Monday 28 July 2014

Something evil on 88.198.252.168/29 (Ransomware)

88.198.252.168/29 (Hetzner, Germany) is infected with a whole bunch of ransomware landing pages, like this:


In the past this IP range has been used to host a number of legitimate Austrian sites, but at the moment it appears to be hosting ransomware landing pages exclusively.

The domains in use are a combination of crappy .in domains registered to a series of fake addresses, plus a bunch of subdomains of legitimate domains that have been hijacked. What is interesting about these hijacked domains is that they all use afraid.org as nameservers.

This hijacking at afraid.org happens because these particular domain owners are using the free afraid.org service, which allows anyone to create a subdomain of your domain and point it wherever they like (explained in this FAQ). The bad news is that this sort of hijacking is a quick way to ruin your domain's reputation. A full list of the subdomains and domains I can find is here [pastebin].

Although this is a Hetzner IP, it is suballocated to a customer who may or may not know anything about this abuse of the IPs in the range:

inetnum:        88.198.252.168 - 88.198.252.175
netname:        ANDY-CONTE
descr:          Andy Conte
country:        DE
admin-c:        DS15036-RIPE
tech-c:         DS15036-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Dmitry Seleznev
address:        Ivana Franko 38-364
address:        121351 Moscow
address:        RUSSIAN FEDERATION
phone:          +79270473970
nic-hdl:        DS15036-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered


Blocking these landing pages will probably not stop a PC from becoming infected with ransomware, but monitoring or blocking the following list may give you some intelligence as to what is happening on your own network.

Recommended blocklist:
88.198.252.168/29
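As an added example (not code from the original post), here is a small Python matcher that applies a blocklist in the post's format (CIDR lines mixed with bare domain names) to proxy-style log records. It matches any subdomain of a listed domain, which is what the afraid.org-style hijack requires, and matches resolved IPs against the /29. The sample log lines are constructed; the blocklist reuses the post's /29 and a few of its domains; the regex for the throwaway .in names (fixed prefix plus eight lowercase letters) is my own generalisation from the names listed above.

```python
"""Apply a mixed IP/CIDR + domain blocklist, in the format used in the post,
to proxy-style log records. Added example, not code from the original post."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed blocklist in the post's format: one CIDR plus bare domains.
# The /29 and the domain names are taken from the post itself.
BLOCKLIST_TEXT = """\
88.198.252.168/29
duk66.com
law-enforcement-dtwnourq.in
system-check-adnfecjx.in
"""

# Assumption: the throwaway .in domains in the post share a fixed prefix
# followed by eight random lowercase letters; this catches unlisted siblings.
THROWAWAY_IN = re.compile(r"^(law-enforcement|system-check)-[a-z]{8}\.in$")


@dataclass
class Blocklist:
    networks: list = field(default_factory=list)
    domains: set = field(default_factory=set)

    @classmethod
    def parse(cls, text):
        bl = cls()
        for raw in text.splitlines():
            line = raw.strip().lower()
            if not line or line.startswith("#"):
                continue
            try:
                bl.networks.append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                bl.domains.add(line.rstrip("."))
        return bl

    def match_host(self, host):
        """Return the listed domain that covers host, or None.
        A listed domain covers itself and every subdomain, so a hijacked
        subdomain of a legitimate domain is caught. Matching is done on
        whole labels, so notduk66.com does not match duk66.com."""
        host = host.strip().lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        if THROWAWAY_IN.match(host):
            return "pattern:" + host
        return None

    def match_ip(self, ip):
        """Return the listed network containing ip, or None."""
        addr = ipaddress.ip_address(ip)
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


# Constructed record format: timestamp client requested-host resolved-ip
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<ip>\S+)$")


def scan_log(blocklist, lines):
    """Return (client, host, reason) for each record hitting the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, ip = m.group("host"), m.group("ip")
        reason = blocklist.match_host(host) or blocklist.match_ip(ip)
        if reason:
            hits.append((m.group("client"), host, reason))
    return hits


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2014-07-28T09:01:02Z 10.0.0.5 www.example.org 93.184.216.34",
    "2014-07-28T09:01:07Z 10.0.0.5 x7q.duk66.com 88.198.252.170",
    "2014-07-28T09:02:11Z 10.0.0.9 system-check-qqqqqqqq.in 88.198.252.171",
    "2014-07-28T09:03:00Z 10.0.0.9 cdn.example.net 88.198.252.169",
    "2014-07-28T09:04:00Z 10.0.0.12 notduk66.com 203.0.113.8",
]

if __name__ == "__main__":
    bl = Blocklist.parse(BLOCKLIST_TEXT)
    for client, host, reason in scan_log(bl, SAMPLE_LOG):
        print(f"{client} -> {host} blocked by {reason}")
```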



Saturday 26 July 2014

"PLEASE SEND PI" spam / something evil on 198.27.110.192/26

"PI" in this case seems to refer to a Proforma Invoice rather than Π - but in fact the attachment is malware.

Date:      Fri, 25 Jul 2014 22:50:14 -0700 [01:50:14 EDT]
From:      OLINMETALS TRADING CO
Subject:      PLEASE SEND PI

Greetings,

Regarding our previous conversation about our urgent purchase, kindly
find attached PI and let us know if the quantity can fit in 40ft
container.
kindly revise the Proforma invoice so that we can proceed with an
advance payment as agreed.


We look forward to your urgent response with revised proforma invoice.


Thks & Rgds,
OLINMETALS TRADING CO., LTD
Tel : 0097143205171
Fax : 0097143377150

It sounds like a fiendish maths question from an obscure exam. How much Π can you fit in a 40ft container? Anyway, the attachment Order.zip contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53. The ThreatExpert report [pdf] and ThreatTrack report [pdf] show that the malware phones home to walex2.ddob.us/sddob/gate.php on 198.27.110.200 (OVH Canada reassigned to Big Kesh, LLC, US).

Looking at the domains registered on 198.27.110.200 and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs:


frank.ddob.us 198.27.110.196
walex.ddob.us 198.27.110.196 [1]
dino.ddob.us 198.27.110.197 [2] [3]
mrson.ddob.us 198.27.110.200
walex2.ddob.us 198.27.110.200 [4]
robert.xiga.us 198.27.110.200 [5]
daniel.ddob.us 198.27.110.201 [6]
robert.ddob.us 198.27.110.201 [7]
326.xiga.us 198.27.110.203
frannky.ddob.us 198.27.110.210 [9]
janet.ddob.us 198.27.110.211
sayee.ddob.us 198.27.110.211 [10]
dino.ddob.us 198.27.110.213 [11] [12]
biolo.xiga.us 198.27.110.216

I think this is enough evidence to block the entire 198.27.110.192/26 as a precaution (although there do appear to be a small number of legitimate sites too). For the record, this is suballocated to:

NetRange:       198.27.110.192 - 198.27.110.255
CIDR:           198.27.110.192/26
OriginAS:       AS16276
NetName:        OVH-CUST-445017
NetHandle:      NET-198-27-110-192-1
Parent:         NET-198-27-64-0-1
NetType:        Reassigned
RegDate:        2014-03-07
Updated:        2014-03-07
Ref:            http://whois.arin.net/rest/net/NET-198-27-110-192-1

CustName:       Big Kesh, LLC
Address:        1077 Jearsey ln ne
City:           Palm Bay
StateProv:      FL
PostalCode:     32905
Country:        US
RegDate:        2014-03-07
Updated:        2014-03-07
Ref:            http://whois.arin.net/rest/customer/C04889220


In the case of Big Kesh LLC I will be charitable and assume that this behaviour is happening without their consent.

The domains xiga.us and ddob.us appear to be used for purely malicious purposes, so I recommend that you block them. The registrant details are probably fake but here they are:

xiga.us
Registrant ID:                               06BFAFB5641FA567
Registrant Name:                             Xieng Hyua
Registrant Address1:                         Red Bulevard
Registrant City:                             North Bergen
Registrant State/Province:                   NJ
Registrant Postal Code:                      07047
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.6874598745
Registrant Email:                            xiga@fbi.al
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


ddob.us
Registrant ID:                               0121C76442E2ED55
Registrant Name:                             Jackson Togan
Registrant Address1:                         Zhongzeng District 100
Registrant City:                             Zhongzeng District
Registrant State/Province:                   Zhongzeng District
Registrant Postal Code:                      100
Registrant Country:                          TAIWAN, PROVINCE OF CHINA
Registrant Country Code:                     TW
Registrant Phone Number:                     +92.68974568
Registrant Email:                            jackson.togan@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Recommended blocklist:
198.27.110.192/26
xiga.us
ddob.us

Friday 25 July 2014

"eFax message" spam

Another tired old spam template leading to malware..

From:     eFax Corporate [message@inbound.efax.com]
Date:     25 July 2014 14:25
Subject:     eFax message - 4 pages

Fax Message [Caller-ID: 948-468-7596]

You have received a 4 pages fax at 2014-07-25 13:24:21 GMT.

* The reference number for this fax is latf1_did11-1187609582-1911573644-58.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |
Powered by j2

2014 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

In this case the link in the email goes to verzaoficial.com/css/fax_390392029_072514.exe which downloads a file with a VirusTotal detection rate of just 1/45. Automated analysis [pdf] is fairly inconclusive as to what it does.

Tiffany & Co "invoice 0625859 July" spam

This fake Tiffany & Co email has a malicious attachment:

Date:      Fri, 25 Jul 2014 17:32:38 +0800 [05:32:38 EDT]
From:      "J.Parker" [rcaukomti@tiffany.co.uk]
Subject:      invoice 0625859 July

Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.
Thanks


J.parker
Tiffany & Co.

Attached to the message is an archive invoice copy.zip which contains a folder invoice copy in which there is a malicious file invoice copy.exe which has a VirusTotal detection rate of 9/51. The CAMAS report shows that the malware downloads components from the following locations:

brandsalted.com/333
daisyblue.ru/333
expositoresrollup.es/333
fbcashmethod.ru/333
madrasahhusainiyahkl.com/333
sexyfoxy.ts6.ru/333
siliconharbourng.com/333
www.huework.com/333
www.martijnvanhout.nl/333
www.ricebox.biz/333
www.zag.com.ua/333

Those sites are similar to the one found in the recent "Birmingham Mail" spam run. I recommend that you block the following domains on your network:

brandsalted.com
daisyblue.ru
expositoresrollup.es
fbcashmethod.ru
madrasahhusainiyahkl.com
sexyfoxy.ts6.ru
siliconharbourng.com
huework.com
martijnvanhout.nl
ricebox.biz
zag.com.ua

"Help & Advice - Virgin Media Business" / Virginmedia Business spam

A bit of a malspam tsunami today, this fake email claims to be from Virgin Media Business.

Date:      Fri, 25 Jul 2014 19:57:24 +0700 [08:57:24 EDT]
From:      Virginmedia Business [services@virginmediabusiness.co.uk]
Reply-To:      Legal Aid Agency [re-LU-VTRBH-APSYPL@virginmediabusiness.co.uk]

Virgin Media Automated Billing Reminder

Date 25th July 2014

This e-mail has been sent you by Virgin Media to inform you that we were
unable to process your most recent payment of bill. This might be due to
one of the following reasons:

    A recent change in your personal information such as Name or address.
    Your Credit or Debit card has expired.
    Insufficient funds in your account.
    Cancellation of Direct Debit agreement.
    Your Card issuer did not authorize this transaction.

To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.

Please fulfill attached form and send it back to our email adress.

Please ensure all address and contact details are up to date, once submitted your account details will automatically be updated within 24 Hours.

Kind Regards,

Virgin Media

Customer Services Team

Ellis Willis



Attached is an archive file form_27429-070.zip which in turn contains a folder billing_form91_4352-2105.pdf which in turn contains a malicious executable billing_form91_4352-2105.pdf.scr which has a VirusTotal detection rate of 3/53. The Comodo CAMAS report indicates that it is largely the same in behaviour as this HMRC malware from earlier today.

HM Revenue and Customs "Notice of Underreported Income" spam

The second HMRC spam run of the day, this one contains a malicious link.

From:     HM Revenue and Customs [noreply@hmrc.gov.uk]
Reply-To:     HM Revenue and Customs [noreply@hmrc.gov.uk]
Date:     25 July 2014 12:19
Subject:     Notice of Underreported Income

Taxpayer ID: ufwsd-000007954108UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form here.

In this case the link in the email goes to ecanovas.com/boceto/hmrc.exe which the user is expected to download and run. It has a VirusTotal detection rate of 3/51. Automated analysis tools are pretty inconclusive [1] [2] [3] but do reveal some of the behavioural activity.

HMRC "Tax Notice July 2014" spam

This fake HMRC tax notice comes with a malicious attachment:

Date:      Fri, 25 Jul 2014 16:48:37 +0900 [03:48:37 EDT]
From:      HMRC Revenue&Customs [Rosanne@hmrc.gov.uk]
Reply-To:      Legal Aid Agency [re-HN-WFCLL-OECGTZ@hmrc.gov.uk]


Dear [redacted] ,

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 34320-289.



The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
2014 © All rights reserved

Attached is a file P6_rep_34320-289.zip which unzips to a folder called P6_rep(9432)_84632_732.doc which contains a malicious executable P6_rep(9432)_84632_732.doc.scr which has a VirusTotal detection rate of 4/53.

The CAMAS report shows that a second component is downloaded from 37.139.47.167/bt/2.exe which in turn has a VirusTotal detection rate of 5/52.


The IP address of 37.139.47.167 is in the same /24 as the two other IPs mentioned here. I would very strongly recommend blocking traffic to at least 37.139.47.0/24 or the whole 37.139.40.0/21 range (although there do seem to be some legitimate Russian-language sites in there). The IP belongs to:

inetnum:        37.139.40.0 - 37.139.47.255
netname:        COMFORTEL-NET
descr:          COMFORTEL ltd.
country:        RU
admin-c:        ME3174-RIPE
tech-c:         RASS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     MNT-PIN
mnt-domains:    PIRIX-MNT
source:         RIPE # Filtered

person:         Mikhail Evdokimov
address:        PIRIX
address:        Obukhovskoy Oborony, 120-Z
address:        192012, St.Petersburg
address:        Russia
phone:          +7 812 3343610
fax-no:         +7 812 6002014
nic-hdl:        ME3174-RIPE
mnt-by:         RUNNET-MNT
source:         RIPE # Filtered

person:         Dmitry Rassohin
address:        194156, St.Petersburg, Russia
address:        Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone:          +7 931 2700021
nic-hdl:        RASS-RIPE
mnt-by:         RASS-MNT
source:         RIPE # Filtered

route:          37.139.40.0/21
descr:          PIRIXROUTE
origin:         AS56534
mnt-by:         MNT-PIN
source:         RIPE # Filtered

adminsecret.monster.com abused by spammers

I noticed a whole load of queries in URLquery about adminsecret.monster.com (such as this one) which I thought to be kind of odd..


"Adminsecret" sounds really interesting from a security perspective, but really it's a site aimed at executive assistants and people with similar roles.


The pages being queried are "articles" that look like this:


This doesn't look very much like a tip on how to be a better admin. There also appears to be a webspam campaign active to drive traffic to these sites:

So a mix of payday loans and movie downloads. So let's go back to this "Blended Movie Online" page with the prominent "Watch Now" button. This actually takes you to a site livingfilms.net that tantalisingly waves another "download" button at you.


Clicking "Download Now" leads you into a cesspit of adware. Instead of getting a movie, you are directed to download a file Blended.exe from allbestnew.com. Of course, this isn't a movie file at all, but some piece of crappy adware with a VirusTotal detection rate of 17/51 (mostly detected as InstallRex).

Various analysis tools [1] [2] [3] piece together what this adware does, but from a network point of view it makes a connection to the following domains:

r2.homebestmy.info
r1.homebestmy.info
c1.setepicnew.info
i1.superstoragemy.com
getdottamy.info
getyouraddon.co.il


This last one is the clue as to who is making this adware, registered to:

descr:        Justplug.it LTD
descr:        Harbel 10
descr:        Oranit Israel
descr:        4481300
descr:        Israel
phone:        +972 72 2124145
fax-no:       +972 72 2124145
e-mail:       admin AT justplug.it


Justplug.it allows you to make your own browser extensions. Hmm. Looks like a good candidate to block if you don't want unauthorised BHOs and the like.


So, for this particular issue I would recommend the following blocklist:

livingfilms.net
allbestnew.com
homebestmy.info
setepicnew.info
superstoragemy.com
getdottamy.info
getyouraddon.co.il

justplug.it

Back to the livingfilms.net site, if you want to watch the movie online instead of downloading it you get redirected to www.themovienation.com/signup?sf=blue_newjs&ref=82937 which is some sort of movie subscription service based in the British Virgin Islands. Frankly you'd be better off with Netflix, Amazon, Google or some other reputable service.


Oh yes.. and there's payday loan crap too:


So right now I would say that adminsecret.monster.com is horribly compromised and is probably a good candidate for blocking until they get the issues sorted out.

UPDATE: emails to info -at- adminsecret.com bounce, so far I have not been able to contact them.

Thursday 24 July 2014

Scam: "brunerinvestment.com" is not The Brunner Investment Trust PLC

This simple spam is backed up by a fairly sophisticated fake website.

From:     brunner investment [investment@brunner.com]
Reply-To:     brunnerinvestment@gmail.com
To:     50
Date:     24 July 2014 12:08

Dear

The Brunner Trust PLC, is working on expanding its international portfolio Globally and financing projects in form of debt financing from the tune of $1million to $500million,
we also offer personal and business loans from the tune of $100,000 USD to $1,000,000.00 USD

We would be happy to receive an Executive summary to see if you have any Viable project we can finance and partner together
by making financial investment in Form of soft loans.

Email your projects summary to us at: info@brunerinvestment.com

Regards,
Stefan Hofrichter
Chief Economist and Head of Global Economics & Strategy

The Brunner Investment Trust PLC is a real organisation with a website at brunner.co.uk - the domain that the spammers are soliciting replies to is brunerinvestment.com (note the missing "n" in "brunner"). It was registered on 31st May 2014 with anonymous WHOIS details.

This is the real Brunner Investment Trust site:

And this is the fake one:


The differences are subtle:

Of course the main purpose of the web site is to encourage you to think that you are talking to a real person, to which end the contact details are completely fake:

Although the postal address is correct, the rest of the details are fake:

Brunner Investment Trust Plc
199 Bishopsgate,
London, EC2M 3TY
Tel:+44 703 195 6304
Tel/Fax: +44 745 227 1933
Email: info@brunerinvestment.com
brunnerinvestment@gmail.com
The telephone numbers quoted appear to be "follow me anywhere" numbers that forward to another number, which could be anywhere in the world.

So what's the scam? Well, there's probably an up-front fee to even discuss financing.. and if it's like this recent scam it could be tens of thousands of dollars. Of course, there is no financing available (remember that this is a fake site, not the Brunner Investment Trust) and once the scammers have your money they will vanish.

I note as well that the site is fairly well done although somewhat buggy (and it randomly pops up adverts) which looks rather like the same cloned websites I discussed earlier this month.

Some technical details for this - the site is hosted on 93.188.160.4 which is allocated to Hostinger International in Lithuania (although the servers might be in Amsterdam). The spam originates from 168.167.134.124 (Botswana Telecommunications Corporation) via an unknown mail relay on 82.105.253.84 (Telecom Italia, Verona, Italy).

Avoid.

"You have received a new VoiceMail" spam

This tired old malware spam is doing the rounds again.

From:      Voice Mail [voicemail_sender@local]
Subject:      You have received a new VoiceMail
Date:      Thu, 24 Jul 2014 17:31:25 +0700 [06:31:25 EDT]

You have received a voice mail message.
Message length is 00:03:27.

As you might expect, the attachment VoiceMail.zip does not contain a voice mail at all, but it is a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 3/53.

The CAMAS report and Anubis report show the malware downloading an encrypted file from the following locations:

egozentrica.com/wp-content/uploads/2014/07/tor2800_2.7z
reneerlaw.com/wp-content/uploads/2014/07/tor2800_2.7z


Blocking those sites may give some protection against this malware.

NatWest "You have received a secure message" spam

This spam contains a link going to a malicious file:

From:     NatWest [secure.message@natwest.co.uk]
Date:     24 July 2014 14:06
Subject:     You have received a new secure message


You have received a secure message

To read your secure message click here . You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 2568.
First time users - will need to register after opening the attachment.

About Email Encryption - http://www.natwest.com/content/global_options/terms/Email_Encryption.pdf

Another version uses the telephone number 0131 556 2164.

There are probably several different versions, in the ones I have the download location is:

http://avlabpro.com/img/report934875438jdfg8i45jg_07242014.exe
http://dentairemalin.com/images/report934875438jdfg8i45jg_07242014.exe


This malware has a VirusTotal detection rate of 6/52. Automated analysis tools are inconclusive [1] [2] as to what it does.

Wednesday 23 July 2014

Birminghammail / Paul Fulford "Redirected message" spam

This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't.. it is a forgery with a malicious attachment.

Date:      Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
From:      Birminghammail [paul.fulford@birminghammail.co.uk]
Subject:      Redirected message

Dear [redacted]!

Please find attached the original letter received by our system.

I only have two samples of this, the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)

Poor Mr Fulford thinks that his email has been hacked.. it hasn't, but I suspect that he has pissed off some Russian spammers somewhere.


Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe which has a VirusTotal detection rate of 5/53. The Malwr report shows that this part reaches out to the following IPs:

37.139.47.103
37.139.47.117


Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded which has a VT detection rate of just 3/53. The Malwr report is inconclusive.

I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites.

inetnum:        37.139.40.0 - 37.139.47.255
netname:        COMFORTEL-NET
descr:          COMFORTEL ltd.
country:        RU
admin-c:        ME3174-RIPE
tech-c:         RASS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     MNT-PIN
mnt-domains:    PIRIX-MNT
source:         RIPE # Filtered

person:         Mikhail Evdokimov
address:        PIRIX
address:        Obukhovskoy Oborony, 120-Z
address:        192012, St.Petersburg
address:        Russia
phone:          +7 812 3343610
fax-no:         +7 812 6002014
nic-hdl:        ME3174-RIPE
mnt-by:         RUNNET-MNT
source:         RIPE # Filtered

person:         Dmitry Rassohin
address:        194156, St.Petersburg, Russia
address:        Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone:          +7 931 2700021
nic-hdl:        RASS-RIPE
mnt-by:         RASS-MNT
source:         RIPE # Filtered

route:          37.139.40.0/21
descr:          PIRIXROUTE
origin:         AS56534
mnt-by:         MNT-PIN
source:         RIPE # Filtered


UPDATE: a slightly different version of the spam is doing the rounds today, with the fake senders being Allyson.Mays@birminghammail.co.uk and Troy.Short@birminghammail.co.uk (there seems to be nobody working for the Birmingham Mail with those names).

The attachment is named in the format letter_549588.zip or letter_235708.zip and unzips to a folder original_letter_234389_193.eml containing a malicious executable original_letter_234389_193.eml.exe which has a VirusTotal detection rate of 4/54.

The Malwr analysis shows that this reaches out to the following sites:

www.zag.com.ua
daisyblue.ru
37.139.47.117


This drops a further file called mss3.exe with an MD5 of 8e5ea3a1805df3aea28c76adb13b3d9e which is still pending analysis.



Tuesday 22 July 2014

IGPK (Integrated Cannabis Solutions Inc) pump-and-dump spam

There seems to be a low-volume pump-and-dump spam run promoting IGPK (Integrated Cannabis Solutions Inc), the second recent spam I've seen for a cannabis company after this one.

Date:      Mon, 21 Jul 2014 21:15:06 +0400 [07/21/14 13:15:06 EDT]
From:      carolinehopkinsd@arcusinvest.com
Subject:      Check out this company that investors buy

Dear Classified Investor,
If you have been watching to the news, I am sure you have
learned about this new and exciting gigantic business that
everyone is talking about, right in USA! We're talking about
medical marijuana and the colossal Dot Bong Boom currently
underway. INTEGRATED CANNABIS SOLUTIONS INC I G_P-K, offers
a secret, backdoor way to get some of the best potentially
lucrative marijuana investments in the world! Published by
the WSJ, legal marijuana could be the next big thing. This
legal marijuana company is, effortlessly, the utmost
possibly lucrative purchase in this domain right now. I
G_P-K +4% on Friday the 18th of July, seems is groomed
totally for a popular surge up the graphs that can bring
openly compensate us five hundred percent or more. Don't
wait, take 5 minutes and invest early this week, while I
G_P-K is still available for purchase before Wall Street
learns about it!

IGPK has a turnover of about $2m but is haemorrhaging cash which is not a good sign, but it doesn't mean that the company is necessarily going to fold.

It looks like some sort of stock promotion started last month, but this is simply low-grade spam. However, a look at the stock chart shows that the spam run has pushed up the price by 45% to $0.08.. but that is down from $0.74 in May so the price has certainly slumped.

The mail originates from 61.234.227.151 (Railcom, China) via a mailserver at 185.8.3.210 (GNC, Armenia). Despite the "arcusinvest.com" domain in the email there is no evidence that it actually comes from this domain (that belongs to Arcus Investment Ltd, a real UK investment company).

Unless you want to lose out, you should never buy stock promoted by spam as the price tends to collapse as soon as the promotion stops.. or even while the promotion is still going on!

Monday 21 July 2014

Something evil on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic)

Here is another bunch of Cushion Redirect sites closely related to this attack a few weeks ago but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the redirect in action in this URLquery report and VirusTotal has a clear indication of badness on this IP.

All the sites are hijacked subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer. Domains in use are:

e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia


To give credit to the owners of dora-explorer.co.uk, they have spotted that something is wrong, although it looks like the nameservers of their webhost (eu1.downtownhost.com and eu2.downtownhost.com) are improperly secured.


A full list of all the subdomains I can find is here [pastebin] but I would recommend applying a temporary block to these domains until the webhost secures them, although the most effective way of securing your network is to permablock 188.120.198.1.

Recommended blocklist:
188.120.198.1
e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia

UPDATE: It definitely appears that downtownhost.com have not secured their nameservers as a few more customer sites are being abused in this way. It appears that the attackers are going through downtownhost.com's customers in alphabetical order. For example, the following subdomains are in use:

dfmgjne934eod8khquq1axg.elluse.com
280pfzhnb4usz3hajazvtlw.eaila.com
zefh96abfex1r32md0jdh7p.e-oman.me

Additional sites to block:
elluse.com
eaila.com
e-oman.me

UPDATE 2: it looks like downtownhost.com have fixed the problem. These recently-flagged domains can now be considered to be safe.

4-cheap.co.uk
aandelenblog.be
apteka-erekcja.pl
arcadehaven.co.uk
bewegwijzeringborden.nl
bitfrog.co.uk
carpediemcosmetics.de
cewh-cesf.ca
charlie-lola.co.uk
check-email.org
cialis25.pl
clashofclanshackdownload.com
deepfryershop.co.uk
designwonen.be
dora-explorer.co.uk
eaila.com
elluse.com
e-meskiesprawy24.com.pl
e-meskiesprawy24.pl
e-oman.me

Friday 18 July 2014

Something evil on 5.135.211.52 and 195.154.69.123

This is some sort of malware using insecure OpenX ad servers to spread. Oh wait, insecure is pretty much the default configuration for OpenX servers..

..anyway, I don't know quite what it is, but it's running on a bunch of hijacked GoDaddy subdomains and is triggering a generic Javascript detection on my gateway. Domains spotted in this cluster are:

fart.somerspointnjinsurance.com
farms.somerspointnjinsurance.com
farming.somerspointnjinsurance.com
farma.risleyhouse.net
farmer.risleyhouse.net
farmers.risleyhouse.net
par.ecofloridian.info
papers.ecofloridian.com
papa.trustedelderlyhomecare.net
paper.trustedelderlyhomecare.org
pap.trustedelderlyhomecare.info
fas.theinboxexpert.com
fashion.theinboxexpert.com

The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT]. This second IP has also been used to host "one two three" malware sites back in May.

Recommended blocklist:
5.135.211.52
195.154.69.123
somerspointnjinsurance.com
risleyhouse.net
ecofloridian.info
ecofloridian.com
trustedelderlyhomecare.net
trustedelderlyhomecare.org
trustedelderlyhomecare.info
theinboxexpert.com

Thursday 17 July 2014

"Notificación de transferencia de fondos a su favor" spam

This Spanish-language spam has a malicious Word document as an attachment.

From:     HSBC Transferencias [Mexico_contacto@hsbc.com.mx]
Reply-To:     respuesta@hsbc.com.mx
Date:     17 July 2014 11:01

WELCOME TO HSBC!

The purpose of this e-mail is to inform you that today you received a SPEI transfer which is being held due to anomalies in your account. For more details about this situation we attach a document in Microsoft Word format in which we explain the reason for the hold and the steps to follow.



Issuing bank: BBVA BANCOMER
Amount: $94,000.00
Date: 17/07/2014
Reference number: 89413


Status: Held
We recommend following the steps described in the document attached to this e-mail.


For any questions or clarification we are at your service at contacto@hsbc.com.mx or, if you prefer, you can contact Internet Banking on the following telephone numbers:
     Mexico City (55) 5721 1635
     From any state of the Republic on 01800 4722 638, toll-free.

We will be glad to assist you

The attachment is essentially the same as the one mentioned here which tries to lure the victim into removing their Word security settings so that a malicious macro can run.

The VirusTotal detection rate is a pretty poor 4/54. You can see some of the text strings in the Malwr report, which feature the reversed string exe.ss/pw/arc/lc.paip//:ptth; read backwards this is http://piap.cl/cra/wp/ss.exe, from which the macro tries to download a file (currently 404ing). The VBA in the document can be found here [pastebin].
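Storing the URL backwards is a cheap way to defeat a plain search for "http://" in a strings dump, and it is just as cheap to undo. The following is an added example (not from the post or the analysed document) that picks reversed URLs out of a list of extracted strings and defangs them for a report; all sample strings other than the one quoted above are constructed.

```python
import re

# A recovered candidate must look like a URL after reversal; anything else
# that merely contains "//:ptth" somewhere is noise and is dropped.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"']*)?$")

def recover_reversed_urls(strings):
    """Return URLs hidden as reversed strings, in order of appearance.
    The reversed scheme ("//:ptth" or "//:sptth") must end the string."""
    found = []
    for s in strings:
        s = s.strip()
        if not s.endswith(("//:ptth", "//:sptth")):
            continue
        candidate = s[::-1]          # undo the reversal
        if URL_RE.match(candidate):
            found.append(candidate)
    return found

def defang(url):
    """Render a recovered URL safely for reports: hxxp:// and [.] in host."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    out = scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]")
    return out + ("/" + path if path else "")

# Constructed sample in the shape of a strings(1) dump. The second entry is
# the string quoted in this post; the others are made up for the example.
SAMPLE_STRINGS = [
    "Sub AutoOpen()",
    "exe.ss/pw/arc/lc.paip//:ptth",
    "daolnwod/elpmaxe.tset//:sptth",       # reversed https://test.example/download
    "not a url //:ptth but text after",    # scheme not at the end: ignored
    "Shell",
]

if __name__ == "__main__":
    for u in recover_reversed_urls(SAMPLE_STRINGS):
        print(defang(u))
```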

As mentioned before, this is a long-running campaign apparently targeting users in Mexico, and as yet I have not seen this in any language except Spanish.

Wednesday 16 July 2014

"You've received a new fax" / "You have a new Secure Message" spam

This pair of spam messages leads to a malicious ZIP file downloaded via goo.gl (and not Dropbox, as the spam says).

From:     Fax [fax@victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax

New fax at SCAN7905518 from EPSON by https://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800

Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/8AanL9

(Dropbox is a file hosting service operated by Dropbox, Inc.)

-------------

From:     NatWest [secure.message@natwest.com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message

You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )

Please download your ecnrypted message at:

https://goo.gl/8AanL9


(Dropbox is a file hosting service operated by Dropbox, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4612.

I have seen three goo.gl URLs leading to three different download locations, as follows:

https://goo.gl/1dlcL3 leads to
http://webbedenterprisesinc.com/message/Document-6936124.zip

https://goo.gl/8AanL9 leads to
http://rollermodena.it/Document-2816409172.zip

https://goo.gl/pwgQID leads to
http://www.vetsaudeanimal.net/Document-9879091.zip

In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54. The Malwr report shows that this then downloads components from the following locations (hosted by OVH France):
http://94.23.247.202/1607h/HOME/0/51Service%20Pack%203/0/
http://94.23.247.202/1607h/HOME/1/0/0/


An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54. The Malwr report for that is inconclusive.

Recommended blocklist:
94.23.247.202
vetsaudeanimal.net
rollermodena.it
webbedenterprisesinc.com

Tuesday 15 July 2014

Scam? thejointventuregroup.com (The Joint Venture Group) and other domains

This slimy proposition plopped into my spamtrap:

From:     Lori Henderson [info@loriwiththejointventuregroup.com]
Date:     15 July 2014 02:11
Subject:     Attention Investors
Sailing list:     xkuqlvkqlvveull of 1541

Investment opportunities like the one I am about to share comes along once every twenty years. Companies that produce earnings of billions annually are not the norm. This proprietary product is that will do just that. We have already received letters of interest to purchase this unique product from:

Mercedes Benz

General Motors

Caterpillar

Pep Boys

The U.S. Army, just to name a few.

If you are an accredited investor and would like to own a portion of with an estimated gross volume in the billions, then reply to this email and you will receive the details. Please be advised, this is a limited.

Regards,

Haven Henderson

 info@loriwiththejointventuregroup.com

 To stop getting mails

The email originates from 76.182.212.168, an IP address in Arlington, Texas. The domain "loriwiththejointventuregroup.com" is registered with anonymous details. The same content is mirrored on several sites:

thejointventuregroup.com
loriwiththejointventuregroup.com
thomwiththejointventuregroup.com
walterwiththejointventuregroup.com
tiarrawiththejointventuregroup.com
marvawiththejointventuregroup.com


The site has been knocked together using a sitebuilding tool by a 12-year-old (by the looks of it).


The site quotes a company name and address as follows:
The Joint Venture Group P.O. BOX 1063 CEDAR HILL TX 75106

..but I can find no verifiable proof about the existence of a firm of this name in Texas.

Perhaps a clue into the operation can be found on a page labelled "Consulting Position".

The Joint Venture Group is looking for self-motivated individuals who are experienced in marketing to project developers and business owners who need private funding.

    In addition to providing funding capital for project developers and business owners who cannot qualify for conventional bank financing, The Joint Venture Group also provides a safe investment opportunity to accredited investors. This private investment fund pays $2,500 in monthly commissions, for every client that is enrolled by the consultant into the fund. The commission percentage is based on a minimum investment of $1,000,000. Click here to learn more.

    If you are a motivated individual looking for a great opportunity to receive a consistent monthly income in the amount of $2,500  on every enrolled client, than fill out the application below and please name the consultant that referred you to this page. 
 


Let's have a look at that "handshake" picture more closely..


It says: "If you're not a part of the solution, there's good money to be made in prolonging the problem". Funny, yes. Something that a consulting firm would have on their site? Definitely not.

It could well be that Lori, Thom, Walter, Tiarra and Marva are real people who have fallen for this sham and the promise of easy riches.

So, is it a scam? My personal opinion is that it is. "The Joint Venture Group" offer easy money: loans for just about any project, a rate of return for investors that is unrealistic, and of course it is promoted via spam by a company that hides all its real contact details. It certainly looks scammy according to the duck test.

Perhaps a clue can be found on the "Procedures page".


Please be advise, there is a 100% REFUNDABLE deposit of $20K which is a Success Fee. The deposit will be returned when funding is arranged. The deposit is also refundable if The Joint Venture Group fails to arrange funding by the end of 365 days. Proof of funds are required on all funding submissions. There will be no exceptions made.

So, this is saying: you give us twenty thousand bucks and we'll sort out your finance. Honest. You can trust us. We have a domain name and everything.


The Joint Venture Group is comprised of pf private investors who will provide funding for a variety of commercial developments and business projects to those who do not qualify for traditional bank financing.  We also offer a safe investment fund to accredited investor which pays 12% annually, 1% each month. The minimum entry amount is $1M. The investment also provides funding for our clients that require funding. Our minimum funding amount is $1M with no maximum. You can review the details and funding procedures by clicking here.

Say after me.. one meelion dollars!


The Joint Venture Group claim to be a multibillion dollar outfit, but their web design (and spelling) is awful.


Well, OK, I have seen the website for Berkshire Hathaway, which has nearly half a trillion dollars worth of assets but also has a website that looks like it was designed in 30 minutes in 1994. But at least Warren Buffett knows how to spell.

Nothing about The Joint Venture Group looks legitimate. I would give it a wide berth if I were you.

Monday 14 July 2014

"Important - Internal Only" spam

This spam comes with a malicious payload:

Date:      Mon, 14 Jul 2014 16:12:49 +0000 [12:12:49 EDT]
From:      Administrator [Administrator@victimdomain]
Subject:      Important - Internal Only

File Validity: 07/14/2014
Company : http://victimdomain
File Format: Office - Excel ,PDF
Name: Internal Only
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Internal Only.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the
person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by
intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any
dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and
may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this
e-mail and any printouts immediately from
your system and destroy all copies of it. 

Attached to the message is an archive file Internal Only - victimdomain which in turn contains a malicious executable Internal Only.scr, which has a VirusTotal detection rate of 9/54 and which indicates that this is a variant of Upatre. The Malwr analysis shows that it contacts the following URLs:

http://renovarweb.com/comprar/css/404.tar
http://vivatsaultppc.com/421w52q4ok9
http://vivatsaultppc.com/tv8m80f8d8d0


This drops a few files, including mkird.exe which has a VirusTotal detection rate of 6/54 (Malwr analysis here) and an encoded file 404[1].tar which only McAfee spots as being suspect (Upatre-Enc.b).

Blocking the following domains may give some protection:
renovarweb.com
vivatsaultppc.com