Sponsored by..

Showing posts with label Vawtrak. Show all posts
Showing posts with label Vawtrak. Show all posts

Monday 5 December 2016

Malware spam: "Shipping status changed for your parcel # 1996466" / ups@ups-service.com

This fake UPS spam has a malicious attachment:

From:    UPS Quantum View [ups@ups-service.com]
Date:    5 December 2016 at 17:38
Subject:    Shipping status changed for your parcel # 1996466

Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.

There must be someone present at the destination address, on the delivery day, to receive the parcel.

Shipping type: UPS 3 Day Select
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.

The delivery invoice  can be downloaded from our website :

Thank you for shipping with UPS

Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.
The link in the email actually goes to a URL vantaiduonganh.vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipients email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain.

This DOC file contains a malicious macro, the Malwr report indicates that it downloads components from:


Those two locations are legitimate hacked sites. This has a detection rate of 7/56 plus a DLL with a detetion rate of 37/56. The malware appears to be Hancitor / Pony / Vawtrak, phoning home to:


Both of these are hosted on the same IP address of (Planetahost, Russia). The following malicious domains are also hosted on the same IP:


Recommended blocklist:

Wednesday 23 November 2016

Malware spam: "financial records subpoena" / lawfirmofoklahoma.com

This spam purports to come from Michael T Diver who is a real Oklahoma attorney, but it doesn't really and is jut a simple forgery:

From:    MICHAEL T. DIVER [michael -at- lawfirmofoklahoma.com]
Date:    23 November 2016 at 15:24
Subject:    RE:RE: financial records subpoena

See you in court !!!

Subpoena for server

Thank you,


T (405) 608-4990

F (405) 608-4991
The telephone number and also potentially the email address are genuine, but they are certainly not being sent from this law firm.

The link in the email goes to a legitimate but hacked Vietnamese site at techsmart.vn/backup2/get.php?id=[base64-encoded-part] (the last bit is a Base 64 representation of the victim's email address).

In testing the payload site was down, but previous emails of this type have lead to the Vawtrak banking trojan.

Monday 21 November 2016

Malware spam: "Your LogMein.com subscription has expired!" / billing@secure-lgm.com

This fake financial spam leads to malware:

From:    billing@secure-lgm.com
Date:    21 November 2016 at 18:35
Subject:    Your LogMein.com subscription has expired!

Dear client,

You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.

You can download the bill directly from the LogMeIn website:

Please use another credit card or payment method in order to avoid complete service interruption.
Event type: Credit Card Declined
Account email: [redacted].com
At: 21/11/2016

If you need more help, visit LogMeIn Support at:
http://solutions.logmein. com/SalesContactUs

Important Security Notice:
LogMeIn will never for your password or other sensitive information by email. 

(Please don't reply to this email, as it's sent from an address that's not monitored.)

© LogMeIn Inc      
The link in the email actually goes to a page at reg.vn/en/view_bill.php?id=encoded-email-address  (where the last part is the email address in Base 64 encoding). It downloads a malicious document lgm_bill69290.doc with a current detection rate of 8/55

Automated analysis [1] [2] shows malicious network traffic to and from:


A malicious executable is dropped with a detection rate of 7/57. The payload appears to be Hancitor / Vawtrak.

The domain secure-lgm.com appears to have been created for the purposes of sending the email. The probably fake WHOIS details are:

Registrant Name: Nikolay Vazov
Registrant Organization: NA
Registrant Street: 106 Vitosha Blvd.
Registrant City: Sofia
Registrant State/Province: Sofia
Registrant Postal Code: 1463
Registrant Country: bg
Registrant Phone: +359.28058181
Registrant Phone Ext:
Registrant Fax: +359.28058787
Registrant Fax Ext:
Registrant Email: nokolay.vazov@mail.bg

Recommended blocklist: