Showing posts with label Ukraine.

Tuesday 2 February 2016

Malware spam: "RB0081 INV2372039" / Sales invoice [salesinvoice@leathams.co.uk]

This fake financial spam does not come from Leathams but is instead a simple forgery with a malicious attachment.

From:    Sales invoice [salesinvoice@leathams.co.uk]
Reply-To:    "no-reply@leathams.co.uk" [no-reply@leathams.co.uk]
Date:    2 February 2016 at 13:15
Subject:    RB0081 INV2372039

Dear Sir/Madam,

Please find attached your sales invoice(s) for supplied goods.  Please process for payment as soon as possible.

In the event that you have a query - please direct your query as follows;

For the following please contact our Nottingham Office on 020 7635 3190 or email NottinghamTelesales@Leathams.co.uk:

                Incorrect items delivered
                Quality Complaint
                Goods Damaged in Transit
                Price query against goods

For the following please contact Credit Control on 020 7635 4049 or email creditcontrol@leathams.co.uk:

                Delivery Shortages

Please note that queries reported outside of our terms of business may not be accepted.

Many thanks and kind regards

Leathams Credit Control
2 Rollins Street, London, SE15 1EW
Tel: +44 (0)20 7635 4049
Email: creditcontrol@leathams.co.uk

DID YOU KNOW LEATHAMS IS GOING PAPERLES IN 2015 - Please note that Leathams will be emailing all invoices and staments in 2015.  Kindly confirm by return email what email address we should send your future invocies and statements to.

IMPORTANT TERMS OF BUSINESS - Please note the following time critical terms;

Delivery Queries - You must notifiy Leathams in writing of any defects within 2 working days stating precisly its reason(s) for rejection.  Failure to do so within this time frame will result in any claims being rejected.

Invoice Queries - You must notifiy Leathams in writing of any descrepancies within 7 working days.  If a query is not resolved in time then it is expected that you settle what you believe to be correct, queries should not hold up any payments to Leathams.

Late Payment Fees - Late payment of invoices will result in penalty interest of 8% above the bank of England base rate. We also reserve the right to apply a late payment fee in accordance with UK Late Payment Legislation.

Size of unpaid debt          Sum to be paid to the creditor
Up to £999.99                £40.00
£1,000.00 to £9,999.99       £70.00
£10,000.00 or more           £100.00


Follow us on Twitter <http://twitter.com/LeathamsLtd>
Connect on LinkedIn <http://www.linkedin.com/company/leathams-ltd/>


www.leathams.co.uk <http://www.leathams.co.uk/>


_____________________________________________________________________

This e-mail and any attachments are confidential and intended solely for the addressee. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.

Internet communications are not guaranteed to be secure or virus-free.

Leathams Ltd does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by Leathams Ltd for operational or business reasons.

Any opinion or other information in this e-mail or its attachments, that does not relate to the business of Leathams Ltd, is personal to the sender and is not given or endorsed by Leathams Ltd.

Leathams Ltd. Registered in England (registered no. 1689381).
Registered Office: 227-255 Ilderton Road, London SE15 1NS, United Kingdom

 -------------------------------------------------------------------------------------------------------------
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
_____________________________________________________________________

Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least two different versions (VirusTotal [1] [2]). The Malwr analysis for one of those samples shows a download from:

fillingsystem.com/5h4g/0oi545gfgf.exe

This is similar to a spam run earlier, but now the payload has changed to one with a detection rate of precisely zero (MD5 0d37099eaff9c507c782fd81c715255b). Analysis of this is pending. The payload is the Dridex banking trojan.

UPDATE

Automated analysis [1] [2] shows the executable phoning home to:

91.239.232.145 (Hostpro Ltd, Ukraine)

I strongly recommend blocking traffic to that IP, or the whole /22 in which it resides.

Malware spam: "PURCHASE 02/02/2016 D1141" / sales@flowervision.co.uk

This spam does not come from Flower Vision but is instead a simple forgery with a malicious attachment:

From:    sales@flowervision.co.uk
Date:    2 February 2016 at 08:28
Subject:    PURCHASE 02/02/2016 D1141


FLOWERVISION

Internet Order Confirmation
Page 1/1

Colli  Quan  Total  Price  Product                   S1  S2  S3  Del.Day  Total  Remark
1 x    25    25     0.32   Hyacinthus Or Delft Blue  30   0  22  160129    8.00  Flowers London
4 x     1     4     5.50   Oasis Spray Paint Voilet   0   0   0  160129   22.00  Sundries London
2 x    10    20     1.37   Syringa V Primrose        90   0  45  160129   27.40  Flowers London
1 x    50    50     0.25   Tulipa En Antarctica      40  46  33  160129   12.50  Flowers London
1 x    50    50     0.34   Veronica Clea Diana       60   0  44  160129   17.00  Flowers London

Totals:      149                                                          86.90

Attached is a file SALES_D1141_02022016_164242.xls which I have seen just one version of, with a detection rate of 1/50. This Hybrid Analysis shows the macro in the spreadsheet downloading from:

www.torinocity.it/5h4g/0oi545gfgf.exe

This binary has a detection rate of 5/51, and is the same payload as seen earlier.

Malware spam: "Order Dispatch: AA207241" / aalabels [customercare97125@aalabels.com]

This fake financial spam is not from aalabels.com but is instead a simple forgery with a malicious attachment.

From:    aalabels [customercare97125@aalabels.com]
Date:    2 February 2016 at 07:06
Subject:    Order Dispatch: AA207241

Order Dispatch Confirmation

Dear Customer,

This email is to confirm that your order number AA207241 has been dispatched from our warehouse today and your order will be with you the following working day.

Your order has been dispatched via DPD and your order tracking number is 1160173211.

A VAT invoice for your order has been attached in pdf format for your reference.

Code     Product Name     Qty     QS     QB     No of Packs
AAS021WTP     Matt White - Permanent A4 Sheet Labels - 21 Rectangle - 63.5 mm x 38.1 mm     1000     1000     0     10

QS: Quantity Shipped
QB: Quantity Backed

If you need to contact us about this order then please call our customer care team on 01733 588 390 or email customercare@aalabels.com

Thank you for your order.

Kind regards,

AA Labels

www.aalabels.com
23 Wainman Road
Woodston
Peterborough
PE2 7BU
United Kingdom
Phone:  01733 588390
Fax: 01733 425106

The sender's email address and details will vary from email to email; however, they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]). These Malwr reports [4] [5] [6] show the macro in the documents downloading from one of the following locations:

timestyle.com.au/5h4g/0oi545gfgf.exe
hebenstreit.us.com/5h4g/0oi545gfgf.exe
fillingsystem.com/5h4g/0oi545gfgf.exe


This binary has a detection rate of 5/52. That VirusTotal result and those Malwr reports show it phoning home to:

91.239.232.145 (Hostpro Ltd, Ukraine)

I would strongly recommend blocking traffic to that IP, or indeed you can probably block the entire 91.239.232.0/22 range with no ill effects.

Monday 1 February 2016

Malware spam: Invoice 123456 from COMPANY NAME

This spam appears to originate from a variety of companies with different references. It comes with a malicious attachment.

From:    Marisol Barrett [BarrettMarisol04015@victimdomain.tld]
Date:    1 February 2016 at 08:39
Subject:    Invoice 48014 from JKX OIL & GAS

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Marisol Barrett

JKX OIL & GAS

=========================

From:    Oswaldo Browning [BrowningOswaldo507@victimdomain.tld]
Date:    1 February 2016 at 09:38
Subject:    Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Oswaldo Browning

J P MORGAN PRIVATE EQUITY LTD

=========================

From:    Pansy Haley [HaleyPansy95@victimdomain.tld]
Date:    1 February 2016 at 08:50
Subject:    Invoice 95101 from HWANGE COLLIERY CO

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Pansy Haley

HWANGE COLLIERY CO


=========================

From:    Ruth Martinez [MartinezRuth43950@victimdomain.tld]
Date:    1 February 2016 at 08:51
Subject:    Invoice 27051 from ESSENDEN PLC

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Ruth Martinez

ESSENDEN PLC

The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the fake reference number). There are at least three different versions (VirusTotal [1] [2] [3]).

Analysis is pending, however this is likely to be the Dridex banking trojan.

UPDATE 1

A different variant of the spam email is going on, which appears to have roughly the same payload:

From:    Heather Mcfadden [McfaddenHeather71@victimdomain.tld]
Date:    1 February 2016 at 10:09
Subject:    Transaction and Payment Confirmation from HAYWARD TYLER GROUP PLC

Hello,

The attached document is a transaction payment confirmation from HAYWARD TYLER GROUP PLC in the amount of GBP 1,879.86.

Your transaction reference number is A3546F.

Kind Regards,

Heather Mcfadden

HAYWARD TYLER GROUP PLC

UPDATE 2

The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:

31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php


These IPs can be considered as malicious, and belong to:

31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)


This drops a malicious binary with a detection rate of 2/53. This phones home to:

185.24.92.229 (System Projects, LLC, Russia)

This spam appears to be distributing the Dridex banking trojan (botnet 120 perhaps).

Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23

Tuesday 19 January 2016

Malware spam: Remittance Advice For Invoice 40502329 From C-Tech

This fake financial spam is not from C-Tech but is instead a simple forgery with a malicious attachment.

From:    Mary Mathis
Date:    19 January 2016 at 12:21
Subject:    Remittance Advice For Invoice 40502329 From C-Tech

Dear Accounts

Please find attached our current remittance advice.

Kind Regards


Mary Mathis MAAT

Accounts Assistant

Tel: +44 (0)1903 268599

Fax: +44 (0)1903 795454

The sender's name, references and name of the attachment will vary; the attachment itself is named something similar to remittance_advice40502329.doc. So far I have seen two versions with detection rates of 3/54 [1] [2] and the Malwr reports [3] [4] indicate a download from the following locations:

http://46.17.100.209/aleksei/smertin.php
http://31.131.20.217/aleksei/smertin.php


These IPs can be considered to be malicious and are allocated to:

46.17.100.209 (Mir Telematiki Ltd, Netherlands)
31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)

 
The attack is very similar to this Dridex 120 spam run earlier today, except that the download locations and dropped binary have changed to this one [VT] with an MD5 of c19959c2d372a7d40d4ba0f99745f114. According to this Malwr report, it phones home to the same evil IP address of 198.50.234.211 as before.



Malware spam: "Remittance Advice 1B859E37" / "Bellingham + Stanley"

This fake financial spam does not come from Bellingham + Stanley but is instead a simple forgery with a malicious attachment. Reference numbers and sender names will vary.

From:    Adeline Harrison [HarrisonAdeline20@granjacapital.com.br]
Date:    19 January 2016 at 09:45
Subject:    Remittance Advice 1B859E37

For the attention of Accounts Receivable,

We are attaching an up to date remittance advice detailing the latest payment on your account.

Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.


Kind regards,
Adeline Harrison

Best Regards,

Adeline Harrison
Senior Finance Assistant, Bellingham + Stanley

Bellingham + Stanley
Longfield Road
Tunbridge Wells
Kent, TN2 3EY
United Kingdom
Office: +44 (0) 1892 500406
Fax: +44 (0) 1892 543115
HarrisonAdeline20@granjacapital.com.br
www.bellinghamandstanley.com

I have seen at least four different variations of the attachment, named in the format remittance_advice14DDA974.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show those samples communicating with:

http://179.60.144.19/victor/onopko.php
http://5.34.183.127/victor/onopko.php

Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)


UPDATE 1

This related spam run also downloads from:

91.223.88.206/victor/onopko.php

This is allocated to "Private Person Anton Malyi" in Ukraine.

A file aarab.exe is dropped (MD5 05219ea0aefedc873cecaa1f5100c617) [VT 4/53] which appears to communicate with:

198.50.234.211 (OVH, Canada)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan; this attack is consistent with botnet 120.

UPDATE 2

This other Dridex 120 spam run uses different download locations:

46.17.100.209/aleksei/smertin.php
31.131.20.217/aleksei/smertin.php


The dropped "aarab.exe" file is also different, with an MD5 of c19959c2d372a7d40d4ba0f99745f114 and a detection rate of just 2/54.


Recommended blocklist:
198.50.234.211
179.60.144.19
5.34.183.127
91.223.88.206
46.17.100.209
31.131.20.217

Friday 15 January 2016

Malware spam: "Your order #7738326 From The Safety Supply Company" / Orders - TSSC [Orders@thesafetysupplycompany.co.uk]

This fake financial spam does not come from The Safety Supply Company but is instead a simple forgery with a malicious attachment:

From:    Orders - TSSC [Orders@thesafetysupplycompany.co.uk]
Date:    15 January 2016 at 09:06
Subject:    Your order #7738326 From The Safety Supply Company

Dear Customerl

Thank you for your recent purchase.

Please find the details of your order through The Safety Supply Company attached to this email.

Regards,

The Sales Team

So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.

UPDATE 1

This Hybrid Analysis on the first sample shows it downloading from:

149.156.208.41/~s159928/786585d/08g7g6r56r.exe

That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to communicate with:

216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)


I have now seen another version of the DOC file [VT 4/54] which has similar characteristics.

Dropped file MD5:
9138e36d70ab94349558c61e92ab9ae2

Attachment MD5s:
d5a25f10cb91e0afd00f970cee7c5f01
985bb69a8c292d90a5bd51b3dbec76ac


UPDATE 2

This related spam run gives some additional download locations:

nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe


Sources also tell me that there is one at:

204.197.242.166/~topbun1/786585d/08g7g6r56r.exe

Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
204.197.242.166
149.156.208.41


Tuesday 12 January 2016

Malware spam: "Lattitude Global Volunteering - Invoice - 3FAAB65"

This fake financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple forgery with a malicious attachment.

From:    Darius Green
Date:    12 January 2016 at 09:33
Subject:    Lattitude Global Volunteering - Invoice - 3FAAB65

Dear customer,

Please find attached a copy of your final invoice for your placement in Canada.

This invoice needs to be paid by the 18th January 2016.

Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer  our bank details are.

You must provie your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.

Account Name:  Lattitude Global Volunteering
Bank:                        Barclays Bank
Sort Code:              20-71-03
Account No.           20047376
IBAN:                        GB13BARC20710320047376
SWIFBIC:                  BARCGB22


Kind regards

Luis Robayo
Accounts Department
Lattitude Global Volunteering
T: +44 (0) 118 956 2903
finance@lattitude.org.uk
WWW.lattitude.org.uk


 Visit us on Facebook
 Follow us on Twitter

Lattitude Global Volunteering is a UK registered international youth development charity (No. 272761), a company limited by guarantee (No. 01289296) and a member of BOND (British Overseas NGOs for Development).

I have personally only seen two samples so far, with detection rates of 2/55 [1] [2]. These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:

31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php


This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be malicious and should be blocked.

31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)


A file kfc.exe is dropped onto the target system which has a detection rate of 6/52 and an MD5 of 8cfaf90bf572e528c2759f93c89b6986. Those previous Malwr reports indicate that it phones home to a familiar IP of:

78.47.119.93 (Hetzner, Germany)

Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84


Friday 8 January 2016

Malware spam: "Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB"

This fake financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.

From:    Hoyt Fowler
Date:    8 January 2016 at 10:49
Subject:    Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 723A36B7

Total Amount:   GBP 60,00

Due Date:               28.01.2016

If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.


Best Regards
Hoyt Fowler
DSV Road Limited
Scandinavia House
Parkeston, Harwich
Essex, CO12 4QG No.3874882

Tel: 01255 242242
Registered in England
VAT No. GB759894254
Global Transport and Logistics

I have only seen a single sample of this email at present, but if consistent with other similar emails then details such as the sender's name and reference numbers will vary. In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55.

According to this Malwr report, the sample attempts to download a further component:

194.28.84.79/softparade/spanish.php

There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too.

A file named hram.exe is dropped onto the target system with a detection rate of 4/54. The Malwr report indicates that this communicates with:

78.47.119.93 (Hetzner, Germany)

This is a critical IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan.

UPDATE 1

A contact (thank you) let me know of two other download locations:

176.103.62.14/softparade/spanish.php
51.254.51.178/softparade/spanish.php


These are:

176.103.62.14 (PE Ivanov Vitaliy Sergeevich, Ukraine)
51.254.51.178 (OVH, France / Dmitry Shestakov, Russia)

Both of those are pretty well-known providers of malware. I recommend that you block the entire /20 in the first instance and the blocks referenced here in the second.

MD5s:
5ab2a67268b3362802a13594edafbd2e
7d60996dd9293df5eecd07f33207aca8


Recommended blocklist:
78.47.119.93
194.28.84.79
176.103.48.0/20
51.254.51.176/30


UPDATE 2

An updated version of the payload is currently being spammed out as of 11.01.16, with a payload identical to this spam run.
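As an added example (not code from this blog), the following Python script turns the recommended blocklists and the shared download paths quoted in the posts above into a simple proxy-log check. It normalises bare IPs and CIDR ranges with the standard ipaddress module, derives the enclosing /22 or /20 that the author suggests blocking around a single address, and flags any request whose destination falls in a blocked range or whose URL path matches a known download path, regardless of which compromised site served it (the 2 February posts show the same /5h4g/0oi545gfgf.exe path on several hosts). The log format, the 10.1.2.x client addresses and the 203.0.113.x addresses standing in for the hosting sites are constructed for the example; the blocklist entries and paths are the ones quoted in the 2 February and 8 January posts.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators quoted in the posts: the download paths seen on several different
# compromised hosts, and the IPs/ranges the author recommends blocking.
KNOWN_BAD_PATHS = {"/5h4g/0oi545gfgf.exe", "/softparade/spanish.php"}
RECOMMENDED_BLOCKLIST = [
    "91.239.232.0/22",   # Hostpro Ltd, Ukraine: the /22 around the 91.239.232.145 C2
    "78.47.119.93",      # Hetzner, Germany: Dridex C2
    "194.28.84.79",      # Hostpro, Ukraine: download location
    "176.103.48.0/20",   # PE Ivanov Vitaliy Sergeevich, Ukraine
    "51.254.51.176/30",  # OVH, France
]


def enclosing_network(ip: str, prefixlen: int) -> ipaddress.IPv4Network:
    """The /prefixlen block containing ip, e.g. the /22 around a C2 address."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def load_blocklist(entries):
    """Normalise bare IPs and CIDR strings into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


# Constructed sample proxy log, one request per line:
#   <epoch> <client_ip> <dest_ip> <method> <url>
# 203.0.113.x is a documentation-range placeholder for a hosting site whose
# real address the posts do not give.
SAMPLE_LOG = """\
1454418900 10.1.2.3 93.184.216.34 GET http://www.example.com/index.html
1454418905 10.1.2.3 203.0.113.50 GET http://fillingsystem.com/5h4g/0oi545gfgf.exe
1454418910 10.1.2.7 78.47.119.93 POST http://78.47.119.93/
1454418915 10.1.2.9 176.103.62.14 GET http://176.103.62.14/softparade/spanish.php
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<dest>\S+) (?P<method>\S+) (?P<url>\S+)$"
)


@dataclass
class Alert:
    ts: int
    client: str
    dest: str
    reasons: list = field(default_factory=list)


def scan_log(lines, blocklist=RECOMMENDED_BLOCKLIST, bad_paths=KNOWN_BAD_PATHS):
    """Flag requests whose destination is in the blocklist or whose URL path is a
    known download path; a request can match on both grounds."""
    nets = load_blocklist(blocklist)
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crashing
        reasons = []
        dest = ipaddress.ip_address(m["dest"])
        hits = [str(n) for n in nets if dest in n]
        if hits:
            reasons.append(f"destination {dest} in blocklist entry {hits[0]}")
        path = urlsplit(m["url"]).path
        if path in bad_paths:
            reasons.append(f"URL path {path} is a known malicious download path")
        if reasons:
            alerts.append(Alert(int(m["ts"]), m["client"], m["dest"], reasons))
    return alerts


if __name__ == "__main__":
    print("enclosing /22 of 91.239.232.145:", enclosing_network("91.239.232.145", 22))
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(a.ts, a.client, "->", a.dest, "; ".join(a.reasons))
```

Matching on the URL path independently of the host is what catches the second and third download sites once the first has been noticed; the destination-IP check catches the C2 traffic from an already-infected host, which is the case the author's "I strongly recommend blocking" advice addresses.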

Thursday 7 January 2016

Malware spam: "Invoice 01147665 19/12 £4024.80" / "Ibstock Group"

This fake financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam which was sent out earlier today.

From:    Amber Smith
Date:    7 January 2016 at 10:38
Subject:    Invoice 01147665 19/12 £4024.80

Hi,

Happy New Year to you !

Hope you had a lovely break.

Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.

Its invoice  01147665  19/12  £4024.80  P/O ETCPO 35094

Can you have a look at it for me please?

Thank-you !

Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group
Supporting Ibstock, Ibstock-Kevington & Forticrete
-----------------------------------------------
( +44 (0)1530 257371
( VPN: 700 2371
6  +44 (0)1530 257379

The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far (there are probably more) with VirusTotal detection rates of 2/54 [1] [2] [3] and the Malwr reports [4] [5] [6] show these documents communicating with:

193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php


IPs are allocated to:

176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)


As before, a binary geroin.exe is dropped which communicates with:

78.47.119.93 (Hetzner, Germany)

The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post.



Malware spam: "Your Latest Documents from Angel Springs Ltd [1F101177]"

This fake financial spam comes with a malicious attachment. The name of the sender varies, as does the reference number in the subject field that matches the attachment name.

From:    Leonor Stevens
Date:    7 January 2016 at 10:13
Subject:    Your Latest Documents from Angel Springs Ltd [1F101177]

Dear Customer,

Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.

Here's a few ways we've made it easier for you:

    Your new documents are now attached to your email. You don't have to follow a link now to get to your documents.

    Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.

    You can simply and easily raise any queries you may have through the customer portal.

Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.

If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on 0845 230 9555 and we will be more than happy to assist you. Please do not reply to this email.

To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document

With Kind Regards,

Angel Springs Ltd

Yesterday I saw several spam runs similar to this coming from Dridex botnet 120. There are many, many variations of the attachment, although I do not believe that they are uniquely generated.

The three samples I have sent for analysis so far have VirusTotal detection rates of 2/55 [1] [2] [3] and the Malwr reports [4] [5] [6] show an initial communication with:

193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php

These IPs belong to:

176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)


I note that 91.223.88.204 also hosts some bad things, and the entire 176.103.48.0/20 block has a history of evil-ness [1] [2] [3].

Note that there are probably other download locations. Check back later if you are interested.

These malicious documents drop a binary geroin.exe which has a detection rate of 3/54. The Malwr report for this shows it phoning home to:

78.47.119.93 (Hetzner, Germany)

Binary MD5:
088724715613ff48edf090a74c8b6413

Attachment MD5s:
53521464ee6d70ec6c93f2e038e92651
3dfef23d2f6846133f1758dca675afd2
9bfadfe1c8dd23a0358c5ae4a6f7f465
a1c601351f865e5d9f8315ecc867971d
939aa6ebf02a338fab864690467909fa
1021f12f47d1d68e12d3e81ad6f44a92
30097bc5a0903db248252f3e01344b8b
25ae775c96146b4bfba1a88f755ccc20
c225905d94f1b3a0a1dae86109c80e51
617d676e09a74fa0fb099509a2f57ac8
fbb83ab6ae5a3ef2bac5f5ff549713b5
7d5b9851c8bc682ff621568cc648c9e6
3a4cb5fa7aa75afc72cef5709576f441
0b60bad71222d1fb091efeef6fa3524a
ed8f764742a827d23a56c439a0393448
1b93d2fcbe94d9a6e248ddf964078406
f37cfbead3e52549c7490a4aaf20e423
2ef9a2bb6e59c75cef3643700e054385
d167d52dfd4d69c7cf336abff6b71280
d1038a983442ce25535d707e9568b03b


Recommended blocklist:
176.103.48.0/20
91.223.88.204/30
78.47.119.93
193.201.227.12

Wednesday 6 January 2016

Malware spam "Invoice-205611-49934798-CROSSHILL SF"

This fake financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:

From:    Bertha Sherman
Date:    6 January 2016 at 09:29
Subject:    Invoice-205611-49934798-CROSSHILL SF

Dear Customer,

Please find attached Invoice 02276770 for your attention.

Should you have any Invoice related queries please do not hesitate to
contact either your designated Credit Controller or the Main Credit Dept. on
01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

I have seen at least four different attachments with names in a format similar to invoice40201976.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show that the malware contained within POSTs to:

37.46.130.53/jasmin/authentication.php
179.60.144.21/jasmin/authentication.php
195.191.25.138/jasmin/authentication.php

Those reports also show communication to other suspect IPs, giving:

94.158.214.45 (Noviton Ltd , Russia)
78.47.119.93 (Hetzner, Germany)
2.61.168.116 (Sibirtelecom, Russia)
37.46.130.53 (JSC Server, Russia)
179.60.144.21 (Veraton Projects Ltd, Netherlands)
195.191.25.138 (Hostpro Ltd, Ukraine)


This Hybrid Analysis also shows similar characteristics.

The macro drops a file tsx3.exe with a detection rate of 7/55. The Malwr report doesn't give any particular insight as to what this is, but it is likely to be a banking trojan or ransomware. UPDATE: this is Dridex (botnet 120 apparently), and the dropped file has been updated to this one.

There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost.RU IP in Russia:

109.234.34.224/jasmin/authentication.php

MD5s (dropped EXE):
fdd95b4cc10b536934486c7d3fdee04f
613f5e4139e8006e9d47cb562450bc4a


MD5s (attachments):
06afdf7eaa3aa0d07b74c87c2c4bcede
11efa97e6091fa608596b463c9a20718
1574669aae13badc47b5c32927d22fb9
1988f8c864689bfd725e659e0815f032
27f891f6b0c0820492408022a860accc
37cc9d15f4eb5173e30ebff8ae6d44f6
37dd4e12541994d719d669ef7408b042
41faea2d8d7334a1e645cedf2a297344
42694176858ef65ababe87c8eee3679d
430eb4d6bc75b3743169aba0b5c368b9
5a5e5ac6d0e12215d79d2d321ac7a303
60cb6167675a908e9bba8957ece0947b
63abdef9d973b820f656642831ef6e07
7d190049c2354c18bd850d086d8c43c8
81697ef360e4abd09d96cd58bb1c7f01
82e06ae650e81e77879c5a33dba058b6
840b0d424b541d3649c33e8264632ba7
933f50bd87c02b67e122520022677aa6
a17b2fc61c64381ba5a2a154085ee6e7
a1958f55febde3b0fac15490f5e0ac6e
a43490f4c09e519d72296898343ab04f
ab41e3d7fa1e3d98a0bdec1e4086058a
b614c2f6f07620e53375c35efc692596
bc3142ce5e20814e98e582fa9b258501
cda4ba15eebc6ae3a9ab54610b38db04
d44c6490ab1c86adf9a99da1d173fc2f
d86f5160a0ea91bee70972e2bbf2c86d
e8bd65668d68410adacee9463eb1489e
ee70b032f96fb8f484019396aa130a55
ef4fd29b806675346661aec4907a14f7
f39fcd49bdbd7f100047594d8d7875b4
f65d8b3310f758c5d9c0f156d859125f
ff5f8da0f0d4c7e851dbf5c6d94fa0dc

Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138

109.234.34.224


Wednesday 23 December 2015

Malware spam: "FW: Meridian (Acc. No. 51588088) - Professional Fee Invoice"

This fake financial spam comes with a malicious attachment. The sender's name and reference number is randomly generated.

From:    Josie Ruiz
Date:    23 December 2015 at 11:38
Subject:    FW: Meridian (Acc. No. 51588088) - Professional Fee Invoice

Dear Sir/Madam,

Re:  Meridian Professional Fees

Please find attached our fee note for services provided, which we trust meets with your approval.

Payment should be made to Meridian International VAT Consulting Ltd. within the agreed payment terms.

We look forward to your remittance in due course.

Yours sincerely
Josie Ruiz
Financial CEO

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com ______________________________________________________________________
The information in this email and any attachments are the property of ALTAVIA or its affiliates and may contain proprietary and confidential information that is intended for the addressee(s) only. If you are not the intended recipient, please refrain from any disclosure, copying, distribution, retention or use of this information. You are hereby notified that such actions are prohibited and could be illegal. If you have received this e-mail in error, please immediately contact the sender and delete the e-mail. We appreciate your cooperation. Email transmissions being not guaranteed, ALTAVIA and its affiliates decline their liability due to this email transmission, specifically when altered, modified or falsified.
The information contained in this e-mail and any attached files is the property of ALTAVIA and/or its subsidiaries and may be confidential and private information intended for the attention of the addressee only. If you are not the addressee of this message, please do not disclose, copy, distribute, retain or use this information. You are hereby notified that such actions are prohibited and may be illegal. If you have received this e-mail in error, please contact the sender immediately and destroy this e-mail. Thank you for your cooperation. As online correspondence is not an entirely secure medium, ALTAVIA and its subsidiaries decline all liability for this transmission, in particular if its content has been altered, distorted or falsified.
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

The attachment has the same reference number as the subject, and there are at least five different versions (VirusTotal results [1] [2] [3] [4] [5]).

Analysis of the documents is pending, but this is likely to be the Dridex banking trojan.

UPDATE 1

Hybrid Analysis of some of the samples [1] [2] shows some download locations:

146.120.89.92/volkswagen/bettle.php
109.234.34.164/volkswagen/bettle.php


Those IPs belong to:

146.120.89.92 (Ukrainian Internet Names Center LTD, Ukraine)
109.234.34.164 (McHost.Ru Inc, Russia)


The download is actually an executable with a detection rate of 4/53. Its purpose is unknown, but it is certainly malicious. Analysis is still pending.

UPDATE 2

This Threat Expert report and this Hybrid Analysis both report traffic to a presumably hacked server at:

104.131.59.185 (Digital Ocean, US)

Recommended blocklist:
104.131.59.185
146.120.89.92
109.234.34.164

Thursday 17 December 2015

Malware spam: "12/16 A Invoice"

This fake financial spam leads to malware:
From:    Kelley Small
Date:    17 December 2015 at 08:39
Subject:    12/16 A Invoice

Hi,
Please find attached a recharge invoice for your broadband.

Many thanks,
Kelley Small
The sender's name is randomly generated, for example:

Harris Page
Leonel Kramer
Gracie Fuentes
Earlene Aguirre
Jerri Whitfield
Art Keith
Freeman Gregory
Moses Larson
Leanna Fletcher

There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least six different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2] [3] [4] [5] [6] [7]). Detection rates are close to zero.

The Malwr reports for those documents [1] [2] [3] [4] [5] [6] [7] are a mixed bag, but overall they spot data being POSTed to:

179.60.144.18/chicken/bacon.php
91.203.5.169/chicken/bacon.php


Sources tell me there is another download location of:

195.191.25.145/chicken/bacon.php

Those IPs are likely to be malicious and belong to:

179.60.144.18 (Veraton Projects Ltd, Netherlands)
91.203.5.169 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
195.191.25.145 (Hostpro Ltd, Ukraine)



They also GET from:

savepic.su/6786586.png

A file karp.exe is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54. According to this Malwr report this communicates with:

80.96.150.201 (SC-Nextra Telecom SRL, Romania)

It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.

MD5s:

Recommended blocklist:
80.96.150.201
179.60.144.18
91.203.5.169
195.191.25.145

savepic.su

UPDATE 12/1/16 

The same message format is being used for another attack with a slightly different payload, which is the same as used in this spam run.

Wednesday 16 December 2015

Malware spam: "Your account has a debt and is past due" leads to Teslacrypt

This fake financial spam comes with an interesting error in the part that is meant to randomly generate the dollar amount:
From:    Frances Figueroa
Date:    16 December 2015 at 17:22
Subject:    Your account has a debt and is past due

Dear Customer,

Our records show that your account has a debt of $345.{rand(10,99)}}. Previous attempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.
The value, sender's name and attachment name are randomly generated. The attachment is named in the format SCAN_INVOICE_79608749.zip which contains a malicious script that attempts to download Teslacrypt ransomware from the following locations:

whatdidyaysay.com/80.exe?1
iamthewinnerhere.com/80.exe?1


The downloaded binary has a VirusTotal detection rate of 3/54 and an MD5 of 5c2a687f9235dd536834632c8185b32e. Those download locations have been registered specifically for this purpose (they are not hacked sites) and are hosted on:

176.99.12.87 (Global Telecommunications Ltd., Russia)
185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
5.178.71.10 (Serverius, Netherlands)


The following malicious sites are also hosted on those IPs:

These automated reports [1] [2] [3] show that the malware calls home to these following legitimate but hacked domains:

Recommended minimum blocklist:
176.99.12.87
185.69.152.145
5.178.71.10

whatdidyaysay.com
iamthewinnerhere.com

Malware spam: "Unpaid Invoice from Staples Inc., Ref. 09123456, Urgent Notice" leads to Teslacrypt

This fake financial spam is not from Staples or Realty Solutions but is instead a simple forgery with a malicious attachment.

From:    Virgilio Bradley
Date:    16 December 2015 at 14:37
Subject:    Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice

Dear Valued Customer,

This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.

Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.


Regards,
Virgilio Bradley
Customer Service Department
Realty Solutions
182 Shobe Lane
Denver, CO 80216

The names, amounts and reference numbers change from email to email. The attachment name matches the reference number (e.g. invoice_09846839_copy.doc), but despite this I have only seen one version, with a VirusTotal detection rate of just 1/55.

According to this Malwr report, the macro in the document downloads a binary from:

iamthewinnerhere.com/97.exe

This appears to be Teslacrypt ransomware and it has a detection rate of 5/53. Unlike some other malware, the domain iamthewinnerhere.com has been registered specifically to host this malware, and is located on:

185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
84.200.69.60 (Ideal-Hosting UG, Germany)


Nameservers are DNS1.SAYMYLANDGOODBYE.IN and DNS2.SAYMYLANDGOODBYE.IN. Other suspect sites on these IPs are:

According to this Malwr report, it then phones back to these legitimate but hacked domains:

MD5s:
3999736909019a7e305bc435eb4168fd
8f4bd99c810d517fb2d2b89280759862

Recommended minimum blocklist:
iamthewinnerhere.com
185.69.152.145
84.200.69.60



Friday 11 December 2015

Malware sites and evil networks to block (2015-12-11)

This group of domains and IPs is related to this Teslacrypt attack, sharing infrastructure with some of the malicious domains in question. In addition to Teslacrypt, some of these are connected with PoSeidon, Pony and Gozi malware.

The analysis [csv] includes SURBL and Google ratings, ISP information and a recommended blocklist.

Malicious domains:

Partly or wholly malicious IPs:

Recommended blocklist:
46.166.168.64/26 (Duomenu Centras, UA)
80.87.202.0/24 (JSC Server, RU)
96.8.119.0/27 (New Wave NetConnect, US)
104.232.34.128/27 (Net3 Inc, US)
149.202.234.188/30 (OVH / Dmitry Shestakov, BZ)
176.103.48.0/20 (PE Ivanov Vitaliy Sergeevich, UA)
185.18.53.247 (Fornex Hosting, NL)
185.118.64.176/28 (CloudSol LLC, Russia)

I've blocked traffic to 176.103.48.0/20 for two years with no ill effects; it seems to be a particularly bad network. There may be a few legitimate sites hosted in these ranges, but they would mostly be Russian, so if you don't usually visit Russian websites then the collateral damage might be acceptable.
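To see how much each entry in the recommended blocklist above actually covers, and to check proxy-log destinations against it, here is an added Python example (not code from this post). The CIDR entries are the ones listed above; the log lines and their destination addresses are constructed, and the bare entry 185.18.53.247 is treated as a single host (/32).

```python
import ipaddress
import re

# Recommended blocklist from the post above (ISP annotations dropped).
# A bare address such as 185.18.53.247 is treated as a single host (/32).
BLOCKLIST = [
    "46.166.168.64/26",
    "80.87.202.0/24",
    "96.8.119.0/27",
    "104.232.34.128/27",
    "149.202.234.188/30",
    "176.103.48.0/20",
    "185.18.53.247",
    "185.118.64.176/28",
]
NETWORKS = [ipaddress.ip_network(n, strict=False) for n in BLOCKLIST]

def matching_network(ip_str):
    """Return the blocklist network containing ip_str, or None if it is not blocked."""
    ip = ipaddress.ip_address(ip_str)
    for net in NETWORKS:
        if ip in net:
            return net
    return None

def range_sizes():
    """Addresses blocked per entry: the collateral-damage budget of each range."""
    return {str(net): net.num_addresses for net in NETWORKS}

# Constructed proxy log lines (not from the post): "timestamp client dest:port url".
# Two destinations sit just outside a range boundary to show containment is exact.
SAMPLE_LOG = """\
2015-12-11T10:00:01 10.0.0.5 176.103.55.10:80 http://example-a.invalid/
2015-12-11T10:00:02 10.0.0.7 176.103.64.1:80 http://example-b.invalid/
2015-12-11T10:00:03 10.0.0.9 149.202.234.192:443 https://example-c.invalid/
2015-12-11T10:00:04 10.0.0.9 185.18.53.247:80 http://example-d.invalid/
2015-12-11T10:00:05 10.0.0.2 96.8.119.31:80 http://example-e.invalid/
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+)$")

def scan_log(text):
    """Return (dest_ip, network) pairs for lines whose destination is blocklisted."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (net := matching_network(m.group(3))) is not None:
            hits.append((m.group(3), str(net)))
    return hits
```

Printing `range_sizes()` shows the /20 the post discusses blocks 4096 addresses while the /30 blocks only 4, which is the trade-off the paragraph above is weighing.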

Wednesday 2 December 2015

Malware spam: "Your Adler Invoice No. UK 314433178 IN" / "service@adlerglobal.com"

This fake financial spam does not come from Adler Manufacturing Limited but is instead a simple forgery. It is meant to have a malicious attachment, but all of the samples I have seen are malformed.

From:    service@adlerglobal.com
Date:    2 December 2015 at 11:36
Subject:    Your Adler Invoice No. UK 314433178 IN

Dear Customer,

Thank you very much for having placed your order with Adler.

Your goods have been shipped. Please see attached invoice for payment of
your order.

For your convenience, you will find several payment methods described on the
attached invoice (please be sure to include your Adler Order #).

If you have any questions, feel free to contact us.

Best Regards,
Your Adler Customer Service Team

Adler Manufacturing Limited
Eastgate House, 35-43 Newport Road
Cardiff CF24 0AB
Tel.: 0800 0087 555
Fax 0800 0087 666
www.adlerglobal.com

Supposedly attached is a document MD220EML.XLS, but instead all the samples I see just have a Base64-encoded section. Shame. If you go to the effort of decoding them, they are two moderately detected malicious documents (VirusTotal results [1] [2]) which, according to these Malwr reports [3] [4], download a binary from:

vanoha.webzdarma.cz/4367yt/p0o6543f.exe
det-sad-89.ru/4367yt/p0o6543f.exe

These download locations were seen earlier, but the payload has changed to one with a detection rate of 4/55. Those earlier Malwr reports indicate malicious traffic to:

193.238.97.98 (PJSC DATAGROUP, Ukraine)

I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.

MD5s:
a68b72fbfb76964261a3601daa270647
5bb6f5b6dcd693af4c13e73bc6b7ed48
e81b373b90b0124b31648aa3a50ae2e7



Malware spam: "Aline Payment Request" / "Bruce Sharpe [bruce@alinepumps.com]"


This fake financial spam is not from Aline Pumps but is instead a simple forgery with a malicious attachment. In any case, Aline is an Australian company and would not be sending out invoices in UK pounds.
From:    Bruce Sharpe [bruce@alinepumps.com]
Date:    2 December 2015 at 09:44
Subject:    Aline Payment Request

ATTENTION: ACCOUNTS PAYABLE
Dear Sir/Madam,
Overdue Alert
Our records show that your current balance with us is £2795.50 of which £2795.50 is still overdue.
Your urgent attention and earliest remittance of this amount would be appreciated.
We value your business and we would like to resolves any issues as quickly as possible. I am personally available on (02) 8508 4900 or bruce@alinepumps.com
Sincerely,
Bruce Sharpe - Accounts Receivable
PO Box 694 Engadine NSW 2233 P. 02 9544 9999 F. 02 9544 8599 E. bruce@alinepumps.com

Attached is a file Statement_1973_1357257122414.doc which comes in at least three versions (although I have only seen two), with VirusTotal results of 4/55 [1] [2]; automated analysis [3] [4] shows download locations of:

pivarimb.wz.cz/4367yt/p0o6543f.exe
allfirdawhippet.com/4367yt/p0o6543f.exe


Apparently there is another download location of:

sebel.fr/4367yt/p0o6543f.exe

In any case, the downloaded binary is the same and has a detection rate of 3/55. The Malwr analysis and this Hybrid Analysis show it phoning home to:

193.238.97.98 (PJSC DATAGROUP, Ukraine)

I strongly recommend that you block traffic to that IP.

MD5s:
4e87044b5566951e71c5b672ce416c7f
2b1ff4b456e926329a895be8ac136661
b99e4e57b0f319da4578cb957f910581