Monday, 12 October 2015

Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk"

(Note, an updated version of this spam run happened on 22nd October)

This fake financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:

From     "UUSCOTLAND" <UUSCOTLAND@uuplc.co.uk>
Date     Mon, 12 Oct 2015 17:12:12 +0530
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
12 September 2015 to 12 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk<mailto:uuscotland@uuplc.co.uk>.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Melissa.lears@uuplc.co.uk<mailto:Melissa.lears@uuplc.co.uk>
Unitedutilitiesscotland.com


EMGateway3.uuplc.co.uk made the following annotations
---------------------------------------------------------------------
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

www.unitedutilities.com
www.unitedutilities.com/subsidiaries

Attached to the email is a file named 12 October 2015 Invoice Summary.doc, which comes in at least four different versions (VirusTotal results: [1] [2] [3] [4]) and contains a macro that looks like this example. Download locations spotted so far are:

ukenterprisetours.com/877453tr/rebrb45t.exe
eventmobilecatering.co.uk/877453tr/rebrb45t.exe
thewimbledondentist.co.uk/877453tr/rebrb45t.exe
cardiffhairandbeauty.co.uk/877453tr/rebrb45t.exe

All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
46.20.120.64
109.108.129.21
213.171.218.221

This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56. That VirusTotal report and this Malwr report indicate traffic to:

149.210.180.13 (TransIP BV, Netherlands)
86.105.33.102 (Data Net SRL, Romania)

I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.

Recommended blocklist:
149.210.180.13
86.105.33.102

MD5s:
6a95b030e91e804f73d14d14cb26e884
04e1476d464fafa559bd1bd8ea38749c
f7389b47c3dbe57f24dafb3b9a7818a2
b4b7a46938f9965169ca1dad29d2d8fc
40d4c1771caba32a2a25e4236f80b548
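As an added example (not part of the original post), a small Python script that matches the indicators listed above against proxy-log lines and a file hash. The log format, the sample log lines and the client IPs in them are constructed for illustration; only the URL path, C2 IPs and MD5s come from the post.

```python
import hashlib
from urllib.parse import urlparse

# Indicators taken from the post above.
DOWNLOAD_PATH = "/877453tr/rebrb45t.exe"
C2_IPS = {"149.210.180.13", "86.105.33.102"}
MD5S = {
    "6a95b030e91e804f73d14d14cb26e884",
    "04e1476d464fafa559bd1bd8ea38749c",
    "f7389b47c3dbe57f24dafb3b9a7818a2",
    "b4b7a46938f9965169ca1dad29d2d8fc",
    "40d4c1771caba32a2a25e4236f80b548",
}

# Constructed proxy log lines (assumed format: epoch, client IP, method, URL, destination IP).
SAMPLE_LOG = """\
1444650000 10.0.0.12 GET http://ukenterprisetours.com/877453tr/rebrb45t.exe 46.20.120.64
1444650001 10.0.0.12 GET http://www.example.com/index.html 93.184.216.34
1444650005 10.0.0.12 CONNECT 149.210.180.13:443 149.210.180.13
1444650009 10.0.0.7 GET http://thewimbledondentist.co.uk/877453tr/rebrb45t.exe 109.108.129.21
"""

def classify(line):
    """Return the indicator labels a single log line matches (empty list if none)."""
    parts = line.split()
    if len(parts) < 5:
        return []
    _, client, _, url, dest_ip = parts[:5]
    hits = []
    # Match on the URL path only: the same path was served from several hostnames.
    path = urlparse(url if "://" in url else "//" + url).path
    if path == DOWNLOAD_PATH:
        hits.append("dropper-download")
    # Any connection to the C2 addresses, whatever the protocol, is a hit.
    if dest_ip in C2_IPS:
        hits.append("dridex-c2")
    return hits

def scan_log(text):
    """Map each client IP to the set of indicator labels it triggered."""
    result = {}
    for line in text.splitlines():
        hits = classify(line)
        if hits:
            result.setdefault(line.split()[1], set()).update(hits)
    return result

def md5_matches(data):
    """True if the MD5 of a file's bytes is one of the post's sample hashes."""
    return hashlib.md5(data).hexdigest() in MD5S
```

A client that shows both "dropper-download" and "dridex-c2" has most likely run the macro and the dropped executable, not merely fetched the document.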

5 comments:

Riba Noor said...
This comment has been removed by a blog administrator.
Aaron Nobel said...
This comment has been removed by the author.
Ebel said...
This comment has been removed by a blog administrator.
Dominic said...

Goodness! Three deleted comments, makes me wonder what these people were saying.

Dominic said...

Oh, and thanks for the site.