Showing posts with label France.

Thursday 18 February 2016

Malware spam: "Payment" / Laurence Cottle [lcottle60@gmail.com]

This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the sender's email address has a random number appended to it.

From:    Laurence Cottle [lcottle60@gmail.com]
Date:    18 February 2016 at 13:35
Subject:    Payment

Hi

Any chance of getting this invoice paid, please?

Many thanks

Laurence

Attached is a file unnamed document.docm which comes in several different versions.

Third-party analysis (thank you!) reveals that there are download locations at:

acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe
alkofuror.com/system/engine/7647gd7b43f43.exe
merichome.com/system/logs/7647gd7b43f43.exe
organichorsesupplements.co.uk/system/logs/7647gd7b43f43.exe
shop.zoomyoo.com/image/templates/7647gd7b43f43.exe
tutikutyu.hu/system/logs/7647gd7b43f43.exe
vipkalyan.com.ua/system/logs/7647gd7b43f43.exe

This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.

MD5s:
a40d4d655cd638e7d52f7a6cdedc5a8e  
9f622033cfe7234645c3c2d922ed5279

The malware phones home to:

195.154.241.208/main.php
46.4.239.76/main.php
94.242.57.45/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php
wblejsfob.pw/main.php


Out of those, the most suspect IPs are:

195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)


Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70



Thursday 14 January 2016

Malware spam: "Message from local network scanner" / Scann16011310150.docf

This fake document scan comes with a malicious attachment.
From:    jpaoscanner@victimdomain.tld
Date:    14 January 2016 at 10:45
Subject:    Message from local network scanner
There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery.

Attached is a file Scann16011310150.docf which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The file is a Word document, despite the extension. I don't think anything opens DOCF files by default, so this is perhaps an error, perhaps some sort of social engineering, or perhaps simply a way to bypass security filters that key on the extension.

Analysis of these documents is pending (check back later), however this is likely to be the Dridex banking trojan.

UPDATE 1

Analysis is running slowly this morning, however this Hybrid Analysis report shows one of the samples in action, downloading a binary from:

www.willsweb.talktalk.net/786h5g4/9787g4fr4.exe

This has a detection rate of 3/55. That same analysis reports that it phones home to:

188.138.88.14 (PlusServer AG, France)

I strongly recommend that you block traffic to that IP.

UPDATE 2

These two Malwr reports [1] [2] reveal some additional download locations:

www.gooutsidethebox.net/786h5g4/9787g4fr4.exe
199.59.58.162/~admin1/786h5g4/9787g4fr4.exe


Friday 8 January 2016

Malware spam: "Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB"

This fake financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.

From:    Hoyt Fowler
Date:    8 January 2016 at 10:49
Subject:    Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 723A36B7

Total Amount:   GBP 60,00

Due Date:               28.01.2016

If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.


Best Regards
Hoyt Fowler
DSV Road Limited
Scandinavia House
Parkeston, Harwich
Essex, CO12 4QG No.3874882

Tel: 01255 242242
Registered in England
VAT No. GB759894254
Global Transport and Logistics

I have only seen a single sample of this email at present, but if consistent with other similar emails then details such as the sender's name and reference numbers will vary. In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55.

According to this Malwr report, the sample attempts to download a further component:

194.28.84.79/softparade/spanish.php

There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too.

A file named hram.exe is dropped onto the target system with a detection rate of 4/54. The Malwr report indicates that this communicates with:

78.47.119.93 (Hetzner, Germany)

This is a critical IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan.

UPDATE 1

A contact (thank you) let me know of two other download locations:

176.103.62.14/softparade/spanish.php
51.254.51.178/softparade/spanish.php


These are:

176.103.62.14 (PE Ivanov Vitaliy Sergeevich, Ukraine)
51.254.51.178 (OVH, France / Dmitry Shestakov, Russia)

Both of those are pretty well-known sources of malware. I recommend that you block the entire /20 in the first instance and the blocks referenced here in the second.

MD5s:
5ab2a67268b3362802a13594edafbd2e
7d60996dd9293df5eecd07f33207aca8


Recommended blocklist:
78.47.119.93
194.28.84.79
176.103.48.0/20
51.254.51.176/30


UPDATE 2

An updated version of this spam is being sent out as of 11.01.16, with a payload identical to this run.

Tuesday 22 December 2015

Malware spam: "British Gas - A/c No. 602131633 - New Account" / trinity [trinity@topsource.co.uk]

This fake financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple forgery with a malicious attachment.

From:    trinity [trinity@topsource.co.uk]
Date:    22 December 2015 at 10:36
Subject:    British Gas - A/c No. 602131633 - New Account

Hi ,

Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.

Thanks & Regards,
Pallavi Parvatkar

Trinity Restaurants Accounts Team | TopSource Global Solutions | 020 3002 6203
4th Floor | Marlborough House | 10 Earlham Street | London WC2H 9LN | www.topsource.co.uk


Disclaimer:
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. TopSource does not accept liability for any errors or omissions.

"SAVE PAPER - THINK BEFORE YOU PRINT!"





Attached is a file British Gas.doc with a VirusTotal detection rate of 2/54. Analysis of the document is pending, however it will most likely drop the Dridex banking trojan.

UPDATE

These automated analyses [1] [2] show that the malicious document downloads from:

weddingme.net/786h8yh/87t5fv.exe

This has a VirusTotal detection rate of 3/54.  All those reports indicate malicious traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)


The payload looks like Dridex.

MD5s:
cacb79e05cf54490a7067aa1544083fa
c8694f1573a01b8b2cb7b1b502eb9372

Recommended blocklist:
199.7.136.88
151.80.142.33


Monday 21 December 2015

Malware spam: "INVOICE" / "Brenda Howcroft [accounts@swaledalefoods.co.uk]"

This fake financial spam does not come from Swaledale Foods but is instead a simple forgery with a malicious attachment.

From:    Brenda Howcroft [accounts@swaledalefoods.co.uk]
Date:    21 December 2015 at 10:46
Subject:    INVOICE

Your report is attached in DOC format. To load the report, you will need the free Microsoft® Word® reader, available to download at http://www.microsoft.com/


Many thanks,

Brenda Howcroft
Office Manager

t 01756 793335 sales
t 01756 790160 accounts




This email transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please delete it immediately and notify the sender, Any disclosure including copying or distribution of the information contained herein is strictly prohibited. Any opinions, instructions or advice contained in this email may not necessarily be those of the company. Although this email and any attachments are believed to be free of any virus or other defects, which might affect any computer or system it is the responsibility of the recipient to ensure they are virus free. E&OE.



Attached is a file Invoice 14702.doc which comes in at least 9 different versions (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8] [9]). I haven't had the chance to analyse them, but my sources say that at least some versions download from the following locations:

110.164.184.28/jh45wf/98i76u6h.exe
getmooresuccess.com/jh45wf/98i76u6h.exe
rahayu-homespa.com/jh45wf/98i76u6h.exe

This dropped file has a detection rate of 6/54. The Hybrid Analysis report plus some other sources indicate network traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is the Dridex banking trojan.

MD5s:
6932A004CE3AD1AD5EA30F43A31B0285
49CF8C70BC4E94F6887ED0CBC426F08C
92B1F1B4BBD864411FA75C951D28EC5D
E4CB705754C93645D3F86F8AF9307769
D409889F92DA9B8D855C0037894A46CC
87CA159B9AEB127F698D2AA28A5BAAC5
C770760C66298301D1BE29E85ECBE971
F2FF5FCE2836025E97691937D6DF579E
6617EAB5B4DD17247DFF1819CA444674
EE57F929672651C1AE238EB7C7A0D734


Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169

Thursday 17 December 2015

Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake TfL spam is meant to have a malicious attachment, but is malformed.

From:    noresponse@cclondon.com
Date:    17 December 2015 at 08:54
Subject:    Email from Transport for London

Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to
read or download this attachment.

If you require Adobe Acrobat Reader this is available at no cost from
the Adobe Website http://www.adobe.com

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

The attachment is not properly formatted and appears as a Base64 section in the body of the email. What it should be is a malicious document named FR7000609906.doc which has a VirusTotal detection rate of 4/54.

The Malwr analysis of the document indicates that it downloads from:

www.riucreatives.com/65dfg77/kmn653.exe

This has a detection rate of 3/54 and an MD5 of d5e717617400b3c479228fa756277be1. The Malwr report and Hybrid Analysis report indicate network traffic to:

151.80.142.33 (OVH, France)
117.239.73.244 (Marian International Institute Of Management, India)


The payload is likely to be the Dridex banking trojan.

Recommended blocklist:
151.80.142.33
117.239.73.244

Monday 30 November 2015

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 
The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the link in the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update.

This executable has a VirusTotal detection rate of 3/55; the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)


These nameservers support the following malicious domains:

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


These nameservers support the following malicious domains:

browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com

As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)
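
The post above walks from one bad domain (mlewipzrm.in) to its nameservers, then to every other domain parked on those nameservers, and finally to the hosting IPs. The script below is an added example of that pivot, not code from the original post. It works on an in-memory table built from the records the post lists, standing in for a passive-DNS lookup; where the post gives nameserver IPs as a pair rather than per host they are split between the two hosts arbitrarily here, and example.com with its 203.0.113.x addresses is a constructed control entry. The list of shared-provider nameserver suffixes that the pivot refuses to traverse is an assumption added here, not something the post states.

```python
"""Pivot from one known-bad domain to related infrastructure via shared
nameservers, collecting the A records of domains and nameservers on the way.

Added example, not from the original post. RECORDS stands in for passive DNS.
"""
from collections import deque

# domain -> (set of nameservers, set of A records). Data from the post except
# example.com / a.iana-servers.net (constructed control) and the arbitrary
# split of the nameserver IP pairs between the ns1/ns2 hosts.
RECORDS = {
    "mlewipzrm.in": ({"ns1.rebelleclub.net", "ns2.rebelleclub.net"},
                     {"89.163.249.75", "188.209.52.228", "95.173.164.212"}),
    "exstiosgen.com": ({"ns1.rebelleclub.net", "ns2.rebelleclub.net"}, set()),
    "georgino.net": ({"ns1.rebelleclub.net", "ns2.rebelleclub.net"}, set()),
    "ns1.rebelleclub.net": (set(), {"210.110.198.10"}),   # pair split arbitrarily
    "ns2.rebelleclub.net": (set(), {"52.61.88.21"}),
    "intuitdataserver-1.com": ({"ns1.momedefer.pw", "ns1.prizebrock.pw"}, set()),
    "browsersecurityupdates.com": ({"ns1.momedefer.pw", "ns1.prizebrock.pw"}, set()),
    "ns1.momedefer.pw": (set(), {"5.135.237.209"}),       # pair split arbitrarily
    "ns1.prizebrock.pw": (set(), {"196.52.21.11"}),
    "example.com": ({"a.iana-servers.net", "b.iana-servers.net"}, {"203.0.113.1"}),
    "a.iana-servers.net": (set(), {"203.0.113.2"}),
}

# Assumption, not from the post: never pivot through the nameservers of large
# shared providers, or every customer of that provider lands in the blocklist.
SHARED_NS_SUFFIXES = ("iana-servers.net", "cloudflare.com", "domaincontrol.com")


def is_shared_ns(ns):
    return ns.lower().endswith(SHARED_NS_SUFFIXES)


def domains_served_by(ns):
    """All domains in the table that delegate to this nameserver."""
    return {d for d, (nss, _) in RECORDS.items() if ns in nss}


def pivot(seed):
    """Breadth-first closure: seed -> its nameservers -> every domain on those
    nameservers -> their nameservers, and so on. Returns (domains, nameservers,
    ips) as sets; ips holds A records of both the domains and the nameservers."""
    domains, nameservers, ips = set(), set(), set()
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        if domain in domains:
            continue
        domains.add(domain)
        nss, a_records = RECORDS.get(domain, (set(), set()))
        ips |= a_records
        for ns in nss:
            if is_shared_ns(ns) or ns in nameservers:
                continue
            nameservers.add(ns)
            ips |= RECORDS.get(ns, (set(), set()))[1]
            queue.extend(sorted(domains_served_by(ns)))
    return domains, nameservers, ips


if __name__ == "__main__":
    for seed in ("mlewipzrm.in", "intuitdataserver-1.com", "example.com"):
        d, n, i = pivot(seed)
        print(f"{seed}: {len(d)} domain(s), {len(n)} nameserver(s), {len(i)} IP(s)")
        for ip in sorted(i):
            print("  block", ip)
```

Seeding with mlewipzrm.in returns the three REBELLECLUB.NET domains in the table and five IPs (three hosting addresses plus the two nameserver addresses), while example.com returns only itself because its nameservers belong to a shared provider. In practice the shared-provider list needs to be much longer than the three suffixes here, and every pivot result should be eyeballed before it becomes a firewall rule.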


I recommend that you block the following IPs and/or domains:

52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212

mlewipzrm.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net
browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com
momedefer.pw
prizebrock.pw


Monday 26 October 2015

Malware spam: "Your new PHS documents are attached" / "PHSOnline" [documents@phsonline.co.uk]

This spam does not come from PHSOnline, but is instead a simple forgery with a malicious attachment.

From     "PHSOnline" [documents@phsonline.co.uk]
Date     Mon, 26 Oct 2015 20:28:50 +0700
Subject     Your new PHS documents are attached
I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in three different versions (VT results [1] [2] [3]) containing a macro like this [pastebin] which downloads a malicious binary from one of the following locations:

tranquilosurf.com/~info/76r56e87y8/65df78.exe
masaze-rumburk.cz/76r56e87y8/65df78.exe
img1.buyersbestfriend.com/76r56e87y8/65df78.exe


The Hybrid Analysis reports for those documents are here: [1] [2] [3]. The file is saved as %TEMP%\ZipCock32.exe and this has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report for this binary shows it downloading from the following location:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the same as the ones used in this earlier attack, but the payload has now changed.


Wednesday 21 October 2015

Malware spam: "INVOICE FOR PAYMENT - 7500005791" / "Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]"

This fake financial spam is not from Lancashire Police but is a simple forgery with what appears to be a malicious attachment.

From:    Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date:    21 October 2015 at 10:15
Subject:    INVOICE FOR PAYMENT - 7500005791

Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters

Email: Lyn.Whitehead@lancashire.pnn.police.uk

********************************************************************************************

This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.

Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.

This e-mail has been scanned for the presence of computer viruses.

******************************************************************************************** 
The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.

The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.

Other analysis is pending please check back.

UPDATE 1:
Another version of this is in circulation, also with zero detections at VirusTotal. The Hybrid Analysis for both samples is inconclusive [1] [2].

UPDATE 2:
An analysis of the documents shows an HTTP request to:

ip1.dynupdate.no-ip.com:8245

All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.

UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened it and got a screen like this:

[screenshot of the error dialog, source: Malwr.com]

...then you are not infected. Incidentally, this only infects Windows PCs anyway.

The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3] - analysis of these documents is pending, although I can tell you that they create a malicious file in %TEMP%\HichAz2.exe.
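Two of the posts on this page turn on what an attachment really is rather than what it is called: the Scann16011310150.docf run above shipped a Word document under an extension nothing opens, and this run shipped documents with a stray byte in front of the real file header. The snippet below is an added example, not code from the original posts, of checking an attachment by its magic bytes: it looks for the OLE2 compound-file header (legacy .doc/.xls) or the ZIP header (OOXML .docx/.docm/.xlsm) at offset 0 and at a few offsets beyond it, reports when the header is not where it should be, and flags OOXML archives that carry vbaProject.bin, the part Word stores VBA macros in. The sample blobs are constructed headers with filler, not real malware, and the extension-to-format table is an assumption of this example.

```python
"""Identify an attachment's real container format from its bytes, tolerating a
few bytes of junk before the header.

Added example, not from the original posts. OLE files are not parsed for VBA
streams here; only the OOXML macro check is attempted.
"""
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file: .doc, .xls, .msg
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header: .docx/.docm/.xlsm
MAX_SKEW = 8  # how far past offset 0 to look for a header

# Assumed mapping of container kind to the extensions that honestly describe it.
HONEST_EXT = {
    "ole": {"doc", "xls", "ppt", "msg"},
    "ooxml": {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"},
}


def sniff(data):
    """Return (kind, offset, macro_hint) or (None, -1, False).

    kind is 'ole' or 'ooxml'; offset is where the header actually starts (0 for
    a well-formed file, >0 when junk precedes it); macro_hint is True when an
    OOXML archive names vbaProject.bin.
    """
    for off in range(0, MAX_SKEW + 1):
        window = data[off:]
        if window.startswith(OLE_MAGIC):
            return "ole", off, False
        if window.startswith(ZIP_MAGIC):
            return "ooxml", off, b"vbaProject.bin" in window
    return None, -1, False


def classify_attachment(filename, data):
    """Combine the sniffed format with the claimed extension into one verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, off, macro = sniff(data)
    if kind is None:
        return "unknown container"
    notes = []
    if off:
        notes.append(f"{off} junk byte(s) before header")
    if ext not in HONEST_EXT[kind]:
        notes.append(f"{kind.upper()} document but extension .{ext}")
    if macro:
        notes.append("contains vbaProject.bin (macro-enabled)")
    return kind + (": " + "; ".join(notes) if notes else "")


# Constructed sample blobs (headers plus filler), not real samples.
DOCF_SAMPLE = OLE_MAGIC + b"\x00" * 24               # Word file behind a .docf name
CORRUPT_SAMPLE = b"\x0a" + OLE_MAGIC + b"\x00" * 24  # extra leading byte, as in this run
DOCM_SAMPLE = ZIP_MAGIC + b"\x14\x00" + b"word/vbaProject.bin" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("Scann16011310150.docf", DOCF_SAMPLE),
                       ("invoice.doc", CORRUPT_SAMPLE),
                       ("document.docm", DOCM_SAMPLE),
                       ("notes.doc", b"just text")):
        print(f"{name}: {classify_attachment(name, blob)}")
```

A mail gateway that only keys on the extension passes the .docf file and lets the corrupt .doc through unscanned; sniffing the header catches both, and the offset tells you whether stripping the junk would yield a document worth detonating.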

UPDATE 4:
The Hybrid Analysis reports for the documents [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:

www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe

At present this has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports in addition to this Malwr report indicate malicious traffic to the following IPs:

89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)


The payload is probably the Shifu banking trojan.

Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49

Thursday 15 October 2015

Malware spam: "[Scan] 2015-10-14 5:29:54 p.m." / "Ray White [rw@raylian.co.uk]"

This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery.

From     Ray White [rw@raylian.co.uk]
Date     Thu, 15 Oct 2015 10:56:35 +0200
Subject     [Scan] 2015-10-14 5:29:54 p.m.

Amanda's attached.

In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro [pastebin]. The Hybrid Analysis report shows this particular version (there will be others) downloading a binary from:

sdhstribrnalhota.xf.cz/86575765/6757645.exe

Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56 and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report for this indicates connections to:

89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)


The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.

Recommended blocklist:
89.32.145.12
195.154.251.123

MD5s:
30e1ad13b091ec24935724ed0abf62ca
bc571b3cfa8902da248420ba5e765a40

Wednesday 7 October 2015

Malware spam: "Scanned document from MX-2600N"

This fake scanned document has a malicious payload attached:

From:    xerox@victimdomain.tld
Reply-To:    xerox@victimdomain.tld
Date:    7 October 2015 at 10:08
Subject:    Scanned document from MX-2600N


Reply to: xerox@victimdomain.tld victimdomain.tld
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: XLS MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned document in XLS format.
Use Microsoft(R)Excel(R) to view the document.

Attached is a file in the format xerox@victimdomain.tld_20151007_160214.xls (where victimdomain.tld is the victim's own domain), which has a VirusTotal detection rate of 3/56. This Excel file contains a malicious macro [pastebin] which in THIS case downloads a binary from the following location:

alarmtechcentral.com/fw43t2d/98kj6.exe

There will be other versions of the XLS file which will download components from other locations, however the payload will be the same, and it currently has a detection rate of 2/56. The VirusTotal report indicates traffic to:

84.246.226.211 (ELB Multimedia, France)

Blocking traffic to and from that IP is recommended.

Automated analysis is pending, please check back later. The payload is probably the Dridex banking trojan.

UPDATE
Here are the Hybrid Analysis reports for the XLS file and executable.

Tuesday 6 October 2015

Malware spam: "Copy of Invoice(s)" / "Anny Beckley [Anny@hammondsofknutsford.co.uk]"

This fake financial spam does not come from Hammonds of Knutsford but is instead a simple forgery with a malicious attachment:

From     Anny Beckley [Anny@hammondsofknutsford.co.uk]
Date     Tue, 06 Oct 2015 12:29:23 +0430
Subject     Copy of Invoice(s)

Please find attached a copy of Invoice Number(s) 82105

In the two samples that I have seen, the attached file was named Q_46Q0VWHU4.DOC with a VirusTotal detection rate of 7/56. This document contains a malicious macro [pastebin] which downloads a further component from the following location:

rothschiller.net/~medicbt9/65yg3f3/43g5few.exe

This currently has a detection rate of just 1/56 and it appears to be saved as %TEMP%\rrdDhhm.exe. Note that there are usually several different document versions spammed out with different download locations, but the payload is the same in every case.

Automated analysis is pending, but the payload is almost definitely the Dridex banking trojan.

UPDATE: 
The Hybrid Analysis report for the document is here and the analysis of the dropped executable is here showing the malware phoning home to 84.246.226.211 (ELB Multimedia, France)
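Every Dridex run on this page follows the same shape on the endpoint: Word or Excel runs a macro, the macro writes an executable into %TEMP% (ZipCock32.exe, HichAz2.exe, CrowSoft1.exe, rrdDhhm.exe) and launches it, in one case via a VBS script dropped into %TEMP% first. The script below is an added example, not code from the original posts, of a detection rule for that chain written against process-creation events. The event layout (parent image, child image, command line) is a constructed, Sysmon-like shape and the events themselves are made up for the example; the dropped file names are the ones the posts report, and splwow64.exe is included as a legitimate child of Word that the rule must not flag.

```python
"""Flag an Office application launching an executable from a Temp directory,
directly or through a script host, from process-creation events.

Added example, not from the original posts. Events are constructed dicts.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# A path component named Temp, or a literal %TEMP% reference (case-insensitive).
TEMP_RE = re.compile(r"\\temp\\|%temp%", re.IGNORECASE)


def evaluate(event):
    """Return the reasons this process creation looks like a macro dropper
    (an empty list means nothing fired)."""
    parent = ntpath.basename(event["parent_image"])
    child = ntpath.basename(event["image"])
    p, c = parent.lower(), child.lower()
    cmdline = event.get("command_line", "")
    child_in_temp = bool(TEMP_RE.search(event["image"]))
    reasons = []
    if p in OFFICE_APPS and child_in_temp:
        reasons.append(f"{parent} launched {child} from a temp directory")
    if p in OFFICE_APPS and c in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned script host {child}")
    if c in SCRIPT_HOSTS and TEMP_RE.search(cmdline):
        reasons.append(f"{child} running a script from a temp directory")
    if p in SCRIPT_HOSTS and child_in_temp:
        reasons.append(f"{parent} launched {child} from a temp directory")
    return reasons


def triage(events):
    """Return [(index, reasons)] for every event that fired at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = evaluate(event)
        if reasons:
            hits.append((i, reasons))
    return hits


WORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
TEMP = r"C:\Users\bob\AppData\Local\Temp"

# Constructed events, not real telemetry. File names are the ones the posts report.
SAMPLE_EVENTS = [
    {"parent_image": WORD, "image": TEMP + r"\CrowSoft1.exe",
     "command_line": TEMP + r"\CrowSoft1.exe"},
    {"parent_image": WORD, "image": WSCRIPT,
     "command_line": "wscript.exe " + TEMP + r"\nnjBHccs.vbs"},
    {"parent_image": WSCRIPT, "image": TEMP + r"\JHVHsd.exe",
     "command_line": TEMP + r"\JHVHsd.exe"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": WORD,
     "command_line": WORD + " invoice.doc"},
    # Print driver host for 32-bit applications: a legitimate child of WINWORD.EXE.
    {"parent_image": WORD, "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The first three events fire (direct drop, Word to wscript.exe with a Temp script, wscript.exe to a Temp executable) and the two benign ones stay quiet. The rule is deliberately narrow; a real deployment would widen the Temp pattern to cover %APPDATA% and %PUBLIC% and tune out installers that legitimately run from Temp.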

Monday 5 October 2015

Malware spam: "Your Invoices - Incident Support Group Ltd" / "repairs@isgfleet.co.uk"

This fake financial spam is not from Incident Support Group Ltd but is instead a simple forgery with a malicious attachment:

From     repairs@isgfleet.co.uk
Date     Mon, 05 Oct 2015 15:47:11 +0700
Subject     Your Invoices - Incident Support Group Ltd

Please find attached your invoices from Incident Support Group Ltd. If you wish to
change the email address we have used please email repairs@isgfleet.co.uk with the
correct details.

In the sample I saw, the attached file was 216116.xls which has a VirusTotal detection rate of 6/56 and contains this malicious macro [pastebin] which then downloads a component from the following location:

agridiotiko.com/432/4535.exe

Note that at the time of writing, I only have one sample of this. There are usually several versions of the attachment in these spam runs, with different download locations. The malicious binary has a detection rate of 4/56.

The VirusTotal report and this Hybrid Analysis report indicate traffic to:

84.246.226.211 (ELB Multimedia, France)

Blocking or monitoring traffic to and from that IP would probably be prudent. The payload is most likely the Dridex banking trojan.

UPDATES:
Other download locations spotted so far:

www.poncho-zwerfkatten.be/432/4535.exe
conserpa.vtrbandaancha.net/432/4535.exe
www3.telus.net/~a7a78529/432/4535.exe
216.119.122.167/432/4535.exe

MD5s:
87b01608b8170029816df5eed11cd9c5
2c78ee663f0e0f6a4f651e92afaf243e
75d87be2b43a61d35e938393be0633d5
ce94c036dac774b3cb8c7a07ff333c7f
29b56ddfab41f92b0447783e1ef6ccd8
896b4edc333dba1bb533b9ca18549fe7

Friday 7 August 2015

Malware spam: "Sleek Granite Computer" / "saepe 422-091-2468.zip" / "nulla.exe"

What the heck is a Sleek Granite Computer? As clickbait it is kind of weird, but perhaps interesting enough to get people to click on the malicious attachment it comes with.

From:    mafecoandohob [mafecoandohob@bawhhorur.com]
To:    Karley Pollich
Date:    7 August 2015 at 13:17
Subject:    Sleek Granite Computer

Good day!

If you remember earlier this week we discussed with You our new project which we intend to start next month.
For Your kind review we enclose here the business plan and all the related documents.
Please send us an e-mail in case You have any comments or proposed changes.
According to our calculations the project will start bringing profit in 6 months.
Thanks in advance.


Karley Pollich
Dynamic Response Strategist
Pagac and Sons
Toys, Games & Jewelery
422-091-2468

The only sample of this I had was malformed and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe.

This has a VirusTotal detection rate of 4/55 with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre / Dyre traffic pattern to:

195.154.241.208:12800/0608us12/6FsvE66Gy1/0/61-SP1/0/FDMBEFJBMKBEMM
195.154.241.208:12800/0608us12/6FsvE66Gy1/41/2/18/FDMBEFJBMKBEMM


This IP address belongs to Online SAS in France, who seem to have hosted quite a bit of this stuff recently; the hostname identifies it as belonging to poneytelecom.eu. Traffic is also spotted to:

37.57.144.177 (Triolan / Content Delivery Network, Ukraine)
95.143.141.50 (LTnet, Czech Republic)


There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.

Recommended blocklist:
195.154.241.208
37.57.144.177
95.143.141.50

MD5:
9520d04a140c7ca00e3c4e75dd9ccd9f

Tuesday 4 August 2015

Malware spam: "Need your attention"

A variety of malicious spam messages are in circulation, each with "Need your attention" in the subject. Each message has a different sender, attachment name and reference number in the subject along with some other variations. Here is an example:

From:    Hilda Buckner
Date:    4 August 2015 at 13:29
Subject:    Need your attention: OO-6212/863282


Greetings
Hope you are well

Please find attached the statement that matches back to your invoices.

Can you please sign and return.

In that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them) which in this case contains this malicious macro [pastebin].

What that macro does (other ones may be slightly different) is download a VBS script from pastebin.com/download.php?i=0rYd5TK3 [link here, safe to click] which is then saved as %TEMP%\nnjBHccs.vbs.

That VBS then downloads a file from 5.196.241.204/bt/bt/ched.php which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero (MD5 = 00dca835bb93708797a053a3b540db16).

The Malwr report indicates that this phones home to 80.247.233.18 (NFrance Conseil, France). The payload is probably the Dridex banking trojan.

Note that the malware also sends apparently non-malicious traffic to itmages.ru , for example:
itmages.ru/image/view/2815551/2b6f1599
itmages.ru/image/view/2815537/2b6f1599

Therefore I would suggest that monitoring for traffic to itmages.ru is a fairly good indicator of compromise.
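Most of the posts on this page end in a recommended blocklist, and several of them also name hosts that are harmless in themselves but worth watching as indicators of compromise (icanhazip.com and ip1.dynupdate.no-ip.com, which the malware uses to learn its public IP, and the itmages.ru traffic above). The script below is an added example, not code from the original posts, of turning those lists into something that runs over a web-proxy log: exact matches on download URLs and C2 hostnames, IP matches that honour CIDR blocks such as the 176.103.48.0/20 recommended in the DSV post, and a separate "watch" tier for the benign-but-telling hosts. The indicators are copied from the posts; the log format (timestamp, client, method, URL, destination IP) and the log lines themselves are constructed for the example, with 203.0.113.x standing in for destinations that are not indicators.

```python
"""Match web-proxy log lines against the IOCs published in the posts on this page.

Added example, not from the original posts. Indicators are copied from the
posts; the log format and the sample lines are constructed here.
"""
import ipaddress
from urllib.parse import urlsplit

# Block tier: C2 and download hosts the posts recommend blocking, as single IPs
# plus the two CIDR blocks from the DSV post.
BLOCK_NETS = [ipaddress.ip_network(n) for n in (
    "195.154.241.208", "46.4.239.76", "94.242.57.45", "69.195.129.70",
    "78.47.119.93", "194.28.84.79", "176.103.48.0/20", "51.254.51.176/30",
    "80.247.233.18", "37.57.144.177", "95.143.141.50",
)]
BLOCK_HOSTS = {"kqlxtqptsmys.in", "cgavqeodnop.it", "pvwinlrmwvccuo.eu",
               "dltvwp.it", "uxvvm.us", "wblejsfob.pw", "mlewipzrm.in"}
# Download URLs as host + path (+ query), scheme and port dropped.
BLOCK_URLS = {
    "acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe",
    "194.28.84.79/softparade/spanish.php",
    "5.196.241.204/bt/bt/ched.php",
    "pastebin.com/download.php?i=0rYd5TK3",
}
# Watch tier: benign services the posts flag as indicators of compromise.
WATCH_HOSTS = {"icanhazip.com", "ip1.dynupdate.no-ip.com", "itmages.ru"}


def normalise(url):
    """Return (hostname, 'host/path?query') with scheme and port removed."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    key = host + parts.path
    if parts.query:
        key += "?" + parts.query
    return host, key


def classify(url, dst_ip):
    """Return ('block' | 'watch' | None, reason) for one request."""
    host, key = normalise(url)
    if key in BLOCK_URLS:
        return "block", "url " + key
    if host in BLOCK_HOSTS:
        return "block", "host " + host
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:
        ip = None
    if ip is not None:
        for net in BLOCK_NETS:
            if ip in net:
                return "block", f"ip {ip} in {net}"
    if host in WATCH_HOSTS:
        return "watch", "host " + host
    return None, ""


def scan(log_text):
    """Parse 'ts client method url dst_ip' lines; return (client, tier, reason) hits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # constructed format: skip anything that does not fit it
        _ts, client, _method, url, dst_ip = fields
        tier, reason = classify(url, dst_ip)
        if tier:
            hits.append((client, tier, reason))
    return hits


# Constructed log lines, not real traffic. 203.0.113.x destinations are filler.
SAMPLE_LOG = """\
1455800100.101 10.0.0.21 GET http://acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe 203.0.113.10
1455800101.202 10.0.0.21 POST http://kqlxtqptsmys.in/main.php 195.154.241.208
1455800102.303 10.0.0.33 GET http://176.103.62.14/softparade/spanish.php 176.103.62.14
1455800103.404 10.0.0.33 GET http://icanhazip.com/ 203.0.113.20
1455800104.505 10.0.0.40 GET http://www.example.com/index.html 203.0.113.30
"""

if __name__ == "__main__":
    for client, tier, reason in scan(SAMPLE_LOG):
        print(f"{client:<10} {tier:<6} {reason}")
```

The third line is the one worth noting: 176.103.62.14 appears nowhere in the lists as a literal, but falls inside the /20 the DSV post recommends, which is exactly why the post asks for the whole block rather than the single address. Host matching is exact here; if your proxy logs only the destination IP, the domain tier does nothing and the IP tier carries the load.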

Malware spam: "INVOICE HH / 114954" / "haywardsheath@hpsmerchant.co.uk"

This fake invoice is not from Heating & Plumbing Supplies but is instead a simple forgery with a malicious attachment:

From     [haywardsheath@hpsmerchant.co.uk]
Date     Tue, 04 Aug 2015 12:19:56 +0200
Subject     INVOICE HH / 114954

Please find attached INVOICE HH / 114954
--
Automated mail message produced by DbMail.
Registered to Heating & Plumbing Supplies, License MBS2009358.

Attached is a file R-20787.doc which contains a malicious macro like this one [pastebin] that comes in at least two different versions, downloading from the following URLs:

mszpdorog.hu/45g33/34t2d3.exe
cvaglobal.com/45g33/34t2d3.exe

The Hybrid Analysis reports [1] [2] give some insight into the characteristics of the malicious document. The downloaded file has a VirusTotal detection rate of 3/55. Automated analysis [1] [2] shows traffic to the following IPs:

194.58.111.157 (Reg.RU, Russia)
62.210.214.106 (Iliad / Online S.A.S., France)
31.131.251.33 (Selectel, Russia)


The payload is the Dridex banking trojan.

Recommended blocklist:
194.58.111.157
62.210.214.106
31.131.251.33

MD5s:
8f3063ef8032799f71507b8f88f8a1c5
64011582b5dfa8fd79d823957a569b5f
3303a507e6584136c39c354085760987


Monday 3 August 2015

Malware spam: "E-bill : 6200228913 - 31.07.2015 - 0018" / "noreply.UK.ebiller@lyrecobusinessmail.com"

This fake financial spam does not come from Lyreco but is instead a simple forgery with a malicious attachment:

From:    noreply.UK.ebiller@lyrecobusinessmail.com
Date:    2 August 2015 at 03:00
Subject:    E-bill : 6200228913 - 31.07.2015 - 0018

Dear customer,

Please find enclosed your new Lyreco invoicing document n° 6200228913 for a total amount of 43.20 GBP, and
due on 31.08.2015

We would like to remind you that all of your invoices are archived electronically free of charge and can be reviewed by

you at any time.

For any questions or queries regarding your invoices, please contact Customer Service on Tel : 0845 7676999*.

Your Lyreco Customer Service

*** Please do not reply to the sender of this email.
This e-mail, including any attachments to it, may contain company confidential and/or personal information.
If you have received this e-mail in error, you must not copy, distribute, or disclose it, use or take any action based on the
information contained within it.

Please notify immediately by return e-mail of the error and then delete the original e-mail by replying to
wise.cs.iqt@lyreco.com ***

The attachment is named 0018_6200228913.docm which contains a malicious macro like this one [pastebin]. So far I have seen three different variants (Hybrid Analysis reports [1] [2] [3]) which then go and download a malicious binary from one of the following locations:

orpigagny.com/w45r3/8l6mk.exe
audiobienentendre.fr/w45r3/8l6mk.exe
immobilier-roissyenbrie.com/w45r3/8l6mk.exe


All of these sites are hosted on 94.23.55.169 (OVH, France). The binary has a detection rate of 4/55. This Malwr report shows it phoning home to 46.36.219.141 (FastVPS, Estonia). The payload is probably the Dridex banking trojan.

Recommended blocklist:
46.36.219.141
94.23.55.169


MD5s:
939EE3B203B79F6422EF4A96FDE11393
1C76B4A8CFA4227DCFCF0FD2C2C4BA37
D0EC5C08C0A7F744C620CFA28F96521E
147D2E6E2D5903FE694DDC59BCB55DD0


Tuesday 28 July 2015

Malware spam: "Please Find Attached - Report form London Heart Centre" / "lhc.reception@heart.org.uk"

This spam is not from the London Heart Centre, but is instead a simple forgery with a malicious attachment:

From     lhc.reception@heart.org.uk
Date     Tue, 28 Jul 2015 14:15:05 +0700
Subject     Please Find Attached - Report form London Heart Centre

(See attached file: calaidzis, hermione.doc)

Attached is a file calaidzis, hermione.docm which comes in at least three different versions [1] [2] [3] which download a malicious binary from one of the following locations:

http://laperleblanche.fr/345/wrw.exe (94.23.1.145 / OVH, France)
http://chloedesign.fr/345/wrw.exe (85.236.156.24 / Barizco Inc., France)
http://ce-jeffdebruges.com/345/wrw.exe (94.23.1.145 / OVH, France)

This is saved as %TEMP%\treviof.exe  and has a detection rate of 4/55. Automated analysis tools [1] [2] [3] report that it phones home to:

93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)

I recommend that you block that IP. The malware is the Dridex banking trojan.

MD5s:
5be14022a092eec9855e28c2498f5ada
04e3ab669c516b04f92a631aa1498ba9
550599ad64385497110f8bdb28164be2
5c8aa48a831675fa2b8e09821d37671a

Thursday 23 July 2015

Malware spam: "Order Form for Job Number 2968347" / "steve.champion@printing.com"

This fake financial spam does not come from printing.com but is instead a simple forgery with a malicious attachment.

From     "steve.champion@printing.com" [steve.champion@printing.com]
Date     Thu, 23 Jul 2015 18:23:44 +0700
Subject     Order Form for Job Number 2968347

Hello ,

Thanks for your order, job reference 2968347. Please open the attached order form,
read it and check it.

To Accept your order:
- Visit http://www.printing.com/uk/
- Sign in (see below if you don't have a username or you've forgotten your password);
- In the "My Orders" section, click on job 2968347;
- Click the "Accept" button at the bottom of the screen;

If you have any queries about the order please call me before you accept it.

Thanks again for your order!

Kind Regards,

Steve Champion

printing.com Middlesbrough
Cargo Fleet Offices
Middlesbrough Rd
Middlesbrough
TS6 6XH
Tel: 01642 205649
Fax:
Email: steve.champion@printing.com

Franchises are independently owned and operated under licence. Dan James Limited.
Registered in England No. 5164910 Registered Address: Rede House, 69-71 Corporation
Road, Middlesbrough, TS1 1LY VAT Registration No.: GB 847 8229 85

Attached is a file OrderForm2968347.docm which I have seen in three different versions (there are maybe more) with various detection rates [1] [2] [3]. They contain a malicious macro like this one [pastebin].

The macro downloads a malicious binary from one of the following locations:

solution-acouphene.fr/mini/mppy.exe
surflinkmobile.fr/mini/mppy.exe
verger-etoile.fr/mini/mppy.exe


All of these are on the same compromised OVH France server of 94.23.1.145. The binary has a detection rate of just 2/54 and it is saved as %TEMP%\ihhadnic.exe. Automated analysis [1] [2] [3] shows attempted network traffic to:

85.25.199.246 (PlusServer AG, Germany)
194.58.96.45 (Reg.Ru, Russia)
31.131.251.33 (Selectel, Russia)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
85.25.199.246
194.58.96.45
31.131.251.33
94.23.1.145

MD5s:
74fca464697b5816acfe9140ee387ecd
fd8291e5147abef45654f3da6d5cfc28
a32eb507c674d82c6161bb606f594782
a3e64d3f4fa2168315428e573746caf4

Thursday 9 July 2015

Malware spam: "Your order No. 3269637 has been despatched" / "info@123print.co.uk"

This fake financial spam does not come from 123Print but is instead a simple forgery with a malicious attachment.

From     "info@123print" [info@123print.co.uk]
Date     Thu, 09 Jul 2015 12:09:12 +0200
Subject     Your order No. 3269637 has been despatched

Dear customer

Your order 3269637 has been despatched.

Please see attachment for details.

Attached is a file 4077774.doc for which I have seen three variants [1] [2] [3] [Hybrid Analysis] which downloads a malicious executable from one of the following locations:

robindesdroits.com/43/82.exe
illustramusic.com/43/82.exe
prodasynth.com/43/82.exe

Those sites are hosted on 213.186.33.19 and 213.186.33.87 which are OVH parking IPs.

That executable has a detection rate of 8/54 and automated analysis tools [1] [2] [3] show traffic to 62.210.214.106 (OVH, France). The payload is the Dridex banking trojan.

Recommended blocklist:
62.210.214.106

MD5s:
17cfe88703b471940c22aa01a367a2a3
404b61075c9b5cb7b8ecf107b4b4ccb0
53d0ee49815c7f9740b80fdbb50f599d
0488144945839b1a8cdf5ab6f37c471d
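The posts above each end with a list of MD5s for the dropped binaries, and one of them (the Lyreco post) lists its hashes in upper case while the rest use lower case. As an added example (not the blog's own tooling), the following Python script collects those hashes, normalises them so the case difference cannot silently break a match, and sweeps a directory for files with a matching MD5, the kind of check you would run over a user's %TEMP% after one of these emails was opened. The demo directory and its file contents are constructed here; the sample hash 5d41402abc4b2a76b9719d911017c592 is simply the MD5 of the bytes "hello" and is not an indicator from the posts.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set

# MD5s as quoted across the posts above, in the mixed case they were published.
KNOWN_MD5S_RAW = [
    "00dca835bb93708797a053a3b540db16",
    "8f3063ef8032799f71507b8f88f8a1c5", "64011582b5dfa8fd79d823957a569b5f",
    "3303a507e6584136c39c354085760987",
    "939EE3B203B79F6422EF4A96FDE11393", "1C76B4A8CFA4227DCFCF0FD2C2C4BA37",
    "D0EC5C08C0A7F744C620CFA28F96521E", "147D2E6E2D5903FE694DDC59BCB55DD0",
    "5be14022a092eec9855e28c2498f5ada", "04e3ab669c516b04f92a631aa1498ba9",
    "550599ad64385497110f8bdb28164be2", "5c8aa48a831675fa2b8e09821d37671a",
    "74fca464697b5816acfe9140ee387ecd", "fd8291e5147abef45654f3da6d5cfc28",
    "a32eb507c674d82c6161bb606f594782", "a3e64d3f4fa2168315428e573746caf4",
    "17cfe88703b471940c22aa01a367a2a3", "404b61075c9b5cb7b8ecf107b4b4ccb0",
    "53d0ee49815c7f9740b80fdbb50f599d", "0488144945839b1a8cdf5ab6f37c471d",
]


def normalise_hashes(hashes: Iterable[str]) -> Set[str]:
    """Lower-case and validate MD5 strings; drop anything that is not 32 hex chars."""
    out: Set[str] = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            out.add(h)
    return out


def md5_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through MD5 so large binaries do not need to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_dir(root: Path, known: Set[str]) -> Dict[str, str]:
    """Map path -> MD5 for every file under root whose hash is in `known`."""
    hits: Dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file():
            h = md5_file(p)
            if h in known:
                hits[str(p)] = h
    return hits


def demo() -> Dict[str, str]:
    """Build a constructed temp directory and scan it; returns {filename: md5}."""
    # Constructed sample: MD5(b"hello") = 5d41402abc4b2a76b9719d911017c592,
    # added in upper case to exercise the normalisation path.
    known = normalise_hashes(KNOWN_MD5S_RAW + ["5D41402ABC4B2A76B9719D911017C592"])
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "JHVHsd.exe").write_bytes(b"hello")          # constructed "dropper"
        (root / "benign.txt").write_bytes(b"nothing to see")  # constructed noise
        return {Path(k).name: v for k, v in scan_dir(root, known).items()}


if __name__ == "__main__":
    for name, h in demo().items():
        print(f"HIT {name} {h}")
```

Hash matching of this kind only catches the exact samples already published; each post notes that the binaries arrive in several versions, so the hash list is a confirmation tool rather than a substitute for the network blocklists.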