Sponsored by..

Wednesday, 27 July 2016

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be 
The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.

UPDATE

The C2 locations for this variant are:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)


Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30


Malware spam: "Sent from my Samsung device" leads to Locky

This spam comes in a few different variations:

From:    Lottie
Date:    27 July 2016 at 10:38
Subject:    scan0000510

Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:

alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765


The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)


(Thank you to my usual source for this data)

There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.

Recommended blocklist:
5.9.253.160/27
178.62.232.244


Tuesday, 26 July 2016

Malware spam: "list of activities" leads to Locky

This fake business spam has a malicious attachment:

From     "Penelope Phelps"
Date     Tue, 26 Jul 2016 23:02:43 +1100
Subject     list of activities

Hello,

Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.

Warm regards,
Penelope Phelps
ALLIED MINDS LTD
Security-ID: 4d2c95a750fe26a3560ffddfe374ff5c5c064bd78fea30
The sender's name, company and "Security-ID" vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script that looks like this. This Malwr report and this Hybrid Analysis show this particular sample downloading from:

akva-sarat.nichost.ru/bokkdolx

There will be many other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55. Further analysis is pending, however it is quite likely that this sample uses the same C2 servers as seen earlier today.



Malware spam: "Attached Image" leads to Locky

This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    26 July 2016 at 10:27
Subject:    Attached Image

**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************
Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:

www.isleofwightcomputerrepairs.talktalk.net/okp987g7v

There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:

31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)


Recommended blocklist:
31.41.47.41
91.234.35.216


Monday, 25 July 2016

Malware spam: "Emailing: Photo 25-07-2016, 34 80 10" / "Emailing: Document 25-07-2016, 72 35 48"

This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
From:    Rebeca [Rebeca3@victimdomain.tld]
Date:    25 July 2016 at 10:16
Subject:    Emailing: Photo 25-07-2016, 34 80 10


Your message is ready to be sent with the following file or link
attachments:

Photo 25-07-2016, 34 80 10


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".

An alternative variant comes with a malicious Word document:

From:    Alan [Alan306@victimdomain.tld]
Date:    25 July 2016 at 12:40
Subject:    Emailing: Document 25-07-2016, 72 35 48

Your message is ready to be sent with the following file or link
attachments:

Document 25-07-2016, 72 35 48


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
The attachment is this case is a .DOCM filed named in a similar way as before.

This analysis is done by my usual trusted source (thank you). These scripts and macros download a component from one of the following locations:

0urkarachi.atspace.com/7h8gbiuomp
cantrell.biz/7h8gbiuomp
czemarserwis.home.pl/7h8gbiuomp
exploromania4x4club.ro/7h8gbiuomp
finaledithon.web.fc2.com/7h8gbiuomp
koushuen.co.jp/7h8gbiuomp
moehakiba.web.fc2.com/7h8gbiuomp
ostseeurlaub-tk.homepage.t-online.de/7h8gbiuomp
r-p-b.de/7h8gbiuomp
topmanagers.claas.fr/7h8gbiuomp
tpllaw.com/7h8gbiuomp
tutomogiya.web.fc2.com/7h8gbiuomp
vplegat.dk/7h8gbiuomp
www.aproso.de/7h8gbiuomp
www.ciapparelli.com/7h8gbiuomp
www.foto-aeree.it/7h8gbiuomp
www.gruetzi.es/7h8gbiuomp
www.isleofwightcomputerrepairs.talktalk.net/7h8gbiuomp
www.louislechien.net/7h8gbiuomp
www.motoslittetrecime.com/7h8gbiuomp
www.sistronic.com.co/7h8gbiuomp
www.tridi.be/7h8gbiuomp
www.vakantiehuisjeameland.nl/7h8gbiuomp
www.westline.it/7h8gbiuomp
zemlya.web.fc2.com/7h8gbiuomp


The payload here is Locky ransomware, and it phones home to the following addresses:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)


Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176


Friday, 22 July 2016

Malware spam: "I am truly sorry that I was not available at the time you called me yesterday."

This spam has a malicious attachment:

From: "Lizzie Carpenter"
Subject: sales report
Date: Fri, 22 Jul 2016 21:38:25 +0800

I am truly sorry that I was not available at the time you called me yesterday.
I attached the report with details on sales figures.



-----
Best of luck,
Lizzie Carpenter

SCHRODER GLOBAL REAL ESTATE SEC LTD
Phone: +1 (773) 812-15-66
Fax: +1 (773) 812-15-86

The sender is randomly generated. Attached is a ZIP file combining elements of the recipients email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report".

In a change from recent malware runs, the script does not directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script.

This executable has a detection rate of 4/54 and trusted analysis says that it is Locky ransomware, phoning home to:


77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51




Marketing1.net spam: "Nous vous offrons toutes nos bases de données européennes avant de fermer"

I recently noted that the spammers at Marketing1.net were at it again, but despite assurances from their host Coreix that they had been suspended, they continue to send out spam. This time in French.

From:    Audrey Martin [info@mapps-fr.net] via bnc3.mailjet.com
Date:    22 July 2016 at 09:10
Subject:    Nous vous offrons toutes nos bases de données européennes avant de fermer
Signed by:    bnc3.mailjet.com

Cher Gérant, Chère Gérante,

Nous nous permettons de vous contacter car vous avez visité notre site Internet dans le passé. Comme vous le savez déjà peut-être, nous avons développé les plus grands annuaires d'entreprises sur CD en Europe. Le logiciel fourni avec les annuaires permet aux utilisateurs d'effectuer des recherches illimitées par secteur d'activité, lieu, tranche de revenus ou fonction, et d'exporter les résultats vers Excel.

Au cours de ces dernières années, des milliers d'entreprises à travers l'Europe ont utilisé nos applications pour générer des listes ciblées pour mener des campagnes de prospection à succès. Nous avons décidé de retirer nos produits du marché parce que la mise à jour des données est trop onéreuse.

Avant de fermer, nous avons décidé, comme ultime geste, de vous offrir quelque chose d'inimaginable.

Nous avons décidé de vous donner toutes nos bases de données européennes. Cela représente un accès à des millions d'entreprises à travers l'Europe. Si vous souhaitez développer votre entreprise à l'étranger maintenant ou dans l'avenir, cela est un cadeau exceptionnel.

Nous vous offrons les 7 applications suivantes:

1) Marketing1 France 2016: 5 million d'entreprises françaises. 650'000 entreprises avec email. export illimité.
2) Top Managers France 2015: 35'000 cadres supérieurs auprès des plus grandes entreprises de France. e-mail fourni avec chaque enregistrement. Base de données complète fournie sous format Excel.

3) Marketing1 UK (Royaume-Uni) 2016 (en anglais): 5,8 million d'entreprises britanniques. 800'000 entreprises avec email. export illimité.
4) Top Managers UK (Royaume-Uni) 2015: 30'000 cadres supérieurs auprès des plus grandes entreprises du Royaume-Uni. e-mail fourni avec chaque enregistrement. Base de données complète fournie sous format Excel.

5) Marketing1 Belgique 2015 (en anglais): 1,8 million d'entreprises belges. 500'000 entreprises avec email. export illimité. 

6) Marketing1 Allemagne 2016 (en allemand): 5 million d'entreprises allemandes. 1,7 million d'entreprises avec email. export illimité.
7) Top Managers Allemagne 2015: 50'000 cadres supérieurs auprès des plus grandes entreprises d'Allemagne. e-mail fourni avec chaque enregistrement. Base de données complète fournie sous format Excel.


La valeur pour toutes ces bases de données est d'environ 5000 euros. Nous vous offrons le tout pour un prix symbolique de 49 euros. Vous avez seulement à payer 49 euros et vous obtiendrez toutes les applications ci-dessus. L'offre se termine aujourd'hui à 17 heures.

Vous aurez accès immédiatement à une page de téléchargement depuis laquelle vous pouvez télécharger toutes les applications. La page de téléchargement va rester en ligne pendant six mois (de sorte que vous puissiez les télécharger à une date ultérieure, si vous le souhaitez).


Comment passer commande. échantillons gratuit.
Cliquez ici pour accéder à la page de l'offre. La page contient les liens vers tous les sites. Vous pouvez télécharger des échantillons gratuits pour toutes les applications depuis la même page.


L'offre se termine aujourd'hui à 17 heures. Ne la ratez pas.


J'espère que je ne ai pas pris trop de votre temps précieux, et je vous souhaite plein de succès.

Meilleures salutations,

Audrey Martin
Marketing1 Team


Unsubscribe:
Veuillez cliquer ici si vous ne souhaitez plus recevoir d'emails de notre part

M1 Solutions. 152 City Road, London EC1V 2NX

The link in the email goes to marketing1.site hosted on 66.96.161.163 (Endurance International Group, US) and then redirects to a landing page at marketing1apps.net on 89.187.85.8 (Coreix, UK) which is just a gateway to marketing1.net on that same IP. The email comes from 87.253.234.168, a Mailjet IP in France.

As I mentioned previously, Marketing1.net are always having a closing down sale (but never close down) and if their sample data is anything to go by, it is complete crap. That's in addition to spamming domain contacts. Avoid.

Tuesday, 19 July 2016

Malware spam: "Documents from work." / "Untitled(1).docm" leads to Locky

This rather terse spam appears to come from the victim themselves (but doesn't). It has a malicious attachment.
From: recipient@victim.tld
To: recipient@victim.tld
Subject: Documents from work.
Date:    19 July 2016 at 12:20
There is no body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component from on of the following locations:

aerosfera.ru/0hb765
biovinci.com.br/0hb765
choogo.net/0hb765
control3.com.br/0hb765
dealsbro.com/0hb765
heonybaby.synology.me/0hb765
hiramteran.com/0hb765
lifecare-hc.com/0hb765
ostrovokkrasoty.ru/0hb765
tvernedra.ru/0hb765
valsystem.cl/0hb765
wacker-etm.ru/0hb765
webidator.co.il/0hb765
wineroutes.ru/0hb765
www.mystyleparrucchieri.com/0hb765

The dropped payload has a detection rate of 3/54 and it phones home to the following locations:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)

That's a subset of the locations found here.  The payload is Locky ransomware.

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51


Malware spam: "Documents" / "Natalie Pywell" / "Natalie.Pywell6@abbeyglassuk.com"

This spam does not come from Abbey Glass UK, but is instead a simple forgery with a malicious attachment:

From     Natalie Pywell [Natalie.Pywell6@abbeyglassuk.com]
Date     Tue, 19 Jul 2016 15:27:20 +0530
Subject     Documents
Message text

Dear Customer

Please find your documents attached.

If you have any questions please reply by email or contact me on 01443 238787.

Kind regards

Natalie Pywell

**This email has generated from an automated system**
This email has been sent via the Fusemail mail filtering service provided by Pro-Copy
Limited
The sender's email address varies somewhat. Attached is a randomly named ZIP file which contains a malicious .js script.

Analysis is pending, but it looks like Locky ransomware and is probably similar to the one found in this spam run.

Malware spam: "I attached the detailed business analysis (updated}"

This spam has a malicious attachment. And also mismatched (brackets}.

From     "Lynnette Slater"
Date     Tue, 19 Jul 2016 10:47:09 +0200
Subject     Business Analysis
Message text

I attached the detailed business analysis (updated}

---

King regards,
Lynnette Slater

Briglin Pottery
Phone: +1 (181) 133-27-50
Fax: +1 (181) 133-27-49
ID: 34a8c7f01e98b92f3985fe91965e703df1f13456

The message will appear to be "from" different individuals, varying from message to message. However, the main part of the body text is always the same.

Attached is a ZIP file containing elements of the recipients email address and some random letters and numbers. I have been unable to obtain a copy of the attachment at the moment, but it is likely to be Locky ransomware and if I get further details I will post them here.

UPDATE

My usual trusted source for analysis (thank you) reports that these ZIP files contain a malicious .wsf script which downloads a component from one of the following locations:

12-land.co.jp/gvkkx
accendojuris.com/dem3owmx
aerosfera.ru/xmljn
alinmaagroup.com/c2baqb
all-rides.com/m6bobmp
altadevelopers.com/kacgwe
anima-centrum.sk/bkcs2
bastidoresderondonia.com.br/ww55qzn
biovinci.com.br/dl9f0m6
choogo.net/qisxmdwz
darkhollowcoffee.com/unntj
daveshearth.com/f1t14
dealsbro.com/ptamc
delaemvkusnoe.ru/7lsypth
delaemvkusnoe.ru/yr54po27
dev.appleleafabstracting.com/j5q4b
dipp.lt/id4e6xcs
econopaginas.com/33ry5u
ejdadim.com/tzblhuk
heonybaby.synology.me/uydikuo
ialri.net/wh64xsb
jem-111.com/v5tq6s3
kveldeil.no/gfk2p
litehauzz.com.ng/cxqr03
lkfashions.com/3vkh8fcv
modulofm.com.br/3ap3qsi
moroem.com/n79lv
muscleinjuries.com/lqah1guh
mylimajai.lt/fkf75fo
myphychoice.com/s0ksxt8e
ormanstressrelief.com/lq1z62q
ostrovokkrasoty.ru/zxaen4
pasadenaoffice.com/431i00cd
right-livelihoods.org/uplwj
scpremiumbikes.com/53mkzxat
sitkainvestigations.com/2wmp4g
technobuz.com/05gwngqn
thetestserver.net/kemymr
tvernedra.ru/zkca0de
u0086064.cp.regruhosting.ru/hnmbac
versus.uz/ah73wlnz
vidonet.es/al268615
vilalusa.com/33q4i6f
westcoastswingitaly.it/jycvhfqq
www.thephoneguy.talktalk.net/om8bt
zuerich-gewerbe.ch/99v85w

I don't have a decrypted sample of the binary at present, although the C2 locations are reported as:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine, Ltd, Ukraine)

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51



Monday, 18 July 2016

Malware spam: "Image data has been attached to this email." / "Scanned image"

This spam is presumably meant to have a malicious attachment, but all the samples I have seen are malformed:

From:    support398@victimdomain.tld
Date:    18 July 2016 at 16:22
Subject:    Scanned image

--+-+-+-MGCS-+-+-+
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: Quoted-Printable
Content-X-CIAJWNETFAX: IGNORE

Image data has been attached to this email.



--+-+-+-MGCS-+-+-+
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="18-07-2016_rndnum(4,9)}}.docm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="18-07-2016_rndnum(4,9)}}.docm"
Content-Description: 18-07-2016_rndnum(4,9)}}.docm

UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIo
oAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0lM9OwkAQxu8mvkOzV9MueDDGUDgIHpVE
[snip]
The spam appears to come from within the victim's own domain (but doesn't). In case you don't recognise all those random letters, that's what an email attachment looks like.. but something has gone badly wrong with this spam run. I haven't analysed the payload, but it is likely to be Locky ransomware as found here.

Malware spam: "Sent from my Samsung device" leads to Locky

This rather terse spam has a malicious attachment:

From:    Ila
Date:    18 July 2016 at 13:01
Subject:    scan0000511

Sent from my Samsung device
The sender and subject vary, but the subject seems to be in a format similar to the following:

scan0000511
SCAN000044
COPY00002802


Attached is a .DOCM file with the same name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading from one of the following locations:

bursaforex.home.ro/54ghnnuo
car-sound.go.ro/54ghnnuo
cats.ugu.pl/54ghnnuo
dmb.republika.pl/54ghnnuo
eightplusnine.com/54ghnnuo
enpitsutenpura.web.fc2.com/54ghnnuo
gastro411.com/54ghnnuo
howtosucceed.tripod.com/54ghnnuo
iss0.tripod.com/54ghnnuo
klasste.tripod.com/54ghnnuo
marcinek.republika.pl/54ghnnuo
naturopatheenligne.free.fr/54ghnnuo
pacyna2.republika.pl/54ghnnuo
pichuile.free.fr/54ghnnuo
sgvillage.com/54ghnnuo
static.indirveoyna.com/54ghnnuo
www.carboplast.it/54ghnnuo

The payload is Locky with a detection rate of 4/53. It phones home to:

77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)


That's a subset of the IPs found here, so I recommend you block the following IPs:

77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14
 

Malware spam: "bank account report" leads to Locky

This fake financial spam has a malicious attachment:

From     "Boyd Dennis"
Date     Mon, 18 Jul 2016 11:34:11 +0200
Subject     bank account report


How is it going?

Thank you very much for responding my email in a very short time. Attached is the
bank account report. Please look at it again and see if you have any disapproval.

--Yours faithfully,Boyd DennisHSBC HLDGSPhone: +1 (593) 085-57-81, Fax: +1 (593)
085-57-41
The sender name and details vary, although it all follows the same pattern. Attached is a ZIP file containing elements of the recipients email address and some random digits. Contained within is a .wsf script that downloads a file from one of the following locations (thank you to my source for analysis):

acnek.com/fyxxbcsz
ahatv.com.au/twh7xv
anchortron.com/hiqsij
aquatixbottle.com/ygyngc
bailamecuba.com/4uyh5bex
banthaoduoc.com/v5g9z0s
BenavidezHoy.com/8zrg48k
bigislandhawaiihilorealestate.com/16h9p
bizconsulting.ro/bm8s7
blackdildo.net/h9kyu
bridgeplacements.com/dhbuk
calcoastlogistics.com/pda6bms
candobetter.net/5nt3ayk
cbactive.com/jw7l6mlr
christian-view.com/rwe24t
cinerd.info/ebiyhv
cloudbws.com/m0tu07b
colleenthestylist.com/rdrfp
containermx.com/tb4u2v
davisdoherty.co.nz/g0vi70
deanstum.com/z9opr
dnp9.com/zpfqk2l
ecpi.ro/cqema
equalityindonesia.com/b229mg
eurasian.fc2web.com/18nws9
findmobileauto.com/gh8ft
fusofrance.fr/nengga
gruposoluciomatica.com.br/ryi81
gv.com.my/qbnuau
ilkhaberadana.com/rmegjezz
kouzoncorporation.com/jikkhl
leeplastic.com/w49a80y
matthewmccright.org/sl8wu
my-result.ru/0j1nlpj8
ormanstressrelief.com/uhgoz3b
otwayorchard.net/u96kt
provincialpw.com/r0vaqf
quest.agency/0ovl6v5z
rsxxx.com/3vp8s83
s2mgmt.com/do40lc
serviceautoiasi.com/4tbvsfcz
smp.com.mx/hcoyv
thegracefamilychurch.com/ltxm3t
tip.ub.ac.id/36k8m2xt
trans-free.ru/2hx1l
travelabroadsecret.com/rxurfhqk
travoxsb.com/qmi5u0n
vakantiehuisinauvergne.com/apyd17
wcouto.com.br/9d207v

I don't have a copy of the payload at present, but it does phone home to:

77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
176.111.63.51 (United Networks Of Ukraine Ltd , Ukraine)
209.126.112.14 (MegaHosterNetwork, Ukraine)


The payload appears to be Locky ransomware.

Recommended blocklist:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14


Tuesday, 12 July 2016

Malware spam: "Please find attached the profile of Mr.X for a suitable role in your Organisation" leads to Locky

This spam comes with a malicious attachment, it appears to come from different senders and the referenced name varies, but the format is essentially the same.

From:    Effie Larsen
Date:    12 July 2016 at 20:07
Subject:    Profile

Dear [redacted],

Please find attached the profile of Mr.Welch for a suitable role in your Organisation


King regards,
Effie Larsen
Mexico Key Account Director
Attached is a ZIP file containing elements of the recipient's email address, the word "profile" and a random number. Contained within are a variety of malicious .js scripts beginning with "profile".

These two Hybrid Analysis reports [1] [2] show download locations at:

jstudio.com.my/wtxyf4
zakagimebel.ru/nrik9xq


This is somewhat consistent with the download locations for the earlier Locky ransomware spam as seen here. It is likely that the C2 servers are the same or at least overlap.


Malware spam: "Here's that excel file (latest invoices) that you wanted." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Benita Clayton
Date:    12 July 2016 at 15:04
Subject:    Fw:

hi [redacted],

Here's that excel file (latest invoices) that you wanted.


Best regards,
Benita Clayton
Vice President US Risk Management
Sender details vary from message to message. Attached is a ZIP file containing part of the recipient's email address plus some other elements, within which is a malicious. js script beginning with -SWIFT-.

Trusted external analysis (thank you again) shows the scripts download an obfuscated binary from one of the following locations:

acepipesdeli.com.br/tffx7
aerosfera.ru/h5vkp87
agbiz.co.za/x2evw01
choogo.net/qi7j7f
control3.com.br/57nhtzkv
dealsbro.com/4qtc20
diablitos.no/ogmrgs
doisirmaosturismo-rj.com.br/jxdlzcf
eskuvotervezo.hu/3kbgy9a
eusekkei.co.jp/tdts0
ferozsons-labs.com/52sf0l
games4games.com.br/ubabtp
globaldveri.ru/i4a3l0
hanaweb.xsrv.jp/be6o4g6
heonybaby.synology.me/41sx3e
ialri.net/tughk
jsbaden.jemk.ch/xyn8moxt
jstudio.com.my/5mkejwj4
kveldeil.no/opca2v2
maihama.2jikai-p.net/5mkejwj4
mcpf.co.za/ffq1mq
mphooseitutu.com/tfq5e5d2
mywebhost.nichost.ru/g53y7
nicesound.biz/42did
omnitask.ba/ac5f6
ostrovokkrasoty.ru/x7lcd
ppf.com.pk/5z2sk
quaint.com.br/divme5d
repair-service.london/uywgi7v
revengeofsultans.com/9cu7bsw
richard-scissors.com/wife8eaf
rigoberto.com.br/nqum54t
samaju.se/fsqrtgrm
sindsul.com/h02sujs
sirimba.com.br/qiovtl
stylespiritdubai.com/be1id
tvernedra.ru/lob9x
valsystem.cl/v4db1wd
wacker-etm.ru/jfbmxlhy
wineroutes.ru/hrzl8dw5
www.cristaleriadominguez.com/fxcx6ep
www.inextenso.hu/xc3739l
www.ital.com.mx/xswj9
zachphoto.7u.cz/0jyhh
zakagimebel.ru/krcsvf
zoomwalls.com/zghpzv2f


Locky then phones home to one of the following locations:

5.196.189.37 (Just Hosting, Russia / OVH, Ireland)
77.222.54.202 (SpaceWeb CJSC, Russia)
109.234.34.146 (McHost.Ru, Russia)
192.71.249.220 (EDIS, Sweden)


Recommended blocklist:
5.196.189.37
77.222.54.202
109.234.34.0/24
192.71.249.220


Wednesday, 6 July 2016

Malware spam with random hexadecimal number leads to Locky

I only have a couple of samples of this very minimalist spam, consisting of just a "Subject" with a random hex number (e.g. 90027696CCCC611D) and a matching .DOCM attachment (e.g. 90027696CCCC611D.docm).

My trusted analysis source (thank you) says that these DOCM files contain a macro (no surprises there) that downloads a binary from the following locations:

blingberry24.com/90ujn3b8c3
danseduchat.com/90ujn3b8c3
harveyventuresltd.com/90ujn3b8c3
noveltybella.com/90ujn3b8c3
www.proxiassistant-ao.com/90ujn3b8c3
www.sacandolalengua.com/90ujn3b8c3


The payload is Locky ransomware with a detection rate of 3/52. The same source says that C2 locations are:

89.108.84.42 (Agava JSC, Russia)
148.163.73.29 (GreencloudVPS JSC, Vietnam)


Agava in particular is a regular source of badness, and I would suggest that you consider blocking the entire 89.108.80.0/20 range, or at least this minimum recommended blocklist:

89.108.84.42
148.163.73.29


UPDATE 2016-07-08

A variant of this spam run is in progress which adds the words RE, FW, Scan, Emailing or File to the random number. A trusted source (thank you) informs me that the download locations for the DOCM files in this case are:

abschlepp-taxi24.at/87yg5fd5
caijiachina.com/87yg5fd5
drpampe.com/87yg5fd5
felicecremesini.com/87yg5fd5
fermmedia.com/87yg5fd5
gebrauchtkauf.at/87yg5fd5
kurumenishimura.com/87yg5fd5
manutenzionecarrier.com/87yg5fd5
seferworld.com/87yg5fd5
snupress.com/87yg5fd5
themeidea.com/87yg5fd5

A malicious file is dropped with a detection rate of 3/55 which then phones home to the following server:

51.255.172.55 (OVH, France)

I recommend that you blog traffic to that IP.

Tuesday, 5 July 2016

Malware spam: "Scanned image" leads to Locky

This fake document scan appears to come from within the victim's own domain but has a malicious attachment.

From:    administrator8991@victimdomain.com
Date:    5 July 2016 at 12:47
Subject:    Scanned image

Image data has been attached to this email.
Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52 and 6/52. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:

leafyrushy.com/98uhnvcx4x
sgi-shipping.com/98uhnvcx4x


There will be a lot more locations too. This drops a binary with a detection rate of 5/55 which appears to be Locky ransomware. Hybrid Analysis shows it phoning home to:

185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)


Host Sailor is a notoriously Black Hat web host, MWTV has is problems too. The payload appears to be be Locky ransomware.

Recommended blocklist:
185.106.122.0/24
185.129.148.0/24



Wednesday, 29 June 2016

Malware spam: "Documents copies" / "I am sending copies of the documents as attachments."

This spam appears to come from various senders and has a malicious attachment:

From:    Eddie Savage
Date:    29 June 2016 at 22:47
Subject:    Documents copies

Dear [redacted],

I am sending copies of the documents as attachments.

Thank you very much for your reply.

Regards

Eddie Savage
"Sales Director"

Attached is a ZIP file with the recipient's email address plus "DOC", "pdf" or "copy" plus a random number, contained within is a malicious .js file beginning with "swift".

Trusted analysis by another source (thank you!) gives download locations at:

12-land.co.jp/i3t2jhd
211.133.144.17/~doberuku/u9ux2e
213.191.128.17/~bilanca/zz8nws49
31.31.77.164/~belize/vg53s9
3210kawasemi.web.fc2.com/q1znrou
66.109.30.133/~PlcmSpIp/400mks
80.109.240.71/~g.koprinkov/a570ddjp
84.94.229.189/~mce12/ynkxugc
87.106.143.248/~regie/8j89l
alexiedb.home.ro/tttkjz2n
armaplate.co.uk/41h4c0bm
armaplate.co.uk/97mdwa
armaplate.co.uk/xi7cgp
bite-sportivi.it/ckgj83r
clientes.netvisao.pt/~night/05gwe
code-ltd.com/dhc12
daveshearth.com/hdifi
denchostation.web.fc2.com/rro9ws2
diskopolo.republika.pl/n8ctec1p
fujihoku.web.fc2.com/dusqvzj4
ghislain.dartois.pagesperso-orange.fr/iy53v0
humphrey.nl/1d25yqh
iranecs.ir/5klox7
karlsmart.com/9it3vmj4
ktbk.web.fc2.com/h4ur12
machinescript.hi2.ro/94sjyj
malgorzatakowal.republika.pl/jvmf7qcs
mm.pl/~kamilmg/usbcx
negep.com.br/1sr133q6
pcadesigneng.com/4zxlg
platanenhof-zschornewitz.homepage.t-online.de/cjv865
risenkeitai.ame-zaiku.com/swcbl4r
scale.kane-tsugu.com/f9h4q
selen.yu-nagi.com/g02tx18t
shimizubandfes.web.fc2.com/lntmd0g
sp31bielsko.republika.pl/f6q9z58p
sp31-bielsko.republika.pl/od5e898
topoeval.ro/z86ca14d
toushi.katsu-yori.com/sx83vt
vipoil.es/3y95xwon
vrkoc.eu/x4t68b
watanabekagu.web.fc2.com/iwiry
www.apec.cc/rffs1rs


The payload is Locky ransomware. The command and control servers appear to be the same as found here and I recommend you block them.

Tuesday, 28 June 2016

Malware spam: "report" / "I致e attached the report you asked me to send." leads to Locky

This spam has a weird problem with its apostrophe and comes with a malicious attachment:

From:    Kris Ruiz
Date:    28 June 2016 at 10:38
Subject:    report

Hi info,

I致e attached the report you asked me to send.


Regards


Kris Ruiz
Head of Finance UKGI Planning

The details of the sender will vary from message to message.

Attached is a ZIP file containing components of the recipient's email address and the words "report" and/or "pdf". Contained within is a malicious .js script file with a name starting with "swift".

This analysis comes from a trusted third party (thank you again). The script downloads a file from one of the following locations:

300tomoli.it/j8m7ktu
4k18.com/dfg4ad
adbm.co.uk/q2bmmhz
atlantaelectronics.co.id/xe1370n
bbmarilu.it/hkl9d
bbvogliadimare.it/il4cc3e
bibliadarkorbit.za.pl/i59j41zo
bisericaromaneasca.ro/trslckn
bobbysinghwpg.com/x42honx
bordur32.ru/re23zcb7
cameramartusa.info/u0uolg9
centrosportivoiunco.it/e8uxd
certifiedbanker.org/qjxfba
cond.gribochechki.ru/1vmcl8l
depaardestal.nl/3vfr61
dobramu.za.pl/4pc3kd9p
dragon.obywateleuropy.eu/4u22bfst
dugganinternational.ca/ksx6dv7
edilperle.it/d1mys2g
euro-support.be/xaf5349p
focolareostuni.it/oqtkiw
ft.driftactive.za.pl/7b03ffv
fuckcraft.xorg.pl/8cn8zeo
hate-metal.com/kgp8v
hudebiah.net/nskx4
ilbalconcino2011.it/e4ao4kky
ingstroymash.ru/cwiivhxu
jd-products.nl/t57vc86
marxforschung.de/0e7ac
mr2peter.de/o5ci15o
mycreativeprint.com/w3d7z6
namifitnessclub.it/f6hi6k
newgeneration2010.it/gupwqe1
potolok-profit.ru/q39aie
sprintbus.com.pl/9h7b0qnx
staffsolut.nichost.ru/jwz8i9
stbb.pt/40gnvp9a
tanie-pranie.za.pl/9e607
tip.ub.ac.id/v9wcojln
turniejkrzyz.za.pl/he2013lf
usdavetrana.it/dn81o
vonenidan.de/m3mmis
www.centroinfantilelmolino.com/qtuuvm2
www.johnlodgearchitects.com/haqew
www.pececitos.com/9ehkrke


The file is then decrypted (although I don't have a sample yet) and appears to be Locky ransomware. It phones home to the following servers:

109.234.35.71 (McHost.ru, Russia)
185.146.169.16 (Pavel Poddubniy aka Cloudpro LLC, Russia)
193.9.28.254 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
194.31.59.147 (HostBar, Russia)
195.123.209.227 (Layer6 Networks, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)


Recommended blocklist:
109.234.35.71
185.146.169.16
193.9.28.254
194.31.59.147
195.123.209.227
217.12.223.88
217.12.223.89

Monday, 27 June 2016

Malware spam: "Updated" / "Attached please find the documents you requested.." / "King regards"

This spam email has a malicious attachment and a slightly amusing typo:

From:    Sophia Rowland
Date:    27 June 2016 at 22:17
Subject:    Updated

Dear [redacted],

Attached please find the documents you requested..



King regards

Sophia Rowland
Technical Manager - General Insurance
Mon, 27 Jun 2016 17:17:50 -0400
These two Hybrid Analyses [1] [2] show what appears to be Locky ransomware being downloaded from multiple locations. The dropped binary has a detection rate of 2/55. At present I don't have any C2 servers, but I would guess they are largely the same as the ones found here.

Malware spam: "Requested document" / "The document you requested is attached" leads to Locky

This spam comes from various senders, and leads to Locky ransomware:

From:    Trudy Bonner
Date:    27 June 2016 at 15:39
Subject:    Requested document

Dear [redacted],

The document you requested is attached.

Best regards


Trudy Bonner
Group Director of Strategy
Attached is a ZIP file containing elements of the recipients email address, the words "document", "doc" or "scanned" plus a random number. Contained within is a random .js script beginning with unpaid.

Trusted external analysis (thank you as ever) shows the scripts downloading from one of the following locations:

192.186.246.134/~advancedptr/4kw2yb
210.171.0.30/~akfa8701/76p9su
216.218.93.172/~thelma2/7a4q7knx
217.172.226.2/~redpaluch/8ji21s5
217.172.226.2/~vikolor/3pdqsh
300tomoli.it/0qgidk55
3141592.ru/rvhijql
4k18.com/lpschs
80.244.134.169/x4jzt5
82.140.32.172/~hoddl/4etb1e1
adbm.co.uk/104ky
addonworks.com/aaotksj
angeelle.nichost.ru/sf0bm5rz
arogyaforhealth.com/apqbmvr
asliaypak.com/zcubi7
atlantaelectronics.co.id/kjdfbm
babycotsonline.com/hiy96z
beautifulhosting.com.au/ljtxwrr4
bisericaromaneasca.ro/amfcy
bobbysinghwpg.com/fx1jpyt
cameramartusa.info/qaghx
camera-test.hi2.ro/5w9tcm
certifiedbanker.org/faplav8m
clients.seospell.co.in/8jq6cu
climairuk.com/bv7haqcm
cond.gribochechki.ru/v84pn
delicious-doughnuts.net/t81of0k
empiredeckandfence.com/8wytfp
euro-support.be/jo1s8r3k
focolareostuni.it/1tl199rq
hudebiah.net/vyz44p8
immoclic.o2switch.net/mpzkos32
ingstroymash.ru/vi4hwfp
jd-products.nl/msjswnn
mycreativeprint.com/f9qa60q
potolok-profit.ru/w9oyt
sherlock.uvishere.com/2ujlndd
staffsolut.nichost.ru/wif31sug
tip.ub.ac.id/bzrnweoo
www.centroinfantilelmolino.com/2sgw0ch


The malware phones home to the following hosts:


51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
109.234.35.71 (McHost.ru, Russia)
185.82.216.61 (ITL, Bulgaria)
185.146.169.16 (Pavel Poddubniy aka CloudPro, Russia)
195.123.209.227 (ITL, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)


Lots of ITL recently... you might want to block /24s here instead of single IPs.

Recommended blocklist:
51.254.240.48
109.234.35.71
185.82.216.61
185.146.169.16
195.123.209.227
217.12.223.88
217.12.223.89


Malware spam: DOC1234 / document4321 / Document56789 leads to Locky

This rather terse spam run leads to Locky ransomware and appears to come from the sender's own email account (but doesn't).

The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, there is no body text.

Some examples

Subject: DOC541887
Attachment: DOC541887.zip

Subject: document36168
Attachment: document36168.zip

Subject: Document453567810
Attachment: Document453567810.zip

Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:

calcoastlogistics.com/09ujnb76v5?yNVICJbit=nFikKFve
labthanhthanhpg.com/09ujnb76v5?yNVICJbit=nFikKFve
patmagifts.asia/09ujnb76v5?yNVICJbit=nFikKFve
shadowbi.com/09ujnb76v5?yNVICJbit=nFikKFve
www.tmdmagento.com/09ujnb76v5?yNVICJbit=nFikKFve


Detection rates for the dropped binary are 5/54. The malware phones home to the following IPs:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
185.82.216.61 (ITL, Bulgaria)


Recommended blocklist:
51.254.240.48
217.12.223.88
195.123.209.227
185.82.216.61


Thursday, 23 June 2016

Malware spam: "Final version of the report" probably leads to Locky

This spam leads to malware:

From:    Julianne Pittman
Date:    23 June 2016 at 09:48
Subject:    Final version of the report

Dear info,

Patrica Ramirez asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Patrica know if you have any questions about the contents of the report.


Kind regards


Julianne Pittman
Operations Director (CEO Designate)
The names in each version of the email vary. Attached is a ZIP file with a filename containing some version of the recipients email address and the word "report" which contains in turn a malicious ZIP .js script beginning with the words "unpaid".

The payload is not known at this time and analysis is pending, but is likely to be Locky ransomware similar to this.

UPDATE 1

Hybrid Analysis of three sample scripts [1] [2] [3] show three download locations (you can bet there will be many more):

bptec.ir/kvk9leho
promoresults.com.au/gx4al
boranwebshop.nl/ggc7ld


Each one drops a slightly different binary (VirusTotal results [4] [5] [6]) but at the moment automated analysis is inconclusive [7] [8] [9] [10] [11] [12]. I will try to post the C2 servers here if I get them.

UPDATE 2

A trusted third party analysis shows the following download locations (thank you!) :

3141592.ru/wyesvj
4k18.com/u69f97
aberfoyledental.ca/6dil05
abligl.com/8v62l4i4
adbm.co.uk/1o2wejz
angeelle.nichost.ru/y6s1y9h
arogyaforhealth.com/jujg6ru
atlantaelectronics.co.id/quv7rcc1
babycotsonline.com/ph42q6ue
barum.de/c2blg
beautifulhosting.com.au/rxn80
bilgoray.com/vi5sfu
bobbysinghwpg.com/pdqcqlnr
boranwebshop.nl/ggc7ld
bptec.ir/kvk9leho
cameramartusa.info/xrfpm
capitalwomanmagazine.ca/6k1oig
century21keim.com/c7xb2xy
certifiedbanker.org/obmv6590
cg.wandashops.com/evqbfwkx
clients.seospell.co.in/fkn67zy
climairuk.com/h32k491o
climatizareonline.ro/azkqs
cond.gribochechki.ru/zibni
dentalshop4you.nl/m22brjfz
disneyexperience.com/psyyhe
elviraminkina.com/ojyq1
euro-support.be/rdl3n7u
focolareostuni.it/0k2ren
freesource.su/ijugasq1
grantica.ru/6hjli
honeystays.co.za/siu2k
ideograph.com/k7qfsxx
imetinyang.za.pl/74hd4by5
immoclic.o2switch.net/styvuwti
jd-products.nl/xjld131
karl-lee.se/x23ft
margohack.za.pl/wkiokl
matvil8.freehostia.com/64tmb1
mycreativeprint.com/mqib9te
oakashandthorn.charybdis.seedboxes.cc/f7ge4y3k
pipt.wallst.ru/qojqp2
promoresults.com.au/gx4al
redpower.com.au/xlkdld
tip.ub.ac.id/k2e32vh
www.centroinfantilelmolino.com/60wfh
www.darkhollowcoffee.com/oqlyd9m
www.ellicottcitypediatrics.com/7d6sdl
www.keven.site.aplus.net/fmlonxl


C2 servers are at:

51.254.240.48 (Rackspace, US)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


The malware uses the path /upload/_dispatch.php on the C2 servers.

Recommended blocklist:
51.254.240.48
91.219.29.41
217.12.223.88
195.123.209.227
93.170.169.188



/upload/_dispatch.php

Wednesday, 22 June 2016

Malware spam: "Corresponding Invoice" leads to Locky

This spam has a malicious attachment, probably leading to Locky ransomware:

From:    Althea Duke
Date:    22 June 2016 at 16:00
Subject:    Corresponding Invoice

Dear lisa:

Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
contact me.

Also, our records show that we have not yet received payment for the previous order of 11 June,
so I would be grateful if you could send payment as soon as possible. Please find attached the
corresponding invoice.

If there is anything else you require, our company would be pleased to help. Looking forward to
hearing from you soon.

Yours sincerely

Althea Duke
Managing Director
Who the message is "from" varies from message to message, but the body text is the same. Analysis of the payload is pending, but it is probably similar to yesterday's Locky run.

UPDATE

A little bit of analysis, via these automated reports [1] [2] [3] [4] [5] show some download locations as:

personal-architecture.nl/6gcpaey
ding-a-ling-tel.com/b289dg
plasticsmachine.com/d43ndxna
hyip-all.com/9qwmc65

Various files are dropped, including these samples [6] [7] the latter of which is a three week old version of Locky. Go figure. The comments in this report show C2 servers at:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
185.82.216.55 (ITL, Bulgaria)
93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


Three out of those four servers are the same as yesterday.

Recommended blocklist:
51.254.240.48
91.219.29.41
185.82.216.55
93.170.169.188

Tuesday, 21 June 2016

Malware spam: "Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter."

This malicious spam leads to Locky ransomware, something that we haven't seen for several weeks:

From:    Lilian Fletcher
Date:    21 June 2016 at 20:01
Subject:    Re:

Dear lisa:

Please find attached our invoice for services rendered and additional disbursements in the above-
mentioned matter.

Hoping the above to your satisfaction, we remain.

Sincerely,
Lilian Fletcher
Head of Maintenance
These are being sent out in huge numbers at the moment. Details vary from message to message, but the body text is essentially the same. Attached is a ZIP file containing the words addition, invoice or services plus the recipients email address and a number (e.g. lisa_addition_278292.zip) containing a malicious script beginning with the word "addition".

A trusted third-party analysis (thank you, you know who you are) shows download locations at:

204.232.192.84/abjvucr
akdenizozalit.com/ixoxi
allchannel.net/lue6c4
aloprint.com/bk0f2
arabian-star.com/nay7jq7
beluxfurniture.com/0jcxx
cbactive.com/1sdfs
clerici.info/g1sd5d59
depaardestal.nl/z5htsm
ding-a-ling-tel.com/bazk3kao
easysupport.us/fl85xie
ekonova.nazwa.pl/wc0coj
ft.dol.za.pl/ymsikgp7
fuji-mig.com/awcigpa1
futuretech-iq.net/koqpy
handicraftmag.com/mrihc
heavenboundministry.com/i7a59qj
hrlpk.com/s5ibqz1
hyip-all.com/9qwmc65
iminlife.com/cqoanbzr
infocuscreative.net/didt48j
innatesynergy.com/mrgdve3
jasoncoroy.com/szlzqni
kitchenconceptagra.com/5s9xb7j
komplettraeder-24.de/w61qx92
marxforschung.de/tt18a
modelestrazackie.za.pl/zfww8nx
otolocphat.com/bv2n241r
passagegoldtravel.com/bqugo3qb
pawelbuczynski.za.pl/z1q8u
percorsipsicoarte.com/6gz707c
pub-voiture.com/dcsjrjm
racedayworld.com/808k8pd
reginamargherita96.net/hhtvomcw
rzezba-bierowiec.za.pl/y7fbo1a
samrhamburg.com/jrh9b
scpremiumbikes.com/3y1b0n4s
searchforamy.com/1fz0k9kp
stbb.pt/z59ifwj
stckwt.net/p4jlk
testfacility.awsome.pl/zc73v
totalsportnetwork.com/kpbrp2mq
ugmp.nazwa.pl/xkhhf2n
unitedprogamers.za.pl/ylxt67
vantagenetsvc.com/a7xssz
vinabuhmwoo.com/69udv
wasearch.us/6mm3hk
wbksis.com/5mxl28il
yourworshipspace.com/a3py3w


Analysis by those parties shows that it phones home to:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
185.82.216.55 (ITL, Bulgaria)
217.12.223.83 (ITL, Ukraine)


As I mentioned before, this is Locky ransomware which has not been circulating at all since about 31st May.

Recommended blocklist:
51.254.240.48
91.219.29.41
185.82.216.55
217.12.223.83


Thursday, 16 June 2016

Spam: Dr Happy's Terrorism Conference

Fake conferences are a pretty common scam. The criminals send out spam about serious-looking upcoming conferences that don't exist and then rip victims off for travel costs, conference fees and hotel accommodation. This spam about a fake conference about terrorism caught my eye because it comes from the amusingly named (but fake) Dr Happy Wisdom:

From:    Dr. Happy [shreyag@bajajcapital.com]
Reply-To:    "Dr. Happy" [iedhsto.officedesk@gmail.com]
Date:    15 June 2016 at 23:24
Subject:    INTERNATIONAL CONFERENCE PROGRAM 2016

Dear Sir/Madam,

 On behalf of the International Economic Development on Human Security and Terrorism Organization, I am pleased to invite you to our conference that will be held from August 15th to 19th, 2016 @ the conference place in Dallas Texas USA and August 22nd-26th 2016 @ in Dakar Senegal. The conference meeting will contain various talks and mini workshops related to the issues of Challenges to Economic Development & Human Security in our society.

The topic of the conference is "The Effect of Terrorism on Global Economy and Human Security " the sponsors of this event shall cover your round-trip air tickets from your country to the USA and from USA to Dakar Senegal back to your country and we shall also provide visa assistance with the U.S Embassy in your country of residence and your ground transportation from the airport to the conference venue. The hotel accommodation booking cost will be your own responsibility in Republic of Senegal. Please contact the conference secretariat for more information and registration for participation: [iedhsto.officedesk@gmail.com].

We look forward to your confirmed presence at the conference.
Respectfully Yours,
Dr. Happy Wisdom,
Program Assistant.

The email does actually originate from an IP address in Senegal (41.82.15.40) but then it is routed through a hacked server belonging to the domain bajajcapital.com which is a finance company in India. The compromise email account can be seen in the "From" field.

At best this scam is some sort of financial fraud. At worst, turning up to it could put your life in danger. Avoid.


Friday, 10 June 2016

Malware spam: ". CARTÓRIO POSTAL. Apontamento de Protesto. 10/06/2016 17:42:46"

This Portuguese-language spam leads to malware:

From:    formacion@salesianos-madrid.com
Date:    10 June 2016 at 21:42
Subject:    . CARTÓRIO POSTAL. Apontamento de Protesto. 10/06/2016 17:42:46

Levamos ao conhecimento de V. Sa. que se acha devidamente protocolado neste Tabelionato, para ser protestado, o título abaixo anexado.

Lei nº 9.492 de 10 setembro de 1997.
Art. 12. O protesto será registrado dentro de três dias úteis contados da protocolização do título ou documento de dívida.
§ 1º Na contagem do prazo a que se refere o caput exclui-se o dia da protocolização e inclui-se o do vencimento.

Favor comparecer munido deta intimação, no horário das 8:00h às 17:00h


Atenciosamente,Liliane peixoto.

The link in the email message in this case goes to:

www.sugarsync.com/pf/D3259546_878_449109824?directDownload=3Dtrue

This downloads an executable PROTESTO.exe with a VirusTotal detection rate of 15/56. Automated analysis [1] [2] [3] shows it dropping a further executable OViLQKDS.exe which has a detection rate of 16/56. Analysis of that is inconclusive [4] [5] [6] is inconclusive, but it looks like some kind of information stealer.

Wednesday, 8 June 2016

Malware spam: "David Bernard agent Fedex" / "Secure-FeDex" leads to Andromeda

This fake FedEx (or FeDex?) spam has a malicious attachment:

From:    Secure-FeDex
Date:    8 June 2016 at 18:17
Subject:    David Bernard agent Fedex

Deаr [redacted] ,
We tried tо delivеr уour item on June 08th, 2016, 10:45 АM.
The delivеry attempt failеd because thе аddress was business сlоsed оr nobodу сould sign fоr it.
Тo piсk up the package, please, рrint the receipt that is аttаchеd to this еmаil and visit FеdEx
office indicated in the invoice. If the pасkagе is nоt piсkеd up within 24 hоurs, it will bе returnеd to thе shipper.
 
Receipt Number:  98402839289
Eхpесted Delivеrу Dаte: June 08th, 2016
Class: Intеrnаtional Paсkаge Sеrviсe
Servicе(s): Delivеrу Cоnfirmation
Status: Notifiсatiоn sent
 
Thank you for choosing our service
 
 
©  FedEх  1995-2016
In this case there was an attachment FedEx_track_98404283928.zip which unzipped into a folder FedEx_track_98404283928 containing in turn a malicious script FedEx_track_98404283928.js which (according to Malwr) attempts to download a binary from one of the following locations:

www.brusasport.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.microsoft.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.mega.net/Brusa/vario/direct/teamviiverupdate2918372.exe
www.google.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.yahoo.com/Brusa/vario/direct/teamviiverupdate2918372.exe

Only the first one is a valid download location, the rest are a smokescreen. The dropped binary has a detection rate of 5/56 but automated analysis [1] [2] [3] is inconclusive. However those reports do seem to indicate attempted network traffic to:

secure.adnxs.metalsystems.it
upfd.pilenga.co.uk


These two subdomains appears to have been hijacked from unrelated Register.IT customers and are hosted on a questionable-looking customer of OVH Italy on 188.165.157.176:

organisation:   ORG-NQ1-RIPE
org-name:       Kitdos NOC
org-type:       OTHER
address:        UNKNOW
address:        UNKNOW UNKNOW
address:        US
e-mail:         kitdos.com@gmail.com
abuse-mailbox:  kitdos.com@gmail.com
phone:          +33.188866688
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-02-04T03:22:05Z
last-modified:  2016-02-23T13:14:14Z
source:         RIPE


Other hijacked subdomains on the same IP are:

tgr.tecnoagenzia.eu
bmp.pilenga.co.uk
maps.pilenga.co.uk
sundication.twitter.luigilatruffa.com
tit.pilenga.net
trw.pilenga.net
ocsp.pilenga.net
plda.pilenga.net
maps.pilenga.mobi
plda.pilenga.mobi


This Tweet from ‏@pancak3lullz indicates that this IP is associated with Anrdomeda rather than the usual recent patterns of Locky or Dridex (which has.. err.. dried up recently). It appears to have been a malicious IP for more than a month.

Of interest is that almost every part of this chain (including the spam sending IP of 31.27.229.22) is in Italy.

As with a great deal of recent spam, this is delivered via a .js script in a ZIP file. If you can configure your mail filters to reject such things then you will be a whole lot safer.

Recommended blocklist:
188.165.157.176/30


Malware spam: "Good morning" résumé spam drops Cerber ransomware and makes a statement

This fake résumé spam leads to malware:

From:    Dora Bain
Date:    7 June 2016 at 03:37
Subject:    Good morning

What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.

With gratitude,

--
Dora Bain
In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes that tries to make a political statement along the way..


This downloads a file from 80.82.64.198/subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe  which VirusTotal gives a detection rate of 20/56 and seems to give an overall diagnosis as being Cerber ransomware.

The IP address of 80.82.64.198 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24 which could be a good candidate to block. Incidentally, the IP hosts best-booters.com which is likely to be a DDOS-for-hire site.

According to the VT report the malware scans for a response on port 6892 on the IP addresses 85.93.0.0 through to 85.93.63.255. However, this Hybrid Analysis indicates that the only server to respond is on 85.93.0.124 (GuardoMicro SRL, Romania) which is part of the notoriously bad 85.93.0.0/24 which is a good thing to block.

That report also shows traffic to ipinfo.io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.

Recommended blocklist:
80.82.64.0/24
85.93.0.0/24