Phishing: "Office 365 Tax Refund Service" / updatemicrosoftonline.com

Microsoft Office 365 offering a tax refund service? Really? No, of course not, it's a phishing scam..

From:    Microsoft Office 365 Team [noreply@cloud.baddogwebdesign.com]
Date:    16 November 2016 at 10:58
Subject:    Office 365 Tax Refund Service

     Office 365 Microsoft


Office 365 Tax Refund Service.
    –
–    

CONFIGURE TODAY

Thanks for using Office 365. We are delighted to present our new service associated with HM Revenue & Customs. To continue processing your tax refund please configure your bank account.

It's easy to configure your bank account:

1     –    

Sign in to your account.
1     –    

Configure your bank account.
1     –    

You are eligible to receive a tax refund of £537.25 GBP

Thanks for subscribing to Office 365. We hope to continue serving you.
    –

–     Helpful resources

How to reactivate your Office 365 subscription
Already renewed? Verify your subscription here
What happens to my data and access when my subscription expires?
Get help and support for Office 365
    –
–    

This is a mandatory service communication. To set your contact preferences for other communications, visit the Promotional Communications Manager.

This message was sent from an unmonitored e-mail address. Please do not reply to this message.
Privacy | Legal
    –
–    

Microsoft Office
One Microsoft Way

The link in the email leads to updatemicrosoftonline.com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the email and the domain name it leads to an HMRC-themed phishing page..

This multi-phish page has twelve UK banks set up on it:

• Barclays
• Halifax
• HSBC
• Lloyds Bank
• NatWest
• Royal Bank of Scotland
• Santander
• TSB
• Metro Bank
• Clydesdale Bank
• The Co-Operative Bank
• Tesco Bank

Clicking on any of the links goes to a pretty convincing looking phish page, personalised for each bank and carefully extracting all the information they need for account theft.  The screenshots below are the sequence if you choose TSB bank.

Once you have entered all the information, the process appears to fail and you are directed to a genuine HMRC site instead.

A list of sites found in 89.248.168.0/24 can be found here [pastebin]. I suggest that the entire network range looks questionable and should be blocked.

Malware spam: "Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016" leads to Locky

This spam has an interestingly malformed subject, however the attachment leads to Locky ransomware:

Subject:     Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016
From:     KELLY MOORHOUSE (kelly.moorhouse@edbn.org)
Date:     Wednesday, 9 November 2016, 12:52

KELLY MOORHOUSE

Last & Tricker Partnership

3 Lower Brook Mews
Lower Brook Street
Ipswich Suffolk IP4 1RA
T: 01473 252961  F: 01473 233709  M: 07778464004
email: kelly.moorhouse@edbn.org

This e-mail and any attachments may contain confidential and privileged
information and is intended only for the use of the individual or entity to
which it is addressed. If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this e-mail and destroy any
copies from your system; you should not copy the message or disclose its
contents to anyone. Any dissemination, distribution or use of this
information by a person other than the intended recipient is unauthorized
and may be illegal. We cannot accept liability for any damage sustained as a
result of software viruses and advise you to carry out your own virus checks
before opening any attachment.

Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf) that looks like this.

For one sample script, the Hybrid Analysis and Malwr report indicate a binary is downloaded from one of the following locations:

alamanconsulting.at/0ftce4?aGiszrIV=gRLYYDHSna
naka-dent.mobi/0ftce4?aGiszrIV=gRLYYDHSna

This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56.

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)

These are the same C2s as seen here.

Recommended blocklist:
85.143.212.23
158.69.223.5

UPDATE

A full list of download locations from my usual source:
 
alamanconsulting.at/0ftce4
ayurvedic.by/0ftce4
ekaterinburg.kacatka.ru/0ftce4
hoangtranwater.com/0ftce4
hoteldseason.com/0ftce4
hotelvinayakpalace.in/0ftce4
hotloto.com/0ftce4
hqseconsulting.com/0ftce4
hupsoft.com/0ftce4
idontknow.eu/0ftce4
idplus.sg/0ftce4
ifreenet.it/0ftce4
ijai.fr/0ftce4
iloveyf.com/0ftce4
indospyshop.com/0ftce4
innsat.pl/0ftce4
inzt.net/0ftce4
iriscommunications.com.pk/0ftce4
istanbulsoft.com.tr/0ftce4
ivakil.com/0ftce4
jaysilverdp.com/0ftce4
jcuenca.es/0ftce4
jer.be/0ftce4
jingaiwang.com/0ftce4
joralan.es/0ftce4
jxhyhz.com/0ftce4
kembarastation.com/0ftce4
kenankaynak.com/0ftce4
ketoantamviet.edu.vn/0ftce4
konan.nl/0ftce4
kopeyskdom.ru/0ftce4
krasnodar-sp.ru/0ftce4
k-scope.ca/0ftce4
kyrre.cn/0ftce4
labtekindie.com/0ftce4
lacosanostra.co/0ftce4
lander.pl/0ftce4
laurenward.me/0ftce4
leftakis.gr/0ftce4
level3.tv/0ftce4
lifez.nl/0ftce4
lindafluge.no/0ftce4
lingerievalentine.ueuo.com/0ftce4
linkset.ro/0ftce4
lujin.ro/0ftce4
luke-woods.com/0ftce4
luostone.com/0ftce4
martos.pt/0ftce4
matbaa.be/0ftce4
mch.kz/0ftce4
mckm11.cba.pl/0ftce4
meditativyoga.net/0ftce4
micashu.org/0ftce4
michellemccarron.com/0ftce4
microscopiavirtual.cl/0ftce4
milagrotarim.com/0ftce4
mineralsteel.cl/0ftce4
mogadk.ru/0ftce4
mospi.ru/0ftce4
moydom.by/0ftce4
mschroll.de/0ftce4
mtsas.freehost.pl/0ftce4
muamusic.com/0ftce4
muellerhans.ch/0ftce4
musicphilicwinds.org/0ftce4
muziekupdate.nl/0ftce4
mvpdental.com/0ftce4
mypcdaddy.com/0ftce4
naarndonau.at/0ftce4
naka-dent.mobi/0ftce4
oontsheol.net/0ftce4
shukatsu-live.com/0ftce4
sport-grace.by/0ftce4
tikkatawgi.com/0ftce4
vologda.maxuma.ru/0ftce4
www.0898tz.com/0ftce4
www.limpotools.com/0ftce4

Malware spam: "Account temporarily suspended" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Nicole Roman
Date:    9 November 2016 at 10:44
Subject:    Account temporarily suspended

Dear Customer.

You have exceeded the limit of operations on your credit card.
Thus, we have temporarily blocked your account.
The full itemization of transactions and instructions are given in the document attached to this message.

Best regards.

The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, containing a randomly-named malicious .js script that looks like this

That particular script attempts to download a binary from one of the following locations (you can be sure there are others);

hippaupsup.com/3gc7c2rp
melkar.com/icfi5mg
inspireyouths.org/j48tb3
ausulifer.net/3xwpi
koratwifi.info/io4h3

This Hybrid Analysis and this Malwr report show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56.

No C2 locations have been identified yet. I will post them here if I get them.

Malware spam: "Your Amazon.com order has dispatched" leads to Locky

This summary is not available. Please click here to view the post.

Malware spam: "Suspicious movements" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Suspicious movements
From:     Marlene Parrish
Date:     Tuesday, 8 November 2016, 12:52

Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.
---
King regards,
Marlene Parrish
Account Manager
Tel.: 202-328-1800
U.S. Office of Personnel Management
1189 E Street, NW
Washington, DC 20415-1000

The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js) which looks like this (note the insane amount of whitespace).

That particular script downloads a malicious component from one of the following locations:

vexerrais.net/6sbdh
centinel.ca/wkr1j6n
3-50-90.ru/u4y5t
alpermetalsanayi.com/vuvls
flurrbinh.net/6mz3c5q

There will probably be other download locations. This Hybrid Analysis and this Malwr report show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56.

UPDATE

My usual reliable source (thank you) informs me that there are indeed C2 servers (see the end of the post). The download locations are as follows:

3-50-90.ru/u4y5t
365aiwu.net/hbdo6
85.92.144.157/y8giadzn
abclala.com/r2kvg2
abercrombiesales.com/nmuch6
accenti.mx/nryojp
acrilion.ru/84m9t
adriandomini.com.ar/bq62dx10
agorarestaurant.ro/cg06f
ajmontanaro.com/q9giar
alpermetalsanayi.com/vuvls
antivirus.co.th/jukwebgk
apidesign.ca/ijau8q2z
archmod.com/sapma828
assetcomputers.com.au/lkfpyww
avon2you.ru/ayz1waqm
ayurvedic.by/b9kk9k
babuandanji.jp/lq9kay
bepxep.com/mo05j41
berrysbarber.com/q6qsnfpf
bielpak.pl/a79a64h
bjshicheng.com/blewwab
bst.tw/gnjeebt
cafedelrey.es/snby1c
centinel.ca/wkr1j6n
cgrs168.com/xmej0mc
chandrphen.com/h4b1k
chaturk.com/mxaxemv1
cheedellahousing.com/h24ph1
ck.co.th/r2k6i6
codanuscorp.com/ay5v52r1
comovan.t5.com.br/byev5nd
competc.ca/qrc9n
concern-block.ru/nijp1xq
corinnenewton.ca/ctlt8b
cosmobalance.com/jsqlt0g
dekoral.eu/twnyr1s
dessde.com/zcwaya
dinglihn.com/zg3pnsj
dmamart.com/c5l2p
donrigsby.com/nts0mk
dowfrecap.net/0d08tp
dowfrecap.net/3muv7
dowfrecap.net/6f9tho
dowfrecap.net/7qd7rck9
drkitchen.ca/y5jllxe
drmulchandani.com/d6ymtf62
dunyam.ru/jge1b3e
dwcell.com/dph861ws
earthboundpermaculture.org/okez95b
edrian.com/dfc33k67
edubit.eu/b6ye94wv
eldamennska.is/h4yim
elektronstore.it/z298ejb9
elleart.nl/gn3pim41
eroger.be/918p2q
fibrotek.com/deoq2
flurrbinh.net/0nbir64
flurrbinh.net/3nrgpb
flurrbinh.net/6mz3c5q
flurrbinh.net/7wi66hp
geethikabedcollege.com/766epkuj
handsomegroup.com/ae2y1hr0
inzt.net/lbrisge
lashouli.com/rq4xoq3
odinmanto.com/0cz2zwz
odinmanto.com/2rw12
odinmanto.com/57evyr
odinmanto.com/7gplz
pastelesallegro.mx/ex67ri8
thisnspeel.com/04u77s
thisnspeel.com/2qrn06f
thisnspeel.com/3ypojyl0
thisnspeel.com/766epkuj
vexerrais.net/1jk8n
vexerrais.net/3nx3w
vexerrais.net/6sbdh
vexerrais.net/84fwijj
villaamericana.net/84fwijj
www.cutillas.fr/lmc80sdb

C2s:

185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd, Ukraine)
195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Latvia)
185.102.136.127/message.php [hostname: koltsov12.mgn-host.ru] (MGNHost, Russia)
188.65.211.181/message.php (Knopp, Russia)

Recommended blocklist:
185.67.0.102
195.123.211.229
185.102.136.127
188.65.211.181