Date: Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious exectuable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51.
From: "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson
According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca.com.au/directions/2503UKp.tis
[donotclick]www.sandsca.com.au/directions/2503UKp.tis
Subsequent communications are made with aulbbiwslxpvvphxnjij.biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq.biz on another Linode IP of 178.79.178.243. An attempt it also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf.org which does not resolve.
One odd thing in the Anubis report is this dialog box entititled "seconddial" and containing the word "diminutiveness".
I don't know what that is.. it reminds me of Hatefulness/Hatefulness though :)
Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca.com
aulbbiwslxpvvphxnjij.biz
qkdapcqinizsczxrwaelaimznfbqq.biz
hzdmjjneyeuxkpzkrunrgyqgcukf.org