Sponsored by..

Thursday, 15 December 2016

Malware spam: "Amount Payable" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Lynn Drake
Date:    15 December 2016 at 09:55
Subject:    Amount Payable

Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.


-
Best Regards,
Lynn Drake
The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js. The highly obfuscated script of one sample can be seen here. Typical detection rates for the script are around 16/54.

There are many different scripts, downloading a component from one of the following locations (thanks to my usual reliable source):

0668.com/k5bhgn
250sb.com./jynvmx
addwords.com.tr/aah6qmhv
anti-dust.ru/7k6cp
asdream.pl/gbbs1c
atio.li/exjik
bappeda.dharmasrayakab.go.id/dlhalychp
braindouble.com/uycx51ix
buhoutserts.ru/ufdazc6vv
casino-okinawa.com/ejguf
catherineduret.ch/5qpqi5ezp
chinaxw.org/xw1ju7y6zc
chungcuvinhomemydinh.com/6dvjasf
crolic88.myjino.ru/1ddig
demo.shispare.com/bvsjq
environment.ae/0od5hn
forbrent.com/h9kqgq
fyd123.cn/kib6h2d9ga
groupeelectrogeneservice.com/eefpeywf9z
hedefosgb.com/dpyzsb6u
hlonline.kentucky.com/i7z78
innercityarts.squaremdesign.com/dyo1w7
jianhu365.com/z9puqdj2eu
malamut.org/gizb2zq
obaloco.com.br/67mfj
peopleprofit.in/pyihdg
roman64.humlak.cz/7bnisgf
rulebraker.ru/zsw4cnf9o
scaune.qmagazin.ro/5hktu4h
slankmethode.nl/4zzq1am
subys.com/mjguriv80
szwanrong.com/x5qxzpjsi
tecnomundo.uy/a8rnlgzv
test1.giaiphaponline.org/0ytdjs1
test.sousouyo.com/feaetpnuee
theamericanwake.com/xw1ju7y6zc
travelinsider.com.au/mwaefb4b
trietlong.net/heyus
tx318.com/kqe4ca
ucbus.net/usdxqqt6
u-niwon.com/kmjg6j9ske
vaaren.dk/ogcz6ys0d
viscarci.com/wyqs6353
walkonwheels.net.au/qmd1uu
wdcd999.com/lm5z2snyqn
web-shuttle.in/eeo9oc
windshieldrepairvancouver.ca/qcp8k7
wiselysoft.com/qcymgbug7
wszystkodokuchni.pl/sl5yko7
wudiai.com/mc3hnwd
www.espansioneimmobiliare.com/akktnck
www.myboatplans.net/6d7ukeco6
wx.utaidu.com/1eybujbru
xlr8services.com/n970foumf
xn--k1affefe.xn--p1ai/8wzzjk24u
youspeak.pt/liowrtxs
yukngobrol.com/h7sfu
zhiyuw.com/qfbdcvrul
zwljfc.com/ld1pvjozu
zzzort10xtest123.com/nin5k3bwo

According to this Malwr analysis, a DLL is dropped with a detection rate of 18/55.  This Hybrid Analysis shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:

86.110.117.155/checkupdate (Rustelekom, Russia)
185.129.148.56/checkupdate (MWTV, Latvia)
185.17.120.166/checkupdate (Rustelekom, Russia)

MWTV is a known bad host, so I recommend blocking the entire /24.

Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166

Posted by at 1 comment:
Labels: , , , , , ,

Monday, 12 December 2016

Malware spam: "New(910)" leads to Locky

This spam leads to Locky ransomware:

From:    Savannah [Savannah807@victimdomain.tld]
Reply-To:    Savannah [Savannah807@victimdomain.tld]
Date:    12 December 2016 at 09:50
Subject:    New(910)

Scanned by CamScanner


Sent from Yahoo Mail on Android

The spam appears to come from a sender within the victim's own domain, but this is just a simple forgery. The attachment name is a .DOCM file matching the name in the subject. Automated analysis [1] [2] indicates that it works in a similar way to this other Locky ransomware run today.
Posted by at No comments:
Labels: , , , , ,

Malware spam: "Invoice number: 947781" leads to Locky

This fake financial spam comes from multiple senders and leads to Locky ransomware:


From:    AUTUMN RHINES
Date:    12 December 2016 at 10:40
Subject:    Invoice number: 947781

Please find attached a copy of your invoice.


Tel: 0800 170 7234
Fax: 0161 850 0404

For all your stationery needs please visit Stationerybase.
The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56.

Automated analysis of a couple of these files [1] [2] [3] [4] show the macro downloading a component from miel-maroc.com/874ghv3  (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57.

All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
88.214.236.218/checkupdate (Overoptic Systems, UK / Russia)
91.219.31.14/checkupdate (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

Recommended blocklist:
176.121.14.95
88.214.236.218
91.219.31.14



Posted by at No comments:
Labels: , , , , , , ,

Friday, 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.


--
King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detections C2 traffic to:

107.181.187.97/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
51.254.141.213/checkupdate (OVH, France)

It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:

91.142.90.46/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
195.123.209.23/checkupdate [hostame: prujio.com] (Layer6, Latvia)
185.127.24.247/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
185.46.11.236/checkupdate (Agava, Russia)
178.159.42.248/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)

Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are a at least a couple of bad /24 blocks in there.

Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24

Posted by at No comments:
Labels: , , , , , , , , ,

Monday, 5 December 2016

Malware spam: "Shipping status changed for your parcel # 1996466" / ups@ups-service.com

This fake UPS spam has a malicious attachment:

From:    UPS Quantum View [ups@ups-service.com]
Date:    5 December 2016 at 17:38
Subject:    Shipping status changed for your parcel # 1996466

Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.

There must be someone present at the destination address, on the delivery day, to receive the parcel.

Shipping type: UPS 3 Day Select
Box size: UPS EXPRESS BOX
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.

The delivery invoice  can be downloaded from our website :
https://wwwapps.ups.com/WebTracking/view_invoice?id=1996466&delivery_date=1204&account=[redacted]

 
Thank you for shipping with UPS

Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.
The link in the email actually goes to a URL vantaiduonganh.vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipients email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain.

This DOC file contains a malicious macro, the Malwr report indicates that it downloads components from:

parkovka-rostov.ru/inst.exe
stela-krasnodar.ru/wp-content/uploads/pm22.dll

Those two locations are legitimate hacked sites. This has a detection rate of 7/56 plus a DLL with a detetion rate of 37/56. The malware appears to be Hancitor / Pony / Vawtrak, phoning home to:

cothenperci.ru/borjomi/gate.php
madingtoftling.com/ls5/forum.php

Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia). The following malicious domains are also hosted on the same IP:

atiline.ru
vkplitka.ru
teunugtin.ru
cyrebsedri.ru
verarsedme.ru
cothenperci.ru
undorrophan.ru
verciherthan.ru
cypegeding.com
ferabrighrob.com
nastylgilast.com
madingtoftling.com

Recommended blocklist:
185.31.160.11
parkovka-rostov.ru
stela-krasnodar.ru


Posted by at 2 comments:
Labels: , , , , , , ,
Subscribe to: Posts (Atom)