Sponsored by..

Friday 21 March 2014

"Companies House" spam and 50.116.4.71 (again)

This fake Companies House spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 8435407 - Companies House

The submission number is: 8435407

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49.

The Malwr analysis again shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij.biz.

The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below).

I would recommend that you the following blocklist in combination with this one.

50.116.4.71
aulbbiwslxpvvphxnjij.biz
rovlvhixgqcelzlxheonpfxy.info
hybytqwscguvowbbgwgxijdq.com
jryxtbujvdmceodbegyofrkkr.ru
lncuhmnvlytwsuceijaifaqjrpz.com
mrdlormvvotimfhecueminydrs.info
fytwsqkgindatoahtnbnrzhe.org
tqsdudemkfrcrcutdmvpbuzd.net
doskgacutmvbeztmrirlc.biz
rgolcuhgqsqkgivckfbud.ru
auldivpzxeahilvcyvckrzpbepv.com
hegersdihurwwsdqxkdatclbmryd.net
qwrgldhqtcifymnfyhimjhqdbmir.org
ljxaededaljnrytonhzkzsg.biz
wgtfauchlnhmvskblhiovxwpvh.com
ifwbxfylaimzuwgdyeqgiupl.ru
premiercrufinewine.co.uk

Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)