Malware spam: "Rechnung Nr. 2016_131" / fueldner1A0@lfw-ludwigslust.de

This German language spam does not comes from LFW Ludwigsluster but is instead a simple forgery with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.

From:    fueldner1A0@lfw-ludwigslust.de
Date:    19 February 2016 at 09:10
Subject:    Rechnung Nr. 2016_131

Sehr geehrte Damen und Herren,

bitte korrigieren Sie auch bei der Rechnung im Anhang den Adressaten:

LFW Ludwigsluster Fleisch- und Wurstspezialitäten

GmbH & Co.KG

Vielen Dank!

Mit freundlichen Grüßen

Anke Füldner

Finanzbuchhaltung

Tel.: 03874-422038

Fax: 03874-4220844

E-Mail: fueldner@lfw-ludwigslust.de 

LFW Ludwigsluster Fleisch- und Wurstspezialitäten

GmbH & Co.KG, Bauernallee 9, 19288 Ludwigslust

HRA 1715, Amtsgericht Schwerin

Geschäftsführer: U.Müller, U.Warncke

USt.-IdNr. DE202820580, St.Nr. 08715803209

Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen enthalten. Wenn Sie nicht der richtige Adressant sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten diese E-Mail und alle Anhänge und Ausdrucke unverzüglich.

Das Gebrauchen, Publizieren, Kopieren oder Ausdrucken sowie die unbefugte Weitergabe des Inhalts dieser E-Mail ist nicht erlaubt.

This e-mail and any attached files may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Attached is a file with a format similar to RG460634280127-SIG.zip which contains a malicious javascript in the format RG6459762168-SIG.js or similar. At the moment, I have seen two samples, both with zero detection rates at VirusTotal [1] [2]. Malwr analysis of one of the samples shows that a binary is downloaded from:

mondero.ru/system/logs/56y4g45gh45h

Other samples probably have different download locations. This executable has a detection rate of 7/53 and it appears to drop another executable with a relatively high detection rate of 26/55. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.

The malware phones home to:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)

But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you block it.

Incidentally, full credit to the company involved in putting this massive banner on their website warning people about the fake email..

UPDATE

An additional analysis from a trusted source (thank you). Download locations are:

mondero.ru/system/logs/56y4g45gh45h
tcpos.com.vn/system/logs/56y4g45gh45h
www.bag-online.com/system/logs/56y4g45gh45h

The malware phones home to:

46.4.239.76/main.php
94.242.57.45/main.php
wblejsfob.pw/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php

The active C2s (some may be sinkholes) appear to be:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)

Analysis those C2 locations give a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70

Malware spam: "Payment" / Laurence Cottle [lcottle60@gmail.com]

This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the email address has a random number appeneded to it

From:    Laurence Cottle [lcottle60@gmail.com]
Date:    18 February 2016 at 13:35
Subject:    Payment

Hi

Any chance of getting this invoice paid, please?

Many thanks

Laurence

Attached is a file unnamed document.docm which comes in several different versions.

Third-party analysis (thank you!) reveals that there are download locations at:

acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe
alkofuror.com/system/engine/7647gd7b43f43.exe
merichome.com/system/logs/7647gd7b43f43.exe
organichorsesupplements.co.uk/system/logs/7647gd7b43f43.exe
shop.zoomyoo.com/image/templates/7647gd7b43f43.exe
tutikutyu.hu/system/logs/7647gd7b43f43.exe
vipkalyan.com.ua/system/logs/7647gd7b43f43.exe

This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.

MD5s:
a40d4d655cd638e7d52f7a6cdedc5a8e  
9f622033cfe7234645c3c2d922ed5279

The malware phones home to:

195.154.241.208/main.php
46.4.239.76/main.php
94.242.57.45/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php
wblejsfob.pw/main.php

Out of those, the most supect IPs are:

195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)

Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70

Malware spam: "Rechnung 2016-11365" / mpsmobile GmbH [info@mpsmobile.de]

This bilingual spam does not come from mpsmobile but is instead a simple forgery with a malicious attachment.

From:    mpsmobile GmbH [info@mpsmobile.de]
Date:    17 February 2016 at 12:23
Subject:    Rechnung 2016-11365

Sehr geehrte Damen und Herren,

anbei erhalten Sie das Dokument 'Rechnung 2016-11365' im DOC-Format. Um es betrachten und ausdrucken zu können, ist der DOC Reader erforderlich. Diesen können Sie sich kostenlos in der aktuellen Version aus dem Internet installieren.

Mit freundlichen Grüssen
mpsmobile Team

______________________________

_____

Dear Ladies and Gentlemen,

please find attached document ''Rechnung 2016-11365' im DOC-Format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.

Best regards
mpsmobile GmbH

mpsmobile GmbH
Brühlstrasse 42
88416 Ochsenhausen
Tel: +49 7352 923 23 0
Fax: +49 7352 923 23-29
Email: info@mpsmobile.de

Handelsregister Amstgericht ULM HRB 727290
Sitz der Gesellschaft: Ochsenhausen
UStIDNr: DE 281079008

Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet.

In the sample I saw, the attachment was named 19875_Rechnung_2016-11365_20160215.docm and has a VirusTotal detection rate of 5/54.

According to this Malwr report  the binary attempts to download the Locky ransomware (seemingly a product of those behind the Dridex banking trojan). It attempts to download a binary from:

feestineendoos.nl/system/logs/7623dh3f.exe?.7055475

This dropped file has a detection rate of 3/53.  Analysis of the file is pending, but overall this has been made more complicated because the Locky installer calls out to a number of domains, many of which actually appear to have been sinkholed.

Machines infected with Locky will display a message similar to this:

Unfortunately, the only known way to recover from this is to restore files from offline backup once the infection has been removed from the PC.

UPDATE

Another version plopped into my inbox, VT 7/54  and according to this Malwr report, it downloads from:

nadeenk.sa/system/logs/7623dh3f.exe?.7055475

This variant POSTs to a server at:

46.4.239.76 (Myidealhost.com  / Hetzner, Germany)

It is likely that the C2 server (identified in the previous report) is:

85.25.149.246 (PlusServer AG, Germany)

Recommended blocklist:
85.25.149.246
46.4.239.76

Malware spam: Overdue Invoice 012345 - COMPANY NAME

This malicious spam appears to come from many different senders and companies. It has a malicious attachment:

From:    Brandi Riley [BrandiRiley21849@horrod.com]
Date:    15 February 2016 at 12:20
Subject:    Overdue Invoice 089737 - COMS PLC

Dear Customer,

The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Brandi Riley

COMS PLC

Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis shows an attempted download from:

node1.beckerdrapkin.com/fiscal/auditreport.php

This is hosted on an IP that you can assume to be malicious:

193.32.68.40 (Veraton Projects, BZ / DE)

The dropped executable (detection rate 4/54) then phones home to:

194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)

The payload is the Dridex banking trojan.

Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229

Malware spam: "Invoice (w/e 070216)" / Kelly Pegg [kpegg@responserecruitment.co.uk]

This fake financial spam does not come from Response Recruitment but is instead a simple forgery with a malicious attachment:

From     Kelly Pegg [kpegg@responserecruitment.co.uk]
Date     Mon, 15 Feb 2016 13:15:37 +0200
Subject     Invoice (w/e 070216)

Good Afternoon

Please find attached invoice and timesheet.

Kind Regards

Kelly

Attached is a file SKM_C3350160212101601.docm which comes in several different variants. The macro in the document attempts to download a malicious executable from:

216.158.82.149/09u8h76f/65fg67n
sstv.go.ro/09u8h76f/65fg67n
www.profildigital.de/09u8h76f/65fg67n

This dropped a malicious executable with a detection rate of 6/54 which according to these automated analysis tools [1] [2] calls home to:

5.45.180.46 (B & K Verwaltungs GmbH, Germany)

I strongly recommend that you block traffic to that address. The payload is the Dridex banking trojan.

Malware spam: "DVSA RECEIPT" / FPO.CC.15@vosa.gsi.gov.uk

This spam email does not come from a UK government agency, but is instead a simple forgery with a malcious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi.gov.uk.

From     FPO.CC.15@vosa.gsi.gov.uk
Date     Fri, 12 Feb 2016 12:47:20 +0300
Subject     DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.
*********************************************************************


The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.

Attached is a file Fixed Penalty Receipt.docm which comes in at least ten different variants with the following MD5s:



1cb27d23f9999d9d196a5d20c28fbd4e
68225ddcb35694eff28a2300e8d60399
a99d6c25218add7ece55b2503666b664
57ab4224e7d2274d341020767a6609fd
51f5960ae726906a50b5db4e9253c3c2
7a43a911e0ad208adf4e492345349269
4aae160341b6d96adc2c911ddc941222
f34460da1e77ae4a3b178532800300a2
58a01b254b9d7b90d1d0f80c14f5a089
50e1c94e43f05f593babddb488f1a2f9

I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:

raysoft.de/09u8h76f/65fg67n
xenianet.org/09u8h76f/65fg67n
steinleitner-online.net/09u8h76f/65fg67n [reported here]

This dropped file has a detection rate of 5/54 (MD5 7bf7df5e630242182fa95adff4963921). This Hybrid Analysis report indicates subsequent traffic to:

192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
87.229.86.20 (ZNET Telekom Zrt, Hungary)
84.38.67.231 (ispOne business GmbH, Germany)

The payload is the Dridex banking trojan.

Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231

Malware spam: "Your Sage Pay Invoice INV00318132" / Sagepay EU [accounts@sagepay.com]

This spam does not come from Sage Pay but is instead a simple forgery with a malicious attachment:

From:    Sagepay EU [accounts@sagepay.com]
Date:    11 February 2016 at 13:21
Subject:    Your Sage Pay Invoice INV00318132


Please find attached your invoice.

We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones.  You should have already received an email that outlined the changes, however if you have any questions please contact accounts@sagepay.com or call 0845 111 44 55.

Kind regards

Sage Pay
0845 111 44 55

Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least 11). The VirusTotal detection rate for a subset of these is 4/54 [1] [2] [3] [4] [5] [6]. Only a single Malwr report seemed to work, indicating the macro downloading from:

www.phraseculte.fr/09u8h76f/65fg67n

This dropped executable has a detection rate of 3/54. The Malwr report shows it phoning home to:

84.38.67.231 (ispOne business GmbH, Germany)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

Malware spam: Emailing: MX62EDO 10.02.2016 / documents@dmb-ltd.co.uk

This spam has a malicious attachment:

From     documents@dmb-ltd.co.uk
Date     Wed, 10 Feb 2016 11:12:41 +0200
Subject     Emailing: MX62EDO 10.02.2016

Your message is ready to be sent with the following file or link
attachments:

MX62EDO  10.02.2016 SERVICE SHEET


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

Attached is a malicious document named MX62EDO 10.02.2016.doc. I haven't had time to analyse these myself, but a trusted source (thank you) says that there are three different variants of documents, downloading a malicious executable from the following locations:

calflytech.com/09u8h76f/65fg67n
g-t-c.co.uk/09u8h76f/65fg67n
opoai.com/09u8h76f/65fg67n

This drops an executable with a VirusTotal detection rate of 6/55.  This malware calls back to the following IPs:

87.229.86.20 (ZNET Telekom Zrt, Hungary)
50.56.184.194 (Rackspace, US)
144.76.73.3 (Hetzner, Germany)

The payload is the Dridex banking trojan. Some chatter I have seen indicates that this has been hardened against analysis.

Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3
 

Malware spam: "Accounts Documentation - Invoices" / CreditControl@crosswater.co.uk

This fake financial spam does not come from Crosswater Holdings, but it is instead a simple forgery with a malicious attachment:

From:    CreditControl@crosswater.co.uk
Date:    8 February 2016 at 10:34
Subject:    Accounts Documentation - Invoices

Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.

If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:

Accounts@crosswater-holdings.co.uk

or call us on 0845 873 8840

Please do not reply to this E-mail as this is a forwarding address only.

Attached is a malicious script ~13190.js which comes in at least two different variants (VirusTotal [1] [2]). According to automated analysis [3] [4] [5] [6] these scripts download from:

hydroxylapatites7.meximas.com/98876hg5/45gt454h
80.109.240.71/~l.pennings/98876hg5/45gt454h

This drops an executable with a detection rate of 3/53 which appears to phone home to:

188.40.224.73 (NoTag, Germany)

I strongly recommend that you block traffic to that IP address. The payload is likely to be the Dridex banking trojan.

Malware spam: "Despatch Note FFGDES34309" / Foyle Food Group Limited [accounts@foylefoodgroup.com]

This fake financial spam is not from Foyle Food Group Limited but is instead a simple forgery with a malicious attachment:

From     Foyle Food Group Limited [accounts@foylefoodgroup.com]
Date     Fri, 29 Jan 2016 17:58:37 +0700
Subject     Despatch Note FFGDES34309

Please find attached Despatch Note FFGDES34309

I haven't had the chance to do the analysis myself, so I am relying on the analysis of a contact (thank you). The attachment is FFGDES34309.doc which comes in three different variants, downloading from:

jjcoll.in/56gf/g545.exe
romana.fi/56gf/g545.exe
clickchiropractic.com/56gf/g545.exe

This has an MD5 of d88c2bed761c7384d0e8657477af9da7 and a detection rate of 6/49. According to my contact, this phones home to:

85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)

This drops the Dridex banking trojan. The behaviour is consistent with botnet 220.

Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3

Malware spam: "Your order #7738326 From The Safety Supply Company" / Orders - TSSC [Orders@thesafetysupplycompany.co.uk]

This fake financial spam does not come from The Safety Supply Company but is instead a simple forgery with a malicious attachment:

From:    Orders - TSSC [Orders@thesafetysupplycompany.co.uk]
Date:    15 January 2016 at 09:06
Subject:    Your order #7738326 From The Safety Supply Company

Dear Customerl

Thank you for your recent purchase.

Please find the details of your order through The Safety Supply Company attached to this email.

Regards,

The Sales Team

So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.

UPDATE 1

This Hybrid Analysis on the first sample shows it downloading from:

149.156.208.41/~s159928/786585d/08g7g6r56r.exe

That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to commicate with:

216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)

I have now seen another version of the DOC file [VT 4/54] which has similar characteristics.

Dropped file MD5:
9138e36d70ab94349558c61e92ab9ae2

Attachment MD5s:
d5a25f10cb91e0afd00f970cee7c5f01
985bb69a8c292d90a5bd51b3dbec76ac

UPDATE 2

This related spam run gives some additional download locations:

nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe

Sources also tell me that there is one at:

204.197.242.166/~topbun1/786585d/08g7g6r56r.exe

Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
204.197.242.166
149.156.208.41

Malware spam: "Order 0046/033777 [Ref. MARKETHILL CHURCH]" / "JOHN RUSSELL [John.Russell@yesss.co.uk]"

This fake financial spam does not come from Yesss Electrical but is instead a simple forgery with a malicious attachment:

From     JOHN RUSSELL [John.Russell@yesss.co.uk]
Date     Wed, 13 Jan 2016 20:11:43 +0600
Subject     Order 0046/033777 [Ref. MARKETHILL CHURCH]

John Russell
Branch Manager

Yesss Electrical
44 Hilsborough Old Road
Lisburn
BT27 5EW

T: 02892 606 758
M: 07854362314
F: 02892 606 759
E: John.Russell@yesss.co.uk

[EW Award winner 2015]
[Electrical Times Award winner 2014]
[EW Award winner 2014]
[YESSS gains all three BSI industry standards]
[Order a YESSS Book NOW!]
[Our YESSS motto]
[Visit the YESSS website]      [Visit the YESSS Facebook
page]       [Visit the YESSS Twitter page]
  [Visit the YESSS Youtube page]
[Visit the YESSS Linkedin page]
[Visit the YESSS Pinterest page] 

There are at least five different versions of the attachment 033777 [Ref. MARKETHILL CHURCH].doc (VirusTotal results [1] [2] [3] [4] [5]). Analysis of these documents is pending, however it is likely to be the Dridex banking trojan.

UPDATE

These Malwr reports [1] [2] [3] [4] [5] indicate the macro in the document downloads from one of the following locations:

amyzingbooks.com/l9k7hg4/b4387kfd.exe
webdesignoshawa.ca/l9k7hg4/b4387kfd.exe
powerstarthosting.com/l9k7hg4/b4387kfd.exe

This binary has a detection rate of 4/53. The Hybrid Analysis shows the malware phoning home to:

85.25.200.103 (PlusServer AG, Germany)

I recommend that you block traffic to that IP.

Malware spam: "Invoice 01147665 19/12 £4024.80" / "Ibstock Group"

This fake financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam which was sent out earlier today.

From:    Amber Smith
Date:    7 January 2016 at 10:38
Subject:    Invoice 01147665 19/12 £4024.80

Hi,

Happy New Year to you !

Hope you had a lovely break.

Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.

Its invoice  01147665  19/12  £4024.80  P/O ETCPO 35094

Can you have a look at it for me please?

Thank-you !

Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group
Supporting Ibstock, Ibstock-Kevington & Forticrete
-----------------------------------------------
( +44 (0)1530 257371
( VPN: 700 2371
6  +44 (0)1530 257379

The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far (there are probably more) with VirusTotal detection rates of 2/54 [1] [2] [3] and the Malwr reports [4] [5] [6] show these documents communicating with:

193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php

IPs are allocated to:

176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)

As before, a binary geroin.exe is dropped which communicates with:

78.47.119.93 (Hetzner, Germany)

The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post.

Malware spam: "Your Latest Documents from Angel Springs Ltd [1F101177]"

This fake financial spam comes with a malicious attachment. The name of the sender varies, as does the reference number in the subject field that matches the attachment name.

From:    Leonor Stevens
Date:    7 January 2016 at 10:13
Subject:    Your Latest Documents from Angel Springs Ltd [1F101177]

Dear Customer,

Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.

Here's a few ways we've made it easier for you:

    Your new documents are now attached to your email. You don't have to follow a link now to get to your documents.

    Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.

    You can simply and easily raise any queries you may have through the customer portal.

Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.

If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on 0845 230 9555 and we will be more than happy to assist you. Please do not reply to this email.

To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document

With Kind Regards,

Angel Springs Ltd

Yesterday I saw several spam runs similar to this coming from Dridex botnet 120. There are many, many variations of the attachment although I do not believe that they are uniquely-generated.

The three samples I have sent for analysis so far has VirusTotal detection rates of 2/55 [1] [2] [3] and the Malwr reports [4] [5] [6] show an initial communication with:

193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php
These IPs belong to:

176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)

I note that 91.223.88.204 also hosts some bad things.. and the entire 176.103.48.0/20 block has a history of evil-ness [1] [2] [3].

Note that there are probably other download locations. Check back later if you are interested.

These malicious documents drop a binary geroin.exe which has a detection rate of 3/54. The Malwr report for this shows it phoning home to:

78.47.119.93 (Hetzner, Germany)

Binary MD5:
088724715613ff48edf090a74c8b6413

Attachment MD5s:
53521464ee6d70ec6c93f2e038e92651
3dfef23d2f6846133f1758dca675afd2
9bfadfe1c8dd23a0358c5ae4a6f7f465
a1c601351f865e5d9f8315ecc867971d
939aa6ebf02a338fab864690467909fa
1021f12f47d1d68e12d3e81ad6f44a92
30097bc5a0903db248252f3e01344b8b
25ae775c96146b4bfba1a88f755ccc20
c225905d94f1b3a0a1dae86109c80e51
617d676e09a74fa0fb099509a2f57ac8
fbb83ab6ae5a3ef2bac5f5ff549713b5
7d5b9851c8bc682ff621568cc648c9e6
3a4cb5fa7aa75afc72cef5709576f441
0b60bad71222d1fb091efeef6fa3524a
ed8f764742a827d23a56c439a0393448
1b93d2fcbe94d9a6e248ddf964078406
f37cfbead3e52549c7490a4aaf20e423
2ef9a2bb6e59c75cef3643700e054385
d167d52dfd4d69c7cf336abff6b71280
d1038a983442ce25535d707e9568b03b


Recommended blocklist:
176.103.48.0/20
91.223.88.204/30
78.47.119.93
193.201.227.12

Malware spam "Invoice-205611-49934798-CROSSHILL SF"

This fake financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:

From:    Bertha Sherman
Date:    6 January 2016 at 09:29
Subject:    Invoice-205611-49934798-CROSSHILL SF

Dear Customer,

Please find attached Invoice 02276770 for your attention.

Should you have any Invoice related queries please do not hesitate to
contact either your designated Credit Controller or the Main Credit Dept. on
01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

I have seen at least four different attachments with names in a format similar to invoice40201976.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show that the malware contained within POSTs to:

37.46.130.53/jasmin/authentication.php
179.60.144.21/jasmin/authentication.php
195.191.25.138/jasmin/authentication.php

Those reports also show communication to other suspect IPs, giving:

94.158.214.45 (Noviton Ltd , Russia)
78.47.119.93 (Hetzner, Germany)
2.61.168.116 (Sibirtelecom, Russia)
37.46.130.53 (JSC Server, Russia)
179.60.144.21 (Veraton Projects Ltd, Netherlands)
195.191.25.138 (Hostpro Ltd, Ukraine)

This Hybrid Analysis also shows similar characteristics.

The macro drops a file tsx3.exe with a detection rate of 7/55. The Malwr report doesn't give any particlar insight as to what this is, but it is likely to be a banking trojan or ransomware. UPDATE: this is Dridex (botnet 120 apparently), and thos the dropped file has been updated to this one.

There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost.RU IP in Russia:

109.234.34.224/jasmin/authentication.php

MD5s (dropped EXE):
fdd95b4cc10b536934486c7d3fdee04f
613f5e4139e8006e9d47cb562450bc4a


MD5s (attachments):
06afdf7eaa3aa0d07b74c87c2c4bcede
11efa97e6091fa608596b463c9a20718
1574669aae13badc47b5c32927d22fb9
1988f8c864689bfd725e659e0815f032
27f891f6b0c0820492408022a860accc
37cc9d15f4eb5173e30ebff8ae6d44f6
37dd4e12541994d719d669ef7408b042
41faea2d8d7334a1e645cedf2a297344
42694176858ef65ababe87c8eee3679d
430eb4d6bc75b3743169aba0b5c368b9
5a5e5ac6d0e12215d79d2d321ac7a303
60cb6167675a908e9bba8957ece0947b
63abdef9d973b820f656642831ef6e07
7d190049c2354c18bd850d086d8c43c8
81697ef360e4abd09d96cd58bb1c7f01
82e06ae650e81e77879c5a33dba058b6
840b0d424b541d3649c33e8264632ba7
933f50bd87c02b67e122520022677aa6
a17b2fc61c64381ba5a2a154085ee6e7
a1958f55febde3b0fac15490f5e0ac6e
a43490f4c09e519d72296898343ab04f
ab41e3d7fa1e3d98a0bdec1e4086058a
b614c2f6f07620e53375c35efc692596
bc3142ce5e20814e98e582fa9b258501
cda4ba15eebc6ae3a9ab54610b38db04
d44c6490ab1c86adf9a99da1d173fc2f
d86f5160a0ea91bee70972e2bbf2c86d
e8bd65668d68410adacee9463eb1489e
ee70b032f96fb8f484019396aa130a55
ef4fd29b806675346661aec4907a14f7
f39fcd49bdbd7f100047594d8d7875b4
f65d8b3310f758c5d9c0f156d859125f
ff5f8da0f0d4c7e851dbf5c6d94fa0dc
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224

Malware spam: "INVOICE" / "Brenda Howcroft [accounts@swaledalefoods.co.uk]"

This fake financial spam does not come from Swaledale Foods but is instead a simple forgery with a malicious attachment.

From:    Brenda Howcroft [accounts@swaledalefoods.co.uk]
Date:    21 December 2015 at 10:46
Subject:    INVOICE

Your report is attached in DOC format. To load the report, you will need the free Microsoft® Word® reader, available to download at http://www.microsoft.com/

Many thanks,

Brenda Howcroft

Office Manager

t 01756 793335 sales

t 01756 790160 accounts

e accounts@swaledalefoods.co.uk

w www.swaledalefoods.co.uk

This email transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please delete it immediately and notify the sender, Any disclosure including copying or distribution of the information contained herein is strictly prohibited. Any opinions, instructions or advice contained in this email may not necessarily be those of the company. Although this email and any attachments are believed to be free of any virus or other defects, which might affect any computer or system it is the responsibility of the recipient to ensure they are virus free. E&OE.

Invoice 14702.doc 83K

Attached is a file Invoice 14702.doc which comes in at least 9 different versions (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8] [9]). I haven't had the chance to analyse them, but my sources say that at least some versions download from the following locations:

110.164.184.28/jh45wf/98i76u6h.exe
getmooresuccess.com/jh45wf/98i76u6h.exe
rahayu-homespa.com/jh45wf/98i76u6h.exe

This dropped file has a detection rate of 6/54. The Hybrid Analysis report plus some other sources indicate network traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)

The payload is the Dridex banking trojan.

MD5s:
6932A004CE3AD1AD5EA30F43A31B0285
49CF8C70BC4E94F6887ED0CBC426F08C
92B1F1B4BBD864411FA75C951D28EC5D
E4CB705754C93645D3F86F8AF9307769
D409889F92DA9B8D855C0037894A46CC
87CA159B9AEB127F698D2AA28A5BAAC5
C770760C66298301D1BE29E85ECBE971
F2FF5FCE2836025E97691937D6DF579E
6617EAB5B4DD17247DFF1819CA444674
EE57F929672651C1AE238EB7C7A0D734

Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169

Malware spam: "Unpaid Invoice from Staples Inc., Ref. 09123456, Urgent Notice" leads to Teslacrypt

This fake financial spam is not from Staples or Realty Solutions but is instead a simple forgery with a malicious attachment.

From:    Virgilio Bradley
Date:    16 December 2015 at 14:37
Subject:    Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice

Dear Valued Customer,

This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.

Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.


Regards,
Virgilio Bradley
Customer Service Department
Realty Solutions
182 Shobe Lane
Denver, CO 80216

The names, amounts and reference numbers change from email to email. The attachment has the same name of the reference (e.g. invoice_09846839_copy.doc) but despite this I have only seen one version with a VirusTotal detection rate of just 1/55.

According to this Malwr report, the macro in the document downloads a binary from:

iamthewinnerhere.com/97.exe

This appears to be Teslacrypt ransomware and it has a detection rate of 5/53. Unlike some other malware, the domain iamthewinnerhere.com has been registered specifically to host this malware, and is located on:

185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
84.200.69.60 (Ideal-Hosting UG, Germany)

Nameservers are DNS1.SAYMYLANDGOODBYE.IN and DNS2.SAYMYLANDGOODBYE.IN. Other suspect sites on these IPs are:

dns2.auth-mail.ru
metiztransport.ru
remarkablyxj.top
sufficientbe.top
domainsgmwills.top
dns2.mikymaus.in
dns2.dlhosting.in
dns2.donaldducks.in
dns2.saymylandgoodbye.in
dns1.gogodns.ru
dns2.gogodns.ru
gammus.com
testsfds.com
waschmaschinen.testsfds.com
miracleworld1.com
ifyougowegotoo.com
hellofromjamaica.com
www.hellofromjamaica.com
firstwetakemanhat.com
thewelltakeberlin.com
mixer.testsg.net
abfalleimer.testsg.net
buegeleisen.testsg.net
bodenwischer.testsg.net
wasserfilter.testsg.net
kuechenmaschinen.testsg.net
testzd.net
staubsauger.testzd.net
waschtrockner.testzd.net
kaffeevollautomat.testzd.net
izfrynscrek.net
ftp.lazur.info
aspirateurs.lazur.info

According to this Malwr report, it then phones back to these legitimate but hacked domains:

sofiehughesphotography.com
magaz.mdoy.pro
adamhughes.in
goedkoop-weekendjeweg.net
hotbizlist.com
coatesarchitecture.com

MD5s:
3999736909019a7e305bc435eb4168fd
8f4bd99c810d517fb2d2b89280759862

Recommended minimum blocklist:
iamthewinnerhere.com
185.69.152.145
84.200.69.60

Malware spam: "Your order #12345678" / "11 Money Way, Pittsburgh, PA 15226"

This fake financial spam leads to malware:

From:    Giuseppe Sims
Date:    14 December 2015 at 14:19
Subject:    Your order #25333445

Dear Valued Customer,

This letter was sent to you as a formal notice that you are obligated to repay our company the sum of 2,760$ which was advanced to you from our company on October 16, 2015.
Please, find the invoice enclosed down below.

This amount must be repaid until the date of maturity to payment obligation, December 28, 2015 and you have failed to repay our company the same despite repeated requests for this payment.

Thank you in advance for your prompt attention to this matter. We look forward to your remittance. If you have any questions, please do not hesitate to contact us.

Sincerely,
Giuseppe Sims
11 Money Way
Pittsburgh, PA 15226

The sender's name is randomly-generated but is always female. Also random are the order number and value, and there is an attachment in the format invoice_12345678_scan.zip that matches the reference in the document.

Inside that ZIP file is a uniquely generated .JS file in the format invoice_XXXXXX.js or invoice_copy_XXXXXX.js which is highly obfuscated (like this) and deobfuscates to something like this.

The various versions of the macro attempts to download a binary from the following location:

miracleworld1.com/80.exe?1

I cannot get this to resolve at the moment, it turns out that the domain was only registered today.

Domain Name:miracleworld1.com
Registry Domain ID:
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: webnic.cc
Updated Date:2015-12-14 21:24:21
Creation Date:2015-12-14 21:21:12
Registrar Registration Expiration Date:2016-12-14 13:21:11
Registrar:WEBCC
Registrar IANA ID:460
Registrar Abuse Contact Email:compliance_abuse@webnic.cc
Registrar Abuse Contact Phone:+603 8996 6799
Domain Status:Active
Registry Registrant ID:
Registrant Name:Eliisa Laukkanen
Registrant Organization:Eliisa Laukkanen
Registrant Street:Etelaesplanadi 89
Registrant City:Ingermaninkyla
Registrant State/Province:Ingermaninkyla
Registrant Postal Code:07810
Registrant Country:FI
Registrant Phone:+358.0460879234
Registrant Phone Ext:
Registrant Fax:+358.0460879234
Registrant Fax Ext:
Registrant Email:bomb@miracleworld1.com

I think they started spamming before the domain records could be pushed out fully. Shame.

Nameservers are DNS1.DONALDDUCKS.IN and DNS2.DONALDDUCKS.IN on 93.189.42.21 (NTCOM, Russia) and 178.33.200.177 (Dmitry Shestakov, Belize / OVH, France) respectively.

Looking at the nameservers, I can see that the following malicious domains are part of the same cluster, and I recommend you block all of them:

gammus.com
miracleworld1.com
soft2webextrain.com

Although I have not been able to acquire the payload, it is almost definitely Teslacrypt.

UPDATE

An updated version of the script is being spammed out that looks like this when deobfuscated. This attempts to download Teslacrypt from the following URLs:

firstwetakemanhat.com/91.exe?1
miracleworld1.com/91.exe?1

This has a detection rate of 4/55. firstwetakemanhat.com was registered just today and is hosted on:


193.150.0.78 (PE Govoruhin Vitaliy Sergeevich, Russia)
84.200.69.60 (Ideal-Hosting UG, Germany)


Nameservers are DNS1.GOGODNS.RU and DNS2.GOGODNS.RU which are hosted on the same two IPs.

The Malwr report shows more details, however this is my recommended blocklist (updated):
193.150.0.78
84.200.69.60 
gammus.com
miracleworld1.com
soft2webextrain.com
firstwetakemanhat.com

Malware spam: "Scan from a Samsung MFP" / "Gareth Evans [gareth@cardiffgalvanizers.co.uk]"

This fake scanned document does not come from Cardiff Galvanizers but is instead a simple forgery with a malicious attachment.

From:    Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date:    14 December 2015 at 10:43
Subject:    FW: Scan from a Samsung MFP

Regards

Gareth

-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.


This message has been scanned for malware by Websense. www.websense.com

I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which according to this Malwr report downloads a malicious binary from:

test1.darmo.biz/437g8/43s5d6f7g.exe

There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs:

199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)

The payload is likely to be the Dridex banking trojan.

MD5s:
dcb019624fb8e92eb26adf2bef77d46c
21781d7e2969bd9676492c407a3da1cc

Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169

Malware spam: "Updated Statement - 2323191" / "David Lawale [David.Lawale@buildbase.co.uk]"

This fake financial spam does not come from Buildbase but is instead a simple forgery with a malicious attachment.

From:    David Lawale [David.Lawale@buildbase.co.uk]
Date:    8 December 2015 at 10:58
Subject:    Updated Statement - 2323191

Hi,

Please find attached copy updated statement as your account has 3 overdue incoices. Is there any reasons why they haven’t yet been paid?

Kind Regards

David

David Lawale | Credit Controller | Buildbase

Harvey Road, Basildon, Essex, SS13 1QJ

tel: +44(0)1268 590718 | fax: +44(0)1268 590077 

www.buildbase.co.uk

Attached is a file 151124142451_0001.xls which I have seen come in two versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan.

UPDATE 1
Automated analysis is inconclusive [1] [2] [3] [4] [5] [6]. It is possible that there is an error in the macro.

UPDATE 2
According to the comments in this post and also some other sources, the the macros download from:

gulteknoofis.com/76re459/98uy76t.exe
kinderdeszorns.de/76re459/98uy76t.exe
agencjareklamowalodz.com/76re459/98uy76t.exe

This has a detection rate of 4/55. According to these reports [1] [2] [3] and other sources, the malware phones home to:

216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)

MD5s:
0316dbd20fbfd5a098cd8af384ca950f
1b4283c8531653a5156911be1e6535
5a2140f864d98949d44945500a7d18
6ce6e2b915688f2b474e65813dc361

Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169