Fake 'Document', 'Neopost documents', 'Clients accounts' SPAM, Locky C2
FYI...
Fake 'Document' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/docum...elivers-locky/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Document No 25845584' (random numbers) pretending to come from random names at accounts@ your-own-email-domain or company with a random named zip attachment containing an hta file... One of the emails looks like:
From: random names at accounts@your own email domain or company
Date: Wed 28/09/2016 01:38
Subject: Document No 25845584
Attachment: Document No 25845584.zip
Thanks for using electronic billing
Please find your document attached
Regards
MAVIS CAWLEY
28 September 2016: Document No 25845584.zip: Extracts to: GVJL2720.hta - Current Virus total detections 16/55*
MALWR** was unable to get any payload or find any download sites. Payload Security*** shows a download of an encrypted filedatalinks .ir/g76vub8 which is transformed by the script to a working Locky binary. (Unfortunately Payload Security does not show the actual file or allow it to be downloaded in the free web version)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1475037203/
** https://malwr.com/analysis/Yzk5OTE2N...I5MjI0NmZiZTg/
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
144.76.172.200
52.24.123.95
52.85.209.134
52.33.248.56
128.241.90.219
___
Locky download and C2 locations ...
- http://blog.dynamoo.com/2016/09/lock...s-2016-09.html
28 Sep 2016 - "It's one of those days where I haven't been able to look at Locky much, but here is some analysis of download locations from my usual trusted source.
Binary download locations:
(Long list of domain names at the dynamoo URL above.)...
C2s:
176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh .biz/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
rluqypf .pw/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk .biz/apache_handler.php [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap .info/apache_handler.php
kdbbpmrdfnlno .pl/apache_handler.php
jlhxyspgvwcnjb .work/apache_handler.php
dceaordeoe .ru/apache_handler.php
gisydkcsxosyokkuv .work/apache_handler.php
mqlrmom .work/apache_handler.php
wfgtoxqbf .biz/apache_handler.php
ndyevynuwqe .su/apache_handler.php
vgcfwrnfrkkarc .work/apache_handler.php
Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158 "
___
Fake 'Neopost documents' SPAM - Locky – Odin version
- https://myonlinesecurity.co.uk/neopo...-odin-version/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Neopost documents' 0000888121970 coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file...
Screenshot: https://myonlinesecurity.co.uk/wp-co...t-1024x730.png
28 September 2016: 0000888121970_statement_000088812197051.zip: Extracts to: ZQSA4705.wsf
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from one of these locations:
http ://bigballsincowtown .com/67fgbcni?gjGmIb=KpIHjmIwkWU
http ://lucianasaliani .com/67fgbcni?gjGmIb=KpIHjmIwkWU
which is transformed by the script to aCOldXqKQqm2.dll (VirusTotal 6/57***) and posts back to C&C
http ://194.67.208.69 /apache_handler.php - Payload Security[4] shows a lot more C2 connections... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1475081527/
** https://malwr.com/analysis/Yjg1Yzg5M...Y5NTJjMzA0NGE/
Hosts
69.89.27.246
174.127.104.173
70.40.220.107
176.103.56.98
194.67.208.69
*** https://www.virustotal.com/en/file/3...is/1475077530/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
69.89.27.246
174.127.104.173
176.103.56.98
194.67.208.69
45.63.98.158
86.110.118.114
___
Something evil on 69.64.63.77
- http://blog.dynamoo.com/2016/09/some...-69646377.html
28 Sep 2016 - "This appears to be some sort of exploit kit leveraging hacked sites, for example:
[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report*. The IP address appears to be a customer of ServerYou... Country: UA ...
These other domains are hosted on the same IP:
[donotclick]j8le7s5q745e .org
[donotclick]3wdev4pqfw1u .org
[donotclick]fg1238tq38le .net
All of those domains are registered to:
.. Registrant Country: RU ...
It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking."
* http://urlquery.net/report.php?id=1475082161540
77.81.224.215: https://www.virustotal.com/en/ip-add...5/information/
69.64.63.77: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/f1...9a84/analysis/
___
Fake 'Clients accounts' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/clien...elivers-locky/
27 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Clients accounts' coming as usual from random companies, names and email addresses with a random named zip attachment containing a wsf file... One of the emails looks like:
From: Lon Kane <Kane.84@ fixed-189-180-187-189-180-32.iusacell .net>
Date: Thu 01/09/2016 19:22
Subject:Clients accounts
Attachment: a966ea5acc18.zip
Dear monika.griffithe,
I attached the clients’ accounts for your next operation.
Please look through them and collect their data. I expect to hear from you soon.
Lon Kane
VP Finance & Controller ...
27 September 2016: a966ea5acc18.zip: Extracts to: Clients accounts 32C58E xls.wsf
Current Virus total detections 8/55*. MALWR**... Payload Security*** shows a download of an encrypted file from
techskillscenter .net/zenl0z which is transformed by the script to 2Ez76BlaytMAH.dll (VirusTotal 6/57[4]) Unusually, Payload Security describes this dll file as informative, rather than malicious, which would normally mean it has some sort of anti-analysis/sandbox protection to it... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1474996887/
** https://malwr.com/analysis/YTU5OWRkM...ZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
173.247.251.145
5.196.200.247
94.242.55.225
86.110.118.114
69.195.129.70
4] https://www.virustotal.com/en/file/e...is/1474997682/
:fear::fear: :mad:
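Every Locky check-in reported in the posts above is an HTTP POST to /apache_handler.php, either on a bare IP or on a throwaway domain, and dynamoo publishes the IPs as a "Recommended blocklist". The following is an added example (my own code, not from myonlinesecurity.co.uk or dynamoo) that turns those two facts into a proxy-log check: it alerts on any host from the quoted blocklists (plus the 69.64.63.77 exploit-kit host) and, independently, on the POST-to-/apache_handler.php shape so an unlisted C2 is still caught. The log format and the sample lines are constructed for the demo; the one domain in it is refanged from the dynamoo C2 list above.

```python
"""Flag Locky C2 check-ins and blocklisted hosts in a web-proxy log.

Added example, not code from the quoted blog posts. Indicators come from
the posts above: the C2 path /apache_handler.php and the 'Recommended
blocklist' IPs. The log format and the sample lines are constructed for
this demo.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Recommended-blocklist IPs quoted above (Locky C2) plus the exploit-kit host.
BLOCKLIST = {
    "176.103.56.98", "194.67.208.69", "46.8.45.169",
    "86.110.118.114", "45.63.98.158",
    "69.64.63.77",
}

# Every Locky check-in on this page is an HTTP POST to this path, either on
# a bare IP or on a throwaway domain.
C2_PATH = "/apache_handler.php"

# Assumed (constructed) log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


@dataclass(frozen=True)
class Alert:
    client: str
    host: str
    reason: str


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host = u["host"].lower()
    path = u["path"] or "/"
    if host in BLOCKLIST:
        return Alert(m["client"], host, "blocklisted host")
    # Match the check-in shape itself so a fresh, unlisted C2 is still caught.
    # GET is excluded on purpose: the beacon is always a POST in these reports.
    if m["method"] == "POST" and path == C2_PATH:
        kind = "bare-IP" if _is_ip(host) else "domain"
        return Alert(m["client"], host, f"Locky C2 check-in pattern ({kind})")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in map(classify, lines) if a is not None]


# Constructed sample traffic: one benign request, a check-in to a listed IP,
# a check-in to an unlisted domain (refanged from the dynamoo list above), a
# GET of the C2 path on an internal host that must NOT alert, and a hit on
# the exploit-kit IP.
SAMPLE_LOG = """\
2016-09-28T10:01:02Z 10.0.0.5 GET http://www.example.org/index.html 200
2016-09-28T10:01:09Z 10.0.0.5 POST http://194.67.208.69/apache_handler.php 200
2016-09-28T10:01:15Z 10.0.0.7 POST http://kgijxdracnyjxh.biz/apache_handler.php 200
2016-09-28T10:02:00Z 10.0.0.9 GET http://intranet.example.org/apache_handler.php 404
2016-09-28T10:02:30Z 10.0.0.9 GET http://69.64.63.77/files/vip.php?id=4 200
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.client} -> {a.host}: {a.reason}")
```

The blocklist is checked before the path pattern, so a listed IP is reported as such even when the request is the beacon. Feed it real proxy lines by adapting LOG_RE; the IP list ages quickly (dynamoo's blocklists change daily in these posts), the path pattern is the part that keeps working.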
Fake 'Bill', 'Debit Card blocked', 'Receipt', 'New Order' SPAM
FYI...
Fake 'Bill' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malw...ents-bill.html
29 Sep 2016 - "This spam leads to Locky ransomware. The samples I have seen have no body text, but have subjects in the format:
Bill for documents 31564-29-09-2016
Bill for parcel 08388-28-09-2016
Bill for papers 657-29-09-2016
Each subject has a random number appended by the date. Attached is a RAR archive file with a name similar to Bill 657-29-09-2016.rar containing a malicious .js script which downloads...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following servers:
194.67.208.69/apache_handler.php (Marosnet, Russia)
89.108.83.45/apache_handler.php (Agava, Russia)
Payload detection for the version analysed was 16/56* but there could be an updated payload by now.
Recommended blocklist:
194.67.208.69
89.108.83.45 "
* https://www.virustotal.com/en/file/b...4a00/analysis/
- https://myonlinesecurity.co.uk/bill-...rs-locky-odin/
29 Sep 2016 - "... Locky downloaders with a series of blank/empty emails with the basic subject of 'Bill for documents' 57608-28-09-2016 pretending to come from no reply @ random companies, with a semi-random named .rar attachment containing a .JS file. These are using the new .Odin file extension on the encrypted files.. The MALWR report* shows contact with an attempted download of Net framework and some sort of mapping... The subjects vary with each email. They all start with 'bill for' and either documents, paper or parcel, then a series of random numbers and the date, looking something like:
Bill for documents 57608-28-09-2016
Bill for papers 9341672-28-09-2016
Bill for parcel 422-29-09-2016
... One of the emails looks like:
From: no-reply@ simplyorganic .com
Date: Thu 29/09/2016 00:44
Subject: Bill for documents 57608-28-09-2016
Attachment: Bill 57608-28-09-2016.rar
Body content: totally blank
29 September 2016: Bill 57608-28-09-2016.rar: Extracts to: Bill 5100-4868433109.js
Current Virus total detections 8/53**. MALWR* shows a download of an encrypted file from one of these locations:
http ://g2cteknoloji .com/8g74crec?rnhaXNpMuW=MWIKgpzUlE which is transformed by the script to ErUxQjD1.dll
(VirusTotal 9/57***) shows C2 on http ://89.108.83.45 /apache_handler.php and also shows various other script files. Payload Security[4] shows a few other C2 servers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://malwr.com/analysis/YmI0YzExZ...Q1ZWMyYWMyNWQ/
Hosts
185.26.144.135
194.67.208.69
89.108.83.45
** https://www.virustotal.com/en/file/4...is/1475114609/
*** https://www.virustotal.com/en/file/b...is/1475120852/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
185.26.144.135
89.108.83.45
194.67.208.69
45.63.98.158
69.195.129.70
52.42.26.69
52.84.40.221
___
Fake 'Debit Card blocked' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malw...ked-leads.html
29 Sep 2016 - "The attachment on this spam email leads to Locky ransomware:
From: "Ambrose Clements"
Subject: Temporarily blocked
Date: Thu, 29 Sep 2016 13:37:53 +0400
Dear [redacted]
this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
We attached the scan of transactions. Please confirm whether you made these transactions.
Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download...
(Many domain names listed at the dynamoo URL above.)
The decoded malware then phones home to:
195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo .pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
gqackht .biz/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
bgldptjuwwq .org/apache_handler.php
cxnlxkdkxxxt .xyz/apache_handler.php
rcahcieii .work/apache_handler.php
uxaoooxqqyuslylw .click/apache_handler.php
vwktvjgpmpntoso .su/apache_handler.php
upsoxhfqut .work/apache_handler.php
nqchuuvgldmxifjg .click/apache_handler.php
ofoclobdcpeeqw .biz/apache_handler.php
kfvigurtippypgw .pl/apache_handler.php
toescilgrgvtjcac .work/apache_handler.php
Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132 "
- https://myonlinesecurity.co.uk/your-...elivers-locky/
29 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Temporarily blocked' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .WSF file... One of the emails looks like:
From: Jarvis Mason <Mason.2892@ paneltek .ca>
Date: Thu 01/09/2016 19:22
Subject: Temporarily blocked
Attachment: debit_card_4b69ba102.zip
Dear [redacted],
this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
We attached the scan of transactions. Please confirm whether you made these transactions.
King regards,
Jarvis Mason
Technical Manager – Online Banking ...
1 September 2016: ea00debit_card_4b69ba102.zip: Extracts to: debit card details 92CF6066.wsf
Current Virus total detections 6/54*. Payload Security** shows a download of an encrypted file from
fhgmediaent .com/66aslu which is transformed by the script to 1lenb5SzGBo0mpu.dll (VirusTotal 10/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1475140581/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
23.227.132.66
91.200.14.93
195.123.210.11
185.117.155.20
91.234.33.132
*** https://www.virustotal.com/en/file/2...is/1475141313/
___
Fake 'Receipt' xls SPAM - Locky
- http://blog.dynamoo.com/2016/09/malw...eceiptxls.html
29 Sep 2016 - "This spam leads to Locky ransomware:
From rosalyn.gregory@ gmail .com
Date Thu, 29 Sep 2016 21:07:46 +0800
Subject Receipt 103-526
I cannot tell if there is any body text, however there is an -attachment- Receipt.xls which contains malicious code... that in the case of the sample I analysed downloads a binary from:
opmsk .ru/g76ub76
There will be -many- other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:
89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov .example .com] (SKS-LUGAN, Ukraine)
xpcwwlauo .pw/apache_handler.php [hostname: vjc .kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
A malicious DLL is dropped with a detection rate of 6/57*. Malicious IPs and domains overlap quite a bit with this earlier attack**. This version of Locky encrypts files with a .odin extension...
Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132 "
1] https://malwr.com/analysis/ZGRhZWJjN...JjYmZhNTUyN2I/
Hosts
85.17.31.113
89.108.83.45
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
85.17.31.113
91.200.14.93
89.108.83.45
195.123.210.11
91.234.33.132
* https://www.virustotal.com/en/file/7...is/1475156266/
** http://blog.dynamoo.com/2016/09/malw...ked-leads.html
___
Fake 'New Order' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/new-o...s-java-adwind/
29 Sep 2016 - "We continue to see Java Adwind Trojans daily... This one is an email with the subject of 'New Order' pretending to come from Claudia Schmiesing <claudia.schmiesing@ gmx .net> with a fuzzy unclear embedded image, that has a link hidden behind it, that, when clicked, downloads a zip file containing a Java.jar file. This particular version is very badly detected. Java Adwind is normally quite well detected on Virus Total...
Screenshot: https://myonlinesecurity.co.uk/wp-co...g-1024x695.png
29 September 2016: flwfbq.zip: Extracts to: ORDER.jar - Current Virus total detections 4/55*. MALWR**
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1475172675/
** https://malwr.com/analysis/MWNkNzg3Y...ZkODJlNWI3Mzg/
Hosts
23.105.131.212
:fear::fear: :mad:
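The attachments in the posts above are all archives wrapping a script (.wsf, .js, .hta, .jar) or a macro document, and the "show known file extensions" point is the key one: a name like "Clients accounts 32C58E xls.wsf" is displayed as "Clients accounts 32C58E xls" once Windows hides the real extension. As an added example (mine, not the blog authors' code), here is a mail-gateway style triage of such an archive. It builds a zip in memory with member names modelled on the ones reported on this page (constructed, filler bodies), flags the script types, flags the document-word-before-a-script-extension trick, and marks Office types for macro inspection. Assumption: zip only; the .rar variants in the 'Bill' posts need a third-party module.

```python
"""Triage an e-mailed archive for the script droppers described on this page.

Added example, not code from the quoted posts. It builds a small zip in
memory (constructed; member names modelled on those reported above, bodies
are filler), flags the script types these campaigns used (.wsf/.js/.hta/.jar)
and names that hide a script extension behind a document-looking word, and
notes macro-capable Office documents. Assumption: zip only; the .rar
variants need a third-party module.
"""
import io
import posixpath
import zipfile
from typing import Dict, List

# Scripting / executable types seen in the Locky and Adwind reports above.
SCRIPT_EXT = {".wsf", ".js", ".jse", ".hta", ".vbs", ".vbe", ".jar", ".exe", ".dll", ".scr"}
# Office types that can carry a VBA downloader (Receipt.xls / Receipt .doc above).
OFFICE_EXT = {".doc", ".docm", ".xls", ".xlsm", ".rtf"}
# Words a victim reads as "this is a document" when extensions are hidden.
DOC_WORDS = {"xls", "doc", "pdf", "jpg", "txt", "docx", "xlsx"}


def analyse_name(name: str) -> List[str]:
    """Return the reasons a member name looks malicious (empty if none)."""
    reasons: List[str] = []
    base = posixpath.basename(name)
    stem, ext = posixpath.splitext(base)
    ext = ext.lower()
    if ext in SCRIPT_EXT:
        reasons.append(f"script/executable attachment ({ext})")
        # 'Clients accounts 32C58E xls.wsf': with known extensions hidden,
        # Explorer shows '... xls' and the .wsf is never seen.
        tokens = stem.lower().replace(".", " ").split()
        if tokens and tokens[-1] in DOC_WORDS:
            reasons.append(f"document-looking name hides {ext}")
    elif ext in OFFICE_EXT:
        reasons.append("macro-capable Office document; inspect for macros")
    elif not ext and len(stem) == 1:
        # The 'please sign' sample on this page shipped a single-letter junk
        # file next to the script.
        reasons.append("junk single-letter filler file")
    return reasons


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Map every file member of the archive to its findings."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings[info.filename] = analyse_name(info.filename)
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """'block' if any member raised a finding, else 'allow'."""
    return "block" if any(findings.values()) else "allow"


def build_sample() -> bytes:
    """Constructed archive with the two member shapes quoted on this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Clients accounts 32C58E xls.wsf",
                    "<job><script language='JScript'>/* filler, not the real dropper */</script></job>")
        zf.writestr("q", "")
    return buf.getvalue()


def build_benign() -> bytes:
    """Constructed archive holding only a PDF-named member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice-2016-09.pdf", "%PDF-1.4 filler")
    return buf.getvalue()


if __name__ == "__main__":
    for archive in (build_sample(), build_benign()):
        found = triage_zip(archive)
        print(verdict(found), found)
```

Name-based triage is the cheap first gate, not the whole answer: the Receipt.xls and Receipt .doc samples on this page only become conclusive once the macro is extracted, and a .pdf-named member is only "allow" here because nothing about its name is wrong.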
Fake 'Receipt', 'Parcel details' SPAM
FYI...
Fake 'Receipt' SPAM - delivers Locky – Odin
- https://myonlinesecurity.co.uk/rando...rs-locky-odin/
30 Sep 2016 - "The Locky ransomware malware gang appear to be copying Dridex this week and going back to using word docs with embedded macros to deliver the ransomware... Locky downloaders.. a blank/empty email with the subject of 'Receipt' 45019-0740 (random numbers) pretending to come from random names at gmail .com with a random named word doc. The doc attachment name matches the subject line... One of the emails looks like:
From: chandra.har?@ gmail .com
Date: Fri 30/09/2016 10:12
Subject: Receipt 45019-0740
Attachment: Receipt 45019-0740.doc
Body content: Totally Blank/Empty
30 September 2016: Receipt 45019-0740.doc - Current Virus total detections 9/55*
.. MALWR** shows a download of an encrypted file from http ://travelinsider .com.au/021ygs7
which is transformed by the script to hupoas.dll (VirusTotal 8/57***). C2 is
http ://149.202.52.215 /apache_handler.php . Payload Security[4] shows multiple additional C2 sites. Neither online sandbox actually shows any Locky screenshots today, but Malwr clearly shows odin files in the lists... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1475226679/
** https://malwr.com/analysis/ZTNmNmYwN...RjNjkxNjdmNWE/
Hosts
203.98.84.123
89.108.83.45
149.202.52.215
*** https://www.virustotal.com/en/file/7...is/1475227548/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
203.98.84.123
89.108.83.45
91.200.14.93
149.202.52.215
185.43.4.143
___
Fake 'Parcel details' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/anoth...elivers-locky/
30 Sep 2016 - "... Locky downloaders.. an email pretending to be a DHL cannot deliver message with the subject of 'Parcel details' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with DHL_parcel containing a WSF file... fake/spoofed DHL (and other delivery companies) malspam emails... One of the emails looks like:
From: DHL <Phelps.0827@ parket-ekonom .ru>
Date: Fri 30/09/2016 10:48
Subject: Parcel details
Attachment: DHL_parcel_06cda564b.zip
Dear berkeley,
We couldn’t deliver your parcel on September 30th because we couldn’t verify the given address.
Attached is the shipment label. Please print it out to take the parcel from our office.
Label-ID: acd8e33709cb62ea9825f9de779d1dfb8f6b566af6779b11928a9e053f
Best Wishes,
Reyes Phelps
DHL Express Service
30 September 2016: DHL_parcel: Extracts to: DHL parcel 25514DCA.wsf - Current Virus total detections 7/55*
.. MALWR** seems unable to decode/decrypt these very heavily obfuscated scripting files. Payload Security*** shows a download of an encrypted file from fernandoarias .org/tmlvg7el which is transformed by the script to
a working Locky file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1475228984/
** https://malwr.com/analysis/NTQzM2YzM...ZkODA4ZmU2YjE/
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
91.186.0.7
52.34.245.108
52.222.157.47
52.41.235.21
:fear::fear: :mad:
Fake 'Scan', 'please sign' SPAM
FYI...
Fake 'Scan' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malw...2626-sent.html
3 Oct 2016 - "This -fake- document scan leads to Locky ransomware:
From: DAMON ASHBROOK
Date: 3 October 2016 at 10:56
Subject: [Scan] 2016-1003 15:26:26
--
Sent with Genius Scan for iOS.
The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat. This Malwr analysis* shows some of the infection in action. Overall my sources tell me that the various malicious macros download...
(Long list of domain-names listed at the dynamoo URL above.)
C2 locations are:
149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
logwudorlghdou .info/apache_handler.php
krmwgapkey .work/apache_handler.php
hruicryqytbmc .xyz/apache_handler.php
vswaagv .org/apache_handler.php
smskymrtssawsjb .org/apache_handler.php
wvandssbv .org/apache_handler.php
ytxsbkfjmyxglvt .click/apache_handler.php
rqybmggvssutf .xyz/apache_handler.php
qaemlwlsvqvgcmbke .click/apache_handler.php
btlyarobjohheg .ru/apache_handler.php
civjvjrjjlv .pw/apache_handler.php
xlarkvixnlelbsvxl .xyz/apache_handler.php
A DLL is dropped with a detection rate of 19/57**.
Recommended blocklist:
149.202.52.215
217.12.199.244 "
* https://malwr.com/analysis/MzdlZjhkO...I1YzIyZWZkNGI/
Hosts
69.89.29.98
149.202.52.215
** https://www.virustotal.com/en/file/8...is/1475489696/
___
Fake 'please sign' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malw...-to-locky.html
3 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: please sign
From: Ricardo Buchanan
Date: Monday, 3 October 2016, 10:27
Hi [redacted],
I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.
Best Wishes,
Ricardo Buchanan
CEO
In the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name... obfuscated script... appears to download Locky ransomware. Analysis is pending.
UPDATE: This Hybrid Analysis* clearly shows Locky in action. According to my sources there are no C2s..."
(Long list of domain-names at the dynamoo URL above.)
* https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
65.49.80.83
165.246.165.245
52.34.245.108
52.85.184.19
63.245.215.95
- https://myonlinesecurity.co.uk/lots-...onday-morning/
3 Oct 2016 - "... loads of Locky today. We are seeing multiple subjects, emails and attachments. We are seeing XLS files and the typical .wsf files inside zips... email looks like:
From: KIETH WOOLDRIDGE <kieth.wooldridge.61@ kimiabiosciences .com> (random senders)
Date: Mon 03/10/2016 08:45
Subject: [Scan] 2016-1003 12:14:45
Attachment: 2016-1003 12-14-45.xls
—
Sent with Genius Scan for iOS.
... (another) version is:
From: Anita Ramsey <Ramsey.663@ equestrianarts .org> (random senders)
Date: Mon 03/10/2016 09:51
Subject: please sign
Attachment: paperwork_scan_35886e2.zip extracts to paperwork scan ~D45D50C5.wsf
Hi [redacted],
I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.
Best Wishes,
Anita Ramsey
Head of Corporate Relations
MALWR [1] [2] [3] | VirusTotal [4][5][6] downloads from
http ://mmm2.aaomg .com/jhg45s and http ://crossroadspd .com/jhg45s which will be converted to siluans.dll
(Virustotal 14/57*) or from ossiatzki .com/dyke9 which is converted to MMCnbLicrHhc.dll (virusTotal 14/57**)..
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://malwr.com/analysis/YzBlYzNkM...ZmYTI0ZWJlYmM/
Hosts
96.0.130.2
217.12.199.244
2] https://malwr.com/analysis/OWMwZTM2N...NmNmU4ZWRjZmY/
Hosts
208.71.139.66
217.12.199.244
3] https://malwr.com/analysis/NDJlYjI0Y...VjOGJlMWJkMzE/
4] https://www.virustotal.com/en/file/6...is/1475484796/
5] https://www.virustotal.com/en/file/2...is/1475484485/
6] https://www.virustotal.com/en/file/7...is/1475484779/
* https://www.virustotal.com/en/file/8...is/1475479730/
** https://www.virustotal.com/en/file/8...is/1475479730/
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
111.221.40.34
54.218.66.17
52.85.184.121
:fear::fear: :mad:
Fake 'Refund', 'Bill for parcel', 'Voicemail', 'Travel Itinerary' SPAM
FYI...
Fake 'Refund' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/refun...elivers-locky/
4 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Refund' pretending to come from various randomly chosen delivery, parcel or postal companies with a semi random named zip attachment starting with refund containing a WSF file... a very small portion of the several hundred received in the last few minutes, so -Any- delivery company is likely to be spoofed.
Royal Mail
PostNL
Schenker AG
Japan Post Group
FedEx
DHL
DHL Express
One of the emails looks like:
From: Royal Mail <Reynolds.21@ usacabs .com>
Date: Thu 01/09/2016 19:22
Subject: Refund
Attachment: refund_scan_a2e0a7b.zip
Dear [redacted], please submit the return form to receive the refund.
The parcel must have its original packaging. The return form is attached in this mail.
Best regards,
Elsa Reynolds
Royal Mail
4 October 2016: refund_scan_a2e0a7b.zip: Extracts to: refund scan 392CDC4.wsf
Current Virus total detections 8/54*. Payload Security** shows a download of an encrypted file from
motos13 .com/w0bmffo which is transformed by the script to a working Locky file. Unfortunately Payload Security does not show or allow download of the file in the free web version. This looks like the version with no C2 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1475567273/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.93.240.134
52.85.184.21
52.41.235.21
___
Fake 'Bill for parcel' SPAM - delivers Locky – Odin
- https://myonlinesecurity.co.uk/bill-...rs-locky-odin/
4 Oct 2016 - "... Locky downloaders.. a -blank- email with the subject of 'Bill for parcel' 064983-04-10-2016 pretending to come from no-reply @ random email addresses with a random named zip attachment containing a WSF file. This version of Locky with an Odin-extension is using DLL files, whereas last night’s version* used .exe files.
* https://myonlinesecurity.co.uk/surev...elivers-locky/
The subject line will always start with 'Bill for', then either 'Parcel', 'Document', 'Documents', 'Papers' or other similar words, then a random number, then today's date... One of the emails looks like:
From: no-reply@ speroresources .com
Date: Tue 04/10/2016 08:04
Subject: Bill for parcel 064983-04-10-2016
Attachment: Bill 772-04-10-2016.zip
Body content: totally blank/empty
4 October 2016: Bill 772-04-10-2016.zip: Extracts to: Bill 3609756-04-10-2016.wsf
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
http ://aluvista .com/erg7cbr?QJWtIXrQ=oUDSEKIWsF which is transformed by the script to WkOUeAz1.dll
(VirusTotal 7/56***). C2 is http ://158.255.6.115 /apache_handler.php - other C2 locations are shown in the Payload Security report[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1475561395/
** https://malwr.com/analysis/ZTRlYTJiZ...IzNmQyM2ViMzk/
Hosts
78.46.34.83
158.255.6.115
*** https://www.virustotal.com/en/file/7...is/1475567524/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
78.46.34.83
158.255.6.115
81.177.26.201
52.85.184.9
___
Fake 'Voicemail' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/surev...elivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Voicemail' from [random name] [random number] <[random number]> [random time] pretending to come from voicemailandfax@ random email addresses with a semi-random named zip attachment containing a HTA file... One of the emails looks like:
From: SureVoIP <voicemailandfax@ nexgtech .com>
Date: Mon 03/10/2016 22:22
Subject: Voicemail from Sherri metcalf 00780261644 <00780261644> 00:01:40
Attachment: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip
Message From “Sherri metcalf 00780261644” 00780261644
Created: 2016.10.03 16:23:42
Duration: 00:01:40 ...
3 October 2016: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip: Extracts to: 0332451600272.hta
Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
acaciainvest .ro/98h86f?HmaeXAiu=CQDbSkNs which is transformed by the script to xsyMCaVC1.exe
(VirusTotal 5/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1475531086/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
188.240.2.32
149.202.52.215
81.177.26.201
52.85.184.21
*** https://www.virustotal.com/en/file/b...is/1475531106/
___
Fake 'Travel Itinerary' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/trave...elivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Travel Itinerary' pretending to come from random airline companies with a semi-random named zip attachment starting with 'Travel_Itinerary' containing a WSF file... I have seen these pretend to come from just about every airline in existence. Some received include:
Asiana Airlines <Flynn.92@ dsldevice .lan>
Swiss Air Lines <Hamilton.560@ dsldevice .lan>
Lufthansa <Cardenas.4568@ sewerlinereplacementrichmond .com>
Thai Airways <Mercer.030@ airtelbroadband .in>
Singapore Airlines <Burt.5051@ nbftv .no>
Cathay Pacific <Pacheco.074@ telecomitalia .it>
Turkish Airlines <Barker.585 @sabanet .ir>
Emirates <Flores.935@ deborahkellymft .com>
Virgin Australia <Terry.46@ philipskillman .com>
Qantas Airways <Weiss.213@ ceas .com.ve>
One of the emails looks like:
From: Asiana Airlines <Flynn.92@ dsldevice .lan>
Date: Mon 03/10/2016 19:09
Subject: Travel Itinerary
Attachment: Travel_Itinerary-a884558.zip
Dear [redacted]
Thank you for flying with us! We attached the Travel Itinerary for Your booking number #3FD6F18.
See the paid amount and flight information.
Best regards,
Stephan Flynn
Asiana Airlines
3 October 2016: Travel_Itinerary-a884558.zip: Extracts to: Travel_Itinerary-4F2AD50.wsf
Current Virus total detections 5/54*. MALWR is unable to fully analyse these and get any download links or payload. Payload Security** shows a download of an encrypted file from
onlinesigortam .net/njahqfis which is transformed by the script to a working Locky file...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1475518144/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
159.253.36.221
185.135.80.235
91.219.31.49
178.63.238.182
69.195.129.70
50.112.202.19
52.85.184.9
:fear::fear: :mad:
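The From: headers quoted in the posts above share three tells: a brand display name (DHL, Royal Mail, Asiana Airlines, Lufthansa...) on a domain that has nothing to do with the brand, non-routable domains such as dsldevice .lan, and consumer-broadband reverse-DNS hostnames like fixed-189-180-187-189-180-32.iusacell .net or adsl.viettel .vn. As an added example (my code, not the blog authors'), here is a header check that encodes those three heuristics. BRAND_DOMAINS is an assumption for the demo, not a verified list, and the sample headers are constructed, modelled on the quoted senders and refanged; the one clean control uses an assumed legitimate domain.

```python
"""Heuristics for the spoofed From: headers quoted on this page.

Added example, not code from the posts. Three checks the quoted senders
would trip: a brand display name on an unrelated domain, a non-routable
TLD such as .lan, and a consumer-broadband-looking hostname (an embedded
IPv4 address or 'adsl'/'broadband'-style labels). BRAND_DOMAINS is an
assumption for the demo, not a verified list; the sample headers are
constructed, modelled on the reports above and refanged.
"""
import re
from email.utils import parseaddr
from typing import List

# Assumed legitimate sending domains per brand (illustrative; replace with
# the organisation's own allow-list).
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "royal mail": {"royalmail.com"},
    "asiana airlines": {"flyasiana.com"},
    "lufthansa": {"lufthansa.com"},
}
PRIVATE_TLDS = {"lan", "local", "localdomain", "internal", "home"}
ISP_WORDS = ("adsl", "dsl", "broadband", "dynamic", "dialup", "cable", "pppoe")
# Four dotted/dashed octets inside a label, e.g. fixed-189-180-187-189-180-32.<isp>.net
IP_IN_HOST = re.compile(r"(?:^|[.-])\d{1,3}(?:[.-]\d{1,3}){3}(?:[.-]|$)")


def _under(domain: str, parent: str) -> bool:
    return domain == parent or domain.endswith("." + parent)


def check_from(header: str) -> List[str]:
    """Return the reasons a From: header looks spoofed (empty if none)."""
    display, addr = parseaddr(header)
    if "@" not in addr:
        return ["unparseable address"]
    domain = addr.rsplit("@", 1)[1].lower().strip()
    reasons: List[str] = []
    shown = display.lower()
    for brand, good in BRAND_DOMAINS.items():
        if brand in shown and not any(_under(domain, g) for g in good):
            reasons.append(f"display name claims {brand} but sender domain is {domain}")
    tld = domain.rsplit(".", 1)[-1]
    if tld in PRIVATE_TLDS:
        reasons.append(f"non-routable sender domain .{tld}")
    if IP_IN_HOST.search(domain):
        reasons.append("IPv4 address embedded in sender hostname")
    host_part = domain.rsplit(".", 1)[0]
    if any(w in host_part for w in ISP_WORDS):
        reasons.append("consumer-ISP-looking sender hostname")
    return reasons


# Constructed headers modelled on the quoted samples (refanged) plus one
# clean control using an assumed legitimate domain.
SAMPLE_HEADERS = [
    "DHL <Phelps.0827@parket-ekonom.ru>",
    "Asiana Airlines <Flynn.92@dsldevice.lan>",
    "Lon Kane <Kane.84@fixed-189-180-187-189-180-32.iusacell.net>",
    "Roxie Davis <Davis.863@adsl.viettel.vn>",
    "DHL Express <noreply@dhl.com>",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", check_from(h) or ["ok"])
```

These are scoring signals, not a verdict on their own: the brand check only fires for brands you have listed, and the ISP-word check will occasionally hit a legitimate small business on a broadband line, which is why the sample 'Lon Kane' header is flagged on the embedded IP alone. Pair them with SPF/DKIM results and the attachment triage rather than blocking on display name alone.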
Fake 'Document', 'complaint letter', 'Cancellation request' SPAM
FYI...
Fake 'Document' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malw...-leads-to.html
5 Oct 2016 - "I have only received a single sample of this spam, presumably it comes from random senders. There is no-body-text in my sample.
Subject: Document from Paige
From: Paige cuddie (Paige592035@ gmail .com)
Date: Wednesday, 5 October 2016, 9:37
In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script... DOC-20161005-WA0002715.wsf. Automated analysis [1] [2] shows this sample downloads from:
euple .com/65rfgb?EfTazSrkG=eLKWKtL
There will be many other locations besides this. Those same reports show the malware (in this case Locky ransomware) phoning home to:
88.214.236.36 /apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100 /apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)
The sample I found downloaded a legitimate binary from ciscobinary.openh264 .org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.
Recommended blocklist:
88.214.236.0/23
109.248.59.0/24 "
1] https://malwr.com/analysis/MDdlZDI1N...ZkYjY3YzEyMWU/
Hosts
23.88.37.83
88.214.236.36
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
23.88.37.83
88.214.236.36
109.248.59.100
52.32.150.180
52.85.184.129
52.41.235.21
___
Fake 'complaint letter' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/compl...elivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with complaint_letter_ containing a WSF file... note the misspelled/typo error in the email body, 'King regards'. We have seen that quite frequently... One of the emails looks like:
From: Roxie Davis <Davis.863@ adsl.viettel .vn>
Date: Wed 05/10/2016 10:20
Subject: complaint letter
Attachment: complaint_letter_cb9d039ea.zip
Dear [redacted], client sent a complaint letter regarding the data file you provided.
The letter is attached. Please review his concerns carefully and reply him as soon as possible.
King regards,
Roxie Davis
5 October 2016: complaint_letter_cb9d039ea.zip: complaint letter 4A683AD.wsf
Current Virus total detections 8/53*... Payload Security** shows a download of an encrypted file from
upper-classmen .com/k1hd6 which is transformed by the script to RpKwxNZ92.dll (VirusTotal 8/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustotal.com/en/file/2...is/1475660416/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
192.138.189.69
109.248.59.100
88.214.236.36
217.12.223.78
109.248.59.164
91.219.31.49
*** https://www.virustotal.com/en/file/a...is/1475661773/
___
Fake 'Cancellation request' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/cance...elivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Cancellation request' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with Cancellation_Form_ containing a .JS file... One of the emails looks like:
From: Katharine Clayton <Clayton.892@ myfghinc .com>
Date: Wed 05/10/2016 19:40
Subject: Cancellation request
Attachment: Cancellation_Form_3805419.zip
Dear [redacted], to cancel the request you made on October 4th, you need to fill out the cancellation form attached in this email.
Contact us if you need further assistance.
Best regards,
Katharine Clayton
Clients Support
5 October 2016: Cancellation_Form_3805419.zip: Extracts to: Cancellation Form 4FDE6.js
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from
http ://noisecontrols .com/dctpl4c which is transformed by the script to CSWzQT0oHGGp27m.dll
(VirusTotal 11/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1475693156/
** https://malwr.com/analysis/MGQwNDU3Z...FkODY5MWI3MjQ/
Hosts
101.100.175.250
*** https://www.virustotal.com/en/file/0...is/1475694004/
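The posts above all end the same way: a sandbox "Contacted Hosts" list (which mixes the real C2 with unrelated traffic) and a "Recommended blocklist" of CIDRs and single IPs, with every Locky C2 sitting at http://&lt;bare IP&gt;/apache_handler.php. The following is an added example (not code from myonlinesecurity.co.uk or dynamoo) that folds those blocklists into one list, classifies a sandbox host list against it, and triages proxy-log lines for blocklist hits or the C2 path. The proxy-log format and the log lines are constructed; the IPs and CIDRs are the ones quoted in this thread.

```python
"""Match sandbox 'Contacted Hosts' and proxy-log requests against the
'Recommended blocklist' entries quoted in this thread.  Added example, not
code from the quoted blogs; the log format and log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# CIDRs and single hosts copied from the blocklists quoted in the posts.
BLOCKLIST = [
    "88.214.236.0/23", "109.248.59.0/24",                 # 'Document from ...' C2s
    "46.8.44.105", "46.183.221.128/25", "91.219.28.76",
    "188.120.236.21", "217.12.223.78",                    # 'Your Order' C2s
    "62.84.69.75", "85.118.45.12", "109.248.59.164",      # 'Invoice' download hosts and C2
]

# Every Locky C2 quoted in the thread is http://<bare IP>/apache_handler.php.
C2_PATH = "/apache_handler.php"

# Constructed proxy-log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_blocklist(entries):
    """Turn mixed CIDR / single-IP strings into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matching_network(host, networks):
    """Return the first blocklist entry containing host, or None (hostnames never match)."""
    if not is_ip_literal(host):
        return None
    addr = ipaddress.ip_address(host)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def classify_hosts(hosts, networks):
    """Map each sandbox 'Contacted Host' to the blocklist entry it falls in (None = not listed)."""
    return {h: matching_network(h, networks) for h in hosts}


def triage_proxy_log(lines, networks):
    """Return (client, url, reasons) for each request that hits the blocklist
    or uses the Locky C2 path on an IP-literal host.  Lines that do not
    match the constructed format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        net = matching_network(host, networks)
        if net:
            reasons.append(f"blocklist {net}")
        if parts.path == C2_PATH and is_ip_literal(host):
            reasons.append("Locky C2 path on bare IP")
        if reasons:
            hits.append((m.group("client"), url, reasons))
    return hits


# Constructed log lines: a C2 check-in quoted in the 'Your Order' post; a host
# that is not individually listed but falls inside 109.248.59.0/24; a payload
# download from a hacked legitimate site quoted in the same post (no blocklist
# entry, so not flagged); and a 52.x address of the kind that fills the sandbox
# 'Contacted Hosts' lists but is on no blocklist.
SAMPLE_LOG = [
    "2016-10-06T10:15:02Z 10.0.0.12 POST http://217.12.223.78/apache_handler.php 200",
    "2016-10-06T10:15:09Z 10.0.0.12 POST http://109.248.59.200/apache_handler.php 200",
    "2016-10-06T10:15:01Z 10.0.0.12 GET http://pioneerschina.com/xwks4 200",
    "2016-10-06T10:16:00Z 10.0.0.33 GET http://52.85.184.129/ 200",
]

if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST)
    sandbox_hosts = ["109.248.59.164", "88.214.236.36", "52.32.150.180"]
    for host, net in classify_hosts(sandbox_hosts, nets).items():
        print(f"{host:<16} -> {net}")
    for client, url, reasons in triage_proxy_log(SAMPLE_LOG, nets):
        print(client, url, "; ".join(reasons))
```

Two things the output makes visible: the 6 Oct 'Invoice' C2 109.248.59.164 is already covered by the 109.248.59.0/24 entry from the 5 Oct blocklist, and the sandbox lists' 52.x addresses match nothing, which is why the blocklists are shorter than the "Contacted Hosts" lists. The download locations (hacked legitimate sites, different every run) are deliberately not in the blocklist; only the C2 path check and the IP ranges carry over from day to day.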
Fake 'Your Order', 'Invoice' SPAM
FYI...
Fake 'Your Order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/your-...elivers-locky/
6 Oct 2016 - "... Locky downloader.. an email with the subject of 'Your Order' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting order_details_ containing a .JS file... One of the emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: order_details_bfa256b5.zip
Your order has been proceeded. Attached is the invoice for your order A-1376657.
Kindly keep the slip in case you would like to return or state your product’s warranty.
6 October 2016: order_details_bfa256b5.zip: Extracts to: Cancellation Form 0D582E2.js
Current Virus total detections 7/54*. MALWR** shows a download of an encrypted file from
http ://pioneerschina .com/xwks4 which is transformed by the script to Prxa55gCpc.dll (VirusTotal 12/56***)
C2 http ://217.12.223.78 /apache_handler.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1475741537/
** https://malwr.com/analysis/N2JhMWQ4N...86ec016cdab8ad
Hosts
69.195.71.128
217.12.223.78
*** https://www.virustotal.com/en/file/b...is/1475742167/
- http://blog.dynamoo.com/2016/10/malw...nevitable.html
6 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Adrian Salinas
Date: 6 October 2016 at 10:13
Subject: Your Order
Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.
Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js
According to my source, these various scripts then download a component...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following IPs (belonging pretty much to the usual suspects):
46.8.44.105 /apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76 /apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21 /apache_handler.php (TheFirst-RU, Russia)
217.12.223.78 /apache_handler.php (ITL, Ukraine)
46.183.221.134 /apache_handler.php (Dataclub, Latvia) ...
Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78 "
___
Fake 'Invoice' SPAM - .doc attachment leads to Locky
- http://blog.dynamoo.com/2016/10/malw...-12345678.html
6 Oct 2016 - "This -fake- financial spam leads to malware:
From: invoices@ [redacted] .com
Date: 6 October 2016 at 07:16
Subject: Invoice-365961-42888419-888-DE0628DA
Dear Customer,
Please find attached Invoice 42888419 for your attention.
Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Credit Dept'
### This mail has been sent from an un-monitored mailbox ###
The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc... The sample I sent for automated analysis [1] [2] downloads some data from:
eaglemouth .org/d5436gh
... my sources (thank you, you know who you are) that there are additional download locations at:
dabihfluky .com/d5436gh
fauseandre .net/d5436gh
This particular variant of Locky ransomware uses black hat hosting for this download location rather than a -hacked- legitimate site. All these domains are hosted on the following IPs:
62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France) ...
(Many domain-names listed at the dynamoo URL above.) ...
A DLL is dropped with a detection rate of 13/56*.
UPDATE: I completely forgot to include the C2. D'oh.
109.248.59.164 /apache_handler.php (Netart, Russia)
Recommended blocklist:
62.84.69.75
85.118.45.12
109.248.59.164 "
1] https://malwr.com/analysis/ODUxOTJmO...cwN2E5ODBmMjU/
Hosts
85.118.45.12
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
62.84.69.75
109.248.59.164
52.32.150.180
54.192.203.206
* https://virustotal.com/en/file/9a443...is/1475744035/
Fake 'wrong paychecks' SPAM
FYI...
Fake 'wrong paychecks' SPAM - delivers Locky/Odin
- https://myonlinesecurity.co.uk/wrong...rs-locky-odin/
7 Oct 2016 - "... Locky downloader.. an email with the subject of 'wrong paychecks' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with paychecks_ containing a .JS file... One of the emails looks like:
From: Guy Bennett <Bennett.75@ janicerich .com>
Date: Thu 06/10/2016 22:17
Subject: wrong paychecks
Attachment: paychecks_43b3b18.zip
Hey [redacted]. They send us the wrong paychecks. Attached is your paycheck arrived to my email by mistake.
Please send mine back too.
Best regards,
Guy Bennett
7 October 2016: ea00paychecks_43b3b18.zip: Extracts to: paychecks exported 5648A20E.js
Current Virus total detections 11/54*. MALWR** shows a download of an encrypted file from
http ://bdfxb .com/jp0zuso which is transformed by the script to YXljL8XPAjn.dll (VirusTotal 10/56***). Payload Security[4] shows multiple C2 and additional download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1475801339/
** https://malwr.com/analysis/OTNiMTUxM...g0OTJjN2NhMjU/
Hosts
182.92.220.92
*** https://www.virustotal.com/en/file/a...is/1475820102/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
31.210.120.156
185.82.217.98
185.75.46.122
185.154.13.182
95.213.179.232
69.195.129.70
Dridex - random subjects with cab files - SPAM
FYI...
Dridex - random subjects with cab files - SPAM
- https://myonlinesecurity.co.uk/dride...ith-cab-files/
11 Oct 2016 - "... an email with a variety of subjects along the lines of 'Form Sydnee I. Hahn' (the initial word is either Form/Token/License/Certificate or another similar word, followed by a name that matches the name in the body of the email), coming as usual from random companies, names and email addresses with a semi-random named cab file attachment (that matches the subject word) containing a .JS file (cab files are Microsoft-specific archives (zip files) that are normally used for Windows updates. Almost any unzipping tool will extract them; however, Windows Explorer will natively extract and -autorun- any content inside a cab file if double clicked to open them). This looks like Dridex today, rather than the Locky ransomware...
Update 09.30 UTC: A second run starting with a mix of .cab files and .zip files, possibly because many mail filtering systems, including MailScanner used on a high proportion of Linux mail servers, detect and warn about .cab files by default. Some servers are set to block them automatically. This server is set to warn about potentially dangerous file extensions but not block them (to certain domains only) so I can obtain malware samples to warn/alert and submit to anti-virus companies and help protect everybody. For every cab file that I have received so far, I also got a warning message to my postmaster/admin email address. The sort of subjects we are seeing include:
Form Sydnee I. Hahn
Token Jolie T. Barrett
License Armando H. Bates
Certificate Brittany T. Beach
Archive Linda K. McLaughlin
Papers Sylvia C. Price
Agreement Dieter U. Vinson
Report David W. Rogers
Document Isaac Q. Lucas
One of the emails looks like:
From: HilariSydnee I. Hahn <rtep.springvale@ ljh .com.au>
Date: Tue 11/10/2016 08:03
Subject: Form Sydnee I. Hahn
Attachment: Form.cab
Good morning
Please review your Form.
I’m waiting for your reply
Kindest regards
Sydnee I. Hahn
An alternative body content:
Hi
Here is your Token.
Pls inform me the answer as soon as posible
Regards
Jolie T. Barrett
An alternative body content:
Greetings
Here is your License.
I’m still waiting for your answer
Cain M. Rogers
11 October 2016: Form.cab: Extracts to: 20792.tmp - Current Virus total detections 0/55*
.. MALWR** shows a download from http ://www .mobilemanager .fr/log.khp which gave me 20792.tmp (VirusTotal 6/56***)
Detections are inconclusive, but Payload Security[4] indicates that this is most probably the Dridex banking Trojan. However, that also shows an error in running the file with an unsupported-system message. That might mean that there is a fault with the Dridex binary or, more likely, that the Dridex malware gang have added even more protections to their malware, stopping it from running when a sandbox or VM is detected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1476169831/
** https://malwr.com/analysis/YTFmNTQ5M...dlOTYxZDc3YmE/
Hosts
217.76.132.43
*** https://www.virustotal.com/en/file/e...is/1476170061/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
217.76.132.43
195.154.163.166
88.213.204.147
Fake 'Payment - wire transfer' SPAM
FYI...
Fake 'Payment - wire transfer' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/did-y...s-java-adwind/
12 Oct 2016 - "... daily.. -fake- financial themed emails containing java adwind attachments...
This article[1] from a couple of years ago explains why you should remove it.
If you cannot remove it then it -must- be kept up-to-date[2] .. be extremely careful with what you download or open...
1] https://www.theguardian.com/technolo...ack-technology
2] https://java.com/en/download/
... The email looks like:
From: Account <order@ coreadmin .eficaz .cl>
Date: Wed 12/10/2016 04:56
Subject: RE: Payment
Attachment: Details.zip
Hi,
Did you authorize any wire transfer to our account?
We have received an amount of USD79,948.12 from your account and we do not know what this fund is for.
We do not have any transaction with your company that we know about. So why making payment to us.
Please see the attached remittance documents and double-check with your bank.
We wait for your comment.
Best Regards,
Leo Lee,
Navkar Corporation Ltd
215 Lumpoo Road, Wadsampraya, Pranakorn
Bangkok, 10200 Thialand ...
12 October 2016: details.jar (119kb) - Current Virus total detections 5/55*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1476250143/
** https://www.hybrid-analysis.com/samp...ironmentId=100
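Every lure in this thread delivers the same way: a ZIP holding a .js/.wsf/.hta script, a .cab that Explorer opens natively, or a bare .jar (the Adwind post). The following is an added example (not code from the quoted blogs) of a mail-gateway style triage over those attachment types: it opens ZIPs in memory and reports script members by extension, reports .jar and loose scripts directly, and reports .cab containers without opening them, since the 11 Oct post notes gateways warn on those by default. The sample message is constructed, modelled on the 'Cancellation request' email above, with a placeholder sender and a placeholder script body; the extension lists are assumptions, not something the posts define.

```python
"""Triage mail attachments of the kinds quoted in this thread: ZIP wrapping a
.js/.wsf/.hta script, .cab, and bare .jar.  Added example, not code from the
quoted blogs; the sample message and extension lists are constructed."""
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions that run directly on a default Windows box (wscript/mshta) or via Java.
EXEC_EXTS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".vbe", ".jar"}
# Containers we refuse to open at all (Explorer handles them natively; gateways warn by default).
BLOCK_CONTAINERS = {".cab"}
# Archives we do open to look at the member names.
ARCHIVE_EXTS = {".zip"}


def _ext(name):
    """Lower-cased final extension, so 'invoice.pdf.js' is treated as .js."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename, payload):
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = _ext(filename)
    if ext in EXEC_EXTS:
        findings.append(f"script attachment {filename}")
    elif ext in BLOCK_CONTAINERS:
        findings.append(f"cab container {filename} (not opened; quarantine)")
    elif ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if _ext(member) in EXEC_EXTS:
                        findings.append(f"{filename} contains script {member}")
        except zipfile.BadZipFile:
            findings.append(f"{filename} is not a valid zip")
    return findings


def triage_message(raw_bytes):
    """Walk a raw RFC 822 message and inspect every part that carries a filename."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        findings.extend(inspect_attachment(filename, part.get_payload(decode=True) or b""))
    return findings


def build_sample():
    """Constructed message modelled on the 'Cancellation request' lure above:
    a ZIP named like the real attachment wrapping a placeholder .js member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Cancellation Form 4FDE6.js",
                    "// constructed placeholder, not the real downloader\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"          # placeholder, not the quoted sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Cancellation request"
    msg.set_content("To cancel the request you made, fill out the cancellation form attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Cancellation_Form_3805419.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
    print(inspect_attachment("Form.cab", b"MSCF"))
    print(inspect_attachment("details.jar", b"PK"))
```

This only reads member names, which is enough for the ZIP/.js and ZIP/.wsf runs above but says nothing about the macro-bearing .doc in the 'Invoice' post; a .doc needs an OLE/macro inspection step this example does not include.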