Sponsored by..

Thursday, 8 September 2016

Malware spam: "[Vigor2820 Series] New voice mail message from xxxxx"

This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.

Subject:     [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
From:     voicemail@victimdomain.tld (voicemail@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Thursday, 8 September 2016, 13:15

Dear webmaster :
    There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
You might want to check it when you get a chance.Thanks!
Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:

158.195.68.10/g76gyui
209.41.183.242/g76gyui
dashman.web.fc2.com/g76gyui
dcqoutlet.es/g76gyui
dpskaunas.puslapiai.lt/g76gyui
fidelitas.heimat.eu/g76gyui
gam-e20.it/g76gyui
ghost-tony.com.es/g76gyui
josemedina.com/g76gyui
kreativmanagement.homepage.t-online.de/g76gyui
olivier.coroenne.perso.sfr.fr/g76gyui
portadeenrolar.ind.br/g76gyui
sitio655.vtrbandaancha.net/g76gyui
sp-moto.ru/g76gyui
srxrun.nobody.jp/g76gyui
thb-berlin.homepage.t-online.de/g76gyui
tst-technik.de/g76gyui
unimet.tmhandel.com/g76gyui
www.agridiving.net/g76gyui
www.alanmorgan.plus.com/g76gyui
www.aldesco.it/g76gyui
www.alpstaxi.co.jp/g76gyui
www.association-julescatoire.fr/g76gyui
www.bytove.jadro.szm.com/g76gyui
www.ccnprodusenaturiste.home.ro/g76gyui
www.gebrvanorsouw.nl/g76gyui
www.gengokk.co.jp/g76gyui
www.hung-guan.com.tw/g76gyui
www.idiomestarradellas.com/g76gyui
www.laribalta.org/g76gyui
www.mikeg7hen.talktalk.net/g76gyui
www.one-clap.jp/g76gyui
www.radicegioielli.com/g76gyui
www.rioual.com/g76gyui
www.spiritueelcentrumaum.net/g76gyui
www.texelvakantiehuisje.nl/g76gyui
www.threshold-online.co.uk/g76gyui
www.whitakerpd.co.uk/g76gyui
www.xolod-teplo.ru/g76gyui


Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu)

Unusually, this version of Locky does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above or you could monitor for the string g76gyui in your logs.

UPDATE: the Hybrid Analysis of the script can be found here.

Wednesday, 7 September 2016

Malware spam: "Agreement form" leads to Locky

This fake financial spam leads to malware:

Subject:     Agreement form
From:     Marlin Gibson
Date:     Wednesday, 7 September 2016, 9:35

Hi there,

Roberta assigned you to make the payment agreement for the new coming employees.

Here is the agreement form. Please finish it urgently.

Best Regards,
Marlin Gibson
Support Manager
The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..

308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js


Automated analysis [1] [2] shows that the scripts [partly deobfuscated example] attempt to download a binary from one of the following locations:

donttouchmybaseline.ws/ecf2k1o
canonsupervideo4k.ws/afeb6
malwinstall.wang/fsdglygf
listofbuyersus.co.in/epzugs


Of those locations, only the first three resolve, as follows:

donttouchmybaseline.ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k.ws   51.255.227.230 (OVH, France / Kitdos)
malwinstall.wang       51.255.227.230 (OVH, France / Kitdos)


The registration details for all those domains are the same:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:

These are the same details as found here. We know from that incident that the download locations are actually spread around a bit:

23.95.106.206 (New Wave NetConnect, US)
51.255.227.230 (OVH, France / Kitdos)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
216.244.68.195 (Wowrack, US)
217.13.103.48 (1B Holding ZRT, Hungary)


The following also presumably evil sites are also hosted on those IPs:

bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name


Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:

51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48

bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name


UPDATE

My trusted source (thank you) says that it phones home to the following IPs and URLs:

91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota.org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg.work/data/info.php
balichpjuamrd.work/data/info.php
mvvdhnix.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti.work/data/info.php
iruglwxkasnrcq.pl/data/info.php
xketxpqxj.work/data/info.php
qkmecehteogblx.su/data/info.php
bbskrcwndcyow.su/data/info.php
nqjacfrdpkiyuen.ru/data/info.php
ucjpevjjl.work/data/info.php
nyxgjdcm.info/data/info.php


In addition to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55



Monday, 5 September 2016

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.


Sincerely yours,
Tamika Good
Account manager
The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:

canonsupervideo4k.ws/1bcpr7xx

This appears to be multihomed on the following IP addresses:

23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)


Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru


Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57.  These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:

91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48

91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55


Friday, 2 September 2016

Malware spam: "old office facilities" leads to Locky

This spam has a malicious attachment:

Subject:     old office facilities
From:     Kimberly Snow (Snow.741@niqueladosbestreu.com)
Date:     Friday, 2 September 2016, 8:55

Hi Corina,

Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.


Best wishes,
Kimberly Snow
The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number.

Analysis is pending, but this Malwr report indicates attempted communications to:

malwinstall.wang
sopranolady7.wang

..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.

UPDATE 1

According to this Malwr report it drops a DLL with a detection rate of 10/58. Also those mysterious .wang domains appear to be multihomed on the following IPs:

23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)


Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28


Malware spam: "Scanned image from MX2310U@victimdomain.tld" leads to Locky

This fake document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.

Subject:     Scanned image from MX2310U@victimdomain.tld
From:     office@victimdomain.tld (office@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 2 September 2016, 2:29

Reply to: office@victimdomain.tld [office@victimdomain.tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception

File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
Adobe(R)Reader(R) can be downloaded from the following URL:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.

    http://www.adobe.com/

Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component from on of the following locations:

body-fitness.net/lagmslh
bushman-rest.com/aoeueyk
capannoneinliguria.com/lijrnub
foerschl.gmxhome.de/emyomqa
imakarademo.web.fc2.com/akwhorc
inge28.mytactis.com/cqmoxef
pennylanecupcakes.com.au/mhkqxia
rabbitfood.web.fc2.com/ixvnfyj
sakon118.web.fc2.com/srmrsgf
sebangou8.xxxxxxxx.jp/kfkdpvl
sojasaude.com.br/ahtoijg
sp-moto.ru/vodusim
t-schoener.de/mdexigc
www.bytove.jadro.szm.com/dgsqens
www.callisto.cba.pl/oqmfnar
www.ccnprodusenaturiste.home.ro/hiogthu
www.coropeppinumereu.it/xyhhytf
www.one-clap.jp/pourpjr
www.parrucchieriagiacomo.com/dekjxus
www.radicegioielli.com/aayfixd
www.sieas.com/mkndcbn
www.spiritueelcentrumaum.net/ksqoyps
www.vanetti.it/inywdjo
www.whitakerpd.co.uk/ymmcguk
www.xolod-teplo.ru/ygpwfty
yggithuq.utawebhost.at/getatoj

The payload is Locky ransomware, phoning home to:

212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers.xyz] (EDIS, Austria)

Recommended blocklist:
212.109.192.235
149.154.152.108

Thursday, 1 September 2016

Malware spam: "Please find attached invoice no" leads to Locky

This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.

Subject:     Please find attached invoice no: 329218
From:     victim@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Thursday, 1 September 2016, 12:42

Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download from one of the following locations:

158.195.68.10/87hcrn33g
branchjp.web.fc2.com/87hcrn33g
chal4.co.uk/87hcrn33g
dashman.web.fc2.com/87hcrn33g
dcqoutlet.es/87hcrn33g
forum.sandalcraft.cba.pl/87hcrn33g
hotcarshhhs6632.com/js/87hcrn33g
hotelimperium.go.ro/87hcrn33g
imperium.nazory.cz/87hcrn33g
kawasima0506.web.fc2.com/87hcrn33g
kissfm.rdsor.ro/87hcrn33g
ksiega.solidworks.cba.pl/87hcrn33g
nevrincea.50webs.com/87hcrn33g
olivier.coroenne.perso.sfr.fr/87hcrn33g
postaldigitalrs.com.br/87hcrn33g
pp4_09_10_2s.republika.pl/87hcrn33g
reklamnibannery.wz.cz/87hcrn33g
rhanwid.com/87hcrn33g
sac360.web.fc2.com/87hcrn33g
school3.50webs.com/87hcrn33g
srxrun.nobody.jp/87hcrn33g
szkolagrojec.republika.pl/87hcrn33g
wccf.huuryuu.com/87hcrn33g
www.agridiving.net/87hcrn33g
www.archiviestoria.it/87hcrn33g
www.cmg-ingegneria.it/87hcrn33g
www.coseincredibili.it/87hcrn33g
www.courtesyweb.it/87hcrn33g
www.dallaglio-nordin.com/87hcrn33g
www.galaturs.com.ua/87hcrn33g
www.gebrvanorsouw.nl/87hcrn33g
www.gunaldy.com/87hcrn33g
www.idiomestarradellas.com/87hcrn33g
www.infoteria.cba.pl/87hcrn33g
www.termoalbiate.com/87hcrn33g
zui9reica.web.fc2.com/87hcrn33g

The payload appears to be Locky ransomware. It phones home to:

188.127.249.32/data/info.php
95.85.19.195/data/info.php
212.109.192.235/data/info.php
jljiqkwchebdtng.click/data/info.php
xattllfuayehhmpnx.pw/data/info.php
gxytcem.info/data/info.php
cmodkwsxu.biz/data/info.php
cucifux.pw/data/info.php
yectcnixjvowtac.pw/data/info.php
wkufbyd.ru/data/info.php
cjtysjouoheneprhu.ru/data/info.php
ipbjheegfnwrhh.pl/data/info.php
xmujkqloyo.info/data/info.php
hyopihvoqidlgckyu.biz/data/info.php
bhooxdm.work/data/info.php

This is similar to the list here.

Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24


Malware spam: "Our shipping service is sending the order form due to the request from your company."

This fake shipping email comes with a malicious attachment:

Subject:     Shipping information
From:     Charles Burgess
Date:     Thursday, 1 September 2016, 9:30

Dear customer,

Our shipping service is sending the order form due to the request from your company.

Please fill the attached form with precise information.

Very truly yours,
Charles Burgess
The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and endng with _shipping_service.js.

Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):


joeybecker.gmxhome.de/430j1t
ngenge.web.fc2.com/vs1qc0
mambarambaro.ws/1zvqoqf
timetobuymlw.in/2dlqalg0
peetersrobin.atspace.com/t2heyor1
www.bioinfotst.cba.pl/u89o4

Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis shows the malware phoning home to:

5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably Locky ransomware.

Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24

Wednesday, 31 August 2016

Malware spam: "bank transactions"

This fake financial spam comes with a malicious attachment:

From:    Rueben Vazquez
Date:    31 August 2016 at 10:06
Subject:    bank transactions


Good morning petrol.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.


Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.

According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):

www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis

Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:

95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably the Locky ransomware.

Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24


Thursday, 18 August 2016

Malware spam: "The office printer is having problems so I've had to email the UPS label"

This fake UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.

From     "Laurence lumb" [Laurence.lumb25@ups.de]
Date     Thu, 18 Aug 2016 17:35:21 +0530
Subject     Emailing: Label

Good afternoon

The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.

Cheers

Laurence lumb
Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):

a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7


This dropped binary has a detection rate of 6/54. It phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)

Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183






Monday, 15 August 2016

Malware spam: "Jen [Jen@purple-office.com]" / "Documents from Purple Office - IN00003993"

These fake financial documents have a malicious attachment:

From:    Jen [Jen@purple-office.com]
Date:    15 August 2016 at 14:10
Subject:    Documents from Purple Office - IN00003993

Please find attached invoice/credit from Purple Office.

Best regards,

Purple Office 
Attached is a randomly-named DOCM file which is almost definitely a variant of Locky ransomware as seen here and here.

Malware spam: "Emma Critchley (emmacritchley@advantage-finance.co.uk)" / "Emailing - 9104896607509"

This fake financial spam has a malicious attachment. It does not come from Advantage Finance but is instead a simple forgery.

Subject:     Emailing - 9104896607509
From:     Emma Critchley (emmacritchley@advantage-finance.co.uk)
Date:     Monday, 15 August 2016, 13:28

Hi

Vicky has asked me to forward you the finance documents (Please see attached)


Many Thanks 
Attached is a DOCM file with a name that matches the subject. There are various versions, all of which download Locky ransomware from one of the following locations (thank you to my source):

devierdemuur.50webs.com/HJ6bhGHV
kittoyakudatu.web.fc2.com/HJ6bhGHV
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
rondoncompany.bake-neko.net/HJ6bhGHV
topfireart.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.bozenan.swk.vectranet.pl/HJ6bhGHV
www.carrosserie-promocar.net/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.scoutvda.it/HJ6bhGHV
www.tecnohellas.gr/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


This phones home to the same servers as mentioned in this post.


Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Friday, 12 August 2016

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld
The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs


The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190


Thursday, 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Thursday, 4 August 2016

Malware spam: "Please sign the receipt attached for the arrival of new office facilities." leads to Locky

Yet another Locky campaign today..

From:    Erica Hutchinson
Date:    4 August 2016 at 12:34
Subject:    please sign

Dear [redacted]

Please sign the receipt attached for the arrival of new office facilities.


Best regards,
Erica Hutchinson

This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run.

Malware spam: "Emailing: Sheet / Document / Invoice" with a .docm leads to Locky

This malware-laden spam comes with a variety of subjects, for example:

Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf


There is no body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component from one of the following locations:

abi64.com/h78r3gfe
bikepaintpureworks.web.fc2.com/h78r3gfe
brupuoli.tempsite.ws/h78r3gfe
composit.vtrbandaancha.net/h78r3gfe
film-online.bejbiblues.cba.pl/h78r3gfe
ftp.bergamo.chiesacattolica.it/h78r3gfe
innal.com.mx/h78r3gfe
karnat.cba.pl/h78r3gfe
mbc.nekonikoban.org/h78r3gfe
potato.chottu.net/h78r3gfe
schello4u.de/h78r3gfe
tyouseikan.web.fc2.com/h78r3gfe
www.agriturismolapiana.net/h78r3gfe
www.artistsagainstwar.it/h78r3gfe
www.bwmodels.com/h78r3gfe
www.comunedicanischio.it/h78r3gfe
www.ekstraciuchy.pl/h78r3gfe
www.kishazy.hu/h78r3gfe

(Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here.

Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change


King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
Sender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:

escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7


This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]

All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.

Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22






Wednesday, 3 August 2016

Malware spam: "Confirmation letter" leads to Locky

Another spam run leading to Locky ransomware..
From:    Mavis Howe [Howe.4267@croestate.com]
Date:    3 August 2016 at 13:32
Subject:    Confirmation letter

Hi [redacted],

I attached the employment confirmation letter I prepared.
Please check it before you send it out.

Best regards

Mavis Howe
The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here.

Malware spam: "As you directed, I send the attachment containing the data about the new invoices"

Another day, another Locky ransomware run:

From:    Marian Mcgowan
Date:    3 August 2016 at 11:15
Subject:    Fw: New invoices

As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script  which according to this Malwr analysis downloads a binary from..

blog-aida.cba.pl/2zensi7t

..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:

93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]

Both those IPs are in known bad blocks.

Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24



Tuesday, 2 August 2016

Malware spam: "Unable to deliver your item, #000179376" / "FedEx International Ground" leads to ransomware

This fake FedEx email has a malicious attachment.

From:    FedEx International Ground [terry.mcnamara@luxmap.com]
Date:    2 August 2016 at 18:53
Subject:    [REDACTED], Unable to deliver your item, #000179376

Dear [Redacted],

This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.

Thanks and best regards,
Terry Mcnamara,
Support Manager.
Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis on the sample shows that the script downloads ransomware from opros.mskobr.ru but a quick examination of the code reveals several download locations:

opros.mskobr.ru
alacahukuk.com
www.ortoservis.ru
aksoypansiyon.com
samurkasgrup.com


Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:

195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)


A couple of binaries are dropped onto the system, a.exe (detection rate 2/53) [may not be malicious] and a2.exe (detection rate 7/53).

The payload seems to be Nemucod / Crypted or some related ransomware.

Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32