
Thursday, 13 April 2017

Malware spam: "Company Documents" / WebFilling@companieshousemail.co.uk and companieshouseemail.co.uk plus others

This spam email does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From:    Companies House [WebFilling@companieshousemail.co.uk]
Date:    13 April 2017 at 11:10
Subject:    Company Documents
Signed by:    companieshousemail.co.uk

CH Logo

Company Documents

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.

Please note: all forms must be answered or the form will be returned.

Service Desk tel +44 (0)303 8097 432 or email enquiries@companieshouse.gov.uk

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
Companies House 
Crown way
CF14 3UZ
Crown Logo

I observed the email coming from the fake domains companieshousemail.co.uk and companieshouseemail.co.uk, but it looks like there may be more. Email is being sent from servers in the range (Upcloud Ltd, Finland) and I can see other servers set up to do the same thing:


Blocking email from the entire range at least temporarily might be prudent.
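As an added example (not code from the original post), a small Python triage helper that flags mail whose From: domain is a lookalike of the legitimate companieshouse.gov.uk or whose sending server falls in a blocked range. The post elides the actual Upcloud range, so the CIDR below is a constructed placeholder; the sample log lines are constructed too.

```python
import ipaddress
from email.utils import parseaddr

# Legitimate sender domain, taken from the real contact address quoted in the forgery.
LEGIT_DOMAIN = "companieshouse.gov.uk"
# Lookalike domains the post observed in this campaign.
KNOWN_LOOKALIKES = {"companieshousemail.co.uk", "companieshouseemail.co.uk"}
# Placeholder (RFC 5737 documentation range): substitute the real sending range here.
BLOCKED_RANGE = ipaddress.ip_network("192.0.2.0/24")


def is_lookalike(domain):
    """True when the domain impersonates Companies House without being the real one."""
    domain = domain.lower().rstrip(".")
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return False  # the genuine domain and its subdomains
    if domain in KNOWN_LOOKALIKES:
        return True
    # Heuristic: the first label carries the brand but the domain is not the official one.
    # Catches companieshouse-notifications.example and companieshouse.gov.uk.example alike.
    return "companieshouse" in domain.split(".")[0]


def triage(from_header, sender_ip):
    """Return the list of reasons to quarantine a message (empty list means clean)."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]  # "" when there is no @ at all
    reasons = []
    if is_lookalike(domain):
        reasons.append("lookalike sender domain " + domain)
    if ipaddress.ip_address(sender_ip) in BLOCKED_RANGE:
        reasons.append("sender IP %s in blocked range %s" % (sender_ip, BLOCKED_RANGE))
    return reasons


# Constructed sample log entries: (From header, connecting IP).
SAMPLE_LOG = [
    ("Companies House <WebFilling@companieshousemail.co.uk>", "192.0.2.10"),
    ("Companies House <enquiries@companieshouse.gov.uk>", "198.51.100.5"),
    ("Companies House <noreply@companieshouse-notify.example>", "203.0.113.7"),
]


def flagged(log=SAMPLE_LOG):
    """Run triage over a log and keep only the entries that raised at least one reason."""
    return [(frm, ip, triage(frm, ip)) for frm, ip in log if triage(frm, ip)]
```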

The WHOIS details for these indicate they were registered today with presumably fake details, which the registrar Nominet has nonetheless somehow "verified".

Charlene hogg

Registrant type:

Registrant's address:
37 Maberley Road
SE19 2JA
United Kingdom

Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 13-Apr-2017

GoDaddy.com, LLP. [Tag = GODADDY]
URL: http://uk.godaddy.com

Relevant dates:
Registered on: 13-Apr-2017
Expiry date:  13-Apr-2019
Last updated:  13-Apr-2017

Registration status:
Registered until expiry date.

Name servers:

All the attachments I have seen are the same, with a current detection rate of 6/55. Hybrid Analysis of the document shows it downloading a component from shuswapcomputer.ca/images/banners/bannerlogo.png, and a malicious executable %APPDATA%\pnwshqr.exe is dropped with a detection rate of 14/62.

Automated analysis of the binary [1] [2] shows potentially malicious traffic going to: (Total Server Solutions, US) (Informacines sistemos ir technologijos UAB aka bacloud.com, Lithuania)

There are probably other destinations too. The payload appears to be Dyre / Dyreza.

Recommended blocklist: (temporary email block only)
