Thursday, 5 March 2015

Malware spam: "Credit Control [cc@pentafoods.com]"/ "Penta invoice I0026098"

This spam email does not come from Penta Foods, instead it is a simple forgery with a malicious attachment.
From:    Credit Control [cc@pentafoods.com]
Date:    5 March 2015 at 11:10
Subject:    Penta invoice I0026098

Please find attached your invoice I0026098

Regards,

Finance Team

Attached is a document I0026098.doc, which comes in at least two versions with low detection rates [1] [2]. Both contain macros [1] [2] that attempt to download a component from the following locations:

http://maloja.se/js/bin.exe
http://campusnut.com/js/bin.exe

This is the same payload as used in this earlier spam run. It currently has a VirusTotal detection rate of 12/56.


Malware spam: "Bobby Drell [rob@abbottpainting.com]" / "Brochure2.doc"

This spam does not come from Bobby Drell or Abbott Painting, instead it is a simple forgery with a malicious attachment.
From:    Bobby Drell [rob@abbottpainting.com]
Date:    5 March 2015 at 10:27
Subject:    Brochure2.doc

Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell

Attached is a file Brochure2.doc, which has a low detection rate and contains this malicious macro [pastebin]. The macro downloads a component from the following location:

http://data.gmsllp.com/js/bin.exe

This is saved as %TEMP%\324235235.exe. Note that there may be different versions of this document that download files from different locations, but the payload should be identical. In this case the executable has a detection rate of 4/57.

Automated analysis tools [1] [2] show it phoning home to the following IPs:

92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks aka DINETHOSTING, Russia)

Usually this will drop a malicious Dridex DLL, although I was not able to obtain a sample.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24

Wednesday, 4 March 2015

"Remittance advice" spam has a mystery XML attachment

I haven't worked this out yet, but this appears to be a malware spam run using an XML document that contains an ActiveX element.

From:    Trudy Trevino
Date:    4 March 2015 at 09:29
Subject:    Remittance advice [Rem_0559ZX.xml]

Good morning

You can find remittance advice [Rem_0559ZX.xml] in the attachment

Kind Regards
Trudy Trevino
ROSNEFT OJSC
Other example fake senders are:
Georgette Whitfield
DELTEX MEDICAL GROUP

Jasmine Hansen
ACER INC

Jodi Cooper
JOHNSON SERVICE GROUP PLC

Rebekah Dodson
VICTREX

Edmund Molina
600 GROUP

Callie Brewer
BIOQUELL

Harriett Ferguson
BRISTOL & WEST PLC

Gabrielle Alvarado
JPMORGAN US SMALLER CO INV TST PLC

The name of the XML file in the attachment (and also in the body text and subject) varies but is always in the format Rem_1234AB.xml. So far I have seen three different versions (clicking the MD5 leads to a Pastebin with the XML attachment):

The XML attachment contains a Base64-encoded section that starts with the string "ActiveMime", which indicates that it is some sort of ActiveX element. I haven't been able to deduce the purpose of this, and the Malwr report is inconclusive but does show a command prompt being opened. The payload is most likely the Dridex banking trojan given the other characteristics of the spam.

There's probably little reason to accept XML documents by email. Blocking these at your email gateway might be a good idea.
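A gateway-side check for the "ActiveMime" marker described above, added here as an example (it is not code from the original post). The "ActiveMime" magic identifies an MSO container, the format Word 2003 XML files use to carry embedded OLE content such as a VBA project inside a base64 w:binData element. The XML below is a constructed sample whose blob carries only the magic bytes, not a real container.

```python
"""Flag XML "documents" that embed an ActiveMime (MSO) container.

Added example, not code from the original post. Word 2003 XML files carry
macros as a base64 <w:binData> element whose decoded bytes start with the
"ActiveMime" magic. The sample below is a constructed stand-in: the blob has
the right magic but is not a valid MSO container.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET  # prefer defusedxml for hostile input in production

ACTIVEMIME_MAGIC = b"ActiveMime"


def decode_base64_text(text):
    """Decode whitespace-folded base64 text; return None if it is not base64."""
    cleaned = re.sub(rb"\s+", b"", text.encode("ascii", "ignore"))
    if len(cleaned) < 16 or len(cleaned) % 4:
        return None
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_activemime_blobs(xml_bytes):
    """Return (tag, name attribute, decoded size) for every ActiveMime blob found."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for elem in root.iter():
        if not elem.text:
            continue
        blob = decode_base64_text(elem.text)
        if blob is not None and blob.startswith(ACTIVEMIME_MAGIC):
            # Attribute keys are namespaced, e.g. "{...wordml}name".
            name = next((v for k, v in elem.attrib.items()
                         if k.endswith("}name") or k == "name"), "")
            findings.append((elem.tag, name, len(blob)))
    return findings


def is_suspicious(xml_bytes):
    """Gateway-style verdict: any ActiveMime blob in an XML attachment is a block."""
    return bool(find_activemime_blobs(xml_bytes))


WORDML = "http://schemas.microsoft.com/office/word/2003/wordml"
_FAKE_MSO = ACTIVEMIME_MAGIC + b"\x00" * 22 + b"Z" * 40   # constructed, 72 bytes

# Constructed sample resembling a Word 2003 XML document with an embedded MSO blob.
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    + b'<w:wordDocument xmlns:w="' + WORDML.encode() + b'">'
    + b'<w:binData w:name="editdata.mso">' + base64.b64encode(_FAKE_MSO) + b'</w:binData>'
    + b'<w:body><w:p><w:r><w:t>Remittance advice</w:t></w:r></w:p></w:body>'
    + b'</w:wordDocument>'
)
# Constructed clean document with the same visible text and no binary payload.
CLEAN_XML = (
    b'<w:wordDocument xmlns:w="' + WORDML.encode() + b'">'
    + b'<w:body><w:p><w:r><w:t>Remittance advice</w:t></w:r></w:p></w:body>'
    + b'</w:wordDocument>'
)

if __name__ == "__main__":
    print(find_activemime_blobs(SAMPLE_XML))
    print("clean suspicious?", is_suspicious(CLEAN_XML))
```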

UPDATE 1

An analysis from another party indicates the following download locations:

http://92.63.87.12:8080/azvxjdfr31k/abs5ajsu.exe
http://178.32.184.11:8080/azvxjdfr31k/abs5ajsu.exe
http://46.30.42.90:8080/azvxjdfr31k/abs5ajsu.exe

The following are the servers the malware phones home to; I recommend blocking them:

62.76.176.203
46.30.42.171
74.208.68.243
37.139.47.111

More analysis to follow...

Malware spam: "John Donald [john@kingfishermanagement.uk.com]" / "Document1"

This rather terse email comes with a malicious attachment:
From:    John Donald [john@kingfishermanagement.uk.com]
Date:    4 March 2015 at 09:09
Subject:    Document1

There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors. It contains this malicious macro [pastebin] which downloads another component from the following location:

http://retro-moto.cba.pl/js/bin.exe

Note that there may be other versions of this document with different download locations, but the downloaded binary should be identical. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] show attempted network traffic to the following IPs:

92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)

According to the Malwr report it also drops another version of itself with a detection rate of just 1/57 plus a DLL with a detection rate of 7/56.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33

Sunday, 1 March 2015

Fake job offer: "ukhomejob.com" and many others

This spam email for a fake (and illegal) job is soliciting replies to ukhomejob.com. It is part of a network of fraudulent domains, attempting to recruit victims into money laundering and other illegal activities.

From:    Victim
To:    Victim
Date:    1 March 2015 at 22:09
Subject:    Advice

Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.

We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.

Part-time employment is currently important.
We offer a wage from 3500 GBP per month.

If you are interested in our offer, mail to us your answer on hermie@ukhomejob.com and
we will send you an extensive information as soon as possible.
Respectively submitted

Personnel department

This is related to this scam, although the IP now used to receive emails is a Comcast IP, 98.221.25.74. The following domains are also related and are all fraudulent:

globbalpresence.com
recognizettrauma.net
gbearn.com
comercioes.com
eurohomejob.com
fastestrades.com
usaearns.com
idhomejob.com
ukhomejob.com
eurhomejob.com

The most likely "job" is money laundering, typically moving money out of stolen bank accounts and then passing it on to someone in Eastern Europe. This activity is illegal, and there is a chance that you'll end up in jail at worst, or having to repay the stolen money at best. Avoid.

Saturday, 28 February 2015

Fake job offer: tradeconstruction.co.uk, spoofing the legitimate Trade Construction Company LLC

This fake job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction.co.uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC, which is not involved in this scam at all.

From:    JOB ALERT [klakogroups@gmail.com]
Reply-To:    klakogroups@gmail.com
To:    Recipients [klakogroups@gmail.com]
Date:    27 February 2015 at 18:37
Subject:    NEW JOB VACANCIES IN LONDON.

Trade Construction Company,
L.L.C,
70 Gracechurch Street.
EC3V 0XL, London. UK

We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.

Available Positions

QUANTITY SURVEY, HEALTH EDUCATOR,CIVIL ENGINEER, FIELD SURVEY SUPERVISION, WELDER,MACHINES SUPERVISOR, MECHINARY OPERATOR,
CHEMICAL ENGINEER, AUTOMOTIVE MECHANIC, DESK OFFICER, ELECTRICAL ENGINEER, CONFERENCE & BANQUETING OPERATIONS MANAGER,
STORE KEEPER,ACCOUNT MANAGER, CASHIER, ASSISTANT MANAGER OF FRONT OFFICE, RECEPTIONIST, CLEANER, FOREIGN/INTERNATIONAL LANGUAGE INTERPRETERS,
MARKETING ASSISTANT, COMPUTER OPERATOR, INTERNET SERVICE EXPERT, SECURITY PERSONNEL, HR ASSISTANT,

The Company Management would be responsible to pay for your Flight Ticket and Accommodation.

All other information about benefits which would be received by new employees would be given in their application process.

So if interested, kindly send your CV/Resume via email to recruitment@tradeconstruction.co.uk

You can also apply directly at.

http://www.tradeconstruction.co.uk/apply_online.html
website: http://www.tradeconstruction.co.uk
Phone: +447990402584

The tradeconstruction.co.uk site is almost a bit-for-bit copy of the genuine tradeconstruction.com website.

The difference in content is minimal, but the fake site contains the following contact details:

Office Address:
TRADE Company House
70 Gracechurch Street London
EC3V 0XL
United Kingdom
Phone: +447990402584

Shop Addresses:
Office 208
3 Brindley Place
Birmingham, West Midlands
B1 2JB
United Kingdom
Fax: 225-658-8067 
These are actually the contact details for XL Insurance, who are obviously completely unconnected to this scam.

The fax number is invalid for the UK, and is actually just copied-and-pasted from the genuine site. The telephone number +447990402584 (07990 402584) is valid for the UK but it's a mobile phone number (possibly an untraceable prepay handset), so it could be anywhere.

As I said before, there is no company in the UK called Trade Construction Company and "LLC" is not a recognised type of UK company (typically they would be "Ltd", "PLC" or "LLP").

The WHOIS details for the domain are incomplete and unverified:

Domain name:
        tradeconstruction.co.uk

    Registrant:
        tradeconstruction

    Registrant type:
        Unknown

    Registrant's address:
        SOUTH ROAD
        ERDINTON
        BIRMINGHAM
        Birmingham
        B23 6EL
        United Kingdom

    Data validation:
        Registrant name and address awaiting validation


This is a residential area of Birmingham in the UK, but there is no house number and "Erdington" is spelled incorrectly. It certainly doesn't match the other contact addresses given.

Let's have a look at the mail headers to see if we can determine where this email actually came from.

Received: from mx.giki.edu.pk (mx.giki.edu.pk [121.52.146.229])
    by [redacted] (Postfix) with ESMTP id 91B60ED199
    for [redacted]; Sat, 28 Feb 2015 06:29:19 +0000 (UTC)
X-ASG-Debug-ID: 1425104952-04b09a633509b40001-Ozk3QL
Received: from mail.giki.edu.pk (mail.giki.edu.pk [121.52.146.226]) by mx.giki.edu.pk with ESMTP id 6NnzvLRyt5l62CxM; Sat, 28 Feb 2015 11:29:12 +0500 (PKT)
X-Barracuda-Envelope-From: klakogroups@gmail.com
X-Barracuda-Apparent-Source-IP: 121.52.146.226
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.giki.edu.pk (Postfix) with ESMTP id 1127A11414ED;
    Sat, 28 Feb 2015 06:42:31 +0500 (PKT)
Received: from mail.giki.edu.pk ([127.0.0.1])
    by localhost (mail.giki.edu.pk [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id m27tNjcw-XxF; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.giki.edu.pk (Postfix) with ESMTP id 9E5A111414D7;
    Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
X-Virus-Scanned: amavisd-new at mail.giki.edu.pk
Received: from mail.giki.edu.pk ([127.0.0.1])
    by localhost (mail.giki.edu.pk [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id n3YhjtqX2niQ; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from [172.245.45.23] (unknown [172.245.45.23])
    by mail.giki.edu.pk (Postfix) with ESMTPSA id 214E611414ED;
    Sat, 28 Feb 2015 06:42:23 +0500 (PKT)
We can definitely say that this email spent a while bouncing around the Ghulam Ishaq Khan Institute of Engineering Sciences and Technology in Pakistan. It appears that it originated from a server at 172.245.45.23 which is a ColoCrossing IP suballocated to:

NetRange:       172.245.45.0 - 172.245.45.31
CIDR:           172.245.45.0/27
NetName:        CC-172-245-45-0-27
NetHandle:      NET-172-245-45-0-1
Parent:         CC-14 (NET-172-245-0-0-1)
NetType:        Reallocated
OriginAS:       AS36352
Organization:   naa (NAA-21)
RegDate:        2013-06-07
Updated:        2013-06-07
Ref:            http://whois.arin.net/rest/net/NET-172-245-45-0-1

OrgName:        naa
OrgId:          NAA-21
Address:        530 W. 6th Street Suite 901
City:           Los Angeles
StateProv:      CA
PostalCode:     90014
Country:        US
RegDate:        2013-06-07
Updated:        2013-06-07
Ref:            http://whois.arin.net/rest/org/NAA-21

OrgAbuseHandle: BRBA-ARIN
OrgAbuseName:   Baker, Rusdi bin abu
OrgAbusePhone:  +1-940-238-5499
OrgAbuseEmail:  rusdi.bin.abu.bakar@gmail.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/BRBA-ARIN

OrgTechHandle: BRBA-ARIN
OrgTechName:   Baker, Rusdi bin abu
OrgTechPhone:  +1-940-238-5499
OrgTechEmail:  rusdi.bin.abu.bakar@gmail.com
OrgTechRef:    http://whois.arin.net/rest/poc/BRBA-ARIN


Note that this isn't to say that "Rusdi bin abu Bakar" is sending the email, rather that a customer of theirs is.
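An added example (not from the original post) of the header walk done above: it parses the Received: chain newest-first, the way relays prepend it, and reports the earliest hop that arrived from a globally routable address. The headers are a constructed sample trimmed from those shown above (the amavisd loopback hops are omitted), with the [redacted] relay kept as-is.

```python
"""Walk a message's Received: chain to find the host that injected it.

Added example, not code from the original post. Each relay prepends its own
Received: line, so the top entry is the last hop and the bottom entry is the
first. Only lines added by relays you trust are reliable; anything below them
can be forged by the sender, so treat the result as a lead, not proof.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample trimmed from the scam message's headers (amavisd hops omitted).
SAMPLE_HEADERS = """\
Received: from mx.giki.edu.pk (mx.giki.edu.pk [121.52.146.229])
    by [redacted] (Postfix) with ESMTP id 91B60ED199
    for [redacted]; Sat, 28 Feb 2015 06:29:19 +0000 (UTC)
Received: from mail.giki.edu.pk (mail.giki.edu.pk [121.52.146.226]) by mx.giki.edu.pk with ESMTP id 6NnzvLRyt5l62CxM; Sat, 28 Feb 2015 11:29:12 +0500 (PKT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.giki.edu.pk (Postfix) with ESMTP id 1127A11414ED;
    Sat, 28 Feb 2015 06:42:31 +0500 (PKT)
Received: from [172.245.45.23] (unknown [172.245.45.23])
    by mail.giki.edu.pk (Postfix) with ESMTPSA id 214E611414ED;
    Sat, 28 Feb 2015 06:42:23 +0500 (PKT)
Subject: NEW JOB VACANCIES IN LONDON.

"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_headers):
    """Return hops newest-first as dicts with keys from, by, ip (or None), time."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        # Take the connecting IP only from the "from" clause, never from "by".
        ip_m = IP_RE.search(flat[: m.start("by")])
        when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
        hops.append({"from": m["from"], "by": m["by"],
                     "ip": ip_m.group(1) if ip_m else None, "time": when})
    return hops


def injecting_ip(hops):
    """Earliest hop with a globally routable source IP: where the mail entered."""
    for hop in reversed(hops):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def transit_seconds(hops):
    """Seconds between the earliest hop and final delivery; queueing shows up here."""
    return int((hops[0]["time"] - hops[-1]["time"]).total_seconds())


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_HEADERS)
    for hop in hops:
        print(f"{hop['from']:<20} -> {hop['by']:<18} {hop['ip']}  {hop['time']}")
    print("injected from:", injecting_ip(hops))
    print("transit:", transit_seconds(hops), "s")
```

The transit figure shows the message sat in the institute's queue for nearly five hours before the outbound relay picked it up, which matches the "bouncing around" observation above.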

Nothing about this job offer is legitimate. It does not come from who it appears to come from and should be considered to be a scam, and avoided.

Friday, 27 February 2015

Malware spam: "Dennys Invoice INV650988" / "accounts@dennys.co.uk"

This fake invoice email is not from Dennys but is a simple forgery with a malicious attachment. Dennys are not sending the spam, and their systems have not been compromised in any way.
From:    accounts@dennys.co.uk
Date:    27 February 2015 at 09:14
Subject:    Dennys Invoice INV650988

To view the attached document, you will need the Microsoft Word installed on your system.

So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero. This contains this malicious macro [pastebin] which downloads another component from the following location:

http://hew.homepage.t-online.de/js/bin.exe

This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57.

According to the Malwr report, this executable then goes on and downloads another version of itself and a config file from:

http://apartmentprofile.su/conlib.php
http://paczuje.cba.pl/java/bin.exe

It drops several files, KB2896~1.EXE [VT 3/57], edg2.exe [VT 3/57] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday). (If you have a Malwr account you can download a copy of everything from here.)

Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:

198.52.200.15 (Centarra Networks, US)
95.211.144.65 (Leaseweb, Netherlands)
195.114.0.64 (SuperHost.pl, Poland)
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
59.97.137.171 (Broadband Multiplay Project, India)
104.232.32.119 (Net 3, US)

Some of these are shared hosting; for maximum protection I recommend that you apply the following blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
198.52.200.15
78.140.164.160
59.97.137.171
104.232.32.119

Thursday, 26 February 2015

Malware spam: "Chris Christou [chris.christou@greysimmonds.co.uk]" / "Copy invoices"

This fake invoice spam comes with a malicious attachment:

From:    Chris Christou [chris.christou@greysimmonds.co.uk]
Date:    26 February 2015 at 10:45
Subject:    Copy invoices

Hello ,

Please find copy invoices attached as per our telephone conversation.

Kind regards,

Chris

Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel:  0845 130 9070
Fax: 0845 370 9071
Email:  chris.christou@greysimmonds.co.uk
Web: www.greysimmonds.com

P  “Think before you Print” - Please consider the environment before printing this e-mail

It does NOT come from Grey Simmonds, nor have their systems been compromised in any way. Instead, this is a simple forgery.

I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57] which contains this malicious macro [pastebin] which downloads a further component from:

http://xomma.net/js/bin.exe

This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56. Automated analysis tools [1] [2] show it attempting to phone home to the following IPs:

92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)

This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57] and 1997b0031ad702c8347267db0ae65539 [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
78.140.164.160
86.104.134.156
104.232.32.119

Wednesday, 25 February 2015

Malware spam: "Your LogMeIn Pro payment has been processed!"

This fake financial email does not come from LogMeIn, instead it has a malicious attachment:

From:    LogMeIn.com [no_reply@logmein.com]
Date:    25 February 2015 at 08:52
Subject:    Your LogMeIn Pro payment has been processed!

Dear client,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.

Date : 25/2/2015
Amount : $999 ( you saved $749.75)

The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.

Thank you for choosing LogMeIn!

Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:

http://junidesign.de/js/bin.exe

This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show this calling home to the following IPs:

92.63.87.13 (MWTV, Latvia)
86.104.134.156 (One Telecom, Moldova)
217.12.203.34 (ITL, Bulgaria)
108.61.165.19 (Choopa LLC, Netherlands)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
95.163.121.179 (Digital Networks aka DINETHOSTING, Russia)
59.97.137.171 (Broadband Multiplay, India)
78.140.164.160 (Webazilla, US)
107.181.174.104 (Colo at 55, US / UA Servers, Ukraine)

I outlined some of the problems with MWTV in this post. The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57] and a malicious DLL which is probably a Dridex component [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
86.104.134.156
217.12.203.34
108.61.165.19
5.196.241.196
66.110.179.66
202.44.54.5
95.163.121.179
59.97.137.171
78.140.164.160
107.181.174.104

UPDATE:  a different version of the attachment [VT] uses this macro to download from:

http://jacekhondel.w.interia.pl/js/bin.exe

The payload is identical to the other variant.

Malware spam: 'Info Chemicals shared "MT 103_PO_NO!014.zip" with you' uses Dropbox

This spam leads to a malware download via Dropbox.

From:    Info via Dropbox
Reply-To:    hcm0366@gmail.com
Date:    25 February 2015 at 05:38
Subject:    Info Chemicals shared "MT 103_PO_NO!014.zip" with you
Signed by:    dropbox.com

From Info:

"Good day ,

How are you today
pls check attached, my manager had requested I email you our new order details together with TT copy of balance payment. Kindly confirm in return.

regards,

Frank Manner

Broad Oak Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602

Disclaimer :
This electronic mail transmission may contain material that is legally privileged and confidential for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient or the employee or agent responsible for delivery of this message to the intended recipient, you are hereby notified that any disclosure, copying, dissemination, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify the sender immediately by responding to this electronic mail and then delete all copies including any attachments thereto from your computer, disk drive, diskette, or other storage device or media.

Maritim Barito Perkasa does not accept any liability in respect of communication made by its employee that is contrary to company policy or outside the scope of employment of the individual concerned."

Click here to view

(Info shared these files using Dropbox. Enjoy!)

The email has been digitally signed by Dropbox (which means exactly nothing) and is spoofing the wholly legitimate Broad Oak Ltd, which has been a target of this sort of thing several times before.

In this case, the link in the email goes to:

https://www.dropbox.com/l/dFxVxjuDRo3j2oANVURy2v
and then to
https://www.dropbox.com/s/fnsprei93c45ts6/MT%20103_PO_NO!014.zip

This leads to a malicious file called MT 103_PO_NO!014.zip. Inside that is the malware itself, a .pdf.scr file which has a detection rate of 11/57. According to the Malwr report it drops another executable with a detection rate of 9/57. The payload looks similar to the Zeus trojan.

Also, according to Malwr and ThreatExpert, it attempts to communicate with an apparent web-to-Tor gateway at

mmc65z4xsgbcbazl.onion.am

onion.am is hosted on 37.220.35.39 (YISP Colo, Netherlands) and I suggest this isn't the sort of thing that you want on your corporate network regardless of its legitimate uses.

Be aware that there are probably many other Dropbox locations in use for this spam run. If you see more, I suggest you forward the email to abuse -at- dropbox.com who are normally quite good at dealing with this sort of thing.