Thursday 10 December 2015

Malware spam: "Foreman&Clark Ltd" / "Last Payment Notice" leads to Teslacrypt

This fake financial spam does not come from the long-defunct Foreman & Clark; instead it carries a malicious attachment that leads to ransomware.
From:    Harlan Gardner
Date:    10 December 2015 at 08:48
Subject:    Reference Number #20419955, Last Payment Notice

Dear Client,

This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $8,151.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.

Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.

Sincerely,
Harlan Gardner
Sales Manager

Foreman&Clark Ltd.
256 Raccoon Run
Seattle, WA 98101

In the sample I saw, the attachment was named copy_invoice_20419955.zip, which contained this malicious obfuscated script with a VirusTotal detection rate of 2/55. Once deobfuscated, its purpose becomes clearer: it attempts a download from:

46.151.52.196/86.exe?1
softextrain64.com/86.exe?1


This pattern is the same as the spam run yesterday. The downloaded binary has an MD5 of 42b27f4afd1cca0f5dd2130d3829a6bc, a detection rate of 5/55 and the Malwr report indicates that it pulls data from the following domains:

graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
gjesdalbrass.no


The characteristics of this malware indicate the Teslacrypt ransomware.

Recommended blocklist:
46.151.52.196
softextrain64.com
gjesdalbrass.no
graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
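As an added example (not code from the original post), here is a small Python checker that runs the blocklist above over proxy log lines; the log line format, the subdomain-matching rule and the "NN.exe?N" download-path pattern are my assumptions.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators from the post: the two download locations used by the
# obfuscated script and the domains the dropped binary contacted.
BLOCKLIST = {
    "46.151.52.196", "softextrain64.com", "gjesdalbrass.no",
    "graysonacademy.com", "grassitup.com", "grupograndes.com",
    "crown.essaudio.pl", "garrityasphalt.com",
}

# The deobfuscated script fetched ".../86.exe?1"; flag that path shape
# even from a host that is not yet on the list (assumed heuristic).
PAYLOAD_PATH = re.compile(r"/\d+\.exe\?\d+$")

# Constructed (hypothetical) proxy log shape:
# "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_matches(host: str) -> bool:
    """True for a listed IP/domain, or a subdomain of a listed domain."""
    if host in BLOCKLIST:
        return True
    try:
        ipaddress.ip_address(host)
        return False          # unlisted IP: no subdomain logic applies
    except ValueError:
        pass
    return any(host.endswith("." + d) for d in BLOCKLIST)


def check_line(line: str) -> Optional[dict]:
    """Return a hit record for a suspicious log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = parts.path + ("?" + parts.query if parts.query else "")
    reasons = []
    if host_matches(host):
        reasons.append("blocklisted host")
    if PAYLOAD_PATH.search(target):
        reasons.append("exe download pattern")
    return {"time": ts, "client": client, "host": host, "reasons": reasons} if reasons else None


def scan(log_text: str) -> list:
    return [hit for hit in map(check_line, log_text.splitlines()) if hit]


# Constructed sample log: one payload fetch, one contact with a listed
# domain via a subdomain, and one benign request.
SAMPLE_LOG = """\
2015-12-10T08:52:11Z 10.0.0.23 GET http://46.151.52.196/86.exe?1 200
2015-12-10T08:52:13Z 10.0.0.23 GET http://www.grassitup.com/ 200
2015-12-10T09:01:00Z 10.0.0.41 GET http://example.org/report.pdf 200
"""
```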

21 comments:

Unknown said...

Just got this email last night. Thanks for this page :)

Anonymous said...

I just received it also. I tried to open the attached "invoice" but luckily was blocked, recognizing it as malicious. Thank you very much for this helpful information!

heyjude915 said...

I only owe $6,129!
LOL

Anonymous said...

I also received a bunch of these over the past few days. Thanks for confirming my suspicions that this is b.s.

Unknown said...

Thanks for the heads up!

Unknown said...

Yes received this today. Thanks for confirming it to be malicious. I was able to alert our whole business network.

Markos Lindsey said...

If you don't have a contract with Foreman & Clark, why would you open the attachment? Classic malware propaganda.

Anonymous said...

Wow, I am doing good. I only owe $2196. LOL. Thanks for the heads up.

Unknown said...

Never open an attachment you are unfamiliar with. Especially zip files. If you owe them money, they will call you!!!

Unknown said...

Thanks for the information. You saved my marriage!

Unknown said...

A friend opened it and it put some documents on his desktop. How does he correct this?

Dad said...

Apparently I owe $7,228. I never open any attached files like this.

J Dougherty said...

Suckers! I paid them promptly so I didn't get an email.

Unknown said...

Well, I allegedly owe $5,295!

Unknown said...

I cottoned on to this as soon as I read it, and sent the lady who signed it a very fulsome letter remembering the marvellous time she had given me at her flat six months ago, and offering her a place in the brothel my wife and I are currently running in Sydney Australia - though I thought the fee she was attempting to claim was a little on the large side!

Susan Lester said...

WOW thank you SO MUCH for this information. I also received the e-mail and I owe 7,165 dollars. Wondering if anyone knows what this could do to my computer? Yes I did try to open it but it says there is no program available to open the file?

Thanks again for the information. Lesson learned; I thought this stuff was a thing of the past.

Unknown said...

Thanks so much, just received this email. Thank you for posting this information

Unknown said...

Reformat the hard drive. Best left to your local tech shop.

Unknown said...

Take it to a tech shop, it most likely contains a keystroke logger.

angelica said...

Hello, I live in Belgium and also received this mail a few days ago, so if I understand correctly I should not respond to it? Regards