Dynamoo's Blog

Monday 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*

Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249

Wednesday 19 July 2017

Necurs oddity II: avto111222@bigmir.net

Yesterday I saw a series spam emails from Necurs apparently attempting to collect replies to super.testtesttest2018@yahoo.com. Although that campaign is continuing today, a new spam run with similar characteristics has started this morning. For example:

From:    jKX Soto [ingmanz@redacted]
Reply-To:    jKX Soto [avto111222@bigmir.net]
Date:    19 July 2017 at 06:43
Subject:    CQJP

hDYNOX

TC

Subject, body text and vendor seem to be randomly generated. But in all cases, the Reply-To address is avto111222@bigmir.net (Bigmir is basically a Ukrainian version of Yahoo from what I can tell).

The purpose of this spam run is unclear, but spammers do sometimes launch probing attacks to see what kind of response they get from servers. This could be an attempt to clean up the Necurs email address database perhaps, perhaps for resale.

Tuesday 18 July 2017

Necurs oddity: super.testtesttest2018@yahoo.com / "hi test"

This email is sent from the Necurs botnet and appears to be collecting automatic replies, using a Reply-To email address of super.testtesttest2018@yahoo.com.

From:    Randi Collier [zegrtocbjez@hometelco.net]
Reply-To:    Randi Collier [super.testtesttest2018@yahoo.com]
Date:    18 July 2017 at 10:08
Subject:    hi

hi test

The name of the sender and the "From" email vary, however the "Reply-To" email is consistent, as is the subject and body text. The sending IP varies, but this does look like Necurs from the patterns I can see.

I can't see any particular purpose in harvesting bounce messages in this way. From Necurs samples I see, the bulk of the recipient addresses are invalid in any case.

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity


ACCOUNT NO
******969

Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.


    Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.


If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services


Spam Policy   | Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.

In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]

The secondis a malicious Word document, in this case named 11969_201727.doc. Opening it comes up with a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), downloading a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] with the others shows potentialy malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)

Malware delivered in this was is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95

Tuesday 13 June 2017

Bellatora Inc (ECGR) pump-and-dump spam

It's been a little while since we've since an illegal pump-and-dump spam from the Necurs botnet, but here is a new one pushing a company called Bellatora Inc (stock ticker ECGR)

From:    Lillie Maynard
Date:    13 June 2017 at 09:37
Subject:    Here's why this company's shares are about to go up tenfold next week.

Yes, it's been some time since I reached out to you with something good but trust me… the wait will have been worth it.

I promised you that I'd only give you a tip if I had something spectacular, and today I do.

Remember my buddy in California who works at Accel? I had lunch with him yesterday and he told me that he firm is about to invest 50 million bucks into a small Marijuana company.

Basically they make weed vaporizers and their stuff is flying off the shelf because both weed, and vaporizers are all the craze right now.

Anyway, long story short, they're putting all that cash in the company at a price of $1.17 per share and yes you guessed it… it's way higher than where the stock price is as we speak.

The price is at just over 10 cents right now. This means that when they announce their involvement in a few days it should go up about tenfold overnight.

In fact, if you look at the chart, the price was at a little over 2 dollars a few weeks ago. My buddy tells me that his firm ‘crashed' it artificially so that they'd have more bargaining power at the table and it makes sense... They're coming in at just $1.17 instead of over 2 dollars.

Nonetheless this is a really rare chance for us to get in. I'll pick up at least 50,000 shares today and I think you should do the same.

The name of the company is Bellatora Inc. and its ticker is ECGR. If you do decide to tell a couple of your friends, please do me a favor and don't mention me by name.

Thanks,
Lillie Maynard

Bellatora seems to be involved in the vaping market, including medical marijuana vaping. I've seen a couple of other P&D spam runs in the past pushing stocks in this industry [1] [2].

Over the past month, the price of ECGR stock has cratered from over $2 per share to just 10 cents today. Yesterday someone traded 455,000 shares of that stock.

According to MarketWired this company has changed names several times over the years:

Company History
- Formerly=Oncology Medical, Inc. until 9-2016
- Formerly=Vianet Technology Group, Ltd. until 4-07
- Formerly=UTTI Corp. until 2-07
- Formerly=Unitech Industries, Inc. until 1-99
- Note=12-96 state of incorporation California changed to Delaware upon emergence from Chapter XI bankruptcy under Federal Bankruptcy Code

A quick look at the financials for this company turns up.. nothing. Which is kind of odd.

Anyway, stock being pushed through illegal pump-and-dump operations such as this is not being done for YOUR benefit, but for some party who holds a lot of stock. Avoid.

The spam run has been going on for about six hours, but has slowed down in the past few hours.

Version 2 - 13th June

It didn't take long for the second version to come out.. and there could be a lot more to come.

From:    Alisa Rich
Date:    13 June 2017 at 15:39
Subject:    Let me tell you why this stock will go up 10x by next week.

Haven't heard from me in a while right? That's because I'm not one to waste your time.

Whenever I do email you, it's because I've got something good. Really good.

My good friend who works at the big VC out in NY invited me for a bite yesterday. Nothing unusual, we always eat lunch together right?

However yesterday he gave me a really amazing piece of information and I want to share that with you.

The place he works at is basically injecting more or less 50 mill into this small American company that's in the cannabis business. Apparently, they've got some really amazing distribution and even better technologies.

Anyway... to make a long story longer he said the value they are coming in at is right around 1.20 a share and that this announcement will be made public some time in the next few days.

Given that the shares are at just 12 cents right now, do you have any idea what's going to happen when the announcement is out?

Yep, you guessed right... It's going to jump up 10 times, literally overnight.

The cannabis company is: Bella tora Inc.

You can buy it if you type E C G R in your brokerage account.

Feel free to tell only your closest friends about this. I really have no clue when the next time I get a tip will be.

Take care,
Alisa Rich

Monday 5 June 2017

Malware spam: "John Miller Limited" / "Invoice"

This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does not match the company being spoofed, and varies from message to message.

From:    Felix Holmes
Date:    5 June 2017 at 10:20
Subject:    Invoice

Regards

Felix Holmes

cid:image001.jpg@01D00F00.660A92D0
Kirkburn Ind. Estate
Lockerbie
Dumfries and Galloway
DG11 2FF

Tel – 01576 208 741 (Accounts) 01576 208 747 (Main line)
Fax – 01576 208 748
Ext – 1008/1006
‘’New Website launched 30.05.2014 – visit www.[redacted].uk’’

Attached is a PDF file with a name similar to A4 Inv_Crd 914605.pdf - opening it up (NOT recommended) displays something fairly minimal.

The attachment currently has a detection rate of about 9/56. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis shows the malicious file downloading a component from cartus-imprimanta.ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other variants possibly exist.

A file is dropped (in the HA report called miniramon8.exe) at detection rate of 11/61. According to the Hybrid Analysis report, that attempts tom communicate with the following IPs:

192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)

The payload is not clear at this time, but it will be nothing good.

Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177

Thursday 11 May 2017

Malware spam with "nm.pdf" attachment

Currently underway is a malicious spam run with various subjects, for example:

Scan_5902
Document_10354
File_43359

Senders are random, and there is no body text. In all cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED or 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].

The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful, but it shows a run-time error for the malicious code, but it does demonstrate that malicious .docm file is dropped with a detection rate of 15/58.

Putting the .docm file back into Hybrid Analysis and Malwr [5] [6] shows the same sort of results, namely a download from:

easysupport.us/f87346b

Given that this seems to be coming from the Necurs botnet, this is probably Locky or Dridex.

UPDATE

A contact pointed out this Hybrid Analysis which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which matches this Tweet about something called "Jaff ransomware".

That report also gives two other locations to look out for:

trialinsider.com/f87346b
fkksjobnn43.org/a5/

This currently gives a recommended blocklist of:
47.91.107.213
trialinsider.com
easysupport.us