Following on from this post, here are some business and domains closely associated with Michael Price of BizSummits, presented without comment for research purposes only.
COO Summit
cooleaders.org
Hiring Spring
hiringspring.com
Exit Partners LLC
exitpartners.net
Exact Leads
exactleads.com
VisitorLeads
visitorleads.com
ListK
listk.com
LoudJob
loudjob.com
Franchisee Funnel
franchiseefunnel.com
Supply Chain Summit
supplychainsummit.org
Hospital Growth Summit
hospitalgrowthsummit.org
CFO Summit
cfosummit.org
Safety Management Summit
safetysummit.org
Project Management Summit
projectmanagementsummit.org
CMO Summit
cmosummit.org
PR Summit
prsummit.org
Corp Summits
corpsummits.com
Quality Management Summit
qualitysummit.org
Corporate Counsel Summit
corporatecounselsummit.org
Executive Summits
execsummits.com
BizSummits
bizsummits.org
Marketing LeadFunnel
marketingleadfunnel.net
Meeting Setters
meetingsetters.com
CEO Ventures
ceoventures.com
HR LeadFunnel
hr-leadfunnel.com
Survey Executives
surveyexecutives.com
iListK
ilistk.com
IT LeadFunnel
itleadfunnel.com
Finance LeadFunnel
financeleadfunnel.com
GoPresent
gopresent.com
AffluentNames.com
affluentnames.com
Documents.me / Nouvou, Inc.
documents.me
AngelPool
angelpool.org
Critical Fit
criticalfit.com
HR Summit
hrsummit.org
Corp Venturing
corpventuring.com
PlugMeIn
plugmein.com
Retargetable
retargetable.com
LeadFunnel
leadfunnel.com
Pathfinder Careers
pathfindercareer.com
The Sales Management Association
salesmgtassoc.org
Executive Angels
executiveangels.net
CareerLeaper
careerleaper.com
Packed Events
packedevents.com
TeamEx
teamex.com
iCirc
icirc.net
HR Management Association
hrmanagementassociation.org
Product Conception Group
productconception.com
Sponsored by..
Tuesday, 22 September 2015
Monday, 21 September 2015
Malware spam: "Your Sage subscription invoice is ready" / "noreply@sage.com"
From: noreply@sage.com [noreply@sage.com]
Date: 21 September 2015 at 11:30
Subject: Your Sage subscription invoice is ready
Dear Ralph Spivey
Account number: 45877254
Your Sage subscription invoice is now online and ready to view.
Sage One subscriptions
Please follow the link bellow to view/download your account invoice: http://www.sageone.co.uk/
Got a question about your invoice?
Call us on 1890 88 5045
If you're an Accountant, please call 1890 92 21 06
If you're a Business Partner, please call 1890 94 53 85
Kind Regards
The Sage UK Subscription Team
Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.
The link in the email actually goes to a download location at Cubby rather than sageone.co.uk, this downloads a file invoice.zip which in turn contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56. The Hybrid Analysis report shows that this is Upatre dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria.
Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (91.226.32.0/23)
[donotclick]kfc.i.illuminationes.com/snitch
This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.
The injected script sends the keywords and referring site upstream, for example:
[donotcliick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.seAlthough the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.
UPDATE:
ZScaler are also tracking their infection, an analysis of what it does can be found here.
Friday, 18 September 2015
Malware spam: "Transaction confirmation" / "donotreply@lloydsbank.co.uk"
From donotreply@lloydsbank.co.ukAttached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria.
Date Fri, 18 Sep 2015 11:52:36 +0100
Subject Transaction confirmation
Dear Customer,
Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.
Best regards,
Your personal Manager
Thora Blanda
tel: 0345 300 0000
LLOYDS BANK.
E.ON "You've got mail" spam
------------
From: E.ON Energy [eon@eonenergy.com]
Reply-To: "E.ON Energy" [eon@eonenergy.com]
Date: 17 September 2015 at 19:02
Subject: You've got mail
| You've got mail. If you are having trouble viewing this email, you can view it here. |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Helping our customers. We're on it. | 
|
|
|
 |
Disclaimer Notice This email has been sent by E.ON Energy Solutions Limited. While we have checked this email and any attachments for viruses, we cannot guarantee that they are virus-free. You must therefore take full responsibility for virus checking. This message and attachments are confidential and should only be read by those to whom they are addressed. If you are not the intended recipient, please contact us, delete the message from your computer and destroy any copies. Any distribution or copying without prior permission is prohibited. Internet communications are not always secure and therefore E.ON does not accept legal responsibility for this message. The recipient is responsible for verifying its authenticity before acting on the contents. Any views or opinions presented are solely those of the author and do not necessarily represent those of E.ON. Registered Address E.ON Energy Solutions Limited. Registered office: Westwood Way, Westwood Business Park, Coventry, CV4 8LG. Registered in England and Wales No. 3407430. CONSENT CSS |
Ooookay. So it's a phish or malware, right? Well, in this case floating over the links clearly shows an eonenergy.com domain, rather than something malicious. And at least E.ON have shown good practice by using their own domain rather than some random tracking domain that others do.
It's been a long time since I logged onto E.ON because these days I generate all my electricity from a secondhand Russian nuclear reactor plucked from a rusty submarine that I have buried under the lawn.
Logging on to my account gives this message..
It's probably 15 years or so since I registered on E.ON.. when I registered it was part of TXU, then PowerGen which then became E.ON. So if you have registered an account with any of those companies in the past decade and a half, then you might get this spam from E.ON, even if you closed your account a long time ago..
UPDATE:
E.ON have posted some information about the cock-up and an apology here.
Thursday, 17 September 2015
Malware spam: hrwfmailerprod@lancashire.gov.uk / REFURBISHMENT
From "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55.
To hp_printer@victimdomain.com
Date Thu, 17 Sep 2015 12:16:26 GMT
Subject FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)
From Mabel Winter
To hp_printer@victimdomain.com
Sent Thu, 17 Sep 2015 12:12:26 GMT
ID 7216378
Number 6767609,1
Title Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT
Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment.
The payload appears to be Upatre/Dyre as seen earlier today.
Malware spam: "Shell E-Bill for Week 38 2015"
From [invoices@ebillinvoice.com]
To administrator@victimdomain.com
Date Thu, 17 Sep 2015 11:10:15 GMT
Subject Shell E-Bill for Week 38 2015
Customer No : 28834
Email address : administrator@victimdomain.com
Attached file name : 28834_wk38_2015.PDF
Dear Customer,
Please find attached your invoice for Week 38 2015.
In order to open the attached PDF file you will need
the software Adobe Acrobat Reader.
For instructions of how to download and install this
software onto your computer please visit
http://www.adobe.com/products/acrobat/readstep2.html
If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely
Customer Services
======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================
Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.
MD5:
0d9c66ffedce257ea346d2c7567310ac
Wednesday, 16 September 2015
Malware spam: "Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/"
From: RSTNAME} Crabtree [Chang.Crabtree@lloydsbankcommercial.com]
Date: 15 September 2015 at 13:18
Subject: Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/
Please find attached our document pack for the above customer. Once completed please return via email to the below address.
If you have any queries relating to the above feel free to contact us at
MN2Lloydsbanking@lloydsbankcommercial.com
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 7117152. Telephone: 0845 603 1637
Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC453043.
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.
In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt
A further download then takes place from:
vandestaak.com/css/libary.exe
This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).
Recommended blocklist:
197.149.90.166
vandestaak.com
thebackpack.fr
obiectivhouse.ro
MD5s:
4b944c5e668ea9236ac9ab3b1192243a
1939eba53a1289d68d1fb265d80e60a1
Malware spam: "HSBC SecureMail" / "You have received a secure message"
From: HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@hsbc.co.uk]Attacked is a file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56.
Date: 16 September 2015 at 13:13
Subject: You have received a secure message
HSBC_Payment_87441653
16K
UPDATE: The Hybrid Analysis report shows network traffic to a familiar Nigerian IP of 197.149.90.166 which I strongly recommend you block. The traffic pattern is indicative of Upatre dropping the Dyre banking trojan.
MD5:
359f0c584d718f44e9777e259f013031
Monday, 14 September 2015
Spam from "Vanessa Reynolds" / vanessa.reynolds@breedandco.com
From "Vanessa Reynolds" [vanessa.reynolds@breedandco.com]The name after "Hello" varies in each version, for example:
Date Fri, 14 Sep 2015 10:34:32 GMT
Subject Hello, how are you?
Hello, Calvin how are you?
Hello, Sheldon how are you?
Hello, Lawanda how are you?
Hello, Thurman how are you?
Hello, Darlene how are you?
Hello, Rhea how are you?
The email is always "from" Vanessa Reynolds / vanessa.reynolds@breedandco.com although this is in fact just a simple forgery and Breed & Co (who are are a hardware store in Texas) are nothing to do with this.
The purpose of this spam is unknown. One possibility is that the spammers are probing mail servers for responses (to enumerate valid mailboxes). The other is that this could be a targeted attack on Breed & Co by disrupting email and other means of communication.
Some sending IPs for the record:
175.111.117.26
82.208.233.93
85.100.114.244
103.1.69.172
111.196.186.87
202.134.161.161
Friday, 11 September 2015
Malware spam: "Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva" / reports@officeteam.co.uk
From "reports@officeteam.co.uk" [reports@officeteam.co.uk]In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet).
Date Fri, 11 Sep 2015 10:39:32 GMT
Subject Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva
Please find attached your sales order acknowledgement
Order No: EF150085
Account: PFM895
Your Reference: 14 /Geneva
Web Reference:
Kind Regards
Office Team
In this case, the payload is Upatre downloading the Dyre banking trojan.
MD5:
0a7e68a84765d639210b77575c2373bd
Thursday, 10 September 2015
Malware spam: "New Fax - 3901535011" / "UK2Fax" [fax2@fax1.uk2fax.co.uk]
From "UK2Fax" [fax2@fax1.uk2fax.co.uk]Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the same Upatre/Dyre payload as seen it this attack also seen today.
Date Thu, 10 Sep 2015 14:07:11 +0100
Subject New Fax - 3901535011
UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT
Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
From "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.
Date Thu, 10 Sep 2015 06:32:37 -0500
Subject Payroll Received by Intuit
Dear, petrol
We received your payroll on Sep 10, 2015 at 09:01.
Attached is a copy of your Remittance. Please click on the attachment in order to
view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
paid two (2) banking days from the date received or on your paycheck date, whichever
is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you
have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list
of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services
IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this
email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect
is a phishing email, please forward it to immediately to spoof@intuit.com.
© 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
trademarks and/or registered service marks of Intuit Inc. in the United States and
other countries. All other marks are the property of their respective owners, should
be treated as such, and may be registered in various jurisdictions.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706
In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.
MD5:
4dbdf9e73db481b001774b8b9b522ebe
Tuesday, 8 September 2015
ipserver.su, 5.133.179.0/24 and 212.38.166.0/24
person: Oleg Nikol'skiy
address: British Virgin Islands, Road Town, Tortola, Drake Chambers
phone: +18552100465
e-mail: abuse@ipserver.su
nic-hdl: ON929-RIPE
mnt-by: IPSERVER-MNT
changed: abuse@ipserver.su 20150528
created: 2015-05-28T11:11:09Z
last-modified: 2015-05-28T11:11:09Z
source: RIPE
I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service.
Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating.
Here's what is odd. None of the sites that I found [pastebin] have a negative reputation, I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all.
I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation, then my suggestion is that you block traffic to:
5.133.179.0/24
212.38.166.0/24
In the meantime I will continue digging..
Monday, 7 September 2015
Something evil on 184.105.163.192/26 / White Falcon Communications / Dmitry Glazyrin
contact:ID;I:POC-DC-1258
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Dmitry Glazyrin
contact:Company:White Falcon Communications
contact:Street-Address:3-758 Riverside Dr
contact:City:Port Coquitlam
contact:Province:BC
contact:Postal-Code:V3B 7V8
contact:Country-Code:CA
contact:Phone:+1-510-580-4100
The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..
bilettver.ru
ituslugi-ekb.ru
kerept.ru
porno-gt.com
pornosup.com
redkrab.com
vgubki.com
erotubik.com
autowagen.ru
decoitalcolor.ru
jimbobox.ru
kr-enot.ru
alemanas.ru
dynamo-energia.ru
master-lesa.ru
kinoprosmotra.net
multi-torrent.com
pl-games.ru
voyeur-hard.com
fishemania.com
learnigo.ru
qazashki.net
surfus.ru
mysuppadomainname.gq
kinoprosmotrov.net
multtracker.com
kyricabgr.tk
onlyhdporno.com
stat-irc.tk
white-wolves.tk
blondescript.com
dc-dcbcf352.hotvideocentral.com
wishfishworld.com
5ka.info
igro-baza1.ru
igro-baza2.ru
igro-baza3.ru
igro-baza4.ru
igro-baza5.ru
kinorelizov.net
torrent-mult.com
trailer-games.ru
vvpvv10.ru
vvpvv9.ru
todoke.ru
glazikvovana.cf
glazikvovana.ga
glazikvovana.gq
glazikvovana.ml
glazikvovana.tk
glazikvovki.cf
glazikvovki.ga
glazikvovki.gq
glazikvovki.ml
glazikvovki.tk
popochkavovana.cf
popochkavovana.ga
popochkavovana.gq
popochkavovana.ml
popochkavovana.tk
popochkavovki.cf
popochkavovki.ga
popochkavovki.gq
popochkavovki.ml
popochkavovki.tk
resnichkavovana.cf
resnichkavovana.ga
resnichkavovana.gq
resnichkavovana.ml
resnichkavovana.tk
resnichkavovki.cf
resnichkavovki.ga
resnichkavovki.gq
resnichkavovki.ml
resnichkavovki.tk
samaragss.ru
wechkavovana.cf
wechkavovana.ga
wechkavovana.gq
wechkavovana.ml
wechkavovana.tk
wechkavovki.cf
wechkavovki.ga
wechkavovki.gq
wechkavovki.ml
wechkavovki.tk
zalypkavovana.ml
zalypkavovana.tk
zalypkavovki.cf
zalypkavovki.ga
zalypkavovki.gq
zalypkavovki.ml
zalypkavovki.tk
zybikvovana.cf
zybikvovana.ga
zybikvovana.gq
zybikvovana.ml
zybikvovana.tk
zybikvovki.cf
zybikvovki.ga
zybikvovki.gq
zybikvovki.ml
zybikvovki.tk
staffrc.com
stopudof.com
35igr.ru
adandc.ru
avgyst.ru
comedy24.ru
e7ya.ru
funrussia.ru
ladykafe.ru
med-cafe.ru
mykazantip.ru
ohotaforum.ru
powerpoint-ppt.ru
sibledy.ru
turistvip.ru
ya-pisatel.ru
kypitest.ru
anykadavai.tk
forwarditaly.org
getyourimesh.com
mymobi.ml
yellowfrance.org
Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].
Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.
So, who is this outfit? Well, it didn't take to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".
However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.
* fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.
Malware spam: "Credit Note CN-60938 from Stilwell Financial Inc" / "message-service@post.xero.com"
From: Accounts [message-service@post.xero.com]
To: hp_printer@victimdomain.com
Date: 7 September 2015 at 11:55
Subject: Credit Note CN-60938 from Stilwell Financial Inc for victimdomain.com (0178)
Hi Boris,
To download your credit note CN-60938 for 401.04 GBP please follow the link below : https://get.xerofiles.com/[snip]
This has been allocated against invoice number
If you have any questions, please let us know.
Thanks,
Stilwell Financial Inc
In the only sample I saw, the download location for a file at xerofiles.com which came up with a 403 error. This domain belongs to an accounting service called Xero, it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.
Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it looks like it comes from Xero itself.
Received: from 78.187.120.220.static.ttnet.com.tr (unknown [95.9.34.122])The fake parts of the headers are highlighted. The actual sending IP is 95.9.34.122 in Turkey. I don't know what the payload is in this case as the download location doesn't work, it will most likely be some sort of banking trojan.
by [redacted] (Postfix) with ESMTP id 74F50400BE;
Mon, 7 Sep 2015 11:59:12 +0100 (BST)
Received: from mail2.go.xero.com (198.61.155.105) by
GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP
Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
From: Accounts <message-service@post.xero.com>
To: hp_printer@[redacted]
Date: Mon, 7 Sep 2015 12:55:16 +0200
Subject: Credit Note CN-60938 from Stilwell Financial Inc for [redacted] (0178)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailer: aspNetEmail ver 3.5.2.0
Message-ID: <504359-L45H474JYDT96LCSOCCGF9O9R1IXJTQ2949EW0C2@xero.com>
Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]
From "Companies House" [WebFiling@companieshouse.gov.uk]
Date Mon, 7 Sep 2015 12:40:01 +0100
Subject RE: Case 0676414
The submission number is: 0676414
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.
Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500
The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.
This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.
MD5:
f1d62047d22f352a14fe6dc0934be3bb
Friday, 4 September 2015
Malware spam: "RE:resume" aka "What happened to your files?" / Cryptowall 3.0
From: fredrickkroncke@yahoo.comThe attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:
Date: 5 September 2015 at 03:50
Subject: RE:resume
Signed by: yahoo.com
Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply
Kind regards
Teresa Alexander
Protected DocumentFollowing these steps would be a Very Bad Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56.
This document is protected by Microsoft Office.
Please enable Editing and Content to see this document.
Can’t view? Follow the steps below.
Open the document in Microsoft Office. Previewing online does not work for protected documents.
If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:
46.30.46.117 [Eurobyte LLC, Russia)
186.202.153.84 (gaiga.net)
192.186.235.39 (satisgoswamicollege.org)
52.88.9.255 (entriflex.com)
23.229.143.32 (eliasgreencondo.com)
Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.
Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)
This further references another bunch of domains that you might want to block, especially in a corporate environment:
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com
This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:
68.178.254.208 (erointernet.com)
Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malcious site, you can consider it to be a potential indicator of compromise.
The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.
Recommended blocklist:
46.30.46.0/24
gaiga.net
satisgoswamicollege.org
entriflex.com
eliasgreencondo.com
erointernet.com
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com
MD5s:
d6b3573944a4b400d6e220aabf0296ec
5b311508910797c91cc9c9eb4b4edb0c
Tuesday, 1 September 2015
Malware spam: "Complaint of your Internet activity"
From: Margret KuhicAll the sames I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a valid attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56.
Date: 1 September 2015 at 16:10
Subject: Complaint of your Internet activity
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Margret Kuhic
Dynamic Communications Agent
T: 1-679-732-5379
F: 100.173.9045
This Hybrid Analysis report shows it to be just another variant of Update / Dyre with the same characteristics as the malspam seen earlier today, sending traffic to an IP that I suggest you block or monitor:
197.149.90.166 (Cobranet, Nigeria)
Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494
Subscribe to:
Posts (Atom)