Monday, 14 March 2016
Malware spam: "Traffic report ID: 62699928" leads to Teslacrypt
This fake legal email has a malicious attachment:
From: Myrna baker
Date: 14 March 2016 at 15:58
Subject: Traffic report ID: 62699928
Dear Citizen,
We are contacting you on behalf of a local Traffic Violation Bureau.
Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 49757
Unfortunately, we will have no other option rather than passing this case to the local police authorities.
Please, see the report with the documents proofs attached for more information on this case.
Details in the email vary from message to message. The payload is Teslacrypt ransomware, as seen in this earlier spam run.
Labels: Malware, Ransomware, Spam, Teslacrypt, Viruses
Malware spam: "Credit details ID: 87320357" leads to Teslacrypt
So many Teslacrypt campaigns, so little time... I've had to rely on third party analysis on this particular one (thank you!)
From: Ladonna feather
Date: 14 March 2016 at 14:50
Subject: Credit details ID: 87320357
Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.
NOTE: This is the automatically generated message. Please, do not reply.
Sender names, references and attachment names vary. The malicious scripts in the attachment attempt to download from:
giveitallhereqq.com/69.exe?1
washitallawayff.com/69.exe?1
giveitallhereqq.com/80.exe?1
washitallawayff.com/80.exe?1
This is Teslacrypt ransomware with VirusTotal detection rates of 1/57 [1] [2]. The malware attempts to phone home to:
198.1.95.93/~deveconomytravel/cache/binstr.php
kel52.com/wp-content/plugins/ajax-admin/binstr.php
myredhour.com/blog//wp-content/themes/berlinproof/binstr.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/binstr.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
controlfreaknetworks.com/dev/wp-content/uploads/2015/07/wcspng.php
The download locations for the executable files can all be considered as malicious:
54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)
178.18.99.23 (Maginfo JSC, Russia)
31.47.179.11 (Baikal TransTeleCom, Russia)
31.134.39.52 (IRONNET Ltd, Russia)
119.247.218.165 (Hong Kong Broadband Network Ltd, Hong Kong)
113.252.180.39 (Hutchison Global Communications, Hong Kong)
37.115.24.106 (Kyivstar GSM, Ukraine)
5.248.2.179 (Kyivstar GSM, Ukraine)
193.169.134.215 (SDS-Vostok Ltd, Russia)
5.166.207.194 (ER-Telecom Holding, Russia)
46.172.219.246 (Krym Infostroy Ltd, Ukraine)
Out of these, only the first three (for giveitallhereqq.com) appear to be static IPs; the others (for washitallawayff.com) are dynamic and are likely part of a botnet, so blocking the domain might be better.
Recommended blocklist:
54.212.162.6
212.119.87.77
78.135.108.94
washitallawayff.com
Labels: Amazon, Hong Kong, Malware, Ransomware, Russia, Saudi Arabia, Spam, Teslacrypt, Turkey, Ukraine, Viruses
Malware spam: "Blocked Transaction. Case No 19706002" leads to Teslacrypt
This fake financial transaction has a malicious attachment:
From: Judy brittain
Date: 14 March 2016 at 08:12
Subject: Blocked Transaction. Case No 19706002
The Automated Clearing House transaction (ID: 19706002), recently initiated from your online banking account, was rejected by the other financial institution.
Canceled ACH transaction
ACH file Case ID: 09293
Transaction Amount: 607,89 USD
Sender e-mail: brittainJudy056@panick.com.ar
Reason of Termination: See attached statement
The sender's name, references and dollar amounts vary from message to message. The attachment names are randomly-generated (the format seems the same as this) and the attachment contains either one or four malicious scripts. According to this analysis the scripts download from:
ohelloguyzzqq.com/85.exe?1
Although the infection mechanism seems the same as this spam run, the MD5 of the dropped executable is now 57759F7901EBA73040597D4BA57D511A with a detection rate of 2/55. This is Teslacrypt ransomware, and I recommend that you block traffic to the IP addresses listed here.
Labels: Malware, Ransomware, Spam, Teslacrypt, Viruses
Sunday, 13 March 2016
Malware spam: "Debt #85533 , Customer Case Nr.: 878" leads to Teslacrypt
The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments, however.
From: Lamar drury
Date: 13 March 2016 at 18:43
Subject: Debt #85533 , Customer Case Nr.: 878
Dear Customer,
Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.
We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.
Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.
We hope on your understanding.
Kind regards,
Finance Department
Lamar drury
878 N Davis St, Jacksonville,
FL 85533
Phone nr: 464-182-2340
Attached is a ZIP file that, in the samples I saw, starts with one of:
- doc_scan_
- money_
- payment_details_
- payment_
- warning_
- see_it_
- payment_scan_
- finance_
- warning_letter_
- report_
- transaction_
- details_
- incorrect_operation_
- confirmation_
- document_
- problem_
- financial_judgement_
- details_
- mail_
- post_
- Post_Parcel_Case_id00-
- Post_Parcel_Confirmation_id00-
- Post_Parcel_Label_id00-
- Post_Shipment_Confirmation_id00-
- Post_Shipment_Label_id00-
- Post_Tracking_Case_id00-
- Post_Tracking_Confirmation_id00-
- Post_Tracking_Label_id00-
05A44DF4418EA3F133A3708D4D829DC7
84A57069907726FFADE1DE7DDF6E34CD
6F9726C410B3FCE2FC1EAF75C5015BFC
97D6643DE12E4430CD11412D7917C8B2
ADB1CF98CD632B0E55358C045114ED6A
732314E639426E42B9342B1470798E02
AC2D6B033C943AF864F6A6E2A143E0CD
EA9BE11F3267D14CDF3A88786E2D69C8
E831A7247D30F9EB406A3F5AFCB63EDE
D5B74B58E9971BE84AA83B2E1D46B414
1A177FAF482FC924D2439F4111428D9F
0FB3CD12FB2BF4AC7ABB909383E2EEB8
A810DCD3DE5DA723940D3C44075D3314
F1B4DF8D16F81FFC543E252594DF5C03
3FE0BD9E25B3D0A36A898BE6E579780E
060990306E189A6022E2CCB041912588
6F963C39333F751D097D8DB8A2EEF525
DBF2B52926B5925E382BCF4024E5C8F7
4193D7D43CA5981EDB6E790ED568E5F3
AED7397352E43C0E2F0281AA2F4AACB2
ED8919841E31422C6318978BDAE5612B
C6D52DA9375DA4C33776D68407CC9B0D
These appear [1] [2] to download a malicious binary from one of the following locations:
ohelloguyff.com/70.exe
ohelloguyzzqq.com/85.exe?1
Of these, only the 85.exe download is working for me at the moment; it is Teslacrypt ransomware. This has a detection rate of just 1/56.
The download locations have the following IP addresses:
185.35.108.109 (DA International Group Ltd, Bulgaria)
204.44.102.164 (Quadranet Inc, US)
54.212.162.6 (Amazon AWS, US)
192.210.144.130 (Hudson Valley Host / Colocrossing, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)
Those IP addresses can be considered as evil, and they also host the following sites:
returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
howareyouqq.com
ohelloguyqq.com
bonjovijonqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com
ohelloguyff.com
ohelloguymyff.com
joecockerhereff.com
howisittomorrowff.com
thunicodenamespace.com
wioutpudforcontents.com
idendnsletbarcamednstwo.com
leadhoffmanclassapplico.com
insensitivityinterpreted.com
placegrantthenoticesmust.com
dns1.beforeyougogg.net
dns1.ohimyfriendff.net
dns2.ohimyfriendff.net
dns1.kaktotakvot.pw
dns2.martuswalmart.pw
dns2.beforeyougogg.net
dns2.microtexreglyt.net
microtexregyts.net
gdemoidomaine.info
daimoidomainemne.info
mydomainebizness.info
Recommended blocklist:
185.35.108.109
204.44.102.164
54.212.162.6
192.210.144.130
212.119.87.77
78.135.108.94
Labels: Amazon, Bulgaria, Malware, Ransomware, Saudi Arabia, Spam, Teslacrypt, Turkey, Viruses
Saturday, 12 March 2016
Malware spam: "Urgent Notice # 78815053" leads to Teslacrypt
This spam comes from random senders, and has random references, dollar amounts and attachment names:
From: Donnie emily
Date: 12 March 2016 at 14:01
Subject: Urgent Notice # 78815053
Dear Customer!
According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.
Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.
We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
Please check out the file and do not hesitate to pay off the debt.
Otherwise we will have to start a legal action against you.
Regards,
Donnie emily
758 N Davis St, Jacksonville,
FL 17323
Phone nr: 026-762-3482
Attached is a randomly-named ZIP file; in the samples I have seen, the names begin with one of:
- letter_
- confirm_
- access_
- unconfirmed_operation_
- operation_
- details_
- details_
- post_
- mail_
bonjovijonqq.com/69.exe?1
bonjovijonqq.com/80.exe?1
This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different (VirusTotal results [19] [20]) and they appear to phone home to:
vtechshop.net/wcspng.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
shirongfeng.cn/images/lurd/wcspng.php
It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to:
31.184.196.78 (Petersburg Internet Network Ltd, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Russia)
The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs:
192.210.144.130 (Hudson Valley Host / Colocrossing, US)
54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)
The following malicious domains are also on the same servers:
nnrtsdf34dsjhb23rsdf.spannflow.com
bonjovijonqq.com
returnyourfiless.ru
pren874bwsdbmbwe.returnyourfiless.ru
spannflow.com
howareyouqq.com
witchbehereqq.com
invoiceholderqq.com
joecockerhereqq.com
fe3xr7qvyc.joecockerhereqq.com
lenovomaybenotqq.com
hellomississmithqq.com
thisisyourchangeqq.com
kvs5d8t3uc.thisisyourchangeqq.com
itsyourtimeqq.su
blizzbauta.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com
In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.
Recommended blocklist:
192.210.144.130
54.212.162.6
212.119.87.77
78.135.108.94
31.184.196.78
91.234.32.192
multibrandphone.com
sappmtraining.com
shirongfeng.cn
vtechshop.net
Labels: Amazon, Locky, Malware, Ransomware, Russia, Saudi Arabia, Spam, Teslacrypt, Turkey, Viruses
Friday, 11 March 2016
Malware spam: "FW: Payment 16-03-#507586" / "We have received this documents from your bank, please review attached documents."
These spam messages come from various senders with different references and attachment names.
From: Thanh Sears
Date: 11 March 2016 at 10:29
Subject: FW: Payment 16-03-#507586
Dear [redacted],
We have received this documents from your bank, please review attached documents.
Yours sincerely,
Thanh Sears
Financial Manager
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script whose name includes one of the following strings plus a random number, and in some cases a # sign at the end:
- Post_Shipment_Confirmation_id
- Post_Shipment_Label_id
- q.
- Post_Shipment_Case_id
- Post_Tracking_Confirmation_id
- Post_Parcel_Confirmation_id
nro.gov.sd/23r35y44y5
nobilitas.cz/0954t4h45
There are probably other download locations. The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to block are the same as found in this earlier Locky run.
UPDATE 1
Two further download locations can be found at:
www.momstav.com/087hg67
perfumy_alice.republika.pl/08h867g5
The dropped binaries are different again [1] [2], but it is still Locky phoning home to the C2s detailed here.
UPDATE 2
Further download locations are at:
50.28.211.199/hdd0/89o8i76u5y4
galit-law.co.il/32tguynjk
peterdickem.com/87745g
scorpyofilms.com/67j5h5h4
thaihost.biz/bestylethai.com/43t3gh4
Again, the dropped binaries are all different but seem to be Locky [1] [2] [3] [4] [5].
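The attachment naming conventions described in this post (a fixed stem, a random number, sometimes a trailing #) and in the "Debt #85533" post above (a fixed prefix on the ZIP name) are regular enough to be turned into a mail-gateway check. The following script is an added example and not code from the blog: it builds the patterns from the lists on this page, inspects a ZIP attachment in memory, and reports why it looks like one of these campaigns. Two things in it are my assumptions rather than statements from the posts: that the random number directly follows the prefix in the ZIP name, and that the droppers are Windows script files with one of the extensions in SCRIPT_EXTS. The sample archive is constructed with placeholder contents.

```python
import io
import re
import zipfile

# ZIP attachment name prefixes listed in the "Debt #85533" post.
ZIP_PREFIXES = [
    "doc_scan_", "money_", "payment_details_", "payment_", "warning_", "see_it_",
    "payment_scan_", "finance_", "warning_letter_", "report_", "transaction_",
    "details_", "incorrect_operation_", "confirmation_", "document_", "problem_",
    "financial_judgement_", "mail_", "post_",
    "Post_Parcel_Case_id00-", "Post_Parcel_Confirmation_id00-", "Post_Parcel_Label_id00-",
    "Post_Shipment_Confirmation_id00-", "Post_Shipment_Label_id00-",
    "Post_Tracking_Case_id00-", "Post_Tracking_Confirmation_id00-", "Post_Tracking_Label_id00-",
]
# Script name stems from the "FW: Payment 16-03-#507586" post: stem, a random
# number and sometimes a trailing '#'.
SCRIPT_STEMS = [
    "Post_Shipment_Confirmation_id", "Post_Shipment_Label_id", "q.",
    "Post_Shipment_Case_id", "Post_Tracking_Confirmation_id", "Post_Parcel_Confirmation_id",
]
# Assumption (mine, not from the posts): the droppers are script files with these extensions.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")


def _alternation(items):
    """Regex alternation, longest first so 'payment_details_' wins over 'payment_'."""
    return "|".join(re.escape(s) for s in sorted(items, key=len, reverse=True))


# Assumption: the random number directly follows the prefix in the ZIP name.
ZIP_NAME_RE = re.compile(r"^(?P<prefix>" + _alternation(ZIP_PREFIXES) + r")\d+\.zip$", re.IGNORECASE)
SCRIPT_NAME_RE = re.compile(
    r"^(?P<stem>" + _alternation(SCRIPT_STEMS) + r")\d+#?(?P<ext>\.[A-Za-z0-9]+)$", re.IGNORECASE
)


def classify_zip_name(filename):
    """Return the matched campaign prefix if the ZIP name follows the pattern, else None."""
    m = ZIP_NAME_RE.match(filename)
    return m.group("prefix") if m else None


def classify_script_name(member_name):
    """Return the matched stem if an archive member looks like one of the dropper scripts."""
    m = SCRIPT_NAME_RE.match(member_name)
    if not m or m.group("ext").lower() not in SCRIPT_EXTS:
        return None
    return m.group("stem")


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment given its name and raw bytes."""
    findings = []
    prefix = classify_zip_name(filename)
    if prefix:
        findings.append(f"zip name matches campaign prefix {prefix!r}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    if scripts:
        findings.append(f"archive contains script file(s): {scripts}")
    for name in names:
        stem = classify_script_name(name)
        if stem:
            findings.append(f"member {name!r} matches campaign stem {stem!r}")
    return findings


def build_sample_zip(member_names):
    """Constructed sample archive; the members hold a harmless placeholder, only the names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "// placeholder content, not a dropper\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["Post_Tracking_Confirmation_id99127.js"])
    for finding in inspect_attachment("warning_letter_551200.zip", sample):
        print(finding)
```

A real gateway would run this before the archive reaches a user, and the name match alone is only a triage signal: the posts note that these names are randomised, so the archive-content checks carry the weight when a campaign rotates its prefixes.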
Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."
This fake document scan leads to malware. It appears to come from within the victim's own domain, but this is a trivial forgery.
From: admin [lands375@victimdomain.tld]
Date: 11 March 2016 at 09:02
Subject: Scanned image
Image data in PDF format has been attached to this email.
Attached is a document named in a similar format to 11-03-2016-6440705503.zip which contains a randomly-named malicious script. So far I have seen three versions of this script (VirusTotal results [1] [2] [3]) which according to the Malwr reports [4] [5] [6] download a malicious binary from:
ghayatv.com/system/logs/uy78hn654e.exe
This is Locky ransomware, the same as dropped in this other spam run - that post also contains a list of C2s to block.
Malware spam: Your Amazon order #137-89653734-2688148 / AMAZON.COM [Mailer-daemon@amazon.com]
This fake Amazon spam comes with a malicious attachment:
From: AMAZON.COM [Mailer-daemon@amazon.com]
Date: 11 March 2016 at 09:09
Subject: Your Amazon order #137-89653734-2688148
Hello,
Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order #137-89653734-2688148 Placed on March 11, 2016
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon.
Amazon.com
Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script; I have seen just a single sample, with a detection rate of 5/56. According to this Malwr report, the script downloads a binary from:
mercadohiper.com.br/system/logs/uy78hn654e.exe
That binary has a detection rate of 4/55. According to the Malwr report for the script and this Malwr report for the binary, it phones home to:
31.184.196.75 (Petersburg Internet Network, Russia)
91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
There are probably other download locations and C2s, I will update this post if I find out what they are.
UPDATE
Some additional C2s from various sources:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
31.184.196.78 (Petersburg Internet Network, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)
Some additional download locations for this and other Locky spam runs today:
solucionesdubai.com.ve/system/logs/uy78hn654e.exe
ghayatv.com/system/logs/uy78hn654e.exe
dolcevita-ykt.ru/system/logs/uy78hn654e.exe
Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192
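The blocklists on this page are meant to be applied, so here is an added example (not code from the blog) of a proxy-log triage script that does that for Squid native-format access-log lines. It serves two passages: the "Credit details ID: 87320357" post above, where the washitallawayff.com download host sits on dynamic botnet IPs and the author therefore recommends blocking the domain rather than the addresses, and the Locky posts on this page, whose download locations all share a filename under /system/logs/ on different compromised sites. The script matches exact Teslacrypt download and check-in URLs, the blocked domain (so a fetch via an IP not on any list is still caught), the static and C2 IPs from the two blocklists, and a path pattern. Generalising the two filenames on the page to any .exe under /system/logs/ is my assumption, as are the constructed log lines and their peer addresses.

```python
import re
from urllib.parse import urlsplit

# Teslacrypt download URLs from the "Credit details ID: 87320357" post, query string dropped.
TESLACRYPT_DOWNLOAD_URLS = {
    "giveitallhereqq.com/69.exe", "washitallawayff.com/69.exe",
    "giveitallhereqq.com/80.exe", "washitallawayff.com/80.exe",
}
# Teslacrypt phone-home URLs from the same post.
TESLACRYPT_C2_URLS = {
    "198.1.95.93/~deveconomytravel/cache/binstr.php",
    "kel52.com/wp-content/plugins/ajax-admin/binstr.php",
    "myredhour.com/blog//wp-content/themes/berlinproof/binstr.php",
    "controlfreaknetworks.com/dev/wp-content/uploads/2015/07/binstr.php",
    "sappmtraining.com/wp-includes/theme-compat/wcspng.php",
    "controlfreaknetworks.com/dev/wp-content/uploads/2015/07/wcspng.php",
}
# Static download IPs (Teslacrypt post) plus the Locky C2 blocklist from the Amazon post.
BLOCK_IPS = {
    "54.212.162.6", "212.119.87.77", "78.135.108.94",
    "31.184.196.75", "91.219.30.254", "78.40.108.39", "31.184.196.78", "91.234.32.192",
}
# Blocked by name because the addresses behind it are dynamic botnet hosts.
BLOCK_DOMAINS = {"washitallawayff.com"}
# The Locky runs fetch uy78hn654e.exe / 7t6f65g.exe under /system/logs/ on many
# compromised sites; matching any .exe under that path is my generalisation.
LOCKY_PATH_RE = re.compile(r"^/system/logs/[A-Za-z0-9]+\.exe$")

# Squid native access.log: time elapsed client status/code size method url ident hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_squid_line(line):
    """Parse one native-format Squid log line into a dict, or None if it is malformed."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The hierarchy field looks like HIER_DIRECT/203.0.113.77; keep the peer address.
    rec["peer_ip"] = rec["hier"].split("/", 1)[1] if "/" in rec["hier"] else ""
    return rec


def normalise(url):
    """Lower-cased host and path without scheme or query, e.g. ('kel52.com', '/x.php')."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def match_indicators(url, peer_ip):
    """Return the indicator classes a request matches (empty list if clean)."""
    host, path = normalise(url)
    key = host + path
    reasons = []
    if key in TESLACRYPT_DOWNLOAD_URLS:
        reasons.append("Teslacrypt download URL")
    if key in TESLACRYPT_C2_URLS:
        reasons.append("Teslacrypt C2 check-in")
    if LOCKY_PATH_RE.match(path):
        reasons.append("Locky download path")
    if host in BLOCK_DOMAINS or any(host.endswith("." + d) for d in BLOCK_DOMAINS):
        reasons.append("blocked domain")
    if host in BLOCK_IPS or peer_ip in BLOCK_IPS:
        reasons.append("blocked IP")
    return reasons


def scan(lines):
    """Return (client, url, reasons) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reasons = match_indicators(rec["url"], rec["peer_ip"])
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


# Constructed sample log: RFC 1918 clients, documentation-range peers except the last line.
SAMPLE_LOG = """\
1457971200.101    412 10.0.0.5 TCP_MISS/200 251904 GET http://washitallawayff.com/80.exe?1 - HIER_DIRECT/203.0.113.77 application/octet-stream
1457971260.417     38 10.0.0.5 TCP_MISS/200 212 POST http://kel52.com/wp-content/plugins/ajax-admin/binstr.php - HIER_DIRECT/203.0.113.10 text/html
1457971300.003    120 10.0.0.7 TCP_MISS/200 8811 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.5 text/html
1457971330.555    200 10.0.0.9 TCP_MISS/200 188416 GET http://dolcevita-ykt.ru/system/logs/uy78hn654e.exe - HIER_DIRECT/203.0.113.20 application/octet-stream
1457971390.900     41 10.0.0.9 TCP_MISS/200 64 POST http://31.184.196.75/ - HIER_DIRECT/31.184.196.75 text/html
"""

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The first sample line is the case the author's remark is about: the download comes from a peer address that appears on no list, and it is the domain rule that flags it. Hits on a check-in URL or a C2 IP are worth more than a download hit, since they indicate the payload already ran on that client.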
Thursday, 10 March 2016
Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"
This fake financial spam comes with a malicious attachment:
From: Jennie bowles
Date: 10 March 2016 at 12:27
Subject: GreenLand Consulting – Unpaid Issue No. 58833
Dear Client!
For the third time we are reminding you about your unpaid debt.
You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.
We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.
Otherwise we will have to start a legal action against you.
Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994
Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:
http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1
These sites are hosted on:
142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)
This Malwr report and this Hybrid Analysis report show communications with:
91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)
The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.
These domains are also associated with some of the IPs. Consider them all to be evil:
t54ndnku456ngkwsudqer.wallymac.com
spannflow.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
howareyouqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
witchbehereqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
hellomississmithqq.com
thisisyourchangeqq.com
www.thisisyourchangeqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com
Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146
Malware spam: "Document No 4873206" / Accounts [accounts@victimdomain.tld]
This fake financial email has a malicious attachment:
From: Accounts [accounts@victimdomain.tld]
Date: 10 March 2016 at 11:45
Subject: Document No 4873206
Thanks for using electronic billing
Please find your document attached
Regards
Accounts
The email appears to come from within the victim's own domain. The number in the subject varies, and is matched by the attachment name (e.g. Document No 4873206.zip). In turn this contains one of several malicious scripts (VirusTotal results [1] [2] [3] [4] [5] [6]). All the Malwr reports [7] [8] [9] [10] [11] [12] show an attempted download from:
ncrweb.in/system/logs/7t6f65g.exe
Happily this 404s, but it is likely that other scripts will have the same download locations as found here. The payload is the Locky ransomware, and it should drop an executable with a detection rate of 1/56.
Labels: Locky, Malware, Ransomware, Spam, Viruses
Malware spam: "Attached File" / canon@victimdomain.tld leads to Locky
This spam has a malicious attachment. It appears to come from within the victim's own domain. There is no body text.
In the sample I saw, there was an attachment victimname@victimdomain.tld_07567_273772.zip which contained a randomly-named script with a detection rate of 5/57. Automated analysis [1] [2] shows that this is the Locky ransomware, and it downloads a binary from:
buyfuntees.com/system/logs/7t6f65g.exe
This binary has a detection rate of just 1/56. Those reports indicate that the malware phones home to:
31.184.196.78 (Petersburg Internet Network Ltd, Russia)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
There are probably many other download locations and some more C2s as well; I will update this post if I see them.
UPDATE
This additional analysis is from a trusted third party (thank you!)
Additional download locations:
Additional C2s:
91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
91.234.33.149 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)
The sender is canon, copier, epson, scanner or xerox at the victim's domain.
Recommended blocklist:
31.184.196.78
78.40.108.39
91.219.30.254
91.234.33.149
From: canon@victimdomain.tld
Date: 10 March 2016 at 09:02
Subject: Attached File
Malware spam: "Final Notice About Unpaid Bill" / "Important Notice About Created Invoice" / "Important Message About New Invoice"
This fake financial spam comes with a malicious attachment. The sender's name, subject and body text vary, including:
Subject:
Fwd: Final Notice About Unpaid Bill
Fw: Important Notice About Created Invoice
Re: Important Message About New Invoice
Body text:
Pls see the bill attached.
review the report attached.
check the invoice attached.
Some more examples can be seen here.
Attached is a randomly-named document, of which I have seen three samples (VirusTotal results [1] [2] [3]). The Malwr report on one of the samples plus these Hybrid Analysis reports [4] [5] [6] shows a download of an encrypted file from:
darrallmacqueen.com/b2.jpg?XhVee=9
darrallmacqueen.com/b2.jpg?XhVee=20
darrallmacqueen.com/b2.jpg?XhVee=16
The dropped files seem fairly random; in all the samples the binaries were different, with some generic detections [1] [2] [3] [4]. All of the samples crash in Malwr [5] [6] [7] [8].
It all seems a little odd and if I get more information on what is happening, I will update this post. In the meantime the only mitigating step I can think of is to block traffic to darrallmacqueen.com which should stop the files downloading.
Wednesday, 9 March 2016
Malware spam: "Please find attached 2 invoices for processing." leads to Locky
These fake financial spam emails come from random sources with different names and reference numbers:
Attached is a file with a name similar to Payment_2016_March_111812.zip, which contains two scripts whose names, in the samples I have seen, all start with "see_it" or "problem". These malicious scripts all have low detection rates [1] [2] [3] [4] [5] [6]. The Malwr reports for those samples [7] [8] [9] [10] [11] [12] show that the scripts download a binary from:
ihsanind.com/system/logs/87jhg44g5
nguoitieudungthongthai.com/system/logs/987i6u5y4t
astralia.ro/08o76g445g [404]
Only two of the download locations work, dropping binaries with a detection rate of 5/55 [1] [2]. Note that there may be other download locations.
The Malwr reports indicate that the malware phones home to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
149.154.157.14 (EDIS, Italy)
The payload is the Locky ransomware.
UPDATE
I received the following information from another source (thank you)
Additional download locations:
Payload MD5s:
Additional C2s:
91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
Recommended blocklist:
78.40.108.39
149.154.157.14
91.195.12.131
151.236.14.51
37.235.53.18
From: Melisa Keller
Date: 9 March 2016 at 12:08
Subject: FW: Invoice 2016-M#111812
Dear server,
Please find attached 2 invoices for processing.
Yours sincerely,
Melisa Keller
Financial Manager
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]
This terse spam has a malicious attachment. There is no body text.
From: Idris Mohammed [idrismohammed25@gmail.com]
Date: 9 March 2016 at 09:55
Subject: DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm, of which I have seen two versions (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe
There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:
64.76.19.251 (Impsat, Argentina)
I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.
UPDATE
A contact sent some more download locations (thank you!)
oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe
...and also some additional C2s:
188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234
Tuesday, 8 March 2016
Malware spam: "Please see attached (scanned document) file for your invoice" leads to Locky
This fake financial spam leads to the Locky ransomware. Sender names, reference numbers and attachment names will vary. The payload appears to be identical to the one found in this spam run.
From: Kris Bentley [BentleyKris59113@annarborultimate.org]
Date: 8 March 2016 at 14:35
Subject: FW: Invoice #098377-2016-03
Dear infon,
Please see attached (scanned document) file for your invoice.
Thank you for your business
Kris Bentley
Sales Manager
Malware spam: "Compensation - Reference Number #368380" leads to Locky
This fake financial spam comes with a malicious attachment:
Attached is a file named in a format similar to SCAN_00_368380.zip, which contains TWO malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1] [2] [3] [4]). Automated analysis tools [5] [6] [7] [8] [9] [10] [11] [12] show binary download locations at:
ministerepuissancejesus.com/o097jhg4g5
ozono.org.es/k7j6h5gf
Those same reports indicate the malware attempts to phone home to the following IPs:
89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)
Those automated reports all indicate that this is the Locky ransomware.
UPDATE
A trusted source also informs me of these additional download locations:
In addition, there is another IP address the malware phones home to:
212.47.223.19 (Web Hosting Solutions Oy, Estonia)
Recommended blocklist:
From: Orval Burgess
Date: 8 March 2016 at 11:10
Subject: Compensation - Reference Number #368380
Dear Customer,
The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.
Sincerely,
Orval Burgess
Account Manager
Malware spam: "Samson Floyd agent Fedex" / "FeDex-service"
This fake FedEx spam has a malicious attachment:
Attached is a RAR archive file, in this case named US45928460284.rar, containing in turn a malicious script US45928460284.js which is rather curious [pastebin]. This attempts to download an executable from:
www.fotoleonia.it/files/sample.exe
This has a VirusTotal detection rate of 4/54. The Malwr report shows a subsequent download from:
www.claudiocalaprice.com/modules/fedex/pad.exe
This has similar detections to the first binary. That Malwr report also indicates the binary POSTing data to:
pdf.repack.bike/new_and/state.php
This is hosted on:
151.80.76.200 (Kitdos, US / OVH, France)
I would suggest that the entire 151.80.76.200/29 range is questionable and should be blocked.
None of the automated tools I ran [1] [2] [3] [4] gave any insight as to what the malware does, but it is clearly something malicious.
From: FeDex-service
Date: 8 March 2016 at 11:40
Subject: Samson Floyd agent Fedex
Dear [redacted],
We attempted to deliver your item on March 07th, 2016, 11:40 AM.
The delivery attempt failed because the address was business closed or
nobody could sign for it. To pick up the parcel,please, print the receipt
that is attached to this email and visit Fedex office indicated in the
invoice. If the package is not picked up within 48 hours, it will be returned
to the shipper.
Label: US45928402845
Expected Delivery Date: March 07th, 2016
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Thank you for choosing our service
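As an added defender-side example (not code from the original posts), the following Python applies the indicators quoted on this page (the recommended blocklist IPs, the 151.80.76.200/29 range from the FedEx post, darrallmacqueen.com, and the /system/logs/ download path that several droppers on this page share) to constructed proxy-log lines; the log format and the sample lines are assumptions, not real traffic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the posts on this page.
C2_BLOCKLIST = {
    "78.40.108.39", "149.154.157.14", "91.195.12.131",
    "151.236.14.51", "37.235.53.18", "64.76.19.251", "38.64.199.3",
}
# The FedEx post flags the whole 151.80.76.200/29 range, not just one host.
C2_NETWORKS = [ipaddress.ip_network("151.80.76.200/29")]
BLOCKED_DOMAINS = {"darrallmacqueen.com"}
# Several droppers on this page fetch /system/logs/<random> or /system/logs/<random>.exe
DROPPER_PATH_RE = re.compile(r"^/system/logs/[0-9a-z]+(\.exe)?$", re.IGNORECASE)

# Assumed proxy log format (not from the page): timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line):
    """Return the list of indicator matches for one log line ([] means clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsable"]
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    reasons = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Destination is a bare IP: check the blocklist and the flagged range.
        if host in C2_BLOCKLIST:
            reasons.append(f"c2-ip:{host}")
        if any(addr in net for net in C2_NETWORKS):
            reasons.append(f"c2-range:{host}")
    else:
        # Destination is a hostname: match it and every parent domain.
        labels = host.split(".")
        if any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels) - 1)):
            reasons.append(f"blocked-domain:{host}")
    if DROPPER_PATH_RE.match(url.path):
        reasons.append(f"dropper-path:{url.path}")
    return reasons


def scan(log_text):
    """Map line number -> reasons for every line that hits at least one indicator."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify(line) if line.strip() else []
        if reasons:
            hits[n] = reasons
    return hits


# Constructed sample traffic for the demo; these are not real log entries.
SAMPLE_LOG = """\
2016-03-09T12:10:01Z 10.0.0.21 GET http://ihsanind.com/system/logs/87jhg44g5 200
2016-03-09T12:10:03Z 10.0.0.21 POST http://78.40.108.39/ 200
2016-03-08T11:41:10Z 10.0.0.33 POST http://151.80.76.203/new_and/state.php 200
2016-03-09T09:12:44Z 10.0.0.40 GET http://www.darrallmacqueen.com/b2.jpg?XhVee=9 200
2016-03-09T09:13:00Z 10.0.0.40 GET http://example.com/index.html 200
"""

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(reasons)}")
```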
Malware spam: "Order 1307605 (Acknowledgement)" / rick.adrio@booles.co.uk
This fake financial spam has a malicious attachment:
Attached is a file pm51A.docm, of which I have seen two versions (VirusTotal results [1] [2]). According to these Malwr reports [3] [4] and various other sources, the macro in the document downloads from:
stopmeagency.free.fr/9uj8n76b5.exe
reclamus.com/9uj8n76b5.exe
lhs-mhs.org/9uj8n76b5.exe
izzy-cars.nl/9uj8n76b5.exe
kyudentyumi.wekyudentyumi.web.fc2.com/9uj8n76b5.exe
The dropped binary has changed from earlier and has a detection rate of 2/55; it phones home to the same IP address as seen in this campaign. It appears to be the Dridex banking trojan.
From rick.adrio@booles.co.uk
Date Tue, 08 Mar 2016 15:58:07 +0530
Subject Order 1307605 (Acknowledgement)
Please find document attached
CONFIDENTIALITY AND DISCLAIMER NOTICE:
This email contains proprietary information which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission error has misdirected
this email, please notify the author by replying to this email. If you are not the
intended recipient you must not use, disclose, distribute, copy, print, or rely on
this email and delete all copies. Boole's Tools and Pipe Fittings Ltd is a private
company limited by shares. Registered in the United Kingdom No. 683745. Registered
office: PO Box 1586, Gemini One, John Smith Drive, Oxford Business Park South, Oxford,
OX4 9JF, United Kingdom.
Malware spam: "Emailing: 20121005154449756" / Gary Atkinson [Gary@garrardwindows.co.uk]
This spam does not come from Garrard Windows but is instead a simple forgery with a malicious attachment:
Attached is a file 20121005154449756.zip which contains a randomly-named script. I have seen two samples so far (VirusTotal results [1] [2]). The Malwr reports [3] [4] show the script downloads from the following locations:
jatukarm-30.com/9uj8n76b5.exe
stopmeagency.free.fr/9uj8n76b5.exe
The downloaded binary appears to be Dridex and is the same as found in this spam run.
From Gary Atkinson [Gary@garrardwindows.co.uk]
Date Tue, 08 Mar 2016 12:09:33 +0300
Subject Emailing: 20121005154449756
Please find attached document as requested.
Malware spam: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016 / Accounts Payable [vendoramendments@yorkshirewater.co.uk]
This fake financial spam does not come from Yorkshire Water but is instead a simple forgery with a malicious attachment.
I have only seen a single sample with an attachment named Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP, which contains a randomly-named malicious script with a detection rate of 3/54.
According to the Malwr report and Hybrid Analysis on this sample, it downloads a malicious binary from:
lhs-mhs.org/9uj8n76b5.exe
This binary has a detection rate of 2/54 and all those reports indicate that it phones home to:
38.64.199.3 (PSINet, Canada)
I recommend that you block traffic to that IP. The Malwr report on the dropped binary is inconclusive, but it looks like the Dridex banking trojan.
From Accounts Payable [vendoramendments@yorkshirewater.co.uk]
Date Tue, 08 Mar 2016 10:32:52 +0200
Subject Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
-----------------------------------------
Spotted a leak?
If you spot a leak please report it immediately. Call us on 0800 57 3553 or go to
http://www.yorkshirewater.com/leaks
Get a free water saving pack
Don't forget to request your free water and energy saving pack, it could save you
money on your utility bills and help you conserve water. http://www.yorkshirewater.com/savewater
The information in this e-mail, and any files transmitted with it, is confidential
and may also be legally privileged. The contents are intended solely for the addressee
only and are subject to the legal notice available at http://www.keldagroup.com/email.htm.
This email does not constitute a binding offer, acceptance, amendment, waiver or
other agreement, or create any obligation whatsoever, unless such intention is clearly
stated in the body of the email. If you are not the intended recipient, please return
the message by replying to it and then delete the message from your computer. Any
disclosure, copying, distribution or action taken in reliance on its contents is
prohibited and may be unlawful.
Yorkshire Water Services Limited
Registered Office Western House, Halifax Road, Bradford, BD6 2SZ
Registered in England and Wales No 2366682