From: admin [admin@victimdomain.tld]I have seen just a single sample with a document named DOC201114-201114-001.DOC which has a detection rate of 4/53 and which according to this Malwr report downloads from:
Date: 19 January 2016 at 09:42
Subject: More scans
From: Adeline Harrison [HarrisonAdeline20@granjacapital.com.br]I have seen at least four different variations of the attachment, named in the format remittance_advice14DDA974.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show those samples communicating with:
Date: 19 January 2016 at 09:45
Subject: Remittance Advice 1B859E37
For the attention of Accounts Receivable,
We are attaching an up to date remittance advice detailing the latest payment on your account.
Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
Kind regards,
Adeline Harrison
Best Regards,
Adeline Harrison
Senior Finance Assistant, Bellingham + Stanley
Bellingham + Stanley
Longfield Road
Tunbridge Wells
Kent, TN2 3EY
United Kingdom
Office: +44 (0) 1892 500406
Fax: +44 (0) 1892 543115
HarrisonAdeline20@granjacapital.com.br
www.bellinghamandstanley.com
UPDATE 1: this related spam run also downloads from:
91.223.88.206/victor/onopko.php
This is allocted to "Private Person Anton Malyi" in Ukraine.
From Raashida Sufi [Raashida.Sufii@dmgmedia.co.uk]I have seen three different versions of the malicious attachment Invoice.doc (VirusTotal results [1] [2] [3]). The Malwr analysis of these documents [4] [5] [6] shows that the payload is identical to the Dridex banking trojan described here.
Date Tue, 19 Jan 2016 11:40:37 +0300
Subject Daily Mail - Payment overdue
Hi,
I have currently taken over from my colleague Jenine so will be your new POC going
forward.
I have attached an invoice that is currently overdue for £360.00. Kindly email me
payment confirmation today so we can bring your account up to date?
Kind Regards
Rash Sufi
Credit Controller, dmg media Finance Services
Telephone: +44(0)203 615 5083 Email: Raashida.Sufi@dmgmedia.co.uk
Shared Values: Customer Focus, Excellence, Innovation, Integrity, Teamwork, Accountability,
Learning
P.O. Box 6795, St. George Street, Leicester, LE1 1ZP
______________________________________________________________________
This e-mail and any attached files are intended for the named addressee only. It
contains information, which may be confidential and legally privileged and also protected
by copyright. Unless you are the named addressee (or authorised to receive for the
addressee) you may not copy or use it, or disclose it to anyone else. If you received
it in error please notify the sender immediately and then delete it from your system.
Associated Newspapers Ltd. Registered Office: Northcliffe House, 2 Derry St, Kensington,
London, W8 5TT. Registered No 84121 England.
From info17@Resellers.insureandgo.comThe sender appears to be from info[some-random-number]@Resellers.insureandgo.com, but it is just a simple forgery. Attached is a malicious Word document that I have seen five different versions of (VirusTotal results [1] [2] [3] [4] [5]).
Date Tue, 19 Jan 2016 14:27:06 +0530
Subject Thank you for purchasing from Cheaper Travel Insurance - 14068156
Your policy number: MF/CP/205121/14068156Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Date: 18/01/2016
Amount: £849.29
Quote number: 21272810
Policy number: MF/CP/205121/14068156
Insurance is arranged by Insure & Go Insurance Services Ltd who are authorised and regulated by the Financial Conduct Authority. Insure & Go Insurance Services Ltd Registered Address: 10th Floor Maitland House, Warrior Square, Southend-on-Sea, Essex SS1 2JY. Registered in England and Wales (Company Number: 04056769). Calls may be recorded and monitored.
From Alison Smith [ASmith@jtcp.co.uk]Attached is a file S-STA-SBP CRE (0036).xls which is actually corrupt, due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since Friday the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one, also spoofing the same company.
Date Mon, 18 Jan 2016 18:27:36 +0530
Subject Statements
Sent 12 JAN 16 15:36
J Thomson Colour Printers
14 Carnoustie Place
Glasgow
G5 8PB
Telephone 0141 4291094
Fax 0141 4295638
From =?iso-8859-1?B?IlRvbSBUaG9tc29uIFdhdGVyIENvb2xlciBXb3JsZCI=?= [tom.thomson@watercoolerworld.com]Attached is a file INVOICE_F-160003834.doc which will appear to be corrupt because the MIME attachment is malformed (it will either appear to be zero length or it will be garbage). This is the second corrupt spam run today, it was meant to be delivering the Dridex banking trojan. A fuller analysis of the attempted payload can be found here.
Date Mon, 18 Jan 2016 18:35:14 +0700
Subject Water Cooler World Invoice
From "A . Baird" [ABaird@jtcp.co.uk]Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1] [2] [3]. The payload is meant to be the Dridex banking trojan.
Date Mon, 18 Jan 2016 16:17:20 +0530
Subject Invoice January
Hi,
We have been paid for much later invoices but still have the attached invoice as
outstanding.
Can you please confirm it is on your system and not under query.
Regards
Alastair Baird
Financial Controller
[cid:image001.png@01CEE6A0.2D48E1B0]
Registered in Scotland 29216
14 Carnoustie Place
Glasgow G5 8PB
Direct Dial: 0141 418 5303
Tel: 0141 429 1094
www.jtcp.co.uk
P Save Paper - Do you really need to print this e-mail?
From Kelly Pollard [kelly.pollard@carecorner.co.uk]The attachment is named Statement 012016.doc but due to an error in the email it is corrupt, and is either zero length or will produce garbage. If it were to work, it would produce a payload similar to that found here and here, namely the Dridex banking trojan. This is the third corrupt Dridex run today. Shame.
Date Fri, 15 Jan 2016 13:56:01 +0200
Subject Statement
Your report is attached in DOC format.
Kelly Pollard
Marketing Manager
Tel: 01204 89 54 10 Fax: 01204 89 54 11
[final care corner logo]
From [reservations@draytonmanorhotel.co.uk]The attachments (in the format uk_conf_email_2012_dmh562810.xls) appear to be corrupt because of an error in the MIME attachment in the email, so they will either be zero length or appear to be garbage. I haven't seen any non-corrupt versions of the attachment at all. This is the second corrupt Dridex spam run today (this is the other one).
Date Fri, 15 Jan 2016 16:21:55 +0530
Subject Reservation Confirmation Number79501
We are pleased to confirm the attached booking at Drayton Manor Hotel.
Should you have any queries, please do not hesitate to contact us. We look
forward to welcoming you to Drayton Manor Hotel.
Kind Regards
Harry Ashbolt
Reservations
From: cm_sharpscan@yahoo.co.ukThe attachment is meant to be in the format username@domain.tld_201601151152_097144.doc but due to an apparent error in the MIME formatting, saving it results in a file in the format _username@domain.tld_201601151152_097144.doc_ 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA.doc_0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA instead
Date: 15 January 2016 at 10:12
Subject: Scanned image from MX-2640N
Reply to: cm_sharpscan@yahoo.co.uk [cm_sharpscan@yahoo.co.uk]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned image in Microsoft Word format.
From: Orders - TSSC [Orders@thesafetysupplycompany.co.uk]So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.
Date: 15 January 2016 at 09:06
Subject: Your order #7738326 From The Safety Supply Company
Dear Customerl
Thank you for your recent purchase.
Please find the details of your order through The Safety Supply Company attached to this email.
Regards,
The Sales Team
From: jpaoscanner@victimdomain.tldThere is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery.
Date: 14 January 2016 at 10:45
Subject: Message from local network scanner
From JOHN RUSSELL [John.Russell@yesss.co.uk]There are at least five different versions of the attachment 033777 [Ref. MARKETHILL CHURCH].doc (VirusTotal results [1] [2] [3] [4] [5]). Analysis of these documents is pending, however it is likely to be the Dridex banking trojan.
Date Wed, 13 Jan 2016 20:11:43 +0600
Subject Order 0046/033777 [Ref. MARKETHILL CHURCH]
John Russell
Branch Manager
Yesss Electrical
44 Hilsborough Old Road
Lisburn
BT27 5EW
T: 02892 606 758
M: 07854362314
F: 02892 606 759
E: John.Russell@yesss.co.uk
[EW Award winner 2015]
[Electrical Times Award winner 2014]
[EW Award winner 2014]
[YESSS gains all three BSI industry standards]
[Order a YESSS Book NOW!]
[Our YESSS motto]
[Visit the YESSS website] [Visit the YESSS Facebook
page] [Visit the YESSS Twitter page]
[Visit the YESSS Youtube page]
[Visit the YESSS Linkedin page]
[Visit the YESSS Pinterest page]
From: Clare ClementsSo far I have seen just one sample of this spam, and it was malformed so it was not possible to open the attachment without decoding it first. When done, this gave a file FILENAME.DOC with a detection rate of 3/54. The Malwr report for the document is inconclusive, but it most likely attempts to load the Dridex banking trojan.
Date: 13 January 2016 at 15:05
Subject: EDI Remittance Alert (BACS-E18020)
Hi!
Please find attached EDI BACS Remittance NO. E18020
Regards,
Clare Clements
From: Martine Hill [mhill@riverford.co.uk]Attached is a file ROV_Report.doc which I have seen just a single variant of, this a VirusTotal detection rate of 2/55. The Malwr report indicates that the payload is identical to the one found in this spam run.
Date: 13 January 2016 at 09:17
Subject: INV 30/12/15
Kind regards
Martine Hill
Finance Assistant
Bank details
Sort code 30 98 69
Account no 00849096
Riverford Organic Farms
01803 227323
image001
Riverford Organic Farms Ltd, Wash Barn, Buckfastleigh, TQ11 0JU
Registered in England No. 3731570
From: Color @ MRH Solicitors [color58@yahoo.co.uk]The attached file is named ScannedDocs122151.xls which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The Malwr reports for these documents [6] [7] [8] [9] [10] show the malicious macro contained within downloading a malware executable from:
Date: 13 January 2016 at 07:53
Subject: Scanned Document
Find the attachment for the scanned Document
From: Corinne Young [corinne.young@charbonnel.co.uk]
Date: 12 January 2016 at 10:42
Subject: Sales Invoice SIN040281. From Charbonnel et Walker Limited
Kind Regards
Corinne Young
Assistant Accountant
Charbonnel et Walker Ltd, Medway Road, Tunbridge Wells, TN1 2FD
Tel: +44 (0)1892 559019 Fax: +44 (0)1892 559015
From: SANTAN [sfernandes@simplesimon.co.uk]Both the "From" and "To" fields are fake. Attached is a document fax00065189.doc that I have seen two versions of (VirusTotal results [1] [2]). The Malwr reports for those two files [3] [4] show that this is trying to deliver the Dridex banking trojan, as described here.
To: POLLY [olga@bayley-sage.co.uk]
Date: 12 January 2016 at 10:55
Subject: Copy of our CREDIT NOTE number 00000962064
This message contains 1 pages in Microsoft Word format.
From: Bhavani Gullolla [bhavani.gullolla1@wipro.com]The attachment is randomly-named in the format 9705977867.doc which I have seen in two different versions with detection rates of 5/54 [1] [2], and according to the Malwr reports [3] [4] they both download a malicious binary from:
Date: 12 January 2016 at 09:51
Subject: Payment Advice - 0002014343
Dear Sir/Madam,
This is to inform you that we have initiated the electronic payment through our Bank.
Please find attached payment advice which includes invoice reference and TDS deductions if any.
Transaction Reference :
Vendor Code :9189171523
Company Code :WT01
Payer/Remitters Reference No :63104335
Beneficiary Details :43668548/090666
Paymet Method : Electronic Fund Transfer
Payment Amount :1032.00
Currency :GBP
Processing Date :11/01/2016
For any clarifications on the payment advice please mail us at wipro.vendorhelpdesk@wipro.com OR
call Toll Free in India 1800-200-3199 between 9:00 am to 5:00 pm IST (Mon-Fri) OR contact person indicated in the purchase order.
Regards,
VHD Signature
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
