Sponsored by..

Tuesday, 3 May 2016

Malware spam: "Third Reminder - Outstanding Account" leads to Locky

This fake financial spam has a malicious attachment. It comes from random senders. Last week a fake "Second Reminder" spam was sent out.

From:    Ernestine Perkins
Date:    3 May 2016 at 08:54
Subject:    Third Reminder - Outstanding Account

 Dear Client,

We have recently sent you a number of letters to remind you that the balance of $9308.48 was overdue.
For details please check document attached to this mail


We ask again that if you have any queries or are not able to make full payment immediately, please contact us.


Regards,

Ernestine Perkins
Franchise - Sales Manager / Director - Business Co 

Attached is a ZIP file which in the samples I have seen begins with Scan_ or Document_ each one of which contains four identical copies of the same script, e.g.:

48524088_48524088 - copy (2).js
48524088_48524088 - copy (3).js
48524088_48524088 - copy (4).js
48524088_48524088 - copy.js
48524088_48524088.js


Typical detection rates for the scripts seem to be about 3/56.  The samples I have seen download a malicious binary from one of the following locations (there are probably more):

digigoweb.in/k3lxe
rfacine.com.br/z0odld
boontur.com/b2hskde


These binaries are all slightly different, with detection rates of 4 to 6 out of 56 [1] [2] [3]. Various automated analyses [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] show that this is Locky ransomware, and it phones home to:

31.184.197.126 (Petersburg Internet Network, Russia)
78.47.110.82 (Hetzner, Germany)
91.226.93.113 (Sobis, Russia)
91.219.29.64 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)


Recommended blocklist:
31.184.197.126
78.47.110.82
91.226.93.113
91.219.29.64

Friday, 29 April 2016

Malware spam: "Second Reminder - Unpaid Invoice"

This fake financial spam leads to malware:

From:    Janis Faulkner [FaulknerJanis8359@ono.com]
Date:    29 April 2016 at 11:13
Subject:    Second Reminder - Unpaid Invoice

 We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details please check invoice attached to this mail

Regards,

Janis Faulkner
Chief Executive Officer - Food Packaging Company 

Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.


The scripts I have seen download slightly different binaries from the following locations:

cafeaparis.eu/f7yhsad
amatic.in/hdy3ss
zona-sezona.com.ua/hj1lsp
avcilarinpazari.com/u7udssd


VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2] [3] [4]. In addition to those reports, various automated analyses [5] [6] [7] [8] [9] show that this is Locky ransomware phoning home to:

91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
83.217.8.155 (Park-web Ltd, Russia)
31.41.44.246 (Relink Ltd, Russia)
89.108.84.155 (Agava Ltd, Russia)
51.254.240.60 (Relink, Russia / OVH, France)


I strongly recommend that you block traffic to:

91.234.32.19
83.217.8.155
31.41.44.246
89.108.84.155
51.254.240.60




Malware spam: "Attached Doc" / "Attached Image" / "Attached Document" / "Attached File"

This fake document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.

Example subjects include:

Attached Doc
Attached Image
Attached Document
Attached File


Example senders:

epson@victimdomain.tld
scanner@victimdomain.tld
xerox@victimdomain.tld

There is no body text. Attached is a ZIP file with the recipients email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of malicious scripts, the ones that I have seen download a binary from:

emcartaz.net.br/08j78h65e
kizilirmakdeltasi.net/08j78h65e
easytravelvault.com/08j78h65e
64.207.144.148/08j78h65e
cdn.cs2.pushthetraffic.com/08j78h65e


The VirusTotal detection rate for the dropped binary is 3/55. That VirusTotal report and this Hybrid Analysis show subsequent traffic to:

giotuipo.at/api/
giotuipo.at/files/dDjk3e.exe
giotuipo.at/files/VTXhFO.exe


The payload is Locky ransomware. This is hosted on what appears to be a bad server at:

134.249.238.140 (Kyivstar GSM, Ukraine)

Kyivstar is a GSM network, something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo.at domain shows that it is multihomed on many IPs:

109.194.247.26 (ER-Telecom Holding, Russia)
95.189.128.70 (Sibirtelecom, Russia)
79.119.196.161 (RCS & RDS Business, Romania)
5.248.229.186 (Lanet Network Ltd, Ukraine)
188.230.17.38 (Airbites, Ukraine)
134.249.238.140 (Kyivstar, Ukraine)
5.58.29.200 (Lanet Network Ltd, Ukraine)
212.3.103.225 (Apex, Ukraine)
93.95.187.243 (Triolan, Ukraine)
178.151.243.153 (Triolan, Ukraine)

These IPs are likely to be highly dynamic, so blocking them may or may not work. If you want to try, here is a recommended blocklist:

109.194.247.26
95.189.128.70
79.119.196.161
5.248.229.186
188.230.17.38
134.249.238.140
5.58.29.200
212.3.103.225
93.95.187.243
178.151.243.153






Thursday, 28 April 2016

Malware spam: "Royal Bancshares of Pennsylvania, Inc." / "Latest invoice [Urgent]"

This fake financial spam leads to malware:

From:    Kieth Valentine [Kieth.Valentine87@assistedlivingflorida.com]
Date:    28 April 2016 at 16:32
Subject:    Latest invoice [Urgent]

Hello,

We are writing to you about fact, despite previous reminders, there remains an outstanding amount of USD 5883,16 in respect of the invoice(s) contained in current letter. This was due for payment on 17 April, 2016.

Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue.
The total amount due from you is therefore USD 5883,16

If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we will begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take affect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.

This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.

To view the the original invoice in the attachment please use Adobe Reader.

We await your prompt reaction to this email.

Best wishes,

Kieth Valentine

Royal Bancshares of Pennsylvania, Inc.
1(265)530-0620 Ext: 300
1(265) 556-3611
The only sample I have seen of this is malformed and the attachment cannot be downloaded. However, what it should be in this case is a file Latest invoice18.zip containing a malicious script 2016INV-APR232621.pdf.js. Analysis of this obfuscated script is pending, it is likely to be either Locky ransomware or the Dridex banking trojan.

Malware spam: "FW: Invoice" from multiple senders

This fake financial spam comes from randomly-generated senders, for example:

From:    Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br]
Date:    28 April 2016 at 11:40
Subject:    FW: Invoice

Please find attached invoice #342012

Have a nice day

Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are:

http://rabitaforex.com/pw3ksl
http://tribalsnedkeren.dk/n4jca
http://banketcentr.ru/v8usja
http://3dphoto-rotate.ru/h4ydjs
http://switchright.com/2yshda
http://cafe-vintage68.ru/asad2fl
http://minisupergame.ru/a9osfg


The payload looks like Locky ransomware. The DeepViz report shows it phoning home to:

83.217.26.168 (Firstbyte, Russia)
31.41.44.246 (Relink, Russia)
91.219.31.18 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.60 (Relink, Russia / OVH, France)
91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua.  Ukraine)


These two Hybrid Analysis reports [1] [2] show Locky more clearly.

Recommended blocklist:
83.217.26.168
31.41.44.246
91.219.31.18
51.254.240.60
91.234.32.19

Minimalist spam leads to Locky ransomware

There is currently a very minimalist spam run leading to Locky ransomware, for example:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    28 April 2016 at 11:21
Subject:    Scan436
The spam appears to come from the victim's own email address. There is no body text, but attached is a ZIP file with a name matching the subject, e.g.:

file238.zip
file164.zip
file84.zip
Document4.zip
Doc457.zip
Scan1.zip
Doc5.zip
file394.zip
Scan436.zip

Inside is a semi-randomly named script that downloads malware. Download locations I have seen so far are:

nailahafeez.goldendream.info/8778h4g
kfourytrading.com/8778h4g
kasliknursery.com/8778h4g
allied.link/8778h4g
xtrategiamx.com/8778h4g


The downloaded executable is Locky ransomware and has a VirusTotal detection rate of 2/56. This Hybrid Analysis shows Locky quite clearly, and this DeepViz report shows it phoning home to:

51.254.240.60 (Relink LLC, Russia / OVH, France)
31.41.44.246 (Relink LLC, Russia)
83.217.26.168 (Firstbyte, Russia)


Recommended blocklist:
31.41.44.246
51.254.240.60
83.217.26.168





Wednesday, 27 April 2016

Malware spam: Message from "RNP0BB8A7" / CLAUDIA MARTINEZ leads to Locky

This Spanish-language spam leads to malware:

From:    CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com]
Date:    27 April 2016 at 16:22
Subject:    Message from "RNP0BB8A7"

Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).

Datos escaneo: 27.04.2016 00:31:10 (+0000)
Preguntas a: soporte@victimdomain.tld
Attached is a  randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:

mebdco.com/8759j3f434
amwal.qa/8759j3f434
ecmacao.com/8759j3f434
lifeiscalling-sports.com/8759j3f434


This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:

absxpintranet.in/8759j3f434
amismaglaj.com.ba/8759j3f434
caegpa.com/8759j3f434
codeaweb.net/8759j3f434
coorgcalling.com/8759j3f434
gedvendo.com/8759j3f434
gedvendo.com.pe/8759j3f434
mc2academy.com/8759j3f434
teyseerlab.com/8759j3f434
www.adgroup.ae/8759j3f434
www.rumbafalcon.com/8759j3f434


This DeepViz report shows the malware phoning home to:

107.170.20.33 (Digital Ocean, US)
139.59.166.196 (Digital Ocean, Singapore)
146.185.155.126 (Digital Ocean, Netherlands)


There's a triple whammy for Digital Ocean! Well done them.

Recommended blocklist:
107.170.20.33
139.59.166.196
146.185.155.126

Malware spam: "Thank you. Our latest price list is attached. For additional information, please contact your local ITT office."

This fake financial spam leads to malware:

From:    Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date:    27 April 2016 at 12:23
Subject:    Price list

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.

Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:

aaacollectionsjewelry.com/ur8fgs
adamauto.nl/gdh46ss
directenergy.tv/l2isd
games-k.ru/n8eis
jurang.tk/n2ysk
lbbc.pt/n8wisd
l-dsk.com/k3isfa
mavrinscorporation.ru/hd7fs
myehelpers.com/j3ykf
onlinecrockpotrecipes.com/k2tspa
pediatriayvacunas.com/q0wps
soccerinsider.net/mys3ks
warcraft-lich-king.ru/i4ospd

haraccountants.co.uk/k9sjf

This downloads Locky ransomware. The executable then phones home to the following servers:

176.114.3.173 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
139.59.166.196 (Digital Ocean, Singapore)
107.170.20.33 (Digital Ocean, US)
146.185.155.126  (Digital Ocean, Netherlands)


Recommended blocklist:
176.114.3.173
139.59.166.196
107.170.20.33
146.185.155.126

Tuesday, 26 April 2016

Malware spam: "Missing payments for invoices inside"

This fake financial spam leads to malware:

From:    Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com]
Date:    26 April 2016 at 12:58
Subject:    Missing payments for invoices inside

Hi there!

Hope you are good.

Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.

BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.

Kind Regards

Jeffry Rogers

Henderson Group

Tel: 337-338-4607
I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:

web.spartanburgcommunitycollege.com/gimme/some/loads_nigga.php

This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:

103.245.153.154 (OrionVM Retail Pty Ltd, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (FPT Telecom Company, Vietnam)
213.192.1.171 (EASY Net, Czech Republic)


The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.

Recommended blocklist:
103.245.153.154
176.9.113.214
210.245.92.63
213.192.1.171


Monday, 25 April 2016

Friday, 22 April 2016

Malware spam: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

This fake Amazon email leads to malware. On some mail clients there may be no body text:

From: auto-shipping@amazon.co.uk Amazon.co.uk
To
Date: Fri, 22 Apr 2016 10:50:56 +0100
Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #525-2814418-9619799 (received April 22, 2016)


Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  Occasionally though, we know you may want to return items. Read more about our Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label.  Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.co.uk/help

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------

Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:

www.smileybins.com.au/0u8ggf5f5
kpmanish.com/0u8ggf5f5
neoventtechnologies.com/0u8ggf5f5
itronsecurity.com/0u8ggf5f5
bnacoffees.com/0u8ggf5f5
ambikaonline.com/0u8ggf5f5
usacarsimportsac.com/0u8ggf5f5
giftsandbaskets.co.th/0u8ggf5f5


This dropped executable has a detection rate of 6/56. The Hybrid Analysis and DeepViz Analysis plus some data sourced from other parties (thank you) indicates that the malware calls back to the following IPs:

186.250.48.10 (Redfox Telecomunicações Ltda., Brazil)
193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload here appears to be the Dridex banking trojan.

Recommended blocklist:
186.250.48.10
193.90.12.221
194.116.73.71
200.159.128.144


UPDATE 2016-04-26

Another identical round of this spam is being sent out, complete with the formatting error that prevents the body text being displayed on some email clients. VirusTotal detection rates for the two samples I have seen are 5/57 [1] [2]. Hybrid Analysis of the attachments [3] [4] shows download locations at:

shagunproperty.com/987gby8nn8
aysanatorganizasyon.com/987gby8nn8


A trusted source tells me there are other download locations at:

cubasedersi.com/987gby8nn8
denizlikinaorganizasyon.com/987gby8nn8
factumtech.com/987gby8nn8
kurudomatesci.com/987gby8nn8
nuevomomento.com/987gby8nn8
seahawkexports.com/987gby8nn8
solucionhumana.mx/987gby8nn8
tipsforall.in/987gby8nn8


From here a binary is dropped on the system with a detection rate of 3/56. Those Hybrid analyses plus this DeepViz report show network traffic to:

176.9.113.216 (Hetzner, Germany)

Apparently there are C2 servers here:

186.250.48.10 (Redfox Telecomunicações Ltda, Brazil)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload still appears to be Dridex.

Recommended blocklist:
176.9.113.216
186.250.48.10
200.159.128.144


Thursday, 21 April 2016

Malware spam: "FW: Latest order delivery details" is somewhat rude

This fake financial spam leads to malware:

From:    Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]
Date:    21 April 2016 at 17:45
Subject:    FW: Latest order delivery details

Good morning!

Hope you are good.

Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.

I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.

Many thanks and good luck

Milan Bell

DORIC NIMROD AIR ONE LTD

tel. 443-682-9021
The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:

trendmicro.healdsburgdistricthospital.com/RIB/assets.php

Cheekily the URL references a well-known security company.  The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:

176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)

You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:

103.245.153.154 (OrionVM, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (PT Telecom Company, Vietnam)
23.249.1.171 (Datacate , US)


It is not clear what the payload is, but there are indications it is the Dridex banking trojan.

Recommended blocklist:
176.103.56.30
103.245.153.154
176.9.113.214
210.245.92.63
23.249.1.171



Malware spam: "Dispatched Purchase Order" / FSPRD@covance.com

This fake financial spam does not come from Covance but is instead a simple forgery with a malicious attachment:

From:    FSPRD@covance.com
Reply-To:    donotreply@covance.com
Date:    21 April 2016 at 12:03
Subject:    Dispatched Purchase Order

Purchase Order, 11300 / 0006432242,  has been Dispatched.  Please detach and print the attached Purchase Order.

***Please do not respond to this e-mail as the mailbox is not monitored.
________________________________
Confidentiality Notice: In accordance with Covance's Data Classification Policy, this email, including attachment(s), is classified as Confidential or Highly Confidential. This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or dissemination of the content of this e-mail is strictly prohibited.

If you have received this e-mail transmission in error or this email is not intended for you, please delete or destroy all copies of this message in your possession and inform the sender. Thank you.

Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz which is a compressed archive file, containing in turn another archive file with a name like 5611205-19.04.2016.tar and it that archive is a malicious script named in an almost identical format the the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56.

So far I have seen two versions of this script, downloading from:

mountainworldtreks.com/9uhg5vd3
secondary36.obec.go.th/9uhg5vd3


The downloaded binary is the same in both cases. This Hybrid Analysis and DeepViz Analysis indicate network traffic to:

193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
193.90.12.221
194.116.73.71
64.76.19.251
200.159.128.144

Malware spam: "BalanceUK_INVOICE_X002380_1127878" / adminservices@grouphomesafe.com

This fake financial spam does not come from BalanceUK Limited but is instead a simple forgery with a malicious attachment:

From:    adminservices@grouphomesafe.com
Date:    21 April 2016 at 10:33
Subject:    "BalanceUK_INVOICE_X002380_1127878"

Thank you for placing your order with BalanceUK Ltd

Please find attached your document.

BalanceUK Limited,
30-32 Martock Business Park,
Great Western Road,
Martock,
Somerset,
TA12 6HB

Email: Balanceuk.orders@erahomesecurity.com
Tel: 01935 826 960
Fax: 01935 829 215


***  Please do not reply to this email address  ***

Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56.

This malicious script [pastebin] downloads an executable from:

dd.ub.ac.id/9uhg5vd3

There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56. The Hybrid Analysis of the dropped binary shows network traffic to:

193.90.12.221 (MultiNet AS, Norway)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload is not clear, but is probably the Dridex banking trojan.

Recommeded blocklist:
193.90.12.221
200.159.128.144


Wednesday, 20 April 2016

Malware spam: "Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]" / "Document No™2958719"

This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:

From:    Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]
Date:    20 April 2016 at 11:01
Subject:    Document No™2958719

Thanks for using electronic billing

Please find your document attached

Regards


Beerhouse Self Drive
In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:

bi.pushthetraffic.com/87ty8hbvcr44

There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between then identify what is likely to be Dridex, phoning home to the following servers:

193.90.12.221 (MultiNet AS, Norway)
212.126.59.41 (Letshost / Digiweb, Ireland)
93.104.211.103 (Contabo GmbH, Germany)
155.133.82.82 (FUFO Studio Agata Grabowska, Poland)
212.50.14.39 (Computers Equipnemt, Bulgaria)
91.194.251.204 (TOV Dream Line Holding, Ukraine)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)


Recommended blocklist:
193.90.12.221
212.126.59.41
93.104.211.103
155.133.82.82
212.50.14.39
91.194.251.204
194.116.73.71
64.76.19.251



Tuesday, 19 April 2016

Malware spam: "Facture : 1985 corrigée" / "Louis - Buvasport [louis64@buvasport.com]"

This French-language spam leads to malware:

From:    Louis - Buvasport [louis64@buvasport.com]
Date:    19 April 2016 at 13:29
Subject:    Facture : 1985 corrigée

Cher Client,

Veuillez trouver en pièce-jointe, la facture de vos achats. SANS FRAIS DE TRANSPORT
Votre marchandise est partie et vous devriez la recevoir dans les prochains jours.

Si vous avez des questions, n'hésitez pas à nous contacter.

Cordialement,

BUVA SPORTS 

Attached is a file 093887283-19.04.2016.zip which contains a semi-randomly named script (e.g. 741194709-18.04.2016.PDF.js) with VirusTotal detection rates of 6/56 [1] [2]. According to these Malwr reports [3] [4] the script downloads a file from one of the following locations:

pushdkim.com/267h67c5e
pay.360degreeinfo.com/267h67c5e


There are probably other scripts with different download locations, the binary has a detection rate of 10/55.The Hybrid Analysis report shows that this executable attempts to download another executable from:

buhjolk.at/files/Yd6aGF.exe

At the moment that location is 404ing and the main payload fails, although that could be easily fixed I guess. This is probably attempting to drop Locky ransomware.

The loader also attempts to interact with some servers belonging to BMG, possibly to generate false data for anyone doing network analysis.

To be on the safe side, it might be worth blocking:

93.79.82.215 (Telesweet, Ukraine)


Monday, 18 April 2016

Malware spam: "Please do confirm the Quote Price and get back to me as soon as possible"

This fake financial spam leads to malware:
From: khlee@ahnchem.com sales
To
Date: Mon, 18 Apr 2016 13:46:21 +0100
Subject: Re: Quote Price

Dear Sir

FYI,

Please do confirm the Quote Price and get back to me as soon as possible.

Regards
Sales Department
Attached is a fie with an unusual extension, ORDER LIST.ace which is actually a compressed archive (basically a modified ZIP file). It contains an executable ORDER LIST.exe which has a VirusTotal detection rate of 15/56. That same VirusTotal report indicates traffic to:

booksam.tk/pony/gate.php

This is hosted on:

46.4.100.109 (Hetzner, Germany)

That IP address might be worth blocking. The Hybrid Analysis indicates that this steals FTP and perhaps other passwords. This is a Pony loader which will probably try to download additional malware, but it is not clear what that it might be.

Wednesday, 13 April 2016

Malware spam: "Prompt response required! Past due inv. #FPQ479660" / "Jake Gill"

This fake financial spam has a malicious attachment:

From:    Hillary Odonnell [Hillary.OdonnellF@eprose.fr]
Date:    13 April 2016 at 18:40
Subject:    Prompt response required! Past due inv. #FPQ479660

Hello,

I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?

Thank you,

Jake Gill

Accounts Receivable Department

Diploma plc

(094) 426 8112
The person it is "From", the reference nu,ber and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).

There seem to be several different versions of the attachment, I checked four samples [1] [2] [3] [4] and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive [5] [6] [7] [8] (as are the Hybrid Analyses [9] [10] [11] [12]) but do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on 212.76.140.230 - MnogoByte, Russia). The payload appears to be Dridex.

We can see a reference to that server at URLquery which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment however, the server appears to be not responding, but it appears that for that sample the malware communicated with:

195.169.147.88 (Culturegrid.nl, Netherlands)
178.33.167.120 (OVH, Spain)
210.70.242.41 (TANET, Taiwan)
210.245.92.63 (FPT Telecom Company, Vietnam)


These are all good IPs to block.

According to DNSDB, these other domains have all been hosted on the 212.76.140.230 address:

onlineaccess.bleutree.com
egotayx.net
wgytaab.net
emoaxmyx.net
wmbyaxma.net
emeotalyx.net
ezhoyznyx.net
wmeybtala.net
wzhybyzna.net
onlineaccess.bleutree.info
onlineaccess.bleutree.mobi


You can bet that they are all malicious too.

Recommended blocklist:
212.76.140.230
195.169.147.88
178.33.167.120
210.70.242.41
210.245.92.63


Malware spam: "Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC"

This fake financial email comes with a malicious attachment:
From:    Tran
Reply-To:    Tran, Reuben - ADVANCED ONCOTHERAPY PLC [TranReuben1322@telecom.kz]
Date:    13 April 2016 at 16:24
Subject:    Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC

Good morning,

Please advise status on these

If shipped, please send invoice & tracking


---------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail, including any attachments and/or linked documents, is intended for the sole use of the intended addressee and may contain information that is privileged, confidential, proprietary, or otherwise protected by law. Any unauthorized review, dissemination, distribution, or copying is prohibited. If you have received this communication in error, please contact the original sender immediately by reply email and destroy all copies of the original message and any attachments. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Xylem Inc.
I have only seen a single copy of this, it is likely that the company name will vary from email to email. The attachment due #46691848.doc has a VirusTotal detection rate of 5/56. According to this Malwr report it downloads a file from:

mgmt.speraelectric.info/flows/login.php

Right at the moment this is just a copy of the Windows Calculator and is harmless, but the payload could be switched later to something more malicious, probably Locky ransomware or the Dridex banking trojan.

Tuesday, 12 April 2016

PlusServer has a PlusSized problem with Angler

PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again.

So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).

85.25.102.0/24
85.25.107.0/24
85.25.160.0/24 
85.93.93.0/24
188.138.17.0/24
188.138.70.0/24 
188.138.71.0/24
188.138.75.0/24
188.138.102.0/24
188.138.105.0/24 
188.138.125.0/24 
217.172.189.0/24
217.172.190.0/24

Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too.

UPDATE 2016-04-25

Here are some more PlusServer ranges where Angler has been rampant:

85.25.218.0/24
85.25.237.0/24
188.138.25.0/24
188.138.68.0/24

UPDATE 2016-05-10

Heavy Angler activity has also been spotted in the following ranges:

62.75.203.0/24
62.75.207.0/24
85.25.43.0/24 
85.25.79.0/24
85.25.159.0/24
85.25.217.0/24
188.138.33.0/24
188.138.68.0/24
188.138.125.0/24

In addition, some Angler activity has been observed in the following ranges but is not yet widespread (I will update if I see more activity):

62.75.167.0/24
85.25.41.0/24

85.25.74.0/24

85.25.106.0/24
85.25.207.0/24

188.138.41.0/24
188.138.57.0/24
188.138.69.0/24
188.138.102.0/24

PlusServer (or more likely one or more of their resellers) appear to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in 188.138.105.0/24) that the only safe option is to block traffic to those network ranges.

With black hat hosts such as Qhoster or Host Sailor and to some extent Agava you can block the entire network ranges and not block anything of value at all. In using PlusServer, the bad guys can hide their evil sites among legitimate sites where administration might fear to block something accidentally. My personal opinion is that admins need to be bold and block anyway.. it should usually be possible to block individual sites where needed.