
Showing posts with label Norway. Show all posts

Thursday 27 April 2017

Malware spam: Scotiabank / "Secure email communication" / Secure.Mail@scotiabankmail.com

This fake financial spam leads to malware:

From:    ScotiaBank [Secure.Mail@scotiabankmail.com]
Date:    27 April 2017 at 14:13
Subject:    Secure email communication
Signed by:    scotiabankmail.com


Scotia Secure Email Logo
Secure mail waiting: (Secure)
Scotiabank has sent you a secure, encrypted e-mail message. To view this e-mail, please visit "Scotiabank Secure Email Service" or check attach file. For further information on how to use this service please reffer to "the Secure Email User Guide".
The email you receive from Scotiabank, including any attachments, may contain confidential and/or privileged information for the intended recipient(s) only and the sender does not waive any related legal rights or privilege. Any use or disclosure of the information by an unintended recipient is unauthorized and prohibited. If you have received an email message in error, please delete the entire message, including attachments if any, and inform us by return email. 

Opening the attached document SecureMail.doc leads to a simple page that tries to get you to enable Active Content (not recommended!).

Hybrid Analysis shows a download from elevationstairs.ca/fonts/dde60c5776c175c54d23d2b0c.png [70.33.246.140 - Host Papa, US] leading to a dropped file Pscou.exe which has a detection rate of 11/61 and appears to be Upatre.

Malwr Analysis of the downloaded file shows attempted communications to:

82.146.94.86 (Ringnett, Norway)
8.254.243.46 (Level 3, US)
217.31.111.153 (Ringnett, Norway)


scotiabankmail.com has been registered specifically for this attack, so you can block that domain or block the sending IP of 89.40.216.186 (City Network Hosting AB, Sweden).

Recommended blocklist:
scotiabankmail.com [email]
89.40.216.186 [email]
70.33.246.140
82.146.94.86
8.254.243.46
217.31.111.153

Friday 22 April 2016

Malware spam: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

This fake Amazon email leads to malware. On some mail clients there may be no body text:

From: auto-shipping@amazon.co.uk Amazon.co.uk
To
Date: Fri, 22 Apr 2016 10:50:56 +0100
Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #525-2814418-9619799 (received April 22, 2016)


Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  Occasionally though, we know you may want to return items. Read more about our Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label.  Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.co.uk/help

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

-------------------------------------------------
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------

Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:



This dropped executable has a detection rate of 6/56. The Hybrid Analysis and DeepViz Analysis plus some data sourced from other parties (thank you) indicate that the malware calls back to the following IPs:

186.250.48.10 (Redfox Telecomunicações Ltda., Brazil)
193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload here appears to be the Dridex banking trojan.

Recommended blocklist:
186.250.48.10
193.90.12.221
194.116.73.71
200.159.128.144


UPDATE 2016-04-26

Another identical round of this spam is being sent out, complete with the formatting error that prevents the body text being displayed on some email clients. VirusTotal detection rates for the two samples I have seen are 5/57 [1] [2]. Hybrid Analysis of the attachments [3] [4] shows download locations at:

shagunproperty.com/987gby8nn8
aysanatorganizasyon.com/987gby8nn8


A trusted source tells me there are other download locations at:



From here a binary is dropped on the system with a detection rate of 3/56. Those Hybrid analyses plus this DeepViz report show network traffic to:

176.9.113.216 (Hetzner, Germany)

Apparently there are C2 servers here:

186.250.48.10 (Redfox Telecomunicações Ltda, Brazil)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload still appears to be Dridex.

Recommended blocklist:
176.9.113.216
186.250.48.10
200.159.128.144


Thursday 21 April 2016

Malware spam: "BalanceUK_INVOICE_X002380_1127878" / adminservices@grouphomesafe.com

This fake financial spam does not come from BalanceUK Limited but is instead a simple forgery with a malicious attachment:

From:    adminservices@grouphomesafe.com
Date:    21 April 2016 at 10:33
Subject:    "BalanceUK_INVOICE_X002380_1127878"

Thank you for placing your order with BalanceUK Ltd

Please find attached your document.

BalanceUK Limited,
30-32 Martock Business Park,
Great Western Road,
Martock,
Somerset,
TA12 6HB

Email: Balanceuk.orders@erahomesecurity.com
Tel: 01935 826 960
Fax: 01935 829 215


***  Please do not reply to this email address  ***

Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56.
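
As an added example (not part of the original post), this is a mail-gateway style check for the attachment layout described above: a ZIP inside a ZIP with a script at the bottom. The extension list and size/depth limits are assumptions, and the sample archive is constructed in memory with a harmless placeholder script.

```python
import io
import zipfile

# Extensions that Windows executes or that carry macros (assumed policy list).
RISKY_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".docm")
MAX_DEPTH = 4                   # stop descending into archives nested deeper than this
MAX_MEMBER_BYTES = 20 * 2**20   # do not inflate members claiming more than 20 MiB


def scan_zip(data, depth=0, prefix=""):
    """Return (path, reason) findings for a ZIP given as bytes, descending into nested ZIPs."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "unreadable-zip")]
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            lower = info.filename.lower()
            if info.flag_bits & 0x1:          # bit 0 set: member is encrypted
                findings.append((path, "encrypted-member"))
                continue
            if lower.endswith(RISKY_EXTENSIONS):
                findings.append((path, "risky-extension"))
            elif lower.endswith(".zip"):
                if depth + 1 >= MAX_DEPTH:
                    findings.append((path, "nesting-too-deep"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "member-too-large"))
                else:
                    findings += scan_zip(archive.read(info), depth + 1, path + "!/")
    return findings


def build_sample():
    """Constructed sample: outer ZIP -> inner ZIP -> harmless placeholder .js."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("4812610-20.04.2016.js", "// placeholder, not real malware\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("4812610-20.04.2016.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip(build_sample()):
        print(reason, path)
```

Because the outer attachment name changes between samples while the inner names stay the same, the finding path is built from the inner member names only.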

This malicious script [pastebin] downloads an executable from:

dd.ub.ac.id/9uhg5vd3

There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56. The Hybrid Analysis of the dropped binary shows network traffic to:

193.90.12.221 (MultiNet AS, Norway)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload is not clear, but is probably the Dridex banking trojan.

Recommended blocklist:
193.90.12.221
200.159.128.144


Wednesday 20 April 2016

Malware spam: "Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]" / "Document No™2958719"

This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:

From:    Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]
Date:    20 April 2016 at 11:01
Subject:    Document No™2958719

Thanks for using electronic billing

Please find your document attached

Regards


Beerhouse Self Drive

In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:

bi.pushthetraffic.com/87ty8hbvcr44

There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between them identify what is likely to be Dridex, phoning home to the following servers:

193.90.12.221 (MultiNet AS, Norway)
212.126.59.41 (Letshost / Digiweb, Ireland)
93.104.211.103 (Contabo GmbH, Germany)
155.133.82.82 (FUFO Studio Agata Grabowska, Poland)
212.50.14.39 (Computers Equipnemt, Bulgaria)
91.194.251.204 (TOV Dream Line Holding, Ukraine)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)


Recommended blocklist: