Sponsored by..

Tuesday 12 January 2016

Malware spam: "Lattitude Global Volunteering - Invoice - 3FAAB65"

This fake financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple forgery with a malicious attachment.

From:    Darius Green
Date:    12 January 2016 at 09:33
Subject:    Lattitude Global Volunteering - Invoice - 3FAAB65

Dear customer,

Please find attached a copy of your final invoice for your placement in Canada.

This invoice needs to be paid by the 18th January 2016.

Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer  our bank details are.

You must provie your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.

Account Name:  Lattitude Global Volunteering
Bank:                        Barclays Bank
Sort Code:              20-71-03
Account No.           20047376
IBAN:                        GB13BARC20710320047376
SWIFBIC:                  BARCGB22


Kind regards

Luis Robayo
Accounts Department
Lattitude Global Volunteering
T: +44 (0) 118 956 2903
finance@lattitude.org.uk
WWW.lattitude.org.uk


 Visit us on Facebook
 Follow us on Twitter

Lattitude Global Volunteering is a UK registered international youth development charity (No. 272761), a company limited by guarantee (No. 01289296) and a member of BOND (British Overseas NGOs for Development).
I have personally only seen two samples so far with detection rates of 2/55 [1] [2] . These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:

31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php


This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be malicious and should be blocked.

31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)


A file kfc.exe is dropped onto the target system which has a detection rate of 6/52 and an MD5 of 8cfaf90bf572e528c2759f93c89b6986. Those previous Malwr reports indicate that it phones home to a familiar IP of:

78.47.119.93 (Hetzner, Germany)

Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84


2 comments:

meccleshall said...

I received this same spam email today at 08.36 UK time. headers below (i've deleted references to my email address)

Received: from smtp-in-75.livemail.co.uk (213.171.216.76) by
exch4-ht01.email4.local (10.44.216.70) with Microsoft SMTP Server id
14.3.266.1; Tue, 12 Jan 2016 09:36:46 +0000
Received: from virus-20.livemail.co.uk (virus-cluster.livemail.co.uk
[213.171.216.10]) by smtp-in-75.livemail.co.uk (Postfix) with ESMTP id
6AA6865420D for ; Tue, 12 Jan 2016 09:36:46 +0000
(GMT)
Received: from Postfix-filter-42a77884ce2a0a03efc6bb50a6dcdb21
(localhost.localdomain [127.0.0.1]) by virus-20.livemail.co.uk (Postfix) with
SMTP id E2E232EF5A6 for <; Tue, 12 Jan 2016 09:36:45
+0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spam-216.livemail.co.uk
X-Spam-Level:
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00,PYZOR_CHECK,
URIBL_BLOCKED shortcircuit=no autolearn=no version=3.3.1
Received: from by
smtp-in-77.livemail.co.uk (Postfix) with ESMTP id 11309D8238 for
; Tue, 12 Jan 2016 09:36:44 +0000 (GMT)
X-MDAV-Processed: , Tue, 12 Jan 2016 09:36:41 +0000
Received: from 95.9.66.234.static.ttnet.com.tr
(95.9.66.234.static.ttnet.com.tr [95.9.66.234])
(MDaemon PRO v12.0.4) with ESMTP id md50002771789.msg
for <>; Tue, 12 Jan 2016 09:36:38 +0000
Authentication-Results:
x-ip-helo=pass smtp.helo=95.9.66.234.static.ttnet.com.tr (ip=95.9.66.234);
x-ip-mail=hardfail smtp.mail=RiveraElroy30765@ttnet.com.tr (does not match 95.9.66.234)
X-MDOP-RefID: str=0001.0A0B0201.5694C924.036E,ss=2,vtr=str,vl=0,pt=R_F_19363275,fgs=0 (_st=2 _vt=0 _iwf=0)
X-MDHeloLookup-Result: pass smtp.helo=95.9.66.234.static.ttnet.com.tr (ip=95.9.66.234) (
X-MDMailLookup-Result: hardfail smtp.mail=RiveraElroy30765@ttnet.com.tr (does not match 95.9.66.234)
X-Rcpt-To:
X-MDRcpt-To:
X-MDRemoteIP: 95.9.66.234
X-Envelope-From: RiveraElroy30765@ttnet.com.tr
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_510738009996590069564"
Date: Tue, 12 Jan 2016 11:36:42 +0300
From: Elroy Rivera
To:
Subject: =?UTF-8?B?TGF0dGl0dWRlIEdsb2JhbCBWb2x1bnRlZXJpbmcgLSBJbnZvaWNlIC0gMDU3RjNERjI=?=
X-Mailer: MustangList [msg-7BD139506AE68.7DB581B8A25760E en-mail402AD978297A6D]
X-RPTags: List Type Content
X-MLlistcampaign: 653-4423340
X-rpcampaign: prime4461447
X-ML-Message-ID: <20161201113642.4F568BCD866@eccleshall.co.uk>
X-ML-Message-Source: <4390557DE4B>
X-ML-Message-Trk: <<87B4DB6754E>
Reply-To:
Message-ID:
X-MDRedirect: 1
X-MDRedirect_From:
X-Return-Path:
X-MDaemon-Deliver-To: <>
X-Original-To:
X-Virus-Scanned: ClamAV using ClamSMTP
Return-Path: RiveraElroy30765@ttnet.com.tr
X-MS-Exchange-Organization-AuthSource: exch4-ht01.email4.local
X-MS-Exchange-Organization-AuthAs: Anonymous
MIME-Version: 1.0

Rickc said...

I got this also Tue 12/01/2016 08:36

We keep getting lots of these from different addresses with similar content / invoices.

Received: from *******
Received: from 189-212-145-8.static.axtel.net ([189.212.145.8]) by
*******stage1 with esmtp (Exim MailCleaner) id
1aIvMH-0003kB-AC for *********** from
; Tue, 12 Jan 2016 09:35:21 +0000
X-MailCleaner-SPF: softfail
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_394159427896440504621"
Date: Tue, 12 Jan 2016 03:35:35 -0500
From: Earlene Rich
To: *****
Subject: =?UTF-8?B?TGF0dGl0dWRlIEdsb2JhbCBWb2x1bnRlZXJpbmcgLSBJbnZvaWNlIC0gMjk1NDM4?=
X-Mailer: MustangList [msg-C2988BED176.284E3B5AC67C en-mail7C747E22109A3ECEA]
X-RPTags: List Type Content
X-MLlistcampaign: 632-7329282
X-rpcampaign: prime2779249
X-ML-Message-ID: *******
X-ML-Message-Source: <278CA87BBB8>
X-ML-Message-Trk: <<562F903A300>
X-NiceBayes: disabled (no database ?)
X-MailCleaner-Information: Please contact for more information
X-MailCleaner-ID: 1aIvMI-0003kF-38
X-MailCleaner: Found to be clean
X-MailCleaner-SpamCheck: not spam
X-MailCleaner-ReportURL: https://mailcleaner/rs.php
Message-ID: <7d8e1d9a-b067-4ed8-b0c2-4bdfd33dda59@SEQLONAPP01.vcloud.local>
Return-Path: RichEarlene6223@axtel.net
X-MS-Exchange-Organization-AuthSource: SEQLONAPP01.vcloud.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: axtel.net
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (**************: domain of transitioning
RichEarlene6223@axtel.net discourages use of 10.10.40.30 as permitted sender)
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.15426.898;SID:SenderIDStatus