Tuesday, 24 February 2015

Malware spam: "Berendsen UK Ltd Invoice 60020918 117" / "donotreply@berendsen.co.uk"

This fake invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.

From:    donotreply@berendsen.co.uk
Date:    24 February 2015 at 08:09
Subject:    Berendsen UK Ltd Invoice 60020918 117

Dear Sir/Madam,

Please find attached your invoice dated 21st February.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.


Thank you.

___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.

Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a zero detection rate. Contained within this is a malicious Word macro which downloads a component from the following location:

http://heikehall.de/js/bin.exe

This binary has a VirusTotal detection rate of 2/57. Automated analysis tools [1] [2] [3] show that it attempts to phone home to:

92.63.87.13 (MWTV, Latvia)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
78.140.164.160 (Webazilla, US)
31.160.233.212 (KPN, Netherlands)
185.14.30.98 (UA Servers, Ukraine)
86.104.134.156 (One Telecom, Moldova)


MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites; however, the bad sites are concentrated in the following ranges:

92.63.82.0/23
92.63.84.0/22
92.63.88.0/24

In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
5.196.241.196
66.110.179.66
202.44.54.5
78.140.164.160
31.160.233.212
185.14.30.98
86.104.134.156
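As an added example (not from the original post), here is a small Python checker that applies the recommended blocklist above, CIDR ranges included, to proxy log lines and also flags the /js/bin.exe download path. The log line format and the sample lines are constructed assumptions, not real traffic.

```python
# Added example: CIDR-aware blocklist matching over constructed log lines.
import ipaddress
import re

# The post's recommended blocklist: CIDR ranges plus single hosts.
BLOCKLIST = [
    "92.63.82.0/23", "92.63.84.0/22", "92.63.88.0/24",
    "5.196.241.196", "66.110.179.66", "202.44.54.5", "78.140.164.160",
    "31.160.233.212", "185.14.30.98", "86.104.134.156",
]
# strict=False lets a bare host address parse as a /32 network.
BLOCKED_NETS = [ipaddress.ip_network(e, strict=False) for e in BLOCKLIST]

# Download path from the sample (http://heikehall.de/js/bin.exe); the
# comment thread shows the same path on other compromised hosts.
DROPPER_PATH = re.compile(r"/js/bin\.exe$", re.IGNORECASE)

# Assumed (constructed) log format: "<ts> <src_ip> <dst_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def is_blocked_ip(ip: str) -> bool:
    """True if ip falls inside any blocklist entry (CIDR-aware)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETS)

def scan_log(lines):
    """Return (line_number, reason) for each line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, _src, dst, _method, url = m.groups()
        if is_blocked_ip(dst):
            hits.append((n, f"destination {dst} in blocklist"))
        elif DROPPER_PATH.search(url.split("?", 1)[0]):
            hits.append((n, f"dropper path in {url}"))
    return hits

# Constructed sample lines for demonstration (not real traffic).
SAMPLE_LOG = [
    "2015-02-24T08:15:01 10.0.0.7 92.63.87.13 POST http://92.63.87.13/",
    "2015-02-24T08:15:02 10.0.0.7 92.63.83.9 POST http://92.63.83.9/",
    "2015-02-24T08:15:03 10.0.0.7 203.0.113.5 GET http://heikehall.de/js/bin.exe",
    "2015-02-24T08:15:04 10.0.0.7 198.51.100.20 GET http://example.com/index.html",
]
```

Note that the first phone-home address from the post, 92.63.87.13, is caught by the 92.63.84.0/22 range rather than by an individual entry, which is why the CIDR matching matters.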

2 comments:

Robin Norris said...

Senders:
donotreply@berendsen.co.uk
andy@icotherm.co.uk
pachuckaizabela@arsenalltd.pl

Subjects:
Berendsen UK Ltd Invoice 60020918 117
Board Order - PO15028
document do confirm

Attachments:
IRN001549_60020918_I_01_01.xls
SCAN_20150224_100752437.xls
roexport.xls
RN001549_60020918_I_01_01.doc
SCAN_20150224_100752437.doc
roexport.doc

Delivery URLs:
schweisserei-fritzsch.homepage.t-online.de/js/bin.exe
francis.behague.free.fr/js/bin.exe
heikehall.de/js/bin.exe
dulcisinfundo.es/js/bin.exe

Robin Norris said...

Interesting HTTP traffic attempted right after exploit. Columns are Web_Method, URL, Response_Code, and Referrer:

'POST','http://gW9j6v8uU9R8QxDE biz/','403','https://pinterest.com/'
'POST','http://rTD6oBh biz/','403','https://aol.com/'
'POST','http://jbL7S61V net/','403','http://www.bing.com/'
'POST','http://72s6 biz/','403','https://facebook.com/'
'POST','http://X8cd eu/','403','http://www.msn.com/'
'POST','http://Spq9A8TddG net/','403','https://twitter.com/'
'POST','http://nlR8 it/','403','https://pinterest.com/'
'POST','http://9yBjTUDyaET in/','403','https://google.com/'
'POST','http://jKe2uFNWp09lioQh us/','403','https://aol.com/'
'POST','http://YwCGIKn edu/','403','https://pinterest.com/'
'POST','http://5rz7AWs eu/','403','https://aol.com/'
'POST','http://uSaz6Es9np4vdezA eu/','403','https://yahoo.com/'
'POST','http://T3cULa0HnrDGI13W us/','403','http://www.bing.com/'
'POST','http://BYGSZ6fZpjAjuQd77dv in/','403','http://youtube.com/'
'POST','http://sqdG9b in/','403','http://www.msn.com/'
'POST','http://YnMLbTVoWaVA19 us/','403','http://www.msn.com/'
'POST','http://YvL1W co/','403','https://pinterest.com/'
'POST','http://pNZQQnq3L us/','403','http://youtube.com/'
'POST','http://gaVwNtOBWbnwjzkc net/','403','https://pinterest.com/'
'POST','http://NzZPoaLeknifDp78O me/','403','https://yahoo.com/'
'POST','http://Q4dt com/','403','https://google.com/'
'POST','http://A4AgUmBs1CvpfUQZ2k me/','403','https://aol.com/'