
Monday, 5 December 2016

Malware spam: "Shipping status changed for your parcel # 1996466" / ups@ups-service.com

This fake UPS spam has a malicious attachment:

From:    UPS Quantum View [ups@ups-service.com]
Date:    5 December 2016 at 17:38
Subject:    Shipping status changed for your parcel # 1996466

Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.

There must be someone present at the destination address, on the delivery day, to receive the parcel.

Shipping type: UPS 3 Day Select
Box size: UPS EXPRESS BOX
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.

The delivery invoice  can be downloaded from our website :
https://wwwapps.ups.com/WebTracking/view_invoice?id=1996466&delivery_date=1204&account=[redacted]

 
Thank you for shipping with UPS

Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.
The link in the email actually goes to a URL of the form vantaiduonganh.vn/api/get.php?id= followed by a Base64-encoded value (e.g. aGVscGRlc2tAZmJpLmdvdg==), and it downloads a Word document with the recipient's email address embedded in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage of the infection chain.

This DOC file contains a malicious macro, the Malwr report indicates that it downloads components from:

parkovka-rostov.ru/inst.exe
stela-krasnodar.ru/wp-content/uploads/pm22.dll

Those two locations are legitimate hacked sites. The EXE has a detection rate of 7/56, and the DLL has a detection rate of 37/56. The malware appears to be Hancitor / Pony / Vawtrak, phoning home to:

cothenperci.ru/borjomi/gate.php
madingtoftling.com/ls5/forum.php


Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia). The following malicious domains are also hosted on the same IP:



Recommended blocklist:
185.31.160.11
parkovka-rostov.ru
stela-krasnodar.ru


Malware spam: "Please Consider This" leads to Locky

This fake financial spam leads to malware:

From:    Aimee Guy
Date:    5 December 2016 at 13:32
Subject:    Please Consider This

Dear [redacted],

Our accountants have noticed a mistake in the payment bill #DEC-5956047.
The full information regarding the mistake, and further recommendations are in the attached document.

Please confirm the amount and let us know if you have any questions.

Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date.

The scripts download another component from one of the following locations, according to my usual reliable source:


It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54. The malware then phones home to the following locations:

91.142.90.61/information.cgi [hostname: smtp-server1.ru] (Miran, Russia)
195.19.192.99/information.cgi (EkaComp, Russia)


These IPs were also used in this earlier attack.

Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99


Malware spam: "Emailing: _9376_924272" / "No subject" leads to ".osiris" Locky.

This spam comes in a few different variants, and it leads to Locky ransomware that encrypts files with the extension ".osiris".

The wordier version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attached to that is an XLS file of the same name, and the email includes this body text:

Your message is ready to be sent with the following file or link
attachments:

  _9376_924272


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
The second version has no body text and the subject "No subject" or "(No subject)". The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xls

The macro in the malicious Excel file downloads a component from one of the following locations (according to my usual reliable source):


You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:

185.82.217.28/checkupdate [hostname: olezhkakovtony11.example.com] (ITL, Bulgaria)
91.142.90.61/checkupdate (Miran, Russia)
195.19.192.99/checkupdate (OOO EkaComp, Russia)


Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99
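The Locky posts above all end the same way: a handful of "IP/path [hostname: x] (provider, country)" C2 lines and a recommended blocklist. As an added example (not code from the blog), this Python helper parses C2 lines written in that exact shape, builds the blocklist (optionally widening named providers to a /24, as the "Invoice 5639438" post does for Agava), and runs it over a few constructed proxy log lines. It also flags requests for the callback paths seen here (/information.cgi, /checkupdate) to IPs not yet on the list, since these posts show the IPs rotating while the path stays the same. The log layout and the sample lines are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Matches C2 lines as written in these posts, for example:
#   185.82.217.28/checkupdate [hostname: olezhkakovtony11.example.com] (ITL, Bulgaria)
#   91.142.90.61/information.cgi (Miran, Russia)
C2_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<path>\S+)"
    r"(?:\s+\[hostname:\s*(?P<host>[^\]]+)\])?"
    r"(?:\s+\((?P<provider>[^)]+)\))?\s*$"
)

# C2 lines copied from the posts above (two campaigns, two callback paths).
C2_SAMPLE = """\
185.82.217.28/checkupdate [hostname: olezhkakovtony11.example.com] (ITL, Bulgaria)
91.142.90.61/information.cgi [hostname: smtp-server1.ru] (Miran, Russia)
195.19.192.99/information.cgi (EkaComp, Russia)
"""

# Constructed proxy log lines (assumed "timestamp client method url status" layout).
SAMPLE_LOG = """\
1480953600.101 10.0.0.12 POST http://185.82.217.28/checkupdate 200
1480953601.220 10.0.0.12 GET http://www.example.com/index.html 200
1480953602.333 10.0.0.31 POST http://91.142.90.61/information.cgi 200
1480953603.444 10.0.0.31 POST http://91.142.90.200/information.cgi 404
"""
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def parse_c2_lines(text: str) -> list:
    """Turn the C2 lines of a post into dicts with ip, path, hostname, provider."""
    entries = []
    for line in text.splitlines():
        m = C2_LINE.match(line.strip())
        if m:
            entries.append({"ip": m["ip"], "path": "/" + m["path"],
                            "hostname": m["host"], "provider": m["provider"]})
    return entries


def blocklist(entries: list, widen_to_24=()) -> list:
    """One /32 per C2 IP, or the whole /24 for providers named in widen_to_24."""
    out = []
    for e in entries:
        prefix = "/24" if e["provider"] in widen_to_24 else "/32"
        net = str(ip_network(e["ip"] + prefix, strict=False))
        if net not in out:
            out.append(net)
    return out


def find_callbacks(log_text: str, entries: list) -> list:
    """Return one dict per suspicious request. 'known_c2' means the destination
    IP is on the blocklist; 'c2_path' means an unlisted IP was asked for one of
    the callback paths taken from the C2 lines."""
    nets = [ip_network(n) for n in blocklist(entries)]
    paths = {e["path"] for e in entries}
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        try:
            dest = ip_address(url.hostname)  # requests to hostnames are skipped
        except ValueError:
            continue
        if any(dest in n for n in nets):
            reason = "known_c2"
        elif url.path in paths:
            reason = "c2_path"
        else:
            continue
        hits.append({"client": m["client"], "dest": str(dest),
                     "path": url.path, "reason": reason})
    return hits


if __name__ == "__main__":
    c2 = parse_c2_lines(C2_SAMPLE)
    print("blocklist:", blocklist(c2))
    for hit in find_callbacks(SAMPLE_LOG, c2):
        print(hit)
```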




Tuesday, 29 November 2016

Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from "61 2 97855412" - 2 page(s)


Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.


The link in the email goes to a hacked SharePoint account, in this case:

https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1

It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named

Fax_11292016_page1.js
Fax_11292016_page2.js

that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:

siliguribarassociation.org/images/staffs/documetns.png

A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:

stengeling.com/20aml/index.php

The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:


Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:

butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com


Malware spam: "Please find attached a XLS Invoice 378296" / creditcontrol@somecompany.com / Ansell Lighting

This fake financial spam comes with a malicious attachment, purporting to come from Ansell Lighting:

Subject:     Please find attached a XLS Invoice 378296
From:     creditcontrol@potomachealthcare.com (creditcontrol@potomachealthcare.com)
Date:     Tuesday, 29 November 2016, 10:32

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then please do not hesitate in contacting us. Karen Lightfoot - Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830

The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as INVOICE.TAM_378296_20161129_886C9EAB6.xls.

My usual reliable source says that the various versions of the Excel spreadsheet download a component from one of the following locations:


The Hybrid Analysis shows that this is Locky ransomware, phoning home to:

185.115.140.210/information.cgi [hostname: nikita.grachev.81.example.com] (Megaserver LLC, Russia)
213.32.90.193/information.cgi [hostname:  sbg.13.vds.abcvg.ovh] (OVH, France)
95.213.195.123/information.cgi (Selectel SPb, Russia)


A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of 11/57.

Recommended blocklist:
185.115.140.210
213.32.90.193
95.213.195.123

Friday, 25 November 2016

Malware spam: [Vigor2820 Series] New voice mail message from 014xxxxxxxx on %date%

This fake voicemail spam leads to Locky ransomware and appears to come from within the victim's own domain, but this is just a simple forgery.

Subject:     [Vigor2820 Series] New voice mail message from 01435773591 on 2016/11/25 18:29:39
From:     voicemail@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Friday, 25 November 2016, 12:58

Dear webmaster :
    There is a message for you from 01435773591, on 2016/11/25 18:29:39 .
You might want to check it when you get a chance. Thanks!
The number in the message will vary, but is consistent throughout the email. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip, which contains a malicious JavaScript that looks like this.

This Malwr analysis shows behaviour consistent with Locky ransomware. My usual source tells me that all the download locations for this campaign are:


The C2s to block are the same as here, namely:

185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)


Recommended blocklist:
185.118.167.144
91.142.90.55





Malware spam: "Important Information" leads to Locky

This spam leads to Locky ransomware:

Subject:     Important Information
From:     Etta Figueroa
Date:     Friday, 25 November 2016, 10:28

Dear [redacted], your payment was not processed due to the problem with credentials.
Payment details are in the attached document.

Please check it out as soon as possible.
The name of the sender varies. Attached is a ZIP file beginning with payment_ and then the first part of the victim's email address.

This analysis comes from my trusted usual source (thank you!). The ZIP contains a randomly-named malicious JavaScript that downloads a component from one of the following locations:


The malware then phones home to:

213.32.66.16/information.cgi (OVH, France)
89.108.118.180/information.cgi (Datalogika / Agava, Russia)
91.201.42.83/information.cgi [hostname: aportom.com] (RuWeb, Russia)


Recommended blocklist:
213.32.66.16
89.108.118.180
91.201.42.83



Moar Locky 2016-11-25

This data comes from my trusted usual source, so far I have only seen a single example.

This morning's spam run has a subject with one of the following words:

DOC
DOCUMENT
FAX
IMG
LABEL
ORD
PHOTO
PIC
SCAN
SHEET

..plus a four-digit random number. Attached is a ZIP file with a name matching the subject, containing a randomly-named malicious JavaScript that attempts to download a component from one of the following locations:


The payload is Locky ransomware, phoning home to:

185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)


Recommended blocklist:
185.118.167.144
91.142.90.55


Wednesday, 23 November 2016

Malware spam: "financial records subpoena" / lawfirmofoklahoma.com

This spam purports to come from Michael T Diver, who is a real Oklahoma attorney, but it doesn't really and is just a simple forgery:

From:    MICHAEL T. DIVER [michael -at- lawfirmofoklahoma.com]
Date:    23 November 2016 at 15:24
Subject:    RE:RE: financial records subpoena

See you in court !!!

Subpoena for server

Thank you,

MICHAEL T. DIVER

T (405) 608-4990

F (405) 608-4991
The telephone number and possibly also the email address are genuine, but the emails are certainly not being sent by this law firm.

The link in the email goes to a legitimate but hacked Vietnamese site at techsmart.vn/backup2/get.php?id=[base64-encoded-part] (the last part is a Base64 representation of the victim's email address).

In testing the payload site was down, but previous emails of this type have led to the Vawtrak banking trojan.

Moar Locky: "Bill-12345" from victim's own domain

This spam has no body text and appears to come from within the sender's own domain. It leads to Locky ransomware. For example:

From:    julia newenham [julia.newenham@victimdomain.tld]
Date:    23 November 2016 at 10:44
Subject:    Bill-76137
There is a randomly-named ZIP (e.g. 589af1aa1aaf4cb9ce571fced687b8ac.zip) containing a randomly-named malicious JavaScript. My usual reliable source (thank you) identifies the following download locations for these scripts:


A malicious DLL is dropped with an MD5 of 4e207b30c5eae01fa136f3d89d59bbbe and a detection rate of 9/56. The malware then communicates with:

80.87.202.49/information.cgi (JSC Server, Russia)
94.242.55.81/information.cgi (RNet, Russia)
95.46.114.205/information.cgi (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)


Recommended blocklist:
80.87.202.49
94.242.55.81
95.46.114.205


Malware spam "Please Pay Attention" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Please Pay Attention
From:     Bill Rivera
Date:     Wednesday, 23 November 2016, 9:45

Dear [redacted], we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment - please check it out.
The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning lastpayment_ followed by the first part of the recipient's email address. This archive contains a randomly-named malicious .JS script that looks like this.

This particular script (and there will be others) downloads a malicious component from one of the following locations:

nielsredeker.nl/gmcoirnrm
gurlfanam.net/krwjx
vedicmotet.com/61y7mljr4
praam.cz/iessl
nightpeople.co.il/xklqq33nr

According to this Malwr report a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56.

The Hybrid Analysis clearly shows the ransomware in action and shows it communicating with the following URLs:

95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
195.123.209.8/information.cgi [hostname: kostya234.itldc-customer.net] (Layer6, Latvia)
213.32.66.16/information.cgi (OVH, France)


Recommended blocklist:
95.213.186.93
195.123.209.8
213.32.66.16

Tuesday, 22 November 2016

Malware spam: "Invoice 123456" from random sender in victim's own domain

This fake financial spam appears to come from a random sender in the victim's own domain, but this is just a simple forgery. The payload is Locky ransomware.

Subject:     Invoice 5639438
From:     random sender (random.sender@victimdomain.tld)
Date:     Tuesday, 22 November 2016, 8:43

Attached is the document 'Invoice 5639438'.

The reference number varies from email to email, but is consistent in the subject, body and the name of the attachment (e.g. Invoice 5639438.zip). This ZIP file contains a malicious WSF script (e.g. Invoice 7868933153.wsf) that looks like this.

According to the Malwr analysis, that script downloads from:

manage.parafx.com/98y4h?AdIXigNCmu=UdJVux

There are no doubt many other locations. That same analysis shows a DLL being dropped with an MD5 of de5d8250edf98262f335cd87fe6f6740 and a detection rate of 9/56. The Hybrid Analysis of the same sample shows the malware contacting the following C2 locations:

89.108.73.124/information.cgi (Agava, Russia)
91.211.119.98/information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)
94.242.55.81/information.cgi (RNet, Russia)


Recommended blocklist:
89.108.73.0/24
91.211.119.98
94.242.55.81


UPDATE

My usual reliable source came up with these additional download locations:


Malware spam: "Delivery status" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Delivery status
From:     Gilbert Hancock
Date:     Tuesday, 22 November 2016, 8:51

Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.

In the sample I analysed there was an attachment named document_recipientname.zip (i.e. the first part of the recipient's email address was in the name), containing a malicious JavaScript with a random name. This particular script (and there are probably many others) attempts to download a component from one of the following locations:

sbdma.com/ri3xnzkaoz
robertocostama.com/qpnst8glsz
kettycoony.com/ahkzls3w
sadhekoala.com/efgqy4tdw
sdwsgs.com/voh7


According to this Malwr analysis, a malicious DLL is dropped with an MD5 of ebf03567c2a907705a026ff0821d8e63 and a detection rate of 6/55. The Hybrid Analysis reveals the following C2 locations:

91.201.202.130/information.cgi [hostname: dominfo.dp.ua] (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
188.120.250.138/information.cgi [hostname: olezhkakovtonyuk.fvds.ru] (TheFirst-RU, Russia)
213.32.66.16/information.cgi (OVH, France)

For those Russian and Ukrainian networks I would be tempted to block the entire /24 at least, but this is my minimum recommended blocklist:

91.201.202.130
95.213.186.93
188.120.250.138
213.32.66.16

UPDATE

These are additional download locations for this variant (thank you to my usual source):


Monday, 21 November 2016

Malware spam: "Your LogMein.com subscription has expired!" / billing@secure-lgm.com

This fake financial spam leads to malware:

From:    billing@secure-lgm.com
Date:    21 November 2016 at 18:35
Subject:    Your LogMein.com subscription has expired!

Dear client,

You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.


You can download the bill directly from the LogMeIn website:
https://accounts.logme.in/billing.aspx?clusterid=4557&view_bill_id=34466152&file_type=doc


Please use another credit card or payment method in order to avoid complete service interruption.
Event type: Credit Card Declined
Account email: [redacted].com
At: 21/11/2016

If you need more help, visit LogMeIn Support at:
http://solutions.logmein. com/SalesContactUs


Important Security Notice:
LogMeIn will never for your password or other sensitive information by email. 


(Please don't reply to this email, as it's sent from an address that's not monitored.)

© LogMeIn Inc      
The link in the email actually goes to a page at reg.vn/en/view_bill.php?id=encoded-email-address (where the last part is the recipient's email address in Base64 encoding). It downloads a malicious document lgm_bill69290.doc with a current detection rate of 8/55.
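Three posts on this page (the UPS, "financial records subpoena" and LogMeIn lures) use the same trick: a get.php or view_bill.php link on a hacked site whose id parameter is the recipient's address in Base64, so the server can personalise the document it serves. As an added example (not code from the blog), this Python helper pulls the id out of such a URL and decodes it, which lets an analyst confirm which mailbox a captured link was aimed at. It assumes standard Base64 (padding may have been stripped) and uses the UPS post's own sample token; the hosts and paths in the test come from the posts.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Script names seen on the lure sites in these posts.
LURE_SCRIPT = re.compile(r"/(?:get|view_bill)\.php$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _with_scheme(url: str) -> str:
    # The blog quotes links without a scheme; urlsplit needs one to find the host.
    return url if "://" in url else "http://" + url


def decode_lure_id(url: str):
    """Return the e-mail address carried in the URL's id parameter, or None
    when there is no id or it does not decode to something address-shaped."""
    parts = urlsplit(_with_scheme(url))
    ids = parse_qs(parts.query).get("id")
    if not ids:
        return None
    token = ids[0].strip()
    # Restore any '=' padding the sender dropped from the end of the token.
    token += "=" * (-len(token) % 4)
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def triage_lure(url: str) -> dict:
    """Summarise a captured link: host, path, whether the path matches the
    get.php/view_bill.php pattern, and the decoded recipient if any."""
    parts = urlsplit(_with_scheme(url))
    return {
        "host": parts.hostname,
        "path": parts.path,
        "script_matches": bool(LURE_SCRIPT.search(parts.path)),
        "recipient": decode_lure_id(url),
    }


if __name__ == "__main__":
    print(triage_lure("vantaiduonganh.vn/api/get.php?id=aGVscGRlc2tAZmJpLmdvdg=="))
```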

Automated analysis [1] [2] shows malicious network traffic to and from:

newaronma.com/zapoy/forum.php
newaronma.com/ls5/forum.php
newaronma.com/blt/patha1.php?v=51
www.libinvestusa.com/images/inst.exe
www.libinvestusa.com/images/pm1.dll


A malicious executable is dropped with a detection rate of 7/57. The payload appears to be Hancitor / Vawtrak.

The domain secure-lgm.com appears to have been created for the purposes of sending the email. The probably fake WHOIS details are:

Registrant Name: Nikolay Vazov
Registrant Organization: NA
Registrant Street: 106 Vitosha Blvd.
Registrant City: Sofia
Registrant State/Province: Sofia
Registrant Postal Code: 1463
Registrant Country: bg
Registrant Phone: +359.28058181
Registrant Phone Ext:
Registrant Fax: +359.28058787
Registrant Fax Ext:
Registrant Email: nokolay.vazov@mail.bg


Recommended blocklist:
95.215.111.222
newaronma.com
libinvestusa.com


Something evil on 64.20.51.16/29 (customer of Interserver, Inc)

I wrote about this evil network on 64.20.51.16/29 (a customer of Interserver, Inc) over a year ago, identifying it as a hotbed of fraud. Usually these bad networks don't hang around for very long, but in this case it seems to be very persistent.

This time it came to notice from a terse spam with a PDF attached:

From:    Lisa Liang [ineedu98@hanmail.net]
To:    me@yahoo.com
Date:    20 November 2016 at 23:23
Subject:    11/21/2016 Amended

FYI
Attached is a file Amended copy.pdf which when you open it (not recommended) looks blurry with "VIEW" in big red letters.

The link in the email goes to bit.ly/2fJbyol - if you put the "+" on the end of a Bitly link then you can see the number of clickthroughs and what the landing page is (www.serviceupgrade.tech/pdf.php in this case).

Clicking through gives you a login page for "Adobe PDF Online" which is of course a generic phishing page.


Analysis of the 64.20.51.16/29 range finds 193 sites historically connected with it marked as being phishing or some other malicious activity. There are at least 284 sites currently within that range, of which the following are both hosted in that range currently and are malicious:


11% of the total sites in the range have been tagged by SURBL or Google as being bad, and to be honest there are probably a LOT more but those services haven't caught up yet.

In any case, there seems to be nothing of value in 64.20.51.16/29 and I strongly recommend that you block traffic to the entire range.


Thursday, 17 November 2016

Malware spam: "Sage Invoice [service@sage-invoices.com]" / "Outdated Invoice" leads to Trickbot

This fake financial spam leads to the Trickbot banking trojan.

From:    Sage Invoice [service@sage-invoices.com]
Date:    17 November 2016 at 10:54
Subject:    Outdated Invoice

This is a customer service e-mail from © Sage (UK) Limited to [redacted]
   
Sage Invoice Payments
Outdated Invoice

You have an outdated invoice from Sage Invoice Payments that needs your attention. To find out more details on this invoice, please see the enclosed document attached to this email.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54. Hybrid Analysis shows malicious network traffic to:

substan.merahost.ru/petrov.bin  [185.86.77.224] (Mulgin Alexander Sergeevich aka gmhost.com.ua, Ukraine)

A malicious file scsnsys.exe is dropped with a detection rate of 8/53.

The domain sage-invoices.com has been registered by criminals for this attack, presumably to allow encrypted end-to-end communication. The no doubt fake WHOIS details are:

Registry Registrant ID: Not Available From Registry
Registrant Name: Antonio Padula
Registrant Organization: Weighpack Systems Inc
Registrant Street: 5605 Rue Cypihot
Registrant City: Saint Laurent
Registrant State/Province: Quebec
Registrant Postal Code: H4S 1R3
Registrant Country: CA
Registrant Phone: +1.5144243344
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: test@orasore.com


I recommend that you block traffic from that domain, or check your mail filters to see who may have received messages from it.

Recommended blocklist:
sage-invoices.com [email]
185.86.77.0/24

Wednesday, 16 November 2016

Phishing: "Office 365 Tax Refund Service" / updatemicrosoftonline.com

Microsoft Office 365 offering a tax refund service? Really? No, of course not, it's a phishing scam.

From:    Microsoft Office 365 Team [noreply@cloud.baddogwebdesign.com]
Date:    16 November 2016 at 10:58
Subject:    Office 365 Tax Refund Service

Office 365 Microsoft

Office 365 Tax Refund Service.

CONFIGURE TODAY

Thanks for using Office 365. We are delighted to present our new service associated with HM Revenue & Customs. To continue processing your tax refund please configure your bank account.

It's easy to configure your bank account:

1 – Sign in to your account.
1 – Configure your bank account.
1 – You are eligible to receive a tax refund of £537.25 GBP

Thanks for subscribing to Office 365. We hope to continue serving you.

Helpful resources

How to reactivate your Office 365 subscription
Already renewed? Verify your subscription here
What happens to my data and access when my subscription expires?
Get help and support for Office 365

This is a mandatory service communication. To set your contact preferences for other communications, visit the Promotional Communications Manager.

This message was sent from an unmonitored e-mail address. Please do not reply to this message.
Privacy | Legal

Microsoft Office
One Microsoft Way


The link in the email leads to updatemicrosoftonline.com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the Office 365 theme of the email and the domain name, it leads to an HMRC-themed phishing page.

This multi-phish page has twelve UK banks set up on it:

  • Barclays
  • Halifax
  • HSBC
  • Lloyds Bank
  • NatWest
  • Royal Bank of Scotland
  • Santander
  • TSB
  • Metro Bank
  • Clydesdale Bank
  • The Co-Operative Bank
  • Tesco Bank
Clicking on any of the links goes to a pretty convincing-looking phish page, personalised for each bank and carefully extracting all the information the criminals need for account theft. The screenshots below show the sequence if you choose TSB bank.

Once you have entered all the information, the process appears to fail and you are directed to a genuine HMRC site instead.

A list of sites found in 89.248.168.0/24 can be found here [pastebin]. I suggest that the entire network range looks questionable and should be blocked.

Wednesday, 9 November 2016

Malware spam: "Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016" leads to Locky

This spam has an interestingly malformed subject, but the attachment leads to Locky ransomware:

Subject:     Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016
From:     KELLY MOORHOUSE (kelly.moorhouse@edbn.org)
Date:     Wednesday, 9 November 2016, 12:52

KELLY MOORHOUSE

Last & Tricker Partnership

3 Lower Brook Mews
Lower Brook Street
Ipswich Suffolk IP4 1RA
T: 01473 252961  F: 01473 233709  M: 07778464004
email: kelly.moorhouse@edbn.org

This e-mail and any attachments may contain confidential and privileged
information and is intended only for the use of the individual or entity to
which it is addressed. If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this e-mail and destroy any
copies from your system; you should not copy the message or disclose its
contents to anyone. Any dissemination, distribution or use of this
information by a person other than the intended recipient is unauthorized
and may be illegal. We cannot accept liability for any damage sustained as a
result of software viruses and advise you to carry out your own virus checks
before opening any attachment.
Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf) that looks like this.

For one sample script, the Hybrid Analysis and Malwr reports indicate that a binary is downloaded from one of the following locations:

alamanconsulting.at/0ftce4?aGiszrIV=gRLYYDHSna
naka-dent.mobi/0ftce4?aGiszrIV=gRLYYDHSna

This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56. The DLL phones home to the following C2 locations:

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)


These are the same C2s as seen here.

Recommended blocklist:
85.143.212.23
158.69.223.5
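The posts above end with "Recommended blocklist" entries (network ranges, single IPs and sender domains). As an added example that is not tooling from this blog, here is a small Python matcher that loads those entries, treats bare IPs as /32 networks and domain entries as suffix matches, and flags proxy log lines whose URL host or peer IP falls in the list; the log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed from the "Recommended blocklist" sections in the posts above.
# A tag such as "[email]" marks a sender domain; it is dropped when parsing.
RECOMMENDED_BLOCKLIST = """\
sage-invoices.com [email]
185.86.77.0/24
85.143.212.23
158.69.223.5
64.20.51.16/29
89.248.168.0/24
"""

def parse_blocklist(text):
    # Returns (list of ip_network objects, set of lower-cased domain suffixes).
    networks, domains = [], set()
    for raw in text.splitlines():
        entry = raw.split()[0] if raw.strip() else ""
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))  # bare IP -> /32
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return networks, domains

def is_blocked(indicator, networks, domains):
    # An IP matches if it lies in any listed range; a hostname matches if it
    # equals a listed domain or is a subdomain of one (labels are walked right to left).
    indicator = indicator.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        labels = indicator.split(".")
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(addr in net for net in networks)

# Constructed, loosely squid-style proxy log lines: the first reaches the
# download host from the Trickbot post, the third a Locky C2 from this post.
SAMPLE_LOG = """\
1479380000.123 10.0.0.5 TCP_MISS/200 GET http://substan.merahost.ru/petrov.bin - DIRECT/185.86.77.224
1479380001.456 10.0.0.7 TCP_MISS/200 GET http://example.org/ - DIRECT/93.184.216.34
1479380002.789 10.0.0.9 TCP_MISS/200 POST http://85.143.212.23/message.php - DIRECT/85.143.212.23
"""

def flag_log_lines(log_text, blocklist_text=RECOMMENDED_BLOCKLIST):
    # Returns [(matched_indicator, log_line)] for every line touching the blocklist.
    networks, domains = parse_blocklist(blocklist_text)
    hits = []
    for line in log_text.splitlines():
        for token in re.findall(r"(?:https?://|DIRECT/)([^/\s:]+)", line):
            if is_blocked(token, networks, domains):
                hits.append((token, line))
                break
    return hits
```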


UPDATE

A full list of download locations from my usual source:

Malware spam: "Account temporarily suspended" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Nicole Roman
Date:    9 November 2016 at 10:44
Subject:    Account temporarily suspended

Dear Customer.

You have exceeded the limit of operations on your credit card.
Thus, we have temporarily blocked your account.
The full itemization of transactions and instructions are given in the document attached to this message.

Best regards.
The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, and contained a randomly-named malicious .js script that looks like this.

That particular script attempts to download a binary from one of the following locations (you can be sure there are others):

hippaupsup.com/3gc7c2rp
melkar.com/icfi5mg
inspireyouths.org/j48tb3
ausulifer.net/3xwpi
koratwifi.info/io4h3

This Hybrid Analysis and this Malwr report show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56.

No C2 locations have been identified yet. I will post them here if I get them.


Malware spam: "Your Amazon.com order has dispatched" leads to Locky
