
Wednesday, 22 July 2015

Malware spam: "Payment Receipt" / "donotreply@dart-charge.co.uk"

This fake financial email is a simple forgery with a malicious attachment.

From     [donotreply@dart-charge.co.uk]
Date     Wed, 22 Jul 2015 19:26:51 +0700
Subject     Payment Receipt
The samples I saw had no body text and an attachment PaymentReceipt.xml [VT 5/55]. This is an XML file [pastebin] that Word opens as a document; a Base64-encoded section inside it decodes into a malicious Word macro.

This macro downloads a malicious binary from:

http://puerta.fr/sandra/write.exe

Other versions of the attachment may download the same binary from different locations. This is saved as %TEMP%\mikapolne.exe and has a VirusTotal detection rate of 26/55. Automated analysis [1] [2] [3] shows it communicating with:

194.58.96.45 (Reg.Ru, Russia)

This IP has been in use in this other campaign today and is well worth blocking.
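The attachment is the dangerous part of this run, so it is worth being able to look inside one of these .xml files without opening it in Word. The following is an added example (my own code, not anything from the original post): it parses a Word 2003 XML document, pulls every Base64 w:binData part, unwraps the ActiveMime/zlib container that Word uses for embedded OLE data, and reports whether the result is an OLE file whose directory names a VBA project. The sample document is constructed inline and is not the real PaymentReceipt.xml; the part name "editdata.mso" and the ActiveMime layout are assumptions stated in the comments.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Word 2003 XML (WordML) namespace. Macro-bearing documents in this format carry
# their VBA project as a Base64 blob under w:docOleData/w:binData (assumption for
# the constructed sample below: the part is named "editdata.mso").
W_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 compound-file signature
ACTIVEMIME = b"ActiveMime"                        # MSO container signature
# OLE directory entries store stream names as UTF-16LE; these name a VBA project.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "VBA")]


def unwrap_activemime(blob):
    """Inflate the zlib stream inside an ActiveMime (MSO) container.
    The stream's offset is not fixed across samples, so every byte pair that
    looks like a zlib header after the signature is tried until one inflates."""
    for i in range(len(ACTIVEMIME), len(blob) - 1):
        if blob[i] == 0x78 and blob[i + 1] in (0x01, 0x5E, 0x9C, 0xDA):
            try:
                return zlib.decompressobj().decompress(blob[i:])
            except zlib.error:
                continue
    return None


def extract_bindata(xml_bytes):
    """Yield (part name, decoded bytes) for every w:binData element."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter(f"{{{W_NS}}}binData"):
        name = el.get(f"{{{W_NS}}}name", "")
        # Word folds the Base64 at 76 columns; drop all whitespace before decoding.
        yield name, base64.b64decode("".join((el.text or "").split()))


def triage(xml_bytes):
    """For each embedded binary part report its container type, whether an OLE
    file sits inside and whether that OLE file names a VBA project."""
    results = []
    for name, blob in extract_bindata(xml_bytes):
        container, payload = "raw", blob
        if blob.startswith(ACTIVEMIME):
            container = "ActiveMime"
            payload = unwrap_activemime(blob) or b""
        is_ole = payload.startswith(OLE_MAGIC)
        has_vba = is_ole and any(m in payload for m in VBA_MARKERS)
        results.append({"name": name, "container": container, "is_ole": is_ole,
                        "has_vba": has_vba, "size": len(payload)})
    return results


def build_sample(with_macro=True):
    """Constructed test input, not a real attachment: a minimal WordML document.
    With with_macro=True the binData part is an ActiveMime/zlib wrapper around a
    fake OLE header plus a VBA directory-entry name; otherwise it is a PNG stub."""
    if with_macro:
        fake_ole = OLE_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 24
        blob = ACTIVEMIME + b"\x00" * 40 + zlib.compress(fake_ole)
    else:
        blob = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="{W_NS}">
  <w:docOleData>
    <w:binData w:name="editdata.mso">{wrapped}</w:binData>
  </w:docOleData>
  <w:body><w:p><w:r><w:t>Payment Receipt</w:t></w:r></w:p></w:body>
</w:wordDocument>'''.encode()


if __name__ == "__main__":
    for part in triage(build_sample()):
        print(part)
```

A part that comes back with has_vba set is one to detonate in a sandbox or feed to a proper VBA extractor; the VBA source itself is stored compressed inside the OLE file, so searching the decoded bytes for the download URL or the %TEMP% filename will not find them at this stage.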

MD5s:
89e93a926de9c212a2b148722c938ba3
38f9913a89f00badb2a78c6f19c33544

6 comments:

Unknown said...

I got about 10 of these today, but the weird thing is I went over Dart a few months ago and was sent a penalty notice in the post. I then went to the official Gov website and paid about 2 weeks ago.

So the question is: is this just a coincidence? How have the spammers got my address? Has the Gov system been hacked? I used my work email. No viruses or malware on my PC, as I have checked.

Just seems a bit too coincidental to me.

Richy

Conrad Longmore said...

@Richard, yes it really is just a coincidence. There's some basic targeting on email addresses by country, but nothing more sinister than that.

Muchty22 said...

Is this really a coincidence? We live in Scotland, but were on a rare visit to Kent, using the Dartford Tunnel for the first time in many years, paying the full charge over the phone within 24 hours, in early June. Received a penalty notice by post several weeks ago claiming £5 was still due for a one way travel, although this had in fact already been paid. We sent off a letter immediately replying on the given form, enclosing proof of payment from bank etc. along with details of the phone call made at the time of payment. We felt then that a member of staff was possibly skimming money from the Dart Charge. Then, funnily enough, we receive today the 'receipt' as a .xml file attachment. Fortunately we have a Mac and also anti-virus protection, so no harm done. However I feel this perhaps should be looked into by the Gov system!

Isi B said...

I live in Devon and have never visited Kent nor the Dartford tunnel. So it must be a spam email.

I too, today received this odd email with no text just the payment receipt attachment and will delete it without opening it.

Just thought I ought to share it as this site has been very helpful.

Conrad Longmore said...

@Muchty22, this has been spammed out very widely, targeting UK email addresses. Tens of thousands of people use the crossing every day, so the spammers are hoping that they will be more likely to click through. These spam runs happen most days and pretend to be from a variety of sources, including water cooler companies and carpet shops.

I'm interested that the genuine attachment was an XML file. It appears that the spammers use REAL emails from hacked accounts to base these spam messages on. That makes them look very convincing indeed!

Alta said...

This is interesting. I have received this particular "receipt" e-mail with virus attached and I do not live in the UK, but I do have clients in the UK. Am not very computer savvy, but if you look at the header of the e-mail - pasted in below - and the Whois query, also pasted in below, could it actually have come from Poland?

Header:
Received: (qmail 17228 invoked by uid 30297); 22 Jul 2015 12:00:05 -0000
Received: from unknown (HELO p3plibsmtp01-10.prod.phx3.secureserver.net) ([72.167.238.226])
(envelope-sender )
by p3plsmtp11-06.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for ; 22 Jul 2015 12:00:05 -0000
Received: from 80-94-25-114.tarniny.pl ([80.94.25.114])
by p3plibsmtp01-10.prod.phx3.secureserver.net with bizsmtp
id vQ021q01c2TiLKU01Q0325; Wed, 22 Jul 2015 05:00:05 -0700
X-IP-SPAM: Suspect
MIME-Version: 1.0
From:
To:
Date: Wed, 22 Jul 2015 14:00:00 +0200
Subject: Payment Receipt
Content-Type: multipart/mixed;
boundary="--boundary_18697_253da96f-74b2-450e-ac92-314876121e5b"
Message-ID: <483087cf-1281-4de3-a57f-f809d1756ef2@DF-PC-EXC02.Sanef-uk.local>
X-Nonspam: None
X-SpamFlt-Status: Not Detected
X-KASFlt-Status: Lua profiles 81339 [Jul 24 2015]
X-KASFlt-Status: LuaCore: 247 247 0f230692cc659e1df3de876bc53ded5d9efb6d98
X-KASFlt-Status: Version: 5.3.8
X-KASFlt-Status: {RECEIVED: dynamic ip detected}
X-KASFlt-Status: Rate: 5
X-KASFlt-Status: Status: not_detected
X-KASFlt-Status: Method: none
X-SpamFlt-Phishing: Not Detected


Whois:
http://en.utrace.de/whois/80.94.25.114

Details on IP address 80.94.25.114

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '80.94.25.0 - 80.94.26.255'

% Abuse contact for '80.94.25.0 - 80.94.26.255' is 'abuse@man.szczecin.pl'

inetnum: 80.94.25.0 - 80.94.26.255
netname: Gambit-Fieldorfa
descr: F.H.U. "GAMBIT" Miroslaw Prochenka
descr: Fieldorfa 16/32
descr: 71-075 Szczecin
country: PL
admin-c: MP5861-RIPE
tech-c: MP5861-RIPE
status:
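Alta's question about where the message came from is answered by reading the Received headers from the bottom up. The following is an added example (my own code, not from the blog or any of the commenters): it parses the header block pasted in the comment above, re-folded so that continuation lines are indented as the mail format requires, extracts each relay hop, and picks out the earliest hop that recorded a peer IP. The extra "dynamic_looking" flag is my own heuristic for hostnames that embed the IP address, the pattern the Kaspersky filter header above also reports as "dynamic ip detected".

```python
import re
import email

# The headers Alta pasted above, re-folded so that continuation lines are
# indented as RFC 5322 requires (the blog's paste had lost that indentation).
# Only the fields needed here are kept.
SAMPLE_HEADERS = """\
Received: (qmail 17228 invoked by uid 30297); 22 Jul 2015 12:00:05 -0000
Received: from unknown (HELO p3plibsmtp01-10.prod.phx3.secureserver.net) ([72.167.238.226])
  (envelope-sender )
  by p3plsmtp11-06.prod.phx3.secureserver.net (qmail-1.03) with SMTP
  for ; 22 Jul 2015 12:00:05 -0000
Received: from 80-94-25-114.tarniny.pl ([80.94.25.114])
  by p3plibsmtp01-10.prod.phx3.secureserver.net with bizsmtp
  id vQ021q01c2TiLKU01Q0325; Wed, 22 Jul 2015 05:00:05 -0700
X-IP-SPAM: Suspect
Subject: Payment Receipt
Message-ID: <483087cf-1281-4de3-a57f-f809d1756ef2@DF-PC-EXC02.Sanef-uk.local>

"""

# "from <name> [(HELO <helo>)] ... [<ip>] ... by <host>" as most MTAs write it
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_received(raw_headers):
    """Return one dict per Received header, in header order (newest hop first).
    Hops with no 'from ... [ip]' clause (local delivery) are kept with ip=None."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({"from": m["from"], "helo": m["helo"], "ip": m["ip"], "by": m["by"]})
        else:
            hops.append({"from": None, "helo": None, "ip": None, "by": None, "raw": value})
    return hops


def origin(hops):
    """The earliest hop that recorded a peer IP, i.e. the connection the
    receiving mail system actually saw. Also flags hostnames that embed the IP,
    the usual pattern for dynamically assigned lines (my heuristic)."""
    for hop in reversed(hops):
        if hop["ip"]:
            host = (hop["from"] or "").lower()
            return dict(hop, dynamic_looking=hop["ip"].replace(".", "-") in host)
    return None


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    for hop in chain:
        print(hop)
    print("origin:", origin(chain))
```

The one caveat a practitioner should keep in mind: only the Received lines written by servers you trust are reliable, because a sender can prepend fake ones. Here the hop naming 80.94.25.114 was written by a secureserver.net host, the recipient's own mail provider, so that address is the peer that really connected; anything that appeared below it in a longer chain could have been forged. The From, To and Message-ID fields say nothing about origin at all, which is why the Sanef-uk.local Message-ID should not be read as evidence that the mail passed through Dart Charge's systems.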