This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.
Specifically, VirusTotal lists badness on the following IPs:
5.196.33.8
5.196.33.9
5.196.33.10
There are also some doubtful-looking IP addresses on 5.196.33.15 which may well have a malicious purpose.
All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.
Recommended blocklist:
5.196.33.8/29
Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant ID:WIQ_27860746
Registrant Name:Gennadiy Borisov
Registrant Organization:N/A
Registrant Street1:ul. Lyulyak 5
Registrant Street2:
Registrant Street3:
Registrant City:Varna
Registrant State/Province:
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:yingw90@yahoo.com
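As an added example (not part of the original posts), here is a small Python matcher that applies the kind of blocklist recommended above, and in the later posts on this page, to proxy log lines: CIDR ranges such as 5.196.33.8/29, individual phone-home addresses, blocklisted domains together with their subdomains, and the bin.exe / lld.php download paths. The log format, the log lines and the subset of indicators used are constructed for the example.

```python
"""Match proxy-log entries against the blocklists recommended on this page.
Example added here, not from the original posts. Log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges the posts recommend blocking outright
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "5.196.33.8/29",                          # OVH UK block serving Angler EK
    "46.161.30.0/24",                         # KolosokIvan-net
    "167.160.165.0/24", "167.160.166.0/24",   # Crissic Solutions ranges
)]
# Individual phone-home / download addresses from the Dridex and locker posts
BLOCKED_IPS = {ipaddress.ip_address(a) for a in (
    "203.172.141.250", "74.208.11.204", "46.4.232.200",
    "194.146.136.1", "84.92.26.50", "79.137.227.123", "124.217.199.218",
)}
# Domains from the recommended blocklists (a subset; any subdomain also matches)
BLOCKED_DOMAINS = {
    "belligerentladybug.com", "aircraftpolish.com", "gofoto.dk",
    "kawachiya.biz", "darttoolinc.com", "hiro-wish.com",
    "casinoroyal7.ru", "citycentralone.biz",
}
# Download paths used by the macro-spam payloads described on the page
PAYLOAD_PATH = re.compile(r"/(js/bin\.exe|stat/lld\.php)$")
# Subdomain labels the Crissic post says the landing pages use
EK_LABELS = {"qwe", "asd", "zxc"}


def ip_blocked(addr: str) -> bool:
    """True if addr is a listed address or falls inside a blocked CIDR."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # not an IP literal (e.g. a hostname)
    return ip in BLOCKED_IPS or any(ip in net for net in BLOCKED_NETWORKS)


def domain_blocked(host: str) -> bool:
    """Suffix match so qwe.example.biz is caught when example.biz is listed."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def classify(url: str, dest_ip: str) -> list:
    """Return the list of reasons a request is suspicious (empty if clean)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if ip_blocked(dest_ip):
        reasons.append(f"destination {dest_ip} is in a blocked range")
    if ip_blocked(host):
        reasons.append(f"URL host {host} is a blocked address")
    if domain_blocked(host):
        reasons.append(f"domain {host} is on the blocklist")
    if PAYLOAD_PATH.search(parts.path):
        reasons.append(f"path {parts.path} matches a known payload download")
    if host.split(".")[0] in EK_LABELS:
        reasons.append(f"subdomain label {host.split('.')[0]!r} matches the EK pattern")
    return reasons


# Constructed log lines: "<epoch> <client> <dest_ip> <url>" (not real traffic)
LOG_LINES = [
    "1418000001 10.0.0.5 5.196.33.9 http://asd.belligerentladybug.com/index.php",
    "1418000002 10.0.0.7 93.184.216.34 http://www.example.com/",
    "1418000003 10.0.0.9 203.172.141.250 http://kawachiya.biz/js/bin.exe",
    "1418000004 10.0.0.9 79.137.227.123 http://79.137.227.123:8080/stat/lld.php",
    "1418000005 10.0.0.3 46.161.30.41 http://worldnews247.ru/",
]


def scan(lines):
    """Yield (url, reasons) for every log line that trips at least one rule."""
    hits = []
    for line in lines:
        try:
            _ts, _client, dest_ip, url = line.split(maxsplit=3)
        except ValueError:
            continue              # malformed line, skip it
        reasons = classify(url, dest_ip)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan(LOG_LINES):
        print(url, "->", "; ".join(reasons))
```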
Tuesday, 9 December 2014
Monday, 8 December 2014
"Soo Sutton" / "INVOICE 224245 from Power EC Ltd" spam
Another variant of this spam, this fake invoice comes with a malicious Word document attached.
From: soo.sutton966@powercentre.com
Date: 8 December 2014 at 10:57
Subject: INVOICE 224245 from Power EC Ltd
Please find attached INVOICE number 224245 from Power EC Ltd
Attached is one of two Word documents, both with the name 224245.doc but with slightly different macros. Neither is currently detected by any AV vendors [1] [2]. Inside the DOC is one of two malicious macros [1] [2] [pastebin] which then downloads an executable from one of the following locations:
http://aircraftpolish.com/js/bin.exe
http://gofoto.dk/js/bin.exe
This file is then saved as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)
According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53.
Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish.com
gofoto.dk
UPDATE 2014-12-09:
A further couple of variants are being spammed out, both with low detections by VirusTotal [1] [2] and containing one of two malicious macros [1] [2] [pastebin] which download from the following locations:
http://kawachiya.biz/js/bin.exe
http://darttoolinc.com/js/bin.exe
This is then saved as %TEMP%\YVXBZJRGJYE.exe and is presently undetected by vendors. The Malwr report and ThreatExpert report vary slightly, but both show traffic to the same IPs as before. The Malwr report also indicates that a DLL is dropped with a detection rate of 4/52 which is identified as the Dridex trojan.
Recommended blocklist:
203.172.141.250
74.208.11.204
kawachiya.biz
darttoolinc.com
Friday, 5 December 2014
"Mathew Doleman" / "lightmoorhomes.co.uk" spam comes with a malicious Word document
This spam came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.
From: Mathew Doleman [order@lightmoorhomes.co.uk]
Date: 5 December 2014 at 08:32
Subject: Order no. 98348936010
Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.
Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB
Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)
Best regards,
Sales Department
Mathew Doleman
+07966 566663
The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors. Some investigation shows that it contains a malicious macro [pastebin].
The macro downloads a file from http://hiro-wish.com/js/bin.exe which is completely undetected by any AV vendor at present. According to the internal data, this is a Windows Media Player component although the compile date is today so this seems unlikely.
Developer metadata
Copyright: © Microsoft Corporation. All rights reserved.
Publisher: Microsoft Corporation
Product: Microsoft® Windows® Operating System
Original name: wmadmod.dll
Internal name: wmadmod.dll
File version: 11.0.5721.5145 (WMP_11.061018-2006)
Description: Windows Media Audio Decoder
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2014-12-05 06:30:06
Entry Point: 0x00006460
Number of sections: 3
The ThreatTrack report and ThreatExpert report indicate traffic to the following locations that you wouldn't expect a legitimate MS application to call home to:
74.208.11.204 (1&1 Internet, US)
203.172.141.250 (Ministry of Education, Thailand)
The VirusTotal report shows it phoning home to:
46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)
Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish.com
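The mismatch described above (a .DOC file name on what is really an OOXML document) is easy to check at a mail gateway. This Python example is added here and is not from the original post; it classifies the container by magic bytes rather than by extension and lists any vbaProject.bin part inside an OOXML ZIP, using constructed sample files rather than the real attachment.

```python
"""Check whether an Office attachment's extension matches its real container
format and whether an OOXML file carries a VBA project (a macro).
Example added here, not from the original post; sample files are constructed."""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx/.docm are ZIP containers

# Container format each extension is supposed to use
EXPECTED_FORMAT = {
    "doc": "ole2", "xls": "ole2",
    "docx": "ooxml", "xlsx": "ooxml", "docm": "ooxml", "xlsm": "ooxml",
}


def container_format(data: bytes) -> str:
    """Classify by magic bytes, not by the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ooxml_vba_parts(data: bytes) -> list:
    """Return the names of any vbaProject.bin parts inside an OOXML ZIP.
    Word decides how to treat the file from its content, so a vbaProject.bin
    in a file called .doc or .docx is still worth flagging."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine the extension/container check with the macro check."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = container_format(data)
    expected = EXPECTED_FORMAT.get(ext)
    reasons = []
    if expected is not None and fmt != expected:
        reasons.append(f"extension .{ext} implies {expected} but container is {fmt}")
    vba = ooxml_vba_parts(data) if fmt == "ooxml" else []
    if vba:
        reasons.append("OOXML container holds a VBA project: " + ", ".join(vba))
    # Macros inside legacy OLE2 files live in OLE streams; inspecting those needs
    # an OLE parser such as oletools' olevba, which this example does not cover.
    return {"filename": filename, "format": fmt, "reasons": reasons,
            "suspicious": bool(reasons)}


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-style ZIP for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


# Constructed samples; the first file name is the attachment name from the post
SAMPLES = {
    "2014-12-4_12-32-28_98348936010.doc": build_ooxml(with_vba=True),
    "quarterly.docx": build_ooxml(with_vba=False),
    "legacy.doc": OLE2_MAGIC + b"\x00" * 504,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(assess_attachment(name, blob))
```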
"K J Watking & Co" fake Remittance Advice spam
This fake remittance advice spam has been hammering my inbox this morning. It uses randomly generated sender names but has a consistent fake company name of K J Watking & Co which is very close to a legitimate firm K J Watkin & Co who have nothing to do with this.
The spam comes with an Excel spreadsheet which contains a malicious macro.
Some sample spams are as follows:
From: Brenton Glover
Date: 5 December 2014 at 07:20
Subject: Remittance Advice for 430.57 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Reba Fletcher
Date: 5 December 2014 at 08:23
Subject: Remittance Advice for 520.60 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Reba Fletcher
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Jennifer Copeland
Date: 5 December 2014 at 07:36
Subject: Remittance Advice for 866.73 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Jennifer Copeland
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Tia Maddox
Date: 5 December 2014 at 07:33
Subject: Remittance Advice for 539.99 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Tia Maddox
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Weston Martinez
Date: 5 December 2014 at 08:33
Subject: Remittance Advice for 248.65 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Weston Martinez
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Reva Morgan
Date: 5 December 2014 at 08:17
Subject: Remittance Advice for 649.39 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Reva Morgan
Senior Accounts Payable Specialist
K J Watking & Co
The Excel attachments have random names such as BAC_0577719P.xls or BAC_581969Q.xls. So far I have seen two versions of these, neither of which is detected as malicious by any vendors [1] [2].
Each spreadsheet contains a different but similar malicious macro [1] [2] [pastebin] which then downloads a binary from one of the following locations:
http://79.137.227.123:8080/stat/lld.php
http://124.217.199.218:8080/stat/lld.php
This file is downloaded as test.exe and is then moved to %TEMP%\EWSUVRXTBUU.exe. It has a VirusTotal detection rate of just 2/52. According to the Malwr report this then drops a DLL with another low detection rate which is identified as Dridex. The ThreatExpert report [pdf] indicates that the malware attempts to communicate with the following IPs:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
Recommended blocklist:
194.146.136.1
84.92.26.50
79.137.227.123
124.217.199.218
UPDATE 2014-12-10:
Another spam run is in progress, with a slightly different payload. Again, there are two different XLS files, both of which are undetected [1] [2] by AV vendors and contain one of two macros [1] [2] [pastebin] which download from the following locations:
http://41.0.5.138:8080/stat/lld.php
http://217.174.240.46:8080/stat/lld.php
The file is downloaded as test.exe and is saved as %TEMP%\LNUDTUFLKOJ.exe and is the same payload as found in this attack.
Thursday, 4 December 2014
Something evil on 46.161.30.0/24 (KolosokIvan-net / Ivan Kolosok)
The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware.
In the past, this IP range has hosted various sites which have moved off. At the moment it seems to host just the following domains:
worldstocktrends.net
trackmepls.ru
casinoroyal7.ru
worldnews247.ru
clubstore29.ru
yourwebsupport.ru
countryregion.ru
chooseyourhost.ru
Active IPs are as follows:
46.161.30.16
46.161.30.18
46.161.30.20
46.161.30.20
46.161.30.24
46.161.30.41
46.161.30.42
46.161.30.43
Out of those domains, the following ones are linked with some sort of file locker malware:
casinoroyal7.ru [report]
clubstore29.ru [report]
yourwebsupport.ru [report]
chooseyourhost.ru [report]
The other domains have virtually no reference to them at all, which is somewhat suspicious.
The block is allocated as follows:
inetnum: 46.161.30.0 - 46.161.30.255
netname: KolosokIvan-net
descr: Net for customer ID 12510
country: RU
admin-c: KI811-RIPE
tech-c: KI811-RIPE
status: ASSIGNED PA
mnt-by: MNT-PIN
mnt-by: MNT-PINSUPPORT
mnt-routes: MNT-SELECTEL
changed: admin@pinspb.ru 20130904
source: RIPE
person: Kolosok Ivan
address: ul Lenina 19-56
phone: +380766553642
e-mail: kolosokivan@i.ua
nic-hdl: KI811-RIPE
mnt-by: KolosokIvan
changed: kolosokivan@i.ua 20130830
source: RIPE
route: 46.161.30.0/24
descr: Selectel Customer
origin: AS49505
mnt-by: MNT-SELECTEL
changed: korsakov@selectel.ru 20140901
source: RIPE
There are no legitimate sites in this network range, so I strongly recommend that you block the entire 46.161.30.0/24 range.
Labels:
Evil Network,
Malware,
Russia,
Viruses
Wednesday, 3 December 2014
More malware on Crissic Solutions LLC
Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report):
167.160.164.102 [VirusTotal report]
167.160.164.103 [VirusTotal report]
167.160.164.141 [VirusTotal report]
167.160.164.142 [VirusTotal report]
The following domains are being used in these attacks (there will probably be more soon):
Subdomains in use start with one of qwe. or asd. or zxc. (see examples here [pastebin]).
Crissic Solutions LLC operates 167.160.160.0/19 which does have some legitimate sites in it, but since I have previously recommended blocking 167.160.165.0/24 and 167.160.166.0/24 and now with multiple servers on 167.160.164.0/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go.
Monday, 1 December 2014
Q: is sync.audtd.com a virus? A: probably not.
One of those things that makes you go "hmmm".. I kept seeing a lot of suspect looking traffic from Russian sites to sync.audtd.com, with strings like this:
http://sync.audtd.com/match/rambler/?uid=0123456789abcdef0123456789abcdef
audtd.com is parked on a Voxility IP of 5.254.113.29. I block large swathes of Voxility IP space because it has bad reputation, but it does have some legitimate customers. The domain registration details are hidden:
Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
Registry Admin ID:
However, sync.audtd.com is hosted on three completely different IPs:
148.251.87.17
148.251.81.131
148.251.81.140
These are hosted by Hetzner in Germany. Not exactly a squeaky clean network either, but they do have a lot of legitimate customers in addition to some evil ones.
Some Googling around and poking about at the very bottom of the search results reveals a possible lead in a Russian-language privacy policy [pdf] on a domain tbighistory.com. There was an English-language version that has since been deleted which read:
Privacy Policy
The Big History is an online technology company, Headquartered in the Russian Federation. This Privacy policy relates to our technology service that our company provides to online advertisers, web sites owners and other businesses that use our services.
OUR BUSINESS
We collect non-personally identifiable information regarding offline collected attributes and digital usage patterns of users of mobile devices and computers. In this policy, we refer to this non-personally identifiable information, together with other non-personally identifiable information that we obtain from third parties in order to influence which types of marketing messages and other content are displayed to you, as "Preference Data". We use Preference Data to prepare groups of users, referred to as "segments," based upon their behavior and preferences. We give our customers a limited right to use a user's membership in a segment as a basis for displaying advertisements and other content that are intended to reflect the user's preferences. We also collect non-personally identifiable information for other purposes: for example, to provide aggregate statistics for market research and analytics programs.
WHAT WE COLLECT
Non-PII includes but not limited to your IP host address, the date and time of the ad request, pages viewed, browser type, the referring URL, Internet Service Provider, and your computer's operating system.
HOW WE COLLECT
We use non-personally identifiable data, including "cookies", "pixel tags," and in some instances, statistical ID's, to collect and store Preference Data. We do not use flash cookies.
Cookies are small text files that contain a string of characters and uniquely identify a browser. They are sent to a computer by Web site operators or third parties. Most browsers are initially set up to accept cookies. You may, however, be able to change your browser settings to cause your browser to refuse third-party cookies or to indicate when a third-party cookie is being sent. Check your browser's "Help" files to learn more about handling cookies on your browser. The Big History cookies will expire after 24 months from the date they are created.
Pixel tags are small strings of code that provide a method for delivering a graphic image on a Web page or other document. Pixel tags allow the operator of the Web page or other document, or a third party who serves the pixel tag, to set, read, and modify cookies on, and to transfer other data to, the browser used to view the Web page or other document. Pixel tags may also be used to obtain information about the computer being used to view that Web page or other document. The entity that sends the tag can view the IP address of the computer that the tag is sent to, the time it was sent, the user's operating system and browser type, and similar information.
INFORMATION SHARING
Collected Non-PII processes into targeting data segments, nevertheless it cannot be broken into segments of users that is small or unique enough for the users to be identified personally.
All of the information we collect or record is restricted to our offices or designated sites. Only employees who need the information to perform a specific job are granted access to our data.
Collected data is processed into targeting data segments and then used by advertisers, publishers and content providers to enhance users experience. TBH could share collected and processed data with partners, based on that collected information could be used for third party advertising purpose.
All of the information we share is transferring via secured protocol excluding non granted access.
OPT OUT
If you’d like to opt-out from having The Big History collect your Non-PII in connection with our Technology, please click here http://sync.audtd.com/optout. When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your Non-PII to tailor our online advertisement campaigns. Please note that if you delete, block or otherwise restrict cookies, or if you use a different computer or Internet browser, you may need to renew your opt-out choice.
CHANGES TO OUR POLICY
Our company could revise and change this website policy at any time, so we advise you to check it periodically to always have up-to-date version.
CONTACT
If you have any questions about this website policy please feel free to contact us by email info@tbighistory.com
Last Update: 5 September 2014
This site is called "The Big History" and it belongs to a clearly identified Russian company called Auditorius.
So, in fact Auditorius do fully spell out what they are doing in their privacy policy.. but the problem is that it isn't on the audtd.com domain itself, and rather stupidly they are using anonymous WHOIS details (plus some questionable websites). I think the lesson is that if you ARE involved in a legitimate tracking activity, then you must make sure that it is obvious and people can find out what is happening easily. If you don't, people will just assume that it is a virus.
Labels:
Advertising,
Hetzner,
Russia,
Stupidity,
Voxility
Thursday, 27 November 2014
Tainted network: Crissic Solutions (167.160.160.0/19)
Several IPs hosted on the Crissic Solutions range of 167.160.160.0/19 (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness.
I analysed over 1500 sites hosted in the Crissic IP address range (report here [csv]) and many sites were already marked as being malicious by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious.
Malware is hosted on the following IPs:
167.160.165.38 [VT report]
167.160.165.39 [VT report]
167.160.165.158 [VT report]
167.160.165.159 [VT report]
167.160.165.171 [VT report]
167.160.165.172 [VT report]
167.160.165.214 [VT report]
167.160.165.215 [VT report]
167.160.166.66 [VT report]
167.160.166.67 [VT report]
167.160.166.68 [VT report]
Given the concentration of active malicious servers in 167.160.165.0/24 and 167.160.166.0/24, I would recommend blocking your traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course; I will leave you to look at the evidence.
The following domains are being used to spread malware (new domains are being added all the time, blocking these may not be effective):
Spam: "Telefonrechnung NTTCable November 2014"
This German-language spam leads to malware:
From: NTTCable Europe S.A. [mailto:info@reisebuerowerther.de]
Sent: Wednesday, 26 November 2014 21:15
Subject: Telefonrechnung NTTCable November 2014
Your customer number: 119683
Dear business partner,
enclosed you will find the NTTCable telephone bill for the service month of November 2014,
Telefonrechnung NTTCable November 2014.
Notes on the format and the digital signature:
Your invoice has been created in PDF format and carries a digital signature.
It therefore meets all requirements of the Signature Act.
Do you have questions about your invoice?
Then call us. Our customer care team is happy to help you by telephone at any time.
Kind regards
Your telephone company
______________________________________________
NTTCable Group
Telephone company of German industry.
Escher Str. 19
D - 65510 Idstein
Tel: +49 0 6126 - 9 98 76 - 0
Fax:+49 0 6126 - 9 98 76 - 54
EMail: info@nttcable.de
Web: www.nttcable.de
NTTCable Europe S.A.
Registered in Luxembourg, commercial register number: B 160348
NTTCable Deutschland KG
Managing partner: Michael Gros
Registered in Wiesbaden HRA 9407
NTTCable Service KG
Managing partner: Michael Gros
Registered in Wiesbaden HRA 9404
In this case the link in the email goes to http://illen-beauty.ru/wp-admin/3PAbHfSM5FEma from where it downloads a file 2014_11_rechnung_1_1_000309399002.zip containing a malicious executable 2014_11_rechnung_1_1_000309399002_4884_9849_00483_00222_0039459856_29392_000000002008.exe which at the moment is quite widely detected at VirusTotal with 22/56 engines coming up positive.
The Malwr report shows that the payload is hardened against analysis, but it does show an attempted connection to 109.123.78.10 (UK2.net, UK) which might be worth looking for.
Wednesday, 26 November 2014
Spam: "Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 (Nr. 95921500725106)"
This spam leads to malware:
From: Deutsche Telekom AG [g.dogan@idolcarpet.com]
Date: 26 November 2014 at 06:57
Subject: Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 (Nr. 95921500725106)
Dear customer,
enclosed is invoice 7188201282 as a PDF file: Telefonrechnung Telekom November.
The total amount for the month of November 2014 is stated as: 271,02 Euro.
Kind regards,
Business Customer Service
Telekom Deutschland GmbH
Supervisory board: Timotheus Höttges, Chairman
Management: Niek Jan van Damme, Spokesman; Thomas Dannenfeldt, Thomas Freude, Michael Hagspihl, Dr. Bruno Jacobfeuerborn, Dietmar Welslau, Dr. Dirk Wössner
Registration: Amtsgericht Bonn, HRB 59 19, registered office Bonn
VAT ID no.: DE 1287171
WEEE reg. no.: 8820712
The link in the email goes to http://taxi-haarlem.com/wp-content/ajisev8X7AOkLY from where it downloads rechnung_november_2014_0003900028.zip containing a malicious executable rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe which has an icon that looks like a PDF file.
This malware has a VirusTotal detection rate of 6/55. The Malwr report shows that it is hardened against analysis, but it does connect to the following URL:
http://162.144.106.152:8080/974aade0/d0392bb4/
162.144.106.152 has been used several times recently in this type of attack; it is a compromised server belonging to Unified Layer in the US. I strongly suggest that you block traffic to this IP.
Tuesday, 25 November 2014
What the heck is with 104.152.215.0/25?
104.152.215.90 belongs to Query Foundry LLC in Wyoming; however, they have suballocated it to a customer:
NetRange: 104.152.215.0 - 104.152.215.127
CIDR: 104.152.215.0/25
NetName: QUERYFOUNDRY
NetHandle: NET-104-152-215-0-1
Parent: QUERYFOUNDRY-06 (NET-104-152-212-0-1)
NetType: Reassigned
OriginAS: AS62638
Customer: Shanghe Yang (C05354145)
RegDate: 2014-09-30
Updated: 2014-09-30
Ref: http://whois.arin.net/rest/net/NET-104-152-215-0-1
CustName: Shanghe Yang
Address: 707 Wilshire Blvd
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
RegDate: 2014-09-30
Updated: 2014-09-30
Ref: http://whois.arin.net/rest/customer/C05354145
707 Wilshire Boulevard is a massive office block, but I suspect that this is just an accommodation address, so there's no real lead on who this customer is.
A look at the contents of the /25 is puzzling, because I can see almost 1500 sites [csv] on a number of active IPs [txt], almost none of which have any kind of discernible web presence or reputation.
Drilling down into the domains and registrants [csv] shows a list of either Chinese or US registrants, but in the vast majority of cases they look to be fake. The key indicator is that the email addresses listed are all of a similar format and bear no relationship whatsoever to the name of the registrant.
The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't fit this pattern seem to be .fr domains which look like they have been hijacked or re-registered, and oddly they are all registered to different (often obviously fake) people at the same address in France:
address: 13, rue de rohrwiller bischwiller,67240 Bas-Rhin, France 139 a
address: 67240 Bischwiller
address: Bas-Rhin
country: FR
It isn't a big place according to Google. I doubt that there is an Assad Sfdsadsfw, Yfdsjshfk Ynagkjhk, Qewqewq Sfwad or Poiug Pppobflgk living in that location.
Although there is not much data about the range, there are a couple of domains that are also flagged as malicious:
sxzav.xyz [Google diagnostics]
klioz.xyz [Google diagnostics]
Quite why they are flagged as malicious is a puzzle.
My personal opinion is that there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains.
Blocking or monitoring traffic to and from that /25 is the easiest way of doing it; alternatively, these are the domains being used in this network block:
Monday, 24 November 2014
MyFax message from "unknown" spam leads to poorly-detected malware
Fax spam again. How quaint. This spam appears to come from the person receiving it (which is an old trick).
From: victim@victimdomain.com
Sent: 24 November 2014 15:31
To: norep.c@mefax.com
Subject: MyFax message from "unknown" - 3 page(s)
Fax Message [Caller-ID: 1-407-067-7356]
http://159593.webhosting58.1blu.de/messages/get_message.php
You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.
* The reference number for this fax is chd_did11-14186364797-10847113200-628.
View this fax using your PDF reader.
Thank you for using the MyFax service!
The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to the following URLs:
http://95.211.199.37:16792/2411us3/HOME/0/51-SP3/0/
http://95.211.199.37:16792/2411us3/HOME/1/0/0/
http://lasuruguayas.com/images/refus3.pnk
A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54. The Malwr report is here.
Saturday, 22 November 2014
Oplamo Herbal Root scam
As far as I can tell, there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.
From: Mr. Tom Good Hope [mrtomgood@gmail.com]
Reply-To: mrtomgoodhope@gmail.com
Date: 22 November 2014 02:24
Subject: SUPPLY BUSINESS OF OPLAMO
My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company.
I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase.
OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD,while they supply to our company at the rate of $430 USD.
Recently i got the contact information of a local producer in India that preserve {OPLAMO} herbal root to the quality our company needs for production and i came to know that this product can be purchase at rate of $280 US dollar per sachet in India.
Note that i can not release the contact information of the local producer easily to anybody that can not follow up with guidelines on how to make this supply on this first supply,because if any mistake occurs and my company finds out that i'm involve in given information to someone to supply this product to them they will consult a legal petition against me and i can not go to India to buy and supply this product to our company because i do not have money to handle this business and i don't want to release this information to our company management.
Our company buys 3000 sachets (each sachet contains 5 grams),but on the first order with any producer they want to give a trial order of 300 or 500 sachets and payment method for this first order is COD- cash on delivery, upon their satisfaction on this first order they would be making payment on T/T in advance.
Please read this business proposal very well before you reply me,if you can not handle this business according to my guideline its better you don't reply me,because i want you and i to be on safer side in this transaction.
Upon your reply i will clarify you more on how to start this business immediately,please drop your contact phone number for me to be able to contact you ASAP.
Thanks,
Mr Tom Goodhope
Company Secretary
mrtomgoodhope@gmail.com
"Tom Goodhope" sounds more Nigerian than British, but the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost.com] in the US.
Given that all the search results I can find for "Oplamo Herbal Root" or "Oplamo Root" seem to be similar scams, I would suggest that this doesn't even qualify as snake oil and I would give it a very wide berth.
"Ihr Zahlungsauftrag - 41401236123" spam
This German-language spam leads to malware.
From: Sparkasse IT AG [mailto:assistant@fourmusic.com]
Sent: Friday, 21 November 2014 15:03
Subject: Ihr Zahlungsauftrag - 41401236123
The order has been accepted.
21 November 2014, 02:02:17
You have initiated a payment of 2735,15 EUR to Miss Elita Zirne.
We have informed the Sparkasse that the item is ready for dispatch. Further details on this transaction:
2014_11_Sparkasse_details_4543735454333.zip.
In this case the link goes to agromark-bimsa.com.ar/VR7wkx13 where it downloads a file 2014_11_transaktions_id_000000039190.zip which in turn contains a malicious executable 2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe which has a VirusTotal detection rate of 14/55.
Automated analysis tools [1] [2] [3] are not particularly revealing, but similar recent malspam runs have been linked to Geodo.
Friday, 21 November 2014
StockTips.com spam.. or Joe Job?
When I saw this StockTips.com spam, I assumed that it was a pump-and-dump scam.
From: StockTips.com
Date: 21 November 2014 07:58
Subject: Sign up now
StockTips
Want to make money with stocks?
© 2001-2012 StockTips.com. All Rights Reserved.
StockTips.com is operated by Amerada Corp
Here is another version of the body text:
StockTips |
Stock Tips Delivered to your Inbox!
Stock Tips is the #1 stock alert service... As always membership is 100% FREE! |
© 2001-2012 StockTips.com. All Rights Reserved. StockTips.com is operated by Amerada Corp |
The spam was sent to an account that often receives pump-and-dump spam, and it has never signed up for anything like this. The most likely source for the email address in question is from the virus-infected computer of a contact.
So what is this? A virus? There's nothing malicious about this email. A Joe Job? Well, I've had a LOT of these, and even the most stupid email marketer tend not spam the same recipients over and over again. So perhaps it is a Joe Job.
IP address analysis
The IP addresses used to send the spam seem to be a mix of compromised PCs and servers, possibly forming part of a botnet. Legitimate companies don't use this kind of technique (obviously), but even real companies that do send spam tend to find a proper web host somewhere. This is another indicator that it might be a Joe Job.
IP address | Network | Notes
62.143.125.49 | Unitymedia, Germany | Project Honeypot shows that it has only been used for spam quite recently. It looks to be a server rented from a legitimate company, although obviously for illegitimate purposes. Possibly the server has been compromised.
188.66.76.4 | Gamma Telecom, UK | Project Honeypot shows just how spammy this IP is. And it has been used for stock spam in the past as well, which indicates this is not a one-off. It looks like this may be a compromised server.
80.38.8.21 | Telefonica de Espana SAU, Spain | Resolves as 21.Red-80-38-8.staticIP.rima-tde.net, so a static IP rather than a DSL connection. Project Honeypot says that it used to be used for spam some time ago but has been clean for a long time.
88.156.185.92 | Vectra S.A., Poland | Description is "Vectra Broadband Users" which indicates a DSL or cable connection. Project Honeypot has no data.
187.94.214.35 | Feliz Acesse Comunicacao Ltda, Brazil | No data on this, could be a domestic IP address.
79.180.189.55 | Bezeq International Ltd, Israel | Appears to be a domestic broadband user.
78.187.242.217 | TurkTelekom, Turkey | ADSL subscriber.
176.94.67.198 | Arcor AG, Germany | Arcor / Vodafone DE business customer.
What about StockTips.com itself?
StockTips.com is a snazzy looking site, but there is not one single piece of information that identifies who runs it, except for a reference to Amerada Corp which is also mentioned in the spam email. The WHOIS details for the domain are also hidden, so it is impossible to determine who actually owns the site.
A search for "Amerada Corp" comes up with nothing except that it is a former name of Hess Corporation who are clearly nothing to do with this.
Scrolling down the page gives a clue as to what this might be about..
A $37 signup fee? No thanks.. but the site says it is a one-time fee while the spam says a monthly fee. That's inconsistent. Another indicator of a Joe Job? Perhaps.
Something else caught my eye.
HAIR was the subject of a massive pump-and-dump spam run last year. After StockTips.com recommended HAIR in May of 2012, the share price basically fell off a cliff.
Hmmm.
A bit of Googling around shows a lot of negative comment about StockTips.com. There are accusations, which I have not been able to verify, that they are involved in paid stock promotions for the penny stocks that they list.
The Penny Stock market has a lot of legitimate players, but there are also a lot of people who try to manipulate the market for their own gains. It is possible that StockTips.com has clashed in some way with the sort of people who run pump-and-dump scams, and they have decided to take their revenge by creating this fake spam run.
Perhaps if you have some experience with this outfit, you would like to share it in the comments? Note that all comments are owned by the people posting them.
"Duplicate Payment Received" spam from "Enid Tyson" has a malicious DOC
This fake financial spam has a malicious Word document attached.
From: Enid Tyson
Date: 21 November 2014 15:36
Subject: INV209473A Duplicate Payment Received
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Enid Tyson
Accounts Department
In this case the attachment is De_209473A.doc, but the name will probably vary with the subject. The document itself has zero detections at VirusTotal (the Malwr report is inconclusive). It contains a malicious macro [pastebin] which connects to the following URL:
http://79.137.227.123:8080/get1/get1.php
I only have one sample at the moment, so there are probably other download locations. The macro then downloads a file test.exe which is saved to %TEMP%\VYEJIUNSXLI.exe.
This has a VirusTotal detection rate of just 1/55. The malware is hardened against analysis in a Sandbox so automated results are inconclusive [1] [2] [3] [4].
UPDATE:
A second version is going the rounds, with zero detections and a download location of
http://61.221.117.205:8080/get1/get1.php
A copy of the malicious macro can be found here.
Something evil on 46.8.14.154
46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort.
The following subdomains have been active on that server; they are ALL on hijacked GoDaddy domains:
Domains spotted so far with malicious subdomains:
The best thing to do is to block traffic to 46.8.14.154 because these domains seem to change every few minutes.
Tuesday, 18 November 2014
"INCOMING FAX REPORT" spam, let's party like it's 1999
Hang on, I think I need to load some more papyrus into the facsimile machine, the 1990s are back!
From: Incoming Fax [no-reply@efax.co.uk]
Date: 18 November 2014 13:16
Subject: INCOMING FAX REPORT : Remote ID: 766-868-5553
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file:
http://mrconsultantpune.com/dropbox/document.php
*********************************************************
This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes the following HTTP requests:
http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/
http://108.61.229.224:13861/1811us1/HOME/1/0/0/
http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg
It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.
Recommended blocklist:
108.61.229.224
159593.webhosting58.1blu.de
Monday, 17 November 2014
"Test message" spam plague continues..
This plague of spam "test messages" has been going on for two days now, probably sourced from "Botnet 125" which sends most of the spam I get. These messages are annoying but not harmful in themselves; I suspect they are probing mail servers for responses.
If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.
From: Hollie <Laurie.17@123goa.com>
Date: 17 November 2014 19:04
Subject: Test 8657443T
test message.
Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard.
----------
From: Bethany <Toney.b0c@tbmeca.pl>
Date: 17 November 2014 20:00
Subject: Test 513081H
test message.
George Washington's existing building was constructed in 1960 and has had many renovations since its opening. His parents ran a restaurant, but his father emigrated to South America and never returned.
From 1971 to 1975, he was head of the Semiconductor Electronics Research Department. AIDS, which marked one of the most painful parts of Blotzer's life.
----------
From: Lilly <Glenn.75@ottcommunications.com>
Date: 17 November 2014 19:18
Subject: Test 547004K
test message.
On its full length, it passes through 14 provinces of Turkey. During the night, Dudu develops a cough and in the morning he is rushed to a local hospital.
The regular season was won by the Sevilla FC Puerto Rico, which became the first team to win two regular season cups. Letter to the World Narcotic Defense Association.
----------
From: Eddie <Darwin.87@satfilm.net.pl>
Date: 17 November 2014 19:20
Subject: Test 769978N
test message.
District 16 in the upper chamber. These allegations were followed by a long investigation of the convent that caused much inner strife amongst the nuns.
The teams alternate turns on who will pick first depending on the night. Bellona's report on RTG lighthouses.
----------
From: Alba <Young.69@discoverwhitewater.org>
Date: 17 November 2014 20:18
Subject: Test 7900710A
test message.
DR B1 and DQ B1 polymorphisms in patients with coronary artery ectasia. The Thames at Brentford.
Chi world GNI percapita. Little known gems are unearthed.
----------
From: Neal <Nichole.23b@business.telecomitalia.it>
Date: 17 November 2014 19:03
Subject: Test 974193J
test message.
It is a very good preparation for further studies in law, literature and linguistics. IPSC and USPSA provide for two power factors, major and minor.
Lake Agassiz can also be seen today. He threatened her, saying that if she told anyone, he would kill her too.
----------
From: Sabrina <Ross.68a@213-5-41-251.bestgo.pl>
Date: 17 November 2014 19:17
Subject: Test 685552L
test message.
The episode starts with girls comments about Alyona's leaving. US 52 leaves the highway here.
Cwmgors Community Centre by Aberdare Blog. Darcy invites Spinner over after she finishes packing for summer camp so they can spend time together before she leaves.
----------
From: Debora <Raquel.6b8@mmgphotographystudio.com>
Date: 17 November 2014 20:22
Subject: Test 409258E
test message.
Combined with manual transmission, these cars were often used as drag racers due to their light weight. A break in his health led to his retirement in 1920.
The company milled lumber and ground flour. Improving the existing headroom under the bridge from 3.
Labels:
Spam
Interfax "Failed Fax Transmission" spam comes with malicious .DOCM file
This fake fax spam comes with a malicious attachment
Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysing this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe
This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:
http://84.40.9.34/lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E
It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53.
If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter, as I can see no valid reason for these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.
From: Interfax [uk@interfax.net]
Date: 13 November 2014 20:29
Subject: Failed Fax Transmission to 01616133969@fax.tc<00441616133969>
Transmission Results
Destination Fax: 00441616133969
Contact Name: 01616133969@fax.tc
Start Time: 2014/11/13 20:05:27
End Time: 2014/11/13 20:29:00
Transmission Result: 3220 - Communication error
Pages sent: 0
Subject: 140186561.XLS
CSID:
Duration (In Seconds): 103
Message ID: 485646629
Thank you for using Interfax
E-mail: uk@interfax.net
Home page: http://www.interfax.net
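The advice above is to block .DOCM at the perimeter. Filtering on the extension alone misses a macro document that has been renamed, so the added example below (not code from the original post) inspects the attachment bytes instead: a macro-enabled OOXML file is a zip container whose `word/` (or `xl/`, `ppt/`) folder holds a `vbaProject.bin` part, and its `[Content_Types].xml` manifest declares that part with the `application/vnd.ms-office.vbaProject` content type. The `build_sample_ooxml` helper builds a constructed, minimal container purely so the check can be run offline; it is not a real document and is not the 00000293.docm sample.

```python
import io
import re
import zipfile
from typing import List

# Macro-enabled OOXML documents carry their VBA project as a binary part under
# the main document folder (word/, xl/ or ppt/). Looking inside the container
# is more reliable than trusting the file name, since a renamed .docm is still
# a macro document as far as Word is concerned.
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def find_vba_parts(data: bytes) -> List[str]:
    """Return the names of VBA project parts found in an OOXML (zip) container.

    An empty list means either no macros or not an OOXML file at all.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            hits = [n for n in names if VBA_PART.match(n)]
            # Belt and braces: the content-types manifest also declares the part,
            # so flag a document that declares a VBA part even if the part itself
            # was not matched by name.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in manifest and not hits:
                    hits.append("[Content_Types].xml declares " + MACRO_CONTENT_TYPE)
            return hits
    except zipfile.BadZipFile:
        # Not a zip at all (legacy .doc, plain text, empty body): nothing to report.
        return []


def is_macro_document(filename: str, data: bytes) -> bool:
    """Flag an attachment as a macro-enabled Office document by name or content."""
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return True
    return bool(find_vba_parts(data))


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal Word-like zip, optionally with a VBA part.

    This is only enough of the container for the check above to run; it is not
    a real or openable document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = [
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            ctypes.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            )
        ctypes.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ctypes))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE-format VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: a renamed macro document and a clean one.
    for name, blob in (("invoice.docx", build_sample_ooxml(True)),
                       ("invoice.docx", build_sample_ooxml(False)),
                       ("00000293.docm", b"")):
        print(name, "macro document:", is_macro_document(name, blob),
              "parts:", find_vba_parts(blob))
```

Run this as a filter on each attachment at the mail gateway; anything it flags is held regardless of what the sender called the file. It deliberately does not try to parse the VBA itself, only to establish that a macro project is present, which is the property the perimeter rule in the post cares about.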