Dynamoo's Blog

Tuesday, 22 November 2016

Malware spam: "Invoice 123456" from random sender in victim's own domain

This fake financial spam appears to come from a random sender in the victim's own domain, but this is just a simple forgery. The payload is Locky ransomware.

Subject:     Invoice 5639438
From:     random sender (random.sender@victimdomain.tld)
Date:     Tuesday, 22 November 2016, 8:43

Attached is the document 'Invoice 5639438'.

The reference number varies from email to email, but is consistent in the subject, body and the name of the attachment (e.g. Invoice 5639438.zip). This ZIP file contains a malicious WSF script (e.g. Invoice 7868933153.wsf) that looks like this.

According the the Malwr analysis, that script downloads from:

manage.parafx.com/98y4h?AdIXigNCmu=UdJVux

There are no doubt many other locations. That same analysis shows a DLL being dropped with an MD5 of de5d8250edf98262f335cd87fe6f6740 and a detection rate of 9/56. The Hybrid Analysis of the same sample shows the malware contacting the following C2 locations:

89.108.73.124/information.cgi (Agava, Russia)
91.211.119.98/information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)
94.242.55.81/information.cgi (RNet, Russia)

Recommended blocklist:
89.108.73.0/24
91.211.119.98
94.242.55.81

UPDATE

My usual reliable source came up with these additional download locations:

adoptshawm.net/98y4h
hotelmm.ro/98y4h
houseller.eu/98y4h
huaphoto.net/98y4h
huduanjichuang.com/98y4h
i12.ir/98y4h
ifsaiumumi.com/98y4h
illinoisnavhda.org/98y4h
inkubator.biz.pl/98y4h
interdean.hu/98y4h
iphoneservices.com.ua/98y4h
iran-bazaar.ir/98y4h
irandivinggroup.com/98y4h
islandspirits.ca/98y4h
izww.cn/98y4h
jain4jain.com/98y4h
jaydeepuk.com/98y4h
jazz.kvalitne.cz/98y4h
jinqiaonkyy.com/98y4h
jkshea.com/98y4h
joesrv.com/98y4h
joplinglobeonline.com/98y4h
junhao8.com/98y4h
justsport.co.il/98y4h
kabele.ru/98y4h
klaxcar.ro/98y4h
kongkhak.go.th/98y4h
korbastudio.com/98y4h
krepiec.pl/98y4h
kstm.or.th/98y4h
kuponik.eu/98y4h
lanphuong.vn/98y4h
lesmouf.com/98y4h
lhesh.com/98y4h
lifanpower.pl/98y4h
lomtalay.com/98y4h
lp511.com/98y4h
ltinvest.de/98y4h
luanasahian.ro/98y4h
lumitech.ro/98y4h
manage.parafx.com/98y4h
maroeg.com/98y4h
maxifitness.ru/98y4h
mckains.net/98y4h
mediawax.be/98y4h
megalingeriemall.com/98y4h
melzer-casting.de/98y4h
microsupport.net/98y4h
militarydirect.com/98y4h
minmin.in/98y4h
mirokon30.ru/98y4h
mooymedia.nl/98y4h
morgoo.es/98y4h
mudrahviezda.sk/98y4h
mybankofgold.com/98y4h
mysolosource.com/98y4h
natalija.ru/98y4h
reoilmaya.com/98y4h

Malware spam: "Delivery status" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Delivery status
From:     Gilbert Hancock
Date:     Tuesday, 22 November 2016, 8:51

Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.

In the sample I analysed there was an attachment named document_recipientname.zip (i.e. the first part of the recipient's email address was in the name), containing a malicious javascript with a random name. This particular script (and there are probably many others) attempts to download a component from one of the following locations:

sbdma.com/ri3xnzkaoz
robertocostama.com/qpnst8glsz
kettycoony.com/ahkzls3w
sadhekoala.com/efgqy4tdw
sdwsgs.com/voh7

According to this Malwr analysis, a malicious DLL is dropped with an MD5 of ebf03567c2a907705a026ff0821d8e63 and a detection rate of 6/55. The Hybrid Analysis reveals the following C2 locations:

91.201.202.130/information.cgi [hostname: dominfo.dp.ua] (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
188.120.250.138/information.cgi [hostname: olezhkakovtonyuk.fvds.ru] (TheFirst-RU, Russia)
213.32.66.16/information.cgi (OVH, France)

For those Russian and Ukranian networks I would be tempted to block the entire /24 at least, but this is my minimum recommended blocklist:

91.201.202.130
95.213.186.93
188.120.250.138
213.32.66.16

UPDATE

These are additional download locations for this variant (thank you to my usual source):

87.244.17.86/bhigobrbr
beachbreak.com/beachbreak/hk7mqlgs
bursacicekmagazasi.com/yqrws0c
campossa.com/ped2hwz3
cniplc.com/1cbgu
convertus.com/3p80kj
csplane.com/ej7irq
dmsoinfo.com/1buigkyvl
dtinsani.com/1gon5mmzk
fabriquekorea.com/1f3mauxvzb
facerecognition.com.ba/9b7aecm
girlstravelling.com/llnza
girlstravelling.com/zj3ij
gto-cro.com/zcvofb
gtodo.com.ar/shvssbgwh
gumorca.com/ydsojspvx
gxaiq.com/y6lhc
hairchinadirect.com/iryscuex9
hancebile.com/03aviw5ree
hancebile.com/cmlucpol
hancebile.com/fppm5myp7r
hancebile.com/rk9q4pf1
hjertearken.dk/pxyti0
kettycoony.com/ahkzls3w
kettycoony.com/cx55khn
kettycoony.com/gl74xldx
kettycoony.com/qllgov6rp
lauiatraps.net/90iuiatl
lauiatraps.net/lknfc
lauiatraps.net/tltnctyadf
lauiatraps.net/zyqjw08qqt
liftaccessory.com/crvjl4
marvicedo.com/drvf1s5x
mcmustard.com/lotojt3
misicka.com/ho6guo1jn
monowheels.ru/2nbknagte9
newautolatino.com/wa7lm4i7vo
nuociss.com/css5igxfe
oualili.org/afdnzqtmbc
paidforall.com/wnvppxdp0
parskavand.com/wekzwe
pattumalamatha.com/biwkk3sp
phaseiv.org/9utjgbof
poltec.com.au/wjzfftju
profilab.ru/wsmie0k
remixsarkilar.com/um5mvc53
rndled.com/adf4t5s3
robertocostama.com/qpnst8glsz
rsahosting.com/quudvvjxe
sadhekoala.com/efgqy4tdw
sadhekoala.com/lvqh1
sadhekoala.com/qg7bhfv3sa
sadhekoala.com/vjhxxwuo
sbdma.com/ri3xnzkaoz
sdwsgs.com/voh7l
shouwangstudio.com/uddj8u
snehil.com/8jp3sr
starmakersentertainment.com/vvaury
suziemorris.net/qz3wodtpqe
talentinzicht.eu/2szzeegt
thegioitructuyen.org/lalvx1nrj
thegoldclubs.com/soaiga
thirdchild.org/ratorfeybm
touroflimassol.com/uekc5dx
touroflimassol.com/vil8begqiq
ulmustway.com/gggsslzj1c
ulmustway.com/jm2hp
ulmustway.com/kzqnerxm
ulmustway.com/stj6o
unkalojistik.com/hhwh0xv9
valpit.ru/kn3jm
vedexpert.com/qbaiegzzu
verdianthy.com/iool1e
warisstyle.com/mjuurbt2bx
wbakerpsych.com/j00gr8z
whatsapphd.com/fqi0a
woodmode-eg.com/dsi79s
xa12580.com/lzwkiqsi8s
xhumbrella.com/jb5c396v
znany-lekarz.pl/nrpfqwwq

Monday, 21 November 2016

Malware spam: "Your LogMein.com subscription has expired!" / billing@secure-lgm.com

This fake financial spam leads to malware:

From:    billing@secure-lgm.com
Date:    21 November 2016 at 18:35
Subject:    Your LogMein.com subscription has expired!

Dear client,

You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.

You can download the bill directly from the LogMeIn website:
https://accounts.logme.in/billing.aspx?clusterid=4557&view_bill_id=34466152&file_type=doc

Please use another credit card or payment method in order to avoid complete service interruption.
Event type: Credit Card Declined
Account email: [redacted].com
At: 21/11/2016

If you need more help, visit LogMeIn Support at:
http://solutions.logmein. com/SalesContactUs

Important Security Notice:
LogMeIn will never for your password or other sensitive information by email.

(Please don't reply to this email, as it's sent from an address that's not monitored.)

© LogMeIn Inc

The link in the email actually goes to a page at reg.vn/en/view_bill.php?id=encoded-email-address (where the last part is the email address in Base 64 encoding). It downloads a malicious document lgm_bill69290.doc with a current detection rate of 8/55.

Automated analysis [1] [2] shows malicious network traffic to and from:

newaronma.com/zapoy/forum.php
newaronma.com/ls5/forum.php
newaronma.com/blt/patha1.php?v=51
www.libinvestusa.com/images/inst.exe
www.libinvestusa.com/images/pm1.dll

A malicious executable is dropped with a detection rate of 7/57. The payload appears to be Hancitor / Vawtrak.

The domain secure-lgm.com appears to have been created for the purposes of sending the email. The probably fake WHOIS details are:

Registrant Name: Nikolay Vazov
Registrant Organization: NA
Registrant Street: 106 Vitosha Blvd.
Registrant City: Sofia
Registrant State/Province: Sofia
Registrant Postal Code: 1463
Registrant Country: bg
Registrant Phone: +359.28058181
Registrant Phone Ext:
Registrant Fax: +359.28058787
Registrant Fax Ext:
Registrant Email: nokolay.vazov@mail.bg

Recommended blocklist:
95.215.111.222
newaronma.com
libinvestusa.com

Something evil on 64.20.51.16/29 (customer of Interserver, Inc)

I wrote about this evil network on 64.20.51.16/29 (a customer of Interserver, Inc) over a year ago, identifying it as a hotbed of fraud. Usually these bad networks don't hang around for very long, but in this case it seems to be very persistent.

This time it came to notice from a terse spam with a PDF attached:

From:   Lisa Liang [ineedu98@hanmail.net]
To:   me@yahoo.com
Date:   20 November 2016 at 23:23
Subject:   11/21/2016 Amended

FYI

Attached is a file Amended copy.pdf which when you open it (not recommended) looks blurry with "VIEW" in big red letters.

The link in the email goes to bit.ly/2fJbyol - if you put the "+" on the end of a Bitly link then you can see the number of clickthroughs and what the landing page is (www.serviceupgrade.tech/pdf.php in this case).

Clicking through gives you a login page for "Adobe PDF Online" which is of course a generic phishing page.

Analysis of the 64.20.51.16/29 range finds 193 sites historically connected with it marked as being phishing or some other malicious activity. There are at least 284 sites currently within that range, of which the following are both hosted in that range currently and are malicious:

sparvicharityfoundation.com
ftp.eurocontrol-int.net
eurocontrol-int.net
bocusin.com
eurocontrol-int.net
meclp.com
lntedg.com
bs-shipmanagements.com
rolloninz.com
outlook-excell.com
safetech-online.com
lrbis.com
stmposlka.com
combinaparts.com
gsctechinology.com
writverify-online.com
ubsinvbnk.com
kiy-carbon.com
hsbcoffshores.com
natural-live.top
ftp.daemon-mail.com
ftp.paypalcenter.com
mobile-secure.us
zharmonics-online.com
nahpa-vn.com
djhexport.com
paypalcenter.com
victorialmpex.com
schmiditsports.com
lindner-stofftiere.com
novady.top

11% of the total sites in the range have been tagged by SURBL or Google as being bad, and to be honest there are probably a LOT more but those services haven't caught up yet.

In any case, there seems to be nothing of value in 64.20.51.16/29 and I strongly recommend that you block traffic to the entire range.

Thursday, 17 November 2016

Malware spam: "Sage Invoice [service@sage-invoices.com]" / "Outdated Invoice" leads to Trickbot

This fake financial spam leads to the Trickbot banking trojan.

From:    Sage Invoice [service@sage-invoices.com]
Date:    17 November 2016 at 10:54
Subject:    Outdated Invoice

This is a customer service e-mail from © Sage (UK) Limited to [redacted]

Sage Invoice Payments
Outdated Invoice

You have an outdated invoice from Sage Invoice Payments that needs your attention. To find out more details on this invoice, please see the enclosed document attached to this email.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54. Hybrid Analysis shows malicious network traffic to:

substan.merahost.ru/petrov.bin [185.86.77.224] (Mulgin Alexander Sergeevich aka gmhost.com.ua, Ukraine)

A malicious file scsnsys.exe is dropped with a detection rate of 8/53.

The domain sage-invoices.com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication. The no doubt fake WHOIS details are:

Registry Registrant ID: Not Available From Registry
Registrant Name: Antonio Padula
Registrant Organization: Weighpack Systems Inc
Registrant Street: 5605 Rue Cypihot
Registrant City: Saint Laurent
Registrant State/Province: Quebec
Registrant Postal Code: H4S 1R3
Registrant Country: CA
Registrant Phone: +1.5144243344
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: test@orasore.com

I recommend that you block traffic from that domain or check your filters to see who may have it.

Recommended blocklist:
sage-invoices.com [email]
185.86.77.0/24