Sponsored by..

Wednesday, 27 July 2016

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be 
The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.

UPDATE

The C2 locations for this variant are:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)

Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30

Posted by at 1 comment:
Labels: , , , , , , , , , ,

Malware spam: "Sent from my Samsung device" leads to Locky

This spam comes in a few different variations:

From:    Lottie
Date:    27 July 2016 at 10:38
Subject:    scan0000510

Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:

alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765

The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:

 5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)

(Thank you to my usual source for this data)

There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.

Recommended blocklist:
5.9.253.160/27
178.62.232.244

Posted by at No comments:
Labels: , , , , , , , , ,

Tuesday, 26 July 2016

Malware spam: "list of activities" leads to Locky

This fake business spam has a malicious attachment:

From     "Penelope Phelps"
Date     Tue, 26 Jul 2016 23:02:43 +1100
Subject     list of activities

Hello,

Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.

Warm regards,
Penelope Phelps
ALLIED MINDS LTD
Security-ID: 4d2c95a750fe26a3560ffddfe374ff5c5c064bd78fea30
The sender's name, company and "Security-ID" vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script that looks like this. This Malwr report and this Hybrid Analysis show this particular sample downloading from:

akva-sarat.nichost.ru/bokkdolx

There will be many other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55. Further analysis is pending, however it is quite likely that this sample uses the same C2 servers as seen earlier today.



Posted by at No comments:
Labels: , , , ,

Malware spam: "Attached Image" leads to Locky

This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    26 July 2016 at 10:27
Subject:    Attached Image

**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************
Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:

www.isleofwightcomputerrepairs.talktalk.net/okp987g7v

There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:

31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

Recommended blocklist:
31.41.47.41
91.234.35.216

Posted by at No comments:
Labels: , , , , , ,

Monday, 25 July 2016

Malware spam: "Emailing: Photo 25-07-2016, 34 80 10" / "Emailing: Document 25-07-2016, 72 35 48"

This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
From:    Rebeca [Rebeca3@victimdomain.tld]
Date:    25 July 2016 at 10:16
Subject:    Emailing: Photo 25-07-2016, 34 80 10


Your message is ready to be sent with the following file or link
attachments:

Photo 25-07-2016, 34 80 10


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".

An alternative variant comes with a malicious Word document:

From:    Alan [Alan306@victimdomain.tld]
Date:    25 July 2016 at 12:40
Subject:    Emailing: Document 25-07-2016, 72 35 48

Your message is ready to be sent with the following file or link
attachments:

Document 25-07-2016, 72 35 48


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
The attachment is this case is a .DOCM filed named in a similar way as before.

This analysis is done by my usual trusted source (thank you). These scripts and macros download a component from one of the following locations:

0urkarachi.atspace.com/7h8gbiuomp
cantrell.biz/7h8gbiuomp
czemarserwis.home.pl/7h8gbiuomp
exploromania4x4club.ro/7h8gbiuomp
finaledithon.web.fc2.com/7h8gbiuomp
koushuen.co.jp/7h8gbiuomp
moehakiba.web.fc2.com/7h8gbiuomp
ostseeurlaub-tk.homepage.t-online.de/7h8gbiuomp
r-p-b.de/7h8gbiuomp
topmanagers.claas.fr/7h8gbiuomp
tpllaw.com/7h8gbiuomp
tutomogiya.web.fc2.com/7h8gbiuomp
vplegat.dk/7h8gbiuomp
www.aproso.de/7h8gbiuomp
www.ciapparelli.com/7h8gbiuomp
www.foto-aeree.it/7h8gbiuomp
www.gruetzi.es/7h8gbiuomp
www.isleofwightcomputerrepairs.talktalk.net/7h8gbiuomp
www.louislechien.net/7h8gbiuomp
www.motoslittetrecime.com/7h8gbiuomp
www.sistronic.com.co/7h8gbiuomp
www.tridi.be/7h8gbiuomp
www.vakantiehuisjeameland.nl/7h8gbiuomp
www.westline.it/7h8gbiuomp
zemlya.web.fc2.com/7h8gbiuomp

The payload here is Locky ransomware, and it phones home to the following addresses:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)

 Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176

Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)