Sponsored by..

Sunday, 13 March 2016

Malware spam: "Debt #85533 , Customer Case Nr.: 878" leads to Teslacrypt

The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments, however.

From:    Lamar drury
Date:    13 March 2016 at 18:43
Subject:    Debt #85533 , Customer Case Nr.: 878

Dear Customer,

Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.

We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.

Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.

We hope on your understanding.

Kind regards,
Finance Department
Lamar drury
878 N Davis St, Jacksonville,
FL 85533
Phone nr: 464-182-2340 
Attached is a ZIP file, that in the samples I saw starts with:
  • doc_scan_
  • money_
  • payment_details_
  • payment_
  • warning_
  • see_it_
  • payment_scan_
  • finance_
  • warning_letter_
  • report_
  • transaction_
  • details_
  • incorrect_operation_
  • confirmation_
  • document_
  • problem_
  • financial_judgement_
 ..plus a random number. Inside are one to four malicious .js scripts, named in the following format:

  • details_
  • mail_
  • post_
  • Post_Parcel_Case_id00-
  • Post_Parcel_Confirmation_id00-
  • Post_Parcel_Label_id00-
  • Post_Shipment_Confirmation_id00-
  • Post_Shipment_Label_id00-
  • Post_Tracking_Case_id00-
  • Post_Tracking_Confirmation_id00-
  • Post_Tracking_Label_id00-
The first three have a random string, the ones beginning with "Post" are followed by a random number and a #.  There are at least 22 unique scripts with the following MD5s:

05A44DF4418EA3F133A3708D4D829DC7
84A57069907726FFADE1DE7DDF6E34CD
6F9726C410B3FCE2FC1EAF75C5015BFC
97D6643DE12E4430CD11412D7917C8B2
ADB1CF98CD632B0E55358C045114ED6A
732314E639426E42B9342B1470798E02
AC2D6B033C943AF864F6A6E2A143E0CD
EA9BE11F3267D14CDF3A88786E2D69C8
E831A7247D30F9EB406A3F5AFCB63EDE
D5B74B58E9971BE84AA83B2E1D46B414
1A177FAF482FC924D2439F4111428D9F
0FB3CD12FB2BF4AC7ABB909383E2EEB8
A810DCD3DE5DA723940D3C44075D3314
F1B4DF8D16F81FFC543E252594DF5C03
3FE0BD9E25B3D0A36A898BE6E579780E
060990306E189A6022E2CCB041912588
6F963C39333F751D097D8DB8A2EEF525
DBF2B52926B5925E382BCF4024E5C8F7
4193D7D43CA5981EDB6E790ED568E5F3
AED7397352E43C0E2F0281AA2F4AACB2
ED8919841E31422C6318978BDAE5612B
C6D52DA9375DA4C33776D68407CC9B0D


These appear [1] [2] to download a malicious binary from one of the following locations:

ohelloguyff.com/70.exe
ohelloguyzzqq.com/85.exe?1


Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56.

The download locations have the following IP addresses:

185.35.108.109 (DA International Group Ltd, Bulgaria)
204.44.102.164 (Quadranet Inc, US)
54.212.162.6 (Amazon AWS, US)
192.210.144.130 (Hudson Valley Host / Colocrossing, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)


Those IP addresses can be considered as evil, and they also host the following sites:

returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
howareyouqq.com
ohelloguyqq.com
bonjovijonqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com
ohelloguyff.com
ohelloguymyff.com
joecockerhereff.com
howisittomorrowff.com
thunicodenamespace.com
wioutpudforcontents.com
idendnsletbarcamednstwo.com
leadhoffmanclassapplico.com
insensitivityinterpreted.com
placegrantthenoticesmust.com
dns1.beforeyougogg.net
dns1.ohimyfriendff.net
dns2.ohimyfriendff.net
dns1.kaktotakvot.pw
dns2.martuswalmart.pw
dns2.beforeyougogg.net
dns2.microtexreglyt.net
microtexregyts.net
gdemoidomaine.info
daimoidomainemne.info
mydomainebizness.info


Recommended blocklist:
185.35.108.109
204.44.102.164
54.212.162.6
192.210.144.130
212.119.87.77
78.135.108.94


Saturday, 12 March 2016

Malware spam: "Urgent Notice # 78815053" leads to Teslacrypt

This spam comes from random senders, and has random references, dollar amounts and attachment names:

From:    Donnie emily
Date:    12 March 2016 at 14:01
Subject:    Urgent Notice # 78815053

Dear Customer!

According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.

Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.

We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.

Please check out the file and do not hesitate to pay off the debt.

Otherwise we will have to start a legal action against you.

Regards,
Donnie emily
758 N Davis St, Jacksonville,
FL 17323
Phone nr: 026-762-3482 
Attached is a randomly-named ZIP file, in the sample I have seen they begin with:
  • letter_
  • confirm_
  • access_
  • unconfirmed_operation_
  • operation_
  • details_
..plus a random number. There may be other formats. Inside is a malicious script beginning with:
  • details_
  • post_
  • mail_
..plus a random string of characters. I have seen six versions of this script, I do not know how many there are in total. VirusTotal results show detection rates between 4 and 7 out of 57 [1] [2] [3] [4] [5] [6] and automated analysis tools [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] show the script attempting to download a binary from:

bonjovijonqq.com/69.exe?1
bonjovijonqq.com/80.exe?1


This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different (VirusTotal results [19] [20]) and they appear to phone home to:

vtechshop.net/wcspng.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
shirongfeng.cn/images/lurd/wcspng.php


It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to:

31.184.196.78 (Petersburg Internet Network Ltd, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Russia)


The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs:

192.210.144.130 (Hudson Valley Host  / Colocrossing, US)
54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)


The following malicious domains are also on the same servers:

nnrtsdf34dsjhb23rsdf.spannflow.com
bonjovijonqq.com
returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
howareyouqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.

Recommended blocklist:
192.210.144.130
54.212.162.6
212.119.87.77
78.135.108.94
31.184.196.78
91.234.32.192
multibrandphone.com
sappmtraining.com
shirongfeng.cn
vtechshop.net


Friday, 11 March 2016

Malware spam: "FW: Payment 16-03-#507586" / "We have received this documents from your bank, please review attached documents."

These spam messages come from various senders with different references and attachment names.

From:    Thanh Sears
Date:    11 March 2016 at 10:29
Subject:    FW: Payment 16-03-#507586

Dear [redacted],

We have received this documents from your bank, please review attached documents.

Yours sincerely,

Thanh Sears
Financial Manager


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script containing one of the following strings plus a random number and also it seems a # sign at the end of some.

  • Post_Shipment_Confirmation_id
  • Post_Shipment_Label_id
  • q.
  • Post_Shipment_Case_id
  • Post_Tracking_Confirmation_id
  • Post_Parcel_Confirmation_id
Detection rates for these scripts are all zero at the moment [1] [2] [3]. A Malwr analysis of some of the samples [4] [5] [6] shows download locations at:

nro.gov.sd/23r35y44y5
nobilitas.cz/0954t4h45


There are probably other download locations. The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to block are the same as found in this earlier Locky run.

UPDATE 1

Two further download locations can be found at:

www.momstav.com/087hg67
perfumy_alice.republika.pl/08h867g5

The dropped binaries are different again [1] [2],  but it is still Locky phoning home to the C2s detailed here.

UPDATE 2

Further download locations are at:

50.28.211.199/hdd0/89o8i76u5y4
galit-law.co.il/32tguynjk
peterdickem.com/87745g
scorpyofilms.com/67j5h5h4
thaihost.biz/bestylethai.com/43t3gh4


Again, the dropped binaries are all different but seem to be Locky [1] [2] [3] [4] [5].

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan leads to malware. It appears to come from within the victim's own domain, but this is a trivial forgery.

From:    admin [lands375@victimdomain.tld]
Date:    11 March 2016 at 09:02
Subject:    Scanned image

Image data in PDF format has been attached to this email.
Attached is a document named in a similar format to 11-03-2016-6440705503.zip which contains a randomly-named malicious script. So far I have seen three versions of this script (VirusTotal results [1] [2] [3]) which according to the Malwr reports [4] [5] [6] download a malicious binary from:

ghayatv.com/system/logs/uy78hn654e.exe

This is Locky ransomware, the same as dropped in this other spam run - that post also contains a list of C2s to block.



Malware spam: Your Amazon order #137-89653734-2688148 / AMAZON.COM [Mailer-daemon@amazon.com]

This fake Amazon spam comes with a malicious attachment:

From:    AMAZON.COM [Mailer-daemon@amazon.com]
Date:    11 March 2016 at 09:09
Subject:    Your Amazon order #137-89653734-2688148

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order #137-89653734-2688148 Placed on March 11, 2016

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.com 

Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script of which I have seen just a single sample with a detection rate of 5/56. According to this Malwr report, the script downloads a binary from:

mercadohiper.com.br/system/logs/uy78hn654e.exe

That binary has a detection rate of 4/55. According to the Malwr report for the script and this Malwr report for the binary, it phones home to:

31.184.196.75 (Petersburg Internet Network, Russia)
91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)


There are probably other download locations and C2s, I will update this post if I find out what they are.

UPDATE

Some additional C2s from various sources:

78.40.108.39 (PS Internet Company LLC. Kazakhstan)
31.184.196.78 (Petersburg Internet Network, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)


Some additional download locations for this and other locky spam runs today:

solucionesdubai.com.ve/system/logs/uy78hn654e.exe
ghayatv.com/system/logs/uy78hn654e.exe
dolcevita-ykt.ru/system/logs/uy78hn654e.exe


Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192


Thursday, 10 March 2016

Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"

This fake financial spam comes with a malicious attachment:

From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833

Dear Client!

For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994


Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:

http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1


These sites are hosted on:

142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)


This Malwr report and this Hybrid Analysis shows communications with:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)


The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.

These domains are also associated with some of the IPs. Consider them all to be evil:

t54ndnku456ngkwsudqer.wallymac.com
spannflow.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
howareyouqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
witchbehereqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
hellomississmithqq.com
thisisyourchangeqq.com
www.thisisyourchangeqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146



Malware spam: "Document No 4873206" / Accounts [accounts@victimdomain.tld]

This fake financial email has a malicious attachment:

From:    Accounts [accounts@victimdomain.tld]
Date:    10 March 2016 at 11:45
Subject:    Document No 4873206

Thanks for using electronic billing

Please find your document attached

Regards

Accounts
The email appears to come from within victim's own domain. The number in the subject varies, and is matched by the attachment name (e.g. Document No 4873206.zip). In turn this contains one of several malicious scripts (VirusTotal results [1] [2] [3] [4] [5] [6]). All the Malwr reports [7] [8] [9] [10] [11] [12] all show an attempted download from:

ncrweb.in/system/logs/7t6f65g.exe

Happily this 404s, but it is likely that other scripts will have the same download locations as found here. The payload is the Locky ransomware, and it should drop an executable with a detection rate of 1/56

Malware spam: "Attached File" / canon@victimdomain.tld leads to Locky

This spam has a malicious attachment. It appears to come from within the sender's own domain. There is no body text.

From:    canon@victimdomain.tld
Date:    10 March 2016 at 09:02
Subject:    Attached File

In the sample I saw, there was an attachment victimname@victimdomain.tld_07567_273772.zip which contained a randomly-named script with a detection rate of 5/57. Automated analysis [1] [2] shows that this is the Locky ransomware, and it downloads a binary from:

buyfuntees.com/system/logs/7t6f65g.exe

This binary has a detection rate of  just 1/56. Those reports indicate that the malware phones home to:

31.184.196.78 (Petersburg Internet Network Ltd, Russia)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)


There are probably many other download locations and some more C2s as well, I will update this post if I see them.

UPDATE

This additional analysis is from a trusted third party (thank you!)

Additional download locations:

behrozan.ir/system/logs/7t6f65g.exe
fashion-boutique.com.ua/system/logs/7t6f65g.exe
fortyseven.com.ar/system/logs/7t6f65g.exe
iwear.md/system/logs/7t6f65g.exe
lady-idol.6te.net/system/logs/7t6f65g.exe
ncrweb.in/system/logs/7t6f65g.exe
xn--b1afonddk2l.xn--p1ai/system/logs/7t6f65g.exe


Additional C2s:

91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
91.234.33.149 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)


Sender is canon or copier or epson or scanner or xerox at the victim's domain.

Recommended blocklist:
31.184.196.78
78.40.108.39

91.219.30.254
91.234.33.149




Malware spam: "Final Notice About Unpaid Bill" / "Important Notice About Created Invoice" / "Important Message About New Invoice"

This fake financial spam comes with a malicious attachment.The sender's name, subject and body text has a variety of text in, including:

Subject:
Fwd: Final Notice About Unpaid Bill
Fw: Important Notice About Created Invoice
Re: Important Message About New Invoice

Body text:
Pls see the bill attached.
review the report attached.
check the invoice attached.

Some more examples can be seen here.

Attached is a randomly-named document, of which I have seen three samples (VirusTotal results [1] [2] [3]). The Malwr report on one of the samples plus these Hybrid Analysis reports [4] [5] [6] shows a download of an encrypted file from:

darrallmacqueen.com/b2.jpg?XhVee=9
darrallmacqueen.com/b2.jpg?XhVee=20
darrallmacqueen.com/b2.jpg?XhVee=16


The dropped files seem pretty random, indeed in all the samples the binaries were different with some generic detections [1] [2] [3] [4]. All of the samples crash in Malwr [5] [6] [7] [8].

It all seems a little odd and if I get more information on what is happening, I will update this post. In the meantime the only mitigating step I can think of is to block traffic to darrallmacqueen.com which should stop the files downloading.

Wednesday, 9 March 2016

Malware spam: "Please find attached 2 invoices for processing." leads to Locky

These fake financial spam emails come from random sources with different names and reference numbers:

From:    Melisa Keller
Date:    9 March 2016 at 12:08
Subject:    FW: Invoice 2016-M#111812

Dear server,

Please find attached 2 invoices for processing.

Yours sincerely,

Melisa Keller
Financial Manager


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

Attached is a file with a name similar to Payment_2016_March_111812.zip which contains two scripts, which in the samples I have seen all start with "see_it" or "problem". These malicious scripts all have low detection rates [1] [2] [3] [4] [5] [6]. The Malwr reports for those samples [7] [8] [9] [10] [11] [12] show that the scripts download a binary from:

ihsanind.com/system/logs/87jhg44g5
nguoitieudungthongthai.com/system/logs/987i6u5y4t
astralia.ro/08o76g445g [404]


Only two of the download locations work, dropping binaries with a detection rate of 5/55 [1] [2]. Note that there may be other download locations.

The Malwr reports indicate that the malware phones home to:

78.40.108.39 (PS Internet Company LLC, Kazakhstan)
149.154.157.14 (EDIS, Italy)


The payload is the Locky ransomware.

UPDATE

I received the following information from another source (thank you)

Additional download locations:

ari-ev.com/system/logs/765uy453gt5
hipnotixx.com/27h8n
myonlinedeals.pk/system/logs/43d5f67n8
planetarchery.com.au/system/logs/q32r45g54
saachi.co/system/logs/43ghy8n
shofukai.web.fc2.com/23rt54y56
www.ekowen.sk/09y8j


Payload MD5s:

252957f37b8bd7a57473eab5f1a65d5c
39443da2c5454e0cb3ab42e407266d12
536162e0df26db751c3aa192af512413
6d42c5aa20117483b47b6e9c10444626
80baac1953a3fa6b74c2cd9689a0d81c
84a47c9c74efe890d7e0e9935fc96bda
b81006520f0d50317a66c0eb9d2185a5
e12fde01606227d45e8048fb4e5cc88c
eebb1e3a4fefcbacf3a7076b32180673


Additional C2s:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)



Recommended blocklist:
78.40.108.39
149.154.157.14

91.195.12.131
151.236.14.51
37.235.53.18



Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]

This terse spam has a malicious attachment. There is no body text.
From:    Idris Mohammed [idrismohammed25@gmail.com]
Date:    9 March 2016 at 09:55
Subject:    DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
 
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe


There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:

64.76.19.251 (Impsat, Argentina)

I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.

UPDATE

A contact sent some more download locations (thank you!)

oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe


..and also some additional C2s..

188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234




Tuesday, 8 March 2016

Malware spam: "Please see attached (scanned document) file for your invoice" leads to Locky

This fake financial spam leads to the Locky ransomware. Sender names, reference numbers and attachment names will vary.
From:    Kris Bentley [BentleyKris59113@annarborultimate.org]
Date:    8 March 2016 at 14:35
Subject:    FW: Invoice #098377-2016-03

Dear infon,

Please see attached (scanned document) file for your invoice.

Thank you for your business


Kris Bentley
Sales Manager
The payload appears to be identical to the one found in this spam run.

Malware spam: "Compensation - Reference Number #368380" leads to Locky

This fake financial spam comes with a malicious attachment:

From:    Orval Burgess
Date:    8 March 2016 at 11:10
Subject:    Compensation - Reference Number #368380

Dear Customer,

The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.


Sincerely,
Orval Burgess
Account Manager

Attached is a file named in a similar format to SCAN_00_368380.zip which contains TWO malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1] [2] [3] [4]) and automated analysis tools [5] [6] [7] [8] [9] [10] [11] [12] show binary download locations at:

ministerepuissancejesus.com/o097jhg4g5
ozono.org.es/k7j6h5gf


Those same reports indicate the malware attempts to phone home to the following IPs:

89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)


Those automated reports all indicate that this is the Locky ransomware.

UPDATE

A trusted source also informs me of these additional download locations;

51457642.de.strato-hosting.eu/980k7j6h5
besttec-cg.com/89ok8jhg
cyberbuh.pp.ua/97kh65gh5
fkaouane.free.fr/67uh54gb4
het-havenhuis.nl/099oj6hg
kokoko.himegimi.jp/54g4
lahmar.choukri.perso.neuf.fr/78hg4wg
surfcash.7u.cz/0o9k7jh55
www.vtipnetriko.cz/9oi86j5hg4


In addition, there is another IP address the malware phones home to:

212.47.223.19 (Web Hosting Solutions Oy, Estonia)



Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196

212.47.223.19

Malware spam: "Samson Floyd agent Fedex" / "FeDex-service"

This fake FedEx spam has a malicious attachment:

From:    FeDex-service
Date:    8 March 2016 at 11:40
Subject:    Samson Floyd agent Fedex

Dear [redacted],
We attempted to deliver your item on March 07th, 2016, 11:40 AM.
The delivery attempt failed because the address was business closed or
nobody could sign for it. To pick up the parcel,please, print the receipt
that is attached to this email and visit Fedex office indicated in the
invoice. If the package is not picked up within 48 hours, it will be returned
to the shipper.

Label: US45928402845
Expected Delivery Date: March 07th, 2016
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent

Thank you for choosing our service

Attached is a RAR archive file in this case named US45928460284.rar containing in turn a malicious script US45928460284.js which is rather curious [pastebin]. This attempts to download an executable from:

www.fotoleonia.it/files/sample.exe

This has a VirusTotal detection rate of 4/54. The Malwr report shows a subsequent download from:

www.claudiocalaprice.com/modules/fedex/pad.exe

This has similar detections to the first binary.  That Malwr report also indicates the binary POSTing data to:

pdf.repack.bike/new_and/state.php

This is hosted on:

151.80.76.200 (Kitdos, US / OVH, France)

I would suggest that the entire 151.80.76.200/29 range is questionable and should be blocked.

None of the automated tools I ran [1] [2] [3] [4] gave any insight as to what the malware does, but it is clearly something malicious.


Malware spam: "Order 1307605 (Acknowledgement)" / rick.adrio@booles.co.uk

This fake financial spam has a malicious attachment:

From     rick.adrio@booles.co.uk
Date     Tue, 08 Mar 2016 15:58:07 +0530
Subject     Order 1307605 (Acknowledgement)

Please find document attached
CONFIDENTIALITY AND DISCLAIMER NOTICE:
This email contains proprietary information which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission error has misdirected
this email, please notify the author by replying to this email. If you are not the
intended recipient you must not use, disclose, distribute, copy, print, or rely on
this email and delete all copies. Boole's Tools and Pipe Fittings Ltd is a private
company limited by shares. Registered in the United Kingdom No. 683745. Registered
office: PO Box 1586, Gemini One, John Smith Drive, Oxford Business Park South, Oxford,
OX4 9JF, United Kingdom.
Attached is a file pm51A.docm which I have seen two versions of (VirusTotal results [1] [2]). According to these Malwr reports [3] [4] and various other sources the macro in the document downloads from:

stopmeagency.free.fr/9uj8n76b5.exe
reclamus.com/9uj8n76b5.exe
lhs-mhs.org/9uj8n76b5.exe
izzy-cars.nl/9uj8n76b5.exe
kyudentyumi.wekyudentyumi.web.fc2.com/9uj8n76b5.exe


The dropped binary has changed from earlier and has a detection rate of 2/55, it phones home to the same IP address as seen in this campaign. It appears to be the Dridex banking trojan.



Malware spam: "Emailing: 20121005154449756" / Gary Atkinson [Gary@garrardwindows.co.uk]

This spam does not come from Garrard Windows but is instead a simple forgery with a malicious attachment:
From     Gary Atkinson [Gary@garrardwindows.co.uk]
Date     Tue, 08 Mar 2016 12:09:33 +0300
Subject     Emailing: 20121005154449756

Please find attached document as requested.
Attached is a file 20121005154449756.zip which contains a randomly-named script. I have seen two samples so far (VirusTotal results [1] [2]). The Malwr reports [3] [4] show the script downloads from the following locations:

jatukarm-30.com/9uj8n76b5.exe
stopmeagency.free.fr/9uj8n76b5.exe


The downloaded binary appears to be Dridex and is the same as found in this spam run.

Malware spam: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016 / Accounts Payable [vendoramendments@yorkshirewater.co.uk]

This fake financial spam does not come from Yorkshire Water but is instead a simple forgery with a malicious attachment.

From     Accounts Payable [vendoramendments@yorkshirewater.co.uk]
Date     Tue, 08 Mar 2016 10:32:52 +0200
Subject     Pay_Advice_Vendor_0000300320_1000_for_03.03.2016

-----------------------------------------

Spotted a leak?
If you spot a leak please report it immediately. Call us on 0800 57 3553 or go to
http://www.yorkshirewater.com/leaks

Get a free water saving pack
Don't forget to request your free water and energy saving pack, it could save you
money on your utility bills and help you conserve water. http://www.yorkshirewater.com/savewater

The information in this e-mail, and any files transmitted with it, is confidential
and may also be legally privileged. The contents are intended solely for the addressee
only and are subject to the legal notice available at http://www.keldagroup.com/email.htm.
This email does not constitute a binding offer, acceptance, amendment, waiver or
other agreement, or create any obligation whatsoever, unless such intention is clearly
stated in the body of the email. If you are not the intended recipient, please return
the message by replying to it and then delete the message from your computer. Any
disclosure, copying, distribution or action taken in reliance on its contents is
prohibited and may be unlawful.

Yorkshire Water Services Limited
Registered Office Western House, Halifax Road, Bradford, BD6 2SZ
Registered in England and Wales No 2366682
I have only seen a single sample with an attachment named Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP which contains a randomly-named malicious script with a detection rate of 3/54.

According to the Malwr report and Hybrid Analysis on this sample, it downloads a malicious binary from:

lhs-mhs.org/9uj8n76b5.exe

This binary has a detection rate of 2/54 and all those reports indicate that it phones home to:

38.64.199.3 (PSINet, Canada)

I recommend that you block traffic to that IP. The Malwr report on the dropped binary is inconclusive, but it looks like the Dridex banking trojan.

Monday, 7 March 2016

Evil networks to block 2016-03-07

Some more evil networks you might want to block, following on from an update about a week ago.

5.9.253.160/27
69.175.66.72/29
85.204.74.0/24
89.108.83.0/24
91.227.68.0/24 
107.182.226.128/28
146.185.243.0/24
162.244.32.64/26
184.154.47.96/29
185.46.8.0/24
185.49.68.0/24
188.138.71.208/28
188.138.71.224/29
204.45.251.0/24




Malware spam: "E-Service (Europe) Ltd Invoice No: 10013405" / andrew.williams@eurocoin.co.uk

This fake financial spam leads to malware:

From     Andrew Williams [andrew.williams@eurocoin.co.uk]
Date     Mon, 07 Mar 2016 17:37:49 +0530
Subject     E-Service (Europe) Ltd Invoice No: 10013405

Dear Customer,

Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.

Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment on:

Tel (44) 01707 280000
Email: accounts@e-service.co.uk

Or logon and register to access your  customer portal where you can view all historic
orders & transactions on www.e-service.co.uk

PLEASE NOTE NEW E-SERVICE (EUROPE)  BANK DETAILS:

Currency        A/C No.         Sort Code         Swift Code      IBAN No.

GBP               21698613         40-04-37         MIDLGB22            GB48MIDL40043721698613
EUR               71685997         40-05-15         MIDLGB22           GB75MIDL40051571685997

Kind regards

E-Service (Europe) Accounts Team

Attached is a ZIP file named Invoice 10013405.zip which contains one of a wide range of randomly-named scripts.

A trusted third party analysis (thank you!) shows that there are download locations at:

aqarhits.com/system/logs/87tg7v645c.exe
alexkote.ru/wp-content/plugins/87tg7v645c.exe
azshop24.com.vn/system/logs/87tg7v645c.exe
dsignshop.com.au/system/logs/87tg7v645c.exe
fibrefamily.ru/system/logs/87tg7v645c.exe
jldoptics.com/system/logs/87tg7v645c.exe
kiddyshop.kiev.ua/image/data/87tg7v645c.exe
kievelectric.kiev.ua/art/media/87tg7v645c.exe
lightsroom.ru/system/logs/87tg7v645c.exe
ptunited.net/system/logs/87tg7v645c.exe
scs-smesi.ru/published/PD/87tg7v645c.exe
shapes.com.pk/system/logs/87tg7v645c.exe
sub4.gustoitalia.ru/system/logs/87tg7v645c.exe
surprise.co.in/system/logs/87tg7v645c.exe
texfibre.eu/system/logs/87tg7v645c.exe
www.promumedical.com/system/logs/87tg7v645c.exe
www.souqaqonline.com/system/logs/87tg7v645c.exe

The dropped binary has a detection rate of 5/56 and the Malwr report clearly shows this is the Locky ransomware.

My contact reports that the malware phones home to:

192.121.16.196 (EDIS, Netherlands)
46.108.39.18 (EDIS, Romania)
212.47.223.19 (Web Hosting Solutions OY, Estonia)
109.237.111.168 (Krek Ltd, Russia)
185.92.220.35 (Choopa LLC, Netherlands)
89.108.85.163 (Agava Ltd, Russia)
192.71.213.69 (EDIS, Spain)


Recommended blocklist:
192.121.16.196
46.108.39.18
212.47.223.19
109.237.111.168
185.92.220.35
89.108.85.163
192.71.213.69


Malware spam: "Order Confirmation - Payment Successful, Ref. 81096454" leads to ransomware

This fake financial spam comes from various senders with different references, amounts and slightly different addresses. There is a malicious attachment which appears to be ransomware.

From:    Ellen thorp
Date:    7 March 2016 at 07:08
Subject:    Order Confirmation - Payment Successful, Ref. 81096454

Dear Client,

Thank you for your transaction of $477,84. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.

We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.

Double check please the document enclosed to this email.

Thank you for your order and we hope to see you again as our customer.

Respectfully,
Ellen thorp
Chief Accountant
95 N Forks Ave,
Forks, WA 30212
Phone: 028-959-7736 

Attached is a randomly-named ZIP file in the format Invoice_ref-81096454.zip which contains a further malicious script file beginning with invoice_, invoice_copy or invoice_SCAN. Detection rates for these vary [1] [2] [3] [4] [5] [6]. These Hybrid Analysis reports on three of the samples [7] [8] [9] show the script download a malicious binary from:

blablaworldqq.com/80.exe?1
hellomydearqq.com/69.exe?1
hellomydearqq.com/80.exe?1

At the moment, those domains don't seem to be resolving, but if you replace the domains with the IP addresses then it will work. The sites are hosted on the following servers:

51.254.226.223 (OVH, France)
173.82.74.197 (Multacom Corporation, US)


The 69.exe and 80.exe files are actually different, both have a detection rate of 4/54 [1] [2]. Analysis of these files [3] [4] [5] [6] indicates behaviour consistent with ransomware, and these binaries attempt to phone home to the following domains:

conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com



The two IPs specified as binary download locations have hosted a number of other evil sites:

pren874bwsdbmbwe.returnyourfiless.ru
itsyourtimeqq.su
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
thisisyourchangeqq.com
gutentagmeinliebeqq.com
returnyourfiless.ru
pren874bswsdbmbwe.returnyourfiless.ru
83gd65jfh24jbrwke43.brocksard.su
gubbosiak.su
yy4nfsdp4hpfas7hefp4w.gubbosiak.su
golemmalik.su
bb34dbsjneefnsdefjsn.golemmalik.su
hellomenqq.su
helloguysqq.su
hellowomenqq.su
invoiceholderqq.su
3j2gdpsipa74bgm441.biz
mayofish.com
l4rdnvb5jskjb45sdfb.mayofish.com
skuawill.com
belableqq.com
fausttime.com
pot98bza3sgfjr35t.fausttime.com
maniupulp.com
h5534bvnrnkj345.maniupulp.com
sifetsere.com
p47kjndfbj8hsdfsd3e.sifetsere.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
wakonratio.com
sdfsdfsd.wakonratio.com
fjfhsflj54t8ak439sm.wakonratio.com
ball-provide.com
piglyeleutqq.com
helloworldqqq.com
helloyungmenqq.com
hpareyouhereqq.com
pigglywigglyqq.com
lastooooomene3ie3.com
lastooooomene2ie2e.com
promsortirovochnie.com
belahhoast.net

Recommended blocklist:
51.254.226.223
173.82.74.197
conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com