Thursday, 12 September 2013

QuickBooks spam / Invoice_20130912.zip

This fake QuickBooks spam has a malicious attachment:

Date:      Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From:      QuickBooks Invoice [auto-invoice@quickbooks.com]
Subject:      Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlined under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Quentin Sprague

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

The attachment is Invoice_20130912.zip, which in turn contains a malicious executable Invoice_20130912.exe (note that the sending date is encoded into both filenames, so the names will change from day to day). The detection rate at VirusTotal is just 3/46.
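As an added example (not code from the original post), the following Python shows the mail-gateway check this kind of attachment calls for: open the ZIP in memory, and flag it if any member has an executable extension or starts with the PE "MZ" magic, so that an .exe renamed to .pdf is still caught. The filename pattern Invoice_YYYYMMDD is taken from the post; the sample ZIP and the "MZ"-headed payload are constructed here and are not the real malware.

```python
import io
import re
import zipfile
from datetime import date, datetime

# File extensions that Windows will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Filename pattern used in this campaign: Invoice_YYYYMMDD.zip / Invoice_YYYYMMDD.exe
DATED_INVOICE = re.compile(r"^invoice_(\d{8})\.(zip|exe)$", re.IGNORECASE)


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP holding one member (used only to construct test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def embedded_date(filename: str):
    """Return the date encoded in an Invoice_YYYYMMDD.* filename, or None."""
    m = DATED_INVOICE.match(filename)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d").date()
    except ValueError:
        return None


def inspect_attachment(filename: str, data: bytes, sent_on: date = None) -> dict:
    """Flag a mail attachment that is a ZIP wrapping an executable.

    Both the member's extension and its first two bytes are checked, so a
    renamed executable (or one with no extension) is still detected.
    """
    result = {"filename": filename, "suspicious": False, "reasons": [],
              "embedded_date": None}

    d = embedded_date(filename)
    if d is not None:
        result["embedded_date"] = d.isoformat()
        if sent_on is not None and d == sent_on:
            result["reasons"].append("filename date matches sending date")

    # A ZIP local file header starts with "PK\x03\x04"; anything else is not a zip.
    if not data.startswith(b"PK\x03\x04"):
        return result

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                ext = name[name.rfind("."):].lower() if "." in name else ""
                with zf.open(info) as member:
                    head = member.read(2)
                if ext in EXECUTABLE_EXTENSIONS:
                    result["reasons"].append(f"executable extension inside zip: {name}")
                    result["suspicious"] = True
                if head == b"MZ":
                    result["reasons"].append(f"PE (MZ) header inside zip: {name}")
                    result["suspicious"] = True
    except zipfile.BadZipFile:
        result["reasons"].append("attachment claims to be a zip but cannot be parsed")
        result["suspicious"] = True

    return result


if __name__ == "__main__":
    # Constructed sample, not the real payload: a dated zip holding an "MZ"-headed .exe.
    sample = build_sample_zip("Invoice_20130912.exe", b"MZ" + b"\x00" * 62)
    print(inspect_attachment("Invoice_20130912.zip", sample, sent_on=date(2013, 9, 12)))
```

The date match against the sending date is recorded as a reason but does not by itself mark the file suspicious; the verdict rests on what is inside the archive.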

Automated analysis [1] [2] [3] [4] shows that, amongst other things, the file attempts to communicate with the domain leightongriffiths.com on an apparently compromised server at 64.50.166.122, which has been seen before.

Given that there are now several domains serving malware on the same server [1] [2], it is probably safe to assume that all the domains on that server are malicious and should be blocked.

Recommended blocklist:
64.50.166.122
4-access.com
ashburnes.com
bevan-holdings.com
bevanholdings.com
biffberry.com
camelotdevelopments.com
cardiffpower.com
carterlaurenconstruction.com
celebrategoodtimes.com
churchgatetrading.com
ciderbrokers.com
creativehomeworker.com
dcmsservices.com
deserve.org.uk
dignifiedcelebrations.com
doaus.com
drippingstrawberry.com
eflengineering.com
fruityblue.com
goldhaven.co.uk
gwentpressurewashers.co.uk
gwentpressurewashers.com
gympiper.info
haveyougotone.com
ivelostmymarbles.com
janglesmacrame.com
joannehawkins.com
justnoodles.co.uk
kinggems.com
kingmarbles.com
kwaggle.com
leightongriffiths.com
leisuremaintenanceltd.com
lmpropertyinvestments.com
macaraya.com
manorbrick.com
manorbrickyards.co.uk
marbledelights.com
marbleicious.com
motorhomeparadise.com
mykidbrother.com
mypersonalname.co.uk
mywebsitegroup.com
newportairport.co.uk
pnoa.co.uk
properteye.com
rockthecasbah.eu
rpduk.com
squaremileinsurance.com
steveperrott.com
talonstamed.com
thedrippingstrawberry.com
theitalianjob.mobi
thisisyourwife.co.uk
zestimports.com
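To turn a list in the format above into something deployable, here is an added Python example (not code from the original post). It splits the mixed IP/hostname list, emits DNS RPZ records (the standard `CNAME .` action returns NXDOMAIN, and the `*.` entry covers subdomains) plus outbound firewall rules for the server address, and includes a check of the post's assumption that the listed domains are hosted on that IP. The excerpt of the list, the second IP address used in the usage note, and the injected `resolve` callable are constructed for the example; the `iptables` command form is standard.

```python
import ipaddress

# Constructed excerpt in the post's own one-entry-per-line format; the real list is longer.
SAMPLE_BLOCKLIST = """\
64.50.166.122
leightongriffiths.com
ashburnes.com
# comment lines are ignored
"""


def parse_blocklist(text: str):
    """Split a mixed IP/hostname list into (ips, domains); blank and '#' lines are skipped."""
    ips, domains = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.append(str(ipaddress.ip_address(line)))
        except ValueError:
            domains.append(line.lower().rstrip("."))
    return ips, domains


def to_rpz(domains):
    """DNS RPZ records returning NXDOMAIN for each domain and for any subdomain of it."""
    out = []
    for d in domains:
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


def to_iptables(ips):
    """Outbound DROP rules for the listed server addresses."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ips]


def domains_hosted_on(domains, ip, resolve):
    """Return the subset of `domains` whose A record, as returned by `resolve`, is `ip`.

    `resolve` is injected (e.g. socket.gethostbyname, or a passive-DNS lookup)
    so that the check can be run offline against recorded data.
    """
    hosted = []
    for d in domains:
        try:
            if resolve(d) == ip:
                hosted.append(d)
        except OSError:
            continue  # unresolvable, possibly already taken down
    return hosted


if __name__ == "__main__":
    ips, domains = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(to_rpz(domains)))
    print("\n".join(to_iptables(ips)))
    # Constructed resolver results, not live DNS answers.
    recorded = {"leightongriffiths.com": "64.50.166.122", "ashburnes.com": "198.51.100.7"}
    print(domains_hosted_on(domains, "64.50.166.122", recorded.get))
```

Blocking at the DNS resolver (RPZ) and at the firewall complement each other: the RPZ entries stop hosts from resolving the domains even after the malware moves to a new server, while the address rule catches anything that connects directly by IP.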
