Sponsored by..

Wednesday, 16 September 2015

Malware spam: "Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/"

This fake Lloyds Bank spam comes with a malicious payload:

From:    RSTNAME} Crabtree [Chang.Crabtree@lloydsbankcommercial.com]
Date:    15 September 2015 at 13:18
Subject:    Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/

Please find attached our document pack for the above customer. Once completed please return via email to the below address.

If you have any queries relating to the above feel free to contact us at

MN2Lloydsbanking@lloydsbankcommercial.com
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 7117152. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC453043.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.

In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:

thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt

A further download  then takes place from:

vandestaak.com/css/libary.exe

This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).

Recommended blocklist:
197.149.90.166
vandestaak.com
thebackpack.fr
obiectivhouse.ro

MD5s:
4b944c5e668ea9236ac9ab3b1192243a
1939eba53a1289d68d1fb265d80e60a1

Malware spam: "HSBC SecureMail" / "You have received a secure message"

This fake HSBC email message has a malicious payload:


From:    HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@hsbc.co.uk]
Date:    16 September 2015 at 13:13
Subject:    You have received a secure message


You have received a secure message
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.hsbc.co.uk/secureemail


HSBC_Payment_87441653
16K
Attacked is a file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56.

UPDATE: The Hybrid Analysis report shows network traffic to a familiar Nigerian IP of 197.149.90.166 which I strongly recommend you block. The traffic pattern is indicative of Upatre dropping the Dyre banking trojan.

MD5:
359f0c584d718f44e9777e259f013031

Monday, 14 September 2015

Spam from "Vanessa Reynolds" / vanessa.reynolds@breedandco.com

This spam does not seem to have a malicious payload, but is likely sent out by the same people who send out Upatre/Dyre malware spam (or possible Dridex):
From     "Vanessa Reynolds" [vanessa.reynolds@breedandco.com]
Date     Fri, 14 Sep 2015 10:34:32 GMT
Subject     Hello, how are you?

Hello, Calvin  how are you?
The name after "Hello" varies in each version, for example:

Hello, Sheldon  how are you?
Hello, Lawanda  how are you?
Hello, Thurman  how are you?
Hello, Darlene  how are you?
Hello, Rhea  how are you?

The email is always "from" Vanessa Reynolds / vanessa.reynolds@breedandco.com although this is in fact just a simple forgery and Breed & Co (who are are a hardware store in Texas) are nothing to do with this.

The purpose of this spam is unknown. One possibility is that the spammers are probing mail servers for responses (to enumerate valid mailboxes). The other is that this could be a targeted attack on Breed & Co by disrupting email and other means of communication.

Some sending IPs for the record:
175.111.117.26
82.208.233.93
85.100.114.244
103.1.69.172
111.196.186.87
202.134.161.161

Friday, 11 September 2015

Malware spam: "Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva" / reports@officeteam.co.uk

This fake financial spam comes with a malicious payload:
From     "reports@officeteam.co.uk" [reports@officeteam.co.uk]
Date     Fri, 11 Sep 2015 10:39:32 GMT
Subject     Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva

Please find attached your sales order acknowledgement

Order No: EF150085
Account: PFM895
Your Reference: 14 /Geneva
Web Reference:
Kind Regards
Office Team
In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet).

In this case, the payload is Upatre downloading the Dyre banking trojan.

MD5:
0a7e68a84765d639210b77575c2373bd

Thursday, 10 September 2015

Malware spam: "New Fax - 3901535011" / "UK2Fax" [fax2@fax1.uk2fax.co.uk]

This fake fax spam comes with a malicious attachment:

From     "UK2Fax" [fax2@fax1.uk2fax.co.uk]
Date     Thu, 10 Sep 2015 14:07:11 +0100
Subject     New Fax - 3901535011

UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT
Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the same Upatre/Dyre payload as seen it this attack also seen today.

Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]

This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:

From     "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
Date     Thu, 10 Sep 2015 06:32:37 -0500
Subject     Payroll Received by Intuit

Dear, petrol
We received your payroll on Sep 10, 2015 at 09:01.

Attached is a copy of your Remittance. Please click on the attachment in order to
view it.

Please note the deadlines and status instructions below:

If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
paid two (2) banking days from the date received or on your paycheck date, whichever
is later. 

If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
days from the date received or on your paycheck date, whichever is later. 

YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.

Funds are typically withdrawn before normal banking hours so please make sure you
have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.

Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
date or your employees will not be paid on time. 

Intuit does not process payrolls on weekends or federal banking holidays. A list
of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Sincerely,

Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software.

If you have any questions or comments about this email, please DO NOT REPLY to this
email. If you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect
is a phishing email, please forward it to immediately to spoof@intuit.com.

© 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
trademarks and/or registered service marks of Intuit Inc. in the United States and
other countries. All other marks are the property of their respective owners, should
be treated as such, and may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706 
Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.

In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.

MD5:
4dbdf9e73db481b001774b8b9b522ebe

Tuesday, 8 September 2015

ipserver.su, 5.133.179.0/24 and 212.38.166.0/24

A follow-up to this post, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:

person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
phone:          +18552100465
e-mail:         abuse@ipserver.su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
changed:        abuse@ipserver.su 20150528
created:        2015-05-28T11:11:09Z
last-modified:  2015-05-28T11:11:09Z
source:         RIPE


I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service.

Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating.

Here's what is odd. None of the sites that I found [pastebin] have a negative reputation, I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all.

I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation, then my suggestion is that you block traffic to:

5.133.179.0/24
212.38.166.0/24

In the meantime I will continue digging..

Evil network: 89.144.2.0/24 / spoofing Echo Romeo LLP (AS199762)

This post at malware.kiwi caught my eye after a sort-of challenge by Techhelplist. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.

This appears to be a binary options scam that is using illegally hacked sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit.me, more of which in another post.

It turns out that dailybusinessdirect.com is hosted alongside a cluster of related domains on a set of IPs apparently belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they are listed as the owner 89.144.2.0/24 which seems to be almost completely full of spam, scam and malware sites.

UPDATE: there is evidence that Echo Romeo are the victim of a type of corporate identity theft. Scroll to the bottom for me.

Here's an oddity - Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, none of those customer sites are actually hosted in this IP address range.

The first thing I noticed was a cluster of sites and IPs that appear to be closely related to dailybusinessdirect.com:

89.144.2.85
topinvestmentnews.com
news-finance-today.com

89.144.2.86
profit-method.biz
thesknews.com
huffnewstoday.com
businessnewsclub.com
businessdailygroup.com
investmentnewstoday.com

89.144.2.157
24-finances-news.com
finance-news-cbm.com

89.144.2.158
finances24-news.com
businessinfodaily.com
finance-today-news.com
dailybusinessdirect.com

Some of these domains have anonymous WHOIS details, some have details that look fake. I have not found any way to trace ownership of these domains.. after all, these are not amateurs, these are professional fraudsters who tend not to make silly mistakes.

I checked all the active sites in the 89.144.2.0/24 range against SURBL which came up with these results [csv]. Out of 56 sites identified, 13 are identified by SURBL as being spamming and/or phishing. But what of the rest?

A look at the Google Safe Browsing Diagnostic for AS199762 gave some interesting results:

Safe Browsing

Diagnostic page for AS199762 (ECHOROMEO-AS)

What happened when Google visited sites hosted on this network?
Of the 13 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, 89.144.2.0/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2015-09-07, and the last time suspicious content was found was on 2015-08-24.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, t9e.net/, 89.144.2.0/, that infected 7 other site(s), including, for example, kgdbase.com/, kgdbase.eu/, softbase.xyz/.
Drilling down to the Google diagnostic for t9e.net is surprising:

Safe Browsing

Diagnostic page for t9e.net

What is the current listing status for t9e.net?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 150 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 22277 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-09-07, and the last time suspicious content was found on this site was on 2015-08-24.Malicious software includes 25596 trojan(s), 61 exploit(s).
This site was hosted on 2 network(s) including AS199762 (ECHOROMEO-AS), AS35042 (ISP4P).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, t9e.net did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including kgdbase.com/, kgdbase.eu/, softbase.xyz/.
25,596 trojans and 61 exploits? I think that's a site to avoid, and as you might guess t9e.net has anonymous WHOIS details.

Also in this range:
  • The domains travsolut.com and travsolut.org on 89.144.2.143 are associated with suspect-looking job offers and claim to have been founded in 2002 in Australia, yet the domains were only created in 2015 with the .org being registered to an address in Spain.
  • On 89.144.2.148, the domains weksrubaz.ru, linturefa.ru and xablopefgr.ru are all associated with with the POSeidon malware.  On the same IP, srachechno.com is associated with a later version of the same malware.
  • Meanwhile on 89.144.2.149, dornegromant.com is also associated with POSeidon [pdf]
  • On 89.144.2.150 another POSeidon domain lurks, repherfeted.com.
  • And on 89.144.2.151 there is litramoloka.com which is again POSeidon, as is cawasuse.ru on 89.144.2.152.
  • On 89.144.2.153 is the domain ranferolto.com tagged as Infostealer.Posfind by Symantec. 
  • On 89.144.2.154 the domains gowasstalpa.com and nasedrontit.com are associated with the Pony Downloader
  • On 89.144.2.180 the website clarkgrp.org has been accused of being fake. If that is the case, then marlin-staff.com on the same IP will probably be too.
Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?

UPDATE:
I asked Echo Romeo about this and their response was very quick..

Echo Romeo had pointed out something that I had missed. The registrant details for the IP block were very similar to their real details..

organisation:   ORG-ERL2-RIPE
org-name:       ECHO ROMEO LLP
org-type:       OTHER
address:        47 GLENMOOR ROAD , WEST PARLEY , FERNDOWN , DORSET , UNITED KINGDOM
admin-c:        JL7999-RIPE
phone:          +44 1202872908
e-mail:         info@echoromeonet.co.uk
abuse-mailbox:  abuse@echoromeonet.co.uk
mnt-ref:        echoromeo-mnt
mnt-by:         echoromeo-mnt
changed:        info@echoromeonet.co.uk 20140128
created:        2014-01-28T17:28:45Z
last-modified:  2014-02-17T12:18:41Z
source:         RIPE


But in fact, their domain name is just echoromeo.co.uk and not echoromeonet.co.uk at all. The WHOIS details for the fake domain are:

Domain name:
        echoromeonet.co.uk

    Registrant:
        ECHO ROMEO LLP

    Registrant type:
        Unknown

    Registrant's address:
        47 GLENMOOR ROAD
        WEST PARLEY
        FERNDOWN
        BH22 8QE
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data
source on 25-Jan-2014

    Registrar:
        101Domain, Inc. [Tag = 101INC-US]
        URL: https://101domain.com

    Relevant dates:
        Registered on: 25-Jan-2014
        Expiry date:  25-Jan-2016
        Last updated:  03-Nov-2014

    Registration status:
        Registered until expiry date.

    Name servers:
        ns1.echoromeonet.co.uk    212.38.166.68
        ns2.echoromeonet.co.uk    5.133.179.64

These closely match the real contact details of Echo Romeo. The fake website itself is hosted on 212.38.166.68 (one of the nameservers). It looks very different from the real website.

But all the contact details on the FAKE website point to the REAL Echo Romeo. The whole site looks like a fake created just to get hold of a range of IP address.

Let's go back to these IPs..

The 89.144.2.0/24 range with the fake registration details is carved out of an IP block belonging to isp4p.net (IP Interactive UG, Germany). Presumably the bad guys used the fake Echo Romeo domain and name to persuade IP Interactive to lease them a set of IP addresses.

Although the nameservers of 212.38.166.68 and 5.133.179.64 appear to be on very different blocks, they are actually allocated to the same person:

inetnum:        5.133.179.0 - 5.133.179.255
netname:        IPSERVER
descr:          IPSERVER WORLD LTD
remarks:        abuse-mailbox: abuse@ipserver.su
country:        GB
admin-c:        ON929-RIPE
tech-c:         ON929-RIPE
status:         ASSIGNED PA
mnt-by:         RAPIDSWITCH-MNT
changed:        abuse@rapidswitch.com 20120918
created:        2012-09-18T09:09:38Z
last-modified:  2015-08-12T07:25:02Z
source:         RIPE

person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
phone:          +18552100465
e-mail:         abuse@ipserver.su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
changed:        abuse@ipserver.su 20150528
created:        2015-05-28T11:11:09Z
last-modified:  2015-05-28T11:11:09Z
source:         RIPE

route:          5.133.176.0/21
descr:          RapidSwitch
origin:         AS20860
mnt-by:         RAPIDSWITCH-MNT
mnt-routes:     GB10488-RIPE-MNT
changed:        richard@iomart.com 20120712
created:        2012-07-12T15:08:31Z
last-modified:  2012-07-12T15:08:31Z
source:         RIPE


Both have been leased from Iomart in the UK. .SU domains such as ipserver.su are such a strong indicator of badness that I even have a little graphic for them.

A quick look at the 5.133.179.0/24 and 212.38.166.0/24 ranges indicates they are full of crap. There may be legitimate sites hosted there, but I would recommend blocking them.

The evidence that I can find does seem to point toward this spoof IP range being set up by organised criminals in Russia, and my opinion is that Echo Romeo LLP have nothing to do with this at all and are the good guys.

Recommended blocklist:
89.144.2.0/24
5.133.179.0/24
212.38.166.0/24

Monday, 7 September 2015

Something evil on 184.105.163.192/26 / White Falcon Communications / Dmitry Glazyrin

So.. I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243 hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26 suballocated to:

contact:ID;I:POC-DC-1258
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Dmitry Glazyrin
contact:Company:White Falcon Communications
contact:Street-Address:3-758 Riverside Dr
contact:City:Port Coquitlam
contact:Province:BC
contact:Postal-Code:V3B 7V8
contact:Country-Code:CA
contact:Phone:+1-510-580-4100


The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..

bilettver.ru
ituslugi-ekb.ru
kerept.ru
porno-gt.com
pornosup.com
redkrab.com
vgubki.com
erotubik.com
autowagen.ru
decoitalcolor.ru
jimbobox.ru
kr-enot.ru
alemanas.ru
dynamo-energia.ru
master-lesa.ru
kinoprosmotra.net
multi-torrent.com
pl-games.ru
voyeur-hard.com
fishemania.com
learnigo.ru
qazashki.net
surfus.ru
mysuppadomainname.gq
kinoprosmotrov.net
multtracker.com
kyricabgr.tk
onlyhdporno.com
stat-irc.tk
white-wolves.tk
blondescript.com
dc-dcbcf352.hotvideocentral.com
wishfishworld.com
5ka.info
igro-baza1.ru
igro-baza2.ru
igro-baza3.ru
igro-baza4.ru
igro-baza5.ru
kinorelizov.net
torrent-mult.com
trailer-games.ru
vvpvv10.ru
vvpvv9.ru
todoke.ru
glazikvovana.cf
glazikvovana.ga
glazikvovana.gq
glazikvovana.ml
glazikvovana.tk
glazikvovki.cf
glazikvovki.ga
glazikvovki.gq
glazikvovki.ml
glazikvovki.tk
popochkavovana.cf
popochkavovana.ga
popochkavovana.gq
popochkavovana.ml
popochkavovana.tk
popochkavovki.cf
popochkavovki.ga
popochkavovki.gq
popochkavovki.ml
popochkavovki.tk
resnichkavovana.cf
resnichkavovana.ga
resnichkavovana.gq
resnichkavovana.ml
resnichkavovana.tk
resnichkavovki.cf
resnichkavovki.ga
resnichkavovki.gq
resnichkavovki.ml
resnichkavovki.tk
samaragss.ru
wechkavovana.cf
wechkavovana.ga
wechkavovana.gq
wechkavovana.ml
wechkavovana.tk
wechkavovki.cf
wechkavovki.ga
wechkavovki.gq
wechkavovki.ml
wechkavovki.tk
zalypkavovana.ml
zalypkavovana.tk

zalypkavovki.cf
zalypkavovki.ga
zalypkavovki.gq
zalypkavovki.ml
zalypkavovki.tk
zybikvovana.cf
zybikvovana.ga
zybikvovana.gq
zybikvovana.ml
zybikvovana.tk
zybikvovki.cf
zybikvovki.ga
zybikvovki.gq
zybikvovki.ml
zybikvovki.tk
staffrc.com
stopudof.com
35igr.ru
adandc.ru
avgyst.ru
comedy24.ru
e7ya.ru
funrussia.ru
ladykafe.ru
med-cafe.ru
mykazantip.ru
ohotaforum.ru
powerpoint-ppt.ru
sibledy.ru
turistvip.ru
ya-pisatel.ru
kypitest.ru
anykadavai.tk
forwarditaly.org
getyourimesh.com
mymobi.ml
yellowfrance.org

Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].

Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.

So, who is this outfit? Well, it didn't take to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".

However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.

* fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.

Malware spam: "Credit Note CN-60938 from Stilwell Financial Inc" / "message-service@post.xero.com"

This fake financial spam comes with a malicious payload.
From:    Accounts [message-service@post.xero.com]
To:    hp_printer@victimdomain.com
Date:    7 September 2015 at 11:55
Subject:    Credit Note CN-60938 from Stilwell Financial Inc for victimdomain.com (0178)

Hi Boris,

To download your credit note CN-60938 for 401.04 GBP please follow the link below : https://get.xerofiles.com/[snip]

This has been allocated against invoice number

If you have any questions, please let us know.

Thanks,
Stilwell Financial Inc

In the only sample I saw, the download location for a file at xerofiles.com which came up with a 403 error. This domain belongs to an accounting service called Xero, it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.

Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it looks like it comes from Xero itself.
Received: from 78.187.120.220.static.ttnet.com.tr (unknown [95.9.34.122])
    by [redacted] (Postfix) with ESMTP id 74F50400BE;
    Mon,  7 Sep 2015 11:59:12 +0100 (BST)
Received: from mail2.go.xero.com (198.61.155.105) by
 GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP

 Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
From: Accounts <message-service@post.xero.com>
To:  hp_printer@[redacted]
Date: Mon, 7 Sep 2015 12:55:16 +0200
Subject: Credit Note CN-60938 from Stilwell Financial Inc for [redacted] (0178)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailer: aspNetEmail ver 3.5.2.0
Message-ID: <504359-L45H474JYDT96LCSOCCGF9O9R1IXJTQ2949EW0C2@xero.com>
The fake parts of the headers are highlighted. The actual sending IP is 95.9.34.122 in Turkey. I don't know what the payload is in this case as the download location doesn't work, it will most likely be some sort of banking trojan.

Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]

This spam does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From     "Companies House" [WebFiling@companieshouse.gov.uk]
Date     Mon, 7 Sep 2015 12:40:01 +0100
Subject     RE: Case 0676414

The submission number is: 0676414

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500  

The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.

This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.

MD5:
f1d62047d22f352a14fe6dc0934be3bb

Friday, 4 September 2015

Malware spam: "RE:resume" aka "What happened to your files?" / Cryptowall 3.0

This fake résumé spam leads to ransomware:

From:     fredrickkroncke@yahoo.com
Date:    5 September 2015 at 03:50
Subject:    RE:resume
Signed by:    yahoo.com

Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply

Kind regards

Teresa Alexander
The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:



Protected Document
This document is protected by Microsoft Office.
Please enable Editing and Content to see this document.

Can’t view? Follow the steps below.
Open the document in Microsoft Office. Previewing online does not work for protected documents.
If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
Following these steps would be a Very Bad Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56.

The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:

46.30.46.117 [Eurobyte LLC, Russia)
186.202.153.84 (gaiga.net)
192.186.235.39 (satisgoswamicollege.org)
52.88.9.255 (entriflex.com)
23.229.143.32 (eliasgreencondo.com)

Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.

Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)


This further references another bunch of domains that you might want to block, especially in a corporate environment:

namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com


This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:

68.178.254.208 (erointernet.com)

Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malcious site, you can consider it to be a potential indicator of compromise.

The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.

Recommended blocklist:
46.30.46.0/24
gaiga.net
satisgoswamicollege.org
entriflex.com
eliasgreencondo.com
erointernet.com
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com

MD5s:
d6b3573944a4b400d6e220aabf0296ec
5b311508910797c91cc9c9eb4b4edb0c


DYNAMOO®

DYNAMOO® is a registered trade mark :)


Tuesday, 1 September 2015

Malware spam: "Complaint of your Internet activity"

This spam comes with a malicious attachment:

From:    Margret Kuhic
Date:    1 September 2015 at 16:10
Subject:    Complaint of your Internet activity

This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.

Margret Kuhic
Dynamic Communications Agent
T: 1-679-732-5379
F: 100.173.9045
All the sames I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a valid attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56.

This Hybrid Analysis report shows it to be just another variant of Update / Dyre with the same characteristics as the malspam seen earlier today, sending traffic to an IP that I suggest you block or monitor:

197.149.90.166 (Cobranet, Nigeria)

Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494


Malware spam: "Private message notification 41447" / "Adrien Abbott"

This spam comes with a malicious attachment:
From:    Adrien Abbott
Date:    1 September 2015 at 12:34
Subject:    Private message notification 41447

You've received a private message. Please open the attached to view it.

Adrien Abbott
Chief Tactics Executive
home: 1-583-761-3793
work: 380.022.2492
twitter: @nicole
skype: nicole
messenger: nicole
I have only seen a single sample of this spam, and the attachment was not formatted properly making it harmless, however other variants could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56, the Hybrid Analysis report shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to:

197.149.90.166 (Cobranet, Nigeria)

..which is an IP that has been used several time for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor.

MD5:
7c94abe2e3b60f8a72b7358d50d04ee0

Sunday, 30 August 2015

WARNING: projectmanagementinternational.org / "Project Management International" aka Patty Jones and Anthony Christopher Jones

"Project Management International" (projectmanagementinternational.org) appears to be another website run by Patty Jones (aka Patchree Patchrint) and Anthony Christopher Jones of California.

These so-called training courses run by the Joneses are promoted through spam and have a terrible reputation. One BBB report for a previous incarnation of this scheme sums up many of the complaints that I have seen:

Grant Funding USA advertised a 3-day grant writing workshop for non-profit professionals to be held November 12-14 at the Georgetown Law School campus in Washington DC. The course was described as an overview of the grant writing process and concluding with a certificate in professional grant writing. The cost was $495. My organization paid the fee, I received a confirmation email. I received a credit card authorization letter requesting authorization; we completed and submitted it. I spoke with an individual over the phone confirming my registration. I received a registration packet (about 15 pages) with suggestions for preparation and materials to bring to the course. On the first day, November 12, I arrived at Georgetown Law at 8 AM. The guard was unaware of our course and was working on figuring out where we needed to be (there were 7 other students). After about 45 minutes, we all received an email from the organization Grant Funding USA that said our instructor had fallen ill and they were working on securing a substitute instructor to start the class by the afternoon.At 1pm, we received an email from the same email address saying that they were unable to secure a substitute for Wednesday, but class would begin promptly at 8am on Thursday. I called the number for the organization multiple times and continually got their voicemail. On Thursday, November 13 at 8AM, I arrived at Georgetown again, and found the other students in the lobby upset and confused. The guard was unaware of the course and said he had no information for us. He directed me to the Georgetown Student Life office (who would have been responsible for securing the space). They informed me that Georgetown has never heard of Grant Funding USA nor has a relationship with them. There was no workshop scheduled to be held on their campus. Grant Funding USA has not answered my numerous calls or emails. Other participants fooled by this scam were from Smithsonian Institute and State Gov't of New Jersey.
This story seems to be echoed over and over again. A venue is booked at a prestigious location, but changed at the last minute. The person taking the course very often seems to be ill and doesn't turn up. Sometimes an ill-prepared substitute teacher is found, but has difficulty being paid. Calls to the so-called institute are either not answered or met with hostility. Read the comments for more stories such as this.

On to this particular scheme called "Project Management International" which should not be confused with many reputable organisations of a similar name, using the domain projectmanagementinternational.org which just frames another site at ipmam862026.sitebuilder.name.com. The "ipma" part of the name is significant as I will mention later. The site is promoted through spam email such as the one found here:

Project Management Certification Course (July 28-31, 2015: University of Southern California)

The Project Management Certification Course will be offered July 28 - 31, 2015 at the University of Southern California in Los Angeles, CA . Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here .

July 28 - 31, 2015
University of Southern California

Los Angeles, California

The PMCC is designed for those seeking professional project management certification. It serves as both a thorough professional education and recognized certification. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development. 

Project Management Masters Certification program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 36 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials.

The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request.

Program Description

Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.

The skills developed in the Project Management Masters Certification program apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets. 

Our approach to project management education offers proven, results-focused learning.

Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.

Tuition

Tuition for the four-day Project Management Certification Course is $995.00

Program Schedule and Content
1. Project Initiation, Costing, and Selection, Day 1
2. Project Organization and Leadership, Day 2
3. Detailed Project Planning, Day 2 and 3
4. Project Monitoring and Control, Day 3 and 4
5. Project Risk and Stakeholder Management, Day 4 

Benefits
·   A Project Management International Certificate of Accomplishment is awarded upon completion of the four day program of five courses. Completion letters are given for each course.
·   Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.
·   Each class is highly focused and promotes maximum interaction.
·   You can network with other project management professionals from a variety of industries.
·   Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.
·    Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will have met all education requirements for eligibility.

Registration

Participants may reserve a seat online at the Project Management International website, by calling the Program Office toll-free at (800) 288-8387, or by sending their name and contact information via email to the Program Registrar .

Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.

To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.

The site is generic looking but fairly smart:


It lists some upcoming courses:
August 25 - 28, 2015: University of Houston
September 22- 25, 2015: University of Miami
October 6-9, 2015: University of Southern California  

The domain was registered on May 20th 2015 to an anonymous registrant. The site itself lists no contact details on the Contact page:


It appears to be using an email address of "info@projectmanagementinternational.org" for correspondence, but a look at the underlying HTML tells a different story:
<h4> If you have any additional questions, simply email us directly at  <a href="mailto:info@grantfundingusa.org?subject=ContactUS"> </a> <a href="mailto:grantfundingusa@gmail.com?subject=Contact+Us" target="_self" title="info@thefundinginstitute.org">info@projectmanagementinternational.org </a>  and our coordinators will respond to you directly.  </h4>
The underlying code references both info@grantfundingusa.org and grantfundingusa@gmail.com (the organisation mentioned in the BBB report I mentioned earlier) and which is the same site I warned about a year ago. The only other contact details on the site are a telephone number of 800-288-8387.

The "About Project Management page" features some generic text about Project Management:


The text is almost identical to the defunct website Institute of Program Management America (IPMA) that I mentioned last year. If you remember, this new website also uses "IPMA" in its underlying URL (ipmam862026.sitebuilder.name.com) which also links the two schemes. A RipOffReport for IPMA also shows the same pattern as before.

There is little doubt that this is the same scheme as mentioned in all my previous posts on the activities of Jones and Patchrint. My personal recommendation is that you give this "Project Management International" a very wide berth, and if you feel that you have been defrauded then you would be doing a lot of people a favour if your pursued them aggressively. Also, if you have any positive (or negative) experiences then sharing them in the Comments would be appreciated.

Thursday, 27 August 2015

Malware spam: "Payslip for period end date 27/08/2015" / "noreply@fermanagh.gov.uk"

This spam does not come from Fermanagh District Council. Of course it doesn't. It is instead a simple forgery with a malicious attachment:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    27 August 2015 at 12:28
Subject:    Payslip for period end date 27/08/2015

Dear administrator

Please find attached your payslip for period end 27/08/2015

Payroll Section

Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly.

This executable has a detection rate of 3/56 and the Hybrid Analysis report indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking.

MD5:
fdea30868df48bff9e7c2b2605431d23

Wednesday, 26 August 2015

Malware spam: "RE:resume" leads to Cryptowall

This fake resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware.

In the only sample I saw, the spam looks like this:

From:    emmetrutzmoser@yahoo.com
To:   
Date:    26 August 2015 at 23:29
Subject:    RE:resume
Signed by:    yahoo.com

Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply

Best regards

Janet Ronald
Attached was a file Janet_Ronald_resume.doc [VT 5/56] which (of course) contains a malicious macro that looks like this [pastebin].

The format of this message is very similar to this other fake resume spam seen recently, and a key feature here is that the message is really sent through Yahoo! and is not a forgery.

Deobfuscating the macro shows that a file is downloaded from http://46.30.46.60/444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report shows some of this in action, but Techhelplist did the hard work of decrypting it..


To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report which has some nice screenshots.

Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:

46.30.46.60 (Eurobyte, Russia)
linecellardemo.net / 23.229.194.224 (GoDaddy, US)

You might want to block the entire 46.30.46.0/24 range because.. well, Russia really.

MD5s:
41177ea4a2c88a2b0d320219389ce27d
d1e23b09bb8f5c53c9e4d01f66db3654

Fake fax spam spoofs multiple senders, has malicious payload

This fake fax spam comes from random senders - company names and attachment names vary from spam to spam.

From: "Heaney, Vandervort and Hilll"
Subject: Fax #AhnxlQ8 from Donny Kub
Date: Wed, 26 Aug 2015 14:02:30 +0000

You have a fax.
Data sent: Wed, 26 Aug 2015 14:03:30 +0000
TO: info@victimdomain.com

*********************************
We are a new fax delivery service - Heaney, Vandervort and Hilll.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: "Fast. Cheap. Best quality."
*********************************
Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56 detection rate at VirusTotal.

The Hybrid Analysis report shows it phoning home to:

197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166/260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM


This pattern marks the malware out as being Upatre/Dyre.  197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.



Malware spam: "Scanned image from MX-2600N" / "noreply@victimdomain.com"

NOTE:  As of December 2015 there is an updated version of this spam run.

This spam is not from a scanner, but it is instead a simple forgery with a malicious attachment:

From:    noreply@victimdomain.com
Reply-To:    noreply@victimdomain.com
To:    victim@victimdomain.com
Date:    19 May 2014 at 18:11
Subject:    Scanned image from MX-2600N

Reply to: noreply@victimdomain.com [noreply@victimdomain.com]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.
The email appears to come from the victim's own domain, but it does not. The "From" address on email is extremely easy to forge. So far I have seen three different malicious attachments, each one in the format noreply@victimdomain.com_20150826_181106.doc with detection rates of around 7/56 [1] [2] [3] containing one of three malicious macros [1] [2] [3] which attempt to download a malicious component from one of the following locations:

http://fotolagi.com/45ygege/097uj.exe
http://asterixpr.republika.pl/45ygege/097uj.exe
http://detocoffee.ojiji.net/45ygege/097uj.exe


This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis [1] [2] shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in serveral attacks recently. The payload is almost definitely the Dridex banking trojan.