Spam: Dr Happy's Terrorism Conference

Fake conferences are a pretty common scam. The criminals send out spam about serious-looking upcoming conferences that don't exist and then rip victims off for travel costs, conference fees and hotel accommodation. This spam about a fake conference about terrorism caught my eye because it comes from the amusingly named (but fake) Dr Happy Wisdom:

From:    Dr. Happy [shreyag@bajajcapital.com]
Reply-To:    "Dr. Happy" [iedhsto.officedesk@gmail.com]
Date:    15 June 2016 at 23:24
Subject:    INTERNATIONAL CONFERENCE PROGRAM 2016

Dear Sir/Madam,

 On behalf of the International Economic Development on Human Security and Terrorism Organization, I am pleased to invite you to our conference that will be held from August 15th to 19th, 2016 @ the conference place in Dallas Texas USA and August 22nd-26th 2016 @ in Dakar Senegal. The conference meeting will contain various talks and mini workshops related to the issues of Challenges to Economic Development & Human Security in our society.

The topic of the conference is "The Effect of Terrorism on Global Economy and Human Security " the sponsors of this event shall cover your round-trip air tickets from your country to the USA and from USA to Dakar Senegal back to your country and we shall also provide visa assistance with the U.S Embassy in your country of residence and your ground transportation from the airport to the conference venue. The hotel accommodation booking cost will be your own responsibility in Republic of Senegal. Please contact the conference secretariat for more information and registration for participation: [iedhsto.officedesk@gmail.com].

We look forward to your confirmed presence at the conference.

Respectfully Yours,

Dr. Happy Wisdom,

Program Assistant.

The email does actually originate from an IP address in Senegal (41.82.15.40) but then it is routed through a hacked server belonging to the domain bajajcapital.com which is a finance company in India. The compromise email account can be seen in the "From" field.

At best this scam is some sort of financial fraud. At worst, turning up to it could put your life in danger. Avoid.

Malware spam: ". CARTÓRIO POSTAL. Apontamento de Protesto. 10/06/2016 17:42:46"

This Portuguese-language spam leads to malware:

From:    formacion@salesianos-madrid.com
Date:    10 June 2016 at 21:42
Subject:    . CARTÓRIO POSTAL. Apontamento de Protesto. 10/06/2016 17:42:46

Levamos ao conhecimento de V. Sa. que se acha devidamente protocolado neste Tabelionato, para ser protestado, o título abaixo anexado.

Lei nº 9.492 de 10 setembro de 1997.
Art. 12. O protesto será registrado dentro de três dias úteis contados da protocolização do título ou documento de dívida.
§ 1º Na contagem do prazo a que se refere o caput exclui-se o dia da protocolização e inclui-se o do vencimento.

Favor comparecer munido deta intimação, no horário das 8:00h às 17:00h


Atenciosamente,Liliane peixoto.

The link in the email message in this case goes to:

www.sugarsync.com/pf/D3259546_878_449109824?directDownload=3Dtrue

This downloads an executable PROTESTO.exe with a VirusTotal detection rate of 15/56. Automated analysis [1] [2] [3] shows it dropping a further executable OViLQKDS.exe which has a detection rate of 16/56. Analysis of that is inconclusive [4] [5] [6] is inconclusive, but it looks like some kind of information stealer.

Malware spam: "David Bernard agent Fedex" / "Secure-FeDex" leads to Andromeda

This fake FedEx (or FeDex?) spam has a malicious attachment:

From:    Secure-FeDex
Date:    8 June 2016 at 18:17
Subject:    David Bernard agent Fedex

Deаr [redacted] ,
We tried tо delivеr уour item on June 08th, 2016, 10:45 АM.
The delivеry attempt failеd because thе аddress was business сlоsed оr nobodу сould sign fоr it.
Тo piсk up the package, please, рrint the receipt that is аttаchеd to this еmаil and visit FеdEx
office indicated in the invoice. If the pасkagе is nоt piсkеd up within 24 hоurs, it will bе returnеd to thе shipper.

 

Receipt Number:  98402839289
Eхpесted Delivеrу Dаte: June 08th, 2016
Class: Intеrnаtional Paсkаge Sеrviсe
Servicе(s): Delivеrу Cоnfirmation
Status: Notifiсatiоn sent

 

Thank you for choosing our service

 

 

©  FedEх  1995-2016

In this case there was an attachment FedEx_track_98404283928.zip which unzipped into a folder FedEx_track_98404283928 containing in turn a malicious script FedEx_track_98404283928.js which (according to Malwr) attempts to download a binary from one of the following locations:

www.brusasport.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.microsoft.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.mega.net/Brusa/vario/direct/teamviiverupdate2918372.exe
www.google.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.yahoo.com/Brusa/vario/direct/teamviiverupdate2918372.exe

Only the first one is a valid download location, the rest are a smokescreen. The dropped binary has a detection rate of 5/56 but automated analysis [1] [2] [3] is inconclusive. However those reports do seem to indicate attempted network traffic to:

secure.adnxs.metalsystems.it
upfd.pilenga.co.uk

These two subdomains appears to have been hijacked from unrelated Register.IT customers and are hosted on a questionable-looking customer of OVH Italy on 188.165.157.176:

organisation:   ORG-NQ1-RIPE
org-name:       Kitdos NOC
org-type:       OTHER
address:        UNKNOW
address:        UNKNOW UNKNOW
address:        US
e-mail:         kitdos.com@gmail.com
abuse-mailbox:  kitdos.com@gmail.com
phone:          +33.188866688
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-02-04T03:22:05Z
last-modified:  2016-02-23T13:14:14Z
source:         RIPE

Other hijacked subdomains on the same IP are:

tgr.tecnoagenzia.eu
bmp.pilenga.co.uk
maps.pilenga.co.uk
sundication.twitter.luigilatruffa.com
tit.pilenga.net
trw.pilenga.net
ocsp.pilenga.net
plda.pilenga.net
maps.pilenga.mobi
plda.pilenga.mobi

This Tweet from ‏@pancak3lullz indicates that this IP is associated with Anrdomeda rather than the usual recent patterns of Locky or Dridex (which has.. err.. dried up recently). It appears to have been a malicious IP for more than a month.

Of interest is that almost every part of this chain (including the spam sending IP of 31.27.229.22) is in Italy.

As with a great deal of recent spam, this is delivered via a .js script in a ZIP file. If you can configure your mail filters to reject such things then you will be a whole lot safer.

Recommended blocklist:
188.165.157.176/30

Malware spam: "Good morning" résumé spam drops Cerber ransomware and makes a statement

This fake résumé spam leads to malware:

From:    Dora Bain
Date:    7 June 2016 at 03:37
Subject:    Good morning

What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.

With gratitude,

--
Dora Bain

In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes that tries to make a political statement along the way..

This downloads a file from 80.82.64.198/subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe  which VirusTotal gives a detection rate of 20/56 and seems to give an overall diagnosis as being Cerber ransomware.

The IP address of 80.82.64.198 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24 which could be a good candidate to block. Incidentally, the IP hosts best-booters.com which is likely to be a DDOS-for-hire site.

According to the VT report the malware scans for a response on port 6892 on the IP addresses 85.93.0.0 through to 85.93.63.255. However, this Hybrid Analysis indicates that the only server to respond is on 85.93.0.124 (GuardoMicro SRL, Romania) which is part of the notoriously bad 85.93.0.0/24 which is a good thing to block.

That report also shows traffic to ipinfo.io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.

Recommended blocklist:
80.82.64.0/24
85.93.0.0/24

Malware spam: "New Company Order" / "ABC Import & Export,LLC"

This fake financial spam leads to malware:

From:    accounting@abcimportexport.com
Reply-To:    userworldz@yahoo.com
To:    Recipients [accounting@abcimportexport.com]
Date:    31 May 2016 at 12:31
Subject:    New Company Order

Good Day,

Find the attached specifications in the purchase order for our company mid year order & projects before sending your Proforma Invoice and do get back to me with your quotations asap.
An Official order placement will follow as soon as possible.

CLICK HERE TO DOWNLOAD & VIEW PURCHASE ORDER IF DOESNT WORK THEN CLICK HERE TO DOWNLOAD SECURE PURCHASE ORDER 

https://gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip
Attention! This document was created with a newer version of Microsoft Word.. Please click Enable Content or Macro to view the content of our order

Best Regards,
Ameen La Binish

Purchasing Dept

ABC Import & Export,LLC 2534 Royal Lane
Suite # 205
Dallas,Texas 75229
USA
Toll Free : 1-800-666-5874
Office Main Line : 1-214-966-2627
Office Reception : 1-214-985-1696
Fax : 1-972-243-7275
Email: Sales@abcimportexports.co
Website: http://abcimportexport.com

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

The link in the email message goes to gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip . This contains a malicious executable scan purchase orders.exe which has a detection rate of 3/56. That VirusTotal report and these other analyses [1] [2] [3] shows network traffic to:

185.5.175.211 (Voxility SRL, Romania)

This executable drops another similar EXE [4] [5] [6] [7] which phones home to the same IP. Between them, these reports indicate some sort of keylogger. There seems to be little of anything of value in this /24, so I would recommend blocking 185.5.175.0/24

sdfsdaf