Wednesday, 22 October 2014

"This email contains an invoice file attachment" spam contains poorly-detected malware

This fake invoice spam has a malicious Word document attached.

From:     Brittney Spencer , Customer service []
Date:     22 October 2014 12:46
Subject:     Reference:ZHO904856SU

 This email contains an invoice file attachment ID:ZHO904856SU


Brittney Spencer .
In this case the attachment was ZHO904856SU.doc which contains a malicious macro, however at the moment the document is showing a VirusTotal detection rate of 0/54.

Attempting to open the document gives the following message:

You didn't enable macros.
Content can't be visible.

...along with an embedded image to tell you how to turn macros off.

If the victim does this, then this malicious macro [pastebin] runs and downloads an executable from which has a VirusTotal detection rate of just 1/53.

The Malwr analysis shows this binary posting data to:

The IP address is allocated to MajorDomo LLC, Russia. The executable also drops a malicious DLL using the name 2.tmp which also has a VirusTotal detection rate of 0/54.

Tuesday, 21 October 2014

Fake "Humber Merchants Group /" Industrial Invoices spam

This fake spam pretends to come from the legitimate firm Humber Merchants but doesn't. It's a forgery, Humber Merchants are not sending out this spam nor have they been hacked or compromised.

Date:     21 October 2014 15:21
Subject:     Industrial Invoices

Attached are accounting documents from Humber Merchants

Humber Merchants Group

Head Office:
Parkinson Avenue
North Lincolnshire
DN15 7JX

Tel: 01724 860331
Fax: 01724 281326

Automated mail message produced by DbMail.
Registered to Humber Merchants Limited  , License MBS2008354.
Attached is a malicious Word document 15040BII3646501.doc which has a VirusTotal detection rate of 6/54. The Malwr report gives a little detail as to what is going on, but the crux of it is that if you have macros enabled then they will download and execute a malicious binary from which has a VirusTotal detection rate of 11/53, and which the Malwr report indicates then connects to the following URLs:

$24+/h5@RnK5~Y@7&mKGc%2C1%7E0/BhmOUE~Xf/_T_%20GSN

is a Serverloft / Intergenia IP address in Germany.

Recommended blocklist:

Monday, 20 October 2014

hacked (again)

Earlier this year I looked at a hack attack on popular porn site (Alexa rank 429) which appeared to be something to do with a fake advertising agency that had bought ad space.

Well, it appears that has been hacked again (as of yesterday) [1] [2] [3] and has been serving up an exploit kit (which appears to have been cleaned up now).

What's interesting about this attack are the domains in use, all using .CF (Central African Republic), .GA (Gabon), .ML (Mali) plus the more commonly abused .TK and .UNI.ME. The domains detected are listed at the end of this post, but they all appear to be dead now.

All the domains in question use nameservers using the domain which uses an anonymous registration, but which itself uses nameservers which perhaps gives a clue as to the general origins of this attack.

The malicious hosts were based on the following IPs which might be worth blocking:

(Continuum Data Centers, US)
(Microglobe LLC, US)
(Infolink / Serverpronto, US)

(plain list for copy-and-pasting)

The domains that seem to be associated with this attack are as follows:

Adobe Billing "Adobe Invoice" spam / adb-102288-invoice.doc

This fake Adobe spam has a malicious Word document attached.

From:     Adobe Billing []
Date:     20 October 2014 11:33
Subject:     Adobe Invoice

Adobe(R) logo    
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.

Attached is your copy of the invoice.
Thank you for your purchase.

Thank you,
The Adobe Team
Adobe Creative Cloud Service
Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners.

© 2014 Adobe Systems Incorporated. All rights reserved. 

Attached is a malicious Word document adb-102288-invoice.doc which has a VirusTotal detection rate of just 1/53. The Malwr report shows that the document contains macros which try to run when it is opened. If macros are enabled, this then downloads and executes a malicious binary from which also has a pretty poor detection rate of 2/53.

According to the Malwr report, this binary then reaches out to the following URLs:$n=pS%3FgfE@%3Dx%7Efa/%24ysusij%2B%2C%2C%20kCbh2tc8ex%3Dnsgr_/%26$B6JR%2C+j3K2./%20SB$%2CIYA/9Y8STPqNxu/j2hfMb6S$%24zqFH.O%2BRg%20%20/T%2D

The IPs in question are (Virpus, US) and (Intergenia, Germany).

The malware then drops another malicious binary 2.tmp (which looks like a DLL). The VirusTotal detection rate for this is only 1/54. The Malwr report is inconclusive.

Recommended blocklist:

Saturday, 18 October 2014

Evil network: (OVH / "Eldar Mahmudov" /

These domains are currently hosted or have recently been hosted on and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK (hat tip).

Domains that are currently hosted in the range are listed below; domains flagged as malicious by Google are highlighted. I think it is safe to assume that all these domains are in fact malicious.

The following domains have recently been hosted in this space. Ones marked malicious by Google are highlighted, although I would again assume they are all malicious.

is an OVH IP range allocated to what might be a fictitious customer:

organisation:   ORG-EM25-RIPE
org-name:       eldar mahmudov
org-type:       OTHER
address:        ishveran 9
address:        75003 paris
address:        FR
phone:          +33.919388845
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
changed:        20140621
source:         RIPE

There appears to be nothing legitimate at all in this IP address range, I strongly recommend that you block traffic going to it.
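The post above, like the "Recommended blocklist" sections elsewhere on this page, ends with advice to block or monitor a hosting range. The following script is an added example (not code from the original post) of how a defender can act on that advice: it loads a small blocklist of CIDR ranges, collapses overlapping entries, and reports which proxy log lines reached a blocked address. The ranges and log lines are constructed, since the page does not carry the actual addresses; RFC 5737 documentation ranges stand in for them, and the log layout is a hypothetical squid-like "epoch client dest method url" format.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed blocklist. The real OVH and other ranges from the posts are not
# on the page, so RFC 5737 documentation ranges are used as placeholders.
BLOCKLIST_TEXT = """
# placeholder for the OVH range the post recommends blocking
192.0.2.0/24
# placeholder for a second hosting range
198.51.100.0/24
# a single host; no prefix length means /32
203.0.113.77
"""

# Constructed proxy log lines (hypothetical layout: epoch client dest method url).
SAMPLE_LOG = """\
1413645600.123 10.0.0.5 192.0.2.14 GET http://landing.example/index.php
1413645601.456 10.0.0.7 93.184.216.34 GET http://example.com/
1413645602.789 10.0.0.9 203.0.113.77 POST http://203.0.113.77/gate.php
1413645603.000 10.0.0.5 198.51.100.200 GET http://drop.example/2.tmp
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def load_blocklist(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one network per line, ignoring comments, and merge overlapping ranges."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts host bits set, e.g. 192.0.2.14/24
        nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any blocked range; unparsable input is not blocked."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_hits(log_text: str, nets: List[ipaddress.IPv4Network]) -> List[Dict[str, str]]:
    """Return every well-formed log line whose destination is in the blocklist."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # malformed lines are skipped rather than crashing the scan
        ts, client, dest, method, url = m.groups()
        if is_blocked(dest, nets):
            hits.append({"time": ts, "client": client, "dest": dest,
                         "method": method, "url": url})
    return hits


def clients_to_investigate(hits: List[Dict[str, str]]) -> List[str]:
    """Unique internal clients that contacted blocked space, in address order."""
    return sorted({h["client"] for h in hits}, key=ipaddress.ip_address)


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    hits = find_hits(SAMPLE_LOG, nets)
    for h in hits:
        print(f"{h['client']} -> {h['dest']} {h['method']} {h['url']}")
    print("investigate:", ", ".join(clients_to_investigate(hits)))
```

Matching on the destination IP rather than the hostname is deliberate: the posts note that the malware talks to bare IP addresses and to throwaway domains that die quickly, so a range-based check keeps working after the DNS names are gone.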

Friday, 17 October 2014

"Final notification" malware spam uses a Google redirector and

This malware spam uses a Google redirector to retrieve malware hosted on

Date:     17 October 2014 17:04
Subject:     Final notification for
Purchase Notice
Thank you for buying at our store!
Processed on October 17th 2014

We are happy to let you know that the package is on its way to you. We also attached delivery terms to residential address.

Payment #: 507040420
Order total: 2088.11 USD
Shipping date: October 18 2014.

Please hit the link given at the bottom to get more details about your order.

 Order details 

The link in this particular email is which downloads a malicious executable ShippingLable_HSDAPDF.scr and this has a VirusTotal detection rate of 3/54.

The automated analysis tools used so far [1] [2] [3] give inconclusive results.

eFax message from "02086160204" spam

This fake eFax spam leads to malware:
From:     eFax []
Date:     17 October 2014 11:36
Subject:     eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204

Fax Message [Caller-ID: 208-616-0204]

You have received a 1 page fax at 2014-10-17 09:34:48 GMT.

* The reference number for this fax is lon2_did11-4056638710-9363579926-02.

Please visit to  view  this message in full.

Thank you for using the eFax service!
 Home     Contact     Login
Powered by j2

© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.
The telephone number seems to vary but is always in the 0208616xxxx format.

The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:

Then (if your user agent and referrer are correct) it goes to a fake eFax page at which does look pretty convincing. (Incidentally, if the UA or referrer are not right you seem to get dumped on a pills site.)

The download link goes to which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54.

The Malwr report is interesting because it contains many references to bacstel-ip which is the name of an online payment system used by UK businesses. The malware also contains the string
runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc
 If you are a sysadmin then you might recognise this as being the "Active Directory Users and Computers" admin tool. So, are the bad guys probing for sysadmins?

The malware connects to the following URLs:

I recommend blocking (Digital Ocean, US), (IO-Hosts Ltd, Russia) and (Arachnitec, US).

Recommended blocklist:

Sage "Outdated Invoice" spam spreads malware via

This fake Sage email spreads malware using a service called Cubby, whatever that is.

From:     Sage Account & Payroll []
Date:     17 October 2014 10:28
Subject:     Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link below or click here to view/download your account invoice:

If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Despite appearances, the link in the email (in this case) actually goes to and it downloads a file which in turn contains a malicious executable Invoice_032414.exe with a VirusTotal detection rate of 3/53. The Malwr report shows HTTP conversations with the following URLs:

is not surprisingly allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54, Malwr report) which communicates with (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52, Malwr report).

Recommended blocklist:

Thursday, 16 October 2014

A bunch of .su and .ru domains leading to malware

These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know. I haven't had much time to poke at these properly though, but I'd recommend watching out for these:

Barclays Bank "Transaction not complete" spam

This fake Barclays spam leads to malware.

From:     Barclays Bank []
Date:     16 October 2014 12:48
Subject:     Transaction not complete

Unable to complete your most recent Transaction.

Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.

For more details please download payment receipt below:

Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register
No. 122702). Registered in England. Registered Number is 1026167 with registered
office at 1 Churchill Place, London E14 5HP.

Clicking on the link downloads a file containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54. The Malwr report shows that it reaches out to the following URLs:

In my opinion (OVH, France) is an excellent candidate to block or monitor.

It also drops two executables, bxqyy.exe (VT 5/54, Malwr report) and ldplh.exe (VT 1/51, Malwr report).

Wednesday, 15 October 2014

"Shipping Information for.." spam uses a Google redirector and to distribute malware

This fake shipping spam contains malware, although it appears that it may be buggy and might not install properly.

Date:     15 October 2014 15:09
Subject:     Shipping Information for [redacted]
Please see the shipping info
Processed on Oct 15/ 2014

This is to inform you that the package is being shipped to you. We also provided delivery terms to specified address.

Order number: 611541106
Order total: 3000.28 USD
Shipping date: Oct 16th 2014.

Please hit the button provided at the bottom to see more info about your package.

 Shipping Invoice

The link in the email goes to which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54.

The Malwr report indicates that the malware fails to install because of a bug in the code, a problem that also appears in all the other analysis tools that I tried.

What I think is meant to happen is that a malicious script [pastebin], which has been disguising itself as a GIF file, renames a component Gl.png to Gl.exe and then attempts to execute it with the following command:
Gl.exe -pGlue1 -d%temp%
This executable has a VirusTotal detection rate of 2/53. It bombs out of automated analysis tools (see the Malwr report) possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.

If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been infected by the executable running in the background.
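Several posts on this page share the same tell-tale signs: an invoice, fax or shipping lure; a Word .doc attachment that only "works" once macros are enabled; an executable with a double extension such as TrackShipment_0351.PDF.scr or document23_pdf.scr; a ZIP wrapping an .exe; and a Google redirector that hides where the link really goes. The following mail-gateway triage rule is an added example, not code from the original blog, that scores a message on exactly those indicators. The message records, file names and URLs are constructed to mirror the posts; the hostnames are hypothetical, and the scoring thresholds are an assumption chosen for illustration.

```python
import re
from os.path import basename
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

# Extensions Windows will run when the file is opened from the desktop.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Office formats that can carry VBA macros, as the .doc lures on this page do.
MACRO_EXT = {"doc", "dot", "docm", "xls", "xlsm", "rtf"}
# A "harmless" extension immediately followed by a real one, e.g. name.PDF.scr
DOUBLE_EXT = re.compile(r"\.(pdf|doc|xls|jpg|gif|png|txt)\.([a-z0-9]{2,4})$", re.I)
# Lure themes seen in the posts above.
LURE_WORDS = ("invoice", "fax", "shipping", "transaction", "payment", "order", "notification")


def unwrap_redirector(url: str) -> Tuple[str, bool]:
    """Resolve a Google /url?q=<target> redirector; returns (final_url, was_redirected)."""
    parts = urlparse(url)
    if parts.netloc.endswith("google.com") and parts.path == "/url":
        target = parse_qs(parts.query).get("q", [None])[0]
        if target:
            return target, True
    return url, False


def classify_name(name: str) -> List[Tuple[int, str]]:
    """Score one file name; returns (points, reason) pairs."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXT:
        findings.append((3, f"{name}: executable extension .{ext}"))
    m = DOUBLE_EXT.search(name)
    if m and m.group(2).lower() in EXEC_EXT:
        findings.append((2, f"{name}: double extension masquerades as .{m.group(1).lower()}"))
    if ext in MACRO_EXT:
        findings.append((1, f"{name}: office document may carry macros"))
    return findings


def triage(msg: Dict) -> Tuple[int, List[str]]:
    """Score a message record on lure text, attachments, archive contents and links."""
    findings = []
    text = (msg.get("subject", "") + " " + msg.get("text", "")).lower()
    for word in LURE_WORDS:
        if word in text:
            findings.append((1, f"lure theme: {word}"))
            break  # one lure point per message
    for name in msg.get("attachments", []) + msg.get("archive_contents", []):
        findings.extend(classify_name(name))
    for url in msg.get("links", []):
        target, redirected = unwrap_redirector(url)
        if redirected:
            findings.append((1, f"redirector hides destination {target}"))
        findings.extend(classify_name(basename(urlparse(target).path)))
    return sum(p for p, _ in findings), [r for _, r in findings]


def verdict(score: int) -> str:
    # Thresholds are an assumption for this example, not a published standard.
    if score >= 3:
        return "quarantine"
    return "review" if score >= 1 else "deliver"


# Constructed message records modelled on the posts (hostnames hypothetical).
SAMPLES = [
    {"subject": "Reference:ZHO904856SU",
     "text": "This email contains an invoice file attachment ID:ZHO904856SU",
     "attachments": ["ZHO904856SU.doc"]},
    {"subject": 'eFax message from "02086160204" - 1 page(s)',
     "text": "Please visit to view this message in full.",
     "links": ["http://fax-lure.example.test/download/FAX_20141008_1412786088_26.zip"],
     "archive_contents": ["FAX_20141008_1412786088_26.exe"]},
    {"subject": "Shipping Information for [redacted]",
     "text": "Please hit the button provided at the bottom to see more info about your package.",
     "links": ["https://www.google.com/url?q=http://files.example.test/TrackShipment_0351.PDF.scr"]},
    {"subject": "Minutes of Monday's meeting", "text": "See attached.",
     "attachments": ["minutes.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, reasons = triage(msg)
        print(f"{verdict(score):10} {score:2}  {msg['subject']}")
        for r in reasons:
            print("    -", r)
```

The point of scoring rather than hard-blocking is that a lone .doc invoice (the first sample) is only suspicious, while a double-extension .scr reached through a redirector is unambiguous; the two cases should land in different queues.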

"Clean India" spam is an exercise in hypocrisy

"Clean India" is meant to be a campaign to clean up Indian politics. But one of the biggest problems they have in India is spam (which led to the long saga of Delhi minister Somnath Bharti's history of spam). So I think it is an act of sheer hypocrisy to promote this campaign through random spam.

From:     Ministry Of Urban Development []
Date:     15 October 2014 11:24
Subject:     Swachh Bharat invite by Ministry Of Urban Development
Signed by:

Invited to Circle: Swachh Bharat
Founder: Ministry Of Urban Development
Members: 189975
Description: This circle brings together all citizens who want a Clean India. Through this circle, citizens will be able to share cleanliness initiatives, challenges, successes at a National Level as well as learn about best practices from each other. Members will also be able to give collective inputs to Ministry of Urban Development on an ongoing basis. Soon, members of this circle will have access to their local constituency circle on Swachh Bharat connecting them with fellow local residents and enabling them to organize/participate in clean up drives in their neighborhood/city. Together, let us make it a SWACHH BHARAT!

About LocalCircles
LocalCircles takes Social Media to the next level and makes it about Communities, Governance and Utility. It enables citizens to connect with communities for most aspects of urban daily life like Neighborhood, Constituency, City, Government, Causes, Interests and Needs, seek information/assistance when needed, come together for various initiatives and improve their urban daily life. LocalCircles is free for citizens and always will be! 

The spam originates from an Amazon AWS IP of, the spamvertised site is also hosted on Amazon AWS. The registration details are:

Registry Registrant ID:
Registrant Name: LocalCircles India
Registrant Organization: LocalCircles India Pvt Ltd
Registrant Street: 1105, 11th Floor,
Registrant Street: Advant Navis Business Park, Sector 142
Registrant City: Noida
Registrant State/Province: Uttar Pradesh
Registrant Postal Code: 201301
Registrant Country: India
Registrant Phone: +91.1204263558
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:

Google sums up poor reputation nicely: We've found that lots of messages from are spam.

As long as India tolerates spam and other dishonest business practices then I don't think that there's much chance of them cleaning up their act. I think whoever is sending out this spam needs to look much closer to home before criticising others.