Malicious domains to block 2016-09-16

These domains are part of a cluster, some of with are serving the EITEST RIG exploit kit (similar to that described here). They all share nameservers running on 62.75.167.186 and 62.75.167.187.

kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com
blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
pronetanaliz.info
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net
aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org
outsecurety.pw
kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
bwl2rola3cpm.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com
blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
businessprofessionalzgroup.com
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net
aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org
siteanalytics.pro
pronetanaliz.info

The EK domains are running on a botnet (those are listed in italics). The other domains seem to serve some other sort of nastiness. Those IPs form part of a range rented from Host Europe Group consisting of the following IPs:

62.75.167.186
62.75.167.187
62.75.167.188
62.75.167.189
62.75.167.190

This is roughly analogous to 62.75.167.184/29 which might be worth blocking, but note that won't stop IP traffic to the EK domains which are on different IPs. These IPs are allocated to:

person:         Vasiliy Buyanov
address:        Tereshkovoy 37
address:
address:        664000 Irkutsk
address:        Russia
phone:          +7 901 6508840
e-mail:         admin@realhosters.com
nic-hdl:        VB5472-RIPE
remarks:        5408042
abuse-mailbox:  admin@realhosters.com
mnt-by:         BSB-SERVICE-MNT
created:        2015-10-07T08:35:50Z
last-modified:  2015-10-07T08:35:50Z
source:         RIPE

Malware spam: "Attached is the tax invoice of your company. Please do the payment in an urgent manner." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Tax invoice
From:     Kris Allison (Allison.5326@resorts.com.mx)
Date:     Tuesday, 13 September 2016, 11:22

Dear Client,

Attached is the tax invoice of your company. Please do the payment in an urgent manner.


Best regards,
Kris Allison

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:

adzebur.com/dsd7gk  [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
            [78.212.131.10] (21 Century Telecom Ltd, Russia)
            [31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f   [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
            [23.95.106.223] (New Wave Netconnect, US)
            [23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]

The payload then phones home to:

91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php   [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php   [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php

Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71

UPDATE: further analysis gives these other IPs to block..

78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116

Malware spam: "Budget report" leads to Locky (and also evil network on 23.95.106.128/25)

This fake financial spam leads to Locky ransomware:

From:    Lauri Gibbs
Date:    12 September 2016 at 15:11
Subject:    Budget report

Hi [redacted],

I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.


With many thanks,
Lauri Gibbs

Attached is a randomly-named ZIP file which in sample I saw contained two identical malicious scripts:

921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js

The scripts are highly obfuscated however the Hybrid Analysis and Malwr report show that it downloads a component from:

lookbookinghotels.ws/a9sgrrak
trybttr.ws/h71qizc

These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked.

A DLL is dropped with a detection rate of about 8/57 [3] [4] which appears to phone home to:

51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte.ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy.ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)

Incidentally, the registrant information on the bad domains is also very familiar:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:


Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101

UPDATE - 2016/06/13

A list of the sites currently hosted on 23.95.106.128/25 and their SURBL ratings can be found here.

Malware spam: "Order Confirmation xxxxx" leads to Locky

This fake financial spam leads to malware:

From:    Ignacio le neve
Date:    9 September 2016 at 10:31
Subject:    Order Confirmation 355050211

--
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.

The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip.

Contained within the ZIP file is a malicious .HTA script with a random name (example). This simply appears to be an encapsulated Javascript.

Analysis is pending, my trusted source (thank you) says that the various scripts download from one of the following locations:

adasurgical.com/7832ghd
agileprojects.ro/7832ghd
anatoliamaket.com/7832ghd
annurmaheshphotography.in/7832ghd
aycilinsaat.com/7832ghd
biogreentech.in/7832ghd
cardimax.com.ph/7832ghd
citycollection.com.tr/7832ghd
craskart.com/7832ghd
dashingleather.com/7832ghd
doctortools.eu/7832ghd
factumtech.com/7832ghd
flexfitent.com/7832ghd
goldenladywedding.com/7832ghd
iandiinternational.com/7832ghd
jmetalloysllp.com/7832ghd
linosys.info/7832ghd
marathazhunj.com/7832ghd
micaraland.com/7832ghd
moko-2.wptemplate.net/7832ghd
mylespollard.com.au/7832ghd
onlinepurohit.com/7832ghd
perfectfixuae.com/7832ghd
platformarchitects.com.au/7832ghd
rapiderbariyer.com/7832ghd
safiazsports.com/7832ghd
shagunproperty.com/7832ghd
sowhatresearch.com.au/7832ghd
stylecode.co.in/7832ghd
tipsforall.in/7832ghd
tscbearings.in/7832ghd
Ungelie.com/7832ghd
utsavi.net/7832ghd
walkerandhall.co.uk/7832ghd
webdesignselite.com/7832ghd
webnox.in/7832ghd
www.alfajerdecor.com/7832ghd
www.jmetalloysllp.com/7832ghd
www.mehrabtech.ae/7832ghd
www.pstimes.com/7832ghd
www.thegurukulians.com/7832ghd
yesiloglugrup.com/7832ghd

The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload is Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a but I do not have a sample yet.

This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above or monitoring/blocking access attempts with 7832ghd in the string.

UPDATE: The Hybrid Analysis of one of the scripts does not add much except to confirm that this is ransomware.

Malware spam: "[Vigor2820 Series] New voice mail message from xxxxx"

This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.

Subject:     [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
From:     voicemail@victimdomain.tld (voicemail@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Thursday, 8 September 2016, 13:15

Dear webmaster :
    There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
You might want to check it when you get a chance.Thanks!

Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:

158.195.68.10/g76gyui
209.41.183.242/g76gyui
dashman.web.fc2.com/g76gyui
dcqoutlet.es/g76gyui
dpskaunas.puslapiai.lt/g76gyui
fidelitas.heimat.eu/g76gyui
gam-e20.it/g76gyui
ghost-tony.com.es/g76gyui
josemedina.com/g76gyui
kreativmanagement.homepage.t-online.de/g76gyui
olivier.coroenne.perso.sfr.fr/g76gyui
portadeenrolar.ind.br/g76gyui
sitio655.vtrbandaancha.net/g76gyui
sp-moto.ru/g76gyui
srxrun.nobody.jp/g76gyui
thb-berlin.homepage.t-online.de/g76gyui
tst-technik.de/g76gyui
unimet.tmhandel.com/g76gyui
www.agridiving.net/g76gyui
www.alanmorgan.plus.com/g76gyui
www.aldesco.it/g76gyui
www.alpstaxi.co.jp/g76gyui
www.association-julescatoire.fr/g76gyui
www.bytove.jadro.szm.com/g76gyui
www.ccnprodusenaturiste.home.ro/g76gyui
www.gebrvanorsouw.nl/g76gyui
www.gengokk.co.jp/g76gyui
www.hung-guan.com.tw/g76gyui
www.idiomestarradellas.com/g76gyui
www.laribalta.org/g76gyui
www.mikeg7hen.talktalk.net/g76gyui
www.one-clap.jp/g76gyui
www.radicegioielli.com/g76gyui
www.rioual.com/g76gyui
www.spiritueelcentrumaum.net/g76gyui
www.texelvakantiehuisje.nl/g76gyui
www.threshold-online.co.uk/g76gyui
www.whitakerpd.co.uk/g76gyui
www.xolod-teplo.ru/g76gyui

Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu)

Unusually, this version of Locky does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above or you could monitor for the string g76gyui in your logs.

UPDATE: the Hybrid Analysis of the script can be found here.

Malware spam: "Agreement form" leads to Locky

This fake financial spam leads to malware:

Subject:     Agreement form
From:     Marlin Gibson
Date:     Wednesday, 7 September 2016, 9:35

Hi there,

Roberta assigned you to make the payment agreement for the new coming employees.

Here is the agreement form. Please finish it urgently.

Best Regards,
Marlin Gibson
Support Manager

The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..

308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js

Automated analysis [1] [2] shows that the scripts [partly deobfuscated example] attempt to download a binary from one of the following locations:

donttouchmybaseline.ws/ecf2k1o
canonsupervideo4k.ws/afeb6
malwinstall.wang/fsdglygf
listofbuyersus.co.in/epzugs

Of those locations, only the first three resolve, as follows:

donttouchmybaseline.ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k.ws   51.255.227.230 (OVH, France / Kitdos)
malwinstall.wang       51.255.227.230 (OVH, France / Kitdos)

The registration details for all those domains are the same:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:

These are the same details as found here. We know from that incident that the download locations are actually spread around a bit:

23.95.106.206 (New Wave NetConnect, US)
51.255.227.230 (OVH, France / Kitdos)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
216.244.68.195 (Wowrack, US)
217.13.103.48 (1B Holding ZRT, Hungary)

The following also presumably evil sites are also hosted on those IPs:

bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name

Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:

51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name

UPDATE

My trusted source (thank you) says that it phones home to the following IPs and URLs:

91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota.org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg.work/data/info.php
balichpjuamrd.work/data/info.php
mvvdhnix.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti.work/data/info.php
iruglwxkasnrcq.pl/data/info.php
xketxpqxj.work/data/info.php
qkmecehteogblx.su/data/info.php
bbskrcwndcyow.su/data/info.php
nqjacfrdpkiyuen.ru/data/info.php
ucjpevjjl.work/data/info.php
nyxgjdcm.info/data/info.php

In addition to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.


Sincerely yours,
Tamika Good
Account manager

The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:

canonsupervideo4k.ws/1bcpr7xx

This appears to be multihomed on the following IP addresses:

23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)

Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru

Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57.  These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:

91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55

Malware spam: "old office facilities" leads to Locky

This spam has a malicious attachment:

Subject:     old office facilities
From:     Kimberly Snow (Snow.741@niqueladosbestreu.com)
Date:     Friday, 2 September 2016, 8:55

Hi Corina,

Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.


Best wishes,
Kimberly Snow

The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number.

Analysis is pending, but this Malwr report indicates attempted communications to:

malwinstall.wang
sopranolady7.wang

..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.

UPDATE 1

According to this Malwr report it drops a DLL with a detection rate of 10/58. Also those mysterious .wang domains appear to be multihomed on the following IPs:

23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)

Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28

Malware spam: "Scanned image from MX2310U@victimdomain.tld" leads to Locky

This fake document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.

Subject:     Scanned image from MX2310U@victimdomain.tld
From:     office@victimdomain.tld (office@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 2 September 2016, 2:29

Reply to: office@victimdomain.tld [office@victimdomain.tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception

File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
Adobe(R)Reader(R) can be downloaded from the following URL:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.

    http://www.adobe.com/

Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component from on of the following locations:

body-fitness.net/lagmslh
bushman-rest.com/aoeueyk
capannoneinliguria.com/lijrnub
foerschl.gmxhome.de/emyomqa
imakarademo.web.fc2.com/akwhorc
inge28.mytactis.com/cqmoxef
pennylanecupcakes.com.au/mhkqxia
rabbitfood.web.fc2.com/ixvnfyj
sakon118.web.fc2.com/srmrsgf
sebangou8.xxxxxxxx.jp/kfkdpvl
sojasaude.com.br/ahtoijg
sp-moto.ru/vodusim
t-schoener.de/mdexigc
www.bytove.jadro.szm.com/dgsqens
www.callisto.cba.pl/oqmfnar
www.ccnprodusenaturiste.home.ro/hiogthu
www.coropeppinumereu.it/xyhhytf
www.one-clap.jp/pourpjr
www.parrucchieriagiacomo.com/dekjxus
www.radicegioielli.com/aayfixd
www.sieas.com/mkndcbn
www.spiritueelcentrumaum.net/ksqoyps
www.vanetti.it/inywdjo
www.whitakerpd.co.uk/ymmcguk
www.xolod-teplo.ru/ygpwfty
yggithuq.utawebhost.at/getatoj

The payload is Locky ransomware, phoning home to:

212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers.xyz] (EDIS, Austria)

Recommended blocklist:
212.109.192.235
149.154.152.108

Malware spam: "Please find attached invoice no" leads to Locky

This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.

Subject:     Please find attached invoice no: 329218
From:     victim@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Thursday, 1 September 2016, 12:42

Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.

Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download from one of the following locations:

158.195.68.10/87hcrn33g
branchjp.web.fc2.com/87hcrn33g
chal4.co.uk/87hcrn33g
dashman.web.fc2.com/87hcrn33g
dcqoutlet.es/87hcrn33g
forum.sandalcraft.cba.pl/87hcrn33g
hotcarshhhs6632.com/js/87hcrn33g
hotelimperium.go.ro/87hcrn33g
imperium.nazory.cz/87hcrn33g
kawasima0506.web.fc2.com/87hcrn33g
kissfm.rdsor.ro/87hcrn33g
ksiega.solidworks.cba.pl/87hcrn33g
nevrincea.50webs.com/87hcrn33g
olivier.coroenne.perso.sfr.fr/87hcrn33g
postaldigitalrs.com.br/87hcrn33g
pp4_09_10_2s.republika.pl/87hcrn33g
reklamnibannery.wz.cz/87hcrn33g
rhanwid.com/87hcrn33g
sac360.web.fc2.com/87hcrn33g
school3.50webs.com/87hcrn33g
srxrun.nobody.jp/87hcrn33g
szkolagrojec.republika.pl/87hcrn33g
wccf.huuryuu.com/87hcrn33g
www.agridiving.net/87hcrn33g
www.archiviestoria.it/87hcrn33g
www.cmg-ingegneria.it/87hcrn33g
www.coseincredibili.it/87hcrn33g
www.courtesyweb.it/87hcrn33g
www.dallaglio-nordin.com/87hcrn33g
www.galaturs.com.ua/87hcrn33g
www.gebrvanorsouw.nl/87hcrn33g
www.gunaldy.com/87hcrn33g
www.idiomestarradellas.com/87hcrn33g
www.infoteria.cba.pl/87hcrn33g
www.termoalbiate.com/87hcrn33g
zui9reica.web.fc2.com/87hcrn33g

The payload appears to be Locky ransomware. It phones home to:

188.127.249.32/data/info.php
95.85.19.195/data/info.php
212.109.192.235/data/info.php
jljiqkwchebdtng.click/data/info.php
xattllfuayehhmpnx.pw/data/info.php
gxytcem.info/data/info.php
cmodkwsxu.biz/data/info.php
cucifux.pw/data/info.php
yectcnixjvowtac.pw/data/info.php
wkufbyd.ru/data/info.php
cjtysjouoheneprhu.ru/data/info.php
ipbjheegfnwrhh.pl/data/info.php
xmujkqloyo.info/data/info.php
hyopihvoqidlgckyu.biz/data/info.php
bhooxdm.work/data/info.php

This is similar to the list here.

Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24

Malware spam: "Our shipping service is sending the order form due to the request from your company."

This fake shipping email comes with a malicious attachment:

Subject:     Shipping information
From:     Charles Burgess
Date:     Thursday, 1 September 2016, 9:30

Dear customer,

Our shipping service is sending the order form due to the request from your company.

Please fill the attached form with precise information.

Very truly yours,
Charles Burgess

The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and endng with _shipping_service.js.

Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):


joeybecker.gmxhome.de/430j1t
ngenge.web.fc2.com/vs1qc0
mambarambaro.ws/1zvqoqf
timetobuymlw.in/2dlqalg0
peetersrobin.atspace.com/t2heyor1
www.bioinfotst.cba.pl/u89o4

Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis shows the malware phoning home to:

5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably Locky ransomware.

Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24

Malware spam: "bank transactions"

This fake financial spam comes with a malicious attachment:

From:    Rueben Vazquez
Date:    31 August 2016 at 10:06
Subject:    bank transactions


Good morning petrol.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.


Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.

According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):

www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis

Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:

95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably the Locky ransomware.

Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24

Malware spam: "The office printer is having problems so I've had to email the UPS label"

This fake UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.

From     "Laurence lumb" [Laurence.lumb25@ups.de]
Date     Thu, 18 Aug 2016 17:35:21 +0530
Subject     Emailing: Label

Good afternoon

The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.

Cheers

Laurence lumb

Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):

a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7

This dropped binary has a detection rate of 6/54. It phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)

Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183

Malware spam: "Jen [Jen@purple-office.com]" / "Documents from Purple Office - IN00003993"

These fake financial documents have a malicious attachment:

From:    Jen [Jen@purple-office.com]
Date:    15 August 2016 at 14:10
Subject:    Documents from Purple Office - IN00003993

Please find attached invoice/credit from Purple Office.

Best regards,

Purple Office 

Attached is a randomly-named DOCM file which is almost definitely a variant of Locky ransomware as seen here and here.

Malware spam: "Emma Critchley (emmacritchley@advantage-finance.co.uk)" / "Emailing - 9104896607509"

This fake financial spam has a malicious attachment. It does not come from Advantage Finance but is instead a simple forgery.

Subject:     Emailing - 9104896607509
From:     Emma Critchley (emmacritchley@advantage-finance.co.uk)
Date:     Monday, 15 August 2016, 13:28

Hi

Vicky has asked me to forward you the finance documents (Please see attached)


Many Thanks 

Attached is a DOCM file with a name that matches the subject. There are various versions, all of which download Locky ransomware from one of the following locations (thank you to my source):

devierdemuur.50webs.com/HJ6bhGHV
kittoyakudatu.web.fc2.com/HJ6bhGHV
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
rondoncompany.bake-neko.net/HJ6bhGHV
topfireart.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.bozenan.swk.vectranet.pl/HJ6bhGHV
www.carrosserie-promocar.net/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.scoutvda.it/HJ6bhGHV
www.tecnohellas.gr/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV

This phones home to the same servers as mentioned in this post.

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 

Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV

The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld

The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs

The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6

The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Malware spam: "Please sign the receipt attached for the arrival of new office facilities." leads to Locky

Yet another Locky campaign today..

From:    Erica Hutchinson
Date:    4 August 2016 at 12:34
Subject:    please sign

Dear [redacted]

Please sign the receipt attached for the arrival of new office facilities.


Best regards,
Erica Hutchinson

This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run.

Malware spam: "Emailing: Sheet / Document / Invoice" with a .docm leads to Locky

This malware-laden spam comes with a variety of subjects, for example:

Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf

There is no body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component from one of the following locations:

abi64.com/h78r3gfe
bikepaintpureworks.web.fc2.com/h78r3gfe
brupuoli.tempsite.ws/h78r3gfe
composit.vtrbandaancha.net/h78r3gfe
film-online.bejbiblues.cba.pl/h78r3gfe
ftp.bergamo.chiesacattolica.it/h78r3gfe
innal.com.mx/h78r3gfe
karnat.cba.pl/h78r3gfe
mbc.nekonikoban.org/h78r3gfe
potato.chottu.net/h78r3gfe
schello4u.de/h78r3gfe
tyouseikan.web.fc2.com/h78r3gfe
www.agriturismolapiana.net/h78r3gfe
www.artistsagainstwar.it/h78r3gfe
www.bwmodels.com/h78r3gfe
www.comunedicanischio.it/h78r3gfe
www.ekstraciuchy.pl/h78r3gfe
www.kishazy.hu/h78r3gfe

(Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here.