Malware spam: "[Vigor2820 Series] New voice mail message from xxxxx"

This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.

Subject:     [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
From:     voicemail@victimdomain.tld (voicemail@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Thursday, 8 September 2016, 13:15

Dear webmaster :
    There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
You might want to check it when you get a chance.Thanks!

Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:

158.195.68.10/g76gyui
209.41.183.242/g76gyui
dashman.web.fc2.com/g76gyui
dcqoutlet.es/g76gyui
dpskaunas.puslapiai.lt/g76gyui
fidelitas.heimat.eu/g76gyui
gam-e20.it/g76gyui
ghost-tony.com.es/g76gyui
josemedina.com/g76gyui
kreativmanagement.homepage.t-online.de/g76gyui
olivier.coroenne.perso.sfr.fr/g76gyui
portadeenrolar.ind.br/g76gyui
sitio655.vtrbandaancha.net/g76gyui
sp-moto.ru/g76gyui
srxrun.nobody.jp/g76gyui
thb-berlin.homepage.t-online.de/g76gyui
tst-technik.de/g76gyui
unimet.tmhandel.com/g76gyui
www.agridiving.net/g76gyui
www.alanmorgan.plus.com/g76gyui
www.aldesco.it/g76gyui
www.alpstaxi.co.jp/g76gyui
www.association-julescatoire.fr/g76gyui
www.bytove.jadro.szm.com/g76gyui
www.ccnprodusenaturiste.home.ro/g76gyui
www.gebrvanorsouw.nl/g76gyui
www.gengokk.co.jp/g76gyui
www.hung-guan.com.tw/g76gyui
www.idiomestarradellas.com/g76gyui
www.laribalta.org/g76gyui
www.mikeg7hen.talktalk.net/g76gyui
www.one-clap.jp/g76gyui
www.radicegioielli.com/g76gyui
www.rioual.com/g76gyui
www.spiritueelcentrumaum.net/g76gyui
www.texelvakantiehuisje.nl/g76gyui
www.threshold-online.co.uk/g76gyui
www.whitakerpd.co.uk/g76gyui
www.xolod-teplo.ru/g76gyui

Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu)

Unusually, this version of Locky does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above or you could monitor for the string g76gyui in your logs.

UPDATE: the Hybrid Analysis of the script can be found here.

Malware spam: "Agreement form" leads to Locky

This fake financial spam leads to malware:

Subject:     Agreement form
From:     Marlin Gibson
Date:     Wednesday, 7 September 2016, 9:35

Hi there,

Roberta assigned you to make the payment agreement for the new coming employees.

Here is the agreement form. Please finish it urgently.

Best Regards,
Marlin Gibson
Support Manager

The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..

308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js

Automated analysis [1] [2] shows that the scripts [partly deobfuscated example] attempt to download a binary from one of the following locations:

donttouchmybaseline.ws/ecf2k1o
canonsupervideo4k.ws/afeb6
malwinstall.wang/fsdglygf
listofbuyersus.co.in/epzugs

Of those locations, only the first three resolve, as follows:

donttouchmybaseline.ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k.ws   51.255.227.230 (OVH, France / Kitdos)
malwinstall.wang       51.255.227.230 (OVH, France / Kitdos)

The registration details for all those domains are the same:

  Registry Registrant ID:
  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru
  Registry Admin ID:

These are the same details as found here. We know from that incident that the download locations are actually spread around a bit:

23.95.106.206 (New Wave NetConnect, US)
51.255.227.230 (OVH, France / Kitdos)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
216.244.68.195 (Wowrack, US)
217.13.103.48 (1B Holding ZRT, Hungary)

The following also presumably evil sites are also hosted on those IPs:

bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name

Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:

51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name

UPDATE

My trusted source (thank you) says that it phones home to the following IPs and URLs:

91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota.org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg.work/data/info.php
balichpjuamrd.work/data/info.php
mvvdhnix.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti.work/data/info.php
iruglwxkasnrcq.pl/data/info.php
xketxpqxj.work/data/info.php
qkmecehteogblx.su/data/info.php
bbskrcwndcyow.su/data/info.php
nqjacfrdpkiyuen.ru/data/info.php
ucjpevjjl.work/data/info.php
nyxgjdcm.info/data/info.php

In addition to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55

Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."

This fake financial spam has a malicious attachment:

From:    Tamika Good
Date:    5 September 2016 at 08:43
Subject:    Credit card receipt

Dear [redacted],

We are sending you the credit card receipt from yesterday. Please match the card number and amount.


Sincerely yours,
Tamika Good
Account manager

The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_

A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:

canonsupervideo4k.ws/1bcpr7xx

This appears to be multihomed on the following IP addresses:

23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)

Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:

  Registrant Name: Dudenkov Denis
  Registrant Organization: Eranet International Limited
  Registrant Street: Lenina 18 Lenina 18
  Registrant City: Vladivostok
  Registrant State/Province: RU
  Registrant Postal Code: 690109
  Registrant Country: RU
  Registrant Phone: 85222190860
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: volosovik@inbox.ru

Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57.  These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:

91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)

The payload is probably Locky ransomware.

Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55

Malware spam: "old office facilities" leads to Locky

This spam has a malicious attachment:

Subject:     old office facilities
From:     Kimberly Snow (Snow.741@niqueladosbestreu.com)
Date:     Friday, 2 September 2016, 8:55

Hi Corina,

Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.


Best wishes,
Kimberly Snow

The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number.

Analysis is pending, but this Malwr report indicates attempted communications to:

malwinstall.wang
sopranolady7.wang

..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.

UPDATE 1

According to this Malwr report it drops a DLL with a detection rate of 10/58. Also those mysterious .wang domains appear to be multihomed on the following IPs:

23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)

Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28

Malware spam: "Scanned image from MX2310U@victimdomain.tld" leads to Locky

This fake document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.

Subject:     Scanned image from MX2310U@victimdomain.tld
From:     office@victimdomain.tld (office@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 2 September 2016, 2:29

Reply to: office@victimdomain.tld [office@victimdomain.tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception

File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
Adobe(R)Reader(R) can be downloaded from the following URL:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.

    http://www.adobe.com/

Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component from on of the following locations:

body-fitness.net/lagmslh
bushman-rest.com/aoeueyk
capannoneinliguria.com/lijrnub
foerschl.gmxhome.de/emyomqa
imakarademo.web.fc2.com/akwhorc
inge28.mytactis.com/cqmoxef
pennylanecupcakes.com.au/mhkqxia
rabbitfood.web.fc2.com/ixvnfyj
sakon118.web.fc2.com/srmrsgf
sebangou8.xxxxxxxx.jp/kfkdpvl
sojasaude.com.br/ahtoijg
sp-moto.ru/vodusim
t-schoener.de/mdexigc
www.bytove.jadro.szm.com/dgsqens
www.callisto.cba.pl/oqmfnar
www.ccnprodusenaturiste.home.ro/hiogthu
www.coropeppinumereu.it/xyhhytf
www.one-clap.jp/pourpjr
www.parrucchieriagiacomo.com/dekjxus
www.radicegioielli.com/aayfixd
www.sieas.com/mkndcbn
www.spiritueelcentrumaum.net/ksqoyps
www.vanetti.it/inywdjo
www.whitakerpd.co.uk/ymmcguk
www.xolod-teplo.ru/ygpwfty
yggithuq.utawebhost.at/getatoj

The payload is Locky ransomware, phoning home to:

212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers.xyz] (EDIS, Austria)

Recommended blocklist:
212.109.192.235
149.154.152.108

Malware spam: "Please find attached invoice no" leads to Locky

This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.

Subject:     Please find attached invoice no: 329218
From:     victim@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Thursday, 1 September 2016, 12:42

Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.

Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download from one of the following locations:

158.195.68.10/87hcrn33g
branchjp.web.fc2.com/87hcrn33g
chal4.co.uk/87hcrn33g
dashman.web.fc2.com/87hcrn33g
dcqoutlet.es/87hcrn33g
forum.sandalcraft.cba.pl/87hcrn33g
hotcarshhhs6632.com/js/87hcrn33g
hotelimperium.go.ro/87hcrn33g
imperium.nazory.cz/87hcrn33g
kawasima0506.web.fc2.com/87hcrn33g
kissfm.rdsor.ro/87hcrn33g
ksiega.solidworks.cba.pl/87hcrn33g
nevrincea.50webs.com/87hcrn33g
olivier.coroenne.perso.sfr.fr/87hcrn33g
postaldigitalrs.com.br/87hcrn33g
pp4_09_10_2s.republika.pl/87hcrn33g
reklamnibannery.wz.cz/87hcrn33g
rhanwid.com/87hcrn33g
sac360.web.fc2.com/87hcrn33g
school3.50webs.com/87hcrn33g
srxrun.nobody.jp/87hcrn33g
szkolagrojec.republika.pl/87hcrn33g
wccf.huuryuu.com/87hcrn33g
www.agridiving.net/87hcrn33g
www.archiviestoria.it/87hcrn33g
www.cmg-ingegneria.it/87hcrn33g
www.coseincredibili.it/87hcrn33g
www.courtesyweb.it/87hcrn33g
www.dallaglio-nordin.com/87hcrn33g
www.galaturs.com.ua/87hcrn33g
www.gebrvanorsouw.nl/87hcrn33g
www.gunaldy.com/87hcrn33g
www.idiomestarradellas.com/87hcrn33g
www.infoteria.cba.pl/87hcrn33g
www.termoalbiate.com/87hcrn33g
zui9reica.web.fc2.com/87hcrn33g

The payload appears to be Locky ransomware. It phones home to:

188.127.249.32/data/info.php
95.85.19.195/data/info.php
212.109.192.235/data/info.php
jljiqkwchebdtng.click/data/info.php
xattllfuayehhmpnx.pw/data/info.php
gxytcem.info/data/info.php
cmodkwsxu.biz/data/info.php
cucifux.pw/data/info.php
yectcnixjvowtac.pw/data/info.php
wkufbyd.ru/data/info.php
cjtysjouoheneprhu.ru/data/info.php
ipbjheegfnwrhh.pl/data/info.php
xmujkqloyo.info/data/info.php
hyopihvoqidlgckyu.biz/data/info.php
bhooxdm.work/data/info.php

This is similar to the list here.

Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24

Malware spam: "Our shipping service is sending the order form due to the request from your company."

This fake shipping email comes with a malicious attachment:

Subject:     Shipping information
From:     Charles Burgess
Date:     Thursday, 1 September 2016, 9:30

Dear customer,

Our shipping service is sending the order form due to the request from your company.

Please fill the attached form with precise information.

Very truly yours,
Charles Burgess

The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and endng with _shipping_service.js.

Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):


joeybecker.gmxhome.de/430j1t
ngenge.web.fc2.com/vs1qc0
mambarambaro.ws/1zvqoqf
timetobuymlw.in/2dlqalg0
peetersrobin.atspace.com/t2heyor1
www.bioinfotst.cba.pl/u89o4

Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis shows the malware phoning home to:

5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably Locky ransomware.

Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24

Malware spam: "bank transactions"

This fake financial spam comes with a malicious attachment:

From:    Rueben Vazquez
Date:    31 August 2016 at 10:06
Subject:    bank transactions


Good morning petrol.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.


Yours truly,
Rueben Vazquez

The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.

According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):

www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis

Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:

95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

The payload is probably the Locky ransomware.

Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24

Malware spam: "The office printer is having problems so I've had to email the UPS label"

This fake UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.

From     "Laurence lumb" [Laurence.lumb25@ups.de]
Date     Thu, 18 Aug 2016 17:35:21 +0530
Subject     Emailing: Label

Good afternoon

The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.

Cheers

Laurence lumb

Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):

a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7

This dropped binary has a detection rate of 6/54. It phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)

Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183

Malware spam: "Jen [Jen@purple-office.com]" / "Documents from Purple Office - IN00003993"

These fake financial documents have a malicious attachment:

From:    Jen [Jen@purple-office.com]
Date:    15 August 2016 at 14:10
Subject:    Documents from Purple Office - IN00003993

Please find attached invoice/credit from Purple Office.

Best regards,

Purple Office 

Attached is a randomly-named DOCM file which is almost definitely a variant of Locky ransomware as seen here and here.

Malware spam: "Emma Critchley (emmacritchley@advantage-finance.co.uk)" / "Emailing - 9104896607509"

This fake financial spam has a malicious attachment. It does not come from Advantage Finance but is instead a simple forgery.

Subject:     Emailing - 9104896607509
From:     Emma Critchley (emmacritchley@advantage-finance.co.uk)
Date:     Monday, 15 August 2016, 13:28

Hi

Vicky has asked me to forward you the finance documents (Please see attached)


Many Thanks 

Attached is a DOCM file with a name that matches the subject. There are various versions, all of which download Locky ransomware from one of the following locations (thank you to my source):

devierdemuur.50webs.com/HJ6bhGHV
kittoyakudatu.web.fc2.com/HJ6bhGHV
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
rondoncompany.bake-neko.net/HJ6bhGHV
topfireart.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.bozenan.swk.vectranet.pl/HJ6bhGHV
www.carrosserie-promocar.net/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.scoutvda.it/HJ6bhGHV
www.tecnohellas.gr/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV

This phones home to the same servers as mentioned in this post.

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 

Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV

The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld

The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs

The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6

The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Malware spam: "Please sign the receipt attached for the arrival of new office facilities." leads to Locky

Yet another Locky campaign today..

From:    Erica Hutchinson
Date:    4 August 2016 at 12:34
Subject:    please sign

Dear [redacted]

Please sign the receipt attached for the arrival of new office facilities.


Best regards,
Erica Hutchinson

This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run.

Malware spam: "Emailing: Sheet / Document / Invoice" with a .docm leads to Locky

This malware-laden spam comes with a variety of subjects, for example:

Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf

There is no body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component from one of the following locations:

abi64.com/h78r3gfe
bikepaintpureworks.web.fc2.com/h78r3gfe
brupuoli.tempsite.ws/h78r3gfe
composit.vtrbandaancha.net/h78r3gfe
film-online.bejbiblues.cba.pl/h78r3gfe
ftp.bergamo.chiesacattolica.it/h78r3gfe
innal.com.mx/h78r3gfe
karnat.cba.pl/h78r3gfe
mbc.nekonikoban.org/h78r3gfe
potato.chottu.net/h78r3gfe
schello4u.de/h78r3gfe
tyouseikan.web.fc2.com/h78r3gfe
www.agriturismolapiana.net/h78r3gfe
www.artistsagainstwar.it/h78r3gfe
www.bwmodels.com/h78r3gfe
www.comunedicanischio.it/h78r3gfe
www.ekstraciuchy.pl/h78r3gfe
www.kishazy.hu/h78r3gfe

(Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here.

Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change


King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7

Sender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:

escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7

This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]

All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.

Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22

Malware spam: "Confirmation letter" leads to Locky

Another spam run leading to Locky ransomware..

From:    Mavis Howe [Howe.4267@croestate.com]
Date:    3 August 2016 at 13:32
Subject:    Confirmation letter

Hi [redacted],

I attached the employment confirmation letter I prepared.
Please check it before you send it out.

Best regards

Mavis Howe

The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here.

Malware spam: "As you directed, I send the attachment containing the data about the new invoices"

Another day, another Locky ransomware run:

From:    Marian Mcgowan
Date:    3 August 2016 at 11:15
Subject:    Fw: New invoices

As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script  which according to this Malwr analysis downloads a binary from..

blog-aida.cba.pl/2zensi7t

..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:

93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]

Both those IPs are in known bad blocks.

Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24

Malware spam: "Unable to deliver your item, #000179376" / "FedEx International Ground" leads to ransomware

This fake FedEx email has a malicious attachment.

From:    FedEx International Ground [terry.mcnamara@luxmap.com]
Date:    2 August 2016 at 18:53
Subject:    [REDACTED], Unable to deliver your item, #000179376

Dear [Redacted],

This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.

Thanks and best regards,
Terry Mcnamara,
Support Manager.

Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis on the sample shows that the script downloads ransomware from opros.mskobr.ru but a quick examination of the code reveals several download locations:

opros.mskobr.ru
alacahukuk.com
www.ortoservis.ru
aksoypansiyon.com
samurkasgrup.com

Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:

195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)

A couple of binaries are dropped onto the system, a.exe (detection rate 2/53) [may not be malicious] and a2.exe (detection rate 7/53).

The payload seems to be Nemucod / Crypted or some related ransomware.

Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32

Malware spam: "Please review the attached corrected annual report." / "Corrected report"

This spam comes with a malicious attachment:

Subject:     Corrected report
From:     Joey Cox (Cox.48@sodetel.net.lb)
Date:     Monday, 1 August 2016, 13:37

Dear webmaster,

Please review the attached corrected annual report.

Yours faithfully
Joey Cox

The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware from one of the following locations (thank you to my usual source for analysis):

121.83.206.211/~ftp-yama/9z6nu
12-land.co.jp/gyukmx
209.202.52.42/~wevugoja/eijz2y
213.228.128.12/~joaod/2xbjbu
213.228.128.12/~joaod/74ujkijl
217.26.70.200/~pitagora/4nm1k
218.228.19.9/~yossi/9ssfpkz
67.23.226.139/~jneccsio/2egblt4m
79.96.153.93/cxzlkz
80.109.240.71/~r.theeuwes/6c1arl9
abufarha.net/55hhso
akeseverin.com/audqp
akva-sarat.nichost.ru/xc2kao
arogyaforhealth.com/l9bwo0
b-doors.ru/l65n0 - hash
bisericaromaneasca.ro/jzvtuc
bobbysinghwpg.com/k3v1t3v4
canplus.fc2web.com/faepi1
certifiedbanker.org/lg305
climairuk.com/kmbw8q
clinic.gov.ua/sku4ql
darkhollowcoffee.com/n69xfk
darkhollowcoffee.com/xlbps
enexp.ru/r2wbp6
fotografuj.pl/8hotlfc2
fotografuj.pl/y4m2b
gp-logistics.ru/uwkop
keven.site.aplus.net/rb9skl
krovgid.ru/wooq2
libertymanuals.com/o97dh92i
mobile-kontent.com/ou6ne
openspace.pro/teg7qur
paletteswapninja.com/~playre5/0mxupm8q
programistyczni.strefa.pl/j7xk8c
ramsayconstruction.ca/b27ix9s
rom-stroy.ru/s0kphjat
schlebach.25mm.ru/ycz6sn
seahawkexports.com/7954qp3a
shagunproperty.com/8ikrr
sigovka.ru/w790cg8h
steelfs.com.mx/00ucikvv
stroymonolit.su/7oiy5i8
tvoy-android.com/i8rsoei
u2319351.plsk.regruhosting.ru/vsfvyj1j
ultramarincentr.ru/jtmms
uxeurope.com/~guest/7rj3px
visionaero.com/9grdv
wordpress.pro-tiler.ru/mk9yi4wl
www.robtozier.com/bg58a

The dropped binary then attempts to phone home to:

91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

The host for that last one comes up over and over again, it's time to block that /22..

Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22

Scam: Fanrong Europe Fund / fanrongfund.info / fanrongeuropefund.info / fanrongeuropefund.com

This spam email advertising a "too good to be true" investment is a scam:

From:    Tim Hoffman [letter@612.com]
To:    contact [contact@victimdomain.tld]
Date:    30 July 2016 at 09:26
Subject:    Fanrong Europe Fund – 1 Half 2016 return +32.69%.

Dear Sirs,

Please be informed that the Fanrong Europe Fund reported strong 1 Half 2016 with return +32.69%.

Fanrong Europe Fund is a registered hedge fund that managed by a team of stock market experts that located in Zurich, Switzerland. The Fanrong Europe Fund Strategy is Long/Short Equity. The Fund was launched in April 2014. It is open-ended hedge fund. We are open for new investors.

We welcome you to contact us through our web-site to learn more about investing with us:
www.FanrongFund.info

Kind regards,
Tim Hoffman
e-marketing manager
Fanrong Europe Fund
www.FanrongFund.info


Reply to: marketing@fanrongfund.info

If you do not want to receive this newsletter send an email to: unsubscribe@fanrongfund.info

NOTICE: Your address was obtained from open sources where you were agreed to receive the marketing information from third parties.

I have received two of these emails, one coming from the IPs 188.69.207.57 and 188.69.223.168 which are both allocated to a mobile phone provider in Lithuania (UPDATE: also 188.69.223.54). The website fanrongfund.info was created just a few days ago (28th July 2016) and is registed to the following (presumably fake) registrant:

Registrant ID: JLD4030131633
Registrant Name: James Dean
Registrant Organization:
Registrant Street: Vorstadt 20
Registrant City: Zug
Registrant State/Province:
Registrant Postal Code: 6300
Registrant Country: CH
Registrant Phone: +41.417120101
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jd767@yahoo.com

The site is hosted (apparently) in the British Virgin Islands on an IP allocated to the Public Domain Registry (PDR). It uses nameservers from Russian company AYBHOST.COM.

The website is pretty generic looking and opens with these words of wisdom:

Our main trade approach is:
"Close the position if it runs to loss, and hold it if it runs to profit".

Hans Messner
fund manager "Fanrong Europe Fund"

What next. "Buy low, sell high"? Here are some screenshots in case you see another version of this on your travels:

The "About" page carries this text:

We are the EU-domiciled investment manager with successful experience in stock trade in EU. Our professional assets managers have personal approach to trade with bear and bulls market. We use self-made investment strategy that allows getting the constant positive result in short-term horizon. All investment process is in full accordance with IIS (International Investment Standards) of Fanrong Capital (Hong Kong) (fanrongcapital.com).

Presumably this is copied off an earlier scam site, in this case there is an official warning about that particular firm.

fanrongfund.info appears to have mirrors at:

fanrongeuropefund.info
fanrongeuropefund.com

Both of these are hosted on 46.4.24.196 (Hetzner, Germany). The WHOIS details for those are inconsistent with each other.

fanrongeuropefund.info
Registrant ID: HSM1859139253
Registrant Name: Hans Messner
Registrant Organization: Fanrong Europe Fund
Registrant Street: Leutschenbachstrasse 95
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8050
Registrant Country: CH
Registrant Phone: +41.445632589
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.info

fanrongeuropefund.com
Registry Registrant ID: Not Available From Registry
Registrant Name: Li Yong
Registrant Organization:
Registrant Street: Schwingerstrasse 9
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8006
Registrant Country: CH
Registrant Phone: +41.442289632
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.com

For completeness, the domain fanrongcapital.com is hosted on 5.100.152.26  (the same block as fanrongfund.info) and this particular corporation seems to be using a free email address..

Registry Registrant ID: Not Available From Registry
Registrant Name: Wei Zhang
Registrant Organization: Fanrong Capital
Registrant Street: 20F, 1 Harbor View Street
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 111000
Registrant Country: HK
Registrant Phone: +852.58085536
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fanrongcapital@yahoo.com

Nothing about this offer is legitimate. Avoid it, or if you have invested money in this fictitious firm then you should contact the police immediately.

Malware spam: "Voicemail from Anonymous" / SureVoIP [voicemailandfax@surevoip.co.uk]

This fake voicemail spam has a malicious attachment:

From     SureVoIP [voicemailandfax@surevoip.co.uk]
Date     Fri, 29 Jul 2016 17:47:41 +0700
Subject     Voicemail from Anonymous <Anonymous> 00:02:15

Message From "Anonymous" AnonymousCreated: Fri, 29 Jul 2016 19:45:15 +0900Duration:
00:02:37Account: victimdomain.tld

The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf.

According to my trusted source (thank you as ever):

64.22.100.95/78h8ry
A1Engg.com/9u8jreve
am-i-evil.de/n3rv3rv
avaretv.atspace.com/n3rv3rv
cieslakwz.cba.pl/9u8jreve
curionaut.web.fc2.com/78h8ry
gim24.y0.pl/9u8jreve
guessen.privat.t-online.de/9u8jreve
gurannbania03.web.fc2.com/9u8jreve
hanokenko.web.fc2.com/n3rv3rv
hokkatsu6.web.fc2.com/78h8ry
kapiti-alpaca.co.nz/78h8ry
kathrin18.edv-kamue.de/78h8ry
kimani.dommel.be/n3rv3rv
martinezlabalsa.atspace.org/78h8ry
melzer-ferienwohnung.de/78h8ry
mertenitalia.atspace.com/78h8ry
paris82nana.cafe24.com/78h8ry
pixelacker.de/9u8jreve
rakurakutuuhang.web.fc2.com/n3rv3rv
rhodins.nu/n3rv3rv
sandalcraft.cba.pl/9u8jreve
shinryu1226.web.fc2.com/78h8ry
sspbadecz.ugu.pl/9u8jreve
www.amelander.nl/78h8ry
www.arrietayasociados.es/9u8jreve
www.atiyka.home.ro/9u8jreve
www.bobp.org.uk/9u8jreve
www.cabana.it/9u8jreve
www.corama.com/n3rv3rv
www.cs-strumentazione.it/9u8jreve
www.destine.broker.go.ro/n3rv3rv
www.diegofabbri.com/n3rv3rv
www.ecologica2000srl.eu/78h8ry
www.finnform.it/n3rv3rv
www.flamarimports.com.br/n3rv3rv
www.josegbueno.jazztel.es/9u8jreve
www.malzi.mynetcologne.de/n3rv3rv
www.markomielentz.de/78h8ry
www.nieli.de/9u8jreve
www.oliooddo.com/n3rv3rv
www.professionaldga.com/78h8ry
www.suesswarentechniker.de/78h8ry
www.techninov.fr/n3rv3rv
yohollywood.50webs.com/78h8ry

The downloaded binary is Locky ransomware, phoning home to:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]

Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139

Malware spam: "Bank account record" leads to Locky

This fake financial spam leads to malware:

Subject:     Bank account record
From:     Stephen Ford (Ford.24850@aworkofartcontracting.com)
Date:     Friday, 29 July 2016, 10:56

Good morning,

Did you forget to finish the Bank account record?
Read the attachment and let me know if there is anything I didn't make clear.

Yours sincerely,
Stephen Ford

57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe 

The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attacked is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record" (sample here).

According to the Hybrid Analysis on that script and Malwr report on a partly deobfuscated version the script downloads a binary from:

oleanderhome.com/q59ldt5r

This dropped binary has a detection rate of 5/55 and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2].

The is also traffic to kassa.p0.ru which is more of a puzzle and doesn't look particularly malicious. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs.

If I get more information on this I will post it here.

UPDATE

My trusted source (thank you) gives the following download locations:

211.18.200.4/~tlas021/3rwcozqv
80.241.232.207/fefj1r
agazoumi.com/t30z6j8
alci.dommel.be/clf26lu
amandinearmand.perso.sfr.fr/6piy70m
azmusclemart.com/pb79s
bartocha-photography.com/~fib-naturfoto/99xny
blekitniproba.cba.pl/fo1k6o
chelmy.cba.pl/yv7h2r3
childmoon.web.fc2.com/coy0nl
fcc-thechamps.de/6g5vo1a
garo903.web.fc2.com/2mf4v0
handball-literatur.de/3ua7j
happurg-schulanger.atspace.org/0s6lyu6
hw.srca.org/iwg54jh
impregui.com/h3cywm
inhouserecording.atspace.com/t4wj9316
intracorpwestsidecollection.com/ifs0j92
joslinsalesltd.com/kro1gx
jyoumon.web.fc2.com/7tcec
kenestyonline.com/h782hd
minocki.republika.pl/nvlx7
minocki.republika.pl/s125d6
newt150.tripod.com/4bcsv
oleanderhome.com/q59ldt5r
ratnam.fx.perso.sfr.fr/vtpm9k
senzai.nobu-naga.net/2jv74
smc.psuti.ru/3rcxu
theuniongroup.com/5sv0c
tomart3d.cba.pl/3ivctw
voisin-sa.com/~voisin9689/vnsaumj
vova318.vline.ru/mkmkr
wbbs176.web.fc2.com/20srj
wktkwkbaaan.web.fc2.com/0mm9qx
wn420pjpa.homepage.t-online.de/046ss5
www.13one.de/vz8gl5a
www.astool.com/ljgzai
www.attivita-antroposofiche-roma.org/gpjjr5u
www.damasoinfante.com/7pmfw
www.dukewayne.talktalk.net/todga
www.erikacostruzioni.com/0z1hkf
www.ferresur.es/3k58w8z
www.fotosdelburgo.com/oerwg1
www.frank-nickel.de/7e46f9t5
www.hydroenergie.fr/yzhhkit
www.istruiscus.it/qzdy65b0
www.istruiscus.it/r5ncu
www.kassa.p0.ru
www.snvl-ptrc.go.ro/srhgx
zauber-fred.de/0zth9jfv

C2 servers are the same as found here.

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]

Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139

Malware spam: "Self Billing Statement" / Kathryn Smith [kathryn@powersolutions.com] leads to Locky

This fake financial spam comes with a malicious attachment:

From     Kathryn Smith [kathryn@powersolutions.com]
Date     Thu, 28 Jul 2016 16:21:41 +0530
Subject     Self Billing Statement

I do not know if there is any body text at present. Attached is a file with a name similar to Self Billing Statement_431.zip which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js)

Analysis by a trusted party shows that these scripts download a component from one of the following locations:

apachost.com/j988765
avon-beraterin-mank.de/j988765
cukiernia_izabela.republika.pl/j988765
dawstaw.cba.pl/j988765
gnetgnethouse.web.fc2.com/j988765
gumka.strefa.pl/j988765
kreacjonizm.cba.pl/j988765
levivanesch.nl/j988765
maka.ken-shin.net/j988765
okhtinka.ru.hoster-ok.com/j988765
robertstefan.home.ro/j988765
sardain.fr/j988765
sonomama.kan-be.com/j988765
taityou0615.web.fc2.com/j988765
tolearn.tora.ru/j988765
www.andyschwietzer.homepage.t-online.de/j988765
www.aspadeljaen.com/j988765
www.camelu.com/j988765
www.flagships.de/j988765
www.schwarzer-baer-kastl.de/j988765
www.uasm.de/j988765

This originally dropped this payload since updated to this payload, both of which are Locky ransomware. The C2 servers to block are exactly the same as found in this earlier spam run.

Malware spam: "Please check the attached invoice and confirm me if I sent the right data" leads to Locky

This fake financial spam leads to malware:

Subject:     Invoice
From:     Kendall Harrison (Harrison.59349@chazsmedley.com)
Date:     Thursday, 28 July 2016, 10:33

Hello,

Please check the attached invoice and confirm me if I sent the right data

Yours sincerely,
Kendall Harrison

320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3 

The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted".

The Malwr analysis for the partially deobfuscated script and this Hybrid Analysis show this particular sample downloading from:

83.235.64.44/~typecent/xvsb58

This drops a malicious Locky ransomware binary with a detection rate of 7/55. Analysis of this binary is pending.

UPDATE

Thank you to my usual source for this analysis. The download locations for the various scripts are:

01ad681.netsolhost.com/7j0jlq3
12-land.co.jp/vrquj
178.78.87.8/xjzhm
83.235.64.44/~typecent/xvsb58
arabian-horse-highlights.homepage.t-online.de/kzm2n
bajasae.grupos.usb.ve/4y13jg1
baldwinhistory.portalstream.net/rqbljjx
billy-hanjo.homepage.t-online.de/2r713u
blanquerna.eresmas.net/tt2e8s4
burkersdorf.eu/8y5n3f
campustouren.de/k6tkk
christilipp.com/cnb0o
creartnet.com/5ylah
dev12.gammat.net/oxg2m3
exclusive-closet.com/fld2h8
fremdesland.x.fc2.com/iya9qt
gkxxx.x.fc2.com/dxfom
idd00dnu.eresmas.net/wdmlqe
it4cio.servicos.ws/u8c3x
jozefow.cba.pl/ouini6
karumaengeki.web.fc2.com/f3ry4
kbridge.web.fc2.com/hj1fr
lacrima.ru/hvn1c
luzdevelas.es/9belfi
mbiurorachunkowe.republika.pl/6t6sz
motorkote.org/0gq654
okhtinka.ru.hoster-ok.com/qdiqooeo
papamama.com.sg/zhbepez
piggy.riffle.be/~gniff/r9bzz
robertstefan.home.ro/pycz4o
sav-krelingen.de/36r3qe8
schefman.info/snjqz
slit.xxxxxxxx.jp/l58gd3p
sv-r.ru/btawsoc
www.acheri.it/magii
www.andyschwietzer.homepage.t-online.de/r3a0tw
www.chantale.force9.co.uk/lsyeuw
www.clefranceitalie.org/cj937f7l
www.inari.net/ov5u1k
www.kan-therm.ru/qara9i
www.marinoderosas.com/59nue8uo
www.panella.org/eo9lk
www.rgtalp14.it/ykb84n40
www.ruyssinck-demeyer.be/v4xo5r28
www.schwarzer-baer-kastl.de/tt7ea
www.uasm.de/qwqiyk
yourparty.cba.pl/5avhe
zckupila.republika.pl/m6w6uu5f

C2 locations:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)

Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be 

The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.

UPDATE

The C2 locations for this variant are:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)

Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30

Malware spam: "Sent from my Samsung device" leads to Locky

This spam comes in a few different variations:

From:    Lottie
Date:    27 July 2016 at 10:38
Subject:    scan0000510

Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:

alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765

The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)

(Thank you to my usual source for this data)

There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.

Recommended blocklist:
5.9.253.160/27
178.62.232.244

Malware spam: "list of activities" leads to Locky

This fake business spam has a malicious attachment:

From     "Penelope Phelps"
Date     Tue, 26 Jul 2016 23:02:43 +1100
Subject     list of activities

Hello,

Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.

Warm regards,
Penelope Phelps
ALLIED MINDS LTD
Security-ID: 4d2c95a750fe26a3560ffddfe374ff5c5c064bd78fea30

The sender's name, company and "Security-ID" vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script that looks like this. This Malwr report and this Hybrid Analysis show this particular sample downloading from:

akva-sarat.nichost.ru/bokkdolx

There will be many other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55. Further analysis is pending, however it is quite likely that this sample uses the same C2 servers as seen earlier today.

Malware spam: "Attached Image" leads to Locky

This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    26 July 2016 at 10:27
Subject:    Attached Image

**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************

Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:

www.isleofwightcomputerrepairs.talktalk.net/okp987g7v

There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:

31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

Recommended blocklist:
31.41.47.41
91.234.35.216