Sponsored by..

Wednesday, 2 November 2016

Malware spam: "Companies House - new company complaint" / noreply@companies-house.me.uk / noreply@companieshouses.co.uk leads to TrickBot

This fake Companies House spam leads to TrickBot malware:

From:    Companies House [noreply@companieshouses.co.uk]
Date:    2 November 2016 at 11:51
Subject:    Companies House - new company complaint
Signed by:    companieshouses.co.uk

Investigations and Enforcement Services

This message has been auto-generated in response to the company complaint submitted to our WebFiling  service.

The submission number is ID109202DLK02911

Please find the attached document for your review.

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Crown Logo
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500

The Cardiff office is open 24 hours a day for the receipt of documents Contact Centre lines are open between 8.30am to 6pm (Monday to Friday) 
Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.


The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:

    Registrant:
        Camell Williams

    Registrant type:
        Unknown

    Registrant's address:
        550 HOLTS LAKE CT STE 101
        Suite 101
        Apopka
        Florida
        32703
        United States


Both those domains are close to the genuine one of companieshouse.gov.uk and because the email is digitally signed it might get past spam filters where normal botnet-sent spam wouldn't.

All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.

Attached is a Word document Complaint.doc  (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:

futuras.com/img/dododocdoc.exe

This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.

The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:

78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)


The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.

Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117


Tuesday, 1 November 2016

Malware spam: "New Fax Message" / administrator@local-fax.com leads to TrickBot

This fake fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

From:    Administrator [administrator@local-fax.com]
To:    annie@[redacted]
Date:    1 November 2016 at 13:28
Subject:    New Fax Message
Signed by:    local-fax.com

Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.

[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]

Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.



Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and Hybrid Analysis give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:

www.tessaban.com/img/safafaasfasdddd.exe

This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports give the following suspect traffic:

91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)

I can match all those IPs except the last to this ThreatGeek report, those IPs are a mix of what looks like dynamic IPs for hacked home users and static ones (highlighted):

5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.

If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:

37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24


However, there's more to this too. The original email message is actually signed by local-fax.com and it turns out that this domain was created just today with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking.

All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously enough..


Malware spam: "This is to inform that the transaction you made yesterday is declined." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Transaction declined
From:     Chandra Frye
Date:     Tuesday, 1 November 2016, 10:48

Dear [redacted],

This is to inform that the transaction you made yesterday is declined.

Please look through the attachment for the verification of the card details.

Best Regards,
Chandra Frye
The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs) which looks like this [pastebin]. That particular sample plus one other I received communicates with the URLs below, but you can be sure that there are many more examples:

51qudu.com/mqy2pj4
bjzst.cn/qgq4dx
danapardaz.net/zrr8rtz
litchloper.com/66qpos7m
creaciones-alraune.es/dx8a5
adasia.my/f5qyi10
alecrim50.pt/g28w495t
zizzhaida.com/a0s9b
silscrub.net/07ifycb

Hybrid Analysis is inconclusive. If I get hold of the C2s or other download locations then I will post them here.

UPDATE

My usual reliable source tells me that these are all the download locations:

17173wang.com/f6w0p
176.9.41.156/rodru
4office.pl/zyjkry6
51qudu.com/mqy2pj4
akbarcab.com/p8vw992v
alpinivel.pt/as4jcmm
americanjuniorgolfschool.com/hkba7
apiaa.ro/jqm6ltfw
atech.co.th/lyyrdp9
badyna.pl/saf0zv
baoan99.com/jllkv
baranteks.com/hrnf0q44
beesket.com/jrd8d411
bikebrowse.com/mjjoy
biolume.nl/rq8mabk
bionorica.md/m61yk
birim.org/x5s8d
bisskultur.de/rawmjx
bjsunny.net/claocm
bjzst.cn/qgq4dx
blastech.cc/nsg5xyi
carsmotor.net/stab2
cascinamatine.com/a7w59h
cdxybg.com/iribzm
charoenpan.com/jv4fj
chbeirlaw.com/oyem1
civc.co.uk/y5rcauj
containermx.com/vzndc
creaciones-alraune.es/dx8a5
crossfitgladstone.com/orfx8
cvanchen.com/m61yk
danapardaz.net/zrr8rtz
daricacicekci.com/jqec1k7r
doctornauchebe.it-strategy.ru/k1d7d
eatfatlosefat.com/yx7s1
ebooks.w8w.pl/slhj1l
econsult.com.tw/dqtvy
fieldserviceca.net/dndovr
koranjebus.net/1bpsrbfa
koranjebus.net/4rwg5
koranjebus.net/94rgo
koranjebus.net/9fif0
litchloper.com/2be1xz
litchloper.com/66qpos7m
litchloper.com/96iq4o
litchloper.com/9qknusm
nbsbjt.net/icefdwl
silscrub.net/40l8w
silscrub.net/79d6w4
sonsytaint.com/0dqj0dd
sonsytaint.com/4mgxlrf
sonsytaint.com/89hs1ix
zizzhaida.com/3m6ij
zizzhaida.com/98g4ubq

These are the C2s:

91.234.32.202/linuxsucks.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
81.177.22.164/linuxsucks.php (NETPLACE, Russia)


Recommended blocklist:
91.234.32.202
81.177.22.164

Monday, 31 October 2016

Malware spam: "Wrong tracking number" leads to Locky

This spam email leads to Locky ransomware:

From     "Samuel Rodgers"
Date     Mon, 31 Oct 2016 15:21:22 +0530
Subject     Wrong tracking number

It looks like the delivery company gave us the wrong tracking number.

Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.
The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script [pastebin] named something like tracking number A99DB PDF.vbs.

That script tries to download a component from:

tastebudsmarketing.com/uw6lin
mechap.com/xd7uh
coffeeteashop.ru/daz2rp
ficussalm.com/0bqzcn96
waynesinew.com/0fqt9he1

There will no doubt be other locations. At present I do not have those or the C2 servers, but will update this post if I get them.

UPDATE

The full list of download locations is as follows (thank you to my usual source):

365cuit.com/d9x9f0
7ut.ru/ge9j0et2
8hly.com/jc45tun
a1akeyssportfishing.com/etrt5
academy24.nl/k6lxc
aconetrick.com/2ejczfc
aconetrick.com/564nr0
aconetrick.com/6yoajl7
aconetrick.com/bwt2ixo
ami-mo.ca/k5xhdz2
ami-mo.ca/kr641jxw
archilog.at/imwjmt
architectureetenvironnement.ma/g31701d
badznaptak.pl/inlgm49
bebmila.it/eczde9
buenotour.com/j97s7
business-cambodia.com/he8wtc
campossa.com/vjbfdtj
cdqdms.com/d887wn9
cintasuci.com/cl6pa
coffeeteashop.ru/daz2rp
comistus.net/j6y95
customrestaurantapps.com/gn7c2se
dgtoca.net/d1wr3
dicresco.vn/gq1bjtbb
ecig-ok.com/luflbx4
eijsvogel.nl/gpbka1n2
elgrandia.com.mx/ginlp2f
epsihologie.com/jd2qrzg
eredmenyek.net/ff2i98t
ficussalm.com/0bqzcn96
ficussalm.com/2m6u1jt9
ficussalm.com/65s3r
ficussalm.com/8pmjmwp
financesystem.net/inliid
frijaflail.com/21fpb
frijaflail.com/37cu2
frijaflail.com/6u982pak
frijaflail.com/bnrxxvsk
mcmustard.com/u6ll6y
mechap.com/xd7uh
personalizar.net/nrwnmk
personalizar.net/qz5x2mmr
robertocostama.com/xyulv
shouwangstudio.com/xkocl94
sintasia.com/ziyd0iap
tastebudsmarketing.com/uw6lin
thegioitructuyen.org/rw6ost0e
timwhid.com/1mdm3
timwhid.com/33ck9bxc
timwhid.com/6twktm
timwhid.com/bnkxqf
tjbjpw.com/wsdou72d
tonglizhongji.com/xia3fu0
tropicalcoffeebreak.com/mqomzf
utopiamanali.com/tylv91
valpit.ru/syrwg2r3
vedexpert.com/zt4ug
visualtopshop.com/svnjzk9
warisstyle.com/sq1sae
wayneboyce.com/u5ahu
waynesinew.com/0fqt9he1
waynesinew.com/2psuru2
waynesinew.com/67egbs
waynesinew.com/9li2sv1r
wbakerpsych.com/mm3kuv
wedding-pix.net/u39ssq
wei58.com/wnticba
wklm.it/qjv1ap
xa12580.com/pq2xb
xhumbrella.com/rb374woh
yurtdax.com/wgltz
zbdesignsas.com/m13o692o
znany-lekarz.pl/wd7zj

The malware phones home to:

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
5.187.7.111/linuxsucks.php (Fornet Hosting, Spain)


Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152

Friday, 28 October 2016

Malware spam: "Payment history" leads to Locky

Another morning, another spam run pushing Locky ransomware:

Subject:     Payment history
From:     Theodore Wilkins
Date:     Friday, 28 October 2016, 10:09

The payment history for the first week of October 2016 is attached as you requested.

Please review it and let us know if you have any question.
The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script [pastebin] (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these script in these automated analyses [1] [2].

There are many different variants of the script, downloading components from:

2rtt-2rm.ru/grb7c
92hanju.com/utl41nrt
a1plus2.de/ljwxw6vh
accubattery.eu/sjc2at
aegischina.com/yrp6eyv
agrobiciuffa.com.ar/l5e7m6i
allaboutseniors.in/wtm1i0yg
alpha-next.com/ssvmwa
angundoviz.com/lhk96wx
aoteatrial.net/02yls0
aoteatrial.net/142y5x
aoteatrial.net/4865ht
aoteatrial.net/7gojeo
artmusic.dk/izpv2d39
autoreal16.ru/r1j54weq
bachledowka.net/xausf
beauty-link.jp/umjwg8f
bikemielec.com/b7owupi
bircansigorta.com/s84vkrx
blaauw-woonidee.nl/hvlqf9v4
bts-site.nl/fb80j
bumbocubeb.net/04s7752
bumbocubeb.net/163yebg7
bumbocubeb.net/4rjsepe
bumbocubeb.net/8p54eb8
burdur-bld.gov.tr/usl1pm4
buron.dk/t8nh96d
butterflytiger.com/o7eancbx
caraudiogdl.com/zm74gwvw
cavafis.gr/ouyrvo
chanet.jp/mrf40le
chernozem-msk.ru/l5wvp4nc
clinicaharvard.com/umuyki
cmmsrilanka.lk/xztuej9
codelime.net/u9dhbjib
cronos-com.ru/hbxxkshz
dadou0531.com/gych5
dcproduction.fr/wrs9q6
dohere.net/zyme3z
dollheiser.de/v5oqpb4
doogo.com.ar/vw280ik8
drewnianaskrzynka.pl/nfw15wn9
eajhosting.nl/q7jijj3k
edhalper.it/tmnm2v
efb-demarco.de/ywkdd
eflproject.org/vco8bi
egda.pl/unu16fq9
elma.7080.ru/qe3sp3
energiclima.com/sesmgrv4
enzyma.es/lpzd1gev
er-mecanicautomotriz.com/fxlkkv
e-testers.it/jy5ipe3
eurobnr.ro/qd0gn425
euromac.es/oodhs
expert-as.ru/ulfzbh
finahistory.com/jhrni
hellomissdance.com/a03sf
helsby.biz/apwms
hltrader.com/audu4f4o
huodaibbs.com/bqmvde
ilmdesign.com/aos8ly25
joshdult.net/0ia6e4
joshdult.net/3c554n2
joshdult.net/73eqx7oc
joshdult.net/9p4eh
nowon.dk/woqb5j
plookseri.net/097ga
plookseri.net/1s4bzaa1
plookseri.net/5t9nja
plookseri.net/9jyg2s70
shop.ukrtk.com/ck6jfe2e
verdianthy.com/diqlfy1
weddingandfashion.it/djzuf5c
zencart.alpm.gogzmermedia.com/h0woq
zlotysalmo.net/0zx0ken3
zlotysalmo.net/3v8va8ov
zlotysalmo.net/75vepy6f
zlotysalmo.net/9v50aob

(Thank you to my usual source for this data). The malware phones home to:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks.php [hostname: tarasik1.infium.net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks.php (Dunaevskiy Denis Leonidovich, Ukraine)


It also attempts to contact the following URLs which appear to be dead:

pqrifsjpryygmip.pw/linuxsucks.php
uxpxpirusm.xyz/linuxsucks.php
wbaskcsxiffiax.info/linuxsucks.php
kcydflvipqsvqxw.work/linuxsucks.php
haxkbqwyudoeghlhj.biz/linuxsucks.php
mdecrwmtscal.su/linuxsucks.php
pqpmswodyqlbbjmwm.pl/linuxsucks.php
yppsuvfjmnsbi.org/linuxsucks.php
fpeuwdde.xyz/linuxsucks.php
qggdljlijbygeutc.click/linuxsucks.php
juiweirqvt.su/linuxsucks.php
gyhbiuo.ru/linuxsucks.php

A DLL is dropped with a detection rate of 12/57.

Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79

Thursday, 27 October 2016

Moar Locky 2016-10-27

Lots of Locky today, here are some additional download locations for those naughty .wsf scripts.

139.162.29.193/g67eihnrv
1water.com.au/g67eihnrv
adenadataediting.com/g67eihnrv
aghadiinfotechforclient.com/g67eihnrv
agile-scrum-training.com/g67eihnrv
anandlab.com/g67eihnrv
axzio.com/g67eihnrv
banatlebanon.com/g67eihnrv
banknifty.com/g67eihnrv
bindaasdelhi.org/g67eihnrv
bmbuildingpteltd.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cfolio.uk/g67eihnrv
cibr.in/g67eihnrv
ctc.crru.ac.th/g67eihnrv
cttcleaning.com/g67eihnrv
davaomarbled.com/g67eihnrv
dev.searchthruster.com/g67eihnrv
dmlevents.com/g67eihnrv
dollsdelight.com/g67eihnrv
dreamruntech.com/g67eihnrv
drhairchandigarh.in/g67eihnrv
dryilmazyildirim.com/g67eihnrv
dssstaging.net/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eurofranq.com/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
flyingbtc.com/g67eihnrv
ftp-reklama.gpd24.pl/g67eihnrv
fullservicetech.com/g67eihnrv
goldseparator.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
infomazza.com/g67eihnrv
intomim.com/g67eihnrv
intralab.co.id/g67eihnrv
intrekmedya.com/g67eihnrv
italics.in/g67eihnrv
jackpotfutures.com/g67eihnrv
joshturansky.com/g67eihnrv
jus2chat.com/g67eihnrv
kakapublicity.com/g67eihnrv
kalkashimlataxiservice.in/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kaushikjanmejay.com/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
kursuskomputer.web.id/g67eihnrv
librahost.com/g67eihnrv
livingfreehomeramps.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
mgregency.com/g67eihnrv
micaraland.com/g67eihnrv
mileshilton-barber.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
olivierimmobiliare.com/g67eihnrv
paihotel.in/g67eihnrv
physioandpain.com/g67eihnrv
projects.seawindsolution.com/g67eihnrv
prototypingjob.com/g67eihnrv
pubbligrafica360.it/g67eihnrv
riverlifechurch.tv/g67eihnrv
saurabh-kachhadiya.comyr.com/g67eihnrv
scpolytechnic.com/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
srisaioilfield.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
tasveeranarts.in/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
tutorialcodeigniter.16mb.com/g67eihnrv
twoj-sennik.pl/g67eihnrv
ui.worklab.in/g67eihnrv
uniquebulldogpuppies.com/g67eihnrv
uniquecoders.in/g67eihnrv
videoregistrator.bg/g67eihnrv
vkwelaarts.co.za/g67eihnrv
webihawks.com/g67eihnrv
www.3shadz.com/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.camko-motor.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.hayatesabz.ir/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv
zinger.nl/g67eihnrv

Malware spam: "E-TICKET 41648" leads to Locky

More Locky ransomware today..

From     "Matthew standaloft"
Date     Thu, 27 Oct 2016 15:20:27 +0530
Subject     E-TICKET 41648

Dear Sir ,

Please find the attached E-ticket as per your requested.


Thanks & Regards ,

Matthew standaloft
Attached is a ZIP file containing a randonly-named .WSF script, downloading more evil from one of the following locations (according to my usual source):

agile-scrum-training.com/g67eihnrv
axzio.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cttcleaning.com/g67eihnrv
dmlevents.com/g67eihnrv
dreamruntech.com/g67eihnrv
dryilmazyildirim.com/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
fullservicetech.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
intomim.com/g67eihnrv
jackpotfutures.com/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
librahost.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
micaraland.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
riverlifechurch.tv/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
vkwelaarts.co.za/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv

This drops a malicious DLL with a detection rate of 9/56. The following C2 servers are contacts:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks.php (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
213.159.214.86/linuxsucks.php (JSC Server, Russia)


Recommeded blocklist (also see this other spam run today):
83.217.11.193
91.201.202.12
213.159.214.86 

Malware spam: "This is from the Telephone Company to remind you that your bill is overdue." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Bill overdue
From:     Alexandria Maxwell
Date:     Thursday, 27 October 2016, 9:35

This is from the Telephone Company to remind you that your bill is overdue.

Please see the attached bill for the fine charge.
The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script [pastebin] detailed bill C43A9.vbs

The Malwr Report and Hybrid Analysis for that script shows behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download from:

198zc.com/f7ss3oy
3d-schilling.de/jrz8hn
502mm.com/wwe0mac6
88cui.de/rwl8ov
abmelectric.ca/q0o4780r
actiononsports.com/kq0u93a1
aiccard.co.th/dvja1te
alefunny.pl/fksf4
alvida.de/klv2aog3
antiguarelojeria.com/kkzyr
ardnas.nl/f2v5o
art-yoga.myjino.ru/r1es12r
astra-antiques.com/bt32u5
atgem.ch/okl2jok
ayubatikpekalongan.com/cb2it0jj
babilon.by/sws2z1
bachvietxd.com/cbm2v
bathboating.co.uk/fptmhcm
bazalt-gracze.pl/cux57
begbuilders.com/i7ux0sxr
bestseptik.ru/zkmdw66
bibigame.net/ilc753c
bibob-hairshop.nl/fm0tue
bluecuracao.nl/iplibwz
brkos.borec.cz/dwz8li
buypc.ro/vds7o
callideo.fr/msn9ar
casadecandomble.com.br/rhn2dn
cneedu.cn/t1k2wlus
cztaxes.cz/rx19j
dabar.name/hscgqx
dadaniu.cn/o1ws9s
danor.ro/ip9f85t
dicatex.com.ar/tx3or
digicap.net/s6bhb6
dmtya.ru/mpozceu
dont.pl/cvjjw1
dovgan.bclas.ru/gtyvx
dzx800.com/j3sll
dzyncreative.com/o2ilww
ebgboz.nl/pzxc1je
ecentz.com/nvp7s9t
edepolama.com/o56szw
eiskgd.ru/vgvr31
ekofil.pl/o3pp6
elektrik1.ru/vn2q7au
englishukcentral.com/gw59b8
enrico.ru/wqhni
esysports.com/k3qsnhm
favourfinance.com/ouzoy
fbstone.com/gud0y
fengxiaohui.com/k5sqnm
fightsportuk.com/s9e9qdm
flutygoy.net/1b2sy4r
flutygoy.net/48jc5on
flutygoy.net/82okzzkq
flutygoy.net/9vvgvtk
guguhah.com/0w6rv87d
guguhah.com/3mikeq
guguhah.com/7ut2t95
guguhah.com/9bxqzgzo
khstarter.com/fy5cns7
monecouth.net/1gz0ae
monecouth.net/702t90
monecouth.net/8qxfzegf
monecouth.net/atb1yedm
morenaart.com/ng8if4c
njlsyb.com/rp7pn
sozluktr.com/x65mjo
szylbx.com/bgmhcx14
tahradeep.com/0u0zb
tahradeep.com/1tuqd
tahradeep.com/7emuv
tahradeep.com/94rttn
theatosc.net/1clhtqam
theatosc.net/558x66
theatosc.net/8j3wm
theatosc.net/a952l

A DLL is dropped with a detection rate of 11/56, and the malware then phones home to:


91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)


Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150

Wednesday, 26 October 2016

Malware spam: "Your order has been proceeded." leads to Locky

This curiously worded spam email leads to Locky ransomware:

Subject:     Your order has been proceeded
From:     Elijah Farrell
Date:     Wednesday, 26 October 2016, 12:41


Your order has been proceeded.

Attached is the invoice for your order 2026326638.

Kindly keep the slip in case you would like to return or state your product's warranty.
The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name.

The various scripts download a component from one of the following locations (thank you to my usual source for this):

198zc.com/vnrymi
3d-schilling.de/ytm08hf
abaffbedip.net/0ec4sb62
abaffbedip.net/1roef5v
abaffbedip.net/5k4oh5
abaffbedip.net/8b0lk2p
actiononsports.com/yduc1
aiccard.co.th/sy7hb7
alefunny.pl/vjjw0
alvida.de/zhw8nw6
antiguarelojeria.com/zg28jio
ayso722.org/ny8s6fn
banana2.jp/zsf0952
begbuilders.com/xjtb9k
bibliocultura.org/hdhwx7sf
bluecuracao.nl/xt8w2p3
bonetti.nl/bqc565q
brkos.borec.cz/skxkk33b
callideo.fr/zwg1d
caulgreet.com/0gxgwa
caulgreet.com/2sqh38d1
caulgreet.com/6o04pdt
caulgreet.com/9gl7t
chuvafeatherstone.com/rve6j
ciscscout.net/rvkbiv3t
cloudafis.com/kpw6h4uh
cngmalaysia.org/f4cda
cpugame.com/r3octl
cryochoice.com/n4801d
dadaniu.cn/cyk9hpr
danor.ro/xnnhp5
dmtya.ru/zqzii
dominoassociates.com/keg4g
dongyigg.com/onirn0r
dont.pl/stuf3
dovgan.bclas.ru/wk7tah
dzyncreative.com/v1djrmn
ecentz.com/sbvv8md
edepolama.com/xlyrh
edu02.ru/nk6z1
entersukses.com/cudm8
ergobois.com/j87ns
esteticapro.com/tje1ya
esysports.com/ybn7qw
exquisiteescape.com/fa8f7fk9
fazendacristal.com/djgyn
fbstone.com/xjlq6
fengxiaohui.com/yulge
filenetp8.info/esg742j9
flw123.com/kygiq6t
gerardfetter.com/fudjm1m
gongzuoshu.com/lojhvcj7
grandfm.com/my98xg7a
guymorgandaily.com/ilgx8tki
hankookm.com/lun77kyf
hfhhk.com/edfwyi1
hotsigns.net/ayxpi
jean-ealogy.com/dauwq7a
khstarter.com/w8811bg
landondavid.com/d5t56y4b
lanmaicao.com/bxyi91
lcmaya.com/d79p8w
mannersfromtheheart.com/cn450b
milianjie.com/dg1ie
morenaart.com/qbwnl
nakedglobal.com/d6s6f
roweliced.net/12fi9dc
roweliced.net/35lz355g
roweliced.net/6vgrs4
roweliced.net/a1f8yb
sheatcatan.com/1cb7jn
sheatcatan.com/3oze6ie
sheatcatan.com/74mqu
sheatcatan.com/awcdu3
titmaius.net/0f7ygeg
titmaius.net/1zsxe
titmaius.net/6g32j
titmaius.net/8u0ie

The downloaded binary then phones home to:

78.46.170.94/linuxsucks.php [hostname: k-42.ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks.php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost.hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks.php [hostname: weblinks-3424.ru] (Sobis, Russia)


It also tries to phone home to these URLs which are currently not resolving:

umjjvccteg.biz/linuxsucks.php
hbnatserncelosskp.biz/linuxsucks.php
rqnegynlpkohoohp.pw/linuxsucks.php
ymrorgauixirigj.biz/linuxsucks.php
ayyxamwyvfyqidija.pw/linuxsucks.php
yfjxvok.ru/linuxsucks.php
lbbauqqpynjem.xyz/linuxsucks.php
tnvnmjdyokgyj.pl/linuxsucks.php
hoiedes.pl/linuxsucks.php
toaqabrl.xyz/linuxsucks.php
leacfrc.info/linuxsucks.php
jkjxnrnirmqt.pw/linuxsucks.php

Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225




Malware spam: "Western Union Help Desk" / "Proof" leads to Adwind

Just by way of a change, here's some malspam that doesn't lead to Locky..

From:    Western Union Help Desk [mes@prosselltda.cl]
Reply-to:    Western Union Help Desk [mes@prosselltda.cl]
Date:    26 October 2016 at 20:07
Subject:    Proof

Dear All,

To comply with customer service standards, we need to have the Proof of Payment for the following attached transaction that has been marked as paid by one of your Locations.

Please e-mail us a copy of the ?To Receive Money Form?  as a Proof of Payment. If no TRMF or reason for delay were received by the above mentioned due date, we will consider the Transaction as Paid in Error and will proceed to reinstate it accordingly charging Paying Account.

In case there are an Automatic Customer Receipt (ACR) and a Handwritten Form, please send us both.

Click To View  Click to download  Click to open on browser

Thanks

Shameer Illyas

| Agent Support Officer |

|  Western Union Money Transfer |


In this case, the link in the email goes to:

linamhost.com/host/Western_Union_Agent_Statement_and_summary_pdf.jar

This is a Java file, if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it won't run. VirusTotal identifies it as the Adwind Backdoor. The Malwr report shows it attempting to contact:

boscpakloka.myvnc.com     [158.69.56.128] (OVH, US)

A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis. Check the Dropped Files section of the Malwr Report for more.

Personally, I recommend blocking all dynamic DNS domains such as myvnc.com in corporate environments. At the very least I recommend blocking 158.69.56.128.

Tuesday, 25 October 2016

Malware spam: "Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data" leads to Locky

Perhaps minimalist spam works better, there is currently a Locky spam run with on of the subjects Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript that looks like this [pastebin]. There is no body text.

These automated analyses [1] [2] [3] [4] show that it is Locky. My usual sources tell me that the various scripts download from one of the following locations:

abplhomes.com/g76dbf
alyatater.com/g76dbf
baedalapp.com/g76dbf
beaumontschool.com/g76dbf
blastspraypolish.com/g76dbf
codefinder.co/g76dbf
copperfilters.com/g76dbf
cultural-ecology.com/g76dbf
designera.org/g76dbf
dev.indonesiatextile.id/g76dbf
dwimultimakmur.com/g76dbf
dziennikarze.lo-kolaczyce.pl/g76dbf
easytravelvault.com/g76dbf
elitednadt.com/g76dbf
emreker.com/g76dbf
faisal-ibrahim.info/g76dbf
fpi-canada.com/g76dbf
fresflor.net/g76dbf
gellyrepin.com/g76dbf
himytutor.com/g76dbf
informing.asia/g76dbf
jciindia.in/g76dbf
kantoor.vescolub.nl/g76dbf
kendalpos.com/g76dbf
lamurindo.com/g76dbf
lilxtreme.com/g76dbf
lookbeauty.ir/g76dbf
mahendradesai.net/g76dbf
newdesign.well.pk/g76dbf
nitrogenwebs.com/g76dbf
panaceapeople.com/g76dbf
permars.com/g76dbf
privatestashstorage.com/g76dbf
promo.worldloft.ru/g76dbf
read4change.com/g76dbf
runmyaccounts.ch/g76dbf
rws1.com.au/g76dbf
samuderaciptaraya.com/g76dbf
sendat.vn/g76dbf
shopro.ir/g76dbf
srcc.co.th/g76dbf
swissmades.com/g76dbf
tacunair.com/g76dbf
tciislandguide.com/g76dbf
uatsa.cl/g76dbf
vicampro.com/g76dbf
web.justproductions.co.uk/g76dbf
wivebeday.com/g76dbf
www.fireballindia.com/g76dbf
www.jockytours.com/g76dbf
www.pb2bb2c.com/g76dbf
www.pharmaciela.com/g76dbf

The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh

A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56. The malware then phones home to one of the following locations:

185.127.27.100/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks.php (Volia DataCentre, Ukraine)


The malware also attempts to contact the following locations, all of which seem to be inactive:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221

Monday, 24 October 2016

Generic email phish tries to bamboozle with jargon

This phishing spam tries to confuse potential victims by throwing legitimate-looking jargon around.

From: Postmaster [mailer-daemon@mailhost.rceit.com]Date: 24 October 2016 at 15:43

To: victim@victimdomain.tld
Subject: Warning: Incoming Messages for victim@victimdomain.tld is [13 undelivered messages]



This message was created automatically by mail delivery software inbound-mail-x1.501.102.43.1

I'm afraid I wasn't able to deliver 13 contact email messages since October 16 2016 for victim@victimdomain.tld

To retrieve your emails and reconfigure Port 486, Click Here

Warning: Failure to do this will lead to total suspension of your email account.

Remote host said: 550 sorry, can't deliver message to your inbox


                                                                                               Please delete and Ignore if this is not your email address.

Clicking on the link ends up at a generic phishing site (in this case the link was foodworkshighcountry.com.au/inbound/index2.htm?victim@victimdomain.tld) which throws even more jargon including these lines:

An error in your SMTP/POP settings is blocking your incoming emails……
Message:      
Date:   

Subject:     Error loading some of your inbox messages
User:     %0%
Bounce reason:   
An error in your SMTP/POP settings is blocking your incoming e-mails
550-5.1.1 :POP configuration text can not be verified
550-5.1.2:Login encountered an unhandled error in your SSL settings
550-5.1.3:Login encountered an unhandled error in your SSL settings
Suggested Solution:   

    Please fill out the form below. Once the error is fixed, our team will contact you.
    Email address:   
    Password:   
       

    
    Your e-mail may be completely blocked, if you do not report this error.


----------------
Content-Type: multipart/alternative; boundary=001a1135f63edd4472050da42d05.


Typing your username and password will send it to the bad guys. Not all phishing emails look stupid, and although this one doesn't really make sense when you look at it closely, it looks authentic enough that it might fool some people.

Malware spam: "Complaint letter" leads to Locky

This spam leads to Locky ransomware:

From     "Justine Hodge"
Date     Mon, 24 Oct 2016 19:27:53 +0600
Subject     Complaint letter

Dear [redacted],

Client sent a complaint letter regarding the data file you provided.
The letter is attached.

Please review his concerns carefully and reply him as soon as possible.

Best regards,
Justine Hodge
The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS scripts with a name starting with "saved letter".

My source tells me that this scripts download from one of the following locations:

adultmagstore.com/itc0h81
alkanshop.com/zrwcx8om
azaminsaat.com/nyzhvh2c
bwocc.org/dkttu
circolorisveglio.com/dw2hheb
coreywallace.com/qjkrlxp
corployalty.it-strategy.ru/p4icah5h
cruzdemiguel.com/jittrxkr
cz1321.com/zg4c4m
decorvise.com/g7k3n
denas-express.ru/fl5vy16
desthailand.com/wfmaq0az
disneyrentalvillas.com/k2ars5j2
downtownlaoffice.com/ixmh1
DSWRITINGS.ORG/lnf7gv
duvalitatli.com/umx3btc1
executivegolfmanagement.com/qtzsegm6
firephonesex.com/bxuobuam
fjbszl.com/m4q1pmr5
fraildata.net/09rz1jcj
fraildata.net/4s1szk77
fraildata.net/5ti18g
fraildata.net/9b8cba
getitsold.info/cndrdsu9
girlsoffire.com/d2k0b967
GNSTUDIO.NET/sxv6fhqo
greenmedicalgroup.org/dy7s5
gruffcrimp.com/352gr0
gruffcrimp.com/5inrze
gruffcrimp.com/8vzak
gruffcrimp.com/bki56h
gunnisonkoa.com/d5cw6
gzxyz.net/zznej
hetaitop.com/pgq8e
infopea.com/bm747o9
iwebmediasavvy.com/eu7mq36w
jejuep.com/jh7rrgbi
jejui.com/j1ldsf
julianhand.com/hollu
jzmkj.net/y7tf2
kak-vernut-devushku.gq/rwlr9
kirijones.net/2b8fnrqm
kirijones.net/4v7574mp
kirijones.net/66wey
kirijones.net/a2r3pme
lqfrdj.com/rbpkt
luobuma8.com/h5hq2que
myboatplans.net/p8gik2g8
nightpeople.co.il/o8le7
onlysalz.com/xjo100
payrentonline.org/l3mdiv7y
pblossom.com/t78u8
potchnoun.com/06p2vxua
potchnoun.com/38j2xn
potchnoun.com/5ngsn8g5
potchnoun.com/8x2nt
privateclubmag.com/wyztr73
prodesc.net/x7nlxq
relentlesspt.com/faisexor
riyuegu.net/o69ecb
royallife.co.uk/mx5nck
ryanrandom.com/hwv97p8
scope-t.com/loinhgm
sexybliss.co.uk/en8ds7nt
sunproductivity.com/m6ot1
taiyuwanli.com/cpkd9
theleadershipdoc.com/wm1bv
turservice.xaker007.net/k92b92
ukdistributionservices.com/x1397
vowedbutea.net/2f1okfif
vowedbutea.net/5491o
vowedbutea.net/8jtnj8nt
vowedbutea.net/apupuyh3
weekcoupon.com/hggbcg
wjyunfanbs.com/ihku0r53
www.studiorif.ru/toiu7
xn--80aa3c3a.xn--b1aajgfxm2a9g.xn--p1ai/xip5lltq
xn--b1aajgfxm2a9g.xn--p1ai/dxd3v
yourrealestateconnection.us/rlfh0

The malware phones home to the following URLs:

109.234.35.215/linuxsucks.php (McHost.ru, Russia)
91.200.14.124/linuxsucks.php [hostname: artem.kotyuzhanskiy.example.com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks.php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)


The following URLs are also contacted but are not active:

mehksltbkd.info/linuxsucks.php
wugijvpctg.click/linuxsucks.php
svyegag.su/linuxsucks.php
fvhnnhggmck.ru/linuxsucks.php
tdlqkewyjwakpru.ru/linuxsucks.php
tnhtfmoglsjarf.work/linuxsucks.php
bhfcyqagglplpt.info/linuxsucks.php
yxlpkrhhkbyhrn.work/linuxsucks.php
fhbllecpavbrxlvci.org/linuxsucks.php
krtwpukq.su/linuxsucks.php
yptehqhsgdvwsxc.biz/linuxsucks.php
otcnomgbqko.work/linuxsucks.php

Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
 
81.177.22.221



Thursday, 6 October 2016

Malware spam: "Invoice-123456-12345678-123-A1B2C3D4" / "01635 279370"

This fake financial spam leads to malware:

From:    invoices@[redacted].com
Date:    6 October 2016 at 07:16
Subject:    Invoice-365961-42888419-888-DE0628DA

Dear Customer,

Please find attached Invoice 42888419 for your attention.

Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

### This mail has been sent from an un-monitored mailbox ###

The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc.

The telephone number appears to belong to a company called Stearn who have absolutely nothing to do with this spam.

The sample I sent for automated analysis [1] [2] downloads some data from:

eaglemouth.org/d5436gh 

I know from my sources (thank you, you know who you are) that there are additional download locations at:

dabihfluky.com/d5436gh
fauseandre.net/d5436gh


This particular variant of Locky ransomware uses black hat hosting for this download location rather than a hacked legitimate site. All these domains are hosted on the following IPs:

62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France)


Furthermore, those IPs are associated with these malicious domains (active ones are in bold):


stenokeid.org
dabihfluky.com
veddanagor.net
eaglemouth.org

writewile.su
bebopamelu.su
anoamans.com
shuspong.com
tchawane.com
teetypoop.com
thokelieu.com
uredosafe.com
awaftaxled.com
clankcutup.com
droukulnad.com
gweedbizen.com
haikhhoose.com
muangbouge.com
ovinekusum.com
shinalumen.com
wellyzimme.com
grimkonde.net
steyjixie.net
pryerungot.net
unzenjerib.net
uphershoji.net
palialawi.org

All of these are tagged for malware by SURBL. Most of them have either anonymous registration or obviously fake details, although this one (for the domain steyjixie.net) stands out:

Registry Registrant ID:
Registrant Name: Taras Ponomarev
Registrant Organization: N/A
Registrant Street: g. Belgorod, ul. Malysheva 96, kv. 124
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 111111
Registrant Country: RU
Registrant Phone: +7.527221603
Registrant Fax: +7.527221603
Registrant Email: info@steyjixie.net
Registry Admin ID: 


A DLL is dropped with a detection rate of 13/56.

UPDATE

I completely forgot to include the C2. D'oh.

109.248.59.164/apache_handler.php (Netart, Russia)

Recommended blocklist:
62.84.69.75
85.118.45.12

109.248.59.164

Wednesday, 5 October 2016

Malware spam: "complaint letter" leads to Locky

This spam email message has a malicious attachment that leads to Locky ransomware:

Subject:     complaint letter
From:     Jae Mason
Date:     Wednesday, 5 October 2016, 10:48

Dear [redacted], client sent a complaint letter regarding the data file you provided.

The letter is attached. Please review his concerns carefully and reply him as soon as possible.
The sender name will vary. Attached is a ZIP file with a name in the format complaint_letter_955ce806.zip which contains a malicious .WSF script.

My source tells me that the scripts download from one of the following locations:

all-rides.com/owav14
bbs.vlibang.com/ojojbry
caggynext.net/0vm80
caggynext.net/1yz517
caggynext.net/36z66i
caggynext.net/6mcco3s
carpetcleaningwestchesterny.net/j2pkoex
dom-dekor.net/q62g3
drewolea.net/0fuhybw0
drewolea.net/1lc09
drewolea.net/25do4q7
drewolea.net/3r9jke
enricobasili.com/m4fqj4lt
goodkiddy.com/pvn5l
idealuze.com/lu814bj
instantstamp.com/j50mt
kencaedu.com/25do4q7
klamathkinetic.org/11c84e3
knoozroom.com/igv7j9e
lanamusty.net/11c84e3
lanamusty.net/1z5vbh
lanamusty.net/3b33zp
lanamusty.net/72mjp
lev-pr.com/i2acpqa1
lgbtbookstore.com/gech2hc
lzeshine.com/girq6q
markjenningsbates.com/72mjp
mediaalias.com/lplgnnaf
minoritycounselor.com/j8365gb
motionthatmovesme.com/h1n2ix7
mysolosource.com/l3x3oczx
ndsemi.com/gy5tw
nuntatimisoara.com/ekrc0i6
nuociss.com/b5ebfsuy
nytaihao.com/ffaw7
pattumalamatha.com/e7r2v1t
phohchaui.com/0mvwos0
phohchaui.com/1xqbcjm
pmfaccountant.com/ggbvw1nj
pobreloco.com/36z66i
praxis-blechert.de/t86h1a
rdoent.com/okq0h9
sasguildford.com/yccemkwd
semes.sk/y0fmps
shingpohk.com/wc2mp0d
snehil.com/vfksxp
sotaygiadinh.net/t9ifk7j
sportowy.info/tbccuj
supergem.net/mri7i
talentinzicht.eu/va7tgx6
technix.ca/jbatquey
theshopwiz.com/t6epks
tiaocuo.org/z4nyglmm
tulisasource.com/rne42v8
turkbyte.com/q7zorra
upper-classmen.com/k1hd6
vincentsvineyard.com/z02mw8ab
www.resumebuddy.net/rcz888
yinstrage.com/0g9b921
yinstrage.com/1tsi2zr
yinstrage.com/2ld6aep
yinstrage.com/5s56ss

There are no C2 servers.

Malware spam: "Document from.." leads to Locky

I have only received a single sample of this spam, presumably it comes from random senders. There is no body text in my sample.

Subject:     Document from Paige
From:     Paige cuddie (Paige592035@gmail.com)
Date:     Wednesday, 5 October 2016, 9:37 
In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script [pastebin] DOC-20161005-WA0002715.wsf.

Automated analysis [1] [2] shows this sample downloads from:

euple.com/65rfgb?EfTazSrkG=eLKWKtL

There will be many other locations besides this.

Those same reports show the malware (in this case Locky ransomware) phoning home to:

88.214.236.36/apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100/apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)


The sample I found downloaded a legitimate binary from ciscobinary.openh264.org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.

Recommended blocklist:
88.214.236.0/23
109.248.59.0/24


Monday, 3 October 2016

Malware spam: "I have shipped your packet. Please check the report enclosed here to view more info."

This spam email leads to Cerber ransomware:

From:    Trevor David
Date:    3 October 2016 at 13:46
Subject:    Pede Industries

Hello
I have shipped your packet. Please check the report enclosed here to view more info.

Word doc password: JqpcGrKK9


Pede Industries
Company names and senders are randomly generated. Attached is a randomly-named .DOT file with password protection. The password protection makes it hard to analyse, but my source tell me that these documents download from:

www.ldlogistic.it/kls.doc
csir.bdx6.siteinternet.com/kls.doc

The dropped malware apparently has an MD5 of 0e7913875724151d8e822add07ec75b2.

Once downloaded, the malware attempts to make a C2 connection to an IP in the range
31.184.234.0/23:6892 (GTO, Montenegro and Virty.io, Russia). I don't know which is the active IP, but blocking the entire /23 might be a good precaution.

Malware spam: "[Scan] 2016-1003 15:26:26" / "Sent with Genius Scan for iOS." leads to Locky

This fake document scan leads to Locky ransomware:

From:    DAMON ASHBROOK
Date:    3 October 2016 at 10:56
Subject:    [Scan] 2016-1003 15:26:26

--
Sent with Genius Scan for iOS.
The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat.

This Malwr analysis shows some of the infection in action. Overall my sources tell me that the various malicious macros download from:

acaciainvest.ro/jhg45s
alraysa.com/jhg45s
anthonycarducci.lawyerpublicity.com/jhg45s
antiquescollectablesandjuststuff.com/jhg45s
atronis.com/jhg45s
bluewaterappco.com/jhg45s
boservice.info/jhg45s
catlong.com/jhg45s
cedrussauna.com/jhg45s
craftsreviews.com/jhg45s
denvertracy.com/jhg45s
dickenshandchimes.com/jhg45s
far-infraredsaunas.com/jhg45s
foe-2.com/jhg45s
gcandcbuilderssite.aaomg.com/jhg45s
hostmyimage.biz/jhg45s
icdsarch.com/jhg45s
inmopromo.com/jhg45s
lesscellantshautegamme.ca/jhg45s
maxleather.aaomg.com/jhg45s
mmm2.aaomg.com/jhg45s
monkeysdragon.net/jhg45s
orhangazitur.com/jhg45s
parkerneem.com/jhg45s
test.cedrussauna.net/jhg45s
tsukasagiku.com/jhg45s
villadiana.lv/jhg45s
webhost911.com/jhg45s

C2 locations are:

149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
logwudorlghdou.info/apache_handler.php
krmwgapkey.work/apache_handler.php
hruicryqytbmc.xyz/apache_handler.php
vswaagv.org/apache_handler.php
smskymrtssawsjb.org/apache_handler.php
wvandssbv.org/apache_handler.php
ytxsbkfjmyxglvt.click/apache_handler.php
rqybmggvssutf.xyz/apache_handler.php
qaemlwlsvqvgcmbke.click/apache_handler.php
btlyarobjohheg.ru/apache_handler.php
civjvjrjjlv.pw/apache_handler.php
xlarkvixnlelbsvxl.xyz/apache_handler.php

A DLL is dropped with a detection rate of 19/57.

Recommended blocklist:
149.202.52.215
217.12.199.244

Malware spam: "please sign" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     please sign
From:     Ricardo Buchanan
Date:     Monday, 3 October 2016, 10:27

Hi [redacted],

I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.



Best Wishes,
Ricardo Buchanan
CEO
In the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name. This obfuscated script [pastebin] appears to download Locky ransomware. Analysis is pending.

UPDATE

This Hybrid Analysis clearly shows Locky in action. According to my sources there are no C2s, and the download locations are:

027tzx.com/lscpv
5v5.net/wmas4
a1hose.com/j9ccher
arabhashtag.com/q2aatrh
arcworks.ca/xmz948l8
AVTORESURS.NET/n5rz8w
basofttech.com/lf7agf
bassbudsgame.com/ptqrx0bl
bradjones.com.au/qglrydv
champi.nl/v5zovddy
charge2go.com/coplbr
clinicaavellaneda.com/ovg45gh
crossroadspd.com/515grm
dangras.net/1f5d4mlo
dangras.net/3geg2zj
dangras.net/5edbite
dangras.net/6lebt
demo.academia-moscow.ru/f6wmma
demo.hostfabrica.ru/n8ygd
dotcom-enterprises.com/cpgskvx9
edrozd.net/zuz15wuc
eskrow.ru/gk2sabe
ferumusky.com/229k9z
ferumusky.com/3surnwl
ferumusky.com/5o11b5s
ferumusky.com/6nfhu0lt
galelaure.com/gvn4j9eq
glosalonline.com/adsry1c
hoamiu.info/lgvdn1l
honeine.com/h03dyzp
hrbqcc.com/kz3vidu6
jetxaviation.com/xbvqdt
joplinglobeonline.com/cc3al2x7
klipink.com/vfvlqynq
louisirby.com/cmlfoyb
louisirby.com/ejtocks
medicangka.com/0s7ygu
medicangka.com/2wn3r
medicangka.com/515grm
medicangka.com/65l4byy
mlsmaids.com/b2ofgow7
mrwebdirectory.net/vl4h091
mucicsitta.net/09xhx
mucicsitta.net/2imhkap
mucicsitta.net/4li3zc
mucicsitta.net/64vvi
mutiarafurniture.com/qwal3v9
netclip.ro/v6wj6yln
nonprofitbenefit.com/h6lne
ossiatzki.com/dyke9
p2pbikini.com/cm9s56to
parasaymamakina.net/ja152
relianceclouds.com/tr56dz8z
remont-vanosa.ru/j292hr
rondeaho.com/08dqn
rondeaho.com/24agob
rondeaho.com/4h2vq
rondeaho.com/5ubi0cxh
rosewong.com/va8asq
sentedesign.pt/pbery0
shinipri.com/brzvbi
softwaregolower.com/rddt0z
superoriente.com/kbgt8m4
syncfish.com/k7brjhgm
tandjsalon.com/gd5ke
tinoprins.nl/uji62x
trulytechnology.com/xs5t4q8
verafleischer.com/eh36e
vinabuhmwoo.com/64vvi
vipmarketing.co.il/ub0ybv5
welsell.com/tgtmzm
www.4u-byme.com/ay7ugmad
yogajourneyretreat.com/ewgjrey
yoobux.com/euy7k8
youspeak.pt/l5j3iw
yuzhuyuan.com/65l4byy
zachmacphoto.com/be8il1jb
zsvlomnica.sk/229k9z



Thursday, 29 September 2016

Malware spam: "Receipt 103-526" / Receipt.xls

This spam leads to Locky ransomware:

From     rosalyn.gregory@gmail.com
Date     Thu, 29 Sep 2016 21:07:46 +0800
Subject     Receipt 103-526
I cannot tell if there is any body text, however there is an attachment Receipt.xls which contains malicious code [pastebin] that in the case of the sample I analysed downloads a binary from:

opmsk.ru/g76ub76

There will be many other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:

89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

A malicious DLL is dropped with a detection rate of 6/57. Malicious IPs and domains overlap quite a bit with this earlier attack. This version of Locky encrypts files with a .odin extension.

UPDATE - a source indicates these are all the download locations in this attack:

1gouw.com/g76ub76
368lx.com/g76ub76
81millstreet.nl/g76ub76
alliswelltour.com/g76ub76
ampconnect.com/g76ub76
anhsaodem.info/g76ub76
aseandates.com/g76ub76
birthstory.com/g76ub76
cmcomunicacion.es/g76ub76
dedivan.ru/g76ub76
demo.website.pl/g76ub76
econopaginas.com/g76ub76
gadget24.ro/g76ub76
globalremoteservices.com/g76ub76
innogenap.com/g76ub76
juyinggroup.com/g76ub76
kelownatownhomes.com/g76ub76
mediumsize.org/g76ub76
opmsk.ru/g76ub76
parentchildmothergoose.com/g76ub76
parroquiansg.org/g76ub76
slaterarts.com/g76ub76
sonajp.com/g76ub76
studiorif.ru/g76ub76
unforgettabletymes.com/g76ub76

Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132