Sponsored by..

Friday, 22 May 2015

Malware spam: "Your Invoice IN278577 from Out of Eden" / "sales@outofeden.co.uk"

This fake invoice does not come from Out of Eden Ltd but is instead a simple forgery leading to malware.

From: sales@outofeden.co.uk [mailto:sales@outofeden.co.uk]
Sent: 22 May 2015 10:50
Subject: Your Invoice IN278577 from Out of Eden

Dear customer,

Thank you for your order. Please find attached a DOC copy of your invoice IN278577 from sales order S391622.

Your order was despatched on 21/05/2015.  Please check the order on delivery and report any shortage, damage or discrepancy within 48 hours from of receipt of this invoice.

If you would prefer to receive a paper invoice or if this email has been sent to the wrong address, please email sales@outofeden.co.uk or call our Customer Service Team on 017683 72939.

Kind Regards,

Customer Services
Tel: 017683 72939
Please consider the environment before printing this email

Out of Eden Ltd
The UK's Most Popular One-Stop-Shop for Hospitality Products www.outofeden.co.uk

Home Farm Buildings, Kirkby Stephen.  CA17 4AP
Tel: 01768 372 939 Fax: 01768 372 636
Email: sales@outofeden.co.uk
VAT no: 621 2326 86
Reg. in England & Wales - Co. No. 3178081
The payload is very similar to the one found in this earlier spam run, the payload appears to be the Dridex banking trojan.

My contact who sent the information about this spam run (thanks!) also sent the following data about the attachments and download locations. I haven't had time to look into it any further.

hxxp://thepattersonco[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: b15ac324d13f8804959a81172317a4ba

hxxp://www[dot]footingclub[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: d89c0affa2c1b5eff1bfe55b011bbaa8

hxxp://hci-ca[.]com/85/20.exe/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: 98c3a42b0d958333a4108e04f10d441f

hxxp://www.seedsindaphne[.]org/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: 13dfb8bd543e77453cfd0ab3d586ba77 

hxxp://mercury.powerweave[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: cf5a5ec18a9031f998a1a3945ca10379


Malware spam: "This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc." / "Australian Taxation Office"

This spam doesn't seem to know if it's from Lloyds Bank or the Australian Tax Office.

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    22 May 2015 at 10:31
Subject:    Remittance Advisory Email


Monday 22 May 2014

This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.

Please review the details of the payment here.


Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.
The link in the email goes to a download page at sharefile.com and leads to an archive file FAX_82APL932UN_772.zip containing a malicious executable FAX_82APL932UN_772.scr which has a date stamp of 01/01/2002 (presumably to make it harder to spot).

This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] show that it downloads another file from:

relianceproducts.com/js/p2105us77.exe

This is renamed to csrss_15.exe and has a detection rate of 3/54. It is most likely a component of the Dyre banking trojan.

In addition, this Hybrid Analysis report shows traffic to:

209.15.197.235 (Peer 1, Canada) [relianceproducts.com]
217.23.194.237 (BLICNET, Bosnia and Herzegovina)

Recommended blocklist:
209.15.197.235
217.23.194.237

MD5s:
eb26a6c56b7f85b3257980d0c273c3cf
178a4e3dfa0feea04079592d3113bd2e


Thursday, 21 May 2015

Malware spam: "Travel order confirmation 0300202959" / "overseastravel@caravanclub.co.uk"

This fake booking confirmation (received from a contact - thanks!) does not come from the Caravan Club, but is a simple forgery with a malicious attachment:

From: overseastravel@caravanclub.co.uk [mailto:overseastravel@caravanclub.co.uk]
Sent: 21 May 2015 12:34
Subject: Travel order confirmation 0300202959    
    
Dear Customer,

Thank you for your travel order.

Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.

Now you have booked your trip why not let The Club help you make the most of your stay?

Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?

Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.

If you ’’ ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .

Yours sincerely    

The Caravan Club
The file in this case is called Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run.

Malware spam: "Invoice# 2976361 Attached" / "PGOMEZ@polyair.co.uk"

So far I have only seen one sample of this. The sender and subject may vary.
From:    PGOMEZ@polyair.co.uk
Date:    21 May 2015 at 08:58
Subject:    Invoice# 2976361 Attached

Invoice Attached - please confirm..


This transmission may contain information that is privileged and strictly confidential.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.

If you received this transmission in error, please contact the sender and delete the material from any computer immediately.  Thank you.

Attached is a malicious file with the no-very-imaginative name 00001.doc [VT 4/56] which contains this malicious macro [pastebin] that downloads a component from the following location:

http://mercury.powerweave.com/72/11.exe

This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57.

Automated analysis tools [1] [2] [3] [4] show attempted communications with the following IPs:

78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)


The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195

MD5s:
f5aee45ce06f6d9f9210ae28545a14c6
56305283d26e66b81afcbcb6f0e9b9b4
015cc26b738d313e5e7aba0c9114670e

Wednesday, 20 May 2015

Malware spam: "Sky.com / Statement of Account" and "Voice Mail / You have a new voice" via volafile.io

These two spam runs attempt to download malware from volafile.io. To give the folks at Volafile credit, all the malware I have seen linked to has been taken down. I suspect that the payload is the Dyre banking trojan.

From:    Sky.com [statement@sky.com]
Date:    20 May 2015 at 12:30
Subject:    Statement of account

Afternoon,

Please find the statement of account, download and view from the link below:

https://dl4.volafile.io/download/8eFEP-cNVEX-Jg/statement_00429117.zip

We look forward to receiving payment for the September invoice as this is now due for payment.

Regards,
Elliot

This email, including attachments, is private and confidential. If you have received this email in error please notify the sender and delete it from your system. Emails are not secure and may contain viruses. No liability can be accepted for viruses that might be transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members: Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.


======================

From:    Voice Mail [Voice.Mail@victimdomain]
Date:    20 May 2015 at 12:11
Subject:    You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs5419167125_001

The transmission length was 41
Receiving machine ID : BA9R-DUQUC-TY7T

To download and listen your voice mail please follow the link below: https://dl3.volafile.io/download/rnTYPuYNVEX6Jw/statement_00429114.zip

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
volafile.io is a pretty uncommon place to share files, so it might be worth looking at your traffic to see if there have been any unexpected requests to that site.


Tuesday, 19 May 2015

Malware spam: "Australian Taxation Office [noreply@ato.gov.au]" / "eFax message - 2 page(s)"

Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    19 May 2015 at 12:48
Subject:    eFax message - 2 page(s)

Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.

* The reference number for this fax is
min2_did16-0884196800-3877504043-49.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile.com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr.

This executable has a detection rate of 5/57. Automated analysis tools [1] [2] [3] shows that it downloads a further component from:

http://employmentrisk.com/images/1405uk77.exe

In turn, this has a detection rate of 4/57 and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).

Recommended blocklist:
employmentrisk.com
194.28.190.183

MD5s:
a6aa82995f4cb2bd29cdddedd3572461
b3b483c10d4f7eacd7cfa42f604968f8

Monday, 18 May 2015

Malware spam: "Your reasoning stands in need" / "Have a need in your thought" / "In want of your concern"

This fake financial spam run is similar to this one last week, and comes with a malicious attachment.

From:    Aida Curry
Date:    18 May 2015 at 11:40
Subject:    Your reasoning stands in need

Good Afternoon,
We have attained a reimbursement from you for the draft of £ 2909. Please would you secure me with a remittance, in order for me to reconcile the statement.
I will be sending you a pronouncing of outstanding invoices tomorrow, the entire quantum of outstanding is £ 5893 less the 1 draft received making a whole outstanding of £ 2984. We would very much appreciate settlement of this.
As previously mentioned we reversed to a limited company on 1st December 2014. We are desire to conclude all the old checks down, for both tax and year end reasons. We would be very grateful in your assistance in eliciting the outstanding.
If you need any application of bills please do not hesitate to contact us
Regards,
Aida Curry

-------------------

From:    Cornelius Douglas
Date:    18 May 2015 at 11:39
Subject:    Your reasoning stands in need

Good morning
Please find attached   a remittance advice, relating to a outpayment made to you.
Many thanks
Regards,
Cornelius Douglas
Seniour Finance Assistant

-------------------

From:    Jewell Shepard
Date:    18 May 2015 at 11:37
Subject:    Have a need in your thought

Please, see the attached similar of the remittance.
Please, can you remit a revised pronouncing so we can settle any outstanding balances.
Kind Regards,
Jewell Shepard
Subjects spotted so far are:
In want of your concern
Your reasoning stands in need
Have a need in your thought
Vital announcement 561335
Your advertence stands in need
Grand advert 482209
Important notice 540897
In want of your regarding
In want of your concern
Your reasoning stands in need
Wish to know your thought
Your cognizance is in great necessity
Need your consideration

There seem to be several different attachments, but for the sake of simplicity I have looked at just one. The Hybrid Analysis report shows this this is a MIME attachment that downloads and executes a script from pastebin[.]com/download.php?i=C5KGsRX3 which in turn downloads a malicious executable from  193.26.217[.]220:80/bt/get3.php (Servachok LTD, Russia) which is saved as crypted.120.exe.

This executable has a VirusTotal detection rate of 4/57. The Malwr and Hybrid Analysis reports indicates traffic to 5.63.154.228 (Reg.Ru, Russia) and also shows a dropped Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
5.63.154.228
193.26.217.220

MD5s (executable):
af15ba558c07f8036612692122992aad
0074fdc06f8b1da04c71feb249e546dc

Wednesday, 13 May 2015

Malware spam: "Need your attention,''Important notice" / "Financial information" / "Important information"

This mix of spam messages come with a malicious attachment:

From:    Johnny Higgins [JohnnyHigginsyb@mail.whitsoncm.com]
To:    "it-dept@victimdomain"
Date:    13 May 2015 at 11:39
Subject:    Need your attention,''Important notice

Good Afternoon,

We have received a payment from you for the sum of £ 686.  Please would you provide me with a remittance, in order for me to reconcile the statement.

I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1564  less the £3254.00 received making a total outstanding of £ 878.  We would very much appreciate settlement of this.

As previously mentioned, we changed entity to a limited company on 1st December 2014.  We are keen to close all the old accounts down, for both tax and year end reasons.  We would be very grateful in your assistance in settling the outstanding.

If you need any copy invoices please do not hesitate to contact us

Regards,

Johnny Higgins

--------------------------

From:    Rowena Mcconnell [RowenaMcconnellev@telemar.it]
To:    tedwards@victimdomain
Date:    13 May 2015 at 11:38
Subject:    Financial information

Good Afternoon,

Please see attached the copy of the remittance.

Please can you send a revised statement so we can settle any outstanding balances.

Kind Regards,

Rowena Mcconnell

--------------------------

From:    Jimmie Cooley [JimmieCooleyzils@fsband.net]
To:    server@victimdomain
Date:    13 May 2015 at 11:34
Subject:    Important information

Good morning

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Jimmie Cooley
Seniour Finance Assistant

Each attachment is slightly different, but does contain the name of the recipient plus a random number (e.g. it-dept_0E78A3A5700B.doc). The payload is meant to be a multi-part MIME file, but many are corrupt and are either Base 64 encoded or are "404 Not Found" files.

If the file is correctly format, it should behave similarly to this Hybrid Analysis report, which says that it connects to several different IPs, but crucially also it downloads a malicious executable from 91.226.93[.]110/bt/get1.php (Sobis, Russia) and saves it as crypted.120.exe.

This malicious executable has a detection rate of 2/56 and the Malwr report says that it communicates with 46.36.217.227 (FastVPS, Estonia) and drops a Dridex DLL with a detection rate of 22/56.

Recommended blocklist:
46.36.217.227
91.226.93.110

MD5s:
9afecfaa484c66f2dd11f2d7e9dc4816
d2f825ecfb3d979950b9de92cbe29286



Tuesday, 12 May 2015

Malware spam: "ATTN: Outstanding Invoices - [4697E0] [April|May]"

This spam comes with random senders and reference numbers, but in all cases includes a malicious attachment:

From:    Debbie Barrett
Date:    12 May 2015 at 11:14
Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]

Dear anthony,

Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.

Kind regards
The attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.

First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu

Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.

This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.

There are several different attachments, so far I have seen the following MD5s:
110B42E097A7677A993CF1B3B24743D8
20AEB9ECEBC26B3CDE960728E890F904
33A8CBE7B75B20B5EA1069E3E2A13D80
3973E29F7BDC7903FFCB596B10F9FD54
7019D711AE0E2FEDEE25EAA3341CFB7F
949816F4DF724E690690B3C8AD3871D4
9CDEFFBAC7B79302D309404E6F3068C4
B5C2393D44D8E0C94D04E2D159AE8776
B84D52F59AEC53B8D7FA109D256FCB6B
CA5E8A531A8EE24B15FC7B2A66502042
E99216D829C632DF24ECAD9162AF654C
EC1AD4316DBA799EF2E2440E715CD5F5
F4B5B0AE85F27E0A475BD359F5BE76E8
F666682D638FE67607DD189705844AD5

The MD5s for the malware components are:
DD7ADC5B140835DC22F6C95694F9C015
9AFECFAA484C66F2DD11F2D7E9DC4816
838F0A8D3FCBD0DDB2F8E8D236D17957

Recommended blocklist:
92.63.88.0/24
46.36.217.227


Malware spam: "Copy of your 123-reg invoice ( 123-015309323 )" / "no-reply@123-reg.co.uk"

This fake invoice is not from 123-reg, but is instead a simple forgery with a malicious attachment:

From:    no-reply@123-reg.co.uk
Date:    12 May 2015 at 10:17
Subject:    Copy of your 123-reg invoice ( 123-015309323 )

Hi,

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.

https://www.123-reg.co.uk
About us | Privacy policy
© Copyright 123-reg - Part of Webfusion Ltd

Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.
Attached is a Word document 123-reg-invoice.doc which contains a malicious macro [pastebin] and has a detection rate of 5/57. There may be several different versions of this macro, but the sample I saw downloaded a file from:

http://fosteringmemories.com/432/77.exe

..which is saved as %TEMP%\ihmail4.1.0.exe and has a VirusTotal detection rate of 5/56. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs:

37.143.15.116 (Internet-Hosting Ltd, Russia)
62.152.36.90 (Host Telecom Net, Russia)
89.28.83.228 (StarNet SRL, Moldova)
185.15.185.201 (Colobridge gmbh, Germany)


According to this Malwr report it also drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
37.143.15.116
62.152.36.90
89.28.83.228
185.15.185.201

MD5s:
3fcc933847779784ece1c1f8ca0cb8e4
3540c517132a8a4cd543086270363447
0bb376ba96868461ffa04dd70dc41342


Monday, 11 May 2015

Malware spam: "Payment details and copy of purchase [TU9012PM-UKY]"

I haven't really had time to analyse this, so I am using the analysis of an anonymous source (thank you)..

From:    Kristina Preston [Kerry.df@qslp.com]
Date:    11 May 2015 at 12:56
Subject:    Payment details and copy of purchase [TU9012PM-UKY]

Dear [redacted]

On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Kristina Preston
Brewin Dolphin
The names and references change between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is a some sort of MIME file containing a mixture of HTML and Base64-encoded segments.

My source has analysed that this downloads a VBS file from Pastebin at pastebin[.]com/download.php?i=FsYQqTaj which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia)

This binary has a detection rate of 2/56 and according to automated analysis tools [1] [2] it communicates with:

46.36.217.227 (FastVPS, Estonia)

It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56.

Recommended blocklist:
46.36.217.227
91.226.93.14

Wednesday, 6 May 2015

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This spam does not come from Transport for London, but is instead a simple forgery with a malicious attachment.

From:    noresponse@cclondon.com
Date:    6 May 2015 at 12:44
Subject:    Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Microsoft Word to
read or download this attachment.


Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

So far I have seen four different versions of the malicious Word document AP0210780545.doc, all with low detection rates [1] [2] [3] [4] containing various macros [1] [2] [3] [4]. These attempt to download an executable from one of the following locations:

http://jkw-sc.com/111/46.exe
http://aimclickbang.com/111/46.exe
http://www.haunersdorf.de/111/46.exe
http://volpefurniture.com/111/46.exe


This file is saved as %TEMP%\wiley5.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show attempted network traffic to:


62.152.36.90 (Filanco Ltd, Russia)
89.28.83.228 (StarNet, Moldova)
185.12.95.191 (RuWeb CJSC, Russia)
185.15.185.201 (Colobridge, Germany)


This Malwr report shows that it drops a Dridex DLL with a detection rate of 4/56.

Recommended blocklist:
62.152.36.90
89.28.83.228
185.12.95.191
185.15.185.201


MD5s:
412ce577521a560459cd711f5966caf4
997bafa825426a3456625983878cb5df
bab231ddf87a24dd81638483f209d238
a49a337f1189dd139499a102b635c918
079f0c588769f6961d888614cf140812
03f9a963fefffc4b97b880a8c4ad208b