Sponsored by..

Monday 11 April 2016

Evil networks to block 2016-04-11

I realise it has been a while since my last list of bad networks you might want to block. Hopefully in the next couple of days I will have another list outlining some bad problems with PlusServer IP ranges, in the mean times here are a load of network blocks with a high concentration of Angler EK and other nastiness. (The links go to my Pastebin with more details). 

Thursday 7 April 2016

foocrypt.net / fookey.org / foocrypt.net spam

The line between genius and madness is a fine one. Decide for yourself which side of the line this email is on.

From:    Cryptopocalypse NOW 01 04 2016 [no-reply@foocrypt.net]
Date:    7 April 2016 at 18:24
Subject:    Cryptopocalypse NOW 01 04 2016

Cryptopocalypse NOW 01 04 2016

Now available through iTunes - iBooks @ https://itunes.apple.com/us/book/cryptoapocalypse-now/id1100062356?ls=1&mt=11

Cryptopocalypse NOW is the story behind the trials and tribulations encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption."

"FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening several commonly used Symmetric Open Source Encryption methods so that they are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'.

"FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under export control by the Australian Department of Defence Defence Export Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology as per the ‘Wassenaar Arrangement’

A permit from Defence Export Control is expected within the next 2 months as the Australian Signals Directorate is currently assessing the associated application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical Encryption."

Early releases of "Cryptopocalypse NOW" will be available in the period leading up to June, 2016.

This is Volume 1 of N, where N represents an arbitrary number greater than 1 but less than infinity.

Limited Edition Collectors Versions and Hard Back Editions are available via the store on http://www.foocrypt.net/

© FooCrypt 1980 - 2016, All Rights Reserved.


Mark A. Lane

© Mark A. Lane 1980 - 2015, All Rights Reserved.

Disclaimer :  To remove yourself from this email list, kindly goto http://www.foocrypt.net/unsub.html
Err.. no. "Quantum Encryption" is a branch of quantum physics, it's a completely different level of encryption in the same way that an aeroplane is not like a car. Attached is some weird semi-messianic picture..

The email originates from (Loose Foot Computing, Canada). This also happens to be the IP address of:


So, the email was sent from the server it is spamvertising. That's normally a pretty certain indicator that the person running the web site is doing the spamming, and that it isn't a Joe Job. If you visit the spamvertised website (not recommended) then you can find a link to a crowdfunding appeal at www.gofundme.com/foocrypt which tells you all you need to know about the credibility of the project..

Yes.. so far it has raised $5 out of a $1,000,000 target in nearly two months. Good luck with the other $999,995.

The sender is apparently one "Mark A Lane" but other than some connections to Australia, I cannot identify an individual behind it. The following website do all seem to be related however:


The closest I can get to contact details is the WHOIS entry for fookey.org:

Registrant ID:90b5527af50723f4
Registrant Name:Mark Lane
Registrant Organization:FOOCRYPT
Registrant Street: P.O. Box 66
Registrant City:Briar Hill
Registrant State/Province:Victoria
Registrant Postal Code:3088
Registrant Country:AU
Registrant Phone:+61.411414431
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:foocrypt@gmail.com

Curiously, that name and address also turns up on this somewhat ungrammatical CV.

Name: Mark Andrew Lane
Postal Address: P.O. Box 66,
Briar Hill, Victoria. 3088.
Telephone: 0411414431
Email: mark.andrew.lane@gmail.com

I mean it would be weird if they weren't related in some way. But that CV mentions nothing about cryptography at all.. a bit of a mystery.

This message was sent to a random and nonexistant email address. Crucially, it does seem to be just random spam and not malware or phishing, but is still best avoided.

Friday 1 April 2016

Fake boss scams meet AI robocallers in a dangerous escalation of fraud

Many of us will be familiar with the "fake boss" scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady bank account for a business transaction you are not allowed to talk about.

This type of fraud is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and convincing calls have to be made to unsuspecting minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the change of getting caught.

Now, the notorious Russian gang dubbed Den Duraka by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system called which promises to be a game-changer.

Sporting the clumsy Russian acronym LOZHNYY, this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using hacked credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers.

Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were not suspicious as this seemed consistent with the behaviour of their CEOs.

Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely ignore any communications from your CEO and indeed any C-level executive. You have been warned!

(If you hadn't spotted the clues in the Russian names above.. this is an April Fools joke)

Wednesday 30 March 2016

Malware spam: "Additional Costs" leads to Locky

About the 9000th malicious spam run of the week so far, this one drops Locky ransomware. Again.

From:    Gregg gale
Date:    30 March 2016 at 13:42
Subject:    Additional Costs

Based on our contact (#084715), we're required to inform you about additional costs associated with your account, more information attached.

Reference numbers and sender names vary, the attachments are similar to the ones in this spam run. Various Malwr analyses for the samples I captured [1] [2] [3] [4] [5] show download locations at:


This binary has a detection rate of 7/56. Analysis of the binary [6] [7] [8] shows that it phones home to the same IPs reported here.

Malware spam: "Facture client N° FC_462982347 du 30/03/2016" leads to Locky

This French-language spam is pretending to be a renewal for anti-virus software, however instead it has a malicious attachment:

From:    administrator [netadmin@victimdomain.tld]
Date:    30 March 2016 at 11:09
Subject:    Facture client N° FC_462982347 du 30/03/2016


Veuillez trouver ci-joint la facture pour le renouvellement de votre antivirus.

Bonne réception

It pretends to come from within the victim's own domain, but this is a simple forgery. The reference number changes from email to email, attached is a ZIP file named consistently with the subject (e.g. FC_462982347.zip). This ZIP file contains a malicious script (typical detection rate 8/56) which then downloads Locky ransomware. According to these automated analyses [1] [2] [3] [4] [5] show the scripts downloading from the following locations (there are almost definitely more):


This dropped binary has a detection rate of 7/56. According to these analyses [6] [7] [8] it phones home to the same servers detailed in this earlier blog post.

Malware spam: "Additional Information Needed #869420" leads to ransomware

This spam has a malicious attachment, leading to ransomware.

From:    Joe holdman [holdmanJoe08@seosomerset.co.uk]
Date:    30 March 2016 at 08:55
Subject:    RE: Additional Information Needed #869420

We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipients email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.

An analysis of three scripts [1] [2] [3] shows binary downloads from:


This binary has a detection rate of 6/56.  Automated analysis [4] [5] shows network traffic to: (Krek Ltd, Russia) (OVH, France / Bondhost, Montenegro) (TheFirst-RU, Russia)

These characteristics are consistent with Locky ransomware.

Recommended blocklist:

Tuesday 29 March 2016

Malware spam: "CCE29032016_00034" / "Sent from my iPhone"

The malware spammers have been busy again today. I haven't had time to look at this massive spam run yet, so I am relying on a trusted third party analysis (thank you!)

These spam emails look like the victim is sending them to themselves (but they aren't). Reference numbers vary a little between emails, but the basic pattern is:

From:    victim
To:    victim
Date:    29 March 2016 at 17:50
Subject:    CCE29032016_00034

Sent from my iPhone

Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:


This payload has a detection rate of 4/56. The malware calls back to: (Keyweb, Germany / 300GB.ru, Russia) (OVH, France / Bondhost, Montenegro) (McHost, Russia)

McHost is almost purely a black-hat ISP in my opinion and should be blocked on sight.

Recommended blocklist:

Malware spam: "Re: New Order P2016280375" / Rose Lu [salesdeinnovative@technologist.com]

This fake financial spam comes with a malicious attachment:

From:    Rose Lu [salesdeinnovative@technologist.com]
Date:    29 March 2016 at 02:30
Subject:    Re: New Order P2016280375

Good Day,
Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
I look forward to receiving your order acknowledgement in due course.
Best regards
Rose Lu
Office Manager
Suzhou  Eagle Electric Vehicle Manufacturing Co., Ltd.
Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China
Web: http://www.eagle-ev.com

Attached is a file New Order P201628037.docx which I have seen a single variant of, with a VirusTotal detection rate of 8/58. The Malwr report is inconclusive, but does appear to to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object..


So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn.no-ip.biz hosted on: (Airtel, Nigeria)

I strongly recommend that you block traffic to that IP. In fact, the entire very large is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before) so you might want to consider blocking those too.

Monday 28 March 2016

Malware spam: "Envoi d’un message : 9758W-TERREDOC-RS62937-15000" / Christine Faure [c.faure@technicoflor.fr]

This French-language spam comes with a malicious attachment:
From:    Christine Faure [c.faure@technicoflor.fr]
Date:    28 March 2016 at 16:54
Subject:    Envoi d’un message : 9758W-TERREDOC-RS62937-15000

Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :

Message de sécurité
To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:



Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses [17] [18] [19] [20] the malware phones home to: (Park-web Ltd, Russia) (300GB.ru, Russia / Keyweb, Germany) (Host Sailor, Netherlands) (SKS-Lugan, Ukraine) (MWTV, Latvia) (OVH, Germany / Unihost, SC)

All of those look like pretty shady neigbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.

The other binary appears to be another version of Locky which appears to phone home to the same servers.

Recommended blocklist:

Thursday 24 March 2016

Malware spam: "FW: Payment Receipt" from multiple recipients leads to Locky

This fake financial spam comes from random recipients, for example:

From:    Marta Wood
Date:    24 March 2016 at 10:10
Subject:    FW: Payment Receipt

Dear [redacted],

Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.

Marta Wood
Technical Manager - General Insurance

Attached is a ZIP file that incorporates the recipients name plus a word such as payment, details or receipt plus a random number. This achive contains a randomly-named script (starting with "PM") and ending with .js.js plus which appear to be a set of hidden .BIN files which may well be junk.

VirusTotal detection rates for the scripts are fairly low (examples [1] [2] [3] [4] [5] [6]). Automated analysis [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] shows binary download locations at:

natstoilet.com/l2ps0sa [404]
yourhappyjourney.com/asl2sd [404]

Two of locations are 404ing, the two that work serve up a different binary each. There are probably many more download locations and more binaries, I will try to add a list later.

The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically is it Locky. Automated analyses [21] [22] [23] [24] [25] [26] show it phoning home to: (ITL, Latvia) (Total Server Solutions, US) (ITL, Netherlands) (PE Dunaeivskyi Denys Leonidovich, Ukraine)


Some further download locations from another source (thank you!):


MD5s for downloaded binaries:


Recommended blocklist:

Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk

This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment:

From:    customer.service@axminster.co.uk
Date:    24 March 2016 at 10:11
Subject:    Your order has been despatched

Dear Customer

The attached document* provides details of items that have been packed and are ready for despatch.

Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.

Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm

Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)

Kind regards

Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH

* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8]  shows download locations at:


This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to: (Bright House Networks, US) (Level 3 Communications US, / Impsat, Argentina) (FHU Climax Rafal Kraj, Poland) (Dataconstructs, US) (TE Data, Egypt) (Contabo, Germany) (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands) (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine) (Hetzner, Germany) (LetsHost, Ireland)

It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.


Some additional download locations from another source (thank you!)


Recommended blocklist:

Monday 21 March 2016

Malware spam: "FX Service" / "Fax transmission" spoofing victim's domain

This fake fax spam appears to come from within the victim's own domain, but it doesn't. Instead is is just a simple forgery with a malicious attachment.

From:    FX Service [emailsend@w.e191.victimdomain.tld]
Date:    21 March 2016 at 14:32
Subject:    Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff

Please find attached to this email a facsimile transmission we
have just received on your behalf

(Do not reply to this email as any reply will not be read by
a real person)
Details will vary from message to message. Attached s a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:


There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56.  This Malwr report of the payload indicates that it is Locky ransomware.

All of those sources plus this Deepviz report show network traffic to the following IPs: (Ukrainian Internet Names Center, Ukraine) (MWTV, Latvia) (Keyweb AG, Germany / 300GB.ru, Russia) (ITL Company, Ukraine)

If I receive more information I will post it here.

Recommended blocklist:

Friday 18 March 2016

Evil networks to block 2016-03-18

A follow-up to this list posted a few days ago. These networks are primarily distributing Angler and in my opinion you should block their entire ranges to be on the safe side. All the links go to Pastebin. 

Malware spam: "Proof of Delivery Report: 16/03/16-17/03/16" / UKMail Customer Services [list_reportservices@ukmail.com]

This spam does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    UKMail Customer Services [list_reportservices@ukmail.com]
Date:    18 March 2016 at 02:46
Subject:    Proof of Delivery Report: 16/03/16-17/03/16

Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report

iMail Logo
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.

At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm which has a VirusTotal detection rate of 9/55. This Malwr report for the sample shows a file download from:


There will be many other versions of the attachment with different download locations. This binary has a detection rate of 8/55 and this Malwr report and Hybrid Analysis  show network traffic to: (Dataconstructs, US)

I recommend you block traffic to that IP. The payload appears to be the Dridex banking trojan.


This DeepViz report shows some additional IP addresses contacted: (Level 3, US / Impsat, Argentina) (FHU Climax Rafal Kraj, Poland) (Hetzner / NoTaG Community, Germany)


Some additional download locations from a trusted source (thank you!):


Recommended blocklist:

Thursday 17 March 2016

Malware spam: "PDFPart2.pdf" / "Sent from my Samsung Galaxy Note 4 - powered by Three"

This spam run has a malicious attachment. It appears to come from within the user's own domain.

From:    Administrator [admin@victimdomain.tld]
Date:    17 March 2016 at 12:54
Subject:    PDFPart2.pdf

Sent from my Samsung Galaxy Note 4 - powered by Three

Sent from my Samsung Galaxy Note 4 - powered by Three
All the attachments that I saw were corrupt, but it appears to be trying to download a script that installs Locky ransomware, as seen here.

Malware spam: "Documentxx" apparently coming from the victim leads to Locky

This spam appears to come from the victim, but this is just a simple forgery (explained here). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is no body text. Here is an example:
From:    victim@domain.tld
To:    victim@domain.tld
Date:    17 March 2016 at 10:37
Subject:    Document32
Inside is a randomly-named script (samples VirusTotal reports [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13]  indicate that the script attempts to download a binary from the following locations:


The dropped binary has a detection rate of just 2/57. Those reports and these other automated analyses [14] [15] [16] show network traffic to: (PS Internet Company LLC, Kazakhstan) (Infium UAB, Ukraine) (SmartApe, Russia) (Ukrainian Internet Names Center, Ukraine)

This is Locky ransomware.

Recommended blocklist:

Malware spam: "Remittance Adivce" from random senders

This fake financial spam has a malicious attachment and poor spelling in the subject field.

From:    Booth.Garth19@idsbangladesh.net.bd
Date:    17 March 2016 at 09:17
Subject:    Remittance Adivce

Please find attached a remittance advice for payment made yo you today.

Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.

Kind Regards

Garth Booth
Sender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:


This download location is almost certainly completely malicious, and is hosted at: (ITL, Ukraine)

This dropped file has a detection rate of 3/56. That VirusTotal and this Malwr report indicate network traffic to: (PSINet, Canada) (DotSi, Portugal)

The payload is uncertain, but it could be the Dridex banking trojan.


The DeepViz analysis  also shows traffic to: (Leaseweb, Netherlands)

Recommended blocklist:

Malware spam: "Interparcel Documents" / Interparcel [bounce@interparcel.com]

This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
From:    Interparcel [bounce@interparcel.com]
Date:    17 March 2016 at 08:51
Subject:    Interparcel Documents

Your Interparcel collection has been booked and your documents are ready.

There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.

Thank you for booking with Interparcel.
Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:


The detection rate for the binary is 5/57. This DeepViz report on the binary shows network connections to: (Culturegrid.nl, Netherlands) (Level 3, US / Impsat, Argentina) (FHU Climax Rafal Kraj, Poland) (Hetzner / NoTaG Community, Germany)

As mentioned before, these characteristics look like the Dridex banking trojan.

Recommended blocklist:

Monday 14 March 2016

Malware spam: "Traffic report ID: 62699928" leads to Teslacrypt

This fake legal email has a malicious attachment:

From:    Myrna baker
Date:    14 March 2016 at 15:58
Subject:    Traffic report ID: 62699928

Dear Citizen,

We are contacting you on behalf of a local Traffic Violation Bureau.

Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 49757
Unfortunately, we will have no other option rather than passing this case to the local police authorities.

Please, see the report with the documents proofs attached for more information on this case.
Details in the email vary from message to message. The payload is Teslacrypt ransomware, as see in this earlier spam run.

Malware spam: "Credit details ID: 87320357" leads to Teslacrypt

So many Teslacrypt campaigns, so little time... I've had to rely on third party analysis on this particular one (thank you!)
From:    Ladonna feather
Date:    14 March 2016 at 14:50
Subject:    Credit details ID: 87320357

Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply. 
Send names, references and attachment names vary. The malicious scripts in the attachment attempt to download from:


This is Teslacrypt ransomware with VirusTotal detection rates of 1/57 [1] [2]. The malware attempts to phone home to:

The download locations for the executable files can all be considered as malicious: (Amazon AWS, US) (Middle East Internet Company Limited, Saudi Arabia) (Sadecehosting, Turkey) (Maginfo JSC, Russia) (Baikal TransTeleCom, Russia) (IRONNET Ltd, Russia) (Hong Kong Broadband Network Ltd, Hong Kong) (Hutchison Global Communications, Hong Kong) (Kyivstar GSM, Ukraine) (Kyivstar GSM, Ukraine) (SDS-Vostok Ltd, Russia) (ER-Telecom Holding, Russia) (Krym Infostroy Ltd, Ukraine)

Out of these, only the first three (for giveitallhereqq.com) appear to be static IPs, the others (for washitallawayff.com) are dynamic and are likely part of a botnet, so blocking the domain might be better.

Recommended blocklist:


Malware spam: "Blocked Transaction. Case No 19706002" leads to Teslacrypt

This fake financial transaction has a malicious attachment:

From:    Judy brittain
Date:    14 March 2016 at 08:12
Subject:    Blocked Transaction. Case No 19706002

The Automated Clearing House transaction (ID: 19706002), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID: 09293
Transaction Amount: 607,89 USD
Sender e-mail: brittainJudy056@panick.com.ar
Reason of Termination: See attached statement
The sender's name, references and dollar amounts vary from message to messages. The attachment names are randomly-generated (the format seems the same as this) containing either one or four malicious scripts. According to this analysis the scripts download from:


Although the infection mechanism seems the same as this spam run, the MD5 of the dropped executable is now 57759F7901EBA73040597D4BA57D511A with a detection rate of 2/55. This is Teslacrypt ransomware, and I recommend that you block traffic to the IP addresses listed here.

Sunday 13 March 2016

Malware spam: "Debt #85533 , Customer Case Nr.: 878" leads to Teslacrypt

The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments, however.

From:    Lamar drury
Date:    13 March 2016 at 18:43
Subject:    Debt #85533 , Customer Case Nr.: 878

Dear Customer,

Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.

We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.

Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.

We hope on your understanding.

Kind regards,
Finance Department
Lamar drury
878 N Davis St, Jacksonville,
FL 85533
Phone nr: 464-182-2340 
Attached is a ZIP file, that in the samples I saw starts with:
  • doc_scan_
  • money_
  • payment_details_
  • payment_
  • warning_
  • see_it_
  • payment_scan_
  • finance_
  • warning_letter_
  • report_
  • transaction_
  • details_
  • incorrect_operation_
  • confirmation_
  • document_
  • problem_
  • financial_judgement_
 ..plus a random number. Inside are one to four malicious .js scripts, named in the following format:

  • details_
  • mail_
  • post_
  • Post_Parcel_Case_id00-
  • Post_Parcel_Confirmation_id00-
  • Post_Parcel_Label_id00-
  • Post_Shipment_Confirmation_id00-
  • Post_Shipment_Label_id00-
  • Post_Tracking_Case_id00-
  • Post_Tracking_Confirmation_id00-
  • Post_Tracking_Label_id00-
The first three have a random string, the ones beginning with "Post" are followed by a random number and a #.  There are at least 22 unique scripts with the following MD5s:


These appear [1] [2] to download a malicious binary from one of the following locations:


Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56.

The download locations have the following IP addresses: (DA International Group Ltd, Bulgaria) (Quadranet Inc, US) (Amazon AWS, US) (Hudson Valley Host / Colocrossing, US) (Middle East Internet Company Limited, Saudi Arabia) (Sadecehosting, Turkey)

Those IP addresses can be considered as evil, and they also host the following sites:


Recommended blocklist:

Saturday 12 March 2016

Malware spam: "Urgent Notice # 78815053" leads to Teslacrypt

This spam comes from random senders, and has random references, dollar amounts and attachment names:

From:    Donnie emily
Date:    12 March 2016 at 14:01
Subject:    Urgent Notice # 78815053

Dear Customer!

According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.

Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.

We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.

Please check out the file and do not hesitate to pay off the debt.

Otherwise we will have to start a legal action against you.

Donnie emily
758 N Davis St, Jacksonville,
FL 17323
Phone nr: 026-762-3482 
Attached is a randomly-named ZIP file, in the sample I have seen they begin with:
  • letter_
  • confirm_
  • access_
  • unconfirmed_operation_
  • operation_
  • details_
..plus a random number. There may be other formats. Inside is a malicious script beginning with:
  • details_
  • post_
  • mail_
..plus a random string of characters. I have seen six versions of this script, I do not know how many there are in total. VirusTotal results show detection rates between 4 and 7 out of 57 [1] [2] [3] [4] [5] [6] and automated analysis tools [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] show the script attempting to download a binary from:


This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different (VirusTotal results [19] [20]) and they appear to phone home to:


It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to: (Petersburg Internet Network Ltd, Russia) (FOP Sedinkin Olexandr Valeriyovuch, Russia)

The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs: (Hudson Valley Host  / Colocrossing, US) (Amazon AWS, US) (Middle East Internet Company Limited, Saudi Arabia) (Sadecehosting, Turkey)

The following malicious domains are also on the same servers:


In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.

Recommended blocklist:

Friday 11 March 2016

Malware spam: "FW: Payment 16-03-#507586" / "We have received this documents from your bank, please review attached documents."

These spam messages come from various senders with different references and attachment names.

From:    Thanh Sears
Date:    11 March 2016 at 10:29
Subject:    FW: Payment 16-03-#507586

Dear [redacted],

We have received this documents from your bank, please review attached documents.

Yours sincerely,

Thanh Sears
Financial Manager

This email has been scanned by the Symantec Email Security.cloud service.

Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script containing one of the following strings plus a random number and also it seems a # sign at the end of some.

  • Post_Shipment_Confirmation_id
  • Post_Shipment_Label_id
  • q.
  • Post_Shipment_Case_id
  • Post_Tracking_Confirmation_id
  • Post_Parcel_Confirmation_id
Detection rates for these scripts are all zero at the moment [1] [2] [3]. A Malwr analysis of some of the samples [4] [5] [6] shows download locations at:


There are probably other download locations. The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to block are the same as found in this earlier Locky run.


Two further download locations can be found at:


The dropped binaries are different again [1] [2],  but it is still Locky phoning home to the C2s detailed here.


Further download locations are at:

Again, the dropped binaries are all different but seem to be Locky [1] [2] [3] [4] [5].

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan leads to malware. It appears to come from within the victim's own domain, but this is a trivial forgery.

From:    admin [lands375@victimdomain.tld]
Date:    11 March 2016 at 09:02
Subject:    Scanned image

Image data in PDF format has been attached to this email.
Attached is a document named in a similar format to 11-03-2016-6440705503.zip which contains a randomly-named malicious script. So far I have seen three versions of this script (VirusTotal results [1] [2] [3]) which according to the Malwr reports [4] [5] [6] download a malicious binary from:


This is Locky ransomware, the same as dropped in this other spam run - that post also contains a list of C2s to block.

Malware spam: Your Amazon order #137-89653734-2688148 / AMAZON.COM [Mailer-daemon@amazon.com]

This fake Amazon spam comes with a malicious attachment:

From:    AMAZON.COM [Mailer-daemon@amazon.com]
Date:    11 March 2016 at 09:09
Subject:    Your Amazon order #137-89653734-2688148


Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order #137-89653734-2688148 Placed on March 11, 2016

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.

Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script of which I have seen just a single sample with a detection rate of 5/56. According to this Malwr report, the script downloads a binary from:


That binary has a detection rate of 4/55. According to the Malwr report for the script and this Malwr report for the binary, it phones home to: (Petersburg Internet Network, Russia) (FLP Kochenov Aleksej Vladislavovich, Ukraine)

There are probably other download locations and C2s, I will update this post if I find out what they are.


Some additional C2s from various sources: (PS Internet Company LLC. Kazakhstan) (Petersburg Internet Network, Russia) (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)

Some additional download locations for this and other locky spam runs today:


Recommended blocklist: