
Tuesday 1 December 2015

Malware spam: "Request for payment (PGS/73329)" / "PGS Services Limited [rebecca@pgs-services.co.uk]"

This spam email is confused. It's either about a watch repair or property maintenance. In any case, it has a malicious attachment:

From: PGS Services Limited [rebecca@pgs-services.co.uk]
Date: 1 December 2015 at 12:06
Subject: Request for payment (PGS/73329)


Dear Customer,
We are contacting you because there is an invoice on your account that is overdue for payment and although we have contacted you already our system is still showing that the invoice remains unpaid.

RST Support Services Limited
Rotary Watches Ltd
2 Fouberts Place
London

W1F 7PA
Full details are attached to this email in DOC format.
If there is any reason why payment should not be made or if you are experiencing difficulties with making the payment please get in touch so that we can discuss the matter and stop the recovery process.
Kind regards,
Rebecca Hughes
Customer services team
PGS Services | Expert Property Care
Direct dial: 0203 819 7054
Email: rebecca@pgs-services.co.uk
Visit our website: www.pgs-services.co.uk
10 quick questions - tell us what you think!
http://www.pgs-services.co.uk/feedback/
PGS Property Services

Attached is a file 3-6555-73329-1435806061-3.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]) and these Malwr reports [4] [5] [6] indicate that it downloads a malicious binary from the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
cru3lblow.xf.cz/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe


This binary has a detection rate of 2/55. According to this Malwr report and this Hybrid Analysis report, it phones home to some familiar and very bad IPs:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
157.252.245.29 (Trinity College Hartford, US)


The payload is probably the Dridex banking trojan.

MD5s:
6171b6272b724e8c19079b5b76bcc100
00312e3379db83bcf9008dd92dc72c2f
d1a401e07f3cab9488d41d509444309f
a4dcd843f545e02ce664157b61cb6191


Recommended blocklist:
94.73.155.8/29
89.32.145.12
221.132.35.56
157.252.245.29
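As an added example (not code from this blog or its author), the following Python sweeps a proxy log for the network indicators listed above: it matches destination IPs against the recommended blocklist (including the /29 range), matches requested URLs against the three payload download locations, and looks up file hashes against the MD5s. The log line format and the sample log lines are constructed for the demonstration, and the "same path on an unlisted host" rule is an assumption of mine drawn from the three URLs sharing one path, not something the post states.

```python
import ipaddress
import re

# IoCs copied from the post above: the recommended blocklist, the payload
# download locations and the MD5s.
BLOCKLIST = [
    "94.73.155.8/29",
    "89.32.145.12",
    "221.132.35.56",
    "157.252.245.29",
]
PAYLOAD_URLS = {
    "rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe",
    "cru3lblow.xf.cz/6543f/9o8jhdw.exe",
    "data.axima.cz/~krejcir/6543f/9o8jhdw.exe",
}
KNOWN_MD5S = {
    "6171b6272b724e8c19079b5b76bcc100",
    "00312e3379db83bcf9008dd92dc72c2f",
    "d1a401e07f3cab9488d41d509444309f",
    "a4dcd843f545e02ce664157b61cb6191",
}
# Assumption (mine, not the post's): the three download URLs share this path,
# so the same path on a host not listed above is worth flagging as a likely
# additional drop site.
PAYLOAD_PATH_SUFFIX = "/6543f/9o8jhdw.exe"

# Constructed proxy log format: "<timestamp> <client_ip> <dest_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def compile_blocklist(entries):
    """Turn a mix of bare IPs and CIDR ranges into ip_network objects (bare IP -> /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_blocked(ip, networks):
    """True if the address falls inside any blocklist entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_url(url):
    """Return a reason string if the URL matches a known or suspected payload location."""
    host_path = url.split("://", 1)[-1]  # drop the scheme; the post lists URLs without one
    if host_path in PAYLOAD_URLS:
        return "known payload URL"
    if host_path.endswith(PAYLOAD_PATH_SUFFIX):
        return "payload path on unlisted host"
    return None


def scan_proxy_log(lines, networks):
    """Return (client_ip, dest_ip, reasons) for each log line that matches an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        _ts, client, dest, _method, url, _status = m.groups()
        reasons = []
        if ip_blocked(dest, networks):
            reasons.append(f"destination {dest} in blocklist")
        url_reason = classify_url(url)
        if url_reason:
            reasons.append(url_reason)
        if reasons:
            hits.append((client, dest, reasons))
    return hits


def md5_known(hexdigest):
    """Look up an attachment or binary hash against the MD5s from the post."""
    return hexdigest.lower() in KNOWN_MD5S


# Constructed sample log lines: the 10.0.0.x clients and the 198.51.100.9 /
# 203.0.113.7 destinations are documentation-range placeholders, not observations.
SAMPLE_LOG = [
    "2015-12-01T12:10:03Z 10.0.0.15 203.0.113.7 GET http://www.example.com/ 200",
    "2015-12-01T12:11:44Z 10.0.0.15 198.51.100.9 GET http://rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe 200",
    "2015-12-01T12:12:01Z 10.0.0.15 94.73.155.12 POST http://94.73.155.12:8080/ 200",
    "2015-12-01T12:12:30Z 10.0.0.22 89.32.145.13 GET http://example.net/ 200",
    "2015-12-01T12:13:10Z 10.0.0.31 203.0.113.7 GET http://203.0.113.7/6543f/9o8jhdw.exe 404",
]

if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST)
    for client, dest, reasons in scan_proxy_log(SAMPLE_LOG, nets):
        print(f"{client} -> {dest}: {'; '.join(reasons)}")
```

Note that 89.32.145.13 in the fourth sample line is not flagged: the blocklist gives 89.32.145.12 as a single address, so it becomes a /32, whereas 94.73.155.12 is caught because the first entry is the whole 94.73.155.8/29 range. The fifth line is flagged only by the path heuristic, which is why that rule is kept separate from the exact-URL match.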


3 comments:

Rawan said...

Hi,
You cannot imagine how thankful I am, as I got this email today and I was sooooo confused because the sender email and domain belong to a real company. Also, yesterday I got a similar email asking for payment with the same convincing information, a real company and a real domain (Kidd.uk). The thing is that I tried to contact the kidd.uk company, but an automatic reply told me to send it to another email, which made me sure that there is something wrong! How would a company make their customer service contact reply like that! And both emails contain an attachment that neither Hotmail nor Gmail could view online!

But I've noticed something: even though I did not download or open the attachment, when I tried to open some webpages that ask for my login info, the Firefox browser denied my access and said that the connection is not safe, as there is someone who is trying to hack me or something like that.

Could you please tell me what I should do, as I have a Mac Air.



Regards,
Rawan

Conrad Longmore said...

@Rawan, this malware only impacts Windows PCs, so you should be OK :)

Savita Kalhan said...

Thanks for this. I wish I had read this before opening the malicious email! I have Windows, but I didn't open the attachment, although I did try to view it (I know, stupid!). Will I be okay?
Thanks.