Sponsored by..

Monday, 7 September 2015

Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]

This spam does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From     "Companies House" [WebFiling@companieshouse.gov.uk]
Date     Mon, 7 Sep 2015 12:40:01 +0100
Subject     RE: Case 0676414

The submission number is: 0676414

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500  

The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.

This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.

MD5:
f1d62047d22f352a14fe6dc0934be3bb

No comments: