Sponsored by..

Showing posts with label Mexico. Show all posts
Showing posts with label Mexico. Show all posts

Friday 12 February 2016

Malware spam: "DVSA RECEIPT" / FPO.CC.15@vosa.gsi.gov.uk

This spam email does not come from a UK government agency, but is instead a simple forgery with a malcious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi.gov.uk.

From     FPO.CC.15@vosa.gsi.gov.uk
Date     Fri, 12 Feb 2016 12:47:20 +0300
Subject     DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.
*********************************************************************


The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.
Attached is a file Fixed Penalty Receipt.docm which comes in at least ten different variants with the following MD5s:



1cb27d23f9999d9d196a5d20c28fbd4e
68225ddcb35694eff28a2300e8d60399
a99d6c25218add7ece55b2503666b664
57ab4224e7d2274d341020767a6609fd
51f5960ae726906a50b5db4e9253c3c2
7a43a911e0ad208adf4e492345349269
4aae160341b6d96adc2c911ddc941222
f34460da1e77ae4a3b178532800300a2
58a01b254b9d7b90d1d0f80c14f5a089
50e1c94e43f05f593babddb488f1a2f9


I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:

raysoft.de/09u8h76f/65fg67n
xenianet.org/09u8h76f/65fg67n
steinleitner-online.net/09u8h76f/65fg67n [reported here]

This dropped file has a detection rate of 5/54 (MD5 7bf7df5e630242182fa95adff4963921). This Hybrid Analysis report indicates subsequent traffic to:

192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
87.229.86.20 (ZNET Telekom Zrt, Hungary)
84.38.67.231 (ispOne business GmbH, Germany)


The payload is the Dridex banking trojan.

Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231



Wednesday 8 July 2015

Malware spam: "Strange bank account operation" / "Unauthorised bank account activity" / "Illegal bank account transfer" etc

This fake financial spam comes with a malicious payload. It appears to be randomly generated in part, here are some examples:
Date:    8 July 2015 at 18:02
Subject:    Strange bank account operation

Kindly be informed that bank did noticed suspect attempt of money withdrawal relating to Your debit card.
Please find enclosed bank e-mail sent by financial department on Monday.
As well attached are security details for Your review.
Michael Morgan
Senior Manager

==========

Date:    1 January 1970 at 00:00
Subject:    Suspicious bank account operation

Kindly be acknowledged that bank had found unauthorised attempt of amounts withdrawal from Your credit card.
Please find enclosed bank warning provided by bank manager earlier.
Also enclosed are security details for Your affirmation.
Robin Owen
Chief accountant

==========

Date:    8 July 2015 at 17:59
Subject:    Illegal bank account transfer

Kindly be informed that bank security department has found illegal attempt of money withdrawal from Your Mastercard account.
Please check the enclosed bank publication provided by banking department today.
As well attached are security details for Your approval.
Clive Adams
Tax Consultant

=========

Date:    8 July 2015 at 16:55
Subject:    Strange bank account transfer

Kindly note that bank did noticed suspect attempt of amounts withdrawal related to Your Mastercard.
Please examine the enclosed bank statement sent by manager on Monday.
Furthermore attached are personal details for Your confirmation.
Martin Morgan
Tax authority

==========

Date:    8 July 2015 at 17:51
Subject:    Unauthorised bank account activity

Kindly be acknowledged that bank security department had detected suspect attempt of money withdrawal related to Your debit card.
Please check the enclosed bank statement forwarded by banking department today.
In addition attached are security details for Your control.
Robin Willis
Senior Manager

Attached is a Word document [VT 6/55]with various filenames:

extract_of_bank_document.doc
fragment_of_bank_fax.doc
original_of_bank_report.doc
scan-copy_of_bank_document.doc
transcript_of_bank_statement.doc


All the samples I have seen have an identical document with different names, containing this malicious macro which then goes off and downloads various other components according to the Hybrid Analysis report, using the following URLs:

midwestlabradoodle.com/wp-content/plugins/really-simple-captcha/6727156315273.txt
artyouneed.com/wp-includes/theme-compat/6727156315273.txt
artyouneed.com/wp-includes/theme-compat/kaka.txt

These appear to download as a set of malicious scripts [1] [2] [3] which then download a further component from:

bluemagicwarranty.com/wp-includes/theme-compat/getrichtoday.exe

This binary has a detection rate of 3/55. The Malwr report shows that it drops two other files, named as Zlatowef.exe [VT 3/55] and redtytme4.exe [VT 9/55] and it also downloads components from:

38.65.142.12:12551/ON12/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
38.65.142.12:12551/ON12/HOME/41/5/4/ELHBEDIBEHGBEHK


That IP is allocated to Cogent Communications in Mexico. The download is Upatre which means that the payload is almost definitely the Dyre banking trojan, even though the delivery mechanism of a Word document is unusual for Dyre.

Recommended blocklist:
38.65.142.12
midwestlabradoodle.com
artyouneed.com
bluemagicwarranty.com

MD5s:
8d547f5ef829d9033c3eb5d4ce1602c1
5cff4106fd4c393f4b935e8e97277351
21023e02a33ec1d924f489378d1f01d5
e8f2c4845008d3064948ed336c1a9852




Wednesday 17 December 2014

Spam: "Localizan a los 43 estudiantes desaparecidos en Ayotzinapa"

This Spanish-language malware spam comes with a malicious attachment.

From:    El Universal
Date:    16 December 2014 at 09:06
Subject:    Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Localizan a los 43 estudiantes desaparecidos en Ayotzinapa.

Hoy 16 de diciembre del 2014 por la madrugada, agentes de la Policía Ministerial de Guerrero
han localizado con vida a los 43 estudiantes, desaparecidos el dia 26 de septiembre del 2014.

Para ver imágenes exclusivas del reencuentro de los estudiantes con sus familias, y las condiciones en que
vivieron durante su secuestro, anexamos un documento en este correo electrónico en formato Microsoft Word.


El Universal © todos los Derechos Reservados  2014.
This translates roughly as:

Located at 43 students missing in Ayotzinapa.

Today December 16, 2014 at dawn, agents of the Ministerial Police Guerrero
have been located alive at 43 students, missing the day September 26, 2014.

To view exclusive footage of the reunion of students and their families, and the conditions under which
They lived during his abduction, we attach a document to this email in Microsoft Word format.


The Universal © All Rights Reserved 2014.
This email relates to the kidnapping and possible murder of 43 Mexican students which has been blamed by some on the Mexican Police.

The Word document contains a malicious macro, and detailed instructions for the victim on how to disable the inbuilt security to enable it to run.


Once this has been done, the malicious macro [pastebin] runs. This attempts to download a file from:

http://www.milusz.eu/templates/default/00/ss.exe

At the moment, this download location is coming up with a 404 error. If the download were to work, it would save the file as %TEMP%\ test00010.exe. The Word document has a moderate detection rate of 10/54.

This type of malicious spam has been around for a long time, and this particular technique seems to be exclusively in Spanish, I have never seen this attack in English or any other language.

Thursday 17 July 2014

"Notificación de transferencia de fondos a su favor" spam

This Spanish-language spam has a malicious Word document as an attachment.

From:     HSBC Transferencias [Mexico_contacto@hsbc.com.mx]
Reply-To:     respuesta@hsbc.com.mx
Date:     17 July 2014 11:01

¡BIENVENIDO A HSBC!

El motivo de este correo es informarle que el día de hoy recibió una transferencia SPEI la cual se encuentra retenida debido a anomalías en su cuenta. Para mas detalles sobre esta situación le adjuntamos un documento en formato Microsoft Word donde explicamos el motivo de la retención y los pasos a seguir.



Banco emisor: BBVA BANCOMER
Importe: $94,000.00
Fecha: 17/07/2014
Folio: 89413


Estatus: Retenida
Recomendamos seguir los pasos descritos en el documento adjunto en este correo.


Para cualquier duda o aclaración  nos ponemos a sus órdenes en contacto@hsbc.com.mx o si lo prefiere,  puede comunicarse a Banca por Internet en los siguientes teléfonos:
     México D.F. (55) 5721 1635
     Desde cualquier estado de la República al 01800 4722 638 LADA sin costo.

Con gusto le atenderemos

The attachment is essentially the same as the one mentioned here which tries to lure the victim into removing their Word security settings so that a malicious macro can run.

The VirusTotal detection rate is a pretty poor 4/54. You can see some of the text strings in the Malwr report which feature a reverse URL of exe.ss/pw/arc/lc.paip//:ptth which is reverse to try to download a file from http://piap.cl/cra/wp/ss.exe (currently 404ing). The VBA in the document can be found here [pastebin].

As mentioned before, this is a long-running campaign apparently targeting users in Mexico, and as yet I have not seen this in any language except Spanish.

Thursday 10 July 2014

"Estado de Cuenta Datallado en Línea (Statement Datallado Online)" spam contains a Macro virus

This Spanish-language spam comes with a Word document containing a Macro virus.

From:     Banco Santander [altacuentas_cash@santander.com.mx]
Reply-to:     noreply@santander.com.mx
Date:     10 July 2014 09:52
Subject:     Estado de Cuenta Datallado en Línea


Estimado Cliente:

Por este medio le enviamos el estado de su cuenta del día 08/Jul/2014.
Le recomendamos descargarlo y así mantener un registro de sus activos.

El estado de cuenta se encuentra adjunto en este correo en formato Microsoft Word.

Para cualquier duda o aclaración puede comunicarse a Súper Línea Empresarial.

Atentamente,
BANCO SANTANDER.

******************PRIVACIDAD DE ESTE MENSAJE**********************
Este mensaje esta dirigido exclusivamente a las personas que tienen las direcciones de correo electronico especificadas en los destinatarios dentro de su encabezado. Si por error usted ha recibido este mensaje, por ningun motivo debe revelar su contenido, copiarlo, distribuirlo o utilizarlo. Le solicitamos por favor elimine dicho mensaje junto con cualquier documento adjunto que pudiera contener. Los derechos de privacidad y confidencialidad de la informacion en este mensaje no deben perderse por el hecho de haberse trasmitido erroneamente o por causas de interferencias en el funcionamiento de los sistemas de correo y canales de comunicacion. Toda opinion que se expresa en este mensaje pertenece a la persona remitente por lo que no debe entenderse necesariamente como una opinion del Grupo Financiero Santander y/o de las entidades que lo integran, a menos que el remitente este autorizado para hacerlo o expresamente lo diga en el mismo mensaje. En consideracion a que los mensajes enviados de manera electronica pueden ser interceptados y manipulados, el Grupo Financiero Santander y las entidades que lo integran no se hacen responsables si los mensajes llegan con demora, incompletos, eliminados o con algun programa malicioso denominado como virus informatico. Este mensaje no debe interpretarse, por ningun motivo como una oferta de venta o de compra de valores ni de instrumentos financieros relacionados. Los acentos en la leyenda de confidencialidad se han suprimido para una mejor lectura
This translates roughly as:
I hereby send you the status of your account on 08/Jul/2014.
We recommend you download and keep track of your assets.

The statement is attached to this email in Microsoft Word format.

For any question you can contact Super Business Line.

Best regards,
BANCO SANTANDER. 
Attached is a file ESTADOCUENTA_2457.doc which contains a Word Macro virus. However, because most people's settings would stop a Macro virus running then it actually contains detailed instructions on how to remove your security settings.


The first page reads:
El contenido no puede ser mostrado.
Para poder ver el contenido de este documento debe habilitar los Macros de Microsoft Word, luego cerrar y abrir el documento.

Pruebe lo siguiente:
Habilite los Macros y luego vuelva a abrir el documento.
En este documento podrá encontrar una guía proporcionada por www.santander.com para poder habilitar los macros en su Microsoft Word.

Grupo Financiero Santander México - 2014
which roughly translates to:
The content can not be shown.
To view the content of this document should enable macros Microsoft Word, then close and reopen the document.

Try the following:
Enable Macros and then reopen the document.
In this document you will find a guide provided by www.santander.com to enable macros in your Microsoft Word.

Grupo Financiero Santander Mexico - 2014

There then follows several pages with screenshots on how to disable the security in Word and Excel.. doing which of course is a bad idea. Reloading the document will then execute the Macro virus. I have defanged the document and converted it to a PDF file here. A copy of the VBA code is here (thanks to @Techhelplistcom).


The VirusTotal analysis shows just 1/54 virus scanners detect it. The Malwr analysis gives some clues as to what is going on in the string dump, especially the reference to baulretro.cl/tienda/cache/wp/ss.exe (186.64.120.59 / Zam Ltda, Chile) which appears to be a malicious binary (at the moment the file is 404ing, but it was working recently).

The properties of the Word document don't give much of a clue:



Authors are "OFEyDV", last saved by "clein" which matches to a few other recent malicious Spanish-language documents [1] [2] [3] [4]. The creation date indicates that perhaps this started off life as a genuine document and has been adapted for evil purposes.

Originating IP for the spam is 124.42.127.221 (Langfang University, China) via 199.192.145.152 (web17.gohost.com).

It's a lot of hard work to get your computer infected, but it does also look quite convincing. Word Macros are very rarely used by anything and you should definitely not fiddle with them if you don't need to.