Sponsored by..

Wednesday 2 November 2016

Malware spam: "Companies House - new company complaint" / noreply@companies-house.me.uk / noreply@companieshouses.co.uk leads to TrickBot

This fake Companies House spam leads to TrickBot malware:

From:    Companies House [noreply@companieshouses.co.uk]
Date:    2 November 2016 at 11:51
Subject:    Companies House - new company complaint
Signed by:    companieshouses.co.uk

Investigations and Enforcement Services

This message has been auto-generated in response to the company complaint submitted to our WebFiling  service.

The submission number is ID109202DLK02911

Please find the attached document for your review.

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Crown Logo
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500

The Cardiff office is open 24 hours a day for the receipt of documents Contact Centre lines are open between 8.30am to 6pm (Monday to Friday) 
Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.


The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:

    Registrant:
        Camell Williams

    Registrant type:
        Unknown

    Registrant's address:
        550 HOLTS LAKE CT STE 101
        Suite 101
        Apopka
        Florida
        32703
        United States


Both those domains are close to the genuine one of companieshouse.gov.uk and because the email is digitally signed it might get past spam filters where normal botnet-sent spam wouldn't.

All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.

Attached is a Word document Complaint.doc  (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:

futuras.com/img/dododocdoc.exe

This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.

The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:

78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)


The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.

Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117


No comments: