Sponsored by..

Tuesday 28 April 2015

Malware spam: "INVOICE PD Will Comm" / "richard will [contactwill@hotmail.com]"

This malicious spam does not come from Will Communications but is instead a simple forgery with a malicious attachment.

From:    richard will [contactwill@hotmail.com]
Date:    28 April 2015 at 09:05
Subject:    INVOICE PD Will Comm

Thank-you for your payment!

Richard Will

Will Communications, Inc.
richard@willcommunications.com

The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56 and it contains this malicious macro [pastebin]. In this case, the macro downloads a component from:

http://massachusettsselfstorage.com/62/927.exe

..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53. There may well be other documents that download from other locations, but the binary will be the same in all cases.

Automated analysis tools [1] [2] [3] show that it attempts to communicate with the following IP:

185.12.95.191 (RuWeb CJSC, Russia)

According the the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56.

MD5s:
67a5facf854a72382a8d8e308027baa3
f998950151c5922cd2c338290e78a420
59f03febb357e343f33937b9925b8846

Monday 27 April 2015

Malware spam: "[1138593] Booking.com Invoice 01/03/2015 - 31/03/2015" / "invoice@booking.com"

This fake invoice email does not come from Booking.com but is a simple forgery with a malicious attachment.
From:    invoice@booking.com
Date:    27 April 2015 at 08:55
Subject:    [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

Dear customer,

Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.

If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail:  ).

Thank you for working with Booking.com.
The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://voipconcerns.com/62/927.exe

There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] [3] show an attempted network connection to:

185.12.95.191 (RuWeb CJSC, Russia)

According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57.

MD5s:
6aa26f04b22b284dda148ce317f53de8
a92cdc17c74b1a008d3c239006fdf042
1c90c45e0bdfb91a8a73c1f6d1e738fe

Friday 24 April 2015

Malware spam: "Pidwell, Nigel [nigel.pidwell@ssecontracting.com]" / "Western Order"

The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:
From:    Pidwell, Nigel [nigel.pidwell@ssecontracting.com]
Date:    24 April 2015 at 08:47
Subject:    Western Order

Regards

Nigel Pidwell
Administrator
SSE Contracting Limited
T: +44 (0) 1637 889506
E: nigel.pidwell@ssecontracting.com
Unit 8, Hurling Way,
St Columb Major Business Park, St Columb Major, Cornwall
TR9 6SX
www.sseenterprise.co.uk



So far I have only seen one sample Western Order.doc [VT 4/57] which contains a malicious macro [pastebin] which is functionally identical to the one used in this spam run which was also happening this morning.

Malware spam: "Colin Fox [colin@nofss.co.uk]" / "Invoice 519658"

This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).
From:    Colin Fox [colin@nofss.co.uk]
Date:    24 April 2015 at 09:40
Subject:    Invoice 519658

Please find Invoice 519658     attached 
The attachment is Sales Invoice 519658.pdf [VT 2/57] This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55] which in turn contains a malicious macro that looks like this [pastebin].

There may be different versions of the macro, but in this case it downloads a component from:

http://bepminhchi.com/83/61.exe

..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] show an attempted network connection to:

185.12.95.191 (RuWeb CJSC, Russia)
149.154.64.70 (TheFirst-RU, Russia)
78.24.218.186 (TheFirst-RU, Russia)
89.28.83.228 (StarNet SRL, Moldova)


In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228

Sample MD5s:
da26ed1b6fe69d15a400b3bc70001918
b37ea697df790121e4dda35d8ba172c3
0ea69ef635257be03043a3f70f013475
29471c1aabae10d205f474a3299486ec


Thursday 23 April 2015

Malware spam: "Refund on order 204-2374256-3787503" / "Amazon.co.uk [payments-messages@amazon.co.uk]"

This fake Amazon spam comes with a malicious attachment:

From:    Amazon.co.uk [payments-messages@amazon.co.uk]
Reply-To:    "Amazon.co.uk" [payments-messages@amazon.co.uk]
Date:    23 April 2015 at 09:58
Subject:    Refund on order 204-2374256-3787503

Dear Customer,

Greetings from Amazon.co.uk.

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1161010

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
it: http://get.adobe.com/reader/

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
refunds.

Thank you for shopping at Amazon.co.uk.

Sincerely,

Amazon.co.uk Customer Service
http://www.amazon.co.uk


Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again


Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions, however the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:

http://qube.co.il/42/335.exe

..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools [1] [2] [3] [4] indicate that it calls out to the following IPs:

185.12.95.191 (RuWeb CJSC, Russia)
87.236.215.151 (OneGbits, Lithuania)
94.23.171.198 (OVH, Czech Republic)
185.35.77.250 (Corgi Tech, UK)
149.154.64.70 (TheFirst-RU, Russia)

The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.

Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70

MD5s:
e52a8d15ee08d7f8b4efca1b16daaefb
57b54e248588af284871c2076f05651c
ca5c5b79ce16d888ba2a6747b9d033d3


Wednesday 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

Made in Russia
I have only seen one sample of this spam so far, it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez
RESTAURANT GROUP PLC

In this case, the link in the email goes to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC

..which includes the victim's email address in the URL. In turn, this redirects to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs  

As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:

http://185.91.175.183/sas/evzxce.exe

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs:

144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)


According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18


MD5s:
1fc2abec9c754e8cc1726bf40e0b3533
af8ff1ea180d5c45b4bb8c8f17c6cddc
57b54e248588af284871c2076f05651c



Tuesday 21 April 2015

Malware spam: "Australian Taxation Office - Refund Notification" / "Australian Taxation Office [noreply@ato.gov.au]"

G'day mate. Despite not being an Aussie and never having paid a single Australian cent in tax, apparently I'm due a tax refund from the Australian Tax Office. Bonzer!

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    21 April 2015 at 21:36
Subject:    Australian Taxation Office - Refund Notification

IMPORTANT NOTIFICATION

Australian Taxation Office - 22/04/2015

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 218.21 AUD.

To view/download your tax notification please click here or follow the link below :
https://www.ato.gov.au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=report2104_4343697

Brett Newman, Tax Refund Department Australian Taxation Office 

Despite the "gov.au" site that apparently displays in the link, it actually leads to a download from i.nfil.es and it leads to a ZIP file called report2104.zip which in turn contains the malicious executable report2104.exe.

Currently this malware has a reasonable detection rate of 23/57. Out of various automated analysis tools, only the Payload Security Hybrid Analysis engine gave a decent result indicating that a connection was made to a legitimate but hacked site relianceproducts.com and then several versions of the same .EXE were downloaded, which this VirusTotal report indicates is the Dyre banking trojan. That same VirusTotal post also lists a number of C&C servers that you might want to block:

213.239.214.42
81.162.123.76
77.87.99.67
62.122.69.150
91.238.74.70
62.122.69.172
91.194.239.126
94.231.178.46
194.28.190.167
80.234.34.137
213.111.243.60
46.149.253.52
37.57.101.221
134.249.63.46
85.192.165.229
46.151.48.149
195.34.206.204
62.122.69.159
188.123.34.203
178.18.172.215
91.232.157.139
46.151.49.128
195.206.255.131
37.232.185.114
176.120.201.9
62.182.33.16
46.180.147.50
46.175.23.130
46.151.48.184
84.16.55.12
84.16.54.22
84.16.55.122
93.184.71.88
83.168.164.18
212.89.237.65
176.109.58.78
212.37.81.96
95.165.196.227
195.34.239.93
77.234.235.48
109.236.121.136
217.12.59.238
181.189.152.131
194.28.190.183
95.67.88.84
176.56.24.229
178.136.123.22

Malware spam: "LAG invoice I413136" / "Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]"

This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
From: Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]
Sent: Tuesday, April 21, 2015 9:55 AM
Subject: LAG invoice I413136

Dear Accounts Payable,

Attached is a copy of invoice  I413136 .The items were shipped.  Please feel free to contact me if you have any questions or cannot read the attachment.
                 
Thank you for your business.

Sincerely,

Lichelle Ebner
L. A. Grinding Company
Ph. (818) 846-9134
FAX (818)846-1786
So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57 and which contains this malicious macro [pastebin], in turn this downloads a component from:

http://eternitymobiles.com/25/144.exe

..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56.

Automated analysis tools [1] [2] [3] show that it attempts to communicate with a familiar IP:

89.28.83.228 (StarNet SLR, Moldova)

According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56.

Recommended blocklist:
89.28.83.228

MD5s:
02492b954b48f13412a844d689d064f1
7f7f476e83a253794b36cb7a16c04902
155643eb342c5b65a6f5a1391fe2396b




Monday 20 April 2015

Malware spam: "Hector Malvido [handyman1181@hotmail.com]" / "Pending payment"

This spam comes with a malicious attachment:

From:    Hector Malvido [handyman1181@hotmail.com]
Date:    20 April 2015 at 10:51
Subject:    Pending payment

This invoice shows in my records that has not being pay can you review your records please
Attached is a file filename-1.doc (3/57 detection by AV vendors) which may come in many different versions, but the samples I have all have this malicious macro [pastebin] which downloads another component from the following location:

http://kafilahgroup.com/55/55.exe

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] [4] show it phoning home to:

89.28.83.228 (StarNet SLR, Moldova)

The Malwr report shows that it drops a Dridex DLL with a 3/57 detection rate.

Recommended blocklist:
89.28.83.228

MD5s:
673626be5ea81360f526a378355e3431
7ca6884ad8900797c7f0efaaabe0c0da
8c0661aefa9aa25d8fddf2a95297e04e

Friday 17 April 2015

Malware spam: "Julie Mckenzie [julie0526@swift-cut.co.uk]" / "Credit Card Statement"

This spam does not come from Swift Cut, but is instead a simple forgery with a malicious attachment:

From:    Julie Mckenzie [julie0526@swift-cut.co.uk]
Date:    17 April 2015 at 12:24
Subject:    Credit Card Statement

Hi
Attached your credit card statement.
Can you return with receipts by Friday 17th April.
Thanks
Julie
 
Julie McKenzie
Sales Administrator
Tel +44 (0)1543 473300
E-mail julie@swift-cut.co.uk
Attached is a file C Swift Credit Card.doc which comes in at least four different versions, all of which are malicious and all of which have a macro similar to this one [pastebin].

These macros download a file from one of the following locations:

http://oolagives.com/24/733.exe
http://derekthedp.com/24/733.exe
http://sempersleep.com/24/733.exe

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54 (identified clearly as a Dridex component). Automated analysis [1] [2] [3] [4] shows that it attempts to communicate with:

46.36.219.32 (FastVPS, Estonia)


I recommend that you block traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53.

MD5s:
6c784bec892ce3ef849b1f34667dccac
ec35660657404295a78d8d1bcb1f1071
89b87b7c5c38039a4a46060f00a1ec37
40862ce3abb02d69ec31b8a1b62fef95
59fe482009fecc8761809a9c974a143e
f840f9075a178ab579ed2e4c622bc291


Scam: "Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK)," / "Royal Queens Hotel"

This spam email forms part of a Conference Scam:


From:    United Nations Summit [no_replytoold@live.com]
Reply-To:    unitednation.unt@gmail.com
Date:    16 April 2015 at 17:59
Subject:    Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),

Dear Invitee, Nonprofit/NGO Colleague,

UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.

Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.

The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel.

Venue: Queen Elizabeth II Conference Centre (QEIICC)
Date:5th-9th May, 2015.
Conference Theme:Impact and implications of the global financial and economic crisis on sustainable development & climate change proposals for an integrated global response to the crisis.

For further details about registration form,visa,flight ticket and other details, write an acceptance letter to be part of this event and send it directly via our Official e-mail together with your cellphone number for confirmation.

Send us e-mail:
unitednations_summit@secretary.net
unitednations.summit@aol.fr
or Call Dr. Pitt Thomas for more information +44703-597-1620.

We look forward to meeting you at the forthcoming Global Financial and Economic Crisis conference.

Register Now!!!!

Mrs.Kathleen Fitzpatrick
(Organizing Secretary)
Communication and Public Affairs.

United Nations-Nations Unites
Division for Social Policy and Economic Development Department of Economic
and Social Affairs Room UK2-1324, 2 United Nations Plaza, England, United
Kingdom.
What's the scam? Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." These is no hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel.. and will then vanish with your money.


There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a fake hotel website to make the scam more credible.

Avoid.

Thursday 16 April 2015

Malware spam: "Decisive notification about your Automated Clearing House payment"

This fake ACH spam leads to malware:

From:    aileen.alberts@[redacted]
Date:    16 April 2015 at 15:55
Subject:    Decisive notification about your Automated Clearing House payment


The Automated Clearing House transaction transfer, recently initiated from your company"s online bank account, has been rejected by the EPA.

Rejected ACH payment
Automated Clearing House transfer Case # L669461617
Transaction Total 27504.02 US Dollars
Email [redacted]
Reason of Termination Download full details

Please visit the link provided at the top to see more information about this problem.
The link in the email goes to a download location at dropbox.com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro [pastebin].

I haven't had the time to analyse it fully, but it is rather different from other offerings. From what I can tell, it downloads an encrypted file [pastebin] from:

sundsvallsrk.nu/tmp/1623782.txt or
hpg.se/tmp/1623782.txt

And some sort of executable from Dropbox with a detection rate of 3/57. Automated analysis tools are inconclusive at the moment [1] [2] although the Payload Security report does show several dropped files including two malicious scripts [pastebin].

Of note is that one of the scripts downloads what looks like a PNG from:

savepic.su/5540444.png

For now, I would recommend blocking traffic to
sundsvallsrk.nu
hpg.se
savepic.su

For researchers only, I have an archive of some of the files here, password is infected.

Wednesday 15 April 2015

pdatamc.org / publicdmc.cn domain scam

This email message is actually a spam promoting a long-running scam where an unscrupulous party is attempting to sell overpriced and worthless domains to their intended victim.

From: Bruce Lo [mailto:bruce@publicdmc.cn]
Date: 14:59 Wednesday 15th April 2015
Subject: [victimdomain] Registration
Priority: High

To whom it may concern:

We are the Registrars accredited by China Internet Network Information Center. We have something to confirm with you. On April 7, 2015, we received an application in which a company by the name Presg Group applied to register " victimdomain " as their Brand Name and some Asia domain names through our firm.

Now we are handling this registration. After our initial checking, we found that the name are identical to your company's. We need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If not, please let us know within 7 workdays, in which case we will dicuss the matter more thoroughly. If not otherwise advised within that time limit we will proceed with the registration for Presg Group . We will be waiting for your reply. Have a nice day!

Best Regards

Bruce Lo
Registration Dept.
Phone: +86.55165184482
Fax:    +86.55165128724
Website:http://www.pdatamc.org/
Address: No. 789, XiYou Road, Zhengwu District, HeFei City, AnHui Province, China  
I've explained this particular scam so many times that I made a video explaining it..

businessexecutives01.com / theexecutivesbrand.com scam

This is a grubby "Who's Who scam"

From:    Sterling Hudson
Date:    15 April 2015 at 14:12
Subject:    Re: you were chosen as a potential candidate...

Dear,

You were recently chosen as a potential candidate to represent 2015 Worldwide Branding Registry of Distinguished Professionals and Executives.
We are pleased to inform you that your candidacy was formally approved May 2nd. Congratulations. The Publishing Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals.
Given your background, the Director believes your profile makes a fitting addition to our publication. There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your registry listing within seven business days.
Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishments within their own geographical area.
To verify your profile and accept the candidacy, please visit here.

Our registration deadline for this year's candidates is May 28th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievement and look forward to welcoming you to our association.
Sincerely,

Benjamin Morisson
Editor in Chief
Worldwide Selection Committee 2015

If you don't want to receive emails any more, please Unsubscribe
The link in the email does to www.businessexecutives01.com:8133/wayne/ which is an anonymously registered domain hosted on a spam server at 123.249.39.89 in China. The links on businessexecutives01.com  website all lead to theexecutivesbrand.com which is basically a mirror of the content.

There are a number of this scammy spam sites on the same servers. I recommend that you block all the following sites as spam:

businessexecutives01.com
dirtyemojis.ru
foldemholdem.com
ironchampusa.ru
truepeptide.net
theexecutivesbrand.com




Malware spam: "Invoice from Living Water" / "Natalie [mailto:accounts@living-water.co.uk]"

This fake invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.
From: Natalie [mailto:accounts@living-water.co.uk]
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water

Dear Customer  :

Your invoice is attached.  Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Living Water
0203 139 9051
In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55. This contains a malicious macro [pastebin] which downloads a file from the following location:

http://adlitipcenaze.com/353/654.exe

There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currecntly has a detection rate of 6/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:

89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)

According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100

MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328

Tuesday 14 April 2015

Digital Networks CJSC aka DINETHOSTING and 79.137.224.0/20

A few years ago Digital Networks CJSC (DINETHOSTING) was hosting a significant amount of toxic crap in the 79.137.224.0/20 range (examples: [1] [2] [3] [4]). Although they still host a significant amount of crap, this particular range now looks almost clean and does have quite a few legitimate (mostly Russian) customers on it.

I ran an analysis on 1672 sites [csv] in this range and only two were tagged as malicious by Google and none by SURBL, which is actually less than I would expect on a sample of this size. I note that many sites have reputational problems at WOT which seem to be because of an expired Spamhaus listing (see this example).

If you've blocked this /20 then I suggest that it is reasonably safe to unblock, although I would regard other DINETHOSTING ranges with caution.

Malware spam: "Kairen Varker [mailto:kvarker@notifications.kashflow.com]" / "Invoice from"

This fake invoice has a malicious attachment:
From: Kairen Varker [mailto:kvarker@notifications.kashflow.com] On Behalf Of Kairen Varker
Sent: Tuesday, April 14, 2015 9:26 AM
Subject: Invoice from

I have made the changes need and the site is now mobile ready . Invoice is attached
In this case the attachment is called Invoice-83230.xls which is currently undetected by AV vendors. It contains this malicious macro [pastebin] which downloads a component from the following location (although there are probably more than this):

http://925balibeads.com/94/053.exe

This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] [4] shows the malware phoning home to:

78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, RUssia)
89.28.83.228 (StarNet SRL, Moldova)

The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57.

Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228

MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995

Thursday 9 April 2015

Namailu.com spam

This spam has been appearing in my inbox for several days now:

From:    Shana Felton [9k7bf-2976014268@serv.craigslist.org]
Date:    9 April 2015 at 19:10
Subject:    New commitment invitation - [redacted]

Hi Namailu User,
You have a commitment invitation from Sarah Smith. To view your commitment invitation please follow this link:
Copyright © 2015, Namailu Online Ltd
|
|
|

I've never heard of Namailu so I assumed that it was a virus. I couldn't detect a malicious payload though, and further investigation indicates that this is a wannabe dating site that appears to be promoting itself through spam.

Clicking through the link leads to https://www.namailu.com/Smith.Sarah.206

Obviously we are lead to believe that the girl in the picture is sending the message.

Reverse image search comes up with no matches, unusually. Goodness knows how many people there are called "Sarah Smith" in New Zealand. Probably quite a lot.

The spam messages come from a range of IPs that are also used to spam out promotional material for a site called dirtyemojis.com (using a redirector of dirtyemojis.ru). The spam is sent from a range of Chinese IP addresses, including:

115.221.50.15
115.221.50.179
115.221.51.238
115.221.53.228
115.221.54.15
115.221.55.46
115.221.56.29
115.221.60.212
115.221.63.38

In each case the "From" address is fake, for example:

Shana Felton [9k7bf-2976014268@serv.craigslist.org]
Nestor Blackwell [orders@floristexpress.com.au]
Shirley Webb [rio@e-mail.com]
Mauricio Lundy [marilyndukacz@aol.com]
Edward Ybarra [v.wittke@schafmail.de]

A quick search of the body text of the message shows that it has been spammed out quite widely.

Although the site uses HTTPS, there is no ownership information. The WHOIS details are also anonymised, which is always a red flag for anything handling your personal data.

There are no contact details on the website, but the "User Agreement" page says that it is owned by Namailu Online Limited of New Zealand. It turns out that the New Zealand Companies Office offers very good information, and this is actually a real company.

The two directors listed are:

Philipp Rudolf RIPA
26 Whitehills Road, Rd 1, Silverdale, 0994 , New Zealand

Rudolf SAYEGH
111 Pilkington Road, Panmure, Auckland, 1072 , New Zealand

Incidentally, if you want to serve legal papers then the Pilkington Road address is the one to use. There aren't many people by the name of "Philipp Ripa" or "Rudolf Sayegh" in New Zealand, that is for sure.

A look at their Facebook page shows some information about the product being in development, but no other real details. Their spares Twitter page at @namailu shows they have four followers. I am one of them.


I'm going to be charitable and suggest that the people running Namailu have contracted another party to do the spamming and are possibly unaware of what is going on.

However, this clueless approach does not bode well for a site that deals in highly personal data and my personal opinion would be to give this particular outfit a very wide berth.

Malware spam: "Matthews, Tina [tina@royalcarson.com]" / "Credit card transaction" / "Royal Wholesale Electric"

This fake financial spam does not come from Royal Wholesale Electric but it is instead a simple forgery with a malicious attachment.
From:    Matthews, Tina [tina@royalcarson.com]
Date:    9 April 2015 at 10:48
Subject:    Credit card transaction

Here is the credit card transaction that you requested.

Tina Matthews
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
310-637-6377 Phone
310-603-9883 Fax
tina@royalcarson.com
Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.

The document is currently undetected by AV vendors and contains a malicious macro [pastebin] which downloads a binary from:

http://onemindgroup.com/366/114

This is saved as %TEMP%\ittext1.5.exe and has a VirusTotal detection rate of 3/49. Automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.230.60.219 (Docker Ltd, Russia)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
87.236.215.103 (OneGbits, Lithuania)
128.199.203.165 (DigitalOcean Cloud, Singapore)
128.135.197.30 (University Of Chicago, US)
185.35.77.160 (Corgi Tech Limited, UK)
46.101.38.178 (Digital Ocean, UK)
95.163.121.51 (Digital Networks CJSC aka DINETHOSTING, Russia)
92.41.107.253 (Hutchison 3G, UK)

According to the Malwr report  is also drops another variant of the downloader [VT 4/57] and a Dridex DLL [VT 4/57].

Recommended blocklist:
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24

MD5s:
03ab12e578664290fa17a1a95abd71c4
48f39c245ec68bdbe6c0c93313bc8f74
90ebd79d1eac439c9c4ee1a056c9e879
62f33c7b850845cb66dcaa69e2af4443



Wednesday 8 April 2015

Malware spam: "Invoice from COMPANY NAME" / 31.24.30.12 / 46.30.43.102

This Dridex spam takes a slightly different approach from other recent ones. Instead of attaching a malicious Office document, it downloads it from a compromised server instead.

The example I saw read:
From:    Mitchel Levy
Date:    8 April 2015 at 13:45
Subject:    Invoice from MOTHERCARE

Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.

Download your invoice here.

Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.

Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipients email address. It also has the recipients email address embedded in the URL, for example:

http://victimbfe.afinanceei.com/victim@victim.domain/

This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:

I guess perhaps the bad guys didn't notice "Califonia Institute of Technology" written behind "Information Management Systems & Services". The link in the email downloads a file from:

http://31.24.30.12/api/Invoice.xls

At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://31.24.30.12/api/ shows a fake page pretending to be from Australian retailer Kogan.



As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:


That's pretty easy to decode, and it instructs the computer to download a malicious binary from:

http://46.30.43.102/cves/kase.jpg

This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC.

This binary has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] [4] show it communicating with the following IPs:

109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)

In addition there are some Akamai IPs which look benign:

184.25.56.212
184.25.56.205
2.22.234.90

According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.

Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478

UPDATE 1:

There is at least one other server at  95.163.121.22 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 95.163.121.0/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others given the limited alphabetic range

abiliingfinance.com
abilingffinance.com
abilingfienance.com
abilingfinaance.com
abilingfinancee.com
abilingfinancey.com
abilingfinnance.com
abilingggfinance.com
abilinngfinance.com
afinanccebifling.com
afinanccebiling.com
afinanceas.com
afinancebbi.com
afinancebill.com
afinancecc.com
afinanceebb.com
afinanceei.com
afinancei.com
afinanceobilhing.com
afinanceobiling.com
afinanceqbilzing.com
afinancesh.com
afinancewbidling.com
afinanceyer.com
afinancrebiling.com
afinancrebixling.com
afinandebiling.com
afinangebiling.com
afinangebilqing.com
afinanrebileing.com
afinanrebiling.com
afinansebiling.com
afinansebilling.com
afinanwebiling.com
afinanwebilsing.com
asfinancebbi.com
asfinancebill.com
asfinancecc.com
asfinancee.com
asfinanceebb.com
asfinanceei.com
asfinancei.com
asfinancesh.com
asfinanceyer.com
assfinanceas.com
bbbilingfinancee.com
bbiliingfinance.com
bbilingffinance.com
bbilingfienance.com
bbilingfinaance.com
bbilingfinancee.com
bbilingfinancey.com
bbilingfinnance.com
bbilingggfinance.com
bbilinngfinance.com
bbillingfinance.com
biliingfinance.com
bilingffinance.com
bilingfienance.com
bilingfinaance.com
bilingfinancee.com
bilingfinancey.com
bilingfinnance.com
bilingggfinance.com
bilinngfinance.com
cfinanccebifling.com
cfinanceobilhing.com
cfinanceqbilzing.com
cfinancewbidling.com
cfinancrebixling.com
cfinandebilping.com
cfinangebilqing.com
cfinansebilling.com
cfinanwebilsing.com
financcebifling.com
financcebiling.com
financeobilhing.com
financeobiling.com
financeqbilzing.com
financewbidling.com
financewbiling.com
financrebiling.com
financrebixling.com
finandebilping.com
finangebiling.com
finangebilqing.com
finanrebileing.com
finanrebiling.com
finansebiling.com
finansebilling.com
finanwebiling.com
finanwebilsing.com