Tuesday 15 December 2015
Malware spam: "Rockspring Remittance Advice - WIRE"
This fake financial spam comes with a malicious attachment:
From: Kristina Salinas
Date: 15 December 2015 at 14:59
Subject: Rockspring Remittance Advice - WIRE
Dear Customer,
Please find attached your Remittance Details for the funds that will be deposited to your bank account on December 15th.
Rockspring Capital is now sending through the bank the addenda information including your remit information.
If you are not seeing your addenda information in your bank reporting you may have to contact your local bank representative.
Accounts Payable
Attached is a malicious document with a random name. I have only seen one sample so far, with a VirusTotal detection rate of 3/55. The Malwr report indicates the same behaviour as this earlier spam run, which is dropping Nymaim ransomware.
Tainted network: Dmitry Shestakov / vds24.net on OVH
vds24.net (apparently belonging to "Dmitry Shestakov") is a Russian reseller of OVH servers that has come up on my radar a few times in the past few days [1] [2] [3] in connection with domains supporting Teslacrypt malware and acting as landing pages for the Angler exploit kit.
Curious as to what was hosted by vds24.net, I set about trying to find their IP address ranges. This proved somewhat difficult, as they are spread in small chunks throughout OVH's IP space. I managed to identify:
5.135.58.216/29
5.135.254.224/29
51.254.10.128/29
51.254.162.80/30
51.255.131.64/30
149.202.234.116/30
149.202.234.144/30
149.202.234.188/30
149.202.237.68/30
176.31.24.28/30
178.32.95.152/29
178.33.200.128/26
Then, using reverse DNS lookups, I found all the domains associated with those ranges (there were a LOT) and checked which were active, along with their SURBL and Google ratings. You can see the results of the analysis here [csv].
There may well be legitimate domains in these ranges, but out of 1658 domains identified, 1287 (77.6%) are flagged by SURBL as being spammy. Only 11 (0.7%) are identified as malicious, but in reality I believe this figure to be much higher.
In particular, the following IP addresses seem to be clearly bad from those ratings:
51.254.10.131
51.254.162.81
51.255.131.66
51.255.142.101
149.202.234.190
149.202.237.68
178.33.200.138
I can see 61 active IPs in the vds24.net ranges, so perhaps only a small proportion of them are bad. However, depending on your network stance, you may want to consider blocking all the IP ranges specified above just to be on the safe side.
UPDATE
One additional range has come to light, connected with the Dridex banking trojan:
51.254.51.176/30
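The reverse-DNS and SURBL survey described above, as an added Python example (my own code, not the blog's or any tool the post used). It enumerates the ranges listed in this post, reverse-resolves each address, builds the SURBL query name for each resulting domain (reversed octets for an IP, the bare domain otherwise, against the combined `multi.surbl.org` zone) and reports the flagged fraction. Both lookups are injected as callables so the script runs offline: the hostnames in FAKE_PTR and the answers in FAKE_A are constructed placeholders, not real observations, and `live_ptr`/`live_a` are the drop-in replacements for real use. The same `in_blocklist` function is how I would apply the CIDR blocklists recommended elsewhere on this page to an observed destination IP.

```python
"""Reverse-DNS survey of the vds24.net ranges and CIDR blocklist matching.

Added example, not code from the original post. Lookups are injected as
callables so the script runs offline; swap in live_ptr/live_a for real use.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# CIDR ranges quoted in the post, plus the Dridex-related range from the UPDATE.
VDS24_RANGES = [
    "5.135.58.216/29", "5.135.254.224/29", "51.254.10.128/29",
    "51.254.162.80/30", "51.255.131.64/30", "149.202.234.116/30",
    "149.202.234.144/30", "149.202.234.188/30", "149.202.237.68/30",
    "176.31.24.28/30", "178.32.95.152/29", "178.33.200.128/26",
    "51.254.51.176/30",
]
NETWORKS = [ipaddress.ip_network(r) for r in VDS24_RANGES]

Resolver = Callable[[str], Optional[str]]


def all_addresses(networks: Iterable[ipaddress.IPv4Network] = NETWORKS) -> List[str]:
    """Every address covered by the ranges, as dotted strings."""
    return [str(addr) for net in networks for addr in net]


def in_blocklist(ip: str, networks: Iterable[ipaddress.IPv4Network] = NETWORKS) -> Optional[str]:
    """Return the CIDR that contains ip (e.g. a proxy-log destination), or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def surbl_query_name(target: str, zone: str = "multi.surbl.org") -> str:
    """DNS name to query in a SURBL-style list: reversed octets for an IPv4
    address, the bare lower-cased domain otherwise."""
    try:
        addr = ipaddress.IPv4Address(target)
        return ".".join(reversed(str(addr).split("."))) + "." + zone
    except ipaddress.AddressValueError:
        return target.strip(".").lower() + "." + zone


def is_listed(target: str, resolve_a: Resolver, zone: str = "multi.surbl.org") -> bool:
    """A listed name answers with a 127.0.0.x address; NXDOMAIN (None) means clean."""
    answer = resolve_a(surbl_query_name(target, zone))
    return answer is not None and answer.startswith("127.0.0.")


def survey(networks, resolve_ptr: Resolver, resolve_a: Resolver) -> Dict[str, object]:
    """The post's method: reverse-resolve every address, check each resulting
    name against SURBL and report how many were flagged."""
    domains: Dict[str, str] = {}
    for ip in all_addresses(networks):
        name = resolve_ptr(ip)
        if name:
            domains[name.strip(".").lower()] = ip
    flagged = sorted(d for d in domains if is_listed(d, resolve_a))
    pct = round(100.0 * len(flagged) / len(domains), 1) if domains else 0.0
    return {"domains": len(domains), "flagged": flagged, "flagged_pct": pct}


# Live resolvers for real use (network access required).
def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_a(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


# Constructed sample data so the example runs offline; none of these
# hostnames or answers are real observations.
FAKE_PTR = {
    "51.254.10.131": "bad-example-one.invalid",
    "51.254.162.81": "bad-example-two.invalid",
    "178.33.200.138": "clean-example.invalid",
}
FAKE_A = {
    "bad-example-one.invalid.multi.surbl.org": "127.0.0.64",
    "bad-example-two.invalid.multi.surbl.org": "127.0.0.8",
}

if __name__ == "__main__":
    print(survey(NETWORKS, FAKE_PTR.get, FAKE_A.get))
    print(in_blocklist("51.254.51.178"))
```

Against live resolvers the survey for these ranges issues one PTR query per address and one SURBL query per name found, so it is worth rate-limiting and caching if you run it over larger allocations.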
Labels:
Evil Network,
Malware,
OVH,
Russia
Malware spam: "Invoice Attached" / "Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp."
This fake financial spam has a malicious attachment:
From: Ernestine Harvey
Date: 15 December 2015 at 11:34
Subject: Invoice Attached
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Thank you!
Mr. Ernestine Harvey
Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.
The sender name varies randomly, but in the email they are all signed "Mr." even if they have female names, for example:
Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson
The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.
An analysis of five of the attachments [1] [2] [3] [4] [5] shows attempted downloads from:
modern7technologiesx0.tk/x1656/dfiubgh5.exe
forbiddentextmate58.tk/x1656/ctruiovy.exe
temporary777winner777.tk/x1656/fdgbh44b.exe
former12futuristik888.tk/x1656/fdgjbhis75.exe
Note that these are all .TK domains, and they are all hosted on exactly the same server at 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain:
servicexmonitoring899.tk
I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.
Anyway, the downloaded binary has a VirusTotal detection rate of 4/55 and the comments indicate that rather surprisingly this is the Nymaim ransomware. The Hybrid Analysis indicates network traffic to xnkhfbc.in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:
41.224.12.178 (Orange Tunisie Internet, Tunisia)
51.255.59.248 (OVH, France)
78.107.46.8 (Corbina Telecom, Russia)
95.173.163.211 (Netinternet, Turkey)
118.102.239.53 (Dishnet, India)
140.116.161.33 (TANET, Taiwan)
185.114.22.214 (Osbil Technology Ltd., Turkey)
192.200.220.42 (Global Frag Networks, US)
200.195.138.156 (Szabo & Buhnemann Ltda, Brazil)
210.150.126.225 (HOSTING-NET, Japan)
There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.
MD5s:
4CADF61E96C2D62292320C556FD34FE6
BBAAAB1245D7EDD40EE501233162110E
6B6C7430D33FE16FAE94162D61AF35DD
79A10791B1690A22AB4D098B9725C5E0
D148440E07434E4823524A03DE3EB12F
79A10791B1690A22AB4D098B9725C5E0
B41205F6AEEEB1AA1FD8E0DCBDDF270E
Recommended blocklist:
31.184.234.5
41.224.12.178
51.255.59.248
78.107.46.8
95.173.163.211
118.102.239.53
140.116.161.33
185.114.22.214
192.200.220.42
200.195.138.156
210.150.126.225
xnkhfbc.in
oxrdmfdis.in
UPDATE
A source tells me (thank you) that servicexmonitoring899.tk is now resolving to 78.129.252.19 (iomart, UK), which has also recently hosted the following domains:
google-apsm.in
specre.com
ganduxerdesign.com
www.ganduxerdesign.com
upmisterfliremsnk.net
tornishineynarkkek.org
tornishineynarkkek2.org
Some of these domains are associated with Rovnix.
Malware spam: "Invoice for Voucher ACH-2-197701-35" / "Reservations [res@affordablecarhire.com]"
This fake financial spam does not come from Affordable Car Hire but is instead a simple forgery with a malicious attachment.
From: Reservations [res@affordablecarhire.com]
Date: 15 December 2015 at 11:50
Subject: Invoice for Voucher ACH-2-197701-35
Payment Link For Booking ACH-2-197701-35
Please find attached your invoice for reservation number ACH-2-197701-35
This email was sent on 14/12/2015 at 16:25
Attachment: ACH-2-197701-35-invoice.xls (116K)
I have only seen a single sample, with an attachment ACH-2-197701-35-invoice.xls which has a VirusTotal detection rate of 3/54. According to this Malwr report, it downloads a malicious binary from:
usahamanfaat.com/8iy45323f/i87645y3t23.exe
The payload here is the Dridex banking trojan, and it is identical to the one found in this spam run.
Malware spam: "Order PS007XX20000584" / "Nicola Hogg [NHogg@pettywood.co.uk]"
This rather brief spam does not come from Petty Wood but is instead a simple forgery with a malicious attachment:
From: Nicola Hogg [NHogg@pettywood.co.uk]
Date: 15 December 2015 at 10:14
Subject: Order PS007XX20000584
There is no body text, but instead there is an attachment PS007XX20000584 - Confirmation with Photos.DOC which has a VirusTotal detection rate of 5/55 and contains a malicious macro [pastebin] which (according to this Malwr report) downloads a binary from:
kutschfahrten-friesenexpress.de/8iy45323f/i87645y3t23.exe
There are probably other versions of the document with different download locations. This malicious executable has a detection rate of 2/54, and between them these three reports [1] [2] [3] indicate malicious traffic to:
199.7.136.84 (Megawire Inc, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
The payload here is likely to be the Dridex banking trojan.
MD5s:
8b288305733214f8e0d95386d886af2d
f9c00d3db5fa6cd33bc3cd5a08766ad0
Recommended blocklist:
199.7.136.84
221.132.35.56
Malware spam: "Reference Number #89044096, Notice of Unpaid Invoice" leads to Teslacrypt
This fake financial spam comes with a malicious attachment.
From: Carol Mcgowan
Date: 15 December 2015 at 09:09
Subject: Reference Number #89044096, Notice of Unpaid Invoice
Dear Valued Customer,
It seems that your account has a past due balance of $263,49. Previous attempts to collect the outstanding amount have failed.
Please remit $263,49 from invoice #89044096 within three days or your account will be closed, any outstanding orders will be cancelled and this matter will be referred to a collection agency.
The payment notice is enclosed to the letter down below.
Attached is a file invoice_89044096_scan.doc which has a VirusTotal detection rate of 2/54, and which contains this malicious macro [pastebin] which attempts to download a binary from the following location:
thewelltakeberlin.com/92.exe
This domain was registered only today, and at the moment is not resolving properly. The payload here is likely to be Teslacrypt.
The WHOIS details for it are:
Registrant Name: Quinciano Huerta
Registrant Organization: Quinciano Huerta
Registrant Street: Vila Fonteles 163
Registrant City: Fortaleza
Registrant State/Province: CE
Registrant Postal Code: 60741-080
Registrant Country: BR
Registrant Phone: +55.8568257712
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: wexel@thewelltakeberlin.com
Nameservers are dns1.saymylandgoodbye.in and dns2.saymylandgoodbye.in, hosted on 5.178.71.5 (Serverius, Netherlands) and 83.69.233.102 (Awax Telecom, Russia).
Those two IPs host or have recently hosted the following potentially malicious domains:
buildites.com
dauth-mail.ru
ddonaldducks.in
directly-success.com
dmikymaus.in
dsaymylandgoodbye.in
dsoftextrain644.com
gammus.com
hackeroff.net
kalamarkesof.org
linuxczar.com
metiztransport.ru
miracleworld1.com
obamalox.com
outreel.ru
pro100now.ru
rapdacity.ru
remarkablyxj.top
staringpartnerk.com
sufficientbe.top
superiorityci.top
trillionstudio.com
vmark.su
workcccbiz.in
Recommended minimum blocklist:
thewelltakeberlin.com
83.69.233.102
5.178.71.5
UPDATE
There is a good analysis of this malware at TechHelpList including the C2 domains involved.
Labels:
DOC,
Malware,
Netherlands,
Russia,
Serverius,
Spam,
Teslacrypt,
Viruses
Monday 14 December 2015
Malware spam: "Israel Burke" / "BCP Transportation, Inc."
This fake invoice comes with a malicious attachment:
From: Israel Burke [BurkeIsrael850@business.telecomitalia.it]
Date: 14 December 2015 at 15:00
Subject: Israel Burke
Dear Customer:
Attached please find an invoice(s) for payment. Please let us know if you have any questions.
We greatly appreciate your business!
Israel Burke
BCP Transportation, Inc.
I have only seen one sample of this; it is possible that the company name and sender names are randomly generated. The attachment in this case was named invoice_scan_76926455.doc and has a detection rate of 3/55.
Despite the name, this is not a Word document but is an XML document [pastebin] containing ActiveMIME data. The Malwr report for this indicates network traffic to:
109.234.34.224 (McHost.Ru, Russia)
80.96.150.201 (SC-Nextra Telecom SRL, Romania)
That Malwr report shows a dropped binary named qqqew.exe which has a VirusTotal detection rate of 5/55.
I am not certain of the payload, but I suspect that this Word document is dropping Upatre leading to the Dyre banking trojan.
MD5s:
a81a19478dbe13778f06191cf39c8143
5b1db9050cc44db3a99b50a5ba9d902a
Recommended blocklist:
109.234.34.224
80.96.150.201
Malware spam: "Your order #12345678" / "11 Money Way, Pittsburgh, PA 15226"
This fake financial spam leads to malware:
From: Giuseppe Sims
Date: 14 December 2015 at 14:19
Subject: Your order #25333445
Dear Valued Customer,
This letter was sent to you as a formal notice that you are obligated to repay our company the sum of 2,760$ which was advanced to you from our company on October 16, 2015.
Please, find the invoice enclosed down below.
This amount must be repaid until the date of maturity to payment obligation, December 28, 2015 and you have failed to repay our company the same despite repeated requests for this payment.
Thank you in advance for your prompt attention to this matter. We look forward to your remittance. If you have any questions, please do not hesitate to contact us.
Sincerely,
Giuseppe Sims
11 Money Way
Pittsburgh, PA 15226
The sender's name is randomly-generated but is always female. Also random are the order number and value, and there is an attachment in the format invoice_12345678_scan.zip that matches the reference in the document.
Inside that ZIP file is a uniquely generated .JS file in the format invoice_XXXXXX.js or invoice_copy_XXXXXX.js which is highly obfuscated (like this) and deobfuscates to something like this.
The various versions of the macro attempt to download a binary from the following location:
miracleworld1.com/80.exe?1
I cannot get this to resolve at the moment; it turns out that the domain was only registered today.
Domain Name: miracleworld1.com
Registry Domain ID:
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: webnic.cc
Updated Date: 2015-12-14 21:24:21
Creation Date: 2015-12-14 21:21:12
Registrar Registration Expiration Date: 2016-12-14 13:21:11
Registrar: WEBCC
Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_abuse@webnic.cc
Registrar Abuse Contact Phone: +603 8996 6799
Domain Status: Active
Registry Registrant ID:
Registrant Name: Eliisa Laukkanen
Registrant Organization: Eliisa Laukkanen
Registrant Street: Etelaesplanadi 89
Registrant City: Ingermaninkyla
Registrant State/Province: Ingermaninkyla
Registrant Postal Code: 07810
Registrant Country: FI
Registrant Phone: +358.0460879234
Registrant Phone Ext:
Registrant Fax: +358.0460879234
Registrant Fax Ext:
Registrant Email: bomb@miracleworld1.com
I think they started spamming before the domain records could be pushed out fully. Shame.
Nameservers are DNS1.DONALDDUCKS.IN and DNS2.DONALDDUCKS.IN on 93.189.42.21 (NTCOM, Russia) and 178.33.200.177 (Dmitry Shestakov, Belize / OVH, France) respectively.
Looking at the nameservers, I can see that the following malicious domains are part of the same cluster, and I recommend you block all of them:
gammus.com
miracleworld1.com
soft2webextrain.com
Although I have not been able to acquire the payload, it is almost definitely Teslacrypt.
UPDATE
An updated version of the script is being spammed out that looks like this when deobfuscated. This attempts to download Teslacrypt from the following URLs:
firstwetakemanhat.com/91.exe?1
miracleworld1.com/91.exe?1
This has a detection rate of 4/55. firstwetakemanhat.com was registered just today and is hosted on:
193.150.0.78 (PE Govoruhin Vitaliy Sergeevich, Russia)
84.200.69.60 (Ideal-Hosting UG, Germany)
Nameservers are DNS1.GOGODNS.RU and DNS2.GOGODNS.RU which are hosted on the same two IPs.
The Malwr report shows more details, however this is my recommended blocklist (updated):
193.150.0.78
84.200.69.60
gammus.com
miracleworld1.com
soft2webextrain.com
firstwetakemanhat.com
Malware spam: "Invoice 14 12 15" / "THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]"
This terse fake financial spam is not from the awesomely-named Thunderbolts Limited but is instead a simple forgery with a malicious attachment:
From: THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]
Date: 14 December 2015 at 11:15
Subject: Invoice 14 12 15
This message contains 2 pages in PDF format.
Curiously, the bad guys have gone as far as to include a fake header to make it look like a fax:
X-Mailer: ActiveFax 3.92
Attached is a file fax00163721.xls which is fairly obviously not a PDF document. So far I have seen two versions of this with a detection rate of 6/55 [1] [2] and which these Malwr reports [3] [4] indicate download a malicious binary from:
exfabrica.org/437g8/43s5d6f7g.exe
test-cms.reactive.by/437g8/43s5d6f7g.exe
This binary has a detection rate of 0/54. That VirusTotal report and this Hybrid Analysis both show traffic to:
199.7.136.84 (Megawire, Canada)
This malware is likely to be Dridex. Given that it is similar to the one found here, I would recommend blocking network traffic to:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169
MD5s:
a0de2560362cc6dfc53d1cd5ff50559b
bd22c4b0b6996a8405b2d33696e1e71e
b1fff594a8877042efd0ed4d67f6feb6
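The lure shape this post and the others on this page describe (an Office, archive or script attachment with an invoice/scan/fax-style numbered filename, here dressed up with a body line and an X-Mailer header claiming a PDF fax) is something a mail gateway can flag before a user opens it. The following Python is an added example of mine, not the blog's code or any product's rule: it builds two constructed messages (placeholder `.invalid` addresses, fake payload bytes), serialises them, and parses the raw bytes back the way a gateway filter would. The `LURE_NAME` regex is my own generalisation of the filenames quoted on this page, not a pattern from the posts.

```python
"""Mail-gateway triage for invoice/scan/fax lures carrying Office or script attachments.

Added example, not from the original post. Builds two constructed messages,
serialises them and parses the raw bytes back, as a gateway filter would.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Filename shapes quoted on this page: invoice_12345678_scan.doc,
# SCAN_invoice_66626337.zip, fax00163721.xls, Untitled_14102015_154510.doc.
# The regex is an assumed generalisation: a lure keyword, a run of at least
# six digits somewhere in the name, and an Office/script/archive extension.
LURE_NAME = re.compile(
    r"^(?:invoice|scan|fax|untitled)[\w-]*?\d{6,}[\w-]*\.(?:doc|docm|xls|xlsm|zip|js)$",
    re.IGNORECASE,
)


def attachment_names(msg: EmailMessage) -> List[str]:
    """Filenames of every attachment part (empty string if a part has none)."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def claims_pdf_or_fax(msg: EmailMessage) -> bool:
    """True when the text body mentions PDF or the X-Mailer header presents
    the message as a fax, as the lure above does."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    mailer = msg.get("X-Mailer") or ""
    return "pdf" in text.lower() or "fax" in mailer.lower()


def triage(raw: bytes) -> List[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    claims = claims_pdf_or_fax(msg)
    for name in attachment_names(msg):
        if LURE_NAME.match(name):
            findings.append(f"lure-style attachment name: {name}")
        if claims and not name.lower().endswith(".pdf"):
            findings.append(f"message claims PDF/fax but attaches: {name}")
    return findings


def build_sample(x_mailer: Optional[str], body: str, filename: str,
                 payload: bytes, subtype: str) -> bytes:
    """Constructed sample message (placeholder addresses, fake payload bytes)."""
    msg = EmailMessage()
    msg["From"] = "Example Sender <sender@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice 14 12 15"
    if x_mailer:
        msg["X-Mailer"] = x_mailer
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


# Modelled on the fax lure above: claims two PDF pages, attaches an .xls.
LURE_SAMPLE = build_sample("ActiveFax 3.92", "This message contains 2 pages in PDF format.",
                           "fax00163721.xls", b"\xd0\xcf\x11\xe0fake", "vnd.ms-excel")
# A benign message with a genuine PDF attachment name.
BENIGN_SAMPLE = build_sample(None, "Please find the statement attached.",
                             "statement.pdf", b"%PDF-1.4 fake", "pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

Filename checks are a cheap first pass only; the samples on this page show the names vary per message, so this belongs alongside macro/script inspection of the attachment itself rather than in place of it.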
Malware spam: "Scan from a Samsung MFP" / "Gareth Evans [gareth@cardiffgalvanizers.co.uk]"
This fake scanned document does not come from Cardiff Galvanizers but is instead a simple forgery with a malicious attachment.
From: Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date: 14 December 2015 at 10:43
Subject: FW: Scan from a Samsung MFP
Regards
Gareth
-----Original Message-----
Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.
This message has been scanned for malware by Websense. www.websense.com
I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which, according to this Malwr report, downloads a malicious binary from:
test1.darmo.biz/437g8/43s5d6f7g.exe
There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs:
199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)
The payload is likely to be the Dridex banking trojan.
MD5s:
dcb019624fb8e92eb26adf2bef77d46c
21781d7e2969bd9676492c407a3da1cc
Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169
Friday 11 December 2015
Malware sites and evil networks to block (2015-12-11)
This group of domains and IPs is related to this Teslacrypt attack, sharing infrastructure with some of the malicious domains in question. In addition to Teslacrypt, some of these are connected with PoSeidon, Pony and Gozi malware.
The analysis [csv] includes SURBL and Google ratings, ISP information and a recommended blocklist.
Malicious domains:
auth-mail.ru
blagooooossss.com
brostosoosossss.com
chromedoors.ru
debatelocator.ru
ggergregre.com
growthtoys.ru
hagurowrob.ru
hedtheresran.ru
listfares.ru
littmahedtbo.ru
mikymaus.in
mytorsmired.ru
poponkia.com
soft2webextrain.com
softextrain64.com
softextrain644.com
toftevenghertbet.ru
wordlease.ru
workcccbiz.in
Partly or wholly malicious IPs:
46.166.168.106
80.87.202.52
96.8.119.3
104.232.34.141
149.202.234.190
176.103.48.223
185.18.53.247
185.118.64.182
Recommended blocklist:
46.166.168.64/26 (Duomenu Centras, UA)
80.87.202.0/24 (JSC Server, RU)
96.8.119.0/27 (New Wave NetConnect, US)
104.232.34.128/27 (Net3 Inc, US)
149.202.234.188/30 (OVH / Dmitry Shestakov, BZ)
176.103.48.0/20 (PE Ivanov Vitaliy Sergeevich, UA)
185.18.53.247 (Fornex Hosting, NL)
185.118.64.176/28 (CloudSol LLC, Russia)
I've blocked traffic to 176.103.48.0/20 for two years with no ill effects; it seems to be a particularly bad network. There may be a few legitimate sites hosted in these ranges, but they would mostly be Russian, so if you don't usually visit Russian websites then the collateral damage might be acceptable.
Labels:
Evil Network,
Netherlands,
OVH,
Russia,
Teslacrypt,
Ukraine
Malware spam: "Invoice #66626337/BA2DEB0F" leads to Teslacrypt
I have only seen one sample of this fake invoice spam, so it is possible that the invoice references and sender names are randomly generated.
From: Jarvis Miranda
Date: 11 December 2015 at 08:25
Subject: Invoice #66626337/BA2DEB0F
Dear Client,
Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.
Thank you for understanding.
In the sample I saw, the attached file was named SCAN_invoice_66626337.zip, which contained a malicious javascript [pastebin] with a VirusTotal detection rate of 5/54. When deobfuscated it becomes a bit clearer that it is trying to download a binary from:
soft2webextrain.com/87.exe?1
46.151.52.231/87.exe?1
This behaviour can be seen in these automated reports [1] [2]. The downloaded executable has a detection rate of 6/55 and an MD5 of 56214f61a768c64e003b68bae7d67cd2. This Malwr report gives a clearer indication of what the binary is doing, attempting to pull information from:
kochstudiomaashof.de
The screenshots indicate clearly that this is ransomware, specifically Teslacrypt.
Note that the soft2webextrain.com domain is on the same server as softextrain64.com seen yesterday, so 185.118.64.182 (CloudSol LLC, Russia) can be considered to be malicious.
UPDATE
I didn't spot originally that the "soft2webextrain.com" website is multihomed with a second IP address, 149.202.234.190, which is an OVH IP allocated to a customer "Dmitry Shestakov" and which sits in a small block, 149.202.234.188/30, that is probably also worth blocking.
UPDATE 2
I made an error with one of the IP addresses and specified 185.118.64.183 and it should have been 185.118.64.182.
Recommended blocklist:
185.118.64.182
149.202.234.188/30
46.151.52.231
kochstudiomaashof.de
Labels:
Malware,
Russia,
Spam,
Teslacrypt,
Viruses
Thursday 10 December 2015
Malware spam: "Order 311286 Acknowledged" / "sales@touchstonelighting.co.uk"
This fake financial spam does not come from Touchstone Lighting but is instead a simple forgery with a malicious attachment.
From: sales@touchstonelighting.co.uk
Date: 10 December 2015 at 12:02
Subject: Order 311286 Acknowledged
There is no body text. Attached is a malicious Word document Order Acknowledgement.doc which appears to be exactly the same as the payload used for this spam run.
Malware spam: "STMT ACWL-15DEC12-120106" / "accounts@mamsoft.co.uk [statements@mamsoft.co.uk]"
This fake financial email does not come from MAM Software but is instead a simple forgery with a malicious attachment.
From: accounts@mamsoft.co.uk [statements@mamsoft.co.uk]
Date: 10 December 2015 at 11:35
Subject: STMT ACWL-15DEC12-120106
The following are attached to this email:
XACWL-15DEC12-120106.DOC
Attached is a file XACWL-15DEC12-120106.DOC which I have only seen one variant of so far, with a VirusTotal detection rate of 6/54. According to the Malwr analysis, it downloads a file from:
life.1pworks.com/76t7h/76gjk.exe
There will probably be other versions of the document with different download locations. This executable has a detection rate of 2/54 and according to this Malwr report it contacts:
136.145.86.27 (University Of Puerto Rico, Puerto Rico)
Other analysis is pending; in the meantime I recommend that you block traffic to that IP. The payload is probably the Dridex banking trojan.
MD5s:
6e8f48e7d53ac2c8f7b863078e9050b2
fbf7c8c4f90fcfdf284c3624d6baedf7
Malware spam: "Foreman&Clark Ltd" / "Last Payment Notice" leads to Teslacrypt
This fake financial spam does not come from the long-defunct Foreman & Clark, but instead it comes with a malicious attachment that leads to ransomware.
From: Harlan Gardner
Date: 10 December 2015 at 08:48
Subject: Reference Number #20419955, Last Payment Notice
Dear Client,
This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services dated November 15, 2015 for the amount of $8,151.
Your failure to pay as per the December 1, 2015 invoice equals a breach of our contract.
Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we will be compelled to pursue all the necessary legal actions.
Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.
Sincerely,
Harlan Gardner
Sales Manager
Foreman&Clark Ltd.
256 Raccoon Run
Seattle, WA 98101
In the sample I saw, the attachment was named copy_invoice_20419955.zip which contained this malicious obfuscated script which has a VirusTotal detection rate of 2/55. When deobfuscated it becomes a bit clearer as to what it does, with an attempted download from:
46.151.52.196/86.exe?1
softextrain64.com/86.exe?1
This pattern is the same as the spam run yesterday. The downloaded binary has an MD5 of 42b27f4afd1cca0f5dd2130d3829a6bc, a detection rate of 5/55 and the Malwr report indicates that it pulls data from the following domains:
graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
gjesdalbrass.no
The characteristics of this malware indicate the Teslacrypt ransomware.
Recommended blocklist:
46.151.52.196
softextrain64.com
gjesdalbrass.no
graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
Labels:
Malware,
Spam,
Teslacrypt,
Viruses
Wednesday 9 December 2015
Fake "Fretter Inc" spam leads to Teslacrypt ransomware
This email claims to be from the long-dead retailer Fretter Inc, but it is not. Instead it comes with a malicious attachment leading to the Teslacrypt ransomware.
From: Tonia Graves [GravesTonia8279@ikom.rs]
Date: 9 December 2015 at 14:50
Subject: Your order #11004118 - Corresponding Invoice #B478192D
Dear Valued Customer,
We are pleased to inform you that your order #11004118 has been processed and is ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don't hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregard this letter and kindly allow us up to 3 business days to clear the incoming payment.
We look forward to your remittance and will then dispatch the goods.
Thank you for choosing our services; we sincerely hope to continue doing business with you again.
Sincerely,
Tonia Graves
Sales Department Manager
Fretter Inc.
2715 Sycamore Road
Nyssa, OR 97913
The sender's name and the reference numbers change in each version. Attached is a file copy_invoice_11004118.zip which in turn contains a malicious script [VT 5/54] which in the sample I investigated was named invoice_iU9A2Y.js. When deobfuscated it looks like this.
The Malwr report for that script shows it downloading from:
softextrain64.com/86.exe?1
The script itself shows an alternate location of:
46.151.52.197/86.exe?1
This has a VirusTotal detection rate of 3/55. A Malwr report on just the executable plus this Hybrid Analysis report shows it connecting to:
gjesdalbrass.no
It also tries to identify the IP address of the host by connecting to http://myexternalip.com/raw which is a benign service that you might consider to be a good indicator of compromise.
You can see in the screenshots of that Malwr report that this is ransomware, specifically Teslacrypt.
Recommended blocklist:
gjesdalbrass.no
softextrain64.com
46.151.52.197
Labels:
Malware,
Spam,
Teslacrypt
Tuesday 8 December 2015
Malware spam: "EXB (UK) Ltd Invoice" / "Sales [sales@exbuk.co.uk]"
This fake financial spam does not come from EXB (UK) Ltd but is instead a simple forgery with a malicious attachment.
From: Sales [sales@exbuk.co.uk]
Date: 8 December 2015 at 12:03
Subject: EXB (UK) Ltd Invoice
Dear Sirs,
Please find attached our invoice, Thank you for your order
Best Wishes
EXB (UK) Ltd
Attached is a Word document named Invoice 1195288 from EXB (UK) Limited.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]), each of which contains a complex macro [pastebin] that fails to run in automated analysis tools [4] [5] [6] [7] [8] [9].
The payload (if it works) is likely to be the Dridex banking trojan.
UPDATE
According to the comments on this post plus some other sources, the macros in these documents download from:
cabezasdealambre.eu/76re459/98uy76t.exe
mfmanastacio.com/76re459/98uy76t.exe
216.119.110.104/76re459/98uy76t.exe
That payload is identical to the one found in this earlier spam run.
Malware spam: "Updated Statement - 2323191" / "David Lawale [David.Lawale@buildbase.co.uk]"
This fake financial spam does not come from Buildbase but is instead a simple forgery with a malicious attachment.
From: David Lawale [David.Lawale@buildbase.co.uk]
Date: 8 December 2015 at 10:58
Subject: Updated Statement - 2323191
Hi,
Please find attached copy updated statement as your account has 3 overdue invoices. Are there any reasons why they haven’t yet been paid?
Kind Regards
David
David Lawale | Credit Controller | Buildbase
Harvey Road, Basildon, Essex, SS13 1QJ
tel: +44(0)1268 590718 | fax: +44(0)1268 590077
www.buildbase.co.uk
Attached is a file 151124142451_0001.xls which I have seen come in two versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan.
UPDATE 1
Automated analysis is inconclusive [1] [2] [3] [4] [5] [6]. It is possible that there is an error in the macro.
UPDATE 2
According to the comments in this post and also some other sources, the macros download from:
gulteknoofis.com/76re459/98uy76t.exe
kinderdeszorns.de/76re459/98uy76t.exe
agencjareklamowalodz.com/76re459/98uy76t.exe
This has a detection rate of 4/55. According to these reports [1] [2] [3] and other sources, the malware phones home to:
216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)
MD5s:
0316dbd20fbfd5a098cd8af384ca950f
1b4283c8531653a5156911be1e6535
5a2140f864d98949d44945500a7d18
6ce6e2b915688f2b474e65813dc361
Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169
Monday 7 December 2015
Malware spam: "Your receipt from Apple Store, Manchester Arndale" / "manchesterarndale@apple.com"
This fake receipt does not come from an Apple Store, but is instead a simple forgery with a malicious attachment:
From: manchesterarndale@apple.com
Date: 7 December 2015 at 09:43
Subject: Your receipt from Apple Store, Manchester Arndale
Thank you for shopping at the Apple Store.
To tell us about your experience, click here.
Attached is a file emailreceipt_20150130R2155644709.xls which in the sample I analysed has a VirusTotal detection rate of 6/53.
According to this Malwr report, the attachment downloads a malicious binary from:
steveyuhas.com/~steveyuhas/87tr65/43wedf.exe
This has a VirusTotal detection rate of precisely zero. Those reports indicate network traffic to:
23.113.113.105 (AT&T Internet Services, US)
This is the same IP as seen in this earlier spam run, and I strongly recommend that you block it. The payload is likely to be the Dridex banking trojan.
Malware spam: "Transglobal Express - Shipping Documentation (TG-1569311)" / "sales@transglobalexpress.co.uk"
This fake shipping spam does not come from Transglobal Express but is instead a simple forgery with a malicious attachment.
From: sales@transglobalexpress.co.uk
Date: 7 December 2015 at 09:28
Subject: Transglobal Express - Shipping Documentation (TG-1569311)
Your Shipping Documentation for - TG-1569311
ORDER SUMMARY
Booking Ref: TG-1569311 Destination Country: UK Service: UPS Express Saver Collection date: 04/12/2015
Your Shipping Label (Air Waybill) Please find your Shipping Label for the above order attached.
- Print two copies of your label(s). Securely attach one copy to your parcel and give one to the UPS driver upon collection.
- Please use the label(s) we have provided to avoid any unwanted billing complications with UPS.
Don't have a printer? Please get in touch with us and we'll be happy to post your documentation to you.
You can access all order information and documentation via your My Account area on our website. You can track your parcel using your UPS Air Waybill number via our easy-to-use tracking page.
You can calculate your estimated transit time by visiting our Transit Times page and entering your collection and delivery postcode into the transit time calculator tools for your carrier. Please note that transit times do not account for customs delays.
SECURITY - Please note that your consignment may be subject to X-Ray and/or opened for inspection.
GET IN TOUCH!
Questions? Issues? Need to rearrange a collection? Call us on 0845 145 1212 (Monday- Friday 9:00-5:30pm), email sales@transglobalexpress.co.uk or say hello via our live chat feature at www.transglobal.org.uk. We are always happy to help.
Many thanks for your order,
Your Customer Services Team
All work is undertaken subject to our standard Terms and Conditions of carriage (BIFA 2005) which limit our liability.
Copies are available on request or can be downloaded from our web site: www.transglobal.org.uk
Attachment: 1569311-1Z2X12A50495162278.doc (59K)
Attached is a file 1569311-1Z2X12A50495162278.doc which in the samples I have seen has a detection rate of 7/55 and which contains this malicious macro [pastebin]. According to this Malwr report, the macro downloads a binary from:
www.lama.rs/87tr65/43wedf.exe
This has a VirusTotal detection rate of just 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to:
23.113.113.105 (AT&T Internet Services, US)
I strongly recommend that you block traffic to that IP. The payload here is almost definitely the Dridex banking trojan.
MD5s:
fd7b410fd7936dd51c4b72ef4047c639
b55d33d92aa95d563e13c57c3bfc2dfe
Thursday 3 December 2015
Malware spam: "ICM - Invoice #2393" / "Industrial Cleaning Materials (ICM)" [sales@icmsupplies.co.uk]
This fake financial spam does not come from Industrial Cleaning Materials but is instead a simple forgery with a malicious attachment:
From: "Industrial Cleaning Materials (ICM)" [sales@icmsupplies.co.uk]
Date: Thu, 03 Dec 2015 18:22:34 +0700
Subject: ICM - Invoice #2393
Dear Customer,
Please find invoice 2393 attached.
Kind Regards,
ICM
Industrial Cleaning Materials
Unit 19 Highlode Ind Est
Stocking Fen Road
Ramsey
Huntingdon
Cambridgeshire
PE26 2RB
Tel: 01487 800011
fax 01487 812075
I have seen two versions of the attachment order_2393.doc with VirusTotal results of 2/54 [1] [2], and the Malwr reports [3] [4] show that they download a component from:
www.ofenrohr-thermometer.de/u5y432/h54f3.exe
ante-prima.com/u5y432/h54f3.exe
This has a VirusTotal detection rate of 1/53. The payload appears to be the same as the one in this spam run earlier today and looks like the Dridex banking trojan.
Malware spam: "Invoice from DATANET the Private Cloud Solutions Company" / "Holly Humphreys [Holly.Humphreys@datanet.co.uk]"
This fake financial email does not come from Datanet but is instead a simple forgery with a malicious attachment:
From: Holly Humphreys [Holly.Humphreys@datanet.co.uk]
Date: 3 December 2015 at 08:57
Subject: Invoice from DATANET the Private Cloud Solutions Company
Dear Accounts Dept :
Your invoice is attached, thank you for your business.
If you have any queries please do not hesitate to contact us.
Regards
DATANET.CO.UK
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday
Please reply to Accounts@datanet.co.uk
________________________________
Holly Humphreys
Operations
Datanet - Hosting & Connectivity
E: Holly.Humphreys@datanet.co.uk
W: www.datanet.co.uk
T: 01252 810010
F: 01252 813391
S: 01252 813396 - Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24x7
DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified business with the mantra of "CIA" - "Confidentiality, Integrity and Availability" at the heart of our private cloud solutions.
Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.
Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England - No. 03214053
I have seen only one sample of this spam, with an attachment with the somewhat interesting name of C:\Users\HOLLY~1.HUM\AppData\Local\Temp\Inv_107666_from_DATANET.CO..xls, which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro [pastebin] and has a VirusTotal detection rate of 3/55.
According to this Malwr report and this Hybrid Analysis the XLS file downloads a malicious binary from :
encre.ie/u5y432/h54f3.exe
There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55 and that report plus this Malwr report indicate malicious network traffic to:
162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
78.47.66.169 (Hetzner, Germany)
The payload is almost definitely the Dridex banking trojan.
MD5s:
1bfd7cdc2731ec85617555f63473e3c9
0dcb805a3efa215bde97aa1f32559b77
Recommended blocklist:
162.208.8.198
94.73.155.8/29
78.47.66.169
UPDATE
I have seen another version of the document with an MD5 of c7fa6a1f345aec2f1db349a80257f459 and a VirusTotal result of 3/54. According to this Malwr report it downloads from:
parentsmattertoo.org/u5y432/h54f3.exe
Malware spam: "Scanned image from MX-2600N"
This fake scanned image document appears to come from within the victim's own domain, but it is in fact just a simple forgery with a malicious attachment.
From: no-reply@victimdomain.tld
Date: 3 December 2015 at 08:12
Subject: Scanned image from MX-2600N
Reply to: no-reply@victimdomain.tld [no-reply@victimdomain.tld]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.
Attached is a file named no-reply@victimdomain.tld_20151203_3248.doc which I have seen just a single sample of so far, with a VirusTotal detection rate of 2/55, and which contains this malicious macro [pastebin]. Automated analysis tools [1] [2] show that the macro downloads a component from the following location:
vinsdelcomtat.com/u5y432/h54f3.exe
There will probably be other versions of the document downloading from other locations, but for the moment the binary will be the same. This has a detection rate of 3/55 and this Malwr report shows that it communicates with a known bad IP of:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you block traffic to that IP. The payload is most likely to be the Dridex banking trojan.
MD5s
23964bc22c2c81f9a41fb9f747a6c995
33a7583730e94d7877e1047272626455
Wednesday 2 December 2015
Malware spam: "Invoice from PASSION BEAUTY SUPPLY LTD" leads to Teslacrypt
Following on from this earlier spam run, this email has a malicious attachment that loads Teslacrypt ransomware.
From: Monique Chen [ChenMonique412@magicleafstudio.com]
Date: 2 December 2015 at 19:22
Subject: Invoice from PASSION BEAUTY SUPPLY LTD
Dear Customer,
Please review the attached copy of your Invoice (number: IN78350434) for an amount of $470.49.
Thank you for your business
The attachment is named invoice_copy_78350434.zip and it contains a malicious script invoice_copy_BD2E45I62A129S.js which has a VirusTotal detection rate of 2/55. The script is obfuscated (see example) but according to these analyses [1] [2] downloads a malicious executable from:
74.117.183.84/76.exe?1
This has a detection rate of 3/55. The hosts contacted are the same as for the earlier spam run and I recommend you block them.
Labels:
Malware,
Spam,
Teslacrypt,
Viruses
Malware spam: "Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014" / "Fuel Card Services [adminbur@fuelcardgroup.com]"
This fake financial spam is not from Fuel Card Services Ltd but is instead a simple forgery with a malicious attachment:
From: Fuel Card Services [adminbur@fuelcardgroup.com]
Date: Wed, 02 Dec 2015 15:31:16 +0300
Subject: Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014
Please note that this message was sent from an unmonitored mailbox which is unable
to accept replies. If you reply to this e-mail your request will not be actioned.
If you require copy invoices, copy statements, card ordering or card stopping please
e-mail support@fuelcardservices.com quoting your account number which can be found
in the e-mail below. If your query is sales related please e-mail info@fuelcardservices.com.
E-billing
-
From: adminbur@fuelcardservices.com
Sent: Wed, 02 Dec 2015 15:31:16 +0300
To: hiett@petroldirect.com
Subject: Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014
Account: B500101
Please find your e-bill 0765017 for 30/10/2015 attached.
To manage you account online please click http://eservices.fuelcardservices.com
If you would like to order more fuel cards please click http://www.fuelcard-group.com/cardorder/shell-burnley.pdf
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin.
Fuel Card Services Ltd
T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com
Supplied according to our terms and conditions. (see http://www.fuelcardservices.com/ebill.pdf).
Please also note that if you cannot open this attachment and are using Outlook Express to view your mail you should select Tools / Options / Security Tab and deselect the option marked "Do not allow attachments to be opened that potentially may be a virus".
All of our outgoing mail is fully virus scanned but we recommend this facility is re-enabled if you do not use virus scanning software.
The attachment is named ebill0765017.doc and it comes in two different versions. The payload appears to be identical to this spam run earlier today: the Dridex banking trojan.
Malware spam: "November Invoice #60132748" leads to Teslacrypt
This fake financial spam comes with a malicious attachment.
From: Valarie Davenport
Date: 2 December 2015 at 11:59
Subject: November Invoice #60132748
Hello ,
Please review the attached copy of your Electronic document.
A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
Thank you for your business.
Attached is a file invoice_60132748.zip which contains a malicious obfuscated script INVOICE_main_BD3847636213.js [Pastebin obfuscated / deobfuscated] and this downloads a malicious file from:
74.117.183.84/76.exe?1
It also tries to contact 5.39.222.193, but this times out. An attempt to download from bestsurfinglessons.com comes up with a 404 error.
The Malwr report and Hybrid Analysis indicate that this communicates with the following compromised domains:
ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org
Both those reports indicate that this is the Teslacrypt ransomware.
Furthermore, the Hybrid Analysis report also shows other traffic to:
tsbfdsv.extr6mchf.com
alcov44uvcwkrend.onion.to
rbtc23drs.7hdg13udd.com
MD5s:
72c15108b68a0f07fdc4d17bd58aa368
0352acd36fedd29e12aceb0068c66b49
f16692fc9170ff68321a5d060b93e2e7
Recommended blocklist:
74.117.183.84
5.39.222.193
ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org
extr6mchf.com
alcov44uvcwkrend.onion.to
7hdg13udd.com
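The recommended blocklists in this post and in the "Invoice #66626337/BA2DEB0F" post above mix bare IPs, CIDR blocks and domains, and some of the traffic actually observed (tsbfdsv.extr6mchf.com against a blocklisted extr6mchf.com; the multihomed 149.202.234.190 inside 149.202.234.188/30) is only caught by parent-domain and CIDR matching rather than exact string compares. The following is an added example, not code from the original blog, showing one way to run such a list over proxy or DNS logs. The indicators are quoted from the blocklists above; the log format, the client addresses and the log lines are constructed for illustration, and myexternalip.com is placed on a separate watch list because the Fretter post describes it as a benign service whose use is still a useful indicator.

```python
"""Turn the posts' recommended blocklists into a checker for proxy/DNS logs.

Added example for this page, not code from the original blog. Indicators are
quoted from the blocklists above; the log format and log lines are constructed.
"""
import ipaddress
import re

# Indicators quoted from the posts above: bare IPs, CIDR blocks and domains in one list.
BLOCKLIST = [
    "74.117.183.84",
    "5.39.222.193",
    "149.202.234.188/30",
    "185.118.64.182",
    "ccfinance.it",
    "extr6mchf.com",
    "7hdg13udd.com",
    "alcov44uvcwkrend.onion.to",
    "soft2webextrain.com",
    "gjesdalbrass.no",
]

# Benign service the Teslacrypt sample used to learn its public IP: alert on it, don't block it.
WATCHLIST = ["myexternalip.com"]

# Constructed sample log (assumed format: "<timestamp> <client> <host> <url>"), not real traffic.
SAMPLE_LOG = """\
2015-12-11T08:31:02Z 10.0.0.15 soft2webextrain.com http://soft2webextrain.com/87.exe?1
2015-12-11T08:31:03Z 10.0.0.15 149.202.234.190 http://149.202.234.190/87.exe?1
2015-12-02T12:05:44Z 10.0.0.22 tsbfdsv.extr6mchf.com http://tsbfdsv.extr6mchf.com/
2015-12-09T14:55:10Z 10.0.0.31 myexternalip.com http://myexternalip.com/raw
2015-12-09T14:56:00Z 10.0.0.31 www.example.org http://www.example.org/
2015-12-02T12:06:01Z 10.0.0.22 5.39.222.193 http://5.39.222.193/
"""

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<url>\S+)\s*$")


def compile_indicators(entries):
    """Split a mixed indicator list into [(network, original_text)] and a set of domains.

    A bare IP becomes a /32 network, so one membership test covers both forms.
    Anything that is not a valid IP or CIDR is treated as a domain name.
    """
    networks, domains = [], set()
    for raw in entries:
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            networks.append((ipaddress.ip_network(entry, strict=False), entry))
        except ValueError:
            domains.add(entry)
    return networks, domains


def match_host(host, networks, domains):
    """Return the indicator text that covers `host`, or None.

    IP hosts are tested against every network, so 149.202.234.190 is caught by
    the 149.202.234.188/30 entry. Domain hosts are tested exactly and then
    against each parent domain (never the bare TLD), so a blocklisted
    extr6mchf.com also catches tsbfdsv.extr6mchf.com.
    """
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:          # strip a :port suffix (IPv6 literals have more colons)
        host = host.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net, text in networks:
            if addr in net:
                return text
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(text, blocklist=BLOCKLIST, watchlist=WATCHLIST):
    """Return one hit dict per log line whose host matches the block or watch list."""
    block_nets, block_doms = compile_indicators(blocklist)
    watch_nets, watch_doms = compile_indicators(watchlist)
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of aborting the scan
        host = m.group("host")
        indicator, verdict = match_host(host, block_nets, block_doms), "block"
        if indicator is None:
            indicator, verdict = match_host(host, watch_nets, watch_doms), "watch"
        if indicator is not None:
            hits.append({"line": lineno, "client": m.group("client"), "host": host,
                         "indicator": indicator, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['host']} "
              f"[{hit['verdict']}: {hit['indicator']}]")
```

Run against the constructed log this flags five of the six lines; the only miss is www.example.org. Matching parent domains means a single entry such as extr6mchf.com covers whatever throwaway subdomain the next sample uses, which is why the blocklist above lists the registered domain rather than tsbfdsv.extr6mchf.com.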
Labels:
Malware,
Spam,
Teslacrypt,
Viruses
Malware spam: "Your Adler Invoice No. UK 314433178 IN" / "service@adlerglobal.com"
This fake financial spam does not come from Adler Manufacturing Limited but is instead a simple forgery. It is meant to have a malicious attachment, but all of the samples I have seen are malformed.
From: service@adlerglobal.com
Date: 2 December 2015 at 11:36
Subject: Your Adler Invoice No. UK 314433178 IN
Dear Customer,
Thank you very much for having placed your order with Adler.
Your goods have been shipped. Please see attached invoice for payment of
your order.
For your convenience, you will find several payment methods described on the
attached invoice (please be sure to include your Adler Order #).
If you have any questions, feel free to contact us.
Best Regards,
Your Adler Customer Service Team
Adler Manufacturing Limited
Eastgate House, 35-43 Newport Road
Cardiff CF24 0AB
Tel.: 0800 0087 555
Fax 0800 0087 666
www.adlerglobal.com
Supposedly attached is a document MD220EML.XLS, but all the samples I see just have a Base64-encoded section in its place. Shame. If you go to the effort of decoding them, they are two moderately detected malicious documents (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] download a binary from:
vanoha.webzdarma.cz/4367yt/p0o6543f.exe
det-sad-89.ru/4367yt/p0o6543f.exe
These download locations were seen earlier, but the payload has changed to one with a detection rate of 4/55. Those earlier Malwr reports indicate malicious traffic to:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.
MD5s:
a68b72fbfb76964261a3601daa270647
5bb6f5b6dcd693af4c13e73bc6b7ed48
e81b373b90b0124b31648aa3a50ae2e7
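Decoding the orphaned Base64 section described above is a small job, but it is worth doing properly: a mail parser will report no attachment at all on such a message, so the document has to be pulled out of the body text, identified by its magic bytes and hashed before it can be compared with the MD5s listed here. The following is an added example, not code from the original blog; the two sample messages and the 512-byte stand-in document are constructed here (an OLE2 header sector of zeros, not the real Adler sample), and the well-formed MIME variant is included only to show that the same function handles a normal attachment.

```python
"""Recover a Base64-encoded document from a malformed e-mail and hash it.

Added example for this page, not code from the original blog. The two sample
messages and the stand-in document are constructed; they are not real samples.
"""
import base64
import hashlib
import re
from email import message_from_bytes, policy

# File-type magic bytes worth knowing for malspam attachments.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls compound file
    (b"PK\x03\x04", "zip"),                           # .docx/.xlsx/.zip containers
    (b"MZ", "pe"),                                    # Windows executable
]

# Constructed stand-in: the OLE2 magic followed by zeros to fill one 512-byte header sector.
FAKE_OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504

# Constructed malformed message: no MIME structure, Base64 text dumped straight into the body.
SAMPLE_EMAIL_MALFORMED = (
    b"From: service@adlerglobal.com\n"
    b"Subject: Your Adler Invoice No. UK 314433178 IN\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"Dear Customer,\n"
    b"Please see attached invoice for payment of your order.\n"
    b"\n"
    + base64.encodebytes(FAKE_OLE_DOC)
)

# Constructed well-formed message carrying the same document as a real attachment part.
SAMPLE_EMAIL_MIME = (
    b"From: service@adlerglobal.com\n"
    b"Subject: Your Adler Invoice No. UK 314433178 IN\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Dear Customer,\n"
    b"\n"
    b"--b1\n"
    b'Content-Type: application/vnd.ms-excel; name="MD220EML.XLS"\n'
    b'Content-Disposition: attachment; filename="MD220EML.XLS"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.encodebytes(FAKE_OLE_DOC)
    + b"--b1--\n"
)

_B64_LINE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def identify(blob):
    """Classify a blob by its leading magic bytes; 'unknown' if none match."""
    for magic, kind in MAGIC:
        if blob.startswith(magic):
            return kind
    return "unknown"


def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()


def describe(name, blob):
    """Summarise a recovered file: MD5 for matching published IOCs, SHA-256 for anything new."""
    return {"name": name, "kind": identify(blob), "size": len(blob),
            "md5": md5_hex(blob), "sha256": hashlib.sha256(blob).hexdigest()}


def find_base64_blobs(text, min_lines=3):
    """Decode every run of at least `min_lines` consecutive Base64-looking lines in `text`.

    Prose lines fail the character-class test, so only the orphaned encoded
    section survives; runs that do not decode cleanly are discarded.
    """
    run, blobs = [], []
    for line in text.splitlines() + [""]:        # trailing "" flushes the final run
        stripped = line.strip()
        if stripped and _B64_LINE.fullmatch(stripped):
            run.append(stripped)
            continue
        if len(run) >= min_lines:
            try:
                blobs.append(base64.b64decode("".join(run), validate=True))
            except ValueError:
                pass
        run = []
    return blobs


def recover_attachments(raw):
    """Return a description of every document recoverable from a raw e-mail.

    Proper MIME attachments are used when present. If the message declares an
    attachment but carries none, as in the malformed samples described above,
    fall back to scanning the text body for an orphaned Base64 block.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload:
            found.append(describe(part.get_filename() or "(unnamed part)", payload))
    if found:
        return found
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for blob in find_base64_blobs(part.get_content()):
                found.append(describe("(orphaned base64 block)", blob))
    return found


if __name__ == "__main__":
    for label, sample in (("malformed", SAMPLE_EMAIL_MALFORMED), ("well-formed", SAMPLE_EMAIL_MIME)):
        for item in recover_attachments(sample):
            print(f"{label}: {item['name']} {item['kind']} {item['size']} bytes md5={item['md5']}")
```

Both constructed messages yield the same 512-byte OLE2 blob and therefore the same hashes. On a real sample the MD5 is what you compare against the lists in these posts; the SHA-256 is recorded alongside because MD5 collisions are cheap and newer feeds key on the stronger hash.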