Sponsored by..

Thursday, 18 December 2014

Malware spam: aquaid.co.uk "Card Receipt"

[UPDATE: as of December 2015, there is a new version of the spam doing the rounds]

This spam claims to be from the legitimate firm AquAid, but it isn't. Instead it comes with a malcious attachment. The email is a forgery, AquAid are not sending the spam, nor have their systems been compromised in any way.

From:    Tracey Smith [tracey.smith@aquaid.co.uk]
Date:    18 December 2014 at 07:24
Subject:    Card Receipt

Hi

Please find attached receipt of payment made to us today

Regards
Tracey


Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk
email_new_logo
AquAid really is the only drinks supplier you will ever need with our huge product range. With products ranging from bottled and mains fed coolers ranging up to coffee machines and bespoke individual one off units we truly have the right solution for all environments. We offer a refreshing ethical approach to drinks supply in that we support both Christian Aid and Pump Aid with a donation from all sales.  All this is done while still offering a highly focused local service and competitive pricing. A personalised sponsorship certificate is available for all clients showing how you are helping and we offer £25 for any referral that leads to business.
*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with registered number 3505477 and registered office at 51 Newnham Road, Cambridge, CB3 9EY, UK. This message is intended only for use by the named addressee and may contain privileged and/or confidential information. If you are not the named addressee you should not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify the sender and delete the message and any attachments accompanying it immediately. Neither AquAid nor any of its Affiliates accepts liability for any corruption, interception, amendment, tampering or viruses occurring to this message in transit or for any message sent by its employees which is not in compliance with AquAid corporate policy.

In the sample I have seen, the attachment is called CAR014 151239.doc which is malicious, but only has a VirusTotal detection rate of 2/54. This particular document (note that there are usually several different documents in the spam run) contains this malicious macro [pastebin]. This macro downloads a malware executable from:

http://sardiniarealestate.info/js/bin.exe

..which is saved as %TEMP%\YEWZMJFAHIB.exe - this has a marginally better detection rate of 3/53.

The ThreatExpert report shows connections to the following two IPs:

74.208.11.204 (1&1, US)
81.169.156.5 (Strato AG, Germany)

The Malwr report shows that it drops a DLL which is very poorly detected but is probably the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5

FOR RESEARCHERS ONLY: a copy of the malicious DOC attachment plus dropped files can be found here. Password is "infected". Only handle these if you know what you are doing.

UPDATE 2015-01-13

This spam keeps coming back every few days or so. This time the attachment has a VirusTotal detection rate of 3/57 and the malicious macro it contains [pastebin] downloads from:

http://forpetsonly.cz/js/bin.exe

This file has a VirusTotal detection rate of 2/57. The Malwr report shows it phoning home to:

59.148.196.153
74.208.11.204

It also drops a DLL with a detection rate of 2/57.

UPDATE 2015-02-25

Another version of this spam run is in progress, with these malicious macros [1] [2] downloading from the following locations:

http://junidesign.de/js/bin.exe
http://jacekhondel.w.interia.pl/js/bin.exe

This malware is the same as used in this spam run.

11 comments:

peter said...

so how do we extract the macro from a document? would you please instruct me in doing that? I want to analyze this activities too.

Unknown said...

@ peter,

use officemalscanner with the 'info' parameter to extract the macro. tool found here: http://www.reconstructer.org/code.html

Cheers,

Conrad Longmore said...

Yes, OfficeMalscanner will extract the VBA macro. But the code is obfuscated, so it needs more work. If you CAREFULLY deconstruct the macro to remove the dangerous bits then you can use the macro to decode itself. (It might be worth doing that on a throwaway machine not connected to the internet).

naszfranio said...

We have been hammered with these emails ... not just 2-3 IPS but 1000!
here's the list
http://pastebin.com/xnYELwSM

Unknown said...

The macros in today’s versions download from progresser-en-photo.com/js/bin.exe or curie-hennebont.fr/js/bin.exe whichwhich is saved as %TEMP%\EXXQJIULSJO.exe and has a virus Total detection rate of 6/54

Unknown said...

Another run of these today to go with all the other macro malware. Today’s version of this malware downloads from phaluzan.net.amis.hr/js/bin.exe which is saved as %temp%\1V2MUY2XWYSFXQ.exe and has a current Virus total detection rate of 7/56.

naszfranio said...

I've been getting it today as well Derek.

Unknown said...

I've just opened that attachment thinking it was the legit company .... what do I do will it effect me in anyway?

Conrad Longmore said...

@Rachael Roberts: if you have a PC and have Microsoft Office with Macros enabled, then yes. But macros are only enabled by default on really old versions.

A quick indicator of infection is to check your TEMP folder for a randomly-named file (something like YEWZMJFAHIB.exe). You can do this in a number of ways, but perhaps the easiest is to open up a Command Prompt in Windows and then type:
DIR %TEMP%\*.EXE
..followed by the Enter key. If you can see such a file with a recent date and time, then you are infected. If you can't, then I think you will be clean.

naszfranio said...

They started sending it out again today. 400 emails has hit my server so far.

Elisabeth said...

Seen it today, this time sent from
REED TODD-NAYLOR
With a file name of CARD564 628779.docm