Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change


King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7

Sender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:

escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7

This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]

All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.

Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22

Malware spam: "Confirmation letter" leads to Locky

Another spam run leading to Locky ransomware..

From:    Mavis Howe [Howe.4267@croestate.com]
Date:    3 August 2016 at 13:32
Subject:    Confirmation letter

Hi [redacted],

I attached the employment confirmation letter I prepared.
Please check it before you send it out.

Best regards

Mavis Howe

The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here.

Malware spam: "As you directed, I send the attachment containing the data about the new invoices"

Another day, another Locky ransomware run:

From:    Marian Mcgowan
Date:    3 August 2016 at 11:15
Subject:    Fw: New invoices

As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script  which according to this Malwr analysis downloads a binary from..

blog-aida.cba.pl/2zensi7t

..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:

93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]

Both those IPs are in known bad blocks.

Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24

Malware spam: "Unable to deliver your item, #000179376" / "FedEx International Ground" leads to ransomware

This fake FedEx email has a malicious attachment.

From:    FedEx International Ground [terry.mcnamara@luxmap.com]
Date:    2 August 2016 at 18:53
Subject:    [REDACTED], Unable to deliver your item, #000179376

Dear [Redacted],

This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.

Thanks and best regards,
Terry Mcnamara,
Support Manager.

Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis on the sample shows that the script downloads ransomware from opros.mskobr.ru but a quick examination of the code reveals several download locations:

opros.mskobr.ru
alacahukuk.com
www.ortoservis.ru
aksoypansiyon.com
samurkasgrup.com

Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:

195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)

A couple of binaries are dropped onto the system, a.exe (detection rate 2/53) [may not be malicious] and a2.exe (detection rate 7/53).

The payload seems to be Nemucod / Crypted or some related ransomware.

Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32

Malware spam: "Please review the attached corrected annual report." / "Corrected report"

This spam comes with a malicious attachment:

Subject:     Corrected report
From:     Joey Cox (Cox.48@sodetel.net.lb)
Date:     Monday, 1 August 2016, 13:37

Dear webmaster,

Please review the attached corrected annual report.

Yours faithfully
Joey Cox

The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware from one of the following locations (thank you to my usual source for analysis):

121.83.206.211/~ftp-yama/9z6nu
12-land.co.jp/gyukmx
209.202.52.42/~wevugoja/eijz2y
213.228.128.12/~joaod/2xbjbu
213.228.128.12/~joaod/74ujkijl
217.26.70.200/~pitagora/4nm1k
218.228.19.9/~yossi/9ssfpkz
67.23.226.139/~jneccsio/2egblt4m
79.96.153.93/cxzlkz
80.109.240.71/~r.theeuwes/6c1arl9
abufarha.net/55hhso
akeseverin.com/audqp
akva-sarat.nichost.ru/xc2kao
arogyaforhealth.com/l9bwo0
b-doors.ru/l65n0 - hash
bisericaromaneasca.ro/jzvtuc
bobbysinghwpg.com/k3v1t3v4
canplus.fc2web.com/faepi1
certifiedbanker.org/lg305
climairuk.com/kmbw8q
clinic.gov.ua/sku4ql
darkhollowcoffee.com/n69xfk
darkhollowcoffee.com/xlbps
enexp.ru/r2wbp6
fotografuj.pl/8hotlfc2
fotografuj.pl/y4m2b
gp-logistics.ru/uwkop
keven.site.aplus.net/rb9skl
krovgid.ru/wooq2
libertymanuals.com/o97dh92i
mobile-kontent.com/ou6ne
openspace.pro/teg7qur
paletteswapninja.com/~playre5/0mxupm8q
programistyczni.strefa.pl/j7xk8c
ramsayconstruction.ca/b27ix9s
rom-stroy.ru/s0kphjat
schlebach.25mm.ru/ycz6sn
seahawkexports.com/7954qp3a
shagunproperty.com/8ikrr
sigovka.ru/w790cg8h
steelfs.com.mx/00ucikvv
stroymonolit.su/7oiy5i8
tvoy-android.com/i8rsoei
u2319351.plsk.regruhosting.ru/vsfvyj1j
ultramarincentr.ru/jtmms
uxeurope.com/~guest/7rj3px
visionaero.com/9grdv
wordpress.pro-tiler.ru/mk9yi4wl
www.robtozier.com/bg58a

The dropped binary then attempts to phone home to:

91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

The host for that last one comes up over and over again, it's time to block that /22..

Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22