
Tuesday, 16 February 2016

Malware spam: fmis@oldham.gov.uk / Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530

This spam does not come from Oldham Council but is instead a simple forgery with a malicious attachment. The timestamp in the subject line varies and is probably generated by the infected computer sending the spam.

From:    fmis@oldham.gov.uk
Date:    16 February 2016 at 08:48
Subject:    Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530


**********************************************************************
Confidentiality: This email and its contents and any attachments are intended
only for the above named. As the email may contain confidential or legally privileged information,
if you are not, or suspect that you are not, the above named or the person responsible
for delivery of the message to the above named, please delete or destroy the
email and any attachments immediately.”

Security and Viruses: This note confirms that this email message has been
swept for the presence of computer viruses. However, we advise that in keeping
with good management practice, the recipient should ensure that the email together
with any attachments are virus free by running a virus scan themselves.
We cannot accept any responsibility for any damage or loss caused by software viruses.

Monitoring: The Council undertakes monitoring of both incoming and outgoing emails.
You should therefore be aware that if you send an email to a person within the Council
it may be subject to any monitoring deemed necessary by the organisation from time to time.
The views of the author may not necessarily reflect those of the Council.

Access as a public body: The Council may be required to disclose this email (or any response to it)
under the Freedom of Information Act, 2000, unless the information in it is covered
by one of the exemptions in the Act.

Legal documents: The Council does not accept service of legal documents by email.
**********************************************************************
I have only seen a single copy of this spam, with an attachment 201602_4_2218.docm, which has a VirusTotal detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.
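As an added example (not the author's code, and not taken from any analysis of this sample), the kind of mail-gateway check that stops an attachment like 201602_4_2218.docm before a user opens it: instead of trusting the file extension, it opens the OOXML package and looks for a VBA project part and a macro-enabled main content type. The part names and content types are the standard OOXML ones; the sample packages it builds are constructed placeholders, not the real attachment.

```python
import io
import zipfile

CONTENT_TYPES_PART = "[Content_Types].xml"
VBA_PART = "word/vbaproject.bin"      # compared case-insensitively below
MACRO_MARKER = "macroEnabled"         # substring of the .docm/.dotm main-part content type
MAX_XML_BYTES = 1 << 20               # refuse to inflate an oversized content-types part


def inspect_attachment(filename, data):
    """Classify a Word attachment by what the package contains, not by its name.

    Returns a dict with the evidence found and a verdict of
    'block', 'allow' or 'not-ooxml' (legacy OLE2 .doc, or not Word at all).
    """
    result = {"filename": filename, "is_ooxml": False, "has_vba_project": False,
              "macro_enabled_type": False, "verdict": "not-ooxml"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["is_ooxml"] = CONTENT_TYPES_PART in names
        # The VBA project part is the strongest signal: Word keeps macros there,
        # whatever extension the sender chose for the file.
        result["has_vba_project"] = any(n.lower() == VBA_PART for n in names)
        if result["is_ooxml"] and zf.getinfo(CONTENT_TYPES_PART).file_size <= MAX_XML_BYTES:
            ct_xml = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
            result["macro_enabled_type"] = MACRO_MARKER in ct_xml
    if result["has_vba_project"] or result["macro_enabled_type"]:
        result["verdict"] = "block"
    elif result["is_ooxml"]:
        result["verdict"] = "allow"
    return result


def build_package(with_macro):
    """Constructed minimal OOXML package for this example. Real documents carry
    many more parts, and the vbaProject.bin bytes here are a placeholder."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Default Extension="xml" ContentType="application/xml"/>']
    if with_macro:
        parts.append('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>')
    parts.append(f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>')
    parts.append('</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES_PART, "".join(parts))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 compound file whose module streams are
            # stored compressed, so a plain string search through it often misses
            # the URLs the macro actually uses.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("201602_4_2218.docm", build_package(True)),
                       ("invoice.docx", build_package(False)),
                       ("invoice.doc", build_package(True)),   # .docm renamed to hide the macro
                       ("notes.txt", b"plain text")]:
        r = inspect_attachment(name, blob)
        print(f"{name:22} vba={r['has_vba_project']!s:5} macro_type={r['macro_enabled_type']!s:5} -> {r['verdict']}")
```

The renamed case is the one worth noting: the extension is attacker-controlled, so a filter that only blocks `*.docm` lets the same package through under another name, whereas the check on the package contents does not care what the file is called. Legacy OLE2 `.doc` files fall into the `not-ooxml` bucket and need a separate parser.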

UPDATE

This spam is related to this one.  Automated analysis of the samples [1] [2] [3] [4] plus some private sources indicate download locations for this and other related campaigns today at:

labelleflowers.co.uk/09u8h76f/65fg67n
lepeigneur.power-heberg.com/09u8h76f/65fg67n
yurtdisiegitim.tv/09u8h76f/65fg67n
hg9.free.fr/09u8h76f/65fg67n
jtonimages.perso.sfr.fr/09u8h76f/65fg67n
test.blago.md/09u8h76f/65fg67n


The file downloaded from those locations has a VirusTotal detection rate of 3/54. According to those reports, it phones home to:

151.248.117.140 (Reg.ru, Russia)
87.229.86.20 (Znet Telekom, Hungary)
50.56.184.194 (Rackspace, US)


Recommended blocklist:
151.248.117.140
87.229.86.20
50.56.184.194
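As an added example (not the blog's own code), the detection side of that blocklist: the indicators above loaded into a small matcher and run over proxy and firewall log lines. All six download locations share the path /09u8h76f/65fg67n, so the matcher also flags that path on hosts the post does not list, which is how the next compromised site in the same campaign shows up. The two log formats and the sample lines are assumptions constructed for the example, not real traffic.

```python
import re

# Indicators as listed in the post above. The six download locations all
# share one path, which is the part worth matching on its own.
DOWNLOAD_URLS = [
    "labelleflowers.co.uk/09u8h76f/65fg67n",
    "lepeigneur.power-heberg.com/09u8h76f/65fg67n",
    "yurtdisiegitim.tv/09u8h76f/65fg67n",
    "hg9.free.fr/09u8h76f/65fg67n",
    "jtonimages.perso.sfr.fr/09u8h76f/65fg67n",
    "test.blago.md/09u8h76f/65fg67n",
]
C2_IPS = {"151.248.117.140", "87.229.86.20", "50.56.184.194"}

DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}
CAMPAIGN_PATHS = {"/" + u.split("/", 1)[1] for u in DOWNLOAD_URLS}

# scheme (optional), host, optional port, path up to any query string
_URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)(?::\d+)?([^?#]*)", re.I)


def classify_url(url):
    """Return the indicator a URL matches, or None. Order reflects confidence."""
    m = _URL_RE.match(url.strip())
    if not m:
        return None
    host, path = m.group(1).lower(), (m.group(2) or "/")
    if host in C2_IPS:
        return "c2-ip"
    if host in DOWNLOAD_HOSTS and path in CAMPAIGN_PATHS:
        return "known-download-url"
    if path in CAMPAIGN_PATHS:
        return "campaign-path-new-host"   # same kit on a host the post did not list
    if host in DOWNLOAD_HOSTS:
        return "known-host-other-path"    # compromised site, possibly benign content
    return None


def scan_proxy_log(text):
    """Proxy log format assumed for this example: ts src method url status."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, method, url, status = fields
        verdict = classify_url(url)
        if verdict:
            hits.append((src, url, verdict))
    return hits


_FW_RE = re.compile(r"^(\S+) (\S+):\d+ -> (\S+):(\d+) (\S+)")


def scan_firewall_log(text):
    """Firewall log format assumed for this example: ts src:sport -> dst:dport proto."""
    hits = []
    for line in text.splitlines():
        m = _FW_RE.match(line)
        if m and m.group(3) in C2_IPS:
            hits.append((m.group(2), m.group(3), int(m.group(4))))
    return hits


def hosts_to_investigate(proxy_text, fw_text):
    """Internal addresses that touched any indicator in either log."""
    return ({h[0] for h in scan_proxy_log(proxy_text)}
            | {h[0] for h in scan_firewall_log(fw_text)})


# Constructed sample logs for the example; not real traffic.
PROXY_LOG = """\
2016-02-16T09:03:11Z 10.1.4.23 GET http://yurtdisiegitim.tv/09u8h76f/65fg67n 200
2016-02-16T09:03:12Z 10.1.4.23 GET http://www.example.org/index.html 200
2016-02-16T09:04:40Z 10.1.4.88 GET http://another-site.invalid/09u8h76f/65fg67n 404
2016-02-16T09:05:02Z 10.1.4.23 POST http://151.248.117.140/ 200
"""
FIREWALL_LOG = """\
2016-02-16T09:05:03Z 10.1.4.23:49211 -> 151.248.117.140:443 TCP
2016-02-16T09:05:10Z 10.1.4.23:49212 -> 93.184.216.34:443 TCP
2016-02-16T09:07:44Z 10.1.4.88:49300 -> 87.229.86.20:8080 TCP
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy   ", *hit)
    for hit in scan_firewall_log(FIREWALL_LOG):
        print("firewall", *hit)
    print("investigate:", sorted(hosts_to_investigate(PROXY_LOG, FIREWALL_LOG)))
```

The firewall match ignores the destination port on purpose: the post gives only addresses for the phone-home servers, and the port a sample uses can change between builds, so any connection to those addresses is worth a look. A 404 on the download path (the third proxy line) still names a machine that ran the macro.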


4 comments:

Rinke said...

Any news on how to remove this?

Hobs said...

I also got this precisely on 16 Feb as well. I have an application firewall on my Mac so I felt safe to open the attachment in Word. Word warned me of macros so I disabled them and then went and took a look at some of the macros but didn't spend a lot of effort on what it may do or not. No obvious URLs in the macro itself.

I marked it as spam in Gmail and done deal.

KAL Floatograph said...

I received it today as well, 16th

Leaf :) said...

A little more info about the IPs it hits.

Host             Port  Protocol  Country
151.248.117.140  1743  TCP       US
41.38.18.230     443   TCP       EG
85.25.201.121    80    TCP       DE
23.102.23.44     123   UDP       US

method GET from yurtdisiegitim.tv/09u8h76f/65fg67n

DNS Queries:
Domain Name        Query Type  DNS Response
yurtdisiegitim.tv  NS          ns53.kebirhost.com
akadns.net         NS          a7-131.akadns.net
yurtdisiegitim.tv  NS          ns52.kebirhost.com
akadns.net         NS          a3-129.akadns.net
akadns.net         NS          a9-128.akadns.net
akadns.net         NS          a28-129.akadns.org
yurtdisiegitim.tv  A           85.25.201.121
akadns.net         NS          a13-130.akadns.org
akadns.net         NS          a5-130.akadns.org
akadns.net         NS          a10-128.akadns.org
akadns.net         NS          a4-131.akadns.org
akadns.net         NS          a11-129.akadns.net
time.windows.com   A           23.102.23.44
akadns.net         NS          a1-128.akadns.net