Tuesday, 12 January 2016

Malware spam: "Lattitude Global Volunteering - Invoice - 3FAAB65"

This fake financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple forgery with a malicious attachment.

From:    Darius Green
Date:    12 January 2016 at 09:33
Subject:    Lattitude Global Volunteering - Invoice - 3FAAB65

Dear customer,

Please find attached a copy of your final invoice for your placement in Canada.

This invoice needs to be paid by the 18th January 2016.

Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer; our bank details are:

You must provide your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.

Account Name: Lattitude Global Volunteering
Bank:         Barclays Bank
Sort Code:    20-71-03
Account No.:  20047376
IBAN:         GB13BARC20710320047376
SWIFBIC:      BARCGB22


Kind regards

Luis Robayo
Accounts Department
Lattitude Global Volunteering
T: +44 (0) 118 956 2903
finance@lattitude.org.uk
WWW.lattitude.org.uk


Visit us on Facebook
Follow us on Twitter

Lattitude Global Volunteering is a UK registered international youth development charity (No. 272761), a company limited by guarantee (No. 01289296) and a member of BOND (British Overseas NGOs for Development).

I have personally only seen two samples so far, with detection rates of 2/55 [1] [2]. These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:

31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php


This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be malicious and should be blocked.

31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)


The payload dropped onto the target system is a file named kfc.exe, which has a detection rate of 6/52 and an MD5 of 8cfaf90bf572e528c2759f93c89b6986. Those previous Malwr reports indicate that it phones home to a familiar IP of:

78.47.119.93 (Hetzner, Germany)

Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84


2 comments:

  1. I received this same spam email today at 08.36 UK time. Headers below (I've deleted references to my email address):

    Received: from smtp-in-75.livemail.co.uk (213.171.216.76) by
    exch4-ht01.email4.local (10.44.216.70) with Microsoft SMTP Server id
    14.3.266.1; Tue, 12 Jan 2016 09:36:46 +0000
    Received: from virus-20.livemail.co.uk (virus-cluster.livemail.co.uk
    [213.171.216.10]) by smtp-in-75.livemail.co.uk (Postfix) with ESMTP id
    6AA6865420D for ; Tue, 12 Jan 2016 09:36:46 +0000
    (GMT)
    Received: from Postfix-filter-42a77884ce2a0a03efc6bb50a6dcdb21
    (localhost.localdomain [127.0.0.1]) by virus-20.livemail.co.uk (Postfix) with
    SMTP id E2E232EF5A6 for <; Tue, 12 Jan 2016 09:36:45
    +0000 (GMT)
    X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
    spam-216.livemail.co.uk
    X-Spam-Level:
    X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00,PYZOR_CHECK,
    URIBL_BLOCKED shortcircuit=no autolearn=no version=3.3.1
    Received: from by
    smtp-in-77.livemail.co.uk (Postfix) with ESMTP id 11309D8238 for
    ; Tue, 12 Jan 2016 09:36:44 +0000 (GMT)
    X-MDAV-Processed: , Tue, 12 Jan 2016 09:36:41 +0000
    Received: from 95.9.66.234.static.ttnet.com.tr
    (95.9.66.234.static.ttnet.com.tr [95.9.66.234])
    (MDaemon PRO v12.0.4) with ESMTP id md50002771789.msg
    for <>; Tue, 12 Jan 2016 09:36:38 +0000
    Authentication-Results:
    x-ip-helo=pass smtp.helo=95.9.66.234.static.ttnet.com.tr (ip=95.9.66.234);
    x-ip-mail=hardfail smtp.mail=RiveraElroy30765@ttnet.com.tr (does not match 95.9.66.234)
    X-MDOP-RefID: str=0001.0A0B0201.5694C924.036E,ss=2,vtr=str,vl=0,pt=R_F_19363275,fgs=0 (_st=2 _vt=0 _iwf=0)
    X-MDHeloLookup-Result: pass smtp.helo=95.9.66.234.static.ttnet.com.tr (ip=95.9.66.234) (
    X-MDMailLookup-Result: hardfail smtp.mail=RiveraElroy30765@ttnet.com.tr (does not match 95.9.66.234)
    X-Rcpt-To:
    X-MDRcpt-To:
    X-MDRemoteIP: 95.9.66.234
    X-Envelope-From: RiveraElroy30765@ttnet.com.tr
    Content-Transfer-Encoding: 7bit
    Content-Type: multipart/mixed; boundary="_----------=_510738009996590069564"
    Date: Tue, 12 Jan 2016 11:36:42 +0300
    From: Elroy Rivera
    To:
    Subject: =?UTF-8?B?TGF0dGl0dWRlIEdsb2JhbCBWb2x1bnRlZXJpbmcgLSBJbnZvaWNlIC0gMDU3RjNERjI=?=
    X-Mailer: MustangList [msg-7BD139506AE68.7DB581B8A25760E en-mail402AD978297A6D]
    X-RPTags: List Type Content
    X-MLlistcampaign: 653-4423340
    X-rpcampaign: prime4461447
    X-ML-Message-ID: <20161201113642.4F568BCD866@eccleshall.co.uk>
    X-ML-Message-Source: <4390557DE4B>
    X-ML-Message-Trk: <<87B4DB6754E>
    Reply-To:
    Message-ID:
    X-MDRedirect: 1
    X-MDRedirect_From:
    X-Return-Path:
    X-MDaemon-Deliver-To: <>
    X-Original-To:
    X-Virus-Scanned: ClamAV using ClamSMTP
    Return-Path: RiveraElroy30765@ttnet.com.tr
    X-MS-Exchange-Organization-AuthSource: exch4-ht01.email4.local
    X-MS-Exchange-Organization-AuthAs: Anonymous
    MIME-Version: 1.0

  2. I got this also Tue 12/01/2016 08:36

    We keep getting lots of these from different addresses with similar content / invoices.

    Received: from *******
    Received: from 189-212-145-8.static.axtel.net ([189.212.145.8]) by
    *******stage1 with esmtp (Exim MailCleaner) id
    1aIvMH-0003kB-AC for *********** from
    ; Tue, 12 Jan 2016 09:35:21 +0000
    X-MailCleaner-SPF: softfail
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Type: multipart/mixed; boundary="_----------=_394159427896440504621"
    Date: Tue, 12 Jan 2016 03:35:35 -0500
    From: Earlene Rich
    To: *****
    Subject: =?UTF-8?B?TGF0dGl0dWRlIEdsb2JhbCBWb2x1bnRlZXJpbmcgLSBJbnZvaWNlIC0gMjk1NDM4?=
    X-Mailer: MustangList [msg-C2988BED176.284E3B5AC67C en-mail7C747E22109A3ECEA]
    X-RPTags: List Type Content
    X-MLlistcampaign: 632-7329282
    X-rpcampaign: prime2779249
    X-ML-Message-ID: *******
    X-ML-Message-Source: <278CA87BBB8>
    X-ML-Message-Trk: <<562F903A300>
    X-NiceBayes: disabled (no database ?)
    X-MailCleaner-Information: Please contact for more information
    X-MailCleaner-ID: 1aIvMI-0003kF-38
    X-MailCleaner: Found to be clean
    X-MailCleaner-SpamCheck: not spam
    X-MailCleaner-ReportURL: https://mailcleaner/rs.php
    Message-ID: <7d8e1d9a-b067-4ed8-b0c2-4bdfd33dda59@SEQLONAPP01.vcloud.local>
    Return-Path: RichEarlene6223@axtel.net
    X-MS-Exchange-Organization-AuthSource: SEQLONAPP01.vcloud.local
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-PRD: axtel.net
    X-MS-Exchange-Organization-SenderIdResult: SoftFail
    Received-SPF: SoftFail (**************: domain of transitioning
    RichEarlene6223@axtel.net discourages use of 10.10.40.30 as permitted sender)
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.15426.898;SID:SenderIDStatus

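To show what a gateway operator can pull from headers like the ones the two commenters posted, here is an added example (my own code, not from the blog or the commenters) that takes a raw header block, decodes the RFC 2047 subject to recover the per-message invoice reference, takes the originating IP from the earliest Received hop, and reads the SPF verdict from whichever header the receiving gateway used (MDaemon's Authentication-Results x-ip-mail, Exchange's Received-SPF, or X-MailCleaner-SPF). The sample header block is a constructed, trimmed copy of the first comment's headers, and the campaign_match rule is my own heuristic, not something the post defines.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Constructed sample: a trimmed copy of the headers the first commenter posted.
SAMPLE_HEADERS = """\
Received: from 95.9.66.234.static.ttnet.com.tr
    (95.9.66.234.static.ttnet.com.tr [95.9.66.234])
    (MDaemon PRO v12.0.4) with ESMTP id md50002771789.msg
    for <>; Tue, 12 Jan 2016 09:36:38 +0000
Authentication-Results:
    x-ip-helo=pass smtp.helo=95.9.66.234.static.ttnet.com.tr (ip=95.9.66.234);
    x-ip-mail=hardfail smtp.mail=RiveraElroy30765@ttnet.com.tr (does not match 95.9.66.234)
X-Envelope-From: RiveraElroy30765@ttnet.com.tr
Subject: =?UTF-8?B?TGF0dGl0dWRlIEdsb2JhbCBWb2x1bnRlZXJpbmcgLSBJbnZvaWNlIC0gMDU3RjNERjI=?=
X-Mailer: MustangList [msg-7BD139506AE68.7DB581B8A25760E en-mail402AD978297A6D]
"""

SUBJECT_RE = re.compile(r"^Lattitude Global Volunteering - Invoice - ([0-9A-F]+)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_RE = re.compile(r"\b(hardfail|softfail|fail|pass|neutral|none)\b", re.I)


def unfold(value):
    # Collapse folded continuation lines into one space-separated string.
    return " ".join((value or "").split())


def triage(raw_headers):
    msg = message_from_string(raw_headers)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))  # RFC 2047 decode
    ref = SUBJECT_RE.match(subject)
    # Received headers are prepended per hop, so the last one names the originating MTA.
    received = [unfold(v) for v in msg.get_all("Received", [])]
    origin = IP_RE.search(received[-1]) if received else None
    spf = "unknown"
    for name in ("Authentication-Results", "Received-SPF", "X-MailCleaner-SPF"):
        v = unfold(msg.get(name))
        # MDaemon writes the envelope-sender SPF result as x-ip-mail=...; check it first.
        hit = re.search(r"x-ip-mail=(\w+)", v) or SPF_RE.search(v)
        if hit:
            spf = hit.group(1).lower()
            break
    return {
        "subject": subject,
        "invoice_ref": ref.group(1) if ref else None,
        "origin_ip": origin.group(1) if origin else None,
        "envelope_from": unfold(msg.get("X-Envelope-From") or msg.get("Return-Path")),
        "spf": spf,
        "mailer": unfold(msg.get("X-Mailer")),
        # Heuristic: templated subject with a hex reference plus a non-passing SPF verdict.
        "campaign_match": bool(ref) and spf != "pass",
    }
```

The same function reads the second commenter's Exim/MailCleaner headers, where the verdict comes from the bare `softfail` in X-MailCleaner-SPF rather than from an Authentication-Results line.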