Sponsored by..

Showing posts with label Dyre. Show all posts
Showing posts with label Dyre. Show all posts

Thursday 13 April 2017

Malware spam: "Company Documents" / WebFilling@companieshousemail.co.uk and companieshouseemail.co.uk plus others

This spam email does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From:    Companies House [WebFilling@companieshousemail.co.uk]
Date:    13 April 2017 at 11:10
Subject:    Company Documents
Signed by:    companieshousemail.co.uk



CH Logo

Company Documents

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.

Please note: all forms must be answered or the form will be returned.

Service Desk tel +44 (0)303 8097 432 or email enquiries@companieshouse.gov.uk

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
 
Companies House 
Crown way
Maindy
Cardiff
CF14 3UZ
Crown Logo



Documents.doc
48K



---

I observed the email coming from the fake domains companieshousemail.co.uk and companieshouseemail.co.uk  but it looks like there may be more. Email is being send from servers in the 94.237.36.0/24 range (Upcloud Ltd, Finland) and I can see other servers set up to do the same thing:

companieshouseemail.co.uk  94.237.36.104
companieshouseemail.co.uk  94.237.36.145
companieshousemail.co.uk  94.237.36.146
companieshousemail.co.uk  94.237.36.147
companieshousesecure.co.uk  94.237.36.150
companieshousesecure.co.uk  94.237.36.151


Blocking email from the entire 94.237.36.0/24 range at least temporarily might be prudent.

The WHOIS details for these indicate they were registered today with presumably fake details, but that the registrar Nominet have somehow "verified".

Registrant:
Charlene hogg

Registrant type:
Unknown

Registrant's address:
37 Maberley Road
London
SE19 2JA
United Kingdom

Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 13-Apr-2017

Registrar:
GoDaddy.com, LLP. [Tag = GODADDY]
URL: http://uk.godaddy.com

Relevant dates:
Registered on: 13-Apr-2017
Expiry date:  13-Apr-2019
Last updated:  13-Apr-2017

Registration status:
Registered until expiry date.

Name servers:
ns29.domaincontrol.com
ns30.domaincontrol.com
All the attachments I have seen are the same with a current detection rate of 6/55. Hybrid Analysis of the document shows it downloading a component from shuswapcomputer.ca/images/banners/bannerlogo.png and a malicious executable %APPDATA%\pnwshqr.exe is dropped with a detection rate of 14/62.

Automated analysis of the binary [1] [2] show potentially malicious traffic going to:

107.181.161.221 (Total Server Solutions, US)
185.25.51.118 (Informacines sistemos ir technologijos UAB aka bacloud,com, Lithuania)


There are probably other destinations too. The payload appears to be Dyre / Dyreza.

Recommended blocklist:
94.237.36.0/24 (temporary email block only)
shuswapcomputer.ca
185.25.51.118
107.181.161.221





Tuesday 1 November 2016

Malware spam: "New Fax Message" / administrator@local-fax.com leads to TrickBot

This fake fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

From:    Administrator [administrator@local-fax.com]
To:    annie@[redacted]
Date:    1 November 2016 at 13:28
Subject:    New Fax Message
Signed by:    local-fax.com

Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.

[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]

Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.



Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and Hybrid Analysis give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:

www.tessaban.com/img/safafaasfasdddd.exe

This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports give the following suspect traffic:

91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)

I can match all those IPs except the last to this ThreatGeek report, those IPs are a mix of what looks like dynamic IPs for hacked home users and static ones (highlighted):

5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.

If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:

37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24


However, there's more to this too. The original email message is actually signed by local-fax.com and it turns out that this domain was created just today with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking.

All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously enough..


Monday 14 December 2015

Malware spam: "Israel Burke" / "BCP Transportation, Inc."

This fake invoice comes with a malicious attachment:
From:    Israel Burke [BurkeIsrael850@business.telecomitalia.it]
Date:    14 December 2015 at 15:00
Subject:    Israel Burke

Dear Customer:

Attached please find an invoice(s) for payment.  Please let us know if you have any questions.

We greatly appreciate your business!

Israel Burke
BCP Transportation, Inc.
I have only seen one sample of this, it is possible that the company name and sender names are randomly generated. The attachment in this case was named invoice_scan_76926455.doc and has a detection rate of 3/55.

Despite the name, this is not a Word document but is an XML document [pastebin] containing ActiveMIME data. The Malwr report for this indicates network traffic to:

109.234.34.224 (McHost.Ru, Russia)
80.96.150.201 (SC-Nextra Telecom SRL, Romania)


That Malwr report shows a dropped binary named qqqew.exe which has a VirusTotal detection rate of 5/55.

I am not certain of the payload, but I suspect that this Word document is dropping Upatre leading to the Dyre banking trojan.

MD5s:
a81a19478dbe13778f06191cf39c8143
5b1db9050cc44db3a99b50a5ba9d902a


Recommended blocklist:
109.234.34.224
80.96.150.201


Thursday 12 November 2015

Malware spam: "FYI: INTERAC e-Transfer to Guillaume Davis accepted" / "Bank of Montreal [notify@payments.interac.ca]"

This fake financial spam leads to malware:

From:    Bank of Montreal [notify@payments.interac.ca]
Date:    30 September 2015 at 13:34
Subject:    FYI: INTERAC e-Transfer to Guillaume Davis accepted

Dear Customer

The INTERAC e-Transfer for $2997.60 (CAD) you sent to Guillaume Davis was accepted. The transfer is now complete.

Recipient's message:  A message was not provided

Thank you for using Bank of Montreal INTERAC e-Transfer Service.

Please follow the link below to download the transaction details:

https://storage-usw-11.sharefile.com/download.ashx?dt=dt7c26b2a7994b4070a947e9cd285718bb&h=u4fdqSy4IS59j0nzAr6RzZtYbrne3JpDFwd4YfEKKM0%3d
The link in the email downloads a file INTERAC e-Transfer transaction details.doc which has a VirusTotal detection rate of just 1/53. Analysis of the malicious code within the downloaded document is pending, however the use of sharefile.com is consistent with the delivery of the Dyre banking trojan.

Wednesday 11 November 2015

Malware spam: "Refund from Bowater Incorporated" / PayPal

This fake PayPal email leads to malware:

From:    service@paypal.co.uk
Date:    11 November 2015 at 16:27
Subject:    Refund from Bowater Incorporated

PayPal

Bowater Incorporated has just sent you a refund

Wed, 11 Nov 2015 17:27:26 +0100
Transaction ID: 47E30904DC4145388
Dear Customer,
Bowater Incorporated has just sent you a full refund of £7849.90 GBP for your purchase.
If you have any questions about this refund, please contact Bowater Incorporated
The refund will go to your PayPal account. It may take a few moments for this transaction to appear in your account.
To see all the transaction details, please download and view from the link below.
https://www.paypal.com/uk/cgi-bin/webscr?cmd=view-a-trans&id=47E30904DC4145388
Merchant information
Bowater Incorporated
Note from merchant
None provided




Original transaction details
Description Unit price Qty Amount
Purchase from Bowater Incorporated £7849.90 GBP 1 £7849.90 GBP
Insurance: ----
Total: £7849.90 GBP
Refund to PayPal Balance: £7849.90 GBP
Invoice Number: 59266315
Yours sincerely,
PayPal
Please do not reply to this email because we are not monitoring this inbox. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright Å  1999-2015 PayPal. All rights reserved.

PayPal (Europe) S.a.r.l. et Cie, S.C.A.
Societe en Commandite par Actions
Registered office: 64-75 Boulevard Royal, L-3369 Luxemburg
RCS Luxemburg B 205 162
PayPal Email ID PP1479 - nsjwiqin1ob5c

The link in the email goes to a download location at sharefile.com which leads to a file transaction details.zip containing a malicious executable transaction details.scr.

This binary has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report shows network traffic consistent with Upatre download the Dyre banking trojan. One key IP address in 197.149.90.166 (Cobranet, Nigeria) which is well worth blocking.

MD5:
28989811c6b498910637847d538e43bf

Monday 9 November 2015

Malware spam: Random Name shared "Amendment or the Agreement_09-11-2015.zip" with you

This fake Dropbox spam appears to come from randomly-generated people..

From:    Sandy Schmitt via Dropbox [no-reply@dropbox.com]
Date:    9 November 2015 at 11:41
Subject:    Sandy Schmitt shared "Amendment or the Agreement_09-11-2015.zip" with you
   
Sandy used Dropbox to share a file with you!

Click here to view.

The link in the email actually goes to sharefile.com where it downloads a file Amendment or the Agreement_09-11-2015.zip containing a malicious execitable Amendment or the Agreement_09-11-2015.scr which has a VirusTotal detection rate of 2/54.

Automated analysis is inconclusive [1] [2] but you can guarantee that this is nothing good. Because of the low detection rates, it might be worth temporarily blocking sharefile.com.

MD5s:
386426E5633B120C3A0E2F605AF42433
2E12D164F40C95284DE13D175DB9BDE2

UPDATE:

My sources (thank you!) say that this is Upatre dropping the Dyre banking trojan, dropping a DLL with a 2/55 detection rate. The comments in that report also contain a list of IP address that you might want to block.


Friday 6 November 2015

Malware spam: "Your latest e-invoice from TNT 4677602495 2722813" / "eInvoicing" [groupadminstubbinsDONOTREPLY@tnt.com]

This fake financial invoice does not come from TNT but is instead a simple forgery with a malicious attachment:

From     "eInvoicing" [groupadminstubbinsDONOTREPLY@tnt.com]
Date     Fri, 6 Nov 2015 12:53:01 +0200
Subject     Your latest e-invoice from TNT 4677602495 2722813

PLEASE DO NOT RESPOND - Emails to this address are not monitored or responded to.

Please find attached your TNT Invoice. Please note that our standard payment terms
require cleared funds in our account by the 15th of the month following the month
of invoice.

IMPORTANT CONTACT DETAILS

To register an invoice query please contact us at ukinvoicequeries@tnt.co.uk

To forward a remittance advice or confirm payment please contact us at tntuk.cash.allocation@tnt.com

To set up a Direct Debit plan please contact us at tntdirectdebit@tnt.co.uk

For quick and easy access to your invoices simply log in using your user name and
password to https://express.tnt.com/eInvoicing and you'll be able to view and download
your electronic invoices immediately.

If you have forgotten your user name or password please follow the above link where
you will be able to reset your log-in details. If you are experiencing any technical
issues with your e-Invoicing account please contact us at ukeinvoice@tnt.co.uk

Rest assured, we operate a secure system, so we can confirm that the invoice PDF
originates from TNT and is authenticated with a digital signature. Thank you for
using e-invoicing with TNT the smarter, faster, greener way of processing invoices.

---------------------------------------------------------------------------------------------------------------
This message and any attachment are confidential and may be privileged or otherwise
protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete
this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment
or disclose the contents to any other person.
Please consider the environmental impact before printing this document and its attachment(s).
Print black and white and double-sided where possible.
----------------------------------------------------------------------------------
The attached file is inv6219014291_0519182.zip, although I don't have a sample of that at the moment. The payload is likely to be the Upatre downloader leading to the Dyre banking trojan.

Wednesday 4 November 2015

Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake Transport for London spam is a variation of something used before. It does not actually come from TfL, but is a simple forgery with a malicious attachment:

From     "Transport for London" [noresponse@cclondon.com]
Date     Wed, 4 Nov 2015 14:33:44 +0100
Subject     Email from Transport for London

Dear Customer

Please open the attached file to view correspondence from Transport for London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.

Attached is a file 6305093.zip of which I have seen just one sample, containing a malicious executable 6305093.scr (MD5 6a4cce90ba28720fa9e6813f681b1f75) which has a VirusTotal detection rate of 7/54. This Hybrid Analysis report shows it communicating with the well-known malicious IP address of 197.149.90.166 (Cobranet, Nigeria) which I recommend you block.

The payload here seems to be Upatre dropping the Dyre banking trojan.

Wednesday 28 October 2015

Malware spam: "Don and Carol Racine" / "www.boatclinic.net" / "boatclinic@aol.com"

This fake financial spam is not from Racine Design Inc but is instead a simple forgery with a malicious attachment:

From     [random]
Date     Wed, 28 Oct 2015 10:39:26 +0100
Subject     [random]

 Dear :
Boat has been done a week now. I contacted you last week
The
Boat is ready to pick up,  I have had inquiries as to people wanting to
buy it,
the carb is in your possession and there is no way to run it,
The boat could
sell real easy at this time of year , Memorial day to 4th of
July most boats
are sold.
Please call me to arrange payment and pickup of the Boat ,
If you
need me to store the boat I can do that at the storage facility ,
they do
charge a fee for this 7.00 per day
The other Invoice for the embroidery will
follow , Balance is due now !
Thanks

Your invoice is attached.  Please
remit payment

Thank you for your business - we appreciate it very
much.


Sincerely,
Don and Carol Racine

Racine Design, Inc.
2036 Imeson
Rd
Jacksonville, Fl.  32220

E-Mail  
boatclinic@aol.com

www.boatclinic.net

phone    (904) 771-8170
fax       
(904) 771-0843
The subject of the email is some randomly-generated sentence, which matches the name of the attached ZIP file. I have seen two samples so far with a detection rate of 3/55 and 2/55 respectively.

Analysis of the binary is pending (please check back), but the payload here is Upatre/Dyre which commonly calls back to 197.149.90.166 (Cobranet, Nigeria), an IP I strongly recommended that you block.

UPDATE:

The reverse.it report shows that the malware does indeed call back to that Nigerian IP address.

Tuesday 27 October 2015

Malware spam: "ZFRSSE - CMS Collateral Report(s) as of 10/27/2015" / "frs-cms-mailer@olen.frb.org"

This fake financial email.. whatever the heck it is pretending to be.. is not from the Federal Reserve System, but is instead a simple forgery with a malicious attachment.

From:    frs-cms-mailer@olen.frb.org
Date:    27 October 2015 at 17:32
Subject:    ZFRSSE - CMS Collateral Report(s) as of 10/27/2015

You have received electronic delivery of the attached CMS Collateral Report(s) from the Federal Reserve System.
______________________________________________________________________

Note: This is an automated message and replies to this mailbox will not be answered.  Questions concerning this message can be directed to your Federal Reserve Bank contact.  This communication and all attachments hereto contain sensitive and confidential information.  As a result, this communication has been encrypted in transit.  This communication is intended solely for the use of the addressee and should be handled in accordance with applicable policies and procedures.  If you have received this communication in error please delete or destroy all copies of it.

This message was secured in transit.  ZFRSSE_20151027173233
-------------------------------------------------------------------------
This message was secured by ZixCorp(R).
This message center is strictly for use by current Federal Reserve System business partner and customer employees, any other use of this system is strictly prohibited.
The attachment in the sample I saw was named CMS Collateral Report_20151027173233.doc which has a VirusTotal detection rate of 4/55. The comments in that report point to another VirusTotal report indicating that it drops Upatre.. but unusually, this code appears to have a valid Comodo certificate.

In turn, this drops a version of the Dyre banking trojan with a detection rate of 5/56.

Malware spam: "RBS Cardholder Application Form" / "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]

This fake financial spam does not come from Sunderland City Council, but is instead a simple forgery with a malicious attachment:

From     "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]
Date     Tue, 27 Oct 2015 18:39:34 +0700
Subject     RBS Cardholder Application Form

Dear Customer,



We now have the go ahead from Corporate Procurement to apply to RBS for your Corporate
Purchase Card. Please find attached the RBS application form which requires your
signature as cardholder on page 2. Also please add the date. Once done can you scan
the document and email it back to me or alternatively post it back to me c/o Purchase
Card Administration Team, Transactional Finance, Room 1.34, Civic Centre, Sunderland
SR2 7DN.



Kind regards,

Wm.
Wm Palmer
Purchase Ordering Officer
Commercial and Corporate Services
Sunderland City Council

Tel: 0191 5617588
www.sunderland.gov.uk

Sunderland City Council: Sunderland Home Page

The Sunderland City Council website is for anyone living, working, visiting or wanting
to invest in Sunderland - a great city by the sea with a balanced way of life ...

Read more...

Attached is a file New_Cardholder_Application_Wm_Palmer.zip containing a malicious executable New_Cardholder_Application.scr - which is exactly the same malware as used in this other fake council spam run today.

Friday 23 October 2015

Malware spam: "Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)"

This fake financial spam has a malicious attachment:

From:    Accounts [message-service@post.xero.com]
Date:    23 October 2015 at 15:08
Subject:    Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)

Hi Mattie,

Attached is your credit note CN-06536 for 8954.41 GBP.

This has been allocated against invoice number

If you have any questions, please let us know.

Thanks,
Avnet, Inc.
The message is neither from Avnet, Xero or Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc ..  but  it's actually a ZIP file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe  and has a VirusTotal detection rate of 4/55. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan.

Analysis is still pending for this malware (please check back later) but the current version of Update/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.

UPDATE:
The Hybrid Analysis report is here, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe




Wednesday 30 September 2015

Malware spam: "FW : Incoming SWIFT" / "Clyde Medina" [Clyde.Medina@swift.com]

This fake banking email comes with a malicious attachment:

From     "Clyde Medina" [Clyde.Medina@swift.com]
Date     Wed, 30 Sep 2015 12:35:56 GMT
Subject     FW : Incoming SWIFT

We have received this documents from your bank regarding an incoming SWIFT transfer.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom
the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of
this message is strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.

Attached is a file SWIFT_transfer.zip which contains a malicious executable SWIFT_transfer.scr which currently has a detection rate of 2/56.

Automated analysis is pending, although the payload is almost definitely Upatre/Dyre. Please check back later.

UPDATE:
The Hybrid Analysis report shows Upatre/Dyre activity, including the malware phoning home to a familiar IP address of 197.149.90.166 in Nigeria which I recommend you block or monitor.

Tuesday 29 September 2015

Malware spam "Info from SantanderBillpayment.co.uk" / "Santanderbillpayment-noreply@SantanderBillPayment.co.uk"

This fake financial spam comes with a malicious attachment:

From     "Santanderbillpayment-noreply@SantanderBillPayment.co.uk" [Santanderbillpayment-noreply@SantanderBillPayment.co.uk]
Date     Tue, 29 Sep 2015 12:33:56 GMT
Subject     Info from SantanderBillpayment.co.uk

Thank you for using BillPay. Please keep this email for your records.

The following transaction was received on 29 September 2015 at 09:11:36.

Payment type:          VAT
Customer reference no: 0343884
Card type:            Visa Debit
Amount:                GBP 4,683.00

For more details please check attached payment slip.

Your transaction reference number for this payment is IR0343884.

Please quote this reference number in any future communication regarding this payment.

Yours sincerely,

Banking Operations

This message is intended for the named person above and may be confidential, privileged
or otherwise protected from disclosure. If it has reached you by mistake please contact
the sender on 0300 200 3601 and delete the message immediately.


**PLEASE DO NOT REPLY TO THIS E-MAIL, AS WE WILL NOT BE ABLE TO RESPOND**
Emails aren't always secure, and they may be intercepted or changed after they've
been sent. Santander doesn't accept liability if this happens. If you think someone
may have interfered with this email, please get in touch with the sender another
way.
This message doesn't create or change any contract. Santander doesn't accept responsibility
for damage caused by any viruses contained in this email or its attachments. Emails
may be monitored. If you've received this email by mistake, please let the sender
know at once that it's gone to the wrong person and then destroy it without copying,
using, or telling anyone about its contents.

Santander Corporate Banking is the brand name of Santander UK plc, Abbey National
Treasury Services plc (which also uses the brand name of Santander Global Banking
and Markets) and Santander Asset Finance plc, all (with the exception of Santander
Asset Finance plc) authorised and regulated by the Financial Services Authority,
except in respect of consumer credit products which are regulated by the Office of
Fair Trading. FSA registration numbers: 106054, 146003 and 423530 respectively.
Registered offices: 2 Triton Square, Regent's Place, London NW1 3AN and Carlton Park,
Narborough LE19 0AL. Company numbers: 2294747, 2338548 and 1533123 respectively.

Registered in England. Santander and the flame logo are registered trademarks.
The attachment is named SantanderBillPayment_Slip0343884.zip although I have not been able to get a working copy. The payload is most likely the Upatre/Dyre banking trojan. My sources tell me that the current wave of this is phoning home to 197.149.90.166 in Nigeria which is worth blocking or monitoring.

Wednesday 23 September 2015

Malware spam: "Bankline ROI - Password Re-activation Form" / "secure.message@rbs.co.uk"

This fake banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:

From     "RBS" [secure.message@rbs.co.uk]
Date     Wed, 23 Sep 2015 11:28:48 GMT
Subject     Bankline ROI - Password Re-activation Form

Please find the Re-activation form attached, send one per user ensuring only one
box is selected in section 3.  A signatory on the bank mandate must sign the form.

Fax to 1850 826978 or alternatively you may wish to email the completed document,
by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk

On receipt of the completed form we will respond to the request within 2 working
hours and communicate this to the user by email.

<>

Please note - The life-span of an activation code is 21 days; after this time, the
activation code will expire and a new one must be ordered. 

Please be aware when choosing a new pin and password for the service, it is important
not to use pin/passwords that you have used before but to use completely different
details.

If you are the sole Standard Administrator may I take this opportunity to suggest
when you are reinstated on the system, to set up another User in a Standard Administrator
role. This will prevent you being locked out completely and allow you to order a
new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on
1850 310269 and one of our associates will be happy to assist you.

Regards
Bankline Product Support

This e-mail message is confidential and for use by the intended recipient only. If
the message is received by anyone other than the intended recipient, please return
the message to the sender by replying to it and then delete the message from your
computer. Internet e-mails are not necessarily secure. Ulster Bank Limited and Ulster
Bank Ireland Limited (\"Bankline Bank Group\")/ Royal Bank of Scotland Group plc
does not accept responsibility for changes made to this message after it was sent.
Ulster Bank Group / Royal Bank of Scotland Group plc may monitor e-mails for business
and operational purposes. By replying to this message you give your consent to our
monitoring of your email communications with us. Whilst all reasonable care has been
taken to avoid the transmission of viruses, it is the responsibility of the recipient
to ensure that the onward transmission, opening or use of this message and any attachments
will not adversely affect its systems or data. No responsibility is accepted by any
member of Ulster Bank Group / Royal Bank of Scotland Group plc in this regard and
the recipient should carry out such virus and other checks as it considers appropriate.

In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious exeucutable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56. The Hybrid Analysis report shows behaviour consistent with Upatre / Dyre and shows that the malware communicates with a known bad IP of 197.149.90.166 (Cobranet, Nigeria) which I definitely recommend blocking or monitoring.

Monday 21 September 2015

Malware spam: "Your Sage subscription invoice is ready" / "noreply@sage.com"

This fake Sage email contains a malicious attachment.

From:    noreply@sage.com [noreply@sage.com]
Date:    21 September 2015 at 11:30
Subject:    Your Sage subscription invoice is ready

Dear Ralph Spivey

Account number: 45877254

Your Sage subscription invoice is now online and ready to view.

Sage One subscriptions

    Please follow the link bellow to view/download your account invoice: http://www.sageone.co.uk/

Got a question about your invoice?

Call us on 1890 88 5045

If you're an Accountant, please call 1890 92 21 06
If you're a Business Partner, please call 1890 94 53 85

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.

The link in the email actually goes to a download location at Cubby rather than sageone.co.uk, this downloads a file invoice.zip which in turn contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56. The Hybrid Analysis report shows that this is Upatre dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria.

Friday 18 September 2015

Malware spam: "Transaction confirmation" / "donotreply@lloydsbank.co.uk"

This fake banking spam comes with a malicious attachment:

From     donotreply@lloydsbank.co.uk
Date     Fri, 18 Sep 2015 11:52:36 +0100
Subject     Transaction confirmation

Dear Customer,

Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.

Best regards,
Your personal Manager

Thora Blanda

tel: 0345 300 0000

LLOYDS BANK. 
Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria.

Thursday 17 September 2015

Malware spam: hrwfmailerprod@lancashire.gov.uk / REFURBISHMENT

This fake financial spam (presumably) comes in several different variants (I saw two):

From     "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]
To     hp_printer@victimdomain.com
Date     Thu, 17 Sep 2015 12:16:26 GMT
Subject     FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)


From             Mabel Winter
To             hp_printer@victimdomain.com
Sent             Thu, 17 Sep 2015 12:12:26 GMT
ID             7216378
Number             6767609,1
Title             Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT

Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment. 
The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55.

The payload appears to be Upatre/Dyre as seen earlier today.

Malware spam: "Shell E-Bill for Week 38 2015"

This fake financial spam comes with a malicious attachment:

From     [invoices@ebillinvoice.com]
To     administrator@victimdomain.com
Date     Thu, 17 Sep 2015 11:10:15 GMT
Subject     Shell E-Bill for Week 38 2015

Customer No         : 28834
Email address       : administrator@victimdomain.com
Attached file name  : 28834_wk38_2015.PDF

Dear Customer,

Please find attached your invoice for Week 38 2015.

In order to open the attached PDF file you will need
the software Adobe Acrobat Reader.

For instructions of how to download and install this
software onto your computer please visit
http://www.adobe.com/products/acrobat/readstep2.html

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.

Yours sincerely

Customer Services

======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================

Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.

MD5:
0d9c66ffedce257ea346d2c7567310ac

Wednesday 16 September 2015

Malware spam: "Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/"

This fake Lloyds Bank spam comes with a malicious payload:

From:    RSTNAME} Crabtree [Chang.Crabtree@lloydsbankcommercial.com]
Date:    15 September 2015 at 13:18
Subject:    Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/

Please find attached our document pack for the above customer. Once completed please return via email to the below address.

If you have any queries relating to the above feel free to contact us at

MN2Lloydsbanking@lloydsbankcommercial.com
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 7117152. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC453043.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.

In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:

thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt

A further download  then takes place from:

vandestaak.com/css/libary.exe

This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).

Recommended blocklist:
197.149.90.166
vandestaak.com
thebackpack.fr
obiectivhouse.ro

MD5s:
4b944c5e668ea9236ac9ab3b1192243a
1939eba53a1289d68d1fb265d80e60a1