Sponsored by..

Tuesday, 21 October 2014

Fake "Humber Merchants Group / humbermerchants.co.uk" Industrial Invoices spam

This fake spam pretends to come from the legitimate firm Humber Merchants but doesn't. It's a forgery, Humber Merchants are not sending out this spam nor have they been hacked or compromised.

From:     ps7031112@humbermerchants.co.uk
Date:     21 October 2014 15:21
Subject:     Industrial Invoices

Attached are accounting documents from Humber Merchants

Humber Merchants Group

Head Office:
Parkinson Avenue
Scunthorpe
North Lincolnshire
DN15 7JX

Tel: 01724 860331
Fax: 01724 281326
Email: sales@humbermerchants.co.uk

--
Automated mail message produced by DbMail.
Registered to Humber Merchants Limited  , License MBS2008354.
Attached is a malicious Word document 15040BII3646501.doc which has a VirusTotal detection of 6/54. The Malwr report gives a little detail as to what it going on, but the crux of it is that if you have macros enabled then they will download and execute a malicious binary from http://gpsbah.com/images/1.exe which has a VirusTotal detection rate of 11/53 and which the Malwr report  indicates then connects to the following URLs:

http://62.75.182.94/eQ7j0+Z7/kfnmylxhl/%7EaEskub2Av7ZSh%20v@q%2Ct6W/@
http://62.75.182.94/CzUO1%20cxp%3DkLsR&/RTlIMuF1Wo/EWhm1z.ZuO8%2C2/sH@%3Fnqiakk_Tq/
http://62.75.182.94/X4mSfKkEhOPU%242cqi5W%3F%20&1Iql%20Byr/%2D588l0wY3w+=SsKQut1mgPzk%2C%24G+seO%3F
http://62.75.182.94/zms%3F@&JoTAN%2C/0C%20%2Bk+nCk_/p%20rxIqpUOyt%3FYR4W1g%2B
http://62.75.182.94/oX83KZqm@WZ%2BM%3F%20wQG@$24+/h5@RnK5~Y@7&mKGc%2C1%7E0/BhmOUE~Xf/_T_%20GSN

62.75.182.94 is a Serverloft / Intergenia IP address in Germany.

Recommended blocklist:
62.75.182.94
gpsbah.com

UPDATE 2014-10-23

Another version of the attachment is doing the rounds, this time the attachment has a detection rate of 0/54  (Malwr report) but in this case it downloads a file from http://jvsfiles.com/common/1.exe which has a detection rate of just 1/54.

According to the Malwr report, that binary contacts the following URLs:

http://84.40.9.34/kSIfRXSnEP25k76mz/9_oSoYWIoYi0/0%2B.tYWE05j%7EVA%24k/Jnt%26
http://87.106.84.226/SYh7Y+NbkSk74/mWbqM9m/L2o/%26hA%2DFG
http://87.106.84.226/QzteG3org5I%3Fa/@&e%7EfgonN%205ccf~qCi2/1_%2C%26A3QPq%3F/w56KC%2D4B0lFMbghLcFm
http://87.106.84.226/jooywueelxs/=+juqybp3sc/%2Db.mm01%24__s3/r1&iw2%20a+%3Dse%24%20@m1bpe%24%20ru/
http://87.106.84.226/pIQ%3FSS%3F%2DPC%207/%7E=jN%3Fh5e%3FP%20mB

87.106.84.226 is 1&1, Germany and 84.40.9.34 is Hostway, Belgium.

This executable drops a DLL on the system which is also poorly detected with a detection rate of 1/54.

Recommended blocklist:
87.106.84.226
84.40.9.34
jvsfiles.com

UPDATE 2014-11-13

A fresh round of spam has started with the same template. So far I have seen two documents with low detection rates [1] [2] [Malwr report] that drop one of two malicious binaries [1] [2] [pastebin] from one of these locations:

http://body-fitness.net/js/bin.exe
http://live.znicz-pruszkow.cba.pl/mandoc/js/bin.exe

This is also poorly-detected according to VirusTotal. The Malwr report for this shows that it reaches out to the following URL (again):

http://84.40.9.34/Xe0RBsy6nU2qow&nr7pGA%3DTWw./%7EwosMJ_V46G3/5Cqmr+6S/1ZzUf

It also drops a DLL identified by VirusTotal as Dridex.

No comments: