Advertisement

Friday, 24 April 2015

Malware spam: "Pidwell, Nigel [nigel.pidwell@ssecontracting.com]" / "Western Order"

The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:
From:    Pidwell, Nigel [nigel.pidwell@ssecontracting.com]
Date:    24 April 2015 at 08:47
Subject:    Western Order

Regards

Nigel Pidwell
Administrator
SSE Contracting Limited
T: +44 (0) 1637 889506
E: nigel.pidwell@ssecontracting.com
Unit 8, Hurling Way,
St Columb Major Business Park, St Columb Major, Cornwall
TR9 6SX
www.sseenterprise.co.uk



So far I have only seen one sample Western Order.doc [VT 4/57] which contains a malicious macro [pastebin] which is functionally identical to the one used in this spam run which was also happening this morning.

Malware spam: "Colin Fox [colin@nofss.co.uk]" / "Invoice 519658"

This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).
From:    Colin Fox [colin@nofss.co.uk]
Date:    24 April 2015 at 09:40
Subject:    Invoice 519658

Please find Invoice 519658     attached 
The attachment is Sales Invoice 519658.pdf [VT 2/57] This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55] which in turn contains a malicious macro that looks like this [pastebin].

There may be different versions of the macro, but in this case it downloads a component from:

http://bepminhchi.com/83/61.exe

..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] show an attempted network connection to:

185.12.95.191 (RuWeb CJSC, Russia)
149.154.64.70 (TheFirst-RU, Russia)
78.24.218.186 (TheFirst-RU, Russia)
89.28.83.228 (StarNet SRL, Moldova)


In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228

Sample MD5s:
da26ed1b6fe69d15a400b3bc70001918
b37ea697df790121e4dda35d8ba172c3
0ea69ef635257be03043a3f70f013475
29471c1aabae10d205f474a3299486ec


Thursday, 23 April 2015

Malware spam: "Refund on order 204-2374256-3787503" / "Amazon.co.uk [payments-messages@amazon.co.uk]"

This fake Amazon spam comes with a malicious attachment:

From:    Amazon.co.uk [payments-messages@amazon.co.uk]
Reply-To:    "Amazon.co.uk" [payments-messages@amazon.co.uk]
Date:    23 April 2015 at 09:58
Subject:    Refund on order 204-2374256-3787503

Dear Customer,

Greetings from Amazon.co.uk.

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1161010

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
it: http://get.adobe.com/reader/

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
refunds.

Thank you for shopping at Amazon.co.uk.

Sincerely,

Amazon.co.uk Customer Service
http://www.amazon.co.uk


Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again


Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions, however the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:

http://qube.co.il/42/335.exe

..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools [1] [2] [3] [4] indicate that it calls out to the following IPs:

185.12.95.191 (RuWeb CJSC, Russia)
87.236.215.151 (OneGbits, Lithuania)
94.23.171.198 (OVH, Czech Republic)
185.35.77.250 (Corgi Tech, UK)
149.154.64.70 (TheFirst-RU, Russia)

The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.

Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70

MD5s:
e52a8d15ee08d7f8b4efca1b16daaefb
57b54e248588af284871c2076f05651c
ca5c5b79ce16d888ba2a6747b9d033d3


Wednesday, 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

Made in Russia
I have only seen one sample of this spam so far, it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez
RESTAURANT GROUP PLC

In this case, the link in the email goes to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC

..which includes the victim's email address in the URL. In turn, this redirects to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs  

As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:

http://185.91.175.183/sas/evzxce.exe

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs:

144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)


According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18


MD5s:
1fc2abec9c754e8cc1726bf40e0b3533
af8ff1ea180d5c45b4bb8c8f17c6cddc
57b54e248588af284871c2076f05651c



Tuesday, 21 April 2015

Malware spam: "Australian Taxation Office - Refund Notification" / "Australian Taxation Office [noreply@ato.gov.au]"

G'day mate. Despite not being an Aussie and never having paid a single Australian cent in tax, apparently I'm due a tax refund from the Australian Tax Office. Bonzer!

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    21 April 2015 at 21:36
Subject:    Australian Taxation Office - Refund Notification

IMPORTANT NOTIFICATION

Australian Taxation Office - 22/04/2015

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 218.21 AUD.

To view/download your tax notification please click here or follow the link below :
https://www.ato.gov.au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=report2104_4343697

Brett Newman, Tax Refund Department Australian Taxation Office 

Despite the "gov.au" site that apparently displays in the link, it actually leads to a download from i.nfil.es and it leads to a ZIP file called report2104.zip which in turn contains the malicious executable report2104.exe.

Currently this malware has a reasonable detection rate of 23/57. Out of various automated analysis tools, only the Payload Security Hybrid Analysis engine gave a decent result indicating that a connection was made to a legitimate but hacked site relianceproducts.com and then several versions of the same .EXE were downloaded, which this VirusTotal report indicates is the Dyre banking trojan. That same VirusTotal post also lists a number of C&C servers that you might want to block:

213.239.214.42
81.162.123.76
77.87.99.67
62.122.69.150
91.238.74.70
62.122.69.172
91.194.239.126
94.231.178.46
194.28.190.167
80.234.34.137
213.111.243.60
46.149.253.52
37.57.101.221
134.249.63.46
85.192.165.229
46.151.48.149
195.34.206.204
62.122.69.159
188.123.34.203
178.18.172.215
91.232.157.139
46.151.49.128
195.206.255.131
37.232.185.114
176.120.201.9
62.182.33.16
46.180.147.50
46.175.23.130
46.151.48.184
84.16.55.12
84.16.54.22
84.16.55.122
93.184.71.88
83.168.164.18
212.89.237.65
176.109.58.78
212.37.81.96
95.165.196.227
195.34.239.93
77.234.235.48
109.236.121.136
217.12.59.238
181.189.152.131
194.28.190.183
95.67.88.84
176.56.24.229
178.136.123.22

Malware spam: "LAG invoice I413136" / "Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]"

This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
From: Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]
Sent: Tuesday, April 21, 2015 9:55 AM
Subject: LAG invoice I413136

Dear Accounts Payable,

Attached is a copy of invoice  I413136 .The items were shipped.  Please feel free to contact me if you have any questions or cannot read the attachment.
                 
Thank you for your business.

Sincerely,

Lichelle Ebner
L. A. Grinding Company
Ph. (818) 846-9134
FAX (818)846-1786
So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57 and which contains this malicious macro [pastebin], in turn this downloads a component from:

http://eternitymobiles.com/25/144.exe

..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56.

Automated analysis tools [1] [2] [3] show that it attempts to communicate with a familiar IP:

89.28.83.228 (StarNet SLR, Moldova)

According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56.

Recommended blocklist:
89.28.83.228

MD5s:
02492b954b48f13412a844d689d064f1
7f7f476e83a253794b36cb7a16c04902
155643eb342c5b65a6f5a1391fe2396b




Monday, 20 April 2015

Malware spam: "Hector Malvido [handyman1181@hotmail.com]" / "Pending payment"

This spam comes with a malicious attachment:

From:    Hector Malvido [handyman1181@hotmail.com]
Date:    20 April 2015 at 10:51
Subject:    Pending payment

This invoice shows in my records that has not being pay can you review your records please
Attached is a file filename-1.doc (3/57 detection by AV vendors) which may come in many different versions, but the samples I have all have this malicious macro [pastebin] which downloads another component from the following location:

http://kafilahgroup.com/55/55.exe

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] [4] show it phoning home to:

89.28.83.228 (StarNet SLR, Moldova)

The Malwr report shows that it drops a Dridex DLL with a 3/57 detection rate.

Recommended blocklist:
89.28.83.228

MD5s:
673626be5ea81360f526a378355e3431
7ca6884ad8900797c7f0efaaabe0c0da
8c0661aefa9aa25d8fddf2a95297e04e

Friday, 17 April 2015

Malware spam: "Julie Mckenzie [julie0526@swift-cut.co.uk]" / "Credit Card Statement"

This spam does not come from Swift Cut, but is instead a simple forgery with a malicious attachment:

From:    Julie Mckenzie [julie0526@swift-cut.co.uk]
Date:    17 April 2015 at 12:24
Subject:    Credit Card Statement

Hi
Attached your credit card statement.
Can you return with receipts by Friday 17th April.
Thanks
Julie
 
Julie McKenzie
Sales Administrator
Tel +44 (0)1543 473300
E-mail julie@swift-cut.co.uk
Attached is a file C Swift Credit Card.doc which comes in at least four different versions, all of which are malicious and all of which have a macro similar to this one [pastebin].

These macros download a file from one of the following locations:

http://oolagives.com/24/733.exe
http://derekthedp.com/24/733.exe
http://sempersleep.com/24/733.exe

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54 (identified clearly as a Dridex component). Automated analysis [1] [2] [3] [4] shows that it attempts to communicate with:

46.36.219.32 (FastVPS, Estonia)


I recommend that you block traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53.

MD5s:
6c784bec892ce3ef849b1f34667dccac
ec35660657404295a78d8d1bcb1f1071
89b87b7c5c38039a4a46060f00a1ec37
40862ce3abb02d69ec31b8a1b62fef95
59fe482009fecc8761809a9c974a143e
f840f9075a178ab579ed2e4c622bc291


Scam: "Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK)," / "Royal Queens Hotel"

This spam email forms part of a Conference Scam:


From:    United Nations Summit [no_replytoold@live.com]
Reply-To:    unitednation.unt@gmail.com
Date:    16 April 2015 at 17:59
Subject:    Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),

Dear Invitee, Nonprofit/NGO Colleague,

UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.

Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.

The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel.

Venue: Queen Elizabeth II Conference Centre (QEIICC)
Date:5th-9th May, 2015.
Conference Theme:Impact and implications of the global financial and economic crisis on sustainable development & climate change proposals for an integrated global response to the crisis.

For further details about registration form,visa,flight ticket and other details, write an acceptance letter to be part of this event and send it directly via our Official e-mail together with your cellphone number for confirmation.

Send us e-mail:
unitednations_summit@secretary.net
unitednations.summit@aol.fr
or Call Dr. Pitt Thomas for more information +44703-597-1620.

We look forward to meeting you at the forthcoming Global Financial and Economic Crisis conference.

Register Now!!!!

Mrs.Kathleen Fitzpatrick
(Organizing Secretary)
Communication and Public Affairs.

United Nations-Nations Unites
Division for Social Policy and Economic Development Department of Economic
and Social Affairs Room UK2-1324, 2 United Nations Plaza, England, United
Kingdom.
What's the scam? Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." These is no hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel.. and will then vanish with your money.


There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a fake hotel website to make the scam more credible.

Avoid.

Thursday, 16 April 2015

Malware spam: "Decisive notification about your Automated Clearing House payment"

This fake ACH spam leads to malware:

From:    aileen.alberts@[redacted]
Date:    16 April 2015 at 15:55
Subject:    Decisive notification about your Automated Clearing House payment


The Automated Clearing House transaction transfer, recently initiated from your company"s online bank account, has been rejected by the EPA.

Rejected ACH payment
Automated Clearing House transfer Case # L669461617
Transaction Total 27504.02 US Dollars
Email [redacted]
Reason of Termination Download full details

Please visit the link provided at the top to see more information about this problem.
The link in the email goes to a download location at dropbox.com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro [pastebin].

I haven't had the time to analyse it fully, but it is rather different from other offerings. From what I can tell, it downloads an encrypted file [pastebin] from:

sundsvallsrk.nu/tmp/1623782.txt or
hpg.se/tmp/1623782.txt

And some sort of executable from Dropbox with a detection rate of 3/57. Automated analysis tools are inconclusive at the moment [1] [2] although the Payload Security report does show several dropped files including two malicious scripts [pastebin].

Of note is that one of the scripts downloads what looks like a PNG from:

savepic.su/5540444.png

For now, I would recommend blocking traffic to
sundsvallsrk.nu
hpg.se
savepic.su

For researchers only, I have an archive of some of the files here, password is infected.