
Showing posts with label Uzbekistan. Show all posts

Monday 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:
From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )
I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.


I have received two more samples, one named invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.
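The "Word document sent with a .pdf extension" case above is worth handling mechanically: identify an attachment by its leading bytes rather than by its name, and flag any mismatch. The script below is an added example, not code from the original post or from Dynamoo; the sample files in it are constructed stand-ins that carry only the relevant headers and markers (they are not the real invoice574206 attachments), and the VBA checks are triage heuristics, not a macro parser.

```python
# Added example (not code from the original post): identify e-mail attachments
# by their leading bytes instead of trusting the file extension, and flag the
# "Word document named .pdf" case the post describes. Sample files below are
# constructed stand-ins with the right headers, not the real invoice574206 files.

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx/.docm (zip container)
PDF_MAGIC = b"%PDF-"                              # PDF header, allowed within the first 1024 bytes
RTF_MAGIC = b"{\\rtf"

# Extensions that legitimately carry each container type.
CONTAINER_EXTENSIONS = {
    "ole2": {"doc", "xls", "ppt", "msg"},
    "zip":  {"docx", "docm", "xlsx", "xlsm", "pptx", "zip"},
    "pdf":  {"pdf"},
    "rtf":  {"rtf"},
}

# Crude macro indicators. OLE directory entry names are stored as UTF-16LE, so a
# macro-bearing legacy document carries "_VBA_PROJECT" in that encoding; OOXML
# stores macros in vbaProject.bin. These are triage heuristics only: use a proper
# parser such as oletools' olevba for real analysis.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
OOXML_VBA_MARKER = b"vbaProject.bin"


def detect_container(data: bytes) -> str:
    """Return the container type implied by the file's first bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if PDF_MAGIC in data[:1024]:
        return "pdf"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def extension_of(filename: str) -> str:
    """Lower-cased extension, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def has_vba_marker(container: str, data: bytes) -> bool:
    """Heuristic: does the raw file carry a VBA project marker for its container?"""
    if container == "ole2":
        return OLE_VBA_MARKER in data
    if container == "zip":
        return OOXML_VBA_MARKER in data
    return False


def classify_attachment(filename: str, data: bytes) -> dict:
    """Triage one attachment: real container, extension mismatch, macro marker."""
    container = detect_container(data)
    ext = extension_of(filename)
    mismatch = container != "unknown" and ext not in CONTAINER_EXTENSIONS[container]
    return {
        "filename": filename,
        "extension": ext,
        "container": container,
        "extension_mismatch": mismatch,
        "vba_marker": has_vba_marker(container, data),
    }


# Constructed samples (headers and markers only, padded; not real malware).
SAMPLES = {
    # A legacy Word file that also carries a VBA project, correctly named .doc
    "invoice_a.doc": OLE2_MAGIC + b"\x00" * 24 + OLE_VBA_MARKER + b"\x00" * 8,
    # The same kind of file sent with a .pdf extension: Word content, wrong name
    "invoice_b.pdf": OLE2_MAGIC + b"\x00" * 24 + OLE_VBA_MARKER + b"\x00" * 8,
    # A genuine PDF header with no macro container at all
    "statement.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n",
    # A zip-based document whose .docx name hides a macro project
    "order.docx": ZIP_MAGIC + b"\x00" * 26 + b"word/vbaProject.bin" + b"\x00" * 8,
}


def triage(samples: dict) -> list:
    """Classify every sample and return the rows a triage report would show."""
    return [classify_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for row in triage(SAMPLES):
        flags = []
        if row["extension_mismatch"]:
            flags.append("EXTENSION MISMATCH")
        if row["vba_marker"]:
            flags.append("VBA MARKER")
        print(f"{row['filename']:<16} {row['container']:<8} {' '.join(flags)}")
```

Run it on real mail attachments by reading each file's bytes into `classify_attachment`; anything reported as `ole2` or `zip` with a `.pdf` name, or with a VBA marker at all, goes to sandbox analysis rather than to the user.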

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:


This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to:

(Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
(PT. Drupadi Prima, Indonesia)
(Agava Ltd, Russia)
(Elive Ltd, Ireland)
(Mauritius Telecom, Mauritius)
(Choopa LLC, Netherlands)
(FPT Telecom Company, Vietnam)
(Szkola Glowna Gospodarstwa Wiejskiego, Poland)
(Memset Ltd, UK)
(Etihad Atheeb Telecom Company, Saudi Arabia)
(TE Data, Egypt)
(Sibirskie Seti Novokuznetsk, Russia)
(M2 Telecommunications Group Ltd, Australia)
(Marosnet Telecommunication Company LLC, Russia)
(NWT a.s., Czech Republic)
(Wireless Business Solutions, South Africa)
(Uzinfocom, Uzbekistan)


Recommended blocklist:

Friday 27 November 2015

Malware spam: "Invoice" / "Ivan Jarman [IJarman@sportsafeuk.com]"

This fake invoice does not come from Sportsafe UK Ltd but is instead a simple forgery with a malicious attachment.

From     Ivan Jarman [IJarman@sportsafeuk.com]
Date     Fri, 27 Nov 2015 17:21:27 +0530
Subject     Invoice

Sent 27 NOV 15 09:35

Sportsafe UK Ltd
Unit 2 Moorside

Telephone 01206 795265
Fax 01206 795284 
I have received several copies of the spam with the same attachment named S-INV-BROOKSTRO1-476006.doc with a VirusTotal detection rate of 1/54 and which contains this malicious macro [pastebin].

This Malwr report shows the macro downloads from:


The executable has a detection rate of 3/55. The Hybrid Analysis report shows network traffic to:

(Unified Layer, US)
(Telekomunikasyon Anonim Sirketi, Turkey)
(ZAO National Communications / Infobox.ru, Russia)
(Memset, UK)
(Etihad Atheeb Telecom Company, Saudi Arabia)
(1&1, Germany)
(Linknet, Indonesia)
(Uzinfocom, Uzbekistan)

The payload is probably the Dridex banking trojan.


Recommended blocklist:

Thursday 26 November 2015

Malware spam: "Invoice Document SI528880" / "Lucie Newlove [lucie@hiderfoods.co.uk]"

This fake invoice does not come from Hider Food Imports Ltd but is instead a simple forgery with a malicious attachment.

From     Lucie Newlove [lucie@hiderfoods.co.uk]
Date     Thu, 26 Nov 2015 16:03:04 +0500
Subject     Invoice Document SI528880

Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.

Please contact our Sales Department for details.

Hider Food Imports Ltd

Wiltshire Road,
East Yorkshire

Registered in England  Number : 842813

Main Tel: +44 (0)1482 561137
Sales Tel :+44 (0)1482 504333
Fax: +44 (0)1482 565668

E-Mail: mail@hiderfoods.co.uk
Website: http://www.hiderfoods.co.uk

DISCLAIMER: This e-mail and any attachments are private and confidential and are
intended solely for the use of the intended recipient(s).  If you are not the intended
recipient, you must not use, disclose, distribute, copy, print, or rely on this e-mail.
If you have received this e-mail in error, please advise the sender by return e-mail
immediately and delete all copies of this message and any attachments from your systems.
All prices quoted are subject to final confirmation. This e-mail and any other arrangements
between us will be subject to our terms and conditions of business, a copy of which
can be found at our website or available upon request.

ANTIVIRUS: Hider Food Imports Ltd regularly update and utilise current anti-virus
products.  Hider Food Imports Ltd however accept no liability for any damage which
may be caused by any virus transmitted by this e-mail or any attachments.  Recipients
should check this e-mail is free of Viruses.

The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54, and it contains this malicious macro [pastebin] which according to this Hybrid Analysis report downloads a malicious component from:


This executable has a detection rate of just 1/54 and automated analysis [1] [2] [3] [4] [5] shows network traffic to the following IPs:

(Telekomunikasyon Anonim Sirketi, Turkey)
(Level 3, US)
(Memset, UK)
(Uzinfocom, Uzbekistan)
(Marosnet, Russia)
(FPT Telecom Company, Vietnam)
(Jyvaskylan Yliopisto, Finland)
(Szkola Glowna Gospodarstwa Wiejskiego, Poland)
(Centr, Kazakhstan)

The payload is probably the Dridex banking trojan.


Recommended blocklist:

I accidentally included in a previous version of the blocklist. This IP is for Windows Update (I deleted it from the first list, not the second one!). If you have blocked this IP then I recommend that you unblock it.
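The correction above is the usual failure mode when a blocklist is assembled by hand from sandbox output: a legitimate address (here a Windows Update server) that merely appeared in the traffic capture ends up blocked. The script below is an added example, not the post's own tooling, showing how to turn "IP (Organisation, Country)" lines of the kind listed under "network traffic to" into a deduplicated blocklist while refusing non-routable addresses and anything on a never-block list. Its input and never-block list are constructed; the addresses are RFC 5737 documentation ranges and the "Example Update Service" entry is a placeholder, not the real Windows Update address.

```python
import ipaddress
import re

# Added example (not the post's own tooling): turn "IP (Organisation, Country)"
# lines of the kind the post lists under "network traffic to" into a deduplicated
# blocklist, while refusing addresses that must never be blocked. The post's own
# correction (a Windows Update address that slipped into a list) is the failure
# mode this guards against. Input and allowlist are constructed; the addresses are
# RFC 5737 documentation ranges, not the real ones from the post.

ANALYSIS_LINES = """\
203.0.113.17 (Example Telekom, Turkey)
198.51.100.9 (Example Hosting Ltd, UK)
203.0.113.17 (Example Telekom, Turkey)
192.0.2.44 (Example ISP, Uzbekistan)
10.0.0.5 (sandbox gateway)
192.0.2.200 (Example Update Service, US)
Some narrative text without an address
"""

# Hypothetical "never block" list: update servers, CDNs, the mail gateway. Fill
# this from your own environment; 192.0.2.200 is a placeholder, not a real one.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.200/32")]

# Ranges that are never a remote C2 but do show up in sandbox pcaps (the sandbox's
# own gateway, DNS, broadcast traffic). Listed explicitly rather than via
# is_global because Python also treats the documentation ranges as non-global.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\((.*)\)\s*$")


def parse_line(line: str):
    """Return (IPv4Address, label) for an 'IP (label)' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1)), m.group(2).strip()
    except ValueError:        # e.g. 999.1.1.1 matches the regex but is not an address
        return None


def build_blocklist(text: str, allowlist) -> dict:
    """Parse analysis output into {'block': [...], 'skipped': [(ip, reason), ...]}."""
    seen = set()
    block, skipped = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _label = parsed
        if ip in seen:
            skipped.append((str(ip), "duplicate"))
            continue
        seen.add(ip)
        if any(ip in net for net in NON_ROUTABLE):
            skipped.append((str(ip), "non-routable"))
        elif any(ip in net for net in allowlist):
            skipped.append((str(ip), "allowlisted"))
        else:
            block.append(ip)
    return {"block": [str(ip) for ip in sorted(block)], "skipped": skipped}


def render_ipset(set_name: str, addresses) -> list:
    """Shell lines that load the list into an ipset and reject egress to it."""
    lines = [f"ipset create {set_name} hash:ip -exist"]
    lines += [f"ipset add {set_name} {ip} -exist" for ip in addresses]
    lines.append(f"iptables -I OUTPUT -m set --match-set {set_name} dst -j REJECT")
    return lines


if __name__ == "__main__":
    result = build_blocklist(ANALYSIS_LINES, NEVER_BLOCK)
    for ip, reason in result["skipped"]:
        print(f"# skipped {ip}: {reason}")
    print("\n".join(render_ipset("malware_c2", result["block"])))
```

The skipped entries are printed as comments on purpose: a reviewer should see what was left out and why before the rules are loaded, which is exactly the check that would have caught the Windows Update address.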