Sponsored by..

Monday, 18 April 2016

Malware spam: "Please do confirm the Quote Price and get back to me as soon as possible"

This fake financial spam leads to malware:
From: khlee@ahnchem.com sales
To
Date: Mon, 18 Apr 2016 13:46:21 +0100
Subject: Re: Quote Price

Dear Sir

FYI,

Please do confirm the Quote Price and get back to me as soon as possible.

Regards
Sales Department
Attached is a fie with an unusual extension, ORDER LIST.ace which is actually a compressed archive (basically a modified ZIP file). It contains an executable ORDER LIST.exe which has a VirusTotal detection rate of 15/56. That same VirusTotal report indicates traffic to:

booksam.tk/pony/gate.php

This is hosted on:

46.4.100.109 (Hetzner, Germany)

That IP address might be worth blocking. The Hybrid Analysis indicates that this steals FTP and perhaps other passwords. This is a Pony loader which will probably try to download additional malware, but it is not clear what that it might be.

Wednesday, 13 April 2016

Malware spam: "Prompt response required! Past due inv. #FPQ479660" / "Jake Gill"

This fake financial spam has a malicious attachment:

From:    Hillary Odonnell [Hillary.OdonnellF@eprose.fr]
Date:    13 April 2016 at 18:40
Subject:    Prompt response required! Past due inv. #FPQ479660

Hello,

I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?

Thank you,

Jake Gill

Accounts Receivable Department

Diploma plc

(094) 426 8112
The person it is "From", the reference nu,ber and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).

There seem to be several different versions of the attachment, I checked four samples [1] [2] [3] [4] and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive [5] [6] [7] [8] (as are the Hybrid Analyses [9] [10] [11] [12]) but do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on 212.76.140.230 - MnogoByte, Russia). The payload appears to be Dridex.

We can see a reference to that server at URLquery which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment however, the server appears to be not responding, but it appears that for that sample the malware communicated with:

195.169.147.88 (Culturegrid.nl, Netherlands)
178.33.167.120 (OVH, Spain)
210.70.242.41 (TANET, Taiwan)
210.245.92.63 (FPT Telecom Company, Vietnam)


These are all good IPs to block.

According to DNSDB, these other domains have all been hosted on the 212.76.140.230 address:

onlineaccess.bleutree.com
egotayx.net
wgytaab.net
emoaxmyx.net
wmbyaxma.net
emeotalyx.net
ezhoyznyx.net
wmeybtala.net
wzhybyzna.net
onlineaccess.bleutree.info
onlineaccess.bleutree.mobi


You can bet that they are all malicious too.

Recommended blocklist:
212.76.140.230
195.169.147.88
178.33.167.120
210.70.242.41
210.245.92.63


Malware spam: "Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC"

This fake financial email comes with a malicious attachment:
From:    Tran
Reply-To:    Tran, Reuben - ADVANCED ONCOTHERAPY PLC [TranReuben1322@telecom.kz]
Date:    13 April 2016 at 16:24
Subject:    Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC

Good morning,

Please advise status on these

If shipped, please send invoice & tracking


---------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail, including any attachments and/or linked documents, is intended for the sole use of the intended addressee and may contain information that is privileged, confidential, proprietary, or otherwise protected by law. Any unauthorized review, dissemination, distribution, or copying is prohibited. If you have received this communication in error, please contact the original sender immediately by reply email and destroy all copies of the original message and any attachments. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Xylem Inc.
I have only seen a single copy of this, it is likely that the company name will vary from email to email. The attachment due #46691848.doc has a VirusTotal detection rate of 5/56. According to this Malwr report it downloads a file from:

mgmt.speraelectric.info/flows/login.php

Right at the moment this is just a copy of the Windows Calculator and is harmless, but the payload could be switched later to something more malicious, probably Locky ransomware or the Dridex banking trojan.

Tuesday, 12 April 2016

PlusServer has a PlusSized problem with Angler

PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again.

So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).

85.25.102.0/24
85.25.107.0/24
85.25.160.0/24 
85.93.93.0/24
188.138.17.0/24
188.138.70.0/24 
188.138.71.0/24
188.138.75.0/24
188.138.102.0/24
188.138.105.0/24 
188.138.125.0/24 
217.172.189.0/24
217.172.190.0/24

Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too.

UPDATE 2016-04-25

Here are some more PlusServer ranges where Angler has been rampant:

85.25.218.0/24
85.25.237.0/24
188.138.25.0/24
188.138.68.0/24

UPDATE 2016-05-10

Heavy Angler activity has also been spotted in the following ranges:

62.75.203.0/24
62.75.207.0/24
85.25.43.0/24 
85.25.79.0/24
85.25.159.0/24
85.25.217.0/24
188.138.33.0/24
188.138.68.0/24
188.138.125.0/24

In addition, some Angler activity has been observed in the following ranges but is not yet widespread (I will update if I see more activity):

62.75.167.0/24
85.25.41.0/24

85.25.74.0/24

85.25.106.0/24
85.25.207.0/24

188.138.41.0/24
188.138.57.0/24
188.138.69.0/24
188.138.102.0/24

PlusServer (or more likely one or more of their resellers) appear to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in 188.138.105.0/24) that the only safe option is to block traffic to those network ranges.

With black hat hosts such as Qhoster or Host Sailor and to some extent Agava you can block the entire network ranges and not block anything of value at all. In using PlusServer, the bad guys can hide their evil sites among legitimate sites where administration might fear to block something accidentally. My personal opinion is that admins need to be bold and block anyway.. it should usually be possible to block individual sites where needed.

Baldock is not the same as Badlock

Baldock is not the same as Badlock.

Monday, 11 April 2016

Evil networks to block 2016-04-11

I realise it has been a while since my last list of bad networks you might want to block. Hopefully in the next couple of days I will have another list outlining some bad problems with PlusServer IP ranges, in the mean times here are a load of network blocks with a high concentration of Angler EK and other nastiness. (The links go to my Pastebin with more details).

31.148.99.0/24
51.255.61.48/30
51.255.96.56/30 
51.255.143.80/30
65.49.8.64/26
83.217.11.0/24
85.93.93.0/24
85.143.209.0/24
91.221.36.0/24 
92.83.104.0/21
93.115.38.0/24
94.242.206.0/24 
131.72.136.0/24 
178.57.217.0/24
185.46.9.0/24
185.46.10.0/24
185.49.68.0/24
185.75.46.0/23
185.104.8.0/22 
194.1.238.0/24
204.155.31.0/24 

Thursday, 7 April 2016

foocrypt.net / fookey.org / foocrypt.net spam

The line between genius and madness is a fine one. Decide for yourself which side of the line this email is on.

From:    Cryptopocalypse NOW 01 04 2016 [no-reply@foocrypt.net]
Date:    7 April 2016 at 18:24
Subject:    Cryptopocalypse NOW 01 04 2016

Cryptopocalypse NOW 01 04 2016

Now available through iTunes - iBooks @ https://itunes.apple.com/us/book/cryptoapocalypse-now/id1100062356?ls=1&mt=11

Cryptopocalypse NOW is the story behind the trials and tribulations encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption."

"FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening several commonly used Symmetric Open Source Encryption methods so that they are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'.

"FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under export control by the Australian Department of Defence Defence Export Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology as per the ‘Wassenaar Arrangement’

A permit from Defence Export Control is expected within the next 2 months as the Australian Signals Directorate is currently assessing the associated application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical Encryption."

Early releases of "Cryptopocalypse NOW" will be available in the period leading up to June, 2016.

This is Volume 1 of N, where N represents an arbitrary number greater than 1 but less than infinity.

Limited Edition Collectors Versions and Hard Back Editions are available via the store on http://www.foocrypt.net/

© FooCrypt 1980 - 2016, All Rights Reserved.


Regards,

Mark A. Lane

© Mark A. Lane 1980 - 2015, All Rights Reserved.

Disclaimer :  To remove yourself from this email list, kindly goto http://www.foocrypt.net/unsub.html
Err.. no. "Quantum Encryption" is a branch of quantum physics, it's a completely different level of encryption in the same way that an aeroplane is not like a car. Attached is some weird semi-messianic picture..


The email originates from 208.79.219.105 (Loose Foot Computing, Canada). This also happens to be the IP address of:

foocrypt.net
mail0.foocrypt.net

So, the email was sent from the server it is spamvertising. That's normally a pretty certain indicator that the person running the web site is doing the spamming, and that it isn't a Joe Job. If you visit the spamvertised website (not recommended) then you can find a link to a crowdfunding appeal at www.gofundme.com/foocrypt which tells you all you need to know about the credibility of the project..

Yes.. so far it has raised $5 out of a $1,000,000 target in nearly two months. Good luck with the other $999,995.

The sender is apparently one "Mark A Lane" but other than some connections to Australia, I cannot identify an individual behind it. The following website do all seem to be related however:

enalakram.net
fookey.net
fookey.org
foocrypt.net


The closest I can get to contact details is the WHOIS entry for fookey.org:

Registrant ID:90b5527af50723f4
Registrant Name:Mark Lane
Registrant Organization:FOOCRYPT
Registrant Street: P.O. Box 66
Registrant City:Briar Hill
Registrant State/Province:Victoria
Registrant Postal Code:3088
Registrant Country:AU
Registrant Phone:+61.411414431
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:foocrypt@gmail.com


Curiously, that name and address also turns up on this somewhat ungrammatical CV.

Name: Mark Andrew Lane
Postal Address: P.O. Box 66,
Briar Hill, Victoria. 3088.
Telephone: 0411414431
Email: mark.andrew.lane@gmail.com

I mean it would be weird if they weren't related in some way. But that CV mentions nothing about cryptography at all.. a bit of a mystery.

This message was sent to a random and nonexistant email address. Crucially, it does seem to be just random spam and not malware or phishing, but is still best avoided.



Friday, 1 April 2016

Fake boss scams meet AI robocallers in a dangerous escalation of fraud

Many of us will be familiar with the "fake boss" scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady bank account for a business transaction you are not allowed to talk about.

This type of fraud is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and convincing calls have to be made to unsuspecting minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the change of getting caught.

Now, the notorious Russian gang dubbed Den Duraka by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system called which promises to be a game-changer.

Sporting the clumsy Russian acronym LOZHNYY, this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using hacked credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers.

Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were not suspicious as this seemed consistent with the behaviour of their CEOs.

Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely ignore any communications from your CEO and indeed any C-level executive. You have been warned!

(If you hadn't spotted the clues in the Russian names above.. this is an April Fools joke)


Wednesday, 30 March 2016

Malware spam: "Additional Costs" leads to Locky

About the 9000th malicious spam run of the week so far, this one drops Locky ransomware. Again.

From:    Gregg gale
Date:    30 March 2016 at 13:42
Subject:    Additional Costs

Based on our contact (#084715), we're required to inform you about additional costs associated with your account, more information attached.

Reference numbers and sender names vary, the attachments are similar to the ones in this spam run. Various Malwr analyses for the samples I captured [1] [2] [3] [4] [5] show download locations at:

cssrd.org.lb/Wji57q.exe
fabiocaminero.com/2L5pGE.exe


This binary has a detection rate of 7/56. Analysis of the binary [6] [7] [8] shows that it phones home to the same IPs reported here.

Malware spam: "Facture client N° FC_462982347 du 30/03/2016" leads to Locky

This French-language spam is pretending to be a renewal for anti-virus software, however instead it has a malicious attachment:

From:    administrator [netadmin@victimdomain.tld]
Date:    30 March 2016 at 11:09
Subject:    Facture client N° FC_462982347 du 30/03/2016

Bonjour,

Veuillez trouver ci-joint la facture pour le renouvellement de votre antivirus.

Bonne réception

A.Morel
It pretends to come from within the victim's own domain, but this is a simple forgery. The reference number changes from email to email, attached is a ZIP file named consistently with the subject (e.g. FC_462982347.zip). This ZIP file contains a malicious script (typical detection rate 8/56) which then downloads Locky ransomware. According to these automated analyses [1] [2] [3] [4] [5] show the scripts downloading from the following locations (there are almost definitely more):

bezuhova.ru/45t3443r3
thespinneyuk.com/45t3443r3
tishaclothing.co.za/45t3443r3


This dropped binary has a detection rate of 7/56. According to these analyses [6] [7] [8] it phones home to the same servers detailed in this earlier blog post.



Malware spam: "Additional Information Needed #869420" leads to ransomware

This spam has a malicious attachment, leading to ransomware.

From:    Joe holdman [holdmanJoe08@seosomerset.co.uk]
Date:    30 March 2016 at 08:55
Subject:    RE: Additional Information Needed #869420


We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipients email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.

An analysis of three scripts [1] [2] [3] shows binary downloads from:

cainabela.com/zFWvTM.exe
downloadroot.com/vU4VAZ.exe
folk.garnet-soft.com/jDFXfL.exe

This binary has a detection rate of 6/56.  Automated analysis [4] [5] shows network traffic to:

93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)


These characteristics are consistent with Locky ransomware.

Recommended blocklist:
93.170.131.108
5.135.76.18
82.146.37.200

Tuesday, 29 March 2016

Malware spam: "CCE29032016_00034" / "Sent from my iPhone"

The malware spammers have been busy again today. I haven't had time to look at this massive spam run yet, so I am relying on a trusted third party analysis (thank you!)

These spam emails look like the victim is sending them to themselves (but they aren't). Reference numbers vary a little between emails, but the basic pattern is:

From:    victim
To:    victim
Date:    29 March 2016 at 17:50
Subject:    CCE29032016_00034

Sent from my iPhone

Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:

3r.com.ua/ty43ff333.exe
canadattparts.com/ty43ff333.exe
chilloutplanet.com/ty43ff333.exe
gazoccaz.com/ty43ff333.exe
hindleys.com/ty43ff333.exe
jeweldiva.com/ty43ff333.exe
kandyprive.com/ty43ff333.exe
labonacarn.com/ty43ff333.exe
silvec.com/ty43ff333.exe
tbde.com.vn/ty43ff333.exe
zecapesca.com/ty43ff333.exe


This payload has a detection rate of 4/56. The malware calls back to:

84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
109.234.35.128 (McHost, Russia)


McHost is almost purely a black-hat ISP in my opinion and should be blocked on sight.

Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24

Malware spam: "Re: New Order P2016280375" / Rose Lu [salesdeinnovative@technologist.com]

This fake financial spam comes with a malicious attachment:


From:    Rose Lu [salesdeinnovative@technologist.com]
Date:    29 March 2016 at 02:30
Subject:    Re: New Order P2016280375

Good Day,
Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
I look forward to receiving your order acknowledgement in due course.
 
Best regards
Rose Lu
Office Manager
Suzhou  Eagle Electric Vehicle Manufacturing Co., Ltd.
Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China
Skype:rose.lu22
Email:luyi@eg-ev.com
Web: http://www.eagle-ev.com
        http://www.eg-ev.com
       http://szeagle.en.alibaba.com
        http://www.chinaelectricvehicle.com
        http://szeagle-golfcar.en.made-in-china.com

Attached is a file New Order P201628037.docx which I have seen a single variant of, with a VirusTotal detection rate of 8/58. The Malwr report is inconclusive, but does appear to to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object..

Crypted.exe
C:\Users\user\Desktop\Crypted.exe
C:\Users\user\AppData\Local\Temp\Crypted.exe


So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn.no-ip.biz hosted on:

105.112.39.114 (Airtel, Nigeria)

I strongly recommend that you block traffic to that IP. In fact, the entire very large 105.112.0.0/12 is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before) so you might want to consider blocking those too.

Monday, 28 March 2016

Malware spam: "Envoi d’un message : 9758W-TERREDOC-RS62937-15000" / Christine Faure [c.faure@technicoflor.fr]

This French-language spam comes with a malicious attachment:
From:    Christine Faure [c.faure@technicoflor.fr]
Date:    28 March 2016 at 16:54
Subject:    Envoi d’un message : 9758W-TERREDOC-RS62937-15000

Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :

9758W-TERREDOC-RS62937-15000
Message de sécurité
To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:

store.brugomug.co.uk/765f46vb.exe
ggbongs.com/765f46vb.exe
dragonex.com/765f46vb.exe
homedesire.co.uk/765f46vb.exe

scorpena.com/765f46vb.exe
pockettypewriter.co.uk/765f46vb.exe
enduro.si/pdf/765f46vb.exe
185.130.7.22/files/qFBC5Y.exe

Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses [17] [18] [19] [20] the malware phones home to:

83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)


All of those look like pretty shady neigbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.

The other binary appears to be another version of Locky which appears to phone home to the same servers.

Recommended blocklist:
83.217.8.127
84.19.170.249
185.117.72.94
91.200.14.73
92.63.87.134
176.31.47.100





Thursday, 24 March 2016

Malware spam: "FW: Payment Receipt" from multiple recipients leads to Locky

This fake financial spam comes from random recipients, for example:

From:    Marta Wood
Date:    24 March 2016 at 10:10
Subject:    FW: Payment Receipt

Dear [redacted],

Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.

Regards,
Marta Wood
Technical Manager - General Insurance

Attached is a ZIP file that incorporates the recipients name plus a word such as payment, details or receipt plus a random number. This achive contains a randomly-named script (starting with "PM") and ending with .js.js plus which appear to be a set of hidden .BIN files which may well be junk.

VirusTotal detection rates for the scripts are fairly low (examples [1] [2] [3] [4] [5] [6]). Automated analysis [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] shows binary download locations at:

stie.pbsoedirman.com/msh4uys
projectpass.org/o3isua
natstoilet.com/l2ps0sa [404]
yourhappyjourney.com/asl2sd [404]


Two of locations are 404ing, the two that work serve up a different binary each. There are probably many more download locations and more binaries, I will try to add a list later.

The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically is it Locky. Automated analyses [21] [22] [23] [24] [25] [26] show it phoning home to:

195.123.209.123 (ITL, Latvia)
107.181.187.228 (Total Server Solutions, US)
217.12.218.158 (ITL, Netherlands)
46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


UPDATE

Some further download locations from another source (thank you!):

byprez.com/oeepsl3s
caidongrong.com/e5owzc
emprendamosjuntos.com/dk3oas
epicld.com/n3sjax
fallrunathon.com/pw9eoa
famouscouponcodes.com/nxj3sa
hudesign.com/k39skad
kanberdemir.com/b5uas
mqhchurch.net/k2usy
mskphilly.org/yt7wei
optionstrategiesinsiders.org/zpq9sa
plexcera.com/m4uxj2
tigabersaudara.com/k3isa
www.naturseife-gartetal.de/oe9fja


MD5s for downloaded binaries:

0b0f29dc216e481659e84efc349823e1
0bd4f9b53991e86e39945559be074f40
2aea58b3328728ee5f0117112f8d8bd1
3da8d515085dc46be0c5e8d0aa959a5d
8630de2e42fb8e26764a994a4b7c65a9
8b07f6a6b52462395ed8dc91c4b7e7e6
8b6bc36cf0fc6db4fe7f2257cdc75905
9b52fbfe6d763bdbd9156b308ce4cd9f
9ebc25f1e53a2174213ea128a3cdb166
ab7c78cbd32ca79dff83f00aec693b2c
c070835d983f162b48f4fc370e30cf02
c9be9e7751b8f164d04a31a71d0199c6
f5d668c551cecb12f6404214fb0c8251



Recommended blocklist:
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39

Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk

This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment:

From:    customer.service@axminster.co.uk
Date:    24 March 2016 at 10:11
Subject:    Your order has been despatched

Dear Customer

The attached document* provides details of items that have been packed and are ready for despatch.

Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.

Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm

Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)

Kind regards

Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk

* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8]  shows download locations at:

skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe


This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:

71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)


It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.

UPDATE

Some additional download locations from another source (thank you!)

webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe



Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41




Monday, 21 March 2016

Malware spam: "FX Service" / "Fax transmission" spoofing victim's domain

This fake fax spam appears to come from within the victim's own domain, but it doesn't. Instead is is just a simple forgery with a malicious attachment.

From:    FX Service [emailsend@w.e191.victimdomain.tld]
Date:    21 March 2016 at 14:32
Subject:    Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff

Please find attached to this email a facsimile transmission we
have just received on your behalf

(Do not reply to this email as any reply will not be read by
a real person)
Details will vary from message to message. Attached s a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:

http://modaeli.com/89h766b.exe
http://spormixariza.com/89h766b.exe
http://sebastiansanni.org/wp-content/plugins/hello123/89h766b.exe
http://cideac.mx/wp-content/plugins/hello123/89h766b.exe


There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56.  This Malwr report of the payload indicates that it is Locky ransomware.

All of those sources plus this Deepviz report show network traffic to the following IPs:

195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine)


If I receive more information I will post it here.

Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90






Friday, 18 March 2016

Evil networks to block 2016-03-18

A follow-up to this list posted a few days ago. These networks are primarily distributing Angler and in my opinion you should block their entire ranges to be on the safe side. All the links go to Pastebin.

85.204.74.0/24
89.45.67.0/24
89.108.83.0/24
148.251.249.96/28
184.154.89.128/29
184.154.135.120/29
185.30.98.0/23
185.117.73.0/24
185.141.25.0/24
194.1.237.0/24
212.22.85.0/24
217.12.210.128/25 


Malware spam: "Proof of Delivery Report: 16/03/16-17/03/16" / UKMail Customer Services [list_reportservices@ukmail.com]

This spam does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    UKMail Customer Services [list_reportservices@ukmail.com]
Date:    18 March 2016 at 02:46
Subject:    Proof of Delivery Report: 16/03/16-17/03/16

Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD



...........................................................................................................................................................................................
iMail Logo
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.

At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm which has a VirusTotal detection rate of 9/55. This Malwr report for the sample shows a file download from:

kervanburak.com/wp-content/plugins/hello123/r34t4g33.exe

There will be many other versions of the attachment with different download locations. This binary has a detection rate of 8/55 and this Malwr report and Hybrid Analysis  show network traffic to:

64.147.192.68 (Dataconstructs, US)

I recommend you block traffic to that IP. The payload appears to be the Dridex banking trojan.

UPDATE 1

This DeepViz report shows some additional IP addresses contacted:

64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


UPDATE 2

Some additional download locations from a trusted source (thank you!):

almexports.com/wp-content/plugins/hello123/r34t4g33.exe
cky.org.uk/wp-content/plugins/hello123/r34t4g33.exe
felipemachado.com/wp-content/plugins/hello123/r34t4g33.exe
ioy.co.il/wp-content/plugins/hello123/r34t4g33.exe
muhidin.eu.pn/wp-content/plugins/hello123/r34t4g33.exe
tribebe.com/wp-content/plugins/hello123/r34t4g33.exe
voiceofveterans.in/wp-content/plugins/hello123/r34t4g33.exe


Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78

Thursday, 17 March 2016

Malware spam: "PDFPart2.pdf" / "Sent from my Samsung Galaxy Note 4 - powered by Three"

This spam run has a malicious attachment. It appears to come from within the user's own domain.

From:    Administrator [admin@victimdomain.tld]
Date:    17 March 2016 at 12:54
Subject:    PDFPart2.pdf

Sent from my Samsung Galaxy Note 4 - powered by Three

Sent from my Samsung Galaxy Note 4 - powered by Three
All the attachments that I saw were corrupt, but it appears to be trying to download a script that installs Locky ransomware, as seen here.