Dynamoo's Blog

Wednesday, 6 November 2013

"Voice Message from Unknown" spam / VoiceMail.zip

This fake voice mail spam comes with a malicious attachment:

Date:     Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From:     Administrator [voice9@victimdomain]
Subject:     Voice Message from Unknown (886-966-4698)

- - -Original Message- - -

From: 886-966-4698

Sent: Wed, 6 Nov 2013 22:22:28 +0800

To: recipients@victimdomain

Subject: Private Message

The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file.

This malware file has a detection rate of 3/47 at VirusTotal. Automated analysis tools [1] [2] show an attempted connection to twitterbacklinks.com on 216.151.138.243 (Xeex, US) which is a web host that has been seen before in this type of attack.

Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28 which contains the following domains:
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com

Those domains are consistent with the ones compromised here and it it likely that they have all also been compromised.

Recommended blocklist:
69.26.171.176/28
216.151.138.240/28
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com

"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit

This fake invoice email leads to a malicious Word document:

From: Dave Porter [mailto:dave.porter@blueyonder.co.uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd

Dear Customer :

Your invoice is attached to the link below:
[donotclick]http://www.vantageone.co.uk/invoice17731.doc
Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Victoria Commercial Ltd

The email originates from bosmailout13.eigbox.net [66.96.186.13] which belongs the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc which appears to be a hacked legitimate web site.

Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.

A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys.com
feeds.nsupdatedns.com

It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60
feed404.dnsquerys.com
feeds.nsupdatedns.com
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.orgfeed404.dnsquerys.org
feed.queryzdnsz.org
static.invoice-appmy.com
vantageone.co.uk

Tuesday, 5 November 2013

USPS spam / Label_442493822628.zip

This fake USPS spam has a malicious attachment:

Date:     Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From:     USPS Express Services [service-notification@usps.gov]
Subject:     USPS - Missed package delivery

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

Label: 442493822628

Print this label to get this package at our post office.

Please attention!
For mode details and shipping label please see the attached file.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
USPS Logistics Services.

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46. Automated analysis [1] [2] shows an attempted connection to sellmakers.com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised.

"ACH Notification : ACH Process End of Day Report" spam / ACAS1104201336289204PARA7747.zip

This fake ACH (or is it Paychex?) email has a malicious attachment:

Date:     Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From:     "Paychex, Inc" [paychexemail@paychex.com]
Subject:     ACH Notification : ACH Process End of Day Report

Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@paychex.com during regular business hours.

Thank you for your cooperation.

Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46. Automated analysis [1] [2] shows an attempted connection to slowdating.ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised.

The malware drops several files, including this one with a detection rate of 4/46 that also calls home to the same domain [1] [2] and a payload file with another low detection rate of 5/46 that rummages through the system [1] [2]. The payload appears to be a Zbot variant.

Monday, 4 November 2013

"Payment Overdue - Please respond" spam / Payroll_Report-PaymentOverdue.exe

This fake SAGE spam has a malicious attachment:

Date: Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From: Payroll Reports [payroll@sage.co.uk]

Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.

Sincerely,
Bernice Swanson

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with a icon that makes it look like an Excel spreadsheet.

This malware has a VirusTotal detection rate of just 4/47, and automated analysis tools [1] [2] [3] shows an attempted connect to goyhenetche.com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones too.

CCDCOE.org "Information Security Audit" spam

Here's a weird spam email..

From: CCDCOE [mailto:ccdcoe@ccdcoe.org]
Sent: Monday, November 04, 2013 12:16 PM
Subject: Information Security Audit

Dear Sir,

I am writing to inform you that NATO Cooperative Cyber Defence Centre of Excellence
conducted an information security audit of the network infrastructureof your organization. It
was carried out as part of exercise Steadfast Jazz 2013.

Our specialists have obtained access to theprivate network and the administration panel of the
website of your organization.

The level of information security of your organization does not meet the requirements of
NATO cyber security guidelines.

It is strongly recommended that you pay attention to this fact.

For more information you should contact NATO Cooperative Cyber Defence Centre of
Excellence.

Sincerely,

Col. Artur Suzik
Director,NATO Cooperative Cyber Defence Centre of Excellence

E-mail: ccdcoe@ccdcoe.org
Phone: +3727176800
Fax: +3727176308
Adress: Filtri tee 12, Tallinn 10132, Estonia

The email was sent to a target in Estonia, and the CCDCOE is a genuine NATO facility, also located in Estonia. The domain, telephone and fax number all appear genuine, and there are no attachments to the email nor are there any links.

However, the email is not genuine as it comes from 213.157.216.139 which is a Caucasus Online LLC ASDL subscriber in Georgia. Caucasus Online IPs are often seen in conjunction with botnets, so this is almost definitely a botnet node. The CCDCOE logo used in the email is also out of date.

A close examination of the mail headers shows that some of them have been faked in order to spoof an originating IP of 217.146.66.99 in Estonia.

Received: from dvb35.srv.it.ge (HELO dvb35.srv.it.ge) (213.157.216.139)
by [redacted] with SMTP; 4 Nov 2013 10:15:35 -0000
Received: mx1.zone.ee (HELO ccdcoe.org) ([217.146.66.99]) by
dvb35.srv.it.geL with ESMTP; Mon, 4 Nov 2013 12:01:08 +0200
Received: by ccdcoe.org (Postfix, from userid 309) id fu73vb6de6220; Mon, 4 Nov
2013 12:00:45 +0200
Received: from 10.1.1.218 (10.1.1.218:35781) by ccdcoe.org (Postfix) with SMTP
id gkuuqe31b7s45.9.2013.11.04.59.56; Mon, 4 Nov 2013 11:59:06 +0200
Message-ID: <20130e3f74d2.4353bd02@user>
From: "CCDCOE" <ccdcoe@ccdcoe.org>
To: [redacted]
Subject: Information Security Audit
Organization: CCDCOE

I can't figure out the purpose of this message, but it is almost definitely malicious. Perhaps there is a second part to this why has not been seen yet?

Wednesday, 30 October 2013

"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com

Oh my, do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.

Date:     Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From:     eFax Corporate [message@inbound.efax.com]
Subject:     Corporate eFax message from "673-776-6455" - 2 pages

Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.

-----------------------

Date:     Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From:     eFax Corporate [message@inbound.efax.com]
Subject:     Corporate eFax message from "877-579-4466" - 5 pages

Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.

Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file.

This has a very low detection rate at VirusTotal of just 1/46. Automated analysis tools [1] [2] [3] show an attempted connection to a domain bulkbacklinks.com on 69.26.171.187. This is part of the same compromised Xeex address range as seen here and here.

Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list.

Something evil on 144.76.207.224/28

The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report) [hat tip to Malekal.com judging from the report].

This is a Hetzner IP range suballocated to:
inetnum:        144.76.207.224 - 144.76.207.239
netname:        SPHERE-LTD
descr:          Sphere LTD.
country:        DE
admin-c:        AR10715-RIPE
tech-c:         AR10715-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Alexander Redko
address:        Russia, 107031, Moscow, Proezd Dmitrosvkiy 8
phone:          +79104407852
nic-hdl:        AR10715-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered

Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious:
1valubin.info
2valubin.info
3valubin.info
4valubin.info
5valubin.info
6valubin.info
7valubin.info
8valubin.info
9valubin.info
10valubin.info
11valubin.info
12valubin.info
13valubin.info
14valubin.info
1togenhaym.info
2togenhaym.info
3togenhaym.info
4togenhaym.info
5togenhaym.info
6togenhaym.info
7togenhaym.info
8togenhaym.info
9togenhaym.info
10togenhaym.info
11togenhaym.info
12togenhaym.info
13togenhaym.info
14togenhaym.info
15togenhaym.info
16togenhaym.info
17togenhaym.info
poovergosa.info
galikvento.info

I would recommend blocking all those domains plus the 144.76.207.224/28 range.

Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges that I can find.
5.9.217.0/26
5.9.249.112/28
5.9.255.192/27
46.22.212.16/28
78.46.169.160/27
78.47.67.128/29
78.47.217.112/28
80.79.117.168/29
80.79.118.132/30
80.79.118.252/30
88.198.103.96/28
144.76.192.96/27
144.76.207.224/28
195.2.252.0/23
195.88.208.0/23

Tuesday, 29 October 2013

Suspect network: 69.26.171.176/28

69.26.171.176/28 is a small network range is suballocated from Xeex to the following person or company which appears to have been compromised.

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network

There are three very recent Malwr reports involving sites in this range:

69.26.171.179 - bookmarkingbeast.com
69.26.171.181 - allisontravels.com
69.26.171.182 - robotvacuumhut.com

As a precaution, I would recommend temporarily blocking the whole range. These other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection:
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com