Spam: "Localizan a los 43 estudiantes desaparecidos en Ayotzinapa"

This Spanish-language malware spam comes with a malicious attachment.

From:    El Universal
Date:    16 December 2014 at 09:06
Subject:    Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Hoy 16 de diciembre del 2014 por la madrugada, agentes de la Policía Ministerial de Guerrero
han localizado con vida a los 43 estudiantes, desaparecidos el dia 26 de septiembre del 2014.

Para ver imágenes exclusivas del reencuentro de los estudiantes con sus familias, y las condiciones en que
vivieron durante su secuestro, anexamos un documento en este correo electrónico en formato Microsoft Word.


El Universal © todos los Derechos Reservados  2014.

This translates roughly as:

Located at 43 students missing in Ayotzinapa.

Today December 16, 2014 at dawn, agents of the Ministerial Police Guerrero
have been located alive at 43 students, missing the day September 26, 2014.

To view exclusive footage of the reunion of students and their families, and the conditions under which
They lived during his abduction, we attach a document to this email in Microsoft Word format.


The Universal © All Rights Reserved 2014.

This email relates to the kidnapping and possible murder of 43 Mexican students which has been blamed by some on the Mexican Police.

The Word document contains a malicious macro, and detailed instructions for the victim on how to disable the inbuilt security to enable it to run.

Once this has been done, the malicious macro [pastebin] runs. This attempts to download a file from:

http://www.milusz.eu/templates/default/00/ss.exe

At the moment, this download location is coming up with a 404 error. If the download were to work, it would save the file as %TEMP%\ test00010.exe. The Word document has a moderate detection rate of 10/54.

This type of malicious spam has been around for a long time, and this particular technique seems to be exclusively in Spanish, I have never seen this attack in English or any other language.

Malware spam: UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" [roughandtumble63@yahoo.co.uk]

This somewhat odd and terse spam comes with a malicious attachment.

From:    UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" <roughandtumble63@yahoo.co.uk>
Date:    17 December 2014 at 07:20
Subject:    Invoice as requested

There is no body text, but there is an malicious DOC attachment named 20140918_122519.doc which come in two slightly different versions with poor detection rates [1] [2]. The macros have been subtly changed from recent spam runs [1] [2] [pastebin] and download a second stage from one of the following locations:

http://openstacksg.com/js/bin.exe
http://worldinlens.net/js/bin.exe

This malicious executable is saved as %TEMP%\ADGYMSEKRJE.exe and has a detection rate of only 2/54.

Is is common with recent similar malware attempts, it attempts to phone home to 74.208.11.204 (1&1, US) as shown in the ThreatTrack report [pdf]. The Malwr report indicates a dropped file with an MD5 of ee826c184155a1fa1aea984f914e606a which is probably Dridex.

Malware spam: IFS Applications / vitacress.co.uk / DOC-file for report is ready

This fake payment advice spam is not from Vitacress but is a forgery with a malicious Word document attached.

From:    IFS Applications [Do_Not_Reply@vitacress.co.uk]
Date:    15 December 2014 at 07:49
Subject:    DOC-file for report is ready

The DOC-file for report Payment Advice is ready and is attached in this mail.

Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contain one of two malicious macros [1] [2] [pastebin] that download a malware binary from one of the following locations:

http://gv-roth.de/js/bin.exe
http://notaxcig.com/js/bin.exe

This file is saved as %TEMP%\DYIATHUQLCW.exe  and is currently has a VirusTotal detection rate of just 1/52.

The ThreatExpert report and Malwr report shows attempted connections to the following IPs which have been used in many recent attacks and should be blocked if you can:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)

The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet.

UPDATE 2014-12-16

A second wave of spam is in progress with a pair of new malicious Word documents with low detection rates [1] [2] containing new macros [1] [2] that download a malicious file from the following locations:

http://finepack.co.in/js/bin.exe
http://loneleaf.ca/js/bin.exe

This file is saved as %TEMP%\TQWTGECOROR.exe and it currently has a detection rate of just 1/54. The Malwr report shows it posting to 74.208.11.204 yet again, although it does not show the dropped Dridex binary that I would expect to see.

wavecable.com "Order - R58551" spam

This fake invoice comes with a malicious attachment.

From:    kaybd2@wavecable.com
Date:    12 December 2014 at 17:17
Subject:    Order - R58551

Thanks for placing order with us today! Your order is now on process. Outright Purchase: 6949 US Dollars Please click the word file provided below to see more details about your order. BILLING DETAILS Order Number: ZJW139855932 Purchase Date: 13.07 11.12.2014 Customer Email: info@[redacted]

Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56 on VirusTotal. That contains this macro [pastebin] which downloads an executable from:

http://www.2fs.com.au/tmp/rkn.exe

That has a VirusTotal detection rate of 5/55. The Malwr report shows HTTP traffic to the following URLs:

hxxp://5.187.1.78/
hxxp://46.250.6.1/yQ0rNl=kQUO%2C/Uy.%20%206vPh/sGiK2LtSiX75BirV=%3DyaE%2D0jZ5/
hxxp://46.250.6.1/QO&KN@tZOvZ%2Ba/JW/wI%20%3FqZCSz&CH
hxxp://46.250.6.1/lgXM77$&N~/fn0R&OPvY/0%26EySg.2
hxxp://46.250.6.1/BJHWvUNBFb%7E8FS7%20/ku_%2CLOZC/%3DA%26S@R%2CRsl
hxxp://46.250.6.1/hjr5mo3/Jx%2C%3DKciOwsc0h.ICAQCFqbLFj6Q6bvtk&2/%3F%2DcG~k1R%2Cfu%2Djty&Kch2t~I
hxxp://46.250.6.1/1o26ZIXNlEyK/68G%2DvlteIkwiQ~WG%2C9/qFcRXJ9%24FHkr
hxxp://46.250.6.1/ISTfN%3D%2BpR6z/sV3sFy=/&rwxy/8
hxxp://46.250.6.1/fBuw/4%241PoLX5P=ThT4Hyzu/wbkj9q/zTt
hxxp://46.250.6.1/StKeINKIun6v$l0%2478bpb=1.8S%2B/q~S%2BcrS%24F%24y/@HA%2B7e%7EK%2Bp1HeQ3l_Qlc/L
hxxp://5.135.28.106/riBmIaB8bRi/sb1VvM/U=_=/PPa
hxxp://46.250.6.1/fCBz41ytqa.%2DjS8cj_rj=m%2Dzuxyr/lcvsbBxg%2Dsx%2DfS/%3D7lus%3F7e%3D%2D2.ou61s~
hxxp://46.250.6.1/zkzwh6f08q+e%2Dj%26rf.21/96ih%2D4.lhse8%20x8kgn%2B/59f3%7Ef+j%7Es%3D=w%2C+z91o
hxxp://46.250.6.1/yw1oy1pkp2+f%20au%26p@%2D/fmqyfl=zerhywesazsz2&s%2C%24%24%2Csv@k=+sqvs%3F%7Ep/

The ThreatExpert report shows POSTing to 209.208.62.36:8080

Combining some extra lookup in the Malwr report indicates that these following IPs are suspect:

209.208.62.36 (Atlantic.net, US)
5.187.1.78 (Fornex Hosting, Germany)
46.250.6.1 (Briz, Ukraine)
5.135.28.106 (OVH, France)
66.213.111.72 (Ohio Public Libraries, US)
95.211.188.129 (Leaseweb, Netherlands)

A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.

Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129

"UK Fuels E-bill" (ebillinvoice.com) spam

This fake invoice comes with a malicious attachment:

From:     invoices@ebillinvoice.com
Date:     11 December 2014 at 08:06
Subject:     UK Fuels E-bill

Customer No :           35056
Email address :         [redacted]
Attached file name :    35056_49_2014.doc

Dear Customer

Please find attached your invoice for Week 49 2014.

In order to open the attached DOC file you will need
the software Microsoft Office Word.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely

Customer Services
UK Fuels Ltd



======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================

This spam is not from UK Fuels Ltd or ebillinvoice.com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors. This downloads a file from the following location:

http://KAFILATRAVEL.COM/js/bin.exe

This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56 at VirusTotal.

The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you block this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55.

UPDATE 2014-12-12

Another spam run pushing this is in progress, with two different Word attachments seen so far (all called  35056_49_2014.doc. These are currently undetected by AV vendors [1] [2] and contains two slightly different macros [1] [2] [pastebin] that then attempt to download a binary from one of the following locations:

http://imperialenergy.ca/js/bin.exe
http://jnadvertising.com/js/bin.exe

This is then saved as %TEMP%\RPDWVRNDBGX.exe. This executable is malicious but has a VirusTotal detection rate of just 2/56. The ThreatExpert report shows connections to:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)

Both these IPs have been seen before and are definitely worth blocking. According to the Malwr report, this executable drops a DLL widely identified as the Dridex banking trojan.

Spam: "Remittance Advice from Anglia Engineering Solutions Ltd"

This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.

From:     Serena Dotson
Date:     10 December 2014 at 10:33
Subject:     Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.


Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd
Tel: 01469 520572

The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but are undetected by any AV product [1] [2] which contains one of two malicious macros [1] [2] [pastebin] which attempts to download an executable from the following locations:

http://217.174.240.46:8080/stat/lld.php
http://187.33.2.211:8080/stat/lld.php

This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows attempted connections to the following IPs:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)

Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic.

The payload is most likely Dridex, a banking trojan.

I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201
217.174.240.46
187.33.2.211

Something evil on 5.196.33.8/29

This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.

Specifically, VirusTotal lists badness on the following IPs:

5.196.33.8
5.196.33.9
5.196.33.10

There are also some doubtful looking IP addresses on 5.196.33.15 which may we have a malicious purpose.

All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.

Recommended blocklist:
5.196.33.8/29
jipwoyrnopwa.biz
kospoytrw.biz
belligerentladybug.com
hoplofrazoore.com
joptraeazalok.com
kiogosphwuysvx12.com
nelipraderson3.com
aderradpow.in
akojdurczopat.in
amoptrafnoger.in
apo83ggacer.in
apowiurbera.in
asdlpoqnoosgteer.in
asdpqwoieu12.in
asdqpwcya2.in
ashcytiqwer.in
askio2iytqrefa.in
asnodp3booztrea.in
azlaowumoa.in
blomcreaters.in
bvioplorazeno.in
bvopqcawea.in
bxpqy7everas.in
bzoapitradetn.in
cnertazootreas.in
coiqpyteramed.in
foksatboks3.in
golhahorsea.in
greolkopanx9.in
hiapwjertas.in
hokayreenols.in
jonofogolor.in
kiaowqptrea.in
koapnoxopaiuw72.in
kutradopretano98.in
lapouiqwg28.in
loatu27amop.in
looperfter4.in
mozgyterfaopetr.in
mxopa3ieravuk.in
nioapowedrakt.in
nitreamoptec.in
nloopboobs.in
npcowytrar.in
nxaopautrmoge.in
opqertasopma.in
poltraderano.in
sapertzalofasmo.in
vjogersamxe.in
vokjotreasmo.in
xboapvogtase.in
xnaiojipotram.in
xnaioqowhera.in
ywusbopa63a.in
zbtywraser.in
gpjfwsznuhdjgzwg.com
zntddwqtteq4.com

Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant ID:WIQ_27860746
Registrant Name:Gennadiy Borisov
Registrant Organization:N/A
Registrant Street1:ul. Lyulyak 5
Registrant Street2:
Registrant Street3:
Registrant City:Varna
Registrant State/Province:
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:yingw90@yahoo.com

"Soo Sutton" / "INVOICE 224245 from Power EC Ltd" spam

Another variant of this spam, this fake invoice comes with a malicious Word document attached.

From:     soo.sutton966@powercentre.com
Date:     8 December 2014 at 10:57
Subject:     INVOICE 224245 from Power EC Ltd

Please find attached INVOICE number 224245 from Power EC Ltd

Attached are one of two Word documents, both with the name 224245.doc but with slightly different macros. Neither are currently detected by any AV vendors [1] [2]. Inside the DOC is one of two malicious macros [1] [2] [pastebin] which then downloads an executable from one of the following locations:

http://aircraftpolish.com/js/bin.exe
http://gofoto.dk/js/bin.exe

This file is then saves as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)

According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53.

Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish.com
gofoto.dk

UPDATE 2014-12-09:

A further couple of variants are being spammed out, both with low detections by VirusTotal [1] [2] and containing one of two malicious macros [1] [2] [pastebin] which down,loads from the following locations:

http://kawachiya.biz/js/bin.exe
http://darttoolinc.com/js/bin.exe

This is then saved as %TEMP%\YVXBZJRGJYE.exe and is presently undetected by vendors. The Malwr report and ThreatExpert report vary slightly, but both show traffic to the same IPs are before. The Malwr report also indicates that a DLL is dropped with a detection rate of 4/52 which is identified as the Dridex trojan.

Recommended blocklist:
203.172.141.250
74.208.11.204
 kawachiya.biz
 darttoolinc.com

"Mathew Doleman" / "lightmoorhomes.co.uk" spam comes with a malicious Word document

This spam came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.

From:     Mathew Doleman [order@lightmoorhomes.co.uk]
Date:     5 December 2014 at 08:32
Subject:     Order no. 98348936010

Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.

Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB

Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)

Best regards,
Sales Department
Mathew Doleman
+07966 566663

The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors. Some investigation shows that it contains a malicious macro [pastebin].

The macro downloads a file from http://hiro-wish.com/js/bin.exe which is completely undetected by any AV vendor at present. According to the internal data, this is a Windows Media Player component although the compile date is today so this seems unlikely.

Developer metadata

Copyright

© Microsoft Corporation. All rights reserved.

Publisher Microsoft Corporation

Product Microsoft® Windows® Operating System

Original name wmadmod.dll

Internal name wmadmod.dll

File version 11.0.5721.5145 (WMP_11.061018-2006)

Description Windows Media Audio Decoder

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2014-12-05 06:30:06

Entry Point 0x00006460

Number of sections 3

The ThreatTrack report and ThreatExpert report indicate traffic to the following locations that you wouldn't expect a legitimate MS application to call home to:

74.208.11.204 (1&1 Internet, US)
203.172.141.250 (Ministry of Education, Thailand)

The VirusTotal report shows it phoning home t:

46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)

Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish.com

"K J Watking & Co" fake Remittance Advice spam

This fake remittance advice spam has been hammering my inbox this morning. It uses randomly generated sender names but has a consistent fake company name of K J Watking & Co which is very close to a legitimate firm K J Watkin & Co who have nothing to do with this.

The spam comes with an Excel spreadsheet which contains a malicious macro.

Some sample spams are as follows:

From:     Brenton Glover
Date:     5 December 2014 at 07:20
Subject:     Remittance Advice for 430.57 GBP


Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co


================

From:     Reba Fletcher
Date:     5 December 2014 at 08:23
Subject:     Remittance Advice for 520.60 GBP


Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Reba Fletcher
Senior Accounts Payable Specialist
K J Watking & Co

================

From:     Jennifer Copeland
Date:     5 December 2014 at 07:36
Subject:     Remittance Advice for 866.73 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Jennifer Copeland
Senior Accounts Payable Specialist
K J Watking & Co

================

From:     Tia Maddox
Date:     5 December 2014 at 07:33
Subject:     Remittance Advice for 539.99 GBP


Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Tia Maddox
Senior Accounts Payable Specialist
K J Watking & Co

================

From:     Weston Martinez
Date:     5 December 2014 at 08:33
Subject:     Remittance Advice for 248.65 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Weston Martinez
Senior Accounts Payable Specialist
K J Watking & Co

================

From:     Reva Morgan
Date:     5 December 2014 at 08:17
Subject:     Remittance Advice for 649.39 GBP

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Reva Morgan
Senior Accounts Payable Specialist
K J Watking & Co

The Excel attachments have random names such as BAC_0577719P.xls or BAC_581969Q.xls. So far I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2].

Each spreadsheet contains a different but similar malicious macro [1] [2] [pastebin] which then download a binary from the following locations:

http://79.137.227.123:8080/stat/lld.php
http://124.217.199.218:8080/stat/lld.php

This file is downloaded as test.exe and is then moved to %TEMP%\EWSUVRXTBUU.exe. It has a VirusTotal detection rate of just 2/52. According to the Malwr report this then drops a DLL with another low detection rate which is identified as Dridex. The ThreatExpert report [pdf] indicates that the malware attempts to communicate with the following IPs:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)

Recommended blocklist:
194.146.136.1
84.92.26.50
79.137.227.123
124.217.199.218

UPDATE 2014-12-10:

Another spam run is in progress, with a slightly different payload. Again, there are two different XLS files both of which are undetected [1] [2] by AV vendors and containing one of two macros [1] [2] [pastebin] which download from the following locations:

http://41.0.5.138:8080/stat/lld.php
http://217.174.240.46:8080/stat/lld.php

The file is downloaded as test.exe and is saved as %TEMP%\LNUDTUFLKOJ.exe and is the same payload as found in this attack.

Something evil on 46.161.30.0/24 (KolosokIvan-net / Ivan Kolosok)

The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware.

In the past, this IP range has hosted various sites which have moved off. At the moment it seems to host just the following domains:

worldstocktrends.net
trackmepls.ru
casinoroyal7.ru
worldnews247.ru
clubstore29.ru
yourwebsupport.ru
countryregion.ru
chooseyourhost.ru

Active IPs are as follows:

46.161.30.16
46.161.30.18
46.161.30.20
46.161.30.20
46.161.30.24
46.161.30.41
46.161.30.42
46.161.30.43

Out of those domains, these following ones are linked with some sort of file locker malware:

casinoroyal7.ru [report]
clubstore29.ru [report]
yourwebsupport.ru [report]
chooseyourhost.ru [report]

The other domains have virtually no reference to them at all, which is somewhat suspicious.

The block as allocated as follows:

inetnum:        46.161.30.0 - 46.161.30.255
netname:        KolosokIvan-net
descr:          Net for customer ID 12510
country:        RU
admin-c:        KI811-RIPE
tech-c:         KI811-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-by:         MNT-PINSUPPORT
mnt-routes:     MNT-SELECTEL
changed:        admin@pinspb.ru 20130904
source:         RIPE

person:         Kolosok Ivan
address:        ul Lenina 19-56
phone:          +380766553642
e-mail:         kolosokivan@i.ua
nic-hdl:        KI811-RIPE
mnt-by:         KolosokIvan
changed:        kolosokivan@i.ua 20130830
source:         RIPE

route:          46.161.30.0/24
descr:          Selectel Customer
origin:         AS49505
mnt-by:         MNT-SELECTEL
changed:        korsakov@selectel.ru 20140901
source:         RIPE

There are no legitimate sites in this network range, so I strongly recommend that you block the entire 46.161.30.0/24 range.

More malware on Crissic Solutions LLC

Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report):

167.160.164.102 [VirusTotal report]
167.160.164.103 [VirusTotal report]
167.160.164.141 [VirusTotal report]
167.160.164.142 [VirusTotal report]

The following domains are being exploited (although there will probably be more soon).

citycentralone.biz
citycentraltwo.biz
citycentralfive.biz
citycentralfour.biz
seasononecoming.biz
seasonsixcoming.biz
seasontwocoming.biz
citycentralthree.biz
seasonfivecoming.biz
seasonfourcoming.biz
seasonsevencoming.biz
seasonthreecoming.biz
ultimateconnectioneleven.biz
saturdaynightsnow.biz
saturdaynightzero.biz
saturdaynightwater.biz
saturdaynighteleven.biz
saturdaynightknight.biz
mvsmicrocomcontrol.net
mvseyeoperationcontrol.net
dateswellsfolls.asia
limississippiviewsdooms.asia
limsviewsdooms.asia
limsviewsmakeoms.asia
dateshealthysfolls.asia

Subdomains in use start with one of qwe. or asd. or zxc. (see examples here [pastebin]).

Crissic Solutions LLC operates 167.160.160.0/19 which does have some legitimate sites in it, but since I have previously recommended blocking 167.160.165.0/24 and 167.160.166.0/24 and now with multiple servers on 167.160.164.0/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go.

Q:is sync.audtd.com a virus? A:probably not.

One of those things that makes you go "hmmm".. I kept seeing a lot of suspect looking traffic from Russian sites to sync.audtd.com, with strings like this:

http://sync.audtd.com/match/rambler/?uid=0123456789abcdef0123456789abcdef

audtd.com is parked on a Voxility IP of 5.254.113.29. I block large swathes of Voxility IP space because it has bad reputation, but it does have some legitimate customers. The domain registration details are hidden:

Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
Registry Admin ID:

However, sync.audtd.com is hosted on three completely different IPs:

148.251.87.17
148.251.81.131
148.251.81.140

These are hosted by Hetzner in Germany. Not exactly a squeaky clean network either, but they do have a lot of legitimate customers in addition to some evil ones.

Some Googling around and poking about at the very bottom of the search results reveals a possible lead in a Russian-language privacy policy [pdf] on a domain tbighistory.com. There was an English-language version that has since been deleted which read:

Privacy Policy
The Big History is an online technology company, Headquartered in the Russian
Federation. This Privacy policy relates to our technology service that our company provides
to online advertisers, web sites owners and other businesses that use our services.

OUR BUSINESS
We collect non-personally identifiable information regarding offline collected attributes and digital usage patterns of users of mobile devices and computers. In this policy, we refer to this non-personally identifiable information, together with other non-personally identifiable information that we obtain from third parties in order to influence which types of marketing messages and other content are displayed to you, as "Preference Data". We use Preference Data to prepare groups of users, referred to as "segments," based upon their behavior and preferences. We give our customers a limited right to use a user's membership in a segment as a basis for displaying advertisements and other content that are intended to reflect the user's preferences. We also collect non-personally identifiable information for other purposes: for example, to provide aggregate statistics for market research and analytics programs.

WHAT WE COLLECT
Non-PII includes but not limited to your IP host address, the date and time of the ad
request, pages viewed, browser type, the referring URL, Internet Service Provider, and your computer's operating system.

HOW WE COLLECT
We use non-personally identifiable data, including "cookies", "pixel tags," and in some
instances, statistical ID's, to collect and store Preference Data. We do not use flash cookies.
Cookies are small text files that contain a string of characters and uniquely identify a
browser. They are sent to a computer by Web site operators or third parties. Most
browsers are initially set up to accept cookies. You may, however, be able to change your
browser settings to cause your browser to refuse third-party cookies or to indicate when a
third-party cookie is being sent. Check your browser's "Help" files to learn more about
handling cookies on your browser. The Big History cookies will expire after 24 months from the date they are created.

Pixel tags are small strings of code that provide a method for delivering a graphic image on a Web page or other document. Pixel tags allow the operator of the Web page or other
document, or a third party who serves the pixel tag, to set, read, and modify cookies on,
and to transfer other data to, the browser used to view the Web page or other document.
Pixel tags may also be used to obtain information about the computer being used to view
that Web page or other document. The entity that sends the tag can view the IP address of
the computer that the tag is sent to, the time it was sent, the user's operating system and
browser type, and similar information.

INFORMATION SHARING
Collected Non-PII processes into targeting data segments, nevertheless it cannot be broken into segments of users that is small or unique enough for the users to be identified
personally.

All of the information we collect or record is restricted to our offices or designated sites.
Only employees who need the information to perform a specific job are granted access to
our data.

Collected data is processed into targeting data segments and then used by advertisers,
publishers and content providers to enhance users experience. TBH could share collected
and processed data with partners, based on that collected information could be used for
third party advertising purpose.

All of the information we share is transferring via secured protocol excluding non granted access.

OPT OUT
If you’d like to opt-out from having The Big History collect your Non-PII in connection with our Technology, please click here http://sync.audtd.com/optout. When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your Non-PII to tailor our online advertisement campaigns. Please note that if you delete, block or otherwise restrict cookies, or if you use a different computer or Internet browser, you may need to renew your opt-out choice.

CHANGES TO OUR POLICY
Our company could revise and change this website policy at any time, so we advise you to
check it periodically to always have up-to-date version.

CONTACT
If you have any questions about this website policy please feel free to contact us by email
info@tbighistory.com
Last Update: 5 September 2014

This site is called "The Big History" and it belongs to a clearly identified Russian company called Auditorius.

So, in fact Auditorius do fully spell out what they are doing in their privacy policy.. but the problem is that it isn't on the audtd.com domain itself, and rather stupidly they are using anonymous WHOIS details (plus some questionable websites). I think the lesson is that if you ARE involved in a legitimate tracking activity, then you must make sure that it is obvious and people can find out what is happening easily. If you don't people will just assume that is a virus.

Tainted network: Crissic Solutions (167.160.160.0/19)

Several IPs hosted on the Crissic Solutions range of 167.160.160.0/19 (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness.

I analysed over 1500 sites hosted in the Crissic IP address range (report here [csv]) and many sites were already marked as being malicious by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious.

Malware is hosted on the following IPs:
167.160.165.38 [VT report]
167.160.165.39 [VT report]
167.160.165.158 [VT report]
167.160.165.159 [VT report]
167.160.165.171 [VT report]
167.160.165.172 [VT report]
167.160.165.214 [VT report]
167.160.165.215 [VT report]
167.160.166.66 [VT report]
167.160.166.67 [VT report]
167.160.166.68 [VT report]

Given the concentration of active malicious servers in 167.160.165.0/24 and 167.160.166.0/24 then I would recommend blocking you traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course, I will leave you to look at the evidence.

The following domains are being used to spread malware (new domains are being added all the time, blocking these may not be effective):
everydayfifth.biz
everydayfirst.biz
everydayfour.biz
everydaysecond.biz
everydaythird.biz
fantybrady.biz
fantybrown.biz
fantycelly.biz
fantyverko.biz
filterblowfred.biz
filterbrickpont.biz
filterglowpred.biz
filtersendcheck.biz
filtersongpreg.biz
fivejobtoday.biz
fivemegapack.biz
fourmegapack.biz
fridaynight1.biz
fridaynight2.biz
fridaynight3.biz
fridaynight4.biz
fridaynight5.biz
fridaynight6.biz
fridaynight7.biz
fridaynight8.biz
fridaynight9.biz
mondayworkfive.biz
mondayworkfour.biz
mondayworkone.biz
mondayworkseven.biz
mondayworksix.biz
mondayworkthree.biz
mondayworktwo.biz
ninemonthjet.biz
onemegapack.biz
secondmonthjet.biz
sevenjobtoday.biz
sixjobtoday.biz
sixmonthjet.biz
sundayfiveticket.biz
sundayfourticket.biz
sundaysixticket.biz
sundaytwoticket.biz
thirdmonthjet.biz
threemegapack.biz
tuesdaymorningfive.biz
tuesdaymorningfour.biz
tuesdaymorningone.biz
tuesdaymorningseven.biz
tuesdaymorningsix.biz
tuesdaymorningthree.biz
tuesdaymorningtwo.biz
twomegapack.biz
wednesdayfifthjob.biz
wednesdayfirstjob.biz
wednesdaysecondjob.biz
wednesdaythirdjob.biz
zerojobtoday.biz
zoneclickjohny.biz
zoneclickporno.biz
zoneclicksex.biz
zoneclickwindow.biz
babydomainscoolsxenons.com
babynamescoolsxenons.com
domainscoolsxenons.com
namescoolsxenons24.com
namesthecoolsxenons.com
nyparvermoligh.eu
robbulerolrom.eu
rurecranparro.eu
sitgoottinbab.eu
talonegahadti.eu
tertsinrowofthem.eu
usethethedttalhat.eu
watehorohar.eu
mvabsolutezeronotice.info
mvanchusaofficinalis.info
mvappealscourtcontrols.info
mvcalldownroister.info
mvcellulosicairforce.info
mvdaccrualairforce.info
mvdangraecumtekki.info
mvdcercidiumdeluge.info
mvdfamilytheophrastaceae.info
mvjacquemierssign.info
mvlongtimecetotalcontrol.info
mvmarasmustekkinotice.info
mvmolluskfamilynotice.info
mvpinnatifidamericancontrols.info
georgwitlhelmfriedrichhegel.us
onomustculusintercostalis.us
pearhatwthorn.us
toponytmkamarupan.us
vagabotndagetoil.us

Spam: "Telefonrechnung NTTCable November 2014"

This German-language spam leads to malware:

Von: NTTCable Europe S.A. [mailto:info@reisebuerowerther.de]
Gesendet: Mittwoch, 26. November 2014 21:15
Betreff: Telefonrechnung NTTCable November 2014

Ihre Kundennummer: 119683
Sehr geehrter Geschäftspartner,
anbei erhalten Sie die NTTCable-Telefonrechnung für den Leistungsmonat November 2014,
Telefonrechnung NTTCable November 2014.

Hinweise zum Format und der digitalen Signatur:
   
Ihre Rechnung ist im PDF-Format erstellt und mit einer digitalen Signatur versehen.
Somit erfüllt Ihre Rechnung alle Anforderungen des Signaturgesetzes.
   
Haben Sie Fragen zu Ihrer Rechnung?
   
Dann rufen Sie uns an. Unser Customer-Care-Team steht Ihnen telefonisch jederzeit gerne zur Verfügung.

Mit freundlichen Grüßen
Ihre Telefongesellschaft
______________________________________________
NTTCable Gruppe
Telefongesellschaft der Deutschen Industrie.
Escher Str. 19
D - 65510 Idstein
Tel: +49 0 6126 - 9 98 76 - 0
Fax:+49 0 6126 - 9 98 76 - 54
EMail: info@nttcable.de
Web: www.nttcable.de
NTTCable Europe S.A.
Registriert in Luxemburg Handelsregisternummer: B 160348
NTTCable Deutschland KG
Geschäftsführender Gesellschafter: Michael Gros
Registriert in Wiesbaden HRA 9407
NTTCable Service KG
Geschäftsführender Gesellschafter: Michael Gros
Registriert in Wiesbaden HRA 9404 

In this case the link in the email goes to http://illen-beauty.ru/wp-admin/3PAbHfSM5FEma from where it downloads a file 2014_11_rechnung_1_1_000309399002.zip containing a malicious executable 2014_11_rechnung_1_1_000309399002_4884_9849_00483_00222_0039459856_29392_000000002008.exe  which at the moment is quite widely detected at VirusTotal with 22/56 engines coming up positive.

The Malwr report shows that the payload is hardened against analysis, but it does show an attempted connection to 109.123.78.10 (UK2.net, UK) which might be worth looking for.

Spam: "Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 (Nr. 95921500725106)"

This spam leads to malware:

From:     Deutsche Telekom AG [g.dogan@idolcarpet.com]
Date:     26 November 2014 at 06:57
Subject:     Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 (Nr. 95921500725106)


Sehr geehrte Kundin, sehr geehrter Kunde,

als Anlage ist die Rechnung 7188201282 als PDF-Datei: Telefonrechnung Telekom November.

Der Gesamtbetrag im Monat November 2014 ist ausgewiesen mit: 271,02 Euro.



Mit freundlichen Grüßen,
Geschäftskundenservice

Telekom Deutschland GmbH
Aufsichtsrat: Timotheus Höttges Vorsitzender
Geschäftsführung: Niek Jan van Damme Sprecher, Thomas Dannenfeldt, Thomas Freude, Michael Hagspihl, Dr. Bruno Jacobfeuerborn, Dietmar Welslau, Dr. Dirk Wössner
Eintrag: Amtsgericht Bonn, HRB 59 19, Sitz der Gesellschaft Bonn
USt-Id.Nr.: DE 1287171
WEEE-Reg.-Nr.: 8820712 

The link in the email goes to http://taxi-haarlem.com/wp-content/ajisev8X7AOkLY from where it downloads rechnung_november_2014_0003900028.zip containing a malicious executable rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe which has an icon that looks like a PDF file.

This malware has a VirusTotal detection rate of 6/55. The Malwr report shows that it is hardeded against analysis, but it does connect to the following URL:

http://162.144.106.152:8080/974aade0/d0392bb4/

162.144.106.152 has been used several times recently in this type of attack, it is a compromised server belonging to Unified Layer in the US. I strongly suggest that you block traffic to this IP.

What the heck is with 104.152.215.0/25?

A contact gave me the heads up to an exploit kit running on 104.152.215.90 [virustotal] which appears to be using MS16-064 among other things [urlquery].

104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer:

NetRange:       104.152.215.0 - 104.152.215.127
CIDR:           104.152.215.0/25
NetName:        QUERYFOUNDRY
NetHandle:      NET-104-152-215-0-1
Parent:         QUERYFOUNDRY-06 (NET-104-152-212-0-1)
NetType:        Reassigned
OriginAS:       AS62638
Customer:       Shanghe Yang (C05354145)
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/net/NET-104-152-215-0-1

CustName:       Shanghe Yang
Address:        707 Wilshire Blvd
City:           Los Angeles
StateProv:      CA
PostalCode:     90017
Country:        US
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/customer/C05354145

707 Wilshire Boulevard is a massive office block  but I suspect that this is just an accommodation address, so there's no real lead on who this customer is.

A look at the contents of the /25 is puzzling, because I can see almost 1500 sites [csv] on a number of active IPs [txt], almost none of which have any kind of discernible web presence or reputation. 

Drilling down into the domains and registrants [csv] shows a list of either Chinese or US registrants, but in the vast majority of cases they look to be fake. The key indicator is that the email addresses listed are all of a similar format and bear no relationship whatsoever to the name of the registrant.

The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet these pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France:


address:     13, rue de rohrwiller bischwiller,67240 Bas-Rhin, France 139 a
address:     67240 Bischwiller
address:     Bas-Rhin
country:     FR

It isn't a big place according to Google.  I doubt if there is a Assad Sfdsadsfw, Yfdsjshfk Ynagkjhk, Qewqewq Sfwad or Poiug Pppobflgk living in that location.

Although there is not much data about the range, there are a couple of domains that are also flagged a malicious:

sxzav.xyz [Google diagnostics]
klioz.xyz [Google diagnostics]

Quite why they are flagged as malicious is a puzzle.

My personal opinion is that there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains.

Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it, alternatively these are the domains being used in this network block:

izhse.com.cn
nmfcd.com.cn
szeeo.com.cn
trfqg.com.cn
uzwqy.com.cn
ycrlru.cn
yifxu.cn
yivuu.cn
yoezuu.cn
yrmhmu.cn
yszrru.cn
yyknu.cn
bcczrvo.com
bzvod.com
cyhgeqm.com
dgudwco.com
dhidzbo.com
dhwgfub.com
dnzwafr.com
dqlivdc.com
enndmfy.com
eufxdtc.com
eugutxh.com
fprtrsz.com
fytwhsw.com
gwrvwed.com
heghsbq.com
hotkii.com
hsephqf.com
iondydc.com
jeyztjy.com
jjfnshu.com
jpkwin.com
jtgypou.com
jtvkrv.com
kudnzpq.com
lgyudpy.com
mhmzyqf.com
mhxipaw.com
mtqlgko.com
nekclhr.com
ngieznn.com
nwnfbmn.com
okjepel.com
pbqbgkd.com
pcerrxh.com
plqrwgl.com
qebywad.com
qtknjnb.com
ripyiht.com
scauyfs.com
svyqkuu.com
sxfkzgf.com
tfwvtxy.com
ubqyfht.com
uewswa.com
umremdh.com
uuyrvtf.com
vdblrqb.com
vjqmryt.com
wgsunfk.com
wubpcb.com
xjgvtvs.com
xqyvqtx.com
ypnmxpe.com
ysmryfm.com
yyxkaqs.com
zakagps.com
zbecfan.com
mudanguojiyulecheng.eu
feldo-luxury.fr
latable-brasserie.fr
lestudio-orthez.fr
limpid.fr
mariepapier.fr
mobile-prepaye.fr
piscines-spas-95.fr
taxi-saint-medard-de-guizieres.fr
thermoservices.fr
tout-com-magny.fr
vansboutique.fr
fxy101.org
fxy102.org
fxy103.org
fxy105.org
fxy106.org
fxy107.org
fxy108.org
fxy109.org
sz101.org
sz103.org
sz118.org
sz188.org
tz100.org
tz110.org
7381.pw
97897.pw
417700.pw
ccbjz.pw
cdjgey.pw
dfjglr.pw
dfojy.pw
dgkjgy.pw
dlgjt.pw
hljbjz.pw
hrbbz.pw
hzkhj.pw
jlbzj.pw
jsbzj.pw
kdjjt.pw
kjdkg.pw
lnbzj.pw
njkuy.pw
sdbzj.pw
sdjkls.pw
sdljog.pw
sjaux.pw
sldjog.pw
sxbzj.pw
sybzj.pw
szjbzj.pw
tjbyee.pw
whgiut.pw
cmslj.xyz
fdslj.xyz
fjdxz.xyz
hbdxz.xyz
hkdxz.xyz
hljdxz.xyz
hndxz.xyz
klioz.xyz
myslj.xyz
nhslj.xyz
njdxz.xyz
sxzav.xyz
tlslj.xyz
tnslj.xyz
whslj.xyz
wzslj.xyz
ycslj.xyz
yqslj.xyz
yyslj.xyz
zwslj.xyz

MyFax message from "unknown" spam leads to poorly-detected malware

Fax spam again. How quaint. This spam appears to come from the person receiving it (which is an old trick).

From: victim@victimdomain.com
Sent: 24 November 2014 15:31
To: norep.c@mefax.com
Subject: MyFax message from "unknown" - 3 page(s)


Fax Message [Caller-ID: 1-407-067-7356]

http://159593.webhosting58.1blu.de/messages/get_message.php

You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.

* The reference number for this fax is chd_did11-14186364797-10847113200-628.

View this fax using your PDF reader.
Thank you for using the MyFax service!

The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to the following URLs:

http://95.211.199.37:16792/2411us3/HOME/0/51-SP3/0/
http://95.211.199.37:16792/2411us3/HOME/1/0/0/
http://lasuruguayas.com/images/refus3.pnk

A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54. The Malwr report is here.

Oplamo Herbal Root scam

As far as I can tell, there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.

From:     Mr. Tom Good Hope [mrtomgood@gmail.com]
Reply-To:     mrtomgoodhope@gmail.com
Date:     22 November 2014 02:24
Subject:     SUPPLY BUSINESS OF OPLAMO

My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company.

I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase.


OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD,while they supply to our company at the rate of $430 USD.

Recently i got the contact information of a local producer in India that preserve {OPLAMO} herbal root to the quality our company needs for production and i came to know that this product can be purchase at rate of $280 US dollar per sachet in India.

Note that i can not release the contact information of the local producer easily to anybody that can not follow up with guidelines on how to make this supply on this first supply,because if any mistake occurs and my company finds out that i'm involve in given information to someone to supply this product to them they will consult a legal petition against me and i can not go to India to buy and supply this product to our company because i do not have money to handle this business and i don't want to release this information to our company management.

Our company buys 3000 sachets (each sachet contains 5 grams),but on the first order with any producer they want to give a trial order of 300 or 500 sachets and payment method for this first order is COD- cash on delivery, upon their satisfaction on this first order they would be making payment on T/T in advance.

Please read this business proposal very well before you reply me,if you can not handle this business according to my guideline its better you don't reply me,because i want you and i to be on safer side in this transaction.

Upon your reply i will clarify you more on how to start this business immediately,please drop your contact phone number for me to be able to contact you ASAP.

Thanks,

Mr Tom Goodhope

Company Secretary

mrtomgoodhope@gmail.com

"Tom Goodhope" sounds more Nigerian than British, but the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost.com] in the US.

Given that all the search results I can find for "Oplamo Herbal Root" or "Oplamo Root" seem to be similar scams, I would suggest that this doesn't even qualify as snake oil and I would give it a very wide berth.

"Ihr Zahlungsauftrag - 41401236123" spam

This German-language spam leads to malware.

Von: Sparkasse IT AG [mailto:assistant@fourmusic.com]
Gesendet: Freitag, 21. November 2014 15:03
Betreff: Ihr Zahlungsauftrag - 41401236123

Der Auftrag wurde entgegengenommen.
 21. November 2014, 02:02:17 Uhr

 Sie haben eine Zahlung über 2735,15 EUR an Miss Elita Zirne veranlasst.
 Wir haben die Sparkasse über die Versandbereitschaft des Artikels in Kenntnis gesetzt. Weitere Details zu diesem
Vorgang:
2014_11_Sparkasse_details_4543735454333.zip. 

In this case the link goes to agromark-bimsa.com.ar/VR7wkx13 where it downloads a file 2014_11_transaktions_id_000000039190.zip which in turn contains a malicious executable 2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe which has a VirusTotal detection rate of 14/55.

Automated analysis tools [1] [2] [3] are not particularly revealing, but similar recent malspam runs have been linked to Geodo.

StockTips.com spam.. or Joe Job?

When I saw this StockTips.com spam, I assumed that it was a pump-and-dump scam.

From:     StockTips.com
Date:     21 November 2014 07:58
Subject:     Sign up now

StockTips

Want to make money with stocks? Sign up at http://www.stocktips.com/ for a small monthly fee only.

© 2001-2012 StockTips.com. All Rights Reserved. StockTips.com is operated by Amerada Corp

Here is another version of the body text:

StockTips

Stock Tips Delivered to your Inbox! Stock Tips is the #1 stock alert service... As always membership is 100% FREE! Sign up now!

© 2001-2012 StockTips.com. All Rights Reserved. StockTips.com is operated by Amerada Corp

The spam was sent to an account that often receives pump-and-dump spam, and it has never signed up for anything like this. The most likely source for the email address in question is from the virus-infected computer of a contact.

So what is this? A virus? There's nothing malicious about this email. A Joe Job? Well, I've had a LOT of these, and even the most stupid email marketer tend not spam the same recipients over and over again. So perhaps it is a Joe Job.

IP address analysis

The IP addresses used to send the spam seem to be a mix of compromised PCs and servers, possibly forming part of a botnet. Legitimate companies don't use this kind of technique (obviously), but even real companies that do send spam tend to find a proper web host somewhere. This is another indicate that it might be a Joe Job.

62.143.125.49	Unitymedia, Germany	Project Honeypot shows that it has only been used for spam quite recently.  It looks to be a server rented from a legitimate company, although obviously for illegitimate purposes. Possibly the server has been compromised.
188.66.76.4	Gamma Telecom, UK	Project Honeypot shows just how spammy this IP is. And it has been used for stock spam in the past as well, which indicates this is not a one-off. It looks like this may be a compromised server.
80.38.8.21	Telefonica de Espana SAU, Spain	Resolves as 21.Red-80-38-8.staticIP.rima-tde.net, so a static IP rather than a DSL connection. Project Honeypot says that it used to be used for spam some time ago but has been clean for a long time.
88.156.185.92	Vectra S.A., Poland	Description is "Vectra Broadband Users" which indicates a DSL or cable connection. Project Honeypot has no data.
187.94.214.35	Feliz Acesse Comunicacao Ltda, Brazil	No data on this, could be a domestic IP address.
79.180.189.55	Bezeq International Ltd, Israel	Appears to be a domestic broadband user.
78.187.242.217	TurkTelekom, Turkey	ADSL subscriber
176.94.67.198	Arcor AG, Germany	Arcor / Vodafone DE business customer.

What about StockTips.com itself?

StockTips.com is a snazzy looking site..

But there is not one single piece of information that identifies who runs it, except for a reference to Amerada Corp which is also mentioned in the spam email. The WHOIS details for the domain are also hidden, so it is impossible to determine who actually owns the site.

A search for "Amerada Corp" comes up with nothing except that it is a former name of Hess Corporation who are clearly nothing to do with this.

Scrolling down the page gives a clue as to what this might be about..

A $37 signup fee? No thanks.. but it says it is a one time fee but the spam says a monthly fee. That's inconsistent. Another indicator of a Joe Job? Perhaps.

Something else caught me eye.

HAIR was the subject of a massive pump-and-dump spam run last year. After StockTips.com recommended HAIR in May of 2012, the share price basically fell off a cliff.

Hmmm.

A bit of Googling around shows a lot of negative comment about StockTips.com. There are some accusations that I have not been able to verify that they are involved in paid stock promotions for the penny stocks that they list.

The Penny Stock market has a lot of legitimate players, but there are also a lot of people who try to manipulate the market for their own gains. It is possible that StockTips.com has clashed in some way with the sort of people who run pump-and-dump scams, and they have decided to take their revenge by creating this fake spam run.

Perhaps if you have some experience with this outfit, you would like to share it in the comments? Note that all comments are owned by the people posting them.

"Duplicate Payment Received" spam from "Enid Tyson" has a malicious DOC

This fake financial spam has a malicious Word document attached.

From:     Enid Tyson
Date:     21 November 2014 15:36
Subject:     INV209473A Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks

Enid Tyson
Accounts Department

In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro [pastebin] which connects to the following URL:

http://79.137.227.123:8080/get1/get1.php

I only have one sample at the moment, there are probably other download locations, the This then downloads a file test.exe which is saved to %TEMP%\VYEJIUNSXLI.exe.

This has a VirusTotal detection rate of just 1/55. The malware is hardened against analysis in a Sandbox so automated results are inconclusive [1] [2] [3] [4].

UPDATE:
A second version is going the rounds, with zero detections  and a download location of

http://61.221.117.205:8080/get1/get1.php

A copy of the malicious macro can be found here.