Sponsored by..

Friday, 12 February 2016

Malware spam: "Your latest invoice from The Fuelcard Company UK Ltd" / customerservice@fuelcards.co.uk

This fake financial spam does not come from The Fuelcard Company UK Ltd but is instead a simple forgery with a malicious attachment. For some reason, fake fuel card spam is popular with the bad guys.
From:    customerservice@fuelcards.co.uk
Date:    12 February 2016 at 10:44
Subject:    Your latest invoice from The Fuelcard Company UK Ltd


Please find your latest invoice attached.

If you have any queries please do not hesitate to contact our Customer Service Team at customerservice@fuelcards.co.uk

Regards

The Fuelcard Compa

The Fuelcard Company UK Ltd
St James Business Park   Grimbald Crag Court   Knaresborough   HG5 8QB
Tel 0845 456 1400   Fax 0845 279 9877
http://www.thefuelcardcompany.co.uk

Please consider the environment before printing this email.
________________________________________
This email and any files transmitted with it are confidential, maybe legally privileged, and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the system administrator and then kindly delete the message. If you are not the intended recipient, any disclosure, copying, distribution or any other action taken is prohibited, and may be unlawful. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.  Please note that once signed,  The Fuelcard Company terms & conditions take precedence over all prior communications by any employee or agent of The Fuelcard Company. Once a client signs The Fuelcard Company terms & conditions, this will form the full extent of The Fuelcard Company’s agreed contract with the client.

E-mails may be corrupted, intercepted or amended and so we do not accept any liability for the contents received. We accept no responsibility for any loss caused by viruses. You should scan attachments (if any) for viruses.

Head Office: The Fuelcard Company UK Ltd, St James Business Park, Grimbald Crag Court, Knaresborough HG5 8QB

Registered number: 5939102

I have only seen a single sample with an attachment named invoice.xls with a detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.

UPDATE

This Hybrid Analysis shows that this particular sample downloads from:

legismar.com/09u8h76f/65fg67n

This is the same executable as found in this earlier spam run.

Malware spam: "DVSA RECEIPT" / FPO.CC.15@vosa.gsi.gov.uk

This spam email does not come from a UK government agency, but is instead a simple forgery with a malcious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi.gov.uk.

From     FPO.CC.15@vosa.gsi.gov.uk
Date     Fri, 12 Feb 2016 12:47:20 +0300
Subject     DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.
*********************************************************************


The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.
Attached is a file Fixed Penalty Receipt.docm which comes in at least ten different variants with the following MD5s:



1cb27d23f9999d9d196a5d20c28fbd4e
68225ddcb35694eff28a2300e8d60399
a99d6c25218add7ece55b2503666b664
57ab4224e7d2274d341020767a6609fd
51f5960ae726906a50b5db4e9253c3c2
7a43a911e0ad208adf4e492345349269
4aae160341b6d96adc2c911ddc941222
f34460da1e77ae4a3b178532800300a2
58a01b254b9d7b90d1d0f80c14f5a089
50e1c94e43f05f593babddb488f1a2f9


I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:

raysoft.de/09u8h76f/65fg67n
xenianet.org/09u8h76f/65fg67n
steinleitner-online.net/09u8h76f/65fg67n [reported here]

This dropped file has a detection rate of 5/54 (MD5 7bf7df5e630242182fa95adff4963921). This Hybrid Analysis report indicates subsequent traffic to:

192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
87.229.86.20 (ZNET Telekom Zrt, Hungary)
84.38.67.231 (ispOne business GmbH, Germany)


The payload is the Dridex banking trojan.

Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231



Thursday, 11 February 2016

Malware spam: "Your Sage Pay Invoice INV00318132" / Sagepay EU [accounts@sagepay.com]

This spam does not come from Sage Pay but is instead a simple forgery with a malicious attachment:

From:    Sagepay EU [accounts@sagepay.com]
Date:    11 February 2016 at 13:21
Subject:    Your Sage Pay Invoice INV00318132


Please find attached your invoice.

We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones.  You should have already received an email that outlined the changes, however if you have any questions please contact accounts@sagepay.com or call 0845 111 44 55.

Kind regards

Sage Pay
0845 111 44 55
Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least 11). The VirusTotal detection rate for a subset of these is 4/54 [1] [2] [3] [4] [5] [6]. Only a single Malwr report seemed to work, indicating the macro downloading from:

www.phraseculte.fr/09u8h76f/65fg67n

This dropped executable has a detection rate of 3/54. The Malwr report shows it phoning home to:

84.38.67.231 (ispOne business GmbH, Germany)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

Malware spam: "Scan from KM1650" / "Please find attached your recent scan" / "scanner@victimdomain.tld"

This fake document scan leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.

From:    scanner@victimdomain.tld
Date:    11 February 2016 at 10:24
Subject:    Scan from KM1650

Please find attached your recent scan  
Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1] [2] [3]). The Malwr reports [4] [5] [6] indicate the the macro in the document downloads a malicious executable from:

maraf0n.vv.si/09u8h76f/65fg67n
www.sum-electronics.co.jp/09u8h76f/65fg6
7n

The dropped executable has a detection rate of 2/54. As with this earlier spam run it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

Block traffic to that IP. The payload is the Dridex banking trojan.



Malware spam: "INT242343 Unpaid Invoice - Your Services May Be Suspended" / payments@wavenetuk.com

This spam does not come from Wavenet Group but is instead a simple forgery with a malicious attachment:

From     payments [payments@wavenetuk.com]
Date     Thu, 11 Feb 2016 15:14:59 +0530
Subject     INT242343 Unpaid Invoice - Your Services May Be Suspended

PLEASE NOTE:  THIS IS A NO REPLY EMAIL ACCOUNT

Dear Customer
        Please find attached to this email your statement
You can view the invoices listed on our e-billing site at www.netbills.co.uk
If you have any queries regarding use of the e-billing site or this statement please
call us on 08444 12 7777.


Accounts Department
Wavenet Group
Incorporating - Titan Technology, Centralcom and S1 Network Services
Tel 08444127777


This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. Wavenet
Ltd Registered in England No 3919664. Registered address: Friars Gate 2, 1011 Stratford
Road, Shirley, Solihull, West Midlands, B90 4BN. If you are not the intended recipient
of this email and its attachments, you must take no action based upon them, nor must
you copy or show them to anyone. Please contact the sender if you believe you have
received this email in error. Wavenet Ltd reserves the right to monitor email communications
through its networks.

This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. If you
are not the intended recipient of this email and its attachments, you must take no
action based upon them, nor must you copy or show them to anyone. Please contact
the sender if you believe you have received this email in error. Wavenet Ltd reserves
the right to monitor email communications through its networks
I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53. The Malwr analysis shows that this script downloads an executable from:

gp-training.net/09u8h76f/65fg67n

There are probably a few other download locations. This binary has a detection rate of 2/54.  The Malwr report also indicates that it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

Wednesday, 10 February 2016

Malware spam: "New Doc 115" / "Sent from Yahoo Mail on Android"

This rather terse spam has a malicious attachment:
From:    admin [ali73_2008949@yahoo.co.uk]
Date:    10 February 2016 at 10:16
Subject:    New Doc 115

Sent from Yahoo Mail on Android
The sender's email address varies from message to message. Attached is a file New Doc 115.doc which is reportedly identical to the one found in this spam campaign.

Malware spam: Emailing: MX62EDO 10.02.2016 / documents@dmb-ltd.co.uk

This spam has a malicious attachment:

From     documents@dmb-ltd.co.uk
Date     Wed, 10 Feb 2016 11:12:41 +0200
Subject     Emailing: MX62EDO 10.02.2016

Your message is ready to be sent with the following file or link
attachments:

MX62EDO  10.02.2016 SERVICE SHEET


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a malicious document named MX62EDO 10.02.2016.doc. I haven't had time to analyse these myself, but a trusted source (thank you) says that there are three different variants of documents, downloading a malicious executable from the following locations:

calflytech.com/09u8h76f/65fg67n
g-t-c.co.uk/09u8h76f/65fg67n
opoai.com/09u8h76f/65fg67n


This drops an executable with a VirusTotal detection rate of 6/55.  This malware calls back to the following IPs:

87.229.86.20 (ZNET Telekom Zrt, Hungary)
50.56.184.194 (Rackspace, US)
144.76.73.3 (Hetzner, Germany)


The payload is the Dridex banking trojan. Some chatter I have seen indicates that this has been hardened against analysis.

Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3
 






Tuesday, 9 February 2016

Malware spam: "Accounts" / [accounts_do_not_reply@aldridgesecurity.co.uk]

This rather terse spam does not come from Aldridge Security but it is instead a simple forgery with a malicious attachment. There is no subject.

From     [accounts_do_not_reply@aldridgesecurity.co.uk]
Date     Tue, 09 Feb 2016 10:31:14 +0200
Subject    

Accounts
I have only seen a single sample with an attachment document2016-02-09-103153.doc which has a VirusTotal detection rate of 5/54. Automated analysis [1] [2] shows that it downloads a malicious executable from:

promo.clickencer.com/4wde34f/4gevfdg

This has a detection rate of 5/54. Those analyses indicates that the malware phones home to:

50.56.184.194 (Rackspace, US)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.


Monday, 8 February 2016

Malware spam: "Accounts Documentation - Invoices" / CreditControl@crosswater.co.uk

This fake financial spam does not come from Crosswater Holdings, but it is instead a simple forgery with a malicious attachment:
From:    CreditControl@crosswater.co.uk
Date:    8 February 2016 at 10:34
Subject:    Accounts Documentation - Invoices

Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.

If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:

Accounts@crosswater-holdings.co.uk

or call us on 0845 873 8840

Please do not reply to this E-mail as this is a forwarding address only.
Attached is a malicious script ~13190.js which comes in at least two different variants (VirusTotal [1] [2]). According to automated analysis [3] [4] [5] [6] these scripts download from:

hydroxylapatites7.meximas.com/98876hg5/45gt454h
80.109.240.71/~l.pennings/98876hg5/45gt454h


This drops an executable with a detection rate of 3/53 which appears to phone home to:

188.40.224.73 (NoTag, Germany)

I strongly recommend that you block traffic to that IP address. The payload is likely to be the Dridex banking trojan.



Thursday, 4 February 2016

Malware spam: "BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016" / "Fuel Card Services" [adminbur@fuelcardgroup.com]

This fake financial spam does not come from Fuel Card Services Ltd but is instead a simple forgery with a malicious attachment:

From     "Fuel Card Services" [adminbur@fuelcardgroup.com]
Date     Thu, 04 Feb 2016 04:29:24 -0700
Subject     BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
support@fuelcardservices.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail
info@fuelcardservices.com.


E-billing
-

From: adminbur@fuelcardservices.com

Sent: Thu, 04 Feb 2016 04:29:24 -0700
To: [redacted]
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Account: B216552

Please find your e-bill 0200442 for 31/01/2016 attached.

To manage you account online please click
http://eservices.fuelcardservices.com

If you would like to order more fuel cards please click
http://www.fuelcard-group.com/cardorder/bp-burnley.pdf

If you have any queries, please do not hesitate to contact us.

Regards

Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com


Supplied according to our terms and conditions. (see
http://www.fuelcardservices.com/ebill.pdf).


Please also note that if you cannot open this attachment and are using
Outlook Express
 to view your mail you should select Tools / Options / Security Tab and
deselect the
option marked "Do not allow attachments to be opened that potentially
may be a virus".
 All of our outgoing mail is fully virus scanned but we recommend this
facility is
re-enabled if you do not use virus scanning software.
I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro [pastebin] which is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:

www.trulygreen.net/43543r34r/843tf.exe

also reported is as a download location is:

www.mraguas.com/43543r34r/843tf.exe

If you look at the details of the Malwr report, it seems that the the script does creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52 and according to this Hybrid Analysis shows that it phones home to:

62.76.191.108 (Clodo-Cloud / IT-House, Russia)

This is the same IP address as seen earlier, put the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 62.76.184.0/21 is probably worth considering too.






Malware spam: "More scans" / admin@victimdomain.tld / DOC201114-201114-001.js

This terse spam appears to originate from within the victim's own organisation, but it does not. Instead it is a simple forgery with a malicious attachment:

From:    admin [admin@victimdomain.tld]
Date
:    4 February 2016 at 08:17
Subject:    More scans
Attached is a file DOC201114-201114-001.js which comes in a variety of different variants. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run.

Malware spam: "January balance £785" / Alison Smith [ASmith056@jtcp.co.uk]

This fake financial spam does not come from J. Thomson Colour Printers, but is instead a simple forgery with a malicious attachment:

From     Alison Smith [ASmith056@jtcp.co.uk]
Date     Thu, 04 Feb 2016 10:52:21 +0300
Subject "January balance £785"

Hi,

Thank you for your recent payment of £672.

It appears the attached January invoice has been missed off of your payment. Could
you please advise when this will be paid or if there is a query with the invoice?

Regards

Alison Smith
Assistant Accountant

  Registered in Scotland 29216
  14 Carnoustie Place
  Glasgow G5 8PB
  Tel: 0141 429 1094
  www.jtcp.co.uk

 P Save Paper - Do you really need to print this e-mail?

The poor company being spoofed has already been hit by this attack recently [1] [2]. The email address of the sender varies from message to message.

Attached is a file IN161561-201601.js which comes in at least five different versions (VirusTotal [1] [2] [3] [4] [5]). This is a highly obfuscated script that looks like this [pastebin] and automated analysis of the various scripts [6] [7] [8] [9] [10] [11] [12] [13] shows that the macro downloads from the following locations (there may be more):

ejanla.co/43543r34r/843tf.exe
cafecl.1pworks.com/43543r34r/843tf.exe


This binary has a detection rate of 2/52 and phones home to:

62.76.191.108 (Clodo-Cloud / IT-House, Russia)

Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220.

Wednesday, 3 February 2016

Malware spam: "Attached Image" from canon@ the recipient's own domain

This spam pretends to come from the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.
From:    canon@victimdomain.tld
Date:    3 February 2016 at 12:09
Subject:    Attached Image
There is no body text. Attached is a file 1690_001.xls of which I have seen a single variant with a detection rate of 9/54. The Hybrid Analysis shows it downloading an executable from:


best-drum-set.com/43rf3dw/34frgegrg.exe

This has a detection rate of 6/51 and is the same binary as used in this other spam attack today.

Malware spam: "Invoice MOJU-0939" / Accounts [message-service@post.xero.com]

This fake financial spam comes with a malicious attachment. It does not come from Moju Ltd but is instead a simple forgery with a malicious attachment:

From:    Accounts [message-service@post.xero.com]
Date:    3 February 2016 at 09:04
Subject:    Invoice MOJU-0939

Hi,

Here's invoice MOJU-0939 for 47.52 GBP. For last weeks delivery.

The amount outstanding of 47.52 GBP is due on 25 Feb 2016.

If you have any questions, please let us know.

Thanks,
Moju Ltd
I have only seen one sample of this, with an attachment named Invoice MOJU-0939.zip containing a malicious script invoice_id4050638124.js that has detection rate of 2/53 and which according to this Malwr report downloads a binary from:

www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe

This payload is the same as seen in this concurrent spam run.

Malware spam: "GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016"

This fake financial spam does not come from GS Toilet Hire but is instead a simple forgery with a malicious attachment. In other words, if you open it.. you will be in the sh*t.

From:    GS Toilet Hire [donotreply@sageone.com]
Date:    3 February 2016 at 09:12
Subject:    GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016

Good morning

Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.

Full details, including payment terms, are included.
If you have any questions, please don't hesitate to contact us.

Kind regards,

Linda Smith
Office, GS Toilet Hire

Direct enquiries
Glenn Johnson
07930 391 011
I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates [1] [2] containing some highly obfuscated scripts [3] [4] which according to these analyses [5] [6] [7] downloads a binary from one of the following locations:

obstipatie.nu/43rf3dw/34frgegrg.exe
bjhaggerty.com/43rf3dw/34frgegrg.exe

(also www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe from this related spam run)

This type of download indicates that this is Dridex 220, it is unusual for it to be spammed out with a Javascript-in-ZIP format rather than a malicious Office macro. The binary has a detection rate of 5/49 and this Hybrid Analysis shows the malware phoning home to:

91.239.232.145 (Hostpro Ltd, Ukraine)

I strongly recommend that you block all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.

UPDATE

The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc which comes in at least two different variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from the following locations:

xinchunge.com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband.com/43rf3dw/34frgegrg.exe

(also best-drum-set.com/43rf3dw/34frgegrg.exe from this later spam run)

This is a different binary from before, with a detection rate of 4/53. It still phones home to the same location.