"Scanned Image from a Xerox WorkCentre" spam

This is a thoroughly old school spam with a malicious attachment.

Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From:      Local Scan [scan.614@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

You have a received a new image from Xerox WorkCentre.

Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: victimdomain

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contain a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.

The Comodo CAMAS report shows that the malware downloads components from the following locations:

94.23.247.202/3107us2/SANDBOXA/0/51-SP2/0/
94.23.247.202/3107us2/SANDBOXA/1/0/0/
94.23.247.202/3107h2/SANDBOXA/1/0/0/
94.23.247.202/3107op2/SANDBOXA/1/0/0/
globe-runners.com/fichier_pdf/31u2.zip
lucantaru.it/docs/31u2.zip
mediamaster-2000.de/img/heap.zip
ig-engenharia.com/wp-content/uploads/2014/02/heap.zip
upscalebeauty.com/img/colors/teal/opened.zip
lagrimas.tuars.com/css/opened.zip

There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before.

Recommended blocklist:
94.23.247.202
globe-runners.com
lucantaru.it
mediamaster-2000.de
ig-engenharia.com
upscalebeauty.com
lagrimas.tuars.com

"Important - BT Digital File" spam

This fake BT spam has a malicious attachment:

Date:      Mon, 4 Aug 2014 08:48:51 -0430 [09:18:51 EDT]
From:      Marci Tobin
Subject:      Important - BT Digital File


BT Digital Vault     BT

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 7221* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team
footer

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

The attachment is BT_Digital_Vault_File.zip which contains a malicious executable BT_Digital_Vault_File.exe which has a VirusTotal detection rate of 5/54. According to the Comodo CAMAS report the malware reaches out to the following URLs:

94.23.247.202/0408choUK2/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408choUK2/SANDBOXB/1/0/0/
94.23.247.202/0408heap/SANDBOXB/1/0/0/
94.23.247.202/0408preb04/SANDBOXB/1/0/0/
amhzconsultancy.com/wordpress/48u2.zip
sintesismark.com/images/48u2.zip
bianconeandwilinsky.com/wp-content/uploads/2013/02/h8i3.zip
osteoarthritisblog.com/wp-content/uploads/2010/02/h8i3.zip
hopeisnull.comuf.com/wp-content/uploads/2014/03/pre.zip
grenzland-classic.de/css/pre.zip

Recommended blocklist:
94.23.247.202
amhzconsultancy.com
sintesismark.com
bianconeandwilinsky.com
osteoarthritisblog.com
hopeisnull.comuf.com
grenzland-classic.de


UPDATE: the following spam also has the same payload..

Date:      Mon, 4 Aug 2014 11:41:18 +0000 [07:41:18 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 7132163 - Companies House

The submission number is: 7132163

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500 

NatWest "You have a new Secure Message" spam uses goo.gl links to spread malware

This fake NatWest bank message uses the Goo.gl URL shortener to spread malware:

From:     NatWest [secure.message@natwest.com]
Date:     24 July 2014 10:39
Subject:     You have a new Secure Message

You have received a secure message from NatWest Bank

To read your secure message please click here. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.natwest.com/websafe/ml/help?topic=RegEnvelope

The link in the email goes to goo.gl/dGDi7l and the downloads a ZIP file from berkleyequine.com/wp-includes/images/Documents-43632.zip, containing a malicious executable Documents-43632.scr which has a VirusTotal detection rate of  just 1/54. The CAMAS report shows that the malware calls out to the following URLs;

94.23.247.202/0108uk1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108uk1/SANDBOXA/1/0/0/
94.23.247.202/0108hk1/SANDBOXA/1/0/0/
94.23.247.202/0108ok1/SANDBOXA/1/0/0/
acanthe.be/css/01u1.rar
dirbeen.com/misc/01u1.rar
porfintengoweb.com/css/heap_61_id3.rar
sso-unidadfinanzas.com/images/heap_61_id3.rar
theothersmag.com/covers/opened.rar
firstfiresystems.com/css/slimbox/opened.rar

The characteristics of this malware are very similar to this one seen yesterday, and you can be assured that there are other goo.gl URLs and download locations in addition to the one listed here.

Because you can see the stats for any goo.gl URL just by adding a "+" on the end, it is possible to see who is clicking through. Oddly, there is not a single clickthrough from the UK where the NatWest bank is actually based.

Google don't make it easy to report spammy links and they are awfully slow to respond to reports, but their reporting form is at goo.gl/spam-report if you want to try it (I would recommend giving it a go).

Recommended blocklist:
94.23.247.202
acanthe.be
dirbeen.com
porfintengoweb.com
sso-unidadfinanzas.com
theothersmag.com
firstfiresystems.com
berkleyequine.com

Bank of America "Important Documents" spam leads to Cryptowall

This fake BofA spam has a malicious payload:

Date:      Mon, 4 Aug 2014 19:57:07 +0800 [07:57:07 EDT]
From:      Andrea Talbot [Andrea.Talbot@bofa.com]
Subject:      RE: Important Documents

Please check attached documents regarding your Bofa account.

Andrea Talbot
Bank Of America
817-298-4679 office
817-180-2340 cell Andrea.Talbot@bofa.com

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached 

Attached to the message is an archive AccountDocuments.zip which in turn contains the malicious executable AccountDocuments.scr which has a VirusTotal detection rate of 6/54 and the comments indicate that this is a variant of Cryptowall. The Comodo CAMAS report shows that it phones home to the following URLs:

94.23.247.202/0408cnet28/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408cnet28/SANDBOXB/1/0/0/
dirbeen.com/khalid53/cnet28.zip
ibuildchoppers.com/wp-content/gallery/choppers/cnet28.zip

Recommended blocklist:
94.23.247.202
dirbeen.com
ibuildchoppers.com

"You've received a new fax" / "You have a new Secure Message" spam

This pair of spam messages leads to a malicious ZIP file downloaded via goo.gl (and not Dropbox as the spam says)

From:     Fax [fax@victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax

New fax at SCAN7905518 from EPSON by https://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800

Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/8AanL9

(Dropbox is a file hosting service operated by Dropbox, Inc.)

-------------

From:     NatWest [secure.message@natwest.com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message

You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )

Please download your ecnrypted message at:

https://goo.gl/8AanL9


(Dropbox is a file hosting service operated by Dropbox, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4612.

I have seen three goo.gl URLs leading to three different download locations, as follows

https://goo.gl/1dlcL3 leads to
http://webbedenterprisesinc.com/message/Document-6936124.zip

https://goo.gl/8AanL9 leads to
http://rollermodena.it/Document-2816409172.zip

https://goo.gl/pwgQID leads to
http://www.vetsaudeanimal.net/Document-9879091.zip

In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54. The Malwr report shows that this then downloads components form the following locations (hosted by OVH France):
http://94.23.247.202/1607h/HOME/0/51Service%20Pack%203/0/
http://94.23.247.202/1607h/HOME/1/0/0/

An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54. The Malwr report for that is inconclusive.

Recommended blocklist:
94.23.247.202
vetsaudeanimal.net
rollermodena.it
webbedenterprisesinc.com

RBS "RE: Incident IM03393549" spam

This fake RBS spam has a malicious attachment:

Date:      Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
From:      Annie Wallace[Annie.Wallace@rbs.co.uk]
Subject:      RE: Incident IM03393549

Good Afternoon ,

Attached are more details regarding your account incident. Please extract the attached
content and check the details.

Please be advised we have raised this as a high priority incident and will endeavour to
resolve it as soon as possible. The incident reference for this is IM03393549.

We would let you know once this issue has been resolved, but with any further questions
or issues, please let me know.

Kind Regards,

Annie Wallace Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th
Floor, 1 Hardman Boulevard | Manchester | M3 3AQ | Depot code: 049
Tel: 0845 300 4108 |Email: Annie.Wallace@rbs.co.uk The content of this e-mail is
CONFIDENTIAL unless stated otherwise 

The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42. The CAMAS report shows that the malware connects to the following locations to download additional components:

94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202/n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia.com/Scripts/n0808uk.zip
energysavingproductsinfo.com/wp-content/uploads/2014/08/n0808uk.zip

The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.

Recommended blocklist:
94.23.247.202
quesoslaespecialdechia.com
energysavingproductsinfo.com

"FW: Resume" spam has a malicious attachment

This terse spam is malicious:

Date:      Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
From:      Janette Sheehan [Janette.Sheehan@linkedin.com]
Subject:      FW: Resume

Attached is my resume, let me know if its ok.

Thanks,
Janette Sheehan 

Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54. The CAMAS report shows that the malware attempts to phone home to the following locations:

94.23.247.202/0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202/0708stat/SANDBOXA/1/0/0/
hngdecor.com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind.com/underconst/css/cw2800.zip

Recommended blocklist:
94.23.247.202
hngdecor.com
welfareofmankind.com

"Corporate eFax message from "unknown" - 3 page(s)" spam

This somewhat mangled spam has a malicious attachment:

Date:      Fri, 1 Aug 2014 09:45:45 -0700 [12:45:45 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "unknown" - 3 page(s)

You have received a 3 page fax             at 2014-08-01 10:55:05. * The
reference number for this fax is p2_did1-4724072401-8195088665-159.       Thank you for
using the eFax Corporate service!        2014 j2 Global, Inc. All rights reserved. eFax
Corporate is a registered trademark of j2 Global, Inc. This account is subject to the
terms listed in the         eFax Corporate Customer Agreement.  

Attached is an archive file Fax_912_391233111_941.zip which in turn contains a malicious executable Fax_912_391233111_941.scr which has a VirusTotal detection rate of 10/54.

The Comodo CAMAS report shows the malware reaching out to the following locations:

94.23.247.202/0108us1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108us1/SANDBOXA/1/0/0/
theyungdrungbon.com/wp-includes/images/0108us1.zip
101romanticcheapdates.com/wp-includes/images/0108us1.zip

Recommended blocklist:
94.23.247.202
theyungdrungbon.com
101romanticcheapdates.com

"Payroll Received by Intuit" spam / Cryptowall

I haven't seen any fake Intuit spam for a while. This one comes with a malicious attachment:

Date:      Fri, 1 Aug 2014 07:59:12 -0600 [09:59:12 EDT]
From:      Intuit Payroll Services [IntuitPayrollServices@payrollservices.intuit.com]
Subject:      Payroll Received by Intuit

Dear, [redacted]
We received your payroll on August 01, 2014 at 09:01 AM EST.

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later.  If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later.  YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time.  Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services



IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2014 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706

The attachment in this case is called Remittance.zip and it contains a malicious executable Remittance.exe which has a VirusTotal detection rate of 9/53.

According to the evidence of this very detailed ThreatTrack report [pdf], this is a version of Cryptowall. It makes network connections to various sites including the now-familiar 94.23.247.202.

I recommend that you block the following domains and IPs:
94.23.247.202
theothersmag.com
poroshenkogitler.com
kpai7ycr7jxqkilp.onion2web.com

Companies House "Case 4620571" spam

This fake Companies House spam has a malicious attachment:

Date:      Wed, 6 Aug 2014 19:45:59 +0700 [08:45:59 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      RE: Case 4620571

The submission number is: 4620571

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500 

Attached is a file Case_4620571.zip which in turn contains a malicious executable Case_4620571.scr which has a VirusTotal detection rate of 11/53. Automated analysis tools [1] [2] show that the malware reaches out to the following locations which are good candidates for blocking:

64.191.43.150
94.23.247.202
feelgoodframesstore.com
beeprana.com
upscalebeauty.com