Sponsored by..

Monday, 15 August 2016

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Friday, 12 August 2016

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld
The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs


The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190


Thursday, 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Thursday, 4 August 2016

Malware spam: "Please sign the receipt attached for the arrival of new office facilities." leads to Locky

Yet another Locky campaign today..

From:    Erica Hutchinson
Date:    4 August 2016 at 12:34
Subject:    please sign

Dear [redacted]

Please sign the receipt attached for the arrival of new office facilities.


Best regards,
Erica Hutchinson

This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run.

Malware spam: "Emailing: Sheet / Document / Invoice" with a .docm leads to Locky

This malware-laden spam comes with a variety of subjects, for example:

Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf


There is no body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component from one of the following locations:

abi64.com/h78r3gfe
bikepaintpureworks.web.fc2.com/h78r3gfe
brupuoli.tempsite.ws/h78r3gfe
composit.vtrbandaancha.net/h78r3gfe
film-online.bejbiblues.cba.pl/h78r3gfe
ftp.bergamo.chiesacattolica.it/h78r3gfe
innal.com.mx/h78r3gfe
karnat.cba.pl/h78r3gfe
mbc.nekonikoban.org/h78r3gfe
potato.chottu.net/h78r3gfe
schello4u.de/h78r3gfe
tyouseikan.web.fc2.com/h78r3gfe
www.agriturismolapiana.net/h78r3gfe
www.artistsagainstwar.it/h78r3gfe
www.bwmodels.com/h78r3gfe
www.comunedicanischio.it/h78r3gfe
www.ekstraciuchy.pl/h78r3gfe
www.kishazy.hu/h78r3gfe

(Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here.

Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change


King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
Sender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:

escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7


This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]

All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.

Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22






Wednesday, 3 August 2016

Malware spam: "Confirmation letter" leads to Locky

Another spam run leading to Locky ransomware..
From:    Mavis Howe [Howe.4267@croestate.com]
Date:    3 August 2016 at 13:32
Subject:    Confirmation letter

Hi [redacted],

I attached the employment confirmation letter I prepared.
Please check it before you send it out.

Best regards

Mavis Howe
The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here.

Malware spam: "As you directed, I send the attachment containing the data about the new invoices"

Another day, another Locky ransomware run:

From:    Marian Mcgowan
Date:    3 August 2016 at 11:15
Subject:    Fw: New invoices

As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script  which according to this Malwr analysis downloads a binary from..

blog-aida.cba.pl/2zensi7t

..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:

93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]

Both those IPs are in known bad blocks.

Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24



Tuesday, 2 August 2016

Malware spam: "Unable to deliver your item, #000179376" / "FedEx International Ground" leads to ransomware

This fake FedEx email has a malicious attachment.

From:    FedEx International Ground [terry.mcnamara@luxmap.com]
Date:    2 August 2016 at 18:53
Subject:    [REDACTED], Unable to deliver your item, #000179376

Dear [Redacted],

This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.

Thanks and best regards,
Terry Mcnamara,
Support Manager.
Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis on the sample shows that the script downloads ransomware from opros.mskobr.ru but a quick examination of the code reveals several download locations:

opros.mskobr.ru
alacahukuk.com
www.ortoservis.ru
aksoypansiyon.com
samurkasgrup.com


Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:

195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)


A couple of binaries are dropped onto the system, a.exe (detection rate 2/53) [may not be malicious] and a2.exe (detection rate 7/53).

The payload seems to be Nemucod / Crypted or some related ransomware.

Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32



Monday, 1 August 2016

Malware spam: "Please review the attached corrected annual report." / "Corrected report"

This spam comes with a malicious attachment:

Subject:     Corrected report
From:     Joey Cox (Cox.48@sodetel.net.lb)
Date:     Monday, 1 August 2016, 13:37

Dear webmaster,

Please review the attached corrected annual report.

Yours faithfully
Joey Cox
The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware from one of the following locations (thank you to my usual source for analysis):

121.83.206.211/~ftp-yama/9z6nu
12-land.co.jp/gyukmx
209.202.52.42/~wevugoja/eijz2y
213.228.128.12/~joaod/2xbjbu
213.228.128.12/~joaod/74ujkijl
217.26.70.200/~pitagora/4nm1k
218.228.19.9/~yossi/9ssfpkz
67.23.226.139/~jneccsio/2egblt4m
79.96.153.93/cxzlkz
80.109.240.71/~r.theeuwes/6c1arl9
abufarha.net/55hhso
akeseverin.com/audqp
akva-sarat.nichost.ru/xc2kao
arogyaforhealth.com/l9bwo0
b-doors.ru/l65n0 - hash
bisericaromaneasca.ro/jzvtuc
bobbysinghwpg.com/k3v1t3v4
canplus.fc2web.com/faepi1
certifiedbanker.org/lg305
climairuk.com/kmbw8q
clinic.gov.ua/sku4ql
darkhollowcoffee.com/n69xfk
darkhollowcoffee.com/xlbps
enexp.ru/r2wbp6
fotografuj.pl/8hotlfc2
fotografuj.pl/y4m2b
gp-logistics.ru/uwkop
keven.site.aplus.net/rb9skl
krovgid.ru/wooq2
libertymanuals.com/o97dh92i
mobile-kontent.com/ou6ne
openspace.pro/teg7qur
paletteswapninja.com/~playre5/0mxupm8q
programistyczni.strefa.pl/j7xk8c
ramsayconstruction.ca/b27ix9s
rom-stroy.ru/s0kphjat
schlebach.25mm.ru/ycz6sn
seahawkexports.com/7954qp3a
shagunproperty.com/8ikrr
sigovka.ru/w790cg8h
steelfs.com.mx/00ucikvv
stroymonolit.su/7oiy5i8
tvoy-android.com/i8rsoei
u2319351.plsk.regruhosting.ru/vsfvyj1j
ultramarincentr.ru/jtmms
uxeurope.com/~guest/7rj3px
visionaero.com/9grdv
wordpress.pro-tiler.ru/mk9yi4wl
www.robtozier.com/bg58a


The dropped binary then attempts to phone home to:

91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

The host for that last one comes up over and over again, it's time to block that /22..

Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22



Scam: Fanrong Europe Fund / fanrongfund.info / fanrongeuropefund.info / fanrongeuropefund.com

This spam email advertising a "too good to be true" investment is a scam:

From:    Tim Hoffman [letter@612.com]
To:    contact [contact@victimdomain.tld]
Date:    30 July 2016 at 09:26
Subject:    Fanrong Europe Fund – 1 Half 2016 return +32.69%.

Dear Sirs,

Please be informed that the Fanrong Europe Fund reported strong 1 Half 2016 with return +32.69%.

Fanrong Europe Fund is a registered hedge fund that managed by a team of stock market experts that located in Zurich, Switzerland. The Fanrong Europe Fund Strategy is Long/Short Equity. The Fund was launched in April 2014. It is open-ended hedge fund. We are open for new investors.

We welcome you to contact us through our web-site to learn more about investing with us:
www.FanrongFund.info

Kind regards,
Tim Hoffman
e-marketing manager
Fanrong Europe Fund
www.FanrongFund.info


Reply to: marketing@fanrongfund.info

If you do not want to receive this newsletter send an email to: unsubscribe@fanrongfund.info

NOTICE: Your address was obtained from open sources where you were agreed to receive the marketing information from third parties.
I have received two of these emails, one coming from the IPs 188.69.207.57 and 188.69.223.168 which are both allocated to a mobile phone provider in Lithuania (UPDATE: also 188.69.223.54). The website fanrongfund.info was created just a few days ago (28th July 2016) and is registed to the following (presumably fake) registrant:

Registrant ID: JLD4030131633
Registrant Name: James Dean
Registrant Organization:
Registrant Street: Vorstadt 20
Registrant City: Zug
Registrant State/Province:
Registrant Postal Code: 6300
Registrant Country: CH
Registrant Phone: +41.417120101
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jd767@yahoo.com


The site is hosted (apparently) in the British Virgin Islands on an IP allocated to the Public Domain Registry (PDR). It uses nameservers from Russian company AYBHOST.COM.

The website is pretty generic looking and opens with these words of wisdom:

Our main trade approach is:
"Close the position if it runs to loss, and hold it if it runs to profit".

Hans Messner
fund manager "Fanrong Europe Fund"

What next. "Buy low, sell high"? Here are some screenshots in case you see another version of this on your travels:






The "About" page carries this text:
We are the EU-domiciled investment manager with successful experience in stock trade in EU. Our professional assets managers have personal approach to trade with bear and bulls market. We use self-made investment strategy that allows getting the constant positive result in short-term horizon. All investment process is in full accordance with IIS (International Investment Standards) of Fanrong Capital (Hong Kong) (fanrongcapital.com).
Presumably this is copied off an earlier scam site, in this case there is an official warning about that particular firm.

fanrongfund.info appears to have mirrors at:

fanrongeuropefund.info
fanrongeuropefund.com

Both of these are hosted on 46.4.24.196 (Hetzner, Germany). The WHOIS details for those are inconsistent with each other.

fanrongeuropefund.info
Registrant ID: HSM1859139253
Registrant Name: Hans Messner
Registrant Organization: Fanrong Europe Fund
Registrant Street: Leutschenbachstrasse 95
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8050
Registrant Country: CH
Registrant Phone: +41.445632589
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.info


fanrongeuropefund.com
Registry Registrant ID: Not Available From Registry
Registrant Name: Li Yong
Registrant Organization:
Registrant Street: Schwingerstrasse 9
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8006
Registrant Country: CH
Registrant Phone: +41.442289632
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.com


For completeness, the domain fanrongcapital.com is hosted on 5.100.152.26  (the same block as fanrongfund.info) and this particular corporation seems to be using a free email address..

Registry Registrant ID: Not Available From Registry
Registrant Name: Wei Zhang
Registrant Organization: Fanrong Capital
Registrant Street: 20F, 1 Harbor View Street
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 111000
Registrant Country: HK
Registrant Phone: +852.58085536
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fanrongcapital@yahoo.com


Nothing about this offer is legitimate. Avoid it, or if you have invested money in this fictitious firm then you should contact the police immediately.

Friday, 29 July 2016

Malware spam: "Voicemail from Anonymous" / SureVoIP [voicemailandfax@surevoip.co.uk]

This fake voicemail spam has a malicious attachment:
From     SureVoIP [voicemailandfax@surevoip.co.uk]
Date     Fri, 29 Jul 2016 17:47:41 +0700
Subject     Voicemail from Anonymous <Anonymous> 00:02:15

Message From "Anonymous" AnonymousCreated: Fri, 29 Jul 2016 19:45:15 +0900Duration:
00:02:37Account: victimdomain.tld
The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf.

According to my trusted source (thank you as ever):

64.22.100.95/78h8ry
A1Engg.com/9u8jreve
am-i-evil.de/n3rv3rv
avaretv.atspace.com/n3rv3rv
cieslakwz.cba.pl/9u8jreve
curionaut.web.fc2.com/78h8ry
gim24.y0.pl/9u8jreve
guessen.privat.t-online.de/9u8jreve
gurannbania03.web.fc2.com/9u8jreve
hanokenko.web.fc2.com/n3rv3rv
hokkatsu6.web.fc2.com/78h8ry
kapiti-alpaca.co.nz/78h8ry
kathrin18.edv-kamue.de/78h8ry
kimani.dommel.be/n3rv3rv
martinezlabalsa.atspace.org/78h8ry
melzer-ferienwohnung.de/78h8ry
mertenitalia.atspace.com/78h8ry
paris82nana.cafe24.com/78h8ry
pixelacker.de/9u8jreve
rakurakutuuhang.web.fc2.com/n3rv3rv
rhodins.nu/n3rv3rv
sandalcraft.cba.pl/9u8jreve
shinryu1226.web.fc2.com/78h8ry
sspbadecz.ugu.pl/9u8jreve
www.amelander.nl/78h8ry
www.arrietayasociados.es/9u8jreve
www.atiyka.home.ro/9u8jreve
www.bobp.org.uk/9u8jreve
www.cabana.it/9u8jreve
www.corama.com/n3rv3rv
www.cs-strumentazione.it/9u8jreve
www.destine.broker.go.ro/n3rv3rv
www.diegofabbri.com/n3rv3rv
www.ecologica2000srl.eu/78h8ry
www.finnform.it/n3rv3rv
www.flamarimports.com.br/n3rv3rv
www.josegbueno.jazztel.es/9u8jreve
www.malzi.mynetcologne.de/n3rv3rv
www.markomielentz.de/78h8ry
www.nieli.de/9u8jreve
www.oliooddo.com/n3rv3rv
www.professionaldga.com/78h8ry
www.suesswarentechniker.de/78h8ry
www.techninov.fr/n3rv3rv
yohollywood.50webs.com/78h8ry


The downloaded binary is Locky ransomware, phoning home to:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]

Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139

Malware spam: "Bank account record" leads to Locky

This fake financial spam leads to malware:

Subject:     Bank account record
From:     Stephen Ford (Ford.24850@aworkofartcontracting.com)
Date:     Friday, 29 July 2016, 10:56

Good morning,

Did you forget to finish the Bank account record?
Read the attachment and let me know if there is anything I didn't make clear.

Yours sincerely,
Stephen Ford

57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe 

The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attacked is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record" (sample here).

According to the Hybrid Analysis on that script and Malwr report on a partly deobfuscated version the script downloads a binary from:

oleanderhome.com/q59ldt5r

This dropped binary has a detection rate of 5/55 and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2].

The is also traffic to kassa.p0.ru which is more of a puzzle and doesn't look particularly malicious. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs.

If I get more information on this I will post it here.

UPDATE

My trusted source (thank you) gives the following download locations:

211.18.200.4/~tlas021/3rwcozqv
80.241.232.207/fefj1r
agazoumi.com/t30z6j8
alci.dommel.be/clf26lu
amandinearmand.perso.sfr.fr/6piy70m
azmusclemart.com/pb79s
bartocha-photography.com/~fib-naturfoto/99xny
blekitniproba.cba.pl/fo1k6o
chelmy.cba.pl/yv7h2r3
childmoon.web.fc2.com/coy0nl
fcc-thechamps.de/6g5vo1a
garo903.web.fc2.com/2mf4v0
handball-literatur.de/3ua7j
happurg-schulanger.atspace.org/0s6lyu6
hw.srca.org/iwg54jh
impregui.com/h3cywm
inhouserecording.atspace.com/t4wj9316
intracorpwestsidecollection.com/ifs0j92
joslinsalesltd.com/kro1gx
jyoumon.web.fc2.com/7tcec
kenestyonline.com/h782hd
minocki.republika.pl/nvlx7
minocki.republika.pl/s125d6
newt150.tripod.com/4bcsv
oleanderhome.com/q59ldt5r
ratnam.fx.perso.sfr.fr/vtpm9k
senzai.nobu-naga.net/2jv74
smc.psuti.ru/3rcxu
theuniongroup.com/5sv0c
tomart3d.cba.pl/3ivctw
voisin-sa.com/~voisin9689/vnsaumj
vova318.vline.ru/mkmkr
wbbs176.web.fc2.com/20srj
wktkwkbaaan.web.fc2.com/0mm9qx
wn420pjpa.homepage.t-online.de/046ss5
www.13one.de/vz8gl5a
www.astool.com/ljgzai
www.attivita-antroposofiche-roma.org/gpjjr5u
www.damasoinfante.com/7pmfw
www.dukewayne.talktalk.net/todga
www.erikacostruzioni.com/0z1hkf
www.ferresur.es/3k58w8z
www.fotosdelburgo.com/oerwg1
www.frank-nickel.de/7e46f9t5
www.hydroenergie.fr/yzhhkit
www.istruiscus.it/qzdy65b0
www.istruiscus.it/r5ncu
www.kassa.p0.ru
www.snvl-ptrc.go.ro/srhgx
zauber-fred.de/0zth9jfv


C2 servers are the same as found here.

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]

Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139


Thursday, 28 July 2016

Malware spam: "Self Billing Statement" / Kathryn Smith [kathryn@powersolutions.com] leads to Locky

This fake financial spam comes with a malicious attachment:

From     Kathryn Smith [kathryn@powersolutions.com]
Date     Thu, 28 Jul 2016 16:21:41 +0530
Subject     Self Billing Statement
I do not know if there is any body text at present. Attached is a file with a name similar to Self Billing Statement_431.zip which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js)

Analysis by a trusted party shows that these scripts download a component from one of the following locations:

apachost.com/j988765
avon-beraterin-mank.de/j988765
cukiernia_izabela.republika.pl/j988765
dawstaw.cba.pl/j988765
gnetgnethouse.web.fc2.com/j988765
gumka.strefa.pl/j988765
kreacjonizm.cba.pl/j988765
levivanesch.nl/j988765
maka.ken-shin.net/j988765
okhtinka.ru.hoster-ok.com/j988765
robertstefan.home.ro/j988765
sardain.fr/j988765
sonomama.kan-be.com/j988765
taityou0615.web.fc2.com/j988765
tolearn.tora.ru/j988765
www.andyschwietzer.homepage.t-online.de/j988765
www.aspadeljaen.com/j988765
www.camelu.com/j988765
www.flagships.de/j988765
www.schwarzer-baer-kastl.de/j988765
www.uasm.de/j988765


This originally dropped this payload since updated to this payload, both of which are Locky ransomware. The C2 servers to block are exactly the same as found in this earlier spam run.

Malware spam: "Please check the attached invoice and confirm me if I sent the right data" leads to Locky

This fake financial spam leads to malware:

Subject:     Invoice
From:     Kendall Harrison (Harrison.59349@chazsmedley.com)
Date:     Thursday, 28 July 2016, 10:33

Hello,

Please check the attached invoice and confirm me if I sent the right data

Yours sincerely,
Kendall Harrison

320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3 
The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted".

The Malwr analysis for the partially deobfuscated script and this Hybrid Analysis show this particular sample downloading from:

83.235.64.44/~typecent/xvsb58

This drops a malicious Locky ransomware binary with a detection rate of 7/55. Analysis of this binary is pending.

UPDATE

Thank you to my usual source for this analysis. The download locations for the various scripts are:

01ad681.netsolhost.com/7j0jlq3
12-land.co.jp/vrquj
178.78.87.8/xjzhm
83.235.64.44/~typecent/xvsb58
arabian-horse-highlights.homepage.t-online.de/kzm2n
bajasae.grupos.usb.ve/4y13jg1
baldwinhistory.portalstream.net/rqbljjx
billy-hanjo.homepage.t-online.de/2r713u
blanquerna.eresmas.net/tt2e8s4
burkersdorf.eu/8y5n3f
campustouren.de/k6tkk
christilipp.com/cnb0o
creartnet.com/5ylah
dev12.gammat.net/oxg2m3
exclusive-closet.com/fld2h8
fremdesland.x.fc2.com/iya9qt
gkxxx.x.fc2.com/dxfom
idd00dnu.eresmas.net/wdmlqe
it4cio.servicos.ws/u8c3x
jozefow.cba.pl/ouini6
karumaengeki.web.fc2.com/f3ry4
kbridge.web.fc2.com/hj1fr
lacrima.ru/hvn1c
luzdevelas.es/9belfi
mbiurorachunkowe.republika.pl/6t6sz
motorkote.org/0gq654
okhtinka.ru.hoster-ok.com/qdiqooeo
papamama.com.sg/zhbepez
piggy.riffle.be/~gniff/r9bzz
robertstefan.home.ro/pycz4o
sav-krelingen.de/36r3qe8
schefman.info/snjqz
slit.xxxxxxxx.jp/l58gd3p
sv-r.ru/btawsoc
www.acheri.it/magii
www.andyschwietzer.homepage.t-online.de/r3a0tw
www.chantale.force9.co.uk/lsyeuw
www.clefranceitalie.org/cj937f7l
www.inari.net/ov5u1k
www.kan-therm.ru/qara9i
www.marinoderosas.com/59nue8uo
www.panella.org/eo9lk
www.rgtalp14.it/ykb84n40
www.ruyssinck-demeyer.be/v4xo5r28
www.schwarzer-baer-kastl.de/tt7ea
www.uasm.de/qwqiyk
yourparty.cba.pl/5avhe
zckupila.republika.pl/m6w6uu5f


C2 locations:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)


Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0


Wednesday, 27 July 2016

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be 
The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.

UPDATE

The C2 locations for this variant are:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)


Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30


Malware spam: "Sent from my Samsung device" leads to Locky

This spam comes in a few different variations:

From:    Lottie
Date:    27 July 2016 at 10:38
Subject:    scan0000510

Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:

alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765


The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)


(Thank you to my usual source for this data)

There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.

Recommended blocklist:
5.9.253.160/27
178.62.232.244


Tuesday, 26 July 2016

Malware spam: "list of activities" leads to Locky

This fake business spam has a malicious attachment:

From     "Penelope Phelps"
Date     Tue, 26 Jul 2016 23:02:43 +1100
Subject     list of activities

Hello,

Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.

Warm regards,
Penelope Phelps
ALLIED MINDS LTD
Security-ID: 4d2c95a750fe26a3560ffddfe374ff5c5c064bd78fea30
The sender's name, company and "Security-ID" vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script that looks like this. This Malwr report and this Hybrid Analysis show this particular sample downloading from:

akva-sarat.nichost.ru/bokkdolx

There will be many other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55. Further analysis is pending, however it is quite likely that this sample uses the same C2 servers as seen earlier today.



Malware spam: "Attached Image" leads to Locky

This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    26 July 2016 at 10:27
Subject:    Attached Image

**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************
Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:

www.isleofwightcomputerrepairs.talktalk.net/okp987g7v

There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:

31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)


Recommended blocklist:
31.41.47.41
91.234.35.216


Monday, 25 July 2016

Malware spam: "Emailing: Photo 25-07-2016, 34 80 10" / "Emailing: Document 25-07-2016, 72 35 48"

This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
From:    Rebeca [Rebeca3@victimdomain.tld]
Date:    25 July 2016 at 10:16
Subject:    Emailing: Photo 25-07-2016, 34 80 10


Your message is ready to be sent with the following file or link
attachments:

Photo 25-07-2016, 34 80 10


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".

An alternative variant comes with a malicious Word document:

From:    Alan [Alan306@victimdomain.tld]
Date:    25 July 2016 at 12:40
Subject:    Emailing: Document 25-07-2016, 72 35 48

Your message is ready to be sent with the following file or link
attachments:

Document 25-07-2016, 72 35 48


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
The attachment is this case is a .DOCM filed named in a similar way as before.

This analysis is done by my usual trusted source (thank you). These scripts and macros download a component from one of the following locations:

0urkarachi.atspace.com/7h8gbiuomp
cantrell.biz/7h8gbiuomp
czemarserwis.home.pl/7h8gbiuomp
exploromania4x4club.ro/7h8gbiuomp
finaledithon.web.fc2.com/7h8gbiuomp
koushuen.co.jp/7h8gbiuomp
moehakiba.web.fc2.com/7h8gbiuomp
ostseeurlaub-tk.homepage.t-online.de/7h8gbiuomp
r-p-b.de/7h8gbiuomp
topmanagers.claas.fr/7h8gbiuomp
tpllaw.com/7h8gbiuomp
tutomogiya.web.fc2.com/7h8gbiuomp
vplegat.dk/7h8gbiuomp
www.aproso.de/7h8gbiuomp
www.ciapparelli.com/7h8gbiuomp
www.foto-aeree.it/7h8gbiuomp
www.gruetzi.es/7h8gbiuomp
www.isleofwightcomputerrepairs.talktalk.net/7h8gbiuomp
www.louislechien.net/7h8gbiuomp
www.motoslittetrecime.com/7h8gbiuomp
www.sistronic.com.co/7h8gbiuomp
www.tridi.be/7h8gbiuomp
www.vakantiehuisjeameland.nl/7h8gbiuomp
www.westline.it/7h8gbiuomp
zemlya.web.fc2.com/7h8gbiuomp


The payload here is Locky ransomware, and it phones home to the following addresses:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)


Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176


Friday, 22 July 2016

Malware spam: "I am truly sorry that I was not available at the time you called me yesterday."

This spam has a malicious attachment:

From: "Lizzie Carpenter"
Subject: sales report
Date: Fri, 22 Jul 2016 21:38:25 +0800

I am truly sorry that I was not available at the time you called me yesterday.
I attached the report with details on sales figures.



-----
Best of luck,
Lizzie Carpenter

SCHRODER GLOBAL REAL ESTATE SEC LTD
Phone: +1 (773) 812-15-66
Fax: +1 (773) 812-15-86

The sender is randomly generated. Attached is a ZIP file combining elements of the recipients email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report".

In a change from recent malware runs, the script does not directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script.

This executable has a detection rate of 4/54 and trusted analysis says that it is Locky ransomware, phoning home to:


77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51




Marketing1.net spam: "Nous vous offrons toutes nos bases de données européennes avant de fermer"

I recently noted that the spammers at Marketing1.net were at it again, but despite assurances from their host Coreix that they had been suspended, they continue to send out spam. This time in French.

From:    Audrey Martin [info@mapps-fr.net] via bnc3.mailjet.com
Date:    22 July 2016 at 09:10
Subject:    Nous vous offrons toutes nos bases de données européennes avant de fermer
Signed by:    bnc3.mailjet.com

Cher Gérant, Chère Gérante,

Nous nous permettons de vous contacter car vous avez visité notre site Internet dans le passé. Comme vous le savez déjà peut-être, nous avons développé les plus grands annuaires d'entreprises sur CD en Europe. Le logiciel fourni avec les annuaires permet aux utilisateurs d'effectuer des recherches illimitées par secteur d'activité, lieu, tranche de revenus ou fonction, et d'exporter les résultats vers Excel.

Au cours de ces dernières années, des milliers d'entreprises à travers l'Europe ont utilisé nos applications pour générer des listes ciblées pour mener des campagnes de prospection à succès. Nous avons décidé de retirer nos produits du marché parce que la mise à jour des données est trop onéreuse.

Avant de fermer, nous avons décidé, comme ultime geste, de vous offrir quelque chose d'inimaginable.

Nous avons décidé de vous donner toutes nos bases de données européennes. Cela représente un accès à des millions d'entreprises à travers l'Europe. Si vous souhaitez développer votre entreprise à l'étranger maintenant ou dans l'avenir, cela est un cadeau exceptionnel.

Nous vous offrons les 7 applications suivantes:

1) Marketing1 France 2016: 5 million d'entreprises françaises. 650'000 entreprises avec email. export illimité.
2) Top Managers France 2015: 35'000 cadres supérieurs auprès des plus grandes entreprises de France. e-mail fourni avec chaque enregistrement. Base de données complète fournie sous format Excel.

3) Marketing1 UK (Royaume-Uni) 2016 (en anglais): 5,8 million d'entreprises britanniques. 800'000 entreprises avec email. export illimité.
4) Top Managers UK (Royaume-Uni) 2015: 30'000 cadres supérieurs auprès des plus grandes entreprises du Royaume-Uni. e-mail fourni avec chaque enregistrement. Base de données complète fournie sous format Excel.

5) Marketing1 Belgique 2015 (en anglais): 1,8 million d'entreprises belges. 500'000 entreprises avec email. export illimité. 

6) Marketing1 Allemagne 2016 (en allemand): 5 million d'entreprises allemandes. 1,7 million d'entreprises avec email. export illimité.
7) Top Managers Allemagne 2015: 50'000 cadres supérieurs auprès des plus grandes entreprises d'Allemagne. e-mail fourni avec chaque enregistrement. Base de données complète fournie sous format Excel.


La valeur pour toutes ces bases de données est d'environ 5000 euros. Nous vous offrons le tout pour un prix symbolique de 49 euros. Vous avez seulement à payer 49 euros et vous obtiendrez toutes les applications ci-dessus. L'offre se termine aujourd'hui à 17 heures.

Vous aurez accès immédiatement à une page de téléchargement depuis laquelle vous pouvez télécharger toutes les applications. La page de téléchargement va rester en ligne pendant six mois (de sorte que vous puissiez les télécharger à une date ultérieure, si vous le souhaitez).


Comment passer commande. échantillons gratuit.
Cliquez ici pour accéder à la page de l'offre. La page contient les liens vers tous les sites. Vous pouvez télécharger des échantillons gratuits pour toutes les applications depuis la même page.


L'offre se termine aujourd'hui à 17 heures. Ne la ratez pas.


J'espère que je ne ai pas pris trop de votre temps précieux, et je vous souhaite plein de succès.

Meilleures salutations,

Audrey Martin
Marketing1 Team


Unsubscribe:
Veuillez cliquer ici si vous ne souhaitez plus recevoir d'emails de notre part

M1 Solutions. 152 City Road, London EC1V 2NX

The link in the email goes to marketing1.site hosted on 66.96.161.163 (Endurance International Group, US) and then redirects to a landing page at marketing1apps.net on 89.187.85.8 (Coreix, UK) which is just a gateway to marketing1.net on that same IP. The email comes from 87.253.234.168, a Mailjet IP in France.

As I mentioned previously, Marketing1.net are always having a closing down sale (but never close down) and if their sample data is anything to go by, it is complete crap. That's in addition to spamming domain contacts. Avoid.

Tuesday, 19 July 2016

Malware spam: "Documents from work." / "Untitled(1).docm" leads to Locky

This rather terse spam appears to come from the victim themselves (but doesn't). It has a malicious attachment.
From: recipient@victim.tld
To: recipient@victim.tld
Subject: Documents from work.
Date:    19 July 2016 at 12:20
There is no body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component from on of the following locations:

aerosfera.ru/0hb765
biovinci.com.br/0hb765
choogo.net/0hb765
control3.com.br/0hb765
dealsbro.com/0hb765
heonybaby.synology.me/0hb765
hiramteran.com/0hb765
lifecare-hc.com/0hb765
ostrovokkrasoty.ru/0hb765
tvernedra.ru/0hb765
valsystem.cl/0hb765
wacker-etm.ru/0hb765
webidator.co.il/0hb765
wineroutes.ru/0hb765
www.mystyleparrucchieri.com/0hb765

The dropped payload has a detection rate of 3/54 and it phones home to the following locations:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)

That's a subset of the locations found here.  The payload is Locky ransomware.

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51


Malware spam: "Documents" / "Natalie Pywell" / "Natalie.Pywell6@abbeyglassuk.com"

This spam does not come from Abbey Glass UK, but is instead a simple forgery with a malicious attachment:

From     Natalie Pywell [Natalie.Pywell6@abbeyglassuk.com]
Date     Tue, 19 Jul 2016 15:27:20 +0530
Subject     Documents
Message text

Dear Customer

Please find your documents attached.

If you have any questions please reply by email or contact me on 01443 238787.

Kind regards

Natalie Pywell

**This email has generated from an automated system**
This email has been sent via the Fusemail mail filtering service provided by Pro-Copy
Limited
The sender's email address varies somewhat. Attached is a randomly named ZIP file which contains a malicious .js script.

Analysis is pending, but it looks like Locky ransomware and is probably similar to the one found in this spam run.

Malware spam: "I attached the detailed business analysis (updated}"

This spam has a malicious attachment. And also mismatched (brackets}.

From     "Lynnette Slater"
Date     Tue, 19 Jul 2016 10:47:09 +0200
Subject     Business Analysis
Message text

I attached the detailed business analysis (updated}

---

King regards,
Lynnette Slater

Briglin Pottery
Phone: +1 (181) 133-27-50
Fax: +1 (181) 133-27-49
ID: 34a8c7f01e98b92f3985fe91965e703df1f13456

The message will appear to be "from" different individuals, varying from message to message. However, the main part of the body text is always the same.

Attached is a ZIP file containing elements of the recipients email address and some random letters and numbers. I have been unable to obtain a copy of the attachment at the moment, but it is likely to be Locky ransomware and if I get further details I will post them here.

UPDATE

My usual trusted source for analysis (thank you) reports that these ZIP files contain a malicious .wsf script which downloads a component from one of the following locations:

12-land.co.jp/gvkkx
accendojuris.com/dem3owmx
aerosfera.ru/xmljn
alinmaagroup.com/c2baqb
all-rides.com/m6bobmp
altadevelopers.com/kacgwe
anima-centrum.sk/bkcs2
bastidoresderondonia.com.br/ww55qzn
biovinci.com.br/dl9f0m6
choogo.net/qisxmdwz
darkhollowcoffee.com/unntj
daveshearth.com/f1t14
dealsbro.com/ptamc
delaemvkusnoe.ru/7lsypth
delaemvkusnoe.ru/yr54po27
dev.appleleafabstracting.com/j5q4b
dipp.lt/id4e6xcs
econopaginas.com/33ry5u
ejdadim.com/tzblhuk
heonybaby.synology.me/uydikuo
ialri.net/wh64xsb
jem-111.com/v5tq6s3
kveldeil.no/gfk2p
litehauzz.com.ng/cxqr03
lkfashions.com/3vkh8fcv
modulofm.com.br/3ap3qsi
moroem.com/n79lv
muscleinjuries.com/lqah1guh
mylimajai.lt/fkf75fo
myphychoice.com/s0ksxt8e
ormanstressrelief.com/lq1z62q
ostrovokkrasoty.ru/zxaen4
pasadenaoffice.com/431i00cd
right-livelihoods.org/uplwj
scpremiumbikes.com/53mkzxat
sitkainvestigations.com/2wmp4g
technobuz.com/05gwngqn
thetestserver.net/kemymr
tvernedra.ru/zkca0de
u0086064.cp.regruhosting.ru/hnmbac
versus.uz/ah73wlnz
vidonet.es/al268615
vilalusa.com/33q4i6f
westcoastswingitaly.it/jycvhfqq
www.thephoneguy.talktalk.net/om8bt
zuerich-gewerbe.ch/99v85w

I don't have a decrypted sample of the binary at present, although the C2 locations are reported as:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine, Ltd, Ukraine)

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51



Monday, 18 July 2016

Malware spam: "Image data has been attached to this email." / "Scanned image"

This spam is presumably meant to have a malicious attachment, but all the samples I have seen are malformed:

From:    support398@victimdomain.tld
Date:    18 July 2016 at 16:22
Subject:    Scanned image

--+-+-+-MGCS-+-+-+
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: Quoted-Printable
Content-X-CIAJWNETFAX: IGNORE

Image data has been attached to this email.



--+-+-+-MGCS-+-+-+
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="18-07-2016_rndnum(4,9)}}.docm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="18-07-2016_rndnum(4,9)}}.docm"
Content-Description: 18-07-2016_rndnum(4,9)}}.docm

UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIo
oAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0lM9OwkAQxu8mvkOzV9MueDDGUDgIHpVE
[snip]
The spam appears to come from within the victim's own domain (but doesn't). In case you don't recognise all those random letters, that's what an email attachment looks like.. but something has gone badly wrong with this spam run. I haven't analysed the payload, but it is likely to be Locky ransomware as found here.

Malware spam: "Sent from my Samsung device" leads to Locky

This rather terse spam has a malicious attachment:

From:    Ila
Date:    18 July 2016 at 13:01
Subject:    scan0000511

Sent from my Samsung device
The sender and subject vary, but the subject seems to be in a format similar to the following:

scan0000511
SCAN000044
COPY00002802


Attached is a .DOCM file with the same name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading from one of the following locations:

bursaforex.home.ro/54ghnnuo
car-sound.go.ro/54ghnnuo
cats.ugu.pl/54ghnnuo
dmb.republika.pl/54ghnnuo
eightplusnine.com/54ghnnuo
enpitsutenpura.web.fc2.com/54ghnnuo
gastro411.com/54ghnnuo
howtosucceed.tripod.com/54ghnnuo
iss0.tripod.com/54ghnnuo
klasste.tripod.com/54ghnnuo
marcinek.republika.pl/54ghnnuo
naturopatheenligne.free.fr/54ghnnuo
pacyna2.republika.pl/54ghnnuo
pichuile.free.fr/54ghnnuo
sgvillage.com/54ghnnuo
static.indirveoyna.com/54ghnnuo
www.carboplast.it/54ghnnuo

The payload is Locky with a detection rate of 4/53. It phones home to:

77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)


That's a subset of the IPs found here, so I recommend you block the following IPs:

77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14
 

Malware spam: "bank account report" leads to Locky

This fake financial spam has a malicious attachment:

From     "Boyd Dennis"
Date     Mon, 18 Jul 2016 11:34:11 +0200
Subject     bank account report


How is it going?

Thank you very much for responding my email in a very short time. Attached is the
bank account report. Please look at it again and see if you have any disapproval.

--Yours faithfully,Boyd DennisHSBC HLDGSPhone: +1 (593) 085-57-81, Fax: +1 (593)
085-57-41
The sender name and details vary, although it all follows the same pattern. Attached is a ZIP file containing elements of the recipients email address and some random digits. Contained within is a .wsf script that downloads a file from one of the following locations (thank you to my source for analysis):

acnek.com/fyxxbcsz
ahatv.com.au/twh7xv
anchortron.com/hiqsij
aquatixbottle.com/ygyngc
bailamecuba.com/4uyh5bex
banthaoduoc.com/v5g9z0s
BenavidezHoy.com/8zrg48k
bigislandhawaiihilorealestate.com/16h9p
bizconsulting.ro/bm8s7
blackdildo.net/h9kyu
bridgeplacements.com/dhbuk
calcoastlogistics.com/pda6bms
candobetter.net/5nt3ayk
cbactive.com/jw7l6mlr
christian-view.com/rwe24t
cinerd.info/ebiyhv
cloudbws.com/m0tu07b
colleenthestylist.com/rdrfp
containermx.com/tb4u2v
davisdoherty.co.nz/g0vi70
deanstum.com/z9opr
dnp9.com/zpfqk2l
ecpi.ro/cqema
equalityindonesia.com/b229mg
eurasian.fc2web.com/18nws9
findmobileauto.com/gh8ft
fusofrance.fr/nengga
gruposoluciomatica.com.br/ryi81
gv.com.my/qbnuau
ilkhaberadana.com/rmegjezz
kouzoncorporation.com/jikkhl
leeplastic.com/w49a80y
matthewmccright.org/sl8wu
my-result.ru/0j1nlpj8
ormanstressrelief.com/uhgoz3b
otwayorchard.net/u96kt
provincialpw.com/r0vaqf
quest.agency/0ovl6v5z
rsxxx.com/3vp8s83
s2mgmt.com/do40lc
serviceautoiasi.com/4tbvsfcz
smp.com.mx/hcoyv
thegracefamilychurch.com/ltxm3t
tip.ub.ac.id/36k8m2xt
trans-free.ru/2hx1l
travelabroadsecret.com/rxurfhqk
travoxsb.com/qmi5u0n
vakantiehuisinauvergne.com/apyd17
wcouto.com.br/9d207v

I don't have a copy of the payload at present, but it does phone home to:

77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
176.111.63.51 (United Networks Of Ukraine Ltd , Ukraine)
209.126.112.14 (MegaHosterNetwork, Ukraine)


The payload appears to be Locky ransomware.

Recommended blocklist:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14


Tuesday, 12 July 2016

Malware spam: "Please find attached the profile of Mr.X for a suitable role in your Organisation" leads to Locky

This spam comes with a malicious attachment, it appears to come from different senders and the referenced name varies, but the format is essentially the same.

From:    Effie Larsen
Date:    12 July 2016 at 20:07
Subject:    Profile

Dear [redacted],

Please find attached the profile of Mr.Welch for a suitable role in your Organisation


King regards,
Effie Larsen
Mexico Key Account Director
Attached is a ZIP file containing elements of the recipient's email address, the word "profile" and a random number. Contained within are a variety of malicious .js scripts beginning with "profile".

These two Hybrid Analysis reports [1] [2] show download locations at:

jstudio.com.my/wtxyf4
zakagimebel.ru/nrik9xq


This is somewhat consistent with the download locations for the earlier Locky ransomware spam as seen here. It is likely that the C2 servers are the same or at least overlap.


Malware spam: "Here's that excel file (latest invoices) that you wanted." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Benita Clayton
Date:    12 July 2016 at 15:04
Subject:    Fw:

hi [redacted],

Here's that excel file (latest invoices) that you wanted.


Best regards,
Benita Clayton
Vice President US Risk Management
Sender details vary from message to message. Attached is a ZIP file containing part of the recipient's email address plus some other elements, within which is a malicious. js script beginning with -SWIFT-.

Trusted external analysis (thank you again) shows the scripts download an obfuscated binary from one of the following locations:

acepipesdeli.com.br/tffx7
aerosfera.ru/h5vkp87
agbiz.co.za/x2evw01
choogo.net/qi7j7f
control3.com.br/57nhtzkv
dealsbro.com/4qtc20
diablitos.no/ogmrgs
doisirmaosturismo-rj.com.br/jxdlzcf
eskuvotervezo.hu/3kbgy9a
eusekkei.co.jp/tdts0
ferozsons-labs.com/52sf0l
games4games.com.br/ubabtp
globaldveri.ru/i4a3l0
hanaweb.xsrv.jp/be6o4g6
heonybaby.synology.me/41sx3e
ialri.net/tughk
jsbaden.jemk.ch/xyn8moxt
jstudio.com.my/5mkejwj4
kveldeil.no/opca2v2
maihama.2jikai-p.net/5mkejwj4
mcpf.co.za/ffq1mq
mphooseitutu.com/tfq5e5d2
mywebhost.nichost.ru/g53y7
nicesound.biz/42did
omnitask.ba/ac5f6
ostrovokkrasoty.ru/x7lcd
ppf.com.pk/5z2sk
quaint.com.br/divme5d
repair-service.london/uywgi7v
revengeofsultans.com/9cu7bsw
richard-scissors.com/wife8eaf
rigoberto.com.br/nqum54t
samaju.se/fsqrtgrm
sindsul.com/h02sujs
sirimba.com.br/qiovtl
stylespiritdubai.com/be1id
tvernedra.ru/lob9x
valsystem.cl/v4db1wd
wacker-etm.ru/jfbmxlhy
wineroutes.ru/hrzl8dw5
www.cristaleriadominguez.com/fxcx6ep
www.inextenso.hu/xc3739l
www.ital.com.mx/xswj9
zachphoto.7u.cz/0jyhh
zakagimebel.ru/krcsvf
zoomwalls.com/zghpzv2f


Locky then phones home to one of the following locations:

5.196.189.37 (Just Hosting, Russia / OVH, Ireland)
77.222.54.202 (SpaceWeb CJSC, Russia)
109.234.34.146 (McHost.Ru, Russia)
192.71.249.220 (EDIS, Sweden)


Recommended blocklist:
5.196.189.37
77.222.54.202
109.234.34.0/24
192.71.249.220


Wednesday, 6 July 2016

Malware spam with random hexadecimal number leads to Locky

I only have a couple of samples of this very minimalist spam, consisting of just a "Subject" with a random hex number (e.g. 90027696CCCC611D) and a matching .DOCM attachment (e.g. 90027696CCCC611D.docm).

My trusted analysis source (thank you) says that these DOCM files contain a macro (no surprises there) that downloads a binary from the following locations:

blingberry24.com/90ujn3b8c3
danseduchat.com/90ujn3b8c3
harveyventuresltd.com/90ujn3b8c3
noveltybella.com/90ujn3b8c3
www.proxiassistant-ao.com/90ujn3b8c3
www.sacandolalengua.com/90ujn3b8c3


The payload is Locky ransomware with a detection rate of 3/52. The same source says that C2 locations are:

89.108.84.42 (Agava JSC, Russia)
148.163.73.29 (GreencloudVPS JSC, Vietnam)


Agava in particular is a regular source of badness, and I would suggest that you consider blocking the entire 89.108.80.0/20 range, or at least this minimum recommended blocklist:

89.108.84.42
148.163.73.29


UPDATE 2016-07-08

A variant of this spam run is in progress which adds the words RE, FW, Scan, Emailing or File to the random number. A trusted source (thank you) informs me that the download locations for the DOCM files in this case are:

abschlepp-taxi24.at/87yg5fd5
caijiachina.com/87yg5fd5
drpampe.com/87yg5fd5
felicecremesini.com/87yg5fd5
fermmedia.com/87yg5fd5
gebrauchtkauf.at/87yg5fd5
kurumenishimura.com/87yg5fd5
manutenzionecarrier.com/87yg5fd5
seferworld.com/87yg5fd5
snupress.com/87yg5fd5
themeidea.com/87yg5fd5

A malicious file is dropped with a detection rate of 3/55 which then phones home to the following server:

51.255.172.55 (OVH, France)

I recommend that you blog traffic to that IP.

Tuesday, 5 July 2016

Malware spam: "Scanned image" leads to Locky

This fake document scan appears to come from within the victim's own domain but has a malicious attachment.

From:    administrator8991@victimdomain.com
Date:    5 July 2016 at 12:47
Subject:    Scanned image

Image data has been attached to this email.
Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52 and 6/52. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:

leafyrushy.com/98uhnvcx4x
sgi-shipping.com/98uhnvcx4x


There will be a lot more locations too. This drops a binary with a detection rate of 5/55 which appears to be Locky ransomware. Hybrid Analysis shows it phoning home to:

185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)


Host Sailor is a notoriously Black Hat web host, MWTV has is problems too. The payload appears to be be Locky ransomware.

Recommended blocklist:
185.106.122.0/24
185.129.148.0/24