Sponsored by..

Thursday 8 January 2015

Persistent hijacked GoDaddy domains serve malware via Turkish IPs

Last year I wrote about a small bunch of IPs belonging to Radore Veri Merkezi Hizmetleri A.S in Turkey that seemed to be aggressively pushing an exploit kit via hijacked GoDaddy domains. Today I was slightly surprised to see that this is still going on, and in some cases using the same domains as they were all those months ago.

Let's start by looking at an example hijacked domain gssportspics.com which is a neat little site with some high school photos of sports and events on.


We can look up the DNS details for www.gssportspics.com and they look OK with an IP of 184.168.152.5 which belongs to GoDaddy.

01/08/15 14:06:28 dns www.gssportspics.com
Mail for www.gssportspics.com is handled by smtp.secureserver.net mailstore1.secureserver.net
Canonical name: gssportspics.com
Aliases:
  www.gssportspics.com
Addresses:
  184.168.152.5


The domain is registered by GoDaddy, the domain is hosted by GoDaddy. Makes sense, and the website is clean of malware as far as I can tell.

But the problem is that there are a whole bunch of subdomains also using the gssportspics.com that you can't easily tell are there. For example, these subdomains all exist too:

invu.gssportspics.com
yossi.gssportspics.com
auckle.gssportspics.com
sively.gssportspics.com
truset.gssportspics.com
vishal.gssportspics.com
sovieana.gssportspics.com
wiramart.gssportspics.com
gardenhour.gssportspics.com
spechtling.gssportspics.com

Let's look up one of these..

01/08/15 14:24:45 dns vishal.gssportspics.com
Canonical name: vishal.gssportspics.com
Addresses:
  31.210.96.158


Well, that IP address ain't GoDaddy.

inetnum:        31.210.64.0 - 31.210.127.255
netname:        TR-RADORE-20110504
descr:          Radore Veri Merkezi Hizmetleri A.S.
country:        TR
org:            ORG-RHTH1-RIPE
admin-c:        RLA11-RIPE
tech-c:         RLA11-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RADORE-MNT
mnt-routes:     RADORE-MNT
mnt-domains:    RADORE-MNT
notify:         registry@rh.com.tr
changed:        hostmaster@ripe.net 20110504
changed:        hostmaster@ripe.net 20130410
changed:        bit-bucket@ripe.net 20130930
source:         RIPE


Well, we've been here before and I can tell you that these sort of hijacked sites are hosted on the following IPs:

31.210.96.155
31.210.96.156
31.210.96.157
31.210.96.158


I don't know how this Turkish host suballocates IPs to customers, but it is roughly equivalent to 31.210.96.152/29.

So how are these hijacks happening? Actually, I don't know although I do know that this is very common with GoDaddy accounts that use domaincontrol.com namservers. Perhaps the accounts are being phished, hit in an XSS attack or there is a weakness in GoDaddy's DNS architecture. GoDaddy are normally very good at cleaning this sort of thing up, so let's hope they can put a stop to this now.

What the exact payload of these IPs is I don't know because it is hardened against analysis, but they have hosted Ponmocup in the past.  I have observed traffic being sent to these server via hacked sites, and given the subdomain hijacking then it is clear that something very bad is going on. You can see an example of URLquery failing to analyse one of these sites here.. I suspect that the payload only works once per visiting IP.

You can see an example of some of the LIVE subdomains hosted on these IPs here [pastebin] or a full list of ALL the hijacked subdomains that I seen over time in this range here.

Currently, these following domains all have hijacked subdomains, as far as I can tell, they are all legitimate sites and I would hesitate to block them.. instead I would recommend blocking the IP address ranges listed above instead.

21ideas.com
2cuonline.com
4runnerliftkits.com
8jutawan.com
aabathlifts.com
adventureresponsibly.com
advertisementdevil.com
advertisewiththedevil.com
aesirholdings.com
agentonpoint.com
ahtcna.com
alhogames.com
alisonleese.com
allknowingpsychic.com
alloyfurnacerolls.com
alloymuffles.com
alloyradianttubes.com
allprodelta.com
alternateolympics.com
alternativeolympics.com
ancestorworshippublishing.com
animalgenetics.com
antonzuponcic.com
arc4g.com
aredietsok.com
aredietsokay.com
assistlist.com
asstimate.net
atvguidebooks.com
atv-guidebooks.com
atvtrailguides.com
autoeventregistration.com
automotiveeventregistration.com
automotiveservicesavings.com
autoserviceevent.com
aylesburyironing.com
azproremodelers.com
bahenasteel.com
bakecakesnow.com
basslakeshagclub.com
be3ny.com
benahavisrealestate.com
berkshirecapitalholdings.com
bestsilvercufflinks.com
bgtoledorent.com
birdsexingkit.com
blingmatters.com
blurlight.com
boeckman.net
breastimate.com
bridgenations.com
bristolblog.com
bristolwatch.com
bumperstickerpatriots.com
buybackmyvehicle.com
buynewaz.com
buynowbuynewaz.com
bvvk.com
canadianpilotcars.com
caninecolorgenetics.com
caninepaternitytesting.com
caseybassett.com
castlelawpa.com
caytechpools.com
charlesawells.com
chrisvessey.com
ciunev.com
concretevibration.com
connecteli.com
connectmetv.com
consul-tec.com
consumerdevil.com
cruzeonover.com
custom-chocolate-favors.com
customerdevil.com
dealerholidayevent.com
deespilotcars.com
defeattheliberalmedia.com
deliveredbythedevil.com
devilforacause.com
devilwithacause.com
dkshealth.com
drinkbluphoria.com
drinkcalories.net
drjaneaxelrod.com
dropoutgobig.com
dunstablekitchens.com
eaglepocatello.com
effectsllc.com
egunt.com
ellagphotography.com
empowerprinciples.com
engpua.com
enhancementlasers.com
enhancinglasers.com
equinepaternitytesting.com
exceltoner.com
exceltoners.com
facenewbook.com
fantasticfountain.com
fathersnsons.com
fatlosstoolkit.com
felixtreitler.com
feltedfibers.com
fighttheliberalmedia.com
fortheloveofgadgets.com
frankryn.com
freegascardregistration.com
fubarpaintball.com
funtrecks.net
funtreks.net
funtrekspublishing.com
gee-wizsolutions.com
getpaid365days.com
gillspools.com
girlsgoneglamis.com
gliscastings.net
gliscentrifugal.com
glisfabrications.com
glisinc.com
golfironworks.com
golfnewsalaska.com
golfnewsarkansas.com
golfnewscolorado.com
golfnewsconnecticut.com
golfnewsdelaware.com
golfnewsgeorgia.com
golfnewsidaho.com
golfnewsillinois.com
golfnewsindiana.com
golfnewsiowa.com
golfnewskansas.com
golfnewskentucky.com
golfnewslouisiana.com
golfnewsmaine.com
golfnewsmaryland.com
golfnewsmassachusetts.com
golfnewsmississippi.com
golfnewsmissouri.com
golfnewsmontana.com
golfnewsnebraska.com
golfnewsnewengland.com
golfnewsnewhampshire.com
golfnewsnewjersey.com
golfnewsnewmexico.com
golfnewsnewyork.com
golfnewsnorthcarolina.com
golfnewsnorthdakota.com
golfnewsohio.com
golfnewsoklahoma.com
golfnewspennsylvania.com
golfnewsrhodeisland.com
golfnewssouthcarolina.com
golfnewssouthdakota.com
golfnewstennessee.com
golfnewsutah.com
golfnewsvermont.com
golfnewsvirginia.com
golfnewswestvirginia.com
golfnewswisconsin.com
golfnewswyoming.com
grafikcase.com
grafikdevils.com
grafik-devils.com
grafik-skins.com
greatserviceforless.com
greatsoundevents.com
gregorylknox.com
grupa-kim.com
gryphonaz.com
gryphoncompanies.com
gryphonus.com
gssportspics.com
haosjer.com
hartford-capital.com
hbacagreenproremodelers.com
hbacaproremodelers.com
heattreatalloy.com
historyhobbybooks.com
hockeydoneright.com
hugesavingsevent.com
humphreyslawncare.com
icecreamtruckuniversity.com
imokh.com
inboccaproductions.com
inkandtonersale.com
integratedpipe.com
italy-in-bocca.com
javaemulator.com
jmydesign.com
joannheilman.com
joeamericashow.com
joechenphoto.com
jsjenterprises.com
juddnelsonstudios.com
kaitlinsplayground.com
kevindonnellymd.com
knoxkomputerservice.com
kokobon.com
ksupride.com
ksupridewrestling.com
ksuwrestling.net
lakehousetimberranch.com
laser-enhancements.com
laserhairenhancement.com
launchyourline.com
learningoverip.com
leashyourcamera.com
lendmecash.com
letseatinitaly.com
lifestylology.com
lindseytoothman.com
lionizetheworld.com
lionizeyourself.com
lions-mark.com
lovetoner.com
lovetoners.com
lsclinks.com
lusitanogold.com
makingwaves-salon.com
mangiamoinitalia.com
mangiamoneicantucci.com
mapclimber.com
matthewstarner.com
maxscenesdesign.com
mdmofgeorgia.com
memorialdaysavingsevent.com
mendezign.com
metoly.com
micksher.com
middlefieldma.net
midnightastronomy.com
mikemcmortgage.com
miracline.com
momsagainstmercury.com
monizarealty.com
mrsstyleseeker.com
mwhiteman.com
myabadi.com
mycameraleash.com
myfuturephysique.com
mystagingbox.com
my-ui.com
nacprint.com
newcarsat.com
newlogiq.com
newworldheroes.com
ngage-games.com
nitplus.com
nutritionbydesign.com
ny007ny.com
oharvest.net
omarker.net
omobia.com
onlybetterdeal.com
organixharvest.com
ozarkmountain4x4club.com
palermolundahl.com
pamsdogacademy.com
pamsdogtraining.com
panjiaying.com
panochevalleysolar.com
paulguardino.com
paxamericanaspirits.com
peekaboopumpkin.com
pennyappleapparel.com
pinkdollaratm.com
powerplaycreative.com
prestigehonda.net
propertiespain.com
qualitycomforthomeservices.com
realdealpsychic.com
registerforautoevent.com
reikisolar.com
remodelgreaterphoenix.com
renzograciemexico.com
restoremystuff.com
revolvertactical.net
richmondguitarx.com
rled.net
roaringlion.com
roaringlionenergydrink.com
savedalyfield.com
searchtrusted.com
secrettomb.com
sellitandforgetitnow.com
sellitandforgetittoday.com
shamrocksmokrz.com
shynlaw.com
signaturetoner.com
signaturetoners.com
skyviewphoto.com
slyforkfarm.com
snuffbottleworld.net
softmn.com
southvalleyrugby.com
specialpsychic.com
sportdoneright.com
springcleaningevent.com
squeezepagecentral.com
stainlessfabrications.com
stevesenergydrink.com
strongpsychic.com
studiosylverline.com
sunblockmaterials.com
tabeer-e-pakistan.com
tacomaliftkits.com
tagdeedlingua.com
tagdeed-translation.com
tagdeed-translations.com
techsupportauctions.com
teeboxpromo.com
telecomchicago.com
telecomillinois.com
telecomindiana.com
telecommichigan.com
tfgjustsayin.net
theafternoonjoker.com
theartdepot.net
thecinema6.com
thecollegeaddressshop.com
theeveningjoker.com
thehiddencorner.com
theknowledgekingdom.com
themorningjoker.com
thenightlyjoker.com
thinkadmit.com
thisishowthisworks.com
thisweekinwhiteness.com
thomasdesgrp.com
thomasdesigngroupllc.com
timkennywebdesign.com
timothykenny.com
timsicecreamtruck.com
timsroadtrip.com
toyotaliftkits.net
toyteclifts.net
trademarkrestoration.com
trademarkrestorationinc.com
tri-swelding.com
tropicaltoner.com
tuftsclimatejustice.com
turkrdns.com
twibularity.com
usdays.com
usedcarsat.com
usedmobi.com
valentinesalesevent.com
vehicleexchangeprogram.com
vehicleservicediscount.com
virtualsofts.com
warpets.com
webrunchhard.com
wenerdhard.com
whhholdingusainc.com
whhusainc.net
whichcameratookthis.com
whybuyanewhome.com
xn--80afcbdab0arg8e4c.com
xn--h1adlaje.net
yourcakedecoratingclass.com
yourcrystalball.com
yourspartanmovers.com
zombiesurvivalaptitudetest.com
zoomtoner.com
zoopoints.com
z-sat.com



Malware spam "INVOICE ADVISE 08/01/2015" and "NOVEMBER INVOICE" from multiple fake senders

These two spam runs have different email messages but the same payload. In both cases, there are multiple fake senders

Sample 1 - INVOICE ADVISE 08/01/2015

From:    Mia Holmes
Date:    8 January 2015 at 09:11
Subject:    INVOICE ADVISE 08/01/2015

Good morning

Happy New Year

Please could you advise on the  November GBP invoice in the attachment for me?

Many thanks

Kind Regards
Mia Holmes
Accountant
SULA IRON & GOLD PLC

Sample 2 - NOVEMBER INVOICE

From:    Reed Barrera
Date:    8 January 2015 at 09:16
Subject:    NOVEMBER INVOICE

Good morning

Happy New Year

Please could you advise on the  November GBP invoice in the attachment for me?

Many thanks

Kind Regards
Reed Barrera
Controller
ASSETCO PLC
Other sender names include:
Marlin Rodriquez
Accountant
CLONTARF ENERGY PLC

Olive Pearson
Senior Accountant
ABERDEEN UK TRACKER TRUST PLC

Andrew Salas
Credit Management
AMTEK AUTO
The attachment is in a Word document (in one sample it was a Word document saved as an XLS file). Example filenames include:

RBAC_9971IV.xls
INV_6495NU.doc
2895SC.doc

There are four different malicious files that I have seen so far, all with low detection rates [1] [2] [3] [4] which contain in turn one of these macros [1] [2] [3] [4] leading to a download from one of the following locations:

http://188.241.116.63:8080/mops/pops.php
http://108.59.252.116:8080/mops/pops.php
http://178.77.79.224:8080/mops/pops.php
http://192.227.167.32:8080/mops/pops.php

This file is downloaded as g08.exe which is then copied to %TEMP%\1V2MUY2XWYSFXQ.exe. This file has a detection rate of 3/56.

The VT report shows a POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known malware server which I recommend that you block. This IP is confirmed in the Malwr report which also shows a dropped DLL which is the same as found in this spam run and has a detection rate of just 2/56.

For researchers only, a copy of the files can be found here. Password = infected

Malware spam: "Ieuan James" / "invoice EME018.docx"

So far this morning I've seen a handful of these malformed malware spams, claiming to be from a Ieuan James and with a subject of invoice EME018.docx. The body text contains some Base64 encoded data which presumably is meant to be an attachment.

For example..

From:    Ieuan James
Date:    8 January 2015 at 07:25
Subject:    invoice EME018.docx

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain;
        charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword;
        name="invoice EME018.doc";
        x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
Content-Disposition: attachment;
        filename="invoice EME018.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAB/AAAA////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////////////////////////////spcEAKWAZBAAA8BK/AAAAAAAAEAAAAAAABgAA
AQgAAA4AYmpiaptVm1UAAAAAAAAAAAAAAAAAAAAAAAAZBBYALhAAAPk/AQD5PwEAAQAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A
AAAAAAAAAAAAAAAAAAAAAKQAAAAAALADAAAAAAAAsAMAALADAAAAAAAAsAMAAAAAAACwAwAA
[snipped for clarity]
Some assembly is required with this malware, but if you decode the Base64 area you get one of two different Word documents with VirusTotal detection rates of just 1/56 [1] [2]. These malicious documents contain one of two macros [1] [2] [pastebin] that download an additional component from one of the following locations:

http://ecovoyage.hi2.ro/js/bin.exe
http://mateusz321.cba.pl/js/bin.exe

This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55. The Malwr report for this shows that it connects to:

http://74.208.11.204/
http://129.215.249.52/qZXI6nYL8NLtqX6%3DZ/@mF6s4lFjMN4JSfB%2CVPutSGtX/6Ww_r5R%3FlP_ce2A
http://78.140.164.160/LL7yk@O6E/Qyiy/6yz%3Dzs18r/s4$rV

It also queries some other hosts, meaning that it looks like it attempts to connect home to:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
129.215.249.52 (Edinburgh University, UK)
78.140.164.160 (Webazilla, US)
37.1.208.21 (3NT Solutions LLP aka inferno.name, UK)
86.156.238.178 (BT, UK)

In addition, the Malwr report says that a malicious DLL is dropped with a detection rate of 2/56.

Recommended minimum blocklist:
59.148.196.153
74.208.11.204
129.215.249.52
78.140.164.160
37.1.208.21
86.156.238.178

In addition I suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight. I would very strongly recommend blocking the entire 37.1.208.0/21 range.

For researchers, a copy of all the files is available here, password is infected.

Wednesday 7 January 2015

Exploit kits on Choopa LLC / Gameservers.com IP addresses

While chasing down this exploit kit yesterday, I noticed an awful lot of related IP addresses and domains that also seemed to be hosting malware.

The characterstics of these malicious landing pages is that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE

ooshuchahxe.co.vu
ahjoneeshae.co.vu
phamiephim.co.vu
kaemahchuum.co.vu
pahsiefoono.co.vu
kaghaingai.co.vu
buengaiyei.co.vu
ohmiajusoo.co.vu
oodeerahshe.co.vu
paotuchepha.co.vu
aedeequeekou.co.vu
eikoosiexa.co.vu
phielaingi.co.vu
thohbeekee.co.vu

A typical exploit landing page looks like this [URLquery report] which appears to be the Nuclear EK.

These are hosted on the following Choopa LLC / Gamservers.com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:

108.61.165.69
108.61.165.70

108.61.165.96
108.61.167.160
108.61.172.139
108.61.175.125
108.61.177.107
108.61.177.89

All these malicious domains use the following nameservers:


ns1.thallsbe.com
ns1.yotelepa.com
ns1.zenteep.com
ns1.neverflouwks.com
ns1.daxpyorgilgere.com
ns1.irkoblik.com
ns2.thallsbe.com
ns2.yotelepa.com
ns2.zenteep.com
ns2.neverflouwks.com
ns2.daxpyorgilgere.com
ns2.irkoblik.com

Nameservers are mostly (but not all hosted on Choopa LLC IPs):

64.187.225.245
104.224.147.220
108.61.123.219
108.61.172.145
108.61.198.148
108.61.211.121

As I said, these domains see to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google (long list, sorry, scroll past it if you like):

offearfactory.cf
ukforsavectory.cf
ukforshivaflow.cf
soundchecker.cf
tobiahsebastiani.cf
crazystuff.ga
atproserafic.ga
soundchecker.ga
terriblelow.ml
stumbleupons.ml
ukforprimeebook.cf
greendriver.ga
ukforsavectory.ga
yellowcheck.ml
misterybook.cf
sporterafic.cf
thorteutsch.cf
imainconfig.ga
materofteck.ga
sporterafic.ga
pleskinebook.ga
lowensineflow.ga
warriordriver.ga
materofteck.ml
sporterafic.ml
lowensineflow.ml
mipkohoophw.cf
mipkoewushohn.cf
mipkoeerrw.ml
mipkohiocoh.ml
qdujbffg.cf
floraperf.cf
floreamva.cf
sintroota.cf
akcyvwkudu.cf
jepeugcpaq.cf
kzjzbbezgt.cf
rittfpynit.cf
unitedbeer.cf
vuktrontas.cf
wchiekohya.cf
wingasheng.cf
nikelnstate.cf
quitambient.cf
xotadddance.cf
xoteaddrack.cf
bloxianoiaba.cf
boyconroewom.cf
myfreenomapi.cf
walltaddates.cf
walltaddonce.cf
walltaddrave.cf
xoteaddotion.cf
trohqueenexai.cf
trotesaiheohu.cf
truechiekitha.cf
trueitheipoag.cf
vukontasixtas.cf
vuvatyisedron.cf
wallddforbake.cf
walltadddabit.cf
walltadddance.cf
walltadddsims.cf
wallteaddrack.cf
oproquanterbot.cf
veterloshamerr.cf
vuflowdeadcrow.cf
wallaerkinderr.cf
wallteaddotion.cf
wicomertulatti.cf
walltadddoppler.cf
amixionifyredhedi.cf
shamidgewoodpiste.cf
shoeufflorthrudis.cf
shoppaycleagoncad.cf
sosanasisernitive.cf
sourustieronixtur.cf
sparetediapletecu.cf
stekoneyredecklan.cf
subspironimitells.cf
sultintemicrearti.cf
coolmember.ga
krogralind.ga
rzanygngis.ga
unitedbeer.ga
wchiekohya.ga
weisewieku.ga
xotaddates.ga
xotaddrave.ga
junoreactor.ga
quitambient.ga
xoteaddrack.ga
dealerstrike.ga
trudahsheeso.ga
vumalworrest.ga
walltaddates.ga
walltaddonce.ga
walltaddrave.ga
wamipkoleoxw.ga
xoteaddotion.ga
proquantterms.ga
tritaeneiquoh.ga
trohqueenexai.ga
trotesaiheohu.ga
troyeachahgie.ga
truechiekitha.ga
truexauphudei.ga
victorysecret.ga
vuxeersktrace.ga
wallddforbake.ga
walltadddabit.ga
walltadddance.ga
walltadddsims.ga
wallteaddrack.ga
xotadddoppler.ga
veterloshamerr.ga
victoaddroplen.ga
vuflowdeadcrow.ga
vuvtrassktrace.ga
wallaerkinderr.ga
wallteaddotion.ga
wheallstechaxa.ga
wolscelipartin.ga
wolvestreyrmst.ga
walltadddoppler.ga
serckinvenaftovan.ga
shamidgewoodpiste.ga
shoppaycleagoncad.ga
sosanasisernitive.ga
sourustieronixtur.ga
sparetediapletecu.ga
stekoneyredecklan.ga
subspironimitells.ga
sultintemicrearti.ga
facilygda.ml
iqmhaslyzd.ml
kriendbasi.ml
queezerbot.ml
rittfpynit.ml
xotaddrave.ml
contermance.ml
crazyworlds.ml
junoreactor.ml
loborrowave.ml
quitambient.ml
vuxtronrace.ml
xoteaddrack.ml
bloxianoiaba.ml
trudahsheeso.ml
vumalworrest.ml
vumullefloor.ml
walltaddates.ml
walltaddonce.ml
walltaddrave.ml
xoteaddotion.ml
lodborrowpler.ml
proquantterms.ml
triceebicicha.ml
triilequadaev.ml
tritaeneiquoh.ml
troshiechooph.ml
trotesaiheohu.ml
victorysecret.ml
vuxeersktrace.ml
wallddforbake.ml
walltadddabit.ml
walltadddance.ml
walltadddsims.ml
wallteaddrack.ml
wamipkoicjnew.ml
oproquantables.ml
veterloshamerr.ml
victoaddroplen.ml
wallteaddotion.ml
wickleyoregene.ml
wolscelipartin.ml
walltadddoppler.ml
serckinvenaftovan.ml
shamidgewoodpiste.ml
shoeufflorthrudis.ml
shoppaycleagoncad.ml
sosanasisernitive.ml
sourustieronixtur.ml
sparetediapletecu.ml
stekoneyredecklan.ml
subspironimitells.ml
sultintemicrearti.ml
sintroota.tk
sionixire.tk
bugleryambur.tk
zarauphudei.cf
zaraachwahgie.cf
zaragietheeghe.cf
zarabixampw.ga
zaradhoophw.ga
zarasicjnew.ga
zarauphudei.ga
zaraachwahgie.ga
zaraeqwuadaev.ga
zaraheeteghoh.ga
zaraohgeegheis.ga
zaratiihuw.ml
zarabixampw.ml
zarasicjnew.ml
zarasorsarw.ml
zaraulleoxw.ml
zaraachwahgie.ml
zaraeqwuadaev.ml
zaraewneiquoh.ml
uzaraeserexwai.ml
zaragietheeghe.ml
zaraweethiocoh.ml

In addition, these domains are tagged as malicious by SURBL:
xoteaddrack.cf
wallddforbake.cf
xoteaddrack.ga
walltadddsims.ga
walltaddates.ml
walltadddabit.ml
wallteaddrack.ml
siewaxiesha.co.vu
fourkopoll.co.vu
kurramithompartherd.co.vu

These are the TLDs and SLDs being abused, operated by Freenom (cf, ga, gq, ml, tk) or CoDotVu (co.vu). It looks like perhaps Freenom cleaned up their space, but you can make your own mind up if you want to block traffic to these as a precaution:
co.vu
cf
ga
gq
ml
tk


A full list of all the domains that I can find associated with these servers can be found here [pastebin].

Recommended minimum blocklist (Choopa LLC IPs are highlighted):
108.61.123.219
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.172.145
108.61.175.125
108.61.177.107
108.61.177.89
108.61.198.148
108.61.211.121

64.187.225.245
104.224.147.220

UPDATE:
Choopa LLC say they have terminated those IPs. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised.


Invoice spam with malicious XLS file from multiple companies

This spam run looks very similar to this one going out at roughly the same time, except this has a malicious XLS file rather than a DOC/

From:    Courtney Stark
Date:    7 January 2015 at 12:27
Subject:    Invoice 1252.70 GBP

Please find attached invoice for 1252.70 GBP.

Any queries please contact us.

Courtney Stark
Senior Accounts Payable Specialist
AVIVA

The "sender" is spoofed from multiple companies, so far I have seen:

Courtney Stark
Senior Accounts Payable Specialist
AVIVA

Phyllis Cobb
Senior Accounts Payable Specialist
DIGITAL BARRIERS LTD

Colby Burris
Senior Accounts Payable Specialist
XAAR

Randy Welch
Senior Accounts Payable Specialist
CAMELLIA

Kendra Cervantes
Senior Accounts Payable Specialist
TRINITY EXPLORATION & PRODUCTION

In the samples I have seen, there are two slightly different malicious Excel files with fairly low detection rates [1] [2] containing one of these two macros [1] [2] [pastebin] which downloads an executable from one of the following locations:

http://87.106.165.232:8080/mans/pops.php
http://193.136.19.160:8080/mans/pops.php

These locations are also found with this spam run and the payload is identical.


"Remittance Advice" malware spam from multiple spoofed companies

This fake financial spam claims to be from one of several legitimate companies. They are not sending the spam, not have their systems been compromised. Instead, this has a malicious Word document attached.

From:    Dominique Valenzuela
Date:    7 January 2015 at 11:38
Subject:    Remittance Advice for 3996.63 GBP

Please find attached a remittance advice for recent BACS payment of 3996.63 GBP.

Any queries please contact us.

Dominique Valenzuela
Senior Accounts Payable Specialist
HERMES PACIFIC INVESTMENTS PLC

These different fake senders have been spotted so far:

Reyna Alvarado
Senior Accounts Payable Specialist
AVATION PLC

Dominique Valenzuela
Senior Accounts Payable Specialist
HERMES PACIFIC INVESTMENTS PLC

Alfreda Carney
Senior Accounts Payable Specialist
RED ROCK RESOURCES

Dave Hancock
Senior Accounts Payable Specialist
HANSA TRUST

Kendra Cervantes
Senior Accounts Payable Specialist
TRINITY EXPLORATION & PRODUCTION

The amount of the so-called payment, the name of the sender and the attachment name changes in each case. So far I have spotted three different Word documents, all with low detection rates at VirusTotal [1] [2] [3] which contains one of three different macros [1] [2] [3] [pastebin] which downloads a second stage from one of the following locations:

http://193.136.19.160:8080/mans/pops.php
http://94.23.160.102:8080/mans/pops.php
http://87.106.165.232:8080/mans/pops.php


This file is downloaded as test.exe and is then moved to %TEMP%\1V2MUY2XWYSFXQ.exe. This has a VirusTotal detection rate of 4/56 and that report also says that it POSTs data to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine).

For research purposes, a copy of these files can be found here [password=infected]



Malware spam: "Eliza Fernandes" / "NUCSOFT-Payroll December 2014"

This fake spam pretends to be from an Indian company called Nucsoft but it isn't, instead it comes with a malicious Word document attached. Nucsoft are not sending out the spam, nor have their systems been compromised in any way.

From:    Eliza Fernandes [eliza_fernandes@nucsoft.co.in]
Date:    7 January 2015 at 07:27
Subject:    NUCSOFT-Payroll December 2014

Please find the data for payroll processing.


Please forward the PDF of summary.

 Regards,
Eliza Fernandes


NUCSOFT Ltd.
Finance Dept.

-------------------------------------------------------------------------------------------------
DISCLAIMER:
This message contains privileged and confidential information and is intended only for an individual named. If you are not the intended recipient, you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted,
-------------------------------------------------------------------------------------------------
                          NUCSOFT : With You - Until Success  and Beyond....
                          Visit us at http://www.nucsoft.com
-------------------------------------------------------------------------------------------------
Attached is a malicous Word document (not a PDF) called Payroll Dec'14.doc which has a VirusTotal detection rate of 3/56. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://cerovski1.net.amis.hr/js/bin.exe

This is saved as %TEMP%\1V2MUY2XWYSFXQ.exe and has a VirusTotal detection rate of just 1/56.

The Malwr report shows network connections to the following IPs:

59.148.196.153 (HKBN, Hing Kong)
74.208.11.204 (1&1, US)

It also drops a DLL with a detection rate of 20/56, identified as Dridex.

Recommended blocklist:
59.148.196.153
74.208.11.204

Note - for research purposes, a copy of the DOC and dropped files is here [zip]. Password is "infected".

Tuesday 6 January 2015

hqq.tv serving up exploit kit (via Digital Ocean and Choopa)

I will confess that I haven't had a lot of time to look at this, but here's an infection chain starting from a scummy-looking video streaming site called cine-stream.net. I do not recommend visiting any of the sites labelled [donotclick]

Step 1
[donotclick]cine-stream.net/1609-le-pre-nol-est-une-ordure-en-streaming.html
89.248.170.206 (Ecatel Ltd, Netherlands)
URLquery report

Step 2
[donotclick]hqq.tv/player/embed_player.php?vid=7SO84O65X5SM&autoplay=no
199.83.130.198 (Incapsula, US)

Step 3
[donotclick]agroristaler.info/dasimotulpes16.html
128.199.48.44 (Digital Ocean, Netherlands)
URLquery report

Step 4
[donotclick]aflesministal.info/chat.html
178.62.147.144 (Digital Ocean, Netherlands)
128.199.52.108 (Digital Ocean, Netherlands)

Step 5
[donotclick]pohfefungie.co.vu/VUZQBUgAAgtAGlc.html
[donotclick]eixaaweexum.co.vu/VxFVBkgAAgtAGlc.html
108.61.165.69 (Choopa LLC / Game Servers, Netherlands)
URLquery report

The Digital Ocean and Choopa IPs host several apparently malicious domains:

108.61.165.69
eixaaweexum.co.vu
ienaakeoke.co.vu
weswalkers.co.vu
pohfefungie.co.vu
vieleevethu.co.vu

178.62.147.144
128.199.52.108

sebitibir.info
abrisgalor.info
aflesministal.info

128.199.48.44
abibruget.info
alsonutird.info
fiflakutir.info
fistikopor.info
agroristaler.info
poliloparatoser.info

In my opinion, .co.vu domains are often bad news and are good candidates for blocking. In the mean time I would recommend the following minimum blocklist:

108.61.165.69
178.62.147.144
128.199.52.108
128.199.48.44

"PAYMENT ADVICE 06-JAN-2015" malware spam

This spam has a malicious attachment:
From:    Celeste , Senior Accountant
Date:    6 January 2015 at 10:13
Subject:    PAYMENT ADVICE 06-JAN-2015

Dear all,

Payment has been made to you in amount GBP 18898,28 by BACS.

See attachment.

Regards,

Celeste
Senior Accountant

I have only seen one sample so far, with a document BACS092459_473.doc which has a VirusTotal detection rate of 0/56 and which contains this macro [pastebin] which attempts to download an additional component from:

http://206.72.192.15:8080/mans/pops.php

This is exactly the same file as seen in this parallel spam run today and it has the same characteristics.

Malware spam: SGBD National Payments Centre / Saint Gobain UK / This is your Remittance Advice

This fake financial spam has a malicious payload:

Date:    6 January 2015 at 08:56
Subject:    This is your Remittance Advice #ATS29858

DO NOT REPLY TO THIS EMAIL ADDRESS

Please find attached your remittance advice from Saint Gobain UK.
For any queries relating to this remittance please notify the Payment Enquiry Team on 01484913947

Regards,
SGBD National Payments Centre

Note that this email is a forgery. Saint Gobain UK are not sending the spam, nor have their systems been compromised in any way. Instead, criminals are using a botnet to spam out malicious Excel documents.

Each email has a different reference number, and the attachment file name matches. The telephone number is randomly generated in each case, using a dialling code of 01484 which is Huddersfield (in the UK). There will probably be a lot of confused people in Huddersfield at the moment.

There are actually four different version of the malicious Excel file, none of which are detected by anti-virus vendors [1] [2] [3] [4] containing four different but similar macros [1] [2] [3] [4] [pastebin] which then download a component from one of the following locations:

http://213.174.162.126:8080/mans/pops.php
http://194.28.139.100:8080/mans/pops.php
http://206.72.192.15:8080/mans/pops.php
http://213.9.95.58:8080/mans/pops.php


This file is downloaded as test.exe and it then saved as %TEMP%\1V2MUY2XWYSFXQ.exe. It has a VirusTotal detection rate of just 3/48. That report shows that the malware then connects to the following URLs:

http://194.146.136.1:8080/
http://179.43.141.164/X9BMtSKOfaz/e&WGWM+o%3D_c%26%248/InRRqJL~L
http://179.43.141.164/TiHlXjsnCOo8%2C/fS%24P/VZFrel2ih%2Dlv+%26aTn
http://179.43.141.164/suELl1XsT%2CFX.k%26z4./sn%3F=/%3Ffw/HFBN@8J
http://179.43.141.164/fhmhi/igm/c&@%7E%2Dj.==m~cg_%2B%2C%3Daggs.%2Dkgm%26$~@fk@g/a%2Cgm+lkb%2D.~$kh/


194.146.136.1 is allocated to PE "Filipets Igor Victorovych" in Ukraine. 179.43.141.164 is Private Layer Incin Panama. I would definitely recommend blocking them and possibly the entire /24s in which they are hosted.

The Malwr report shows no activity, indicating that it is hardened against analysis.

Recommend blocklist:
194.146.136.1
179.43.141.164

213.174.162.126
194.28.139.100
206.72.192.15
213.9.95.58

Friday 2 January 2015

binarysmoney.com / clickmoneys.com / thinkedmoney.com "job" spam

I've been plagued with these for the past few days:

Date:    2 January 2015 at 11:02
Subject:    response

Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

We cooperate with different countries and currently we have many clients in the world.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1500 up to $5000 per month.

The job offers a good salary so, interested candidates please registration on the our site: www.binarysmoney.com

Attention! Accept applications only on this and next week.

Respectively submitted
Personnel department

Subject lines include:

New employment opportunities
Staff Wanted
Employment invitation
new job
New job offer
Interesting Job

response

Spamvertised sites seen so far are binarysmoney.com, clickmoneys.com and thinkedmoney.com, all multihomed on the following IPs:

46.108.40.76 (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania)
201.215.67.43 (VTR Banda Ancha S.A., Chile)
31.210.63.94 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)

Another site hosted on these IPs is moneyproff.com. All the domains have apparently fake WHOIS details.

It looks like a money mule spam, but in fact it leads to some binary options trading crap.


There is no identifying information on the page at all. Trustworthy? Nope. But let's look at that relaxed looking chap at the top of the page, in a picture called matthew.png.

Well, that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere.

Binary options are a haven for scammers, and my opinion is that this is such a scam given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:

46.108.40.76
201.215.67.43
31.210.63.94
clickmoneys.com
thinkedmoney.com
binarysmoney.com
moneyproff.com

Wednesday 31 December 2014

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@inet.ba

This post by Brian Krebs drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics..

Safe Browsing
Diagnostic page for AS198252 (ELTAKABEL-AS)

What happened when Google visited sites hosted on this network?

    Of the 165 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, office-hosts.org/, invoice-ups.org/, refforwarding.eu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2014-12-31, and the last time suspicious content was found was on 2014-12-26.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that appeared to function as intermediaries for the infection of 525 other site(s) including, for example, webtretho.com/, detik.com/, zaodich.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that infected 572 other site(s), including, for example, webtretho.com/, detik.com/, zaodich.com/.
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts.

An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very many bad sites, the WHOIS details for that block being..

inetnum:        217.71.48.0 - 217.71.63.255
descr:          TXTV d.o.o. Tuzla
org:            ORG-TdT1-RIPE
netname:        BA-TXTV-20030807
country:        BA
admin-c:        IK879-RIPE
tech-c:         IK879-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-NSC1
mnt-routes:     MNT-NSC1
notify:         ripe@txtv.ba
changed:        hostmaster@ripe.net 20030807
changed:        hostmaster@ripe.net 20040625
changed:        hostmaster@ripe.net 20050719
changed:        bitbucket@ripe.net 20081003
changed:        hostmaster@ripe.net 20110804
changed:        hostmaster@ripe.net 20140324
changed:        bit-bucket@ripe.net 20140325
source:         RIPE

organisation:   ORG-TdT1-RIPE
org-name:       TXTV d.o.o. Tuzla
org-type:       LIR
address:        TXTV d.o.o.
address:        Admir Jaganjac
address:        Focanska 1N
address:        75000
address:        Tuzla
address:        BOSNIA AND HERZEGOVINA
phone:          +38735353333
fax-no:         +38735266114
tech-c:         TXTV1-RIPE
abuse-mailbox:  abuse@txtv.ba
mnt-ref:        MNT-TXTV
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
admin-c:        AJ2947-RIPE
admin-c:        AA26986-RIPE
admin-c:        IK879-RIPE
abuse-c:        NSC11-RIPE
source:         RIPE
e-mail:         ripe@txtv.ba
changed:        bitbucket@ripe.net 20140324

person:         Igor Krneta
address:        Majora Drage Bajalovica 18
address:        78000 Banjaluka, BA
e-mail:         ripe@elta-kabel.com
phone:          +387 51 961 001
nic-hdl:        IK879-RIPE
mnt-by:         MNT-NAVIGOSC
changed:        ikrneta@navigosc.net 20071126
source:         RIPE

route:          217.71.50.0/24
descr:          Inet subnet #1
origin:         AS31630
mnt-by:         GENELEC-MNT
changed:        aadeno@inet.ba 20061029
source:         RIPE


I highlighted the part of most interest, which appears to be a block suballocated to someone using the email address aadeno@inet.ba.

I took a look at the sites hosted in this /24 and these are the results [csv]. There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.

Recommended blocklist:
217.71.50.0/24
darotkskeu.com
hijuvchr.com
humhfsara.com
lomospaoerotr.com
noerdfjkieswp.com
p28aa.com
pkoefkosaep.com
teeirkfoews.com
niggercar.es
invoice-ups.net
www-myups.net
invoice-myups.org
invoice-ups.org
office-hosts.org
softupdates.org
updatedns.org
www-myups.org
abdilo.ru
bihilafes.ru
cloudughtold.su
dedicnqher.su
dnspqajr.su
dnsxjkd.su
hosrvnwj.su
hostfjwmr.su
hostsple.su
hostyksn.su
servergotold.su
serverhersse.su
servermexyr.su
serveruey.su
serverxpqk.su
serviolt.su
ugulddedic.su
usehostru.su
uttofhost.su
vpsjsner.su
vpslopwz.su
baycityads.biz
blingstarscpm.biz
plustimber.biz
plutoads.biz
tempomedia.biz
dsffdsk323721372131.com
ny-discount-sales.com
rxmega-shop.com
rx-product-shop.com
safe-refill-rx.com
viphealhtmarket.com
datadirects.eu
dataremark.eu
dataresultsid.eu
datasynchronize.eu
datavail.eu
datsunplus.eu
dedistarid.eu
detectionstream1.eu
dmpcheck.eu
drellmedia.eu
elitemembers.eu
eplymedia.eu
eravideoads.eu
euserviceid.eu
forwardingref.eu
glowcheck.eu
iprecognition.eu
newsettingso.eu
ordealsting.eu
planacheck.eu
pluginverifys.eu
proudeuro.eu
refforwarding.eu
resellerapis.eu
rpmstatus.eu
samjectstar.eu
secondtierdirect.eu
selldataset.eu
soundads.eu
spokenads.eu
stretchstrong.eu
syncdata1.eu
trackingstreamchk.eu
trackstats.eu
trafficlax.eu
verablade.eu
club-rx-bestseller.ru
fuckaustralia.ru
rx-bestseller.ru




NetGuard Toolbar (ngcmp.com) spam

Sometimes a spam comes through and it isn't immediately obvious what they are trying to do:

From:    Brad Lorien [bclorien@ngcmp.com]
Date:    31 December 2014 at 01:12
Subject:    Real estate (12/30/2014)

Our company reaches an online community of almost 41 million people,
who are mostly US and Canadian based. We have the ability to present
our nearly 41 million strong network with a best, first choice when
they are looking online for what your company does.

We are seeking a preferred choice to send our people who are looking
for real estate in Abilene and surrounding markets.

I’m in the office weekdays from 9:00 AM to 5:00 PM Pacific time.

Best regards,

Brad Lorien
Network Specialist, SPS EServices
Phone: (877) 489.2929, ext. 64
There is no link or attachment in the email. So presumably the spammer is soliciting replies to the email address bclorien@ngcmp.com which is a valid address. The domain ngcmp.com uses a mail server mail.ngcmp.com to receive email messages, hosted on 38.71.66.127 (PSInet / Virtual Empire, US). A look at the spam headers are rather revealing..

Received: from [38.71.66.126] (port=60856 helo=ngcmp.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <bclorien@ngcmp.com>)
    id 1Y67tI-0006Ub-TC
    for [redacted]; Wed, 31 Dec 2014 01:16:17 +0000
Received: from mail.ngcmp.com (211.sub-75-215-49.myvzw.com [75.215.49.211])
    by ngcmp.net (Postfix) with ESMTPA id 0812E3E34E
    for <[redacted]>; Tue, 30 Dec 2014 19:18:13 -0600 (CST)
    (envelope-from bclorien@ngcmp.com)
We can see that the spam was sent via a relay at 38.71.66.126 which is one IP different from the server handling incoming mail, which pretty much firmly identifies that whoever controls the ngcmp.com domain is actually sending the spam. The mail headers also identify the originating IP as well as the relay, which is a Verizon Wireless customer at 75.215.49.211, possibly someone sending spam using throwaway cell phones to avoid being traced.

An examination of those two PSInet addresses shows the following domains are associated with them:

ncmp.co
ngmp.co
ngcmp.com
ng-portal.com
ngcmp.net
ng-central.net
luxebagscloset.com
reviewwordofmouth.com


All of these domains have anonymous WHOIS details, but you can see that there is a common pattern here. I don't recommend that you visit spam sites, but I did in this case to see what it was about.


It appears to be some crappy toolbar called NetGuard and indeed the ngcmp.com pulls down many resources from the netguardtoolbar.com website. The site claims to be from a company called "NG Systems" but gives no other identification. netguardtoolbar.com has also had anonymous WHOIS details since it was registered in 2008.

If we look at the "Privacy" page of the site, we can see what this is all about.

NetGuard does not ask you for any personally identifiable information such as an email address, phone number, your name, or any such data. We do track IP addresses only of those who choose to download our App. We also track downloads of the NetGuard App, as well as uninstalls of the NetGuard App, so that we may have accurate data on those two items only in dealing with our Advertisers. Our Advertisers assist us in maintaining our NetGuard App Community, which allows us to provide the public with even more features as time and innovation allows. NetGuard does, as part of our advertising process, allow Advertisers who maintain an active Advertiser Account, to present their websites when an end user of the NetGuard does a search on any of the major search engines. This in no way changes the search results contained on the native pages of the major search engines, but does allow NetGuard to continue to present the general public with more options as time and innovation allows. 
This is basically adware. Going back to the original spam message, these "41 million people" are presumably suckers who have downloaded this crap, and NG Systems are busy spamming out to find more low-life advertisers to fill up their network. Or am I just sounding annoyed?

Predictably, there seems to be no such corporation as "NG Systems", but if you download the Toolbar it turns out it is digitally signed by a company called "IP Marketing Concepts, Inc." 

If we drill down into the certificate details we can find out  more about this mystery corporation.
CN = IP Marketing Concepts, Inc.
OU = SECURE APPLICATION DEVELOPMENT
O = IP Marketing Concepts, Inc.
L = Lewes
S = Delaware
C = US


Some Googling around finds a Delware corporation number 4099908 founded in 2006, but as Delware is a "go to" place for corporation trying to hide their identities, it is hard to find out more information without paying.

The executable itself is tagged by only one AV engine as malicious, but VirusTotal does note that it looks like a PUA. Malwr notes that individual components appear to be Russian in origin.

So all in all, this spam is being sent out by a company that goes a very, very long way to disguise its origins. Would you really want to either install their product or advertise on their network?


Wednesday 24 December 2014

Malware spam: Rhianna Wellings / Rhianna@teckentrupdepot.co.uk / Signature Invoice 44281

Teckentrup Depot UK is a legitimate UK company, but these emails are not from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are not responsible for this in any way.

From:    Rhianna Wellings [Rhianna@teckentrupdepot.co.uk]
Date:    24 December 2014 at 07:54
Subject:    Signature Invoice 44281

Your report is attached in DOC format.

To load the report, you will need the Microsoft® Word® reader, available to download at http://www.microsoft.com/
Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro [1] [2] [pastebin] which then downloads an additional component from one of these two locations:

http://Lichtblick-tiere.de/js/bin.exe
http://sunfung.hk/js/bin.exe

The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56. The ThreatExpert report shows traffic to the following IPs:

74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)

According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56, detected as the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere.de
sunfung.hk

Tuesday 23 December 2014

"Remittance Advice" spam comes with a malicious Excel attachment

This fake remittance advice comes with a malicious Excel attachment.

From:    Whitney
Date:    23 December 2014 at 09:12
Subject:    Remittance Advice -DPRC93

Confidentiality and Disclaimer:  This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error.

This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the Telecommunications (Lawful Business Practices)(Interception of Communications) Regulations 2000.

The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, this is poorly-detected by AV vendors [1] [2] [3] [4].

If you read this blog regularly then you might have seen me mention these attacks many times before, and most of these have a familiar pattern. However, the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself.

The macro itself looks like this [pastebin] and as far as I can tell from it, it loads some data from the Excel spreadsheet and puts it into a file %TEMP%\windows.vbs. So far I have seen four different scripts [1] [2] [3] [4] which download a component from one of the following locations:

http://185.48.56.133:8080/sstat/lldvs.php
http://95.163.121.27:8080/sstat/lldvs.php
http://92.63.88.100:8080/sstat/lldvs.php
http://92.63.88.106:8080/sstat/lldvs.php

It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe.

The ThreatExpert report shows traffic to the following:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)

VirusTotal indicates a detection rate of just 3/54, and identifies it as Dridex.

Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107

185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106

Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well.






Monday 22 December 2014

"Tiket alert" spam. Tiket? Really?

Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

From:    FBR service [jon.wo@fbi.com]
Date
:    22 December 2014 at 18:29
Subject:    Tiket alert

Look at the link file for more information.

http://mitsuba-kenya.com/ticket/fsb.html

Assistant Vice President, FBR service
Management Corporation
I have seen another version of this where the download location is negociomega.com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe.

This has a VirusTotal detection rate of 2/54. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:

http://202.153.35.133:42463/2212us12//0/51-SP3/0/
http://202.153.35.133:42463/2212us12//1/0/0/
http://moorfuse.com/images/unk12.pne


202.153.35.133 is Excell Media Pvt Ltd, India.

Recommended blocklist:
202.153.35.133
moorfuse.com
mitsuba-kenya.com
negociomega.com

Angler EK on 193.109.69.59

193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit.

The infection chain that I have seen is as follows (don't click those links, obviously):

[donotclick]www.opushangszer.hu/hora-at-200-b-csiptetos-gitarhangolo/1-864-359
-->
[donotclick]bettersaid.net/7b614b6f9fb62682c46d303fea879a38.swf
-->
[donotclick]www.smallbusinesssnapshot.com/

a6107b69be5422d82da0c2109cc7f20f.php?q=7a7581fad469383e7313d27d1cedf2d3
-->
[donotclick]qwe.holidayspeedfive.biz/em3t8gxum0
-->
[donotclick]qwe.holidayspeedfive.biz/

KuCRwb_Bwr38O4rT6dqEUCT9x5K26Bw_PNEHE3DJ_U9vgmcD31TZILN2BlAmHabL

The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:

qwe.holidayspeedsix.biz
qwe.holidayspeedfive.biz
qwe.holidayspeedseven.biz


A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted in this /23 indicates that most of them appear to be selling counterfeit goods, so blocking the entire /23 will probably be no great loss.

Recommended minimum blocklist:
193.109.69.59
holidayspeedsix.biz
holidayspeedfive.biz
holidayspeedseven.biz

Friday 19 December 2014

Malware spam: "Blocked Transaction. Case No 970332"

This fake ACH spam leads to malware:

Date:    19 December 2014 at 16:06
Subject:    Blocked Transaction. Case No 970332

The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID     083520
Transaction Amount     1458.42 USD
Sender e-mail     info@victimdomain
Reason of Termination     See attached statement

Please open the word file enclosed with this email to get more info about this issue. 
In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal dectection rate of 4/54. Inside are a series of images detailing how to turn off macro security.. which is a very bad idea.











If you are daft enough to enable macros, then this macro [pastebin] will run which will download a malicious binary from http://nikolesy.com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51 as is identified as the Dridex banking trojan.

Malware spam: no-replay@my-fax.com / "Employee Documents - Internal Use"

This fake fax spam leads to malware:

From:    Fax [no-replay@my-fax.com]
Date:    19 December 2014 at 15:37
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://crematori.org/myfax/company.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
The download locations in the email vary, so far I have seen:

http://newsurveyresults.com/myfax/company.html
http://ChallengingDomesticAbuse.co.uk/myfax/company.html
http://crematori.org/myfax/company.html
http://gnrcorbus.com/myfax/company.html
http://sonata-arctica.wz.cz/myfax/company.html

Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55. Most automated analysis tools are inconclusive [1] [2] but the VT report shows network connections to the following locations:

http://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http://202.153.35.133:40542/1912uk22//1/0/0/
http://natural-anxiety-remedies.com/wp-includes/images/wlw/pack22.pne


Recommended blocklist:
202.153.35.133
natural-anxiety-remedies.com




Malware spam: "BACS payment Ref:901109RW"

This spam comes with a malicious attachment, in a format similar to the following:

From:    Fern
Date:    19 December 2014 at 10:09
Subject:    BACS payment Ref:901109RW


Please see below our payment confirmation for funds into your account on Tuesday re invoice 901109RW

Accounts Assistant
Tel:  01874 662 346
Fax: 01874 501 248

To add credibility, the attachment has the same name as the reference in the subject and body text (in this case it is 901109RW.xls). The reference is randomly generated.

So far, I have seen three different type of attachment, all undetected by AV vendors [1] [2] [3] containing a different malicious macro each [1] [2] [3] [pastebin]. These macros then try to download an executable from the following locations:

http://78.129.153.23/sstat/lldvs.php
http://5.9.253.183/sstat/lldvs.php
http://185.48.56.123/sstat/lldvs.php


The file is downloaded as test.exe and is then moved to %TEMP%\VMUYXWYSFXQ.exe. It has a VirusTotal detection rate of 2/54. VT also reports that it phones home to 194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

Additional analysis is pending.

UPDATE:
A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal and a different macro [pastebin], however it downloads the same binary from http://78.129.153.23/sstat/lldvs.php as the previous example does.