Thursday 10 December 2015

Malware spam: "Foreman&Clark Ltd" / "Last Payment Notice" leads to Teslacrypt

This fake financial spam does not come from the long-defunct Foreman & Clark, but instead it comes with a malicious attachment that leads to ransomware.
From:    Harlan Gardner
Date:    10 December 2015 at 08:48
Subject:    Reference Number #20419955, Last Payment Notice

Dear Client,

This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $8,151.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.

Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.

Sincerely,
Harlan Gardner
Sales Manager

Foreman&Clark Ltd.
256 Raccoon Run
Seattle, WA 98101

In the sample I saw, the attachment was named copy_invoice_20419955.zip, which contained this malicious obfuscated script with a VirusTotal detection rate of 2/55. Once deobfuscated it is clearer what it does: it attempts a download from:

46.151.52.196/86.exe?1
softextrain64.com/86.exe?1

This pattern is the same as the spam run yesterday. The downloaded binary has an MD5 of 42b27f4afd1cca0f5dd2130d3829a6bc, a detection rate of 5/55 and the Malwr report indicates that it pulls data from the following domains:

graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
gjesdalbrass.no
The characteristics of this malware indicate the Teslacrypt ransomware.

Recommended blocklist:
46.151.52.196
softextrain64.com
gjesdalbrass.no
graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
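As an added example (not from the original post), the script below checks proxy log lines against the blocklist above, treating subdomains of a listed domain as hits and tagging requests for the 86.exe?1 downloader URL separately from later callbacks; the log lines are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Blocklist taken from the post above: the IP and host that serve 86.exe,
# plus the domains the downloaded binary contacts afterwards.
BLOCKLIST = {
    "46.151.52.196", "softextrain64.com", "gjesdalbrass.no",
    "graysonacademy.com", "grassitup.com", "grupograndes.com",
    "crown.essaudio.pl", "garrityasphalt.com",
}

# Constructed sample proxy log lines ("client method url"), not from the post
# or from any real environment.
SAMPLE_LOG = """\
10.0.0.12 GET http://46.151.52.196/86.exe?1
10.0.0.12 GET http://www.example.com/index.html
10.0.0.31 GET http://softextrain64.com/86.exe?1
10.0.0.31 POST http://crown.essaudio.pl/gate.php
10.0.0.44 GET http://notgrassitup.com/page
10.0.0.44 GET http://cdn.grassitup.com/image.png
"""

def host_matches(host, blocklist):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host)) in blocklist
    except ValueError:
        pass  # not an IP literal, fall through to domain-suffix matching
    labels = host.split(".")
    # Check the host itself and every parent suffix, so that
    # cdn.grassitup.com matches grassitup.com but notgrassitup.com does not.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def scan_proxy_log(text, blocklist=BLOCKLIST):
    """Return (client, host, reason) for every line that touches the blocklist."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        host = urlsplit(url).hostname or ""
        if host_matches(host, blocklist):
            # The download stage in this run is the "86.exe?1" URL; tag it separately
            # because it identifies the victim at the point of infection.
            reason = "downloader" if url.endswith("/86.exe?1") else "c2"
            hits.append((client, host, reason))
    return hits
```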

21 comments:

  1. Just got this email last night. Thanks for this page :)

  2. I just received it also. I tried to open the attached "invoice" but luckily was blocked, recognizing it as malicious. Thank you very much for this helpful information!

  3. I also received a bunch of these over the past few days. Thanks for confirming my suspicions that this is b.s.

  4. Yes received this today. Thanks for confirming it to be malicious. I was able to alert our whole business network.

  5. If you don't have a contract with Foreman & Clark, why would you open the attachment? Classic malware propaganda.

  6. If you don't have a contract with Foreman & Clark, why would you open the attachment? Classic malware propaganda.

  7. Wow, I am doing good. I only owe $2196. LOL. Thanks for the heads up.

  8. Never open an attachment you are unfamiliar with. Especially zip files. If you owe them money, they will call you!!!

  9. Thanks for the information. You saved my marriage!

  10. A friend opened it and it put some documents on his desktop. How does he correct this?

    Reply:
    1. Reformat the hard drive. Best left to your local tech shop.

  11. Apparently I owe $7,228. I never open any attached files like this.

  12. Suckers! I paid them promptly so I didn't get an email.

  13. Well, I allegedly owe $5,295!

  14. I cottoned on to this as soon as I read it, and sent the lady who signed it a very fulsome letter remembering the marvellous time she had given me at her flat six months ago, and offering her a place in the brothel my wife and I are currently running in Sydney Australia - though I thought the fee she was attempting to claim was a little on the large side!

  15. WOW, thank you SO MUCH for this information. I also received the e-mail and I owe 7,165 dollars. Wondering if anyone knows what this could do to my computer? Yes, I did try to open it, but it says there is no program available to open the file?

    Thanks again for the information. Lesson learned; I thought this stuff was a thing of the past.

    Reply:
    1. Take it to a tech shop; it most likely contains a keystroke logger.

  16. Thanks so much, just received this email. Thank you for posting this information.

  17. Hello, I live in Belgium and I also received this mail a few days ago, so if I understand correctly I should not respond to it? Greetings
