
Showing posts with label EXE-in-ZIP.

Wednesday 10 September 2014

Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com] invoice spam has a malicious attachment

Geir Myklebust is a real employee of DHL in Norway, but neither he nor DHL is responsible for this spam run in any way (their systems have NOT been breached either). The email carries a malicious attachment and should simply be deleted.

From:     Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com]
Date:     10 September 2014 10:35
Subject:     FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid


Dear Sir.

The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.

Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm


Postboks 154 Leirdal
NO-1009 OSLO
NORWAY

Direct line:        + 47 90 95 58 26
Fax:                  + 47 64 00 71 87
Mobile:             + 47 90 78 52 44

Attached is a ZIP file with various names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54.

The Comodo CAMAS report shows an attempted connection to voladora.com/Imagenes/qaws.cab which is currently returning a socket error. I would recommend that you block access to that domain. Further analysis is pending; I will update the post if I find more information.

UPDATE: a second malicious binary is doing the rounds, this time with a detection rate of 2/53. The ThreatTrack report [pdf] and Anubis report show the malware performing lookups for a variety of domain names [pastebin] which are not currently resolving, but might be worth blocking.

Monday 8 September 2014

"PAYMENT SLIP" spam comes with an encrypted .7z archive

This spam comes with a malicious attachment:

From:     daniel mo [danielweiche002@gmail.com]
Subject:     PAYMENT SLIP
Signed by:     gmail.com

Thanks for your last message,

We remitted 30% prepayment today amounting to 51,300USD against your invoice INV332831 as was agreed with you by our purchasing agent. Please check the attached invoice and the payment slip and correspond your account information. You will receive payment in your account after a few days.

Please confirm the receipt  below,
kindly use this password {121212} to view attachment for our payment slip;
Thanks,
Daniel
Accounts Assistant
67752222
64472801
Zenia Singapore Pte Ltd

In order to deal with the attachment new order.7z you will need something capable of handling .7z files (e.g. 7-Zip). Mailing the password in the body is what lets the archive past attachment scanners that cannot open encrypted archives. Inside the archive is a malicious executable new order.scr which has a VirusTotal detection rate of 5/54. I have not been able to analyse the malware any further than this.

RBS "Important Docs" spam doing the rounds again

The Royal Bank of Scotland has been spoofed several times recently; this latest fake carries a payload that looks like it might be Cryptowall.

Date:      Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From:      Vicente Mcneill [Vicente@rbs.co.uk]
Subject:      Important Docs

Please review attached documents regarding your account.

Tel:  01322 929655
Fax: 01322 499190
email: Vicente@rbs.co.uk

This information is classified as Confidential unless otherwise stated. 

Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53. The ThreatTrack analysis [pdf] shows that it attempts to download components from the following locations:

95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip

95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood.com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).

Recommended blocklist:
bullethood.com
95.141.37.158
94.23.250.88

BH Live Tickets "Peter Pan" spam (bhlive.co.uk / bhlivetickets.co.uk)

I have seen a very large quantity of these spam emails, purporting to be from BH Live Tickets:

From:     bhlivetickets@bhlive.co.uk
Date:     8 September 2014 08:43
Subject:     Confirmation of Order Number 484914
ORDER CONFIRMATION
Order Number Order Date
484914 07-09-2014 13:00

YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event.
The attachment requires that you have the Adobe Acrobat Reader installed on your computer. If you do not have Adobe Acrobat Reader installed, please click HERE to download and install this program.
TICKETS QTY TICKET TYPE PRICE EACH TOTAL
Peter Pan
Bournemouth Pavilion Theatre
Tue 23 Dec 2014 - 7:00 PM
3 Early Bird - Price A 18.00 54.00
6 Early Bird Child Under 16 - Price A 15.00 90.00
Ticket Information
Circle/A 35-30 (6) , Circle/B 33-31 (3)


DELIVERY METHOD AMOUNT
Print At Home - E-Ticket(s) are attached to this order confirmation (You must be able to open and print a PDF file) 1.00


PAYMENTS TYPE # DATE AMOUNT
Mastercard Sale ************7006 03-09-2014 13:00 145.00
Please keep this confirmation in a safe place.
THIS IS NOT YOUR TICKET
YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL
Please call 0844 576 3000 if there are any errors in your order, if you have not received your tickets as expected, or if you have any questions.

BH
BH Live Tickets
Exeter Road, Bournemouth, BH2 5BH
Tel: 0844 576 3000
bhlivetickets@bhlive.co.uk
http://www.bhlivetickets.co.uk
VAT Reg: 108 2248 37
TICKETS: 144.00
CHARGES: 1.00
TOTAL: 145.00
PAYMENTS RECEIVED: 145.00


These emails are not from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe).

The VirusTotal detection rate for this malware is just 3/55. Comodo CAMAS reports that this downloads an additional component from tiptrans.com.tr/333 which has a VirusTotal detection rate of 4/51.

According to ThreatExpert, this second component POSTs some information to 80.94.160.129:8080 (National Academy of Sciences of Belarus) and also appears to contact 92.222.46.165 (OVH, France).

Recommended blocklist (including the update below):
tiptrans.com.tr
plancomunicacion.net
92.222.46.165
80.94.160.129

Added: there is at least one other version of the malicious binary, for example this one.  I have seen some reports that there are more.

UPDATE 2014-09-09:
A second spam run is in progress, essentially the same as the first one except some now have a subject in the form "Confirmation of E-Tickets Order Number 0088658".

There are two new binaries, well detected by anti-virus products with a VirusTotal score of 27/55 and 25/54.

In one case the binary downloaded an additional component from plancomunicacion.net/333  which has a detection rate of 25/54 and according to the ThreatExpert report has the same characteristics as before.

Also, the people operating BH Live have put a notice on their website:

Concerns raised over emails purporting to be from BH Live Tickets
Published on 8 September 2014

Bournemouth, UK, 8 September – At approximately 7.30 this morning BH Live started to receive a high-volume of calls from members of the public in connection with an email purporting to come from BH Live Tickets. The email contains attachment(s) and hyperlinks relating to a booking for Peter Pan.

BH Live's Information Security teams together with information technology professionals and suppliers have investigated the matter and confirm that its internal systems have not been breached and that the emails were sent from known SPAM IP addresses. The emails are not genuine and do not originate from BH Live. A number of precautionary measures have been taken to ensure data, systems and networks continue to be protected.

The public is advised to delete these emails, to not open any attachments or links; ensure they are running the most up-to-date security products and that the operating system has been updated to the latest version. It is recommended that anyone receiving these emails update their passwords over the coming days.

BH Live continues to monitor the situation and is posting updates via websites and social media channels.

Wednesday 3 September 2014

Sky.com "Statement of account" spam.. again.

These fake Sky emails are pretty common and have a malicious attachment:

Date:      Wed, 3 Sep 2014 09:17:22 +0200 [03:17:22 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for August, invoice as this is now due for payment.

Regards,
Clark

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 

The attachment is Statement.zip which contains a malicious executable Statement.scr which has a reasonable VirusTotal detection rate of 18/55. The Anubis report indicates that the binary phones home to the following domains which may be worth blocking:

notarioschiapas.com
faviles.com


Fake westlothian.gov.uk "NDR Bill" email

Sometimes spammers come up with odd approaches. This one claims to be a Non Domestic Rates bill from West Lothian Council in the UK.. well, it isn't a bill at all, but it does come with a malicious attachment.

From:     Ebilling [Ebilling@westlothian.gov.uk]
Date:     3 September 2014 09:20
Subject:     NDR Bill

Please find attached your Non Domestic Rates bill.

If your account is in credit you are due a refund unless you have any other debt due to the Council.

To allow your credit to be processed please confirm:

- If you want the credit transferred to another account you have with us. Please confirm the account details.
- If you want the credit refunded by cheque, please confirm who it should be sent to and the address.

Links to Non Domestic Rates information are detailed below.

Important Note:
If you access these links using a mobile phone the network provider may charge for this service.

Yours sincerely
Scott Reid
Revenues Manager

 http://www.westlothian.gov.uk/media/downloaddoc/1799465/1851216/2395547

* PDF Viewer required.

This message, together with any attachments, is sent subject to the
following statements:

1.    It is sent in confidence for the addressee only.  It may
    contain legally privileged information.  The contents are
    not to be disclosed to anyone other than the addressee.
    Unauthorised recipients are requested to preserve this
    confidentiality and to advise the sender immediately.
2.    It does not constitute a representation which is legally
    binding on the Council or which is capable of constituting
    a contract and may not be founded upon in any proceedings
    following hereon unless specifically indicated otherwise.

http://www.westlothian.gov.uk

Attached is a file 00056468.pdf.zip which contains a malicious executable D0110109.PDF.exe (which has an icon to make it look like a PDF file). This has a low detection rate at VirusTotal of 4/55.

The Comodo CAMAS report shows that it downloads an additional component from the following locations:

paodeler.com/333
awat.ugu.pl/333
twigsite.org/333
chico-assen.nl/333
beckerseguros.com.br/333
vacacionescosta.com.ar/333
frere-bros.com/333
kaituforumas.lt/333
www.van-der-leest.nl/333
lavetrinadeimotori.it/333
uj.spexx.hu/333
hamalabeachresort.com/333
voladora.com/333
ccemanpower.com/333
tiptrans.com.tr/333
areteeventos.com.br/333
ochodiez.com.ar/333
www.alabiimoveis.com/333
www.tbdistributors.co.nz/333
itspecialist.ro/333
groupgraphic.dk/333

This second component has a VT detection rate of just 3/55. The Anubis report shows an attempted phone home to 80.94.160.129 (National Academy of Sciences of Belarus) and 92.222.46.165 (OVH, France).

Recommended blocklist:
80.94.160.129
92.222.46.165
paodeler.com
awat.ugu.pl
twigsite.org
chico-assen.nl
beckerseguros.com.br
vacacionescosta.com.ar
frere-bros.com
kaituforumas.lt
van-der-leest.nl
lavetrinadeimotori.it
uj.spexx.hu
hamalabeachresort.com
voladora.com
ccemanpower.com
tiptrans.com.tr
areteeventos.com.br
ochodiez.com.ar
alabiimoveis.com
tbdistributors.co.nz
itspecialist.ro
groupgraphic.dk



Tuesday 26 August 2014

Vodafone MMS service malware spam

This fake Vodafone spam comes with a malicious attachment. There is no body text as such; the header reads:

From:     Vodafone MMS service [mms813562@vodafone.co.uk]
Date:     26 August 2014 12:00
Subject:     IMG Id 813562-PictQbmR TYPE--MMS

The version I had was mangled and the attachment was just called noname, which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip, which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe.

This .EXE file has a VirusTotal detection rate of 3/55. The malware then attempts to download additional components from the following locations:

lovina.co.id/333
swfilms.co.nz/333
terria.ch/333
everlandvn.vn/333
custy.org/333
applnw.com/333
bodypro.co.nz/333
trafacs.com/333
pocketapps.co/333
opencart.guru/333
btw.co.il/~btwcoil/333
panaceamediacorp.com/333
trijayadi.net/333
muabandiaoc.vn/333
yamahamatsakti.com/333
smk-assaabiq.sch.id/333
vinamex.com/333
lindy.co.id/333
webpixsolutions.com/333
tnk-sat.com/333
vinaconexmec.vn/333
192.254.186.106/333
diennhest.vn/333
shiftgears.com.au/333
datrix-news.com/333
localnewshost.com/333
dp37198306.lolipop.jp/333
kampungnasi.com/333
www.devdemoz.com/333

This second component has a VirusTotal detection rate of 3/53. The CAMAS report for that component is here.

If your network perimeter can block by URL pattern, the "/333" path is a good string to look for. Otherwise I would recommend the following blocklist:

192.254.186.106
lovina.co.id
swfilms.co.nz
terria.ch
everlandvn.vn
custy.org
applnw.com
bodypro.co.nz
trafacs.com
pocketapps.co
opencart.guru
btw.co.il
panaceamediacorp.com
trijayadi.net
muabandiaoc.vn
yamahamatsakti.com
smk-assaabiq.sch.id
vinamex.com
lindy.co.id
webpixsolutions.com
tnk-sat.com
vinaconexmec.vn
diennhest.vn
shiftgears.com.au
datrix-news.com
localnewshost.com
dp37198306.lolipop.jp
kampungnasi.com
devdemoz.com
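As an added example (not code from the original post), the following Python 3 script does the two things recommended above: it reduces download URLs written the way these posts list them to the bare hosts that go on a blocklist (dropping scheme, port, path and a leading www., as the blocklists on this page do), and it scans Squid native-format proxy log lines for a blocklisted host, the "/333" download path, or the check-in URL shape seen on 94.23.247.202 (e.g. /0408cnet28/SANDBOXB/1/0/0/ in the posts below). The SANDBOXA/SANDBOXB/NODE01 element in those check-in URLs looks like the hostname of the machine the sample ran on, so the pattern matches that element loosely rather than hardcoding it. The log lines and the 203.0.113.x addresses are constructed for this example; the URLs are taken from the posts on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Path shapes seen across these spam runs: the exact "/333" second-stage download and
# the check-in URLs on 94.23.247.202. The second path element (SANDBOXA, NODE01, ...)
# appears to be the infected machine's hostname, so it is matched as "anything".
DOWNLOAD_PATH = re.compile(r"^/333/?$")
CHECKIN_PATH = re.compile(r"^/\w+/[^/]+/\d+/\d+(?:-SP\d)?/\d+/$")

# URLs as written in the posts above (no scheme), used to build a blocklist.
SAMPLE_URLS = [
    "www.van-der-leest.nl/333",
    "btw.co.il/~btwcoil/333",
    "192.254.186.106/333",
    "94.23.247.202/0408cnet28/SANDBOXB/0/51-SP2/0/",
    "dirbeen.com/khalid53/cnet28.zip",
    "80.94.160.129:8080",
]

# Constructed Squid native-format access log lines (timestamp elapsed client code/status
# bytes method URL ident hierarchy/peer type). 203.0.113.x is documentation space.
SAMPLE_LOG = """\
1409054400.123    210 10.0.0.15 TCP_MISS/200 45123 GET http://lovina.co.id/333 - HIER_DIRECT/203.0.113.5 application/octet-stream
1409054401.456     98 10.0.0.22 TCP_MISS/200 2301 GET http://www.example.com/news/333-reasons - HIER_DIRECT/203.0.113.6 text/html
1409054402.789    180 10.0.0.31 TCP_MISS/200 51200 GET http://94.23.247.202/0408cnet28/SANDBOXB/1/0/0/ - HIER_DIRECT/94.23.247.202 application/octet-stream
1409054403.000     50 10.0.0.40 TCP_MISS/200 512 GET http://btw.co.il/~btwcoil/333 - HIER_DIRECT/203.0.113.7 application/octet-stream
1409054404.500     77 10.0.0.51 TCP_MISS/200 640 GET http://203.0.113.9/0809uk1/NODE01/0/51-SP3/0/ - HIER_DIRECT/203.0.113.9 text/plain
"""


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalise_host(url: str) -> str:
    """Reduce a URL (with or without scheme) to the bare host for a blocklist:
    drop scheme, port, path and a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def build_blocklist(urls) -> list:
    """Deduplicated blocklist: IPs first in numeric order, then domains alphabetically."""
    hosts = {normalise_host(u) for u in urls} - {""}
    ips = sorted((h for h in hosts if _is_ip(h)), key=ipaddress.ip_address)
    names = sorted(h for h in hosts if not _is_ip(h))
    return ips + names


def scan_squid_log(lines, blocklist) -> list:
    """Return (client, url, reason) for every log line whose request host is on the
    blocklist or whose path matches one of the campaign patterns above."""
    blocked = set(blocklist)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format line
        client, url = fields[2], fields[6]
        path = urlsplit(url if "://" in url else "http://" + url).path
        host = normalise_host(url)
        if host in blocked:
            hits.append((client, url, f"blocklisted host {host}"))
        elif DOWNLOAD_PATH.match(path):
            hits.append((client, url, "/333 download path"))
        elif CHECKIN_PATH.match(path):
            hits.append((client, url, "check-in URL shape"))
    return hits


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_URLS)
    print("\n".join(blocklist))
    for client, url, reason in scan_squid_log(SAMPLE_LOG.splitlines(), blocklist):
        print(f"{client} -> {url}  [{reason}]")
```

Matching the path exactly as /333 avoids hits on unrelated URLs that merely contain the digits 333 (the example.com line is deliberately left unmatched). The check-in pattern is looser and is better used to alert than to block until it has been reviewed against your own traffic.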

Friday 8 August 2014

"FW: Resume" spam has a malicious attachment

This terse spam is malicious:

Date:      Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
From:      Janette Sheehan [Janette.Sheehan@linkedin.com]
Subject:      FW: Resume

Attached is my resume, let me know if its ok.

Thanks,
Janette Sheehan 

Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54. The CAMAS report shows that the malware attempts to phone home to the following locations:

94.23.247.202/0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202/0708stat/SANDBOXA/1/0/0/
hngdecor.com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind.com/underconst/css/cw2800.zip

Recommended blocklist:
94.23.247.202
hngdecor.com
welfareofmankind.com

RBS "RE: Incident IM03393549" spam

This fake RBS spam has a malicious attachment:

Date:      Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
From:      Annie Wallace[Annie.Wallace@rbs.co.uk]
Subject:      RE: Incident IM03393549

Good Afternoon ,

Attached are more details regarding your account incident. Please extract the attached
content and check the details.

Please be advised we have raised this as a high priority incident and will endeavour to
resolve it as soon as possible. The incident reference for this is IM03393549.

We would let you know once this issue has been resolved, but with any further questions
or issues, please let me know.

Kind Regards,

Annie Wallace Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th
Floor, 1 Hardman Boulevard | Manchester | M3 3AQ | Depot code: 049
Tel: 0845 300 4108 |Email: Annie.Wallace@rbs.co.uk The content of this e-mail is
CONFIDENTIAL unless stated otherwise 

The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42. The CAMAS report shows that the malware connects to the following locations to download additional components:

94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202/n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia.com/Scripts/n0808uk.zip
energysavingproductsinfo.com/wp-content/uploads/2014/08/n0808uk.zip

The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.

Recommended blocklist:
94.23.247.202
quesoslaespecialdechia.com
energysavingproductsinfo.com

Thursday 7 August 2014

CDS Group (cdsgroup.co.uk) fake invoice spam

This spam email pretends to be from the CDS Group. CDS are a wholly legitimate company and are NOT sending these emails, and their computer systems have NOT been compromised. However, the emails do contain a malicious attachment and should be deleted.

It is trivially easy to fake who an email is "From". That is what is happening in this case. CDS are an innocent victim of whoever is perpetrating this spam run. Please do not take your frustrations out on CDS. CDS have a notice about these emails on their site.

This is a sample email:

Date:      Thu, 07 Aug 2014 10:41:48 +0100 [05:41:48 EDT]
From:      Nancy Tyler CDS Group [accounts@cdsgroup.co.uk]
Subject:      CDS Invoice: 241-28195

CDS Group


Dear client,

Please find attached your invoice number 241-28195

If you have any queries with this invoice, please email us at accounts@cdsgroup.co.uk or call us on 020 8752 8040



The CDS Group of Companies, Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International



Tel: 020 8752 8040
Email: accounts@cdsgroup.co.uk



Please consider the environment before printing this email.

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.

If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person. This e-mail or any attachments are for information purpose only and does not form any part of an agreement, contract or fact.

The contents of an attachment to this e-mail may contain software viruses, which could damage your own computer system. Whilst The CDS Group has taken every reasonable precaution to minimise the risk, we do not accept liability for any damage, which you sustain as a result of software viruses. You should carry out your own virus checks before opening any attachment to this e-mail.

This email has been scanned by iomartcloud.
http://www.iomartcloud.com

Attached is an archive file CDS_241-28195.zip which contains a folder invoice_cdsgroup_799543.xls which in turn contains a malicious executable invoice_cdsgroup_799543.xls.scr (the document-like folder name and double extension are there to fool recipients whose Windows Explorer hides known file extensions). It has a very low detection rate at VirusTotal of 3/54.

Automated analysis tools are inconclusive at the moment [1] [2] but I will add more details if I find them.
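As an added example (not code from the original post), here is a Python 3 script that inspects a ZIP attachment in memory and flags the tells that recur across these runs: a member with an executable extension (.scr, .exe), a double extension such as .xls.scr or .PDF.exe (the West Lothian run above), a member sitting inside a folder named like a document (as in CDS_241-28195.zip), an encrypted member (the PAYMENT SLIP trick of mailing the password), and an MZ header whatever the filename says. The sample archive it builds is constructed for the demonstration; the "executables" inside are an MZ magic plus padding, not real programs. It uses only the standard library, so it cannot open a .7z archive like the one in the PAYMENT SLIP run.

```python
import io
import posixpath
import zipfile

# Extensions Windows runs when double-clicked; .scr (screensaver) is an ordinary PE
# and turns up in almost every run on this page.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Decoy "inner" extensions used to make a double extension look like a document or image.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}


def inspect_zip(data: bytes) -> list:
    """Walk the central directory of a ZIP held in memory and report members that look
    like the EXE-in-ZIP lures described in these posts, without extracting to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = posixpath.basename(info.filename).lower()
            root, ext = posixpath.splitext(base)
            inner_ext = posixpath.splitext(root)[1]
            parent_ext = posixpath.splitext(posixpath.dirname(info.filename).lower())[1]
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
                reasons.append(f"double extension {inner_ext}{ext}")
            if parent_ext in DOCUMENT_EXTS:
                reasons.append("inside a folder named like a document")
            if info.flag_bits & 0x1:
                # Encrypted member: the content cannot be checked at all, which is exactly
                # why the password is mailed in the message body.
                reasons.append("encrypted member, content not inspectable")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("MZ header, Windows executable regardless of name")
            if reasons:
                findings.append({"member": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive mirroring the lures above. The 'executables' are only
    an MZ magic plus padding, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_cdsgroup_799543.xls/invoice_cdsgroup_799543.xls.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("D0110109.PDF.exe", b"MZ" + b"\x90" * 30)
        zf.writestr("readme.txt", b"plain text, nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"{finding['member']} ({finding['size']} bytes)")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run it against a real attachment with `inspect_zip(open("attachment.zip", "rb").read())`. The MZ check is the one that matters: a renamed executable with a harmless-looking extension still carries the header, while the extension checks alone would miss it.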

Wednesday 6 August 2014

Companies House "Case 4620571" spam

This fake Companies House spam has a malicious attachment:

Date:      Wed, 6 Aug 2014 19:45:59 +0700 [08:45:59 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      RE: Case 4620571

The submission number is: 4620571

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500 

Attached is a file Case_4620571.zip which in turn contains a malicious executable Case_4620571.scr which has a VirusTotal detection rate of 11/53. Automated analysis tools [1] [2] show that the malware reaches out to the following locations which are good candidates for blocking:

64.191.43.150
94.23.247.202
feelgoodframesstore.com
beeprana.com
upscalebeauty.com

Monday 4 August 2014

Bank of America "Important Documents" spam leads to Cryptowall

This fake BofA spam has a malicious payload:

Date:      Mon, 4 Aug 2014 19:57:07 +0800 [07:57:07 EDT]
From:      Andrea Talbot [Andrea.Talbot@bofa.com]
Subject:      RE: Important Documents

Please check attached documents regarding your Bofa account.

Andrea Talbot
Bank Of America
817-298-4679 office
817-180-2340 cell Andrea.Talbot@bofa.com

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached 

Attached to the message is an archive AccountDocuments.zip which in turn contains the malicious executable AccountDocuments.scr which has a VirusTotal detection rate of 6/54 and the comments indicate that this is a variant of Cryptowall. The Comodo CAMAS report shows that it phones home to the following URLs:

94.23.247.202/0408cnet28/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408cnet28/SANDBOXB/1/0/0/
dirbeen.com/khalid53/cnet28.zip
ibuildchoppers.com/wp-content/gallery/choppers/cnet28.zip

Recommended blocklist:
94.23.247.202
dirbeen.com
ibuildchoppers.com

"Invoice 2014080420" spam

This spam has a malicious attachment:

Date:      Mon, 04 Aug 2014 20:29:43 +0900 [07:29:43 EDT]
From:      Accounts Dept [tolvan.rover@btinternet.com]
Subject:      Invoice 2014080420 dynamoo

This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us.

There is an attachment INV_2014080420.zip containing a folder invoice_june2014-july2014.xls which in turn contains a malicious executable invoice_june2014-july2014.xls.scr which has a VirusTotal detection rate of 6/52. Automated analysis tools are inconclusive [1] [2] about what it does.

UPDATE
The first part downloads a copy of Cridex from 23.92.84.52:8080/ord/1.exe which currently has a VT detection rate of 9/54. Blocking 23.92.84.52 may offer some protection.

"Important - BT Digital File" spam

This fake BT spam has a malicious attachment:

Date:      Mon, 4 Aug 2014 08:48:51 -0430 [09:18:51 EDT]
From:      Marci Tobin
Subject:      Important - BT Digital File


BT Digital Vault     BT

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 7221* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team
footer

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

The attachment is BT_Digital_Vault_File.zip which contains a malicious executable BT_Digital_Vault_File.exe which has a VirusTotal detection rate of 5/54. According to the Comodo CAMAS report the malware reaches out to the following URLs:

94.23.247.202/0408choUK2/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408choUK2/SANDBOXB/1/0/0/
94.23.247.202/0408heap/SANDBOXB/1/0/0/
94.23.247.202/0408preb04/SANDBOXB/1/0/0/
amhzconsultancy.com/wordpress/48u2.zip
sintesismark.com/images/48u2.zip
bianconeandwilinsky.com/wp-content/uploads/2013/02/h8i3.zip
osteoarthritisblog.com/wp-content/uploads/2010/02/h8i3.zip
hopeisnull.comuf.com/wp-content/uploads/2014/03/pre.zip
grenzland-classic.de/css/pre.zip

Recommended blocklist:
94.23.247.202
amhzconsultancy.com
sintesismark.com
bianconeandwilinsky.com
osteoarthritisblog.com
hopeisnull.comuf.com
grenzland-classic.de


UPDATE: the following spam also has the same payload..

Date:      Mon, 4 Aug 2014 11:41:18 +0000 [07:41:18 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 7132163 - Companies House

The submission number is: 7132163

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500 

Friday 1 August 2014

"Corporate eFax message from "unknown" - 3 page(s)" spam

This somewhat mangled spam has a malicious attachment:

Date:      Fri, 1 Aug 2014 09:45:45 -0700 [12:45:45 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "unknown" - 3 page(s)

You have received a 3 page fax             at 2014-08-01 10:55:05. * The
reference number for this fax is p2_did1-4724072401-8195088665-159.       Thank you for
using the eFax Corporate service!        2014 j2 Global, Inc. All rights reserved. eFax
Corporate is a registered trademark of j2 Global, Inc. This account is subject to the
terms listed in the         eFax Corporate Customer Agreement.  

Attached is an archive file Fax_912_391233111_941.zip which in turn contains a malicious executable Fax_912_391233111_941.scr which has a VirusTotal detection rate of 10/54.

The Comodo CAMAS report shows the malware reaching out to the following locations:

94.23.247.202/0108us1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108us1/SANDBOXA/1/0/0/
theyungdrungbon.com/wp-includes/images/0108us1.zip
101romanticcheapdates.com/wp-includes/images/0108us1.zip

Recommended blocklist:
94.23.247.202
theyungdrungbon.com
101romanticcheapdates.com

"Payroll Received by Intuit" spam / Cryptowall

I haven't seen any fake Intuit spam for a while. This one comes with a malicious attachment:

Date:      Fri, 1 Aug 2014 07:59:12 -0600 [09:59:12 EDT]
From:      Intuit Payroll Services [IntuitPayrollServices@payrollservices.intuit.com]
Subject:      Payroll Received by Intuit

Dear, [redacted]
We received your payroll on August 01, 2014 at 09:01 AM EST.

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later.  If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later.  YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time.  Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services



IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2014 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706

The attachment in this case is called Remittance.zip and it contains a malicious executable Remittance.exe which has a VirusTotal detection rate of 9/53.

According to this very detailed ThreatTrack report [pdf], this is a version of Cryptowall. It makes network connections to various sites including the now-familiar 94.23.247.202.

I recommend that you block the following domains and IPs:
94.23.247.202
theothersmag.com
poroshenkogitler.com
kpai7ycr7jxqkilp.onion2web.com


Thursday 31 July 2014

"Scanned Image from a Xerox WorkCentre" spam

This is a thoroughly old school spam with a malicious attachment.

Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From:      Local Scan [scan.614@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

You have received a new image from Xerox WorkCentre.

Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: victimdomain

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contains a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.

The Comodo CAMAS report shows that the malware downloads components from the following locations:



There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before.

Recommended blocklist:

Evernote "File has been sent" spam

I've never understood Evernote. Something to do with elephants I think. But this spam isn't from them anyway..

Date:      Thu, 31 Jul 2014 12:26:53 +0200 [06:26:53 EDT]
From:      EVERNOTE [lcresknpwz@business.telecomitalia.it]
Subject:      File has been sent [redacted]

DSC_9426679.jpg attached to the letter
Copyright 2014 Evernote Corporation. All rights reserved

The file attached is actually DSC_9426679.zip and not .jpg, containing a malicious executable DSC_8832966.exe with a VirusTotal detection rate of 7/53. The CAMAS report shows that the malware attempts to download an additional component from the following locations:


These download locations are the same as yesterday's Amazon spam run. The downloaded file has a VT detection rate of 3/53.

The recommended blocklist is the same as yesterday.

Wednesday 30 July 2014

"AMAZON.CO.UK - Your Amazon order" spam

Another fake Amazon spam with a malicious payload:

Date:      Wed, 30 Jul 2014 18:08:43 +0800 [06:08:43 EDT]
From:      "AMAZON.CO.UK" [ckggzphqu@Amazon.co.uk]
Subject:      Your Amazon order #853-9908013-4362599

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details

Order #853-9908013-4362599 Placed on July 26, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.co.uk


There's a ZIP file attached (in this case Order-853-9908013-4362599.zip) which unzips to a folder Order details containing a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53. The Comodo CAMAS report shows that it downloads a further component from the following locations:


This second executable has a VT detection rate of 5/54. I recommend blocking the following sites:
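The Xerox, Evernote and Amazon runs above share one pattern: a ZIP attachment whose name promises an image, scan or order, wrapping an executable (sometimes one folder deep, sometimes with a .scr rather than .exe extension, sometimes advertised in the mail body as a .jpg). The following Python check, added here as an example and not code from the original posts, flags such archives at a mail gateway by member name without extracting anything; the sample archive, its dummy payload bytes and the double-extension variant Image_07312014.pdf.scr are constructed to mirror the attachments described above.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows executes directly; .scr (screensaver) runs exactly like an .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document/image types the lures above claim to be carrying.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".txt"}


def suspicious_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member_path, reason) for each archive member a gateway should block.
    Members are judged by name only; nothing is extracted to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # suffixes keeps every dotted part of the basename: a.pdf.exe -> ['.pdf', '.exe']
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes:
                continue
            if suffixes[-1] in EXECUTABLE_EXTS:
                reason = "executable inside archive"
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                    reason = "double extension disguises executable"
                findings.append((info.filename, reason))
            elif suffixes[-1] == ".zip":
                findings.append((info.filename, "nested archive"))
    return findings


def claimed_type_mismatch(attachment_name: str, claimed_ext: str) -> bool:
    """True when the mail body advertises one type (e.g. '.jpg') but the attachment is another."""
    return PurePosixPath(attachment_name).suffix.lower() != claimed_ext.lower()


def build_sample_zip() -> bytes:
    """Constructed sample: an .exe one folder deep (as in the Amazon run), a benign text
    file, and a double-extension .scr. Payload bytes are dummies, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order details/ORDER-992-5188991-000933.exe", b"MZ dummy")
        zf.writestr("Order details/readme.txt", b"harmless text")
        zf.writestr("Image_07312014.pdf.scr", b"MZ dummy")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in suspicious_members(build_sample_zip()):
        print(f"BLOCK {path}: {reason}")
    print("body/attachment mismatch:", claimed_type_mismatch("DSC_9426679.zip", ".jpg"))
```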