Showing posts with label EXE-in-ZIP.

Thursday 24 April 2014

"Balance Scheet" spam

This terse spam has a malicious attachment:

Date:      Thu, 24 Apr 2014 12:80:56 GMT [08:08:00 EDT]
From:      Admin@victimdomain
Subject:      FW: Balance Scheet

Please save the attached file to your hard drive before deleting this message. Thank you.

The mail headers have been faked to make it look as though the message originated inside the victim's own internal network. Attached to the email is an archive file Balance-Sheet.zip which in turn contains a malicious executable Balance-Sheet.exe, which has a VirusTotal detection rate of just 3/51.
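The spoofed-internal-sender trick used here (and again in the "Authorization to Use Privately Owned Vehicle" post below) can be caught at the mail gateway by walking the Received chain. This is an added example, not code from the blog; the domain `victimdomain`, the internal address ranges and both sample messages are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example): the organisation's mail domain and
# the address ranges its own MTAs use. A real deployment loads these from config.
OUR_DOMAIN = "victimdomain"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Matches the "from host (name [ip]) by host" clause of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\([^)]*\[(?P<ip>[0-9.]+)\][^)]*\)\s+by\s+(?P<by>\S+)")


def is_internal_ip(ip):
    """True if the address lies inside one of our own ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def external_entry_ip(msg, our_suffix="." + OUR_DOMAIN):
    """Walk Received headers newest-first, trusting only hops our own MTAs added.

    Returns the connecting IP of the first hop that came from outside our
    networks, or None if the message never left our infrastructure (or has no
    usable Received headers). Anything below a hop we did not add could have
    been forged by the sender, so the walk stops there.
    """
    for line in msg.get_all("Received", []):
        m = RECEIVED_RE.search(line)
        if not m or not m.group("by").lower().endswith(our_suffix):
            break
        if not is_internal_ip(m.group("ip")):
            return m.group("ip")
    return None


def check_internal_spoof(raw_message):
    """Flag mail whose From: claims our own domain but which entered from outside
    without an SPF/DKIM pass. Returns a dict so callers can log the evidence."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    claims_internal = addr.rsplit("@", 1)[-1].lower() == OUR_DOMAIN
    entry_ip = external_entry_ip(msg)
    auth = msg.get("Authentication-Results", "").lower()
    auth_pass = "spf=pass" in auth or "dkim=pass" in auth
    return {
        "from": addr,
        "claims_internal": claims_internal,
        "entry_ip": entry_ip,
        "spoofed": claims_internal and entry_ip is not None and not auth_pass,
    }


# Constructed sample modelled on the "Balance Scheet" message: the sender
# address is in our domain, but our border MX received it from 203.0.113.17.
SPOOFED_SAMPLE = """\
Received: from mx.victimdomain (mx.victimdomain [10.0.0.5])
\tby inbox.victimdomain with ESMTP; Thu, 24 Apr 2014 08:08:00 -0400
Received: from mail.victimdomain (unknown [203.0.113.17])
\tby mx.victimdomain with ESMTP; Thu, 24 Apr 2014 08:07:58 -0400
From: Admin@victimdomain
Subject: FW: Balance Scheet

Please save the attached file to your hard drive before deleting this message.
"""

# Constructed sample of genuinely internal mail: every hop is one of ours.
INTERNAL_SAMPLE = """\
Received: from desk42.victimdomain (desk42.victimdomain [192.168.7.42])
\tby inbox.victimdomain with ESMTP; Thu, 24 Apr 2014 09:00:00 -0400
From: Admin@victimdomain
Subject: Real internal notice

Nothing to see here.
"""

if __name__ == "__main__":
    for raw in (SPOOFED_SAMPLE, INTERNAL_SAMPLE):
        print(check_internal_spoof(raw))
```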

Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar

Wednesday 23 April 2014

"Broad Oak Toiletries Ltd" fake invoice spam

UPDATE 2014-05-06:  there is a new version of this with a malicious .PDF attachment, please scroll down for more details.

This spam purports to be from a legitimate company called Broad Oak Toiletries Ltd, but in fact it is a fake with a malicious payload and it does not come from Broad Oak Toiletries at all (some other reports say that their email has been hacked; it has not, this is a forgery).

Date:      Wed, 23 Apr 2014 08:13:19 +0000 [04:13:19 EDT]
From:      Sue Mockridge [smockridges2@Broad-oak.co.uk]
Subject:      Invoice 739545

Hello,

Please can you let me have a payment date for the attached March Invoice?

Kind Regards

Sue Mockridge
Accounts Administrator

(Main) 01884 242626  (Direct Dial) 01884 250764

Please consider the environment before printing

Broad Oak Toiletries Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602


CONFIDENTIALITY:
The information in this email and any attachments is confidential. It is intended solely for the attention and use of the named addressee(s). The unauthorised copying, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information is prohibited. Unless explicitly stated otherwise, the contents of this message are strictly subject to contract; any views expressed may be personal and shall not create a binding legal contract or other commitment on the part of Broad Oak Toiletries Ltd.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

The attachment is Invoice 493234 March 2014.zip which in turn contains a malicious executable Invoice 288910 March 2014.exe, which has a VirusTotal detection rate of just 2/51.

Automated analysis tools [1] [2] show attempted connections to the following URLs:

Recommended blocklist:

UPDATE 2014-05-06:
A new version of this is circulating with a malicious .PDF attachment April invoice 914254.pdf although this time the body text is "Please can you let me have a payment date for the attached April Invoice?" and subject is "Invoice 396038 April". Email addresses spotted so far include

The VirusTotal detection rate for this is 7/51. Automated analysis is somewhat inconclusive. There are some indications that this might be using an Acrobat flaw, CVE-2010-0188, which was patched a long time ago, so if you have an up-to-date version of Acrobat Reader you may be protected. Also, if you opened the email in Gmail and used Google's PDF viewer you should be OK too.

Remember though that .PDF files and other document types can also spread malware, so exercise caution when dealing with emails from unknown sources.

UPDATE 2014-05-06 II:
A contact analysed the PDF (thanks) and determined that it then downloaded an executable from [donotclick]dr-gottlob-institut.de/11.exe (I guess "11" is a Spinal Tap reference) which has a VirusTotal detection rate of just 4/51.

Automated analysis tools [1] [2] [3] show that this in turn downloads components from the following locations:


This is very similar to the previous infection, although this time "11" has been dialed up to "111". This file (111.exe) has a VirusTotal detection rate of only 2/52 which does various bad things [1] [2] [3].

Because detection rates are still low, you might want to consider blocking the following domains:

UPDATE 2014-05-06 III: 
Another downloaded file is:
[donotclick]files.karamellasa.gr/tvcs_russia/2.exe

This has a VirusTotal detection rate of just 1/51 which makes it almost invisible. Automated analysis [1] [2] [3] [4] shows that it creates fake svchost.exe and csrss.exe, and sends a DNS query for smtp.gmail.com among other things.

Payload appears to be Gameover / P2P Zeus.

(btw, thanks to the #MalwareMustDie team for help!)

UPDATE 2014-05-12:
Another spam run is in progress, with yet another malicious PDF attachment, this time with a VirusTotal detection rate of 8/50.

The PDF downloads a file from:
[donotclick]infodream.eu/images/1.exe
..which has a VirusTotal detection rate of just 3/52. The Malwr analysis shows an attempted download from:

[donotclick]www.freshanswer.com/b70.exe
[donotclick]files.karamellasa.gr/tvcs_russia/2.exe
[donotclick]park-laedchen.de/illustrate/offending


Out of these, only the first download appears to be working; that binary has a detection rate of 27/52. Automated analysis of this binary [1] [2] [3] shows that it attempts to connect to various legitimate services plus these suspect IPs in Russia:
217.174.105.92
93.171.173.34
91.221.36.184
37.143.15.103
146.255.194.173

Thanks again to the #MalwareMustDie team for assistance!


Tuesday 8 April 2014

Sage "Please see attached copy of the original invoice" spam

This fake Sage spam comes with a malicious attachment:

Date:      Tue, 8 Apr 2014 08:65:82 GMT
From:      Sage [Merrill.Sterling@sage-mail.com]
Subject:      RE: BACs #3421309

Please see attached copy of the original invoice. 

Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51.

The Malwr analysis shows that it attempts to download a configuration file from [donotclick]hemblecreations.com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.

Recommended blocklist:

Tuesday 1 April 2014

rbs.com "RE: Copy" spam

This very terse spam has a malicious attachment:

Date:      1 Apr 2014 14:25:39 GMT [10:25:39 EDT]
From:      Kathryn Daley [Kathryn.Daley@rbs.com]
Subject:      RE: Copy

(Copy-01042014) 

The attachment is Copy-04012014.zip which in turn contains a malicious executable Copy-04012014.scr which has a VirusTotal detection rate of just 3/50.

The Malwr analysis shows that it has the characteristics of P2P/Gameover Zeus and it makes several network connections, starting with a download of a configuration file from: [donotclick]photovolt.ro/script/0104UKd.bis

The malware then tries to contact a number of other domains. I recommend using the following blocklist:


Friday 28 March 2014

Sky.com "Statement of account" spam leads to Gameover Zeus

This fake Sky spam has a malicious attachment:

Date:      Fri, 28 Mar 2014 07:16:43 -0300 [06:16:43 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Darrel

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 

The attachment is a ZIP file which contains an executable Statement_03282014.exe (note that the date is encoded into the file name). This has a VirusTotal detection rate of 8/51.

The Malwr analysis shows several attempted network connections. Firstly there's a download of a configuration file from [donotclick]igsoa.net/Book/2803UKd.wer, and then subsequently an attempted connection to aulbbiwslxpvvphxnjij.biz on 50.116.4.71 (a Linode IP which has been seen before) and a number of other autogenerated domains.

Recommended blocklist:

Tuesday 25 March 2014

"You have received new messages from HMRC" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson

The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious executable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51.

According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca.com.au/directions/2503UKp.tis
[donotclick]www.sandsca.com.au/directions/2503UKp.tis

Subsequent communications are made with aulbbiwslxpvvphxnjij.biz on the familiar-looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq.biz on another Linode IP of 178.79.178.243. An attempt is also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf.org which does not resolve.

One odd thing in the Anubis report is this dialog box entitled "seconddial" and containing the word "diminutiveness".


I don't know what that is.. it reminds me of Hatefulness/Hatefulness though :)

Recommended blocklist:

Friday 21 March 2014

"Companies House" spam and 50.116.4.71 (again)

This fake Companies House spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 8435407 - Companies House

The submission number is: 8435407

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49.

The Malwr analysis again shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij.biz.

The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below).

I would recommend that you use the following blocklist in combination with this one.


Amazon.co.uk spam, something evil on 50.116.4.71

This fake Amazon.co.uk spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From:      "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Cc:      ; Fri, 21 Mar 2014 13:40:05 +0530
Subject:      Your Amazon.co.uk order ID841-6379889-7781077

Hello,  Thanks for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.  

  
Order Details
Order #799-5059801-3688207  Placed on March 21, 2014 Order details and invoice in attached file.
  
Need to make changes to your order? Visit our Help page for more information and video guides.  
  
We hope to see you again soon.   Amazon.co.uk 

There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51.

The Malwr analysis is the most comprehensive, and shows that it attempts to phone home to the following domains:


Out of these, aulbbiwslxpvvphxnjij.biz seems to be active on 50.116.4.71 (Linode, US)

Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:


Wednesday 19 March 2014

NatWest "You have received a secure message" spam

This fake NatWest spam has a malicious attachment:

Date:      Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From:      NatWest [secure.message@natwest.co.uk]
Subject:      You have received a secure message

You have received a secure message

Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment.

About Email Encryption - http://www.natwest.com/content/global_options/terms/Email_Encryption.pdf

Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51.

Automated analysis tools [1] [2] [3] show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.

199.193.115.111 (NOC4Hosts, US)
droidroots.com
development.pboxhost.com

184.107.149.74 (iWeb, Canada)
2m-it.com
3houd.com

50.116.4.71 (Linode, US)
aulbbiwslxpvvphxnjij.biz
pwoovaijfrsryxeqtgojbuvsvsovkj.com    
ugfmnjojpinembyyprkoptjbtij.info    
nrhpfongapozhpfwkprxohofhq.biz    
byeqdaufqeujvugwczrocihqb.net    
geugypibqsfqirsogeovqwovvgqsfucm.com    
nvyxbmdfiguizcexgluoyxkjsw.ru    
xcvshidqgwotvfetvcydfajnof.com


Recommended blocklist:

Monday 17 March 2014

Salesforce.com "Please respond - overdue payment" spam

This fake Salesforce spam comes with a malicious attachment. Well, actually two malicious attachments..

Date:      Mon, 17 Mar 2014 16:12:20 +0100 [11:12:20 EDT]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      Please respond - overdue payment
Priority:      High Priority 2

Please find attached your invoices for the past months. Remit the payment by 01/9/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Alvaro Rocha

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 

Attached are two archive files quickbook_invoice_89853654.rar and quickbook_invoice_8988561346654.zip which in turn contain the same malicious executable quickbook_invoice.scr which has a VirusTotal detection rate of 8/49. Automated analysis tools [1] [2] [3] don't give much of a clue as to what is going on here, although you can assume that it is nothing good..

"Your private photos are there for anyone to see. why??" spam

This spam email has a malicious attachment:

Date:      Mon, 17 Mar 2014 13:08:42 +0100 [08:08:42 EDT]
Subject:      Your private photos are there for anyone to see. why??

Sorry to disturb you.Someone sent me thee pictures they seem to be from you and your
boyfriend I'm really troubled by this why do you send your private naked photos around??
this is beyound my understanding. It's in attachment 

The attachment is IMG000003342.zip which somewhat predictably has a malicious executable inside, IMG000003342.exe which has a VirusTotal detection rate of 12/48. Automated analysis tools [1] [2] show that it makes various changes to the system but do not detect any remote hosts contacted.

Thursday 13 March 2014

Sky.com "Statement of account" spam

This fake Sky.com email comes with a malicious attachment:

Date:      Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the December invoice as this is now due for
payment.

Regards,
Carmela

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.

Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50. Automated analysis tools [1] [2] [3] show attempted connections to the following domains and IPs:

188.247.130.190 (Prime Telecom SRL, Romania)
gobemall.com
gobehost.info

184.154.11.228 (Singlehop, US)
terenceteo.com

184.154.11.233 (Singlehop, US)
quarkspark.org

The two Singlehop IPs appear to belong to Host The Name (hostthename.com) which perhaps indicates a problem at that reseller.

Recommended blocklist:

Monday 10 March 2014

gateway.confirmation@gateway.gov.uk spam

This fake spam from the UK Government Gateway comes with a malicious payload:

Date:      Mon, 10 Mar 2014 12:04:21 +0100 [07:04:21 EDT]
From:      gateway.confirmation@gateway.gov.uk
Subject:      Your Online Submission for Reference 485/GB3283519 Could not process
Priority:      High

The submission for reference 485/GB3283519 was successfully received and was not
processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail. 

Attached is a file GB3283519.zip which in turn contains a malicious executable GB10032014.pdf.scr which has an icon that makes it look like a PDF file. This has a VirusTotal detection rate of 7/50.

Automated analysis tools [1] [2] [3] show attempted downloads from i-softinc.com on 192.206.6.82 (MegaVelocity, Canada) and icamschat.com on 69.64.39.215 (Hosting Solutions International, US). I would recommend that you block traffic to the following IPs and domains:
192.206.6.82
i-softinc.com
icamschat.com

Wednesday 5 March 2014

mms.Orange.co.uk "IMAGE Id 889195266-PicFFY2C TYPE=MMS" spam

A horribly managed spam turned up in my inbox, claiming to be an MMS message from Orange UK. Well, at least that's what it looked like when I got the HTML to render properly enough to make it readable..

Date:      Wed, 5 Mar 2014 09:14:13 +0000 [04:14:13 EST]
From:      mms.service3694@mms.Orange.co.uk
Subject:      IMAGE Id 889195266-PicFFY2C TYPE=MMS

Description: Orange

Received from: 447457714595 | TYPE=MMS
There's meant to be an embedded image, but it is completely corrupt. Not that it makes much difference..


Attached is a file called bulger,jpg which is actually a ZIP file, so you have to rename it from .jpg to .zip in order to infect yourself. Some assembly is required in this case..

Anyway, once you have done all that and unzipped it, you get a malicious file IMG0000002993.exe which has a VirusTotal detection rate of 17/50. The Malwr report shows that the malware attempts to connect with a bunch of IPs that mostly look like dynamic ADSL subscribers. This sort of behaviour looks like P2P/Gameover Zeus or something similar.

Tuesday 18 February 2014

"Please look my CV" spam

This spam comes with a malicious payload:

Date:      Mon, 17 Feb 2014 13:31:32 -0500 [02/17/14 13:31:32 EST]
From:      My CV [arina6720@rvyleater.com]
Subject:      Please look my CV

Hello,

Let me introduce myself.
I am the winner of various beauty contests
and the most beautiful girl on the coast.

And I really want to get a job from you.
I attach my CV where you can find links to my accounts
in social networks and see my photos.

Kisses,
Alena Tailor

Attached is a ZIP file My_CV_document_social networks_ photos_6103.zip which in my sample was corrupt. A bit of work with a Base64 decoder revealed that the payload file is My_CV_document________________________.exe which would be malicious if it actually worked.
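The attachment tricks in these posts (a ZIP called "bulger,jpg", a double extension like GB10032014.pdf.scr, and a corrupt archive whose payload name can still be read out of the raw bytes) can all be caught by one gateway check that ignores the file name and looks at the ZIP structure itself. This is an added example, not the blog's own tooling; the sample archives are constructed inside the block and contain only a harmless text file.

```python
import io
import struct
import zipfile

# Extensions Windows will run on double-click; .scr is the one these posts see most.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_zip_by_magic(data):
    """A ZIP starts with a local file header, whatever the attachment is called."""
    return data[:4] == ZIP_LOCAL_HEADER


def is_executable_name(name):
    """Flag executable extensions, including double ones such as 'x.pdf.scr'."""
    base = name.lower().rsplit("/", 1)[-1]
    return any(base.endswith(ext) for ext in EXECUTABLE_EXTS)


def raw_entry_names(data):
    """Walk local file headers directly; works when the central directory is damaged
    (the case where zipfile refuses the archive but the payload name is still there)."""
    names = []
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        # Local file header layout: sig(4) ver(2) flag(2) method(2) time(2) date(2)
        # crc(4) csize(4) usize(4) namelen(2) extralen(2), then name, then extra.
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("cp437", "replace"))
        pos = data.find(ZIP_LOCAL_HEADER, pos + 30 + name_len + extra_len)
    return names


def scan_attachment(filename, data):
    """Verdict for one attachment: is it really a ZIP, does the name lie about it,
    is it corrupt, and which entries inside would execute if opened."""
    result = {"filename": filename, "is_zip": is_zip_by_magic(data),
              "extension_mismatch": False, "corrupt": False,
              "entries": [], "executables": []}
    if not result["is_zip"]:
        return result
    if not filename.lower().endswith(".zip"):
        result["extension_mismatch"] = True  # e.g. 'bulger,jpg' that is really a ZIP
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["entries"] = zf.namelist()
    except zipfile.BadZipFile:
        result["corrupt"] = True
        result["entries"] = raw_entry_names(data)
    result["executables"] = [n for n in result["entries"] if is_executable_name(n)]
    return result


def build_sample_zip(inner_name):
    """Constructed sample: a ZIP holding one harmless text file under a chosen name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "not really a program")
    return buf.getvalue()


if __name__ == "__main__":
    # A ZIP renamed to .jpg, as in the Orange MMS post.
    print(scan_attachment("bulger,jpg", build_sample_zip("IMG0000002993.exe")))
    # A truncated archive: zipfile rejects it, raw header walk still names the payload.
    print(scan_attachment("GB3283519.zip",
                          build_sample_zip("GB10032014.pdf.scr")[:-30]))
```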

Friday 7 February 2014

"Authorization to Use Privately Owned Vehicle on State Business" spam

We've seen this particular type of malware-laden spam before..

Date:      Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
From:      Callie Figueroa [Callie@victimdomain]
Subject:      Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached).  The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.

Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file.  Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim. 

The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51.

Anubis reports an attempted connection to faneema.com on 198.38.82.223 (Mochahost, US). I recommend blocking both the domain and IP address in this case.

rbs.co.uk "Important Docs" spam

This fake spam claiming to be from the Royal Bank of Scotland has a malicious attachment:

Date:      Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]
From:      Doris Clay [Doris@rbs.co.uk]
Subject:      Important Docs

Account report.

Tel:  01322 589422
Fax: 01322 296116
email: Doris@rbs.co.uk

This information is classified as Confidential unless otherwise stated.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50.

Automated analysis tools [1] [2] show a download of an encrypted file from the following locations:
[donotclick]professionalonlineediting.com/theme/cc/images/07UKex.enc
[donotclick]mararu.ro/Media/07UKex.enc

Both those sites are hosted by Mochanin Corp in the US, indicating perhaps a wider problem with that host.

Recommended blocklist:
204.93.165.33
50.31.147.54
professionalonlineediting.com
mararu.ro

Thursday 6 February 2014

Fake HMRC "VAT Return" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 3608005

Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.
I love the "certified virus-free" bit, because of course this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver; Windows runs a .scr file exactly as it would an .exe). This has a VirusTotal detection rate of 2/50.

Automated analysis tools [1] [2] [3] [4] show an encrypted file being downloaded from:
[donotclick]wahidexpress.com/scripts/ie.enc
[donotclick]bsitacademy.com/img/events/ie.enc

Recommended blocklist:
182.18.188.191
wahidexpress.com
bsitacademy.com

Update:
A second version of the email is circulating with the following body text:

The submission for reference 485/GB1392709 was successfully received and was not
processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.

Fake "TNT UK Limited" spam with zero detections

This fake TNT spam comes with a malicious attachment that is currently not detected by any AV vendors.

Date:      Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]
From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject:      TNT UK Limited - Package tracking 798950432737

Your package have been picked up and is ready for dispatch.

Connote #    :    798950432737
Service Type    :    Export Non Documents - Intl
Shipped on    :    05 Feb 14 00:00
Order No            :    2819122
Status            :       Driver's Return Description      :       Wrong Address
Service Options: You are required to select a service option below.

TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.

DETAILS OF PACKAGE
Reg order no: 798950432737

The options, together with their associated conditions
Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41.

Despite the zero detection rate, there is plenty of badness going on [1] [2] [3] [4] including downloads of an encrypted file from the following locations:

[donotclick]newz24x.com/wp-content/uploads/2014/02/pdf.enc
[donotclick]oilwellme.com/images/banners/pdf.enc

The Malwr report indicates lots of IPs being communicated with, some of these look like Cloudflare addresses where newz24x.com is hosted. Take care with these if you are thinking about blocking them.

Recommended blocklist:
182.18.151.160
newz24x.com
oilwellme.com
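The Cloudflare caveat above is worth automating, because a sandbox report lists every address the sample touched and blocking a shared CDN edge address cuts off every other site behind it. The following is an added example and is not code from the original post. CLOUDFLARE_V4 is a snapshot of Cloudflare's published IPv4 ranges as I know them (an assumption; refresh it from Cloudflare before relying on it), and the sample contact list is constructed: the hostnames are the ones named in the post, but the IPs are made up apart from 182.18.151.160, which the post itself recommends blocking.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption for this example;
# the live list is published by Cloudflare and changes over time).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def on_shared_edge(ip):
    """True if ip falls inside a CDN edge range where a block would hit unrelated sites."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def recommend_blocks(contacts):
    """contacts: iterable of (hostname, ip) pairs taken from a sandbox report.
    Returns (block_domains, block_ips, skipped_ips), de-duplicated in input order.
    A hostname is always blockable; its IP only when it is not a shared CDN edge."""
    domains, ips, skipped = [], [], []
    for host, ip in contacts:
        if host and host not in domains:
            domains.append(host)
        if on_shared_edge(ip):
            if ip not in skipped:
                skipped.append(ip)
        elif ip not in ips:
            ips.append(ip)
    return domains, ips, skipped


# Constructed sample: two Cloudflare-fronted hits for newz24x.com plus the
# directly hosted oilwellme.com address from the post's blocklist.
SAMPLE_CONTACTS = [
    ("newz24x.com", "104.16.12.34"),
    ("newz24x.com", "104.16.13.34"),
    ("oilwellme.com", "182.18.151.160"),
]

if __name__ == "__main__":
    domains, ips, skipped = recommend_blocks(SAMPLE_CONTACTS)
    print("Recommended blocklist:")
    for entry in ips + domains:
        print(entry)
    print("Skipped (shared CDN edge, block the hostname instead):", ", ".join(skipped))
```

Blocking the hostname rather than the edge IP keeps the protection (the victim still cannot reach the download URL) without taking down every other site that happens to share the same Cloudflare address.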

Wednesday 5 February 2014

"LloydsLink reference" spam comes with a malicious attachment

This fake Lloyds TSB spam comes with a malicious payload:

Date:      Wed, 5 Feb 2014 20:38:29 +0100 [14:38:29 EST]
From:      GRP Lloydslink Tech [GRPLloydslinkTech@LLOYDSBANKING.COM]
Subject:      LloydsLink reference: 8255820 follow up email and actions to be taken


Lloyds TSB    
    Help

(New users may need to verify their email address)

If you do not see or cannot click / tap the Download attachment button:
Desktop Users:
   

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Mobile Users:
   

Install the mobile application.

Protected by the Voltage SecureMail Cloud

SecureMail has a NEW LOOK to better support mobile devices!

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Voltage IBE™

Copyright 2002-2014 Voltage Security, Inc. All rights reserved.

Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500

Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000.  Telephone: 08457 21 31 41

Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales  2299428. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it  (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.

Telephone calls may be monitored or recorded.

The attachment is SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has an icon that looks like Internet Explorer. Despite the .scr suffix, this file is a plain old .exe file and will execute if you double-click it (don't!).
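Two recurring points on this page, the "My CV" archive that was too corrupt for a normal unzip and the string of .scr attachments that are really .exe files (Form_STD261.scr, Reference.scr, Label02062014.scr, SecureMessage.scr), can both be handled with one small triage script. The following is an added example, not code from the original post: it walks the ZIP's local file headers directly, so member names come back even when the central directory is missing or damaged, and for stored members it checks the first two bytes for the "MZ" signature every PE executable starts with, whatever the extension claims. The executable-extension list and the sample archive are constructed for the example.

```python
import io
import struct
import zipfile

# Extensions Windows will execute directly on double-click (assumed list for this example)
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
LOCAL_HEADER_SIG = b"PK\x03\x04"


def walk_local_headers(blob):
    """Yield (name, compression_method, compressed_size, data_offset) for each local
    file header in blob, without relying on the central directory at the end."""
    pos = 0
    while True:
        pos = blob.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(blob):
            return
        # Fixed 30-byte header: sig, version, flags, method, time, date, crc32,
        # compressed size, uncompressed size, name length, extra length.
        (_ver, _flags, method, _time, _date, _crc,
         csize, _usize, namelen, extralen) = struct.unpack_from("<4xHHHHHIIIHH", blob, pos)
        name = blob[pos + 30:pos + 30 + namelen].decode("cp437", "replace")
        data_off = pos + 30 + namelen + extralen
        yield name, method, csize, data_off
        # csize is 0 when a data descriptor follows (streamed archive); then just keep scanning
        pos = max(data_off + csize, pos + 4)


def archive_is_intact(blob):
    """True if the central directory is present and every member's CRC checks out."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def triage_zip(blob):
    """Return [(member_name, has_executable_extension, starts_with_MZ)] per member.
    starts_with_MZ is None for compressed members: their raw bytes are not visible
    without inflating them, so only the name can be judged here."""
    report = []
    for name, method, _csize, off in walk_local_headers(blob):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        exec_ext = ext in EXEC_EXTENSIONS
        mz = (blob[off:off + 2] == b"MZ") if method == zipfile.ZIP_STORED else None
        report.append((name, exec_ext, mz))
    return report


def build_samples():
    """Constructed test data: an archive holding a fake PE named Reference.scr and a
    text file, plus a copy with the central directory chopped off (a 'corrupt' ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Reference.scr", b"MZ" + b"\x90" * 62)   # DOS header magic only, not a real PE
        zf.writestr("notes.txt", b"just text\n")
    intact = buf.getvalue()
    corrupt = intact[:intact.find(b"PK\x01\x02")]            # drop central directory and EOCD
    return intact, corrupt


if __name__ == "__main__":
    intact, corrupt = build_samples()
    for label, blob in (("intact", intact), ("corrupt", corrupt)):
        print("%s archive, zipfile accepts it: %s" % (label, archive_is_intact(blob)))
        for name, exec_ext, mz in triage_zip(blob):
            print("  %-16s executable extension=%s  MZ header=%s" % (name, exec_ext, mz))
```

The corrupt copy is exactly the "My CV" situation: zipfile refuses it, but the local headers still give up the member name and, because the payload is stored rather than deflated, its MZ signature too. For a deflated member you would inflate it with zlib at the recorded offset before looking at the first bytes.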

VirusTotal detections are 11/51, and automated analysis across ThreatExpert, Malwr and Anubis shows an attempted download from [donotclick]asianfarm.org/images/pdf.enc and [donotclick]ideasempurna.com.my/wp-content/uploads/2014/02/pdf.enc with the following IPs being involved:

108.90.186.161 (AT&T, US)
111.90.133.246 (Piradius Net, Malaysia)
121.117.209.51 (NTT, Japan)
124.217.241.34 (Piradius Net, Malaysia)
174.103.25.199 (Time Warner Cable, US)

The .enc file is an encoded executable, explained in detail here. I haven't tried to decode it but obviously that too will be malicious.

Recommended blocklist:
asianfarm.org
ideasempurna.com.my
108.90.186.161
111.90.133.246
121.117.209.51
124.217.241.34
174.103.25.199