{"id":940,"date":"2016-12-31T15:53:22","date_gmt":"2016-12-31T20:53:22","guid":{"rendered":"http:\/\/www.ccrepairservices.com\/blog\/?p=940"},"modified":"2016-12-31T15:53:22","modified_gmt":"2016-12-31T20:53:22","slug":"spoofed-fedex-and-usps-kovter-and-locky-sites-ransomeware-malware-keeps-spreading","status":"publish","type":"post","link":"https:\/\/www.ccrepairservices.com\/blog\/computer-news\/spoofed-fedex-and-usps-kovter-and-locky-sites-ransomeware-malware-keeps-spreading\/","title":{"rendered":"Spoofed FedEx and USPS Kovter and Locky Sites Ransomware Malware Keeps Spreading"},"content":{"rendered":"<figure  class=\"wp-caption alignnone\"  ><img loading=\"lazy\" decoding=\"async\" class=\"transparent\" src=\"https:\/\/i1.wp.com\/myonlinesecurity.co.uk\/wp-content\/uploads\/2016\/12\/ransomware2z.gif?fit=500%2C352&amp;ssl=1\" alt=\"www.ccrepairservices.com\" width=\"500\" height=\"352\" \/><figcaption  class=\"wp-caption-text\">Locky Ransomware New CPRS CCRS Computer Repair Miami Fort Lauderdale Website<\/figcaption><\/figure>\n<p>Following on from the [ <a title=\"FEDEX\" href=\"https:\/\/myonlinesecurity.co.uk\/more-spoofed-fedex-unable-to-deliver-your-parcel-malspam-delivering-locky-and-multiple-other-malwares\/\">FEDEX<\/a> ] [ <a title=\"USPS\" href=\"https:\/\/myonlinesecurity.co.uk\/spoofed-usps-unable-to-deliver-malspam-continues-to-deliver-locky-kovter-and-other-malware\/\">USPS<\/a> ] posts describing the spoofed FedEx and USPS (and, from time to time, other delivery service) emails, I will endeavour to keep an up-to-date list of the sites currently involved in spreading this malware. I will also show the command used that day to obtain the malware. I will add each day's <strong>new<\/strong> sites to the lists, but please remember that old sites are reused daily until they are taken down by their hosts. 
 \u00a0All the sites used in this malware spreading campaign are hacked \/\u00a0compromised sites.<\/p>\n<blockquote><p>The script tries the first site in the list and then moves down until it gets a reply from the server. You never see the first downloaded file (counter.js) by searching on your computer, because it is run directly from temporary internet files. Counter.js then downloads a different variant of counter.js, which in turn downloads 01 first, then 02, then 03, and so on until 05. If any site doesn\u2019t have a file, the script moves to the next site in the list for that particular file. Each site on the list has a full set of the files, but it is rare for the site delivering counter.js to download from itself; normally it downloads from a different site on the list. All the files (apart from the original counter.js) pretend to be png image files. They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or two extra ones. To get the second counter.js you need to change the <strong>&amp;r=01<\/strong> at the end of the url to <strong>&amp;m=01<\/strong> (or 02-05). This second counter.js contains additional sites to download from, which frequently include sites from the previous days\u2019 lists that are not already included in the WSF or first counter.js.<\/p><\/blockquote>\n<p>I only accidentally found out about the second\/3rd\/4th\/5th counter.js when I made a mistake in manually decoding the original wsf file (and the original counter.js) and mistyped\/miscopied the <strong>&amp;r=<\/strong> and used <strong>&amp;m=<\/strong> instead. 
Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim\u2019s computer when urls or sites are known about and blocked by an antivirus or web filter service.<\/p>\n<p><strong>25 December 2016<\/strong>: ( <a title=\"Payload Security report\" href=\"https:\/\/www.hybrid-analysis.com\/sample\/956bba1467c1f08d6f31c3c16af10b915f1e4e82241ca057dffeba4d276ede8e?environmentId=100\" target=\"_blank\"><u>Payload Security report<\/u><\/a> )<\/p>\n<p>3spension.com<br \/>\nminebleue.com<br \/>\nchaitanyaimpex.org<br \/>\nbreak-first.com<br \/>\ngrancaffe.net<br \/>\nwww.meizumalaysia.com<br \/>\ndreamoutloudcenter.org<br \/>\nmegrelis-avocat.com<\/p>\n<p>\/counter\/?a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&amp;m=9488599&amp;i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ<\/p>\n<p>\/counter\/?i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ&amp;a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&amp;r=01<\/p>\n<p><strong>27 December 2016<\/strong>: ( <a title=\"Payload Security report\" href=\"https:\/\/www.hybrid-analysis.com\/sample\/72da4f5b2277f21eeb4d02bdc5d62d9b128b843eb91cbacfedc5c6abc6b6f9fb?environmentId=100\" target=\"_blank\"><u>Payload Security report<\/u><\/a> )<\/p>\n<p>lacasadeicuochi.it<br \/>\nboardedhallgreen.com<br \/>\nwww.memoodgetactive.det.nsw.edu.au<br \/>\nrebecook.fr<br \/>\npeachaid.com<br \/>\nkidsgalaxy.fr<br \/>\nbaltasmenulis.lt<br \/>\nartss.org<\/p>\n<p>\/counter\/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&amp;m=3254807&amp;i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7<\/p>\n<p>\/counter\/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&amp;a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&amp;r=01<\/p>\n<p><strong>28 December 2016<\/strong>: ( <a 
title=\"Payload Security report\" href=\"https:\/\/www.hybrid-analysis.com\/sample\/db78af048f241294b13925b33a33b088642110f51d2a0f14116d902a68a97eb3?environmentId=100\" target=\"_blank\">Payload Security report<\/a> )<\/p>\n<p>thanepoliceschool.com<br \/>\nchimie.iset-liege.be<br \/>\npartnersforcleanstreams.org<\/p>\n<p>\/counter\/?a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&amp;m=8429816&amp;i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE<\/p>\n<p>\/counter\/?i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE&amp;a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&amp;r=01<\/p>\n<p><strong>29 December 2016<\/strong>: ( <a title=\"Payload Security report\" href=\"https:\/\/www.hybrid-analysis.com\/sample\/9d8fe4f9408d5936deaf20d03caf0a96d589a2e495ebf5f70a1d1ad499f608fc?environmentId=100\" target=\"_blank\">Payload Security report<\/a> )<\/p>\n<p>cobycaresfoundation.org<br \/>\ndev.zodia-q.com<br \/>\nshark1.idhost.kz<br \/>\nitalysfinestdesign.it<br \/>\nsalutgaudi.com<br \/>\nzodia-q.com<\/p>\n<p>\/counter\/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&amp;m=2365622&amp;i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA<\/p>\n<p>\/counter\/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&amp;a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&amp;r=01<\/p>\n<p>2nd version today ( <a title=\"Payload Security Report\" href=\"https:\/\/www.hybrid-analysis.com\/sample\/69a5826fb1cf3c06d8e7971fb7a9668e4b8c28c7bf3df120afe3fed52a9f42ef?environmentId=100\" target=\"_blank\">Payload Security Report<\/a> 
)<\/p>\n<p>\/counter\/?=&amp;i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&amp;a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&amp;r=01<\/p>\n<p>\/counter\/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&amp;m=4831333&amp;i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo<\/p>\n<p><strong>31 December 2016<\/strong>: ( <a title=\"Payload Security Report\" href=\"https:\/\/www.hybrid-analysis.com\/sample\/4db342ddd5e2e7f84188941424f5e8c8210515a5477b6cfb5874b839e6cb86da?environmentId=100\" target=\"_blank\">Payload Security Report<\/a>)<\/p>\n<p>www.iblasoni.com<br \/>\naventurarealestatedirectory.com<br \/>\nwww.apogeoform.net<br \/>\noytunidil.com<br \/>\nocentsinus.com<br \/>\nsonja.ostrovanka.cz<br \/>\ninstalaciondeairesplit.com<\/p>\n<p>\/counter\/?a=1J9cj5Z7UvwkR9Tp1qywXBq994MFZ6dCLn&amp;i=Y5p7yaa6RhRlPVwtx_0twhfOcSziOus6gsFi-6WQ9cGftnod2TtjVWJvU-_2nroNgi-lT8j6sF6rzL02lqFLiuQ20RDPqOBkTCSmGjp6NQ<br \/>\n\/counter\/?i=Y5p7yaa6RhRlPVwtx_0twhfOcSziOus6gsFi-6WQ9cGftnod2TtjVWJvU-_2nroNgi-lT8j6sF6rzL02lqFLiuQ20RDPqOBkTCSmGjp6NQ&amp;a=1J9cj5Z7UvwkR9Tp1qywXBq994MFZ6dCLn&amp;r=01<\/p>\n<p><strong>31 December 2016:\u00a0update 2<\/strong> ( <a title=\"Payload Security\" href=\"https:\/\/www.hybrid-analysis.com\/sample\/f4ea0ea3c5628d883f339a9d3bddbf958c41be9f40997ba55d6ef3728665d79d?environmentId=100\" target=\"_blank\">Payload Security<\/a>)<\/p>\n<p>spiritdoula.net<br \/>\nwww.yabaojiuhe.com<br \/>\nwindycrestrental.com<br \/>\nmaggieellisbusinessconsulting.com<br \/>\npn-group.com<br \/>\ninflation.us<\/p>\n<p>\/counter\/?a=16ehyeR9Nhrtgk4z2BrKZVJcKTFYe9Z1Ap&amp;i=Y5r71qa6RhRlpLdvFNp4Tyf0O3puCoDDA0TLPwt-ZnjyqdV140NpvPnVGT2KeqxNu7AHi0Gk1WT6yYGkb0YxpcGpOaMzrto7<br 
\/>\n\/counter\/?i=Y5r71qa6RhRlpLdvFNp4Tyf0O3puCoDDA0TLPwt-ZnjyqdV140NpvPnVGT2KeqxNu7AHi0Gk1WT6yYGkb0YxpcGpOaMzrto7&amp;a=16ehyeR9Nhrtgk4z2BrKZVJcKTFYe9Z1Ap&amp;r=0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Following on from these\u00a0 [\u00a0FEDEX ] [\u00a0USPS\u00a0]\u00a0 posts describing the Spoofed FedEx and USPS ( and other delivery services from time to time) I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each days new sites to the lists, but please remember that old sites are reused daily until taken down by their hosts. \u00a0All the sites used in this malware spreading campaign are hacked \/\u00a0compromised sites. &nbsp; The script tries the first in the list &amp; then moves down until it gets a reply from the server. You never see the first downloaded file ( counter.js by searching on your computer, that is run directly from temp internet files ) Counter.js then downloads\u00a0 a different variant of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn\u2019t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files. 
but it is rare for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[1445,103,19,1446,1444,1335,1454,1450,1425,20,1449,1457,1448,1447,1459,156,1458,351,453,10,86,1455,1453,1008,1452,1456,1451],"class_list":["post-940","post","type-post","status-publish","format-standard","hentry","category-computer-news","category-virus-and-malware-threats","tag-ccrs-miami","tag-computer-news-2","tag-computer-repair","tag-cprs","tag-cprs-miami","tag-encrypted-files","tag-fake-emails","tag-fedex-ransomeware","tag-it-news","tag-laptop-repair","tag-locky-encryption","tag-locky-payload","tag-locky-ransomeware","tag-locky-virus","tag-m-fort-lauderdale-repairs","tag-malware","tag-malware-spreading","tag-miami-repairs","tag-new-malware","tag-new-virus","tag-news","tag-ransome-email","tag-ransome-spreading-ups-emails","tag-security-news","tag-spreading-fedex","tag-sucirity-payload","tag-ups-ransomeware"],"_links":{"self":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/comments?post=940"}],"version-history":[{"count":1,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/940\/revisions"}],"predecessor-version":[{"id":941,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/940\/revisions\/941"}],"wp:attachment":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/media?parent=940"}],"wp:term":[{"taxonomy":"category","embeddable"
:true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/categories?post=940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/tags?post=940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}