This fairly brief spam has a malicious attachment:
From: Alexandra Nunez Date: 10 May 2016 at 21:10 Subject: Re:
hi [redacted],
As promised, the document you requested is attached
Regards,
Alexandra Nunez
The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:
I blogged about "Project Management International" last year, an outfit running (in my personal opinion) fake or low-quality seminars, at that time using the domain projectmanagementinternational.org.
This outfit is run by Anthony Christopher Jones and Patchree "Patty" Patchrint (aka Patty Jones) from California. I've written about this oufit several times in the past five years, but it turns out that Jones and Patchrint have been running similar schemes since 2008.
In 2011 ABC15 news in Arizona investigated a previous incarnation of these scheme, named "NAPPPA"...
These Jones / Patchrint operations seem to pop up from time to time and then disappear, usually after being exposed for what they are. This latest iteration of the fake "Project Management International" organisation uses the domain projmanagementintl.org. It's a flashy-looking site, but really it is just made from a standard template.
The "Registration" page lists some prestigious universities as hosting these courses.
From what I can tell, the usual thing that happens is that at the last minute the location is changed to a nearby hotel or conference centre, and it seems that no booking are ever made with the university. All feedback on the courses seems to indicate that they are all of very poor quality. There are numerous reports that the people hired to teach these courses are also not paid as promised.
The courses themselves are advertised through spam email (example here)
The Project Management Fundamentals Course
will be offered May 25-27, 2016 at the University of Utah campus in Salt Lake City, Utah. Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here .
May 25-27, 2016 Salt Lake City, Utah8:00am - 5:00pm
The Project Management Fundamentals Course
is designed for those seeking professional project management certification. It serves as a thorough introduction to the fundamentals of project management. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.
Project Management Fundamentals Course provides 24 hours of project management education hours for both PMI's Certified Associate in Project Management (CAPM)
® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 24 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials. Additionally, the program awards 2.4 Continuing Education Units (CEUs) upon request.
Program Description
Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.
The skills developed in the Project Management Fundamentals Course apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.
Our approach to project management education offers proven, results-focused learning.
Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.
Tuition
Tuition for the three-day Project Management Fundamentals Course is $595.00
Program Schedule and Content
1.Project Initiation, Costing, and Selection, Day 1
2.Project Organization and Leadership, Day 1
3.Detailed Project Planning, Day 2
4.Project Monitoring and Control, Day 2
5.Project Risk and Stakeholder Management, Day 3
Benefits
·A Project Management International Certificate of Accomplishment is awarded upon completion of the three day program. ·
Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.· Each class is highly focused and promotes maximum interaction.·
You can network with other project management professionals from a variety of industries.· Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.·
Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will receive 24 project management education hours towards the requirements for eligibility.
Registration
Participants may reserve a seat online at the Project Management International website
, by calling the Program Office toll-free at (888) 201-6372, or by sending their name and contact information via email to the Program Registrar.
Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.
To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.
Contact numbers listed on the spamvertised site are:
If you see these telephone numbers on other seminar sites, then it will be the same operation. The site quotes a PO box as a contact address but reveals no other information about this so-called corporation.
Project Management International PO BOX 812112 Los Angeles, California 90081
If you feel you have been scammed by this operation then I urge you to report it to the police, FBI, FTC or your local AG's Office. If you would like to share your experiences (positive or negative) then please feel free to use the Comments section below.
This fake financial spam leads to malware. Details change slightly from email to email:
From: Administrator [adminHb@victimdomain.tld] Date: 5 May 2016 at 11:29 Subject: Statement 6BBC0E
Please See Attached
______________________________________________________________________ Scanned by MailDefender Plus, powered by Symantec Email Security.cloud http://www.intycascade.com/products/symantec/ ______________________________________________________________________ --- This email has been checked for viruses by Avast antivirus software. http://www.avast.com
It must be safe.. scanned by both Symantec and Avast! Well, of course that's just BS and the attached DOC file leads to malware, specifically the same payload as seen in this slightly earlier spam run.
This fake document scan appears to come from within the victim's own domain (but this is just a simple forgery) and has a malicious attachment:
From: DocuCentre-IV [DocuCentre1230@victimdomain.tld] Date: 5 May 2016 at 10:27 Subject: Scan Data
Number of Images: 1
Attachment File Type: PDF
----=_Part_45251_4627454344.4826709420825--
Details vary slightly from message to message. Attached is a DOC file (not a PDF) starting with PIC, DOC or IMG in the samples I have seen plus a random number. Typical VirusTotal detection rates are 6/56 [1][2][3][4][5][6]. Various automated analyses of these documents [7][8][9][10][11][12] [13][14][15][16][17] show a binary being downloaded from the following locations:
This spam email comes with a malicious attachment.
From: Elfrida Wymer [WymerElfrida9172@recordshred.com] Date: 3 May 2016 at 12:40 Subject: You Are Fired BBF904D
We regret to inform you, yet we no longer need require your services. Attached you can find additional information and the payout roll for the last month.
It's a bit of a self-fulfilling prophecy. If you are daft enough to download the ZIP file, and extract and run the script then perhaps you WILL get fired.
This fake financial spam has a malicious attachment. It comes from random senders. Last week a fake "Second Reminder" spam was sent out.
From: Ernestine Perkins Date: 3 May 2016 at 08:54 Subject: Third Reminder - Outstanding Account
Dear Client,
We have recently sent you a number of letters to remind you that the balance of $9308.48 was overdue. For details please check document attached to this mail
We ask again that if you have any queries or are not able to make full payment immediately, please contact us.
Regards,
Ernestine Perkins Franchise - Sales Manager / Director - Business Co
Attached is a ZIP file which in the samples I have seen begins with Scan_ or Document_ each one of which contains four identical copies of the same script, e.g.:
Typical detection rates for the scripts seem to be about 3/56. The samples I have seen download a malicious binary from one of the following locations (there are probably more): digigoweb.in/k3lxe rfacine.com.br/z0odld boontur.com/b2hskde
These binaries are all slightly different, with detection rates of 4 to 6 out of 56 [1][2][3]. Various automated analyses [4][5][6][7][8][9][10][11][12][13][14] show that this is Locky ransomware, and it phones home to:
From: Janis Faulkner [FaulknerJanis8359@ono.com] Date: 29 April 2016 at 11:13 Subject: Second Reminder - Unpaid Invoice
We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid. For details please check invoice attached to this mail
Regards,
Janis Faulkner Chief Executive Officer - Food Packaging Company
Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.
The scripts I have seen download slightly different binaries from the following locations:
VirusTotal detection rates are in the range of 8/56 to 10/56 [1][2][3][4]. In addition to those reports, various automated analyses [5][6][7][8][9] show that this is Locky ransomware phoning home to:
This fake document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.
There is no body text. Attached is a ZIP file with the recipients email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of malicious scripts, the ones that I have seen download a binary from:
The payload is Locky ransomware. This is hosted on what appears to be a bad server at:
134.249.238.140 (Kyivstar GSM, Ukraine)
Kyivstar is a GSM network, something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo.at domain shows that it is multihomed on many IPs:
From: Kieth Valentine [Kieth.Valentine87@assistedlivingflorida.com] Date: 28 April 2016 at 16:32 Subject: Latest invoice [Urgent]
Hello,
We are writing to you about fact, despite previous reminders, there remains an outstanding amount of USD 5883,16 in respect of the invoice(s) contained in current letter. This was due for payment on 17 April, 2016.
Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue. The total amount due from you is therefore USD 5883,16
If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we will begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take affect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.
This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.
To view the the original invoice in the attachment please use Adobe Reader.
We await your prompt reaction to this email.
Best wishes,
Kieth Valentine
Royal Bancshares of Pennsylvania, Inc. 1(265)530-0620 Ext: 300 1(265) 556-3611
The only sample I have seen of this is malformed and the attachment cannot be downloaded. However, what it should be in this case is a file Latest invoice18.zip containing a malicious script 2016INV-APR232621.pdf.js. Analysis of this obfuscated script is pending, it is likely to be either Locky ransomware or the Dridex banking trojan.
This fake financial spam comes from randomly-generated senders, for example:
From: Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br] Date: 28 April 2016 at 11:40 Subject: FW: Invoice
Please find attached invoice #342012
Have a nice day
Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are: http://rabitaforex.com/pw3ksl http://tribalsnedkeren.dk/n4jca http://banketcentr.ru/v8usja http://3dphoto-rotate.ru/h4ydjs http://switchright.com/2yshda http://cafe-vintage68.ru/asad2fl http://minisupergame.ru/a9osfg
The payload looks like Locky ransomware. The DeepViz report shows it phoning home to:
There is currently a very minimalist spam run leading to Locky ransomware, for example:
From: victim@victimdomain.tld To: victim@victimdomain.tld Date: 28 April 2016 at 11:21 Subject: Scan436
The spam appears to come from the victim's own email address. There is no body text, but attached is a ZIP file with a name matching the subject, e.g.:
The downloaded executable is Locky ransomware and has a VirusTotal detection rate of 2/56. This Hybrid Analysis shows Locky quite clearly, and this DeepViz report shows it phoning home to:
From: CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com] Date: 27 April 2016 at 16:22 Subject: Message from "RNP0BB8A7"
Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).
Datos escaneo: 27.04.2016 00:31:10 (+0000) Preguntas a: soporte@victimdomain.tld
Attached is a randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:
This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:
From: Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br] Date: 27 April 2016 at 12:23 Subject: Price list
Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.
The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.
Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations: aaacollectionsjewelry.com/ur8fgs adamauto.nl/gdh46ss directenergy.tv/l2isd games-k.ru/n8eis jurang.tk/n2ysk lbbc.pt/n8wisd l-dsk.com/k3isfa mavrinscorporation.ru/hd7fs myehelpers.com/j3ykf onlinecrockpotrecipes.com/k2tspa pediatriayvacunas.com/q0wps soccerinsider.net/mys3ks warcraft-lich-king.ru/i4ospd haraccountants.co.uk/k9sjf
This downloads Locky ransomware. The executable then phones home to the following servers:
From: Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com] Date: 26 April 2016 at 12:58 Subject: Missing payments for invoices inside
Hi there!
Hope you are good.
Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.
BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.
Kind Regards
Jeffry Rogers
Henderson Group
Tel: 337-338-4607
I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:
This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:
Following on from this post and previous ones in that series, here is a new set of IP ranges where the Angler EK seems to be clustering. In addition, I updated the list of PlusServer ranges where Angler is becoming a critical problem too.
This fake Amazon email leads to malware. On some mail clients there may be no body text:
From: auto-shipping@amazon.co.uk Amazon.co.uk To: Date: Fri, 22 Apr 2016 10:50:56 +0100 Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)
Dear Customer,
Greetings from Amazon.co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account
Your order #525-2814418-9619799 (received April 22, 2016)
Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http://www.amazon.co.uk/returns-policy/
Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.
Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label. Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.
To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.
For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).
Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.
As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.
Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.co.uk/help
If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.
Thank you for shopping at Amazon.co.uk
-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------
Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:
This dropped executable has a detection rate of 6/56. The Hybrid Analysis and DeepViz Analysis plus some data sourced from other parties (thank you) indicates that the malware calls back to the following IPs:
186.250.48.10 (Redfox Telecomunicações Ltda., Brazil) 193.90.12.221 (MultiNet AS, Norway) 194.116.73.71 (Topix, Italy) 200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
The payload here appears to be the Dridex banking trojan.
Another identical round of this spam is being sent out, complete with the formatting error that prevents the body text being displayed on some email clients. VirusTotal detection rates for the two samples I have seen are 5/57 [1][2]. Hybrid Analysis of the attachments [3][4] shows download locations at:
From: Milan Bell [Milan.Bell5@viuz-en-sallaz.fr] Date: 21 April 2016 at 17:45 Subject: FW: Latest order delivery details
Good morning!
Hope you are good.
Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.
I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.
Many thanks and good luck
Milan Bell
DORIC NIMROD AIR ONE LTD
tel. 443-682-9021
The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.
This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:
Cheekily the URL references a well-known security company. The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:
176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)
You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:
This fake financial spam does not come from Covance but is instead a simple forgery with a malicious attachment:
From: FSPRD@covance.com Reply-To: donotreply@covance.com Date: 21 April 2016 at 12:03 Subject: Dispatched Purchase Order
Purchase Order, 11300 / 0006432242, has been Dispatched. Please detach and print the attached Purchase Order.
***Please do not respond to this e-mail as the mailbox is not monitored. ________________________________ Confidentiality Notice: In accordance with Covance's Data Classification Policy, this email, including attachment(s), is classified as Confidential or Highly Confidential. This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or dissemination of the content of this e-mail is strictly prohibited.
If you have received this e-mail transmission in error or this email is not intended for you, please delete or destroy all copies of this message in your possession and inform the sender. Thank you.
Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz which is a compressed archive file, containing in turn another archive file with a name like 5611205-19.04.2016.tar and it that archive is a malicious script named in an almost identical format the the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56.
So far I have seen two versions of this script, downloading from:
193.90.12.221 (MultiNet AS, Norway) 194.116.73.71 (Topix, Italy) 64.76.19.251 (Impsat, Argentina) 200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
The payload appears to be the Dridex banking trojan.
Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56.
There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56. The Hybrid Analysis of the dropped binary shows network traffic to:
193.90.12.221 (MultiNet AS, Norway) 200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
The payload is not clear, but is probably the Dridex banking trojan.
This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:
From: Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk] Date: 20 April 2016 at 11:01 Subject: Document No™2958719
Thanks for using electronic billing
Please find your document attached
Regards
Beerhouse Self Drive
In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:
bi.pushthetraffic.com/87ty8hbvcr44
There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between then identify what is likely to be Dridex, phoning home to the following servers:
Veuillez trouver en pièce-jointe, la facture de vos achats. SANS FRAIS DE TRANSPORT Votre marchandise est partie et vous devriez la recevoir dans les prochains jours.
Attached is a file 093887283-19.04.2016.zip which contains a semi-randomly named script (e.g. 741194709-18.04.2016.PDF.js) with VirusTotal detection rates of 6/56 [1][2]. According to these Malwr reports [3][4] the script downloads a file from one of the following locations:
There are probably other scripts with different download locations, the binary has a detection rate of 10/55.The Hybrid Analysis report shows that this executable attempts to download another executable from:
buhjolk.at/files/Yd6aGF.exe
At the moment that location is 404ing and the main payload fails, although that could be easily fixed I guess. This is probably attempting to drop Locky ransomware.
The loader also attempts to interact with some servers belonging to BMG, possibly to generate false data for anyone doing network analysis.
To be on the safe side, it might be worth blocking:
Please do confirm the Quote Price and get back to me as soon as possible.
Regards Sales Department
Attached is a fie with an unusual extension, ORDER LIST.ace which is actually a compressed archive (basically a modified ZIP file). It contains an executable ORDER LIST.exe which has a VirusTotal detection rate of 15/56. That same VirusTotal report indicates traffic to:
booksam.tk/pony/gate.php
This is hosted on:
46.4.100.109 (Hetzner, Germany)
That IP address might be worth blocking. The Hybrid Analysis indicates that this steals FTP and perhaps other passwords. This is a Pony loader which will probably try to download additional malware, but it is not clear what that it might be.
This fake financial spam has a malicious attachment:
From: Hillary Odonnell [Hillary.OdonnellF@eprose.fr] Date: 13 April 2016 at 18:40 Subject: Prompt response required! Past due inv. #FPQ479660
Hello,
I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?
Thank you,
Jake Gill
Accounts Receivable Department
Diploma plc
(094) 426 8112
The person it is "From", the reference nu,ber and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).
There seem to be several different versions of the attachment, I checked four samples [1][2][3][4] and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive [5][6][7][8] (as are the Hybrid Analyses [9][10][11][12]) but do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on 212.76.140.230 - MnogoByte, Russia). The payload appears to be Dridex.
We can see a reference to that server at URLquery which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment however, the server appears to be not responding, but it appears that for that sample the malware communicated with:
This fake financial email comes with a malicious attachment:
From: Tran Reply-To: Tran, Reuben - ADVANCED ONCOTHERAPY PLC [TranReuben1322@telecom.kz] Date: 13 April 2016 at 16:24 Subject: Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC
Good morning,
Please advise status on these
If shipped, please send invoice & tracking
--------------------------------------------- CONFIDENTIALITY NOTICE: This e-mail, including any attachments and/or linked documents, is intended for the sole use of the intended addressee and may contain information that is privileged, confidential, proprietary, or otherwise protected by law. Any unauthorized review, dissemination, distribution, or copying is prohibited. If you have received this communication in error, please contact the original sender immediately by reply email and destroy all copies of the original message and any attachments. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Xylem Inc.
I have only seen a single copy of this, it is likely that the company name will vary from email to email. The attachment due #46691848.doc has a VirusTotal detection rate of 5/56. According to this Malwr report it downloads a file from:
mgmt.speraelectric.info/flows/login.php
Right at the moment this is just a copy of the Windows Calculator and is harmless, but the payload could be switched later to something more malicious, probably Locky ransomware or the Dridex banking trojan.
PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again.
So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).
Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too.
UPDATE 2016-04-25
Here are some more PlusServer ranges where Angler has been rampant:
PlusServer (or more likely one or more of their resellers) appear to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in 188.138.105.0/24) that the only safe option is to block traffic to those network ranges.
With black hat hosts such as Qhoster or Host Sailor and to some extent Agava you can block the entire network ranges and not block anything of value at all. In using PlusServer, the bad guys can hide their evil sites among legitimate sites where administration might fear to block something accidentally. My personal opinion is that admins need to be bold and block anyway.. it should usually be possible to block individual sites where needed.
I realise it has been a while since my last list of bad networks you might want to block. Hopefully in the next couple of days I will have another list outlining some bad problems with PlusServer IP ranges, in the mean times here are a load of network blocks with a high concentration of Angler EK and other nastiness. (The links go to my Pastebin with more details).
