
Thursday 21 September 2017

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject:       Invoice RE-2017-09-21-00794
From:       "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date:       Thu, September 21, 2017 9:21 am
Priority:       Normal

------------- Begin message -------------

Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace

==



[commMgrHmdToken:EVDOOCETFBECA]

------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid
for through our Amazon Payments system via our Shopping Cart or 1-Click. Our
Guarantee does not cover any payments that occur off Amazon.co.uk including wire
transfers, money orders, cash, check, or off-site credit card transactions.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=3149571).



[commMgrTok:EVDOOCETFBECA]

Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58 and they can be seen attempting to download a component from:

ahlbrandt.eu/IUGiwe8?
fulcar.info/p66/IUGiwe8
accuflowfloors.com/IUGiwe8?
aetozi.gr/IUGiwe8?
agricom.it/IUGiwe8?


An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1] [2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).

UPDATE - additional download locations:
81552.com/IUGiwe8
adr-werbetechnik.de/IUGiwe8
afmance.it/IUGiwe8
afradem.com/IUGiwe8
agriturismobellaria.net/IUGiwe8
agro-kerler.de/IUGiwe8
moonmusic.com.au/IUGiwe8

4 comments:

naszfranio said...

SPF test on the email gateway will block these no bother.


-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 21/09/2017 10:04:33 GMT+0100 GMT Daylight Time
Sender Email: ZYvSEQFNDqZUNSJ@marketplace.amazon.co.uk
Recipient Email: [EDITED]
Related IP: 115.79.66.123
Action: Rejected
Email Subject: (not available)

-- EVENT MESSAGE --
Blacklisted by the SPF Test (sender forged per policy of "marketplace.amazon.co.uk", SPF result: "softfail").


-------------------------------------------------------------------------------

naszfranio said...

In the last hour I had 100 attempts like that - the majority to valid email addresses and all coming from different IPs.


Conrad Longmore said...

@naszfranio This will be the Necurs botnet. IPs will be all over the place.

Yes, checking SPF records should block it. Also, blocking .7z files would probably not cause much of a problem, these are commonly used for Locky right at the moment.

Jan said...

The SPF softfail mechanism (in my experience by far the most widely used SPF configuration) does not actually assert a failing message is a spoof.

The specification reads:

8.5. Softfail

A "softfail" result ought to be treated as somewhere between "fail"
and "neutral"/"none". The ADMD believes the host is not authorized
but is not willing to make a strong policy statement. Receiving
software SHOULD NOT reject the message based solely on this result,
but MAY subject the message to closer scrutiny than normal.

If you pass an SPF check with the hardfail or softfail mechanism - you are considered a legitimate sender.
If you fail an SPF check with the softfail mechanism - you might be a legitimate sender.
If you fail an SPF check with the hardfail mechanism - you are not a legitimate sender.


It would be better for companies like Amazon to use the hardfail mechanism for this reason to protect their brand as the softfail mechanism does not adequately do so.
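
The gateway handling discussed in the comments above, as an added example that is not part of the original post or any commenter's own code: it reads the SPF result a gateway recorded in an Authentication-Results header and combines it with a blocked-extension check, so a softfail alone is never the sole reason to reject. The sample message, the `mx.example.net` host, the function names and the reject/quarantine/scrutinize policy are all assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: forged sender, SPF softfail recorded by the gateway, .7z attached.
SAMPLE = """\
From: "Amazon Marketplace" <example@marketplace.amazon.co.uk>
Subject: Invoice RE-2017-09-21-00794
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=marketplace.amazon.co.uk
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached to this email you will find your invoice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="RE-2017-09-21-00794.7z"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

BLOCKED_EXT = {".7z"}  # assumption: site policy blocks these, as suggested in the comments

def spf_result(msg):
    """Return the spf= result from Authentication-Results, or 'none' if absent."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=([a-z]+)", value, re.I)
        if m:
            return m.group(1).lower()
    return "none"

def blocked_attachments(msg):
    """List attachment filenames whose extension is on the block list."""
    names = [p.get_filename() or "" for p in msg.walk()]
    return [n for n in names if any(n.lower().endswith(e) for e in BLOCKED_EXT)]

def verdict(raw):
    """Assumed policy: hardfail rejects; softfail needs a second signal to reject."""
    msg = message_from_string(raw)
    spf, bad = spf_result(msg), blocked_attachments(msg)
    if spf == "fail":
        return "reject"        # hardfail: the domain states the host is not authorized
    if bad:
        return "reject" if spf == "softfail" else "quarantine"
    if spf == "softfail":
        return "scrutinize"    # RFC 7208 8.5: not a sole reason to reject
    return "accept"
```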