Sponsored by..

Wednesday, 19 July 2017

Necurs oddity II: avto111222@bigmir.net

Yesterday I saw a series spam emails from Necurs apparently attempting to collect replies to super.testtesttest2018@yahoo.com. Although that campaign is continuing today, a new spam run with similar characteristics has started this morning. For example:

From:    jKX Soto [ingmanz@redacted]
Reply-To:    jKX Soto [avto111222@bigmir.net]
Date:    19 July 2017 at 06:43
Subject:    CQJP

hDYNOX

TC
Subject, body text and vendor seem to be randomly generated. But in all cases, the Reply-To address is avto111222@bigmir.net (Bigmir is basically a Ukrainian version of Yahoo from what I can tell).

The purpose of this spam run is unclear, but spammers do sometimes launch probing attacks to see what kind of response they get from servers. This could be an attempt to clean up the Necurs email address database perhaps, perhaps for resale.

Tuesday, 18 July 2017

Necurs oddity: super.testtesttest2018@yahoo.com / "hi test"

This email is sent from the Necurs botnet and appears to be collecting automatic replies, using a Reply-To email address of super.testtesttest2018@yahoo.com.

From:    Randi Collier [zegrtocbjez@hometelco.net]
Reply-To:    Randi Collier [super.testtesttest2018@yahoo.com]
Date:    18 July 2017 at 10:08
Subject:    hi

hi test 

The name of the sender and the "From" email vary, however the "Reply-To" email is consistent, as is the subject and body text. The sending IP varies, but this does look like Necurs from the patterns I can see.

I can't see any particular purpose in harvesting bounce messages in this way. From Necurs samples I see, the bulk of the recipient addresses are invalid in any case.

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity
   
   
ACCOUNT NO
******969    
   
Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

       
    Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.
   
       
If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

   
Spam Policy   |  Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.


In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]
The secondis a malicious Word document, in this case named 11969_201727.doc. Opening it comes up with a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), downloading a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] with the others shows potentialy malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)


Malware delivered in this was is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95