This fake financial spam comes with a malicious attachment. The sender's name, subject and body text vary from message to message; examples include:
Subject:
Fwd: Final Notice About Unpaid Bill
Fw: Important Notice About Created Invoice
Re: Important Message About New Invoice
Body text:
Pls see the bill attached.
review the report attached.
check the invoice attached.
Some more examples can be seen here.
Attached is a randomly-named document, of which I have seen three samples (VirusTotal results [1] [2] [3]). The Malwr report on one of the samples, plus these Hybrid Analysis reports [4] [5] [6], show a download of an encrypted file from:
darrallmacqueen.com/b2.jpg?XhVee=9
darrallmacqueen.com/b2.jpg?XhVee=20
darrallmacqueen.com/b2.jpg?XhVee=16
The dropped files seem pretty random: in every sample the binary was different, with only generic detections [1] [2] [3] [4]. All of the samples crash in Malwr [5] [6] [7] [8].
It all seems a little odd, and if I get more information on what is happening I will update this post. In the meantime the only mitigating step I can think of is to block traffic to darrallmacqueen.com, which should stop the files from downloading.
Thursday, 10 March 2016
Wednesday, 9 March 2016
Malware spam: "Please find attached 2 invoices for processing." leads to Locky
These fake financial spam emails come from random sources with different names and reference numbers:
From: Melisa Keller
Date: 9 March 2016 at 12:08
Subject: FW: Invoice 2016-M#111812
Dear server,
Please find attached 2 invoices for processing.
Yours sincerely,
Melisa Keller
Financial Manager
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
Attached is a file with a name similar to Payment_2016_March_111812.zip, containing two scripts whose names, in the samples I have seen, all start with "see_it" or "problem". These malicious scripts all have low detection rates [1] [2] [3] [4] [5] [6]. The Malwr reports for those samples [7] [8] [9] [10] [11] [12] show that the scripts download a binary from:
ihsanind.com/system/logs/87jhg44g5
nguoitieudungthongthai.com/system/logs/987i6u5y4t
astralia.ro/08o76g445g [404]
Only two of the three download locations work (the astralia.ro one returns a 404), dropping binaries with a detection rate of 5/55 [1] [2]. Note that there may be other download locations.
The Malwr reports indicate that the malware phones home to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
149.154.157.14 (EDIS, Italy)
The payload is the Locky ransomware.
UPDATE
I received the following information from another source (thank you)
Additional download locations:
ari-ev.com/system/logs/765uy453gt5
hipnotixx.com/27h8n
myonlinedeals.pk/system/logs/43d5f67n8
planetarchery.com.au/system/logs/q32r45g54
saachi.co/system/logs/43ghy8n
shofukai.web.fc2.com/23rt54y56
www.ekowen.sk/09y8j
Payload MD5s:
252957f37b8bd7a57473eab5f1a65d5c
39443da2c5454e0cb3ab42e407266d12
536162e0df26db751c3aa192af512413
6d42c5aa20117483b47b6e9c10444626
80baac1953a3fa6b74c2cd9689a0d81c
84a47c9c74efe890d7e0e9935fc96bda
b81006520f0d50317a66c0eb9d2185a5
e12fde01606227d45e8048fb4e5cc88c
eebb1e3a4fefcbacf3a7076b32180673
Additional C2s:
91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
Recommended blocklist:
78.40.108.39
149.154.157.14
91.195.12.131
151.236.14.51
37.235.53.18
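A blocklist is only useful if it gets applied to something. Below is an added example (my own code, not part of the original post or of any tool named in it) that indexes the download URLs and C2 IPs listed above and runs them over proxy log lines. The log lines are constructed for illustration in Squid access-log layout; the `/system/logs/<token>` path regex generalises from the download locations seen in this and the neighbouring posts on this page (the tokens rotate, the directory does not) and is my assumption rather than something the post states. The same approach applies to the download URL and C2 lists in the other posts below.

```python
"""Match the IOCs from this post against proxy log lines.

Added example, not from the original post. SAMPLE_LOG is constructed;
the download URLs and C2 IPs are the ones listed in the post.
"""
import re
from urllib.parse import urlsplit

# Download locations from the post (listed without a scheme there). The
# astralia.ro one returned a 404 at the time, but it is still worth matching.
DOWNLOAD_URLS = [
    "ihsanind.com/system/logs/87jhg44g5",
    "nguoitieudungthongthai.com/system/logs/987i6u5y4t",
    "astralia.ro/08o76g445g",
    "ari-ev.com/system/logs/765uy453gt5",
    "hipnotixx.com/27h8n",
    "myonlinedeals.pk/system/logs/43d5f67n8",
    "planetarchery.com.au/system/logs/q32r45g54",
    "saachi.co/system/logs/43ghy8n",
    "shofukai.web.fc2.com/23rt54y56",
    "www.ekowen.sk/09y8j",
]
C2_IPS = {"78.40.108.39", "149.154.157.14", "91.195.12.131",
          "151.236.14.51", "37.235.53.18"}

# Assumption: the downloaders in this family fetch a short random token
# (optionally with .exe) from /system/logs/ on compromised sites, so flag
# that path shape on any host, not just the hosts already known.
GENERIC_PATH = re.compile(r"^/system/logs/[a-z0-9]{4,16}(?:\.exe)?$", re.IGNORECASE)

# Squid native access log: timestamp elapsed client action/code size method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def _split(url):
    """urlsplit that tolerates scheme-less 'host/path' and CONNECT 'host:port'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path


def index_iocs(urls):
    """Return (set of hosts, set of (host, path)) for exact matching."""
    hosts, full = set(), set()
    for u in urls:
        host, path = _split(u)
        hosts.add(host)
        full.add((host, path))
    return hosts, full


def classify(url, hosts, full, c2_ips):
    """Most specific verdict first; None when nothing matches."""
    host, path = _split(url)
    if host in c2_ips:
        return "c2-ip"
    if (host, path) in full:
        return "known-download-url"
    if host in hosts:
        return "known-download-host"
    if GENERIC_PATH.match(path):
        return "suspicious-path"
    return None


def scan(log_text, urls=DOWNLOAD_URLS, c2_ips=C2_IPS):
    """Return (client, verdict, url) for every log line that matches an IOC."""
    hosts, full = index_iocs(urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("url"), hosts, full, c2_ips)
        if verdict:
            hits.append((m.group("client"), verdict, m.group("url")))
    return hits


# Constructed sample: one known download, one C2 POST, one unknown host with
# the tell-tale path, and one benign request.
SAMPLE_LOG = """\
1457523000.123    812 10.0.0.12 TCP_MISS/200 184320 GET http://ihsanind.com/system/logs/87jhg44g5 - DIRECT/203.0.113.10 application/octet-stream
1457523001.456    120 10.0.0.12 TCP_MISS/200 512 POST http://78.40.108.39/ - DIRECT/78.40.108.39 text/html
1457523002.789     90 10.0.0.15 TCP_MISS/200 180000 GET http://compromised-site.invalid/system/logs/q32r45g54 - DIRECT/203.0.113.20 application/octet-stream
1457523003.000     40 10.0.0.20 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/203.0.113.30 text/html
"""

if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{url}")
```

Exact URL matches go stale within hours as the tokens change, which is why the host-level and path-shape checks sit behind them: a hit on `suspicious-path` against a host that is not yet on anyone's list is the one worth looking at first.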
Labels:
Italy,
Kazakhstan,
Locky,
Malware,
Ransomware,
Spam,
Viruses
Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]
This terse spam has a malicious attachment. There is no body text.
From: Idris Mohammed [idrismohammed25@gmail.com]
Date: 9 March 2016 at 09:55
Subject: DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe
There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:
64.76.19.251 (Impsat, Argentina)
I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.
UPDATE
A contact sent some more download locations (thank you!)
oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe
...and also some additional C2s:
188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234
Tuesday, 8 March 2016
Malware spam: "Please see attached (scanned document) file for your invoice" leads to Locky
This fake financial spam leads to the Locky ransomware. Sender names, reference numbers and attachment names will vary.
From: Kris Bentley [BentleyKris59113@annarborultimate.org]
Date: 8 March 2016 at 14:35
Subject: FW: Invoice #098377-2016-03
Dear infon,
Please see attached (scanned document) file for your invoice.
Thank you for your business
Kris Bentley
Sales Manager
The payload appears to be identical to the one found in this spam run.
Malware spam: "Compensation - Reference Number #368380" leads to Locky
This fake financial spam comes with a malicious attachment:
From: Orval Burgess
Date: 8 March 2016 at 11:10
Subject: Compensation - Reference Number #368380
Dear Customer,
The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.
Sincerely,
Orval Burgess
Account Manager
Attached is a file named in a format similar to SCAN_00_368380.zip, which contains TWO malicious scripts with names in a format similar to email.864036956.js (VirusTotal results [1] [2] [3] [4]). Automated analysis tools [5] [6] [7] [8] [9] [10] [11] [12] show binary download locations at:
ministerepuissancejesus.com/o097jhg4g5
ozono.org.es/k7j6h5gf
Those same reports indicate the malware attempts to phone home to the following IPs:
89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)
Those automated reports all indicate that this is the Locky ransomware.
UPDATE
A trusted source also informs me of these additional download locations:
51457642.de.strato-hosting.eu/980k7j6h5
besttec-cg.com/89ok8jhg
cyberbuh.pp.ua/97kh65gh5
fkaouane.free.fr/67uh54gb4
het-havenhuis.nl/099oj6hg
kokoko.himegimi.jp/54g4
lahmar.choukri.perso.neuf.fr/78hg4wg
surfcash.7u.cz/0o9k7jh55
www.vtipnetriko.cz/9oi86j5hg4
In addition, there is another IP address the malware phones home to:
212.47.223.19 (Web Hosting Solutions Oy, Estonia)
Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196
212.47.223.19
Malware spam: "Samson Floyd agent Fedex" / "FeDex-service"
This fake FedEx spam has a malicious attachment:
From: FeDex-service
Date: 8 March 2016 at 11:40
Subject: Samson Floyd agent Fedex
Dear [redacted],
We attempted to deliver your item on March 07th, 2016, 11:40 AM.
The delivery attempt failed because the address was business closed or
nobody could sign for it. To pick up the parcel,please, print the receipt
that is attached to this email and visit Fedex office indicated in the
invoice. If the package is not picked up within 48 hours, it will be returned
to the shipper.
Label: US45928402845
Expected Delivery Date: March 07th, 2016
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Thank you for choosing our service
Attached is a RAR archive, in this case named US45928460284.rar, which in turn contains a malicious script US45928460284.js that is rather curious [pastebin]. The script attempts to download an executable from:
www.fotoleonia.it/files/sample.exe
This has a VirusTotal detection rate of 4/54. The Malwr report shows a subsequent download from:
www.claudiocalaprice.com/modules/fedex/pad.exe
This has similar detections to the first binary. The same Malwr report also shows the binary POSTing data to:
pdf.repack.bike/new_and/state.php
This is hosted on:
151.80.76.200 (Kitdos, US / OVH, France)
I would suggest that the entire 151.80.76.200/29 range is questionable and should be blocked.
None of the automated tools I ran [1] [2] [3] [4] gave any insight as to what the malware does, but it is clearly something malicious.
Malware spam: "Order 1307605 (Acknowledgement)" / rick.adrio@booles.co.uk
This fake financial spam has a malicious attachment:
From rick.adrio@booles.co.uk
Date Tue, 08 Mar 2016 15:58:07 +0530
Subject Order 1307605 (Acknowledgement)
Please find document attached
CONFIDENTIALITY AND DISCLAIMER NOTICE:
This email contains proprietary information which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission error has misdirected
this email, please notify the author by replying to this email. If you are not the
intended recipient you must not use, disclose, distribute, copy, print, or rely on
this email and delete all copies. Boole's Tools and Pipe Fittings Ltd is a private
company limited by shares. Registered in the United Kingdom No. 683745. Registered
office: PO Box 1586, Gemini One, John Smith Drive, Oxford Business Park South, Oxford,
OX4 9JF, United Kingdom.
Attached is a file pm51A.docm which I have seen two versions of (VirusTotal results [1] [2]). According to these Malwr reports [3] [4] and various other sources, the macro in the document downloads from:
stopmeagency.free.fr/9uj8n76b5.exe
reclamus.com/9uj8n76b5.exe
lhs-mhs.org/9uj8n76b5.exe
izzy-cars.nl/9uj8n76b5.exe
kyudentyumi.wekyudentyumi.web.fc2.com/9uj8n76b5.exe
The dropped binary has changed from earlier and now has a detection rate of 2/55; it phones home to the same IP address as seen in this campaign. It appears to be the Dridex banking trojan.
Malware spam: "Emailing: 20121005154449756" / Gary Atkinson [Gary@garrardwindows.co.uk]
This spam does not come from Garrard Windows but is instead a simple forgery with a malicious attachment:
From Gary Atkinson [Gary@garrardwindows.co.uk]
Date Tue, 08 Mar 2016 12:09:33 +0300
Subject Emailing: 20121005154449756
Please find attached document as requested.
Attached is a file 20121005154449756.zip which contains a randomly-named script. I have seen two samples so far (VirusTotal results [1] [2]). The Malwr reports [3] [4] show the script downloading from the following locations:
jatukarm-30.com/9uj8n76b5.exe
stopmeagency.free.fr/9uj8n76b5.exe
The downloaded binary appears to be Dridex and is the same as the one found in this spam run.
Malware spam: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016 / Accounts Payable [vendoramendments@yorkshirewater.co.uk]
This fake financial spam does not come from Yorkshire Water but is instead a simple forgery with a malicious attachment.
From Accounts Payable [vendoramendments@yorkshirewater.co.uk]
Date Tue, 08 Mar 2016 10:32:52 +0200
Subject Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
-----------------------------------------
Spotted a leak?
If you spot a leak please report it immediately. Call us on 0800 57 3553 or go to
http://www.yorkshirewater.com/leaks
Get a free water saving pack
Don't forget to request your free water and energy saving pack, it could save you
money on your utility bills and help you conserve water. http://www.yorkshirewater.com/savewater
The information in this e-mail, and any files transmitted with it, is confidential
and may also be legally privileged. The contents are intended solely for the addressee
only and are subject to the legal notice available at http://www.keldagroup.com/email.htm.
This email does not constitute a binding offer, acceptance, amendment, waiver or
other agreement, or create any obligation whatsoever, unless such intention is clearly
stated in the body of the email. If you are not the intended recipient, please return
the message by replying to it and then delete the message from your computer. Any
disclosure, copying, distribution or action taken in reliance on its contents is
prohibited and may be unlawful.
Yorkshire Water Services Limited
Registered Office Western House, Halifax Road, Bradford, BD6 2SZ
Registered in England and Wales No 2366682
I have only seen a single sample, with an attachment named Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP which contains a randomly-named malicious script with a detection rate of 3/54.
According to the Malwr report and Hybrid Analysis on this sample, it downloads a malicious binary from:
lhs-mhs.org/9uj8n76b5.exe
This binary has a detection rate of 2/54, and all those reports indicate that it phones home to:
38.64.199.3 (PSINet, Canada)
I recommend that you block traffic to that IP. The Malwr report on the dropped binary is inconclusive, but it looks like the Dridex banking trojan.
Monday, 7 March 2016
Evil networks to block 2016-03-07
Some more evil networks you might want to block, following on from an update about a week ago.
5.9.253.160/27
69.175.66.72/29
85.204.74.0/24
89.108.83.0/24
91.227.68.0/24
107.182.226.128/28
146.185.243.0/24
162.244.32.64/26
184.154.47.96/29
185.46.8.0/24
185.49.68.0/24
188.138.71.208/28
188.138.71.224/29
204.45.251.0/24
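As an added example (my own code, not part of the original post), here is how I would turn the list above into something a firewall can actually consume: validate each prefix, collapse any duplicates or mergeable neighbours, check arbitrary addresses against the result, and emit ipset/iptables commands. The set name and the rule placement (FORWARD chain, destination match) are my assumptions. The small containing_block helper also shows how a "block the /29 around it" suggestion, like the 151.80.76.200/29 in the FedEx post above, is derived from a single host address.

```python
"""Validate, collapse and apply a hand-written CIDR blocklist.

Added example, not from the original post. The CIDR list is copied from the
post; the addresses checked in the usage section are constructed.
"""
import ipaddress

# CIDR list from the post ("Evil networks to block 2016-03-07").
EVIL_NETWORKS_2016_03_07 = """
5.9.253.160/27
69.175.66.72/29
85.204.74.0/24
89.108.83.0/24
91.227.68.0/24
107.182.226.128/28
146.185.243.0/24
162.244.32.64/26
184.154.47.96/29
185.46.8.0/24
185.49.68.0/24
188.138.71.208/28
188.138.71.224/29
204.45.251.0/24
"""


def parse_networks(text):
    """Parse one CIDR per line, ignoring blank lines and '#' comments.

    strict=True makes ipaddress raise on a prefix whose host bits are set
    (e.g. 5.9.253.161/27), which in a hand-typed list almost always means a
    typo rather than an intended block. collapse_addresses removes duplicates
    and merges neighbours that form a larger aligned prefix; the list above
    has neither, so 14 networks go in and 14 come out.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return sorted(ipaddress.collapse_addresses(nets))


def containing_block(addr, prefixlen):
    """The aligned /prefixlen block containing addr, e.g. the /29 around a C2."""
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


def make_checker(nets):
    """Return is_blocked(addr) -> bool for the given networks."""
    def is_blocked(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)
    return is_blocked


def ipset_commands(nets, name="evil-2016-03-07"):
    """Shell commands that load the list into an ipset and drop traffic to it.

    -exist before the command makes the create/add idempotent so the script
    can be re-run after the list is updated. Chain and direction are assumptions.
    """
    cmds = [f"ipset -exist create {name} hash:net"]
    cmds += [f"ipset -exist add {name} {n.with_prefixlen}" for n in nets]
    cmds.append(f"iptables -I FORWARD -m set --match-set {name} dst -j DROP")
    return cmds


if __name__ == "__main__":
    nets = parse_networks(EVIL_NETWORKS_2016_03_07)
    blocked = make_checker(nets)
    # Constructed addresses: one inside the first prefix, one just outside it.
    for addr in ("5.9.253.170", "5.9.253.192"):
        print(addr, "blocked" if blocked(addr) else "allowed")
    print(containing_block("151.80.76.200", 29))
    print("\n".join(ipset_commands(nets)))
```

Re-running parse_networks after every update to the list is the cheap check that catches the classic mistake of pasting a host address with a /24 on the end and silently blocking the wrong 256 addresses.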
Labels:
Angler EK,
Evil Network,
Malware,
Viruses
Malware spam: "E-Service (Europe) Ltd Invoice No: 10013405" / andrew.williams@eurocoin.co.uk
This fake financial spam leads to malware:
From Andrew Williams [andrew.williams@eurocoin.co.uk]
Date Mon, 07 Mar 2016 17:37:49 +0530
Subject E-Service (Europe) Ltd Invoice No: 10013405
Dear Customer,
Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.
Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment on:
Tel (44) 01707 280000
Email: accounts@e-service.co.uk
Or logon and register to access your customer portal where you can view all historic
orders & transactions on www.e-service.co.uk
PLEASE NOTE NEW E-SERVICE (EUROPE) BANK DETAILS:
Currency A/C No. Sort Code Swift Code IBAN No.
GBP 21698613 40-04-37 MIDLGB22 GB48MIDL40043721698613
EUR 71685997 40-05-15 MIDLGB22 GB75MIDL40051571685997
Kind regards
E-Service (Europe) Accounts Team
Attached is a ZIP file named Invoice 10013405.zip which contains one of a wide range of randomly-named scripts.
A trusted third party analysis (thank you!) shows that there are download locations at:
aqarhits.com/system/logs/87tg7v645c.exe
alexkote.ru/wp-content/plugins/87tg7v645c.exe
azshop24.com.vn/system/logs/87tg7v645c.exe
dsignshop.com.au/system/logs/87tg7v645c.exe
fibrefamily.ru/system/logs/87tg7v645c.exe
jldoptics.com/system/logs/87tg7v645c.exe
kiddyshop.kiev.ua/image/data/87tg7v645c.exe
kievelectric.kiev.ua/art/media/87tg7v645c.exe
lightsroom.ru/system/logs/87tg7v645c.exe
ptunited.net/system/logs/87tg7v645c.exe
scs-smesi.ru/published/PD/87tg7v645c.exe
shapes.com.pk/system/logs/87tg7v645c.exe
sub4.gustoitalia.ru/system/logs/87tg7v645c.exe
surprise.co.in/system/logs/87tg7v645c.exe
texfibre.eu/system/logs/87tg7v645c.exe
www.promumedical.com/system/logs/87tg7v645c.exe
www.souqaqonline.com/system/logs/87tg7v645c.exe
The dropped binary has a detection rate of 5/56 and the Malwr report clearly shows this is the Locky ransomware.
My contact reports that the malware phones home to:
192.121.16.196 (EDIS, Netherlands)
46.108.39.18 (EDIS, Romania)
212.47.223.19 (Web Hosting Solutions OY, Estonia)
109.237.111.168 (Krek Ltd, Russia)
185.92.220.35 (Choopa LLC, Netherlands)
89.108.85.163 (Agava Ltd, Russia)
192.71.213.69 (EDIS, Spain)
Recommended blocklist:
192.121.16.196
46.108.39.18
212.47.223.19
109.237.111.168
185.92.220.35
89.108.85.163
192.71.213.69
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Malware spam: "Order Confirmation - Payment Successful, Ref. 81096454" leads to ransomware
This fake financial spam comes from various senders with different references, amounts and slightly different addresses. There is a malicious attachment which appears to be ransomware.
From: Ellen thorp
Date: 7 March 2016 at 07:08
Subject: Order Confirmation - Payment Successful, Ref. 81096454
Dear Client,
Thank you for your transaction of $477,84. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
Double check please the document enclosed to this email.
Thank you for your order and we hope to see you again as our customer.
Respectfully,
Ellen thorp
Chief Accountant
95 N Forks Ave,
Forks, WA 30212
Phone: 028-959-7736
Attached is a randomly-named ZIP file in the format Invoice_ref-81096454.zip, which contains a further malicious script file with a name beginning invoice_, invoice_copy or invoice_SCAN. Detection rates for these vary [1] [2] [3] [4] [5] [6]. These Hybrid Analysis reports on three of the samples [7] [8] [9] show the scripts downloading a malicious binary from:
blablaworldqq.com/80.exe?1
hellomydearqq.com/69.exe?1
hellomydearqq.com/80.exe?1
At the moment those domains do not seem to resolve, but replacing the domain names with the IP addresses below makes the downloads work. The sites are hosted on the following servers:
51.254.226.223 (OVH, France)
173.82.74.197 (Multacom Corporation, US)
The 69.exe and 80.exe files are actually different binaries; both have a detection rate of 4/54 [1] [2]. Analysis of these files [3] [4] [5] [6] indicates behaviour consistent with ransomware, and the binaries attempt to phone home to the following domains:
conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com
The two IPs hosting the binary download locations have also hosted a number of other evil sites:
pren874bwsdbmbwe.returnyourfiless.ru
itsyourtimeqq.su
spannflow.com
nnrtsdf34dsjhb23rsdf.spannflow.com
blizzbauta.com
yesitisqqq.com
thisisitsqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
soclosebutyetqq.com
isthereanybodyqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
thisisyourchangeqq.com
gutentagmeinliebeqq.com
returnyourfiless.ru
pren874bswsdbmbwe.returnyourfiless.ru
83gd65jfh24jbrwke43.brocksard.su
gubbosiak.su
yy4nfsdp4hpfas7hefp4w.gubbosiak.su
golemmalik.su
bb34dbsjneefnsdefjsn.golemmalik.su
hellomenqq.su
helloguysqq.su
hellowomenqq.su
invoiceholderqq.su
3j2gdpsipa74bgm441.biz
mayofish.com
l4rdnvb5jskjb45sdfb.mayofish.com
skuawill.com
belableqq.com
fausttime.com
pot98bza3sgfjr35t.fausttime.com
maniupulp.com
h5534bvnrnkj345.maniupulp.com
sifetsere.com
p47kjndfbj8hsdfsd3e.sifetsere.com
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
wakonratio.com
sdfsdfsd.wakonratio.com
fjfhsflj54t8ak439sm.wakonratio.com
ball-provide.com
piglyeleutqq.com
helloworldqqq.com
helloyungmenqq.com
hpareyouhereqq.com
pigglywigglyqq.com
lastooooomene3ie3.com
lastooooomene2ie2e.com
promsortirovochnie.com
belahhoast.net
Recommended blocklist:
51.254.226.223
173.82.74.197
conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com
Labels:
Malware,
Ransomware,
Spam,
Teslacrypt,
Viruses
Friday, 4 March 2016
Marketing1.net spammer rides again.. but for how much longer?
Marketing1.net have been one of the more annoying spammers I've seen over the past few years. Their sporadic spam campaigns, sent to scraped email addresses, have been going on since at least 2014.
This latest spam claims they are going out of business. I can only hope so.
None of the WHOIS records reflect a real company, and there is scant information about the spammer's real identities.
However, this outfit isn't just a bunch of spammers. They are also liars.
Clicking through the link reveals a landing page which clearly claims that this is the last day of their "Sale".
If you click the first link, rather confusingly it gives a different offer with a date of January 15th 2016, claiming that this is the "Last SALE before product discontinuation".
Except it was also the last chance to buy exactly the same product on July 24th 2015..
..and July 10th..
..and June 19th..
..and June 5th..
Get the picture? The data is ALWAYS on sale. So what is this data? Luckily you can download a sample to see just how good the data is. Here is a tiny sample:
Woolworths ceased trading in 2009. And indeed the sample data is full of companies that haven't existed for years, or that have plain out-of-date and inaccurate details.
In other words, the quality of the data is complete shit. The fact that they have to resort to spam to sell this shit indicates that perhaps they have no actual valid data at all. And the fact that they hide who they really are is just the icing on the cake.
Let's hope that these spammers really are closing down. I somehow doubt that they are telling the truth though. Avoid.
Update 2016-07-15
I hadn't heard anything from these spammers for a while, then this plopped into my mailbox..
The domain used in the spam email is marketing1-eu.site (66.96.161.163 - Endurance International Group, US) which forwards to marketing1-co.net (89.187.85.8 - Coreix Ltd, UK) and then onto marketing1.net on the same IP.
As previously established, this company always has a closing down sale, and the data they provide is complete crap. Avoid at all costs.
The link in the spam goes to www.mapps-uk.net (37.220.22.107 - Redstation, UK - fake WHOIS details) and then to a landing page at marketing1-euro.net (89.187.85.8 - Pickaweb / Coreix, UK - fake WHOIS details) and then finally to marketing1.net (also 89.187.85.8 with fake WHOIS details). The email also originates from 37.220.22.107.
From: Audrey Martin [info@mapps-uk.net]
Date: 4 March 2016 at 11:06
Subject: We are giving away all our European business databases before to close down
Hi there,
We are sending you this email because you visited our website in the past. As you may already know, we have developed the largest business databases on CD in Europe. The software provided with the databases allows to run unlimited searches by Industry/Location/Company Size/Premises type or Job title, and to export the search results to Excel. All from your computer.
We are closing down because the cost to update all databases regularly have become too high. We have had fantastic years developing the Marketing1 applications. Thousands of businesses across Europe have used them to create successful marketing campaigns.
Before to close down, we have decided, as ultimate gesture, to give you something unprecedented.
We are giving you all our European databases. That represents an access to millions of companies across Europe. If you want to expand your business now or in the future, you should not miss this offer.
You will get the 7 following applications:
1) Marketing1 UK 2015: 5.8mio UK Businesses. 800'000 records with email. Unlimited export.
2) Top Managers UK 2015: 30,000 Executives from the 5000 largest companies in the UK (incl. email for all records). Excel file with full data, included.
3) Marketing1 France 2015 (application in French): 5mio French Companies. 650'000 records with email. Unlimited export.
4) Top Managers France 2015: 35,000 Executives from the largest companies in France (incl. email for all records). Excel file with full data, included.
5) Marketing1 Germany 2015 (application in German): 5mio German companies. 1.7 mio records with email. Unlimited export.
6) Top Managers Germany 2015: 50,000 Executives from the largest companies in Germany (incl. email for all records). Excel file with full data, included.
7) Marketing1 Belgium 2015 (application in English): 1.8 mio Belgian companies. 500'000 records with email. Unlimited export.
The value for all those databases, is over £5000. We are offering it all to you for a symbolic price: £99. You only have to pay £99 and you get all the applications above. The offer ends today at 5PM. Do not miss it.
You will immediately get access to a download page from which you can download all applications. The download page will stay online for 6 months (so you can download the applications at a later time).
How to place your order. Free samples
Click here to access the offer page. It contains links to all websites. You can also download free samples for all applications from the same page.
The offer ends today at 5PM. Do not miss it.
To your success,
Best Regards,
Audrey Martin
Marketing1 Team
Unsubscribe: Click here if you do not want to receive any further emails from us
M1 Solutions. 152 City Road, London EC1V 2NX
None of the WHOIS records reflect a real company, and there is scant information about the spammer's real identities.
However, this outfit isn't just a bunch of spammers. They are also liars.
Clicking through the link reveals a landing page which clearly claims that this is the last day of their "Sale".
If you click the first link, rather confusingly it gives a different offer with a date of January 15th 2016, claiming that this is the "Last SALE before product discontinuation".
Except it was also the last chance to buy exactly the same product on July 24th 2015..
..and July 10th..
..and June 19th..
..and June 5th..
Get the picture? The data is ALWAYS on sale. So what is this data? Luckily you can download a sample to see just how good the data is. Here is a tiny sample:
Woolworths ceased trading in 2009. And indeed the sample data is full of companies that haven't existed for years, or that just have plainly out-of-date and inaccurate details.
In other words, the quality of the data is complete shit. The fact that they have to resort to spam to sell this shit indicates that perhaps they have no actual valid data at all. And the fact that they hide who they really are is just the icing on the cake.
Let's hope that these spammers really are closing down. I somehow doubt that they are telling the truth though. Avoid.
Update 2016-07-15
I hadn't heard anything from these spammers for a while, then this plopped into my mailbox..
From: Audrey Martin [info@mapps-fr.net] via bnc3.mailjet.com
Date: 15 July 2016 at 12:02
Subject: We are giving away all our European business databases before to close down
Mailing list: [info.mapps-fr.net.ztmj-xqo6.mj]
Signed by: bnc3.mailjet.com
Good Morning,
We are sending you this email because you visited our website in the past. As you may already know, we are the developer and publisher of Marketing1, the largest business database on CD in the UK. The database is the only one on the market to contain details not available anywhere else on over 5 million Businesses in the UK including 4,6 million named decision makers available by job function and 800,000 Businesses with email addresses.
We did not only develop the UK database, but several ones across Europe. We are closing down because the cost to update all databases regularly have become too high. We have had fantastic years developing the Marketing1 applications. Thousands of businesses across Europe have used them to generate targeted lists for successful marketing campaigns.
Before to close down, we have decided, as ultimate gesture, to give you all our European databases. That represents an access to millions of companies across Europe. There is no catch.
You will get the 7 following applications:
1) Marketing1 UK 2016: 5.8mio UK Businesses. 800'000 records with email. Unlimited export.
2) Top Managers UK 2015: 30,000 Executives from the 5000 largest companies in the UK (incl. email for all records).
3) Marketing1 France 2015: 5mio French Companies. 650'000 records with email. Unlimited export.
4) Top Managers France 2015: 35,000 Executives from the largest companies in France (incl. email for all records). Excel file with full data, included.
5) Marketing1 Germany 2016: 5mio German companies. 1.7 mio records with email. Unlimited export.
6) Top Managers Germany 2015: 50,000 Executives from the largest companies in Germany (incl. email for all records). Excel file with full data, included.
7) Marketing1 Belgium 2015: 1.8 mio Belgian companies. 500'000 records with email. Unlimited export.
How do those applications work
The databases are delivered in a convenient software format. Search by Industry/Location/Company Size/Premises type or Job title, and export the results into Excel or txt files. With unlimited export. All from your computer.
The value for all those databases, is over £5000. We are offering it all to you for a symbolic price: £49. You only have to pay £49 and you get all the applications above. The offer ends today at 3PM. Do not miss it.
You will get access to a download page from which you can download all applications. The download page will stay online for 6 months (so you can download the applications at a later time).
How to place your order. Free samples
Click here to access the offer page. It contains links to all websites. You can also download free samples for all applications from the same page.
The offer ends today at 3PM. Do not miss it.
To your success,
Best Regards,
Audrey Martin
Marketing1 Team
Unsubscribe: Click here if you do not want to receive any further emails from us
M1 Solutions. 152 City Road, London EC1V 2NX
Obviously this is pretty much the same closing down sale they had in March. And here's the ever-changing final date again (which was actually last week).
The domain used in the spam email is marketing1-eu.site (66.96.161.163 - Endurance International Group, US) which forwards to marketing1-co.net (89.187.85.8 - Coreix Ltd, UK) and then onto marketing1.net on the same IP.
As previously established, this company always has a closing down sale, and the data they provide is complete crap. Avoid at all costs.
Malware spam: "Remittance" from random companies with .rtf attachment
This fake financial spam appears to come from random companies. The body text is similar in all cases.
Sample 1:
From: Ignacio - Floris of London
Date: 4 March 2016 at 09:42
Subject: Remittance
Dear Sir/Madam,
I hope you are well. I am writing you to let you know that total amount qualified in the contract has been sent to your bank account on the 3rd of March at 14 through BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Ignacio Knox
Accounts Payable
Sample 2:
From: Audra - ECLECTIC BAR GRP PLC
Date: 4 March 2016 at 09:48
Subject: Remittance
Dear Sir/Madam,
Hope you are OK. I am writing you to let you know that entire amount specified in the contract has been paid into your bank account on the 1st of March at 16 over BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note in the attachment.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Audra Pratt
Accounts Payable
Attached is a file named in a format similar to rem.advice-6430760513.rtf or invoice-9200564788.rtf. Detection rates are pretty low [1] [2] [3] and the Malwr reports are inconclusive [4] [5] [6] although I suspect the attachment itself may be malformed. Further analysis is pending.
UPDATE
These Hybrid Analysis reports [1] [2] [3] show the file downloading a malicious binary from one of the following fruit-flavoured domains:
wildberry.markettimingintelligence.com/zalupa/kurva.php
raspberry.diversified-capital-management.com/zalupa/kurva.php
This file is dropped as %TEMP%\sdjgbcjkds.exe and both those sites are hosted on:
31.131.24.76 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
Along with another domain of strawberry.reactionpointtimingindicator.com. All of these are hijacked GoDaddy domains.
The Malwr report for the executable shows it communicating with:
24.172.94.181 (Time Warner, US)
This is the same IP as seen here which Sophos identified as being Dridex.
Recommended blocklist:
31.131.24.76
24.172.94.181
Malware spam: "Closing bill" / "MyBill [mybill.central@affinitywater.co.uk]"
This fake financial spam does not come from Affinity Water but is instead a simple forgery with a malicious attachment.
From MyBill [mybill.central@affinitywater.co.uk]
Date Fri, 04 Mar 2016 14:50:57 +0530
Subject Closing bill
Dear customer
Please find attached a copy of closing bill as requested.
Kind Regards
Natasha Hawkes
Customer Relations Advisor
affinitywater.co.uk
_________________________________________________________________________
This e-mail
(including any attachments) is confidential and may also be legally privileged or
otherwise protected from disclosure. If you are not the intended recipient of this
e-mail or any parts of it please notify us by reply e-mail or by telephone on 01707
268 111 immediately on receipt and then delete the message from your system. You
should not disclose the contents to any other person, nor take copies nor use it
for any purposes and to do so could be unlawful. The presence of this footnote indicates:
this email message has been tested for the presence of known computer viruses, unless
the email has been encrypted (in part or full) wherein the email will not be checked
for computer viruses. All incoming and outgoing emails may be monitored in line with
current legislation. Affinity Water Limited (Company Number 02546950) is registered
in England and Wales having their registered office, at Tamblin Way, Hatfield, Hertfordshire,
AL10 9EZ. www.affinitywater.co.uk
_____________________________________________________________________________
Attached is a partly randomly-named file, for example 081155545_1735494_18836.xls - the first two numbers are random, the third is always "18836". So far I have seen just two variants of this (there may be more) with detection rates of about 5/56 [1] [2], which according to the Malwr reports [3] [4] download a binary from the following locations:
prettymom.ru/system/logs/vbry73f34f.exe
desean.com.sg/system/logs/vbry73f34f.exe
This binary has a detection rate of 6/56. Analysis is pending, however this looks like the Dridex banking trojan.
UPDATE 1
The comments in the VirusTotal scan give some more download locations:
2.casino-engine.ru/games/megajack/vbry73f34f.exe
shop-bedep.com/system/logs/vbry73f34f.exe
17.rent-shops.ru/system/logs/vbry73f34f.exe
Curiously "Bedep" is the name of a trojan. These Hybrid Analysis reports [1] [2] [3] show malicious traffic to:
188.165.215.180 (OVH, France)
I strongly recommend that you block traffic to that IP.
UPDATE 2
Some additional download locations and C&C servers to block, from another source (thank you!):
jean-daniel.com.ua/system/logs/vbry73f34f.exe
namkeendelights.com/system/logs/vbry73f34f.exe
Overall, some of these download locations look like good candidates for blocking, especially:
81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)
These additional C&C servers have been seen before:
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57
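As an added example (not part of the original post), the following Python turns the indicators above into a simple detection pass over attachment names and proxy log lines. The IPs, download URLs and the attachment naming pattern are taken from the post; the log line format, the client addresses, the destination IPs and the extra attachment names are constructed for illustration. It also generalises the URL check slightly: the same payload name was served from many compromised hosts under /system/logs/, so that path is flagged on any host, not just the ones listed.

```python
"""Added example (not part of the original post): run the indicators from the
"Closing bill" / Affinity Water post against constructed log data.

Indicator values (IPs, download URLs, the attachment naming pattern) are taken
from the post.  The log line format, client addresses and destination IPs are
constructed here for illustration and are not from the post.
"""
import re
from urllib.parse import urlsplit

# C&C and download-host IPs from the post's recommended blocklist.
C2_BLOCKLIST = {
    "188.165.215.180", "78.108.93.186", "87.106.8.177", "91.236.4.234",
    "81.177.140.123", "210.245.90.206", "89.184.72.57",
}

# Download locations listed in the post (scheme omitted, as in the post).
DOWNLOAD_URLS = {
    "prettymom.ru/system/logs/vbry73f34f.exe",
    "desean.com.sg/system/logs/vbry73f34f.exe",
    "2.casino-engine.ru/games/megajack/vbry73f34f.exe",
    "shop-bedep.com/system/logs/vbry73f34f.exe",
    "17.rent-shops.ru/system/logs/vbry73f34f.exe",
    "jean-daniel.com.ua/system/logs/vbry73f34f.exe",
    "namkeendelights.com/system/logs/vbry73f34f.exe",
}

# Attachment naming described in the post: two random numeric fields and then
# the constant "18836", with an .xls extension.
ATTACHMENT_RE = re.compile(r"^\d+_\d+_18836\.xls$", re.IGNORECASE)

# Generalisation: the same payload name was served from many compromised hosts
# under /system/logs/, so also match that path on hosts not yet on the list.
PAYLOAD_PATH_RE = re.compile(r"/system/logs/vbry73f34f\.exe$", re.IGNORECASE)


def is_suspect_attachment(filename):
    """True if an attachment name fits the pattern described in the post."""
    return ATTACHMENT_RE.match(filename) is not None


def classify_url(url):
    """Return a reason string if the URL matches a known download indicator."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host_and_path = parts.netloc.lower() + parts.path
    if host_and_path in DOWNLOAD_URLS:
        return "known download location: " + host_and_path
    if PAYLOAD_PATH_RE.search(parts.path):
        return "payload path pattern: " + parts.path
    return None


def classify_ip(ip):
    """Return a reason string if the destination IP is on the blocklist."""
    return "C&C blocklist: " + ip if ip in C2_BLOCKLIST else None


def scan_proxy_log(text):
    """Scan whitespace-separated lines of the constructed form
    '<timestamp> <client> <method> <url> <destination-ip>' and return
    (client, reason) pairs for every line that matches an indicator."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        _ts, client, _method, url, dest_ip = fields
        reason = classify_url(url) or classify_ip(dest_ip)
        if reason:
            alerts.append((client, reason))
    return alerts


# Constructed sample data: TEST-NET destination addresses, private clients.
CONSTRUCTED_PROXY_LOG = """\
2016-03-04T14:52:01Z 10.0.0.23 GET http://prettymom.ru/system/logs/vbry73f34f.exe 203.0.113.10
2016-03-04T14:52:09Z 10.0.0.23 POST http://188.165.215.180/ 188.165.215.180
2016-03-04T14:53:30Z 10.0.0.41 GET http://intranet.example/index.html 203.0.113.1
2016-03-04T14:54:12Z 10.0.0.52 GET http://otherhost.example/system/logs/vbry73f34f.exe 203.0.113.77
"""

CONSTRUCTED_ATTACHMENTS = [
    "081155545_1735494_18836.xls",   # name quoted in the post
    "123_456_18836.XLS",             # constructed, same pattern
    "081155545_1735494_18837.xls",   # constructed, constant differs
    "invoice_18836.xls",             # constructed, only one numeric field
]

if __name__ == "__main__":
    for name in CONSTRUCTED_ATTACHMENTS:
        print(f"{name}: {'SUSPECT' if is_suspect_attachment(name) else 'ok'}")
    for client, reason in scan_proxy_log(CONSTRUCTED_PROXY_LOG):
        print(f"{client}: {reason}")
```

Checking the URL before the destination IP means a hit on a known download location is reported as such even when the host later moves to an unlisted IP, while the path-only pattern catches the same payload name on compromised hosts that were not in the post at the time of writing.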
Thursday, 3 March 2016
Malware spam: "Order Delay - Package Ref. 30432839"
This spam comes with a malicious attachment. The name of the sender and the reference number will vary from message to message.
From: Lorna trevor-roper [trevor-roperLorna54235@cable.net.co]
Date: 3 March 2016 at 17:28
Subject: Order Delay - Package Ref. 30432839
Respected Customer,
The delay of your parcel ref. # 30432839 cannot be controlled due to the unstable weather conditions in our region.
We are doing everything we can to arrange the best shipping time for your package.
Please check the information on your purchase in the attached file. There your will also find the info on the new delivery time.
Sincerely,
Sales Department Manager
Lorna trevor-roper
3000 E Grand Ave,
Des Moines, IA 27222
308-590-9335
So far I have seen three samples, with attachments named in the format Invoice_ref-30432839.zip containing a malicious script starting with invoice_ and then having some variable elements in it. These have detection rates of 3/55 or so [1] [2] [3], and the Malwr reports [4] [5] [6] indicate that they attempt to GET a binary from one of the following locations:
isthereanybodyqq.com/69.exe?1
isthereanybodyqq.com/80.exe?1
ujajajgogoff.com/69.exe?1
ujajajgogoff.com/80.exe?1
Data is then POSTed to:
dustinhansenbook.com/wstr.php
agri-distribution.net/wstr.php
onegiantstore.com/wp-includes/theme-compat/wstr.php
The VirusTotal reports for the dropped binary [1] [2] indicate Ransomware, but those Malwr reports look more like the Dridex banking trojan. Either way it is Nothing Good.
The download locations are interesting, hosted on the following IPs:
78.135.108.94 (Sadecehosting, Turkey)
162.211.67.244 (Secure Dragon LLC, US)
The following domains are either hosted on these IPs or use them as nameservers. They all look highly suspect and worthy of further analysis:
ohelloweuqq.com
ujajajgogoff.com
ohellohowru.ws
ujajajgogo.ws
gangthatgirlfast.ws
gutentagmenliebe.ws
soclosebutyetqq.com
isthereanybodyqq.com
lenovowantsyouqq.com
Recommended blocklist:
78.135.108.94
162.211.67.244
UPDATE
Smarter folks than I think this is Teslacrypt.
Malware spam: "FreePDF: 1922110025984.doc" / "Worrall, Antony" [Ant.Worrall@cmco.eu]
This fake financial spam has a malicious attachment.
From "Worrall, Antony" [Ant.Worrall@cmco.eu]
Date Thu, 03 Mar 2016 14:25:14 +0430
Subject FreePDF: 1922110025984.doc
140 Years of Innovation. Lifting.
Positioning. Securing. Safely.
Attached is a randomly-named file that matches the reference in the subject. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run.
Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]
This spam does not come from KM Media Group but is instead a simple forgery with a malicious attachment:
From Sally Webb [swebb@thekmgroup.co.uk]
Date Thu, 03 Mar 2016 10:58:07 +0100
Subject Receipt - Order No 173535
--
regards,
Sally
*Sally Webb*
Recruitment Media Sales Executive
KM Media Group
DDI : 01622 794500
Email : swebb@thekmgroup.co.uk
*KM Media Group is Kent's only independent multimedia company*
*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*
*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*
Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detection rates around 3/55. Analysis from another source (thank you) gives download locations at:
coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe
The initial payload has a detection rate of 4/55 which has now been updated with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:
188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234
Wednesday, 2 March 2016
Malware spam spoofing "Hillsong Church London"
This rather confused spam comes with a subject saying one thing.. for example:
GREKA ENGINEERING & TECHNOLOGY LTD March Invoice #2875
LIMITLESS EARTH PLC March Invoice #75913
FALKLAND ISLANDS HLDGS March Invoice #58093
MULTI UNITS FRANCE March Invoice #6689
SHORE CAPITAL GROUP LTD March Invoice #1612
But the body text is from a church..
Hi there,
Please find the remittance advice for the payment made on the 19th Feb 2015 from
Hillsong Church London.
Please let me know if there are any queries.
Kind regards,
Joan Terry
The material contained in this email may be confidential, and may also be the subject
of copyright and/ or privileged information. If you are not the intended recipient,
any use, disclosure or copying of this document is prohibited. If you have received
this document in error, please advise the sender and delete the document.
This email communication does not create or vary any contractual relationship between
Hillsong and you. Internet communications are not secure and accordingly Hillsong
does not accept any legal liability for the contents of this message.
Please note that neither Hillsong nor the sender accepts any responsibility for viruses
and it is your responsibility to scan the email and any attachments.
Hillsong Church London
www.hillsong.co.uk
Attached is either an Excel spreadsheet named in a style similar to Hillsong-C2E24.xls (VT results [1] [2] [3]) or a ZIP file with a similar name to Hillchurch-03234D.zip containing a script TR7433029032016.js or TR913740032016.js (VT results [4] [5]).
The Malwr reports are a mixed bunch with only the first three giving any data [1] [2] [3] [4] [5] showing download locations at:
oimedoaeklmrf.giftcardnanny.ca/nu2o3mk4/c987ah8j9ei1.php
eiadmeodeda.securalive.ca/8fjvimkel1/c987ah8j9ei1.php
doaemdpmekd.securalive.eu/8fjvimkel1/c987ah8j9ei1.php
In fact, all these locations are on the same server (and are the same binary), hosted on:
193.201.227.90 (PE Tetyana Mysyk, Ukraine)
According to VirusTotal, there are a few hijacked GoDaddy subdomains on that IP. This method is a little unusual for this type of attack.
Those Malwr reports and this Hybrid Analysis show the malware phoning home to:
24.172.94.181 (Time Warner Cable, US)
It isn't entirely clear what the payload is, but it is probably Dridex or possibly some form of ransomware.
Recommended blocklist:
193.201.227.90
24.172.94.181
Malware spam: "Invoice" / "Payment Confirmation" lead to Locky
These fake financial spam emails lead to the Locky ransomware:
From: Cedrick Burch
Date: 2 March 2016 at 10:31
Subject: Payment Confirmation
Dear User,
The attached document is a transaction payment confirmation from USMarketing Ltd.
Thank you for your business - we appreciate it very much.
Sincerely,
Cedrick Burch
Project Manager
=============
From: Alfredo Bauer
Date: 2 March 2016 at 10:24
Subject: Invoice
Dear User,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Alfredo Bauer
Project Manager
I received only two samples (VT [1] [2]) of which only one worked in Malwr (this is the other). However, third-party analysis (thank you) shows download locations at:
cabanasestina.ro/num/5buybbtyu8
camberfam.de/num/5f6vtvrtv
ecofriend.co.jp/num/0ujinybvt
e-monalisa.ro/num/7yh5c44duyy
sumiden-e.co.jp/num/87hn8bv6r
leksvik.historielag.org/num/887hb56f
www.countrysaloonriki.sk/num/9987tg6v54
Each location has a different binary (VT [1] [2] [3] [4] [5] [6]) which between them phone home to the following IPs:
95.213.184.10 (Selectel, Russia)
192.71.213.69 (EDIS, Spain)
217.172.182.99 (PlusServer, Germany)
The payload is Locky ransomware.
Recommended blocklist:
95.213.184.10
192.71.213.69
217.172.182.99