Sponsored by..

Showing posts with label Linode. Show all posts
Showing posts with label Linode. Show all posts

Tuesday 11 April 2017

Malware spam: "Sprawdź stan przesylki DHL"

This spam targeting Polish victims seems quite widespread. It leads to malware. The email is personalised with the victim's real name which has been harvested from somewhere.

From: DHL Express (Poland) [mailto:biuro@nawigatorxxi.pl]
Sent: Monday, April 10, 2017 7:09 PM
To: [redacted]
Subject: Sprawdź stan przesylki DHL

Sprawdź stan przesylki DHL
Szanowny Kliencie, [redacted]

Informujemy, że w serwisie DHL24 zostało zarejestrowane zlecenie realizacji przesyłki, której jesteś odbiorcą.

Dane zlecenia:
- numer zlecenia:
9653788657

- data złożenia zlecenia:
poniedziałek, 10. kwietnia

Informacje o aktualnym statusie przesyłki znajdziesz na http://dhl24.com.pl/report.html&report=JavaScript&email=[redacted]. (JavaScript Raport)

Niniejsza wiadomość została wygenerowana automatycznie.

Dziękujemy za skorzystanie z naszych usług i aplikacji DHL24.

DHL Parcel (Poland)

UWAGA: Wiadomość ta została wygenerowana automatycznie. Prosimy nie odpowiadać funkcją Reply/Odpowiedz 

The link goes to a malicious Javascript [example here] [Malwr report] which downloads a binary from:

freight.eu.com/download3696 (159.100.181.107 - World Wide Web Hosting LLC, Netherlands)

..this has a detection rate of 10/60. This Malwr report plus observed activity show traffic to the following IPs and ports:

5.196.73.150:443 (OVH, France)
31.220.44.11:8080 (HostHatch, Netherlands)
46.165.212.76:8080 (Leaseweb, Germany)
109.228.13.169:443 (Fasthosts, UK)
119.82.27.246:8080 (Tsukaeru.net, Japan)
173.230.137.155:8080 (Linode, US)
173.255.229.121:443 (Linode, US)
203.121.145.40:8080 (Pacific Internet, Thailand)
206.214.220.79:8080 (ServInt, US)


There may be other phone home locations not observed.

Recommended blocklist:
5.196.73.150
31.220.44.11
46.165.212.76
109.228.13.169
119.82.27.246
159.100.181.107
173.230.137.155
173.255.229.121
203.121.145.40
206.214.220.79





Tuesday 3 November 2015

Malware spam: "Delivery Confirmation: 0068352929" / "ACUVUE_DEL [ship-confirm@acuvue.com]"

This fake financial spam does not comes from Acuvue, but is instead a simple forgery with a malicious attachment:

From     ACUVUE_DEL [ship-confirm@acuvue.com]
Date     Tue, 03 Nov 2015 12:26:17 +0200
Subject     Delivery Confirmation: 0068352929

PLEASE DO NOT REPLY TO THIS E-MAIL.  IT IS A SYSTEM GENERATED MESSAGE.

Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide
Attached is a file Advance Shipping Notification 0068352929.DOC which my sources (thank you, btw) say comes in four different versions, although I have only seen three (VirusTotal results [1] [2] [3], Hybrid Analysis results [4] [5] [6])  containing a macro that looks like this [pastebin]. The download locations are:

builders-solutions.com/45gce333/097j6h5d.exe
goalaskatours.com/45gce333/097j6h5d.exe
www.frontiernet.net/~propertiespricedtosell/45gce333/097j6h5d.exe
www.prolococopparo.it/45gce333/097j6h5d.exe


This malicious binary has a VirusTotal detection rate of 6/54. That VT report and this Hybrid Analysis report show network communications to the following IPs:

128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
198.74.58.153 (Linode, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)


The payload is most likely to be the Dridex banking trojan.

Recommended blocklist:
128.199.122.196
75.99.13.123
198.74.58.153
221.132.35.56

MD5s:
c6cefd2923164aa14a3bbaf0dfbea669
8de322b1fb6a2cc3cbe237baa8d5f277
110d5fde265cd25842b63b9ec4e57b3c
dcf4314773c61d3dde6226a2d67424e8
274695746758801bfb68f46f79bfb638






Friday 23 October 2015

Malware spam: "cleaning invoice" / "deborah Sherer" [thesherers@westnet.co.uk]

This fake financial spam comes with a malicious attachment:
From     "deborah Sherer" [thesherers@westnet.co.uk]
Date     Fri, 23 Oct 2015 17:03:19 +0700
Subject     cleaning invoice

Hello

attached is invoice for payment

thanks

Deborah Sherer

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro that looks like this [pastebin] and downloads a malicious binary from one of the following locations:

www.bhtfriends.org/tydfyyur54/43e67tko.exe
zomb.webzdarma.cz/tydfyyur54/43e67tko.exe
nisanyapi.com/tydfyyur54/43e67tko.exe

This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55 (that's just a generic detection by Kaspersky).

That VirusTotal report plus this Hybrid Analysis report show network traffic to:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

Private sources also identify these following IPs as part of the C2 infrastructure:

157.252.245.49 (Trinity College Hartford, US)
198.74.58.153 (Linode, US)
68.168.100.232 (Codero, US)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
195.154.251.123
157.252.245.49
198.74.58.153
68.168.100.232

MD5s:
d897c1cdab10a2c8cb5ce95bff03411f
a4bdc332d9cecafcc8381cd6e5ff4667
16fabe48278f84f8ae1bc682a3bd71d7
c08519230b49ad87bc6aa12933aa0cec


Thursday 22 October 2015

Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk" (again)

This fake invoice does not comes from United Utilities Scotland, but is instead a simple forgery with a malicious attachment. It is very similar to this spam sent a few days ago.

From     "UUSCOTLAND" [UUSCOTLAND@uuplc.co.uk]
Date     Thu, 22 Oct 2015 19:30:13 +0700
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Melissa.lears@uuplc.co.uk
Unitedutilitiesscotland.com


EMGateway3.uuplc.co.uk made the following annotations
---------------------------------------------------------------------
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

www.unitedutilities.com
www.unitedutilities.com/subsidiaries
So far I have seen three different versions of the attachment, all named 22 October 2015 Invoice Summary.doc with detection rates of about between 4/55 and 7/55 at VirusTotal [1] [2] [3] containing one of these malicious macros [1] [2] [3].

Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates.

UPDATE 1:
This VirusTotal report also identifies the following download locations:

beauty.maplewindows.co.uk/t67t868/nibrd65.exe
dtmscomputers.co.uk/t67t868/nibrd65.exe
namastetravel.co.uk/t67t868/nibrd65.exe 


This file has a VirusTotal detection rate of 2/54 and that report indicates network traffic to:

198.74.58.153 (Linode, US)

Further analysis is pending, in the meantime I suggest that you block traffic to the above IP.

MD5s:
782a72da42da3fe9bd9e652dd08b968a
5dad04118f9f26e1d5fcc457c52aeebb
6c7e84f91bd27b7252e0eccfb00b896d
7be71a7317add5bff876a9e5a04fcba1

Monday 15 June 2015

Malware spam: "Payment Confirmation 29172230" / "reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]"

This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:

From: reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230

Dear Sirs,

Many thanks for your card payment. Please find payment confirmation attached below.

Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.

Kind Regards

Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
Email: creditcontrol.rol@reed.co.uk
The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:

http://www.freewebstuff.be/34/44.exe

This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools [1] [2] [3] show traffoc to the following IPs:

136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)


According the this Malwr report, it also drops a Dridex DLL with a detection rate of 18/57.

Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10

MD5s:
4270bcfa447d96ccb41e486c74dd3d16
724683fa48c498a793d70161d46c811c
ff0f01d7da2ab9a6cf5df80db7cc508a

Wednesday 10 June 2015

Malware spam: "Hayley Sweeney [admins@bttcomms.com]" / "Your monthly BTT telephone bill"

This spam does not come from BTT Communications, but is instead a simple forgery with a malicious attachment:

From:    Hayley Sweeney [admins@bttcomms.com]
Date:    10 June 2015 at 11:20
Subject:    Your monthly BTT telephone bill

Please find attached your telephone bill for last month.
This message was sent automatically.

For any queries relating to this bill, please contact Customer Services on 01536 211100. 
So far I have only seen one sample with an attachment Invoice_68362.doc which contains this malicious macro [pastebin] which downloads a malicious executable from:

http://www.jimaimracing.co.uk/64/11.exe

This is saved as %TEMP%\birsafpc.exe and it has a VirusTotal detection rate of 6/57. Automated analysis tools show traffic to the following IPs:

173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)


This Malwr report also indicates that it drops a Dridex DLL with a detection rate of 7/57.

Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10

MD5s:
80e51715a4242d0d25668d499796b733
10e4291882e2d45a1a7a52e7d93a5579
53f8addb0e1734be13735e51332b2e90

Tuesday 9 June 2015

Malware spam: "Password Confirmation [490192125626] T82"

This spam email message comes with a malicious attachment:
From:    steve.tasker9791@thomashiggins.com
Date:    9 June 2015 at 10:41
Subject:    Password Confirmation [490192125626] T82

Full document is attached
So far I have seen only a single example of this. Attached is a malicious Word document named 1913.doc [VT 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:

http://oakwindowsanddoors.com/42/11.exe

Incidentally, the macro contains a LOT of junk that appears to have been harvested from a Microsoft tutorial or something. The downloaded executable has a VirusTotal detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] indicate traffic to the following IPs:

173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
31.186.99.250 (Selectel, Russia)


The Malwr report shows that it downloads a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250

MD5s:
3a39074dd9095e0b436dcc9513a0408a
1994c977a4e6e6386e0ba17c0cffe5c9
2e5c33d8fdf22053cb3f49b200b35dc8

Thursday 9 October 2014

Nuclear EK active on 178.79.182.106

It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains using AFRAID.ORG nameservers. I can fee the following sites active on that IP:

fuhloizle.tryzub-it.co.uk
fuhloizle.pgaof39.com
fuhloizle.cusssa.org


"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea.

Friday 28 March 2014

Sky.com "Statement of account" spam leads to Gameover Zeus

This fake Sky spam has a malicious attachment:

Date:      Fri, 28 Mar 2014 07:16:43 -0300 [06:16:43 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Darrel

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 
The attachment is a ZIP file which contains an exectable Statement_03282014.exe (note that the date is encoded into the file). This has a VirusTotal detection rate of 8/51.

The Malwr analysis shows several attempted network connections. Firstly there's a download of a configration file from [donotclick]igsoa.net/Book/2803UKd.wer and then subsequently an attempted connection aulbbiwslxpvvphxnjij.biz on 50.116.4.71 (a Linode IP which has been seen before) and a number of other autogenerated domains.

Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij.biz
lpuoztsdsnvyxdyvwpnlzwg.com
pmneyqgaifcmxwwgbagewkpzsin.info
wgsmbxtphamhahbyjnjrydfe.org
eapqolveqsorwfehvkuojnojyluwk.biz
pbpnylskojlaufmmjfiaih.com
knrtdyypwonzljyzhfyyijknzof.ru
womrofxylirlwgcqzxsgjrfqzttm.com
binrpfdeequwrgydmrovzhkjongcnz.net
igsoa.net

Tuesday 25 March 2014

"You have received new messages from HMRC" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson
The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious exectuable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51.

According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca.com.au/directions/2503UKp.tis
[donotclick]www.sandsca.com.au/directions/2503UKp.tis

Subsequent communications are made with aulbbiwslxpvvphxnjij.biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq.biz on another Linode IP of 178.79.178.243. An attempt it also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf.org which does not resolve.

One odd thing in the Anubis report is this dialog box entititled "seconddial" and containing the word "diminutiveness".


I don't know what that is.. it reminds me of Hatefulness/Hatefulness though :)

Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca.com
aulbbiwslxpvvphxnjij.biz
qkdapcqinizsczxrwaelaimznfbqq.biz
hzdmjjneyeuxkpzkrunrgyqgcukf.org

Sunday 23 March 2014

Malware sites to block 23/3/14 (P2P/Gameover Zeus)

These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie. I recommend that you block the IPs and/or domains listed as they are all malicious:

50.116.4.71 (Linode, US) [also mentioned here, here and here]
178.79.178.243 (Linode, UK)
212.71.235.232 (Linode, UK)
23.239.140.156 (Root Level Technology, US)

50.116.4.71
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
kblfxnrltorstolxcgqugbyyl.com
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
tceeaaetvgcypqfysqctam.com
twdepffvwpxxnbqyhgmtcx.org
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

178.79.178.243
aefaeamofemugdieddphebijb.org
aemfyldumrlithbaayzhib.com
auldivpzxeahilvcyvckrzpbepv.com
bjnovqmbkfqodiqiuwsqst.biz
jnhqtodhhgakndacuvojizdm.org
krwklrffanjydbimvbmgadmfydei.info
qkdapcqinizsczxrwaelaimznfbqq.biz
qkljydlcikfqktsunraynji.org
swsmjuseadpmrozdljofpddx.biz
tltdhasweiuorolzqweydmtdjr.biz
towohjnpxozxqwvbyxgayvc.info
usrgwobmqsxmruscudtgvwuccqvgwg.biz
vclytzcizhtyplbkrmfayburc.org
vwojamfqcipjnbobeafelvqprjzgacu.org
wceydihqmjexgtkvtqkdeh.com
yhzpojvizpbiztkjdaxzib.org
zxjzaypibnjayfmpzpalkbaunzl.com

212.71.235.232
ambaorbynbjrxwdeumvqohiytp.com
amxgeaehmpirsczhtdebunsc.info
fuambuvktwcnfddadytzrccmrsg.info
gajbceobcpvnvjbxomrnfgqlcu.org
hapeysdqhpjntcwcmrpqtcu.biz
hayzscyddatgfeyvwxgcuxifcy.org
izsodajzhrsingdygyvsvcmzlhyx.com
ldmbcqwsfuhebqlrfqmjpjtbm.net
lnipjrijfamnxkgenzypusztpnxhi.org
mbdaaywcbikbnzdiaebnzgaph.biz
peucehqxsgmzhgujfsoeihmpvhiz.info
pnfxwvsgqvctqkypwghlbnbiz.biz
qwlamzprordqxcyltgbqxqctgkfq.biz
rougorsxgeeiaqqclrmnxcnbdig.com
swhyijskpdxkzdfqeqlduydaet.org
uzhoxeuukrgprcxwjbdymbir.info
wcrydrkgzhqoeunduhttayh.biz
wsauqohqevirkreaocyzh.info
yfamzskpcikveahhynrztfa.org
ytsgugkfgadtkpjhmxsmjlkrnv.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

23.239.140.156
cedivwojozpjnmzphdmgscrkcqgq.info
dmeiljtpjfnrwolrucyppbqnjmn.biz
dqdycmfqbuxabufqhehejngapcy.biz
dtuwswgunvgayzpxolvclzaiw.com
hguvmrrgljldtkfcuuwmfhda.com
hqzdwauwkrvcpifdontobbat.org
hywkvojryttvwvkxccehmbadtcepz.biz
jnhqtodhhgakndacuvojizdm.org
lduemshmhceamlflrvoehrw.org
ltmbcqyheqjnrcuucwbipqsjnbe.biz
ojdqolcirkamyhursqozxin.com
pfceceprcxzhqstcyvodepzx.info
qcejrvgsydqpzzdixonvugysktk.com
qkfeutkgmfqxrwmbxgxcdymz.biz
tcvkwsbqnjhjobgyttklnfxo.com
udewxdqkxtwqwjvhvgbuzhx.org
vclytzcizhtyplbkrmfayburc.org
vxwdtkfjfqotkdaivkfqgaedx.biz
wslhrwfmwkhmozhambvwhuzpnb.net
xcvshidqgwotvfetvcydfajnof.com
zludaswlfrwphijtkknya.info

Friday 21 March 2014

"Companies House" spam and 50.116.4.71 (again)

This fake Companies House spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 8435407 - Companies House

The submission number is: 8435407

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49.

The Malwr analysis again shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij.biz.

The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below).

I would recommend that you the following blocklist in combination with this one.

50.116.4.71
aulbbiwslxpvvphxnjij.biz
rovlvhixgqcelzlxheonpfxy.info
hybytqwscguvowbbgwgxijdq.com
jryxtbujvdmceodbegyofrkkr.ru
lncuhmnvlytwsuceijaifaqjrpz.com
mrdlormvvotimfhecueminydrs.info
fytwsqkgindatoahtnbnrzhe.org
tqsdudemkfrcrcutdmvpbuzd.net
doskgacutmvbeztmrirlc.biz
rgolcuhgqsqkgivckfbud.ru
auldivpzxeahilvcyvckrzpbepv.com
hegersdihurwwsdqxkdatclbmryd.net
qwrgldhqtcifymnfyhimjhqdbmir.org
ljxaededaljnrytonhzkzsg.biz
wgtfauchlnhmvskblhiovxwpvh.com
ifwbxfylaimzuwgdyeqgiupl.ru
premiercrufinewine.co.uk

Amazon.co.uk spam, something evil on 50.116.4.71

This fake Amazon.co.uk spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From:      "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Cc:      ; Fri, 21 Mar 2014 13:40:05 +0530
Subject:      Your Amazon.co.uk order ID841-6379889-7781077

Hello,  Thanks for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.  

  
Order Details
Order #799-5059801-3688207  Placed on March 21, 2014 Order details and invoice in attached file.
  
Need to make changes to your order? Visit our Help page for more information and video guides.  
  
We hope to see you again soon.   Amazon.co.uk 

There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51.

The Malwr analysisis the most comprehensive, and shows that it attempts to phone home to the following domains:

aulbbiwslxpvvphxnjij.biz
hxlbjvgmfzwcbyijzxojcugizd.info
mneudhugiorkbhtpaiuoemydzll.org
mfcyqgeupknhqrwljrprotufm.net
jzfetwydrfachqwgnylbu.com
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
pbzdofdxwokbnrvodiirzqshaem.net
hyvoydfadyxfmjnhmzjbxkgurcbu.org
dacahylpzylydlbgujruzxxrseyt.info
knpzqcaygabuxkcynjaidudceu.biz
soinlzhxohtcazlqkgegtcvxkr.ru
fuzllbxkzhqgrbaonivkzjjzdmjn.com
thicazjzxtxhknyeusx.info
afaxdlrnjdevgddqrcvkdmvemwo.org
kfmfpxtcmrnjgeusirylhrcqfe.biz
hmbcyromzibkpuxfiaetx.com
qoluciztogagugergdqqclxwkaekr.ru
payypdmhxcxxvgvsojdqs.com
pscxwztdudidivhixksrrduda.net
wgpztgpxgonhalcjrpxkau.biz
nrdiqotuoxcbaxokrfqcilcal.info
fycquworzhlmhqthixphq.com
uqgheqtozhrsjqfiaizci.ru
zdeiswsdqnvhleijfzltvwdxc.com

Out of these, aulbbiwslxpvvphxnjij.biz seems to be active on 50.116.4.71 (Linode, US)

Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo.org
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dacahylpzylydlbgujruzxxrseyt.info
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
fuzllbxkzhqgrbaonivkzjjzdmjn.com
fycquworzhlmhqthixphq.com
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
hmbcyromzibkpuxfiaetx.com
hxlbjvgmfzwcbyijzxojcugizd.info
hyvoydfadyxfmjnhmzjbxkgurcbu.org
jzfetwydrfachqwgnylbu.com
kblfxnrltorstolxcgqugbyyl.com
kfmfpxtcmrnjgeusirylhrcqfe.biz
knpzqcaygabuxkcynjaidudceu.biz
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
mfcyqgeupknhqrwljrprotufm.net
mneudhugiorkbhtpaiuoemydzll.org
nrdiqotuoxcbaxokrfqcilcal.info
payypdmhxcxxvgvsojdqs.com
pbzdofdxwokbnrvodiirzqshaem.net
pscxwztdudidivhixksrrduda.net
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
qoluciztogagugergdqqclxwkaekr.ru
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
soinlzhxohtcazlqkgegtcvxkr.ru
tceeaaetvgcypqfysqctam.com
thicazjzxtxhknyeusx.info
twdepffvwpxxnbqyhgmtcx.org
uqgheqtozhrsjqfiaizci.ru
wgpztgpxgonhalcjrpxkau.biz
www.aulbbiwslxpvvphxnjij.biz
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
zdeiswsdqnvhleijfzltvwdxc.com


Wednesday 19 March 2014

NatWest "You have received a secure message" spam

This fake NatWest spam has a malicious attachment:

Date:      Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From:      NatWest [secure.message@natwest.co.uk]
Subject:      You have received a secure message

You have received a secure message

Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment.

About Email Encryption - http://www.natwest.com/content/global_options/terms/Email_Encryption.pdf
Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51.

Automated analysis tools [1] [2] [3] show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.

199.193.115.111 (NOC4Hosts, US)
droidroots.com
development.pboxhost.com

184.107.149.74 (iWeb, Canada)
2m-it.com
3houd.com

50.116.4.71 (Linode, US)
aulbbiwslxpvvphxnjij.biz
pwoovaijfrsryxeqtgojbuvsvsovkj.com    
ugfmnjojpinembyyprkoptjbtij.info    
nrhpfongapozhpfwkprxohofhq.biz    
byeqdaufqeujvugwczrocihqb.net    
geugypibqsfqirsogeovqwovvgqsfucm.com    
nvyxbmdfiguizcexgluoyxkjsw.ru    
xcvshidqgwotvfetvcydfajnof.com


Recommended blocklist:
199.193.115.111
184.107.149.74
50.116.4.71
droidroots.com
development.pboxhost.com
2m-it.com
3houd.com
aulbbiwslxpvvphxnjij.biz
pwoovaijfrsryxeqtgojbuvsvsovkj.com    
ugfmnjojpinembyyprkoptjbtij.info    
nrhpfongapozhpfwkprxohofhq.biz    
byeqdaufqeujvugwczrocihqb.net    
geugypibqsfqirsogeovqwovvgqsfucm.com    
nvyxbmdfiguizcexgluoyxkjsw.ru    
xcvshidqgwotvfetvcydfajnof.com




Thursday 27 February 2014

"Royal Mail Shipping Advisory" spam

This fake Royal Mail spam has a malicious payload:

From:     Royal Mail noreply@royalmail.com
Date:     27 February 2014 14:50
Subject:     Royal Mail Shipping Advisory, Thu, 27 Feb 2014

Royal Mail Group Shipment Advisory

The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE

For more details please follow the link below - http://www.royalmail.com/track-trace?=GB36187692IE   

SHIPMENT CONTENTS: Insurance Form

SHIPPER REFERENCE: Please refer to the Royal Mail Shipping Services

ADDITIONAL MESSAGE FROM SHIPPER: Please refer to the Royal Mail Shipping Services

Royal Mail Group Ltd 2014. All rights reserved

This is a ThreeScripts attack, the link in the email goes to:
[donotclick]wagesforinterns.com/concern/index.html 
and it then runs one or more of the following scripts:
[donotclick]billigast-el.nu/margarita/garlicky.js
[donotclick]ftp.arearealestate.com/telecasted/earners.js
[donotclick]tattitude.co.uk/combines/cartooning.js

in this case the payload site is at
[donotclick]northwesternfoods.com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites (listed below in italics). The payload appears to be an Angler Exploit Kit (see this example).

Recommended blocklist:
23.239.12.68
billigast-el.nu
ftp.arearealestate.com
tattitude.co.uk
n2ocompanies.com
northerningredients.com
northwesternfoods.com
oziama.com
oziama.net

Monday 28 October 2013

American Express "Fraud Alert" spam / steelhorsecomputers.net

This fake Amex spam leads to malware on steelhorsecomputers.net:

       
From:     American Express [fraud@aexp.com]
Date:     28 October 2013 14:14
Subject:     Fraud Alert : Irregular Card Activity


Irregular Card Activity
                   
               
Dear Customer,

We detected irregular card activity on your American Express

Check Card on 28th October, 2013.

As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.

To review your account as soon as possible please.

Please click on the link below to verify your information with us:

https://www.americanexpress.com/

If you account information is not updated within 24 hours then your ability
to access your account will be restricted.

We appreciate your prompt attention to this important matter.


© 2013 American Express Company. All rights reserved.        

AMEX Fraud Department


The link in the email goes through a legitimate but hacked site and then runs of of the following three scripts:
[donotclick]kaindustries.comcastbiz.net/imaginable/emulsion.js
[donotclick]naturesfinest.eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse.com/handmade/analects.js

From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers.net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too, listed below in italics.

Recommended blocklist:
96.126.102.8
8353333.com
chrisfrillman.com
steelhorsecomputers.net
steelhorsecomputers.com

kaindustries.comcastbiz.net
naturesfinest.eu
winklersmagicwarehouse.com

           
                   
       

Thursday 3 October 2013

Fake Amazon spam uses email address harvested from Comparethemarket.com

This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket.com.

From:     Amazon.com [ship-confirm@amazon.com]
Reply-To:     "Amazon.com" [ship-confirm@amazon.com]
Date:     3 October 2013 15:43
Subject:     Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!

 Amazon.com        
Kindle Store
     |  Your Account  |  Amazon.com
Order Confirmation
Order #159-2060285-0376154
[redacted]

Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Thursday, Oct 3, 2013 -
Friday, Oct 4, 2013

Your shipping speed:
Next Day Air
Your Orders    

Your order was sent to:
Evan Young
1235 Sunset Dr
San Paolo, NE 69700-0290
United States
Order Details
Order #159-2060285-0376154
Placed on Wensday, May 29, 2013
    Canon EOS 60D DSLR 22.3 MP Full Frame CMOS with 1080p Full-HD Video Mode Digital SLR Camera (Body)
Electronics
In Stock
Sold by Electronic Express, Inc.
    Facebook     Twitter     Pinterest
    $1,397.99
Item Subtotal:     $1,397.99
Shipping & Handling:     $0.00

Total Before Tax:     $1,397.99
Estimated Tax:     $0.00

Order Total:     $1,397.99

To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.

Thank you for shopping with us.
Amazon.com
DVD
   
Books

Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message. 

How the email address was extracted from Comparethemarket.com is not known.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:

[donotclick]berkahabadi.de/unclear/unsettle.js
[donotclick]sigmarho.zxq.net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online.de/creel/eccentrically.js


This redirects the victim to a malware page at [donotclick]globalrealty-nyc.info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). THis is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.

Recommended blocklist:
96.126.103.252
globalrealty-nyc.info
berkahabadi.de
sigmarho.zxq.net
wni9e7311.homepage.t-online.de

Wednesday 2 October 2013

Fake Staples spam leads to malware on tootle.us

This fake Staples spam leads to malware on a site called tootle.us:

Date:      Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From:      support@orders.staples.com
Subject:      Staples order #: 1353083565
           

Thank you for shopping Staples.
Here's what happens next:
Order No.:1353083565
   
Customer No.:1278823232     Method of Payment:Credit or Debit Card
Track order: Track your order
Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135    
           
    Item1     Qty.     Subtotal
    DELL 1320 BLACK TONER
Item No.:744319Price:$60.38/each
Expected delivery:10/4/2013byUPS     2     $125.26
    Item2     Qty.     Subtotal
    DELL RY854 CYAN TONER
Item No.:717860Price:$61.87/each
Expected delivery:10/4/2013byUPS     2     $124.03
       
Subtotal::     $243.59    
Delivery:     FREE    
Tax:     $17.66    
Total:     $250.35    

    Your order is subject to review and the expected delivery date(s) noted above are pending credit or check approval.
    Won't be there to sign for your order from 9 am to 5 pm, Monday - Friday. Print ourDriver Release. Some residential orders may be delivered by UPS as late as 7 pm.
    Questions about your order? Call us at 1-800-3STAPLE (1-800-378-2753) or email us atsupport@orders.staples.com. You can also fax us at 1-800-333-3199.
    See our return policy.
    Our prices vary from store prices. Not responsible for typographical errors. Not all items are available. We reserve the right to limit quantities, including the right to prohibit sales to resellers.
    Thanks for shopping Staples.

[snip]
The link in the email goes to a legimate (but hacked site) and then attempt to load one of the following three scripts:
[donotclick]algmediation.org/inventory/symphony.js
[donotclick]apptechgroups.net/katharine/bluejacket.js
[donotclick]ctwebdesignshop.com/marquetry/bucket.js


From there the victim is redirected to a malware landing page at [donotclick]tootle.us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US) which is yet another hijacked GoDaddy domain (there are some more on this server, listed below in italics).


Recommended blocklist:
23.92.22.75
tootle.us
tungstenrents.com
tweetbyte.com

algmediation.org
apptechgroups.net
ctwebdesignshop.com

Friday 27 September 2013

Facebook "You have new notifications" spam / directgrid.org

This fake Facebook spam leads to malware on directgrid.org:

Date:      Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From:      Facebook [notification+W85BNFWX@facebookmail.com]
Subject:      You have 21 friend suggestions, 11 friend requests and 14 photo tags

facebook
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've missed from your friends.
3 messages

11 friend requests

21 friend suggestions

14 photo tags

View Notifications

Go to Facebook

This message was sent to [redacted]. If you don't want to receive these emails
from Facebook in the future, please unsubscribe.Facebook, Inc., Attention: Department
415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
[donotclick]3dbrandscapes.com/starker/manipulator.js
[donotclick]dtwassociates.com/marry/sullies.js
[donotclick]repairtouch.co.za/lollypops/aquariuses.js

This leads to a malware landing page hosted on a hijacked GoDaddy domain at [donotclick]directgrid.org/topic/lairtg-nilles-slliks.php hosted on 50.116.10.71 (Linode, US) where there are a number of other hijacked domains (listed below in italics)

Recommended blocklist:
50.116.10.71
directgrid.biz
directgrid.com
directgrid.info
directgrid.net
directgrid.org
directgrid.us
gilkjones.com
integra-inspection.ca
taxipunjab.com
taxisamritsar.com
watttrack.com

3dbrandscapes.com
dtwassociates.com
repairtouch.co.za

Monday 16 September 2013

eFax spam / rockims.com

This fake eFax spam leads to malware on rockims.com:

Date:      Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message - 1 pages

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.


Fax Message [Caller-ID: 854-349-9584]

You have received a 1 pages fax at 2013-16-09 01:11:11 CST.

* The reference number for this fax is latf1_did11-1237910785-2497583013-24.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]die-web-familie.homepage.t-online.de/quasar/monte.js
[donotclick]dim-kalogeras-ka-lar.schools.ac.cy/initials/casanovas.js
[donotclick]ade-data.com/exuded/midyear.js

These then lead to a malware payload at [donotclick]rockims.com/topic/seconds-exist-foot.php which is a hijacked GoDaddy domain hosted on 192.81.133.143 (Linode, US) along with quite a few other hijacked domains (listed in italics below).

Recommended blocklist:
192.81.133.143
dim-kalogeras-ka-lar.schools.ac.cy
die-web-familie.homepage.t-online.de
ade-data.com
actorbell.com
facebookfansincrease.com
fillmaka.com
fillmmaka.com
filmaka.biz
filmaka.co.uk
filmaka.info
filmaka.org
filmaka.us
filmmaka.com
filmpunjab.com
fimaka.com
journeyacrossthesky.com
journeyacrossthesky.org
luckyemily.com
manpreetsidhu.com
ogaps.com
oshaughnessyfam.com
reliable661.com
rockcet.com
rockims.com