Thursday, 30 October 2014

"Further Reminder" spam has a malicious Word document attached

Another round of malicious Word documents today, this time with the subject "Further Reminder" from random senders. For example:

From:     Milan Roach
Date:     30 October 2014 11:35
Subject:     Further Reminder SN4215796

Good afternoon,

Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.

Many Thanks & Kind Regards
Milan Roach

Senior Accounts Payable Clerk
Finance Department
Attached is a malicious Word document with the same name as the subject (e.g. CopySN4215796.doc). There are at least two different versions of this document [Version 1 VirusTotal / Malwr report, Version 2 VirusTotal / Malwr report]. If macros are enabled on the target machine then a malicious macro [pastebin] runs and downloads a further component from one of the following two locations (there may be more):

http://81.7.3.101:8080/doc/6.exe
http://195.154.126.245:8080/doc/6.exe

This binary has a VirusTotal detection rate of 7/54 and the Malwr report shows it contacting the following URLs:

http://212.59.117.207/fJ5SAAWU%7EQh@T%7E/.c0ip%2D~wm&4iS$2%20/@sVAEx5n%2Dq2fhFR%2C2E3nTsY7CsJG
http://217.160.228.222/mqtGeOgnz/1%7EzXP@%20F~YhNF/tznfsAv2%2BWsXzjfHO2$0XGvz/eyWejESZTRrqx2vf/&

It also drops a file 2.tmp which is actually a DLL with a VirusTotal detection rate of 14/54 which identifies it clearly as a variant of  Cridex.

Recommended blocklist:
212.59.117.207
217.160.228.222
91.222.139.45
81.7.3.101
195.154.126.245

UPDATE: a contact tells me that this malware also connects to a config file at:
212.59.117.207:8080
91.222.139.45:8080
..so I have updated the blocklist above to include these.
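As an added example (not part of the original post), a small proxy-log check built from the blocklist above, including the two port-8080 config hosts from the update. The log format and the log lines are constructed for illustration; the last line uses a documentation-range IP to show that the check also generalises the page's pattern (an .exe fetched from a bare IP literal on a non-standard port) to hosts that are not on the list yet.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the "Further Reminder" post: C2/config hosts and the two
# locations the macro downloads 6.exe from.
BLOCKED_IPS = {
    "212.59.117.207", "217.160.228.222", "91.222.139.45",
    "81.7.3.101", "195.154.126.245",
}

# Constructed sample log lines (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2014-10-30T11:40:02 10.1.2.3 GET http://81.7.3.101:8080/doc/6.exe 200
2014-10-30T11:40:09 10.1.2.3 POST http://212.59.117.207/fJ5SAAWU%7EQh@T%7E/x 200
2014-10-30T11:41:15 10.1.2.7 GET http://www.example.com/index.html 200
2014-10-30T11:42:30 10.1.2.9 GET http://203.0.113.5:8080/gr/4.exe 404
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_line(line):
    """Return (client, host, reason) if the line hits an indicator or matches the
    download pattern seen in this campaign, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host in BLOCKED_IPS:
        return (client, host, "host on blocklist")
    # Heuristic generalising the page's pattern: an .exe pulled from a bare IP
    # literal on a non-standard port is worth a look even if not listed yet.
    if is_ip_literal(host) and port not in (80, 443) and parts.path.lower().endswith(".exe"):
        return (client, host, "exe download from IP literal on port %d" % port)
    return None

def scan(lines):
    """All findings for a list of log lines, in log order."""
    return [f for f in map(check_line, lines) if f]
```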

Tuesday, 28 October 2014

"INVOICE 101760 from Power EC Ltd" spam

This spam supposedly comes from a company called Power EC Ltd, but it doesn't. Instead it comes with a malicious Word document.

From:     soo.sutton77@powercentre.com
Date:     28 October 2014 11:01
Subject:     INVOICE 101760 from Power EC Ltd

Please find attached INVOICE number 224244 from Power EC Ltd

The invoice number varies, as does the name of the attachment but it will be similar to INVOICE101760.doc which has a VirusTotal detection rate of 5/53. This contains this malicious macro [pastebin] which attempts to download a file from http://Riccis.homepage.t-online.de/Testseite/js/bin.exe which is currently 404ing but I believe to be the same payload as this [virustotal].  The Malwr analysis for that file shows it communicating with the following URLs:


Recommended blocklist:
62.75.184.70
116.48.157.176

Monday, 27 October 2014

Randomly generated "invoice xxxxxx October" spam comes with a malicious Word document

There have been a lot of these today:

From:     Sandra Lynch
Date:     27 October 2014 12:29
Subject:     invoice 0544422 October

Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
Thanks very much

Kind Regards


Sandra Lynch
The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc).

The document itself is malicious and has a VirusTotal detection rate of 5/53. Inside the Word document is a macro [pastebin] that attempts to download and execute a malicious binary from http://centrumvooryoga.nl/docs/bin.exe, which is currently 404ing; that is a good sign.

There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments.

Friday, 24 October 2014

Do people really fall for this?

Here's a simple phishing spam..
From:     info@kythea.gr
Date:     24 October 2014 13:50
Subject:     payment

this mail is to inform you that the payment have been made
see the attached file for the payment slip

ANTON ARMAS
Attached is a file payment Slip (2).html which displays a popup alert:
You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information
The victim is then sent to a phishing page, in this case at uere.bplaced.net/blasted/tozaiboeki.webmail.html, which looks like this..

Ummm... do people really fall for this? The frightening answer is.. probably, yes.


"You've received a new fax" spam.. again.

Another day, another fake fax spam.
From:     Fax [fax@victimdomain.com]
To:     luke.sanson@victimdomain.com
Date:     24 October 2014 10:54
Subject:     You've received a new fax

New fax at SCAN2383840 from EPSON by https://victimdomain.com
Scan date: Fri, 24 Oct 2014 15:24:22 +0530
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://galeriaslodkosci.pl/efax/document.php

(eFax Drive is a file hosting service operated by J2, Inc.)
The link in the email goes to a script which (if the the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54. The Malwr report shows the following URLs are contacted:

http://188.165.214.6:20306/2410uk1/HOME/0/51-SP3/0/
http://188.165.214.6:20306/2410uk1/HOME/1/0/0/
http://188.165.214.6:20306/2410uk1/HOME/41/5/1/
http://rodgersmith.com/css/2410uk1.oss

The malware also drops two executables on the system, kcotk.exe (VT 0/53, Malwr report) and ptoma.exe (VT 2/51, Malwr report).

Recommended blocklist:
188.165.214.6
rodgersmith.com

Bitstamp.net "New bank details" spam

This fake email pretending to be from Bitstamp.net (a Bitcoin exchange) is meant to have a malicious payload (probably a Word document), but in the sample I have seen that payload is missing. However, if you receive a similar email with an attachment, it is probably malicious.

From:     Bitstamp.net [no_reply@bitstamp.net]
Date:     23 October 2014 14:48
Subject:     New bank details

New banking details

Dear Bitstamp clients,

We would like to inform you that Bitstamp now has new bank details, please check attached file.

We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.

Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.

Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.

Best regards
CEO, Nejc Kodrič
Bitstamp LIMITED
Despite the hype, very few people actually deal with Bitcoins and I suspect even fewer use this particular exchange, so I assume that the attackers in this case are very interested in targeting Bitcoin owners specifically.

Thursday, 23 October 2014

"Voice Mail" (voicemail_sender@voicemail.com) spam

Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, don't open it.
From:  "Voice Mail" [voicemail_sender@voicemail.com]
Date:  Thu, 23 Oct 2014 14:31:22 +0200
Subject:  voice message from 598-978-8974 for mailbox 833

You have received a voice mail message from 598-978-8974
Message length is 00:00:33. Message size is 264 KB.

Download your voicemail message from dropbox service below (Google Disk
Drive Inc.):

http://itsallaboutrice.com/documents/doc.php
Clicking the link goes to a script that detects if the visitor is running Windows; if so, it downloads a file doc_9231-92_pdf.zip onto the target system, which in turn contains a malicious executable doc_9231-92_pdf.exe with a VirusTotal detection rate of 4/51.

The Malwr report for that binary shows it communicating with the following URLs:

http://188.165.214.6:18608/2310uk1/HOME/0/51-SP3/0/
http://188.165.214.6:18608/2310uk1/HOME/1/0/0/
http://188.165.214.6:18608/2310uk1/HOME/41/5/1/
http://inaturfag.com/files/2310uk1.oss

188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system, nlsio.exe (VT 4/48, Malwr report) and qhcjp.exe (VT 0/51, Malwr report).

Recommended blocklist:
188.165.214.6
inaturfag.com
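Both the fake fax post and the voicemail post above deliver a zip whose only payload is an executable named to look like a PDF (document_92714-872_pdf.exe, doc_9231-92_pdf.exe). As an added example (not from the original posts), a mail-gateway style check that inspects archive members for that pattern. The zip is constructed in memory with dummy bytes, and the extension list is an assumption, not exhaustive.

```python
import io
import zipfile

# Assumption: a representative set of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Tokens the spam runs on this page use to make an executable look like a document.
DISGUISE_TOKENS = ("_pdf", ".pdf", "_doc", ".doc", "_xls", ".xls")

def suspicious_members(zip_bytes):
    """Return (member_name, reason) pairs for archive entries worth blocking:
    any executable, with a sharper reason when it is disguised as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            stem, dot, ext = name.lower().rpartition(".")
            if not dot:
                continue  # no extension at all
            ext = "." + ext
            if ext not in EXECUTABLE_EXTS:
                continue
            if any(tok in stem for tok in DISGUISE_TOKENS):
                findings.append((name, "executable disguised as a document"))
            else:
                findings.append((name, "executable inside archive"))
    return findings

def build_sample_zip(names):
    """Constructed sample: an in-memory zip whose members hold harmless dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"not a real program")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip(["document_92714-872_pdf.exe", "readme.txt"])
    for member, reason in suspicious_members(sample):
        print(f"{member}: {reason}")
```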

Fake supertouch.com / Allied International Trading Limited "Order Confirmation spam"

This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a forgery originating from an organised crime ring; it does not originate from supertouch.com / Allied International Trading Limited, nor have their systems been compromised in any way.

From:     Elouise Massey [Elouise.Massey@supertouch.com]
Date:     23 October 2014 10:52
Subject:     Order Confirmation

Hello,

Thank you for your order, please check and confirm.

Kind Regards


Elouise

Allied International Trading Limited
Unit 1A
Hubert Road
Brentwood
Essex
CM14 4JE
United Kingdom
Telephone 0845 130 9922
Fax 0845 130 9933
In the sample I received, the attachment was corrupt but should have been a malicious Word document S-CON-A248-194387.doc. The document and payload are exactly the same as the ones being sent out today with this spam run (read that post for more details) and are very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:

87.106.84.226
84.40.9.34
jvsfiles.com

Wednesday, 22 October 2014

"This email contains an invoice file attachment" spam contains poorly-detected malware

This fake invoice spam has a malicious Word document attached.

From:     Brittney Spencer , Customer service [Fitzgerald.79f7@host-77-242-217-170.telecomitalia.sm]
Date:     22 October 2014 12:46
Subject:     Reference:ZHO904856SU

 This email contains an invoice file attachment ID:ZHO904856SU



Thanks!

Brittney Spencer .
In this case the attachment was ZHO904856SU.doc which contains a malicious macro, however at the moment the document is showing a VirusTotal detection rate of 0/54.

Attempting to open the document gives the following message:

You didn't enable macros.
Content cant be visible.

..along with an embedded image to tell you how to turn macros off.

If the victim does this, then this malicious macro [pastebin] runs and downloads an executable from http://162.243.234.167:8080/gr/4.exe which has a VirusTotal detection rate of just 1/53.

The Malwr analysis shows this binary posting data to: http://178.250.243.114/IArej7rcO/@HPZ8A5aPU_W/

The 178.250.243.114 IP address is allocated to MajorDomo LLC, Russia. The executable also drops a malicious DLL using the name 2.tmp which also has a VirusTotal detection rate of 0/54.

Tuesday, 21 October 2014

Fake "Humber Merchants Group / humbermerchants.co.uk" Industrial Invoices spam

This fake spam pretends to come from the legitimate firm Humber Merchants but doesn't. It's a forgery, Humber Merchants are not sending out this spam nor have they been hacked or compromised.

From:     ps7031112@humbermerchants.co.uk
Date:     21 October 2014 15:21
Subject:     Industrial Invoices

Attached are accounting documents from Humber Merchants

Humber Merchants Group

Head Office:
Parkinson Avenue
Scunthorpe
North Lincolnshire
DN15 7JX

Tel: 01724 860331
Fax: 01724 281326
Email: sales@humbermerchants.co.uk

--
Automated mail message produced by DbMail.
Registered to Humber Merchants Limited  , License MBS2008354.
Attached is a malicious Word document 15040BII3646501.doc which has a VirusTotal detection rate of 6/54. The Malwr report gives a little detail as to what is going on, but the crux of it is that if you have macros enabled then they will download and execute a malicious binary from http://gpsbah.com/images/1.exe which has a VirusTotal detection rate of 11/53 and which the Malwr report indicates then connects to the following URLs:


62.75.182.94 is a Serverloft / Intergenia IP address in Germany.

Recommended blocklist:
62.75.182.94
gpsbah.com

UPDATE 2014-10-23
Another version of the attachment is doing the rounds, this time the attachment has a detection rate of 0/54 (Malwr report) but in this case it downloads a file from http://jvsfiles.com/common/1.exe which has a detection rate of just 1/54.

According to the Malwr report, that binary contacts the following URLs:


87.106.84.226 is 1&1, Germany and 84.40.9.34 is Hostway, Belgium.

This executable drops a DLL on the system which is also poorly detected with a detection rate of 1/54.

Recommended blocklist:
87.106.84.226
84.40.9.34
jvsfiles.com