Sponsored by..

Wednesday 16 December 2015

Malware spam: "Unpaid Invoice from Staples Inc., Ref. 09123456, Urgent Notice" leads to Teslacrypt

This fake financial spam is not from Staples or Realty Solutions but is instead a simple forgery with a malicious attachment.

From:    Virgilio Bradley
Date:    16 December 2015 at 14:37
Subject:    Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice

Dear Valued Customer,

This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.

Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.


Regards,
Virgilio Bradley
Customer Service Department
Realty Solutions
182 Shobe Lane
Denver, CO 80216

The names, amounts and reference numbers change from email to email. The attachment has the same name of the reference (e.g. invoice_09846839_copy.doc) but despite this I have only seen one version with a VirusTotal detection rate of just 1/55.

According to this Malwr report, the macro in the document downloads a binary from:

iamthewinnerhere.com/97.exe

This appears to be Teslacrypt ransomware and it has a detection rate of 5/53. Unlike some other malware, the domain iamthewinnerhere.com has been registered specifically to host this malware, and is located on:

185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
84.200.69.60 (Ideal-Hosting UG, Germany)


Nameservers are DNS1.SAYMYLANDGOODBYE.IN and DNS2.SAYMYLANDGOODBYE.IN. Other suspect sites on these IPs are:

dns2.auth-mail.ru
metiztransport.ru
remarkablyxj.top
sufficientbe.top
domainsgmwills.top
dns2.mikymaus.in
dns2.dlhosting.in
dns2.donaldducks.in
dns2.saymylandgoodbye.in
dns1.gogodns.ru
dns2.gogodns.ru
gammus.com
testsfds.com
waschmaschinen.testsfds.com
miracleworld1.com
ifyougowegotoo.com
hellofromjamaica.com
www.hellofromjamaica.com
firstwetakemanhat.com
thewelltakeberlin.com
mixer.testsg.net
abfalleimer.testsg.net
buegeleisen.testsg.net
bodenwischer.testsg.net
wasserfilter.testsg.net
kuechenmaschinen.testsg.net
testzd.net
staubsauger.testzd.net
waschtrockner.testzd.net
kaffeevollautomat.testzd.net
izfrynscrek.net
ftp.lazur.info
aspirateurs.lazur.info

According to this Malwr report, it then phones back to these legitimate but hacked domains:

sofiehughesphotography.com
magaz.mdoy.pro
adamhughes.in
goedkoop-weekendjeweg.net
hotbizlist.com
coatesarchitecture.com

MD5s:
3999736909019a7e305bc435eb4168fd
8f4bd99c810d517fb2d2b89280759862

Recommended minimum blocklist:
iamthewinnerhere.com
185.69.152.145
84.200.69.60



3 comments:

Unknown said...

My mum got almost exactly the same email yesterday and got suspicions please do not open the attachments.

Unknown said...

I received this yesterday too.

EvilGirlfriend said...

Very similar. Good thing I don't open zip files from strangers. :)

Dear Valued Client,

The purpose of this e-mail is to follow up with you on a matter of your payment of invoice #12273352 with a Ref. nr: 92325011/2015.
As of today, your outstanding past due balance is -$5,239, as detailed on the statement and account report attached to this e-mail.

To keep your account active and avoid any additional charges for the late payment, please remit payment in full immediately.
In case you have already transferred the amount or feel that there can be any kind of error, don't hesitate to let us know.

Thank you for your time and attention. We are looking forward to hearing back from you on this urgent matter.

Regards,
William Perkins
Customer Service Department

Realty Solutions
182 Shobe Lane
Denver, CO 80216