Showing posts with label Hetzner.

Friday 19 February 2016

Malware spam: "Unpaid Invoice #350" / credit control [invoices@thistleremovals.co.uk]

This fake financial spam does not come from Thistle Removals but is instead a simple forgery with a malicious attachment.
From     credit control [invoices@thistleremovals.co.uk]
Date     Fri, 19 Feb 2016 17:52:49 +0200
Subject     Unpaid Invoice #350
Message text

Please see attached letter and a copy of the original invoice.
Attached is a file with a semi-random name, e.g. RG026052317614-SIG.zip, which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).

Third party analysis (thank you) indicates that this then phones home to the following locations:

91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)

The payload is the Locky ransomware.

Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106


Malware spam: "Rechnung Nr. 2016_131" / fueldner1A0@lfw-ludwigslust.de

This German language spam does not come from LFW Ludwigsluster but is instead a simple forgery with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.

From:    fueldner1A0@lfw-ludwigslust.de
Date:    19 February 2016 at 09:10
Subject:    Rechnung Nr. 2016_131

Dear Sir or Madam,

please also correct the addressee on the attached invoice:

LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG

Many thanks!

Kind regards

Anke Füldner

Financial Accounting

Tel.: 03874-422038
Fax: 03874-4220844

LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG, Bauernallee 9, 19288 Ludwigslust
HRA 1715, Schwerin local court
Managing directors: U. Müller, U. Warncke
VAT ID no. DE202820580, tax no. 08715803209
This e-mail and any attached files may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Attached is a file with a name similar to RG460634280127-SIG.zip which contains a malicious JavaScript file named in the format RG6459762168-SIG.js or similar. At the moment I have seen two samples, both with zero detection rates at VirusTotal [1] [2]. Malwr analysis of one of the samples shows that a binary is downloaded from:

mondero.ru/system/logs/56y4g45gh45h

Other samples probably have different download locations. This executable has a detection rate of 7/53 and it appears to drop another executable with a relatively high detection rate of 26/55. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.

The malware phones home to:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)

But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you block it.

Incidentally, full credit to the company involved in putting this massive banner on their website warning people about the fake email..


UPDATE

An additional analysis from a trusted source (thank you). Download locations are:

mondero.ru/system/logs/56y4g45gh45h
tcpos.com.vn/system/logs/56y4g45gh45h
www.bag-online.com/system/logs/56y4g45gh45h


The malware phones home to:

46.4.239.76/main.php
94.242.57.45/main.php
wblejsfob.pw/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php


The active C2s (some may be sinkholes) appear to be:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)


Analysis of those C2 locations gives a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70


Thursday 18 February 2016

Malware spam: "Payment" / Laurence Cottle [lcottle60@gmail.com]

This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the sender's email address has a random number appended to it.

From:    Laurence Cottle [lcottle60@gmail.com]
Date:    18 February 2016 at 13:35
Subject:    Payment

Hi

Any chance of getting this invoice paid, please?

Many thanks

Laurence

Attached is a file named document.docm which comes in several different versions.

Third-party analysis (thank you!) reveals that there are download locations at:

acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe
alkofuror.com/system/engine/7647gd7b43f43.exe
merichome.com/system/logs/7647gd7b43f43.exe
organichorsesupplements.co.uk/system/logs/7647gd7b43f43.exe
shop.zoomyoo.com/image/templates/7647gd7b43f43.exe
tutikutyu.hu/system/logs/7647gd7b43f43.exe
vipkalyan.com.ua/system/logs/7647gd7b43f43.exe

This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.

MD5s:
a40d4d655cd638e7d52f7a6cdedc5a8e  
9f622033cfe7234645c3c2d922ed5279

The malware phones home to:

195.154.241.208/main.php
46.4.239.76/main.php
94.242.57.45/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php
wblejsfob.pw/main.php


Out of those, the most suspect IPs are:

195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)


Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70



Wednesday 17 February 2016

Malware spam: "Rechnung 2016-11365" / mpsmobile GmbH [info@mpsmobile.de]

This bilingual spam does not come from mpsmobile but is instead a simple forgery with a malicious attachment.

From:    mpsmobile GmbH [info@mpsmobile.de]
Date:    17 February 2016 at 12:23
Subject:    Rechnung 2016-11365

Dear Sir or Madam,

attached you will find the document 'Rechnung 2016-11365' in DOC format. To view and print it you need the DOC Reader, which you can install free of charge in its current version from the Internet.

Kind regards
mpsmobile Team

___________________________________

Dear Ladies and Gentlemen,

please find attached the document 'Rechnung 2016-11365' in DOC format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.

Best regards
mpsmobile GmbH
mpsmobile GmbH
Brühlstrasse 42
88416 Ochsenhausen
Tel: +49 7352 923 23 0
Fax: +49 7352 923 23-29
Email: info@mpsmobile.de
Commercial register: Ulm local court, HRB 727290
Registered office: Ochsenhausen
VAT ID no.: DE 281079008
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and destroy this e-mail. Unauthorised copying or forwarding of this e-mail is not permitted.

In the sample I saw, the attachment was named 19875_Rechnung_2016-11365_20160215.docm and has a VirusTotal detection rate of 5/54.

According to this Malwr report the binary attempts to download the Locky ransomware (seemingly a product of those behind the Dridex banking trojan). It attempts to download a binary from:

feestineendoos.nl/system/logs/7623dh3f.exe?.7055475

This dropped file has a detection rate of 3/53.  Analysis of the file is pending, but overall this has been made more complicated because the Locky installer calls out to a number of domains, many of which actually appear to have been sinkholed.

Machines infected with Locky will display a message similar to this:


Unfortunately, the only known way to recover from this is to restore files from offline backup once the infection has been removed from the PC.

UPDATE

Another version plopped into my inbox, VT 7/54 and according to this Malwr report, it downloads from:

nadeenk.sa/system/logs/7623dh3f.exe?.7055475

This variant POSTs to a server at:

46.4.239.76 (Myidealhost.com / Hetzner, Germany)

It is likely that the C2 server (identified in the previous report) is:

85.25.149.246 (PlusServer AG, Germany)

Recommended blocklist:
85.25.149.246
46.4.239.76


Wednesday 10 February 2016

Malware spam: Emailing: MX62EDO 10.02.2016 / documents@dmb-ltd.co.uk

This spam has a malicious attachment:

From     documents@dmb-ltd.co.uk
Date     Wed, 10 Feb 2016 11:12:41 +0200
Subject     Emailing: MX62EDO 10.02.2016

Your message is ready to be sent with the following file or link
attachments:

MX62EDO  10.02.2016 SERVICE SHEET


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a malicious document named MX62EDO 10.02.2016.doc. I haven't had time to analyse these myself, but a trusted source (thank you) says that there are three different variants of documents, downloading a malicious executable from the following locations:

calflytech.com/09u8h76f/65fg67n
g-t-c.co.uk/09u8h76f/65fg67n
opoai.com/09u8h76f/65fg67n


This drops an executable with a VirusTotal detection rate of 6/55.  This malware calls back to the following IPs:

87.229.86.20 (ZNET Telekom Zrt, Hungary)
50.56.184.194 (Rackspace, US)
144.76.73.3 (Hetzner, Germany)


The payload is the Dridex banking trojan. Some chatter I have seen indicates that this has been hardened against analysis.

Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3

Friday 29 January 2016

Malware spam: "Despatch Note FFGDES34309" / Foyle Food Group Limited [accounts@foylefoodgroup.com]

This fake financial spam is not from Foyle Food Group Limited but is instead a simple forgery with a malicious attachment:
From     Foyle Food Group Limited [accounts@foylefoodgroup.com]
Date     Fri, 29 Jan 2016 17:58:37 +0700
Subject     Despatch Note FFGDES34309

Please find attached Despatch Note FFGDES34309
I haven't had the chance to do the analysis myself, so I am relying on the analysis of a contact (thank you). The attachment is FFGDES34309.doc which comes in three different variants, downloading from:

jjcoll.in/56gf/g545.exe
romana.fi/56gf/g545.exe
clickchiropractic.com/56gf/g545.exe


This has an MD5 of d88c2bed761c7384d0e8657477af9da7 and a detection rate of 6/49. According to my contact, this phones home to:

85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)


This drops the Dridex banking trojan. The behaviour is consistent with botnet 220.

Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3


Friday 15 January 2016

Malware spam: "Your order #7738326 From The Safety Supply Company" / Orders - TSSC [Orders@thesafetysupplycompany.co.uk]

This fake financial spam does not come from The Safety Supply Company but is instead a simple forgery with a malicious attachment:
From:    Orders - TSSC [Orders@thesafetysupplycompany.co.uk]
Date:    15 January 2016 at 09:06
Subject:    Your order #7738326 From The Safety Supply Company

Dear Customer

Thank you for your recent purchase.

Please find the details of your order through The Safety Supply Company attached to this email.

Regards,

The Sales Team
So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.

UPDATE 1

This Hybrid Analysis on the first sample shows it downloading from:

149.156.208.41/~s159928/786585d/08g7g6r56r.exe

That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to communicate with:

216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)


I have now seen another version of the DOC file [VT 4/54] which has similar characteristics.

Dropped file MD5:
9138e36d70ab94349558c61e92ab9ae2

Attachment MD5s:
d5a25f10cb91e0afd00f970cee7c5f01
985bb69a8c292d90a5bd51b3dbec76ac


UPDATE 2

This related spam run gives some additional download locations:

nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe


Sources also tell me that there is one at:

204.197.242.166/~topbun1/786585d/08g7g6r56r.exe

Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
204.197.242.166
149.156.208.41


Friday 8 January 2016

Malware spam: "Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB"

This fake financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.

From:    Hoyt Fowler
Date:    8 January 2016 at 10:49
Subject:    Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 723A36B7

Total Amount:   GBP 60,00

Due Date:               28.01.2016

If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.


Best Regards
Hoyt Fowler
DSV Road Limited
Scandinavia House
Parkeston, Harwich
Essex, CO12 4QG No.3874882

Tel: 01255 242242
Registered in England
VAT No. GB759894254
Global Transport and Logistics
I have only seen a single sample of this email at present, but if consistent with other similar emails then details such as the sender's name and reference numbers will vary. In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55.

According to this Malwr report, the sample attempts to download a further component:

194.28.84.79/softparade/spanish.php

There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too.

A file named hram.exe is dropped onto the target system with a detection rate of 4/54. The Malwr report indicates that this communicates with:

78.47.119.93 (Hetzner, Germany)

This is a critical IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan.

UPDATE 1

A contact (thank you) let me know of two other download locations:

176.103.62.14/softparade/spanish.php
51.254.51.178/softparade/spanish.php


These are:

176.103.62.14 (PE Ivanov Vitaliy Sergeevich, Ukraine)
51.254.51.178 (OVH, France / Dmitry Shestakov, Russia)

Both those are pretty well-known providers of malware.  I recommend that you block the entire /20 in the first instance and the blocks referenced here in the second.

MD5s:
5ab2a67268b3362802a13594edafbd2e
7d60996dd9293df5eecd07f33207aca8


Recommended blocklist:
78.47.119.93
194.28.84.79
176.103.48.0/20
51.254.51.176/30


UPDATE 2

An updated version of the payload is currently being spammed out as of 11.01.16, with a payload identical to this spam run.

Thursday 7 January 2016

Malware spam: "Invoice 01147665 19/12 £4024.80" / "Ibstock Group"

This fake financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam which was sent out earlier today.
From:    Amber Smith
Date:    7 January 2016 at 10:38
Subject:    Invoice 01147665 19/12 £4024.80

Hi,

Happy New Year to you !

Hope you had a lovely break.

Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.

Its invoice  01147665  19/12  £4024.80  P/O ETCPO 35094

Can you have a look at it for me please?

Thank-you !

Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group
Supporting Ibstock, Ibstock-Kevington & Forticrete
-----------------------------------------------
+44 (0)1530 257371
VPN: 700 2371
+44 (0)1530 257379
The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far (there are probably more) with VirusTotal detection rates of 2/54 [1] [2] [3] and the Malwr reports [4] [5] [6] show these documents communicating with:

193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php


IPs are allocated to:

176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)


As before, a binary geroin.exe is dropped which communicates with:

78.47.119.93 (Hetzner, Germany)

The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post.



Malware spam: "Your Latest Documents from Angel Springs Ltd [1F101177]"

This fake financial spam comes with a malicious attachment. The name of the sender varies, as does the reference number in the subject field that matches the attachment name.

From:    Leonor Stevens
Date:    7 January 2016 at 10:13
Subject:    Your Latest Documents from Angel Springs Ltd [1F101177]

Dear Customer,

Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.

Here's a few ways we've made it easier for you:

    Your new documents are now attached to your email. You don't have to follow a link now to get to your documents.

    Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.

    You can simply and easily raise any queries you may have through the customer portal.

Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.

If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on 0845 230 9555 and we will be more than happy to assist you. Please do not reply to this email.

To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document

With Kind Regards,

Angel Springs Ltd
Yesterday I saw several spam runs similar to this coming from Dridex botnet 120. There are many, many variations of the attachment although I do not believe that they are uniquely-generated.

The three samples I have sent for analysis so far have VirusTotal detection rates of 2/55 [1] [2] [3] and the Malwr reports [4] [5] [6] show an initial communication with:

193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php

These IPs belong to:

176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)


I note that 91.223.88.204 also hosts some bad things.. and the entire 176.103.48.0/20 block has a history of evil-ness [1] [2] [3].

Note that there are probably other download locations. Check back later if you are interested.

These malicious documents drop a binary geroin.exe which has a detection rate of 3/54. The Malwr report for this shows it phoning home to:

78.47.119.93 (Hetzner, Germany)

Binary MD5:
088724715613ff48edf090a74c8b6413

Attachment MD5s:


Recommended blocklist:
176.103.48.0/20
91.223.88.204/30
78.47.119.93
193.201.227.12
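The posts above recommend blocking whole ranges rather than single addresses (the entire 46.4.239.64/27 in the Locky post, and 176.103.48.0/20 and 91.223.88.204/30 here). As an added example that is not the blog's code, this applies those blocklists to proxy log lines with CIDR-aware matching and also flags POSTs to the /main.php and /ideal/jenny.php check-in paths seen in the posts; the log format and the sample lines are constructed assumptions.

```python
"""CIDR-aware blocklist matching over proxy log lines.

Added example for this page, not code from the blog. The blocklist entries and
C2 paths are taken from the posts; the log format and the log lines themselves
are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Blocklist entries as recommended in the posts on this page. Bare addresses
# and CIDR ranges are both accepted; ip_network() turns a bare address into a /32.
BLOCKLIST = [
    "46.4.239.64/27",    # the whole range was recommended; it contains 46.4.239.76
    "91.121.97.170",
    "31.184.233.106",
    "94.242.57.45",
    "185.46.11.239",
    "69.195.129.70",
    "176.103.48.0/20",   # contains 176.103.62.14 and 176.103.62.108
    "91.223.88.204/30",  # 91.223.88.204 to .207, so it contains 91.223.88.205
    "78.47.119.93",
    "193.201.227.12",
]

# Check-in paths seen in the posts. Matching on the path alone means a C2 that
# moved to an address not yet on the blocklist is still surfaced for review.
C2_PATHS = ("/main.php", "/ideal/jenny.php")

# Constructed log format (Squid-like): timestamp client method url destination-ip
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+)$"
)


def compile_blocklist(entries):
    """Parse blocklist strings into network objects once, up front."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


NETWORKS = compile_blocklist(BLOCKLIST)


def matching_network(ip, networks):
    """Return the blocklist entry (as a string) that contains ip, or None.

    A destination field that is not an address (e.g. '-' when resolution
    failed) is treated as not blocked rather than aborting the scan.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


@dataclass
class Hit:
    client: str
    dst: str
    path: str
    reasons: tuple


def scan_log(lines, networks):
    """Flag lines whose destination is blocklisted or whose POST hits a C2 path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash mid-scan
        path = urlsplit(m["url"]).path
        reasons = []
        net = matching_network(m["dst"], networks)
        if net:
            reasons.append(f"blocklisted ip {net}")
        if m["method"] == "POST" and path in C2_PATHS:
            reasons.append(f"c2 path {path}")
        if reasons:
            hits.append(Hit(m["client"], m["dst"], path, tuple(reasons)))
    return hits


# Constructed sample traffic; the RFC 5737 addresses stand in for unlisted hosts.
SAMPLE_LOG = [
    "2016-02-19T17:55:01Z 10.0.0.21 POST http://46.4.239.76/main.php 46.4.239.76",
    "2016-02-19T17:55:02Z 10.0.0.21 GET http://mondero.ru/system/logs/56y4g45gh45h 203.0.113.10",
    "2016-02-19T17:55:03Z 10.0.0.33 POST http://wblejsfob.pw/main.php 198.51.100.7",
    "2016-01-07T10:40:00Z 10.0.0.40 POST http://91.223.88.205/ideal/jenny.php 91.223.88.205",
    "2016-02-19T17:56:00Z 10.0.0.21 GET http://www.example.com/ 192.0.2.1",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, NETWORKS):
        print(f"{hit.client} -> {hit.dst}{hit.path}: {', '.join(hit.reasons)}")
```

The second-stage download hosts (compromised legitimate sites such as mondero.ru) are deliberately not on the blocklist, so that line produces no hit; only the check-ins to the C2 addresses and paths do.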

Wednesday 6 January 2016

Malware spam "Invoice-205611-49934798-CROSSHILL SF"

This fake financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:
From:    Bertha Sherman
Date:    6 January 2016 at 09:29
Subject:    Invoice-205611-49934798-CROSSHILL SF

Dear Customer,

Please find attached Invoice 02276770 for your attention.

Should you have any Invoice related queries please do not hesitate to
contact either your designated Credit Controller or the Main Credit Dept. on
01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'
I have seen at least four different attachments with names in a format similar to invoice40201976.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show that the malware contained within POSTs to:

37.46.130.53/jasmin/authentication.php
179.60.144.21/jasmin/authentication.php
195.191.25.138/jasmin/authentication.php

Those reports also show communication to other suspect IPs, giving:

94.158.214.45 (Noviton Ltd , Russia)
78.47.119.93 (Hetzner, Germany)
2.61.168.116 (Sibirtelecom, Russia)
37.46.130.53 (JSC Server, Russia)
179.60.144.21 (Veraton Projects Ltd, Netherlands)
195.191.25.138 (Hostpro Ltd, Ukraine)


This Hybrid Analysis also shows similar characteristics.

The macro drops a file tsx3.exe with a detection rate of 7/55. The Malwr report doesn't give any particular insight as to what this is, but it is likely to be a banking trojan or ransomware. UPDATE: this is Dridex (botnet 120 apparently), and thus the dropped file has been updated to this one.

There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost.RU IP in Russia:

109.234.34.224/jasmin/authentication.php

MD5s (dropped EXE):
fdd95b4cc10b536934486c7d3fdee04f
613f5e4139e8006e9d47cb562450bc4a


MD5s (attachments):

Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224


Monday 21 December 2015

Malware spam: "INVOICE" / "Brenda Howcroft [accounts@swaledalefoods.co.uk]"

This fake financial spam does not come from Swaledale Foods but is instead a simple forgery with a malicious attachment.

From:    Brenda Howcroft [accounts@swaledalefoods.co.uk]
Date:    21 December 2015 at 10:46
Subject:    INVOICE

Your report is attached in DOC format. To load the report, you will need the free Microsoft® Word® reader, available to download at http://www.microsoft.com/


Many thanks,

Brenda Howcroft
Office Manager

t 01756 793335 sales
t 01756 790160 accounts




This email transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please delete it immediately and notify the sender. Any disclosure including copying or distribution of the information contained herein is strictly prohibited. Any opinions, instructions or advice contained in this email may not necessarily be those of the company. Although this email and any attachments are believed to be free of any virus or other defects, which might affect any computer or system it is the responsibility of the recipient to ensure they are virus free. E&OE.



Attached is a file Invoice 14702.doc which comes in at least 9 different versions (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8] [9]). I haven't had the chance to analyse them, but my sources say that at least some versions download from the following locations:

110.164.184.28/jh45wf/98i76u6h.exe
getmooresuccess.com/jh45wf/98i76u6h.exe
rahayu-homespa.com/jh45wf/98i76u6h.exe

This dropped file has a detection rate of 6/54. The Hybrid Analysis report plus some other sources indicate network traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is the Dridex banking trojan.

MD5s:


Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169

Monday 14 December 2015

Malware spam: "Invoice 14 12 15" / "THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]"

This terse fake financial spam is not from the awesomely-named Thunderbolts Limited but is instead a simple forgery with a malicious attachment:
From:    THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]
Date:    14 December 2015 at 11:15
Subject:    Invoice 14 12 15

This message contains 2 pages in PDF format.
Curiously, the bad guys have gone as far as to include a fake header to make it look like a fax:

X-Mailer: ActiveFax 3.92
 
Attached is a file fax00163721.xls which is fairly obviously not a PDF document. So far I have seen two versions of this with a detection rate of 6/55 [1] [2] and which these Malwr reports [3] [4] indicate download a malicious binary from:

exfabrica.org/437g8/43s5d6f7g.exe
test-cms.reactive.by/437g8/43s5d6f7g.exe


This binary has a detection rate of 0/54. That VirusTotal report and this Hybrid Analysis both show traffic to:

199.7.136.84 (Megawire, Canada)

This malware is likely to be Dridex. Given that it is similar to the one found here, I would recommend blocking network traffic to:

199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169


MD5s:
a0de2560362cc6dfc53d1cd5ff50559b
bd22c4b0b6996a8405b2d33696e1e71e
b1fff594a8877042efd0ed4d67f6feb6




Malware spam: "Scan from a Samsung MFP" / "Gareth Evans [gareth@cardiffgalvanizers.co.uk]"

This fake scanned document does not come from Cardiff Galvanizers but is instead a simple forgery with a malicious attachment.
From:    Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date:    14 December 2015 at 10:43
Subject:    FW: Scan from a Samsung MFP

Regards

Gareth

-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.


This message has been scanned for malware by Websense. www.websense.com
I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which according to this Malwr report downloads a malicious binary from:

test1.darmo.biz/437g8/43s5d6f7g.exe

There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs:

199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is likely to be the Dridex banking trojan.

MD5s:
dcb019624fb8e92eb26adf2bef77d46c
21781d7e2969bd9676492c407a3da1cc


Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169



Tuesday 8 December 2015

Malware spam: "Updated Statement - 2323191" / "David Lawale [David.Lawale@buildbase.co.uk]"

This fake financial spam does not come from Buildbase but is instead a simple forgery with a malicious attachment.


From:    David Lawale [David.Lawale@buildbase.co.uk]
Date:    8 December 2015 at 10:58
Subject:    Updated Statement - 2323191

Hi,

Please find attached a copy of the updated statement as your account has 3 overdue invoices. Are there any reasons why they haven't yet been paid?

Kind Regards

David

David Lawale | Credit Controller | Buildbase
Harvey Road, Basildon, Essex, SS13 1QJ
www.buildbase.co.uk


Attached is a file 151124142451_0001.xls which I have seen come in two versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan.

UPDATE 1
Automated analysis is inconclusive [1] [2] [3] [4] [5] [6]. It is possible that there is an error in the macro.

UPDATE 2
According to the comments in this post and also some other sources, the macros download from:

gulteknoofis.com/76re459/98uy76t.exe
kinderdeszorns.de/76re459/98uy76t.exe
agencjareklamowalodz.com/76re459/98uy76t.exe


This has a detection rate of 4/55. According to these reports [1] [2] [3] and other sources, the malware phones home to:

216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)


MD5s:
0316dbd20fbfd5a098cd8af384ca950f
1b4283c8531653a5156911be1e6535
5a2140f864d98949d44945500a7d18
6ce6e2b915688f2b474e65813dc361


Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169



Thursday 3 December 2015

Malware spam: "Invoice from DATANET the Private Cloud Solutions Company" / "Holly Humphreys [Holly.Humphreys@datanet.co.uk]"

This fake financial email does not come from Datanet but is instead a simple forgery with a malicious attachment:
From:    Holly Humphreys [Holly.Humphreys@datanet.co.uk]
Date:    3 December 2015 at 08:57
Subject:    Invoice from DATANET the Private Cloud Solutions Company

Dear Accounts Dept  :

Your invoice is attached, thank you for your business.

If you have any queries please do not hesitate to contact us.

Regards

DATANET.CO.UK
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday

Please reply to Accounts@datanet.co.uk
________________________________
 Holly Humphreys
Operations
Datanet - Hosting & Connectivity
E: Holly.Humphreys@datanet.co.uk
W: www.datanet.co.uk
T: 01252 810010
F: 01252 813391
S: 01252 813396 - Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24x7


DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified
business with the mantra of "CIA" - "Confidentiality, Integrity and Availability" at the heart of our private cloud solutions.

Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.

Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England - No. 03214053
I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\\Users\\HOLLY~1.HUM\\AppData\\Local\\Temp\\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro [pastebin] and has a VirusTotal detection rate of 3/55.

According to this Malwr report and this Hybrid Analysis the XLS file downloads a malicious binary from:

encre.ie/u5y432/h54f3.exe

There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55, and that report plus this Malwr report indicate malicious network traffic to:

162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
78.47.66.169 (Hetzner, Germany)


The payload is almost definitely the Dridex banking trojan.

MD5s:
1bfd7cdc2731ec85617555f63473e3c9
0dcb805a3efa215bde97aa1f32559b77


Recommended blocklist:
162.208.8.198
94.73.155.8/29
78.47.66.169


UPDATE

I have seen another version of the document with an MD5 of c7fa6a1f345aec2f1db349a80257f459 and a VirusTotal result of 3/54. According to this Malwr report it downloads from:

parentsmattertoo.org/u5y432/h54f3.exe
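The recommended blocklists in these posts mix single IPs, CIDR ranges (94.73.155.8/29 above, which covers 94.73.155.12) and in one case a whole hosting domain (cba.pl), and the download URLs reuse one path such as /u5y432/h54f3.exe across several compromised hosts. The following Python script is an added example, not code from the original posts: it turns those three kinds of indicator into a matcher and runs it over proxy log lines. The log lines and their format (timestamp, client, method, URL, status) are constructed for the example; the indicators themselves are taken from the posts on this page.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the posts on this page.
BLOCK_NETWORKS = [
    "162.208.8.198",     # Datanet post
    "94.73.155.8/29",    # Datanet post; covers the observed 94.73.155.12
    "78.47.66.169",      # Hetzner host seen in three of the posts
    "221.132.35.56",     # Buildbase and DoT posts
]
BLOCK_DOMAINS = ["cba.pl"]  # DoT post recommends blocking the whole host
DOWNLOAD_URLS = [
    "encre.ie/u5y432/h54f3.exe",
    "parentsmattertoo.org/u5y432/h54f3.exe",
    "gulteknoofis.com/76re459/98uy76t.exe",
]

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2015-12-03T09:01:12 10.0.0.15 GET http://encre.ie/u5y432/h54f3.exe 200
2015-12-03T09:01:40 10.0.0.15 POST http://94.73.155.12/ 200
2015-12-03T09:02:05 10.0.0.22 GET http://www.example.com/index.html 200
2015-11-16T12:15:00 10.0.0.31 GET http://piotrektest.cba.pl/45yfqfwg/6ugesgsg.exe 200
2015-12-03T09:03:00 10.0.0.40 POST http://78.47.66.169/ 200
2015-12-03T09:03:30 10.0.0.41 GET http://some-other-host.example/u5y432/h54f3.exe 200
"""


class IocMatcher:
    """Matches a destination URL against IP/CIDR, domain and URL indicators."""

    def __init__(self, networks, domains, urls):
        # strict=False lets a host address carry a mask (e.g. 94.73.155.8/29 as written).
        self.nets = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.domains = [d.lower().lstrip(".") for d in domains]
        self.urls = {u.lower() for u in urls}
        # The downloader reuses one path on many compromised hosts, so the
        # path alone (e.g. /u5y432/h54f3.exe) is an indicator in its own right.
        self.paths = {"/" + u.split("/", 1)[1] for u in urls if "/" in u}

    def match(self, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            for net in self.nets:
                if addr in net:
                    return "c2-ip %s" % net
        else:
            for d in self.domains:
                if host == d or host.endswith("." + d):
                    return "blocked-domain %s" % d
        if host + path in self.urls:
            return "known-download-url"
        if path in self.paths:
            return "download-path-reuse %s" % path
        return None


def scan_log(text, matcher):
    """Return (client, url, reason) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        client, url = fields[1], fields[3]
        reason = matcher.match(url)
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    matcher = IocMatcher(BLOCK_NETWORKS, BLOCK_DOMAINS, DOWNLOAD_URLS)
    for hit in scan_log(SAMPLE_LOG, matcher):
        print("%s -> %s [%s]" % hit)
```

The path-only rule is deliberately looser than the full URL: it catches the same campaign on a compromised host that has not been reported yet, at the cost of a possible false positive on an unrelated site that happens to serve that path, so treat those hits as leads rather than confirmed infections.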



Monday 16 November 2015

Malware spam: "DoT Payment Receipt" / "donotreply@transport.gov.uk"

This fake financial spam has a malicious attachment:

From: donotreply@transport.gov.uk [mailto:donotreply@transport.gov.uk]
Sent: Monday, November 16, 2015 12:10 PM
To: redacted
Subject: DoT Payment Receipt

[Automated message. Do not reply]

Thank you for your payment.  It is important that you print this receipt and record the receipt number as proof of your payment. You may be asked to provide your receipt details should you have an enquiry regarding this payment.

DISCLAIMER

This email and any attachments are confidential and may contain legally privileged and/or copyright material.  You should not read, copy, use or disclose any of the information contained in this email without authorisation.  If you have received it in error please contact us at once by return email and then delete both emails.  There is no warranty that this email is error or virus free.

I haven't seen this myself, but some contacts (thank you!) have. Attached is a file PaymentReceipt.xls which comes in several different versions, the sample I saw contained this malicious macro and had a VirusTotal detection rate of 5/54. According to my sources, the different versions download a malicious binary from one of the following:

gospi.eu/~gospi/45yfqfwg/6ugesgsg.exe
piotrektest.cba.pl/45yfqfwg/6ugesgsg.exe
wmdrewniana8.cba.pl/45yfqfwg/6ugesgsg.exe
www.kolumbus.fi/~kf0963/45yfqfwg/6ugesgsg.exe


This binary has a detection rate of 3/53, and that VirusTotal report and this Malwr report indicate malicious traffic to:

182.93.220.146 (Ministry Of Education, Thailand)
78.47.66.169 (Hetzner, Germany)
89.108.71.148 (Agava, Ltd)
221.132.35.56 (Post And Telecom Company, Vietnam)


The payload is the Dridex banking trojan.

MD5s:

e25a05d3fecceb14667048c07494d65f 
32f3495cb945448a9868c5fe653b8d7e
a5dd075bd48d16a3ad13c06651b0af10
ef3805be4797271a2a9c8552f77866c1
f2b78be5e8b52976f69b076338757146

Recommended blocklist:
cba.pl
182.93.220.146
78.47.66.169
89.108.71.148
221.132.35.56

Monday 10 August 2015

Malware spam: "Your order 10232 from Create Blinds Online: Paid" / "orders@createblindsonline.co.uk"

This fake invoice does not come from Create Blinds Online but is instead a simple forgery with a malicious attachment.

From:    orders@createblindsonline.co.uk
Reply-To:    orders@createblindsonline.co.uk
Date:    10 August 2015 at 07:59
Subject:    Your order 10232 from Create Blinds Online: Paid

We would like to thank you for your recent order.

Order Status updated on: 10/08/2015
Your Customer ID: 1761
Your Order ID: 10232
Invoice Number: 10232
Delivery Note:

We received your order and payment on Aug/102015

Your order details are attached:

Kind regards
Create Blinds Online Team


This electronic message contains information from  Create Blinds Online which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.

Attached is a file invoice-10232.doc which comes in at least two different variants [1] [2] containing a macro that looks like this [pastebin]. This attempts to download a malicious binary from one of the following locations:

mbmomti.com.br/435rg4/3245rd2.exe
j-choi.asia/435rg4/3245rd2.exe

The VirusTotal detection rate for this is 3/55. The Malwr report and Hybrid Analysis reports show that it generates traffic to 78.47.119.85 (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan.

MD5s:
0864bc6951795b86d435176c3320a8bc
e3f30c2195c565e88a8534b15c7b942e
ba4ec70aa2179be4387a4aef10a8cd4f


Wednesday 1 July 2015

Malware spam: "Document Order 534-550719-84513074/1" / "web-filing@companies-house.gov.uk"

This spam email is not from Companies House but is instead a simple forgery with a malicious attachment.

From     web-filing@companies-house.gov.uk
Date     Wed, 01 Jul 2015 10:49:12 +0300
Subject     Document Order 534-550719-84513074/1


Order: 534-550719-84513074  29/06/2015 09:35:46

Companies House WebFiling order 534-550719-84513074/1 is attached.

Thank you for using the Companies House WebFiling service.

--
Email: enquiries@companies-house.gov.uk    Telephone +44 (0)303 1234 500
Note: This email was sent from a notification-only email address which cannot accept
incoming email.  Please do not reply directly to this message.

In the sample I saw, the attachment was named compinfo_534-550719-84513074_1.doc [VT 2/55] which contained this malicious macro [pastebin] which downloads a file from:

http://demaiffe.be/75/85.exe

This is then saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of just 1/55. Automated analysis tools [1] [2] [3] indicate malicious traffic to:

78.47.139.58 (Hetzner, Germany)

This IP has been seen a few times recently. Blocking traffic to it is probably a good idea.

The payload is probably the Dridex banking trojan which usually drops via a DLL, although I have not been able to obtain a sample.

MD5s:
7e634a4d8eaad8643d5828b1606c709f
847aa0e22b419316a2e82c813d5ca690

Tuesday 30 June 2015

Malware spam: "Donna Vipond" / "donna.vipond@ev-ent.co.uk" / "Payment due - 75805"

This fake invoice does not come from Event Furniture Ltd but is instead a simple forgery with a malicious attachment:

From     "Donna Vipond" [donna.vipond@ev-ent.co.uk]
Date     Tue, 30 Jun 2015 13:13:28 +0100
Subject     Payment due - 75805

Please advise when we can expect to receive payment of the attached
invoice now due?  I await to hear from  you.

Kind Regards

Donna Vipond

Accounts

Event Furniture Ltd T/A Event Hire

Tel: 01922 628961 x 201

Attached is a file 75805.doc which comes in two (or more) different versions (Hybrid Analysis report [1] [2]). The samples I saw downloaded a file from either:

www.medisinskyogaterapi.no/59/56.exe
www.carpstory.de/59/56.exe


This is saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of 6/55. The various analyses including this Malwr report and this Hybrid Analysis indicate malicious traffic to 78.47.139.58 (Hetzner, Germany).

The payload is probably the Dridex banking trojan.

Recommended blocklist:
78.47.139.58

MD5s:
e704ff948e791ad67d2c46238629335d
b93dfe419fd9c2638fb4afce85efa3f2
25871a5bbeb85b0fbc07531cfc6193ce