Showing posts with label Dridex.

Friday 4 March 2016

Malware spam: "Remittance" from random companies with .rtf attachment

This fake financial spam appears to come from random companies. The body text is similar in all cases.

Sample 1:
From:    Ignacio - Floris of London
Date:    4 March 2016 at 09:42
Subject:    Remittance


Dear Sir/Madam,

I hope you are well. I am writing you to let you know that total amount qualified in the contract has been sent to your bank account on the 3rd of March at 14 through BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Ignacio Knox
Accounts Payable

Sample 2:

From:    Audra - ECLECTIC BAR GRP PLC
Date:    4 March 2016 at 09:48
Subject:    Remittance

Dear Sir/Madam,

Hope you are OK. I am writing you to let you know that entire amount specified in the contract has been paid into your bank account on the 1st of March at 16 over BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Audra Pratt
Accounts Payable

Attached is a file named in a format similar to rem.advice-6430760513.rtf or invoice-9200564788.rtf. Detection rates are pretty low [1] [2] [3] and the Malwr reports are inconclusive [4] [5] [6] although I suspect the attachment itself may be malformed. Further analysis is pending.

UPDATE

These Hybrid Analysis reports [1] [2] [3] show the file downloading a malicious binary from one of the following fruit-flavoured domains:

wildberry.markettimingintelligence.com/zalupa/kurva.php
raspberry.diversified-capital-management.com/zalupa/kurva.php

This file is dropped as %TEMP%\sdjgbcjkds.exe and both those sites are hosted on:

31.131.24.76 (PE Skurykhin Mukola Volodumurovuch, Ukraine)

Along with another domain of strawberry.reactionpointtimingindicator.com. All of these are hijacked GoDaddy domains.

The Malwr report for the executable shows it communicating with:

24.172.94.181 (Time Warner, US)

This is the same IP as seen here, which Sophos identified as Dridex.

Recommended blocklist:
31.131.24.76
24.172.94.181 

Malware spam: "Closing bill" / "MyBill [mybill.central@affinitywater.co.uk]"

This fake financial spam does not come from Affinity Water but is instead a simple forgery with a malicious attachment.

From     MyBill [mybill.central@affinitywater.co.uk]
Date     Fri, 04 Mar 2016 14:50:57 +0530
Subject     Closing bill

Dear customer

Please find attached a copy of closing bill as requested.


Kind Regards

Natasha Hawkes
Customer Relations Advisor

affinitywater.co.uk

_________________________________________________________________________

This e-mail
(including any attachments) is confidential and may also be legally privileged or
otherwise protected from disclosure. If you are not the intended recipient of this
e-mail or any parts of it please notify us by reply e-mail or by telephone on 01707
268 111 immediately on receipt and then delete the message from your system. You
should not disclose the contents to any other person, nor take copies nor use it
for any purposes and to do so could be unlawful. The presence of this footnote indicates:
this email message has been tested for the presence of known computer viruses, unless
the email has been encrypted (in part or full) wherein the email will not be checked
for computer viruses. All incoming and outgoing emails may be monitored in line with
current legislation. Affinity Water Limited (Company Number 02546950) is registered
in England and Wales having their registered office, at Tamblin Way, Hatfield, Hertfordshire,
AL10 9EZ. www.affinitywater.co.uk

_____________________________________________________________________________

Attached is a partly randomly-named file, for example 081155545_1735494_18836.xls - the first two numbers are random, the third is always "18836". So far I have seen just two variants of this (there may be more) with detection rates of about 5/56 [1] [2] which according to the Malwr reports [3] [4] download a binary from the following locations:

prettymom.ru/system/logs/vbry73f34f.exe
desean.com.sg/system/logs/vbry73f34f.exe


This binary has a detection rate of 6/56. Analysis is pending, however this looks like the Dridex banking trojan.

UPDATE 1

The comments in the VirusTotal scan give some more download locations:

2.casino-engine.ru/games/megajack/vbry73f34f.exe
shop-bedep.com/system/logs/vbry73f34f.exe
17.rent-shops.ru/system/logs/vbry73f34f.exe

Curiously "Bedep" is the name of a trojan. These Hybrid Analysis reports [1] [2] [3] show malicious traffic to:

188.165.215.180 (OVH, France)

I strongly recommend that you block traffic to that IP.

UPDATE 2

Some additional download locations and C&C servers to block, from another source (thank you!):

jean-daniel.com.ua/system/logs/vbry73f34f.exe
namkeendelights.com/system/logs/vbry73f34f.exe


Overall, some of these download locations look like good candidates for blocking, especially:

81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)


These additional C&C servers have been seen before:

78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57



Thursday 3 March 2016

Malware spam: "FreePDF: 1922110025984.doc" / "Worrall, Antony" [Ant.Worrall@cmco.eu]

This fake financial spam has a malicious attachment.


From     "Worrall, Antony" [Ant.Worrall@cmco.eu]
Date     Thu, 03 Mar 2016 14:25:14 +0430
Subject     FreePDF: 1922110025984.doc


140 Years of Innovation. Lifting.
Positioning. Securing. Safely.

Attached is a randomly-named file that matches the reference in the subject. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run.

Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]

This spam does not come from KM Media Group but it is instead a simple forgery with a malicious attachment:

From     Sally Webb [swebb@thekmgroup.co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535

--

regards,
Sally


*Sally Webb*
Recruitment Media Sales Executive
KM Media Group

DDI : 01622 794500
Email : swebb@thekmgroup.co.uk

*KM Media Group is Kent's only independent multimedia company*

*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*

*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*

Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detection rates around 3/55. Analysis from another source (thank you) gives download locations at:

coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe


The initial payload had a detection rate of 4/55; it has since been replaced by a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:

188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234


Wednesday 2 March 2016

Malware spam spoofing "Hillsong Church London"

This rather confused spam comes with a subject saying one thing.. for example:

GREKA ENGINEERING & TECHNOLOGY LTD March Invoice #2875
LIMITLESS EARTH PLC March Invoice #75913
FALKLAND ISLANDS HLDGS March Invoice #58093
MULTI UNITS FRANCE March Invoice #6689
SHORE CAPITAL GROUP LTD March Invoice #1612

But the body text is from a church..

Hi there,

Please find the remittance advice for the payment made on the 19th Feb 2015 from
Hillsong Church London.

Please let me know if there are any queries.

Kind regards,

Joan Terry

The material contained in this email may be confidential, and may also be the subject
of copyright and/ or privileged information. If you are not the intended recipient,
any use, disclosure or copying of this document is prohibited. If you have received
this document in error, please advise the sender and delete the document.

This email communication does not create or vary any contractual relationship between
Hillsong and you. Internet communications are not secure and accordingly Hillsong
does not accept any legal liability for the contents of this message.

Please note that neither Hillsong nor the sender accepts any responsibility for viruses
and it is your responsibility to scan the email and any attachments.

Hillsong Church London
www.hillsong.co.uk http://www.hillsong.co.uk

Attached is either an Excel spreadsheet named in a style similar to Hillsong-C2E24.xls (VT results [1] [2] [3]) or a ZIP file with a similar name to Hillchurch-03234D.zip containing a script TR7433029032016.js or TR913740032016.js (VT results [4] [5]).

The Malwr reports are a mixed bunch with only the first three giving any data [1] [2] [3] [4] [5] showing download locations at:

oimedoaeklmrf.giftcardnanny.ca/nu2o3mk4/c987ah8j9ei1.php
eiadmeodeda.securalive.ca/8fjvimkel1/c987ah8j9ei1.php
doaemdpmekd.securalive.eu/8fjvimkel1/c987ah8j9ei1.php


In fact, all these locations are on the same server (and are the same binary), hosted on:

193.201.227.90 (PE Tetyana Mysyk, Ukraine)

According to VirusTotal, there are a few hijacked GoDaddy subdomains on that IP. This method is a little unusual for this type of attack.

Those Malwr reports and this Hybrid Analysis show the malware phoning home to:

24.172.94.181 (Time Warner Cable, US)

It isn't entirely clear what the payload is, but it is probably Dridex or possibly some form of ransomware.

Recommended blocklist:
193.201.227.90
24.172.94.181
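The attachment names described in the Remittance, Closing bill and Hillsong posts above can be turned into a mail-gateway triage rule. The following is an added example, not code from this blog: it encodes those naming schemes as anchored regular expressions (my own reading of the quoted examples, not regexes the posts give), quarantines macro- or script-bearing extensions that match no known campaign, and shows on a constructed batch of names where name-based matching stops working.

```python
import re

# Naming schemes described in the posts above, encoded as anchored regexes.
# The regexes are an assumption drawn from the examples the posts quote;
# the posts themselves do not state them.
ATTACHMENT_PATTERNS = {
    # Remittance run: rem.advice-6430760513.rtf / invoice-9200564788.rtf
    "remittance-rtf": re.compile(r"^(?:rem\.advice|invoice)-\d{10}\.rtf$", re.I),
    # Closing bill run: 081155545_1735494_18836.xls, third number fixed at 18836
    "closing-bill-xls": re.compile(r"^\d+_\d+_18836\.xls$", re.I),
    # Hillsong run: Hillsong-C2E24.xls, Hillchurch-03234D.zip, TR7433029032016.js
    "hillsong-xls": re.compile(r"^Hillsong-[0-9A-F]{5,6}\.xls$", re.I),
    "hillsong-zip": re.compile(r"^Hillchurch-[0-9A-F]{5,6}\.zip$", re.I),
    "hillsong-js": re.compile(r"^TR\d{12,13}\.js$", re.I),
}

# Extensions that carry macros or script and so deserve quarantine even when
# no campaign pattern matches.
RISKY_EXTENSIONS = {"docm", "xlsm", "js"}


def classify_attachment(filename):
    """Return the label of the first campaign pattern the name matches, else None."""
    name = filename.strip()
    for label, pattern in ATTACHMENT_PATTERNS.items():
        if pattern.match(name):
            return label
    return None


def extension_of(filename):
    """Lower-cased extension without the dot, or '' if there is none."""
    name = filename.strip()
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(filenames):
    """Map each attachment name to a verdict: block:<label>, quarantine:..., or allow."""
    verdicts = {}
    for f in filenames:
        label = classify_attachment(f)
        if label:
            verdicts[f] = "block:" + label
        elif extension_of(f) in RISKY_EXTENSIONS:
            verdicts[f] = "quarantine:macro-or-script"
        else:
            verdicts[f] = "allow"
    return verdicts


# Constructed test batch: names quoted in the posts plus two made-up benign ones.
SAMPLE_ATTACHMENTS = [
    "rem.advice-6430760513.rtf",    # Remittance post
    "081155545_1735494_18836.xls",  # Closing bill post
    "Hillchurch-03234D.zip",        # Hillsong post (ZIP carrying a .js)
    "TR913740032016.js",            # Hillsong post (the script inside the ZIP)
    "SKM_C3350160212101601.docm",   # Response Recruitment post: no pattern, but macro-enabled
    "invoice.xls",                  # Fuelcard post: generic name, name-based rules miss it
    "Q3_figures_18836.xls",         # constructed benign name: letters before the first underscore
    "invoice.pdf",                  # constructed benign name
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:30} {name}")
```

The `invoice.xls` entry is the caveat: the Fuelcard and Harrison posts show the same run using plain `.xls` names that no name rule catches, and `.xls`/`.doc` on their own are far too common to quarantine, so a name-based heuristic only complements attachment scanning and detonation rather than replacing them.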

Friday 26 February 2016

Malware spam: "Your Order has been despatched from Harrison" / warehouse@harrisonproducts.net

This spam does not come from Harrison Products but is instead a simple forgery with a malicious attachment:

From     warehouse | Harrison [warehouse@harrisonproducts.net]
Date     Fri, 26 Feb 2016 18:07:04 +0500
Subject     Your Order has been despatched from Harrison

Dear Customer

Thank you for your valued Order, your Despatch Confirmation is attached

If there are any queries relating to this delivery please contact our Customer Service
Team on 01451 830083 or email sales@harrisonproducts.net

Kind Regards

The Harrison Products Team


Harrison Products Co. Sterling House, Moreton Road, Longborough, Glos. GL56 0QJ

I have seen only one sample of this with an attachment named Order ref. 16173.xls which has a VirusTotal detection rate of 6/55. This Malwr report plus this Hybrid Analysis for that sample show a binary being downloaded from:

thetoyshop.by/system/logs/76tg654viun76b

There are probably other download locations too. This dropped file has a detection rate of 3/52. Those two reports indicate that this is the Dridex banking trojan. It phones home to:

203.162.141.13 (VietNam Data Communication Company, Vietnam)

I strongly recommend that you block traffic to that IP.



Wednesday 24 February 2016

Malware spam FAIL: "Thank you for your order!" / DoNotReply@ikea.com

This fake financial spam is not from IKEA, but is instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.

From:    DoNotReply@ikea.com
Date:    24 February 2016 at 09:56
Subject:    Thank you for your order!
IKEA
IKEA UNITED KINGDOM

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
24-02-2016
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
24-02-2016
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.

The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do not open it. The attachment is currently being analysed.

UPDATE

Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this.

Malware spam: "VAT Invoice - Quote Ref: ES0142570" / CardiffC&MFinance@centrica.com

This fake financial spam is not from British Gas / Centrica but is instead a simple forgery with a malicious attachment.

From:    CardiffC&MFinance [CardiffC&MFinance@centrica.com]
Date:    24 February 2016 at 09:09
Subject:    VAT Invoice - Quote Ref: ES0142570


Good Afternoon,

Please find attached a copy of the VAT invoice as requested.

Regards
Tracy Whitehouse
Finance Team
British Gas Business| Floor 1| 4 Callaghan Square| Cardiff| CF10 5BT
http://intranet/C12/C12/Brand%20and%20communications%20toolk/Email%20signatures/British-Gas-Top-25-gptw.jpg




_____________________________________________________________________
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside England and Wales).

The views expressed in this email are not necessarily the views of Centrica plc, and the company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary.

PH Jones is a trading name of British Gas Social Housing Limited. British Gas Social Housing Limited (company no: 01026007), British Gas Trading Limited (company no: 03078711), British Gas Services Limited (company no: 3141243), British Gas Insurance Limited (company no: 06608316), British Gas New Heating Limited (company no: 06723244), British Gas Services (Commercial) Limited (company no: 07385984) and Centrica Energy (Trading) Limited (company no: 02877397) are all wholly owned subsidiaries of Centrica plc (company no: 3033654). Each company is registered in England and Wales with a registered office at Millstream, Maidenhead Road, Windsor, Berkshire SL4 5GD.

British Gas Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. British Gas Services Limited and Centrica Energy (Trading) Limited are authorised and regulated by the Financial Conduct Authority. British Gas Trading Limited is an appointed representative of British Gas Services Limited which is authorised and regulated by the Financial Conduct Authority.

In the only sample I have seen so far, there is an attached file named archive-0910001923884.docm which has a VirusTotal detection rate of 3/52. Analysis of this document is pending, but it is likely to drop either the Dridex banking trojan or Locky ransomware.

UPDATE 1

The Hybrid Analysis of the document plus the VirusTotal scan of the dropped EXE look like Dridex. The download location for that document was:

skropotov.ru/system/logs/87h754.exe

C2 to block:
80.86.91.232 (PlusServer, Germany)

UPDATE 2 

The comments on this VT report indicate other download locations:

school62.dp.ua/new_year/balls/87h754.exe
skropotov.ru/system/logs/87h754.exe
designis.com.ua/admin/images/87h754.exe
armo.sk/system/logs/87h754.exe
eyesquare.tn/system/logs/87h754.exe


Wednesday 17 February 2016

Malware spam: "Rechnung 2016-11365" / mpsmobile GmbH [info@mpsmobile.de]

This bilingual spam does not come from mpsmobile but is instead a simple forgery with a malicious attachment.

From:    mpsmobile GmbH [info@mpsmobile.de]
Date:    17 February 2016 at 12:23
Subject:    Rechnung 2016-11365

Dear Sir or Madam,

Attached you will find the document 'Rechnung 2016-11365' in DOC format. To view and print it, the DOC Reader is required. You can install the current version free of charge from the Internet.

Kind regards
mpsmobile Team

______________________________
_____

Dear Ladies and Gentlemen,

please find attached document ''Rechnung 2016-11365' im DOC-Format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.

Best regards
mpsmobile GmbH
mpsmobile GmbH
Brühlstrasse 42
88416 Ochsenhausen
Tel: +49 7352 923 23 0
Fax: +49 7352 923 23-29
Email: info@mpsmobile.de
Commercial register: Amtsgericht Ulm HRB 727290
Registered office: Ochsenhausen
VAT ID No.: DE 281079008
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorised copying or forwarding of this e-mail is not permitted.

In the sample I saw, the attachment was named 19875_Rechnung_2016-11365_20160215.docm and has a VirusTotal detection rate of 5/54.

According to this Malwr report, the attachment attempts to download the Locky ransomware (seemingly a product of those behind the Dridex banking trojan). It attempts to download a binary from:

feestineendoos.nl/system/logs/7623dh3f.exe?.7055475

This dropped file has a detection rate of 3/53. Analysis of the file is pending, but overall this has been made more complicated because the Locky installer calls out to a number of domains, many of which actually appear to have been sinkholed.

Machines infected with Locky will display a message similar to this:


Unfortunately, the only known way to recover from this is to restore files from offline backup once the infection has been removed from the PC.

UPDATE

Another version plopped into my inbox, VT 7/54, and according to this Malwr report it downloads from:

nadeenk.sa/system/logs/7623dh3f.exe?.7055475

This variant POSTs to a server at:

46.4.239.76 (Myidealhost.com / Hetzner, Germany)

It is likely that the C2 server (identified in the previous report) is:

85.25.149.246 (PlusServer AG, Germany)

Recommended blocklist:
85.25.149.246
46.4.239.76


Malware spam: Fwd:Accumsan Neque LLC Updated Invoice / Please turn on the Edit mode and Macroses!

This malware spam may come from several different companies, but I have only a single sample. It is notable for the mis-spelling of "Macros" as "Macroses" in the document.

From:    Fletcher Oliver [angel@jiahuan.com.tw]
Date:    17 February 2016 at 06:23
Subject:    Fwd:Accumsan Neque LLC Updated Invoice

Good morning

Please check the bill in attachment. In order to avoid fine  you have to pay in 12 hours.

Best regards

Fletcher Oliver
Accumsan Neque LLC

Attached is a document Q7FX9ZH.doc with the distinctive text Attention! To view this document, please turn on the Edit mode and Macroses!

Needless to say, enabling Edit mode and Macroses is a Very Bad Idea. The VirusTotal detection rate for this file is just 2/54. Hybrid Analysis [1] [2] shows that the macro first downloads from:

www.design-i-do.com/mgs.jpg?OOUxs4smZLQtUBK=54

This looks to be an unremarkable JPEG file..

(Note that I have munged the JPEG slightly to stop virus scanners triggering). As far as I can tell, the JPEG actually contains data that is decrypted by the macro (a technique called steganography). A malicious VBS is created [pastebin] and a malicious EXE file is dropped with a VirusTotal result of 7/54.

Automated analysis of the dropped binary [1] [2] shows that it phones home to:

216.59.16.25 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)

I strongly recommend that you block traffic to that IP. Payload is uncertain, but possibly the Dridex banking trojan.

Tuesday 16 February 2016

Malware spam: ATTN: Invoice J-06593788 from random companies

This fake financial spam does not come from Apache Corporation but instead is a simple forgery with a malicious attachment.

From:    June Rojas [RojasJune95@myfairpoint.net]
Date:    16 February 2016 at 09:34
Subject:    ATTN: Invoice J-06593788

Dear nhardy,

Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

Let us know if you have any questions.

We greatly appreciate your business!

June Rojas
Apache Corporation      www.apachecorp.com

Other versions of this spam may come from other corporations. In the single sample I have seen there is an attached file invoice_J-06593788.doc which has a VirusTotal detection rate of 5/54. Analysis is pending, however this is likely to be the Dridex banking trojan.

UPDATE 1

This Dridex run exhibits a change in behaviour from previous ones. I acquired three samples of the spam run and ran the Hybrid Analysis report on them [1] [2] [3] and it shows that the macro downloads from one of the following locations:

www.southlife.church/34gf5y/r34f3345g.exe
www.iglobali.com/34gf5y/r34f3345g.exe
www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe


Curiously, the binary downloaded from each location is different, with the following MD5s:

CBE75061EB46ADABC434EAD22F85B36E
B06D9DD17C69ED2AE75D9E40B2631B42
FB6CA1CD232151D667F6CD2484FEE8C8


Each one phones home to a different location, the ones I have identified are:

109.234.38.35 (McHost.ru, Russia)
86.104.134.144 (One Telecom SRL, Moldova)
195.64.154.14 (Ukrainian Internet Names Center, Ukraine)


There may be other samples with other behaviour.

UPDATE 2

It is possible that this is dropping ransomware, not Dridex. One other download location identified here:

www.villaggio.airwave.at/34gf5y/r34f3345g.exe

This one has an MD5 of:

1FD40A253BAB50AED41C285E982FCA9C

Detection rate is 5/53 but I do not yet know where this phones home to.

UPDATE 3

That last sample phones home to:

91.195.12.185 (PE Astakhov Pavel Viktorovich, Ukraine)

according to this Hybrid Analysis.

Recommended blocklist:
109.234.38.0/24
86.104.134.128/25
195.64.154.14
91.195.12.185

UPDATE 4

It appears that this is dropping some ransomware called "Locky" apparently by the makers of Dridex, according to this.

Malware spam: "receipt" / "Accounts" [accounts@aacarpetsandfurniture.co.uk]

This fake financial spam does not come from AA Carpets and Furniture, but is instead a simple forgery with a malicious attachment:

From     "Accounts" [accounts@aacarpetsandfurniture.co.uk]
Date     Tue, 16 Feb 2016 02:15:52 -0700
Subject     receipt

Please find attached receipt

Kind Regards

Christine

Accounts

12-14 Leagrave Road
Luton
Beds
LU4 8HZ

T: 01582488449
F: 01582400866
W:www.aacfdirect.co.uk
E: accounts@aacarpetsandfurniture.co.uk

Attached is a file CCE06102015_00000.docm of which I have only seen a single sample, with a detection rate of 5/54. Analysis is pending, however this would appear to be the Dridex banking trojan.

Malware spam: fmis@oldham.gov.uk / Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530

This spam does not come from Oldham Council but is instead a simple forgery with a malicious attachment. The timestamp in the subject line varies, probably generated by the infected computer sending the spam.

From:    fmis@oldham.gov.uk
Date:    16 February 2016 at 08:48
Subject:    Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530


**********************************************************************
Confidentiality: This email and its contents and any attachments are intended
only for the above named. As the email may contain confidential or legally privileged information,
if you are not, or suspect that you are not, the above named or the person responsible
for delivery of the message to the above named, please delete or destroy the
email and any attachments immediately.”

Security and Viruses: This note confirms that this email message has been
swept for the presence of computer viruses. However, we advise that in keeping
with good management practice, the recipient should ensure that the email together
with any attachments are virus free by running a virus scan themselves.
We cannot accept any responsibility for any damage or loss caused by software viruses.

Monitoring: The Council undertakes monitoring of both incoming and outgoing emails.
You should therefore be aware that if you send an email to a person within the Council
it may be subject to any monitoring deemed necessary by the organisation from time to time.
The views of the author may not necessarily reflect those of the Council.

Access as a public body: The Council may be required to disclose this email (or any response to it)
under the Freedom of Information Act, 2000, unless the information in it is covered
by one of the exemptions in the Act.

Legal documents: The Council does not accept service of legal documents by email.
**********************************************************************

I have only seen a single copy of this spam, with an attachment 201602_4_2218.docm which has a VirusTotal detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.

UPDATE

This spam is related to this one. Automated analysis of the samples [1] [2] [3] [4] plus some private sources indicate download locations for this and other related campaigns today at:

labelleflowers.co.uk/09u8h76f/65fg67n
lepeigneur.power-heberg.com/09u8h76f/65fg67n
yurtdisiegitim.tv/09u8h76f/65fg67n
hg9.free.fr/09u8h76f/65fg67n
jtonimages.perso.sfr.fr/09u8h76f/65fg67n
test.blago.md/09u8h76f/65fg67n


This file has a detection rate of 3/54. According to those reports, it phones home to:

151.248.117.140 (Reg.ru, Russia)
87.229.86.20 (Znet Telekom, Hungary)
50.56.184.194 (Rackspace, US)


Recommended blocklist:
151.248.117.140
87.229.86.20
50.56.184.194


Monday 15 February 2016

Malware spam: Overdue Invoice 012345 - COMPANY NAME

This malicious spam appears to come from many different senders and companies. It has a malicious attachment:

From:    Brandi Riley [BrandiRiley21849@horrod.com]
Date:    15 February 2016 at 12:20
Subject:    Overdue Invoice 089737 - COMS PLC

Dear Customer,

The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Brandi Riley

COMS PLC

Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis shows an attempted download from:

node1.beckerdrapkin.com/fiscal/auditreport.php

This is hosted on an IP that you can assume to be malicious:

193.32.68.40 (Veraton Projects, BZ / DE)

The dropped executable (detection rate 4/54) then phones home to:

194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)


The payload is the Dridex banking trojan.

Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229

Malware spam: "Invoice (w/e 070216)" / Kelly Pegg [kpegg@responserecruitment.co.uk]

This fake financial spam does not come from Response Recruitment but is instead a simple forgery with a malicious attachment:

From     Kelly Pegg [kpegg@responserecruitment.co.uk]
Date     Mon, 15 Feb 2016 13:15:37 +0200
Subject     Invoice (w/e 070216)

Good Afternoon

Please find attached invoice and timesheet.

Kind Regards

Kelly

Attached is a file SKM_C3350160212101601.docm which comes in several different variants. The macro in the document attempts to download a malicious executable from:

216.158.82.149/09u8h76f/65fg67n
sstv.go.ro/09u8h76f/65fg67n
www.profildigital.de/09u8h76f/65fg67n


This dropped a malicious executable with a detection rate of 6/54 which according to these automated analysis tools [1] [2] calls home to:

5.45.180.46 (B & K Verwaltungs GmbH, Germany)

I strongly recommend that you block traffic to that address. The payload is the Dridex banking trojan.

Friday 12 February 2016

Malware spam: "Your latest invoice from The Fuelcard Company UK Ltd" / customerservice@fuelcards.co.uk

This fake financial spam does not come from The Fuelcard Company UK Ltd but is instead a simple forgery with a malicious attachment. For some reason, fake fuel card spam is popular with the bad guys.

From:    customerservice@fuelcards.co.uk
Date:    12 February 2016 at 10:44
Subject:    Your latest invoice from The Fuelcard Company UK Ltd


Please find your latest invoice attached.

If you have any queries please do not hesitate to contact our Customer Service Team at customerservice@fuelcards.co.uk

Regards

The Fuelcard Compa

The Fuelcard Company UK Ltd
St James Business Park   Grimbald Crag Court   Knaresborough   HG5 8QB
Tel 0845 456 1400   Fax 0845 279 9877
http://www.thefuelcardcompany.co.uk

Please consider the environment before printing this email.
________________________________________
This email and any files transmitted with it are confidential, maybe legally privileged, and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the system administrator and then kindly delete the message. If you are not the intended recipient, any disclosure, copying, distribution or any other action taken is prohibited, and may be unlawful. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.  Please note that once signed,  The Fuelcard Company terms & conditions take precedence over all prior communications by any employee or agent of The Fuelcard Company. Once a client signs The Fuelcard Company terms & conditions, this will form the full extent of The Fuelcard Company’s agreed contract with the client.

E-mails may be corrupted, intercepted or amended and so we do not accept any liability for the contents received. We accept no responsibility for any loss caused by viruses. You should scan attachments (if any) for viruses.

Head Office: The Fuelcard Company UK Ltd, St James Business Park, Grimbald Crag Court, Knaresborough HG5 8QB

Registered number: 5939102

I have only seen a single sample with an attachment named invoice.xls with a detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.

UPDATE

This Hybrid Analysis shows that this particular sample downloads from:

legismar.com/09u8h76f/65fg67n

This is the same executable as found in this earlier spam run.

Malware spam: "DVSA RECEIPT" / FPO.CC.15@vosa.gsi.gov.uk

This spam email does not come from a UK government agency, but is instead a simple forgery with a malicious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi.gov.uk.

From     FPO.CC.15@vosa.gsi.gov.uk
Date     Fri, 12 Feb 2016 12:47:20 +0300
Subject     DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.
*********************************************************************


The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.

Attached is a file Fixed Penalty Receipt.docm which comes in at least ten different variants with the following MD5s:

I captured two samples with a detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate that the macro in the document downloads a malicious executable from:

raysoft.de/09u8h76f/65fg67n
xenianet.org/09u8h76f/65fg67n
steinleitner-online.net/09u8h76f/65fg67n [reported here]

This dropped file has a detection rate of 5/54 (MD5 7bf7df5e630242182fa95adff4963921). This Hybrid Analysis report indicates subsequent traffic to:

192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
87.229.86.20 (ZNET Telekom Zrt, Hungary)
84.38.67.231 (ispOne business GmbH, Germany)


The payload is the Dridex banking trojan.

Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231



Thursday 11 February 2016

Malware spam: "Your Sage Pay Invoice INV00318132" / Sagepay EU [accounts@sagepay.com]

This spam does not come from Sage Pay but is instead a simple forgery with a malicious attachment:

From:    Sagepay EU [accounts@sagepay.com]
Date:    11 February 2016 at 13:21
Subject:    Your Sage Pay Invoice INV00318132


Please find attached your invoice.

We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones.  You should have already received an email that outlined the changes, however if you have any questions please contact accounts@sagepay.com or call 0845 111 44 55.

Kind regards

Sage Pay
0845 111 44 55

Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least 11). The VirusTotal detection rate for a subset of these is 4/54 [1] [2] [3] [4] [5] [6]. Only a single Malwr report seemed to work, indicating the macro downloading from:

www.phraseculte.fr/09u8h76f/65fg67n

This dropped executable has a detection rate of 3/54. The Malwr report shows it phoning home to:

84.38.67.231 (ispOne business GmbH, Germany)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

Malware spam: "Scan from KM1650" / "Please find attached your recent scan" / "scanner@victimdomain.tld"

This fake document scan leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.

From:    scanner@victimdomain.tld
Date:    11 February 2016 at 10:24
Subject:    Scan from KM1650

Please find attached your recent scan

Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1] [2] [3]). The Malwr reports [4] [5] [6] indicate that the macro in the document downloads a malicious executable from:

maraf0n.vv.si/09u8h76f/65fg67n
www.sum-electronics.co.jp/09u8h76f/65fg67n

The dropped executable has a detection rate of 2/54. As with this earlier spam run it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

Block traffic to that IP. The payload is the Dridex banking trojan.



Malware spam: "INT242343 Unpaid Invoice - Your Services May Be Suspended" / payments@wavenetuk.com

This spam does not come from Wavenet Group but is instead a simple forgery with a malicious attachment:

From     payments [payments@wavenetuk.com]
Date     Thu, 11 Feb 2016 15:14:59 +0530
Subject     INT242343 Unpaid Invoice - Your Services May Be Suspended

PLEASE NOTE:  THIS IS A NO REPLY EMAIL ACCOUNT

Dear Customer
        Please find attached to this email your statement
You can view the invoices listed on our e-billing site at www.netbills.co.uk
If you have any queries regarding use of the e-billing site or this statement please
call us on 08444 12 7777.


Accounts Department
Wavenet Group
Incorporating - Titan Technology, Centralcom and S1 Network Services
Tel 08444127777


This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. Wavenet
Ltd Registered in England No 3919664. Registered address: Friars Gate 2, 1011 Stratford
Road, Shirley, Solihull, West Midlands, B90 4BN. If you are not the intended recipient
of this email and its attachments, you must take no action based upon them, nor must
you copy or show them to anyone. Please contact the sender if you believe you have
received this email in error. Wavenet Ltd reserves the right to monitor email communications
through its networks.

This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. If you
are not the intended recipient of this email and its attachments, you must take no
action based upon them, nor must you copy or show them to anyone. Please contact
the sender if you believe you have received this email in error. Wavenet Ltd reserves
the right to monitor email communications through its networks

I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53. The Malwr analysis shows that this script downloads an executable from:

gp-training.net/09u8h76f/65fg67n

There are probably a few other download locations. This binary has a detection rate of 2/54. The Malwr report also indicates that it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.
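Every download URL in the runs above ends in the same two path components (09u8h76f/65fg67n) regardless of the compromised domain, and the posts name a handful of C2 addresses worth blocking. As an added example that is not part of the original posts, here is a small Python check that flags proxy log lines on either indicator; the log lines and the log format (timestamp, client, method, URL, destination IP) are constructed for illustration.

```python
import re

# Indicators taken from the posts above (not a complete list; extend as needed).
# The URI path is shared by every download location listed, so matching on the
# path alone catches new compromised domains that host the same payload.
DOWNLOAD_PATH_RE = re.compile(r"/09u8h76f/65fg67n", re.IGNORECASE)
C2_BLOCKLIST = {
    "5.45.180.46",      # B & K Verwaltungs GmbH, Germany
    "192.100.170.19",   # Universidad Tecnologica de la Mixteca, Mexico
    "87.229.86.20",     # ZNET Telekom Zrt, Hungary
    "84.38.67.231",     # ispOne business GmbH, Germany
}

# Constructed sample log: "timestamp client method url dst_ip" per line.
SAMPLE_LOG = """\
2016-02-11T10:31:02 10.0.0.21 GET http://maraf0n.vv.si/09u8h76f/65fg67n 203.0.113.7
2016-02-11T10:31:09 10.0.0.21 POST http://87.229.86.20/ 87.229.86.20
2016-02-11T10:40:13 10.0.0.33 GET http://www.example.com/index.html 198.51.100.9
2016-02-11T11:02:45 10.0.0.45 GET http://gp-training.net/09U8H76F/65FG67N 203.0.113.8
2016-02-11T11:15:00 10.0.0.50 GET http://intranet.local/09u8h76f/ 10.0.0.5
"""


def classify_line(line):
    """Return the tags explaining why a log line matched, or [] if it is clean."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed line: skip rather than crash the scan
    _ts, _client, _method, url, dst_ip = fields
    tags = []
    path = url.split("?", 1)[0]  # ignore any query string when matching the path
    if DOWNLOAD_PATH_RE.search(path):
        tags.append("dridex-download-uri")
    if dst_ip in C2_BLOCKLIST:
        tags.append("dridex-c2-ip")
    return tags


def scan_log(text):
    """Return [(client, url, tags)] for every line with at least one indicator hit."""
    hits = []
    for line in text.splitlines():
        tags = classify_line(line)
        if tags:
            fields = line.split()
            hits.append((fields[1], fields[3], tags))
    return hits


if __name__ == "__main__":
    for client, url, tags in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(tags)}")
```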