This spam email does not come from Companies House, but is instead a simple forgery with a malicious attachment:
From: Companies House [WebFilling@companieshousemail.co.uk]
Date: 13 April 2017 at 11:10
Subject: Company Documents
Signed by: companieshousemail.co.uk

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
Please note: all forms must be answered or the form will be returned.
Service Desk tel +44 (0)303 8097 432 or email enquiries@companieshouse.gov.uk
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Attachment: Documents.doc (48K)
---
I observed the email coming from the fake domains companieshousemail.co.uk and companieshouseemail.co.uk, but there may well be more. Email is being sent from servers in the 94.237.36.0/24 range (Upcloud Ltd, Finland), and I can see other servers set up to do the same thing:
companieshouseemail.co.uk 94.237.36.104
companieshouseemail.co.uk 94.237.36.145
companieshousemail.co.uk 94.237.36.146
companieshousemail.co.uk 94.237.36.147
companieshousesecure.co.uk 94.237.36.150
companieshousesecure.co.uk 94.237.36.151
Blocking email from the entire 94.237.36.0/24 range, at least temporarily, might be prudent. Note that the message is signed by the lookalike domain itself (the "Signed by" line above), so a passing signature check says nothing about legitimacy here; the sender domain is the tell.
The WHOIS details for these indicate they were registered today with presumably fake details, which the .uk registry Nominet has somehow managed to "verify" (the registrar is GoDaddy):
Registrant:
Charlene hogg
Registrant type:
Unknown
Registrant's address:
37 Maberley Road
London
SE19 2JA
United Kingdom
Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 13-Apr-2017
Registrar:
GoDaddy.com, LLP. [Tag = GODADDY]
URL: http://uk.godaddy.com
Relevant dates:
Registered on: 13-Apr-2017
Expiry date: 13-Apr-2019
Last updated: 13-Apr-2017
Registration status:
Registered until expiry date.
Name servers:
ns29.domaincontrol.com
ns30.domaincontrol.com
All the attachments I have seen are the same, with a current detection rate of 6/55.
Hybrid Analysis of the document shows it downloading a component from shuswapcomputer.ca/images/banners/bannerlogo.png; a malicious executable %APPDATA%\pnwshqr.exe is then dropped, with a detection rate of 14/62.
Automated analysis of the binary [1] [2] shows potentially malicious traffic going to:
107.181.161.221 (Total Server Solutions, US)
185.25.51.118 (Informacines sistemos ir technologijos UAB aka bacloud.com, Lithuania)
There are probably other destinations too. The payload appears to be Dyre / Dyreza.
Recommended blocklist:
94.237.36.0/24 (temporary email block only)
shuswapcomputer.ca
185.25.51.118
107.181.161.221
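To turn the sender indicators above and this blocklist into something a mail gateway or SOC script can actually apply, here is an added example (not code from the original post). It matches a message's From domain against the fake domains listed, checks the connecting IP in Received headers against the 94.237.36.0/24 range, flags a Word attachment, and checks network destinations against the blocklist. The two sample messages and the Received-header format (connecting IP in square brackets) are constructed for the example; the lookalike heuristic in looks_like_companies_house is an assumption, not something the post describes.

```python
"""Apply the indicators from the post to mail headers and network destinations.

Added example; the sample messages below are constructed, not captured.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the post.
FAKE_SENDER_DOMAINS = {
    "companieshousemail.co.uk",
    "companieshouseemail.co.uk",
    "companieshousesecure.co.uk",
}
SENDER_NETWORK = ipaddress.ip_network("94.237.36.0/24")   # temporary mail block
BLOCKED_HOSTS = {"shuswapcomputer.ca"}                    # payload download host
BLOCKED_IPS = {ipaddress.ip_address(a) for a in ("185.25.51.118", "107.181.161.221")}
LEGIT_DOMAIN = "companieshouse.gov.uk"

# Assumption: the receiving MTA writes the peer IP in square brackets in Received.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg) -> str:
    """Domain part of the From address, lowercased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def connecting_ips(msg):
    """Every bracketed IPv4 address found in the Received headers."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for text in RECEIVED_IP_RE.findall(hdr):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # e.g. "[999.1.1.1]" is not an address
    return ips


def looks_like_companies_house(domain: str) -> bool:
    """Heuristic (assumption): contains 'companieshouse' but is not the real domain."""
    domain = domain.lower()
    return ("companieshouse" in domain
            and domain != LEGIT_DOMAIN
            and not domain.endswith("." + LEGIT_DOMAIN))


def assess_email(raw: str):
    """Return a list of reasons the message matches the campaign (empty if clean)."""
    msg = message_from_string(raw)
    reasons = []
    dom = sender_domain(msg)
    if dom in FAKE_SENDER_DOMAINS:
        reasons.append(f"sender domain {dom} is a known fake")
    elif looks_like_companies_house(dom):
        reasons.append(f"sender domain {dom} impersonates {LEGIT_DOMAIN}")
    for ip in connecting_ips(msg):
        if ip in SENDER_NETWORK:
            reasons.append(f"relayed via {ip} in {SENDER_NETWORK}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith((".doc", ".docm")):
            reasons.append(f"Office attachment {name}")
    return reasons


def is_blocked_destination(dest: str) -> bool:
    """True if an IP or hostname is on the recommended blocklist."""
    try:
        return ipaddress.ip_address(dest) in BLOCKED_IPS
    except ValueError:
        return dest.lower().rstrip(".") in BLOCKED_HOSTS


# Constructed sample: mirrors the headers shown in the post, relayed via one of the listed IPs.
SAMPLE_EMAIL = """\
Received: from mail.example.test ([94.237.36.146]) by mx.example.test with ESMTP; Thu, 13 Apr 2017 11:10:00 +0100
From: Companies House <WebFilling@companieshousemail.co.uk>
Subject: Company Documents
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
--b1
Content-Type: application/msword; name="Documents.doc"
Content-Disposition: attachment; filename="Documents.doc"

AAAA
--b1--
"""

# Constructed clean sample (documentation-range IP, real domain, no attachment).
CLEAN_EMAIL = """\
Received: from mail.example.test ([203.0.113.5]) by mx.example.test with ESMTP; Thu, 13 Apr 2017 11:12:00 +0100
From: Companies House <noreply@companieshouse.gov.uk>
Subject: Company Documents
Content-Type: text/plain

No attachment here.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, assess_email(raw) or "no indicators matched")
    for dest in ("185.25.51.118", "shuswapcomputer.ca", "198.51.100.7"):
        print(dest, "BLOCK" if is_blocked_destination(dest) else "allow")
```

The From-domain check is exact match first and heuristic second, so a new lookalike such as a fourth "companieshouse…co.uk" domain still surfaces; the Received check only works if your MTA records the peer IP in the bracketed form assumed here, so adjust RECEIVED_IP_RE to your gateway's format.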