Sponsored by..

Thursday, 10 March 2016

Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"

This fake financial spam comes with a malicious attachment:

From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833

Dear Client!

For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994


Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:

http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1


These sites are hosted on:

142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)


This Malwr report and this Hybrid Analysis shows communications with:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)


The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.

These domains are also associated with some of the IPs. Consider them all to be evil:

t54ndnku456ngkwsudqer.wallymac.com
spannflow.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
howareyouqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
witchbehereqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
hellomississmithqq.com
thisisyourchangeqq.com
www.thisisyourchangeqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146



5 comments:

HaroldC said...

I've gotten three of these this morning. Obviously phishing so I haven't clicked on the attachment. I'm on a Mac any way but no reason to open them.

Mike O'Donnell said...

I got this earlier, didnt open the attachment. I did send a reply email to see what happened and instantly received that reply sent from myself. Does this mean that there is some kind of virus/software already in my computer or gmail account that generated the original malicious email. As you will gather, I am not very IT savvy!

Unknown said...

I am getting of these a day! Does anyone know how to block this?

Jessica Octaviani said...

I got this mail too. They had sent 3 emails for me. Those mails are automatically in my junk. Fortunately I found this website. Thank you.

Unknown said...

I must have about 50 of these or similar emails in my junk folder, not to mention the half dozen that continue to arrive in my inbox every week. (Do they ever give up?) Some of the names they are sent under are quite outlandish; Pansy Rives, Titus Bampfylde, Hallie Tidball, Horacio Bohannon, for example. Requesting payments past due for things such as fictitious services rendered, delinquent electric bills, taxes due on suspended bank account, etc. The dollar amount claimed to be owed is always written incorrectly, like so; 163,77 USD, 107,53 USD with the comma in the wrong place.