Dynamoo's Blog

Monday, 5 December 2016

Malware spam: "Please Consider This" leads to Locky

This fake financial spam leads to malware:

From:    Aimee Guy
Date:    5 December 2016 at 13:32
Subject:    Please Consider This

Dear [redacted],

Our accountants have noticed a mistake in the payment bill #DEC-5956047.
The full information regarding the mistake, and further recommendations are in the attached document.

Please confirm the amount and let us know if you have any questions.

Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date.

The scripts download another component from one of the following locations, according to my usual reliable source:

admin3.rtaf.mi.th/8765r
buhoutserts.ru/8765r
chanet.jp/8765r
guardian-angels-diva.de/8765r
haibeiwuliu.com/8765r
hzxihe.com/8765r
linghangcj.com/8765r
markettv.ro/8765r
maycongtrinhduylong.com/8765r
natashacollis.com/8765r
ruifengweb.com/8765r
rulebraker.ru/8765r
szwanrong.com/8765r
temai1.com/8765r
travelinsider.com.au/8765r
tx318.com/8765r
ucbus.net/8765r
u-niwon.com/8765r
valuationssa.com.au/8765r
vipseal.de/8765r
viscarci.com/8765r
wdcd999.com/8765r
wiky.net/8765r
windshieldrepairvancouver.ca/8765r
wiselysoft.com/8765r
wishingwellhosting.com.au/8765r
wszystkodokuchni.pl/8765r
wudiai.com/8765r
xlr8services.com/8765r
xn--pasaer-spb.pl/8765r
youspeak.pt/8765r
zhiyuw.com/8765r
zwljfc.com/8765r

It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54. The malware then phones home to the following locations:

91.142.90.61/information.cgi [hostname: smtp-server1.ru] (Miran, Russia)
195.19.192.99/information.cgi (EkaComp, Russia)

These IPs were also used in this earlier attack.

Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99

Malware spam: "Emailing: _9376_924272" / "No subject" leads to ".osiris" Locky.

This spam comes in a few different variants, and it leads to Locky ransomware encrypting files with an extension ".osiris"

The more word version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attacked to that is an XLS file of the same name and it includes this body text:

Your message is ready to be sent with the following file or link
attachments:

_9376_924272

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.

The second version has no body text and the subject No subject or (No subject). The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xls

The macro in the malicious Excel file downloads a component from on of the following locations (according to my usual reliable source):

aetech-solutions.com/87t34f
analypia.com/87t34f
angiebundy.com/87t34f
antelope.co.uk/87t34f
cafe-bg.com/87t34f
dachbud.slask.pl/87t34f
davetoll.com/87t34f
dcareug.com/87t34f
deminico.com/87t34f
griptrix.com/87t34f
kamico.net/87t34f
kelbud.pl/87t34f
ktlelektro.cz/87t34f
laferwear.com/87t34f
masterstudio.org/87t34f
milano.koscian.pl/87t34f
paradiseinfiji.com/87t34f
rongdaistudio.com/87t34f
rsaf.cz/87t34f
sevenseas.lk/87t34f
soulscooter.com/87t34f
sparky.com/87t34f
ssivendorinformation.com/87t34f
sublimeshop.co.uk/87t34f
subys.com/87t34f
tppsk.marcinczaja.pl/87t34f
tybor.hu/87t34f
waat.co.uk/87t34f
www.riojadental.com/87t34f
www.stavros.ca/87t34f
zealcon.com/87t34f

You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:

185.82.217.28/checkupdate [hostname: olezhkakovtony11.example.com] (ITL, Bulgaria)
91.142.90.61/checkupdate (Miran, Russia)
195.19.192.99/checkupdate (OOO EkaComp, Russia)

Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99

Tuesday, 29 November 2016

Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from "61 2 97855412" - 2 page(s)

Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

The link in the email goes to a hacked Sharepoint account, in this case:

https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1

It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named

Fax_11292016_page1.js
Fax_11292016_page2.js

that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:

siliguribarassociation.org/images/staffs/documetns.png

A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:

stengeling.com/20aml/index.php

The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:

4.77.129.110
18.17.224.92
31.209.107.100
37.15.90.12
43.132.208.7
45.249.111.213
52.61.200.235
61.25.216.8
67.25.164.206
74.174.194.169
88.214.198.162
92.74.29.236
111.241.115.90
115.249.171.24
119.71.196.177
135.55.94.211
143.99.241.18
147.89.60.135
156.180.11.60
162.74.9.51
168.227.171.254
176.114.21.171
184.131.179.44
207.77.174.212

Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:

butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com

Malware spam: "Please find attached a XLS Invoice 378296" / creditcontrol@somecompany.com / Ansell Lighting

This fake financial spam comes with a malicious attachment, purporting to come from Ansell Lighting:

Subject:     Please find attached a XLS Invoice 378296
From:     creditcontrol@potomachealthcare.com (creditcontrol@potomachealthcare.com)
Date:     Tuesday, 29 November 2016, 10:32

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then pleasedo not hesitate in contacting us.Karen Lightfoot -Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830

The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as INVOICE.TAM_378296_20161129_886C9EAB6.xls.

My usual reliable source says that the various versions of Excel spreadsheet download a component form one of the following locations:

ayurvedic.by/087gbdv4
pregnancysquare.com/087gbdv4
qiqi-store.com/087gbdv4
roberttrocina.com/087gbdv4
satherm.pt/087gbdv4
sayvir.com/087gbdv4
secotral.fr/087gbdv4
semeystvo.com.ua/087gbdv4
spookmedia.nl/087gbdv4
sp-tulun.ru/087gbdv4
stocktradex.com/087gbdv4
swkitchens.com.au/087gbdv4
thegarageteam.gr/087gbdv4
tyfastener.com/087gbdv4

The Hybrid Analysis shows that this is Locky ransomware, phoning home to:

185.115.140.210/information.cgi [hostname: nikita.grachev.81.example.com] (Megaserver LLC, Russia)
213.32.90.193/information.cgi [hostname: sbg.13.vds.abcvg.ovh] (OVH, France)
95.213.195.123/information.cgi (Selectel SPb, Russia)

A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of 11/57.

Recommended blocklist:
185.115.140.210
213.32.90.193
95.213.195.123

Friday, 25 November 2016

Malware spam: [Vigor2820 Series] New voice mail message from 014xxxxxxxx on %date%

This fake voicemail spam leads to Locky ransomware and appears to come from within the victim's own domain, but this is just a simple forgery.

Subject:     [Vigor2820 Series] New voice mail message from 01435773591 on 2016/11/25 18:29:39
From:     voicemail@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Friday, 25 November 2016, 12:58

Dear webmaster :
    There is a message for you from 01435773591, on 2016/11/25 18:29:39 .
You might want to check it when you get a chance.Thanks!

The number in the message will vary, but is consistent throughout. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip which contains a malicious Javascript that looks like this.

This Malwr analysis shows behaviour consistent with Locky ransomware. My usual source tells me that all the download locations for this campaign are:

asrcargo.ru/yr387n3
easylation.com/yr387n3
jackybrith.net/yr387n3
namicg.com/yr387n3
nxarab.net/yr387n3
oyasinsaat.com.tr/yr387n3
pesaroeventi.it/yr387n3
plast-chem.com.pl/yr387n3
pornolartv.net/yr387n3
portalkerjaya.com/yr387n3
premierpromotions.co.uk/yr387n3
prizor.net/yr387n3
prongai.com/yr387n3
pulse-tv.net/yr387n3
puttechnologies.com/yr387n3
reginaautoauction.com/yr387n3
regionalclaimsrecovery.com/yr387n3
richcity.net/yr387n3
right-livelihoods.org/yr387n3
riyuegu.net/yr387n3
rooana.com/yr387n3
ruchengfcw.com/yr387n3
ruwechat.ru/yr387n3
ryrszs.com/yr387n3
sabinemerz.nl/yr387n3
saintsraw.com/yr387n3
sallymills.com/yr387n3
satherm.pt/yr387n3
sayvir.com/yr387n3
semeystvo.com.ua/yr387n3
setoxy.com/yr387n3
shenzhensh.com/yr387n3
shydnt.com/yr387n3
sienaert.org/yr387n3
signumtte.net/yr387n3
siken3d.com/yr387n3
sineria.com/yr387n3
sinmotor.com/yr387n3
sipho.es/yr387n3
skrzeczkowska.com/yr387n3
songpulatex.com/yr387n3
soonmarketing.com/yr387n3
sp-tulun.ru/yr387n3
square100.com/yr387n3
sreekrishnatemple.com/yr387n3
stamperia.pl/yr387n3
stevetoulch.com/yr387n3
stomatolog-implant.ro/yr387n3
sujiaotuoban.com/yr387n3
sunekitty.com/yr387n3
supplyglassess.com/yr387n3
swkitchens.com.au/yr387n3
sydayont.com/yr387n3
tarasarl.com/yr387n3
tehrankhabar.ir/yr387n3
thegarageteam.gr/yr387n3
theoneworld.in/yr387n3
thoraxcenter.ru/yr387n3
tingfenglou.orgfree.com/yr387n3
tolga-tosun.com/yr387n3
trebleimp.com/yr387n3
tyfastener.com/yr387n3
unimarket.ch/yr387n3
uzmanfren.com.tr/yr387n3
vanaken.nu/yr387n3
velolenta.com/yr387n3
videobandnaardvd.com/yr387n3
vmeste-hudeem.ru/yr387n3

The C2s to block are the same as here, namely:

185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)

Recommended blocklist:
185.118.167.144
91.142.90.55