Sponsored by..

Showing posts with label DOC. Show all posts
Showing posts with label DOC. Show all posts

Thursday 3 March 2016

Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]

This spam does not come from KM Media Group but it is instead a simple forgery with a malicious attachment:

From     Sally Webb [swebb@thekmgroup.co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535

--

regards,
Sally


*Sally Webb*
Recruitment Media Sales Executive
KM Media Group

DDI : 01622 794500
Email : swebb@thekmgroup.co.uk

*KM Media Group is Kent's only independent multimedia company*

*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*

*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*

Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detectin rates around 3/55. Analysis from another source (thank you) gives download locations at:

coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe


The initial payload has a detection rate of 4/55 which has now been updated with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:

188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234


Wednesday 2 March 2016

Malware spam: "Invoice" / "Payment Confirmation" lead to Locky

The fake financial spam emails lead to the Locky ransomware:

From:    Cedrick Burch
Date:    2 March 2016 at 10:31
Subject:    Payment Confirmation

Dear User,

The attached document is a transaction payment confirmation from USMarketing Ltd.

Thank you for your business - we appreciate it very much.

Sincerely,

Cedrick Burch
Project Manager

=============

From:    Alfredo Bauer
Date:    2 March 2016 at 10:24
Subject:    Invoice

Dear User,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Alfredo Bauer
Project Manager

I received only two samples (VT [1] [2]) of which only one worked in Malwr (this is the other). However, third-party analysis (thank you) shows download locations at:

cabanasestina.ro/num/5buybbtyu8
camberfam.de/num/5f6vtvrtv
ecofriend.co.jp/num/0ujinybvt
e-monalisa.ro/num/7yh5c44duyy
sumiden-e.co.jp/num/87hn8bv6r
leksvik.historielag.org/num/887hb56f
www.countrysaloonriki.sk/num/9987tg6v54


Each location has a different binary (VT [1] [2] [3] [4] [5] [6]) which between them phone home to the following IPs:

95.213.184.10 (Selectel, Russia)
192.71.213.69 (EDIS, Spain)
217.172.182.99 (PlusServer, Germany)


The payload is Locky ransomware.

Recommended blocklist:
95.213.184.10
192.71.213.69
217.172.182.99




Wednesday 24 February 2016

Malware spam: "VAT Invoice - Quote Ref: ES0142570" / CardiffC&MFinance@centrica.com

This fake financial spam is not from British Gas / Centrica but is instead a simple forgery with a malicious attachment.

From:    CardiffC&MFinance [CardiffC&MFinance@centrica.com]
Date:    24 February 2016 at 09:09
Subject:    VAT Invoice - Quote Ref: ES0142570


Good Afternoon,

Please find attached a copy of the VAT invoice as requested.

Regards
Tracy Whitehouse
Finance Team
British Gas Business| Floor 1| 4 Callaghan Square| Cardiff| CF10 5BT
http://intranet/C12/C12/Brand%20and%20communications%20toolk/Email%20signatures/British-Gas-Top-25-gptw.jpg




_____________________________________________________________________
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside England and Wales).

The views expressed in this email are not necessarily the views of Centrica plc, and the company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary.

PH Jones is a trading name of British Gas Social Housing Limited. British Gas Social Housing Limited (company no: 01026007), British Gas Trading Limited (company no: 03078711), British Gas Services Limited (company no: 3141243), British Gas Insurance Limited (company no: 06608316), British Gas New Heating Limited (company no: 06723244), British Gas Services (Commercial) Limited (company no: 07385984) and Centrica Energy (Trading) Limited (company no: 02877397) are all wholly owned subsidiaries of Centrica plc (company no: 3033654). Each company is registered in England and Wales with a registered office at Millstream, Maidenhead Road, Windsor, Berkshire SL4 5GD.

British Gas Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. British Gas Services Limited and Centrica Energy (Trading) Limited are authorised and regulated by the Financial Conduct Authority. British Gas Trading Limited is an appointed representative of British Gas Services Limited which is authorised and regulated by the Financial Conduct Authority.

In the only sample I have seen before, there is an attached file named archive-0910001923884.docm which has a VirusTotal detection rate of 3/52. Analysis of this document is pending, but it is likely to drop either the Dridex banking trojan or Locky ransomware.

UPDATE 1

The Hybrid Analysis of the document plus the VirusTotal scan of the dropped EXE look like Dridex. The download location for that document was:

skropotov.ru/system/logs/87h754.exe

C2 to block:
80.86.91.232 (PlusServer, Germany)

UPDATE 2 

The comments on this VT report indicate other download locations:

school62.dp.ua/new_year/balls/87h754.exe
skropotov.ru/system/logs/87h754.exe
designis.com.ua/admin/images/87h754.exe
armo.sk/system/logs/87h754.exe
eyesquare.tn/system/logs/87h754.exe


Friday 19 February 2016

Malware spam: "Invoice FEB-23456789" from "Accounting Specialist"

This fake financial spam comes from random senders, the attachment is malicious and drops the Locky ransomware:

From:    Kenya Becker
Date:    19 February 2016 at 11:59
Subject:    Invoice FEB-92031923


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Kenya Becker
Accounting Specialist

==================

From:    Toni Jacobson
Date:    19 February 2016 at 12:10
Subject:    Invoice FEB-63396033


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Toni Jacobson
Accounting Specialist 
Attached is a file with a semirandom name similar to invoice_feb-92031923.doc (Sample VirusTotal report) which contains XML that looks like this [pastebin]. Malwr analysis of these samples [1] [2] shows it downloading a malicious executable from:

ratgeber-beziehung.de/5/5.exe
www.proteusnet.it/6/6.exe

If recent patterns are followed, there will be several different download locations with different versions of the file at each. I will let you know if I get these locations. The binaries has a detection rate of 7/55 and 6/54 and these Malwr reports [1] [2] [3] indicate that it phones home to:

85.25.138.187 (PlusServer AG, Germany)
31.41.47.3 (Relink Ltd, Russia)


Other samples are being analysed, but in the meantime I recommend that you block traffic to:

85.25.138.187
31.41.47.3


UPDATE 1

Some additional download locations from these Malwr reports [1] [2] [3]:

ecoledecorroy.be/1/1.exe
animar.net.pl/3/3.exe
luigicalabrese.it/7/7.exe


..stil working on those other locations!

UPDATE 2

Two other locations are revealed in these Malwr reports [1] [2]:

http://lasmak.pl/2/2.exe
http://suicast.de/4/4.exe





Thursday 18 February 2016

Malware spam: "Payment" / Laurence Cottle [lcottle60@gmail.com]

This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the email address has a random number appeneded to it

From:    Laurence Cottle [lcottle60@gmail.com]
Date:    18 February 2016 at 13:35
Subject:    Payment

Hi

Any chance of getting this invoice paid, please?

Many thanks

Laurence

Attached is a file unnamed document.docm which comes in several different versions.

Third-party analysis (thank you!) reveals that there are download locations at:

acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe
alkofuror.com/system/engine/7647gd7b43f43.exe
merichome.com/system/logs/7647gd7b43f43.exe
organichorsesupplements.co.uk/system/logs/7647gd7b43f43.exe
shop.zoomyoo.com/image/templates/7647gd7b43f43.exe
tutikutyu.hu/system/logs/7647gd7b43f43.exe
vipkalyan.com.ua/system/logs/7647gd7b43f43.exe

This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.

MD5s:
a40d4d655cd638e7d52f7a6cdedc5a8e  
9f622033cfe7234645c3c2d922ed5279

The malware phones home to:

195.154.241.208/main.php
46.4.239.76/main.php
94.242.57.45/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php
wblejsfob.pw/main.php


Out of those, the most supect IPs are:

195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)


Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70



Malware spam: Copy of Invoice 20161802-12345678 leads to Locky ransomware

This fake financial spam spoofs different senders and different companies, with a different reference number in each.

From:    Devon Vincent
Date:    18 February 2016 at 08:14
Subject:    Copy of Invoice 20161802-99813731

Dear [redacted],

Please find attached Invoice 20161802-99813731 for your attention.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Devon Vincent
Tenet Healthcare Corporation    www.tenethealth.com

=================

From:    Elvia Saunders
Date:    18 February 2016 at 09:19
Subject:    Copy of Invoice 20161802-48538491

Dear [redacted],

Please find attached Invoice 20161802-48538491 for your attention.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Elvia Saunders
The PNC Financial Services Group, Inc.  www.pnc.com

I have seen two variants of the document (VirusTotal [1] [2]). Analysis of the documents is pending, however it is likely to be the Dridex banking trojan.

UPDATE 1

There is a second variant of the spam with essentially the same (undefined) payload:

From:    Heather Ewing
Date:    18 February 2016 at 08:41
Subject:    Invoice

Dear Sir/Madam,

I trust this email finds you well,

Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.

Best Regards,

Heather Ewing
The Bank of New York Mellon Corporation www.bnymellon.com
In this case the attachment was named Invoice51633050.doc - automated analysis is inconclusive. An examination of the XML attachment [pastebin] indicates that it may be malformed.

UPDATE 2

A contact (thank you) analysed one of the samples and found that the document downloaded an executable from:

killerjeff.free.fr/2/2.exe

According to this Malwr report this is the Locky ransomware, and it phones home to:

95.181.171.58 (QWARTA LLC, Russia)
69.195.129.70 (Joes Data Center, US)


I suspect that the second one may be a sinkhole, but there should be no ill effects from blocking it.


UPDATE 3

A couple more samples have come to light [1] [2] one of which shows a new phone home location of:

185.14.30.97 (ITL Serverius, NL)

UPDATE 4

From user Ralf9000 at VirusTotal here are some more download locations:

onigirigohan.web.fc2.com/1/1.exe
killerjeff.free.fr/2/2.exe
uponor.otistores.com/3/3.exe
premium34.tmweb.ru/4/4.exe
bebikiask.bc00.info/5/5.exe
avp-mech.ru/7/7.exe

6.exe seems to be missing. Analysis of these is pending.

UPDATE 5

According to these Malwr reports on all the available samples [1] [2] [3] [4] [5] [6] the various versions of Locky seem to call back to:


95.181.171.58 (QWARTA LLC, Russia)
31.41.47.37 (Relink Ltd, Russia)
185.14.30.97 (ITL, Ukraine / Serverius, Netherlands)
69.195.129.70 (Joes Datacenter, US)

I have omitted what appear to be obvious sinkholes.

Recommended blocklist:
95.181.171.58
31.41.47.37
185.14.30.97
69.195.129.70


Wednesday 17 February 2016

Malware spam: tracking documents / cmsharpscan@gmail.com

This fake document scan spam has a malicious attachment:

From:    cmsharpscan3589@gmail.com
Date:    17 February 2016 at 14:32
Subject:    tracking documents

Reply to: cmsharpscan@gmail.com [cmsharpscan@gmail.com]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
I have only seen a single sample of this with an attachment cmsharpscan@gmail.com_20160217_132046.docm which has a VirusTotal detection rate of 7/54. According the the Malwr analysis of the document, the payload is the Locky ransomware and is identical to the earlier attach described here.

Malware spam: Fwd:Accumsan Neque LLC Updated Invoice / Please turn on the Edit mode and Macroses!

This malware spam may come from several different companies, but I have only a single sample. It is notable for the mis-spelling of "Macros" as "Macroses" in the document.

From:    Fletcher Oliver [angel@jiahuan.com.tw]
Date:    17 February 2016 at 06:23
Subject:    Fwd:Accumsan Neque LLC Updated Invoice

Good morning

Please check the bill in attachment. In order to avoid fine  you have to pay in 12 hours.

Best regards

Fletcher Oliver
Accumsan Neque LLC

Attached is a document Q7FX9ZH.doc with the distinctive text Attention! To view this document, please turn on the Edit mode and Macroses!

Needless to say, enabling Edit mode and Macroses is a Very Bad Idea. The VirusTotal detection rate for this file is just 2/54. Hybrid Analysis [1] [2] shows that the macro first downloads from:

www.design-i-do.com/mgs.jpg?OOUxs4smZLQtUBK=54

This looks to be an unremarkable JPEG file..

(Note that I have munged the JPEG slightly to stop virus scanners triggering). As far as I can tell, the JPEG actually contains data that is decrypted by the macro (a technique called steganography). A malicious VBS is created [pastebin] and a malicious EXE file is dropped with a VirusTotal result of 7/54.

Automated analysis of the dropped binary [1] [2] shows that it phones home to:

216.59.16.25 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)

I strongly recommend that you block traffic to that IP. Payload is uncertain, but possibly the Dridex banking trojan.

Tuesday 16 February 2016

Malware spam: ATTN: Invoice J-06593788 from random companies

This fake financial spam does not come from Apache Corporation but instead is a simple forgery with a malicious attachment.
From:    June Rojas [RojasJune95@myfairpoint.net]
Date:    16 February 2016 at 09:34
Subject:    ATTN: Invoice J-06593788

Dear nhardy,

Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

Let us know if you have any questions.

We greatly appreciate your business!

June Rojas
Apache Corporation      www.apachecorp.com
Other versions of this spam may come from other corporations. In the single sample I have seen there is an attached file invoice_J-06593788.doc which has a VirusTotal detection rate of 5/54. Analysis is pending, however this is likely to be the Dridex banking trojan.

UPDATE 1

This Dridex run exhibits a change in behaviour from previous ones. I acquired three samples of the spam run and ran the Hybrid Analysis report on them [1] [2] [3] and it shows that the macro dowloads from one of the following locations:

www.southlife.church/34gf5y/r34f3345g.exe
www.iglobali.com/34gf5y/r34f3345g.exe
www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe


Curiously, the binary downloaded from each location is different, with the following MD5s:

CBE75061EB46ADABC434EAD22F85B36E
B06D9DD17C69ED2AE75D9E40B2631B42
FB6CA1CD232151D667F6CD2484FEE8C8


Each one phones home to a different location, the ones I have identified are:

109.234.38.35 (McHost.ru, Russia)
86.104.134.144 (One Telecom SRL, Moldova)
195.64.154.14 (Ukrainian Internet Names Center, Ukraine)


There may be other samples with other behaviour.

UPDATE 2

It is possible that this is dropping ransomware, not Dridex. One other download location identified here:

www.villaggio.airwave.at/34gf5y/r34f3345g.exe

This one has an MD5 of:

1FD40A253BAB50AED41C285E982FCA9C

Detection rate is 5/53 but I do not yet know where this phones home to.

UPDATE 3

That last sample phones home to:

91.195.12.185 (PE Astakhov Pavel Viktorovich, Ukraine)

according to this Hybrid Analysis.

Recommended blocklist:
109.234.38.0/24
86.104.134.128/25
195.64.154.14

91.195.12.185 

UPDATE 4

It appears that this is dropping some ransomware called "Locky" apparently by the makers of Dridex, according to this.

Malware spam: "receipt" / "Accounts" [accounts@aacarpetsandfurniture.co.uk]

This fake financial spam does not come from AA Carpets and Furniture, but is instead a simple forgery with a malicious attachment:

From     "Accounts" [accounts@aacarpetsandfurniture.co.uk]
Date     Tue, 16 Feb 2016 02:15:52 -0700
Subject     receipt

Please find attached receipt

Kind Regards

Christine

Accounts

12-14 Leagrave Road
Luton
Beds
LU4 8HZ

T: 01582488449
F: 01582400866
W:www.aacfdirect.co.uk
E: accounts@aacarpetsandfurniture.co.uk
Attached is a file CCE06102015_00000.docm of which I have only seen a single sample, with a detection rate of 5/54. Analysis is pending, however this would appear to be the Dridex banking trojan.

Malware spam: fmis@oldham.gov.uk / Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530

This spam does not come from Oldham Council but is is instead a simple forgery with a malicious attachment. The timestamp in the subject line varies, probably generated by the infected computer sending the spam.

From:    fmis@oldham.gov.uk
Date:    16 February 2016 at 08:48
Subject:    Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530


**********************************************************************
Confidentiality: This email and its contents and any attachments are intended
only for the above named. As the email may contain confidential or legally privileged information,
if you are not, or suspect that you are not, the above named or the person responsible
for delivery of the message to the above named, please delete or destroy the
email and any attachments immediately.”

Security and Viruses: This note confirms that this email message has been
swept for the presence of computer viruses. However, we advise that in keeping
with good management practice, the recipient should ensure that the email together
with any attachments are virus free by running a virus scan themselves.
We cannot accept any responsibility for any damage or loss caused by software viruses.

Monitoring: The Council undertakes monitoring of both incoming and outgoing emails.
You should therefore be aware that if you send an email to a person within the Council
it may be subject to any monitoring deemed necessary by the organisation from time to time.
The views of the author may not necessarily reflect those of the Council.

Access as a public body: The Council may be required to disclose this email (or any response to it)
under the Freedom of Information Act, 2000, unless the information in it is covered
by one of the exemptions in the Act.

Legal documents: The Council does not accept service of legal documents by email.
**********************************************************************
I have only seen a single copy of this spam, with an attachment 201602_4_2218.docm which has a VirusTotal detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.

UPDATE

This spam is related to this one.  Automated analysis of the samples [1] [2] [3] [4] plus some private sources indicate download locations for this and other related campaigns today at:

labelleflowers.co.uk/09u8h76f/65fg67n
lepeigneur.power-heberg.com/09u8h76f/65fg67n
yurtdisiegitim.tv/09u8h76f/65fg67n
hg9.free.fr/09u8h76f/65fg67n
jtonimages.perso.sfr.fr/09u8h76f/65fg67n
test.blago.md/09u8h76f/65fg67n


This file has a detection rate of 3/54. According to those reports, it phones home to:

151.248.117.140 (Reg.ru, Russia)
87.229.86.20 (Znet Telekom, Hungary)
50.56.184.194 (Rackspace, US)


Recommended blocklist:
151.248.117.140
87.229.86.20
50.56.184.194


Monday 15 February 2016

Malware spam: Overdue Invoice 012345 - COMPANY NAME

This malicious spam appears to come from many different senders and companies. It has a malicious attachment:
From:    Brandi Riley [BrandiRiley21849@horrod.com]
Date:    15 February 2016 at 12:20
Subject:    Overdue Invoice 089737 - COMS PLC

Dear Customer,

The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Brandi Riley

COMS PLC

Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis shows an attempted download from:

node1.beckerdrapkin.com/fiscal/auditreport.php

This is hosted on an IP that you can assume to be malicious:

193.32.68.40 (Veraton Projects, BZ / DE)

The dropped executable (detection rate 4/54) then phones home to:

194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)


The payload is the Dridex banking trojan.

Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229

Malware spam: "Invoice (w/e 070216)" / Kelly Pegg [kpegg@responserecruitment.co.uk]

This fake financial spam does not come from Response Recruitment but is instead a simple forgery with a malicious attachment:
From     Kelly Pegg [kpegg@responserecruitment.co.uk]
Date     Mon, 15 Feb 2016 13:15:37 +0200
Subject     Invoice (w/e 070216)

Good Afternoon

Please find attached invoice and timesheet.

Kind Regards

Kelly
Attached is a file SKM_C3350160212101601.docm which comes in several different variants. The macro in the document attempts to download a malicious executable from:

216.158.82.149/09u8h76f/65fg67n
sstv.go.ro/09u8h76f/65fg67n
www.profildigital.de/09u8h76f/65fg67n


This dropped a malicious executable with a detection rate of 6/54 which according to these automated analysis tools [1] [2] calls home to:

5.45.180.46 (B & K Verwaltungs GmbH, Germany)

I strongly recommend that you block traffic to that address. The payload is the Dridex banking trojan.

Friday 12 February 2016

Malware spam: "DVSA RECEIPT" / FPO.CC.15@vosa.gsi.gov.uk

This spam email does not come from a UK government agency, but is instead a simple forgery with a malcious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi.gov.uk.

From     FPO.CC.15@vosa.gsi.gov.uk
Date     Fri, 12 Feb 2016 12:47:20 +0300
Subject     DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.
*********************************************************************


The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.
Attached is a file Fixed Penalty Receipt.docm which comes in at least ten different variants with the following MD5s:



1cb27d23f9999d9d196a5d20c28fbd4e
68225ddcb35694eff28a2300e8d60399
a99d6c25218add7ece55b2503666b664
57ab4224e7d2274d341020767a6609fd
51f5960ae726906a50b5db4e9253c3c2
7a43a911e0ad208adf4e492345349269
4aae160341b6d96adc2c911ddc941222
f34460da1e77ae4a3b178532800300a2
58a01b254b9d7b90d1d0f80c14f5a089
50e1c94e43f05f593babddb488f1a2f9


I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:

raysoft.de/09u8h76f/65fg67n
xenianet.org/09u8h76f/65fg67n
steinleitner-online.net/09u8h76f/65fg67n [reported here]

This dropped file has a detection rate of 5/54 (MD5 7bf7df5e630242182fa95adff4963921). This Hybrid Analysis report indicates subsequent traffic to:

192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
87.229.86.20 (ZNET Telekom Zrt, Hungary)
84.38.67.231 (ispOne business GmbH, Germany)


The payload is the Dridex banking trojan.

Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231



Thursday 11 February 2016

Malware spam: "Scan from KM1650" / "Please find attached your recent scan" / "scanner@victimdomain.tld"

This fake document scan leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.

From:    scanner@victimdomain.tld
Date:    11 February 2016 at 10:24
Subject:    Scan from KM1650

Please find attached your recent scan  
Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1] [2] [3]). The Malwr reports [4] [5] [6] indicate the the macro in the document downloads a malicious executable from:

maraf0n.vv.si/09u8h76f/65fg67n
www.sum-electronics.co.jp/09u8h76f/65fg6
7n

The dropped executable has a detection rate of 2/54. As with this earlier spam run it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

Block traffic to that IP. The payload is the Dridex banking trojan.



Wednesday 10 February 2016

Malware spam: "New Doc 115" / "Sent from Yahoo Mail on Android"

This rather terse spam has a malicious attachment:
From:    admin [ali73_2008949@yahoo.co.uk]
Date:    10 February 2016 at 10:16
Subject:    New Doc 115

Sent from Yahoo Mail on Android
The sender's email address varies from message to message. Attached is a file New Doc 115.doc which is reportedly identical to the one found in this spam campaign.

Malware spam: Emailing: MX62EDO 10.02.2016 / documents@dmb-ltd.co.uk

This spam has a malicious attachment:

From     documents@dmb-ltd.co.uk
Date     Wed, 10 Feb 2016 11:12:41 +0200
Subject     Emailing: MX62EDO 10.02.2016

Your message is ready to be sent with the following file or link
attachments:

MX62EDO  10.02.2016 SERVICE SHEET


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a malicious document named MX62EDO 10.02.2016.doc. I haven't had time to analyse these myself, but a trusted source (thank you) says that there are three different variants of documents, downloading a malicious executable from the following locations:

calflytech.com/09u8h76f/65fg67n
g-t-c.co.uk/09u8h76f/65fg67n
opoai.com/09u8h76f/65fg67n


This drops an executable with a VirusTotal detection rate of 6/55.  This malware calls back to the following IPs:

87.229.86.20 (ZNET Telekom Zrt, Hungary)
50.56.184.194 (Rackspace, US)
144.76.73.3 (Hetzner, Germany)


The payload is the Dridex banking trojan. Some chatter I have seen indicates that this has been hardened against analysis.

Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3
 






Tuesday 9 February 2016

Malware spam: "Accounts" / [accounts_do_not_reply@aldridgesecurity.co.uk]

This rather terse spam does not come from Aldridge Security but it is instead a simple forgery with a malicious attachment. There is no subject.

From     [accounts_do_not_reply@aldridgesecurity.co.uk]
Date     Tue, 09 Feb 2016 10:31:14 +0200
Subject    

Accounts
I have only seen a single sample with an attachment document2016-02-09-103153.doc which has a VirusTotal detection rate of 5/54. Automated analysis [1] [2] shows that it downloads a malicious executable from:

promo.clickencer.com/4wde34f/4gevfdg

This has a detection rate of 5/54. Those analyses indicates that the malware phones home to:

50.56.184.194 (Rackspace, US)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.


Wednesday 3 February 2016

Malware spam: "GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016"

This fake financial spam does not come from GS Toilet Hire but is instead a simple forgery with a malicious attachment. In other words, if you open it.. you will be in the sh*t.

From:    GS Toilet Hire [donotreply@sageone.com]
Date:    3 February 2016 at 09:12
Subject:    GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016

Good morning

Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.

Full details, including payment terms, are included.
If you have any questions, please don't hesitate to contact us.

Kind regards,

Linda Smith
Office, GS Toilet Hire

Direct enquiries
Glenn Johnson
07930 391 011
I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates [1] [2] containing some highly obfuscated scripts [3] [4] which according to these analyses [5] [6] [7] downloads a binary from one of the following locations:

obstipatie.nu/43rf3dw/34frgegrg.exe
bjhaggerty.com/43rf3dw/34frgegrg.exe

(also www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe from this related spam run)

This type of download indicates that this is Dridex 220, it is unusual for it to be spammed out with a Javascript-in-ZIP format rather than a malicious Office macro. The binary has a detection rate of 5/49 and this Hybrid Analysis shows the malware phoning home to:

91.239.232.145 (Hostpro Ltd, Ukraine)

I strongly recommend that you block all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.

UPDATE

The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc which comes in at least two different variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from the following locations:

xinchunge.com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband.com/43rf3dw/34frgegrg.exe

(also best-drum-set.com/43rf3dw/34frgegrg.exe from this later spam run)

This is a different binary from before, with a detection rate of 4/53. It still phones home to the same location.

Tuesday 2 February 2016

Malware spam: "RB0081 INV2372039" / Sales invoice [salesinvoice@leathams.co.uk]

This fake financial spam does not come from Leathams but is instead a simple forgery with a malicious attachment.

From:    Sales invoice [salesinvoice@leathams.co.uk]
Reply-To:    "no-reply@leathams.co.uk" [no-reply@leathams.co.uk]
Date:    2 February 2016 at 13:15
Subject:    RB0081 INV2372039

Dear Sir/Madam,

Please find attached your sales invoice(s) for supplied goods.  Please process for payment as soon as possible.

In the event that you have a query - please direct your query as follows;

For the following please contact our Nottingham Office on 020 7635 3190 or email NottinghamTelesales@Leathams.co.uk:

                Incorrect items delivered
                Quality Complaint
                Goods Damaged in Transit
                Price query against goods

For the following please contact Credit Control on 020 7635 4049 or email creditcontrol@leathams.co.uk:

                Delivery Shortages

Please note that queries reported outside of our terms of business may not be accepted.

Many thanks and kind regards

Leathams Credit Control
2 Rollins Street, London, SE15 1EW
Tel: +44 (0)20 7635 4049
Email: creditcontrol@leathams.co.uk

DID YOU KNOW LEATHAMS IS GOING PAPERLES IN 2015 - Please note that Leathams will be emailing all invoices and staments in 2015.  Kindly confirm by return email what email address we should send your future invocies and statements to.

IMPORTANT TERMS OF BUSINESS - Please note the following time critical terms;

Delivery Queries - You must notifiy Leathams in writing of any defects within 2 working days stating precisly its reason(s) for rejection.  Failure to do so within this time frame will result in any claims being rejected.

From:    Sales invoice <salesinvoice@leathams.co.uk>
Reply-to:    "no-reply@leathams.co.uk" <no-reply@leathams.co.uk>
Date:    2 February 2016 at 13:15
Subject:    RB0081 INV2372039

Invoice Queries - You must notifiy Leathams in writing of any descrepancies within 7 working days.  If a query is not resolved in time then it is expected that you settle what you believe to be correct, queries should not hold up any payments to Leathams.

Late Payment Fees - Late payment of invoices will result in penalty interest of 8% above the bank of England base rate. We also reserve the right to apply a late payment fee in accordance with UK Late Payment Legislation.

Size of unpaid debt             Sum to be paid to the creditor

Up to ?999.99                        ?40.00

?1,000.00 to ?9,999.99          ?70.00

?10,000.00 or more               ?100.00


Follow us on Twitter <http://twitter.com/LeathamsLtd>
Connect on LinkedIn <http://www.linkedin.com/company/leathams-ltd/>


www.leathams.co.uk <http://www.leathams.co.uk/>


_____________________________________________________________________

This e-mail and any attachments are confidential and intended solely for the addressee. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.

Internet communications are not guaranteed to be secure or virus-free.

Leathams Ltd does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by Leathams Ltd for operational or business reasons.

Any opinion or other information in this e-mail or its attachments, that does not relate to the business of Leathams Ltd, is personal to the sender and is not given or endorsed by Leathams Ltd.

Leathams Ltd. Registered in England (registered no. 1689381).
Registered Office: 227-255 Ilderton Road, London SE15 1NS, United Kingdom

 -------------------------------------------------------------------------------------------------------------
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
_____________________________________________________________________

Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least two different versions (VirusTotal [1] [2]). The Malwr analysis for one of those samples shows a download from:

fillingsystem.com/5h4g/0oi545gfgf.exe

This is similar to a spam run earlier, but now the payload has changed to one with a detection rate of precisely zero (MD5 0d37099eaff9c507c782fd81c715255b). Analysis of this is pending. The payload is the Dridex banking trojan.

UPDATE 

Automated analysis [1] [2] shows the executable phoning home to:

91.239.232.145 (Hostpro Ltd, Ukraine)

I strongly recommend blocking traffic to that IP, or the whole /22 in which it resides.