I was tipped off to this site by a contact: it appears that some particularly despicable scammers have registered a fake website called savenepal.org which is soliciting donations via PayPal.
The site is largely cloned from the legitimate ActionAid site, which is genuinely seeking donations to go to Nepal.
ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but checking that number with the UK Charity Commission shows that the charity registered under it is actually an orchestra.
Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:
The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:
com-indexhtml.link
com-indexhtml.us
grantsekit.com
Out of these, only com-indexhtml.us has a non-anonymous WHOIS entry:
Registrant ID: C4E83B25FA8AD52D
Registrant Name: Frank J. Moore
Registrant Address1: 2441 Byers Lane
Registrant City: Davis
Registrant State/Province: CA
Registrant Postal Code: 95616
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.5307574940
Registrant Email: uscustomerhelp@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C12
I'm pretty sure that those contact details are fake. Going back through historical WHOIS comes up with different contact details:
Registrant ID: 29B0B5BBD7190398
Registrant Name: dinna james
Registrant Address1: po box 876
Registrant City: dl
Registrant State/Province: dl
Registrant Postal Code: 110098
Registrant Country: India
Registrant Country Code: IN
Registrant Phone Number: +1.918978978
Registrant Email: helpot80@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C12
Of course, these contact details could also be false, and there's no definite connection to savenepal.org yet. But out of curiosity, who is helpot80@gmail.com? Googling doesn't reveal much, but it does show a copy of a conversation in the news.admin.net-abuse.email newsgroup where someone claiming to use this email address is complaining about spam. If we then use Google Groups to find the original newsgroup post, we see it was posted from the IP 182.68.85.242, a dynamic Bharti Airtel IP in India, which does at least match the country in the WHOIS details.
Another Google result is this Phishtank entry listing social2013.com/rockgrade/ which appears to be a copy of the Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of social2013.com before it expired in February 2015.
This WHOISology report links the address to several domains:
beauty6k.com
social2013.com
droughty.com
auto36.us
secure2013.us
Also, 94.242.255.129 has hosted many other domains, many of which appear to be scammy.
com-13.pw
com-21.us
com-indexhtml.us
news7d.com
mynews360.com
grantsekit.com
social2013.com
secured2014.com
usgrantskit.com
savenepal.org
com-indexhtml.link
huffingtonpost.com-indexhtml.link
dear.graphics
Many of these have the helpot80@gmail.com address listed in their historical WHOIS entries.
What else can we find out?
The email address is connected with this scammy-looking Facebook page allegedly giving away "free laptops".
The email address also links to this Google+ profile naming them as "N. Al.". It also links to this YouTube channel with a single video about Payoneer. These profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.
I cannot prove that helpot80@gmail.com is connected with savenepal.org, but they probably know whoever is behind it.
Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.
Thursday, 30 April 2015
Malware spam: "Rebecca McDonnell [rebecca@gascylindersuk.co.uk]" / "Telephone order form"
This fake financial email is not from Gas Cylinders UK but is instead a simple forgery with a malicious attachment.
There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56 and contained this malicious macro [pastebin] which downloaded a component from the following location:
http://morristonrfcmalechoir.org/143/368.exe
This is saved as %TEMP%\serebok2.exe and has a detection rate of 8/56. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:
212.227.89.182 (1&1, Germany)
The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55.
From: Rebecca McDonnell [rebecca@gascylindersuk.co.uk]
Date: 30 April 2015 at 09:54
Subject: Telephone order form
Telephone order form attached
Regards,
Rebecca McDonnell
Business Administrator
340a Haydock Lane, Haydock Industrial Estate,
St Helens, Merseyside, WA11 9UY
DDI: 01744 304338
Fax: 01942 275 312
Email: rebecca@gascylindersuk.co.uk
***** D i s c l a i m e r *****
This e-mail message is confidential and may contain legally privileged information. If you are not the intended recipient you should not read, copy, distribute, disclose or otherwise use the information in this e-mail. Please also telephone us on 0800 622 6330, immediately and delete the message from your system. E-mail may be susceptible to data corruption, interception and unauthorised amendment, and we do not accept liability for such corruption, interception or amendment or the consequences thereof.
Wednesday, 29 April 2015
cnwebregistry.cn / chinaygregistry.com scam and "Huayu Ltd"
This spam email is actually part of a long-running Chinese scam.
Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a rogue Chinese domain registrar to get you to buy overpriced and worthless domains.
In this case the spam mentions the domain cnwebregistry.cn, but chinaygregistry.com is also on the same server and will be similarly fraudulent.
This video I made a while ago explains the scam in more detail.
From: Jim Bing [jim.bing@cnwebregistry.cn]
Date: 29 April 2015 at 14:27
Subject: Re:"[redacted]"
Dear CEO,
(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)
We are a Network Service Company which is the domain name registration center in Shanghai, China.
We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?
Best Regards,
Jim
General Manager
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnwebregistry.cn
Tuesday, 28 April 2015
Malware spam: "INVOICE PD Will Comm" / "richard will [contactwill@hotmail.com]"
This malicious spam does not come from Will Communications but is instead a simple forgery with a malicious attachment.
The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56 and it contains this malicious macro [pastebin]. In this case, the macro downloads a component from:
http://massachusettsselfstorage.com/62/927.exe
..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53. There may well be other documents that download from other locations, but the binary will be the same in all cases.
Automated analysis tools [1] [2] [3] show that it attempts to communicate with the following IP:
185.12.95.191 (RuWeb CJSC, Russia)
According to the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56.
MD5s:
67a5facf854a72382a8d8e308027baa3
f998950151c5922cd2c338290e78a420
59f03febb357e343f33937b9925b8846
From: richard will [contactwill@hotmail.com]
Date: 28 April 2015 at 09:05
Subject: INVOICE PD Will Comm
Thank-you for your payment!
Richard Will
Will Communications, Inc.
richard@willcommunications.com
Monday, 27 April 2015
Malware spam: "[1138593] Booking.com Invoice 01/03/2015 - 31/03/2015" / "invoice@booking.com"
This fake invoice email does not come from Booking.com but is a simple forgery with a malicious attachment.
The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc, which has a VirusTotal detection rate of 3/57. This contains a malicious macro [pastebin] which downloads a component from the following location:
http://voipconcerns.com/62/927.exe
There are probably other slightly different versions of the Word document that download from different locations; however, the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57.
Automated analysis tools [1] [2] [3] show an attempted network connection to:
185.12.95.191 (RuWeb CJSC, Russia)
According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57.
MD5s:
6aa26f04b22b284dda148ce317f53de8
a92cdc17c74b1a008d3c239006fdf042
1c90c45e0bdfb91a8a73c1f6d1e738fe
From: invoice@booking.com
Date: 27 April 2015 at 08:55
Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015
Dear customer,
Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.
If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail: ).
Thank you for working with Booking.com.
Friday, 24 April 2015
Malware spam: "Pidwell, Nigel [nigel.pidwell@ssecontracting.com]" / "Western Order"
The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:
So far I have only seen one sample, Western Order.doc [VT 4/57], which contains a malicious macro [pastebin] that is functionally identical to the one used in this spam run, which was also happening this morning.
From: Pidwell, Nigel [nigel.pidwell@ssecontracting.com]
Date: 24 April 2015 at 08:47
Subject: Western Order
Regards
Nigel Pidwell
Administrator
SSE Contracting Limited
T: +44 (0) 1637 889506
E: nigel.pidwell@ssecontracting.com
Unit 8, Hurling Way,
St Columb Major Business Park, St Columb Major, Cornwall
TR9 6SX
www.sseenterprise.co.uk
Malware spam: "Colin Fox [colin@nofss.co.uk]" / "Invoice 519658"
This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).
The attachment is Sales Invoice 519658.pdf [VT 2/57]. This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55] which in turn contains a malicious macro that looks like this [pastebin].
There may be different versions of the macro, but in this case it downloads a component from:
http://bepminhchi.com/83/61.exe
..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] show an attempted network connection to:
185.12.95.191 (RuWeb CJSC, Russia)
149.154.64.70 (TheFirst-RU, Russia)
78.24.218.186 (TheFirst-RU, Russia)
89.28.83.228 (StarNet SRL, Moldova)
In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.
Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228
Sample MD5s:
da26ed1b6fe69d15a400b3bc70001918
b37ea697df790121e4dda35d8ba172c3
0ea69ef635257be03043a3f70f013475
29471c1aabae10d205f474a3299486ec
From: Colin Fox [colin@nofss.co.uk]
Date: 24 April 2015 at 09:40
Subject: Invoice 519658
Please find Invoice 519658 attached
Thursday, 23 April 2015
Malware spam: "Refund on order 204-2374256-3787503" / "Amazon.co.uk [payments-messages@amazon.co.uk]"
This fake Amazon spam comes with a malicious attachment:
Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions, however the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:
http://qube.co.il/42/335.exe
..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools [1] [2] [3] [4] indicate that it calls out to the following IPs:
185.12.95.191 (RuWeb CJSC, Russia)
87.236.215.151 (OneGbits, Lithuania)
94.23.171.198 (OVH, Czech Republic)
185.35.77.250 (Corgi Tech, UK)
149.154.64.70 (TheFirst-RU, Russia)
The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.
Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70
MD5s:
e52a8d15ee08d7f8b4efca1b16daaefb
57b54e248588af284871c2076f05651c
ca5c5b79ce16d888ba2a6747b9d033d3
From: Amazon.co.uk [payments-messages@amazon.co.uk]
Reply-To: "Amazon.co.uk" [payments-messages@amazon.co.uk]
Date: 23 April 2015 at 09:58
Subject: Refund on order 204-2374256-3787503
Dear Customer,
Greetings from Amazon.co.uk.
We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.
This amount has been credited to your payment method and will appear when your bank has processed it.
This refund is for the following item(s):
Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return
The following is the breakdown of your refund for this item:
Item Refund: £4.89
Your refund is being credited as follows:
GC: £4.89
These amounts will be returned to your payment methods within 5 business days.
The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.
Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:
http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1161010
Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
it: http://get.adobe.com/reader/
This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
refunds.
Thank you for shopping at Amazon.co.uk.
Sincerely,
Amazon.co.uk Customer Service
http://www.amazon.co.uk
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.
An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
click OK, and then click OK again
Wednesday, 22 April 2015
Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"
Made in Russia.
From: Tamika Cortez
Date: 22 April 2015 at 14:33
Subject: New document with ID:G27427P from RESTAURANT GROUP PLC was generated
New report with ID:G27427P was generated by our system. Please follow the link below to get your report.
Download report ID:G27427P
Best regards ,Tamika Cortez
RESTAURANT GROUP PLC
In this case, the link in the email goes to:
http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC
..which includes the victim's email address in the URL. In turn, this redirects to:
http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs
As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:
http://185.91.175.183/sas/evzxce.exe
..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs:
144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)
According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.
Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18
MD5s:
1fc2abec9c754e8cc1726bf40e0b3533
af8ff1ea180d5c45b4bb8c8f17c6cddc
57b54e248588af284871c2076f05651c
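As an added example (not code from the original post), here is a Python check that breaks a link of the kind quoted above into the victim address, the lure company name and the file the redirect will serve, flagging script and executable extensions, and then runs that check over a few constructed proxy log lines. The log format, the client addresses and the benign control URL are assumptions; the two malicious URLs are the ones quoted in the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# File extensions that a "download your report" link should never resolve to.
# The post's link serves a .vbs; the other entries are common droppers of the
# same kind (assumption: extend this set to match your own policy).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr",
                     ".bat", ".cmd", ".ps1"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,4})$")


def _extension(name):
    """Return the lower-cased extension of a file name, or None if it has none."""
    match = EXT_RE.search(name)
    return "." + match.group(1).lower() if match else None


def analyse_report_link(url):
    """Break a 'download report' link into the fields a defender cares about.

    Query values are classified as the victim address (looks like an e-mail),
    the requested file name (has an extension) or the lure text (anything else).
    When the link carries no query string, as with the second-stage redirect
    in the post, the file name is taken from the last path segment instead.
    """
    parts = urlsplit(url)
    victim = filename = lure = None
    for values in parse_qs(parts.query).values():
        for value in values:
            if EMAIL_RE.match(value):
                victim = value
            elif _extension(value) is not None:
                filename = value
            else:
                lure = value
    if filename is None:
        last_segment = parts.path.rsplit("/", 1)[-1]
        if _extension(last_segment) is not None:
            filename = last_segment
    extension = _extension(filename) if filename else None
    return {
        "host": parts.hostname,
        "victim": victim,
        "filename": filename,
        "lure": lure,
        "dangerous": extension in SCRIPT_EXTENSIONS,
    }


# Constructed proxy log lines (not a real log). Format, by assumption:
# "<time> <client ip> <method> <url> <status>". The first two URLs are the
# ones quoted in the post; the third is a benign control line.
SAMPLE_PROXY_LOG = [
    "2015-04-22T14:35:02Z 10.0.0.15 GET http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij"
    "?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC 302",
    "2015-04-22T14:35:03Z 10.0.0.15 GET http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs 200",
    "2015-04-22T14:36:10Z 10.0.0.22 GET http://example.com/reports/summary.pdf?user=alice@example.com 200",
]


def scan_proxy_log(lines):
    """Return one finding per log line whose URL resolves to a script/executable.

    Each finding is the analyse_report_link() result plus the client address,
    so a responder can see which host fetched the file and, where the query
    string carried it, which mailbox the lure was sent to.
    """
    findings = []
    for line in lines:
        fields = line.split()
        url = next((f for f in fields if f.startswith(("http://", "https://"))), None)
        if url is None or len(fields) < 2:
            continue
        info = analyse_report_link(url)
        if info["dangerous"]:
            info["client"] = fields[1]
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```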
Tuesday, 21 April 2015
Malware spam: "Australian Taxation Office - Refund Notification" / "Australian Taxation Office [noreply@ato.gov.au]"
G'day mate. Despite not being an Aussie and never having paid a single Australian cent in tax, apparently I'm due a tax refund from the Australian Tax Office. Bonzer!
Despite the "gov.au" address displayed in the link, it actually leads to a download from i.nfil.es of a ZIP file called report2104.zip, which in turn contains the malicious executable report2104.exe.
Currently this malware has a reasonable detection rate of 23/57. Out of various automated analysis tools, only the Payload Security Hybrid Analysis engine gave a decent result, indicating that a connection was made to a legitimate but hacked site, relianceproducts.com, and then several versions of the same .EXE were downloaded, which this VirusTotal report indicates is the Dyre banking trojan. That same VirusTotal report also lists a number of C&C servers that you might want to block:
From: Australian Taxation Office [noreply@ato.gov.au]
Date: 21 April 2015 at 21:36
Subject: Australian Taxation Office - Refund Notification
IMPORTANT NOTIFICATION
Australian Taxation Office - 22/04/2015
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 218.21 AUD.
To view/download your tax notification please click here or follow the link below :
https://www.ato.gov.au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=report2104_4343697
Brett Newman, Tax Refund Department Australian Taxation Office
Malware spam: "LAG invoice I413136" / "Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]"
This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57 and which contains this malicious macro [pastebin]; in turn this downloads a component from:
http://eternitymobiles.com/25/144.exe
..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56.
Automated analysis tools [1] [2] [3] show that it attempts to communicate with a familiar IP:
89.28.83.228 (StarNet SRL, Moldova)
According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56.
Recommended blocklist:
89.28.83.228
MD5s:
02492b954b48f13412a844d689d064f1
7f7f476e83a253794b36cb7a16c04902
155643eb342c5b65a6f5a1391fe2396b
From: Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]
Sent: Tuesday, April 21, 2015 9:55 AM
Subject: LAG invoice I413136
Dear Accounts Payable,
Attached is a copy of invoice I413136. The items were shipped. Please feel free to contact me if you have any questions or cannot read the attachment.
Thank you for your business.
Sincerely,
Lichelle Ebner
L. A. Grinding Company
Ph. (818) 846-9134
FAX (818)846-1786
Monday, 20 April 2015
Malware spam: "Hector Malvido [handyman1181@hotmail.com]" / "Pending payment"
This spam comes with a malicious attachment:
Attached is a file filename-1.doc (3/57 detection by AV vendors) which may come in many different versions, but the samples I have all contain this malicious macro [pastebin] which downloads another component from the following location:
http://kafilahgroup.com/55/55.exe
This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] [4] show it phoning home to:
89.28.83.228 (StarNet SRL, Moldova)
The Malwr report shows that it drops a Dridex DLL with a 3/57 detection rate.
Recommended blocklist:
89.28.83.228
MD5s:
673626be5ea81360f526a378355e3431
7ca6884ad8900797c7f0efaaabe0c0da
8c0661aefa9aa25d8fddf2a95297e04e
From: Hector Malvido [handyman1181@hotmail.com]
Date: 20 April 2015 at 10:51
Subject: Pending payment
This invoice shows in my records that has not being pay can you review your records please
Friday, 17 April 2015
Malware spam: "Julie Mckenzie [julie0526@swift-cut.co.uk]" / "Credit Card Statement"
This spam does not come from Swift Cut, but is instead a simple forgery with a malicious attachment:
Attached is a file C Swift Credit Card.doc which comes in at least four different versions, all of which are malicious and all of which have a macro similar to this one [pastebin].
These macros download a file from one of the following locations:
http://oolagives.com/24/733.exe
http://derekthedp.com/24/733.exe
http://sempersleep.com/24/733.exe
This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54 (identified clearly as a Dridex component). Automated analysis [1] [2] [3] [4] shows that it attempts to communicate with:
46.36.219.32 (FastVPS, Estonia)
I recommend that you block traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53.
MD5s:
6c784bec892ce3ef849b1f34667dccac
ec35660657404295a78d8d1bcb1f1071
89b87b7c5c38039a4a46060f00a1ec37
40862ce3abb02d69ec31b8a1b62fef95
59fe482009fecc8761809a9c974a143e
f840f9075a178ab579ed2e4c622bc291
From: Julie Mckenzie [julie0526@swift-cut.co.uk]
Date: 17 April 2015 at 12:24
Subject: Credit Card Statement
Hi
Attached your credit card statement.
Can you return with receipts by Friday 17th April.
Thanks
Julie
Julie McKenzie
Sales Administrator
Tel +44 (0)1543 473300
E-mail julie@swift-cut.co.uk
Scam: "Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK)," / "Royal Queens Hotel"
From: United Nations Summit [no_replytoold@live.com]
Reply-To: unitednation.unt@gmail.com
Date: 16 April 2015 at 17:59
Subject: Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),
Dear Invitee, Nonprofit/NGO Colleague,
UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.
Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.
The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel.
Venue: Queen Elizabeth II Conference Centre (QEIICC)
Date: 5th-9th May, 2015.
Conference Theme: Impact and implications of the global financial and economic crisis on sustainable development & climate change proposals for an integrated global response to the crisis.
For further details about registration form, visa, flight ticket and other details, write an acceptance letter to be part of this event and send it directly via our Official e-mail together with your cellphone number for confirmation.
Send us e-mail:
unitednations_summit@secretary.net
unitednations.summit@aol.fr
or Call Dr. Pitt Thomas for more information +44703-597-1620.
We look forward to meeting you at the forthcoming Global Financial and Economic Crisis conference.
Register Now!!!!
Mrs.Kathleen Fitzpatrick
(Organizing Secretary)
Communication and Public Affairs.
United Nations-Nations Unites
Division for Social Policy and Economic Development Department of Economic
and Social Affairs Room UK2-1324, 2 United Nations Plaza, England, United
Kingdom.
What's the scam? Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." There is no hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel, and will then vanish with your money.
There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a fake hotel website to make the scam more credible.
Avoid.
Thursday, 16 April 2015
Malware spam: "Decisive notification about your Automated Clearing House payment"
This fake ACH spam leads to malware:
From: aileen.alberts@[redacted]
Date: 16 April 2015 at 15:55
Subject: Decisive notification about your Automated Clearing House payment
The Automated Clearing House transaction transfer, recently initiated from your company's online bank account, has been rejected by the EPA.
Rejected ACH payment
Automated Clearing House transfer Case # L669461617
Transaction Total 27504.02 US Dollars [redacted]
Reason of Termination Download full details
Please visit the link provided at the top to see more information about this problem.
The link in the email goes to a download location at dropbox.com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro [pastebin].
I haven't had the time to analyse it fully, but it is rather different from other offerings. From what I can tell, it downloads an encrypted file [pastebin] from:
sundsvallsrk.nu/tmp/1623782.txt or
hpg.se/tmp/1623782.txt
And some sort of executable from Dropbox with a detection rate of 3/57. Automated analysis tools are inconclusive at the moment [1] [2] although the Payload Security report does show several dropped files including two malicious scripts [pastebin].
Of note is that one of the scripts downloads what looks like a PNG from:
savepic.su/5540444.png
For now, I would recommend blocking traffic to
sundsvallsrk.nu
hpg.se
savepic.su
For researchers only, I have an archive of some of the files here, password is infected.
Wednesday, 15 April 2015
pdatamc.org / publicdmc.cn domain scam
This email message is actually a spam promoting a long-running scam where an unscrupulous party is attempting to sell overpriced and worthless domains to their intended victim.
From: Bruce Lo [mailto:bruce@publicdmc.cn]
Date: 14:59 Wednesday 15th April 2015
Subject: [victimdomain] Registration
Priority: High
To whom it may concern:
We are the Registrars accredited by China Internet Network Information Center. We have something to confirm with you. On April 7, 2015, we received an application in which a company by the name Presg Group applied to register "victimdomain" as their Brand Name and some Asia domain names through our firm.
Now we are handling this registration. After our initial checking, we found that the name is identical to your company's. We need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If not, please let us know within 7 workdays, in which case we will discuss the matter more thoroughly. If not otherwise advised within that time limit we will proceed with the registration for Presg Group. We will be waiting for your reply. Have a nice day!
Best Regards
Bruce Lo
Registration Dept.
Phone: +86.55165184482
Fax: +86.55165128724
Website: http://www.pdatamc.org/
Address: No. 789, XiYou Road, Zhengwu District, HeFei City, AnHui Province, China
I've explained this particular scam so many times that I made a video explaining it.
businessexecutives01.com / theexecutivesbrand.com scam
This is a grubby "Who's Who scam"
From: Sterling Hudson
Date: 15 April 2015 at 14:12
Subject: Re: you were chosen as a potential candidate...
Dear,
You were recently chosen as a potential candidate to represent 2015 Worldwide Branding Registry of Distinguished Professionals and Executives.
We are pleased to inform you that your candidacy was formally approved May 2nd. Congratulations. The Publishing Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals.
Given your background, the Director believes your profile makes a fitting addition to our publication. There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your registry listing within seven business days.
Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishments within their own geographical area.
To verify your profile and accept the candidacy, please visit here.
Our registration deadline for this year's candidates is May 28th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievement and look forward to welcoming you to our association.
Sincerely,
Benjamin Morisson
Editor in Chief
Worldwide Selection Committee 2015
If you don't want to receive emails any more, please Unsubscribe
The link in the email goes to www.businessexecutives01.com:8133/wayne/ which is an anonymously registered domain hosted on a spam server at 123.249.39.89 in China. The links on the businessexecutives01.com website all lead to theexecutivesbrand.com which is basically a mirror of the content.
There are a number of these scammy spam sites on the same servers. I recommend that you block all of the following sites as spam:
businessexecutives01.com
dirtyemojis.ru
foldemholdem.com
ironchampusa.ru
truepeptide.net
theexecutivesbrand.com
Malware spam: "Invoice from Living Water" / "Natalie [mailto:accounts@living-water.co.uk]"
This fake invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.
From: Natalie [mailto:accounts@living-water.co.uk]
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water
Dear Customer :
Your invoice is attached. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Living Water
0203 139 9051
In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55. This contains a malicious macro [pastebin] which downloads a file from the following location:
http://adlitipcenaze.com/353/654.exe
There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currently has a detection rate of 6/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:
89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)
According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57.
Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100
MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328
Tuesday, 14 April 2015
Digital Networks CJSC aka DINETHOSTING and 79.137.224.0/20
A few years ago Digital Networks CJSC (DINETHOSTING) was hosting a significant amount of toxic crap in the 79.137.224.0/20 range (examples: [1] [2] [3] [4]). Although they still host a significant amount of crap, this particular range now looks almost clean and does have quite a few legitimate (mostly Russian) customers on it.
I ran an analysis on 1672 sites [csv] in this range and only two were tagged as malicious by Google and none by SURBL, which is actually less than I would expect on a sample of this size. I note that many sites have reputational problems at WOT which seem to be because of an expired Spamhaus listing (see this example).
If you've blocked this /20 then I suggest that it is reasonably safe to unblock, although I would regard other DINETHOSTING ranges with caution.
Labels:
DINETHOSTING,
Russia
Malware spam: "Kairen Varker [mailto:kvarker@notifications.kashflow.com]" / "Invoice from"
This fake invoice has a malicious attachment:
From: Kairen Varker [mailto:kvarker@notifications.kashflow.com] On Behalf Of Kairen Varker
Sent: Tuesday, April 14, 2015 9:26 AM
Subject: Invoice from
I have made the changes needed and the site is now mobile ready. Invoice is attached
In this case the attachment is called Invoice-83230.xls which is currently undetected by AV vendors. It contains this malicious macro [pastebin] which downloads a component from the following location (although there are probably more than this):
http://925balibeads.com/94/053.exe
This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] [4] show the malware phoning home to:
78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, Russia)
89.28.83.228 (StarNet SRL, Moldova)
The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57.
Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228
MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995
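As an added example (my own code, not from this blog or from any of the sandbox reports it links to), here is how the indicators from the Dridex posts above (the swift-cut, Living Water and Kashflow invoices) and from the ACH spam post can be turned into a simple blocklist check run over proxy log lines and a file-hash inventory. The log layout is an assumption made for this example, not a real product's format, and the log lines and the second file hash are constructed; the IPs, hosts and MD5s are the ones listed in the posts.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Network indicators collected from the posts above: Dridex phone-home IPs,
# macro download hosts, and the hosts named in the ACH spam post.
BLOCKED_IPS = frozenset({
    "46.36.219.32", "89.28.83.228", "78.24.218.186", "37.140.199.100",
    "184.25.56.188", "176.67.160.187", "87.236.215.151", "154.69.104.137",
    "107.191.46.222", "94.23.171.198", "74.119.194.18",
})
BLOCKED_HOSTS = frozenset({
    "oolagives.com", "derekthedp.com", "sempersleep.com", "adlitipcenaze.com",
    "925balibeads.com", "sundsvallsrk.nu", "hpg.se", "savepic.su",
})
# MD5s of the dropper executables and DLLs listed in the posts.
KNOWN_MD5S = frozenset({
    "6c784bec892ce3ef849b1f34667dccac", "ec35660657404295a78d8d1bcb1f1071",
    "89b87b7c5c38039a4a46060f00a1ec37", "40862ce3abb02d69ec31b8a1b62fef95",
    "59fe482009fecc8761809a9c974a143e", "f840f9075a178ab579ed2e4c622bc291",
    "2ecf5e35d681521997e293513144fd80", "9932c4a05ca0233f27b0f8404a8dc5bd",
    "68e1e7251314944a4b4815adced70328", "e46dcc4a49547b547f357a948337b929",
    "1748fc9c5c0587373bf15a6bda380543", "1e010195d2e5f6096095078482624995",
})

# Hypothetical proxy log layout, assumed for this example:
#   <timestamp> <client-ip> <server-ip> <method> <url>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)
URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str  # "dst-ip" or "url-host"
    value: str


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased host part of a URL, or None if it has no scheme."""
    m = URL_HOST.match(url)
    return m.group(1).lower() if m else None


def host_blocked(host: str) -> bool:
    """True if host is a blocked domain or a subdomain of one.

    Matching is done on label boundaries, so hpg.se.example.net is NOT a
    match for hpg.se, while cdn.savepic.su IS a match for savepic.su.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Flag log lines whose destination IP or URL host is on the blocklist."""
    hits: List[Hit] = []
    for line_no, raw in enumerate(lines, start=1):
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        if m["dst"] in BLOCKED_IPS:
            hits.append(Hit(line_no, "dst-ip", m["dst"]))
        host = host_of(m["url"])
        if host and host_blocked(host):
            hits.append(Hit(line_no, "url-host", host))
    return hits


def match_hashes(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, md5) pairs whose MD5 matches one of the posted samples."""
    return [(path, md5) for path, md5 in inventory if md5.lower() in KNOWN_MD5S]


# Constructed sample data: these lines are not real traffic.
SAMPLE_LOG = [
    "2015-04-16T10:02:11Z 10.1.2.34 46.36.219.32 POST http://46.36.219.32/",
    "2015-04-16T10:03:45Z 10.1.2.35 93.184.216.34 GET http://example.com/index.html",
    "2015-04-16T10:04:02Z 10.1.2.36 198.51.100.7 GET http://oolagives.com/24/733.exe",
    "2015-04-16T10:05:19Z 10.1.2.37 203.0.113.9 GET http://cdn.savepic.su/5540444.png",
    "2015-04-16T10:06:00Z 10.1.2.38 198.51.100.8 GET http://hpg.se.example.net/tmp/1623782.txt",
]
SAMPLE_FILES = [
    (r"C:\Users\alice\AppData\Local\Temp\grant8i.exe", "6c784bec892ce3ef849b1f34667dccac"),
    (r"C:\Windows\System32\notepad.exe", "0123456789abcdef0123456789abcdef"),  # constructed hash
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason} {hit.value}")
    for path, md5 in match_hashes(SAMPLE_FILES):
        print(f"known sample: {md5} {path}")
```

The host check deliberately walks label boundaries rather than doing a substring search: a plain `"hpg.se" in host` test would also flag the unrelated hpg.se.example.net in the last sample line, while the direct-to-IP POST on the first line is only caught by the destination-IP check, which is why the blocklists above carry both the IPs and the download hosts.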
Labels:
Dridex,
Lithuania,
Malware,
Moldova,
OVH,
Russia,
South Africa,
Spam,
TheFirst-RU,
Viruses