Malware spam: "Compensation - Reference Number #368380" leads to Locky

This fake financial spam comes with a malicious attachment:

From:    Orval Burgess
Date:    8 March 2016 at 11:10
Subject:    Compensation - Reference Number #368380

Dear Customer,

The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.


Sincerely,
Orval Burgess
Account Manager

Attached is a file named in a similar format to SCAN_00_368380.zip which contains TWO malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1] [2] [3] [4]) and automated analysis tools [5] [6] [7] [8] [9] [10] [11] [12] show binary download locations at:

ministerepuissancejesus.com/o097jhg4g5
ozono.org.es/k7j6h5gf

Those same reports indicate the malware attempts to phone home to the following IPs:

89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)

Those automated reports all indicate that this is the Locky ransomware.

UPDATE

A trusted source also informs me of these additional download locations;

51457642.de.strato-hosting.eu/980k7j6h5
besttec-cg.com/89ok8jhg
cyberbuh.pp.ua/97kh65gh5
fkaouane.free.fr/67uh54gb4
het-havenhuis.nl/099oj6hg
kokoko.himegimi.jp/54g4
lahmar.choukri.perso.neuf.fr/78hg4wg
surfcash.7u.cz/0o9k7jh55
www.vtipnetriko.cz/9oi86j5hg4

In addition, there is another IP address the malware phones home to:

212.47.223.19 (Web Hosting Solutions Oy, Estonia)



Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196
212.47.223.19

Malware spam: "Receipt - Order No 173535" / Sally Webb [swebb@thekmgroup.co.uk]

This spam does not come from KM Media Group but it is instead a simple forgery with a malicious attachment:

From     Sally Webb [swebb@thekmgroup.co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535

--

regards,
Sally


*Sally Webb*
Recruitment Media Sales Executive
KM Media Group

DDI : 01622 794500
Email : swebb@thekmgroup.co.uk

*KM Media Group is Kent's only independent multimedia company*

*433,751 readers*, 166,800 listeners** and 1,668,973 monthly unique
browsers*** Together we make a difference*

*Sources: * JICREG Apr 2015 / ** RAJAR Q1 2015 / *** ABC Jul - Dec 2014
Get local news direct to your inbox by subscribing to daily KM News Alerts
and the Kent Business newsletter and our weekly What's On round-up.*

Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detectin rates around 3/55. Analysis from another source (thank you) gives download locations at:

coolsellers4u.com/catalog/controller/98yh87b564f.exe
corsian.com/system/logs/98yh87b564f.exe
demo.rent-shops.ru/foto/26/98yh87b564f.exe
dremasleep.by/system/logs/98yh87b564f.exe
euro-basket.ru/wp-content/upgrade/98yh87b564f.exe
isgim.com/system/logs/98yh87b564f.exe
jmc-thai.com/system/logs/98yh87b564f.exe
mevabekhuongnhi.com/system/logs/98yh87b564f.exe
msco.com.vn/system/logs/98yh87b564f.exe
myfabbfinds.com/system/logs/98yh87b564f.exe
partiduragi.com/system/logs/98yh87b564f.exe
paslanmazmobilya.org/system/logs/98yh87b564f.exe
vmagazin55.ru/system/logs/98yh87b564f.exe

The initial payload has a detection rate of 4/55 which has now been updated with a new payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:

188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)

Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234

Malware spam: "March Invoice" / "Balkan Dream Properties"

This fake financial spam can't make up its mind which month it is for.

From:    Caitlin Velez
Date:    1 March 2016 at 11:50
Subject:    March Invoice

Hi,

Attached is the November invoice.

Thanks!

Caitlin Velez
Customer Service
Balkan Dream Properties
090-157-5969

So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero.

This Malwr report shows that it is the Locky ransomware, download a binary from:

intuit.bitdefenderdistributor.info/intrabmw/get.php

This is hosted on a bad webserver at..

93.95.100.141 (Mediasoft ekspert, Russia)

..and it then phones home to..

5.34.183.195 (ITL / UA Servers, Ukraine)

There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..

31.184.197.119 (Petersburg Internet Network ltd., Russia)
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)

Recommeded blocklist:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
93.95.100.141

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment:

From:    admin [ands21@victimdomain.tld]
Date:    29 February 2016 at 19:05
Subject:    Scanned image

Image data in PDF format has been attached to this email.

The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js  I have seen three different versions of the attached scripts with detection rates of around 1/55 [1] [2] [3]. The Malwr reports for those [4] [5] [6] show download locations at:

www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe
svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution.in.th/system/logs/7ygvtyvb7niim.exe

This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:

51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)

Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, howerver I recommend that you block all traffic to:

51.254.19.227
185.14.29.188

Malware spam: "Unpaid Invoice #350" / credit control [invoices@thistleremovals.co.uk]

This fake financial spam does not come from Thistle Removals but is instead a simple forgery with a malicious attachment.

From     credit control [invoices@thistleremovals.co.uk]
Date     Fri, 19 Feb 2016 17:52:49 +0200
Subject     Unpaid Invoice #350
Message text

Please see attached letter and a copy of the original invoice.

Attached is a file with a semirandomly name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).

Third party analysis (thank you) indicates that this then phones home to the following locations:

91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)

The payload is the Locky ransomware.

Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106

Malware spam: "Invoice FEB-23456789" from "Accounting Specialist"

This fake financial spam comes from random senders, the attachment is malicious and drops the Locky ransomware:

From:    Kenya Becker
Date:    19 February 2016 at 11:59
Subject:    Invoice FEB-92031923


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Kenya Becker
Accounting Specialist

==================

From:    Toni Jacobson
Date:    19 February 2016 at 12:10
Subject:    Invoice FEB-63396033


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Toni Jacobson
Accounting Specialist 

Attached is a file with a semirandom name similar to invoice_feb-92031923.doc (Sample VirusTotal report) which contains XML that looks like this [pastebin]. Malwr analysis of these samples [1] [2] shows it downloading a malicious executable from:

ratgeber-beziehung.de/5/5.exe
www.proteusnet.it/6/6.exe

If recent patterns are followed, there will be several different download locations with different versions of the file at each. I will let you know if I get these locations. The binaries has a detection rate of 7/55 and 6/54 and these Malwr reports [1] [2] [3] indicate that it phones home to:

85.25.138.187 (PlusServer AG, Germany)
31.41.47.3 (Relink Ltd, Russia)

Other samples are being analysed, but in the meantime I recommend that you block traffic to:

85.25.138.187
31.41.47.3

UPDATE 1

Some additional download locations from these Malwr reports [1] [2] [3]:

ecoledecorroy.be/1/1.exe
animar.net.pl/3/3.exe
luigicalabrese.it/7/7.exe

..stil working on those other locations!

UPDATE 2

Two other locations are revealed in these Malwr reports [1] [2]:

http://lasmak.pl/2/2.exe
http://suicast.de/4/4.exe

Malware spam: "Rechnung Nr. 2016_131" / fueldner1A0@lfw-ludwigslust.de

This German language spam does not comes from LFW Ludwigsluster but is instead a simple forgery with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.

From:    fueldner1A0@lfw-ludwigslust.de
Date:    19 February 2016 at 09:10
Subject:    Rechnung Nr. 2016_131

Sehr geehrte Damen und Herren,

bitte korrigieren Sie auch bei der Rechnung im Anhang den Adressaten:

LFW Ludwigsluster Fleisch- und Wurstspezialitäten

GmbH & Co.KG

Vielen Dank!

Mit freundlichen Grüßen

Anke Füldner

Finanzbuchhaltung

Tel.: 03874-422038

Fax: 03874-4220844

E-Mail: fueldner@lfw-ludwigslust.de 

LFW Ludwigsluster Fleisch- und Wurstspezialitäten

GmbH & Co.KG, Bauernallee 9, 19288 Ludwigslust

HRA 1715, Amtsgericht Schwerin

Geschäftsführer: U.Müller, U.Warncke

USt.-IdNr. DE202820580, St.Nr. 08715803209

Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen enthalten. Wenn Sie nicht der richtige Adressant sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten diese E-Mail und alle Anhänge und Ausdrucke unverzüglich.

Das Gebrauchen, Publizieren, Kopieren oder Ausdrucken sowie die unbefugte Weitergabe des Inhalts dieser E-Mail ist nicht erlaubt.

This e-mail and any attached files may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Attached is a file with a format similar to RG460634280127-SIG.zip which contains a malicious javascript in the format RG6459762168-SIG.js or similar. At the moment, I have seen two samples, both with zero detection rates at VirusTotal [1] [2]. Malwr analysis of one of the samples shows that a binary is downloaded from:

mondero.ru/system/logs/56y4g45gh45h

Other samples probably have different download locations. This executable has a detection rate of 7/53 and it appears to drop another executable with a relatively high detection rate of 26/55. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.

The malware phones home to:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)

But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you block it.

Incidentally, full credit to the company involved in putting this massive banner on their website warning people about the fake email..

UPDATE

An additional analysis from a trusted source (thank you). Download locations are:

mondero.ru/system/logs/56y4g45gh45h
tcpos.com.vn/system/logs/56y4g45gh45h
www.bag-online.com/system/logs/56y4g45gh45h

The malware phones home to:

46.4.239.76/main.php
94.242.57.45/main.php
wblejsfob.pw/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php

The active C2s (some may be sinkholes) appear to be:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)

Analysis those C2 locations give a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70

Malware spam: "Payment" / Laurence Cottle [lcottle60@gmail.com]

This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the email address has a random number appeneded to it

From:    Laurence Cottle [lcottle60@gmail.com]
Date:    18 February 2016 at 13:35
Subject:    Payment

Hi

Any chance of getting this invoice paid, please?

Many thanks

Laurence

Attached is a file unnamed document.docm which comes in several different versions.

Third-party analysis (thank you!) reveals that there are download locations at:

acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe
alkofuror.com/system/engine/7647gd7b43f43.exe
merichome.com/system/logs/7647gd7b43f43.exe
organichorsesupplements.co.uk/system/logs/7647gd7b43f43.exe
shop.zoomyoo.com/image/templates/7647gd7b43f43.exe
tutikutyu.hu/system/logs/7647gd7b43f43.exe
vipkalyan.com.ua/system/logs/7647gd7b43f43.exe

This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.

MD5s:
a40d4d655cd638e7d52f7a6cdedc5a8e  
9f622033cfe7234645c3c2d922ed5279

The malware phones home to:

195.154.241.208/main.php
46.4.239.76/main.php
94.242.57.45/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php
wblejsfob.pw/main.php

Out of those, the most supect IPs are:

195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)

Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70

Malware spam: Copy of Invoice 20161802-12345678 leads to Locky ransomware

This fake financial spam spoofs different senders and different companies, with a different reference number in each.

From:    Devon Vincent
Date:    18 February 2016 at 08:14
Subject:    Copy of Invoice 20161802-99813731

Dear [redacted],

Please find attached Invoice 20161802-99813731 for your attention.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Devon Vincent
Tenet Healthcare Corporation    www.tenethealth.com

=================

From:    Elvia Saunders
Date:    18 February 2016 at 09:19
Subject:    Copy of Invoice 20161802-48538491

Dear [redacted],

Please find attached Invoice 20161802-48538491 for your attention.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Elvia Saunders
The PNC Financial Services Group, Inc.  www.pnc.com

I have seen two variants of the document (VirusTotal [1] [2]). Analysis of the documents is pending, however it is likely to be the Dridex banking trojan.

UPDATE 1

There is a second variant of the spam with essentially the same (undefined) payload:

From:    Heather Ewing
Date:    18 February 2016 at 08:41
Subject:    Invoice

Dear Sir/Madam,

I trust this email finds you well,

Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.

Best Regards,

Heather Ewing
The Bank of New York Mellon Corporation www.bnymellon.com

In this case the attachment was named Invoice51633050.doc - automated analysis is inconclusive. An examination of the XML attachment [pastebin] indicates that it may be malformed.

UPDATE 2

A contact (thank you) analysed one of the samples and found that the document downloaded an executable from:

killerjeff.free.fr/2/2.exe

According to this Malwr report this is the Locky ransomware, and it phones home to:

95.181.171.58 (QWARTA LLC, Russia)
69.195.129.70 (Joes Data Center, US)

I suspect that the second one may be a sinkhole, but there should be no ill effects from blocking it.


UPDATE 3

A couple more samples have come to light [1] [2] one of which shows a new phone home location of:

185.14.30.97 (ITL Serverius, NL)

UPDATE 4

From user Ralf9000 at VirusTotal here are some more download locations:

onigirigohan.web.fc2.com/1/1.exe
killerjeff.free.fr/2/2.exe
uponor.otistores.com/3/3.exe
premium34.tmweb.ru/4/4.exe
bebikiask.bc00.info/5/5.exe
avp-mech.ru/7/7.exe

6.exe seems to be missing. Analysis of these is pending.

UPDATE 5

According to these Malwr reports on all the available samples [1] [2] [3] [4] [5] [6] the various versions of Locky seem to call back to:


95.181.171.58 (QWARTA LLC, Russia)
31.41.47.37 (Relink Ltd, Russia)
185.14.30.97 (ITL, Ukraine / Serverius, Netherlands)
69.195.129.70 (Joes Datacenter, US)

I have omitted what appear to be obvious sinkholes.

Recommended blocklist:
95.181.171.58
31.41.47.37
185.14.30.97
69.195.129.70

Malware spam: fmis@oldham.gov.uk / Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530

This spam does not come from Oldham Council but is is instead a simple forgery with a malicious attachment. The timestamp in the subject line varies, probably generated by the infected computer sending the spam.

From:    fmis@oldham.gov.uk
Date:    16 February 2016 at 08:48
Subject:    Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530


**********************************************************************
Confidentiality: This email and its contents and any attachments are intended
only for the above named. As the email may contain confidential or legally privileged information,
if you are not, or suspect that you are not, the above named or the person responsible
for delivery of the message to the above named, please delete or destroy the
email and any attachments immediately.”

Security and Viruses: This note confirms that this email message has been
swept for the presence of computer viruses. However, we advise that in keeping
with good management practice, the recipient should ensure that the email together
with any attachments are virus free by running a virus scan themselves.
We cannot accept any responsibility for any damage or loss caused by software viruses.

Monitoring: The Council undertakes monitoring of both incoming and outgoing emails.
You should therefore be aware that if you send an email to a person within the Council
it may be subject to any monitoring deemed necessary by the organisation from time to time.
The views of the author may not necessarily reflect those of the Council.

Access as a public body: The Council may be required to disclose this email (or any response to it)
under the Freedom of Information Act, 2000, unless the information in it is covered
by one of the exemptions in the Act.

Legal documents: The Council does not accept service of legal documents by email.
**********************************************************************

I have only seen a single copy of this spam, with an attachment 201602_4_2218.docm which has a VirusTotal detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.

UPDATE

This spam is related to this one.  Automated analysis of the samples [1] [2] [3] [4] plus some private sources indicate download locations for this and other related campaigns today at:

labelleflowers.co.uk/09u8h76f/65fg67n
lepeigneur.power-heberg.com/09u8h76f/65fg67n
yurtdisiegitim.tv/09u8h76f/65fg67n
hg9.free.fr/09u8h76f/65fg67n
jtonimages.perso.sfr.fr/09u8h76f/65fg67n
test.blago.md/09u8h76f/65fg67n

This file has a detection rate of 3/54. According to those reports, it phones home to:

151.248.117.140 (Reg.ru, Russia)
87.229.86.20 (Znet Telekom, Hungary)
50.56.184.194 (Rackspace, US)

Recommended blocklist:
151.248.117.140
87.229.86.20
50.56.184.194

Malware spam: Overdue Invoice 012345 - COMPANY NAME

This malicious spam appears to come from many different senders and companies. It has a malicious attachment:

From:    Brandi Riley [BrandiRiley21849@horrod.com]
Date:    15 February 2016 at 12:20
Subject:    Overdue Invoice 089737 - COMS PLC

Dear Customer,

The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Brandi Riley

COMS PLC

Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis shows an attempted download from:

node1.beckerdrapkin.com/fiscal/auditreport.php

This is hosted on an IP that you can assume to be malicious:

193.32.68.40 (Veraton Projects, BZ / DE)

The dropped executable (detection rate 4/54) then phones home to:

194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)

The payload is the Dridex banking trojan.

Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229

Malware spam: "BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016" / "Fuel Card Services" [adminbur@fuelcardgroup.com]

This fake financial spam does not come from Fuel Card Services Ltd but is instead a simple forgery with a malicious attachment:

From     "Fuel Card Services" [adminbur@fuelcardgroup.com]
Date     Thu, 04 Feb 2016 04:29:24 -0700
Subject     BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
support@fuelcardservices.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail
info@fuelcardservices.com.


E-billing
-

From: adminbur@fuelcardservices.com

Sent: Thu, 04 Feb 2016 04:29:24 -0700
To: [redacted]
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016

Account: B216552

Please find your e-bill 0200442 for 31/01/2016 attached.

To manage you account online please click
http://eservices.fuelcardservices.com

If you would like to order more fuel cards please click
http://www.fuelcard-group.com/cardorder/bp-burnley.pdf

If you have any queries, please do not hesitate to contact us.

Regards

Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com


Supplied according to our terms and conditions. (see
http://www.fuelcardservices.com/ebill.pdf).


Please also note that if you cannot open this attachment and are using
Outlook Express
 to view your mail you should select Tools / Options / Security Tab and
deselect the
option marked "Do not allow attachments to be opened that potentially
may be a virus".
 All of our outgoing mail is fully virus scanned but we recommend this
facility is
re-enabled if you do not use virus scanning software.

I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro [pastebin] which is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:

www.trulygreen.net/43543r34r/843tf.exe

also reported is as a download location is:

www.mraguas.com/43543r34r/843tf.exe

If you look at the details of the Malwr report, it seems that the the script does creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52 and according to this Hybrid Analysis shows that it phones home to:

62.76.191.108 (Clodo-Cloud / IT-House, Russia)

This is the same IP address as seen earlier, put the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 62.76.184.0/21 is probably worth considering too.

Malware spam: "January balance £785" / Alison Smith [ASmith056@jtcp.co.uk]

This fake financial spam does not come from J. Thomson Colour Printers, but is instead a simple forgery with a malicious attachment:

From     Alison Smith [ASmith056@jtcp.co.uk]
Date     Thu, 04 Feb 2016 10:52:21 +0300
Subject "January balance £785"

Hi,

Thank you for your recent payment of £672.

It appears the attached January invoice has been missed off of your payment. Could
you please advise when this will be paid or if there is a query with the invoice?

Regards

Alison Smith
Assistant Accountant

  Registered in Scotland 29216
  14 Carnoustie Place
  Glasgow G5 8PB
  Tel: 0141 429 1094
  www.jtcp.co.uk

 P Save Paper - Do you really need to print this e-mail?

The poor company being spoofed has already been hit by this attack recently [1] [2]. The email address of the sender varies from message to message.

Attached is a file IN161561-201601.js which comes in at least five different versions (VirusTotal [1] [2] [3] [4] [5]). This is a highly obfuscated script that looks like this [pastebin] and automated analysis of the various scripts [6] [7] [8] [9] [10] [11] [12] [13] shows that the macro downloads from the following locations (there may be more):

ejanla.co/43543r34r/843tf.exe
cafecl.1pworks.com/43543r34r/843tf.exe

This binary has a detection rate of 2/52 and phones home to:

62.76.191.108 (Clodo-Cloud / IT-House, Russia)

Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220.

Malware spam: Scanned image from copier@victimdomain.tld

This fake document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple forgery with a malicious attachment.

From:    copier@victimdomain.tld
Date:    1 February 2016 at 12:11
Subject:    Scanned image from copier@victimdomain.tld

Reply to: copier@victimdomain.tld [copier@victimdomain.tld]
Device Name: COPIER
Device Model: MX-2310U

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned document in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.

I have seen two different versions of the attached document, named in a format copier@victimdomain.tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2] and the Malwr report for one of them shows the macro downloading from:

dulichando.org/u56gf2d/k76j5hg.exe

This executable has a detection rate of 4/53 and the Hybrid Analysis reports that it phones home to:

185.24.92.236 (System Projects LLC, Russia)

I strongly recommend that you block traffic to that IP. The payload is Dridex, as seen here.

Malware spam: "Order Processed." / NoReply-Duration Windows [noreply@duration.co.uk]

This fake financial spam does not come from Duration Windows but is instead a simple forgery with a malicious attachment:

From     NoReply-Duration Windows [noreply@duration.co.uk]
Date     Mon, 01 Feb 2016 04:21:03 -0500
Subject     Order Processed.

Dear Customer,

Please find details for your order attached as a PDF to this e-mail.

Regards,
Duration Windows
Sales Department

___________________________________________________________

This email has been scanned by FilterCloud Email Security.
For more information please visit http://filtercloud.co.uk

I have only seen a single sample of this spam with an attachment V9568HW.doc which has a detection rate of 5/54.

Analysis of the attachment is pending, however this is likely to be the Dridex banking trojan.

UPDATE

The Malwr analysis shows that the document downloads a malicious executable from:

www.peopleond-clan.de/u56gf2d/k76j5hg.exe

This has a VirusTotal detection rate of 4/54 and those reports plus this Hybrid Analysis show it phoning home to:

185.24.92.236 (System Projects LLC, Russia)

I strongly recommend that you block traffic to that IP.

Malware spam: Invoice 123456 from COMPANY NAME

This spam appears to originate from a variety of companies with different references. It comes with a malicious attachment.

From:    Marisol Barrett [BarrettMarisol04015@victimdomain.tld]
Date:    1 February 2016 at 08:39
Subject:    Invoice 48014 from JKX OIL & GAS

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Marisol Barrett

JKX OIL & GAS

=========================

From:    Oswaldo Browning [BrowningOswaldo507@victimdomain.tld]
Date:    1 February 2016 at 09:38
Subject:    Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Oswaldo Browning

J P MORGAN PRIVATE EQUITY LTD

=========================

From:    Pansy Haley [HaleyPansy95@victimdomain.tld]
Date:    1 February 2016 at 08:50
Subject:    Invoice 95101 from HWANGE COLLIERY CO

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Pansy Haley

HWANGE COLLIERY CO


=========================

From:    Ruth Martinez [MartinezRuth43950@victimdomain.tld]
Date:    1 February 2016 at 08:51
Subject:    Invoice 27051 from ESSENDEN PLC

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Ruth Martinez

ESSENDEN PLC

The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the fake reference number). There are at least three different versions (VirusTotal [1] [2] [3]).

Analysis is pending, however this is likely to be the Dridex banking trojan.

UPDATE 1

A different variant of the spam email is going on, which appears to have roughly the same payload:

From:    Heather Mcfadden [McfaddenHeather71@victimdomain.tld]
Date:    1 February 2016 at 10:09
Subject:    Transaction and Payment Confirmation from HAYWARD TYLER GROUP PLC

Hello,

The attached document is a transaction payment confirmation from HAYWARD TYLER GROUP PLC in the amount of GBP 1,879.86.

Your transaction reference number is A3546F.

Kind Regards,

Heather Mcfadden

HAYWARD TYLER GROUP PLC

UPDATE 2

The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:

31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php

These IPs can be considered as malicious, and belong to:

31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)

This drops a malicious binary with a detection rate of 2/53. This phones home to:

185.24.92.229 (System Projects, LLC, Russia)

 This spam appears to be the Dridex banking trojan (botnet 120 perhaps).

Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23

Malware spam: "Despatch Note FFGDES34309" / Foyle Food Group Limited [accounts@foylefoodgroup.com]

This fake financial spam is not from Foyle Food Group Limited but is instead a simple forgery with a malicious attachment:

From     Foyle Food Group Limited [accounts@foylefoodgroup.com]
Date     Fri, 29 Jan 2016 17:58:37 +0700
Subject     Despatch Note FFGDES34309

Please find attached Despatch Note FFGDES34309

I haven't had the chance to do the analysis myself, so I am relying on the analysis of a contact (thank you). The attachment is FFGDES34309.doc which comes in three different variants, downloading from:

jjcoll.in/56gf/g545.exe
romana.fi/56gf/g545.exe
clickchiropractic.com/56gf/g545.exe

This has an MD5 of d88c2bed761c7384d0e8657477af9da7 and a detection rate of 6/49. According to my contact, this phones home to:

85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)

This drops the Dridex banking trojan. The behaviour is consistent with botnet 220.

Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3

Malware spam: "Kaseya Invoice - 1ED0C068"

This fake financial email has a malicious attachment:

From:    Terry Cherry
Date:    11 January 2016 at 10:48
Subject:    Kaseya Invoice - 1ED0C068

Dear Accounts Payable,

Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.

Our bank details for wire transfer are included on the attached invoice.

Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@kaseya.com) for assistance with adding card details through our portal.


Please do not hesitate to let us know if you have any questions.

Thanks again for your patronage.

Sincerely,
Terry Cherry
Kaseya Customer Invoicing

Corporate: +1.415.694.5700 X4946
Email: CherryTerry66644@nyoda.com

The sender's name, references and attachments may vary. This appears to be a spam from Dridex 120, and it is a characteristic that there is a very large number of variants of the attachments. In this case, I analysed three different attachments with detection rate of about 2/55 [1] [2] [3] and which according to these Malwr reports [4] [5] [6], downloads a binary from the following locations:

5.189.216.10/montana/login.php
77.246.159.154/montana/login.php
109.234.39.40/montana/login.php

All of these IPs should be considered to be malicious:

5.189.216.10 (LLHost Inc, Netherlands)
77.246.159.154 (JSC Server, Russia)
109.234.39.40 (McHost.ru, Russia)

A binary named trap.exe with an MD5 of aab74722020e631147836fc009f9419d and a detection rate of 5/54 is downloaded. According to this Malwr report the executable phones home to:

78.47.119.93 (Hetzner, Germany)


The payload is the Dridex banking trojan.

Recommended blocklist:
78.47.119.93
5.189.216.10
77.246.159.154
109.234.39.0/24

Malware spam: "Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB"

This fake financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.

From:    Hoyt Fowler
Date:    8 January 2016 at 10:49
Subject:    Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 723A36B7

Total Amount:   GBP 60,00

Due Date:               28.01.2016

If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.


Best Regards
Hoyt Fowler
DSV Road Limited
Scandinavia House
Parkeston, Harwich
Essex, CO12 4QG No.3874882

Tel: 01255 242242
Registered in England
VAT No. GB759894254
Global Transport and Logistics

I have only seen a single sample of this email at present, but if consistent with other similar emails then details such as the sender's name and reference numbers will vary. In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55.

According to this Malwr report, the sample attempts to download a further component:

194.28.84.79/softparade/spanish.php

There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too.

A file named hram.exe is dropped onto to target system with a detection rate of 4/54. The Malwr report indicates that this communicates with:

78.47.119.93 (Hetzner, Germany)

This is a critical IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan.

UPDATE 1

A contact (thank you) let me know of two other download locations:

176.103.62.14/softparade/spanish.php
51.254.51.178/softparade/spanish.php

These are:

176.103.62.14 (PE Ivanov Vitaliy Sergeevich, Ukraine)
51.254.51.178 (OVH, France / Dmitry Shestakov, Russia)

Both those are pretty well-known providers of malware.  I recommend that you block the entire /20 in the first instance and the blocks referenced here in the second.

MD5s:
5ab2a67268b3362802a13594edafbd2e
7d60996dd9293df5eecd07f33207aca8

Recommended blocklist:
78.47.119.93
194.28.84.79
176.103.48.0/20
51.254.51.176/30

UPDATE 2

An updated version of the payload is currently being spammed out as on 11.01.16, with a payload identical to this spam run.

Malware spam: "Payment notification from Third Energy Services Limited"

This fake financial email comes with a malicious attachment.

From:    Addie Caldwell
Date:    6 January 2016 at 10:31
Subject:    Payment notification from Third Energy Services Limited

Payment notification from Third Energy Services Limited

Third Energy Services Limited

Registered in England & Wales. Registered number: 85752524.
Registered office: 7th Floor. Portland House, Bressenden Place, London, UK, SW1E 5BH
Tel: 01944 759904 ot 0207 0420 800
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Third Energy. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in error.

Addie

The sender's name varies. So far I have seen three different versions of the attachment (in the format remit85752524.doc or similar) with VirusTotal detection rates in the range of 2/54 [1] [2] [3] and the Malwr reports [4] [5] [6] show similar characteristics to this spam run plus this additional URL:

109.234.34.224/jasmin/authentication.php

This IP is allocated to McHost.RU in Russia and can be considered as malicious. The payload is unknown, but is possible Dridex.

Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224