PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again.
So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).
Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too.
UPDATE 2016-04-25
Here are some more PlusServer ranges where Angler has been rampant:
85.25.218.0/24
85.25.237.0/24
188.138.25.0/24
188.138.68.0/24
UPDATE 2016-05-10
Heavy Angler activity has also been spotted in the following ranges:
In addition, some Angler activity has been observed in the following ranges but is not yet widespread (I will update if I see more activity):
PlusServer (or more likely one or more of their resellers) appears to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in 188.138.105.0/24) that the only safe option is to block traffic to those network ranges.
With black hat hosts such as Qhoster or Host Sailor, and to some extent Agava, you can block the entire network ranges and not block anything of value at all. By using PlusServer, the bad guys can hide their evil sites among legitimate sites, where administrators might fear to block something accidentally. My personal opinion is that admins need to be bold and block anyway; it should usually be possible to block individual sites where needed.
Tuesday, 12 April 2016
PlusServer has a PlusSized problem with Angler
Labels:
Angler EK,
Evil Network,
Germany
Monday, 11 April 2016
Evil networks to block 2016-04-11
I realise it has been a while since my last list of bad networks you might want to block. Hopefully in the next couple of days I will have another list outlining some bad problems with PlusServer IP ranges; in the meantime here are a load of network blocks with a high concentration of Angler EK and other nastiness. (The links go to my Pastebin with more details.)
Labels:
Angler EK,
Evil Network
Thursday, 7 April 2016
foocrypt.net / fookey.org / foocrypt.net spam
The line between genius and madness is a fine one. Decide for yourself which side of the line this email is on.
From: Cryptopocalypse NOW 01 04 2016 [no-reply@foocrypt.net]
Date: 7 April 2016 at 18:24
Subject: Cryptopocalypse NOW 01 04 2016
Cryptopocalypse NOW 01 04 2016
Now available through iTunes - iBooks @ https://itunes.apple.com/us/book/cryptoapocalypse-now/id1100062356?ls=1&mt=11
Cryptopocalypse NOW is the story behind the trials and tribulations encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption."
"FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening several commonly used Symmetric Open Source Encryption methods so that they are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'.
"FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under export control by the Australian Department of Defence Defence Export Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology as per the ‘Wassenaar Arrangement’
A permit from Defence Export Control is expected within the next 2 months as the Australian Signals Directorate is currently assessing the associated application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical Encryption."
Early releases of "Cryptopocalypse NOW" will be available in the period leading up to June, 2016.
This is Volume 1 of N, where N represents an arbitrary number greater than 1 but less than infinity.
Limited Edition Collectors Versions and Hard Back Editions are available via the store on http://www.foocrypt.net/
© FooCrypt 1980 - 2016, All Rights Reserved.
Regards,
Mark A. Lane
© Mark A. Lane 1980 - 2015, All Rights Reserved.
Disclaimer : To remove yourself from this email list, kindly goto http://www.foocrypt.net/unsub.html
Err.. no. "Quantum Encryption" is a branch of quantum physics; it's a completely different level of encryption, in the same way that an aeroplane is not like a car. Attached is some weird semi-messianic picture..
The email originates from 208.79.219.105 (Loose Foot Computing, Canada). This also happens to be the IP address of:
foocrypt.net
mail0.foocrypt.net
So, the email was sent from the server it is spamvertising. That's normally a pretty certain indicator that the person running the web site is doing the spamming, and that it isn't a Joe Job. If you visit the spamvertised website (not recommended) then you can find a link to a crowdfunding appeal at www.gofundme.com/foocrypt which tells you all you need to know about the credibility of the project..
Yes.. so far it has raised $5 out of a $1,000,000 target in nearly two months. Good luck with the other $999,995.
The sender is apparently one "Mark A Lane" but other than some connections to Australia, I cannot identify an individual behind it. The following websites do all seem to be related, however:
enalakram.net
fookey.net
fookey.org
foocrypt.net
The closest I can get to contact details is the WHOIS entry for fookey.org:
Registrant ID:90b5527af50723f4
Registrant Name:Mark Lane
Registrant Organization:FOOCRYPT
Registrant Street: P.O. Box 66
Registrant City:Briar Hill
Registrant State/Province:Victoria
Registrant Postal Code:3088
Registrant Country:AU
Registrant Phone:+61.411414431
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:foocrypt@gmail.com
Curiously, that name and address also turn up on this somewhat ungrammatical CV.
Name: Mark Andrew Lane
Postal Address: P.O. Box 66,
Briar Hill, Victoria. 3088.
Telephone: 0411414431
Email: mark.andrew.lane@gmail.com
I mean it would be weird if they weren't related in some way. But that CV mentions nothing about cryptography at all.. a bit of a mystery.
This message was sent to a random and nonexistent email address. Crucially, it does seem to be just random spam and not malware or phishing, but is still best avoided.
Friday, 1 April 2016
Fake boss scams meet AI robocallers in a dangerous escalation of fraud
Many of us will be familiar with the "fake boss" scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady bank account for a business transaction you are not allowed to talk about.
This type of fraud is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and convincing calls have to be made to unsuspecting minions. Not only does this all take some time, but the more people involved in the scam, the more ways you have to split the booty.. and the greater the chance of getting caught.
Now, the notorious Russian gang dubbed Den Duraka by researchers has been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system which promises to be a game-changer.
Sporting the clumsy Russian acronym LOZHNYY, this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using hacked credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers.
Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were not suspicious as this seemed consistent with the behaviour of their CEOs.
Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely ignore any communications from your CEO and indeed any C-level executive. You have been warned!
(If you hadn't spotted the clues in the Russian names above.. this is an April Fools joke)
Wednesday, 30 March 2016
Malware spam: "Additional Costs" leads to Locky
About the 9000th malicious spam run of the week so far, this one drops Locky ransomware. Again.
From: Gregg gale
Date: 30 March 2016 at 13:42
Subject: Additional Costs
Based on our contact (#084715), we're required to inform you about additional costs associated with your account, more information attached.
Reference numbers and sender names vary, the attachments are similar to the ones in this spam run. Various Malwr analyses for the samples I captured [1] [2] [3] [4] [5] show download locations at:
cssrd.org.lb/Wji57q.exe
fabiocaminero.com/2L5pGE.exe
This binary has a detection rate of 7/56. Analysis of the binary [6] [7] [8] shows that it phones home to the same IPs reported here.
Labels:
Locky,
Malware,
Ransomware,
Spam
Malware spam: "Facture client N° FC_462982347 du 30/03/2016" leads to Locky
This French-language spam is pretending to be a renewal for anti-virus software, however instead it has a malicious attachment:
From: administrator [netadmin@victimdomain.tld]
Date: 30 March 2016 at 11:09
Subject: Facture client N° FC_462982347 du 30/03/2016
Hello,
Please find attached the invoice for the renewal of your antivirus.
Best regards
A.Morel
It pretends to come from within the victim's own domain, but this is a simple forgery. The reference number changes from email to email; attached is a ZIP file named consistently with the subject (e.g. FC_462982347.zip). This ZIP file contains a malicious script (typical detection rate 8/56) which then downloads Locky ransomware. These automated analyses [1] [2] [3] [4] [5] show the scripts downloading from the following locations (there are almost definitely more):
bezuhova.ru/45t3443r3
thespinneyuk.com/45t3443r3
tishaclothing.co.za/45t3443r3
This dropped binary has a detection rate of 7/56. According to these analyses [6] [7] [8] it phones home to the same servers detailed in this earlier blog post.
Labels:
France,
Locky,
Malware,
Ransomware,
Spam
Malware spam: "Additional Information Needed #869420" leads to ransomware
This spam has a malicious attachment, leading to ransomware.
From: Joe holdman [holdmanJoe08@seosomerset.co.uk]
Date: 30 March 2016 at 08:55
Subject: RE: Additional Information Needed #869420
We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipient's email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.
An analysis of three scripts [1] [2] [3] shows binary downloads from:
cainabela.com/zFWvTM.exe
downloadroot.com/vU4VAZ.exe
folk.garnet-soft.com/jDFXfL.exe
This binary has a detection rate of 6/56. Automated analysis [4] [5] shows network traffic to:
93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)
These characteristics are consistent with Locky ransomware.
Recommended blocklist:
93.170.131.108
5.135.76.18
82.146.37.200
Labels:
France,
Locky,
Montenegro,
Ransomware,
Russia,
TheFirst-RU
Tuesday, 29 March 2016
Malware spam: "CCE29032016_00034" / "Sent from my iPhone"
The malware spammers have been busy again today. I haven't had time to look at this massive spam run yet, so I am relying on a trusted third party analysis (thank you!)
These spam emails look like the victim is sending them to themselves (but they aren't). Reference numbers vary a little between emails, but the basic pattern is:
From: victim
To: victim
Date: 29 March 2016 at 17:50
Subject: CCE29032016_00034
Sent from my iPhone
Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:
This payload has a detection rate of 4/56. The malware calls back to:
84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
109.234.35.128 (McHost, Russia)
McHost is almost purely a black-hat ISP in my opinion and should be blocked on sight.
Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24
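As an added example (not code from the original blog), here is how a mail gateway could flag the pattern described above, together with the forged internal sender from the "Facture client" post further up: a message that names the recipient's own mailbox or domain as sender yet entered from outside, and carries an archive named after the subject line. The domain example.com, the relay hosts and addresses, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumptions (placeholders, not values from the blog): the protected
# domain and the hostnames/addresses of its own mail relays.
OWN_DOMAIN = "example.com"
OWN_RELAY_HOSTS = {"mx.example.com", "mail.example.com"}
OWN_RELAY_IPS = {"192.0.2.10", "192.0.2.11"}
ARCHIVE_EXT = (".rar", ".zip", ".7z")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"\bfrom\b(.*?)\bby\b(.*)", re.S)

# Constructed sample modelled on the self-addressed "CCE29032016_00034" run:
# From == To, "Sent from my iPhone", RAR archive named after the subject.
MALSPAM_SAMPLE = b"""Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.com; Tue, 29 Mar 2016 17:50:02 +0100
Received: from unknown (HELO victim) (198.51.100.77)
\tby mail.example.com; Tue, 29 Mar 2016 17:50:01 +0100
From: victim@example.com
To: victim@example.com
Subject: CCE29032016_00034
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sent from my iPhone
--b1
Content-Type: application/x-rar-compressed; name="CCE29032016_00034.rar"
Content-Disposition: attachment; filename="CCE29032016_00034.rar"
Content-Transfer-Encoding: base64

UmFyIQ==
--b1--
"""

# Constructed benign internal message for comparison.
BENIGN_SAMPLE = b"""Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.com; Tue, 29 Mar 2016 12:00:00 +0100
From: alice@example.com
To: bob@example.com
Subject: Lunch
Content-Type: text/plain

See you at one.
"""


def mailbox(value):
    """Lower-cased addr-spec from a From/To header ('' when absent)."""
    return parseaddr(str(value or ""))[1].lower()


def origin_ip(msg):
    """Return the address that handed the message to our own relays, or
    None if it never left our infrastructure. Received headers are read
    newest-first and only hops recorded 'by' one of our relays are
    believed: anything the sender prepended below them can be forged."""
    for hop in msg.get_all("Received", []):
        m = HOP.search(str(hop))
        if not m:
            continue
        from_part, by_part = m.groups()
        tokens = by_part.split()
        by_host = tokens[0].rstrip(";,").lower() if tokens else ""
        if by_host not in OWN_RELAY_HOSTS:
            continue
        ips = IPV4.findall(from_part)
        if ips and ips[0] not in OWN_RELAY_IPS:
            return ips[0]
    return None


def attachment_names(msg):
    """File names of all non-body MIME parts."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def analyse(raw):
    """Score one raw RFC 5322 message against the malspam traits above."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender, recipient = mailbox(msg["From"]), mailbox(msg["To"])
    subject = str(msg["Subject"] or "").strip().lower()
    ip = origin_ip(msg)
    names = attachment_names(msg)
    findings = {
        "origin_ip": ip,
        # From and To are the same mailbox ("the victim sending to themselves")
        "self_addressed": bool(sender) and sender == recipient,
        # claims our own domain as sender yet entered from outside
        "forged_internal_sender": sender.endswith("@" + OWN_DOMAIN) and ip is not None,
        # archive whose base name equals the subject, e.g. CCE29032016_00034.rar
        "archive_named_as_subject": any(
            n.lower().endswith(ARCHIVE_EXT) and n.rsplit(".", 1)[0].lower() == subject
            for n in names
        ),
    }
    traits = ("self_addressed", "forged_internal_sender", "archive_named_as_subject")
    findings["score"] = sum(findings[k] for k in traits)
    return findings


if __name__ == "__main__":
    for label, raw in (("malspam", MALSPAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyse(raw))
```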
Labels:
France,
Germany,
Locky,
Malware,
Montenegro,
OVH,
Ransomware,
Russia,
Spam,
Viruses
Malware spam: "Re: New Order P2016280375" / Rose Lu [salesdeinnovative@technologist.com]
This fake financial spam comes with a malicious attachment:
From: Rose Lu [salesdeinnovative@technologist.com]
Date: 29 March 2016 at 02:30
Subject: Re: New Order P2016280375
Good Day,
Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
I look forward to receiving your order acknowledgement in due course.
Best regards
Rose Lu
Office Manager
Suzhou Eagle Electric Vehicle Manufacturing Co., Ltd.
Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China
Tel: +86 512 6596 0151 Fax: +86 512 6252 1796
Cell: +86 186 2520 8037
Skype: rose.lu22
Email: luyi@eg-ev.com
Web: http://www.eagle-ev.com
http://www.eg-ev.com
http://szeagle.en.alibaba.com
http://www.chinaelectricvehicle.com
http://szeagle-golfcar.en.made-in-china.com
Attached is a file New Order P201628037.docx, of which I have seen a single variant, with a VirusTotal detection rate of 8/58. The Malwr report is inconclusive, but does appear to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object..
Crypted.exe
C:\Users\user\Desktop\Crypted.exe
C:\Users\user\AppData\Local\Temp\Crypted.exe
So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn.no-ip.biz hosted on:
105.112.39.114 (Airtel, Nigeria)
I strongly recommend that you block traffic to that IP. In fact, the entire (very large) 105.112.0.0/12 range is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before), so you might want to consider blocking that too.
Monday, 28 March 2016
Malware spam: "Envoi d’un message : 9758W-TERREDOC-RS62937-15000" / Christine Faure [c.faure@technicoflor.fr]
This French-language spam comes with a malicious attachment:
From: Christine Faure [c.faure@technicoflor.fr]
Date: 28 March 2016 at 16:54
Subject: Envoi d’un message : 9758W-TERREDOC-RS62937-15000
Your message is ready to be sent with the following files or links attached:
9758W-TERREDOC-RS62937-15000
Security message
The body text (translated above from the French) reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions, each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:
store.brugomug.co.uk/765f46vb.exe
ggbongs.com/765f46vb.exe
dragonex.com/765f46vb.exe
homedesire.co.uk/765f46vb.exe
scorpena.com/765f46vb.exe
pockettypewriter.co.uk/765f46vb.exe
enduro.si/pdf/765f46vb.exe
185.130.7.22/files/qFBC5Y.exe
Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses [17] [18] [19] [20] the malware phones home to:
83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)
All of those look like pretty shady neighbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.
The other binary appears to be another version of Locky, phoning home to the same servers.
Recommended blocklist:
83.217.8.127
84.19.170.249
185.117.72.94
91.200.14.73
92.63.87.134
176.31.47.100
Labels:
France,
Germany,
Latvia,
Locky,
Netherlands,
OVH,
Ransomware,
Russia,
Ukraine
Thursday, 24 March 2016
Malware spam: "FW: Payment Receipt" from multiple recipients leads to Locky
This fake financial spam comes from random recipients, for example:
From: Marta Wood
Date: 24 March 2016 at 10:10
Subject: FW: Payment Receipt
Dear [redacted],
Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.
Regards,
Marta Wood
Technical Manager - General Insurance
Attached is a ZIP file that incorporates the recipient's name plus a word such as payment, details or receipt plus a random number. This archive contains a randomly-named script (starting with "PM" and ending with .js.js) plus what appear to be a set of hidden .BIN files which may well be junk.
VirusTotal detection rates for the scripts are fairly low (examples [1] [2] [3] [4] [5] [6]). Automated analysis [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] shows binary download locations at:
stie.pbsoedirman.com/msh4uys
projectpass.org/o3isua
natstoilet.com/l2ps0sa [404]
yourhappyjourney.com/asl2sd [404]
Two of the locations are 404ing; the two that work serve up a different binary each. There are probably many more download locations and more binaries, I will try to add a list later.
The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically Locky. Automated analyses [21] [22] [23] [24] [25] [26] show it phoning home to:
195.123.209.123 (ITL, Latvia)
107.181.187.228 (Total Server Solutions, US)
217.12.218.158 (ITL, Netherlands)
46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
UPDATE
Some further download locations from another source (thank you!):
MD5s for downloaded binaries:
Recommended blocklist:
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39
Labels:
Locky,
Malware,
Netherlands,
Ransomware,
Spam,
Ukraine,
Viruses
Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk
This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment (the email itself is quoted at the end of this post). The macros in the attachment download a binary from:
skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe
This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:
71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)
It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.
UPDATE
Some additional download locations from another source (thank you!)
webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe
Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41
From: customer.service@axminster.co.uk
Date: 24 March 2016 at 10:11
Subject: Your order has been despatched
Dear Customer
The attached document* provides details of items that have been packed and are ready for despatch.
Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk
Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm
Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk
Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)
Kind regards
Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk
* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8] shows download locations at:
skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe
This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:
71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)
It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.
UPDATE
Some additional download locations from another source (thank you!)
webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe
Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41
Monday, 21 March 2016
Malware spam: "FX Service" / "Fax transmission" spoofing victim's domain
This fake fax spam appears to come from within the victim's own domain, but it doesn't. Instead it is just a simple forgery with a malicious attachment.
From: FX Service [emailsend@w.e191.victimdomain.tld]
Date: 21 March 2016 at 14:32
Subject: Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff
Please find attached to this email a facsimile transmission we
have just received on your behalf
(Do not reply to this email as any reply will not be read by
a real person)
Details will vary from message to message. Attached is a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:
http://modaeli.com/89h766b.exe
http://spormixariza.com/89h766b.exe
http://sebastiansanni.org/wp-content/plugins/hello123/89h766b.exe
http://cideac.mx/wp-content/plugins/hello123/89h766b.exe
There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56. This Malwr report of the payload indicates that it is Locky ransomware.
All of those sources plus this Deepviz report show network traffic to the following IPs:
195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine)
If I receive more information I will post it here.
Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90
Friday, 18 March 2016
Evil networks to block 2016-03-18
A follow-up to this list posted a few days ago. These networks are primarily distributing Angler and in my opinion you should block their entire ranges to be on the safe side. All the links go to Pastebin.
85.204.74.0/24
89.45.67.0/24
89.108.83.0/24
148.251.249.96/28
184.154.89.128/29
184.154.135.120/29
185.30.98.0/23
185.117.73.0/24
185.141.25.0/24
194.1.237.0/24
212.22.85.0/24
217.12.210.128/25
Labels: Angler EK, Evil Network
Malware spam: "Proof of Delivery Report: 16/03/16-17/03/16" / UKMail Customer Services [list_reportservices@ukmail.com]
This spam does not come from UKMail but is instead a simple forgery with a malicious attachment:
From: UKMail Customer Services [list_reportservices@ukmail.com]
Date: 18 March 2016 at 02:46
Subject: Proof of Delivery Report: 16/03/16-17/03/16
Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD
.............................. .............................. .............................. .............................. .............................. .............................. .......
Please consider the environment before printing this e-mail or any attachments. This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England. Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.
At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm which has a VirusTotal detection rate of 9/55. This Malwr report for the sample shows a file download from:
kervanburak.com/wp-content/plugins/hello123/r34t4g33.exe
There will be many other versions of the attachment with different download locations. This binary has a detection rate of 8/55 and this Malwr report and Hybrid Analysis show network traffic to:
64.147.192.68 (Dataconstructs, US)
I recommend you block traffic to that IP. The payload appears to be the Dridex banking trojan.
UPDATE 1
This DeepViz report shows some additional IP addresses contacted:
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)
UPDATE 2
Some additional download locations from a trusted source (thank you!):
almexports.com/wp-content/plugins/hello123/r34t4g33.exe
cky.org.uk/wp-content/plugins/hello123/r34t4g33.exe
felipemachado.com/wp-content/plugins/hello123/r34t4g33.exe
ioy.co.il/wp-content/plugins/hello123/r34t4g33.exe
muhidin.eu.pn/wp-content/plugins/hello123/r34t4g33.exe
tribebe.com/wp-content/plugins/hello123/r34t4g33.exe
voiceofveterans.in/wp-content/plugins/hello123/r34t4g33.exe
Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78
Thursday, 17 March 2016
Malware spam: "PDFPart2.pdf" / "Sent from my Samsung Galaxy Note 4 - powered by Three"
This spam run has a malicious attachment. It appears to come from within the user's own domain.
From: Administrator [admin@victimdomain.tld]
Date: 17 March 2016 at 12:54
Subject: PDFPart2.pdf
Sent from my Samsung Galaxy Note 4 - powered by Three
All the attachments that I saw were corrupt, but it appears to be trying to download a script that installs Locky ransomware, as seen here.
Malware spam: "Documentxx" apparently coming from the victim leads to Locky
This spam appears to come from the victim, but this is just a simple forgery (explained here). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is no body text. Here is an example:
From: victim@domain.tld
To: victim@domain.tld
Date: 17 March 2016 at 10:37
Subject: Document32
Inside is a randomly-named script (samples VirusTotal reports [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13] indicate that the script attempts to download a binary from the following locations:
escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe
fmfgrzebel.pl/wp-content/plugins/hello123/89h8btyfde445.exe
superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe
sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe
bezerraeassociados.com.br/wp-content/plugins/hello123/89h8btyfde445.exe
The dropped binary has a detection rate of just 2/57. Those reports and these other automated analyses [14] [15] [16] show network traffic to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46 (Infium UAB, Ukraine)
188.127.231.116 (SmartApe, Russia)
195.64.154.114 (Ukrainian Internet Names Center, Ukraine)
This is Locky ransomware.
Recommended blocklist:
78.40.108.39
46.148.20.46
188.127.231.116
195.64.154.114
Malware spam: "Remittance Adivce" from random senders
This fake financial spam has a malicious attachment and poor spelling in the subject field.
From: Booth.Garth19@idsbangladesh.net.bd
Date: 17 March 2016 at 09:17
Subject: Remittance Adivce
Please find attached a remittance advice for payment made yo you today.
Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.
Kind Regards
Garth Booth
Sender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:
bakery.woodwardcounseling.com/michigan/map.php
This download location is almost certainly completely malicious, and is hosted at:
217.12.199.94 (ITL, Ukraine)
This dropped file has a detection rate of 3/56. That VirusTotal and this Malwr report indicate network traffic to:
38.64.199.33 (PSINet, Canada)
188.93.239.28 (DotSi, Portugal)
The payload is uncertain, but it could be the Dridex banking trojan.
UPDATE
The DeepViz analysis also shows traffic to:
85.17.155.148 (Leaseweb, Netherlands)
Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148
Malware spam: "Interparcel Documents" / Interparcel [bounce@interparcel.com]
This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
From: Interparcel [bounce@interparcel.com]
Date: 17 March 2016 at 08:51
Subject: Interparcel Documents
Your Interparcel collection has been booked and your documents are ready.
There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
Thank you for booking with Interparcel.
Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:
gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/56h4g3b5yh.exe
The detection rate for the binary is 5/57. This DeepViz report on the binary shows network connections to:
195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)
As mentioned before, these characteristics look like the Dridex banking trojan.
Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78
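As an added example (not part of any of the posts above, and not the blog author's own tooling), here is a small Python script that puts the indicators above to defensive use. It checks destination IPs against the CIDR ranges from the "Evil networks to block 2016-03-18" post and the individual IPs from the recommended blocklists, and it flags proxy-log URLs whose path matches the /wp-content/plugins/hello123/<name>.exe download location that recurs in the UKMail, Documentxx and Interparcel posts. The log line format, the internal client addresses and the non-indicator destinations are constructed assumptions; the host names and indicator values come from the posts.

```python
"""Triage proxy log lines against the indicators listed in the posts above."""
import ipaddress
import re
from urllib.parse import urlsplit

# CIDR ranges from the "Evil networks to block 2016-03-18" post
EVIL_NETWORKS = [
    "85.204.74.0/24", "89.45.67.0/24", "89.108.83.0/24", "148.251.249.96/28",
    "184.154.89.128/29", "184.154.135.120/29", "185.30.98.0/23", "185.117.73.0/24",
    "185.141.25.0/24", "194.1.237.0/24", "212.22.85.0/24", "217.12.210.128/25",
]

# Individual IPs from the "Recommended blocklist" sections of the spam posts above
BLOCKLIST_IPS = [
    "64.147.192.68", "64.76.19.251", "91.236.4.234", "188.40.224.78",
    "195.64.154.126", "92.63.87.106", "84.19.170.244", "217.12.199.90",
]

# Download path seen in several posts above: /wp-content/plugins/hello123/<name>.exe
HELLO123_RE = re.compile(r"^/wp-content/plugins/hello123/[^/]+\.exe$", re.IGNORECASE)

# Build once: a bare IP becomes a /32 network, so one membership test covers both lists
BLOCKED = [ipaddress.ip_network(n) for n in EVIL_NETWORKS + BLOCKLIST_IPS]


def blocked_network(ip):
    """Return the blocklist entry (as a string) that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED:
        if addr in net:
            return str(net)
    return None


def suspicious_download(url):
    """True if the URL path matches the hello123 plugin drop location pattern."""
    return bool(HELLO123_RE.search(urlsplit(url).path))


def triage(log_lines):
    """Parse assumed 'timestamp client dst_ip method url' lines; return (line_no, reasons) hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        _, _, dst_ip, _, url = fields[:5]
        reasons = []
        try:
            net = blocked_network(dst_ip)
        except ValueError:
            net = None  # destination field was not an IP literal
        if net:
            reasons.append("dst in blocklist " + net)
        if suspicious_download(url):
            reasons.append("hello123 download path")
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log lines (not from the page); only the host names are from the posts above
SAMPLE_LOG = [
    "2016-03-18T02:50:01 10.0.0.12 203.0.113.5 GET http://kervanburak.com/wp-content/plugins/hello123/r34t4g33.exe",
    "2016-03-18T02:50:09 10.0.0.12 64.147.192.68 POST http://64.147.192.68/",
    "2016-03-18T02:51:30 10.0.0.20 185.30.99.17 GET http://example.test/landing",
    "2016-03-18T02:52:00 10.0.0.21 93.184.216.34 GET http://example.com/",
]

if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_LOG):
        print(n, "; ".join(reasons))
```

The first sample line is flagged on the URL path alone (its destination is not in any list), the second on the Dridex C2 address, and the third because 185.30.99.17 falls inside the /23 range rather than a /24, which is the kind of boundary a hand-maintained grep would miss.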