Friday, 19 December 2014

Malware spam: "Blocked Transaction. Case No 970332"

This fake ACH spam leads to malware:

Date:    19 December 2014 at 16:06
Subject:    Blocked Transaction. Case No 970332

The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID     083520
Transaction Amount     1458.42 USD
Sender e-mail     info@victimdomain
Reason of Termination     See attached statement

Please open the word file enclosed with this email to get more info about this issue. 
In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal dectection rate of 4/54. Inside are a series of images detailing how to turn off macro security.. which is a very bad idea.











If you are daft enough to enable macros, then this macro [pastebin] will run which will download a malicious binary from http://nikolesy.com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51 as is identified as the Dridex banking trojan.

Malware spam: no-replay@my-fax.com / "Employee Documents - Internal Use"

This fake fax spam leads to malware:

From:    Fax [no-replay@my-fax.com]
Date:    19 December 2014 at 15:37
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://crematori.org/myfax/company.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
The download locations in the email vary, so far I have seen:

http://newsurveyresults.com/myfax/company.html
http://ChallengingDomesticAbuse.co.uk/myfax/company.html
http://crematori.org/myfax/company.html
http://gnrcorbus.com/myfax/company.html
http://sonata-arctica.wz.cz/myfax/company.html

Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55. Most automated analysis tools are inconclusive [1] [2] but the VT report shows network connections to the following locations:

http://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http://202.153.35.133:40542/1912uk22//1/0/0/
http://natural-anxiety-remedies.com/wp-includes/images/wlw/pack22.pne


Recommended blocklist:
202.153.35.133
natural-anxiety-remedies.com




Malware spam: "BACS payment Ref:901109RW"

This spam comes with a malicious attachment, in a format similar to the following:

From:    Fern
Date:    19 December 2014 at 10:09
Subject:    BACS payment Ref:901109RW


Please see below our payment confirmation for funds into your account on Tuesday re invoice 901109RW

Accounts Assistant
Tel:  01874 662 346
Fax: 01874 501 248

To add credibility, the attachment has the same name as the reference in the subject and body text (in this case it is 901109RW.xls). The reference is randomly generated.

So far, I have seen three different type of attachment, all undetected by AV vendors [1] [2] [3] containing a different malicious macro each [1] [2] [3] [pastebin]. These macros then try to download an executable from the following locations:

http://78.129.153.23/sstat/lldvs.php
http://5.9.253.183/sstat/lldvs.php
http://185.48.56.123/sstat/lldvs.php


The file is downloaded as test.exe and is then moved to %TEMP%\VMUYXWYSFXQ.exe. It has a VirusTotal detection rate of 2/54. VT also reports that it phones home to 194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

Additional analysis is pending.

UPDATE:
A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal and a different macro [pastebin], however it downloads the same binary from http://78.129.153.23/sstat/lldvs.php as the previous example does.

Thursday, 18 December 2014

Malware spam: aquaid.co.uk "Card Receipt"


This spam claims to be from the legitimate firm AquAid, but it isn't. Instead it comes with a malcious attachment. The email is a forgery, AquAid are not sending the spam, nor have their systems been compromised in any way.

From:    Tracey Smith [tracey.smith@aquaid.co.uk]
Date:    18 December 2014 at 07:24
Subject:    Card Receipt

Hi

Please find attached receipt of payment made to us today

Regards
Tracey


Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk
email_new_logo
AquAid really is the only drinks supplier you will ever need with our huge product range. With products ranging from bottled and mains fed coolers ranging up to coffee machines and bespoke individual one off units we truly have the right solution for all environments. We offer a refreshing ethical approach to drinks supply in that we support both Christian Aid and Pump Aid with a donation from all sales.  All this is done while still offering a highly focused local service and competitive pricing. A personalised sponsorship certificate is available for all clients showing how you are helping and we offer £25 for any referral that leads to business.
*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with registered number 3505477 and registered office at 51 Newnham Road, Cambridge, CB3 9EY, UK. This message is intended only for use by the named addressee and may contain privileged and/or confidential information. If you are not the named addressee you should not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify the sender and delete the message and any attachments accompanying it immediately. Neither AquAid nor any of its Affiliates accepts liability for any corruption, interception, amendment, tampering or viruses occurring to this message in transit or for any message sent by its employees which is not in compliance with AquAid corporate policy.

In the sample I have seen, the attachment is called CAR014 151239.doc which is malicious, but only has a VirusTotal detection rate of 2/54. This particular document (note that there are usually several different documents in the spam run) contains this malicious macro [pastebin]. This macro downloads a malware executable from:

http://sardiniarealestate.info/js/bin.exe

..which is saved as %TEMP%\YEWZMJFAHIB.exe - this has a marginally better detection rate of 3/53.

The ThreatExpert report shows connections to the following two IPs:

74.208.11.204 (1&1, US)
81.169.156.5 (Strato AG, Germany)

The Malwr report shows that it drops a DLL which is very poorly detected but is probably the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5

FOR RESEARCHERS ONLY: a copy of the malicious DOC attachment plus dropped files can be found here. Password is "infected". Only handle these if you know what you are doing.


Wednesday, 17 December 2014

"Blocked ACH Transfer" spam has a malicious DOC attachment

Another spam run pushing a malicious Word attachment..

Date:    17 December 2014 at 07:27
Subject:    Blocked ACH Transfer

The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.

Canceled transaction
ACH file Case ID     623742
Total Amount     2644.93 USD
Sender e-mail     info@mobilegazette.com
Reason for rejection     See attached word file
Please see the document provided below to have more details about this issue.


Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55.

Inside this is a malicious macro [pastebin] which downloads a file from:

http://www.lynxtech.com.hk/images/tn.exe

This has a VirusTotal detection rate of just 1/54. The Malwr report shows it POSTING to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.

Recommended blocklist:
5.187.1.78
209.208.62.36



"PL REMITTANCE DETAILS ref844127RH" malware spam

This fake remittance advice comes with a malicious Excel attachment.

From:    Briana
Date:    17 December 2014 at 08:42
Subject:    PL REMITTANCE DETAILS ref844127RH

The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros [1] [2] which then reach out to the following download locations:

http://23.226.229.112:8080/stat/lldv.php
http://38.96.175.139:8080/stat/lldv.php


The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55. The ThreatTrack report [pdf] shows it POSTing to the following IP:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

This IP has been used in several recent attacks and I strongly recommend blocking it.

The Malwr report also shows it dropping a malicious DLL identified as Dridex.

The ThreatExpert report gives some different IPs being contacted:

80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)


The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:

194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139

Spam: "Localizan a los 43 estudiantes desaparecidos en Ayotzinapa"

This Spanish-language malware spam comes with a malicious attachment.

From:    El Universal
Date:    16 December 2014 at 09:06
Subject:    Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Hoy 16 de diciembre del 2014 por la madrugada, agentes de la Policía Ministerial de Guerrero
han localizado con vida a los 43 estudiantes, desaparecidos el dia 26 de septiembre del 2014.

Para ver imágenes exclusivas del reencuentro de los estudiantes con sus familias, y las condiciones en que
vivieron durante su secuestro, anexamos un documento en este correo electrónico en formato Microsoft Word.


El Universal © todos los Derechos Reservados  2014.
This translates roughly as:

Located at 43 students missing in Ayotzinapa.

Today December 16, 2014 at dawn, agents of the Ministerial Police Guerrero
have been located alive at 43 students, missing the day September 26, 2014.

To view exclusive footage of the reunion of students and their families, and the conditions under which
They lived during his abduction, we attach a document to this email in Microsoft Word format.


The Universal © All Rights Reserved 2014.
This email relates to the kidnapping and possible murder of 43 Mexican students which has been blamed by some on the Mexican Police.

The Word document contains a malicious macro, and detailed instructions for the victim on how to disable the inbuilt security to enable it to run.


Once this has been done, the malicious macro [pastebin] runs. This attempts to download a file from:

http://www.milusz.eu/templates/default/00/ss.exe

At the moment, this download location is coming up with a 404 error. If the download were to work, it would save the file as %TEMP%\ test00010.exe. The Word document has a moderate detection rate of 10/54.

This type of malicious spam has been around for a long time, and this particular technique seems to be exclusively in Spanish, I have never seen this attack in English or any other language.

Malware spam: UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" [roughandtumble63@yahoo.co.uk]

This somewhat odd and terse spam comes with a malicious attachment.

From:    UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" <roughandtumble63@yahoo.co.uk>
Date:    17 December 2014 at 07:20
Subject:    Invoice as requested
There is no body text, but there is an malicious DOC attachment named 20140918_122519.doc which come in two slightly different versions with poor detection rates [1] [2]. The macros have been subtly changed from recent spam runs [1] [2] [pastebin] and download a second stage from one of the following locations:

http://openstacksg.com/js/bin.exe
http://worldinlens.net/js/bin.exe


This malicious executable is saved as %TEMP%\ADGYMSEKRJE.exe and has a detection rate of only 2/54.

Is is common with recent similar malware attempts, it attempts to phone home to 74.208.11.204 (1&1, US) as shown in the ThreatTrack report [pdf]. The Malwr report indicates a dropped file with an MD5 of ee826c184155a1fa1aea984f914e606a which is probably Dridex.

Monday, 15 December 2014

Malware spam: IFS Applications / vitacress.co.uk / DOC-file for report is ready

This fake payment advice spam is not from Vitacress but is a forgery with a malicious Word document attached.
From:    IFS Applications [Do_Not_Reply@vitacress.co.uk]
Date:    15 December 2014 at 07:49
Subject:    DOC-file for report is ready

The DOC-file for report Payment Advice is ready and is attached in this mail.
Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contain one of two malicious macros [1] [2] [pastebin] that download a malware binary from one of the following locations:

http://gv-roth.de/js/bin.exe
http://notaxcig.com/js/bin.exe


This file is saved as %TEMP%\DYIATHUQLCW.exe  and is currently has a VirusTotal detection rate of just 1/52.

The ThreatExpert report and Malwr report shows attempted connections to the following IPs which have been used in many recent attacks and should be blocked if you can:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)

The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet.

UPDATE 2014-12-16

A second wave of spam is in progress with a pair of new malicious Word documents with low detection rates [1] [2] containing new macros [1] [2] that download a malicious file from the following locations:

http://finepack.co.in/js/bin.exe
http://loneleaf.ca/js/bin.exe


This file is saved as %TEMP%\TQWTGECOROR.exe and it currently has a detection rate of just 1/54. The Malwr report shows it posting to 74.208.11.204 yet again, although it does not show the dropped Dridex binary that I would expect to see.


Friday, 12 December 2014

wavecable.com "Order - R58551" spam

This fake invoice comes with a malicious attachment.

From:    kaybd2@wavecable.com
Date:    12 December 2014 at 17:17
Subject:    Order - R58551

Thanks for placing order with us today! Your order is now on process.



Outright Purchase: 6949 US Dollars

Please click the word file provided below to see more details about your order.

BILLING DETAILS

Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@[redacted]

Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56 on VirusTotal. That contains this macro [pastebin] which downloads an executable from:

http://www.2fs.com.au/tmp/rkn.exe

That has a VirusTotal detection rate of 5/55. The Malwr report shows HTTP traffic to the following URLs:

hxxp://5.187.1.78/
hxxp://46.250.6.1/yQ0rNl=kQUO%2C/Uy.%20%206vPh/sGiK2LtSiX75BirV=%3DyaE%2D0jZ5/
hxxp://46.250.6.1/QO&KN@tZOvZ%2Ba/JW/wI%20%3FqZCSz&CH
hxxp://46.250.6.1/lgXM77$&N~/fn0R&OPvY/0%26EySg.2
hxxp://46.250.6.1/BJHWvUNBFb%7E8FS7%20/ku_%2CLOZC/%3DA%26S@R%2CRsl
hxxp://46.250.6.1/hjr5mo3/Jx%2C%3DKciOwsc0h.ICAQCFqbLFj6Q6bvtk&2/%3F%2DcG~k1R%2Cfu%2Djty&Kch2t~I
hxxp://46.250.6.1/1o26ZIXNlEyK/68G%2DvlteIkwiQ~WG%2C9/qFcRXJ9%24FHkr
hxxp://46.250.6.1/ISTfN%3D%2BpR6z/sV3sFy=/&rwxy/8
hxxp://46.250.6.1/fBuw/4%241PoLX5P=ThT4Hyzu/wbkj9q/zTt
hxxp://46.250.6.1/StKeINKIun6v$l0%2478bpb=1.8S%2B/q~S%2BcrS%24F%24y/@HA%2B7e%7EK%2Bp1HeQ3l_Qlc/L
hxxp://5.135.28.106/riBmIaB8bRi/sb1VvM/U=_=/PPa
hxxp://46.250.6.1/fCBz41ytqa.%2DjS8cj_rj=m%2Dzuxyr/lcvsbBxg%2Dsx%2DfS/%3D7lus%3F7e%3D%2D2.ou61s~
hxxp://46.250.6.1/zkzwh6f08q+e%2Dj%26rf.21/96ih%2D4.lhse8%20x8kgn%2B/59f3%7Ef+j%7Es%3D=w%2C+z91o
hxxp://46.250.6.1/yw1oy1pkp2+f%20au%26p@%2D/fmqyfl=zerhywesazsz2&s%2C%24%24%2Csv@k=+sqvs%3F%7Ep/

The ThreatExpert report shows POSTing to 209.208.62.36:8080

Combining some extra lookup in the Malwr report indicates that these following IPs are suspect:

209.208.62.36 (Atlantic.net, US)
5.187.1.78 (Fornex Hosting, Germany)
46.250.6.1 (Briz, Ukraine)
5.135.28.106 (OVH, France)
66.213.111.72 (Ohio Public Libraries, US)
95.211.188.129 (Leaseweb, Netherlands)

A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.

Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129


Thursday, 11 December 2014

"UK Fuels E-bill" (ebillinvoice.com) spam

This fake invoice comes with a malicious attachment:

From:     invoices@ebillinvoice.com
Date:     11 December 2014 at 08:06
Subject:     UK Fuels E-bill

Customer No :           35056
Email address :         [redacted]
Attached file name :    35056_49_2014.doc

Dear Customer

Please find attached your invoice for Week 49 2014.

In order to open the attached DOC file you will need
the software Microsoft Office Word.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely

Customer Services
UK Fuels Ltd



======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================
This spam is not from UK Fuels Ltd or ebillinvoice.com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors. This downloads a file from the following location:

http://KAFILATRAVEL.COM/js/bin.exe

This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56 at VirusTotal.

The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you block this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55.

UPDATE 2014-12-12

Another spam run pushing this is in progress, with two different Word attachments seen so far (all called  35056_49_2014.doc. These are currently undetected by AV vendors [1] [2] and contains two slightly different macros [1] [2] [pastebin] that then attempt to download a binary from one of the following locations:

http://imperialenergy.ca/js/bin.exe
http://jnadvertising.com/js/bin.exe


This is then saved as %TEMP%\RPDWVRNDBGX.exe. This executable is malicious but has a VirusTotal detection rate of just 2/56. The ThreatExpert report shows connections to:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)

Both these IPs have been seen before and are definitely worth blocking. According to the Malwr report, this executable drops a DLL widely identified as the Dridex banking trojan.

Wednesday, 10 December 2014

Spam: "Remittance Advice from Anglia Engineering Solutions Ltd"

This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.

From:     Serena Dotson
Date:     10 December 2014 at 10:33
Subject:     Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.


Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd
Tel: 01469 520572

The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but are undetected by any AV product [1] [2] which contains one of two malicious macros [1] [2] [pastebin] which attempts to download an executable from the following locations:

http://217.174.240.46:8080/stat/lld.php
http://187.33.2.211:8080/stat/lld.php


This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows attempted connections to the following IPs:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)

Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic.

The payload is most likely Dridex, a banking trojan.

I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201

217.174.240.46
187.33.2.211