Dynamoo's Blog

Wednesday, 7 September 2016

Malware spam: "Agreement form" leads to Locky

This fake financial spam leads to malware:

Subject:     Agreement form
From:     Marlin Gibson
Date:     Wednesday, 7 September 2016, 9:35

Hi there,

Roberta assigned you to make the payment agreement for the new coming employees.

Here is the agreement form. Please finish it urgently.

Best Regards,
Marlin Gibson
Support Manager

The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..

308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js

Automated analysis [1] [2] shows that the scripts [partly deobfuscated example] attempt to download a binary from one of the following locations:

donttouchmybaseline.ws/ecf2k1o
canonsupervideo4k.ws/afeb6
malwinstall.wang/fsdglygf
listofbuyersus.co.in/epzugs

Of those locations, only the first three resolve, as follows:

donttouchmybaseline.ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k.ws 51.255.227.230 (OVH, France / Kitdos)
malwinstall.wang 51.255.227.230 (OVH, France / Kitdos)

The registration details for all those domains are the same:

Registry Registrant ID:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Registry Admin ID:

These are the same details as found here. We know from that incident that the download locations are actually spread around a bit:

23.95.106.206 (New Wave NetConnect, US)
51.255.227.230 (OVH, France / Kitdos)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
216.244.68.195 (Wowrack, US)
217.13.103.48 (1B Holding ZRT, Hungary)

The following also presumably evil sites are also hosted on those IPs:

bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name

Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:

51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name

UPDATE

My trusted source (thank you) says that it phones home to the following IPs and URLs:

91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota.org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg.work/data/info.php
balichpjuamrd.work/data/info.php
mvvdhnix.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti.work/data/info.php
iruglwxkasnrcq.pl/data/info.php
xketxpqxj.work/data/info.php
qkmecehteogblx.su/data/info.php
bbskrcwndcyow.su/data/info.php
nqjacfrdpkiyuen.ru/data/info.php
ucjpevjjl.work/data/info.php
nyxgjdcm.info/data/info.php

In addition to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55

Monday, 5 September 2016

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.

Sincerely yours,
Tamika Good
Account manager

The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:

canonsupervideo4k.ws/1bcpr7xx

This appears to be multihomed on the following IP addresses:

23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)

Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru

Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:

91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55

Friday, 2 September 2016

Malware spam: "old office facilities" leads to Locky

This spam has a malicious attachment:

Subject:     old office facilities
From:     Kimberly Snow (Snow.741@niqueladosbestreu.com)
Date:     Friday, 2 September 2016, 8:55

Hi Corina,

Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.

Best wishes,
Kimberly Snow

The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number.

Analysis is pending, but this Malwr report indicates attempted communications to:

malwinstall.wang
sopranolady7.wang

..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.

UPDATE 1

According to this Malwr report it drops a DLL with a detection rate of 10/58. Also those mysterious .wang domains appear to be multihomed on the following IPs:

23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)

Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28

Malware spam: "Scanned image from MX2310U@victimdomain.tld" leads to Locky

This fake document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.

Subject:     Scanned image from MX2310U@victimdomain.tld
From:     office@victimdomain.tld (office@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 2 September 2016, 2:29

Reply to: office@victimdomain.tld [office@victimdomain.tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception

File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
Adobe(R)Reader(R) can be downloaded from the following URL:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.

    http://www.adobe.com/

Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component from on of the following locations:

body-fitness.net/lagmslh
bushman-rest.com/aoeueyk
capannoneinliguria.com/lijrnub
foerschl.gmxhome.de/emyomqa
imakarademo.web.fc2.com/akwhorc
inge28.mytactis.com/cqmoxef
pennylanecupcakes.com.au/mhkqxia
rabbitfood.web.fc2.com/ixvnfyj
sakon118.web.fc2.com/srmrsgf
sebangou8.xxxxxxxx.jp/kfkdpvl
sojasaude.com.br/ahtoijg
sp-moto.ru/vodusim
t-schoener.de/mdexigc
www.bytove.jadro.szm.com/dgsqens
www.callisto.cba.pl/oqmfnar
www.ccnprodusenaturiste.home.ro/hiogthu
www.coropeppinumereu.it/xyhhytf
www.one-clap.jp/pourpjr
www.parrucchieriagiacomo.com/dekjxus
www.radicegioielli.com/aayfixd
www.sieas.com/mkndcbn
www.spiritueelcentrumaum.net/ksqoyps
www.vanetti.it/inywdjo
www.whitakerpd.co.uk/ymmcguk
www.xolod-teplo.ru/ygpwfty
yggithuq.utawebhost.at/getatoj

The payload is Locky ransomware, phoning home to:

212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers.xyz] (EDIS, Austria)

Recommended blocklist:
212.109.192.235
149.154.152.108

Thursday, 1 September 2016

Malware spam: "Please find attached invoice no" leads to Locky

This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.

Subject:     Please find attached invoice no: 329218
From:     victim@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Thursday, 1 September 2016, 12:42

Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.

Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download from one of the following locations:

158.195.68.10/87hcrn33g
branchjp.web.fc2.com/87hcrn33g
chal4.co.uk/87hcrn33g
dashman.web.fc2.com/87hcrn33g
dcqoutlet.es/87hcrn33g
forum.sandalcraft.cba.pl/87hcrn33g
hotcarshhhs6632.com/js/87hcrn33g
hotelimperium.go.ro/87hcrn33g
imperium.nazory.cz/87hcrn33g
kawasima0506.web.fc2.com/87hcrn33g
kissfm.rdsor.ro/87hcrn33g
ksiega.solidworks.cba.pl/87hcrn33g
nevrincea.50webs.com/87hcrn33g
olivier.coroenne.perso.sfr.fr/87hcrn33g
postaldigitalrs.com.br/87hcrn33g
pp4_09_10_2s.republika.pl/87hcrn33g
reklamnibannery.wz.cz/87hcrn33g
rhanwid.com/87hcrn33g
sac360.web.fc2.com/87hcrn33g
school3.50webs.com/87hcrn33g
srxrun.nobody.jp/87hcrn33g
szkolagrojec.republika.pl/87hcrn33g
wccf.huuryuu.com/87hcrn33g
www.agridiving.net/87hcrn33g
www.archiviestoria.it/87hcrn33g
www.cmg-ingegneria.it/87hcrn33g
www.coseincredibili.it/87hcrn33g
www.courtesyweb.it/87hcrn33g
www.dallaglio-nordin.com/87hcrn33g
www.galaturs.com.ua/87hcrn33g
www.gebrvanorsouw.nl/87hcrn33g
www.gunaldy.com/87hcrn33g
www.idiomestarradellas.com/87hcrn33g
www.infoteria.cba.pl/87hcrn33g
www.termoalbiate.com/87hcrn33g
zui9reica.web.fc2.com/87hcrn33g

The payload appears to be Locky ransomware. It phones home to:

188.127.249.32/data/info.php
95.85.19.195/data/info.php
212.109.192.235/data/info.php
jljiqkwchebdtng.click/data/info.php
xattllfuayehhmpnx.pw/data/info.php
gxytcem.info/data/info.php
cmodkwsxu.biz/data/info.php
cucifux.pw/data/info.php
yectcnixjvowtac.pw/data/info.php
wkufbyd.ru/data/info.php
cjtysjouoheneprhu.ru/data/info.php
ipbjheegfnwrhh.pl/data/info.php
xmujkqloyo.info/data/info.php
hyopihvoqidlgckyu.biz/data/info.php
bhooxdm.work/data/info.php

This is similar to the list here.

Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24