the applications at a later time).


How to place your order. Free samples
Click here to access the offer page. It contains links to all websites. You can also download free samples for all applications from the same page.


The offer ends today at 3PM. Do not miss it.

To your success,

Best Regards,

Audrey Martin
Marketing1 Team

Unsubscribe: Click here if you do not want to receive any further emails from us

M1 Solutions. 152 City Road, London EC1V 2NX
Obviously this is pretty much the same closing down sale they had in March. And here's the ever-changing final date again (which was actually last week)

The domain used in the spam email is marketing1-eu.site (66.96.161.163 - Endurance International Group, US) which forwards to marketing1-co.net (89.187.85.8 - Coreix Ltd, UK) and then onto marketing1.net on the same IP.

As previously established, this company always has a closing down sale, and the data they provide is complete crap. Avoid at all costs.

Malware spam: "Remittance" from random companies with .rtf attachment

This fake financial spam appears to come from random companies. The body text is similar in call cases.

Sample 1:
From:    Ignacio - Floris of London
Date:    4 March 2016 at 09:42
Subject:    Remittance


Dear Sir/Madam,

I hope you are well. I am writing you to let you know that total amount qualified in the contract has been sent to your bank account on the 3rd of March at 14 through BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Ignacio Knox
Accounts Payable

Sample 2:

From:    Audra - ECLECTIC BAR GRP PLC
Date:    4 March 2016 at 09:48
Subject:    Remittance

Dear Sir/Madam,

Hope you are OK. I am writing you to let you know that entire amount specified in the contract has been paid into your bank account on the 1st of March at 16 over BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Audra Pratt
Accounts Payable

Attached is a file named in a format similar to rem.advice-6430760513.rtf or invoice-9200564788.rtf. Detection rates are pretty low [1] [2] [3] and the Malwr reports are inconclusive [4] [5] [6] although I suspect the attachment itself may be malformed. Further analysis is pending.

UPDATE

These Hybrid Analysis reports  [1] [2] [3] show the file downloading a malicious binary from one of the following fruit-flavoured domains:

wildberry.markettimingintelligence.com/zalupa/kurva.php
raspberry.diversified-capital-management.com/zalupa/kurva.php

This file is dropped as %TEMP%\sdjgbcjkds.exe and both those sites are hosted on:

31.131.24.76 (PE Skurykhin Mukola Volodumurovuch, Ukraine)

Along with another domain of strawberry.reactionpointtimingindicator.com. All of these are hijacked GoDaddy domains.

The Malwr report for the executable shows it communicating with:

24.172.94.181 (Time Warner, US)

This is the same IP as seen here which Sophos identified as being Dridex.  

Recommended blocklist:
31.131.24.76
24.172.94.181 

Malware spam: "Closing bill" / "MyBill [mybill.central@affinitywater.co.uk]"

This fake financial spam does not come from Affinity Water but is instead a simple forgery with a malicious attachment.

From     MyBill [mybill.central@affinitywater.co.uk]
Date     Fri, 04 Mar 2016 14:50:57 +0530
Subject     Closing bill

Dear customer

Please find attached a copy of closing bill as requested.


Kind Regards

Natasha Hawkes
Customer Relations Advisor

affinitywater.co.uk

_________________________________________________________________________

This e-mail
(including any attachments) is confidential and may also be legally privileged or
otherwise protected from disclosure. If you are not the intended recipient of this
e-mail or any parts of it please notify us by reply e-mail or by telephone on 01707
268 111 immediately on receipt and then delete the message from your system. You
should not disclose the contents to any other person, nor take copies nor use it
for any purposes and to do so could be unlawful. The presence of this footnote indicates:
this email message has been tested for the presence of known computer viruses, unless
the email has been encrypted (in part or full) wherein the email will not be checked
for computer viruses. All incoming and outgoing emails may be monitored in line with
current legislation. Affinity Water Limited (Company Number 02546950) is registered
in England and Wales having their registered office, at Tamblin Way, Hatfield, Hertfordshire,
AL10 9EZ. www.affinitywater.co.uk

_____________________________________________________________________________

Attached is a partly randomly-named file, for exampple 081155545_1735494_18836.xls - the first two numbers are random, the third is always "18836". So far I have seen just two variants of this (there may be more) with detection rates of about 5/56 [1] [2] which according to the Malwr reports [3]  [4] download a binary from the following locations:

prettymom.ru/system/logs/vbry73f34f.exe
desean.com.sg/system/logs/vbry73f34f.exe


This binary has a detection rate of 6/56. Analysis is pending, however this looks like the Dridex banking trojan.

UPDATE 1

The comments in the VirusTotal scan give some more download locations:

2.casino-engine.ru/games/megajack/vbry73f34f.exe
shop-bedep.com/system/logs/vbry73f34f.exe
17.rent-shops.ru/system/logs/vbry73f34f.exe

Curiously "Bedep" is the name of a trojan. These Hybrid Analysis reports [1] [2] [3] show malicious traffic to:

188.165.215.180 (OVH, France)

I strongly recommend that you block traffic to that IP.

UPDATE2

Some additional download locations and C&C servers to block, from another source (thank you!)

jean-daniel.com.ua/system/logs/vbry73f34f.exe
namkeendelights.com/system/logs/vbry73f34f.exe


Overall, some of these download locations look like good candidates for blocking, especially:

81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)


These additional C&C servers have been seen before:

78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57



Thursday, 3 March 2016

Malware spam: "Order Delay - Package Ref. 30432839"

This spam comes with a malicious attachment. The name of the sender and the reference number will vary from message to message.

From:    Lorna trevor-roper [trevor-roperLorna54235@cable.net.co]
Date:    3 March 2016 at 17:28
Subject:    Order Delay - Package Ref. 30432839


Respected Customer,

The delay of your parcel ref. # 30432839 cannot be controlled due to the unstable weather conditions in our region.

We are doing everything we can to arrange the best shipping time for your package.

Please check the information on your purchase in the attached file. There your will also find the info on the new delivery time.

Sincerely,
Sales Department Manager
Lorna trevor-roper
3000 E Grand Ave,
Des Moines, IA 27222
308-590-9335 
So far I have seen three samples, with attachments named in the format Invoice_ref-30432839.zip containing a malicious script starting with invoice_ and then having some variable elements in it. These have detection rates of 3/55 or so [1] [2] [3] and which the Malwr reports [4] [5] [6] indicate attempt to GET a binary from one of the following locations:

isthereanybodyqq.com/69.exe?1
isthereanybodyqq.com/80.exe?1
ujajajgogoff.com/69.exe?1
ujajajgogoff.com/80.exe?1

Data is then POSTed to:

dustinhansenbook.com/wstr.php
agri-distribution.net/wstr.php
onegiantstore.com/wp-includes/theme-compat/wstr.php

The VirusTotal reports for the dropped binary [1] [2] indicate Ransomware, but those Malwr reports look more like the Dridex banking trojan. Either way it is Nothing Good.

The download locations are interesting, hosted on the following IPs:

78.135.108.94 (Sadecehosting, Turkey)
162.211.67.244 (Secure Dragon LLC, US)


The following domains are either hosted on these IPs or use them as namesevers. They all look highly suspect and worthy of futher analysis:

ohelloweuqq.com
ujajajgogoff.com
ohellohowru.ws
ujajajgogo.ws
gangthatgirlfast.ws
gutentagmenliebe.ws
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com


Recommended blocklist:
78.135.108.94
162.211.67.244


UPDATE

Smarter folks than I think this is Teslacrypt.


Malware spam: "FreePDF: 1922110025984.doc" / "Worrall, Antony" [Ant.Worrall@cmco.eu]

This fake financial spam has a malicious attachment.


From     "Worrall, Antony" [Ant.Worrall@cmco.eu]
Date     Thu, 03 Mar 2016 14:25:14 +0430
Subject     FreePDF: 1922110025984.doc


140 Years of Innovation. Lifting.
Positioning. Securing. Safely.

Atached is a randomly-named file that matches the reference in the subject. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run.

Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]

This spam does not come from KM Media Group but it is instead a simple forgery with a malicious attachment:

From     Sally Webb [swebb@thekmgroup.co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535

--

regards,
Sally


*Sally Webb*
Recruitment Media Sales Executive
KM Media Group

DDI : 01622 794500
Email : swebb@thekmgroup.co.uk

*KM Media Group is Kent's only independent multimedia company*

*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*

*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*

Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detectin rates around 3/55. Analysis from another source (thank you) gives download locations at:

coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe


The initial payload has a detection rate of 4/55 which has now been updated with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:

188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234


Wednesday, 2 March 2016

Malware spam spoofing "Hillsong Church London"

This rather confused spam comes with a subject saying one thing.. for example:

GREKA ENGINEERING & TECHNOLOGY LTD March Invoice #2875
LIMITLESS EARTH PLC March Invoice #75913
FALKLAND ISLANDS HLDGS March Invoice #58093
MULTI UNITS FRANCE March Invoice #6689
SHORE CAPITAL GROUP LTD March Invoice #1612

But the body text is from a church..

Hi there,

Please find the remittance advice for the payment made on the 19th Feb 2015 from
Hillsong Church London.

Please let me know if there are any queries.

Kind regards,

Joan Terry

The material contained in this email may be confidential, and may also be the subject
of copyright and/ or privileged information. If you are not the intended recipient,
any use, disclosure or copying of this document is prohibited. If you have received
this document in error, please advise the sender and delete the document.

This email communication does not create or vary any contractual relationship between
Hillsong and you. Internet communications are not secure and accordingly Hillsong
does not accept any legal liability for the contents of this message.

Please note that neither Hillsong nor the sender accepts any responsibility for viruses
and it is your responsibility to scan the email and any attachments.

Hillsong Church London
www.hillsong.co.uk http://www.hillsong.co.uk
Attached is either an Excel spreadsheet named in a style similar to Hillsong-C2E24.xls (VT results [1] [2] [3]) or a ZIP file with a similar name to Hillchurch-03234D.zip containing a script TR7433029032016.js or TR913740032016.js (VT results [4] [5]).

The Malwr reports are a mixed bunch with only the first three giving any data [1] [2] [3] [4] [5] showing download locations at:

oimedoaeklmrf.giftcardnanny.ca/nu2o3mk4/c987ah8j9ei1.php
eiadmeodeda.securalive.ca/8fjvimkel1/c987ah8j9ei1.php
doaemdpmekd.securalive.eu/8fjvimkel1/c987ah8j9ei1.php


In fact, all these locations are on the same server (and are the same binary), hosted on:

193.201.227.90 (PE Tetyana Mysyk, Ukraine)

According to VirusTotal, there are a few hijacked GoDaddy subdomains on that IP. This method is a little unusual for this type of attack.

Those Malwr reports and this Hybrid Analysis show the malware phoning home to:

24.172.94.181 (Time Warner Cable, US)

It isn't entirely clear what the payload is, but it is probably Dridex or possibly some form of ransomware.

Recommended blocklist:
193.201.227.90
24.172.94.181

Malware spam: "Invoice" / "Payment Confirmation" lead to Locky

The fake financial spam emails lead to the Locky ransomware:

From:    Cedrick Burch
Date:    2 March 2016 at 10:31
Subject:    Payment Confirmation

Dear User,

The attached document is a transaction payment confirmation from USMarketing Ltd.

Thank you for your business - we appreciate it very much.

Sincerely,

Cedrick Burch
Project Manager

=============

From:    Alfredo Bauer
Date:    2 March 2016 at 10:24
Subject:    Invoice

Dear User,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Alfredo Bauer
Project Manager

I received only two samples (VT [1] [2]) of which only one worked in Malwr (this is the other). However, third-party analysis (thank you) shows download locations at:

cabanasestina.ro/num/5buybbtyu8
camberfam.de/num/5f6vtvrtv
ecofriend.co.jp/num/0ujinybvt
e-monalisa.ro/num/7yh5c44duyy
sumiden-e.co.jp/num/87hn8bv6r
leksvik.historielag.org/num/887hb56f
www.countrysaloonriki.sk/num/9987tg6v54


Each location has a different binary (VT [1] [2] [3] [4] [5] [6]) which between them phone home to the following IPs:

95.213.184.10 (Selectel, Russia)
192.71.213.69 (EDIS, Spain)
217.172.182.99 (PlusServer, Germany)


The payload is Locky ransomware.

Recommended blocklist:
95.213.184.10
192.71.213.69
217.172.182.99




Malware spam: "ZYL Invoice" / "Outstanding Invoice" / "Sales Invoice"

These randomly-generated financial spam emails come with a malicious attachment:

From:    Buckminster U. Petty
Date:    2 March 2016 at 07:55
Subject:    Outstanding Invoice

Please check the receipt attached to this message. The Transaction will be posted on your account within 48 hours.

----------

From:    Astra B. Fuller
Date:    2 March 2016 at 08:08
Subject:    Fwd: ZYL Invoice

Please find the payment details attached to this message. The Transfer should appear on your account in 2 days.

----------
From:    Audrey U. Oneil
Date:    2 March 2016 at 07:34
Subject:    Re: Sales Invoice

Please review the invoice attached to this message. The Transfer should appear on your bank in 48 hours.

Attached is a randomly-named file with an RTF extension which is actually a DOCX file in disguise. I have seen three different attachments with detection rates of 1/55 [1] [2] [3] and the Malwr reports for those [4] [5] [6] show the macro contained within downloading from the following locations:

thevillagelounge.nl/e.jpg?LnRiNLIoPC3=55
creeko.com/d.jpg?GIk1nRWM0r27m5Ss=50
creeko.com/d.jpg?GIk1nRWM0r27m5Ss=8


The VirusTotal results for the two unique binaries dropped are 3/55 [1] [2] but automated analysis [3] [4] is inconclusive. It looks rather like ransomware, but I cannot confirm this.

Tuesday, 1 March 2016

Malware spam: "Emailing: MX62EDO 01.03.2016"

This fake document scan has a malicious attachment. It appears to come from within the victim's own domain.
From:    documents@victimdomain.tld
Date:    1 March 2016 at 13:43
Subject:    Emailing: MX62EDO 01.03.2016

Your message is ready to be sent with the following file or link
attachments:

MX62EDO  01.03.2016 SERVICE SHEET

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

I have seen two samples so far, with an attachment that has a similar name to MX62EDO20160301538482.zip which contains a malicious randomly-named script (e.g. PK5293425659.js). Detection rates on the scripts are fairly low [1] [2]. According to these Malwr reports [3] [4] the payload is the Locky ransomware. These two samples download malicious binaries from:

tianshilive.ru/vqmod/xml/87yhb54cdfy.exe
ubermensch.altervista.org/system/logs/87yhb54cdfy.exe


In turn, these attempt to phone home to:

31.184.197.119/main.php
5.34.183.195/main.php


These are the same C&C servers as seen here.

Malware spam: "Dear ValuedCustomer, It is very unpleasant to hear about the delay with your order"

This strangely worded spam leads to the Locky ransomware:
From     =cU3RlZmFuaWUgU3VsbGl2YW4=?= [SullivanStefanie68750@numericable.fr]
Date     Tue, 01 Mar 2016 13:40:48 +0200
Subject     =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?=

Dear ValuedCustomer,

It is very unpleasant to hear about the delay with your order #7B6B7E08, but be sure
thatour department will do its best to resolve the problem.It usually takes around7
business days to deliver a package of this size to your region.

The local post office should contact your as soon as they will receive theparcel.Be
sure that your purchase will be delivered in time and we alsoguarantee that you will
be satisfied with our services.

Thank you for your business with our company.

Stefanie Sullivan
Sales Manager
All the samples I have seen have slightly mangled headers. The sender name varies. Attacked is a ZIP file named in a similar format to order_copy_7B6B7E08.zip which contains a malicious script named something like:

important_181031694.js
warning_659701636.js
statistics_466026824.js

I have seen six different samples so far with zero detection rates [1] [2] [3] [4] [5] [6] and which according to these analysis [7] [8] [9] [10] [11] [12] attempt to download a Locky binary from:

sitemar.ro/5/92buyv5
pacificgiftcards.com/3/67t54cetvy
maisespanhol.com.br/1/8y7h8bv6f


Those binaries phone home to:

5.34.183.195/main.php
31.184.197.119/main.php


Those C&C servers are the same as I mentioned in this spam run and I suggest you block traffic to:

5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55


Malware spam: "March Invoice" / "Balkan Dream Properties"

This fake financial spam can't make up its mind which month it is for.

From:    Caitlin Velez
Date:    1 March 2016 at 11:50
Subject:    March Invoice

Hi,

Attached is the November invoice.

Thanks!

Caitlin Velez
Customer Service
Balkan Dream Properties
090-157-5969
So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero.

This Malwr report shows that it is the Locky ransomware, download a binary from:

intuit.bitdefenderdistributor.info/intrabmw/get.php

This is hosted on a bad webserver at..

93.95.100.141 (Mediasoft ekspert, Russia)

..and it then phones home to..

5.34.183.195 (ITL / UA Servers, Ukraine)

There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..

31.184.197.119 (Petersburg Internet Network ltd., Russia)
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)


Recommeded blocklist:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
93.95.100.141


Monday, 29 February 2016

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment:
From:    admin [ands21@victimdomain.tld]
Date:    29 February 2016 at 19:05
Subject:    Scanned image

Image data in PDF format has been attached to this email.
The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js  I have seen three different versions of the attached scripts with detection rates of around 1/55 [1] [2] [3]. The Malwr reports for those [4] [5] [6] show download locations at:

www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe
svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution.in.th/system/logs/7ygvtyvb7niim.exe

This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:

51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)


Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, howerver I recommend that you block all traffic to:

51.254.19.227
185.14.29.188




Malware spam: "Invoice #16051052/15" / "Dear costumer"


This fake financial email (sent to "Dear costumer") has a malicious attachment.

From:    Velma hodson
Date:    29 February 2016 at 16:49
Subject:    Invoice #16051052/15

Dear costumer,

You are receiving this informational letter because of the fact that you have a debt totaling $157,54 due to late payment of invoices dating March ‘15.

In attachment you will find a reconciliation of the past 12 months (year 2015).

Please study the file and contact us immediately to learn what steps you should take to avoid the accrual of penalties.


I have only seen a single sample with an attachment named Invoice_ref-16051052.zip which in turn contains a malicious script invoice_kOUEsX.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 2/55 and these automated analysis tools [1] [2] show that it attempts to download a binary from the following locations:

ohiyoungbuyff.com/69.exe?1
helloyungmenqq.com/69.exe?1


The domain names have a similar theme, indicating that the servers are malicious. It migh be worth blocking:

91.196.50.241 (EuroNet, Poland)
50.3.16.250 (Eonix, US)


This Malwr report  shows that the dropped payload is ransomware, calling home to the following domains:

biocarbon.com.ec
imagescroll.com
music.mbsaeger.com
stacon.eu


I recommend that you block traffic to those domains plus the two IPs, giving a recommended blocklist of:

91.196.50.241
50.3.16.250
biocarbon.com.ec
imagescroll.com
music.mbsaeger.com
stacon.eu



Friday, 26 February 2016

Malware spam: "Your Order has been despatched from Harrison" / warehouse@harrisonproducts.net

This spam does not come from Harrison Products but is instead a simple forgery with a malicious attachment:

From     warehouse | Harrison [warehouse@harrisonproducts.net]
Date     Fri, 26 Feb 2016 18:07:04 +0500
Subject     Your Order has been despatched from Harrison

Dear Customer

Thank you for your valued Order, your Despatch Confirmation is attached

If there are any queries relating to this delivery please contact our Customer Service
Team on 01451 830083 or email sales@harrisonproducts.net

Kind Regards

The Harrison Products Team


Harrison Products Co. Sterling House, Moreton Road, Longborough, Glos. GL56 0QJ
I have seen only one sample of this with an attachment named Order ref. 16173.xls  which has a VirusTotal detection rate of 6/55. This Malwr report plus this Hybrid Analysis for that sample shows a binary being downloaded from:

thetoyshop.by/system/logs/76tg654viun76b

There are probably other download locations too. This dropped file has a detection rate of 3/52. Those two reports indicate that this is the Dridex banking trojan. It phones home to:

203.162.141.13 (VietNam Data Communication Company, Vietnam)

I strongly recommend that you block traffic to that IP.



Evil networks to block 2016-02-26

These networks are clusters of the Angler EK and other badness. I tend to Tweet about Angler IPs rather than blog about them. Following the #AnglerEK hashtag at Twitter can yield more information, often in realtime.

All the links go to Pastebin with more information about the IPs and the blocks. Note that a few of these blocks do contain some legitimate Russian-language sites, but if your users don't visit that sort of site then you should be OK to block them.

51.254.240.0/24
64.79.88.16/29
86.106.93.0/24
88.198.229.184/29
88.214.237.0/24
89.45.67.0/24
146.0.43.64/26
176.9.226.160/29
176.223.111.0/24
184.154.53.136/29
185.66.9.0/24
185.66.10.0/24
185.46.11.0/24
185.86.76.0/22
185.86.149.0/24
185.104.8.0/22
185.118.65.0/24
188.227.72.0/22
191.96.66.0/24 
195.128.125.0/24
204.45.251.128/26 
204.155.30.0/24
207.182.141.200/29
212.22.85.0/24
212.109.192.224/27

Wednesday, 24 February 2016

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment. It appears to come from within the victim's own domain, but this is a malicious forgery.
From:    admin [southlands71@victimdomain.tld]
Date:    24 February 2016 at 15:25
Subject:    Scanned image

Image data in PDF format has been attached to this email.
I have only seen a single sample with an attachment 24-02-2016-00190459.zip containing a malicious script [pastebin] which in this case downloads a binary from:

kartonstandambalaj.com.tr/system/logs/87h754

My sources say that other versions download from:

demo2.master-pro.biz/plugins/ratings/87h754
baromedical.hu/media/87h754
bitmeyenkartusistanbul.com/system/logs/87h754/
zaza-kyjov.cz/system/cache/87h754


As this Hybrid Analysis shows, the payload is the Locky ransomware. The dropped binary has a detection rate of just 3/55.

Those reports show the malware phoning home to:

5.34.183.136 (ITL, Ukraine)

I strongly recommend that you block traffic to that IP.

Evil network: 184.154.28.72/29 (Marko Cipovic / Singlehop) and liveadexchanger.com

liveadexchanger.com is an advertising network with a questionable reputation currently hosted on a Google IP of 146.148.46.20. The WHOIS details are anonymous, never a good sign for an ad network.

Seemingly running ads on the scummiest websites, liveadexchanger.com does things like trying to install fake Flash updates on visitors computers, as can be seen from this URLquery report... you might find the screenshot missing because of the complex URL, so here it is..


That landing page is on alwaysnewsoft.traffic-portal.net (part of an extraordinarily nasty network at 184.154.28.72/29) which then forwards unsuspecting visitors to a fake download at intva31.peripheraltest.info  which you will not be surprised to learn is hosted at the adware-pusher's faviourite host of Amazon AWS.

Of the 567 sites that have been hosted in this /29 (not all are there now), 378 of them are tagged as malicious in some way by Google (67%) and 157 (28%) are also tagged by SURBL as being malicious in some way. Overall then, 74% are marked as malicious by either Google or SURBL, which typically means that they just haven't caught up yet with the other bad domains. The raw data can be seen here [pastebin].

At the time of writing, the following websites appear to be live:

check4free.newperferctupgrade.net
testpc24.onlinelivevideo.org
getsoftnow.onlinelivevideo.org
newsoftready.onlinelivevideo.org
whenupdate.plugin2update.net
alwaysnew.updateforeveryone.net
free2update.newsafeupdatesfree.net
liveupdate.update4free.org
downgradepc.update4free.org
noteupgrade.update4free.org
newupdate.digit-services.org
lastversion.whensoftisclean.org
newupdate.set4newsearchupdate.com
upd24.free247updatetoolnow.com
24check.plugin-search2update.com
check4upgrade.plugin-search2update.com
softwareupdate.plugin-search2update.com
updateauto.theinlinelive.net
newsoftready.set2updatesnen.net
alwaysnewsoft.traffic-portal.net
checksoft.new24checkupgrade.net
legalsoft.perfectsafeupdate.net
checksoft.group4updating.org
checksoft.thesoft4updates.org
netapp.safeplugin-update.org
freedlupd.pcfreeupdates.club
softwareupdate.upgrades4free.org
freechecknow.onlinelivevideo.org
liveupdate.os-update.club
newupdate.update4free.net
checksoft.newsafeupdatesfree.net
workingupdate.digit-services.org
now.how2update4u.com
autoupdate.whenupgradeswork.com
setupgrade.set4freeupdates.xyz
update4soft.searchonly.online
updateauto.forfreeupgrades.org
autoupdate.soft-land.club
soft4update.soft-land.club
updateauto.newvideolive.club
newupdate.portal-update.club
maintainpc.perfectupdater.org
newupdate.downloadsoft24.club

The WHOIS details for this block:
%rwhois V-1.5:003eff:00 rwhois.singlehop.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:ORG-SINGL-8.184-154-28-72/29
network:Auth-Area:184.154.0.0/16
network:IP-Network:184.154.28.72/29
network:Organization:Marko Cipovic
network:Street-Address:Kralja Nikole 33
network:City:Podgorica
network:Postal-Code:81000
network:Country-Code:CS
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20150323
network:Updated:20150323


If you are using domain-based blocklists, this [pastebin] is the list of domains currently or formerly hosted on this block with the subdomains removed. Other than that, I would recommend the following blocklist:

liveadexchanger.com
184.154.28.72/29

Malware spam FAIL: "Thank you for your order!" / DoNotReply@ikea.com

This fake financial spam is not from IKEA, but it instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.

From:    DoNotReply@ikea.com
Date:    24 February 2016 at 09:56
Subject:    Thank you for your order!
IKEA
IKEA UNITED KINGDOM

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
24-02-2016
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
24-02-2016
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.
The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do not open it. The attachment is currently being analysed.

UPDATE

Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this.

Malware spam: "VAT Invoice - Quote Ref: ES0142570" / CardiffC&MFinance@centrica.com

This fake financial spam is not from British Gas / Centrica but is instead a simple forgery with a malicious attachment.

From:    CardiffC&MFinance [CardiffC&MFinance@centrica.com]
Date:    24 February 2016 at 09:09
Subject:    VAT Invoice - Quote Ref: ES0142570


Good Afternoon,

Please find attached a copy of the VAT invoice as requested.

Regards
Tracy Whitehouse
Finance Team
British Gas Business| Floor 1| 4 Callaghan Square| Cardiff| CF10 5BT
http://intranet/C12/C12/Brand%20and%20communications%20toolk/Email%20signatures/British-Gas-Top-25-gptw.jpg




_____________________________________________________________________
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside England and Wales).

The views expressed in this email are not necessarily the views of Centrica plc, and the company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary.

PH Jones is a trading name of British Gas Social Housing Limited. British Gas Social Housing Limited (company no: 01026007), British Gas Trading Limited (company no: 03078711), British Gas Services Limited (company no: 3141243), British Gas Insurance Limited (company no: 06608316), British Gas New Heating Limited (company no: 06723244), British Gas Services (Commercial) Limited (company no: 07385984) and Centrica Energy (Trading) Limited (company no: 02877397) are all wholly owned subsidiaries of Centrica plc (company no: 3033654). Each company is registered in England and Wales with a registered office at Millstream, Maidenhead Road, Windsor, Berkshire SL4 5GD.

British Gas Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. British Gas Services Limited and Centrica Energy (Trading) Limited are authorised and regulated by the Financial Conduct Authority. British Gas Trading Limited is an appointed representative of British Gas Services Limited which is authorised and regulated by the Financial Conduct Authority.

In the only sample I have seen before, there is an attached file named archive-0910001923884.docm which has a VirusTotal detection rate of 3/52. Analysis of this document is pending, but it is likely to drop either the Dridex banking trojan or Locky ransomware.

UPDATE 1

The Hybrid Analysis of the document plus the VirusTotal scan of the dropped EXE look like Dridex. The download location for that document was:

skropotov.ru/system/logs/87h754.exe

C2 to block:
80.86.91.232 (PlusServer, Germany)

UPDATE 2 

The comments on this VT report indicate other download locations:

school62.dp.ua/new_year/balls/87h754.exe
skropotov.ru/system/logs/87h754.exe
designis.com.ua/admin/images/87h754.exe
armo.sk/system/logs/87h754.exe
eyesquare.tn/system/logs/87h754.exe


Friday, 19 February 2016

Malware spam: "Unpaid Invoice #350" / credit control [invoices@thistleremovals.co.uk]

This fake financial spam does not come from Thistle Removals but is instead a simple forgery with a malicious attachment.
From     credit control [invoices@thistleremovals.co.uk]
Date     Fri, 19 Feb 2016 17:52:49 +0200
Subject     Unpaid Invoice #350
Message text

Please see attached letter and a copy of the original invoice.
Attached is a file with a semirandomly name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).

Third party analysis (thank you) indicates that this then phones home to the following locations:

91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php
(Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)

The payload is the Locky ransomware.

Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106


Malware spam: "Invoice FEB-23456789" from "Accounting Specialist"

This fake financial spam comes from random senders, the attachment is malicious and drops the Locky ransomware:

From:    Kenya Becker
Date:    19 February 2016 at 11:59
Subject:    Invoice FEB-92031923


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Kenya Becker
Accounting Specialist

==================

From:    Toni Jacobson
Date:    19 February 2016 at 12:10
Subject:    Invoice FEB-63396033


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Toni Jacobson
Accounting Specialist 
Attached is a file with a semirandom name similar to invoice_feb-92031923.doc (Sample VirusTotal report) which contains XML that looks like this [pastebin]. Malwr analysis of these samples [1] [2] shows it downloading a malicious executable from:

ratgeber-beziehung.de/5/5.exe
www.proteusnet.it/6/6.exe

If recent patterns are followed, there will be several different download locations with different versions of the file at each. I will let you know if I get these locations. The binaries has a detection rate of 7/55 and 6/54 and these Malwr reports [1] [2] [3] indicate that it phones home to:

85.25.138.187 (PlusServer AG, Germany)
31.41.47.3 (Relink Ltd, Russia)


Other samples are being analysed, but in the meantime I recommend that you block traffic to:

85.25.138.187
31.41.47.3


UPDATE 1

Some additional download locations from these Malwr reports [1] [2] [3]:

ecoledecorroy.be/1/1.exe
animar.net.pl/3/3.exe
luigicalabrese.it/7/7.exe


..stil working on those other locations!

UPDATE 2

Two other locations are revealed in these Malwr reports [1] [2]:

http://lasmak.pl/2/2.exe
http://suicast.de/4/4.exe