Sponsored by..

Friday, 29 April 2016

Malware spam: "Second Reminder - Unpaid Invoice"

This fake financial spam leads to malware:

From:    Janis Faulkner [FaulknerJanis8359@ono.com]
Date:    29 April 2016 at 11:13
Subject:    Second Reminder - Unpaid Invoice

 We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details please check invoice attached to this mail


Janis Faulkner
Chief Executive Officer - Food Packaging Company 

Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.

The scripts I have seen download slightly different binaries from the following locations:


VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2] [3] [4]. In addition to those reports, various automated analyses [5] [6] [7] [8] [9] show that this is Locky ransomware phoning home to: (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine) (Park-web Ltd, Russia) (Relink Ltd, Russia) (Agava Ltd, Russia) (Relink, Russia / OVH, France)

I strongly recommend that you block traffic to:

Malware spam: "Attached Doc" / "Attached Image" / "Attached Document" / "Attached File"

This fake document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.

Example subjects include:

Attached Doc
Attached Image
Attached Document
Attached File

Example senders:


There is no body text. Attached is a ZIP file with the recipients email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of malicious scripts, the ones that I have seen download a binary from:


The VirusTotal detection rate for the dropped binary is 3/55. That VirusTotal report and this Hybrid Analysis show subsequent traffic to:


The payload is Locky ransomware. This is hosted on what appears to be a bad server at: (Kyivstar GSM, Ukraine)

Kyivstar is a GSM network, something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo.at domain shows that it is multihomed on many IPs: (ER-Telecom Holding, Russia) (Sibirtelecom, Russia) (RCS & RDS Business, Romania) (Lanet Network Ltd, Ukraine) (Airbites, Ukraine) (Kyivstar, Ukraine) (Lanet Network Ltd, Ukraine) (Apex, Ukraine) (Triolan, Ukraine) (Triolan, Ukraine)

These IPs are likely to be highly dynamic, so blocking them may or may not work. If you want to try, here is a recommended blocklist:

Thursday, 28 April 2016

Malware spam: "Royal Bancshares of Pennsylvania, Inc." / "Latest invoice [Urgent]"

This fake financial spam leads to malware:

From:    Kieth Valentine [Kieth.Valentine87@assistedlivingflorida.com]
Date:    28 April 2016 at 16:32
Subject:    Latest invoice [Urgent]


We are writing to you about fact, despite previous reminders, there remains an outstanding amount of USD 5883,16 in respect of the invoice(s) contained in current letter. This was due for payment on 17 April, 2016.

Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue.
The total amount due from you is therefore USD 5883,16

If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we will begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take affect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.

This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.

To view the the original invoice in the attachment please use Adobe Reader.

We await your prompt reaction to this email.

Best wishes,

Kieth Valentine

Royal Bancshares of Pennsylvania, Inc.
1(265)530-0620 Ext: 300
1(265) 556-3611
The only sample I have seen of this is malformed and the attachment cannot be downloaded. However, what it should be in this case is a file Latest invoice18.zip containing a malicious script 2016INV-APR232621.pdf.js. Analysis of this obfuscated script is pending, it is likely to be either Locky ransomware or the Dridex banking trojan.

Malware spam: "FW: Invoice" from multiple senders

This fake financial spam comes from randomly-generated senders, for example:

From:    Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br]
Date:    28 April 2016 at 11:40
Subject:    FW: Invoice

Please find attached invoice #342012

Have a nice day

Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are:


The payload looks like Locky ransomware. The DeepViz report shows it phoning home to: (Firstbyte, Russia) (Relink, Russia) (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine) (Relink, Russia / OVH, France) (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua.  Ukraine)

These two Hybrid Analysis reports [1] [2] show Locky more clearly.

Recommended blocklist:

Minimalist spam leads to Locky ransomware

There is currently a very minimalist spam run leading to Locky ransomware, for example:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    28 April 2016 at 11:21
Subject:    Scan436
The spam appears to come from the victim's own email address. There is no body text, but attached is a ZIP file with a name matching the subject, e.g.:


Inside is a semi-randomly named script that downloads malware. Download locations I have seen so far are:


The downloaded executable is Locky ransomware and has a VirusTotal detection rate of 2/56. This Hybrid Analysis shows Locky quite clearly, and this DeepViz report shows it phoning home to: (Relink LLC, Russia / OVH, France) (Relink LLC, Russia) (Firstbyte, Russia)

Recommended blocklist:

Wednesday, 27 April 2016

Malware spam: Message from "RNP0BB8A7" / CLAUDIA MARTINEZ leads to Locky

This Spanish-language spam leads to malware:

From:    CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com]
Date:    27 April 2016 at 16:22
Subject:    Message from "RNP0BB8A7"

Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).

Datos escaneo: 27.04.2016 00:31:10 (+0000)
Preguntas a: soporte@victimdomain.tld
Attached is a  randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:


This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:


This DeepViz report shows the malware phoning home to: (Digital Ocean, US) (Digital Ocean, Singapore) (Digital Ocean, Netherlands)

There's a triple whammy for Digital Ocean! Well done them.

Recommended blocklist:

Malware spam: "Thank you. Our latest price list is attached. For additional information, please contact your local ITT office."

This fake financial spam leads to malware:

From:    Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date:    27 April 2016 at 12:23
Subject:    Price list

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.

Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:



This downloads Locky ransomware. The executable then phones home to the following servers: (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine) (Digital Ocean, Singapore) (Digital Ocean, US)  (Digital Ocean, Netherlands)

Recommended blocklist:

Tuesday, 26 April 2016

Malware spam: "Missing payments for invoices inside"

This fake financial spam leads to malware:

From:    Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com]
Date:    26 April 2016 at 12:58
Subject:    Missing payments for invoices inside

Hi there!

Hope you are good.

Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.

BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.

Kind Regards

Jeffry Rogers

Henderson Group

Tel: 337-338-4607
I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:


This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to: (OrionVM Retail Pty Ltd, Australia) (Hetzner, Germany) (FPT Telecom Company, Vietnam) (EASY Net, Czech Republic)

The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.

Recommended blocklist:

Monday, 25 April 2016

Friday, 22 April 2016

Malware spam: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

This fake Amazon email leads to malware. On some mail clients there may be no body text:

From: auto-shipping@amazon.co.uk Amazon.co.uk
Date: Fri, 22 Apr 2016 10:50:56 +0100
Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #525-2814418-9619799 (received April 22, 2016)

Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  Occasionally though, we know you may want to return items. Read more about our Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label.  Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.


For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom

Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:


This dropped executable has a detection rate of 6/56. The Hybrid Analysis and DeepViz Analysis plus some data sourced from other parties (thank you) indicates that the malware calls back to the following IPs: (Redfox Telecomunicações Ltda., Brazil) (MultiNet AS, Norway) (Topix, Italy) (Novanet da Barra Ass e Inf LTDA, Brazil)

The payload here appears to be the Dridex banking trojan.

Recommended blocklist:

UPDATE 2016-04-26

Another identical round of this spam is being sent out, complete with the formatting error that prevents the body text being displayed on some email clients. VirusTotal detection rates for the two samples I have seen are 5/57 [1] [2]. Hybrid Analysis of the attachments [3] [4] shows download locations at:


A trusted source tells me there are other download locations at:


From here a binary is dropped on the system with a detection rate of 3/56. Those Hybrid analyses plus this DeepViz report show network traffic to: (Hetzner, Germany)

Apparently there are C2 servers here: (Redfox Telecomunicações Ltda, Brazil) (Novanet da Barra Ass e Inf LTDA, Brazil)

The payload still appears to be Dridex.

Recommended blocklist:

Thursday, 21 April 2016

Malware spam: "FW: Latest order delivery details" is somewhat rude

This fake financial spam leads to malware:

From:    Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]
Date:    21 April 2016 at 17:45
Subject:    FW: Latest order delivery details

Good morning!

Hope you are good.

Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.

I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.

Many thanks and good luck

Milan Bell


tel. 443-682-9021
The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:


Cheekily the URL references a well-known security company.  The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at: (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)

You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to: (OrionVM, Australia) (Hetzner, Germany) (PT Telecom Company, Vietnam) (Datacate , US)

It is not clear what the payload is, but there are indications it is the Dridex banking trojan.

Recommended blocklist:

Malware spam: "Dispatched Purchase Order" / FSPRD@covance.com

This fake financial spam does not come from Covance but is instead a simple forgery with a malicious attachment:

From:    FSPRD@covance.com
Reply-To:    donotreply@covance.com
Date:    21 April 2016 at 12:03
Subject:    Dispatched Purchase Order

Purchase Order, 11300 / 0006432242,  has been Dispatched.  Please detach and print the attached Purchase Order.

***Please do not respond to this e-mail as the mailbox is not monitored.
Confidentiality Notice: In accordance with Covance's Data Classification Policy, this email, including attachment(s), is classified as Confidential or Highly Confidential. This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or dissemination of the content of this e-mail is strictly prohibited.

If you have received this e-mail transmission in error or this email is not intended for you, please delete or destroy all copies of this message in your possession and inform the sender. Thank you.

Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz which is a compressed archive file, containing in turn another archive file with a name like 5611205-19.04.2016.tar and it that archive is a malicious script named in an almost identical format the the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56.

So far I have seen two versions of this script, downloading from:


The downloaded binary is the same in both cases. This Hybrid Analysis and DeepViz Analysis indicate network traffic to: (MultiNet AS, Norway) (Topix, Italy) (Impsat, Argentina) (Novanet da Barra Ass e Inf LTDA, Brazil)

The payload appears to be the Dridex banking trojan.

Recommended blocklist:

Malware spam: "BalanceUK_INVOICE_X002380_1127878" / adminservices@grouphomesafe.com

This fake financial spam does not come from BalanceUK Limited but is instead a simple forgery with a malicious attachment:

From:    adminservices@grouphomesafe.com
Date:    21 April 2016 at 10:33
Subject:    "BalanceUK_INVOICE_X002380_1127878"

Thank you for placing your order with BalanceUK Ltd

Please find attached your document.

BalanceUK Limited,
30-32 Martock Business Park,
Great Western Road,
TA12 6HB

Email: Balanceuk.orders@erahomesecurity.com
Tel: 01935 826 960
Fax: 01935 829 215

***  Please do not reply to this email address  ***

Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56.

This malicious script [pastebin] downloads an executable from:


There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56. The Hybrid Analysis of the dropped binary shows network traffic to: (MultiNet AS, Norway) (Novanet da Barra Ass e Inf LTDA, Brazil)

The payload is not clear, but is probably the Dridex banking trojan.

Recommeded blocklist:

Wednesday, 20 April 2016

Malware spam: "Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]" / "Document No™2958719"

This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:

From:    Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]
Date:    20 April 2016 at 11:01
Subject:    Document No™2958719

Thanks for using electronic billing

Please find your document attached


Beerhouse Self Drive
In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:


There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between then identify what is likely to be Dridex, phoning home to the following servers: (MultiNet AS, Norway) (Letshost / Digiweb, Ireland) (Contabo GmbH, Germany) (FUFO Studio Agata Grabowska, Poland) (Computers Equipnemt, Bulgaria) (TOV Dream Line Holding, Ukraine) (Topix, Italy) (Impsat, Argentina)

Recommended blocklist:

Tuesday, 19 April 2016

Malware spam: "Facture : 1985 corrigée" / "Louis - Buvasport [louis64@buvasport.com]"

This French-language spam leads to malware:

From:    Louis - Buvasport [louis64@buvasport.com]
Date:    19 April 2016 at 13:29
Subject:    Facture : 1985 corrigée

Cher Client,

Veuillez trouver en pièce-jointe, la facture de vos achats. SANS FRAIS DE TRANSPORT
Votre marchandise est partie et vous devriez la recevoir dans les prochains jours.

Si vous avez des questions, n'hésitez pas à nous contacter.



Attached is a file 093887283-19.04.2016.zip which contains a semi-randomly named script (e.g. 741194709-18.04.2016.PDF.js) with VirusTotal detection rates of 6/56 [1] [2]. According to these Malwr reports [3] [4] the script downloads a file from one of the following locations:


There are probably other scripts with different download locations, the binary has a detection rate of 10/55.The Hybrid Analysis report shows that this executable attempts to download another executable from:


At the moment that location is 404ing and the main payload fails, although that could be easily fixed I guess. This is probably attempting to drop Locky ransomware.

The loader also attempts to interact with some servers belonging to BMG, possibly to generate false data for anyone doing network analysis.

To be on the safe side, it might be worth blocking: (Telesweet, Ukraine)

Monday, 18 April 2016

Malware spam: "Please do confirm the Quote Price and get back to me as soon as possible"

This fake financial spam leads to malware:
From: khlee@ahnchem.com sales
Date: Mon, 18 Apr 2016 13:46:21 +0100
Subject: Re: Quote Price

Dear Sir


Please do confirm the Quote Price and get back to me as soon as possible.

Sales Department
Attached is a fie with an unusual extension, ORDER LIST.ace which is actually a compressed archive (basically a modified ZIP file). It contains an executable ORDER LIST.exe which has a VirusTotal detection rate of 15/56. That same VirusTotal report indicates traffic to:


This is hosted on: (Hetzner, Germany)

That IP address might be worth blocking. The Hybrid Analysis indicates that this steals FTP and perhaps other passwords. This is a Pony loader which will probably try to download additional malware, but it is not clear what that it might be.

Wednesday, 13 April 2016

Malware spam: "Prompt response required! Past due inv. #FPQ479660" / "Jake Gill"

This fake financial spam has a malicious attachment:

From:    Hillary Odonnell [Hillary.OdonnellF@eprose.fr]
Date:    13 April 2016 at 18:40
Subject:    Prompt response required! Past due inv. #FPQ479660


I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?

Thank you,

Jake Gill

Accounts Receivable Department

Diploma plc

(094) 426 8112
The person it is "From", the reference nu,ber and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).

There seem to be several different versions of the attachment, I checked four samples [1] [2] [3] [4] and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive [5] [6] [7] [8] (as are the Hybrid Analyses [9] [10] [11] [12]) but do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on - MnogoByte, Russia). The payload appears to be Dridex.

We can see a reference to that server at URLquery which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment however, the server appears to be not responding, but it appears that for that sample the malware communicated with: (Culturegrid.nl, Netherlands) (OVH, Spain) (TANET, Taiwan) (FPT Telecom Company, Vietnam)

These are all good IPs to block.

According to DNSDB, these other domains have all been hosted on the address:


You can bet that they are all malicious too.

Recommended blocklist:

Malware spam: "Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC"

This fake financial email comes with a malicious attachment:
From:    Tran
Reply-To:    Tran, Reuben - ADVANCED ONCOTHERAPY PLC [TranReuben1322@telecom.kz]
Date:    13 April 2016 at 16:24
Subject:    Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC

Good morning,

Please advise status on these

If shipped, please send invoice & tracking

CONFIDENTIALITY NOTICE: This e-mail, including any attachments and/or linked documents, is intended for the sole use of the intended addressee and may contain information that is privileged, confidential, proprietary, or otherwise protected by law. Any unauthorized review, dissemination, distribution, or copying is prohibited. If you have received this communication in error, please contact the original sender immediately by reply email and destroy all copies of the original message and any attachments. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Xylem Inc.
I have only seen a single copy of this, it is likely that the company name will vary from email to email. The attachment due #46691848.doc has a VirusTotal detection rate of 5/56. According to this Malwr report it downloads a file from:


Right at the moment this is just a copy of the Windows Calculator and is harmless, but the payload could be switched later to something more malicious, probably Locky ransomware or the Dridex banking trojan.

Tuesday, 12 April 2016

PlusServer has a PlusSized problem with Angler

PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again.

So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).

Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too.

UPDATE 2016-04-25

Here are some more PlusServer ranges where Angler has been rampant:

UPDATE 2016-05-10

Heavy Angler activity has also been spotted in the following ranges:

In addition, some Angler activity has been observed in the following ranges but is not yet widespread (I will update if I see more activity):

PlusServer (or more likely one or more of their resellers) appear to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in that the only safe option is to block traffic to those network ranges.

With black hat hosts such as Qhoster or Host Sailor and to some extent Agava you can block the entire network ranges and not block anything of value at all. In using PlusServer, the bad guys can hide their evil sites among legitimate sites where administration might fear to block something accidentally. My personal opinion is that admins need to be bold and block anyway.. it should usually be possible to block individual sites where needed.

Baldock is not the same as Badlock

Baldock is not the same as Badlock.