Sponsored by..

Showing posts with label Nigeria. Show all posts
Showing posts with label Nigeria. Show all posts

Tuesday, 29 March 2016

Malware spam: "Re: New Order P2016280375" / Rose Lu [salesdeinnovative@technologist.com]

This fake financial spam comes with a malicious attachment:


From:    Rose Lu [salesdeinnovative@technologist.com]
Date:    29 March 2016 at 02:30
Subject:    Re: New Order P2016280375

Good Day,
Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
I look forward to receiving your order acknowledgement in due course.
 
Best regards
Rose Lu
Office Manager
Suzhou  Eagle Electric Vehicle Manufacturing Co., Ltd.
Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China
Skype:rose.lu22
Email:luyi@eg-ev.com
Web: http://www.eagle-ev.com
        http://www.eg-ev.com
       http://szeagle.en.alibaba.com
        http://www.chinaelectricvehicle.com
        http://szeagle-golfcar.en.made-in-china.com

Attached is a file New Order P201628037.docx which I have seen a single variant of, with a VirusTotal detection rate of 8/58. The Malwr report is inconclusive, but does appear to to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object..

Crypted.exe
C:\Users\user\Desktop\Crypted.exe
C:\Users\user\AppData\Local\Temp\Crypted.exe


So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn.no-ip.biz hosted on:

105.112.39.114 (Airtel, Nigeria)

I strongly recommend that you block traffic to that IP. In fact, the entire very large 105.112.0.0/12 is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before) so you might want to consider blocking those too.

Wednesday, 11 November 2015

Malware spam: "Refund from Bowater Incorporated" / PayPal

This fake PayPal email leads to malware:

From:    service@paypal.co.uk
Date:    11 November 2015 at 16:27
Subject:    Refund from Bowater Incorporated

PayPal

Bowater Incorporated has just sent you a refund

Wed, 11 Nov 2015 17:27:26 +0100
Transaction ID: 47E30904DC4145388
Dear Customer,
Bowater Incorporated has just sent you a full refund of £7849.90 GBP for your purchase.
If you have any questions about this refund, please contact Bowater Incorporated
The refund will go to your PayPal account. It may take a few moments for this transaction to appear in your account.
To see all the transaction details, please download and view from the link below.
https://www.paypal.com/uk/cgi-bin/webscr?cmd=view-a-trans&id=47E30904DC4145388
Merchant information
Bowater Incorporated
Note from merchant
None provided




Original transaction details
Description Unit price Qty Amount
Purchase from Bowater Incorporated £7849.90 GBP 1 £7849.90 GBP
Insurance: ----
Total: £7849.90 GBP
Refund to PayPal Balance: £7849.90 GBP
Invoice Number: 59266315
Yours sincerely,
PayPal
Please do not reply to this email because we are not monitoring this inbox. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright Š 1999-2015 PayPal. All rights reserved.

PayPal (Europe) S.a.r.l. et Cie, S.C.A.
Societe en Commandite par Actions
Registered office: 64-75 Boulevard Royal, L-3369 Luxemburg
RCS Luxemburg B 205 162
PayPal Email ID PP1479 - nsjwiqin1ob5c

The link in the email goes to a download location at sharefile.com which leads to a file transaction details.zip containing a malicious executable transaction details.scr.

This binary has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report shows network traffic consistent with Upatre download the Dyre banking trojan. One key IP address in 197.149.90.166 (Cobranet, Nigeria) which is well worth blocking.

MD5:
28989811c6b498910637847d538e43bf

Wednesday, 4 November 2015

Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake Transport for London spam is a variation of something used before. It does not actually come from TfL, but is a simple forgery with a malicious attachment:

From     "Transport for London" [noresponse@cclondon.com]
Date     Wed, 4 Nov 2015 14:33:44 +0100
Subject     Email from Transport for London

Dear Customer

Please open the attached file to view correspondence from Transport for London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.

Attached is a file 6305093.zip of which I have seen just one sample, containing a malicious executable 6305093.scr (MD5 6a4cce90ba28720fa9e6813f681b1f75) which has a VirusTotal detection rate of 7/54. This Hybrid Analysis report shows it communicating with the well-known malicious IP address of 197.149.90.166 (Cobranet, Nigeria) which I recommend you block.

The payload here seems to be Upatre dropping the Dyre banking trojan.

Wednesday, 28 October 2015

Malware spam: "Don and Carol Racine" / "www.boatclinic.net" / "boatclinic@aol.com"

This fake financial spam is not from Racine Design Inc but is instead a simple forgery with a malicious attachment:

From     [random]
Date     Wed, 28 Oct 2015 10:39:26 +0100
Subject     [random]

 Dear :
Boat has been done a week now. I contacted you last week
The
Boat is ready to pick up,  I have had inquiries as to people wanting to
buy it,
the carb is in your possession and there is no way to run it,
The boat could
sell real easy at this time of year , Memorial day to 4th of
July most boats
are sold.
Please call me to arrange payment and pickup of the Boat ,
If you
need me to store the boat I can do that at the storage facility ,
they do
charge a fee for this 7.00 per day
The other Invoice for the embroidery will
follow , Balance is due now !
Thanks

Your invoice is attached.  Please
remit payment

Thank you for your business - we appreciate it very
much.


Sincerely,
Don and Carol Racine

Racine Design, Inc.
2036 Imeson
Rd
Jacksonville, Fl.  32220

E-Mail  
boatclinic@aol.com

www.boatclinic.net

phone    (904) 771-8170
fax       
(904) 771-0843
The subject of the email is some randomly-generated sentence, which matches the name of the attached ZIP file. I have seen two samples so far with a detection rate of 3/55 and 2/55 respectively.

Analysis of the binary is pending (please check back), but the payload here is Upatre/Dyre which commonly calls back to 197.149.90.166 (Cobranet, Nigeria), an IP I strongly recommended that you block.

UPDATE:

The reverse.it report shows that the malware does indeed call back to that Nigerian IP address.

Tuesday, 27 October 2015

Malware spam: "RBS Cardholder Application Form" / "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]

This fake financial spam does not come from Sunderland City Council, but is instead a simple forgery with a malicious attachment:

From     "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]
Date     Tue, 27 Oct 2015 18:39:34 +0700
Subject     RBS Cardholder Application Form

Dear Customer,



We now have the go ahead from Corporate Procurement to apply to RBS for your Corporate
Purchase Card. Please find attached the RBS application form which requires your
signature as cardholder on page 2. Also please add the date. Once done can you scan
the document and email it back to me or alternatively post it back to me c/o Purchase
Card Administration Team, Transactional Finance, Room 1.34, Civic Centre, Sunderland
SR2 7DN.



Kind regards,

Wm.
Wm Palmer
Purchase Ordering Officer
Commercial and Corporate Services
Sunderland City Council

Tel: 0191 5617588
www.sunderland.gov.uk

Sunderland City Council: Sunderland Home Page

The Sunderland City Council website is for anyone living, working, visiting or wanting
to invest in Sunderland - a great city by the sea with a balanced way of life ...

Read more...

Attached is a file New_Cardholder_Application_Wm_Palmer.zip containing a malicious executable New_Cardholder_Application.scr - which is exactly the same malware as used in this other fake council spam run today.

Malware spam: "Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance" / credbills@denbighshire.gov.uk

I've never had malware spam in Welsh before.. this is not from Denbighsire County Council, but is instead a simple forgery with a malicious attachment:

From     "credbills@denbighshire.gov.uk" [credbills@denbighshire.gov.uk]
Date     Tue, 27 Oct 2015 17:46:01 +0530
Subject     Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance

Gweler manylion taliad BACS yn atodedig

Please see attached Bacs Remittance

Dilyn ni ar Twitter: http://twitter.com/cyngorsDd Follow us on Twitter: http://twitter.com/DenbighshireCC
Ymwelwch a ni ar-lein ar http://www.sirddinbych.gov.uk Visit us online at http://www.denbighshire.gov.uk
Mae'r wybodaeth a gynhwysir yn yr e-bost hwn ac unrhyw ffeiliau a drosglwyddir gydag
o wedi eu bwriadu yn unig ar gyfer pwy bynnag y cyfeirir ef ato neu atynt. Os ydych
wedi derbyn yr e-bost hwn drwy gamgymeriad, hysbyswch yr anfonwr ar unwaith os gwelwch
yn dda. Mae cynnwys yr e-bost yn cynrychioli barn yr unigolyn(ion) a enwir uchod
ac nid yw o angenrheidrwydd yn cynrychioli barn Cyngor Sir Ddinbych. Serch hynny,
fel Corff Cyhoeddus, efallai y bydd angen i Gyngor Sir Ddinbych ddatgelu'r e-bost
hwn [neu unrhyw ymateb iddo] dan ddarpariaethau deddfwriaethol. The information contained
in this e-mail message and any files transmitted with it is intended solely for the
use of the individual or entity to whom they are addressed. If you have received
this e-mail in error please notify the sender immediately. The contents of this e-mail
represents the views of the individual(s) named above and do not necessarily represent
the views of Denbighshire County Council. However, as a Public Body, Denbighshire
County Council may be required to disclose this e-mail [or any response to it] under
legislative provisions.
Attached is a file DenbighshireCC.zip which contains a malicious executable DenbighshireCC.scr. This has a VirusTotal detection rate of 5/55. The Hybrid Analysis report shows characterstics common to the Upatre/Dyre banking trojan. In particular it identifies traffic to a know bad IP:

197.149.90.166 (Cobranet, Nigeria)

I strongly recommend that you block traffic to that IP.



Friday, 23 October 2015

Malware spam: "Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)"

This fake financial spam has a malicious attachment:

From:    Accounts [message-service@post.xero.com]
Date:    23 October 2015 at 15:08
Subject:    Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)

Hi Mattie,

Attached is your credit note CN-06536 for 8954.41 GBP.

This has been allocated against invoice number

If you have any questions, please let us know.

Thanks,
Avnet, Inc.
The message is neither from Avnet, Xero or Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc ..  but  it's actually a ZIP file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe  and has a VirusTotal detection rate of 4/55. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan.

Analysis is still pending for this malware (please check back later) but the current version of Update/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.

UPDATE:
The Hybrid Analysis report is here, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe




Wednesday, 23 September 2015

Malware spam: "Bankline ROI - Password Re-activation Form" / "secure.message@rbs.co.uk"

This fake banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:

From     "RBS" [secure.message@rbs.co.uk]
Date     Wed, 23 Sep 2015 11:28:48 GMT
Subject     Bankline ROI - Password Re-activation Form

Please find the Re-activation form attached, send one per user ensuring only one
box is selected in section 3.  A signatory on the bank mandate must sign the form.

Fax to 1850 826978 or alternatively you may wish to email the completed document,
by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk

On receipt of the completed form we will respond to the request within 2 working
hours and communicate this to the user by email.

<>

Please note - The life-span of an activation code is 21 days; after this time, the
activation code will expire and a new one must be ordered. 

Please be aware when choosing a new pin and password for the service, it is important
not to use pin/passwords that you have used before but to use completely different
details.

If you are the sole Standard Administrator may I take this opportunity to suggest
when you are reinstated on the system, to set up another User in a Standard Administrator
role. This will prevent you being locked out completely and allow you to order a
new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on
1850 310269 and one of our associates will be happy to assist you.

Regards
Bankline Product Support

This e-mail message is confidential and for use by the intended recipient only. If
the message is received by anyone other than the intended recipient, please return
the message to the sender by replying to it and then delete the message from your
computer. Internet e-mails are not necessarily secure. Ulster Bank Limited and Ulster
Bank Ireland Limited (\"Bankline Bank Group\")/ Royal Bank of Scotland Group plc
does not accept responsibility for changes made to this message after it was sent.
Ulster Bank Group / Royal Bank of Scotland Group plc may monitor e-mails for business
and operational purposes. By replying to this message you give your consent to our
monitoring of your email communications with us. Whilst all reasonable care has been
taken to avoid the transmission of viruses, it is the responsibility of the recipient
to ensure that the onward transmission, opening or use of this message and any attachments
will not adversely affect its systems or data. No responsibility is accepted by any
member of Ulster Bank Group / Royal Bank of Scotland Group plc in this regard and
the recipient should carry out such virus and other checks as it considers appropriate.

In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious exeucutable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56. The Hybrid Analysis report shows behaviour consistent with Upatre / Dyre and shows that the malware communicates with a known bad IP of 197.149.90.166 (Cobranet, Nigeria) which I definitely recommend blocking or monitoring.

Monday, 21 September 2015

Malware spam: "Your Sage subscription invoice is ready" / "noreply@sage.com"

This fake Sage email contains a malicious attachment.

From:    noreply@sage.com [noreply@sage.com]
Date:    21 September 2015 at 11:30
Subject:    Your Sage subscription invoice is ready

Dear Ralph Spivey

Account number: 45877254

Your Sage subscription invoice is now online and ready to view.

Sage One subscriptions

    Please follow the link bellow to view/download your account invoice: http://www.sageone.co.uk/

Got a question about your invoice?

Call us on 1890 88 5045

If you're an Accountant, please call 1890 92 21 06
If you're a Business Partner, please call 1890 94 53 85

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.

The link in the email actually goes to a download location at Cubby rather than sageone.co.uk, this downloads a file invoice.zip which in turn contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56. The Hybrid Analysis report shows that this is Upatre dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria.

Friday, 18 September 2015

Malware spam: "Transaction confirmation" / "donotreply@lloydsbank.co.uk"

This fake banking spam comes with a malicious attachment:

From     donotreply@lloydsbank.co.uk
Date     Fri, 18 Sep 2015 11:52:36 +0100
Subject     Transaction confirmation

Dear Customer,

Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.

Best regards,
Your personal Manager

Thora Blanda

tel: 0345 300 0000

LLOYDS BANK. 
Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria.

Thursday, 17 September 2015

Malware spam: hrwfmailerprod@lancashire.gov.uk / REFURBISHMENT

This fake financial spam (presumably) comes in several different variants (I saw two):

From     "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]
To     hp_printer@victimdomain.com
Date     Thu, 17 Sep 2015 12:16:26 GMT
Subject     FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)


From             Mabel Winter
To             hp_printer@victimdomain.com
Sent             Thu, 17 Sep 2015 12:12:26 GMT
ID             7216378
Number             6767609,1
Title             Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT

Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment. 
The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55.

The payload appears to be Upatre/Dyre as seen earlier today.

Malware spam: "Shell E-Bill for Week 38 2015"

This fake financial spam comes with a malicious attachment:

From     [invoices@ebillinvoice.com]
To     administrator@victimdomain.com
Date     Thu, 17 Sep 2015 11:10:15 GMT
Subject     Shell E-Bill for Week 38 2015

Customer No         : 28834
Email address       : administrator@victimdomain.com
Attached file name  : 28834_wk38_2015.PDF

Dear Customer,

Please find attached your invoice for Week 38 2015.

In order to open the attached PDF file you will need
the software Adobe Acrobat Reader.

For instructions of how to download and install this
software onto your computer please visit
http://www.adobe.com/products/acrobat/readstep2.html

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.

Yours sincerely

Customer Services

======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================

Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.

MD5:
0d9c66ffedce257ea346d2c7567310ac

Wednesday, 16 September 2015

Malware spam: "Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/"

This fake Lloyds Bank spam comes with a malicious payload:

From:    RSTNAME} Crabtree [Chang.Crabtree@lloydsbankcommercial.com]
Date:    15 September 2015 at 13:18
Subject:    Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/

Please find attached our document pack for the above customer. Once completed please return via email to the below address.

If you have any queries relating to the above feel free to contact us at

MN2Lloydsbanking@lloydsbankcommercial.com
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 7117152. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC453043.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.

In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:

thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt

A further download  then takes place from:

vandestaak.com/css/libary.exe

This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).

Recommended blocklist:
197.149.90.166
vandestaak.com
thebackpack.fr
obiectivhouse.ro

MD5s:
4b944c5e668ea9236ac9ab3b1192243a
1939eba53a1289d68d1fb265d80e60a1

Malware spam: "HSBC SecureMail" / "You have received a secure message"

This fake HSBC email message has a malicious payload:


From:    HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@hsbc.co.uk]
Date:    16 September 2015 at 13:13
Subject:    You have received a secure message


You have received a secure message
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.hsbc.co.uk/secureemail


HSBC_Payment_87441653
16K
Attacked is a file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56.

UPDATE: The Hybrid Analysis report shows network traffic to a familiar Nigerian IP of 197.149.90.166 which I strongly recommend you block. The traffic pattern is indicative of Upatre dropping the Dyre banking trojan.

MD5:
359f0c584d718f44e9777e259f013031

Friday, 11 September 2015

Malware spam: "Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva" / reports@officeteam.co.uk

This fake financial spam comes with a malicious payload:
From     "reports@officeteam.co.uk" [reports@officeteam.co.uk]
Date     Fri, 11 Sep 2015 10:39:32 GMT
Subject     Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva

Please find attached your sales order acknowledgement

Order No: EF150085
Account: PFM895
Your Reference: 14 /Geneva
Web Reference:
Kind Regards
Office Team
In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet).

In this case, the payload is Upatre downloading the Dyre banking trojan.

MD5:
0a7e68a84765d639210b77575c2373bd

Thursday, 10 September 2015

Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]

This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:

From     "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
Date     Thu, 10 Sep 2015 06:32:37 -0500
Subject     Payroll Received by Intuit

Dear, petrol
We received your payroll on Sep 10, 2015 at 09:01.

Attached is a copy of your Remittance. Please click on the attachment in order to
view it.

Please note the deadlines and status instructions below:

If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
paid two (2) banking days from the date received or on your paycheck date, whichever
is later. 

If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
days from the date received or on your paycheck date, whichever is later. 

YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.

Funds are typically withdrawn before normal banking hours so please make sure you
have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.

Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
date or your employees will not be paid on time. 

Intuit does not process payrolls on weekends or federal banking holidays. A list
of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Sincerely,

Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software.

If you have any questions or comments about this email, please DO NOT REPLY to this
email. If you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect
is a phishing email, please forward it to immediately to spoof@intuit.com.

© 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
trademarks and/or registered service marks of Intuit Inc. in the United States and
other countries. All other marks are the property of their respective owners, should
be treated as such, and may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706 
Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.

In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.

MD5:
4dbdf9e73db481b001774b8b9b522ebe

Monday, 7 September 2015

Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]

This spam does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From     "Companies House" [WebFiling@companieshouse.gov.uk]
Date     Mon, 7 Sep 2015 12:40:01 +0100
Subject     RE: Case 0676414

The submission number is: 0676414

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500  

The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.

This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.

MD5:
f1d62047d22f352a14fe6dc0934be3bb

Tuesday, 1 September 2015

Malware spam: "Complaint of your Internet activity"

This spam comes with a malicious attachment:

From:    Margret Kuhic
Date:    1 September 2015 at 16:10
Subject:    Complaint of your Internet activity

This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.

Margret Kuhic
Dynamic Communications Agent
T: 1-679-732-5379
F: 100.173.9045
All the sames I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a valid attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56.

This Hybrid Analysis report shows it to be just another variant of Update / Dyre with the same characteristics as the malspam seen earlier today, sending traffic to an IP that I suggest you block or monitor:

197.149.90.166 (Cobranet, Nigeria)

Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494


Malware spam: "Private message notification 41447" / "Adrien Abbott"

This spam comes with a malicious attachment:
From:    Adrien Abbott
Date:    1 September 2015 at 12:34
Subject:    Private message notification 41447

You've received a private message. Please open the attached to view it.

Adrien Abbott
Chief Tactics Executive
home: 1-583-761-3793
work: 380.022.2492
twitter: @nicole
skype: nicole
messenger: nicole
I have only seen a single sample of this spam, and the attachment was not formatted properly making it harmless, however other variants could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56, the Hybrid Analysis report shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to:

197.149.90.166 (Cobranet, Nigeria)

..which is an IP that has been used several time for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor.

MD5:
7c94abe2e3b60f8a72b7358d50d04ee0

Thursday, 27 August 2015

Malware spam: "Payslip for period end date 27/08/2015" / "noreply@fermanagh.gov.uk"

This spam does not come from Fermanagh District Council. Of course it doesn't. It is instead a simple forgery with a malicious attachment:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    27 August 2015 at 12:28
Subject:    Payslip for period end date 27/08/2015

Dear administrator

Please find attached your payslip for period end 27/08/2015

Payroll Section

Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly.

This executable has a detection rate of 3/56 and the Hybrid Analysis report indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking.

MD5:
fdea30868df48bff9e7c2b2605431d23