Dynamoo's Blog

Friday, 5 December 2014

"K J Watking & Co" fake Remittance Advice spam

This fake remittance advice spam has been hammering my inbox this morning. It uses randomly generated sender names but has a consistent fake company name of K J Watking & Co which is very close to a legitimate firm K J Watkin & Co who have nothing to do with this.

The spam comes with an Excel spreadsheet which contains a malicious macro.

Some sample spams are as follows:

From:    Brenton Glover
Date:    5 December 2014 at 07:20
Subject:    Remittance Advice for 430.57 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co

================

From:    Reba Fletcher
Date:    5 December 2014 at 08:23
Subject:    Remittance Advice for 520.60 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Reba Fletcher
Senior Accounts Payable Specialist
K J Watking & Co

================

From:    Jennifer Copeland
Date:    5 December 2014 at 07:36
Subject:    Remittance Advice for 866.73 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Jennifer Copeland
Senior Accounts Payable Specialist
K J Watking & Co

================

From:    Tia Maddox
Date:    5 December 2014 at 07:33
Subject:    Remittance Advice for 539.99 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Tia Maddox
Senior Accounts Payable Specialist
K J Watking & Co

================

From:    Weston Martinez
Date:    5 December 2014 at 08:33
Subject:    Remittance Advice for 248.65 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Weston Martinez
Senior Accounts Payable Specialist
K J Watking & Co

================

From:    Reva Morgan
Date:    5 December 2014 at 08:17
Subject:    Remittance Advice for 649.39 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Reva Morgan
Senior Accounts Payable Specialist
K J Watking & Co

The Excel attachments have random names such as BAC_0577719P.xls or BAC_581969Q.xls. So far I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2].

Each spreadsheet contains a different but similar malicious macro [1] [2] [pastebin] which then download a binary from the following locations:

http://79.137.227.123:8080/stat/lld.php
http://124.217.199.218:8080/stat/lld.php

This file is downloaded as test.exe and is then moved to %TEMP%\EWSUVRXTBUU.exe. It has a VirusTotal detection rate of just 2/52. According to the Malwr report this then drops a DLL with another low detection rate which is identified as Dridex. The ThreatExpert report [pdf] indicates that the malware attempts to communicate with the following IPs:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)

Recommended blocklist:
194.146.136.1
84.92.26.50
79.137.227.123
124.217.199.218

UPDATE 2014-12-10:

Another spam run is in progress, with a slightly different payload. Again, there are two different XLS files both of which are undetected [1] [2] by AV vendors and containing one of two macros [1] [2] [pastebin] which download from the following locations:

http://41.0.5.138:8080/stat/lld.php
http://217.174.240.46:8080/stat/lld.php

The file is downloaded as test.exe and is saved as %TEMP%\LNUDTUFLKOJ.exe and is the same payload as found in this attack.

Thursday, 4 December 2014

Something evil on 46.161.30.0/24 (KolosokIvan-net / Ivan Kolosok)

The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware.

In the past, this IP range has hosted various sites which have moved off. At the moment it seems to host just the following domains:

worldstocktrends.net
trackmepls.ru
casinoroyal7.ru
worldnews247.ru
clubstore29.ru
yourwebsupport.ru
countryregion.ru
chooseyourhost.ru

Active IPs are as follows:

46.161.30.16
46.161.30.18
46.161.30.20
46.161.30.20
46.161.30.24
46.161.30.41
46.161.30.42
46.161.30.43

Out of those domains, these following ones are linked with some sort of file locker malware:

casinoroyal7.ru [report]
clubstore29.ru [report]
yourwebsupport.ru [report]
chooseyourhost.ru [report]

The other domains have virtually no reference to them at all, which is somewhat suspicious.

The block as allocated as follows:

inetnum:        46.161.30.0 - 46.161.30.255
netname:        KolosokIvan-net
descr:          Net for customer ID 12510
country:        RU
admin-c:        KI811-RIPE
tech-c:         KI811-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-by:         MNT-PINSUPPORT
mnt-routes:     MNT-SELECTEL
changed:        admin@pinspb.ru 20130904
source:         RIPE

person:         Kolosok Ivan
address:        ul Lenina 19-56
phone:          +380766553642
e-mail:         kolosokivan@i.ua
nic-hdl:        KI811-RIPE
mnt-by:         KolosokIvan
changed:        kolosokivan@i.ua 20130830
source:         RIPE

route:          46.161.30.0/24
descr:          Selectel Customer
origin:         AS49505
mnt-by:         MNT-SELECTEL
changed:        korsakov@selectel.ru 20140901
source:         RIPE

There are no legitimate sites in this network range, so I strongly recommend that you block the entire 46.161.30.0/24 range.

Wednesday, 3 December 2014

Monday, 1 December 2014

Q:is sync.audtd.com a virus? A:probably not.

One of those things that makes you go "hmmm".. I kept seeing a lot of suspect looking traffic from Russian sites to sync.audtd.com, with strings like this:

http://sync.audtd.com/match/rambler/?uid=0123456789abcdef0123456789abcdef

audtd.com is parked on a Voxility IP of 5.254.113.29. I block large swathes of Voxility IP space because it has bad reputation, but it does have some legitimate customers. The domain registration details are hidden:

Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
Registry Admin ID:

However, sync.audtd.com is hosted on three completely different IPs:

148.251.87.17
148.251.81.131
148.251.81.140

These are hosted by Hetzner in Germany. Not exactly a squeaky clean network either, but they do have a lot of legitimate customers in addition to some evil ones.

Some Googling around and poking about at the very bottom of the search results reveals a possible lead in a Russian-language privacy policy [pdf] on a domain tbighistory.com. There was an English-language version that has since been deleted which read:

Privacy Policy
The Big History is an online technology company, Headquartered in the Russian
Federation. This Privacy policy relates to our technology service that our company provides
to online advertisers, web sites owners and other businesses that use our services.

OUR BUSINESS
We collect non-personally identifiable information regarding offline collected attributes and digital usage patterns of users of mobile devices and computers. In this policy, we refer to this non-personally identifiable information, together with other non-personally identifiable information that we obtain from third parties in order to influence which types of marketing messages and other content are displayed to you, as "Preference Data". We use Preference Data to prepare groups of users, referred to as "segments," based upon their behavior and preferences. We give our customers a limited right to use a user's membership in a segment as a basis for displaying advertisements and other content that are intended to reflect the user's preferences. We also collect non-personally identifiable information for other purposes: for example, to provide aggregate statistics for market research and analytics programs.

WHAT WE COLLECT
Non-PII includes but not limited to your IP host address, the date and time of the ad
request, pages viewed, browser type, the referring URL, Internet Service Provider, and your computer's operating system.

HOW WE COLLECT
We use non-personally identifiable data, including "cookies", "pixel tags," and in some
instances, statistical ID's, to collect and store Preference Data. We do not use flash cookies.
Cookies are small text files that contain a string of characters and uniquely identify a
browser. They are sent to a computer by Web site operators or third parties. Most
browsers are initially set up to accept cookies. You may, however, be able to change your
browser settings to cause your browser to refuse third-party cookies or to indicate when a
third-party cookie is being sent. Check your browser's "Help" files to learn more about
handling cookies on your browser. The Big History cookies will expire after 24 months from the date they are created.

Pixel tags are small strings of code that provide a method for delivering a graphic image on a Web page or other document. Pixel tags allow the operator of the Web page or other
document, or a third party who serves the pixel tag, to set, read, and modify cookies on,
and to transfer other data to, the browser used to view the Web page or other document.
Pixel tags may also be used to obtain information about the computer being used to view
that Web page or other document. The entity that sends the tag can view the IP address of
the computer that the tag is sent to, the time it was sent, the user's operating system and
browser type, and similar information.

INFORMATION SHARING
Collected Non-PII processes into targeting data segments, nevertheless it cannot be broken into segments of users that is small or unique enough for the users to be identified
personally.

All of the information we collect or record is restricted to our offices or designated sites.
Only employees who need the information to perform a specific job are granted access to
our data.

Collected data is processed into targeting data segments and then used by advertisers,
publishers and content providers to enhance users experience. TBH could share collected
and processed data with partners, based on that collected information could be used for
third party advertising purpose.

All of the information we share is transferring via secured protocol excluding non granted access.

OPT OUT
If you’d like to opt-out from having The Big History collect your Non-PII in connection with our Technology, please click here http://sync.audtd.com/optout. When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your Non-PII to tailor our online advertisement campaigns. Please note that if you delete, block or otherwise restrict cookies, or if you use a different computer or Internet browser, you may need to renew your opt-out choice.

CHANGES TO OUR POLICY
Our company could revise and change this website policy at any time, so we advise you to
check it periodically to always have up-to-date version.

CONTACT
If you have any questions about this website policy please feel free to contact us by email
info@tbighistory.com
Last Update: 5 September 2014

This site is called "The Big History" and it belongs to a clearly identified Russian company called Auditorius.

So, in fact Auditorius do fully spell out what they are doing in their privacy policy.. but the problem is that it isn't on the audtd.com domain itself, and rather stupidly they are using anonymous WHOIS details (plus some questionable websites). I think the lesson is that if you ARE involved in a legitimate tracking activity, then you must make sure that it is obvious and people can find out what is happening easily. If you don't people will just assume that is a virus.

Thursday, 27 November 2014

Tainted network: Crissic Solutions (167.160.160.0/19)

Several IPs hosted on the Crissic Solutions range of 167.160.160.0/19 (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness.

I analysed over 1500 sites hosted in the Crissic IP address range (report here [csv]) and many sites were already marked as being malicious by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious.

Malware is hosted on the following IPs:
167.160.165.38 [VT report]
167.160.165.39 [VT report]
167.160.165.158 [VT report]
167.160.165.159 [VT report]
167.160.165.171 [VT report]
167.160.165.172 [VT report]
167.160.165.214 [VT report]
167.160.165.215 [VT report]
167.160.166.66 [VT report]
167.160.166.67 [VT report]
167.160.166.68 [VT report]

Given the concentration of active malicious servers in 167.160.165.0/24 and 167.160.166.0/24 then I would recommend blocking you traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course, I will leave you to look at the evidence.

The following domains are being used to spread malware (new domains are being added all the time, blocking these may not be effective):
everydayfifth.biz
everydayfirst.biz
everydayfour.biz
everydaysecond.biz
everydaythird.biz
fantybrady.biz
fantybrown.biz
fantycelly.biz
fantyverko.biz
filterblowfred.biz
filterbrickpont.biz
filterglowpred.biz
filtersendcheck.biz
filtersongpreg.biz
fivejobtoday.biz
fivemegapack.biz
fourmegapack.biz
fridaynight1.biz
fridaynight2.biz
fridaynight3.biz
fridaynight4.biz
fridaynight5.biz
fridaynight6.biz
fridaynight7.biz
fridaynight8.biz
fridaynight9.biz
mondayworkfive.biz
mondayworkfour.biz
mondayworkone.biz
mondayworkseven.biz
mondayworksix.biz
mondayworkthree.biz
mondayworktwo.biz
ninemonthjet.biz
onemegapack.biz
secondmonthjet.biz
sevenjobtoday.biz
sixjobtoday.biz
sixmonthjet.biz
sundayfiveticket.biz
sundayfourticket.biz
sundaysixticket.biz
sundaytwoticket.biz
thirdmonthjet.biz
threemegapack.biz
tuesdaymorningfive.biz
tuesdaymorningfour.biz
tuesdaymorningone.biz
tuesdaymorningseven.biz
tuesdaymorningsix.biz
tuesdaymorningthree.biz
tuesdaymorningtwo.biz
twomegapack.biz
wednesdayfifthjob.biz
wednesdayfirstjob.biz
wednesdaysecondjob.biz
wednesdaythirdjob.biz
zerojobtoday.biz
zoneclickjohny.biz
zoneclickporno.biz
zoneclicksex.biz
zoneclickwindow.biz
babydomainscoolsxenons.com
babynamescoolsxenons.com
domainscoolsxenons.com
namescoolsxenons24.com
namesthecoolsxenons.com
nyparvermoligh.eu
robbulerolrom.eu
rurecranparro.eu
sitgoottinbab.eu
talonegahadti.eu
tertsinrowofthem.eu
usethethedttalhat.eu
watehorohar.eu
mvabsolutezeronotice.info
mvanchusaofficinalis.info
mvappealscourtcontrols.info
mvcalldownroister.info
mvcellulosicairforce.info
mvdaccrualairforce.info
mvdangraecumtekki.info
mvdcercidiumdeluge.info
mvdfamilytheophrastaceae.info
mvjacquemierssign.info
mvlongtimecetotalcontrol.info
mvmarasmustekkinotice.info
mvmolluskfamilynotice.info
mvpinnatifidamericancontrols.info
georgwitlhelmfriedrichhegel.us
onomustculusintercostalis.us
pearhatwthorn.us
toponytmkamarupan.us
vagabotndagetoil.us

Spam: "Telefonrechnung NTTCable November 2014"

This German-language spam leads to malware:

Von: NTTCable Europe S.A. [mailto:info@reisebuerowerther.de]
Gesendet: Mittwoch, 26. November 2014 21:15
Betreff: Telefonrechnung NTTCable November 2014

Ihre Kundennummer: 119683
Sehr geehrter Geschäftspartner,
anbei erhalten Sie die NTTCable-Telefonrechnung für den Leistungsmonat November 2014,
Telefonrechnung NTTCable November 2014.

Hinweise zum Format und der digitalen Signatur:

Ihre Rechnung ist im PDF-Format erstellt und mit einer digitalen Signatur versehen.
Somit erfüllt Ihre Rechnung alle Anforderungen des Signaturgesetzes.

Haben Sie Fragen zu Ihrer Rechnung?

Dann rufen Sie uns an. Unser Customer-Care-Team steht Ihnen telefonisch jederzeit gerne zur Verfügung.

Mit freundlichen Grüßen
Ihre Telefongesellschaft
______________________________________________
NTTCable Gruppe
Telefongesellschaft der Deutschen Industrie.
Escher Str. 19
D - 65510 Idstein
Tel: +49 0 6126 - 9 98 76 - 0
Fax:+49 0 6126 - 9 98 76 - 54
EMail: info@nttcable.de
Web: www.nttcable.de
NTTCable Europe S.A.
Registriert in Luxemburg Handelsregisternummer: B 160348
NTTCable Deutschland KG
Geschäftsführender Gesellschafter: Michael Gros
Registriert in Wiesbaden HRA 9407
NTTCable Service KG
Geschäftsführender Gesellschafter: Michael Gros
Registriert in Wiesbaden HRA 9404

In this case the link in the email goes to http://illen-beauty.ru/wp-admin/3PAbHfSM5FEma from where it downloads a file 2014_11_rechnung_1_1_000309399002.zip containing a malicious executable 2014_11_rechnung_1_1_000309399002_4884_9849_00483_00222_0039459856_29392_000000002008.exe which at the moment is quite widely detected at VirusTotal with 22/56 engines coming up positive.

The Malwr report shows that the payload is hardened against analysis, but it does show an attempted connection to 109.123.78.10 (UK2.net, UK) which might be worth looking for.

Wednesday, 26 November 2014

Spam: "Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 (Nr. 95921500725106)"

This spam leads to malware:

From:    Deutsche Telekom AG [g.dogan@idolcarpet.com]
Date:    26 November 2014 at 06:57
Subject:    Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 (Nr. 95921500725106)

Sehr geehrte Kundin, sehr geehrter Kunde,

als Anlage ist die Rechnung 7188201282 als PDF-Datei: Telefonrechnung Telekom November.

Der Gesamtbetrag im Monat November 2014 ist ausgewiesen mit: 271,02 Euro.

Mit freundlichen Grüßen,
Geschäftskundenservice

Telekom Deutschland GmbH
Aufsichtsrat: Timotheus Höttges Vorsitzender
Geschäftsführung: Niek Jan van Damme Sprecher, Thomas Dannenfeldt, Thomas Freude, Michael Hagspihl, Dr. Bruno Jacobfeuerborn, Dietmar Welslau, Dr. Dirk Wössner
Eintrag: Amtsgericht Bonn, HRB 59 19, Sitz der Gesellschaft Bonn
USt-Id.Nr.: DE 1287171
WEEE-Reg.-Nr.: 8820712

The link in the email goes to http://taxi-haarlem.com/wp-content/ajisev8X7AOkLY from where it downloads rechnung_november_2014_0003900028.zip containing a malicious executable rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe which has an icon that looks like a PDF file.

This malware has a VirusTotal detection rate of 6/55. The Malwr report shows that it is hardeded against analysis, but it does connect to the following URL:

http://162.144.106.152:8080/974aade0/d0392bb4/

162.144.106.152 has been used several times recently in this type of attack, it is a compromised server belonging to Unified Layer in the US. I strongly suggest that you block traffic to this IP.

Tuesday, 25 November 2014

What the heck is with 104.152.215.0/25?

A contact gave me the heads up to an exploit kit running on 104.152.215.90 [virustotal] which appears to be using MS16-064 among other things [urlquery].

104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer:

NetRange:       104.152.215.0 - 104.152.215.127
CIDR:           104.152.215.0/25
NetName:        QUERYFOUNDRY
NetHandle:      NET-104-152-215-0-1
Parent:         QUERYFOUNDRY-06 (NET-104-152-212-0-1)
NetType:        Reassigned
OriginAS:       AS62638
Customer:       Shanghe Yang (C05354145)
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/net/NET-104-152-215-0-1

CustName:       Shanghe Yang
Address:        707 Wilshire Blvd
City:           Los Angeles
StateProv:      CA
PostalCode:     90017
Country:        US
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/customer/C05354145

707 Wilshire Boulevard is a massive office block but I suspect that this is just an accommodation address, so there's no real lead on who this customer is.

A look at the contents of the /25 is puzzling, because I can see almost 1500 sites [csv] on a number of active IPs [txt], almost none of which have any kind of discernible web presence or reputation.

Drilling down into the domains and registrants [csv] shows a list of either Chinese or US registrants, but in the vast majority of cases they look to be fake. The key indicator is that the email addresses listed are all of a similar format and bear no relationship whatsoever to the name of the registrant.

The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet these pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France:

address:     13, rue de rohrwiller bischwiller,67240 Bas-Rhin, France 139 a
address:     67240 Bischwiller
address:     Bas-Rhin
country:     FR

It isn't a big place according to Google. I doubt if there is a Assad Sfdsadsfw, Yfdsjshfk Ynagkjhk, Qewqewq Sfwad or Poiug Pppobflgk living in that location.

Although there is not much data about the range, there are a couple of domains that are also flagged a malicious:

sxzav.xyz [Google diagnostics]
klioz.xyz [Google diagnostics]

Quite why they are flagged as malicious is a puzzle.

My personal opinion is that there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains.

Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it, alternatively these are the domains being used in this network block:

izhse.com.cn
nmfcd.com.cn
szeeo.com.cn
trfqg.com.cn
uzwqy.com.cn
ycrlru.cn
yifxu.cn
yivuu.cn
yoezuu.cn
yrmhmu.cn
yszrru.cn
yyknu.cn
bcczrvo.com
bzvod.com
cyhgeqm.com
dgudwco.com
dhidzbo.com
dhwgfub.com
dnzwafr.com
dqlivdc.com
enndmfy.com
eufxdtc.com
eugutxh.com
fprtrsz.com
fytwhsw.com
gwrvwed.com
heghsbq.com
hotkii.com
hsephqf.com
iondydc.com
jeyztjy.com
jjfnshu.com
jpkwin.com
jtgypou.com
jtvkrv.com
kudnzpq.com
lgyudpy.com
mhmzyqf.com
mhxipaw.com
mtqlgko.com
nekclhr.com
ngieznn.com
nwnfbmn.com
okjepel.com
pbqbgkd.com
pcerrxh.com
plqrwgl.com
qebywad.com
qtknjnb.com
ripyiht.com
scauyfs.com
svyqkuu.com
sxfkzgf.com
tfwvtxy.com
ubqyfht.com
uewswa.com
umremdh.com
uuyrvtf.com
vdblrqb.com
vjqmryt.com
wgsunfk.com
wubpcb.com
xjgvtvs.com
xqyvqtx.com
ypnmxpe.com
ysmryfm.com
yyxkaqs.com
zakagps.com
zbecfan.com
mudanguojiyulecheng.eu
feldo-luxury.fr
latable-brasserie.fr
lestudio-orthez.fr
limpid.fr
mariepapier.fr
mobile-prepaye.fr
piscines-spas-95.fr
taxi-saint-medard-de-guizieres.fr
thermoservices.fr
tout-com-magny.fr
vansboutique.fr
fxy101.org
fxy102.org
fxy103.org
fxy105.org
fxy106.org
fxy107.org
fxy108.org
fxy109.org
sz101.org
sz103.org
sz118.org
sz188.org
tz100.org
tz110.org
7381.pw
97897.pw
417700.pw
ccbjz.pw
cdjgey.pw
dfjglr.pw
dfojy.pw
dgkjgy.pw
dlgjt.pw
hljbjz.pw
hrbbz.pw
hzkhj.pw
jlbzj.pw
jsbzj.pw
kdjjt.pw
kjdkg.pw
lnbzj.pw
njkuy.pw
sdbzj.pw
sdjkls.pw
sdljog.pw
sjaux.pw
sldjog.pw
sxbzj.pw
sybzj.pw
szjbzj.pw
tjbyee.pw
whgiut.pw
cmslj.xyz
fdslj.xyz
fjdxz.xyz
hbdxz.xyz
hkdxz.xyz
hljdxz.xyz
hndxz.xyz
klioz.xyz
myslj.xyz
nhslj.xyz
njdxz.xyz
sxzav.xyz
tlslj.xyz
tnslj.xyz
whslj.xyz
wzslj.xyz
ycslj.xyz
yqslj.xyz
yyslj.xyz
zwslj.xyz

Monday, 24 November 2014

MyFax message from "unknown" spam leads to poorly-detected malware

Fax spam again. How quaint. This spam appears to come from the person receiving it (which is an old trick).

From: victim@victimdomain.com
Sent: 24 November 2014 15:31
To: norep.c@mefax.com
Subject: MyFax message from "unknown" - 3 page(s)

Fax Message [Caller-ID: 1-407-067-7356]

http://159593.webhosting58.1blu.de/messages/get_message.php

You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.

* The reference number for this fax is chd_did11-14186364797-10847113200-628.

View this fax using your PDF reader.
Thank you for using the MyFax service!

The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to the following URLs:

http://95.211.199.37:16792/2411us3/HOME/0/51-SP3/0/
http://95.211.199.37:16792/2411us3/HOME/1/0/0/
http://lasuruguayas.com/images/refus3.pnk

A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54. The Malwr report is here.

Saturday, 22 November 2014

Oplamo Herbal Root scam

As far as I can tell, there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.

From:    Mr. Tom Good Hope [mrtomgood@gmail.com]
Reply-To:    mrtomgoodhope@gmail.com
Date:    22 November 2014 02:24
Subject:    SUPPLY BUSINESS OF OPLAMO

My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company.

I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase.

OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD,while they supply to our company at the rate of $430 USD.

Recently i got the contact information of a local producer in India that preserve {OPLAMO} herbal root to the quality our company needs for production and i came to know that this product can be purchase at rate of $280 US dollar per sachet in India.

Note that i can not release the contact information of the local producer easily to anybody that can not follow up with guidelines on how to make this supply on this first supply,because if any mistake occurs and my company finds out that i'm involve in given information to someone to supply this product to them they will consult a legal petition against me and i can not go to India to buy and supply this product to our company because i do not have money to handle this business and i don't want to release this information to our company management.

Our company buys 3000 sachets (each sachet contains 5 grams),but on the first order with any producer they want to give a trial order of 300 or 500 sachets and payment method for this first order is COD- cash on delivery, upon their satisfaction on this first order they would be making payment on T/T in advance.

Please read this business proposal very well before you reply me,if you can not handle this business according to my guideline its better you don't reply me,because i want you and i to be on safer side in this transaction.

Upon your reply i will clarify you more on how to start this business immediately,please drop your contact phone number for me to be able to contact you ASAP.

Thanks,

Mr Tom Goodhope

Company Secretary

mrtomgoodhope@gmail.com

"Tom Goodhope" sounds more Nigerian than British, but the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost.com] in the US.

Given that all the search results I can find for "Oplamo Herbal Root" or "Oplamo Root" seem to be similar scams, I would suggest that this doesn't even qualify as snake oil and I would give it a very wide berth.

"Ihr Zahlungsauftrag - 41401236123" spam

This German-language spam leads to malware.

Von: Sparkasse IT AG [mailto:assistant@fourmusic.com]
Gesendet: Freitag, 21. November 2014 15:03
Betreff: Ihr Zahlungsauftrag - 41401236123

Der Auftrag wurde entgegengenommen.
21. November 2014, 02:02:17 Uhr

Sie haben eine Zahlung über 2735,15 EUR an Miss Elita Zirne veranlasst.
Wir haben die Sparkasse über die Versandbereitschaft des Artikels in Kenntnis gesetzt. Weitere Details zu diesem
Vorgang:
2014_11_Sparkasse_details_4543735454333.zip.

In this case the link goes to agromark-bimsa.com.ar/VR7wkx13 where it downloads a file 2014_11_transaktions_id_000000039190.zip which in turn contains a malicious executable 2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe which has a VirusTotal detection rate of 14/55.

Automated analysis tools [1] [2] [3] are not particularly revealing, but similar recent malspam runs have been linked to Geodo.

Friday, 21 November 2014

StockTips.com spam.. or Joe Job?

When I saw this StockTips.com spam, I assumed that it was a pump-and-dump scam.

From:    StockTips.com
Date:    21 November 2014 07:58
Subject:    Sign up now

StockTips

Want to make money with stocks?

Sign up at http://www.stocktips.com/ for a small monthly fee only.

© 2001-2012 StockTips.com. All Rights Reserved.
StockTips.com is operated by Amerada Corp

Here is another version of the body text:

StockTips

Stock Tips Delivered to your Inbox!
Stock Tips is the #1 stock alert service... As always membership is 100% FREE!

Sign up now!

The spam was sent to an account that often receives pump-and-dump spam, and it has never signed up for anything like this. The most likely source for the email address in question is from the virus-infected computer of a contact.

So what is this? A virus? There's nothing malicious about this email. A Joe Job? Well, I've had a LOT of these, and even the most stupid email marketer tend not spam the same recipients over and over again. So perhaps it is a Joe Job.

IP address analysis

The IP addresses used to send the spam seem to be a mix of compromised PCs and servers, possibly forming part of a botnet. Legitimate companies don't use this kind of technique (obviously), but even real companies that do send spam tend to find a proper web host somewhere. This is another indicate that it might be a Joe Job.

62.143.125.49	Unitymedia, Germany	Project Honeypot shows that it has only been used for spam quite recently. It looks to be a server rented from a legitimate company, although obviously for illegitimate purposes. Possibly the server has been compromised.
188.66.76.4	Gamma Telecom, UK	Project Honeypot shows just how spammy this IP is. And it has been used for stock spam in the past as well, which indicates this is not a one-off. It looks like this may be a compromised server.
80.38.8.21	Telefonica de Espana SAU, Spain	Resolves as 21.Red-80-38-8.staticIP.rima-tde.net, so a static IP rather than a DSL connection. Project Honeypot says that it used to be used for spam some time ago but has been clean for a long time.
88.156.185.92	Vectra S.A., Poland	Description is "Vectra Broadband Users" which indicates a DSL or cable connection. Project Honeypot has no data.
187.94.214.35	Feliz Acesse Comunicacao Ltda, Brazil	No data on this, could be a domestic IP address.
79.180.189.55	Bezeq International Ltd, Israel	Appears to be a domestic broadband user.
78.187.242.217	TurkTelekom, Turkey	ADSL subscriber
176.94.67.198	Arcor AG, Germany	Arcor / Vodafone DE business customer.

What about StockTips.com itself?

StockTips.com is a snazzy looking site..

But there is not one single piece of information that identifies who runs it, except for a reference to Amerada Corp which is also mentioned in the spam email. The WHOIS details for the domain are also hidden, so it is impossible to determine who actually owns the site.

A search for "Amerada Corp" comes up with nothing except that it is a former name of Hess Corporation who are clearly nothing to do with this.

Scrolling down the page gives a clue as to what this might be about..

A $37 signup fee? No thanks.. but it says it is a one time fee but the spam says a monthly fee. That's inconsistent. Another indicator of a Joe Job? Perhaps.

Something else caught me eye.

HAIR was the subject of a massive pump-and-dump spam run last year. After StockTips.com recommended HAIR in May of 2012, the share price basically fell off a cliff.

Hmmm.

A bit of Googling around shows a lot of negative comment about StockTips.com. There are some accusations that I have not been able to verify that they are involved in paid stock promotions for the penny stocks that they list.

The Penny Stock market has a lot of legitimate players, but there are also a lot of people who try to manipulate the market for their own gains. It is possible that StockTips.com has clashed in some way with the sort of people who run pump-and-dump scams, and they have decided to take their revenge by creating this fake spam run.

Perhaps if you have some experience with this outfit, you would like to share it in the comments? Note that all comments are owned by the people posting them.

"Duplicate Payment Received" spam from "Enid Tyson" has a malicious DOC

This fake financial spam has a malicious Word document attached.

From:    Enid Tyson
Date:    21 November 2014 15:36
Subject:    INV209473A Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks

Enid Tyson
Accounts Department

In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro [pastebin] which connects to the following URL:

http://79.137.227.123:8080/get1/get1.php

I only have one sample at the moment, there are probably other download locations, the This then downloads a file test.exe which is saved to %TEMP%\VYEJIUNSXLI.exe.

This has a VirusTotal detection rate of just 1/55. The malware is hardened against analysis in a Sandbox so automated results are inconclusive [1] [2] [3] [4].

UPDATE:
A second version is going the rounds, with zero detections and a download location of

http://61.221.117.205:8080/get1/get1.php

A copy of the malicious macro can be found here.

Something evil on 46.8.14.154

46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort.

The following subdomains have been active on that server, they are ALL hijacked GoDaddy domains:

band.animagraphic.net
casual.animagraphics.org
emissions.usanicotinebiz.com
family.animagraphics.com
format.animagraphics.net
george.animagraphics.net
hunger.usanicotinenow.com
indictment.animagraphic.net
interest.animagraphics.org
keeps.animagraphics.net
nearest.zeezoarticles.com
overwhelmingly.ecigvv.com
revolt.animagraphics.biz
south.animagraphics.com
tests.animagraphics.net
textile.animagraphics.org
this.animagraphics.net
transplant.madvapor.com
floatingtpoint.vzeliquid.com
delivering.animagraphics.biz
week.animagraphics.biz
speaks.animagraphics.biz
automobile.animagraphics.biz
herself.vvmod.com
obtained.vzmod.com
unixtbased.ecigvv.com
transplant.madvapor.com
metric.animagraphics.com
norway.animagraphics.com
plays.nicotinegiant.com
majority.usanicotinenow.com
underground.usanicotinenow.com
o.animagraphic.net
costs.animagraphic.net
illinois.animagraphic.net
rape.animagraphics.net
usable.animagraphics.net
presents.animagraphics.net
upper.hotzonenow.com

Domains spotted so far with malicious subdomains:

animagraphics.org
usanicotinebiz.com
animagraphics.com
animagraphics.net
usanicotinenow.com
zeezoarticles.com
ecigvv.com
animagraphics.biz
madvapor.com
vzeliquid.com
vvmod.com
vzmod.com
madvapor.com
nicotinegiant.com
hotzonenow.com

The best thing to do is to block traffic to 46.8.14.154 because these domains seem to change every few minutes.

Tuesday, 18 November 2014

"INCOMING FAX REPORT" spam, let's party like it's 1999

Hang on, I think I need to load some more papyrus into the facsimile machine, the 1990s are back!

From:    Incoming Fax [no-reply@efax.co.uk]
Date:    18 November 2014 13:16
Subject:    INCOMING FAX REPORT : Remote ID: 766-868-5553

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

http://mrconsultantpune.com/dropbox/document.php

*********************************************************

This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes these following HTTP requests:

http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/
http://108.61.229.224:13861/1811us1/HOME/1/0/0/
http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg

It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.

Recommended blocklist:
108.61.229.224
159593.webhosting58.1blu.de

Monday, 17 November 2014

"Test message" spam plague continues..

This plague of spam "test messages" have been going on for two days now, probably sourced from "Botnet 125" which sends most of the spam I get. These messages are annoying but no harmful in themselves, I suspect they are probing mail servers for responses.

If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.

From: Hollie <Laurie.17@123goa.com>
Date: 17 November 2014 19:04
Subject: Test 8657443T

test message.

Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard.

----------

From: Bethany <Toney.b0c@tbmeca.pl>
Date: 17 November 2014 20:00
Subject: Test 513081H

test message.

George Washington's existing building was constructed in 1960 and has had many renovations since its opening. His parents ran a restaurant, but his father emigrated to South America and never returned.
From 1971 to 1975, he was head of the Semiconductor Electronics Research Department. AIDS, which marked one of the most painful parts of Blotzer's life.

----------

From: Lilly <Glenn.75@ottcommunications.com>
Date: 17 November 2014 19:18
Subject: Test 547004K

test message.

On its full length, it passes through 14 provinces of Turkey. During the night, Dudu develops a cough and in the morning he is rushed to a local hospital.
The regular season was won by the Sevilla FC Puerto Rico, which became the first team to win two regular season cups. Letter to the World Narcotic Defense Association.

----------

From: Eddie <Darwin.87@satfilm.net.pl>
Date: 17 November 2014 19:20
Subject: Test 769978N

test message.

District 16 in the upper chamber. These allegations were followed by a long investigation of the convent that caused much inner strife amongst the nuns.
The teams alternate turns on who will pick first depending on the night. Bellona's report on RTG lighthouses.

----------

From: Alba <Young.69@discoverwhitewater.org>
Date: 17 November 2014 20:18
Subject: Test 7900710A

test message.

DR B1 and DQ B1 polymorphisms in patients with coronary artery ectasia. The Thames at Brentford.
Chi world GNI percapita. Little known gems are unearthed.

----------

From: Neal <Nichole.23b@business.telecomitalia.it>
Date: 17 November 2014 19:03
Subject: Test 974193J

test message.

It is a very good preparation for further studies in law, literature and linguistics. IPSC and USPSA provide for two power factors, major and minor.
Lake Agassiz can also be seen today. He threatened her, saying that if she told anyone, he would kill her too.

----------

From: Sabrina <Ross.68a@213-5-41-251.bestgo.pl>
Date: 17 November 2014 19:17
Subject: Test 685552L

test message.

The episode starts with girls comments about Alyona's leaving. US 52 leaves the highway here.
Cwmgors Community Centre by Aberdare Blog. Darcy invites Spinner over after she finishes packing for summer camp so they can spend time together before she leaves.

----------

From: Debora <Raquel.6b8@mmgphotographystudio.com>
Date: 17 November 2014 20:22
Subject: Test 409258E

test message.

Combined with manual transmission, these cars were often used as drag racers due to their light weight. A break in his health led to his retirement in 1920.
The company milled lumber and ground flour. Improving the existing headroom under the bridge from 3.

Interfax "Failed Fax Transmission" spam comes with malicious .DOCM file

This fake fax spam comes with a malicious attachment

From:    Interfax [uk@interfax.net]
Date:    13 November 2014 20:29
Subject:    Failed Fax Transmission to 01616133969@fax.tc<00441616133969>

Transmission Results

Destination Fax: 00441616133969

Contact Name: 01616133969@fax.tc

Start Time: 2014/11/13 20:05:27

End Time: 2014/11/13 20:29:00

Transmission Result: 3220 - Communication error

Pages sent: 0

Subject: 140186561.XLS

CSID:

Duration (In Seconds): 103

Message ID: 485646629

Thank you for using Interfax
E-mail: uk@interfax.net
Home page: http://www.interfax.net

Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysis this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe

This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:

http://84.40.9.34/lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E

It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53.

If you are a corporate email admistrator they you might consider blocking .DOCM files at the perimeter as I can see no valid reason these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.

Friday, 14 November 2014

Dear spammers.. alotbqobutarkwqechsdovmzfwa to you too.

Dear spammers,

Sending links out like this to drive people to your fake meds site does not work.

From: Tudu [tudu@tin.it]
Sent: 15 November 2014 03:42
To: bernie@nternet.net
Subject:

https://www.google.com/#&q=alotbqobutarkwqechsdovmzfwa&btnI=qysawyt

Even if you stuff your page with what you think are unique keywords such as:

njhzxtfnpvcqgoyuayuhvtsi

dcyfwfcuiahjrifjmpxwlshj

crulbvxcm

ejerwja

uxsiyulmkggsnwjdsujrq

srpxkpnrzupqgfwzlkqonlhhrsk

fcgfsrlomywpykhasppybuen

svsoyteg

yuezkbmsqyhpsicqslrwhvcru

scveevyvstumdryosftulvn

ocwpikfchbarwqinqdrorqiufsqp

alotbqobutarkwqechsdovmzfwa

esbmoulaj

xfshvrgaeckuzhosymxzccjplpcwg

ywifvjeikl

qfwtytmfeeqzf

aaosxoqtdcduwycjhyannf

ybyqgfztbadtwbrvwhypbdjs

xiitpggczmb

nsjgtbsklpwpldu

zvgpumys

pthnpdo

xaorfzpfgviomnbrcbasmfoormsr

gxascwhwfbjdmpcgdey

ykqlnxzt

tdcgedlfvlleuyqn

mgoozaxm

mlrbtiyhpqdwthpdiqgvwkq

uhcjljmguohkmywgylmin

coxmfzumeftmqfczjvnols

sitlhrcwzueprwfyxv

ntxaawsgvdinzyhiylfdgd

nvhwjvqwcxkovoitkxfkjbttfvr

yimclbkcepmqhiec

ebhnypr

oezgaikkapwzthzkfbrtrowmu

xyejkdaxhc

iixpkiijdgrkvqrkngpmxrfwohwvr

amgfgmedyl

cqqbjakpkepaje

hmibwgcdexsm

rjmiavdxujexjktnmtp

kvqthzutebojwnzpzvzhzbrfcb

saeelzoemfcahrlzyllnugbwze

jvnfagrti

lvdycqtozmiwphqmpa

pufhpiotdvdimlsp

cimbmhkagoxnbaxngvxyfcrtlcnxc

qbnuhspjgqawxrf

jbhbhyqkurdqgktvvs

frcmtegacgvxqshruzeakhxfzxq

dtctnrkgwwvdg

ajtnchnawtnrtnlvkxho

yjyhzpenvqmgibef

masyqrwqslofd

khcldmiexfrrruq

fvqadsbhetodzgqvywuxtowhwa

ungrhogqrabqwzrajtjpomvcirxkfp

nncneijcvcwwnyxxgowjvvm

olwdtxqggnsudjtzhyt

mhxmtdnkzseiiizpzmwjnpwtppp

sihsozhgbpybvanyfrfttlk

tkbjkzpdpyvylkon

mmgaklau

jtenvfqsybmghjcabaeetj

fmjcfqmjzstssznbgdpqwaoc

lhedbliildq

qivwguigzmcwkdpezdds

wllbbhjyrditsxzlunskabhqiedg

niazkntdfyoncfgyzq

ndwbqjjtbaoqgegxo

ahjznanwpcmcpvrnsbmtxrssavfv

gmgxhwptdawtd

abwwkrykctoaywhhwrjofirpjfss

oaxhwkodgnvmtmd

dkligclavpa

nsrquhibivbijwvgutozsh

zhwsicrhehejyxggffcsebodxtpgtf

ckrsugdugtefqlebtixupguhdcnmlx

hitsfbk

dilvysgqresg

uqeguta

xuivhwgnruxgnnyrilaxwkqnfv

xuafdrsacr

rkwxzzrmerkcyllbw

qtvzkfzcfzukksxfnrmp

xhkldsr

clavwtpoujkmtbvmrhvqn

oqszjgojzeqfijbpgvnhuqfck

cuszgksdz

czgukflpmspirlhvejmwwojwzgfhh

zafgbpytcoehgeyfhwktqcwhpk

zboupfxmctek

upmihrmqu

odtiuxpysrcozahkrvcr

rkqfakqcwjwrks

ycxkfqyydheisfwydapfrkraur

wzunqlutibfsrrgxmnlqtevs

vlsealvrrvboe

asglyylkuscbammxtkdxornguidnd

ytkcijrfpvj

qaqjzhlprprjivzyrhpvhmenkzj

ojgtgpajla

lbccjwlyrwxd

rolpcaytfijigoogljgzow

zvclpenmm

owitfuirvwlzz

mitjvykqxhkkxirgzegyiddtj

oabwjyjkrcbqxzzp

auzidohkvsthbpduiakqn

rvthoowlmrpkyvpijbidoamdaonie

rybberhm

rybuxcxehxiardpehok

xwisbggcwxopkjyhpjq

dhnebpfvpmpktdm

nuowacsgolfcqvoohuasktwnyw

ovxzcmcf

ueqakehjhnpdajljlxn

lehmezqstjowkzzykxgnvqzli

kkiwyqlemxuksrbodhnyglijwcoml

yduzveynpyktsewzrpqblaw

flnxsjbelopudwaiuxod

lbpwduzwwcoipfxqsgccnxjaoukgua

rktlnsorbpfjgjqhq

xnyezxt

nqkqmewjrjiqckuaf

vvbmbwfovoff

iogxxkdqq

ftcndjjdx

glbhxwhj

fxjocyuhsedsntabgoo

uokhkuqvwrxrpijbdxfw

..it isn't going to stop awkward bastards like me from hijacking your search results.

[FYI.. I did not send out the spam you clicked. Somebody sent out a spam advertising a fake meds site healthshdweb.com - I am merely hijacking their attempts to direct people to the site through superiour search engine optimisation]