Date: Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]Perhaps the spammers were as irritated by the overblown mail footer as I was. Anyway, there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47.
From: "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson
Automated analysis tools [1] [2] show that it attempts to communicate with alibra.co.uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:
[donotclick]synchawards.com/a1.exe
[donotclick]itcbadnera.org/images/dot.exe
a1.exe has a detection rate of 16/47, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23/forum/viewtopic.php
[donotclick]new.data.valinformatique.net/5GmVjT.exe
[donotclick]hargobindtravels.com/38emc.exe
[donotclick]bonway-onza.com/d9c9.exe
[donotclick]friseur-freisinger.at/t5krH.exe
dot.exe has a much lower detection rate of 6/47, ThreatExpert, ThreatTrack [pdf] and Malwr report various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.
a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus.
Recommended blocklist:
59.106.185.23
new.data.valinformatique.net
hargobindtravels.com
bonway-onza.com
friseur-freisinger.at
synchawards.com
itcbadnera.org
alibra.co.uk