Dynamoo's Blog

Thursday, 29 September 2016

Malware spam: "Bill for documents" / "Bill for papers" / "Bill for parcel" leads to Locky

This spam leads to Locky ransomware. The sample I have seen have no body text, but have subjects in the format:

Bill for documents 31564-29-09-2016
Bill for parcel 08388-28-09-2016
Bill for papers 657-29-09-2016

Each subject has a random number appended by the date. Attached is a RAR archive file with a name similar to Bill 657-29-09-2016.rar containing a malicious .js script which downloads a binary from one of the following locations (according to a trusted source):

81millstreet.nl/8g74crec
alamanconsulting.at/8g74crec
aseandates.com/8g74crec
bandbcreuse.com/8g74crec
baraderoteinforma.com.ar/8g74crec
birthstory.com/8g74crec
cafe-bg.com/8g74crec
cmcomunicacion.es/8g74crec
delphinph.com/8g74crec
droukulnad.com/8g74crec
econopaginas.com/8g74crec
eitanbehar.org/8g74crec
g2cteknoloji.com/8g74crec
gadget24.ro/8g74crec
globalremoteservices.com/8g74crec
gomelnaushnik.com/8g74crec
iachovski.com/8g74crec
ingpors.sk/8g74crec
kelownatownhomes.com/8g74crec
lafripouniere.com/8g74crec
mergrain.com/8g74crec
opmsk.ru/8g74crec
parentchildmothergoose.com/8g74crec
parroquiansg.org/8g74crec
pecschool.com/8g74crec
serenadacourt.com/8g74crec
sipcomponents.com/8g74crec
slaterarts.com/8g74crec
smokintech.com/8g74crec
spaciodentalrd.com/8g74crec
sundanceballoons.com/8g74crec
techsilicon.com/8g74crec
teothemes.com/8g74crec
travelinsider.com.au/8g74crec
undiaem.com/8g74crec
unforgettabletymes.com/8g74crec
veganvet.net/8g74crec
victorcasino.com/8g74crec
w3hostingserver.com/8g74crec

The malware then phones home to the following servers:

194.67.208.69/apache_handler.php (Marosnet, Russia)
89.108.83.45/apache_handler.php (Agava, Russia)

Payload detection for the version analysed was 16/56 but there could be an updated payload by now.

Recommended blocklist:
194.67.208.69
89.108.83.45

Wednesday, 28 September 2016

Something evil on 69.64.63.77

This appears to be some sort of exploit kit leveraging hacked sites, for example:

[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4

You can see this EK infecting a legitimate site in this URLquery report. The IP address appears to be a customer of ServerYou:

OrgName:        MegaHosterNetwork
OrgId:          MEGAH
Address:        Zaporozhskogo kazachestva 15
City:           Zaporozhzhe
StateProv:
PostalCode:     69097
Country:        UA
RegDate:        2012-09-02
Updated:        2012-09-02
Ref:            https://whois.arin.net/rest/org/MEGAH

These other domains are hosted on the same IP:

[donotclick]j8le7s5q745e.org
[donotclick]3wdev4pqfw1u.org
[donotclick]fg1238tq38le.net

All of those domains are registered to:

Registrant Name: sergey muromov
Registrant Organization: sergey muromov
Registrant Street: veteranov 45-87
Registrant City: sank-tpeterburg
Registrant State/Province: leningradckaya
Registrant Postal Code: 458223
Registrant Country: RU
Registrant Phone: +7.66473838987
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: muromov96@bk.ru

It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking.

Locky download and C2 locations 2016-09-28

It's one of those day where I haven't been able to look at Lock much, but here is some analysis of download locations from my usual trusted source.

Binary download locations:

agri-host.us/67fgbcni
bigballsincowtown.com/67fgbcni
deeryarch.me/67fgbcni
dfl210.ru/67fgbcni
dslayer.net/67fgbcni
hasatbey.com/67fgbcni
house-of-quality.com/67fgbcni
intesols.com/67fgbcni
ivankhoo.com/67fgbcni
kolonker.com/67fgbcni
komsutekstil.com/67fgbcni
lucianasaliani.com/67fgbcni
marlonmendieta.com/67fgbcni
muangbouge.com/67fgbcni
naughtypixelads.com/67fgbcni
noorgames.com/67fgbcni
obtenloya.com/67fgbcni
patriciaclarkfinley.com/67fgbcni
permanentmark.sk/67fgbcni
podaripodarok.ru/67fgbcni
ramsdale.org/67fgbcni
rikuzentakata-mpf.org/67fgbcni
sigglab.com/67fgbcni
thehotelandrea.com/67fgbcni
travicoperu.com/67fgbcni
villaangela.info/67fgbcni
wmediatraining.com/67fgbcni
zahrady-landart.sk/67fgbcni
bathecista.com/1xz8pu
bathecista.com/8rjz1fr
bildungsmedien.org/je62fq
casaxavier.com.mx/p5hq150
cdou.ru/mhr53p
centralfirepro.com/sba7l
chimesmedia.com/ecn343f
chole-ray.com/yb1ambd
cydotomasyon.com/o8sh8
cylooks.com/y1kj5y4i
czeladz24.com/qvms47
depersoneelskamer.nl/v2h0o
doorleads.com/d9txgc
drsearsprime-time.com/pzcpg
edunayok.org/i4qnmc13
etustime.com/xa7sajm4
fatquote.net/0znym9
fatquote.net/4kj0ecdq
formationinnovation.net/dvzeb154
galinakireeva.ru/tmdq8o9z
gideroto.com/gtslcf
gonenisi.com/f5f91g1
healingwaterscc.com/souanzj5
hobbydays.ru/rrzvs
housellaw.com/lhfxwgx7
i-mdv.com/yb7rwfj
inchallahrencontre.net/rax72ya
i-school-tutor.com/ucg4c8
izmirisgb.com/dknjf
linoteil.com/1fm2x9
linoteil.com/8ncfzoi
lordalexleon.com/vbsmt6d
mineralhound.com/micmlf
ncbwhb.com/padk5n
nevis-football.com/u7tohi
nvwriter.com/eh4zm
panusnikom.com/k6hk6
pblossom.com/a91a5u
portal.rimpro.ru/s20c5
powercomm.ie/v57lkb
rimiller.com/sw1axrg
roxyperu.com/j6qpb5eb
servisix.com/csavi3l
shendiaoqzj.com/az1j2cq
shinganist.com/hl8he62
softgallery.dk/x5yjlhh
sscsci.com/c761057
styleyate.net/0o9tl6d
styleyate.net/2sn8erda
sunteamvn.com/uda8s
susanthomas.net/mq9ea3
taitong.info/tl6q7zlc
tanerkaplama.com/oa9wr5p
teamindo.com/sfpkv
tzabanga.com/bnxg4hp
vicwulaw.com/vjbql
waspyfauna.com/0vzw8y
waspyfauna.com/4aegrg
xfjt.org/lcwg8o
youtuberankchecker.net/wkmdc

C2s:

176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh.biz/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
rluqypf.pw/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk.biz/apache_handler.php [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap.info/apache_handler.php
kdbbpmrdfnlno.pl/apache_handler.php
jlhxyspgvwcnjb.work/apache_handler.php
dceaordeoe.ru/apache_handler.php
gisydkcsxosyokkuv.work/apache_handler.php
mqlrmom.work/apache_handler.php
wfgtoxqbf.biz/apache_handler.php
ndyevynuwqe.su/apache_handler.php
vgcfwrnfrkkarc.work/apache_handler.php

Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158

Tuesday, 27 September 2016

Malware spam: "Attached:Scan(70)" and others leads to Locky

This fake scanned document leads to Locky ransomware:

Subject:     Attached:Scan(70)
From:     Zelma (Zelma937@victimdomain.tld)
To:     victim@victimdomain.tld;
Date:     Tuesday, 27 September 2016, 14:15

There does not appear to be any body text. My trusted source tells me that the subject is a combination of the words Attached / Copy / File / Emailing and Document / Receipt / Scan plus a random two-digit number. Attached is a ZIP file with a name similar to the subject, containing a malicious .wsf scriot.

This script then downloads components from one of the following locations:

akseko.ru/78hceef
altorelevo.net/78hceef
amsterdamrent.com/78hceef
art-asfalt.com/78hceef
australiandesignerweddings.com/78hceef
baitcalculator.com/78hceef
bb-alarm.com/78hceef
bezdeals.com/78hceef
brambory.net/78hceef
ccaglobal.org/78hceef
cg3dstudio.com/78hceef
cimetieremontroyal.com/78hceef
dashandling.com/78hceef
deadly-city.com/78hceef
dealerjoin.com/78hceef
diemsolutions.com/78hceef
essennarose.com/78hceef
eventbuzzuk.com/78hceef
fixturesexpress.com/78hceef
frecuenciaurbana.es/78hceef
gharazi.com/78hceef
google-seo-top.com/78hceef
gouri-gouri.com/78hceef
grijspaardt.nl/78hceef
haikhhoose.com/78hceef
hedefosgb.com/78hceef
homemadebakeryindonesia.com/78hceef
hurbtrade.com/78hceef
idealuze.com/78hceef
intardesign.com/78hceef
johnlesterart.com/78hceef
karacanalbum.com/78hceef
linbao.org/78hceef
maxtherm.net/78hceef
mediaalias.com/78hceef
mysolosource.com/78hceef
nerosk.ru/78hceef
peryskop.biz/78hceef
profsonstage.com/78hceef
speaklifegreetings.com/78hceef
upav.org/78hceef
usedtextilemachinerylive.com/78hceef
wssunhui.com/78hceef
www.musicbarpriatelia.sk/78hceef
xdesign-p.com/78hceef

The payload is Locky ransomware, phoning home to:

5.196.200.247/apache_handler.php (OVH, Ireland / Just Hosting, Russia)
62.173.154.240/apache_handler.php (JSC Internet-Cosmos, Russia)
uiwaupjktqbiwcxr.xyz/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
rflqjuckvwsvsxx.click/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
dypvxigdwyf.org/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
ntqgcmkmnratfnwk.org/apache_handler.php
wababxgqgiyfrho.su/apache_handler.php
ytqeycxnbpuygc.ru/apache_handler.php
ocuhfpcgyg.pl/apache_handler.php
cifkvluxh.su/apache_handler.php
sqiwysgobx.click/apache_handler.php
yxmagrdetpr.biz/apache_handler.php
xnoxodgsqiv.org/apache_handler.php
vmibkkdrlnircablv.org/apache_handler.php

Recommended blocklist:
5.196.200.0/24
62.173.154.240
86.110.118.114

Tuesday, 20 September 2016

Evil network: 178.33.217.64/28 et al (evolution-host.com, customer of OVH)

This customer of OVH appears to be registered with fake details, and are distributing malware via a block at 178.33.217.64/28. Currently, the following IPs are distributing some sort of unidentified exploit kit:

178.33.217.64
178.33.217.70
178.33.217.71
178.33.217.78
178.33.217.79

A list of the domains associated with those IPs can be found here [pastebin].

OVH have allocated the IP range to this customer:

organisation:   ORG-JR46-RIPE
org-name:       Jason Reily
org-type:       OTHER
address:        32 Oldfarm Road
address:        GB21DB London
address:        GB
e-mail:         ourbills@evolution-host.com
abuse-mailbox: ourbills@evolution-host.com
phone:          +353.8429143
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-05-24T18:16:03Z
last-modified: 2016-05-24T18:16:03Z
source:         RIPE

There is no such address in London, the postcode is obviously invalid and the telephone number appears to be an Irish mobile phone. Checking the evolution-host.com domain reveals something similar:

Registrant Name: OWEN PHILLIPSON
Registrant Organization: EVOLUTION HOST
Registrant Street: 24 OLDFARM ROAD
Registrant City: LONDON
Registrant State/Province: LONDON
Registrant Postal Code: SW19 3RQ
Registrant Country: GB
Registrant Phone: +353.851833708
Registrant Phone Ext:
Registrant Fax: +44.7479012225
Registrant Fax Ext:
Registrant Email: info@evolutionhost.co.uk
Registry Admin ID:

Again, an invalid address with a different street number from before and an Irish telephone number. We can look at evolutionhost.co.uk too..

    Registrant:
        Owen Phillipson

    Registrant type:
        UK Sole Trader

    Registrant's address:
        24 Oldfarm Road
        London
        London
        SW19 3RQ
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data
source on 09-Feb-2014

Obviously Nominet's validation process isn't worth rat shit. The Evolution Host website appears to have no contact details at all.

RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block all of them:

91.134.220.108/30
92.222.208.240/28
149.202.98.244/30
176.31.223.164/30
178.33.217.64/28

UPDATE

A contact says that IP listed at the beginning of the post are the Neutrino Exploit Kit.