Malware spam: "Payslip for period end date 27/08/2015" / "noreply@fermanagh.gov.uk"

This spam does not come from Fermanagh District Council. Of course it doesn't. It is instead a simple forgery with a malicious attachment:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    27 August 2015 at 12:28
Subject:    Payslip for period end date 27/08/2015

Dear administrator

Please find attached your payslip for period end 27/08/2015

Payroll Section

Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly.

This executable has a detection rate of 3/56 and the Hybrid Analysis report indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking.

MD5:
fdea30868df48bff9e7c2b2605431d23

Fake fax spam spoofs multiple senders, has malicious payload

This fake fax spam comes from random senders - company names and attachment names vary from spam to spam.

From: "Heaney, Vandervort and Hilll"
Subject: Fax #AhnxlQ8 from Donny Kub
Date: Wed, 26 Aug 2015 14:02:30 +0000

You have a fax.
Data sent: Wed, 26 Aug 2015 14:03:30 +0000
TO: info@victimdomain.com

*********************************
We are a new fax delivery service - Heaney, Vandervort and Hilll.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: "Fast. Cheap. Best quality."
*********************************

Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56 detection rate at VirusTotal.

The Hybrid Analysis report shows it phoning home to:

197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166/260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM

This pattern marks the malware out as being Upatre/Dyre.  197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.

Malware spam: "Message from scanner" / "scanner.coventrycitycentre@brianholt.co.uk"

I don't have the body text for this particular message, but I can tell you this is not from Brian Holt (a property agent in Coventry, UK) but is instead a simple forgery with a malicious attachment.

Subject     Message from scanner
From     scanner.coventrycitycentre@brianholt.co.uk
X-Mailer     KONICA MINOLTA bizhub C360
Date     Wed, 12 Aug 2015 08:19:28 +0000
Message-Id     [55CB0190.015.00206B68D2CD.scanner.coventrycitycentre@brianholt.co.uk]
MIME-Version     1.0
Content-Type     multipart/mixed; boundary="KONICA_MINOLTA_Internet_Fax_Boundary"
Content-Transfer-Encoding     7bit

To show the level of detail the bad guys go to, they have even included extra mail headers (usually hidden) to attempt to identify the sender as a Konica MFD. It's a strange thing to do, considering that anyone skilled enough to examine the mail headers should also notice the malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54.

The Hybrid Analysis report shows the malware POSTing to:

smboy.su/mu/tasks.php

.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The  network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to block the whole range to be on the safe side.

The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware.

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This fake TfL spam comes with a malicious attachment:

From     "Transport for London" [noresponse@cclondon.com]
Date     Thu, 20 Aug 2015 17:04:26 +0530
Subject     Email from Transport for London

Dear Customer

Please open the attached file(7887775.zip) to view correspondence from Transport
for London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative



______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.

The attachment name seems to vary, in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with a VirusTotal detection rate of 6/56 and 1/57. These two Hybrid Analysis reports [1] [2]  show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:

93.185.4.90:12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
93.185.4.90:12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM

These GET requests are a characteristic of Upatre/Dyre. 93.185.4.90 is allocated to C2NET, Czech Republic and I strongly recommend that you block it.

Those Hybrid Analysis reports also identify some botnet IPs and dropped files, which I suggest that you study if interested.

Malware spam: "SHIPMENT NOTICE" / "serviceuk@safilo.com"

This fake financial spam does not come from Safilo UK Ltd but is instead a simple forgery with a malicious attachment:

From     serviceuk@safilo.com
Date     Wed, 19 Aug 2015 17:47:46 +0700
Subject     SHIPMENT NOTICE

Dear Customer,

 please be informed that on Aug 19, 2015 we sent you the following items:

1    pieces from order 1I5005729
1    pieces from order 1I5005841


IMPORTANT

To find out all details concerning your orders and shipments open the file here attached
or go to the Order status page of the site.

Safilo UK Ltd.
serviceuk@safilo.com
-------

Attached is a file ship20150817.zip which in turn contains a malicious executable ship20150817.exe which has a detection rate of 4/56. According to these automated analysis tools [1] [2] the malware attempts to phone home to:

megapolisss006.su/go/gate.php

.SU (Soviet Union) domains are bad news in general, if you can I would recommend blocking traffic to all of them. This domain is hosted on the following IPs:

195.2.88.196 (Zenon N.S.P., Russia)
94.229.22.39 (Bashrtcomm LIR, Russia)
94.229.22.42 (Bashrtcomm LIR, Russia)

You might want to consider blocking:

195.2.88.0/24
94.229.16.0/21

This though is the recommended minimum blocklist:
195.2.88.196
94.229.22.39
94.229.22.42

I am not entirely certain of the payload as the download locations seem to be unreliable.

Malware spam: "Sleek Granite Computer" / "saepe 422-091-2468.zip" / "nulla.exe"

What the heck is a Sleek Granite Computer? As clickbait it is kind of weird.. but perhaps interesting enough to get people to click on the malicious attachment is comes with.

From:    mafecoandohob [mafecoandohob@bawhhorur.com]
To:    Karley Pollich
Date:    7 August 2015 at 13:17
Subject:    Sleek Granite Computer

Good day!

If you remember earlier this week we discussed with You our new project which we intend to start next month.
For Your kind review we enclose here the business plan and all the related documents.
Please send us an e-mail in case You have any comments or proposed changes.
According to our calculations the project will start bringing profit in 6 months.
Thanks in advance.


Karley Pollich
Dynamic Response Strategist
Pagac and Sons
Toys, Games & Jewelery
422-091-2468

The only sample of this I had was malformed and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe.

This has a VirusTotal detection rate of 4/55 with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre / Dyre traffic pattern to:

195.154.241.208:12800/0608us12/6FsvE66Gy1/0/61-SP1/0/FDMBEFJBMKBEMM
195.154.241.208:12800/0608us12/6FsvE66Gy1/41/2/18/FDMBEFJBMKBEMM

This IP address belongs to Online SAS in France who seem to have hosted quite a bit of this stuff recently, the hostname identifies it as belonging to poneytelecom.eu. Traffic is also spotted to:

37.57.144.177 (Triolan / Content Delivery Network, Ukraine)
95.143.141.50 (LTnet, Czech Republic)

There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.

Recommended blocklist:
195.154.241.208
37.57.144.177
95.143.141.50

MD5:
9520d04a140c7ca00e3c4e75dd9ccd9f

Malware spam: "Voice message from 07773403290" / ""tel: 07773403290" [non-mail-user@voiplicity.co.uk]"

This fake voicemail spam comes with a malicious attachment:

From     "tel: 07773403290" [non-mail-user@voiplicity.co.uk]
Date     Thu, 06 Aug 2015 11:54:43 +0300
Subject     RE: Voice message from 07773403290

I was not able to determine if there was any body text from my sample collector, however each sample had an identical attachment message_01983527496.wav.zip which contains a malicious executable message_01983527496.exe. This has a VirusTotal detection rate of 5/55 and automated analysis tools [1] [2] show it POSTing to:

wedspa.su/go/gate.php

This is hosted on a RU-Center IP address of 185.26.113.229 in Russia. Furthmore, a malicious executable is downloaded from the following locations:

globalconspiracy.hj.cx/1.exe
mastiksoul.org/1.exe

In turn, this has a detection rate of 2/55 and automated analysis of this [1] [2] show that it phones home to 212.47.196.149 (Web Hosting Solutions, Estonia).

The payload is unclear at this point, but you can guarantee that it will be nothing good.

Recommended blocklist:
185.26.113.229
212.47.196.149

MD5s:
da575b916f419b9e8bfea12168fa9902
f3ede4ebcd4b6debf15646a3d1a8bbd1

Malware spam: "Invoice reminder" / "morgan-motor.co.uk"

Nope, you haven't ordered an esoteric British sports car. This malware spam is not from the Morgan Motor Company, but is instead a simple forgery with a malicious attachment.

From     "Marie Atkins" [Marie.Atkins@morgan-motor.co.uk]
Date     Fri, 10 Jul 2015 12:50:54 +0200
Subject     Invoice reminder

Please note that so far we had not received the outstanding amounts in accordance
with the invoice enclosed below.
Unfortunately, we cannot wait another week for amounts to be settled. Kindly ask
You to arrange the payment in the nearest future (2 days).
In case the funds are not received in two days we reserve the right to use legal
approaches in order to resolve this issue.
We hope You will duly react to this notification and save good business relationships
with us.

Other senders spotted are Effie.Henry@morgan-motor.co.uk and Carmine.Randolph@morgan-motor.co.uk although there are probably others. Attached is a ZIP file named invoice-ITK709415.zip [VT 13/54] which contains a malicious executable invoice-ITK709415.scr, this has a VirusTotal detection rate of 3/55.

The Malwr report shows that this is the Upatre downloader, which always leads to the Dyre banking trojan. The characteristic callback pattern can be seen in the network traffic:

http://38.65.142.12:12569/RT77/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://38.65.142.12:12569/RT77/HOME/41/5/1/ELHBEDIBEHGBEHK

We've seen that IP before. Another characteristic bit of traffic (but not malicious) is a HTTP request to icanhazip.com. Although this is a legitimate service to determine the IP address of the client, it is also a pretty good indicate of Upatre/Dyre infection and is worth looking out for on your network.

The downloader seems to drop a modified version of itself, in this case called aloyzan.exe and also having a 3/55 detection rate. In additional, a file named whicalous.exe [VT 1/55] is dropped.

Recommended blocklist:
38.65.142.12

MD5s:
ef068f3b4e1927de34273d98c88d3abc
cd90c812c9e8a1168ecd89fb8f64ea05
99960df0cddf89e2e8eac54f371da63b
1f8e40aa49e9c3e633e450e85a888ba2

Malware spam: "Payslip for period end date 29/06/2015" / "noreply@fermanagh.gov.uk"

This fake financial spam comes with a malicious payload:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    29 June 2015 at 11:46
Subject:    Payslip for period end date 29/06/2015

Dear [redacted]

Please find attached your payslip for period end 29/06/2015

Payroll Section

Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55. Automated analysis [1] [2] shows a file being downloaded from:

http://audileon.com.mx/css/proxy_v29.exe

That binary has a detection rate of just 2/55 [Malwr analysis] Also, Hybrid Analysis [1] [2] shows the following IPs are contact for what looks to be malicious purposes:

69.73.179.87 (Landis Holdings Inc, US)
67.219.166.113 (Panhandle Telecommunications Systems Inc., US)
212.37.81.96 (ENERGOTEL a.s./ Skylan s.r.o, Slovakia)
209.193.83.218 (Visionary Communications Inc., US)
67.206.96.30 (Chickasaw Telephone, US)
208.123.129.153 (Secom Inc , US)
91.187.75.75 (Servei De Telecomunicacions D'Andorra, Andorra)
84.16.55.122 (ISP Slovanet (MNET) Brezno, Czech Republic)
178.219.10.23 (Orion Telekom, Serbia)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
178.54.231.147 (PP Merezha, Ukraine)
75.98.158.55 (Safelink Internet, US)
67.206.97.238 (Chickasaw Telephone, US)
176.197.100.182 (E-Light-Telecom, Russia)
31.134.73.151 (Trk Efir Ltd., Ukraine)
188.255.241.22 (Orion Telekom, Serbia)
31.42.172.36 (FLP Pirozhok Elena Anatolevna, Ukraine)
67.207.228.144 (Southwest Oklahoma Internet, US)
176.120.201.9 (Subnet LLC, Russia)
109.87.63.98 (TRIOLAN / Content Delivery Network Ltd, Ukraine)
38.124.169.148 (PSINet, US)
80.87.219.35 (DSi DATA s.r.o., Slovakia)
195.34.206.204 (Private Enterprise Radionet, Ukraine)
93.119.102.70 (Moldtelecom LIR, Moldova)
184.164.97.242 (Visionary Communications Inc., US)

I am unable to determine exactly what the payload is on this occassion.

Recommended blocklist:
69.73.179.87
67.219.166.113
212.37.81.96
209.193.83.218
67.206.96.30
208.123.129.153
91.187.75.75
84.16.55.122
178.219.10.23
194.28.190.84
83.168.164.18
178.54.231.147
75.98.158.55
67.206.97.238
176.197.100.182
31.134.73.151
188.255.241.22
31.42.172.36
67.207.228.144
176.120.201.9
109.87.63.98
38.124.169.148
80.87.219.35
195.34.206.204
93.119.102.70
184.164.97.242

MD5s:
71a42eaac6f432c8dc04465c065e48e1
4009cd042071c81ce9c1aaa13ac046f2

Malware spam: "Considerable law alternations" / "excerptum_from_the_implemented_rule.zip" / "Pamela Adams"

This fake legal spam comes with a malicious payload:

Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations

Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above  .
Pamela Adams
Chief accountant

In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55.

Automated analysis tools [1] [2] [3] show malicious traffic to the following IPs:

93.185.4.90 (C2NET Przno, Czech Republic)
216.16.93.250 (Clarity Telecom LLC / PrairieWave, US)
195.34.206.204 (Radionet, Ukraine)
75.98.158.55 (Safelink Internet , US)
185.47.89.141 (Orion Telekom, Serbia)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
85.192.165.229 (Rostelecom / VolgaTelecom, Russia)
178.222.250.35 (Telekom Srbija, Serbia)

The Malwr report and Hybrid Analysis report indicate a couple of  dropped files, gebadof.exe (VT 2/55 - identical to the initial file) and qppwkce.exe (VT 3/55). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.

Recommended blocklist:
93.185.4.90
216.16.93.250
195.34.206.204
75.98.158.55
185.47.89.141
83.168.164.18
85.192.165.229
178.222.250.35

MD5s:
a85849c45667805231f2093e2eabe89d
e91e0424ac23193461c57ac1046e7dc1

Malware spam: "Hope this e-mail finds You well" / "Stacey Grimly"

This spam comes with a malicious attachment:

Date:    23 June 2015 at 14:14
Subject:    Hope this e-mail finds You well

Good day!

Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.

Stacey Grimly,
Project Manager

Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:

check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717

The file sizes actually match the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters.

Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52 or 3/54. Automated analysis tools [1] [2] [3] indicate traffic to the following locations:

93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)

These two Malwr reports [1] [2] show dropped files named yaxkodila.exe (two versions, VT 5/54 and 5/55) plus a file jieduk.exe (VT 8/54). Incidentally, the VirusTotal analysis also throws up another IP address of:

104.174.123.66 (Time Warner Cable, US)

The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.

Recommended blocklist:
93.93.194.202
173.216.240.56
188.255.169.176
68.190.246.142
104.174.123.66

 MD5s:
67f05372a34534c5892defb29ba8ead7
267e23f6430999f4b71a074835f19fb2
cebf89f088458f3e89599ae44d03cddf
cfdcb1cbe8983707287be4a03cdb88b4
880ba84222524510c9fe3b3d80429816

Malware spam: "Tax inspection notification" / "tax_663-20845-0479-435.zip size=18288.zipsize=18288"

This fake tax notification comes with a malicious payload.

Date:    22 June 2015 at 19:10
Subject:    Tax inspection notification

Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check  as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor

Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57.

This Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:

http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK

That IP address is the same as seen in this attack earlier today and it belongs to Orion Telekom in Serbia. This VirusTotal report also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report also shows traffic to 37.57.144.177 (Triolan, Ukraine).

Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57] and sveezback.exe [VT 15/57]. The dropped payload will be the Dyre banking trojan.

Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177

MD5s:
394c56133b323ce3bf038cfc7a00562a
4e9fec8e532664672bd3a022f4f0b4ec
14b8a0f6a9258f9e73f63a4269641ca0

Malware spam: "Shareholder alert" / "instructions.zip size=21154.zipsize=21154"

This fake financial spam comes with a malicious attachment:

Date:    22 June 2015 at 13:07
Subject:    Shareholder alert

Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to resolution of the Board of Directors. Please see attached.     Glen McCoy, Partner

Attached is a mis-named ZIP file called instructions.zip size=21154.zipsize=21154 containing a malicious executable instructions_document.exe which has a VirusTotal detection rate of 1/56.

The Malwr report indicates network traffic to:

http://93.93.194.202:13227/212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13227/212/HOME/41/5/1/ELHBEDIBEHGBEHK

93.93.194.202 is Orion Telekom in Serbia.

It also drops an executable xiroukiqa.exe with a detection rate of 5/56 and vusjeson.exe with a detection rate of 4/57. The VirusTotal report for the last binary also shows traffic to 64.111.36.35 ( Midwest Data Center, US), which is clearly malicious according to VirusTotal.

The characteristics of this malware indicate the Upatre download leading to the Dyre banking trojan.

Recommended blocklist:
64.111.36.35
93.93.194.202

MD5s:
058216b2635e9c48c22eda6f9b7c83b5
6b2858d4452d97992ab78fd228c3970d
da53e58da4778515d22a96968766c3e3

Malware spam: "New instructions" / "instructions_document.exe"

This rather terse spam comes with a malicious payload:

From:    tim [tim@thramb.com]
Date:    19 June 2015 at 16:40
Subject:    New instructions

New instructions payment of US banks, ask to read

Attached is an archive file with the somewhat unusual name of instructions.zip size=19811 which contains a malicious executable named instructions_document.exe.

The VirusTotal analysis indicates that this is the Upatre download [detection rate 3/57]. Automated analysis tools [1] [2] [3] [4] show traffic to:

93.93.194.202:13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID

which is an IP operated by Orion Telekom in Serbia, and also 66.196.63.33:443 which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which while not malicious in itself is quite a good indicator of infection.

In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.

Recommended blocklist:
93.93.194.202
66.196.63.33

MD5s:
329a2254cf4c110f3097aafdaa50c82a

Malware spam: "Australian Taxation Office [noreply@ato.gov.au]" / "eFax message - 2 page(s)"

Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    19 May 2015 at 12:48
Subject:    eFax message - 2 page(s)

Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.

* The reference number for this fax is
min2_did16-0884196800-3877504043-49.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile.com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr.

This executable has a detection rate of 5/57. Automated analysis tools [1] [2] [3] shows that it downloads a further component from:

http://employmentrisk.com/images/1405uk77.exe

In turn, this has a detection rate of 4/57 and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).

Recommended blocklist:
employmentrisk.com
194.28.190.183

MD5s:
a6aa82995f4cb2bd29cdddedd3572461
b3b483c10d4f7eacd7cfa42f604968f8

Malware spam: "Your online Gateway.gov.uk Submission"

This spam leads to a malicious ZIP file hosted either on Dropbox or Cubby.

From:    Gateway.gov.uk
Date:    18 March 2015 at 13:19
Subject:    Your online Gateway.gov.uk Submission

Electronic Submission Gateway

Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.

To view/download your form to the Government Gateway please visit http://www.gateway.gov.uk/file/s/gdvzk7toum8ghnc/SecureDocument.zip?dl=1

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.

gov.uk - the best place to find government services and information - Opens in new window

The best place to find government services and information

The link leads to an archive file Avis_De_Paiement.zip which in turn contains a malicious binary Avis_De_Paiement.scr which has a VirusTotal detection rate of 16/57. ThreatExpert and Comodo CAMAS report that it downloads components from the following locations:

canabrake.com.mx/css/doc11.rtf
straphael.org.uk/youth2000_files/doc11.rtf

My sources indicate that this most likely phones home to 109.230.131.95 (Vsevnet Ltd. Russia) which is a known bad IP that I recommend blocking. The payload appears to be the Upatre downloader leading to the Dyre banking trojan.

Malware spam: "Voicemail Message (07813297716) From:07813297716"

When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.

From:     Voicemail admin@victimdomain
Date:     11/03/2015 11:48
Subject:     Voicemail Message (07813297716) From:07813297716

IP Office Voicemail redirected message

Attachment: MSG00311.WAV.ZIP

The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:

http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php

This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicous macros rather than EXE-in-ZIP attacks.

The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:

http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe

This component has a detection rate of 5/57. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57 which is the same Dridex binary we've been seeing all day.

Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:

31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.3
104.232.32.119
188.120.243.159

Malware spam: "HP Digital Device" / "Scanned Image"

This spam comes with a malicious attachment:

From:    HP Digital Device [HP_Printer@victimdomain.com]
Date:    26 January 2015 at 13:04
Subject:    Scanned Image


Please open the attached document.
This document was digitally sent to you using an HP Digital Sending device.

-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------

Attached is a file ScannedImage.zip which contains a malicious executable ScannedImage.scr which has a VirusTotal detection rate of 5/56, you can see various automated analyses here: [1] [2] [3]

Lena Michalczyk STE LTD "documents" spam

This spam message does not come from STE UK Ltd or any company of a similar name, not does it come from anyone called Lena Michalczyk. In the sample I received, it actually originated from a hacked machine located in the Federated States of Micronesia.

From:     lena michalczyk [michalczyklena@gmail.com]
Date:     22 September 2014 10:01
Subject:     documents

--
Regards Lena Michalczyk STE LTD.
office no. 07999258583

--
Regards Lena Michalczyk STE LTD.
office no. 07999258583

In the same I saw, the attached file was block20140915_16321753.pdf.zip but the attachment itself was corrupt, however there's a good chance that the spammers will fix this and send it out with a working payload.

If you receive a message like this, simply delete it and do not open the attachment.

"Kifilwe Shakong" "Copied invoices" spam

Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is  not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.

From:     Kifilwe Shakong [kshakong@cashbuild.co.za]
Date:     16 September 2014 12:17
Subject:     Copied invoices

The attached invoices are copies. We will not be able to pay them. Please send clear invoices
______________________________________________________________________
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za
______________________________________________________________________

The attached invoices are copies. We will not be able to pay them. Please send clear invoices
______________________________________________________________________
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za

Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54.

The ThreatTrack report [pdf] shows that the malware attempts to phone home to the following domains and IPs which are worth blocking:
golklopro.com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231

The payload seems to be very similar to this spam run yesterday.


UPDATE: The ThreatExpert report also indicates that the malware downloads components from the following locations:

musicacademymadras.in/333
ethostraining.es/333.cab
acfnet.com.br/333.jpg
vistabuys.com/333.exe

The malware attempts to phone home to cosjesgame.su as well as golklopro.com.

The ThreatTrack report [pdf] for the second component shows the malware attempting to POST to
37.59.136.101 (OVH, France alloced to "Varts Hosting GB") and 184.106.64.151 (Rackspace, US).

Recommended blocklist:
golklopro.com
cosjesgame.su
musicacademymadras.in
ethostraining.es
acfnet.com.br
vistabuys.com
31.134.29.175
37.59.136.101
46.98.234.76
46.98.122.183
46.119.126.141
46.185.88.110
46.211.198.56
77.121.236.75
78.56.92.46
85.237.34.129
91.221.29.181
93.78.145.22
93.183.242.24
94.100.95.109
107.23.255.195
109.165.101.8
176.8.72.4
176.53.209.231
176.99.191.49
176.193.54.38
176.213.10.114
178.74.216.27
178.137.18.149
184.106.64.151
195.114.159.232
195.138.84.68
195.225.147.101