
Tuesday, 8 November 2016

Malware spam: "Statement" leads to Locky

Another terse fake financial spam leading to Locky ransomware:

Subject:     Statement
From:     accounts@somedomain.tld
Date:     Tuesday, 8 November 2016, 10:59

For your Information.
The sender domain varies. Attached is a ZIP file with a name similar to Statement PDF - 56765041263.zip, which in turn contains a malicious WSF script (like this) named in a format similar to SLM245260-0214.wsf. A .wsf file is run by the Windows Script Host when double-clicked, so the ZIP-plus-script combination is the thing to filter on, not the particular filename.

Hybrid Analysis of this one sample shows a download occurring from:

gpstrackerbali.com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG

There will no doubt be many other locations; if I get more information then I will post it here. The script drops a DLL with a detection rate of 14/56 and the malware appears to phone home to:

185.118.66.90/message.php (vpsville.ru, Russia)
158.69.223.5/message.php (OVH, Canada)


Recommended blocklist:
185.118.66.90
158.69.223.5

Monday, 7 November 2016

Malware spam: "Financial documents" leads to Locky

The never-ending Locky ransomware onslaught continues. This fake financial spam has a malicious attachment:

Subject:     Financial documents
From:     Judy Herman
To:     [redacted]
Date:     Monday, 7 November 2016, 10:53

Hi [redacted],

These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.

Best Wishes,
Judy Herman 
Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:

http://coachatelier.nl/lg8s2
http://bechsautomobiler.dk/m8idi9j
http://desertkingwaterproofing.com/ma4562
http://zapashydro.net/6sgto2bd
http://owkcon.com/6xgohg6i

According to this Hybrid Analysis, the malware then phones home to:

195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181




Thursday, 3 November 2016

Malware spam: "!!! Urgent payment request" from random senders leads to Locky

This spam comes from random senders; the name in the "From" field always matches the fake email signature. The number of exclamation marks in the subject varies, and the payload is Locky ransomware.


Subject:     !!! Urgent payment request
From:     erika.whitwell@hillcrestlife.org (erika.whitwell@hillcrestlife.org)
Date:     Thursday, 3 November 2016, 10:01

ERIKA WHITWELL

Telefon: +49 1592 / 51-2545
Fax: +49 1592 / 5166-2545
E-Mail:
erika.whitwell@hillcrestlife.org

Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly-named malicious javascript file (e.g. 8357243996-7378883150-201611233647-0661.js) which looks like this [pastebin].
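All three Locky runs on this page deliver the same thing in different wrappers: a ZIP with a campaign-specific name containing a Windows script (.wsf, .vbs or .js). The following is an added example, not code from the original post, of a mail-gateway attachment check that flags both the archive names quoted in the three posts (Statement, Financial documents, Urgent payment request) and, more usefully, any script file inside a ZIP regardless of its name. The sample archives are constructed in memory with placeholder content; the regexes are my generalisation of the example filenames quoted above.

```python
import io
import re
import zipfile

# Archive-name patterns generalised from the example names quoted in the three
# Locky posts on this page (assumption: the random parts keep the same shape).
ARCHIVE_NAME_PATTERNS = {
    "statement": re.compile(r"^Statement PDF - \d+\.zip$", re.I),
    "fin_docs": re.compile(r"^fin_docs_[0-9a-f]{8}\.zip$", re.I),
    "urgent_payment": re.compile(r"^\d{10}-\d{10}-\d{12}-\d{4}\.zip$"),
}

# Script types these runs used; extend with .jse/.vbe/.hta etc. as you see fit.
SCRIPT_EXTENSIONS = {".js", ".wsf", ".vbs"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment.

    Flags (1) archive names matching a known campaign pattern and (2) any
    script file inside the ZIP whatever the archive is called, because the
    naming changes between runs while the payload type does not.  The
    extension check uses the last dot, so "report.pdf.js" is still caught.
    """
    verdict = {"filename": filename, "name_match": None, "scripts": [], "block": False}
    for label, pattern in ARCHIVE_NAME_PATTERNS.items():
        if pattern.match(filename):
            verdict["name_match"] = label
            break
    if not filename.lower().endswith(".zip"):
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
                if ext in SCRIPT_EXTENSIONS:
                    verdict["scripts"].append(name)
    except zipfile.BadZipFile:
        verdict["corrupt"] = True  # unreadable archive: let a human look at it
        return verdict
    verdict["block"] = bool(verdict["scripts"]) or verdict["name_match"] is not None
    return verdict


def build_zip(inner_name: str, content: bytes) -> bytes:
    """Constructed sample archive for the demo; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


# Constructed samples using the filenames quoted in the posts, with placeholder
# bodies instead of the real scripts.
SAMPLES = {
    "Statement PDF - 56765041263.zip": build_zip("SLM245260-0214.wsf", b"<job></job>"),
    "fin_docs_f73856f4.zip": build_zip("NRV_A194008F_.vbs", b"' placeholder"),
    "5148202750-2115939053-201611153218-5476.zip": build_zip(
        "8357243996-7378883150-201611233647-0661.js", b"// placeholder"),
    "invoice_2016-11.zip": build_zip("invoice.pdf", b"%PDF-1.4 placeholder"),
}


def scan_samples() -> dict:
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in scan_samples().items():
        state = "BLOCK" if v["block"] else "pass "
        print(f"{state} {name}  pattern={v['name_match']}  scripts={v['scripts']}")
```

The name patterns are there for attribution; the script-inside-ZIP rule is what actually stops the next run, which will use different names.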

Analysis is pending. Please check back later.

UPDATE

This Hybrid Analysis shows the script downloading from:

dornovametoda.sk/jhb6576?jPUTusVX=GXNaiircxm

There will be lots of other download locations too. That same report shows the malware phoning home to the following C2 servers (which overlap somewhat with those found here):

194.28.87.26/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
109.234.34.227/message.php (McHost.Ru, Russia)


Recommended blocklist:
194.28.87.26
93.170.123.119
109.234.34.0/24




Moar Locky 2016-11-03

I haven't had much time to look at the Locky runs overnight, but here is a data dump of download locations and C2s (at the bottom) from my usual reliable source:

Download locations:
10minutesto1.net/d05k5d
1stop-entertainment.com/ztpt8d0
3rock.ie/qdq1fv4c
3tr.ru/f92o6
a1match.dk/spcmi8qp
ac-elektrik.com/tvb20i
affordablewebsitesolutions.net/hdeaf
akira-sushi34.ru/przgzq
alexchen.name/aw9yipi
alexchen.name/c3ortzkj
alexeliades.com/fxhrz4
alkatech.gr/x3z70
allgameserver.com/ewxhiknt
allur.com.ua/skiz8q
alphabet-city.com.au/cbfi1
amadistrit.com/1bnao0hm
amadistrit.com/47r6wm
amadistrit.com/7exev9x1
amadistrit.com/9qci0
asambleacristiana.com.ar/e6q09un
assuredtenancyagreement.co.uk/yrz0c4v
astrainks.com/wdb2s8ny
ateliebucal.com/mxxnu
batavia-restaurant.nl/vk3p2se
bddja.com/p0u44p8z
bestcomp.ge/cp0oag4r
beta-net.lt/htfpant
beyondthedeals.com/iv41b8mg
bios.gr/mwrbr
burgeravenue.ru/tl0wf2ls
camdo89.com/rs0o9
campagno.com.au/gz4lot
carblogger.net/tzf9ba
ceramacity.ru/v6fjk
cnesa.cn/au6rql7
cokealong.com/0l609
cokealong.com/2ylfay
cokealong.com/6z1n11
cokealong.com/8qa1in
cokseyvar.com/fsodg2ho
colagung.com/izm4t243
contiades.gr/lhj4kx6
cxsite.net/l8tn0z
cyrilunrun.com/07ubcvl
cyrilunrun.com/2jnf9f8b
cyrilunrun.com/4x9yp6
cyrilunrun.com/7u1lgycs
dadashop.no/yfks5f9z
damoresilvia.com.ar/aulkfvs
deadpuppetsociety.com.au/mzgtl9z
de-btc.ru/xe1j6kx
decoulissen.be/vtdn792
derekbrooker.ca/xzziio9
dh1789.com/tu4ry8
dhback.com/hgp825l
diplocam.cm/zec5nk
douledu.com/h5vpn
dpshop.it/cq2we
drukarnia.lodz.pl/olsyi7
dtmx.pl/o0ico52
dulawa.pl/hbskw
edeldental.hu/rv97fz
edrsoft.com/atttlti
ertebat24.ir/n2khs
evotrade.ro/toz1iqw
exideworld.com.cn/zh2xd6
ezimu.com/dziykl
f8development.be/at2fpz
fiveclean.com/14msj3
fiveclean.com/3mz5l6t
fiveclean.com/76wl2
fiveclean.com/9q8jjta
kekjacint.hu/nygdhk
meskatha.com/2ccjhik
meskatha.com/49x930
meskatha.com/7i1ko82
meskatha.com/a0flf
www.50mi.cn/lbcc88r
www.compsec.co.nz/lpmn9vw
www.cvdesign.nl/h7fid1op
028happy.com/kjg56f7
1140746.net/kjg56f7
abercrombiesales.com/kjg56f7
accenti.mx/kjg56f7
acrilion.ru/kjg56f7
ahmetaksan.com/kjg56f7
alphabureau.ma/kjg56f7
antivirus.co.th/kjg56f7
apidesign.ca/kjg56f7
asastaff.com/kjg56f7
auwm.ru/kjg56f7
babuandanji.jp/kjg56f7
babyparka.ca/kjg56f7
bazkomp.pl/kjg56f7
bemmart.net/kjg56f7
bepxep.com/kjg56f7
bilisimarsivi.com/kjg56f7
blakslee.com/kjg56f7
boraba.net/kjg56f7
brokerclub.lt/kjg56f7
budeanu.ro/kjg56f7
buh-uchet71.ru/kjg56f7
byensbilleje.dk/kjg56f7
canals.cn/kjg56f7
capitalintroductionservices.com/kjg56f7
chaturk.com/kjg56f7
chuandishe.com/kjg56f7
cip.edu.pk/kjg56f7
cluster09server.com/kjg56f7
concern-block.ru/kjg56f7
daivupaint.com/kjg56f7
damai0769.com/kjg56f7
dela-cruz.eu/kjg56f7
delfin-lait.ru/kjg56f7
dienmaykhanhhuy.com/kjg56f7
dinglihn.com/kjg56f7
ding.sk/kjg56f7
discuzshop.com/kjg56f7
dongwooclean.com/kjg56f7
donrigsby.com/kjg56f7
draiveris.lt/kjg56f7
drede.ro/kjg56f7
dudenman.net/kjg56f7
dunyam.ru/kjg56f7
earthboundpermaculture.org/kjg56f7
edrian.com/kjg56f7
efson.707.cz/kjg56f7
eplotery.pl/kjg56f7
ev-entertainment.nl/kjg56f7
fcarmida.ru/kjg56f7
fedsav.com/kjg56f7
guardrupia.com/kjg56f7
inzt.net/kjg56f7
morgkelly.net/kjg56f7
365aiwu.net/43ftybb8
421pfyy.com/43ftybb8
677spo.com/43ftybb8
abgr.ru/43ftybb8
abrahams.ch/43ftybb8
adasulamasistemleri.com/43ftybb8
aifgroup.jp/43ftybb8
aircrew.co.in/43ftybb8
alkfor.ru/43ftybb8
allebanken.net/43ftybb8
almaks-mr.ru/43ftybb8
animals.org.il/43ftybb8
anime-one.com/43ftybb8
arnaudgranata.com/43ftybb8
atart.cn/43ftybb8
atforum.pl/43ftybb8
autoabs.lt/43ftybb8
automaler.ru/43ftybb8
awaelschool.com/43ftybb8
ayulduz.biz/43ftybb8
baraonda.gr/43ftybb8
basketballninja.com/43ftybb8
bassguitartips.com/43ftybb8
battleduck.ch/43ftybb8
bdvdo.net/43ftybb8
beamit.be/43ftybb8
beautyexpress.com.au/43ftybb8
bechsautomobiler.dk/43ftybb8
bestprservices.com/43ftybb8
bha-group.eu/43ftybb8
bhatiarasayanudyog.in/43ftybb8
birthdaystoday.net/43ftybb8
bluehost.hu/43ftybb8
bogaziciradyo.com/43ftybb8
bst.tw/43ftybb8
buhlmend.net/43ftybb8
bvn.lt/43ftybb8
cabanaionela.ro/43ftybb8
carmenortigosa.com/43ftybb8
casadalocacao.com/43ftybb8
chandrphen.com/43ftybb8
cheappaintball.net/43ftybb8
cheedellahousing.com/43ftybb8
chinatea.ro/43ftybb8
christen-in-nuernberg.de/43ftybb8
christmas-metal-meeting.de/43ftybb8
city-charger.ru/43ftybb8
classicnet.ir/43ftybb8
club-impact.ro/43ftybb8
coachatelier.nl/43ftybb8
coinobras.com/43ftybb8
consardproiectare.ro/43ftybb8
contserv.ro/43ftybb8
corinnenewton.ca/43ftybb8
cxsd.com.cn/43ftybb8
cyclingpromotion.com.au/43ftybb8
cyprushealthservices.com/43ftybb8
d2dlaundry.com/43ftybb8
debki-klara.pl/43ftybb8
deborahshallcross.com/43ftybb8
decactus.cl/43ftybb8
delanothayer.cl/43ftybb8
dersiz.com/43ftybb8
desertkingwaterproofing.com/43ftybb8
diandiandx.com/43ftybb8
drossell.com/43ftybb8
dwcell.com/43ftybb8
ecomission.com.au/43ftybb8
edu-net.ro/43ftybb8
ejiavip.com/43ftybb8
eldamennska.is/43ftybb8
el-sklep.com/43ftybb8
enkobud.dp.ua/43ftybb8
erotes.gr/43ftybb8
eskopb.com/43ftybb8
eurotrading.com.ua/43ftybb8
evogelbacher.de/43ftybb8
fazilusta.com/43ftybb8
fibrotek.com/43ftybb8
filmsites.nl/43ftybb8
gzycgj.com/43ftybb8
irk.24abcd.ru/43ftybb8
pastelesallegro.mx/43ftybb8
wonnapian.com/43ftybb8
ws.osenilo.com/43ftybb8
xiguacity.com/43ftybb8

C2s:
51.255.107.20/message.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
85.143.215.209/message.php (PrdmService LLC / Comfortel Ltd / Trader soft LLC, Russia)
91.230.211.103/message.php (Optibit LLC, Russia)
91.239.232.171/message.php (Hostpro Ltd, Ukraine)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
194.28.87.26/message.php (Hostpro Ltd, Ukraine)
51.255.107.20/linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
194.28.87.26/linuxsucks.php (Hostpro Ltd, Ukraine)

Recommended blocklist:
51.255.107.20
85.143.215.209
91.230.211.103
91.239.232.171
93.170.123.119
194.1.239.152
194.28.87.26
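The dumps above follow a fixed shape: compromised sites with a short random path for the download stage, and bare IP addresses with /message.php or /linuxsucks.php for check-in. As an added example, not part of the original post, here is a parser for that format plus a matcher that runs the resulting indicators over proxy log lines in Squid's native access-log layout. It also flags a POST to /message.php on any bare IP, which is the check-in pattern every C2 on this page shares; that heuristic is my generalisation, not something the post states. The IOC excerpt and the log lines are constructed inline (the log client and peer addresses are documentation-range placeholders).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Excerpt of the lists above, in the post's own "host/path (org, country)" format.
IOC_TEXT = """
Download locations:
10minutesto1.net/d05k5d
amadistrit.com/1bnao0hm
amadistrit.com/47r6wm
coachatelier.nl/43ftybb8
www.compsec.co.nz/lpmn9vw

C2s:
51.255.107.20/message.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
194.28.87.26/message.php (Hostpro Ltd, Ukraine)
51.255.107.20/linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ioc_dump(text: str) -> dict:
    """Split the dump into download hosts/URLs and C2 IPs/paths.

    The "(org, country)" annotation and any query string are dropped; query
    strings on the download URLs vary per victim and are not useful to match on.
    """
    iocs = {"download_hosts": set(), "download_urls": set(), "c2_ips": set(), "c2_paths": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1].lower()
            continue
        entry = line.split(" (", 1)[0].split("?", 1)[0]
        host, _, path = entry.partition("/")
        if section and section.startswith("c2"):
            if IPV4.match(host):
                iocs["c2_ips"].add(host)
                iocs["c2_paths"].add("/" + path)
        else:
            iocs["download_hosts"].add(host.lower())
            iocs["download_urls"].add(entry.lower())
    return iocs


def classify_request(method: str, url: str, iocs: dict):
    """Return a verdict label for one request, or None if it matches nothing."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host in iocs["c2_ips"] and path in iocs["c2_paths"]:
        return "locky_c2"
    if IPV4.match(host) and path in iocs["c2_paths"] and method.upper() == "POST":
        return "suspect_c2"  # same check-in shape, IP not on the list yet
    if host + path in iocs["download_urls"]:
        return "locky_download"
    if host in iocs["download_hosts"]:
        return "locky_download_host"  # compromised site, other path
    return None


def scan_proxy_log(lines, iocs: dict) -> list:
    """Squid native log: time elapsed client code/status bytes method URL ..."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        verdict = classify_request(method, url, iocs)
        if verdict:
            hits.append((client, verdict, url))
    return hits


def recommended_blocklist(iocs: dict) -> list:
    """C2 IPs in numeric order, the way the post's blocklists are written."""
    return sorted(iocs["c2_ips"], key=ipaddress.ip_address)


# Constructed log lines, not captured traffic.
SAMPLE_LOG = [
    "1478163000.101    312 10.1.2.3 TCP_MISS/200 198345 GET http://amadistrit.com/47r6wm - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1478163005.220     45 10.1.2.3 TCP_MISS/200 512 POST http://51.255.107.20/message.php - HIER_DIRECT/51.255.107.20 text/html",
    "1478163009.004     40 10.1.2.9 TCP_MISS/200 510 POST http://203.0.113.77/message.php - HIER_DIRECT/203.0.113.77 text/html",
    "1478163011.777    120 10.1.2.4 TCP_MISS/200 40210 GET http://amadistrit.com/index.html - HIER_DIRECT/203.0.113.10 text/html",
    "1478163020.500     15 10.1.2.5 TCP_MISS/200 3000 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    iocs = parse_ioc_dump(IOC_TEXT)
    for client, verdict, url in scan_proxy_log(SAMPLE_LOG, iocs):
        print(f"{client:12} {verdict:20} {url}")
    print("blocklist:", " ".join(recommended_blocklist(iocs)))
```

The download-host match is deliberately looser than the download-URL match: several of the sites above serve four or five different paths, so a hit on the host alone is worth a look even when the path is new.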

Wednesday, 2 November 2016

Malware spam: "Companies House - new company complaint" / noreply@companies-house.me.uk / noreply@companieshouses.co.uk leads to TrickBot

This fake Companies House spam leads to TrickBot malware:

From:    Companies House [noreply@companieshouses.co.uk]
Date:    2 November 2016 at 11:51
Subject:    Companies House - new company complaint
Signed by:    companieshouses.co.uk

Investigations and Enforcement Services

This message has been auto-generated in response to the company complaint submitted to our WebFiling service.

The submission number is ID109202DLK02911

Please find the attached document for your review.

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Crown Logo
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500

The Cardiff office is open 24 hours a day for the receipt of documents. Contact Centre lines are open between 8.30am to 6pm (Monday to Friday)
Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.


The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:

    Registrant:
        Camell Williams

    Registrant type:
        Unknown

    Registrant's address:
        550 HOLTS LAKE CT STE 101
        Suite 101
        Apopka
        Florida
        32703
        United States


Both those domains are close to the genuine companieshouse.gov.uk, and because the email is digitally signed (the "Signed by" header above shows a DKIM signature for the spammers' own domain) it may get past spam filters that normal botnet-sent spam wouldn't. A passing DKIM or SPF check only proves the message came from the signing domain's own infrastructure; it says nothing about whether that domain is the one it is pretending to be.

All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.
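Since the signature here is valid for the wrong domain, the useful check at the gateway is not "does DKIM pass" but "is the From domain a lookalike of one we expect, and did it arrive from known-bad infrastructure". The following is an added example, not code from the original post, that makes that decision from already-parsed header facts: the From domain, the d= of a verified DKIM signature, and the connecting IP. The public-suffix list is a short hard-coded stand-in (an assumption; use the real Public Suffix List in production), and the sample messages are constructed, with a documentation-range address standing in for a genuine Companies House sender.

```python
import ipaddress
import re

# Taken from the post: the impersonated domain and the sending IPs.
GENUINE_DOMAIN = "companieshouse.gov.uk"
SPAM_SOURCE_IPS = {"172.99.84.190", "172.99.88.226"}

# Stand-in for the Public Suffix List (assumption for the demo); multi-label
# suffixes must come before their parents so ".co.uk" wins over ".uk".
SUFFIXES = (".gov.uk", ".co.uk", ".me.uk", ".org.uk", ".com", ".net", ".org", ".uk")


def core_label(domain: str) -> str:
    """Registrable label with punctuation removed: companies-house.me.uk -> companieshouse."""
    d = domain.lower().rstrip(".")
    for s in SUFFIXES:
        if d.endswith(s):
            d = d[: -len(s)]
            break
    d = d.rsplit(".", 1)[-1]  # drop subdomain labels
    return re.sub(r"[^a-z0-9]", "", d)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, genuine: str = GENUINE_DOMAIN, max_distance: int = 2) -> bool:
    """True when the registrable label is within a couple of edits of the
    genuine one but the domain itself is different (different suffix counts)."""
    if domain.lower().rstrip(".") == genuine:
        return False
    return levenshtein(core_label(domain), core_label(genuine)) <= max_distance


def assess_message(headers: dict) -> dict:
    """headers: from_domain, dkim_domain (d= of a signature the MTA already
    verified, or None) and client_ip.  In practice these come from the
    Authentication-Results and Received headers."""
    reasons = []
    from_domain = headers["from_domain"].lower()
    dkim_domain = (headers.get("dkim_domain") or "").lower()
    if dkim_domain and dkim_domain == from_domain:
        # Aligned and valid, but that only proves the signer owns from_domain.
        reasons.append("dkim_aligned")
    if is_lookalike(from_domain):
        reasons.append("lookalike_of_" + GENUINE_DOMAIN)
    try:
        if str(ipaddress.ip_address(headers["client_ip"])) in SPAM_SOURCE_IPS:
            reasons.append("known_spam_source_ip")
    except ValueError:
        reasons.append("bad_client_ip")
    block = any(r.startswith("lookalike_of_") or r == "known_spam_source_ip" for r in reasons)
    return {"block": block, "reasons": reasons}


# Constructed samples: the two spam senders from the post, a genuine-looking
# message (placeholder IP), and an unrelated unsigned message.
SAMPLE_MESSAGES = [
    {"from_domain": "companieshouses.co.uk", "dkim_domain": "companieshouses.co.uk", "client_ip": "172.99.84.190"},
    {"from_domain": "companies-house.me.uk", "dkim_domain": "companies-house.me.uk", "client_ip": "172.99.88.226"},
    {"from_domain": "companieshouse.gov.uk", "dkim_domain": "companieshouse.gov.uk", "client_ip": "203.0.113.5"},
    {"from_domain": "example.com", "dkim_domain": None, "client_ip": "198.51.100.7"},
]


def assess_samples() -> list:
    return [assess_message(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, assess_samples()):
        print(f"{'BLOCK' if verdict['block'] else 'pass '} {msg['from_domain']:24} {verdict['reasons']}")
```

Both spam domains come out as blocked with "dkim_aligned" still in the reason list, which is the point: the signature is genuine, the sender is not.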

Attached is a Word document Complaint.doc (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:

futuras.com/img/dododocdoc.exe

This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.

The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:

78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)


The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.

Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117