Sponsored by..

Showing posts with label Mexico. Show all posts
Showing posts with label Mexico. Show all posts

Friday, 12 February 2016

Malware spam: "DVSA RECEIPT" / FPO.CC.15@vosa.gsi.gov.uk

This spam email does not come from a UK government agency, but is instead a simple forgery with a malcious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi.gov.uk.

From     FPO.CC.15@vosa.gsi.gov.uk
Date     Fri, 12 Feb 2016 12:47:20 +0300
Subject     DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
Phone: 0300 123 9000

Find out more about government services at www.gov.uk/dvsa

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.
Attached is a file Fixed Penalty Receipt.docm which comes in at least ten different variants with the following MD5s:


I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:

steinleitner-online.net/09u8h76f/65fg67n [reported here]

This dropped file has a detection rate of 5/54 (MD5 7bf7df5e630242182fa95adff4963921). This Hybrid Analysis report indicates subsequent traffic to: (Universidad Tecnologica de la Mixteca, Mexico) (ZNET Telekom Zrt, Hungary) (ispOne business GmbH, Germany)

The payload is the Dridex banking trojan.

Recommended blocklist:

Wednesday, 8 July 2015

Malware spam: "Strange bank account operation" / "Unauthorised bank account activity" / "Illegal bank account transfer" etc

This fake financial spam comes with a malicious payload. It appears to be randomly generated in part, here are some examples:
Date:    8 July 2015 at 18:02
Subject:    Strange bank account operation

Kindly be informed that bank did noticed suspect attempt of money withdrawal relating to Your debit card.
Please find enclosed bank e-mail sent by financial department on Monday.
As well attached are security details for Your review.
Michael Morgan
Senior Manager


Date:    1 January 1970 at 00:00
Subject:    Suspicious bank account operation

Kindly be acknowledged that bank had found unauthorised attempt of amounts withdrawal from Your credit card.
Please find enclosed bank warning provided by bank manager earlier.
Also enclosed are security details for Your affirmation.
Robin Owen
Chief accountant


Date:    8 July 2015 at 17:59
Subject:    Illegal bank account transfer

Kindly be informed that bank security department has found illegal attempt of money withdrawal from Your Mastercard account.
Please check the enclosed bank publication provided by banking department today.
As well attached are security details for Your approval.
Clive Adams
Tax Consultant


Date:    8 July 2015 at 16:55
Subject:    Strange bank account transfer

Kindly note that bank did noticed suspect attempt of amounts withdrawal related to Your Mastercard.
Please examine the enclosed bank statement sent by manager on Monday.
Furthermore attached are personal details for Your confirmation.
Martin Morgan
Tax authority


Date:    8 July 2015 at 17:51
Subject:    Unauthorised bank account activity

Kindly be acknowledged that bank security department had detected suspect attempt of money withdrawal related to Your debit card.
Please check the enclosed bank statement forwarded by banking department today.
In addition attached are security details for Your control.
Robin Willis
Senior Manager

Attached is a Word document [VT 6/55]with various filenames:


All the samples I have seen have an identical document with different names, containing this malicious macro which then goes off and downloads various other components according to the Hybrid Analysis report, using the following URLs:


These appear to download as a set of malicious scripts [1] [2] [3] which then download a further component from:


This binary has a detection rate of 3/55. The Malwr report shows that it drops two other files, named as Zlatowef.exe [VT 3/55] and redtytme4.exe [VT 9/55] and it also downloads components from:

That IP is allocated to Cogent Communications in Mexico. The download is Upatre which means that the payload is almost definitely the Dyre banking trojan, even though the delivery mechanism of a Word document is unusual for Dyre.

Recommended blocklist:


Wednesday, 17 December 2014

Spam: "Localizan a los 43 estudiantes desaparecidos en Ayotzinapa"

This Spanish-language malware spam comes with a malicious attachment.

From:    El Universal
Date:    16 December 2014 at 09:06
Subject:    Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Hoy 16 de diciembre del 2014 por la madrugada, agentes de la Policía Ministerial de Guerrero
han localizado con vida a los 43 estudiantes, desaparecidos el dia 26 de septiembre del 2014.

Para ver imágenes exclusivas del reencuentro de los estudiantes con sus familias, y las condiciones en que
vivieron durante su secuestro, anexamos un documento en este correo electrónico en formato Microsoft Word.

El Universal © todos los Derechos Reservados  2014.
This translates roughly as:

Located at 43 students missing in Ayotzinapa.

Today December 16, 2014 at dawn, agents of the Ministerial Police Guerrero
have been located alive at 43 students, missing the day September 26, 2014.

To view exclusive footage of the reunion of students and their families, and the conditions under which
They lived during his abduction, we attach a document to this email in Microsoft Word format.

The Universal © All Rights Reserved 2014.
This email relates to the kidnapping and possible murder of 43 Mexican students which has been blamed by some on the Mexican Police.

The Word document contains a malicious macro, and detailed instructions for the victim on how to disable the inbuilt security to enable it to run.

Once this has been done, the malicious macro [pastebin] runs. This attempts to download a file from:


At the moment, this download location is coming up with a 404 error. If the download were to work, it would save the file as %TEMP%\ test00010.exe. The Word document has a moderate detection rate of 10/54.

This type of malicious spam has been around for a long time, and this particular technique seems to be exclusively in Spanish, I have never seen this attack in English or any other language.

Thursday, 17 July 2014

"Notificación de transferencia de fondos a su favor" spam

This Spanish-language spam has a malicious Word document as an attachment.

From:     HSBC Transferencias [Mexico_contacto@hsbc.com.mx]
Reply-To:     respuesta@hsbc.com.mx
Date:     17 July 2014 11:01


El motivo de este correo es informarle que el día de hoy recibió una transferencia SPEI la cual se encuentra retenida debido a anomalías en su cuenta. Para mas detalles sobre esta situación le adjuntamos un documento en formato Microsoft Word donde explicamos el motivo de la retención y los pasos a seguir.

Banco emisor: BBVA BANCOMER
Importe: $94,000.00
Fecha: 17/07/2014
Folio: 89413

Estatus: Retenida
Recomendamos seguir los pasos descritos en el documento adjunto en este correo.

Para cualquier duda o aclaración  nos ponemos a sus órdenes en contacto@hsbc.com.mx o si lo prefiere,  puede comunicarse a Banca por Internet en los siguientes teléfonos:
     México D.F. (55) 5721 1635
     Desde cualquier estado de la República al 01800 4722 638 LADA sin costo.

Con gusto le atenderemos

The attachment is essentially the same as the one mentioned here which tries to lure the victim into removing their Word security settings so that a malicious macro can run.

The VirusTotal detection rate is a pretty poor 4/54. You can see some of the text strings in the Malwr report which feature a reverse URL of exe.ss/pw/arc/lc.paip//:ptth which is reverse to try to download a file from http://piap.cl/cra/wp/ss.exe (currently 404ing). The VBA in the document can be found here [pastebin].

As mentioned before, this is a long-running campaign apparently targeting users in Mexico, and as yet I have not seen this in any language except Spanish.

Thursday, 10 July 2014

"Estado de Cuenta Datallado en Línea (Statement Datallado Online)" spam contains a Macro virus

This Spanish-language spam comes with a Word document containing a Macro virus.

From:     Banco Santander [altacuentas_cash@santander.com.mx]
Reply-to:     noreply@santander.com.mx
Date:     10 July 2014 09:52
Subject:     Estado de Cuenta Datallado en Línea

Estimado Cliente:

Por este medio le enviamos el estado de su cuenta del día 08/Jul/2014.
Le recomendamos descargarlo y así mantener un registro de sus activos.

El estado de cuenta se encuentra adjunto en este correo en formato Microsoft Word.

Para cualquier duda o aclaración puede comunicarse a Súper Línea Empresarial.


******************PRIVACIDAD DE ESTE MENSAJE**********************
Este mensaje esta dirigido exclusivamente a las personas que tienen las direcciones de correo electronico especificadas en los destinatarios dentro de su encabezado. Si por error usted ha recibido este mensaje, por ningun motivo debe revelar su contenido, copiarlo, distribuirlo o utilizarlo. Le solicitamos por favor elimine dicho mensaje junto con cualquier documento adjunto que pudiera contener. Los derechos de privacidad y confidencialidad de la informacion en este mensaje no deben perderse por el hecho de haberse trasmitido erroneamente o por causas de interferencias en el funcionamiento de los sistemas de correo y canales de comunicacion. Toda opinion que se expresa en este mensaje pertenece a la persona remitente por lo que no debe entenderse necesariamente como una opinion del Grupo Financiero Santander y/o de las entidades que lo integran, a menos que el remitente este autorizado para hacerlo o expresamente lo diga en el mismo mensaje. En consideracion a que los mensajes enviados de manera electronica pueden ser interceptados y manipulados, el Grupo Financiero Santander y las entidades que lo integran no se hacen responsables si los mensajes llegan con demora, incompletos, eliminados o con algun programa malicioso denominado como virus informatico. Este mensaje no debe interpretarse, por ningun motivo como una oferta de venta o de compra de valores ni de instrumentos financieros relacionados. Los acentos en la leyenda de confidencialidad se han suprimido para una mejor lectura
This translates roughly as:
I hereby send you the status of your account on 08/Jul/2014.
We recommend you download and keep track of your assets.

The statement is attached to this email in Microsoft Word format.

For any question you can contact Super Business Line.

Best regards,
Attached is a file ESTADOCUENTA_2457.doc which contains a Word Macro virus. However, because most people's settings would stop a Macro virus running then it actually contains detailed instructions on how to remove your security settings.

The first page reads:
El contenido no puede ser mostrado.
Para poder ver el contenido de este documento debe habilitar los Macros de Microsoft Word, luego cerrar y abrir el documento.

Pruebe lo siguiente:
Habilite los Macros y luego vuelva a abrir el documento.
En este documento podrá encontrar una guía proporcionada por www.santander.com para poder habilitar los macros en su Microsoft Word.

Grupo Financiero Santander México - 2014
which roughly translates to:
The content can not be shown.
To view the content of this document should enable macros Microsoft Word, then close and reopen the document.

Try the following:
Enable Macros and then reopen the document.
In this document you will find a guide provided by www.santander.com to enable macros in your Microsoft Word.

Grupo Financiero Santander Mexico - 2014

There then follows several pages with screenshots on how to disable the security in Word and Excel.. doing which of course is a bad idea. Reloading the document will then execute the Macro virus. I have defanged the document and converted it to a PDF file here. A copy of the VBA code is here (thanks to @Techhelplistcom).

The VirusTotal analysis shows just 1/54 virus scanners detect it. The Malwr analysis gives some clues as to what is going on in the string dump, especially the reference to baulretro.cl/tienda/cache/wp/ss.exe ( / Zam Ltda, Chile) which appears to be a malicious binary (at the moment the file is 404ing, but it was working recently).

The properties of the Word document don't give much of a clue:

Authors are "OFEyDV", last saved by "clein" which matches to a few other recent malicious Spanish-language documents [1] [2] [3] [4]. The creation date indicates that perhaps this started off life as a genuine document and has been adapted for evil purposes.

Originating IP for the spam is (Langfang University, China) via (web17.gohost.com).

It's a lot of hard work to get your computer infected, but it does also look quite convincing. Word Macros are very rarely used by anything and you should definitely not fiddle with them if you don't need to.