Showing posts with label EXE-in-ZIP.

Wednesday 30 July 2014

"Order status -950533 30.07.2014.xls" spam

This body-text-less spam comes with a malicious attachment.

Date:      Wed, 30 Jul 2014 17:06:27 +0530 [07:36:27 EDT]
From:      Twila Garner [3f418d9@consolacionburriana.com]
Subject:      Order status -950533 30.07.2014.xls
Actually the body text isn't completely blank but does contain some bits of HTML.


<html>
  <head>

    <XSSCleaned_tag http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
  </

But the payload is the thing: in this case there is an archive called 950533-30.07.2014.zip containing a folder order-8301138-30.07.2014.xls which in turn contains a malicious executable order-8301138-30.07.2014.xls.exe which has a VirusTotal detection rate of 6/54.

The Comodo CAMAS report shows attempted downloads from the following connections:


A second file is downloaded from these locations with a VT detection rate of just 2/54. The CAMAS report is inconclusive.

I recommend the following blocklist:

Monday 28 July 2014

amazon.co.uk "Your Amazon order" spam

This fake Amazon spam comes with a malicious attachment:

Date:      Mon, 28 Jul 2014 13:15:57 +0200 [07:15:57 EDT]
From:      "AMAZON.CO.UK" [egljlyzqv@Amazon.co.uk]
Subject:      Your Amazon order #239-1744919-1697181

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details

Order #239-1744919-1697181 Placed on July 26, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.co.uk


Attached is a file Order-239-1744919-1697181.zip which in turn contains a malicious executable Order details 001-8821901-992107.exe which has a VirusTotal detection rate of 18/54.

The Comodo CAMAS analysis shows that the malware reaches out to a familiar set of URLs to download further components:


I would recommend blocking the following domains:

Saturday 26 July 2014

"PLEASE SEND PI" spam / something evil on 198.27.110.192/26

"PI" in this case seems to refer to a Proforma Invoice rather than Π - but in fact the attachment is malware.

Date:      Fri, 25 Jul 2014 22:50:14 -0700 [01:50:14 EDT]
From:      OLINMETALS TRADING CO
Subject:      PLEASE SEND PI

Greetings,

Regarding our previous conversation about our urgent purchase, kindly
find attached PI and let us know if the quantity can fit in 40ft
container.
kindly revise the Proforma invoice so that we can proceed with an
advance payment as agreed.


We look forward to your urgent response with revised proforma invoice.


Thks & Rgds,
OLINMETALS TRADING CO., LTD
Tel : 0097143205171
Fax : 0097143377150 
It sounds like a fiendish maths question from an obscure exam. How much Π can you fit in a 40ft container? Anyway, the attachment Order.zip contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53. The ThreatExpert report [pdf] and ThreatTrack report [pdf] show that the malware phones home to walex2.ddob.us/sddob/gate.php on 198.27.110.200 (OVH Canada reassigned to Big Kesh, LLC, US).

Looking at the domains registered on 198.27.110.200 and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs:



I think this is enough evidence to block the entire 198.27.110.192/26 as a precaution (although there do appear to be a small number of legitimate sites too). For the record, this is suballocated to:

NetRange:       198.27.110.192 - 198.27.110.255
CIDR:           198.27.110.192/26
OriginAS:       AS16276
NetName:        OVH-CUST-445017
NetHandle:      NET-198-27-110-192-1
Parent:         NET-198-27-64-0-1
NetType:        Reassigned
RegDate:        2014-03-07
Updated:        2014-03-07
Ref:            http://whois.arin.net/rest/net/NET-198-27-110-192-1

CustName:       Big Kesh, LLC
Address:        1077 Jearsey ln ne
City:           Palm Bay
StateProv:      FL
PostalCode:     32905
Country:        US
RegDate:        2014-03-07
Updated:        2014-03-07
Ref:            http://whois.arin.net/rest/customer/C04889220


In the case of Big Kesh LLC I will be charitable and assume that this behaviour is happening without their consent.

The domains xiga.us and ddob.us appear to be used for purely malicious purposes, so I recommend that you block them. The registrant details are probably fake but here they are:

xiga.us
Registrant ID:                               06BFAFB5641FA567
Registrant Name:                             Xieng Hyua
Registrant Address1:                         Red Bulevard
Registrant City:                             North Bergen
Registrant State/Province:                   NJ
Registrant Postal Code:                      07047
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.6874598745
Registrant Email:                            xiga@fbi.al
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


ddob.us
Registrant ID:                               0121C76442E2ED55
Registrant Name:                             Jackson Togan
Registrant Address1:                         Zhongzeng District 100
Registrant City:                             Zhongzeng District
Registrant State/Province:                   Zhongzeng District
Registrant Postal Code:                      100
Registrant Country:                          TAIWAN, PROVINCE OF CHINA
Registrant Country Code:                     TW
Registrant Phone Number:                     +92.68974568
Registrant Email:                            jackson.togan@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Recommended blocklist:
198.27.110.192/26
xiga.us
ddob.us

Friday 25 July 2014

Tiffany & Co "invoice 0625859 July" spam

This fake Tiffany & Co email has a malicious attachment:

Date:      Fri, 25 Jul 2014 17:32:38 +0800 [05:32:38 EDT]
From:      "J.Parker" [rcaukomti@tiffany.co.uk]
Subject:      invoice 0625859 July

Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.
Thanks


J.parker
Tiffany & Co.
Attached to the message is an archive invoice copy.zip which contains a folder invoice copy in which there is a malicious file invoice copy.exe which has a VirusTotal detection rate of 9/51. The CAMAS report shows that the malware downloads components from the following locations:


Those sites are the same ones found in the recent "Birmingham Mail" spam run. I recommend that you block the following domains on your network:



"Help & Advice - Virgin Media Business" / Virginmedia Business spam

A bit of a malspam tsunami today, this fake email claims to be from Virgin Media Business.

Date:      Fri, 25 Jul 2014 19:57:24 +0700 [08:57:24 EDT]
From:      Virginmedia Business [services@virginmediabusiness.co.uk]
Reply-To:      Legal Aid Agency [re-LU-VTRBH-APSYPL@virginmediabusiness.co.uk]

Virgin Media Automated Billing Reminder

Date 25th July 2014

This e-mail has been sent you by Virgin Media to inform you that we were
unable to process your most recent payment of bill. This might be due to
one of the following reasons:

    A recent change in your personal information such as Name or address.
    Your Credit or Debit card has expired.
    Insufficient funds in your account.
    Cancellation of Direct Debit agreement.
    Your Card issuer did not authorize this transaction.

To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.

Please fulfill attached form and send it back to our email adress.

Please ensure all address and contact details are up to date, once submitted your account details will automatically be updated within 24 Hours.

Kind Regards,

Virgin Media

Customer Services Team

Ellis Willis



Attached is an archive file form_27429-070.zip which in turn contains a folder billing_form91_4352-2105.pdf which in turn contains a malicious executable billing_form91_4352-2105.pdf.scr which has a VirusTotal detection rate of 3/53. The Comodo CAMAS report indicates that it is largely the same in behaviour as this HMRC malware from earlier today.

Wednesday 23 July 2014

Birminghammail / Paul Fulford "Redirected message" spam

This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't.. it is a forgery with a malicious attachment.

Date:      Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
From:      Birminghammail [paul.fulford@birminghammail.co.uk]
Subject:      Redirected message

Dear [redacted]!

Please find attached the original letter received by our system.
I only have two samples of this, the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)

Poor Mr Fulford thinks that his email has been hacked.. it hasn't, but I suspect that he has pissed off some Russian spammers somewhere.


Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe which has a VirusTotal detection rate of 5/53. The Malwr report shows that this part reaches out to the following IPs:

37.139.47.103
37.139.47.117


Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded which has a VT detection rate of just 3/53. The Malwr report is inconclusive.

I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites.

inetnum:        37.139.40.0 - 37.139.47.255
netname:        COMFORTEL-NET
descr:          COMFORTEL ltd.
country:        RU
admin-c:        ME3174-RIPE
tech-c:         RASS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     MNT-PIN
mnt-domains:    PIRIX-MNT
source:         RIPE # Filtered

person:         Mikhail Evdokimov
address:        PIRIX
address:        Obukhovskoy Oborony, 120-Z
address:        192012, St.Petersburg
address:        Russia
phone:          +7 812 3343610
fax-no:         +7 812 6002014
nic-hdl:        ME3174-RIPE
mnt-by:         RUNNET-MNT
source:         RIPE # Filtered

person:         Dmitry Rassohin
address:        194156, St.Petersburg, Russia
address:        Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone:          +7 931 2700021
nic-hdl:        RASS-RIPE
mnt-by:         RASS-MNT
source:         RIPE # Filtered

route:          37.139.40.0/21
descr:          PIRIXROUTE
origin:         AS56534
mnt-by:         MNT-PIN
source:         RIPE # Filtered


UPDATE: a slightly different version of the spam is doing the rounds today, with the fake senders being Allyson.Mays@birminghammail.co.uk and Troy.Short@birminghammail.co.uk (there seems to be nobody working for the Birmingham Mail with that name).

The attachment is named in the format letter_549588.zip or letter_235708.zip and unzips to a folder original_letter_234389_193.eml containing a malicious executable original_letter_234389_193.eml.exe which has a VirusTotal detection rate of 4/54.

The Malwr analysis shows that this reaches out to the following sites:

www.zag.com.ua
daisyblue.ru
37.139.47.117


This drops a further file called mss3.exe with an MD5 of 8e5ea3a1805df3aea28c76adb13b3d9e which is still pending analysis.



Monday 14 July 2014

"Important - Internal Only" spam

This spam comes with a malicious payload:

Date:      Mon, 14 Jul 2014 16:12:49 +0000 [12:12:49 EDT]
From:      Administrator [Administrator@victimdomain]
Subject:      Important - Internal Only

File Validity: 07/14/2014
Company : http://victimdomain
File Format: Office - Excel ,PDF
Name: Internal Only
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Internal Only.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the
person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by
intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any
dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and
may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this
e-mail and any printouts immediately from
your system and destroy all copies of it. 
Attached to the message is an archive file Internal Only - victimdomain which in turn contains a malicious executable Internal Only.scr which has a VirusTotal detection rate of 9/54 which indicates that this is a variant of Upatre. The Malwr analysis shows that it contacts the following URLs:

http://renovarweb.com/comprar/css/404.tar
http://vivatsaultppc.com/421w52q4ok9
http://vivatsaultppc.com/tv8m80f8d8d0


This drops a few files, including mkird.exe which has a VirusTotal detection rate of 6/54 (Malwr analysis here) and an encoded file 404[1].tar which only McAfee spots as being suspect (Upatre-Enc.b).

Blocking the following domains may give some protection:
renovarweb.com
vivatsaultppc.com


Thursday 10 July 2014

"TT PAYMENT COPY" spam

We've seen spam like this before. It comes with a malicious attachment.

Date:      Thu, 10 Jul 2014 00:09:28 -0700 [03:09:28 EDT]
From:      "PGS Global Express Co, Ltd." [pgsglobal1960@gmail.com]
Subject:      Re TT PAYMENT COPY

ATTN:

Good day sir,here is the copy of the transfer slip ,kindly find the attach copy and please check with your bank to confirm the receipt of the payment and do the needful by dispatching the material as early as possible.

We hope you will do the needful and let us know the dispatch details.

(purchase) Manager.
                   ------sent from my iphone5s-------
It comes with an attachment TT PAYMENT COPY.ZIP containing the malicious executable TT PAYMENT COPY.exe which has a VirusTotal detection rate of 19/54. According to Malwr this appears to be a self-extracting archive file which then drops (inter alia) a file iyKwmsYRtDlN.com which has a very low detection rate of 1/52. It isn't clear from the report what this file does.

Wednesday 2 July 2014

Amazon Local "Order Details" spam / order_id.zip

This fake Amazon spam has a malicious attachment:

Date:      Wed, 2 Jul 2014 03:33:39 -0800 [07:33:39 EDT]
From:      "Amazon.com"
Subject:      Order Details

National     AmazonLocal.com
Good day,

Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order R:121218 Placed on May 28, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com

Attached is a file order_id.zip which in turn contains the malicious executable order_id_467832647826378462387462837.exe which is detected as malicious by 5/54 engines of VirusTotal. Automated analysis tools are inconclusive about what this malware does. [1] [2]

Wednesday 4 June 2014

Amazon.com spam / order.zip

This fake Amazon spam has a malicious attachment:

Date:      Wed, 04 Jun 2014 11:55:10 +0200 [05:55:10 EDT]
From:      "Amazon.com"
Subject:      Shipping Confirmation : Order #002-1301707075-0206502025

Amazon
Your Recommendations
     |      Your Orders      |      Amazon.com
Shipping Confirmation
Order #002-1660680038-7011611870
Hello ,
Thank you for shopping with us. We'd like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order report is attached here.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Attached to the spam is an archive file order.zip which in turn contains a malicious executable order_id_26348273894729847239.exe which has a VirusTotal detection rate of 4/51.

Automated analysis tools [1] [2] [3] show the malware altering system files and creating a fake csrss.exe and svhost.exe to run at startup.

The malware also attempts to phone home to two IP addresses at 91.226.212.32 and 193.203.48.37 hosted in Russia but controlled by a Ukrainian person or entity PE Ivanov Vitaliy Sergeevich. These network blocks are well-known purveyors of crapware, and I recommend that you block the following:

91.226.212.0/23
193.203.48.0/22

Tuesday 20 May 2014

Fake Sage Invoice spam leads to malware

This fake Sage spam leads to malware:

Date:      Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
From:      Sage [Wilbur.Contreras@sage-mail.com]
Subject:      FW: Invoice_6895366

Please see attached copy of the original invoice (Invoice_6895366). 

Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52.

The Malwr analysis shows that it then goes on to download further components from [donotclick]protecca.com/fonts/2005UKdp.zip some of which are:
These appear to be part of a peer-to-peer Zbot infection.

Monday 19 May 2014

"TT PAYMENT COPY" spam

This spam has a malicious attachment:

Date:      Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
Subject:      Re TT PAYMENT COPY

please confirm the attachment payment Copy and get back to me?

Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53. Automated analysis tools (such as this one) don't reveal what is happening, but you can guarantee it is nothing good.

Wednesday 14 May 2014

citibank.com "Important - Commercial Form" spam

This fake Citibank spam comes with a malicious attachment:

Date:      Wed, 14 May 2014 11:56:34 -0500 [12:56:34 EDT]
From:      Nola Painter [Nola.Painter@citibank.com]
Subject:      FW: Important - Commercial Form

citibank.com
Commercial Banking Form

To: [redacted]

Case: C1957115
Please scan attached document and fax it to +1 800-285-1110 .

All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is... For enquiries, please telephone the Service Desk on +1 800-285-4794 or email enquiries@citibank.com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .

Yours faithfully

Nola Painter
Commercial Banking
Citibank N.A
Nola.Painter@citibank.com

Copyright © 2014 Citigroup Inc.                                                                    
Citibank 


Other senders spotted include:
Lavonne Bermudez [Lavonne.Bermudez@citibank.com]
Gabriel Britton [Gabriel.Britton@citibank.com]

Attached to the message is an archive file CommercialForm.zip which in turn contains a malicious executable CommercialForm.exe which has a VirusTotal detection rate of 19/52. Automated analysis tools [1] [2] [3] show that it downloads an encrypted file from [donotclick]desktopcrafts.com/wp-content/uploads/2014/05/Targ-1405USdp.enc although what that does is currently unclear.

Friday 9 May 2014

HMRC spam / VAT0781569.zip

This fake HMRC spam comes with a malicious attachment:

Date:      Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 0781569


Thank you for sending your VAT Return online. The submission for reference 0781569 was
successfully received on Fri, 9 May 2014 12:47:49 +0530  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes. 

It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52.


This is part one of the infection chain. Automated analysis [1] [2] [3] shows that components are then downloaded from the following locations:

[donotclick]bmclines.com/0905UKdp.rar
[donotclick]gamesofwar.net/img/icons/0905UKdp.rar
[donotclick]entslc.com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas.com/css/b01.exe


The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52. Automated analysis [1] [2] shows that this makes a connection to a server at 94.23.32.170 (OVH, France).

The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52. Analysis of this shows [1] [2] that it attempts to connect to several different email services, presumably to send out spam.

Wednesday 7 May 2014

"TNT UK Limited" spam

This fake TNT spam has a malicious attachment:

Date:      Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject:      TNT UK Limited - Package tracking 236406937389

TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.

DETAILS OF PACKAGE
Reg order no: GB5766211

Your package have been picked up and is ready for dispatch. Please print attached form
and pick up at the nearest office.

Connote #        :        236406937389
Service Type        :        Export Non Documents - Intl
Shipped on        :        07 Apr 13 00:00
Order No                :        5766211
Status                :       Driver's Return Description      :       Wrong Postcode
Service Options: You are required to select a service option below.

The options, together with their associated conditions 
The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52.

Automated analysis tools [1] [2] [3] show a UDP connection to wavetmc.com and a further binary download from demo.providenthousing.com/wp-content/uploads/2014/05/b01.exe

This second executable has a VirusTotal detection rate of 20/51. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).

Recommended blocklist:
83.172.8.59
wavetmc.com
demo.providenthousing.com

"This email contains an invoice file attachment" spam

Another case of a very terse spam with a malicious email attachment:

Date:      Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
From:      Accounts Dept [menopausaln54@jaygee.co.uk]
Subject:      Email invoice: 1888443

This email contains an invoice file attachment 
I guess the psychology here is that if you can't tell a convincing lie, then tell a short one. The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52.

Automated analysis tools of this binary [1] [2] [3] show that it downloads a further component from one of the following locations:


This "111.exe" binary has an even lower VirusTotal detection rate of 3/51. Automated analysis of this [1] [2] [3] shows that the malware installs itself deeply into the target system.

There is a further download of a malicious binary from files.karamellasa.gr/tvcs_russia/2.exe which has a detection rate of 5/50 and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system [1] [2] [3].
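The download pattern in this post and in the earlier "/333" posts, the same short numeric path fetched from a long list of unrelated domains one after another, is easier to spot in proxy logs by the shape of the requests than by the domain names, which change with every run. The following is an added example, not code from this blog; it runs over a few constructed proxy log lines (hostnames taken from the posts above) and assumes a simple "client method URL" line format.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (client, method, URL per line), not real traffic;
# the hostnames are the ones listed in the posts above.
SAMPLE_LOG = """\
10.0.0.5 GET http://jobengine.in/333
10.0.0.5 GET http://legusadvantage.com/333
10.0.0.5 GET http://davidtaylorartist.com/333
10.0.0.5 GET http://asustabletservisi.com/333
10.0.0.7 GET http://www.example.org/index.html
10.0.0.7 GET http://www.example.org/333
10.0.0.9 GET http://pgalvaoteles.pt/111
10.0.0.9 GET http://axisbuild.com/111
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s*$")
URL_RE = re.compile(r"^https?://(?P<host>[^/?#]+)(?P<path>/[^?#]*)?", re.IGNORECASE)
# A bare short all-digit path such as /333 or /111, the shape seen in these runs.
NUMERIC_PATH_RE = re.compile(r"^/\d{2,4}$")


def parse_line(line):
    """Return (client, host, path) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return m["client"], u["host"].lower(), u["path"] or "/"


def find_download_loops(log_text, min_hosts=3):
    """Map each client to {path: sorted hosts} for every short numeric path it
    requested from at least min_hosts distinct hosts. One host serving /333
    could be legitimate; the fan-out across many hosts is the signal."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, host, path = parsed
        if NUMERIC_PATH_RE.match(path):
            seen[client][path].add(host)
    hits = {}
    for client, paths in seen.items():
        for path, hosts in paths.items():
            if len(hosts) >= min_hosts:
                hits.setdefault(client, {})[path] = sorted(hosts)
    return hits


if __name__ == "__main__":
    for client, paths in find_download_loops(SAMPLE_LOG).items():
        for path, hosts in paths.items():
            print(f"{client} fetched {path} from {len(hosts)} hosts: {', '.join(hosts)}")
```

Lowering min_hosts trades false positives for earlier alerting; with the sample above the client that only reached two "/111" hosts is reported at min_hosts=2 but not at the default.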

Recommended blocklist:

Tuesday 6 May 2014

"Important - BT Digital File" spam

This fake BT spam comes with a malicious attachment:

Date:      Tue, 6 May 2014 15:18:15 +0700 [04:18:15 EDT]
From:      Santiago Biggs [Santiago.Biggs@bt.com]
Subject:      Important - BT Digital File

BT Digital Vault     BT

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team
footer

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000 

Attached to the message is an archive file BT_Digital_Vault_File.zip which in turn contains a malicious executable BT_Digital_File.scr which has a VirusTotal detection rate of 11/52.

Automated analysis tools [1] [2] [3] show that this malware downloads additional components from the following locations:

[donotclick]realtech-international.com/css/0605UKdp.rar
[donotclick]biz-ventures.net/scripts/0605UKdp.rar

Blocking those URLs or monitoring for them may help to prevent further infection.


Sinister spam from "Agent Feather"

This sinister spam comes with a malicious payload..

From:     Agent Feather [afgeathe32322323@gmail.com]
Reply-To:     afgeathe32323323@gmail.com
Date:     6 May 2014 02:12
Subject:     Do something before it's too late!


My Friend,

Someone close to you wants you to spend at least the next five years of your life behind bars. He has reported you to our organization and I am the one assigned to follow you up to gather more evidences against you. Attached to this email is a copy of the person's audio recording against you. Your name was mentioned eleven times in this recorded conversation, check if you can recognise the person's voice.

What I require is that you create a new email address which will be used for our further correspondence. Use your mobile phone number to text me your newly created email address on this number: +66928711125. The phone line is secured and cannot be traced by our organization or any other law enforcement agent. I know my reason for disclosing this important information to you at this time. Upon receiving your text, I will tell you who I am, our organization and what next you are to do.

You are to note the following and observe them, contrary to these, you will never hear from me again.

1. You are not to reply me on this email address.
2. You are not to call me on the above given number for any reason.
3. You are to text only your newly created email address to me.
4. The newly created email address must be used just for the both of us alone
4. If you know the voice in the recorded message, never approach the person until I tell you to.
5. You must not disclose anything relating to this information to another person.

Having read and understood what I have said, you are to now create a new email address and send it to me by text through your mobile phone number. I am waiting.

Yours sincerely,
Agent Feather.

Attached is a file His Voice.zip which unzips to another file called Voice Conversation without any extension at all. In fact, this file is a malicious executable (you would have to rename it to Voice Conversation.exe manually if you want to infect yourself) which has a VirusTotal detection rate of 13/49.

Most of the automated tools I have thrown at it seem to error out, but the ThreatExpert report does show the malware installing itself onto the test system and making some system changes to prevent removal. It also enumerates the IP address, detects proxy settings and attempts to connect to Google's Gmail SMTP server.

Monday 28 April 2014

"This email contains an invoice file attachment" spam

This very terse spam comes with a malicious attachment:

Date:      Mon, 28 Apr 2014 17:23:58 +0900 [04:23:58 EDT]
From:      Accounts Dept [shortchanges2@morgan-bros.co.uk]
Subject:      Email invoice: 2552266

This email contains an invoice file attachment

Attached is a file emailinvoice.8630595.zip which in turn contains a malicious executable emailinvoice.197291101.exe which has a VirusTotal detection rate of 5/51.

Automated analysis tools [1] [2] [3] show various system changes being made, but make no record of network activity.

Friday 25 April 2014

"Unity Messaging System - Internal Payroll" spam

This fake payroll spam comes with a malicious attachment:

Date:      Fri, 25 Apr 2014 12:36:43 +0900 [04/24/14 23:36:43 EDT]
From:      Unity Messaging System [Unity_UNITY9@victimdomain.com]
Subject:      Internal Payroll

File Validity: 24/04/2014
Company : http://victimdomain.com
File Format: Office - Excel
Internal Name: Payroll
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Payroll.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The email appears to be from the victim's own domain and references it in the body of the email. A look at the mail headers shows that this deception runs more deeply..

Received:     
    (qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000
    from unknown (192.168.1.88) by [redacted] with QMQP; 25 Apr 2014 03:36:45 -0000
    from kctv1142.ccnw.ne.jp (218.216.224.142) by [redacted] with SMTP; 25 Apr 2014 03:36:45 -0000
    from voice533.victimdomain.com (10.0.0.41) by victimdomain.com (10.0.0.11) with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900
    from message7154.victimdomain.com (10.31.162.90) by smtp.victimdomain.com (10.0.0.88) with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900


The actual origin of the spam is 218.216.224.142 in Japan. The lines before that are all fake and are attempting to make it look like the email originated from inside the victim's own network (using a 10.x.x.x address). Quite why they bother with this level of detail is a mystery, because anyone technically savvy should spot that it comes with a malicious payload.
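The header walk described above, as an added example (not code from this blog): it parses the Received chain top-down, treats the first hop that arrived from a public IP as the real origin, and flags any older hops claiming private 10.x/192.168.x addresses as forged. The sample headers are constructed from the ones quoted in the post; the assumption is that hops before the first public-IP hop were written by the receiving mail system itself.

```python
import ipaddress
import re

# Constructed sample, based on the Received chain quoted in the post
RAW_HEADERS = """\
Received: (qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000
Received: from unknown (192.168.1.88) by [redacted] with QMQP; 25 Apr 2014 03:36:45 -0000
Received: from kctv1142.ccnw.ne.jp (218.216.224.142) by [redacted] with SMTP; 25 Apr 2014 03:36:45 -0000
Received: from voice533.victimdomain.com (10.0.0.41) by victimdomain.com (10.0.0.11) with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900
Received: from message7154.victimdomain.com (10.31.162.90) by smtp.victimdomain.com (10.0.0.88) with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900
"""

# "Received: from <name> (<ipv4>)" - the only part of the header we rely on
FROM_IP = re.compile(r"^Received:\s+from\s+(\S+)\s+\(([0-9.]+)\)", re.I)


def parse_received(raw):
    """Return hops newest-first as (claimed_name, ip); local hops without a
    'from' clause (e.g. the qmail line) become (None, None)."""
    hops = []
    for line in raw.splitlines():
        m = FROM_IP.match(line)
        if m:
            hops.append((m.group(1), ipaddress.ip_address(m.group(2))))
        elif line.lower().startswith("received:"):
            hops.append((None, None))
    return hops


def find_origin(hops):
    """Index and IP of the first hop handed to us from a public address.
    Everything below that line was supplied by the sender, not by us."""
    for i, (_, ip) in enumerate(hops):
        if ip is not None and ip.is_global:
            return i, ip
    return None, None


def forged_hops(hops):
    """Older hops that claim a private address: a host inside the victim's
    LAN cannot have handed the mail to an external Japanese relay, so these
    lines were fabricated by the spammer."""
    idx, _ = find_origin(hops)
    if idx is None:
        return []
    return [(name, str(ip)) for name, ip in hops[idx + 1:]
            if ip is not None and ip.is_private]


if __name__ == "__main__":
    hops = parse_received(RAW_HEADERS)
    print("origin:", find_origin(hops)[1])        # 218.216.224.142
    for name, ip in forged_hops(hops):
        print("forged hop:", name, ip)
```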

The attachment is Payroll.zip which in turn contains a malicious executable Payroll.scr which has an icon that makes it look like an Excel file (which it isn't). If you are hiding file extensions (which is the insecure default setting for Windows) then you might be fooled.

If you haven't already done it.. when you have a folder open in Windows, go into Organize -> Folder and search options -> View and then untick Hide extensions for known file types.


Then it will become clear that this isn't an Excel spreadsheet at all (ending in .xlsx or .xls) but is something more sinister.


Yes, .scr is actually an executable file (a more typical one would be .exe). In this case the file is definitely malicious and has a VirusTotal detection rate of 26/51.
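The three attachments on this page (His Voice.zip with an extensionless file, emailinvoice.8630595.zip with a .exe, Payroll.zip with a .scr) are all the same "executable in a ZIP" pattern. The following is an added example, not code from this blog, of a gateway-side check that does not trust the extension at all: it flags entries by executable extension and, separately, by the MZ header that every Windows executable starts with. The archive it inspects is constructed in memory to mimic those attachments.

```python
import io
import zipfile

# Extensions Windows will run directly; .scr is a screensaver but still a PE
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def build_sample_zip():
    """Constructed archive mimicking the attachments discussed in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("emailinvoice.197291101.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Payroll.scr", b"MZ" + b"\x90" * 62)   # Excel icon, really a PE
        zf.writestr("Voice Conversation", b"MZ" + b"\x00" * 62)  # no extension at all
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


def inspect_zip(data):
    """Return [(entry_name, [reasons])] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[1].lower() if "." in base else ""
            with zf.open(info) as fh:
                magic = fh.read(2)          # only the first two bytes are needed
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append(f"executable extension {ext}")
            if magic == b"MZ":
                # A PE with a harmless or missing extension is the Voice Conversation case
                reasons.append("MZ header" if ext in EXEC_EXTS
                               else f"MZ header with extension {ext or '(none)'}")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(f"{name}: {'; '.join(reasons)}")
```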

Automated analysis tools [1] [2] [3] show an attempted download from:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar

These download locations are the same as used in this "Balance Scheet" spam from yesterday and I recommend that you block the domains in question.