
Tuesday 11 April 2017

Malware spam: "DHL Urgent Delivery"

This fake DHL spam includes the recipient's real name. In this case it was sent to someone in Germany, but written in English. The malware payload is identical to this one in Polish.

From: DHL Parcel [mailto:info@glaefcke.de]
Sent: Tuesday, 11 April 2017 11:03
To: [redacted]
Subject: DHL Urgent Delivery

YOUR DELIVERY IS TODAY


Hi, [redacted]

The scheduled delivery is Tue Apr 11 2017 before End of Day.

Please check your shipment and contact details below. If you need to make a change or track your shipment, click

http://nolp.dhl.com/set_identcodes.do&email=[redacted] . (JS-Document)
SHIPMENT CONTENTS:DELIVERY INFORMATION


Shipment number: 9670515551
Scheduled Delivery Date: Tue Apr 11 2017
Delivery Time: before End of Day
Email Address: [redacted]

Thank you for using On Demand Delivery.

DHL Express - Excellence. Simply delivered. 


Malware spam: "Sprawdź stan przesylki DHL"

This spam targeting Polish victims seems quite widespread. It leads to malware. The email is personalised with the victim's real name which has been harvested from somewhere.

From: DHL Express (Poland) [mailto:biuro@nawigatorxxi.pl]
Sent: Monday, April 10, 2017 7:09 PM
To: [redacted]
Subject: Sprawdź stan przesylki DHL

Check the status of your DHL shipment
Dear Customer, [redacted]

We inform you that a shipment order for which you are the recipient has been registered in the DHL24 service.

Order details:
- order number:
9653788657

- order date:
Monday, 10 April

You can find information on the current status of the shipment at http://dhl24.com.pl/report.html&report=JavaScript&email=[redacted]. (JavaScript Report)

This message was generated automatically.

Thank you for using our services and the DHL24 application.

DHL Parcel (Poland)

NOTE: This message was generated automatically. Please do not reply using the Reply function.

The link goes to a malicious JavaScript file [example here] [Malwr report] which downloads a binary from:

freight.eu.com/download3696 (159.100.181.107 - World Wide Web Hosting LLC, Netherlands)

..this has a detection rate of 10/60. This Malwr report plus observed activity show traffic to the following IPs and ports:

5.196.73.150:443 (OVH, France)
31.220.44.11:8080 (HostHatch, Netherlands)
46.165.212.76:8080 (Leaseweb, Germany)
109.228.13.169:443 (Fasthosts, UK)
119.82.27.246:8080 (Tsukaeru.net, Japan)
173.230.137.155:8080 (Linode, US)
173.255.229.121:443 (Linode, US)
203.121.145.40:8080 (Pacific Internet, Thailand)
206.214.220.79:8080 (ServInt, US)


There may be other phone home locations not observed.

Recommended blocklist:
5.196.73.150
31.220.44.11
46.165.212.76
109.228.13.169
119.82.27.246
159.100.181.107
173.230.137.155
173.255.229.121
203.121.145.40
206.214.220.79
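A blocklist is only useful once it is checked against traffic, and the ports matter: the observed endpoints above pair specific IPs with 443 or 8080. The script below is an added example (not code from this post) that loads the observed IP:port pairs and the download host from the post and runs them over a few constructed firewall log lines in a simple key=value format. The log format, source addresses and the benign destination are all made up for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Observed callback endpoints (IP, port) from the post above, plus the payload download host.
OBSERVED_ENDPOINTS = {
    ("5.196.73.150", 443), ("31.220.44.11", 8080), ("46.165.212.76", 8080),
    ("109.228.13.169", 443), ("119.82.27.246", 8080), ("173.230.137.155", 8080),
    ("173.255.229.121", 443), ("203.121.145.40", 8080), ("206.214.220.79", 8080),
}
OBSERVED_IPS = {ip for ip, _ in OBSERVED_ENDPOINTS}
DOWNLOAD_HOSTS = {"159.100.181.107"}

# Constructed firewall log lines (not real traffic). Source addresses are RFC 1918,
# the benign destination is taken from the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
2017-04-11T11:05:02Z action=allow src=192.168.1.23 dst=159.100.181.107 dport=80 proto=tcp
2017-04-11T11:05:09Z action=allow src=192.168.1.23 dst=5.196.73.150 dport=443 proto=tcp
2017-04-11T11:05:10Z action=allow src=192.168.1.23 dst=203.0.113.5 dport=443 proto=tcp
2017-04-11T11:05:11Z action=allow src=192.168.1.40 dst=31.220.44.11 dport=443 proto=tcp
"""

_KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Dict[str, str]:
    """Turn a key=value log line into a dict; the leading timestamp has no '=' and is skipped."""
    return dict(_KV.findall(line))

def classify(fields: Dict[str, str]) -> Optional[str]:
    """Return a verdict for one parsed line, or None if it matches nothing on the list."""
    dst = fields.get("dst")
    dport = fields.get("dport")
    if dst in DOWNLOAD_HOSTS:
        return "payload-download-host"
    if dport and dport.isdigit() and (dst, int(dport)) in OBSERVED_ENDPOINTS:
        return "c2-exact"
    if dst in OBSERVED_IPS:
        # Same host on a different port: still worth a look, since the post
        # notes that other phone-home locations may not have been observed.
        return "c2-ip-other-port"
    return None

def scan(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Run every non-empty line through classify() and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        verdict = classify(fields)
        if verdict:
            hits.append({"src": fields.get("src"), "dst": fields.get("dst"),
                         "dport": fields.get("dport"), "verdict": verdict})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the constructed log the download host, the exact 5.196.73.150:443 callback and a connection to 31.220.44.11 on an unlisted port are flagged; the TEST-NET destination is not. The three-way verdict is deliberate: an exact IP:port match is strong evidence, while an IP-only match on another port is a lead to investigate rather than a confirmed infection.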


Monday 3 April 2017

borezo.info - spam selling anti-spam services

If you are in the business of selling spam filtering.. it is probably not a good idea to do it by sending out spam..

From:    Camille Arpaillange [contact@borezo.info]
To:    contact@[redacted]
Date:    3 April 2017 at 15:55
Subject:    [redacted] - Protect emails received on your domain name
Signed by:    sg.borezo.info

Discover our SaaS solution

Anti-Virus, Anti-Spam and Anti-Phishing SMTP Gateway
Try for free

Bonjour,

This email is intended for your IT service, if any. If you are working with an external partner, feel free to forward him this message.

Your current situation

Today, you are using your provider to handle incoming emails on [redacted].

Often, protection against viruses, spam, phishing and all other threats is not the strong point of this kind of solution.

Our proposal:

free trial without obligation

We offer you to try for free and without obligation our email filtering solution, compatible with your provider.

Easy setup

To filter your emails, you only have to update the MX entry in your DNS records, replacing entry of your provider by the one we will provide you after your subscription. Emails will then be filtered by our infrastructure, and then redistributed to your provider, so you can consult them like before.

Functions

Anti-Virus

You won't have to be afraid of ransomwares anymore

Anti-Spam

No more spam, and you stay in control of settings

Anti-Phishing

Your users will not be exposed to credentials theft

Services

Backup

Each user can access himself his personal backup

Statistics

You can have an overview of incoming email traffic

Settings

Anytime, you can change your filtering settings

Advantages

Simplicity

    No configuration change on your SMTP server or the one of your provider.
    No configuration change on users side.
    No maintenance on your side, we take care of everything (hosting, high availability, upgrade, etc.).

Protection

    Anti-Virus, Anti-Spam and Anti-Phishing protection, without raising the load of your infrastructure or the one of your provider.
    Content-Filtering feature, to filter attachments based on their type and/or extension.

Personalized

    For each domain, you can define options of each modules (Anti-Virus, Anti-Spam, etc.).

Security

    In case of unavailability of your SMTP server or the one of your provider, your emails are stored in security on our infrastructure, and delivered as soon as SMTP is back online.

Try for free

This email has been sent to contact@[redacted], click here to unsubscribe.

https://borezo.info/in-k/ - SIRET 53021905400026

Clicking on the link does appear to take you to some sort of business site at https://borezo.info/in-k/

The mail headers match the domain, so borezo.info does seem to be the culprit..

Received: from dc3-1.borezo.info (dc3-1.borezo.info [212.83.146.78]) by [redacted] (Postfix) with ESMTP id 191E44A38D for <contact@[redacted]>; Mon,
  3 Apr 2017 15:55:08 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; s=dkim; d=sg.borezo.info; t=1491231308; h=from:subject:date: message-id; bh=IfD7xgIgVLQy8yLzdCSO+L7mXRn/PImws7LTh1D1pws=; b=j9sTfOH7r3XUTaSD5urHMd1b5EUDq1P9chByrurkie+ckpZjyHojSRUJKSF0lj7OvZ1ze2 Yjlsfl7Q/UQ+U+F2IlFrcMseqXbPLB8xhOVPPh3Ei39qNIgyO+MVApaxDt1WhXcf/npcle 6GjoCgCAGPXFLoTogZGqI3RBB5JBbdE=
Received: tmail deliverd remote 302c5d48ea2a327a67769562d3ece1ce930df6bd; 03 Apr 2017 16:55:08 +0200
X-Env-From: Ym91bmNlLTEtY29udGFjdEBkeW5hbW9vLmNvLnVr@sg.borezo.info
Received: from 212.83.146.78 (dc3-1.borezo.info.) (localhost) (authenticated
   as noreply@borezo.info) by 212.83.146.78 (dc3-1.borezo.info.) with ESMTPS TLS
   1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; tmail 0.1.7;
   4a5b9f00fa05b580ff586bd74659fbea91085dce; 03 Apr 2017 16:55:02 +0200

WHOIS details seem valid.

Registry Registrant ID: C199006566-LRMS
Registrant Name: Romain Lauret
Registrant Organization:
Registrant Street: office #855805
Registrant Street: c/o OwO, BP80157
Registrant City: Roubaix Cedex 1
Registrant State/Province:
Registrant Postal Code: 59053
Registrant Country: FR
Registrant Phone: +33.972101007
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: pwa3o3znv0b53h47bo8c@v.o-w-o.info


The "Camille Arpaillange" name in the email matches the imprint on the website..


Company registration data is here. I think I will pass on this particular offer..
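The reason the headers above point so clearly at borezo.info is that the DKIM signing domain (d=sg.borezo.info), the connecting host (dc3-1.borezo.info) and the From address all sit under the same organisational domain. The script below is an added example (not code from this post) that parses the DKIM-Signature value quoted above into its tags and checks that alignment the way a DMARC evaluator would, in strict and relaxed mode. It only checks alignment of the names; it does not fetch the DKIM key or verify the signature. The From address and HELO host passed in are the ones visible in the headers; the two-label organisational-domain reduction is a simplification, as noted in the code.

```python
import re
from typing import Dict

# DKIM-Signature value as quoted in the post above; the b= value was line-folded in the
# original, so the embedded spaces are folding whitespace, not part of the signature.
DKIM_HEADER = (
    "v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; s=dkim; d=sg.borezo.info; "
    "t=1491231308; h=from:subject:date: message-id; "
    "bh=IfD7xgIgVLQy8yLzdCSO+L7mXRn/PImws7LTh1D1pws=; "
    "b=j9sTfOH7r3XUTaSD5urHMd1b5EUDq1P9chByrurkie+ckpZjyHojSRUJKSF0lj7OvZ1ze2 "
    "Yjlsfl7Q/UQ+U+F2IlFrcMseqXbPLB8xhOVPPh3Ei39qNIgyO+MVApaxDt1WhXcf/npcle "
    "6GjoCgCAGPXFLoTogZGqI3RBB5JBbdE="
)

def parse_dkim_tags(header: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list syntax).
    Folding whitespace inside the base64 values b= and bh= is removed."""
    tags: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip()
        tags[key] = re.sub(r"\s+", "", value) if key in ("b", "bh") else value.strip()
    return tags

def org_domain(fqdn: str) -> str:
    """Crude organisational-domain reduction: keep the last two labels.
    Adequate for plain TLDs such as .info; a production check must use the Public
    Suffix List so that e.g. example.co.uk is not reduced to co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def alignment(from_addr: str, dkim_tags: Dict[str, str], helo_host: str) -> Dict[str, bool]:
    """DMARC-style identifier alignment between the From domain, the DKIM d= domain
    and the HELO/connecting hostname. 'strict' needs an exact match, 'relaxed' only
    the same organisational domain."""
    from_dom = from_addr.rsplit("@", 1)[-1].strip("<>").lower()
    d = dkim_tags.get("d", "").lower()
    return {
        "dkim_strict": d == from_dom,
        "dkim_relaxed": org_domain(d) == org_domain(from_dom),
        "helo_relaxed": org_domain(helo_host) == org_domain(from_dom),
    }

if __name__ == "__main__":
    tags = parse_dkim_tags(DKIM_HEADER)
    print(tags["d"], tags["s"], len(tags["b"]))
    print(alignment("contact@borezo.info", tags, "dc3-1.borezo.info"))
```

For this message the DKIM domain is a subdomain of the From domain, so strict alignment fails but relaxed alignment passes, and the connecting host aligns as well: every identifier the receiver can see belongs to borezo.info, which is why the headers are good evidence of who sent it.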



25.0.0.0/8 is not your private network

A recent phishing email originating from an Office 365 server caused some confusion.. apparently originating from an address in the 25.0.0.0/8 range which according to a WHOIS lookup is the UK's Ministry of Defence.

% Abuse contact for '25.0.0.0 - 25.255.255.255' is 'hostmaster@mod.uk'

inetnum:        25.0.0.0 - 25.255.255.255
netname:        UK-MOD-19850128
country:        GB
org:            ORG-DMoD1-RIPE
admin-c:        MN1891-RIPE
tech-c:         MN1891-RIPE
status:         LEGACY
notify:         hostmaster@mod.uk
mnt-by:         UK-MOD-MNT
mnt-domains:    UK-MOD-MNT
mnt-routes:     UK-MOD-MNT
mnt-by:         RIPE-NCC-LEGACY-MNT
created:        2005-08-23T10:27:23Z
last-modified:  2016-04-14T09:56:26Z
source:         RIPE

organisation:   ORG-DMoD1-RIPE
org-name:       UK Ministry of Defence
org-type:       LIR
address:        Not Published
address:        Not Published
address:        Not Published
address:        UNITED KINGDOM
phone:          +44(0)3067700816
e-mail:         mathew.newton643@mod.gov.uk
admin-c:        MN1891-RIPE
abuse-c:        MH12763-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        UK-MOD-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         UK-MOD-MNT
created:        2004-04-17T12:18:23Z
last-modified:  2016-10-06T11:09:40Z
source:         RIPE

person:         Mathew Newton
address:        ISS Design Directorate, Joint Forces Command
address:        UK Ministry of Defence
phone:          +44 (0)30 677 00816
e-mail:         mathew.newton643@mod.gov.uk
abuse-mailbox:  hostmaster@mod.uk
notify:         mathew.newton643@mod.gov.uk
nic-hdl:        MN1891-RIPE
created:        2005-03-18T10:42:04Z
last-modified:  2016-12-20T10:33:13Z
source:         RIPE
mnt-by:         UK-MOD-MNT

In this case the connection appeared to come from dm5pr17cu002.internal.outlook.com which does indeed resolve to 25.173.128.134.. which would place it in the MoD's address range. Yes?

Well.. no, because the 25.0.0.0/8 range isn't routed on the public Internet. You can't send traffic to it from the Internet. But it isn't a "private" IP range either, it is allocated to the MoD. It does seem that some companies are taking advantage of this and are using 25.0.0.0/8 for internal networks (much the same as 10.0.0.0/8) when it isn't designed for that.

Of course you can make a DNS record point to anything; it doesn't mean that the host will respond. A look at all the hosts in 25.173.0.0/16 reveals these apparently active servers:

blserver.net
www.blserver.net
blog.blserver.net
imap.blserver.net
mwhpr13cu002.internal.outlook.com
dm5pr17cu002.internal.outlook.com

25-173-116-219.1334762f6da5400c9f4cbba603d6c121.plex.direct
25-173-129-6.114b489248be4a2489583682ee5d5f3c.plex.direct
sql.engormix.com
has-on.info

In the case of the outlook.com servers the DNS has been misconfigured. What should resolve only PRIVATELY to a 25/8 address is resolving PUBLICLY to an address in that range. Of course, the servers never respond. And note that this is just one /16, not the whole /8 (reverse DNS for the whole /8 is insane).

The upshot is that the MoD get a lot of abuse calls for bad things that people think originate from their network, when the traffic isn't actually coming from there.

If you are going to use blocks like 25.0.0.0/8 for internal uses, I would suggest that you take great care not to expose the internal IPs to the outside world. I'm sure the poor people at the MoD would appreciate it.
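The confusion in this post comes from treating "not reachable from the Internet" as the same thing as "private". Python's ipaddress module draws the line the way the registries do, which makes it a handy triage tool: 10.0.0.0/8 is private, 25.0.0.0/8 is not. The script below is an added example (not code from this post) that pulls the connecting IP out of a Received: header and classifies it, flagging 25/8 separately as public space that is allocated to the MoD but not routed. The sample header is constructed for the demonstration (the hostname and address mirror the ones discussed above, the receiving MTA and queue id are placeholders).

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed Received: header, modelled on the case in the post. The receiving host,
# queue id and recipient are placeholders, not taken from any real message.
SAMPLE_RECEIVED = (
    "Received: from dm5pr17cu002.internal.outlook.com "
    "(dm5pr17cu002.internal.outlook.com [25.173.128.134])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id PLACEHOLDER\n"
    "\tfor <user@example.net>; Mon,  3 Apr 2017 15:55:08 +0100 (BST)"
)

# Public allocations that some organisations use internally anyway. 25.0.0.0/8 is the
# UK MoD legacy allocation discussed above: not RFC 1918, but not routed on the Internet.
MISUSED_PUBLIC_BLOCKS = {
    ipaddress.ip_network("25.0.0.0/8"): "allocated to UK MoD, not routed on the public Internet",
}

# The MTA records the peer address in square brackets; that is the value to trust,
# not the hostname the peer announced in HELO.
_IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(received_header: str) -> Optional[ipaddress.IPv4Address]:
    """Return the first bracketed IPv4 literal in a Received: header, or None."""
    match = _IP_LITERAL.search(received_header)
    if not match:
        return None
    try:
        return ipaddress.IPv4Address(match.group(1))
    except ipaddress.AddressValueError:
        return None

def classify_ip(ip) -> str:
    """Distinguish genuinely private/reserved space from public space that merely isn't routed."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        # RFC 1918 (10/8, 172.16/12, 192.168/16) plus loopback, link-local and other reserved ranges.
        return "private-or-reserved"
    for net, note in MISUSED_PUBLIC_BLOCKS.items():
        if addr in net:
            return f"public-but-unrouted ({note})"
    return "public"

def triage(received_header: str) -> Dict[str, Optional[str]]:
    """Extract the peer address from a Received: header and classify it."""
    ip = connecting_ip(received_header)
    if ip is None:
        return {"ip": None, "verdict": "no IPv4 literal found"}
    return {"ip": str(ip), "verdict": classify_ip(ip)}

if __name__ == "__main__":
    print(triage(SAMPLE_RECEIVED))
    for sample in ("10.1.2.3", "25.173.128.134", "192.0.2.10", "8.8.8.8"):
        print(sample, classify_ip(sample))
```

The point of the separate "public-but-unrouted" verdict is operational: an RFC 1918 address in a Received: line tells you the hop was internal, while a 25/8 address tells you someone is leaking internal naming into public DNS or headers, and that the WHOIS abuse contact for that block is not the party responsible for the message.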

Friday 31 March 2017

Leaked documents reveal post-Brexit switch to pre-decimal currency

So with the UK leaving the EU thing kicking off into full swing a lot of interesting stories have been lost in the noise. As expected not only have hard Brexiteers managed to sneak in proposals that we ditch the metric system, it now also seems that they want to ditch decimal currency too.

Madness? Well, they seem to believe that things were better in the old days. Like the 18th Century perhaps. Anyway, these top secret double encoded plans (presumably leaked by Pro-Bremoaner criminals) have come to light outlining the steps of this particularly mad scheme. It already has a name in government - Dexit.

Basically, immediately after the UK leaves the EU the currency will change back to pounds, shillings and pence...you remember how that works, yes? 12 pence to a shilling, 20 shillings to a pound making 240 pence per pound... on a date pencilled in as being the first day of April in 2019.

All transactions will have to change at that point. However, the pound will still remain the pound including the new pound coin. Notes will still remain the same, although all new ones will contain animal fat by law. As with decimalisation, some coins will remain the same too - the 50p coin will remain valid as 10 shillings, 20p will be 4 shillings and so on for the 10p and 5p coins. New coins will be minted with the new denominations on, but they will circulate alongside the old ones. Copper coins are more of a problem and they will all be withdrawn and replaced.

The halfpenny will not return (thank goodness) and nor will the farthing (1/960th of a pound!). One might argue that the penny could be eliminated altogether as it isn't worth much these days, but apparently there is determination that it will come back.

All eCommerce sites operating in the UK and software will have to be updated to the new currency. It's not as simple as just changing the currency sign, and the law will state that all new computer software will have to support the new currency natively without mucking about with formulas. Formulae. Whatever.

One sticking point is the name of the coins. Technically the current currency is called "new pence", replacing the pre-decimal "old pence". Suggestions for the new coinage include "new old pence", "indedenpence" (clever!) and "Mike Pence".

There will be some exceptions:
  • In anticipation of Scottish independence, the new currency there will be called the "Groat".
  • In Gibraltar the currency will revert to the Euro when it is handed over to Spain (even though 99% of the population don't want that because democracy is so 2016)
  • In Northern Ireland the currency will be determined by whichever side wins the brutal 20-year civil war that follows Brexit.
All of this is quite a low price to pay for taking back control though, isn't it?

(Yes, this was an April Fool's joke, but not too far from what some Brexiters have actually suggested)

Thursday 30 March 2017

Malware spam: "Re:Payment Remittance Copy"

This fake financial spam leads to malware.


From:    AL HUDA LTD [ap.office@triumftools.sk]
Date:    30 March 2017 at 09:05
Subject:    Re:Payment Remittance Copy
Signed by:    triumftools.sk

Dear Sir,

As instructed by your customer for your payment,

Find attached formal remittance copy received from our bank and contact your  client for payment confirmation. All payment details is in the attached HSBC TT-Copy.

Please Confirm
Best regards,
================================
Alan Bostock
Manager - Finance and Administration
HSBC Exchanger
TEL: (965) 24338094 -620                                  
FAX: (965) 24332815 Mobile: (965) 600-11-868
==================================


Attached is a .GZ archive HSBC TT-Copy.pdf.gz (this assumes you have a program on your Windows PC that can handle .gz files). This contains a malicious executable doc9876543234500001.exe which currently has a VirusTotal detection rate of 32/60.

Analysis of the binary is pending. You can be certain that it is nothing good.

Monday 20 March 2017

More highly personalised malspam using hijacked domains

Following on from this spam some weeks ago, another one comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).

From: customerservice@newshocks.com [mailto:customerservice@newshocks.com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details




Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:

[Name and address redacted]

If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks,

Contact Us Opening Times Delivery Options Returns Policy Privacy Policy Terms & Conditions


The newshocks.com domain used in the "From" field matches the sending server of rel209.newshocks.com (also mail.newshocks.com) on 185.141.164.209. This appears to be a legitimate but unused domain belonging to a distributor of car parts.

The link in the email goes to clipartwin.com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit or similar. This is using another hijacked but apparently legitimate web server.

I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient. If you have seen something similar or have an idea of where the data came from, please leave a comment below.