Sponsored by..

Tuesday, 19 April 2016

Malware spam: "Facture : 1985 corrigée" / "Louis - Buvasport [louis64@buvasport.com]"

This French-language spam leads to malware:

From:    Louis - Buvasport [louis64@buvasport.com]
Date:    19 April 2016 at 13:29
Subject:    Facture : 1985 corrigée

Cher Client,

Veuillez trouver en pièce-jointe, la facture de vos achats. SANS FRAIS DE TRANSPORT
Votre marchandise est partie et vous devriez la recevoir dans les prochains jours.

Si vous avez des questions, n'hésitez pas à nous contacter.

Cordialement,

BUVA SPORTS 

Attached is a file 093887283-19.04.2016.zip which contains a semi-randomly named script (e.g. 741194709-18.04.2016.PDF.js) with VirusTotal detection rates of 6/56 [1] [2]. According to these Malwr reports [3] [4] the script downloads a file from one of the following locations:

pushdkim.com/267h67c5e
pay.360degreeinfo.com/267h67c5e


There are probably other scripts with different download locations, the binary has a detection rate of 10/55.The Hybrid Analysis report shows that this executable attempts to download another executable from:

buhjolk.at/files/Yd6aGF.exe

At the moment that location is 404ing and the main payload fails, although that could be easily fixed I guess. This is probably attempting to drop Locky ransomware.

The loader also attempts to interact with some servers belonging to BMG, possibly to generate false data for anyone doing network analysis.

To be on the safe side, it might be worth blocking:

93.79.82.215 (Telesweet, Ukraine)


Monday, 18 April 2016

Malware spam: "Please do confirm the Quote Price and get back to me as soon as possible"

This fake financial spam leads to malware:
From: khlee@ahnchem.com sales
To
Date: Mon, 18 Apr 2016 13:46:21 +0100
Subject: Re: Quote Price

Dear Sir

FYI,

Please do confirm the Quote Price and get back to me as soon as possible.

Regards
Sales Department
Attached is a fie with an unusual extension, ORDER LIST.ace which is actually a compressed archive (basically a modified ZIP file). It contains an executable ORDER LIST.exe which has a VirusTotal detection rate of 15/56. That same VirusTotal report indicates traffic to:

booksam.tk/pony/gate.php

This is hosted on:

46.4.100.109 (Hetzner, Germany)

That IP address might be worth blocking. The Hybrid Analysis indicates that this steals FTP and perhaps other passwords. This is a Pony loader which will probably try to download additional malware, but it is not clear what that it might be.

Wednesday, 13 April 2016

Malware spam: "Prompt response required! Past due inv. #FPQ479660" / "Jake Gill"

This fake financial spam has a malicious attachment:

From:    Hillary Odonnell [Hillary.OdonnellF@eprose.fr]
Date:    13 April 2016 at 18:40
Subject:    Prompt response required! Past due inv. #FPQ479660

Hello,

I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?

Thank you,

Jake Gill

Accounts Receivable Department

Diploma plc

(094) 426 8112
The person it is "From", the reference nu,ber and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).

There seem to be several different versions of the attachment, I checked four samples [1] [2] [3] [4] and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive [5] [6] [7] [8] (as are the Hybrid Analyses [9] [10] [11] [12]) but do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on 212.76.140.230 - MnogoByte, Russia). The payload appears to be Dridex.

We can see a reference to that server at URLquery which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment however, the server appears to be not responding, but it appears that for that sample the malware communicated with:

195.169.147.88 (Culturegrid.nl, Netherlands)
178.33.167.120 (OVH, Spain)
210.70.242.41 (TANET, Taiwan)
210.245.92.63 (FPT Telecom Company, Vietnam)


These are all good IPs to block.

According to DNSDB, these other domains have all been hosted on the 212.76.140.230 address:

onlineaccess.bleutree.com
egotayx.net
wgytaab.net
emoaxmyx.net
wmbyaxma.net
emeotalyx.net
ezhoyznyx.net
wmeybtala.net
wzhybyzna.net
onlineaccess.bleutree.info
onlineaccess.bleutree.mobi


You can bet that they are all malicious too.

Recommended blocklist:
212.76.140.230
195.169.147.88
178.33.167.120
210.70.242.41
210.245.92.63


Malware spam: "Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC"

This fake financial email comes with a malicious attachment:
From:    Tran
Reply-To:    Tran, Reuben - ADVANCED ONCOTHERAPY PLC [TranReuben1322@telecom.kz]
Date:    13 April 2016 at 16:24
Subject:    Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC

Good morning,

Please advise status on these

If shipped, please send invoice & tracking


---------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail, including any attachments and/or linked documents, is intended for the sole use of the intended addressee and may contain information that is privileged, confidential, proprietary, or otherwise protected by law. Any unauthorized review, dissemination, distribution, or copying is prohibited. If you have received this communication in error, please contact the original sender immediately by reply email and destroy all copies of the original message and any attachments. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Xylem Inc.
I have only seen a single copy of this, it is likely that the company name will vary from email to email. The attachment due #46691848.doc has a VirusTotal detection rate of 5/56. According to this Malwr report it downloads a file from:

mgmt.speraelectric.info/flows/login.php

Right at the moment this is just a copy of the Windows Calculator and is harmless, but the payload could be switched later to something more malicious, probably Locky ransomware or the Dridex banking trojan.

Tuesday, 12 April 2016

PlusServer has a PlusSized problem with Angler

PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again.

So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).

85.25.102.0/24
85.25.107.0/24
85.25.160.0/24 
85.93.93.0/24
188.138.17.0/24
188.138.70.0/24 
188.138.71.0/24
188.138.75.0/24
188.138.102.0/24
188.138.105.0/24 
188.138.125.0/24 
217.172.189.0/24
217.172.190.0/24

Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too.

UPDATE 2016-04-25

Here are some more PlusServer ranges where Angler has been rampant:

85.25.218.0/24
85.25.237.0/24
188.138.25.0/24
188.138.68.0/24

UPDATE 2016-05-10

Heavy Angler activity has also been spotted in the following ranges:

62.75.203.0/24
62.75.207.0/24
85.25.43.0/24 
85.25.79.0/24
85.25.159.0/24
85.25.217.0/24
188.138.33.0/24
188.138.68.0/24
188.138.125.0/24

In addition, some Angler activity has been observed in the following ranges but is not yet widespread (I will update if I see more activity):

62.75.167.0/24
85.25.41.0/24

85.25.74.0/24

85.25.106.0/24
85.25.207.0/24

188.138.41.0/24
188.138.57.0/24
188.138.69.0/24
188.138.102.0/24

PlusServer (or more likely one or more of their resellers) appear to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in 188.138.105.0/24) that the only safe option is to block traffic to those network ranges.

With black hat hosts such as Qhoster or Host Sailor and to some extent Agava you can block the entire network ranges and not block anything of value at all. In using PlusServer, the bad guys can hide their evil sites among legitimate sites where administration might fear to block something accidentally. My personal opinion is that admins need to be bold and block anyway.. it should usually be possible to block individual sites where needed.

Baldock is not the same as Badlock

Baldock is not the same as Badlock.

Monday, 11 April 2016

Evil networks to block 2016-04-11

I realise it has been a while since my last list of bad networks you might want to block. Hopefully in the next couple of days I will have another list outlining some bad problems with PlusServer IP ranges, in the mean times here are a load of network blocks with a high concentration of Angler EK and other nastiness. (The links go to my Pastebin with more details).

31.148.99.0/24
51.255.61.48/30
51.255.96.56/30 
51.255.143.80/30
65.49.8.64/26
83.217.11.0/24
85.93.93.0/24
85.143.209.0/24
91.221.36.0/24 
92.83.104.0/21
93.115.38.0/24
94.242.206.0/24 
131.72.136.0/24 
178.57.217.0/24
185.46.9.0/24
185.46.10.0/24
185.49.68.0/24
185.75.46.0/23
185.104.8.0/22 
194.1.238.0/24
204.155.31.0/24 

Thursday, 7 April 2016

foocrypt.net / fookey.org / foocrypt.net spam

The line between genius and madness is a fine one. Decide for yourself which side of the line this email is on.

From:    Cryptopocalypse NOW 01 04 2016 [no-reply@foocrypt.net]
Date:    7 April 2016 at 18:24
Subject:    Cryptopocalypse NOW 01 04 2016

Cryptopocalypse NOW 01 04 2016

Now available through iTunes - iBooks @ https://itunes.apple.com/us/book/cryptoapocalypse-now/id1100062356?ls=1&mt=11

Cryptopocalypse NOW is the story behind the trials and tribulations encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption."

"FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening several commonly used Symmetric Open Source Encryption methods so that they are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'.

"FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under export control by the Australian Department of Defence Defence Export Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology as per the ‘Wassenaar Arrangement’

A permit from Defence Export Control is expected within the next 2 months as the Australian Signals Directorate is currently assessing the associated application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical Encryption."

Early releases of "Cryptopocalypse NOW" will be available in the period leading up to June, 2016.

This is Volume 1 of N, where N represents an arbitrary number greater than 1 but less than infinity.

Limited Edition Collectors Versions and Hard Back Editions are available via the store on http://www.foocrypt.net/

© FooCrypt 1980 - 2016, All Rights Reserved.


Regards,

Mark A. Lane

© Mark A. Lane 1980 - 2015, All Rights Reserved.

Disclaimer :  To remove yourself from this email list, kindly goto http://www.foocrypt.net/unsub.html
Err.. no. "Quantum Encryption" is a branch of quantum physics, it's a completely different level of encryption in the same way that an aeroplane is not like a car. Attached is some weird semi-messianic picture..


The email originates from 208.79.219.105 (Loose Foot Computing, Canada). This also happens to be the IP address of:

foocrypt.net
mail0.foocrypt.net

So, the email was sent from the server it is spamvertising. That's normally a pretty certain indicator that the person running the web site is doing the spamming, and that it isn't a Joe Job. If you visit the spamvertised website (not recommended) then you can find a link to a crowdfunding appeal at www.gofundme.com/foocrypt which tells you all you need to know about the credibility of the project..

Yes.. so far it has raised $5 out of a $1,000,000 target in nearly two months. Good luck with the other $999,995.

The sender is apparently one "Mark A Lane" but other than some connections to Australia, I cannot identify an individual behind it. The following website do all seem to be related however:

enalakram.net
fookey.net
fookey.org
foocrypt.net


The closest I can get to contact details is the WHOIS entry for fookey.org:

Registrant ID:90b5527af50723f4
Registrant Name:Mark Lane
Registrant Organization:FOOCRYPT
Registrant Street: P.O. Box 66
Registrant City:Briar Hill
Registrant State/Province:Victoria
Registrant Postal Code:3088
Registrant Country:AU
Registrant Phone:+61.411414431
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:foocrypt@gmail.com


Curiously, that name and address also turns up on this somewhat ungrammatical CV.

Name: Mark Andrew Lane
Postal Address: P.O. Box 66,
Briar Hill, Victoria. 3088.
Telephone: 0411414431
Email: mark.andrew.lane@gmail.com

I mean it would be weird if they weren't related in some way. But that CV mentions nothing about cryptography at all.. a bit of a mystery.

This message was sent to a random and nonexistant email address. Crucially, it does seem to be just random spam and not malware or phishing, but is still best avoided.



Friday, 1 April 2016

Fake boss scams meet AI robocallers in a dangerous escalation of fraud

Many of us will be familiar with the "fake boss" scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady bank account for a business transaction you are not allowed to talk about.

This type of fraud is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and convincing calls have to be made to unsuspecting minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the change of getting caught.

Now, the notorious Russian gang dubbed Den Duraka by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system called which promises to be a game-changer.

Sporting the clumsy Russian acronym LOZHNYY, this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using hacked credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers.

Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were not suspicious as this seemed consistent with the behaviour of their CEOs.

Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely ignore any communications from your CEO and indeed any C-level executive. You have been warned!

(If you hadn't spotted the clues in the Russian names above.. this is an April Fools joke)


Wednesday, 30 March 2016

Malware spam: "Additional Costs" leads to Locky

About the 9000th malicious spam run of the week so far, this one drops Locky ransomware. Again.

From:    Gregg gale
Date:    30 March 2016 at 13:42
Subject:    Additional Costs

Based on our contact (#084715), we're required to inform you about additional costs associated with your account, more information attached.

Reference numbers and sender names vary, the attachments are similar to the ones in this spam run. Various Malwr analyses for the samples I captured [1] [2] [3] [4] [5] show download locations at:

cssrd.org.lb/Wji57q.exe
fabiocaminero.com/2L5pGE.exe


This binary has a detection rate of 7/56. Analysis of the binary [6] [7] [8] shows that it phones home to the same IPs reported here.

Malware spam: "Facture client N° FC_462982347 du 30/03/2016" leads to Locky

This French-language spam is pretending to be a renewal for anti-virus software, however instead it has a malicious attachment:

From:    administrator [netadmin@victimdomain.tld]
Date:    30 March 2016 at 11:09
Subject:    Facture client N° FC_462982347 du 30/03/2016

Bonjour,

Veuillez trouver ci-joint la facture pour le renouvellement de votre antivirus.

Bonne réception

A.Morel
It pretends to come from within the victim's own domain, but this is a simple forgery. The reference number changes from email to email, attached is a ZIP file named consistently with the subject (e.g. FC_462982347.zip). This ZIP file contains a malicious script (typical detection rate 8/56) which then downloads Locky ransomware. According to these automated analyses [1] [2] [3] [4] [5] show the scripts downloading from the following locations (there are almost definitely more):

bezuhova.ru/45t3443r3
thespinneyuk.com/45t3443r3
tishaclothing.co.za/45t3443r3


This dropped binary has a detection rate of 7/56. According to these analyses [6] [7] [8] it phones home to the same servers detailed in this earlier blog post.



Malware spam: "Additional Information Needed #869420" leads to ransomware

This spam has a malicious attachment, leading to ransomware.

From:    Joe holdman [holdmanJoe08@seosomerset.co.uk]
Date:    30 March 2016 at 08:55
Subject:    RE: Additional Information Needed #869420


We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipients email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.

An analysis of three scripts [1] [2] [3] shows binary downloads from:

cainabela.com/zFWvTM.exe
downloadroot.com/vU4VAZ.exe
folk.garnet-soft.com/jDFXfL.exe

This binary has a detection rate of 6/56.  Automated analysis [4] [5] shows network traffic to:

93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)


These characteristics are consistent with Locky ransomware.

Recommended blocklist:
93.170.131.108
5.135.76.18
82.146.37.200

Tuesday, 29 March 2016

Malware spam: "CCE29032016_00034" / "Sent from my iPhone"

The malware spammers have been busy again today. I haven't had time to look at this massive spam run yet, so I am relying on a trusted third party analysis (thank you!)

These spam emails look like the victim is sending them to themselves (but they aren't). Reference numbers vary a little between emails, but the basic pattern is:

From:    victim
To:    victim
Date:    29 March 2016 at 17:50
Subject:    CCE29032016_00034

Sent from my iPhone

Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:

3r.com.ua/ty43ff333.exe
canadattparts.com/ty43ff333.exe
chilloutplanet.com/ty43ff333.exe
gazoccaz.com/ty43ff333.exe
hindleys.com/ty43ff333.exe
jeweldiva.com/ty43ff333.exe
kandyprive.com/ty43ff333.exe
labonacarn.com/ty43ff333.exe
silvec.com/ty43ff333.exe
tbde.com.vn/ty43ff333.exe
zecapesca.com/ty43ff333.exe


This payload has a detection rate of 4/56. The malware calls back to:

84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
109.234.35.128 (McHost, Russia)


McHost is almost purely a black-hat ISP in my opinion and should be blocked on sight.

Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24

Malware spam: "Re: New Order P2016280375" / Rose Lu [salesdeinnovative@technologist.com]

This fake financial spam comes with a malicious attachment:


From:    Rose Lu [salesdeinnovative@technologist.com]
Date:    29 March 2016 at 02:30
Subject:    Re: New Order P2016280375

Good Day,
Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
I look forward to receiving your order acknowledgement in due course.
 
Best regards
Rose Lu
Office Manager
Suzhou  Eagle Electric Vehicle Manufacturing Co., Ltd.
Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China
Skype:rose.lu22
Email:luyi@eg-ev.com
Web: http://www.eagle-ev.com
        http://www.eg-ev.com
       http://szeagle.en.alibaba.com
        http://www.chinaelectricvehicle.com
        http://szeagle-golfcar.en.made-in-china.com

Attached is a file New Order P201628037.docx which I have seen a single variant of, with a VirusTotal detection rate of 8/58. The Malwr report is inconclusive, but does appear to to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object..

Crypted.exe
C:\Users\user\Desktop\Crypted.exe
C:\Users\user\AppData\Local\Temp\Crypted.exe


So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn.no-ip.biz hosted on:

105.112.39.114 (Airtel, Nigeria)

I strongly recommend that you block traffic to that IP. In fact, the entire very large 105.112.0.0/12 is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before) so you might want to consider blocking those too.

Monday, 28 March 2016

Malware spam: "Envoi d’un message : 9758W-TERREDOC-RS62937-15000" / Christine Faure [c.faure@technicoflor.fr]

This French-language spam comes with a malicious attachment:
From:    Christine Faure [c.faure@technicoflor.fr]
Date:    28 March 2016 at 16:54
Subject:    Envoi d’un message : 9758W-TERREDOC-RS62937-15000

Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :

9758W-TERREDOC-RS62937-15000
Message de sécurité
To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:

store.brugomug.co.uk/765f46vb.exe
ggbongs.com/765f46vb.exe
dragonex.com/765f46vb.exe
homedesire.co.uk/765f46vb.exe

scorpena.com/765f46vb.exe
pockettypewriter.co.uk/765f46vb.exe
enduro.si/pdf/765f46vb.exe
185.130.7.22/files/qFBC5Y.exe

Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses [17] [18] [19] [20] the malware phones home to:

83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)


All of those look like pretty shady neigbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.

The other binary appears to be another version of Locky which appears to phone home to the same servers.

Recommended blocklist:
83.217.8.127
84.19.170.249
185.117.72.94
91.200.14.73
92.63.87.134
176.31.47.100





Thursday, 24 March 2016

Malware spam: "FW: Payment Receipt" from multiple recipients leads to Locky

This fake financial spam comes from random recipients, for example:

From:    Marta Wood
Date:    24 March 2016 at 10:10
Subject:    FW: Payment Receipt

Dear [redacted],

Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.

Regards,
Marta Wood
Technical Manager - General Insurance

Attached is a ZIP file that incorporates the recipients name plus a word such as payment, details or receipt plus a random number. This achive contains a randomly-named script (starting with "PM") and ending with .js.js plus which appear to be a set of hidden .BIN files which may well be junk.

VirusTotal detection rates for the scripts are fairly low (examples [1] [2] [3] [4] [5] [6]). Automated analysis [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] shows binary download locations at:

stie.pbsoedirman.com/msh4uys
projectpass.org/o3isua
natstoilet.com/l2ps0sa [404]
yourhappyjourney.com/asl2sd [404]


Two of locations are 404ing, the two that work serve up a different binary each. There are probably many more download locations and more binaries, I will try to add a list later.

The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically is it Locky. Automated analyses [21] [22] [23] [24] [25] [26] show it phoning home to:

195.123.209.123 (ITL, Latvia)
107.181.187.228 (Total Server Solutions, US)
217.12.218.158 (ITL, Netherlands)
46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


UPDATE

Some further download locations from another source (thank you!):

byprez.com/oeepsl3s
caidongrong.com/e5owzc
emprendamosjuntos.com/dk3oas
epicld.com/n3sjax
fallrunathon.com/pw9eoa
famouscouponcodes.com/nxj3sa
hudesign.com/k39skad
kanberdemir.com/b5uas
mqhchurch.net/k2usy
mskphilly.org/yt7wei
optionstrategiesinsiders.org/zpq9sa
plexcera.com/m4uxj2
tigabersaudara.com/k3isa
www.naturseife-gartetal.de/oe9fja


MD5s for downloaded binaries:

0b0f29dc216e481659e84efc349823e1
0bd4f9b53991e86e39945559be074f40
2aea58b3328728ee5f0117112f8d8bd1
3da8d515085dc46be0c5e8d0aa959a5d
8630de2e42fb8e26764a994a4b7c65a9
8b07f6a6b52462395ed8dc91c4b7e7e6
8b6bc36cf0fc6db4fe7f2257cdc75905
9b52fbfe6d763bdbd9156b308ce4cd9f
9ebc25f1e53a2174213ea128a3cdb166
ab7c78cbd32ca79dff83f00aec693b2c
c070835d983f162b48f4fc370e30cf02
c9be9e7751b8f164d04a31a71d0199c6
f5d668c551cecb12f6404214fb0c8251



Recommended blocklist:
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39

Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk

This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment:

From:    customer.service@axminster.co.uk
Date:    24 March 2016 at 10:11
Subject:    Your order has been despatched

Dear Customer

The attached document* provides details of items that have been packed and are ready for despatch.

Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.

Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm

Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)

Kind regards

Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk

* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8]  shows download locations at:

skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe


This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:

71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)


It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.

UPDATE

Some additional download locations from another source (thank you!)

webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe



Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41




Monday, 21 March 2016

Malware spam: "FX Service" / "Fax transmission" spoofing victim's domain

This fake fax spam appears to come from within the victim's own domain, but it doesn't. Instead is is just a simple forgery with a malicious attachment.

From:    FX Service [emailsend@w.e191.victimdomain.tld]
Date:    21 March 2016 at 14:32
Subject:    Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff

Please find attached to this email a facsimile transmission we
have just received on your behalf

(Do not reply to this email as any reply will not be read by
a real person)
Details will vary from message to message. Attached s a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:

http://modaeli.com/89h766b.exe
http://spormixariza.com/89h766b.exe
http://sebastiansanni.org/wp-content/plugins/hello123/89h766b.exe
http://cideac.mx/wp-content/plugins/hello123/89h766b.exe


There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56.  This Malwr report of the payload indicates that it is Locky ransomware.

All of those sources plus this Deepviz report show network traffic to the following IPs:

195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine)


If I receive more information I will post it here.

Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90






Friday, 18 March 2016

Evil networks to block 2016-03-18

A follow-up to this list posted a few days ago. These networks are primarily distributing Angler and in my opinion you should block their entire ranges to be on the safe side. All the links go to Pastebin.

85.204.74.0/24
89.45.67.0/24
89.108.83.0/24
148.251.249.96/28
184.154.89.128/29
184.154.135.120/29
185.30.98.0/23
185.117.73.0/24
185.141.25.0/24
194.1.237.0/24
212.22.85.0/24
217.12.210.128/25 


Malware spam: "Proof of Delivery Report: 16/03/16-17/03/16" / UKMail Customer Services [list_reportservices@ukmail.com]

This spam does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    UKMail Customer Services [list_reportservices@ukmail.com]
Date:    18 March 2016 at 02:46
Subject:    Proof of Delivery Report: 16/03/16-17/03/16

Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD



...........................................................................................................................................................................................
iMail Logo
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.

At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm which has a VirusTotal detection rate of 9/55. This Malwr report for the sample shows a file download from:

kervanburak.com/wp-content/plugins/hello123/r34t4g33.exe

There will be many other versions of the attachment with different download locations. This binary has a detection rate of 8/55 and this Malwr report and Hybrid Analysis  show network traffic to:

64.147.192.68 (Dataconstructs, US)

I recommend you block traffic to that IP. The payload appears to be the Dridex banking trojan.

UPDATE 1

This DeepViz report shows some additional IP addresses contacted:

64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


UPDATE 2

Some additional download locations from a trusted source (thank you!):

almexports.com/wp-content/plugins/hello123/r34t4g33.exe
cky.org.uk/wp-content/plugins/hello123/r34t4g33.exe
felipemachado.com/wp-content/plugins/hello123/r34t4g33.exe
ioy.co.il/wp-content/plugins/hello123/r34t4g33.exe
muhidin.eu.pn/wp-content/plugins/hello123/r34t4g33.exe
tribebe.com/wp-content/plugins/hello123/r34t4g33.exe
voiceofveterans.in/wp-content/plugins/hello123/r34t4g33.exe


Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78

Thursday, 17 March 2016

Malware spam: "PDFPart2.pdf" / "Sent from my Samsung Galaxy Note 4 - powered by Three"

This spam run has a malicious attachment. It appears to come from within the user's own domain.

From:    Administrator [admin@victimdomain.tld]
Date:    17 March 2016 at 12:54
Subject:    PDFPart2.pdf

Sent from my Samsung Galaxy Note 4 - powered by Three

Sent from my Samsung Galaxy Note 4 - powered by Three
All the attachments that I saw were corrupt, but it appears to be trying to download a script that installs Locky ransomware, as seen here.

Malware spam: "Documentxx" apparently coming from the victim leads to Locky

This spam appears to come from the victim, but this is just a simple forgery (explained here). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is no body text. Here is an example:
From:    victim@domain.tld
To:    victim@domain.tld
Date:    17 March 2016 at 10:37
Subject:    Document32
Inside is a randomly-named script (samples VirusTotal reports [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13]  indicate that the script attempts to download a binary from the following locations:

escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe
fmfgrzebel.pl/wp-content/plugins/hello123/89h8btyfde445.exe
superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe
sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe
bezerraeassociados.com.br/wp-content/plugins/hello123/89h8btyfde445.exe


The dropped binary has a detection rate of just 2/57. Those reports and these other automated analyses [14] [15] [16] show network traffic to:

78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46 (Infium UAB, Ukraine)
188.127.231.116 (SmartApe, Russia)
195.64.154.114 (Ukrainian Internet Names Center, Ukraine)


This is Locky ransomware.

Recommended blocklist:
78.40.108.39
46.148.20.46
188.127.231.116
195.64.154.114







Malware spam: "Remittance Adivce" from random senders

This fake financial spam has a malicious attachment and poor spelling in the subject field.

From:    Booth.Garth19@idsbangladesh.net.bd
Date:    17 March 2016 at 09:17
Subject:    Remittance Adivce


Please find attached a remittance advice for payment made yo you today.

Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.

Kind Regards

Garth Booth
Sender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:

bakery.woodwardcounseling.com/michigan/map.php

This download location is almost certainly completely malicious, and is hosted at:

217.12.199.94 (ITL, Ukraine)

This dropped file has a detection rate of 3/56. That VirusTotal and this Malwr report indicate network traffic to:

38.64.199.33 (PSINet, Canada)
188.93.239.28 (DotSi, Portugal)


The payload is uncertain, but it could be the Dridex banking trojan.

UPDATE

The DeepViz analysis  also shows traffic to:

85.17.155.148 (Leaseweb, Netherlands)

Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148

Malware spam: "Interparcel Documents" / Interparcel [bounce@interparcel.com]

This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
From:    Interparcel [bounce@interparcel.com]
Date:    17 March 2016 at 08:51
Subject:    Interparcel Documents

Your Interparcel collection has been booked and your documents are ready.

There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.

Thank you for booking with Interparcel.
Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:

gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/56h4g3b5yh.exe


The detection rate for the binary is 5/57. This DeepViz report on the binary shows network connections to:

195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


As mentioned before, these characteristics look like the Dridex banking trojan.

Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78




Monday, 14 March 2016

Malware spam: "Traffic report ID: 62699928" leads to Teslacrypt

This fake legal email has a malicious attachment:

From:    Myrna baker
Date:    14 March 2016 at 15:58
Subject:    Traffic report ID: 62699928

Dear Citizen,

We are contacting you on behalf of a local Traffic Violation Bureau.

Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 49757
Unfortunately, we will have no other option rather than passing this case to the local police authorities.

Please, see the report with the documents proofs attached for more information on this case.
Details in the email vary from message to message. The payload is Teslacrypt ransomware, as see in this earlier spam run.

Malware spam: "Credit details ID: 87320357" leads to Teslacrypt

So many Teslacrypt campaigns, so little time... I've had to rely on third party analysis on this particular one (thank you!)
From:    Ladonna feather
Date:    14 March 2016 at 14:50
Subject:    Credit details ID: 87320357

Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply. 
Send names, references and attachment names vary. The malicious scripts in the attachment attempt to download from:

giveitallhereqq.com/69.exe?1
washitallawayff.com/69.exe?1
giveitallhereqq.com/80.exe?1
washitallawayff.com/80.exe?1


This is Teslacrypt ransomware with VirusTotal detection rates of 1/57 [1] [2]. The malware attempts to phone home to:

198.1.95.93/~deveconomytravel/cache/binstr.php
kel52.com/wp-content/plugins/ajax-admin/binstr.php
myredhour.com/blog//wp-content/themes/berlinproof/binstr.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/binstr.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/wcspng.php


The download locations for the executable files can all be considered as malicious:

54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)

178.18.99.23 (Maginfo JSC, Russia)
31.47.179.11 (Baikal TransTeleCom, Russia)
31.134.39.52 (IRONNET Ltd, Russia)
119.247.218.165 (Hong Kong Broadband Network Ltd, Hong Kong)
113.252.180.39 (Hutchison Global Communications, Hong Kong)
37.115.24.106 (Kyivstar GSM, Ukraine)
5.248.2.179 (Kyivstar GSM, Ukraine)
193.169.134.215 (SDS-Vostok Ltd, Russia)
5.166.207.194 (ER-Telecom Holding, Russia)
46.172.219.246 (Krym Infostroy Ltd, Ukraine)

Out of these, only the first three (for giveitallhereqq.com) appear to be static IPs, the others (for washitallawayff.com) are dynamic and are likely part of a botnet, so blocking the domain might be better.

Recommended blocklist:
54.212.162.6
212.119.87.77
78.135.108.94

washitallawayff.com

Malware spam: "Blocked Transaction. Case No 19706002" leads to Teslacrypt

This fake financial transaction has a malicious attachment:

From:    Judy brittain
Date:    14 March 2016 at 08:12
Subject:    Blocked Transaction. Case No 19706002

The Automated Clearing House transaction (ID: 19706002), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID: 09293
Transaction Amount: 607,89 USD
Sender e-mail: brittainJudy056@panick.com.ar
Reason of Termination: See attached statement
The sender's name, references and dollar amounts vary from message to messages. The attachment names are randomly-generated (the format seems the same as this) containing either one or four malicious scripts. According to this analysis the scripts download from:

ohelloguyzzqq.com/85.exe?1

Although the infection mechanism seems the same as this spam run, the MD5 of the dropped executable is now 57759F7901EBA73040597D4BA57D511A with a detection rate of 2/55. This is Teslacrypt ransomware, and I recommend that you block traffic to the IP addresses listed here.

Sunday, 13 March 2016

Malware spam: "Debt #85533 , Customer Case Nr.: 878" leads to Teslacrypt

The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments, however.

From:    Lamar drury
Date:    13 March 2016 at 18:43
Subject:    Debt #85533 , Customer Case Nr.: 878

Dear Customer,

Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.

We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.

Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.

We hope on your understanding.

Kind regards,
Finance Department
Lamar drury
878 N Davis St, Jacksonville,
FL 85533
Phone nr: 464-182-2340 
Attached is a ZIP file, that in the samples I saw starts with:
  • doc_scan_
  • money_
  • payment_details_
  • payment_
  • warning_
  • see_it_
  • payment_scan_
  • finance_
  • warning_letter_
  • report_
  • transaction_
  • details_
  • incorrect_operation_
  • confirmation_
  • document_
  • problem_
  • financial_judgement_
 ..plus a random number. Inside are one to four malicious .js scripts, named in the following format:

  • details_
  • mail_
  • post_
  • Post_Parcel_Case_id00-
  • Post_Parcel_Confirmation_id00-
  • Post_Parcel_Label_id00-
  • Post_Shipment_Confirmation_id00-
  • Post_Shipment_Label_id00-
  • Post_Tracking_Case_id00-
  • Post_Tracking_Confirmation_id00-
  • Post_Tracking_Label_id00-
The first three have a random string, the ones beginning with "Post" are followed by a random number and a #.  There are at least 22 unique scripts with the following MD5s:

05A44DF4418EA3F133A3708D4D829DC7
84A57069907726FFADE1DE7DDF6E34CD
6F9726C410B3FCE2FC1EAF75C5015BFC
97D6643DE12E4430CD11412D7917C8B2
ADB1CF98CD632B0E55358C045114ED6A
732314E639426E42B9342B1470798E02
AC2D6B033C943AF864F6A6E2A143E0CD
EA9BE11F3267D14CDF3A88786E2D69C8
E831A7247D30F9EB406A3F5AFCB63EDE
D5B74B58E9971BE84AA83B2E1D46B414
1A177FAF482FC924D2439F4111428D9F
0FB3CD12FB2BF4AC7ABB909383E2EEB8
A810DCD3DE5DA723940D3C44075D3314
F1B4DF8D16F81FFC543E252594DF5C03
3FE0BD9E25B3D0A36A898BE6E579780E
060990306E189A6022E2CCB041912588
6F963C39333F751D097D8DB8A2EEF525
DBF2B52926B5925E382BCF4024E5C8F7
4193D7D43CA5981EDB6E790ED568E5F3
AED7397352E43C0E2F0281AA2F4AACB2
ED8919841E31422C6318978BDAE5612B
C6D52DA9375DA4C33776D68407CC9B0D


These appear [1] [2] to download a malicious binary from one of the following locations:

ohelloguyff.com/70.exe
ohelloguyzzqq.com/85.exe?1


Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56.

The download locations have the following IP addresses:

185.35.108.109 (DA International Group Ltd, Bulgaria)
204.44.102.164 (Quadranet Inc, US)
54.212.162.6 (Amazon AWS, US)
192.210.144.130 (Hudson Valley Host / Colocrossing, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)


Those IP addresses can be considered as evil, and they also host the following sites:

returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
howareyouqq.com
ohelloguyqq.com
bonjovijonqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com
ohelloguyff.com
ohelloguymyff.com
joecockerhereff.com
howisittomorrowff.com
thunicodenamespace.com
wioutpudforcontents.com
idendnsletbarcamednstwo.com
leadhoffmanclassapplico.com
insensitivityinterpreted.com
placegrantthenoticesmust.com
dns1.beforeyougogg.net
dns1.ohimyfriendff.net
dns2.ohimyfriendff.net
dns1.kaktotakvot.pw
dns2.martuswalmart.pw
dns2.beforeyougogg.net
dns2.microtexreglyt.net
microtexregyts.net
gdemoidomaine.info
daimoidomainemne.info
mydomainebizness.info


Recommended blocklist:
185.35.108.109
204.44.102.164
54.212.162.6
192.210.144.130
212.119.87.77
78.135.108.94