Bomb Threat E-mails

A developing story where a wave of e-mails around the United States has caused mass hysteria and evacuations. I’ve obtained two domains from a trusted source who manages hundreds of clients. Below I provide an example of the e-mail, and move on to start investigating the domains. As always I’m asking for others to independently look into these domains. I will be updating the blog as I obtain information about this issue.

Data for the domains came from various sources, but the attribution is relatively self-evident, as the headers match the From: address in this instance. Below is a list of domains with corresponding IP addresses that all point to the same provider’s network. In some cases, the key seems to be what the domain was doing before it moved over to the new Russian host: I’ve found most of them were pointing to GoDaddy just prior to changing over to REG.RU. I couldn’t find many that had a front page or legitimate use. See below for a deep dive on the 11 different domains/IPs sending these messages.

Example:

“Subject: Do not waste your time

Hello. My man hid an explosive device (Hexogen) in the building where your business is conducted. My mercenary assembled the explosive device according to my guide. It has small dimensions and it is covered up very carefully, it is impossible to damage the building structure by my bomb, but in the case of its detonation there will be many victims.

My recruited person keeps the area under the control. If any unusual behavior or cop is noticed he will power the bomb.

I can call off my man if you make a transfer. 20.000 dollars is the cost for your life and business. Pay it to me in BTC and I warrant that I will withdraw my man and the device won’t detonate. But do not try to cheat- my guarantee will become valid only after 3 confirmations in blockchain network.

My payment details (Bitcoin address): (REMOVED)

You must solve problems with the transaction by the end of the workday, if you are late with the money the device will detonate.

Nothing personal this is just a business, if you don’t transfer me the bitcoins and a bomb explodes, next time other companies will send me more money, because this is not a one-time action.

For my safety, I will no longer log into this email. I check my address every forty min and if I receive the payment I will order my person to get away.

If the explosive device detonates and the authorities see this letter:

We are not terrorists and don’t assume any liability for explosions in other places.”

Deeper Investigation

I’ve accumulated a total of 11 Domains/IPs that were actively sending as a part of this campaign. They all have working SPF records and are hosted in netblocks starting with 194.58.x.x in ORG-nrRL1-RIPE, the host out of Russia called REG.RU. I’m not saying Russia is behind it as that would be a very simple solution – and at this point we can’t attribute anything. I opened a ticket w/ the host Thu 12/13/2018 5:38 PM PST as the services were still up and running with no takedown requests, not surprisingly. They responded Fri 12/14/2018 4:31 AM PST that ‘Service is blocked’. Despite all of the media coverage and expert analysis, not one person contacted the source of the e-mails to prevent further activity. In fact, as you’ll see below, this is the same host/subnet used in the most recent sextortion e-mails.

Note: The e-mail below is a sextortion threat from back in late Oct of this year using the domain albionstudios_com. That domain still resolves to the ISP where the threats came from. This strongly indicates that the same individuals have recently run sextortion spam jobs from the same source network.

Here is an example header from the bomb threats:

Network Map (2 of the 11 below)

VirusTotal Graph

GoDaddy IPs that some of these domains had before the A records changed over to REG.RU, based on passive DNS from DomainTools + VirusTotal records:

50.63.202.48
184.168.221.57
184.168.221.9
103.1.175.1
50.63.202.62
50.63.202.82
91.195.240.82
50.63.202.46

Domain #1: yinnyang.com (194.58.103.231) (Previously: 50.63.202.46)

SPF record checks out for both hosts during the campaign:

Search shows that the IP for this domain was changed today after being stuck on another address for several years:

Current IP:

Current IP address search on VirusTotal shows a number of other domains associated with the IP

Looking at the previous IP address right before it switched:


The previous IP this domain was pointing to has a very large number of communicating files on VirusTotal; the file count on this address is off the charts. It’s obviously a Command & Control point for malware communication, probably a throwaway at GoDaddy that’s still being used. The key here is checking the other domains (many of which have no legitimate front page) for these kinds of connections, as the large majority suddenly made the DNS switch today for this campaign.

Malware Families associated with previous IP of the domain


Domain #2: armiracles.com (194.58.61.73)

Domain #3 – Tiedeman.com (194.58.58.207) (Previously 95.170.70.225)

Domain #4 – wedgeze.com (194.58.58.54)

Domain #5 – weimd.com (194.58.58.23)

Domain #6 – whathappensatdeath.com (194.58.61.134)

Domain #7 – vinight.com (194.58.58.82) (Previously: 184.168.221.9)

Domain #8 – theweightlossarea.com (194.58.58.125)

Domain #9 – worldfused.com (194.58.61.67) (Previous: 50.63.202.62)

Domain #10 – tvlgbt.com (194.58.58.123)

Domain #11 – truockhichet.com (194.58.58.106)
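To make the 11 domain/IP pairs above usable for detection, here is an added example (not code from the original post) that collects them into a small indicator set, confirms the claim made earlier that every current A record sits inside 194.58.x.x at REG.RU, shows the /24 clustering, and runs a simple matcher over mail header lines so a mail team can flag messages from this campaign. The /16 used to express "194.58.x.x", the sample header lines and all function names are assumptions made for this example; the domains and IPs are copied from the entries above.

```python
"""Added example: campaign indicators from the post, a netblock sanity
check, and a header-line matcher for mail-gateway or SIEM use."""
import ipaddress
import re

# Domain -> (current IP at REG.RU, previous IP where the post recorded one),
# copied from the post's "Domain #1" .. "Domain #11" entries.
CAMPAIGN_DOMAINS = {
    "yinnyang.com":           ("194.58.103.231", "50.63.202.46"),
    "armiracles.com":         ("194.58.61.73",   None),
    "tiedeman.com":           ("194.58.58.207",  "95.170.70.225"),
    "wedgeze.com":            ("194.58.58.54",   None),
    "weimd.com":              ("194.58.58.23",   None),
    "whathappensatdeath.com": ("194.58.61.134",  None),
    "vinight.com":            ("194.58.58.82",   "184.168.221.9"),
    "theweightlossarea.com":  ("194.58.58.125",  None),
    "worldfused.com":         ("194.58.61.67",   "50.63.202.62"),
    "tvlgbt.com":             ("194.58.58.123",  None),
    "truockhichet.com":       ("194.58.58.106",  None),
}

# The post says all sending hosts live in 194.58.x.x at REG.RU. The /16 is
# this example's way of expressing "194.58.x.x" (an assumption, not a RIPE
# lookup of the actual allocation).
REG_RU_BLOCK = ipaddress.ip_network("194.58.0.0/16")

# Constructed sample header lines (not taken from the post) for the matcher.
SAMPLE_HEADERS = [
    "From: Sam <sam@wedgeze.com>",
    "Received: from mail.wedgeze.com ([194.58.58.54]) by mx.example.net",
    "From: Accounting <ap@example.org>",
    "Received: from smtp.example.org ([203.0.113.9]) by mx.example.net",
    "Received: from unknown ([194.58.99.1]) by mx.example.net",
]

_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_ADDR_DOMAIN_RE = re.compile(r"@([a-z0-9.-]+)")


def ips_outside_block(domains=CAMPAIGN_DOMAINS, block=REG_RU_BLOCK):
    """Domains whose current IP is NOT inside the claimed netblock (expect none)."""
    return sorted(d for d, (cur, _prev) in domains.items()
                  if ipaddress.ip_address(cur) not in block)


def group_by_subnet(domains=CAMPAIGN_DOMAINS, prefix=24):
    """Group current IPs by /prefix to make the clustering in the post visible."""
    groups = {}
    for d, (cur, _prev) in domains.items():
        net = ipaddress.ip_network(f"{cur}/{prefix}", strict=False)
        groups.setdefault(str(net), []).append(d)
    return {k: sorted(v) for k, v in groups.items()}


def previous_ips(domains=CAMPAIGN_DOMAINS):
    """The pre-switch (GoDaddy-era) addresses the post recorded, deduplicated."""
    return sorted({prev for _cur, prev in domains.values() if prev})


def match_headers(header_lines, domains=CAMPAIGN_DOMAINS, block=REG_RU_BLOCK):
    """Flag header lines that mention a campaign domain or a sending IP.

    Two independent signals: the From: address domain (the post notes the
    headers match the From: address), and any IPv4 literal that is either one
    of the listed current IPs or falls inside the REG.RU block.
    Returns a list of (line, [reasons]) for lines that matched.
    """
    domain_ips = {cur for cur, _prev in domains.values()}
    hits = []
    for line in header_lines:
        lowered = line.lower()
        reasons = []
        if lowered.startswith("from:"):
            m = _ADDR_DOMAIN_RE.search(lowered)
            if m and m.group(1) in domains:
                reasons.append(f"from-domain:{m.group(1)}")
        for ip in _IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
                continue
            if ip in domain_ips:
                reasons.append(f"campaign-ip:{ip}")
            elif addr in block:
                reasons.append(f"netblock:{ip}")
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    print("outside block:", ips_outside_block())
    for net, ds in sorted(group_by_subnet().items()):
        print(net, ds)
    print("previous IPs:", previous_ips())
    for line, reasons in match_headers(SAMPLE_HEADERS):
        print(reasons, "<-", line)
```

The netblock match is deliberately reported separately from the exact-IP match: an exact hit on one of the 11 addresses is strong, while a hit anywhere in the /16 only says the mail came from the same hosting provider and should be weighted accordingly before blocking.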