Monday, 24 October 2016

Generic email phish tries to bamboozle with jargon

This phishing spam tries to confuse potential victims by throwing legitimate-looking jargon around.

From: Postmaster [mailer-daemon@mailhost.rceit.com]
Date: 24 October 2016 at 15:43

To: victim@victimdomain.tld
Subject: Warning: Incoming Messages for victim@victimdomain.tld is [13 undelivered messages]



This message was created automatically by mail delivery software inbound-mail-x1.501.102.43.1

I'm afraid I wasn't able to deliver 13 contact email messages since October 16 2016 for victim@victimdomain.tld

To retrieve your emails and reconfigure Port 486, Click Here

Warning: Failure to do this will lead to total suspension of your email account.

Remote host said: 550 sorry, can't deliver message to your inbox


Please delete and Ignore if this is not your email address.

Clicking on the link ends up at a generic phishing site (in this case the link was foodworkshighcountry.com.au/inbound/index2.htm?victim@victimdomain.tld) which throws even more jargon including these lines:

An error in your SMTP/POP settings is blocking your incoming emails……
Message:
Date:

Subject: Error loading some of your inbox messages
User: %0%
Bounce reason:
An error in your SMTP/POP settings is blocking your incoming e-mails
550-5.1.1 :POP configuration text can not be verified
550-5.1.2:Login encountered an unhandled error in your SSL settings
550-5.1.3:Login encountered an unhandled error in your SSL settings
Suggested Solution:

    Please fill out the form below. Once the error is fixed, our team will contact you.
    Email address:
    Password:

    Your e-mail may be completely blocked, if you do not report this error.


----------------
Content-Type: multipart/alternative; boundary=001a1135f63edd4472050da42d05.


Typing your username and password will send it to the bad guys. Not all phishing emails look stupid, and although this one doesn't really make sense when you look at it closely, it looks authentic enough that it might fool some people.
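A real non-delivery report has a recognisable shape that this phish does not: it is a multipart/report message (RFC 3464), it is marked as automatically generated, and it does not ask you to click anywhere. The following is an added example, not code from the original post, showing how a mail filter could score bounce-like messages on exactly those points. The two sample messages are constructed here (the phish is modelled on the one quoted above, with its link to foodworkshighcountry.com.au; the genuine bounce is a minimal RFC 3464 report) and the Auto-Submitted check is a heuristic, since not every MTA sets that header.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the phish quoted in the post: a fake bounce
# whose only real payload is a link to a credential-harvesting page.
SAMPLE_PHISH = """\
From: Postmaster <mailer-daemon@mailhost.rceit.com>
To: victim@victimdomain.tld
Subject: Warning: Incoming Messages for victim@victimdomain.tld is [13 undelivered messages]
Content-Type: text/html; charset=utf-8

<p>This message was created automatically by mail delivery software</p>
<p>To retrieve your emails and reconfigure Port 486,
<a href="http://foodworkshighcountry.com.au/inbound/index2.htm?victim@victimdomain.tld">Click Here</a></p>
"""

# Constructed sample of a standards-conforming bounce: multipart/report,
# flagged as auto-generated, and carrying no clickable link at all.
SAMPLE_REAL_NDR = """\
From: Mail Delivery System <MAILER-DAEMON@mail.victimdomain.tld>
To: victim@victimdomain.tld
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mail.victimdomain.tld.
Remote host said: 550 sorry, can't deliver message to your inbox
--b1--
"""


class _HrefCollector(HTMLParser):
    """Collects href targets from <a> tags in an HTML part."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(msg):
    """Return every link found in the text/html and text/plain parts of msg."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(part.get_content())
            links.extend(collector.hrefs)
        elif ctype == "text/plain":
            links.extend(re.findall(r"https?://\S+", part.get_content()))
    return links


def assess_bounce(raw_message):
    """Return findings explaining why a bounce-like message looks forged (empty = nothing odd)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_local, _, sender_domain = sender.rpartition("@")
    subject = str(msg.get("Subject", ""))
    bounce_words = ("undeliver", "returned", "mailer-daemon", "postmaster")
    if not any(w in (subject + " " + sender_local).lower() for w in bounce_words):
        return []  # does not claim to be a bounce; out of scope for this check
    findings = []
    ctype = msg.get_content_type()
    if ctype != "multipart/report":
        findings.append(f"claims to be a bounce but is {ctype}, not multipart/report (RFC 3464)")
    # Heuristic: common MTAs mark their bounces with Auto-Submitted: auto-replied.
    if str(msg.get("Auto-Submitted", "")).lower() != "auto-replied":
        findings.append("missing Auto-Submitted: auto-replied header")
    # A bounce has no business sending you to a third-party site.
    for link in extract_links(msg):
        host = (urlsplit(link).hostname or "").lower()
        if not host.endswith(sender_domain.lower()):
            findings.append(f"link host {host} is unrelated to sender domain {sender_domain}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("real NDR", SAMPLE_REAL_NDR)):
        print(name, assess_bounce(raw) or "looks like a genuine bounce")
```

Run on the two samples, the phish collects three findings (wrong content type, no auto-submitted marker, link to an unrelated host) and the genuine bounce collects none. Any one of the three is worth a closer look; the unrelated link is the one that matters most, because that is where the password form lives.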

Malware spam: "Complaint letter" leads to Locky

This spam leads to Locky ransomware:

From     "Justine Hodge"
Date     Mon, 24 Oct 2016 19:27:53 +0600
Subject     Complaint letter

Dear [redacted],

Client sent a complaint letter regarding the data file you provided.
The letter is attached.

Please review his concerns carefully and reply him as soon as possible.

Best regards,
Justine Hodge
The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter".

My source tells me that these scripts download from one of the following locations:

adultmagstore.com/itc0h81
alkanshop.com/zrwcx8om
azaminsaat.com/nyzhvh2c
bwocc.org/dkttu
circolorisveglio.com/dw2hheb
coreywallace.com/qjkrlxp
corployalty.it-strategy.ru/p4icah5h
cruzdemiguel.com/jittrxkr
cz1321.com/zg4c4m
decorvise.com/g7k3n
denas-express.ru/fl5vy16
desthailand.com/wfmaq0az
disneyrentalvillas.com/k2ars5j2
downtownlaoffice.com/ixmh1
DSWRITINGS.ORG/lnf7gv
duvalitatli.com/umx3btc1
executivegolfmanagement.com/qtzsegm6
firephonesex.com/bxuobuam
fjbszl.com/m4q1pmr5
fraildata.net/09rz1jcj
fraildata.net/4s1szk77
fraildata.net/5ti18g
fraildata.net/9b8cba
getitsold.info/cndrdsu9
girlsoffire.com/d2k0b967
GNSTUDIO.NET/sxv6fhqo
greenmedicalgroup.org/dy7s5
gruffcrimp.com/352gr0
gruffcrimp.com/5inrze
gruffcrimp.com/8vzak
gruffcrimp.com/bki56h
gunnisonkoa.com/d5cw6
gzxyz.net/zznej
hetaitop.com/pgq8e
infopea.com/bm747o9
iwebmediasavvy.com/eu7mq36w
jejuep.com/jh7rrgbi
jejui.com/j1ldsf
julianhand.com/hollu
jzmkj.net/y7tf2
kak-vernut-devushku.gq/rwlr9
kirijones.net/2b8fnrqm
kirijones.net/4v7574mp
kirijones.net/66wey
kirijones.net/a2r3pme
lqfrdj.com/rbpkt
luobuma8.com/h5hq2que
myboatplans.net/p8gik2g8
nightpeople.co.il/o8le7
onlysalz.com/xjo100
payrentonline.org/l3mdiv7y
pblossom.com/t78u8
potchnoun.com/06p2vxua
potchnoun.com/38j2xn
potchnoun.com/5ngsn8g5
potchnoun.com/8x2nt
privateclubmag.com/wyztr73
prodesc.net/x7nlxq
relentlesspt.com/faisexor
riyuegu.net/o69ecb
royallife.co.uk/mx5nck
ryanrandom.com/hwv97p8
scope-t.com/loinhgm
sexybliss.co.uk/en8ds7nt
sunproductivity.com/m6ot1
taiyuwanli.com/cpkd9
theleadershipdoc.com/wm1bv
turservice.xaker007.net/k92b92
ukdistributionservices.com/x1397
vowedbutea.net/2f1okfif
vowedbutea.net/5491o
vowedbutea.net/8jtnj8nt
vowedbutea.net/apupuyh3
weekcoupon.com/hggbcg
wjyunfanbs.com/ihku0r53
www.studiorif.ru/toiu7
xn--80aa3c3a.xn--b1aajgfxm2a9g.xn--p1ai/xip5lltq
xn--b1aajgfxm2a9g.xn--p1ai/dxd3v
yourrealestateconnection.us/rlfh0

The malware phones home to the following URLs:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)


The following URLs are also contacted but are not active:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
81.177.22.221
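The download locations, the C2 URLs and the blocklist above are three different kinds of indicator, and they match web-proxy logs in three different ways: the downloads by exact host and path (or more weakly by host alone, since these are hacked legitimate sites), the C2 by the linuxsucks.php path on any of the listed servers, and the blocklist by IP address including the whole 109.234.35.0/24 range. The following is an added example, not code from the original post, that loads a subset of the indicators above and scans a constructed proxy log for them. It generalises to the other Locky posts on this page, whose blocklists also mix bare addresses with CIDR ranges; the log format (timestamp, client, method, URL, status) is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators transcribed from the post above. A subset of the download locations
# is enough to show the matching; the C2 and blocklist entries are complete.
DOWNLOAD_URLS = [
    "adultmagstore.com/itc0h81",
    "DSWRITINGS.ORG/lnf7gv",
    "fraildata.net/09rz1jcj",
    "www.studiorif.ru/toiu7",
    "xn--b1aajgfxm2a9g.xn--p1ai/dxd3v",
]
C2_URLS = [
    "109.234.35.215/linuxsucks.php",
    "91.200.14.124/linuxsucks.php",
    "185.102.136.77/linuxsucks.php",
    "81.177.22.221/linuxsucks.php",
]
BLOCKLIST = ["109.234.35.0/24", "91.200.14.124", "185.102.136.77", "81.177.22.221"]


def norm_host(host):
    """Lower-case, strip a trailing dot and a leading www. so variants compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def split_ioc(url):
    """'HOST/path' or 'scheme://HOST/path' -> (normalised host, path without leading slash)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return norm_host(parts.hostname), parts.path.lstrip("/")


DOWNLOADS = {split_ioc(u) for u in DOWNLOAD_URLS}
DOWNLOAD_HOSTS = {host for host, _ in DOWNLOADS}
C2_PATHS = {path for _, path in (split_ioc(u) for u in C2_URLS)}
# Bare IPs become /32 networks; strict=False tolerates host bits set in a prefix.
NETWORKS = [ipaddress.ip_network(entry, strict=False) for entry in BLOCKLIST]


def classify(url):
    """Return the reasons a requested URL matches the indicators (empty list = clean)."""
    host, path = split_ioc(url)
    reasons = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # hostname rather than a literal IP
    if addr is not None:
        for net in NETWORKS:
            if addr in net:
                reasons.append(f"ip {addr} in blocklist {net}")
                break
    if (host, path) in DOWNLOADS:
        reasons.append("known Locky download URL")
    elif host in DOWNLOAD_HOSTS:
        # Weaker signal: the downloads sit on compromised sites that also serve legitimate pages.
        reasons.append("host seen serving the Locky downloader")
    if path in C2_PATHS:
        reasons.append("Locky C2 path")
    return reasons


def scan_log(lines):
    """Scan 'timestamp client method url status' proxy lines; return (client, url, reasons) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits


# Constructed proxy log for the demonstration, not real traffic.
SAMPLE_LOG = [
    "1477325280.101 10.0.0.21 GET http://DSWRITINGS.ORG/lnf7gv 200",
    "1477325281.220 10.0.0.21 GET http://www.studiorif.ru/toiu7 200",
    "1477325299.004 10.0.0.21 POST http://109.234.35.17/linuxsucks.php 200",
    "1477325305.917 10.0.0.21 POST http://91.200.14.124/linuxsucks.php 200",
    "1477325310.000 10.0.0.33 GET http://adultmagstore.com/about 200",
    "1477325311.000 10.0.0.40 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Note that 109.234.35.17 is not one of the C2 addresses listed, but it falls inside the recommended /24 and it is being sent a linuxsucks.php request, which is exactly the kind of hit a range-based blocklist is meant to produce. The host-only match on adultmagstore.com is reported separately because it is a much weaker signal and should be triaged rather than blocked outright.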



Thursday, 6 October 2016

Malware spam: "Invoice-123456-12345678-123-A1B2C3D4" / "01635 279370"

This fake financial spam leads to malware:

From:    invoices@[redacted].com
Date:    6 October 2016 at 07:16
Subject:    Invoice-365961-42888419-888-DE0628DA

Dear Customer,

Please find attached Invoice 42888419 for your attention.

Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

### This mail has been sent from an un-monitored mailbox ###

The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc.

The telephone number appears to belong to a company called Stearn who have absolutely nothing to do with this spam.

The sample I sent for automated analysis [1] [2] downloads some data from:

eaglemouth.org/d5436gh 

I know from my sources (thank you, you know who you are) that there are additional download locations at:

dabihfluky.com/d5436gh
fauseandre.net/d5436gh


This particular variant of Locky ransomware uses black hat hosting for this download location rather than a hacked legitimate site. All these domains are hosted on the following IPs:

62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France)


Furthermore, those IPs are associated with these malicious domains (active ones are in bold):


stenokeid.org
dabihfluky.com
veddanagor.net
eaglemouth.org

writewile.su
bebopamelu.su
anoamans.com
shuspong.com
tchawane.com
teetypoop.com
thokelieu.com
uredosafe.com
awaftaxled.com
clankcutup.com
droukulnad.com
gweedbizen.com
haikhhoose.com
muangbouge.com
ovinekusum.com
shinalumen.com
wellyzimme.com
grimkonde.net
steyjixie.net
pryerungot.net
unzenjerib.net
uphershoji.net
palialawi.org

All of these are tagged for malware by SURBL. Most of them have either anonymous registration or obviously fake details, although this one (for the domain steyjixie.net) stands out:

Registry Registrant ID:
Registrant Name: Taras Ponomarev
Registrant Organization: N/A
Registrant Street: g. Belgorod, ul. Malysheva 96, kv. 124
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 111111
Registrant Country: RU
Registrant Phone: +7.527221603
Registrant Fax: +7.527221603
Registrant Email: info@steyjixie.net
Registry Admin ID: 
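Even a registrant record that looks complete can give itself away by not being consistent with itself: here the street address is in Belgorod while the city is given as Moscow, the postal code is six identical digits, the fax number is a copy of the phone number, and the contact address is at the very domain being registered. The following is an added example, not code from the original post, that parses a whois excerpt of the form quoted above and flags those inconsistencies as a triage aid. The street-versus-city check only understands the Russian "g." (city) abbreviation seen in this record, and all thresholds are heuristics rather than proof of anything.

```python
import re

# Registrant record copied from the post above (the steyjixie.net whois excerpt).
WHOIS_SAMPLE = """\
Registry Registrant ID:
Registrant Name: Taras Ponomarev
Registrant Organization: N/A
Registrant Street: g. Belgorod, ul. Malysheva 96, kv. 124
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 111111
Registrant Country: RU
Registrant Phone: +7.527221603
Registrant Fax: +7.527221603
Registrant Email: info@steyjixie.net
Registry Admin ID:
"""


def parse_whois(text):
    """Turn 'Key: value' whois lines into a dict; keys with no value map to ''."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def registrant_oddities(record, domain):
    """Return a list of internal inconsistencies in a registrant record (empty = none found)."""
    flags = []
    postal = record.get("Registrant Postal Code", "")
    if postal and len(set(postal)) == 1:
        flags.append("postal code is a single repeated digit")
    phone = record.get("Registrant Phone", "")
    if phone and phone == record.get("Registrant Fax", ""):
        flags.append("phone and fax numbers are identical")
    contact = record.get("Registrant Email", "").lower()
    if contact.endswith("@" + domain.lower()):
        flags.append("contact email is at the domain being registered")
    street = record.get("Registrant Street", "").lower()
    city = record.get("Registrant City", "").lower()
    # Heuristic for Russian addresses: "g. <name>" in the street line names the city.
    match = re.search(r"\bg\.\s*([a-z-]+)", street)
    if match and city and match.group(1) != city:
        flags.append(f"street names city '{match.group(1)}' but city field is '{city}'")
    return flags


if __name__ == "__main__":
    for flag in registrant_oddities(parse_whois(WHOIS_SAMPLE), "steyjixie.net"):
        print("-", flag)
```

The point of a check like this is to rank which records deserve a human look; a record that trips several of these at once is far more likely to be fabricated than one that trips a single one, and a clean result does not make a registration legitimate.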


A DLL is dropped with a detection rate of 13/56.

UPDATE

I completely forgot to include the C2. D'oh.

109.248.59.164/apache_handler.php (Netart, Russia)

Recommended blocklist:
62.84.69.75
85.118.45.12
109.248.59.164

Wednesday, 5 October 2016

Malware spam: "complaint letter" leads to Locky

This spam email message has a malicious attachment that leads to Locky ransomware:

Subject:     complaint letter
From:     Jae Mason
Date:     Wednesday, 5 October 2016, 10:48

Dear [redacted], client sent a complaint letter regarding the data file you provided.

The letter is attached. Please review his concerns carefully and reply him as soon as possible.

The sender name will vary. Attached is a ZIP file with a name in the format complaint_letter_955ce806.zip which contains a malicious .WSF script.

My source tells me that the scripts download from one of the following locations:

all-rides.com/owav14
bbs.vlibang.com/ojojbry
caggynext.net/0vm80
caggynext.net/1yz517
caggynext.net/36z66i
caggynext.net/6mcco3s
carpetcleaningwestchesterny.net/j2pkoex
dom-dekor.net/q62g3
drewolea.net/0fuhybw0
drewolea.net/1lc09
drewolea.net/25do4q7
drewolea.net/3r9jke
enricobasili.com/m4fqj4lt
goodkiddy.com/pvn5l
idealuze.com/lu814bj
instantstamp.com/j50mt
kencaedu.com/25do4q7
klamathkinetic.org/11c84e3
knoozroom.com/igv7j9e
lanamusty.net/11c84e3
lanamusty.net/1z5vbh
lanamusty.net/3b33zp
lanamusty.net/72mjp
lev-pr.com/i2acpqa1
lgbtbookstore.com/gech2hc
lzeshine.com/girq6q
markjenningsbates.com/72mjp
mediaalias.com/lplgnnaf
minoritycounselor.com/j8365gb
motionthatmovesme.com/h1n2ix7
mysolosource.com/l3x3oczx
ndsemi.com/gy5tw
nuntatimisoara.com/ekrc0i6
nuociss.com/b5ebfsuy
nytaihao.com/ffaw7
pattumalamatha.com/e7r2v1t
phohchaui.com/0mvwos0
phohchaui.com/1xqbcjm
pmfaccountant.com/ggbvw1nj
pobreloco.com/36z66i
praxis-blechert.de/t86h1a
rdoent.com/okq0h9
sasguildford.com/yccemkwd
semes.sk/y0fmps
shingpohk.com/wc2mp0d
snehil.com/vfksxp
sotaygiadinh.net/t9ifk7j
sportowy.info/tbccuj
supergem.net/mri7i
talentinzicht.eu/va7tgx6
technix.ca/jbatquey
theshopwiz.com/t6epks
tiaocuo.org/z4nyglmm
tulisasource.com/rne42v8
turkbyte.com/q7zorra
upper-classmen.com/k1hd6
vincentsvineyard.com/z02mw8ab
www.resumebuddy.net/rcz888
yinstrage.com/0g9b921
yinstrage.com/1tsi2zr
yinstrage.com/2ld6aep
yinstrage.com/5s56ss

There are no C2 servers.

Malware spam: "Document from.." leads to Locky

I have only received a single sample of this spam; presumably it comes from random senders. There is no body text in my sample.

Subject:     Document from Paige
From:     Paige cuddie (Paige592035@gmail.com)
Date:     Wednesday, 5 October 2016, 9:37

In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script [pastebin] DOC-20161005-WA0002715.wsf.

Automated analysis [1] [2] shows this sample downloads from:

euple.com/65rfgb?EfTazSrkG=eLKWKtL

There will be many other locations besides this.

Those same reports show the malware (in this case Locky ransomware) phoning home to:

88.214.236.36/apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100/apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)


The sample I found downloaded a legitimate binary from ciscobinary.openh264.org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.

Recommended blocklist:
88.214.236.0/23
109.248.59.0/24