Sponsored by..

Friday, 30 October 2015

Malware spam: "Purchase Order 0000035394 customer 09221" / "Clare Harding" [purchasing@carterspackaging.com]

This fake financial spam does not come from Carters Packaging Ltd but is instead a simple forgery with a malicious attachment.

From     "Clare Harding" [purchasing@carterspackaging.com]
Date     Fri, 30 Oct 2015 16:42:26 +0530
Subject     Purchase Order 0000035394 customer 09221

Purchase Order 0000035394

Dear customer,

Please find attached a copy of our order (reference 0000035394), your
reference .

If you have any questions regarding the purchase order please contact us
using the details below.

CLARE HARDING

Purchasing Manager
Carters Packaging Ltd, Packaging House, Wilson Way, Pool, Redruth, Cornwall,
TR15 3RT
Fax: +44 (0) 1209 315 600
www.carterspackaging.com

purchasing@carterspackaging.com
Attached is a file Purchase Order 0000035394.doc which apparently comes in several different versions, although all the samples I saw had the same attachment with a VirusTotal detection rate of 5/55 and which contained this malicious macro [pastebin].

Download locations for all the document versions (h/t to my source) are:

malajsie.webzdarma.cz/45y3f34f/7jh4wqd.exe
fa31.linux-hosting.de/45y3f34f/7jh4wqd.exe
ankarasogukhavadepo.com/45y3f34f/7jh4wqd.exe
selimkaucuk.com/45y3f34f/7jh4wqd.exe


It looks like this is saved as %TEMP%\httsser.exe and it has a VirusTotal detection rate of 5/55. That VirusTotal report and this reverse.it report show that it generates network traffic to:

221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)

I strongly recommend that you block access to that IP. The payload appears to be the Dridex banking trojan.

MD5s:
a5c52bd47f7fdfd54a2584a669eabe59
337435ffd7a94ce05bea59c0d312e5b3
48dde939b402533d37065bc606ed45a1
d3b4f459d089e6afd52d5650c31aa25e
e70ae9099a5e6daef41fd8dc15191756

Carters Packaging are on the ball and have put a big notice on their site, which is nice work.


Thursday, 29 October 2015

Malware spam: "Domain [domain] Suspension Notice" / abuse@enom.com.org

There appear to be many versions of this spam, aimed at domain owners and apparently coming from the actual registrar of the domain. For added authenticity, the owner's name is included in the spam. Here is one example that I got.. it would have been very convincing, except that I had the heads up on this attack a couple of day ago.

From:    ENOM, INC. [abuse@enom.com.org]
Date:    30 October 2015 at 04:11
Subject:    Domain LAPTOP-MEMORY.COM Suspension Notice

Dear Sir/Madam,

The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:

Domain Name: LAPTOP-MEMORY.COM
Registrar: ENOM, INC.
Registrant Name: CONRAD LONGMORE

Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-406-7704
In this case, clicking on the link goes to edecisions.com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr - it looks more authentic because the domain name is in the file download, but in fact you can specify any domain name and it gives a matching file.

Before we look at the analysis of the downloaded executable, let's look at the domain name edecisions.com. It looks like the sort of domain that might contain abuse reports, but in fact it is a hijacked GoDaddy domain hosted on 65.78.174.100 and a quick look at VirusTotal indicates that one of the other 4 sites on the same server was also compromised and was serving up malware in 2013. This is definitely a good candidate to block.

The downloaded file has a VirusTotal detection rate of 2/55. Automated analysis tools [1] [2] [3] indicate that whatever the hell this is, it tries to contact a LOT of other servers. We can see that the following domain names are accessed (mostly POST attempts):

0tv.co
abettertravelagent.com
agentclicktocall.com
airconditioning12601.com
all-inclusiveresortstravel.com
allgroupstravel.com
allreadytravel.com
ameliastyle.com
anabolicsteroidsrx.com
anunciamicasa.com
aprovechatudia.com
armangarzon.info
beachhouseplans.com
bigboattravel.com
biznal.com
bloccailmutuo.com
boilersandfurnaces.com
breakerhub.com
breathtakingsolutions.com
brindegenie.com
cameroonmarket.com
camirate.com
carltonchambers.co.uk
certifiedphytoceramides.com
chuckwhitlock.com
ciiapparelblog.com
circuitbreakerhub.com
colebar.com
cpasolutiononline.com
cruiseandtravel.agency
cruises-travelandmore.com
cruisetravelpros.com
cruisewithdawn.com
cruisingatdawn.com
cywellness.com
dallascircuitbreaker.co
dallascircuitbreaker.com
dallaselectricalsurplus.com
dallasreconditionedtransformers.com
dangerousgarciniacambogia.com
dawat-restaurant.com
designbrossard.com
designingartinstitute.com
designtravelagency.com
destinycruiseandtravel.com
enterrealtyny.com
superfunshoes.com
tarkshyainc.com

Note that almost everything is in the A-D range, which makes me suspect that this is only a fraction of the compromised domains. If we look at the IP addresses of those domains, then it gets even more interesting:

50.87.144.249 (Unified Layer, US)
50.87.151.145 (Unified Layer, US)
108.167.140.175 (WebSiteWelcome, US) [13 instances]
162.144.0.215 (Unified Layer, US)
162.144.12.115 (Unified Layer, US)
192.185.5.33 (WebSiteWelcome, US) [2 instances]
192.185.16.67 (WebSiteWelcome, US) [7 instances]
192.185.19.115 (WebSiteWelcome, US)
192.185.21.162 (WebSiteWelcome, US)
192.185.22.63 (WebSiteWelcome, US) [4 instances]
192.185.90.237 (WebSiteWelcome, US)
192.185.101.210 (WebSiteWelcome, US)
192.185.140.214 (WebSiteWelcome, US)
192.185.152.133 (WebSiteWelcome, US) [2 instances]
192.185.183.81 (WebSiteWelcome, US)
192.185.226.164 (WebSiteWelcome, US)
192.254.186.85 (WebSiteWelcome, US) [2 instances]
192.254.231.138 (WebSiteWelcome, US)
192.254.234.204 (WebSiteWelcome, US)
198.57.242.171 (Unified Layer, US) [4 instances]
198.57.244.38 (Unified Layer, US)
208.109.119.156 (GoDaddy, US)

A check of those WebSiteWelcome and Unified Layer IPs on VirusTotal (for example 192.185.226.164) indicates several compromised domains on the same server, indicating that the entire box has been popped.

It isn't clear what the payload is, but given the fact that it is aimed at domain owners and given the unusual characteristics of the malware, I can make a guess that it is some sort of password stealer, possibly harvesting domains or server admin credentials. If you are not using multi-factor authentication for your domains, then perhaps now would be a good time to choose to do so.

Recommended blocklist:
50.87.144.249
50.87.151.145
108.167.140.175
162.144.0.215
162.144.12.115
192.185.5.33
192.185.16.67
192.185.19.115
192.185.21.162
192.185.22.63
192.185.90.237
192.185.101.210
192.185.140.214
192.185.152.133
192.185.183.81
192.185.226.164
192.254.186.85
192.254.231.138
192.254.234.204
198.57.242.171
198.57.244.38
65.78.174.100

UPDATE:

The payload appears to be the Cryptowall ransomware.

Malware spam: "Documents for Review and Comments" / Pony / eyeseen.net

This fake document scan email has a malicious attachment:

From:    Sarah [johnson@jbrakes.com]
Date:    29 October 2015 at 08:27
Subject:    Documents for Review and Comments

Hi Morning,

Attached are the return documents.

Call me if you need anything.

See you soon. :)


Sarah
The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.

According to various automated analysis tools [1] [2] [3] it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:

eyeseen.net/swift/gate.php

This is hosted on a SoftLayer IP of 198.105.221.5 in Singapore. A quick look at VirusTotal indicates a lot of badness on this IP address, so it is probably one worth blocking.

The payload is Pony / Fareit, which is basically a password stealer.

MD5s:
25a322b9ea5c709c4376bf58527f198a
efc7210f7dbce441f74e3c9f07f28a2e
79ca99c3f751ae334d0340284242e4f6



Wednesday, 28 October 2015

Malware spam: "Don and Carol Racine" / "www.boatclinic.net" / "boatclinic@aol.com"

This fake financial spam is not from Racine Design Inc but is instead a simple forgery with a malicious attachment:

From     [random]
Date     Wed, 28 Oct 2015 10:39:26 +0100
Subject     [random]

 Dear :
Boat has been done a week now. I contacted you last week
The
Boat is ready to pick up,  I have had inquiries as to people wanting to
buy it,
the carb is in your possession and there is no way to run it,
The boat could
sell real easy at this time of year , Memorial day to 4th of
July most boats
are sold.
Please call me to arrange payment and pickup of the Boat ,
If you
need me to store the boat I can do that at the storage facility ,
they do
charge a fee for this 7.00 per day
The other Invoice for the embroidery will
follow , Balance is due now !
Thanks

Your invoice is attached.  Please
remit payment

Thank you for your business - we appreciate it very
much.


Sincerely,
Don and Carol Racine

Racine Design, Inc.
2036 Imeson
Rd
Jacksonville, Fl.  32220

E-Mail  
boatclinic@aol.com

www.boatclinic.net

phone    (904) 771-8170
fax       
(904) 771-0843
The subject of the email is some randomly-generated sentence, which matches the name of the attached ZIP file. I have seen two samples so far with a detection rate of 3/55 and 2/55 respectively.

Analysis of the binary is pending (please check back), but the payload here is Upatre/Dyre which commonly calls back to 197.149.90.166 (Cobranet, Nigeria), an IP I strongly recommended that you block.

UPDATE:

The reverse.it report shows that the malware does indeed call back to that Nigerian IP address.

Malware spam: eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200

This fake fax spam comes with a malicious attachment:

From:    eFax [message@inbound.efax.com]
Date:    28 October 2015 at 10:08
Subject:    eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200



eFax


Fax Message [Caller-ID: 031207944200]
You have received a 1 page fax at 2015-10-28 08:57:17 GMT.
* The reference number for this fax is lon1_did14-1445421403-1407880525-89.
View this fax using your Microsoft Word.
Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home     Contact     Login
Powered by j2
© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.



FAX_20151028_1445421437_89.doc
99K


The attachment FAX_20151028_1445421437_89.doc is the same as used in this spam run and the payload is the Dridex banking trojan.

Malware spam: "Thank you for your order" / "DoNotReply@ikea.com"

This fake order spam does not come from IKEA but is instead a simple forgery with a malicious attachment.

From:    DoNotReply@ikea.com
Date:    28 October 2015 at 08:57
Subject:    Thank you for your order


IKEA
IKEA UNITED KINGDOM

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
30-10-2015
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
30-10-2015
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.


Attached is a file IKEA receipt 607656390.doc which contains this malicious macro and which has a VirusTotal detection rate of 4/55.

Analysis of the document and whatever it downloads is pending, but this is likely to be the Dridex banking trojan.

UPDATE 1:

The reverse.it analysis  of the first sample shows a download from:

alvarezsantos.com/4f67g7/d6f7g8.exe

This dropped binary has a detection rate of just 2/55.

Two further samples have now been seen (VT results [1] [2]) and according to the analysis of one them, it downloads from:

experassistance.fr/4f67g7/d6f7g8.exe

Analysis of the dropped binary is pending. Please check back shortly.

UPDATE 2:

A further reverse.it analysis shows another download location of:

www.retrogame.de/4f67g7/d6f7g8.exe

The reverse.it analysis of the dropped binary is inconclusive.

UPDATE 3:

According to sources clever than I, this doesn't appear to be Dridex at all, but Neutrino Bot / Kasidet which downloads the Shifu banking trojan in the UK.

Tuesday, 27 October 2015

Malware spam: "ZFRSSE - CMS Collateral Report(s) as of 10/27/2015" / "frs-cms-mailer@olen.frb.org"

This fake financial email.. whatever the heck it is pretending to be.. is not from the Federal Reserve System, but is instead a simple forgery with a malicious attachment.

From:    frs-cms-mailer@olen.frb.org
Date:    27 October 2015 at 17:32
Subject:    ZFRSSE - CMS Collateral Report(s) as of 10/27/2015

You have received electronic delivery of the attached CMS Collateral Report(s) from the Federal Reserve System.
______________________________________________________________________

Note: This is an automated message and replies to this mailbox will not be answered.  Questions concerning this message can be directed to your Federal Reserve Bank contact.  This communication and all attachments hereto contain sensitive and confidential information.  As a result, this communication has been encrypted in transit.  This communication is intended solely for the use of the addressee and should be handled in accordance with applicable policies and procedures.  If you have received this communication in error please delete or destroy all copies of it.

This message was secured in transit.  ZFRSSE_20151027173233
-------------------------------------------------------------------------
This message was secured by ZixCorp(R).
This message center is strictly for use by current Federal Reserve System business partner and customer employees, any other use of this system is strictly prohibited.
The attachment in the sample I saw was named CMS Collateral Report_20151027173233.doc which has a VirusTotal detection rate of 4/55. The comments in that report point to another VirusTotal report indicating that it drops Upatre.. but unusually, this code appears to have a valid Comodo certificate.

In turn, this drops a version of the Dyre banking trojan with a detection rate of 5/56.

Malware spam: "id:9828_My_Resume"

This fake résumé spam comes with a malicious attachment. It seems that the names are randomly-generated from a list.

From:    Trinh [zhanxing1497kcuo@163.com]
Date:    27 October 2015 at 18:30
Subject:    id:9828_My_Resume
Signed by:    163.com

Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster
In this case the attachment was named Bobette_resume_1817.doc however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55, mostly detecting a generic macro downloader.

The macro looks like this [pastebin] and the Hybrid Analysis of the document shows traffic coming FROM 46.30.41.150 (EuroByte LLC, Russia) and being POSTED to the following:

all-inclusiveresortstravel.com
designtravelagency.com
bigboattravel.com
cpasolutiononline.com
ciiapparelblog.com

The first three are on 108.167.140.175 and the second two are on 192.185.101.210 which are both allocated to WebSiteWelcome customers. I would assume that those two servers are completely compromised.

The Hybrid Analysis report shows that the malware has some characteristics that make it look like ransomware.

Recommended blocklist:
46.30.41.150
108.167.140.175
192.185.101.210

UPDATE:
This Tweet indicates that the payload is Cryptowall.

BizSummits aka ExecSummits LLC whacks former employee with lawsuit

I've written about BizSummits aka ExecSummits LLC many times before, exposing their habit of sending spam (which I haven't seen any of lately to be fair) and other questionable business practices. By accident I discovered that in September, ExecSummits file a lawsuit [Techdirt] against former employee Michael Healy.

Techdirt does a reasonable job at bringing together various bits and pieces to explain what is occurring and the background to the story. Worth a read IMO.

PACER fees being what they are, I've uploaded the documents for 1:15-cv-03199-MHC here [zip] if you want to have look.

Malware spam: "RBS Cardholder Application Form" / "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]

This fake financial spam does not come from Sunderland City Council, but is instead a simple forgery with a malicious attachment:

From     "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]
Date     Tue, 27 Oct 2015 18:39:34 +0700
Subject     RBS Cardholder Application Form

Dear Customer,



We now have the go ahead from Corporate Procurement to apply to RBS for your Corporate
Purchase Card. Please find attached the RBS application form which requires your
signature as cardholder on page 2. Also please add the date. Once done can you scan
the document and email it back to me or alternatively post it back to me c/o Purchase
Card Administration Team, Transactional Finance, Room 1.34, Civic Centre, Sunderland
SR2 7DN.



Kind regards,

Wm.
Wm Palmer
Purchase Ordering Officer
Commercial and Corporate Services
Sunderland City Council

Tel: 0191 5617588
www.sunderland.gov.uk

Sunderland City Council: Sunderland Home Page

The Sunderland City Council website is for anyone living, working, visiting or wanting
to invest in Sunderland - a great city by the sea with a balanced way of life ...

Read more...

Attached is a file New_Cardholder_Application_Wm_Palmer.zip containing a malicious executable New_Cardholder_Application.scr - which is exactly the same malware as used in this other fake council spam run today.

Malware spam: "Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance" / credbills@denbighshire.gov.uk

I've never had malware spam in Welsh before.. this is not from Denbighsire County Council, but is instead a simple forgery with a malicious attachment:

From     "credbills@denbighshire.gov.uk" [credbills@denbighshire.gov.uk]
Date     Tue, 27 Oct 2015 17:46:01 +0530
Subject     Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance

Gweler manylion taliad BACS yn atodedig

Please see attached Bacs Remittance

Dilyn ni ar Twitter: http://twitter.com/cyngorsDd Follow us on Twitter: http://twitter.com/DenbighshireCC
Ymwelwch a ni ar-lein ar http://www.sirddinbych.gov.uk Visit us online at http://www.denbighshire.gov.uk
Mae'r wybodaeth a gynhwysir yn yr e-bost hwn ac unrhyw ffeiliau a drosglwyddir gydag
o wedi eu bwriadu yn unig ar gyfer pwy bynnag y cyfeirir ef ato neu atynt. Os ydych
wedi derbyn yr e-bost hwn drwy gamgymeriad, hysbyswch yr anfonwr ar unwaith os gwelwch
yn dda. Mae cynnwys yr e-bost yn cynrychioli barn yr unigolyn(ion) a enwir uchod
ac nid yw o angenrheidrwydd yn cynrychioli barn Cyngor Sir Ddinbych. Serch hynny,
fel Corff Cyhoeddus, efallai y bydd angen i Gyngor Sir Ddinbych ddatgelu'r e-bost
hwn [neu unrhyw ymateb iddo] dan ddarpariaethau deddfwriaethol. The information contained
in this e-mail message and any files transmitted with it is intended solely for the
use of the individual or entity to whom they are addressed. If you have received
this e-mail in error please notify the sender immediately. The contents of this e-mail
represents the views of the individual(s) named above and do not necessarily represent
the views of Denbighshire County Council. However, as a Public Body, Denbighshire
County Council may be required to disclose this e-mail [or any response to it] under
legislative provisions.
Attached is a file DenbighshireCC.zip which contains a malicious executable DenbighshireCC.scr. This has a VirusTotal detection rate of 5/55. The Hybrid Analysis report shows characterstics common to the Upatre/Dyre banking trojan. In particular it identifies traffic to a know bad IP:

197.149.90.166 (Cobranet, Nigeria)

I strongly recommend that you block traffic to that IP.



Monday, 26 October 2015

Fake seminar sites to avoid, registered to vravindhar@yahoo.com

A contact tipped me off to some fake financial seminar sites, all linked to the email address vravindhar@yahoo.com. They are promoted in spam emails similar to these:

From: rob.koster@fatcacomplianceinstitute.com [mailto:rob.koster@fatcacomplianceinstitute.com]
Sent: Wednesday, August 05, 2015 8:33 AM
To: redacted
Subject: FATCA Compliance - [redacted]
Importance: High

Dear Participants,

We are pleased to announce you that FATCA Compliance Institute is conducting a 2 day practical seminar on FATCA Compliance.

This seminar is going to be repeated and held thrice:
[redacted]

The seminar is open to all the Banking & Financial Professionals. The seminar particulars are attached with this mail.

Last date for enrolling your participation is [redacted], 2015.

Please contact for assistance.

Truly,
Rob Koster
Seminar Secretary
Tel:+31-800-020-0534(Netherlands and Other EU Countries) 
       +1-312-625-0112(All Other Countries)
FAX:+31-800-020-0534

And also..

 From: alfred@pacibankers.com [mailto:alfred@pacibankers.com]
Sent: Wednesday, February 11, 2015 11:50 AM
Subject: Asset Management Auditing and Internal Accounting Controls - [redacted]
Importance: High




Asset Management Auditing and Internal Accounting Controls - 2 Day Program

Dear Delegate
Pacific Standards (www.pacificstandards.com) would like to invite representatives from your organization to attend the above mentioned program scheduled for 2015. We are limiting the number of participants for each cluster to 20, as the courses are designed to be interactive and to encourage discussion and the exchange of ideas.

Program Dates:      Cluster I – February 25 - 26, 2015 
                                      Cluster II – March 9 - 10, 2015                                  
                                      Cluster III - March 18 - 19, 2015 
                                      Cluster IV- April 6 - 7, 2015
                                      Cluster V- April 15 - 16, 2015
                                 
Venue: {redacted}
We invite you to nominate individuals from your respective organization. It is also important to stress that all available slots will be filled on a first come first serve basis. Please advise your colleagues to attend and take advantage of this valuable and pivotal workshop.(Please see the attached brochure for complete course coverage).
Early Registration Deadline is February 15, 2015 
Last Date of Registration is February 17, 2015 


Looking forward for an early reply.

Thanks & Regards,
Alfred
Pacific Standards
Marketing Manager
Contact Number: +91-8801-990-204

Emails are sent from 159.253.145.90 (Softlayer, Netherlands). The registrant details look like this on most of the domains:
Registry Registrant ID:
Registrant Name: Ravindhar V
Registrant Organization:
Registrant Street: office:7, sushant lok , sushant estate
Registrant City: gugaon
Registrant State/Province: Haryana
Registrant Postal Code: 122002
Registrant Country: India
Registrant Phone: +91.9999960651
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: vravindhar@yahoo.com
Registry Admin ID:
The emails specifically target the finance sector with what appear to be relevant seminars and services, however once payment has been received there is reportedly no further communication and no seminars.

There are a large number of related sites, some using several different domains. There are virtually zero references to these "organisations" on Google, and a close examination of the sites shows several red flags.

Pacific Standards

Claiming to be in Singapore, but boasting an Indian phone number of +91-8801990204, this outfit claims to be part of "Grenoble Learning". Neither Pacific Standards nor Grenoble Learning actually appear to exist.


Domains used:
pacificstandards.com
pacibankers.com
pacific-compliance.com
pacificstan.cc
pacificstan.com
pacificstandards.org

Brown & Co

This claims to be based as 12 Flemington Street, Glasgow but quotes a US contact number of 1-800-BRO-CORP / 1-800-246-8115.  There are many, many companies in the UK with the name "Brown & Co", but where you would expect to see number 12 on that street.. there appears to be a car park.

Domains used:

beta-essentials.me
browncorpuk.org
browncorp.co
betaeventhub.org
betaeventhub.org
betaessentials.in

FATCA Compliance Institute

A quick Google search for "FATCA Compliance Institute" reveals exactly zero reliable references to this important-looking organisation, boasting contact details in both India and The Netherlands.
15-66 plot 101 Prabhu Nagar
Poranki 521137.
Tel:+31-800-020-0534(Netherlands and Other EU Countries)
FAX:+31-800-020-0534 (ONLY EU)
FAX: +31-20-524-1592 (ALL COUNTRIES)
USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Corporate Office:

Keizersgracht 209
1006 DT Amsterdam
The Netherlands
The Netherlands Toll-Free:
Tel:+31-800-020-0534
FAX:+31-800-020-0534

USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Domains used:

fatcacomplianceinstitute.org
fatcacomplianceinstitute.com
fatcacompliance.cc
fatcacompliance.net
fatcacompliance.org

Rightman Group

The web site here looks very slick. But if you Google for snippets of somewhat ungrammatical text (such as "But, one things remains unchanged – our dedication to doing the best work in the world.") you will find that there are hundreds of sites using the exact same template. Rightman Group has the following contact details listed:

Rightman Group
 United States
199 Scott Street
Suite 810
Buffalo, NY 14204
+1-716-217-2817
USA call charges apply.
---------
 Dreikönigstrasse 30
Zürich, Switzerland
----------
+41-43-508-1974 

The New York State Division of Corporations has no such company as "Rightman Group" listed.


Domains used:

rightmangroup.com
rightman.eu
rightman.cc
rightmangroup.net
rightmangroup.org

Swiss Dossier

I can only imagine that the name "Swiss Dossier" came about through an error in autotranslation. It lists several addresses:

info@swissdossier.com(General)
offices@swissdossier.com(Training Programs)

Tel:  +1-786-235-8424(USA)

Our Global offices are located at:
19th Floor, Prudential Towers(North Side)
Office no: 1901
Chulia Street
Singapore

Aeschenvorstadt, 405
Basel,
Switzerland

79 Thornall Street,
6th Floor, Edison, NJ 08837.
New Jersy
USA

70 Sheppard Avenue, Suite 301,
North York, Ontario M2N 3A4,
Canada

A Google search for "swissdossier.com" comes up with no independent and reliable references to this so-called company.


Domains used:

swissdossier.com
swissdossier.cc
swissdossier.com.co

Treasury Management Institute

According to Companies House in the UK, there is no company in the UK with the name "Treasury Management Institute". The contact details indicate that this is perhaps the workplace of John or Jane Doe:

Email : 
 jdoe@treasurymanagementinstitute.com
 jdoe@treasurymanagementinstitute.cc
Addresses:
01, Temple Quay, Temple Back East, Bristol, BS1 6DZ, UK
SWConsulting Group, Sec 42 Gurgaon, India(Institute operates under the licence of SWConsulting Group)
There are no independent references to this organisation existing in Bristol.


Domains used:

treasurymanagementinstitute.com
treasurymanagementinstitute.cc
treasurymanagementinstitute.org

Financial Models India

Sharing the same contact details as some of these other highly questionable sites, and hosted on the same infrastructure, Financial Models India would appear to fail the Duck Test.

79 Thornall Street,
6th Floor, Edison, NJ 08837,
New Jersy,
USA

19th Floor,
Prudential Towers (North Side),
Office no: 1901,
Chulia Street, Singapore

Aeschenvorstadt, 405,
Basel, Switzerland

70 Sheppard Avenue,
Suite 301, North York,
Ontario M2N 3A4,
Canada

DLF Square M Block,
Jacaranda Marg DLF City, Phase II,
Gurgaon 122002, INDIA  

Domains used:

financialmodelsindia.com
financialmodels.co.in
fmtsglobal.com
unitedcapital-financialmodels.com
unitedcapitalglobal.com

Virat World Wide

This appears to be the firm or individual behind these sites. The "About Us" page says:

Ravindhar.V - Managing Director

Mr. Ravindhar is an able administrator and change master. He has rich experience in thearea of Financial Information Technology(FIT). He has developed financial software products and Information Technology management solutions for financial institutions and banks in more than a fifty countries and for top global Banks and companies. His qualification is Master of Finance and Accounting with a track of computer applications in Finance and Accounting(MFA). Mr.Ravindhar comes from Business Family of Poranki Sugars and his family is a legacy of entrepreneurs based in India. Group is widely respected by the industry.
I'm guessing the the "V" stands for "Virat", making him "Ravindhar Virat". The contact details list an address in the... errr. UNITED KIGDOM.

Global Support
+919-618-921-876
customersupport@virat.consulting
120, CENTRAL STREET
CLERKENWELL
LONDON
UNITED KIGDOM
This address is actually a hotel. The +91 telephone number is a number in India, not the UK.


Domains used:

virat.consulting
virat-transitionalhunts.biz
virat-th.co.in

Other domains

The other domains (mostly now defunct or with no content) also appear to belong to the same operator:

financialmodelsglobal.net
fortunicia-munich.org

europiafintech.com
europiafintech.net

fisher-n-moreglobal.com
fishernmore-global.org
fmg-singapore.org

intrinsic-pulse.com
intrinsic-pulse.asia


baselknowledge.net
clarklc.com
luthanskane.in
panarab-consulting.in
porankisugars.org
profectuspartners-singapore.com
proximitycorp.org
rfb-research.net
sino-overseasholdings.org
stermarc-worldwide.com
vertasbar.net

If you have any experiences with any of these "companies", feel free to leave a comment.






Malware spam: "Your new PHS documents are attached" / "PHSOnline" [documents@phsonline.co.uk]

This spam does not come from PHSOnline, but is instead a simple forgery with a malicious attachment.

From     "PHSOnline" [documents@phsonline.co.uk]
Date     Mon, 26 Oct 2015 20:28:50 +0700
Subject     Your new PHS documents are attached
I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in three different versions (VT results [1] [2] [3]) containing a macro like this [pastebin] which downloads a malicious binary from one of the following locations:

tranquilosurf.com/~info/76r56e87y8/65df78.exe
masaze-rumburk.cz/76r56e87y8/65df78.exe
img1.buyersbestfriend.com/76r56e87y8/65df78.exe


The Hybrid Analysis reports those those documents are here: [1] [2] [3]. The file is saved as %TEMP%\ZipCock32.exe and this has VirusTotal detection rate of just 1/55. The Hybrid Analysis report for this binary shows it downloading from the following location:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the same as the one use in this earlier attack, but the payload has now changed.


Malware spam: "#NC-242455-Zmj Your Norwich Camping Order has shipped!" / sales@norwichcamping.co.uk

This fake financial spam does not come from Norwich Camping but is instead a simple forgery with a malicious attachment:

From     "Norwich Camping" [sales@norwichcamping.co.uk]
Date     Mon, 26 Oct 2015 13:43:14 +0430
Subject     #NC-242455-Zmj Your Norwich Camping Order has shipped!

You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen
payment method has now been charged.

Kind regards,
The Norwich Camping & Leisure
Attached is a file invoice-2425.doc of which I have only seen a single sample so far with a VirusTotal detection rate of 5/55. The document contains this malicious macro [pastebin] which apparently downloads a malicious binary to %TEMP%\|ZipCock32.exe

Analysis of the document and the payload is pending (please check back later), it is most likely that it downloads the Dridex banking trojan.

UPDATE:

According to this Hybrid Analysis report version of the malicious document downloads an executable from:

img1.buyersbestfriend.com/76r56e87y8/65df78.exe

This has a VirusTotal detection rate of 5/55. That report indicates malicious traffic to:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

I recommend that you block traffic to that IP.

Friday, 23 October 2015

Malware spam: "Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)"

This fake financial spam has a malicious attachment:

From:    Accounts [message-service@post.xero.com]
Date:    23 October 2015 at 15:08
Subject:    Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)

Hi Mattie,

Attached is your credit note CN-06536 for 8954.41 GBP.

This has been allocated against invoice number

If you have any questions, please let us know.

Thanks,
Avnet, Inc.
The message is neither from Avnet, Xero or Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc ..  but  it's actually a ZIP file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe  and has a VirusTotal detection rate of 4/55. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan.

Analysis is still pending for this malware (please check back later) but the current version of Update/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.

UPDATE:
The Hybrid Analysis report is here, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe




Malware spam: "DocuCentre-V C6675 T2" / "Scan Data from FX-D6DBE1"

This fake document scan appears to originate from within the victim's own organisation, but doesn't. Instead it comes with a malicious attachment.

From:    DocuCentre-V C6675 T2 [reception@victimdomain.com]
Reply-to:    reception@victimdomain.com
Date:    23 October 2015 at 09:23
Subject:    Scan Data from FX-D6DBE1

Number of Images: 1
Attachment File Type: DOC

Device Name: DocuCentre-V C6675 T2
Device Location:
Attached is a file 22102015160213-0001.doc which comes in a few different versions. The payload is Dridex and all the files and downloaded binaries are the same as used in this spam run.

Malware spam: "cleaning invoice" / "deborah Sherer" [thesherers@westnet.co.uk]

This fake financial spam comes with a malicious attachment:
From     "deborah Sherer" [thesherers@westnet.co.uk]
Date     Fri, 23 Oct 2015 17:03:19 +0700
Subject     cleaning invoice

Hello

attached is invoice for payment

thanks

Deborah Sherer

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro that looks like this [pastebin] and downloads a malicious binary from one of the following locations:

www.bhtfriends.org/tydfyyur54/43e67tko.exe
zomb.webzdarma.cz/tydfyyur54/43e67tko.exe
nisanyapi.com/tydfyyur54/43e67tko.exe

This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55 (that's just a generic detection by Kaspersky).

That VirusTotal report plus this Hybrid Analysis report show network traffic to:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

Private sources also identify these following IPs as part of the C2 infrastructure:

157.252.245.49 (Trinity College Hartford, US)
198.74.58.153 (Linode, US)
68.168.100.232 (Codero, US)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
195.154.251.123
157.252.245.49
198.74.58.153
68.168.100.232

MD5s:
d897c1cdab10a2c8cb5ce95bff03411f
a4bdc332d9cecafcc8381cd6e5ff4667
16fabe48278f84f8ae1bc682a3bd71d7
c08519230b49ad87bc6aa12933aa0cec


Thursday, 22 October 2015

Malware spam: "Notice to Appear" / Notice_to_Appear_00800614.zip

This fake legal spam comes with a malicious attachment:

From:    District Court
Date:    22 October 2015 at 19:03
Subject:    Notice to Appear

Notice to Appear,

This is to inform you to appear in the Court on the October 27 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Sincerely,
Michael Newell,
District Clerk.

Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js which looks like this [pastebin]. This obfuscated script translates into something a bit more understandable which clearly references the following domains:

www.flowarrior.com
www.abama.org
littlefacesofpanama-association.com

The Hybrid Analysis report  shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55 (possibly Cridex). It reference the following IPs as being highly suspect:

91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)

A large number of IPs are queried according to that report:

66.147.244.241 80 TCP United States
ASN: 46606 (Unified Layer)

Possibly Malicious (Details)
78.24.220.229 80 TCP Russian Federation
ASN: 29182 (ISPsystem, cjsc)
74.231.32.162 80 TCP United States
118.120.73.233 80 TCP China
29.225.112.86 80 TCP United States
100.73.14.38 80 TCP Reserved
58.101.131.47 80 TCP China
123.59.97.196 80 TCP China
166.32.216.239 80 TCP United States
149.91.92.120 80 TCP United States
24.216.168.199 80 TCP United States
105.140.148.131 80 TCP Morocco
163.58.44.144 80 TCP Japan
142.84.237.228 80 TCP Canada
15.108.255.248 80 TCP United States
220.168.3.242 80 TCP China
169.69.97.65 80 TCP United States
136.48.1.199 80 TCP United States
193.224.232.11 80 TCP Hungary
46.156.117.74 80 TCP Norway
15.73.25.4 8080 TCP United States
156.95.94.161 80 TCP United States
2.95.43.213 80 TCP Russian Federation
201.112.96.9 443 TCP Mexico
168.202.241.83 80 TCP Italy
126.200.226.38 80 TCP Japan
218.169.88.145 80 TCP Taiwan; Republic of China (ROC)
25.227.76.74 80 TCP United Kingdom
7.58.91.181 80 TCP United States
2.9.47.33 80 TCP France
82.64.212.187 80 TCP France
160.252.229.129 80 TCP Japan
3.19.211.174 80 TCP United States
206.36.90.112 80 TCP United States
70.162.95.85 80 TCP United States
179.74.44.184 80 TCP Brazil
27.60.28.101 80 TCP India
72.131.92.208 80 TCP United States
192.15.148.68 80 TCP United States
161.183.113.148 80 TCP United States
89.194.8.74 80 TCP United Kingdom
74.60.141.199 443 TCP United States
185.124.201.36 80 TCP Germany
57.254.22.27 80 TCP Belgium
223.212.109.175 443 TCP China
184.128.6.160 80 TCP United States
222.26.8.100 80 TCP China
201.80.124.250 80 TCP Brazil
28.245.107.140 8080 TCP United States
7.205.88.91 80 TCP United States
134.208.174.118 443 TCP Taiwan; Republic of China (ROC)
101.42.94.123 80 TCP China
89.184.155.55 8080 TCP Denmark
73.136.226.227 80 TCP United States
92.242.113.252 80 TCP Ukraine
183.80.180.237 80 TCP Viet Nam
189.217.246.252 80 TCP Mexico
162.124.240.218 80 TCP United States
169.244.37.32 80 TCP United States
121.213.170.136 8080 TCP Australia
91.121.108.77 80 TCP France
161.187.226.73 8080 TCP Canada
160.124.108.194 8080 TCP South Africa
132.201.159.171 80 TCP United States
36.136.60.81 80 TCP China
155.159.37.116 80 TCP South Africa
139.171.227.16 80 TCP United States
119.243.117.9 443 TCP Japan
42.199.100.99 80 TCP China
170.225.41.44 80 TCP United States
27.122.177.126 80 TCP Korea Republic of
151.75.83.209 80 TCP Italy
203.207.191.222 8080 TCP China
208.97.41.75 80 TCP United States
179.184.50.147 80 TCP Brazil
126.155.24.64 80 TCP Japan
86.14.23.181 80 TCP United Kingdom
182.162.87.90 80 TCP Korea Republic of
126.85.62.33 80 TCP Japan
96.60.99.19 80 TCP United States
118.123.163.35 80 TCP China
69.190.137.38 80 TCP United States
49.56.139.124 80 TCP Korea Republic of
135.35.59.201 80 TCP United States
57.25.34.69 80 TCP Belgium
174.190.210.89 80 TCP United States
206.91.83.240 80 TCP United States
16.143.86.194 80 TCP United States
99.212.19.159 80 TCP Canada
171.214.61.169 80 TCP China
194.184.155.135 80 TCP Italy
98.30.91.219 80 TCP United States
30.130.130.227 80 TCP United States
201.231.21.9 80 TCP Argentina
10.85.253.242 8080 TCP Reserved
41.70.25.98 80 TCP Malawi
2.239.93.99 80 TCP Italy
178.216.173.66 80 TCP Ukraine
102.239.48.12 80 TCP Indonesia
170.229.125.27 443 TCP United States
170.202.85.86 80 TCP United States
138.204.51.115 80 TCP Brazil
90.59.134.25 80 TCP France
179.105.47.26 80 TCP Brazil
190.128.247.9 80 TCP Paraguay
62.74.109.148 80 TCP Greece
39.6.23.63 80 TCP Korea Republic of
199.12.247.12 80 TCP United States
1.235.148.23 80 TCP Korea Republic of
128.166.232.112 80 TCP United States
198.12.245.130 80 TCP United States
180.59.204.28 80 TCP Japan
191.205.91.94 443 TCP Brazil
166.97.6.127 80 TCP United States
35.174.179.31 80 TCP United States
202.94.163.179 80 TCP Malaysia
199.2.172.193 80 TCP United States
36.4.249.54 80 TCP China
87.60.146.60 80 TCP Denmark
159.157.156.108 80 TCP United States
41.103.3.7 80 TCP Algeria
190.5.47.228 80 TCP Chile
102.197.139.86 8080 TCP Indonesia
79.181.62.136 80 TCP Israel
196.221.146.64 8080 TCP Egypt
45.215.43.254 80 TCP Zambia
133.50.67.191 443 TCP Japan
197.187.96.58 80 TCP Tanzania United Republic of
81.11.14.8 80 TCP European Union
165.216.148.197 80 TCP United States
26.159.93.175 80 TCP United States
55.192.224.240 80 TCP United States
99.183.118.77 8080 TCP United States
97.132.112.64 80 TCP United States
161.158.216.248 80 TCP Netherlands
171.36.6.24 80 TCP China
86.17.207.59 80 TCP United Kingdom
65.170.164.185 80 TCP United States
203.116.171.38 80 TCP Singapore
81.131.210.206 80 TCP United Kingdom
144.69.59.80 80 TCP United States
108.132.28.175 80 TCP United States
54.173.72.227 80 TCP United States
48.227.99.193 80 TCP United States
165.244.29.101 80 TCP Korea Republic of
61.163.159.70 80 TCP China
141.54.70.120 80 TCP Germany
22.6.129.165 80 TCP United States
16.65.24.201 80 TCP United States
107.66.193.112 80 TCP United States
113.185.128.185 80 TCP Viet Nam
185.242.98.255 80 TCP Germany
39.247.94.231 80 TCP Indonesia
1.136.195.240 80 TCP Australia
176.2.178.107 443 TCP Germany
211.57.175.126 80 TCP Korea Republic of
16.78.184.90 80 TCP United States
121.237.58.132 80 TCP China
45.115.246.94 80 TCP China
42.213.207.250 80 TCP China
202.217.115.34 80 TCP Japan
20.100.36.35 80 TCP United States
73.178.96.229 80 TCP United States
177.85.76.19 80 TCP Brazil
184.148.22.247 80 TCP Canada
153.228.8.191 80 TCP Japan
196.226.207.67 443 TCP Liberia
171.178.119.233 80 TCP United States
175.198.60.5 80 TCP Korea Republic of
196.9.179.56 80 TCP South Africa
20.163.126.33 443 TCP United States
152.223.8.195 80 TCP United States
12.51.242.168 80 TCP United States
197.169.155.191 80 TCP South Africa
95.198.239.136 8080 TCP Sweden
209.93.5.164 80 TCP United States
200.17.48.177 80 TCP Brazil
37.147.149.212 80 TCP Russian Federation
113.201.208.234 80 TCP China
157.219.20.253 80 TCP United States
45.72.49.98 80 TCP United States
87.196.69.215 80 TCP Portugal
141.251.31.43 80 TCP United States
30.28.29.139 8080 TCP United States
211.72.127.114 80 TCP Taiwan; Republic of China (ROC)
126.62.177.152 8080 TCP Japan
67.62.93.143 80 TCP United States
4.219.11.148 80 TCP United States
220.15.135.111 80 TCP Japan
6.193.44.176 80 TCP United States
88.18.235.212 80 TCP Spain
65.235.102.3 80 TCP United States
212.246.252.248 80 TCP Finland
65.44.223.34 80 TCP United States
67.147.184.3 443 TCP United States
218.100.198.67 8080 TCP China
183.74.253.72 443 TCP Japan
189.99.113.170 443 TCP Brazil
202.113.235.65 80 TCP China
78.193.245.197 80 TCP France
20.87.185.21 443 TCP United States
34.94.156.167 80 TCP United States
16.154.131.128 443 TCP United States
112.236.139.20 80 TCP China
37.217.232.246 80 TCP Saudi Arabia

I have not had the change to check those individual IP addresses, but I recommend that you block the following two at least:

91.121.108.77
78.24.220.229 


UPDATE 26/10/15:

A slightly revised version of this is circulating:


Notice to Appear,

This is to inform you to appear in the Court on the November 03 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Nathan Andrews,
District Clerk.
The attachment is Notice_to_Appear_000314661.zip which contains a file Notice_to_Appear_000314661.doc.js which has a VirusTotal detection rate of 14/55. According to this Hybrid Analysis report it contacts a LOT of IPs, but these in particular should be blocked:

67.199.5.184 (CrystalTech Web Hosting, US)
78.24.220.229 (TheFirst-RU, Russia)
189.131.94.156 (UniNet, Mexico)
74.10.19.66 (Knox Attorney Service Inc., US)


The following files are dropped (VT reports) [1] [2] [3]

Recommended blocklist:
67.199.5.184
78.24.220.229
189.131.94.156
74.10.19.66

  ssf