This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't... it is a forgery with a malicious attachment.
Date: Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
From: Birminghammail [paul.fulford@birminghammail.co.uk]
Subject: Redirected message
Dear [redacted]!
Please find attached the original letter received by our system.
I only have two samples of this; the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)
Poor Mr Fulford thinks that his email has been hacked... it hasn't, but I suspect that he has pissed off some Russian spammers somewhere.
Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe which has a VirusTotal detection rate of 5/53. The Malwr report shows that this reaches out to the following IPs:
37.139.47.103
37.139.47.117
Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded which has a VT detection rate of just 3/53. The Malwr report is inconclusive.
I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites.
inetnum: 37.139.40.0 - 37.139.47.255
netname: COMFORTEL-NET
descr: COMFORTEL ltd.
country: RU
admin-c: ME3174-RIPE
tech-c: RASS-RIPE
status: ASSIGNED PA
mnt-by: MNT-PIN
mnt-routes: MNT-PIN
mnt-domains: PIRIX-MNT
source: RIPE # Filtered

person: Mikhail Evdokimov
address: PIRIX
address: Obukhovskoy Oborony, 120-Z
address: 192012, St.Petersburg
address: Russia
phone: +7 812 3343610
fax-no: +7 812 6002014
nic-hdl: ME3174-RIPE
mnt-by: RUNNET-MNT
source: RIPE # Filtered

person: Dmitry Rassohin
address: 194156, St.Petersburg, Russia
address: Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone: +7 931 2700021
nic-hdl: RASS-RIPE
mnt-by: RASS-MNT
source: RIPE # Filtered

route: 37.139.40.0/21
descr: PIRIXROUTE
origin: AS56534
mnt-by: MNT-PIN
source: RIPE # Filtered
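To act on the netblock advice above, a defender needs to find which internal hosts have already talked to the range. The following is an added example (not code from the original post) that scans proxy log lines for any destination inside 37.139.47.0/24 or the wider 37.139.40.0/21, reporting the most specific match and whether the address is one of the two IPs the Malwr report named. The Squid-style log lines and the 10.0.0.x client addresses are constructed for the example; the only real values are the netblocks and IPs quoted in the post.

```python
import ipaddress
import re

# Netblocks named in the post: the tighter /24 and the wider Comfortel /21.
# The /21 contains the /24, so both are listed and the most specific match wins.
BLOCK_NETS = [ipaddress.ip_network(n) for n in ("37.139.47.0/24", "37.139.40.0/21")]

# Individual IPs the Malwr report in the post says the first-stage sample contacts.
KNOWN_BAD_IPS = {"37.139.47.103", "37.139.47.117"}

# Dotted-quad candidates; each one is validated with ipaddress before use.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matching_netblock(ip_str):
    """Return the most specific listed netblock containing ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    matches = [net for net in BLOCK_NETS if ip in net]
    if not matches:
        return None
    return str(max(matches, key=lambda net: net.prefixlen))


def scan_log(lines):
    """Return (line_no, ip, netblock, is_known_bad) for every IP worth blocking.

    A hit is any IP that sits inside a listed netblock or equals one of the
    individually observed IPs. An IP repeated within one line is reported once.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ip_str in dict.fromkeys(IPV4_RE.findall(line)):
            net = matching_netblock(ip_str)
            known = ip_str in KNOWN_BAD_IPS
            if net is not None or known:
                hits.append((line_no, ip_str, net, known))
    return hits


# Constructed Squid-style access log lines (hypothetical internal clients).
SAMPLE_LOG = [
    "1406120388.123 245 10.0.0.15 TCP_MISS/200 61440 GET http://37.139.47.103/2.exe - DIRECT/37.139.47.103 application/octet-stream",
    "1406120391.456 180 10.0.0.22 TCP_MISS/200 512 GET http://37.139.41.9/ - DIRECT/37.139.41.9 text/html",
    "1406120395.789 90 10.0.0.30 TCP_MISS/200 2048 GET http://93.184.216.34/ - DIRECT/93.184.216.34 text/html",
]


if __name__ == "__main__":
    for line_no, ip_str, net, known in scan_log(SAMPLE_LOG):
        tag = "seen in sandbox report" if known else "netblock match only"
        print(f"line {line_no}: {ip_str} in {net} ({tag})")
```

The second sample line shows why the post distinguishes the /24 from the /21: 37.139.41.9 is inside the /21 but not the /24, so it is reported against the wider range only, and a team that chooses to block just the /24 would not have caught it.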
UPDATE: a slightly different version of the spam is doing the rounds today, with the fake senders being Allyson.Mays@birminghammail.co.uk and Troy.Short@birminghammail.co.uk (there seems to be nobody working for the Birmingham Mail with either name).
The attachment is named in the format letter_549588.zip or letter_235708.zip, which unzips to a folder original_letter_234389_193.eml containing a malicious executable original_letter_234389_193.eml.exe which has a VirusTotal detection rate of 4/54.
The Malwr analysis shows that this reaches out to the following sites:
www.zag.com.ua
daisyblue.ru
37.139.47.117
This drops a further file called mss3.exe with an MD5 of 8e5ea3a1805df3aea28c76adb13b3d9e which is still pending analysis.
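Both variants described on this page use the same trick: an executable inside a zip whose name ends in a double extension (.scr.exe in the first sample, .eml.exe inside an .eml-named folder in the update) so that it looks like a document when Windows hides known extensions. The following is an added example, not code from the original post, of a mail-gateway style check that opens an archive and flags members by extension, by a decoy inner extension, and by the MZ magic of a Windows PE file, reporting an MD5 per flagged member for comparison with known hashes. The archive is built in memory with a harmless two-byte MZ stub standing in for the real payload; the extension lists are the author's choice for the example.

```python
import hashlib
import io
import posixpath
import zipfile

# Extensions Windows runs directly when the extracted member is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Innocent-looking inner extensions used to pad the name, as in the samples above.
DECOY_EXTS = {".eml", ".doc", ".docx", ".pdf", ".txt", ".jpg", ".png"}


def split_exts(filename):
    """Return (outer, inner) lowercase extensions, e.g. 'x.eml.exe' -> ('.exe', '.eml')."""
    stem, outer = posixpath.splitext(filename)
    _, inner = posixpath.splitext(stem)
    return outer.lower(), inner.lower()


def inspect_zip(zip_bytes):
    """Return suspicious members as dicts with keys name, md5 and reasons.

    Reasons: 'executable-extension' (outer extension is executable),
    'double-extension' (a decoy document extension sits before it), and
    'pe-header' (content starts with the MZ magic of a Windows PE file).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            outer, inner = split_exts(posixpath.basename(info.filename))
            data = zf.read(info)
            reasons = []
            if outer in EXECUTABLE_EXTS:
                reasons.append("executable-extension")
                if inner in DECOY_EXTS:
                    reasons.append("double-extension")
            if data[:2] == b"MZ":
                reasons.append("pe-header")
            if reasons:
                findings.append({
                    "name": info.filename,
                    "md5": hashlib.md5(data).hexdigest(),
                    "reasons": reasons,
                })
    return findings


def build_sample_zip():
    """Construct an in-memory archive with the layout described in the update.

    The executable member is a constructed stub carrying only the MZ magic plus
    padding; it is not the real malware and does nothing if run.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        folder = "original_letter_234389_193.eml/"
        zf.writestr(folder + "original_letter_234389_193.eml.exe", b"MZ" + b"\x00" * 62)
        zf.writestr(folder + "readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in inspect_zip(build_sample_zip()):
        print(f"{hit['name']}: {', '.join(hit['reasons'])} (md5 {hit['md5']})")
```

The content check matters as much as the name check: a member renamed to .txt still trips 'pe-header', while a genuinely benign text file in the same archive produces no finding at all.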