Advertisement

Wednesday, 1 July 2015

Malware spam: "Notice of Underreported Income" / "noreply@hmrc.gov.uk"

The second HMRC spam run of the day..

From:    HM Revenue and Customs [noreply@hmrc.gov.uk]
Date:    1 July 2015 at 11:36
Subject:    Notice of Underreported Income

Taxpayer ID: ufwsd-000004152670UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form herc

In this case, the link goes to bahiasteel.com/secure_storage/get_document.html however, the payload is Upatre leading to the Dyre banking trojan, as seen in this other spam run today.

Malware spam: "HMRC taxes application with reference L4TI 2A0A UWSV WASP received" / "noreply@taxreg.hmrc.gov.uk"

This fake tax spam leads to malware:

From     "noreply@taxreg.hmrc.gov.uk" [noreply@taxreg.hmrc.gov.uk]
Date     Wed, 1 Jul 2015 11:20:37 +0000
Subject     HMRC taxes application with reference L4TI 2A0A UWSV WASP received

The application with reference number L4TI 2A0A UWSV WASP submitted by you or your
agent to register for HM Revenue & Customs (HMRC) taxes has been received and will
now be verified. HMRC will contact you if further information is needed.

Please download/view your HMRC documents here: http://quadroft.com/secure_storage/get_document.html

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.d

If you have the correct browser agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly.." notice. If you have something else, a fake 404 page will be generated.
The page then forwards to the real HMRC login page but attempts to dump a malicious ZIP from another source at the same time.

In this case, the ZIP file was Document_HM901417.zip which contains a malicious executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55 (identified as the Upatre downloader).

Automated analysis [1] [2] [3] shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55.

The payload is almost definitely the Dyre banking trojan.

Malware spam: "UK Storage Company Invoice" / "UK Storage Company - Gloucester [gloucester@ukstoragecompany.co.uk]"

This fake invoice does not come the the UK Storage Company but is instead a simple forgery with a malicious attachment.

From    UK Storage Company - Gloucester [gloucester@ukstoragecompany.co.uk]
Date     Wed, 01 Jul 2015 12:33:51 +0300
Subject     UK Storage Company Invoice

Dear Customer,

Please find attached your invoice from UK Storage Company.

Many thanks,

UK Storage Company (SW) Ltd
340-350 Bristol Road, Gloucester,
GL2 5DH
(01452) 502083

In the sample I examined, the attachment was GL_Invoice continuation(51741965)_(20150623).doc with a VirusTotal detection rate of 5/55. The payload appears to be the same as these two spam runs also happening today [1] [2].



Malware spam: "Phil" [phil@twococksbrewery.com] / "Statement JUL-2015"

This fake financial spam does not come from Two Cocks Brewery but is instead a simple forgery with a malicious attachment.

From     "Phil" [phil@twococksbrewery.com]
Date     Wed, 01 Jul 2015 15:48:24 +0530
Subject     Statement JUL-2015

Hi ,

Please find attached a copy of the statement for the month of JUL-2015.

Kind regards,

PHIL
Attached is a file Customer Statement.doc which is the same payload as used in this attack.

Malware spam: "Document Order 534-550719-84513074/1" / "web-filing@companies-house.gov.uk"

This spam email is not from Companies House but is instead a simple forgery with a malicious attachment.

From     web-filing@companies-house.gov.uk
Date     Wed, 01 Jul 2015 10:49:12 +0300
Subject     Document Order 534-550719-84513074/1


Order: 534-550719-84513074  29/06/2015 09:35:46

Companies House WebFiling order 534-550719-84513074/1 is attached.

Thank you for using the Companies House WebFiling service.

--
Email: enquiries@companies-house.gov.uk    Telephone +44 (0)303 1234 500
Note: This email was sent from a notification-only email address which cannot accept
incoming email.  Please do not reply directly to this message.

In the same I saw, the attachment was named compinfo_534-550719-84513074_1.doc [VT 2/55] which contained this malicious macro [pastebin] which downloads a file from:

http://demaiffe.be/75/85.exe

This is then saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of just 1/55. Automated analysis tools [1] [2] [3] indicates malicious traffic to:

78.47.139.58 (Hetzner, Germany)

This IP has been seen a few time recently. Blocking traffic to it is probably a good idea.

The payload is probably the Dridex banking trojan which usually drops via a DLL, although I have not been able to obtain a sample.

MD5s:
7e634a4d8eaad8643d5828b1606c709f
847aa0e22b419316a2e82c813d5ca690

Tuesday, 30 June 2015

Malware spam: "Donna Vipond" / "donna.vipond@ev-ent.co.uk" / "Payment due - 75805"

This fake invoice does not come from Event Furniture Ltd but is instead a simple forgery with a malicious attachment:

From     "Donna Vipond" [donna.vipond@ev-ent.co.uk]
Date     Tue, 30 Jun 2015 13:13:28 +0100
Subject     Payment due - 75805

Please advise when we can expect to receive payment of the attached
invoice now due?  I await to hear from  you.

Kind Regards

Donna Vipond

Accounts

Event Furniture Ltd T/A Event Hire

Tel: 01922 628961 x 201
Attached is a file 75805.doc which comes in two (or more) different versions (Hybrid Analysis report [1] [2]). The samples I saw downloaded a file from either:

www.medisinskyogaterapi.no/59/56.exe
www.carpstory.de/59/56.exe


This is saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of 6/55. The various analyses including this Malwr report and this Hybrid Analysis indicate malicious traffic to 78.47.139.58 (Hetzner, Germany).

The payload is probably the Dridex banking trojan.

Recommended blocklist:
78.47.139.58

MD5s:
e704ff948e791ad67d2c46238629335d
b93dfe419fd9c2638fb4afce85efa3f2
25871a5bbeb85b0fbc07531cfc6193ce

Monday, 29 June 2015

Malware spam: "CEF Documents" / "Dawn.Sandel@cef.co.uk" / "Dawn Sandel"

This fake financial spam does not come from City Electrical Factors but is instead a simple forgery with a malicious attachment.

From: "Dawn.Sandel@cef.co.uk" [Dawn.Sandel@cef.co.uk]
Subject: CEF Documents
Date: Mon, 29 Jun 2015 13:48:27 +0300


Please find attached the following documents issued by City Electrical Factors:

Invoice - BLA/176035 - DUCHMAID

If you have any problems or questions about these documents then please do not hesitate to contact us.

Regards,
Dawn Sandel
Phone: 01282 698 112
Fax: 01282 696 818


Dawn Sandel
Group Office
Nelson & Northwest Region

City Electrical Factors Limited
Tel: 01282 698 112  Fax: 01282 696 818
11 Kenyon Road, Lomeshaye Industrial Estate, Nelson, BB9 5SPv

The attachment is BLA176035.doc which contains a malicious macro. So far I have seen two different versions (Analysed here by Payload Security's Hybrid Analysis [1] [2]) which download a binary from one of the following locations:

dev.seasonsbounty.com/543/786.exe
cbebay.com/543/786.exe


This executable has a detection rate of 11/55. Those analyses show the samples phoning home to the following IPs:

78.47.139.58 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
91.121.173.193 (OVH, France)
183.81.166.5 (IP ServerOne, Malaysia)

The payload is probably Dridex, but I was not able to get a copy of the DLL.

Recommended blocklist:
78.47.139.58
87.236.215.151
91.121.173.193
183.81.166.5

MD5s:
65520ecd513c8b8b75f601aa2e69aeef
6bb2b8dc2129ad62ba459797c8544ff3
1396d0cb86bd400f7e364d583958ac33

Malware spam: "Payslip for period end date 29/06/2015" / "noreply@fermanagh.gov.uk"

This fake financial spam comes with a malicious payload:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    29 June 2015 at 11:46
Subject:    Payslip for period end date 29/06/2015

Dear [redacted]

Please find attached your payslip for period end 29/06/2015

Payroll Section

Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55. Automated analysis [1] [2] shows a file being downloaded from:

http://audileon.com.mx/css/proxy_v29.exe

That binary has a detection rate of just 2/55 [Malwr analysis] Also, Hybrid Analysis [1] [2] shows the following IPs are contact for what looks to be malicious purposes:

69.73.179.87 (Landis Holdings Inc, US)
67.219.166.113 (Panhandle Telecommunications Systems Inc., US)
212.37.81.96 (ENERGOTEL a.s./ Skylan s.r.o, Slovakia)
209.193.83.218 (Visionary Communications Inc., US)
67.206.96.30 (Chickasaw Telephone, US)
208.123.129.153 (Secom Inc , US)
91.187.75.75 (Servei De Telecomunicacions D'Andorra, Andorra)
84.16.55.122 (ISP Slovanet (MNET) Brezno, Czech Republic)
178.219.10.23 (Orion Telekom, Serbia)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
178.54.231.147 (PP Merezha, Ukraine)
75.98.158.55 (Safelink Internet, US)
67.206.97.238 (Chickasaw Telephone, US)
176.197.100.182 (E-Light-Telecom, Russia)
31.134.73.151 (Trk Efir Ltd., Ukraine)
188.255.241.22 (Orion Telekom, Serbia)
31.42.172.36 (FLP Pirozhok Elena Anatolevna, Ukraine)
67.207.228.144 (Southwest Oklahoma Internet, US)
176.120.201.9 (Subnet LLC, Russia)
109.87.63.98 (TRIOLAN / Content Delivery Network Ltd, Ukraine)
38.124.169.148 (PSINet, US)
80.87.219.35 (DSi DATA s.r.o., Slovakia)
195.34.206.204 (Private Enterprise Radionet, Ukraine)
93.119.102.70 (Moldtelecom LIR, Moldova)
184.164.97.242 (Visionary Communications Inc., US)

I am unable to determine exactly what the payload is on this occassion.

Recommended blocklist:
69.73.179.87
67.219.166.113
212.37.81.96
209.193.83.218
67.206.96.30
208.123.129.153
91.187.75.75
84.16.55.122
178.219.10.23
194.28.190.84
83.168.164.18
178.54.231.147
75.98.158.55
67.206.97.238
176.197.100.182
31.134.73.151
188.255.241.22
31.42.172.36
67.207.228.144
176.120.201.9
109.87.63.98
38.124.169.148
80.87.219.35
195.34.206.204
93.119.102.70
184.164.97.242

MD5s:
71a42eaac6f432c8dc04465c065e48e1
4009cd042071c81ce9c1aaa13ac046f2


Friday, 26 June 2015

Malware spam: "Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)" / "directdebit@taxdisc.service.gov.uk"

This spam does not come from the UK government , but instead is a simple forgery with a malicious payload:

From: directdebit@taxdisc.service.gov.uk
Date: Fri, 26 Jun 2015 15:58:38 +0700
Subject: Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)

Important: Confirmation of your successful
Direct Debit instruction

Dear customer
Vehicle registration number: FG08OEE
Thank you for arranging to pay the vehicle tax by Direct Debit.
Please can you check that the details attached below, and your payment schedule are correct.
If any of the above financial details are incorrect please contact your bank as soon as possible.
However, if your details are correct you don’t need to do anything and your Direct Debit will be processed as normal. You have the right to cancel your Direct Debit at any time. A copy of the Direct Debit Guarantee is included with this letter.
For your information, the collection will be made using this reference, and this is how your payment will be detailed on your bank statements:
  • DVLA Identifier: 295402
  • Reference: FG08OEE
Your vehicle tax will automatically renew unless you notify us of any changes. We will send a new payment schedule at the time of renewal.
Yours sincerely

Rohan Gye
Vehicles Service Manager

Driver a& Vehicle Licencing Agency logo
www.gov.uk/browse/driving


Attached to the message is a file FG08OEE.doc with a VirusTotal detection rate of 2/55. The macro in it proved resistant to manual analysis, but the Hybrid Analysis does the job easily enough, spotting a download from:

werktuigmachines.be/708/346.exe

This file was also being used in another spam run earlier today.




cccccccccccccccccc

Malware spam: "Order Confirmation RET-385236 250615" / "donotreply@royal-canin.fr"

This fake financial spam comes with a malicious payload:

From: [1NAV PROD RCS] [mailto:donotreply@royal-canin.fr]
Subject: Order Confirmation RET-385236 250615

Please find attached your Sales Order Confirmation

Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.

In the sample I have seen, the attachment is called Order Confirmation RET-385236 250615.doc which contains this malicious macro [pastebin] which downloads a component from the following location:

http://colchester-institute.com/708/346.exe

Usually there are several different version of the macro, each one loading an identical binary but from different locations. This file is saved as %TEMP%\biksenpd.exe and has a VirusTotal detection rate of 7/55.

According to various automated analysis tools, the sample doesn't seem to run properly [1] [2] [3] [4] but it looks like it tries to send traffic to the following IPs:

68.169.49.213 (Strategic Systems Consulting, US)
87.236.215.151 (OneGbits, Lithuania)
2.185.181.155 (ASDL Subscriber, Iran)


Recommended blocklist:
68.169.49.213
87.236.215.151
2.185.181.155

Wednesday, 24 June 2015

Malware spam: "Considerable law alternations" / "excerptum_from_the_implemented_rule.zip" / "Pamela Adams"

This fake legal spam comes with a malicious payload:
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations

Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above  .
Pamela Adams
Chief accountant

In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55.

Automated analysis tools [1] [2] [3] show malicious traffic to the following IPs:

93.185.4.90 (C2NET Przno, Czech Republic)
216.16.93.250 (Clarity Telecom LLC / PrairieWave, US)
195.34.206.204 (Radionet, Ukraine)
75.98.158.55 (Safelink Internet , US)
185.47.89.141 (Orion Telekom, Serbia)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
85.192.165.229 (Rostelecom / VolgaTelecom, Russia)
178.222.250.35 (Telekom Srbija, Serbia)

The Malwr report and Hybrid Analysis report indicate a couple of  dropped files, gebadof.exe (VT 2/55 - identical to the initial file) and qppwkce.exe (VT 3/55). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.

Recommended blocklist:
93.185.4.90
216.16.93.250
195.34.206.204
75.98.158.55
185.47.89.141
83.168.164.18
85.192.165.229
178.222.250.35

MD5s:
a85849c45667805231f2093e2eabe89d
e91e0424ac23193461c57ac1046e7dc1

Tuesday, 23 June 2015

Malware spam: "Hope this e-mail finds You well" / "Stacey Grimly"

This spam comes with a malicious attachment:

Date:    23 June 2015 at 14:14
Subject:    Hope this e-mail finds You well

Good day!

Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.

Stacey Grimly,
Project Manager
Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:

check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717

The file sizes actually match the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters.

Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52 or 3/54. Automated analysis tools [1] [2] [3] indicate traffic to the following locations:

93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)

These two Malwr reports [1] [2] show dropped files named yaxkodila.exe (two versions, VT 5/54 and 5/55) plus a file jieduk.exe (VT 8/54). Incidentally, the VirusTotal analysis also throws up another IP address of:

104.174.123.66 (Time Warner Cable, US)

The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.

Recommended blocklist:
93.93.194.202
173.216.240.56
188.255.169.176
68.190.246.142
104.174.123.66

 MD5s:
67f05372a34534c5892defb29ba8ead7
267e23f6430999f4b71a074835f19fb2
cebf89f088458f3e89599ae44d03cddf
cfdcb1cbe8983707287be4a03cdb88b4
880ba84222524510c9fe3b3d80429816

Monday, 22 June 2015

Malware spam: "Tax inspection notification" / "tax_663-20845-0479-435.zip size=18288.zipsize=18288"

This fake tax notification comes with a malicious payload.

Date:    22 June 2015 at 19:10
Subject:    Tax inspection notification

Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check  as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor

Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57.

This Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:

http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK

That IP address is the same as seen in this attack earlier today and it belongs to Orion Telekom in Serbia. This VirusTotal report also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report also shows traffic to 37.57.144.177 (Triolan, Ukraine).

Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57] and sveezback.exe [VT 15/57]. The dropped payload will be the Dyre banking trojan.

Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177

MD5s:
394c56133b323ce3bf038cfc7a00562a
4e9fec8e532664672bd3a022f4f0b4ec
14b8a0f6a9258f9e73f63a4269641ca0


Malware spam: "Shareholder alert" / "instructions.zip size=21154.zipsize=21154"

This fake financial spam comes with a malicious attachment:

Date:    22 June 2015 at 13:07
Subject:    Shareholder alert

Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to resolution of the Board of Directors. Please see attached.     Glen McCoy, Partner
Attached is a mis-named ZIP file called instructions.zip size=21154.zipsize=21154 containing a malicious executable instructions_document.exe which has a VirusTotal detection rate of 1/56.

The Malwr report indicates network traffic to:

http://93.93.194.202:13227/212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13227/212/HOME/41/5/1/ELHBEDIBEHGBEHK

93.93.194.202 is Orion Telekom in Serbia.

It also drops an executable xiroukiqa.exe with a detection rate of 5/56 and vusjeson.exe with a detection rate of 4/57. The VirusTotal report for the last binary also shows traffic to 64.111.36.35 ( Midwest Data Center, US), which is clearly malicious according to VirusTotal.

The characteristics of this malware indicate the Upatre download leading to the Dyre banking trojan.

Recommended blocklist:
64.111.36.35
93.93.194.202

MD5s:
058216b2635e9c48c22eda6f9b7c83b5
6b2858d4452d97992ab78fd228c3970d
da53e58da4778515d22a96968766c3e3