
Wednesday 28 October 2015

Malware spam: "Thank you for your order" / "DoNotReply@ikea.com"

This fake order spam does not come from IKEA but is instead a simple forgery with a malicious attachment.

From:    DoNotReply@ikea.com
Date:    28 October 2015 at 08:57
Subject:    Thank you for your order


IKEA
IKEA UNITED KINGDOM

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
30-10-2015
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
30-10-2015
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.


Attached is a file IKEA receipt 607656390.doc which contains this malicious macro and which has a VirusTotal detection rate of 4/55.

Analysis of the document and whatever it downloads is pending, but this is likely to be the Dridex banking trojan.

UPDATE 1:

The reverse.it analysis of the first sample shows a download from:

alvarezsantos.com/4f67g7/d6f7g8.exe

This dropped binary has a detection rate of just 2/55.

Two further samples have now been seen (VT results [1] [2]) and according to the analysis of one of them, it downloads from:

experassistance.fr/4f67g7/d6f7g8.exe

Analysis of the dropped binary is pending. Please check back shortly.

UPDATE 2:

A further reverse.it analysis shows another download location of:

www.retrogame.de/4f67g7/d6f7g8.exe

The reverse.it analysis of the dropped binary is inconclusive.

UPDATE 3:

According to sources cleverer than I, this doesn't appear to be Dridex at all, but Neutrino Bot / Kasidet, which downloads the Shifu banking trojan in the UK.

Wednesday 21 October 2015

Malware spam: "INVOICE FOR PAYMENT - 7500005791" / "Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]"

This fake financial spam is not from Lancashire Police but is a simple forgery with what appears to be a malicious attachment.

From:    Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date:    21 October 2015 at 10:15
Subject:    INVOICE FOR PAYMENT - 7500005791

Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters

Email: Lyn.Whitehead@lancashire.pnn.police.uk

********************************************************************************************

This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.

Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.

This e-mail has been scanned for the presence of computer viruses.

******************************************************************************************** 
The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.

The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.

Other analysis is pending please check back.

UPDATE 1:
Another version of this is in circulation, also with zero detections at VirusTotal. The Hybrid Analysis for both samples is inconclusive [1] [2].

UPDATE 2:
An analysis of the documents shows an HTTP request to:

ip1.dynupdate.no-ip.com:8245

All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.

UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened it and got a screen like this:

[screenshot of the corrupt document failing to open; source: Malwr.com]

...then you are not infected. Incidentally, this only infects Windows PCs anyway.

The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3] - analysis of these documents is pending, although I can tell you that they create a malicious file in %TEMP%\HichAz2.exe.
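A quick way to tell the corrupt samples from the "fixed" ones is to look for the OLE compound-file magic (D0 CF 11 E0 A1 B1 1A E1, which every legacy .doc begins with) and see whether it sits at offset 0 or has been pushed along by junk bytes. The check below is an added example, not code from the original post; the sample byte strings are constructed inline and the eight-byte scan window is an assumption. It also returns the MD5 of the repaired bytes so the result can be matched against the VirusTotal reports for the fixed documents.

```python
import hashlib

# Compound File Binary (OLE2) header signature used by legacy Word .doc files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def check_doc(data, scan_limit=8):
    """Classify a purported .doc by where the OLE magic appears.

    Returns (status, offset, repaired_bytes):
      "ok"       -> magic at offset 0, file untouched
      "repaired" -> magic found at a small offset (junk bytes prepended); junk stripped
      "not-ole"  -> magic not found within scan_limit bytes (RTF, docx/zip, or something else)
    The scan window (assumption) is small on purpose: a stray byte or two is what this
    spam run shipped, not an embedded OLE blob deep inside another container.
    """
    idx = data.find(OLE_MAGIC, 0, scan_limit + len(OLE_MAGIC))
    if idx == 0:
        return "ok", 0, data
    if idx > 0:
        return "repaired", idx, data[idx:]
    return "not-ole", -1, data


def md5_hex(data):
    """MD5 of the (possibly repaired) bytes, for comparison with VirusTotal reports."""
    return hashlib.md5(data).hexdigest()


# --- Constructed samples (not real malware): a minimal OLE-looking header and a
# --- copy of it with one junk byte prepended, as described in the post.
GOOD_DOC = OLE_MAGIC + bytes(16) + b"\x3e\x00\x03\x00\xfe\xff\x09\x00"
CORRUPT_DOC = b"\x0a" + GOOD_DOC
RTF_DOC = b"{\\rtf1\\ansi ...}"


def triage(samples):
    """Run check_doc over (name, bytes) pairs and report status, offset and repaired MD5."""
    report = []
    for name, data in samples:
        status, offset, fixed = check_doc(data)
        report.append((name, status, offset, md5_hex(fixed)))
    return report


if __name__ == "__main__":
    for row in triage([("good.doc", GOOD_DOC), ("corrupt.doc", CORRUPT_DOC), ("other.rtf", RTF_DOC)]):
        print("%-12s %-9s offset=%2d md5=%s" % row)
```

Note that a "repaired" file is the live maldoc: only write it back to disk inside an isolated analysis VM, never on a user's machine. The status alone is enough for the help desk question the post raises (did the user actually get infected?).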

UPDATE 4:
The Hybrid Analysis reports for the documents [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:

www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe

At present this has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports in addition to this Malwr report indicate malicious traffic to the following IPs:

89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)


The payload is probably the Shifu banking trojan.

Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49

Tuesday 20 October 2015

Malware spam: "Shaun Buzzard [shaunb@hubbardproducts.com]" / "Order"

This fake financial spam does not come from Hubbard Products but is instead a simple forgery with a malicious attachment:

From     Shaun Buzzard [shaunb@hubbardproducts.com]
Date     Tue, 20 Oct 2015 16:05:55 +0530
Subject     Order

Hi ,
Please find attached order.

Kind regards.
Shaun Buzzard

Hubbard Products Limited
Hillview, Church Road, Otley, Suffolk. IP69NP
Registered in England No. 6217134

Email: shaunb@hubbardproducts.com
DDI: 01473892216

Fax: 01473890687


Important Email Information :
The information contained in this email is confidential and may be legally privileged.
This email is intended to be viewed initially only by the named individual or legal
entity. If the reader of this email is not the intended recipient or a representative
of the intended recipient, you are hereby notified that any reading, dissemination
or copying of this email or of the information contained herein is prohibited. If
you have received this email in error please immediately notify the sender by return,
delete this email and destroy any hard copies immediately. Thank you

The attachment is named lp22_20151013_164535.doc and I have seen the following MD5s:

608D1733D6E47C7BEE187C1EE890D6E3
C6CD52B59FC772EDDE4DF5D4058524FE
001415839B511361BC429C379892065D


The payload is the Shifu banking trojan (initially reported as Dridex), as seen in this spam run earlier today.

Malware spam: "Purchase Order No: 48847" / "Harminder Saund"

This fake financial spam comes with a malicious payload:

From     Harminder Saund [MinSaund77@secureone.co.uk]
Date     Tue, 20 Oct 2015 16:08:53 +0700
Subject     Purchase Order No: 48847

Attached is a copy of our Purchase Order number 48847

==============
Harminder Saund

Secure One
==============

The sender's email address varies slightly, for example:

MinSaund77@secureone.co.uk
MinSaund92@secureone.co.uk
MinSaund94@secureone.co.uk
MinSaund013@secureone.co.uk

Attached is a file PO_48847.DOC which I have seen two different versions of so far (VirusTotal [1] [2]) each containing a slightly different malicious macro [1] [2]. There are probably different versions of the document with different macros.

Automated analysis is pending, however the payload is most likely the Dridex banking trojan. Please check back for updates.

MD5s:
c6cd52b59fc772edde4df5d4058524fe
001415839b511361bc429c379892065d

UPDATE:
So far, three download locations have been identified:

ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe

This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:

fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)

I recommend that you block traffic to that IP.

The payload has been reported to be Shifu, not Dridex.
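The download hosts, C2 IPs and the no-ip lookup from the three posts above can be folded into one proxy-log sweep, which is what most readers will want to do with them. The script below is an added example, not code from the original posts or from any vendor. The log line format ("timestamp client method url") and the sample lines are constructed; the regex that generalises the three download paths seen on this page (short alphanumeric directory, short alphanumeric .exe) is an assumption and is flagged as "review", not as a confirmed hit.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Indicators transcribed from the posts above (exact match on host or IP).
BLOCKLIST_IPS = {
    "89.32.145.12", "119.47.112.227", "195.154.251.123", "157.252.245.49",  # Lancashire run
    "188.166.250.20",  # Secure One run (fat.uk-fags.top)
}
INDICATOR_HOSTS = {
    "alvarezsantos.com", "experassistance.fr", "www.retrogame.de",  # IKEA run
    "www.sfagan.co.uk", "www.cnukprint.com", "www.tokushu.co.uk", "www.gkc-erp.com",  # Lancashire run
    "ladiesfirst-privileges.com", "papousek.kvalitne.cz", "pmspotter.wz.cz",  # Secure One run
    "fat.uk-fags.top",
}
# Not malicious on its own: the maldoc asked it for the victim's external IP.
NOIP_CHECK = ("ip1.dynupdate.no-ip.com", 8245)

# Assumption: generalisation of /4f67g7/d6f7g8.exe, /56475865/ih76dfr.exe, /656465/d5678h9.exe.
DOWNLOAD_PATH_RE = re.compile(r"^/[0-9a-z]{5,9}/[0-9a-z]{6,8}\.exe$")

# Constructed log format (assumption): "<epoch> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::(\d+))?(/.*)?$")


@dataclass
class Hit:
    client: str
    host: str
    reason: str


def classify(url):
    """Return a reason string if the URL matches an indicator, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, port, path = m.group(1).lower(), m.group(2), m.group(3) or "/"
    try:
        if str(ip_address(host)) in BLOCKLIST_IPS:
            return "blocklisted C2 IP"
    except ValueError:
        pass  # hostname, not an IP literal
    if host in INDICATOR_HOSTS:
        return "known download/C2 host"
    if (host, int(port or 80)) == NOIP_CHECK:
        return "no-ip external-IP check (weak indicator)"
    if DOWNLOAD_PATH_RE.match(path):
        return "download path pattern (review)"
    return None


def scan(lines):
    """Scan proxy log lines; return one Hit per line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url = m.groups()
        reason = classify(url)
        if reason:
            hits.append(Hit(client, URL_RE.match(url).group(1).lower(), reason))
    return hits


# Constructed sample log: one infected client, one clean one, one path-pattern-only case.
SAMPLE_LOG = """\
1445420100 10.1.2.3 GET http://www.sfagan.co.uk/56475865/ih76dfr.exe
1445420105 10.1.2.3 GET http://ip1.dynupdate.no-ip.com:8245/
1445420110 10.1.2.3 POST http://89.32.145.12/
1445420200 10.1.2.7 GET http://www.example.com/index.html
1445420300 10.1.2.9 GET http://cdn.example.net/4f67g7/d6f7g8.exe
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.client:12} {hit.host:32} {hit.reason}")
```

The order of checks matters: a hit on a known host or IP is reported as such even when the path also matches, so the weaker "review" and no-ip reasons only surface for traffic the hard indicators do not already explain. Client 10.1.2.3 in the sample shows the full sequence from the Lancashire post (download, external-IP lookup, C2 contact), which is the pattern worth alerting on as a whole rather than as three isolated events.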