Thursday 24 September 2015

Evil network: 64.20.51.16/29 (Interserver Inc and Muhammad Naeem Nasir)

This DHL-themed phish got me looking at the IP address range 64.20.51.16/29, which belongs to Interserver Inc in the US but has been reallocated to a customer. But which customer? The WHOIS details for that block are not valid..
%rwhois V-1.5:003fff:00 city.trouble-free.net (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-INTSRV.64.20.32.0/19
network:Auth-Area:64.20.32.0/19
network:Network-Name:INTSRV-64.20.51.16
network:IP-Network:64.20.51.16/29
network:Org-Name:N/A N/A
network:Street-Address:N/A
network:City:N/A
network:State:na
network:Postal-Code:N/A
network:Country-Code:US
network:Created:20150624
network:Updated:20150922
network:Updated-By:abuse@interserver.net
Well, that's quite a sloppy move by Interserver to allow that, but it doesn't mean that the block is evil. However, an analysis of the sites currently and formerly hosted in that range indicates a very high proportion of phishing sites.. in fact, the range is a hotbed of sophisticated fraud sites, many of which seem to be undiscovered.

I combined current reverse IP data from DomainTools and current and historical data from DNSDB and then ran them through an IP lookup and a check against the Google Safe Browsing and SURBL reputations. The results [csv] show a very large number of sites flagged by SURBL in particular, amounting to 47 out of 167 sites (i.e. 28%) that I can identify as being currently hosted in that range.

In addition, a large number of phishing and other malicious sites have been hosted on 64.20.51.16/29 in the past and are now hosted elsewhere.
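The reputation check described above, as an added example that is not part of the original post: given a list of (hostname, IP) records such as a reverse-IP export, it keeps those inside a netblock, queries each registrable domain against SURBL's multi list and reports the flagged proportion. The records, the fake resolver and the .example hostnames are constructed; the SURBL bit values and the short public-suffix table are assumptions to verify against SURBL's documentation and the Public Suffix List before relying on the output.

```python
"""Survey the hosts seen in a netblock against the SURBL multi list.

Added example, not code from the original post. The (hostname, ip)
records and the fake resolver below are constructed stand-ins for the
DomainTools/DNSDB export the post describes; pass dns_a_lookup as the
resolver for a real run. The SURBL bit values and the short two-label
suffix table are assumptions: verify them against surbl.org and the
Public Suffix List before relying on the output.
"""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

SURBL_ZONE = "multi.surbl.org"
# Bit values of the 127.0.0.X answer (assumed from SURBL's list documentation).
SURBL_BITS = {8: "PH", 16: "MW", 64: "ABUSE", 128: "CR"}
# Tiny stand-in for the Public Suffix List so that nswo.co.uk is queried
# as nswo.co.uk and not as co.uk.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk", "com.au", "co.nz", "co.za"}


def registered_domain(hostname: str) -> str:
    """Reduce a hostname to the registrable domain that SURBL lists."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(hostname: str) -> str:
    """Name to look up: <registrable domain>.multi.surbl.org."""
    return "%s.%s" % (registered_domain(hostname), SURBL_ZONE)


def decode_surbl(answer: Optional[str]) -> List[str]:
    """Map a 127.0.0.X answer to list names; NXDOMAIN (None) means not listed."""
    if answer is None:
        return []
    last_octet = int(answer.split(".")[-1])
    return [name for bit, name in SURBL_BITS.items() if last_octet & bit]


def dns_a_lookup(name: str) -> Optional[str]:
    """Real resolver for production use: first A record, or None if absent."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def survey(records: Iterable[Tuple[str, str]], block: str,
           resolve: Callable[[str], Optional[str]] = dns_a_lookup) -> Dict:
    """Keep records whose IP is inside `block`, check each registrable domain
    once against SURBL and summarise what fraction of hosts is flagged."""
    net = ipaddress.ip_network(block)
    in_block = [(h, ip) for h, ip in records if ipaddress.ip_address(ip) in net]
    cache: Dict[str, List[str]] = {}
    flagged: Dict[str, List[str]] = {}
    for host, _ip in in_block:
        qname = surbl_query_name(host)
        if qname not in cache:
            cache[qname] = decode_surbl(resolve(qname))
        if cache[qname]:
            flagged[host] = cache[qname]
    total = len(in_block)
    return {
        "hosts_in_block": total,
        "flagged": flagged,
        "flagged_fraction": len(flagged) / total if total else 0.0,
        "by_list": Counter(n for names in flagged.values() for n in names),
    }


# Constructed sample: four hosts inside 64.20.51.16/29, one outside it.
SAMPLE_RECORDS = [
    ("www.shop.example", "64.20.51.17"),
    ("mail.shop.example", "64.20.51.17"),
    ("villa.example.co.uk", "64.20.51.18"),
    ("clean.example", "64.20.51.19"),
    ("elsewhere.example", "64.20.52.1"),
]
# Constructed answers standing in for what multi.surbl.org would return.
FAKE_ANSWERS = {
    "shop.example.multi.surbl.org": "127.0.0.8",     # PH only
    "example.co.uk.multi.surbl.org": "127.0.0.80",   # MW (16) + ABUSE (64)
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    result = survey(SAMPLE_RECORDS, "64.20.51.16/29", fake_resolve)
    print("%d of %d hosts flagged (%.0f%%)" % (
        len(result["flagged"]), result["hosts_in_block"],
        100 * result["flagged_fraction"]))
    for host, lists in sorted(result["flagged"].items()):
        print(" ", host, ",".join(lists))
```

Two things the post's numbers depend on are handled here: the query is made on the registrable domain (SURBL lists domains, not hostnames, so a www and a mail host on the same domain share one answer), and the fraction is computed only over hosts actually inside the block, so historical records that have moved elsewhere do not dilute it.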

nswo.co.uk / "La Casa Limpia - a Balaeric Island Villa"


At first glance, some of the remaining sites look legitimate. Consider nswo.co.uk entitled "La Casa Limpia - a Balaeric Island Villa".

It looks utterly legitimate, although it is an odd domain name for a villa in Spain. Let's check those WHOIS details..

    Domain name:
        nswo.co.uk

    Registrant:
        P J Green

    Registrant type:
        UK Sole Trader

    Registrant's address:
        100 Malderen Road
        Islington
        London
        Greater London
        LN23 6AU
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data source on 10-Dec-2012
Despite Nominet claiming to verify the address, there is no such road as "Malderen Road" anywhere in the United Kingdom, and the post code of "LN23 6AU" is also completely invalid and exists nowhere in the UK. A bit of investigation shows that the site is almost a complete rip-off of a legitimate site at palmyramenorca.com.. but with different contact details.

dominioncollege.ca / "Dominion College"


Consider also dominioncollege.ca - a professional looking website billing itself as Dominion College of Canada.


Apparently, Dominion College is the "Highest Ranking Creative Arts University". But there is no such university in Canada, and the domain for this "150 year old" institution was only registered in August 2015.

Domain name:           dominioncollege.ca
Domain status:         registered
Creation date:         2015/08/14
Expiry date:           2016/08/14
Updated date:          2015/08/19
DNSSEC:                Unsigned

Registrar:
    Name:              PublicDomainRegistry.com Inc
    Number:            3059041
The "About Us" page gives another clue.


That is actually Old Dominion University in Virginia, United States. A completely different and wholly legitimate institution.

hkbbr.org / "Hong Kong Business Bureau Registry"

Consider hkbbr.org billing itself as the Hong Kong Business Bureau Registry..

Yet a Google search for that term returns hardly anything except content from the site itself, indicating that there is no such organisation.


The domain was registered in 2013 to an anonymous registrant. What is the point of this site? Well, it looks like it is a register of legitimate Hong Kong businesses. You can search for business in their online services page..


Well, it looks like a search.. but in fact it just loads results from a page www.hkbbr.org/entity/ which has an open directory.. so you can see that there are actually only 43 companies in the database, one or more of which will be fake.

Presumably this forms part of a scam where the victim has to deal with a fake company, and the scammers use this web site to try to convince the victim that they are dealing with a legitimate company.

tricountysalesmexia.com / "Tri County Sales Mexia"


Consider tricountysalesmexia.com, entitled "Tri County Sales Mexia's Premier Pre-Owned Late Model Luxury and Exotic Vehicle Dealer - Mexia | Texas"


We added up the value of the cars listed on this "Tri County Sales" site. There were 218 cars valued at around $13.2 million, or around $60,000 per car.

Their website shows plush offices..


Now, Tri County Sales is a real company and I suspect a reliable vendor of used vehicles. But in reality the company's premises look like this:


Does it look like somewhere that stocks $13 million worth of high-end exotic vehicles? Of course not. Let's take a look at one of the more notable cars on the website.


This is a pretty rare car. But look closely at the partial logo in the top left hand corner of the large photo..


It's the logo of Southlake Motorcars, where the image was stolen from..


Several of the other vehicles also turn up on other sites. You can be assured that although Tri County Sales is a real company, this website does not belong to them and is a scam.

goldwestgroup.com / "Gold West Group"

Consider goldwestgroup.com calling itself "Gold West Group"..


It's a bit vague about where it has mines, but the facility pictured at the top is the Obuasi Gold Mine in Ghana belonging exclusively to AngloGold Ashanti and no-one else.

The site itself mentions a Chile address, and the WHOIS details are consistent.

Registrant Name: Manu DeSouza
Registrant Organization: Gold West Group
Registrant Street: Europa Oficinas
Registrant Street: Guardia Vieja 255
Registrant City: Providencia
Registrant State/Province: Santiago
Registrant Postal Code: 2103
Registrant Country: Chile
Registrant Phone: +56.22997704
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: webmaster@goldwestgroup.com
But AngloGold Ashanti have no operations in Chile. This site is a scam.

edichem.com / "Edible Chemical Inc"

Consider edichem.com describing itself as "Edible Chemical Inc"..



This site is riddled with spelling errors and has some comically bad photo manipulation.

The offices in the picture actually belong to a company called APAG.

Let's have a look at that so-called CEO..


"Birningham University"? Quite a typo. And that photo is of a completely different person called Peter Westenthaler.

This fake company has even gone to the effort of setting up a Facebook page at www.facebook.com/edichem.biz:


cllinternational.com / "Courier Logistics Limited"

Consider cllinternational.com calling itself "Courier Logistics Limited":


In what way is this logo meant to reflect "Courier Logistics Limited"?

It doesn't.. it belongs to the IEEE Robotics and Automation Society.

The purpose of this site appears to be to generate fake courier tracking numbers, so that a victim who has ordered a product will assume it is actually on its way. The tracking lookup seems to respond to a six-digit tracking code. The fake tracking site is on another IP, 185.24.233.16 in Ireland.


steadyprivateloan.com / "Steady Private Loan"

Most of the fake companies I have found so far have zero internet footprint. This fake finance company has at least attracted a couple of complaints:

Edmond L.
Beware !!! Do not deal with TERRANCE CLARK / CLARK BRIAN of Goldmine Private Loan now with a new name "Steady Private Loan". These are scam artist.
8 months ago

Sharon Todd
I agree. We fell for their Goldmine Loan and now Steady Private Loan owe us $21,195 ...They look fantastic but do not fall for them. We are reporting them to the FBI
7 months ago

Unlike some of the other sites, this is a bit more amateurish and generic.



It claims to be based in Delaware.



The bottom line here is that there is no such corporation as "Steady Private Loan" in Delaware. This site is a scam.

madrewson.net / "Madrewson Consult"

Consider madrewson.net calling itself "Madrewson Consult". This bills itself as some sort of HR consultancy, but you can guarantee that everything it touches is fake.


There are a bunch of testimonials on the "About Us" page.

These are all attractive, well-photographed people aren't they? And they pop up in so many places. The photo of "Helen Pyzowski" turns up in a bunch of places. "Adam Smith" is a stock image. "Kristin Malie" turns up in a bunch of places. "John L. Skelley" turns up in a bunch of places. The testimonials are fake, as is this so-called company.

mobgifts.net / "Coca Cola Promo"


"Coca Cola" themed prize scams are well known (and documented on the Coca Cola corporate site) but I've never seen anyone go to the effort of creating a fake website to go with it.


There are several photos of people being handed cheques. But what is that cheque exactly?


This is someone winning a prize alright.. but for developing a mobile app, not a lottery. All the other pictures of people getting cheques are similarly bogus. There is no such thing as the Coca Cola Promo free lottery.

braincure-biotech.com / "Braincure Biotech"

Consider this so-called Taiwanese biochemistry firm, "Braincure Biotech" (braincure-biotech.com)


The site looks professional but very generic. But is it genuine? Unfortunately, the Taiwanese companies registry is in Chinese only and is quite difficult to use. So let's just Google it.


There are virtually zero references to this "company" apart from its own website. And by the time you look, probably this blog. A quick check of the body text of the site reveals that it is copied from other genuine biotech sites. This company does not exist, but presumably is there as part of an investment or employment scam.

What else is there?

Trawling through the IP address range shows many fake blogs (set up to promote goodness only knows what), some Bitcoin and make-money-fast sites and a whole load of sites that appear to be suspended. I cannot confirm a single legitimate site in this range.

Who is behind this?

Although the IP address range is owned by Interserver Inc it is allocated to a customer. However, Interserver seems to have displayed poor governance here because it not only has allocated the range to an anonymous registrant, but it has not acted on the extremely high concentration of fraudulent sites.

Looking at the range, I can see several nameservers..

ns3.boldhosts.com
64.20.51.18

ns4.boldhosts.com
64.20.51.19

ns2.paidhoster.com
64.20.51.20

ns1.ok2host.com
64.20.51.21

ns2.ok2host.com
64.20.51.22

ok2host.com has anonymous WHOIS details, but the other two are related:

BOLDHOSTS.COM
Registry Registrant ID:
Registrant Name: Abdul Razzaq
Registrant Organization: Boldhosts
Registrant Street: Street 18 Clifton Block 8  
Registrant City: Karachi
Registrant State/Province: Sind(en)
Registrant Postal Code: 75500
Registrant Country: PK
Registrant Phone: +92.2135491130
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@boldhosts.com


PAIDHOSTER.COM
Registrant Name: Sajid Mahmood
Registrant Organization: GroomHost
Registrant Street: Progressive Center Shahrah e Faisal  
Registrant City: Karachi
Registrant State/Province: Sind(en)
Registrant Postal Code: 75400
Registrant Country: PK
Registrant Phone: +92.215681734
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@boldhosts.com

Although paidhoster.com does not resolve, both boldhosts.com and ok2host.com do and are hosted on adjacent IPs of 76.73.85.141 and 76.73.85.142 respectively, indicating that they might be the same company. Groomhost.com is also mentioned in the WHOIS details above, and that is hosted on 76.73.85.140.

It turns out that there is another IP block of 76.73.85.136/29 hosting a variety of possibly white-label web hosts:

network:Auth-Area:76.73.0.0/17
network:Class-Name:network
network:OrgName:Naeem Nasir
network:OrgID;I:FDC-11211
network:Address:Street number 18 clifton block 8
network:City:Karachi
network:StateProv:Sindh
network:PostalCode:75500
network:Country:PK
network:NetRange:76.73.85.136 - 76.73.85.143
network:CIDR:76.73.85.136/29
network:NetName:FDC-11211-76.73.85.136

The WHOIS details for the IP range don't give a lot of data, but we can also find the same registrant details for the domain sandhost.com:

Registry Registrant ID:
Registrant Name: Muhammad Naeem Nasir
Registrant Organization:
Registrant Street: Street  18  clifton block 8
Registrant City: Karachi
Registrant State/Province: Sindh
Registrant Postal Code: 75500
Registrant Country: Pakistan
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: naeem.nasir@yahoo.com
The AA419 database shows several hits for this email address going back to 2011, so it seems that whoever this Pakistani web host is, they have been tolerating this activity on their network for several years, even if they are just providing hosting services rather than perpetrating fraud.

Conclusion

I really just skimmed the surface with my analysis here, but it is clear that the 64.20.51.16/29 block is being used almost exclusively for fraud. Moreover, the fraud is extremely sophisticated involving things like fake business registries and couriers. It is also clear that the Pakistani web hosts apparently providing these services have been doing so for some time.

Recommended blocklist:
64.20.51.16/29
76.73.85.136/29
185.24.233.16

Wednesday 23 September 2015

Phish: "SHIPMENT LABEL" / "DHL Courier Services [roger@community.mile.org]"

This DHL-themed spam is actually a phishing email:

From:    DHL Courier Services [roger@community.mile.org]
To:   
Date:    23 September 2015 at 11:15
Subject:    SHIPMENT LABEL
Signed by:    community.mile.org

Dear customer,

Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.

The mailing label is attached in this email.Please print and show at the nearest DHL office to receive the shipment.

Thank you for using DHL services.


Princess Court 11
Wapping Ln,London,
E1W2DA,United Kingdom
Toll Free:+442075532200
Office Hours:9:00am-7:00pm
Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report).


If the potential victim clicks "Click here" then they are directed to ow.ly/Sq9to and from there to a phishing page at br1-update.be/wg/lhd.php on 64.20.51.22 (Interserver Inc, US), part of the 64.20.51.16/29 netblock, which also looks highly suspect.


The phishing page itself is a complex script that has been Base64 encoded and then hex encoded (Pastebin here); it is presumably phishing for email accounts. The spam itself appears to have been sent from a compromised webmail account at community.mile.org.
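A way to peel that sort of layered encoding off a captured page for analysis, as an added example that is not part of the original post: it tries hex and then Base64 on each layer, accepts a decode step only when it yields printable text, and finally pulls the URLs (typically the form action the credentials are posted to) out of the result. The sample page and its collection URL on the reserved .invalid TLD are constructed, wrapped in the same Base64-then-hex order the post describes.

```python
"""Peel layered hex/Base64 encoding off an obfuscated phishing page so its
URLs can be read. Added example, not from the original post. The sample
page, its placeholder collection URL on the reserved .invalid TLD, and the
encoding order (Base64 first, then hex, mirroring the post) are constructed.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _as_text(data: bytes) -> Optional[str]:
    """Accept a decode step only if it produced printable UTF-8 text."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def _candidates(compact: str) -> List[Tuple[str, bytes]]:
    """Possible decodings of one layer. Hex is tried first because its
    alphabet is a subset of Base64's; a wrong guess yields non-text and
    is discarded by the caller, which then tries the next candidate."""
    out: List[Tuple[str, bytes]] = []
    if len(compact) % 2 == 0 and HEX_RE.match(compact):
        out.append(("hex", bytes.fromhex(compact)))
    if len(compact) % 4 == 0 and B64_RE.match(compact):
        try:
            out.append(("base64", base64.b64decode(compact, validate=True)))
        except binascii.Error:
            pass
    return out


def unwrap_layers(blob: str, max_layers: int = 8) -> Tuple[List[str], str]:
    """Strip encoding layers until the content is no longer hex or Base64.
    Returns the layer kinds outermost first and the final text."""
    layers: List[str] = []
    current = blob
    for _ in range(max_layers):
        compact = re.sub(r"\s+", "", current)   # encoders often wrap lines
        step = None
        for kind, decoded in _candidates(compact):
            text = _as_text(decoded)
            if text is not None:
                step = (kind, text)
                break
        if step is None:
            break
        layers.append(step[0])
        current = step[1]
    return layers, current


def extract_urls(text: str) -> List[str]:
    """Pull http(s) URLs (e.g. the form action) out of the decoded page."""
    return sorted(set(URL_RE.findall(text)))


# Constructed sample page and the wrapped blob an analyst would be handed.
SAMPLE_PAGE = (
    '<form action="https://collector.invalid/wg/lhd.php" method="post">'
    '<input name="email"><input name="password" type="password"></form>'
)
SAMPLE_BLOB = base64.b64encode(SAMPLE_PAGE.encode()).hex()

if __name__ == "__main__":
    layers, page = unwrap_layers(SAMPLE_BLOB)
    print("layers:", " -> ".join(layers))
    print("urls:", extract_urls(page))
```

The printable-text check is what stops the loop at the right place: a decoded page full of `<` and `"` matches neither alphabet, while an even-length Base64 string that happens to be all hex characters decodes to binary noise under the hex guess and falls through to the Base64 candidate instead.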

For the moment, I would suggest that the entire 64.20.51.16/29 range is malicious and should be blocked.

Malware spam: "Bankline ROI - Password Re-activation Form" / "secure.message@rbs.co.uk"

This fake banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:

From     "RBS" [secure.message@rbs.co.uk]
Date     Wed, 23 Sep 2015 11:28:48 GMT
Subject     Bankline ROI - Password Re-activation Form

Please find the Re-activation form attached, send one per user ensuring only one
box is selected in section 3.  A signatory on the bank mandate must sign the form.

Fax to 1850 826978 or alternatively you may wish to email the completed document,
by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk

On receipt of the completed form we will respond to the request within 2 working
hours and communicate this to the user by email.

<>

Please note - The life-span of an activation code is 21 days; after this time, the
activation code will expire and a new one must be ordered. 

Please be aware when choosing a new pin and password for the service, it is important
not to use pin/passwords that you have used before but to use completely different
details.

If you are the sole Standard Administrator may I take this opportunity to suggest
when you are reinstated on the system, to set up another User in a Standard Administrator
role. This will prevent you being locked out completely and allow you to order a
new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on
1850 310269 and one of our associates will be happy to assist you.

Regards
Bankline Product Support

This e-mail message is confidential and for use by the intended recipient only. If
the message is received by anyone other than the intended recipient, please return
the message to the sender by replying to it and then delete the message from your
computer. Internet e-mails are not necessarily secure. Ulster Bank Limited and Ulster
Bank Ireland Limited ("Bankline Bank Group")/ Royal Bank of Scotland Group plc
does not accept responsibility for changes made to this message after it was sent.
Ulster Bank Group / Royal Bank of Scotland Group plc may monitor e-mails for business
and operational purposes. By replying to this message you give your consent to our
monitoring of your email communications with us. Whilst all reasonable care has been
taken to avoid the transmission of viruses, it is the responsibility of the recipient
to ensure that the onward transmission, opening or use of this message and any attachments
will not adversely affect its systems or data. No responsibility is accepted by any
member of Ulster Bank Group / Royal Bank of Scotland Group plc in this regard and
the recipient should carry out such virus and other checks as it considers appropriate.

In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious executable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56. The Hybrid Analysis report shows behaviour consistent with Upatre / Dyre and shows that the malware communicates with a known bad IP of 197.149.90.166 (Cobranet, Nigeria) which I definitely recommend blocking or monitoring.

Tuesday 22 September 2015

(More) Domains and businesses associated with Michael Price of BizSummits

Following on from this post, here are some business and domains closely associated with Michael Price of BizSummits, presented without comment for research purposes only.


COO Summit
cooleaders.org

Hiring Spring
hiringspring.com

Exit Partners LLC
exitpartners.net

Exact Leads
exactleads.com

VisitorLeads
visitorleads.com

ListK
listk.com

LoudJob
loudjob.com

Franchisee Funnel
franchiseefunnel.com

Supply Chain Summit
supplychainsummit.org

Hospital Growth Summit
hospitalgrowthsummit.org

CFO Summit
cfosummit.org

Safety Management Summit
safetysummit.org

Project Management Summit
projectmanagementsummit.org

CMO Summit
cmosummit.org

PR Summit
prsummit.org

Corp Summits
corpsummits.com

Quality Management Summit
qualitysummit.org

Corporate Counsel Summit
corporatecounselsummit.org

Executive Summits
execsummits.com

BizSummits
bizsummits.org

Marketing LeadFunnel
marketingleadfunnel.net

Meeting Setters
meetingsetters.com

CEO Ventures
ceoventures.com

HR LeadFunnel
hr-leadfunnel.com

Survey Executives
surveyexecutives.com

iListK
ilistk.com

IT LeadFunnel
itleadfunnel.com

Finance LeadFunnel
financeleadfunnel.com

GoPresent
gopresent.com

AffluentNames.com
affluentnames.com

Documents.me / Nouvou, Inc.
documents.me

AngelPool
angelpool.org

Critical Fit
criticalfit.com

HR Summit
hrsummit.org

Corp Venturing
corpventuring.com

PlugMeIn
plugmein.com

Retargetable
retargetable.com

LeadFunnel
leadfunnel.com

Pathfinder Careers
pathfindercareer.com

The Sales Management Association
salesmgtassoc.org

Executive Angels
executiveangels.net

CareerLeaper
careerleaper.com

Packed Events
packedevents.com

TeamEx
teamex.com

iCirc
icirc.net

HR Management Association
hrmanagementassociation.org

Product Conception Group
productconception.com

Monday 21 September 2015

Malware spam: "Your Sage subscription invoice is ready" / "noreply@sage.com"

This fake Sage email contains a malicious attachment.

From:    noreply@sage.com [noreply@sage.com]
Date:    21 September 2015 at 11:30
Subject:    Your Sage subscription invoice is ready

Dear Ralph Spivey

Account number: 45877254

Your Sage subscription invoice is now online and ready to view.

Sage One subscriptions

    Please follow the link bellow to view/download your account invoice: http://www.sageone.co.uk/

Got a question about your invoice?

Call us on 1890 88 5045

If you're an Accountant, please call 1890 92 21 06
If you're a Business Partner, please call 1890 94 53 85

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.

The link in the email actually goes to a download location at Cubby rather than sageone.co.uk. This downloads a file invoice.zip which in turn contains a malicious executable invoice.scr, which has a VirusTotal detection rate of 1/56. The Hybrid Analysis report shows that this is Upatre dropping the Dyre banking trojan; one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria.

Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (91.226.32.0/23)

I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery] which sends traffic to:

[donotclick]kfc.i.illuminationes.com/snitch

This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.


The injected script sends the keywords and referring site upstream, for example:

[donotclick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se

Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.
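A way to pick these beacons out of proxy logs, as an added example that is not part of the original post: it flags any request whose destination falls in 91.226.32.0/23 or whose URL is a /snitch call on an illuminationes.com host, and decodes the default_keyword and source parameters so the compromised referring site is visible. The log format (timestamp, client, destination IP, method, URL) and the four sample lines are constructed; adapt parse_line() to whatever your proxy writes.

```python
"""Flag proxy-log requests that hit the illuminationes.com TDS beacon or
the 91.226.32.0/23 range, and decode what the injected script reported.
Added example, not from the original post. The log format (timestamp,
client IP, destination IP, method, URL) and the sample lines are
constructed; adjust parse_line() to your own proxy's format.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

BAD_NETS = [ipaddress.ip_network("91.226.32.0/23")]
BAD_HOST_SUFFIXES = ("illuminationes.com",)
SNITCH_PATH = re.compile(r"^/snitch/?$")

# Constructed log lines: one benign visit to the injected site, the beacon
# it triggers, a second host in the same /23, and unrelated traffic.
SAMPLE_LOG = """\
2015-09-21T10:14:03Z 10.0.0.5 203.0.113.5 GET http://www.teamtyra.se/
2015-09-21T10:14:04Z 10.0.0.5 91.226.33.54 GET http://kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se
2015-09-21T10:15:10Z 10.0.0.7 91.226.32.9 GET http://landing.example/offer
2015-09-21T10:16:00Z 10.0.0.9 198.51.100.4 GET http://benign.example/page
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its five whitespace-separated fields."""
    ts, client, dest, method, url = line.split(None, 4)
    return {"time": ts, "client": client, "dest": dest,
            "method": method, "url": url.strip()}


def host_matches(host: str) -> bool:
    """True for the bad domain itself or any subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in BAD_HOST_SUFFIXES)


def assess(line: str) -> Optional[Dict]:
    """Return an enriched record if the line is suspicious, else None."""
    rec = parse_line(line)
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    reasons = []
    if any(ipaddress.ip_address(rec["dest"]) in net for net in BAD_NETS):
        reasons.append("destination in 91.226.32.0/23")
    if host_matches(host):
        reasons.append("known TDS host")
    if SNITCH_PATH.match(parts.path):
        reasons.append("/snitch beacon")
    if not reasons:
        return None
    # The beacon carries the victim page's keywords and the referring site;
    # decoding them tells you which of your users' sites is injected.
    query = parse_qs(parts.query)
    rec.update({
        "host": host,
        "reasons": reasons,
        "keyword": query.get("default_keyword", [""])[0],
        "source": query.get("source", [""])[0],
    })
    return rec


def scan(log_text: str) -> List[Dict]:
    """Run assess() over every non-empty line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hit = assess(line)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], "->", hit["dest"], hit["host"],
              "|", "; ".join(hit["reasons"]))
        if hit["source"]:
            print("   injected on", hit["source"], "keyword:", hit["keyword"])
```

Matching on the destination IP as well as the hostname is deliberate: the post notes that only 91.226.33.54 has been seen so far, but the recommendation is to treat the whole /23 as hostile, and a DNS change on the attacker's side would otherwise slip past a hostname-only rule.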

UPDATE:
ZScaler are also tracking this infection; an analysis of what it does can be found here.

Friday 18 September 2015

Malware spam: "Transaction confirmation" / "donotreply@lloydsbank.co.uk"

This fake banking spam comes with a malicious attachment:

From     donotreply@lloydsbank.co.uk
Date     Fri, 18 Sep 2015 11:52:36 +0100
Subject     Transaction confirmation

Dear Customer,

Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.

Best regards,
Your personal Manager

Thora Blanda

tel: 0345 300 0000

LLOYDS BANK. 
Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria.

E.ON "You've got mail" spam

I haven't used E.ON for a couple of years, and I no longer have an account with them. So I was surprised to get this E.ON-themed spam. Is it malware? No, it really is E.ON spamming me..

------------
From:    E.ON Energy [eon@eonenergy.com]
Reply-To:    "E.ON Energy" [eon@eonenergy.com]
Date:    17 September 2015 at 19:02
Subject:    You've got mail

You've got mail.
If you are having trouble viewing this email, you can view it here.

E.ON

You've got mail

Dear Conrad Longmore

Thanks for letting us know you'd like us to send you information by email.

What does this mean for me?
You'll receive contact from us by email instead of through the post. We're introducing our emails gradually, so you'll still get a few things through the post until we're all up and running.
What kind of things will you send me?
We'll only send you important information that you need to know about your account, including:

  • Changes to Direct Debit payments, if you've chosen to pay this way.
  • Asking for meter readings
  • Reminding you about any appointments you have with us.
  • Reminding you about paying for the energy you've used, if you haven't already told us when you're going to pay.
  • Anything else we think you'll need to know about your service from us.

Don't worry, we won't send you information to sell you anything, unless you've already told us we can.

What if I change my mind?
Visit our website and let us know.
If you change your mind, we'll still send you reminders by email if you've not paid us what you owe.
As you're an online customer, we'll also still send you an email when your bill is ready to view and other emails related to your online account you automatically get when you've signed up online.
If you've got questions about your account or anything else, click here. You won't get through to us by replying to this email.
Yours sincerely

E.ON Customer Services

Helping our customers. We're on it. E.ON

twitter
Facebook
Follow us on Facebook and Twitter and keep up to date.

Disclaimer Notice
This email has been sent by E.ON Energy Solutions Limited. While we have checked this email and any attachments for viruses, we cannot guarantee that they are virus-free. You must therefore take full responsibility for virus checking.

This message and attachments are confidential and should only be read by those to whom they are addressed.
If you are not the intended recipient, please contact us, delete the message from your computer and destroy any copies. Any distribution or copying without prior permission is prohibited.

Internet communications are not always secure and therefore E.ON does not accept legal responsibility for this message. The recipient is responsible for verifying its authenticity before acting on the contents. Any views or opinions presented are solely those of the author and do not necessarily represent those of E.ON.

Registered Address
E.ON Energy Solutions Limited. Registered office: Westwood Way, Westwood Business Park, Coventry, CV4 8LG. Registered in England and Wales No. 3407430.

Ooookay. So it's a phish or malware, right? Well, in this case floating over the links clearly shows an eonenergy.com domain, rather than something malicious. And at least E.ON have shown good practice by using their own domain rather than some random tracking domain that others do.

It's been a long time since I logged onto E.ON because these days I generate all my electricity from a secondhand Russian nuclear reactor plucked from a rusty submarine that I have buried under the lawn.

Logging on to my account gives this message..

And from that point onwards there is nothing at all that I can do. I can't turn off the E.ON spam because I don't have an account with them!

It's probably 15 years or so since I registered on E.ON.. when I registered it was part of TXU, then PowerGen which then became E.ON. So if you have registered an account with any of those companies in the past decade and a half, then you might get this spam from E.ON, even if you closed your account a long time ago..

UPDATE:
E.ON have posted some information about the cock-up and an apology here.
Thursday 17 September 2015

Malware spam: hrwfmailerprod@lancashire.gov.uk / REFURBISHMENT

This fake financial spam (presumably) comes in several different variants (I saw two):

From     "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]
To     hp_printer@victimdomain.com
Date     Thu, 17 Sep 2015 12:16:26 GMT
Subject     FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)


From             Mabel Winter
To             hp_printer@victimdomain.com
Sent             Thu, 17 Sep 2015 12:12:26 GMT
ID             7216378
Number             6767609,1
Title             Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT

Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment.

The other version I saw mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name, e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip, which contain a malicious executable REFURBISHMENT 7015295.scr with a VirusTotal detection rate of 3/55.

The payload appears to be Upatre/Dyre as seen earlier today.
Malware spam: "Shell E-Bill for Week 38 2015"

This fake financial spam comes with a malicious attachment:

From     [invoices@ebillinvoice.com]
To     administrator@victimdomain.com
Date     Thu, 17 Sep 2015 11:10:15 GMT
Subject     Shell E-Bill for Week 38 2015

Customer No         : 28834
Email address       : administrator@victimdomain.com
Attached file name  : 28834_wk38_2015.PDF

Dear Customer,

Please find attached your invoice for Week 38 2015.

In order to open the attached PDF file you will need
the software Adobe Acrobat Reader.

For instructions of how to download and install this
software onto your computer please visit
http://www.adobe.com/products/acrobat/readstep2.html

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.

Yours sincerely

Customer Services

======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================

Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.

MD5:
0d9c66ffedce257ea346d2c7567310ac
Wednesday 16 September 2015

Malware spam: "Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/"

This fake Lloyds Bank spam comes with a malicious payload:

From:    RSTNAME} Crabtree [Chang.Crabtree@lloydsbankcommercial.com]
Date:    15 September 2015 at 13:18
Subject:    Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/

Please find attached our document pack for the above customer. Once completed please return via email to the below address.

If you have any queries relating to the above feel free to contact us at

MN2Lloydsbanking@lloydsbankcommercial.com
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 7117152. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC453043.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.

In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:

thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
    obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
    obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt

    A further download then takes place from:

    vandestaak.com/css/libary.exe

    This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).

    Recommended blocklist:
    197.149.90.166
    vandestaak.com
    thebackpack.fr
    obiectivhouse.ro

    MD5s:
    4b944c5e668ea9236ac9ab3b1192243a
    1939eba53a1289d68d1fb265d80e60a1

    Malware spam: "HSBC SecureMail" / "You have received a secure message"

    This fake HSBC email message has a malicious payload:


    From:    HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@hsbc.co.uk]
    Date:    16 September 2015 at 13:13
    Subject:    You have received a secure message


    You have received a secure message
    Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
    First time users - will need to register after opening the attachment.
    About Email Encryption - http://www.hsbc.co.uk/secureemail


    HSBC_Payment_87441653
    16K
    Attached is a file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe; this has a VirusTotal detection rate of 4/56.

    UPDATE: The Hybrid Analysis report shows network traffic to a familiar Nigerian IP of 197.149.90.166 which I strongly recommend you block. The traffic pattern is indicative of Upatre dropping the Dyre banking trojan.

    MD5:
    359f0c584d718f44e9777e259f013031

    Monday 14 September 2015

    Spam from "Vanessa Reynolds" / vanessa.reynolds@breedandco.com

    This spam does not seem to have a malicious payload, but is likely sent out by the same people who send out Upatre/Dyre malware spam (or possibly Dridex):
    From     "Vanessa Reynolds" [vanessa.reynolds@breedandco.com]
    Date     Fri, 14 Sep 2015 10:34:32 GMT
    Subject     Hello, how are you?

    Hello, Calvin  how are you?
    The name after "Hello" varies in each version, for example:

    Hello, Sheldon  how are you?
    Hello, Lawanda  how are you?
    Hello, Thurman  how are you?
    Hello, Darlene  how are you?
    Hello, Rhea  how are you?

    The email is always "from" Vanessa Reynolds / vanessa.reynolds@breedandco.com although this is in fact just a simple forgery and Breed & Co (who are a hardware store in Texas) have nothing to do with this.

    The purpose of this spam is unknown. One possibility is that the spammers are probing mail servers for responses (to enumerate valid mailboxes). The other is that this could be a targeted attack on Breed & Co by disrupting email and other means of communication.

    Some sending IPs for the record:
    175.111.117.26
    82.208.233.93
    85.100.114.244
    103.1.69.172
    111.196.186.87
    202.134.161.161

    Friday 11 September 2015

    Malware spam: "Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva" / reports@officeteam.co.uk

    This fake financial spam comes with a malicious payload:
    From     "reports@officeteam.co.uk" [reports@officeteam.co.uk]
    Date     Fri, 11 Sep 2015 10:39:32 GMT
    Subject     Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva

    Please find attached your sales order acknowledgement

    Order No: EF150085
    Account: PFM895
    Your Reference: 14 /Geneva
    Web Reference:
    Kind Regards
    Office Team
    In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet).

    In this case, the payload is Upatre downloading the Dyre banking trojan.

    MD5:
    0a7e68a84765d639210b77575c2373bd

    Thursday 10 September 2015

    Malware spam: "New Fax - 3901535011" / "UK2Fax" [fax2@fax1.uk2fax.co.uk]

    This fake fax spam comes with a malicious attachment:

    From     "UK2Fax" [fax2@fax1.uk2fax.co.uk]
    Date     Thu, 10 Sep 2015 14:07:11 +0100
    Subject     New Fax - 3901535011

    UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT
    Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr, which is exactly the same Upatre/Dyre payload as seen in this other attack today.

    Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]

    This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:

    From     "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
    Date     Thu, 10 Sep 2015 06:32:37 -0500
    Subject     Payroll Received by Intuit

    Dear, petrol
    We received your payroll on Sep 10, 2015 at 09:01.

    Attached is a copy of your Remittance. Please click on the attachment in order to
    view it.

    Please note the deadlines and status instructions below:

    If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
    paid two (2) banking days from the date received or on your paycheck date, whichever
    is later. 

    If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
    days from the date received or on your paycheck date, whichever is later. 

    YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.

    Funds are typically withdrawn before normal banking hours so please make sure you
    have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.

    Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
    date or your employees will not be paid on time. 

    Intuit does not process payrolls on weekends or federal banking holidays. A list
    of federal banking holidays can be viewed at the Federal Reserve website.

    Thank you for your business.

    Sincerely,

    Intuit Payroll Services

    IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
    concerning your current service, software, or billing. Please note that if you previously
    opted out of receiving marketing materials from Intuit, you may continue to receive
    notifications similar to this communication that affect your service or software.

    If you have any questions or comments about this email, please DO NOT REPLY to this
    email. If you need additional information please contact us.

    If you receive an email message that appears to come from Intuit but that you suspect
    is a phishing email, please forward it to immediately to spoof@intuit.com.

    © 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
    trademarks and/or registered service marks of Intuit Inc. in the United States and
    other countries. All other marks are the property of their respective owners, should
    be treated as such, and may be registered in various jurisdictions.

    Intuit Inc. Customer Communications
    2800 E. Commerce Center Place, Tucson, AZ 85706 
    Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.

    In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.

    MD5:
    4dbdf9e73db481b001774b8b9b522ebe

    Tuesday 8 September 2015

    ipserver.su, 5.133.179.0/24 and 212.38.166.0/24

    As a follow-up to this post, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:

    person:         Oleg Nikol'skiy
    address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
    phone:          +18552100465
    e-mail:         abuse@ipserver.su
    nic-hdl:        ON929-RIPE
    mnt-by:         IPSERVER-MNT
    changed:        abuse@ipserver.su 20150528
    created:        2015-05-28T11:11:09Z
    last-modified:  2015-05-28T11:11:09Z
    source:         RIPE


    I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service.

    Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating.

    Here's what is odd. None of the sites that I found [pastebin] has a negative reputation; I would expect to see about 1% in a normal sample, but out of 399 sites it comes back with zero. In fact, none of these sites seems to have any web presence at all, and all the ones that I have tried come back with almost no references on Google.

    I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation, my suggestion is that you block traffic to:

    5.133.179.0/24
    212.38.166.0/24

    In the meantime I will continue digging..

    Monday 7 September 2015

    Something evil on 184.105.163.192/26 / White Falcon Communications / Dmitry Glazyrin

    So.. I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243 hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26 suballocated to:

    contact:ID;I:POC-DC-1258
    contact:Auth-Area:contacts
    contact:Class-Name:contact
    contact:Name:Dmitry Glazyrin
    contact:Company:White Falcon Communications
    contact:Street-Address:3-758 Riverside Dr
    contact:City:Port Coquitlam
    contact:Province:BC
    contact:Postal-Code:V3B 7V8
    contact:Country-Code:CA
    contact:Phone:+1-510-580-4100


    The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..

    bilettver.ru
    ituslugi-ekb.ru
    kerept.ru
    porno-gt.com
    pornosup.com
    redkrab.com
    vgubki.com
    erotubik.com
    autowagen.ru
    decoitalcolor.ru
    jimbobox.ru
    kr-enot.ru
    alemanas.ru
    dynamo-energia.ru
    master-lesa.ru
    kinoprosmotra.net
    multi-torrent.com
    pl-games.ru
    voyeur-hard.com
    fishemania.com
    learnigo.ru
    qazashki.net
    surfus.ru
    mysuppadomainname.gq
    kinoprosmotrov.net
    multtracker.com
    kyricabgr.tk
    onlyhdporno.com
    stat-irc.tk
    white-wolves.tk
    blondescript.com
    dc-dcbcf352.hotvideocentral.com
    wishfishworld.com
    5ka.info
    igro-baza1.ru
    igro-baza2.ru
    igro-baza3.ru
    igro-baza4.ru
    igro-baza5.ru
    kinorelizov.net
    torrent-mult.com
    trailer-games.ru
    vvpvv10.ru
    vvpvv9.ru
    todoke.ru
    glazikvovana.cf
    glazikvovana.ga
    glazikvovana.gq
    glazikvovana.ml
    glazikvovana.tk
    glazikvovki.cf
    glazikvovki.ga
    glazikvovki.gq
    glazikvovki.ml
    glazikvovki.tk
    popochkavovana.cf
    popochkavovana.ga
    popochkavovana.gq
    popochkavovana.ml
    popochkavovana.tk
    popochkavovki.cf
    popochkavovki.ga
    popochkavovki.gq
    popochkavovki.ml
    popochkavovki.tk
    resnichkavovana.cf
    resnichkavovana.ga
    resnichkavovana.gq
    resnichkavovana.ml
    resnichkavovana.tk
    resnichkavovki.cf
    resnichkavovki.ga
    resnichkavovki.gq
    resnichkavovki.ml
    resnichkavovki.tk
    samaragss.ru
    wechkavovana.cf
    wechkavovana.ga
    wechkavovana.gq
    wechkavovana.ml
    wechkavovana.tk
    wechkavovki.cf
    wechkavovki.ga
    wechkavovki.gq
    wechkavovki.ml
    wechkavovki.tk
    zalypkavovana.ml
    zalypkavovana.tk
    zalypkavovki.cf
    zalypkavovki.ga
    zalypkavovki.gq
    zalypkavovki.ml
    zalypkavovki.tk
    zybikvovana.cf
    zybikvovana.ga
    zybikvovana.gq
    zybikvovana.ml
    zybikvovana.tk
    zybikvovki.cf
    zybikvovki.ga
    zybikvovki.gq
    zybikvovki.ml
    zybikvovki.tk
    staffrc.com
    stopudof.com
    35igr.ru
    adandc.ru
    avgyst.ru
    comedy24.ru
    e7ya.ru
    funrussia.ru
    ladykafe.ru
    med-cafe.ru
    mykazantip.ru
    ohotaforum.ru
    powerpoint-ppt.ru
    sibledy.ru
    turistvip.ru
    ya-pisatel.ru
    kypitest.ru
    anykadavai.tk
    forwarditaly.org
    getyourimesh.com
    mymobi.ml
    yellowfrance.org

    Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].

    Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.

    So, who is this outfit? Well, it didn't take long to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".

    However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.

    * fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.

    Malware spam: "Credit Note CN-60938 from Stilwell Financial Inc" / "message-service@post.xero.com"

    This fake financial spam comes with a malicious payload.
    From:    Accounts [message-service@post.xero.com]
    To:    hp_printer@victimdomain.com
    Date:    7 September 2015 at 11:55
    Subject:    Credit Note CN-60938 from Stilwell Financial Inc for victimdomain.com (0178)

    Hi Boris,

    To download your credit note CN-60938 for 401.04 GBP please follow the link below : https://get.xerofiles.com/[snip]

    This has been allocated against invoice number

    If you have any questions, please let us know.

    Thanks,
    Stilwell Financial Inc

    In the only sample I saw, the download location was a file at xerofiles.com which came up with a 403 error. This domain belongs to an accounting service called Xero; it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.

    Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it look like it comes from Xero itself.
    Received: from 78.187.120.220.static.ttnet.com.tr (unknown [95.9.34.122])
        by [redacted] (Postfix) with ESMTP id 74F50400BE;
        Mon,  7 Sep 2015 11:59:12 +0100 (BST)
    Received: from mail2.go.xero.com (198.61.155.105) by
     GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP
     Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
    From: Accounts <message-service@post.xero.com>
    To:  hp_printer@[redacted]
    Date: Mon, 7 Sep 2015 12:55:16 +0200
    Subject: Credit Note CN-60938 from Stilwell Financial Inc for [redacted] (0178)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    X-Mailer: aspNetEmail ver 3.5.2.0
    Message-ID: <504359-L45H474JYDT96LCSOCCGF9O9R1IXJTQ2949EW0C2@xero.com>
    The fake parts of the headers are highlighted. The actual sending IP is 95.9.34.122 in Turkey. I don't know what the payload is in this case as the download location doesn't work, it will most likely be some sort of banking trojan.
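    Header forgery of this kind is worth checking mechanically rather than by eye. As an added example (not code from the original post, and not something its author ran), here is a Python script that walks the Received chain the way a mail gateway should: only the top hop, stamped by your own MTA, is trusted, and that hop gives the real connecting IP and the HELO name the client offered; every hop below it is sender-supplied text and is examined only for impossible IP literals such as 10.997.33.92. The headers are a constructed copy of the ones above with the recipient's redacted server replaced by the placeholder mx.example.invalid, and the Postfix "from HELO (rDNS [ip])" format is assumed for the trusted hop.

```python
import ipaddress
import re
from email import message_from_string

# Constructed copy of the forged Xero headers quoted above; mx.example.invalid
# stands in for the recipient's redacted Postfix server.
RAW_MESSAGE = """\
Received: from 78.187.120.220.static.ttnet.com.tr (unknown [95.9.34.122])
    by mx.example.invalid (Postfix) with ESMTP id 74F50400BE;
    Mon,  7 Sep 2015 11:59:12 +0100 (BST)
Received: from mail2.go.xero.com (198.61.155.105) by
 GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP
 Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
From: Accounts <message-service@post.xero.com>
To: hp_printer@example.invalid
Subject: Credit Note CN-60938 from Stilwell Financial Inc for example.invalid (0178)
Message-ID: <504359-L45H474JYDT96LCSOCCGF9O9R1IXJTQ2949EW0C2@xero.com>

(body)
"""

# Postfix stamps "from <HELO> (<rDNS-or-unknown> [<connecting IP>])".
POSTFIX_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)")
DOTTED_QUAD = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BRACKETED_IP = re.compile(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")


def received_headers(raw):
    """Received headers top-down (most recent hop first), folding removed."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def analyse(raw, trusted_hops=1):
    """trusted_hops is how many Received lines your own infrastructure adds."""
    hops = received_headers(raw)
    report = {"sending_ip": None, "helo": None, "findings": []}
    if not hops:
        report["findings"].append("no Received headers")
        return report
    m = POSTFIX_FROM.search(hops[0])
    if m is None:
        report["findings"].append("top hop is not in Postfix format, cannot trust it")
        return report
    report["sending_ip"], report["helo"] = m["ip"], m["helo"]
    if m["rdns"] == "unknown":
        report["findings"].append(f"no reverse DNS for connecting IP {m['ip']}")
    # A HELO that embeds a different address than the one that actually connected
    # is a classic sign of a bot reusing someone else's hostname.
    embedded = DOTTED_QUAD.search(m["helo"])
    if embedded and embedded.group(1) != m["ip"]:
        report["findings"].append(
            f"HELO {m['helo']} embeds {embedded.group(1)} but the connection came from {m['ip']}")
    # Everything below the trusted hops was written by the sender and may be pure fiction.
    for hop in hops[trusted_hops:]:
        for literal in BRACKETED_IP.findall(hop):
            try:
                ipaddress.ip_address(literal)
            except ValueError:
                report["findings"].append(f"impossible IP {literal} in sender-supplied hop")
    return report


if __name__ == "__main__":
    r = analyse(RAW_MESSAGE)
    print("real sending IP:", r["sending_ip"], "HELO:", r["helo"])
    for finding in r["findings"]:
        print(" -", finding)
```

    Run against the constructed headers it reports 95.9.34.122 as the real sending IP, notes that the HELO name embeds 78.187.120.220 instead, and flags 10.997.33.92 as an impossible address in the forged "outlook.com" hop. Set trusted_hops to however many Received lines your own relays add before the message reaches the analyser, otherwise the script will trust a hop the sender wrote.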

    Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]

    This spam does not come from Companies House, but is instead a simple forgery with a malicious attachment:

    From     "Companies House" [WebFiling@companieshouse.gov.uk]
    Date     Mon, 7 Sep 2015 12:40:01 +0100
    Subject     RE: Case 0676414

    The submission number is: 0676414

    For more details please check attached file.

    Please quote this number in any communications with Companies House.

    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.

    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other Organizations that handle public funds.

    If you have any queries please contact the Companies House Contact Centre
    on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

    Note: This email was sent from a notification-only email address which cannot
    accept incoming email. Please do not reply directly to this message.

    Companies House
    4 Abbey Orchard Street
    Westminster
    London
    SW1P 2HT
    Tel +44 (0)303 1234 500  

    The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.

    This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.
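    The Case_NNNNNNN.zip / .scr pattern here is the same one as in the HSBC, UK2Fax, Intuit and OfficeTeam runs above: a zip whose single member is a renamed PE executable. This is an added example, not code from the original post, showing the checks a mail gateway can make on such an attachment before any signature-based scanner is involved: executable extensions including .scr, double extensions like invoice.pdf.exe, a right-to-left override character in the name, an MZ header on a file that claims to be a document, and encrypted members that cannot be inspected. The archive is built in memory with two-byte "MZ" stubs standing in for real executables, so no actual malware is involved. The PDF icon trick mentioned above lives in the PE resource section and would need a PE parser, which this example does not attempt.

```python
import io
import zipfile

# Extensions Windows runs directly when double-clicked; .scr is just a PE executable
# with a screensaver name, which is why the Upatre droppers favour it.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                         ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".cpl"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RTL_OVERRIDE = "\u202e"   # makes "x\u202efdp.scr" display as "xrcs.pdf"
PE_MAGIC = b"MZ"


def split_ext(name):
    """('report.pdf', '.exe') for 'report.pdf.exe'; extension lower-cased."""
    lower = name.lower()
    if "." not in lower:
        return lower, ""
    stem, ext = lower.rsplit(".", 1)
    return stem, "." + ext


def inspect_zip(data):
    """Map each archive member to the list of reasons it looks dangerous."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["not a valid zip file"]}
    report = {}
    for info in zf.infolist():
        reasons = []
        stem, ext = split_ext(info.filename)
        if RTL_OVERRIDE in info.filename:
            reasons.append("right-to-left override in filename")
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if split_ext(stem)[1] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension disguised as a document")
        if info.flag_bits & 0x1:   # general purpose bit 0 = member is encrypted
            reasons.append("encrypted member, cannot be inspected")
        else:
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                reasons.append("PE executable (MZ header)")
                if ext not in EXECUTABLE_EXTENSIONS:
                    reasons.append("PE executable hiding behind a non-executable extension")
        report[info.filename] = reasons
    return report


def build_sample_zip():
    """Constructed test archive; 'MZ' stubs stand in for real executables."""
    fake_pe = PE_MAGIC + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Case_0043258.scr", fake_pe)
        zf.writestr("report.pdf.exe", fake_pe)
        zf.writestr("invoice.pdf", fake_pe)
        zf.writestr("Fax-800312316" + RTL_OVERRIDE + "fdp.scr", fake_pe)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(repr(name), "->", ", ".join(reasons) or "clean")
```

    Note that the MZ check looks at content rather than name, which is what catches invoice.pdf here; an extension-only policy would have passed it. Encrypted members are reported rather than skipped, because a password-protected zip is itself a common way of getting a .scr past a gateway.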

    MD5:
    f1d62047d22f352a14fe6dc0934be3bb

    Friday 4 September 2015

    Malware spam: "RE:resume" aka "What happened to your files?" / Cryptowall 3.0

    This fake résumé spam leads to ransomware:

    From:     fredrickkroncke@yahoo.com
    Date:    5 September 2015 at 03:50
    Subject:    RE:resume
    Signed by:    yahoo.com

    Hi my name is Teresa Alexander attach is my resume
    Awaiting your prompt reply

    Kind regards

    Teresa Alexander
    The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:



    Protected Document
    This document is protected by Microsoft Office.
    Please enable Editing and Content to see this document.

    Can’t view? Follow the steps below.
    Open the document in Microsoft Office. Previewing online does not work for protected documents.
    If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
    Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
    Following these steps would be a Very Bad Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56.

    The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:

    46.30.46.117 (Eurobyte LLC, Russia)
    186.202.153.84 (gaiga.net)
    192.186.235.39 (satisgoswamicollege.org)
    52.88.9.255 (entriflex.com)
    23.229.143.32 (eliasgreencondo.com)

    Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.

    Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)


    This further references another bunch of domains that you might want to block, especially in a corporate environment:

    namepospay.com
    optiontosolutionbbs.com
    optionpay2all.com
    democraticash.com


    This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:

    68.178.254.208 (erointernet.com)

    Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malicious site, you can consider it to be a potential indicator of compromise.

    The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.

    Recommended blocklist:
    46.30.46.0/24
    gaiga.net
    satisgoswamicollege.org
    entriflex.com
    eliasgreencondo.com
    erointernet.com
    namepospay.com
    optiontosolutionbbs.com
    optionpay2all.com
    democraticash.com
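    The blocklists in these posts (the Cobranet IP and download hosts from the Upatre/Dyre runs, the Cryptowall 3.0 list above, and the 184.105.163.192/26, 5.133.179.0/24 and 212.38.166.0/24 ranges from the hosting write-ups) are only useful if something actually checks traffic against them. This is an added example, not code from the original posts: a small Python matcher that takes the mixed list of IPs, CIDR ranges and domains as written and runs it over a few constructed Squid-style proxy log lines. Subdomains of a listed domain match (www.thebackpack.fr as well as thebackpack.fr), and ip-addr.es, which the Cryptowall post calls a potential indicator rather than a malicious site, sits on a separate watch list so it is reported but not treated as a block. The log lines, paths and client addresses are made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above: the Cobranet IP the Upatre/Dyre samples
# beacon to, the download hosts from the Lloyds macro, the Cryptowall 3.0 list,
# and the three hosting ranges recommended for blocking.
BLOCKLIST = [
    "197.149.90.166",
    "vandestaak.com", "thebackpack.fr", "obiectivhouse.ro",
    "46.30.46.0/24", "gaiga.net", "satisgoswamicollege.org", "entriflex.com",
    "eliasgreencondo.com", "erointernet.com", "namepospay.com",
    "optiontosolutionbbs.com", "optionpay2all.com", "democraticash.com",
    "184.105.163.192/26", "5.133.179.0/24", "212.38.166.0/24",
]
# Lower-confidence indicator: the Cryptowall sample looks up its own IP here.
WATCHLIST = ["ip-addr.es"]

# Squid native log: timestamp, client, result/status, bytes, method, URL, ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def compile_indicators(entries):
    """Split mixed indicators into IP networks and lower-cased domain names.
    A bare IP becomes a /32 so both kinds can be tested with `in`."""
    networks, domains = [], set()
    for entry in entries:
        entry = entry.strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry)
    return networks, domains


def domain_matches(host, domains):
    """True if host is a listed domain or any subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def ip_matches(host, networks):
    """True if host is an IP literal inside any listed network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def verdict(host, block, watch):
    for name, (networks, domains) in (("block", block), ("watch", watch)):
        if ip_matches(host, networks) or domain_matches(host, domains):
            return name
    return None


def scan_log(text, blocklist=BLOCKLIST, watchlist=WATCHLIST):
    """Return (client, host, verdict) for every log line whose URL host matches."""
    block = compile_indicators(blocklist)
    watch = compile_indicators(watchlist)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        v = verdict(host, block, watch)
        if v:
            hits.append((m["client"], host, v))
    return hits


# Constructed Squid-style access log lines (not real traffic).
SAMPLE_LOG = """\
1441622400.123 10.0.0.15 TCP_MISS/200 4123 GET http://www.thebackpack.fr/wp-content/66836487162.txt
1441622401.456 10.0.0.15 TCP_MISS/200 97312 GET http://vandestaak.com/css/libary.exe
1441622402.789 10.0.0.15 TCP_MISS/200 512 POST http://197.149.90.166/
1441622403.001 10.0.0.22 TCP_MISS/200 2048 GET http://46.30.46.117/img.php
1441622404.002 10.0.0.22 TCP_MISS/200 1024 GET http://ip-addr.es/
1441622405.003 10.0.0.31 TCP_HIT/200 8192 GET http://www.example.com/index.html
1441622406.004 10.0.0.31 TCP_MISS/200 64 GET http://notgaiga.net/
1441622407.005 10.0.0.31 TCP_MISS/200 64 GET http://184.105.163.243/
"""

if __name__ == "__main__":
    for client, host, v in scan_log(SAMPLE_LOG):
        print(f"{v:5} {client:<12} {host}")
```

    The suffix match is deliberate: notgaiga.net is not a hit, because matching is on whole DNS labels rather than substrings, while anything under thebackpack.fr is. The same compile_indicators/verdict pair works for DNS query logs or firewall logs once the host field has been pulled out of the line.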

    MD5s:
    d6b3573944a4b400d6e220aabf0296ec
    5b311508910797c91cc9c9eb4b4edb0c