
Monday, 17 November 2014

Interfax "Failed Fax Transmission" spam comes with malicious .DOCM file

This fake fax spam comes with a malicious attachment

From:     Interfax [uk@interfax.net]
Date:     13 November 2014 20:29
Subject:     Failed Fax Transmission to 01616133969@fax.tc<00441616133969>

Transmission Results
Destination Fax:  00441616133969
Contact Name:  01616133969@fax.tc
Start Time:  2014/11/13 20:05:27
End Time:  2014/11/13 20:29:00
Transmission Result:  3220 - Communication error
Pages sent:  0
Subject:  140186561.XLS
CSID:
Duration (In Seconds):  103
Message ID:  485646629

Thank you for using Interfax
E-mail: uk@interfax.net
Home page: http://www.interfax.net


Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysing this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe

This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:

http://84.40.9.34/lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E

It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53

If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter, as I can see no valid reason for these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.
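
As an added example (not part of the original post), here is a Python 3 attachment-triage script of the kind a mail gateway could apply to the lures described on this page. It uses only the standard library. It flags macro-enabled Office extensions such as .DOCM, looks inside OOXML containers for a vbaProject.bin part (so a .docm renamed to .docx is still caught), flags directly executable attachments, and opens ZIP attachments to find executables or macro documents wrapped inside them, the way the ZIP-wrapped .exe lures further down this page work. The extension lists are my own choice rather than a definitive list, and the sample message is constructed inline with placeholder bytes, not real malware.

```python
"""Attachment triage for the malicious-attachment lures described above.

Added example, standard library only. The extension lists are this example's
own assumptions (tune per site); the sample message is constructed inline
with placeholder bytes, not real malware.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should almost never arrive by email (assumption: tune per site).
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                  ".js", ".jse", ".vbs", ".jar"}
# Macro-enabled Office containers; the post recommends blocking .DOCM outright.
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
ARCHIVE_EXT = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _zip_names(data: bytes) -> list:
    """Member names of a ZIP-based blob (OOXML is ZIP too); [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML keeps its VBA in word/, xl/ or ppt/vbaProject.bin.
    Inspecting the container rather than the filename catches renamed files."""
    return any(n.lower().endswith("vbaproject.bin") for n in _zip_names(data))


def triage_attachment(name: str, data: bytes) -> list:
    """Return the reasons an attachment is suspicious; [] means none found."""
    reasons = []
    ext = _ext(name)
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable attachment {name}")
    if ext in MACRO_EXT:
        reasons.append(f"macro-enabled Office extension {name}")
    if ooxml_has_vba(data):
        reasons.append(f"OOXML with VBA project: {name}")
    elif ext in ARCHIVE_EXT or data.startswith(b"PK"):
        # Plain archive: look one level in for wrapped executables or macro
        # documents (e.g. invoice1211_pdf28.zip wrapping invoice1211_pdf.exe).
        for member in _zip_names(data):
            if _ext(member) in EXECUTABLE_EXT or _ext(member) in MACRO_EXT:
                reasons.append(f"archive {name} contains {member}")
    return reasons


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and triage every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(triage_attachment(part.get_filename() or "",
                                          part.get_payload(decode=True) or b""))
    return findings


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: content} (used for samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure: a ZIP wrapping a fake 'PDF' .exe, a .docx that secretly
    carries a VBA project, and a harmless text file. All bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Past Due Invoice"
    msg.set_content("Your invoice is attached.")
    msg.add_attachment(_zip_bytes({"invoice1211_pdf.exe": b"MZ placeholder"}),
                       maintype="application", subtype="zip",
                       filename="invoice1211_pdf28.zip")
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": b"<Types/>",
                                   "word/document.xml": b"<w:document/>",
                                   "word/vbaProject.bin": b"placeholder"}),
                       maintype="application", subtype="octet-stream",
                       filename="report.docx")
    msg.add_attachment("nothing to see here", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print("BLOCK:", finding)
```

Run it and the two findings are the wrapped .exe inside the ZIP and the VBA project hiding inside the innocuous-looking .docx; notes.txt passes. A gateway would normally combine this with the Content-Type check (application/vnd.ms-word.document.macroEnabled.12) and with nested-archive limits, since the script only looks one level into a ZIP.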

Friday, 14 November 2014

Dear spammers.. alotbqobutarkwqechsdovmzfwa to you too.

Dear spammers,

Sending links out like this to drive people to your fake meds site does not work.

From: Tudu [tudu@tin.it]
Sent: 15 November 2014 03:42
To: bernie@nternet.net
Subject:

https://www.google.com/#&q=alotbqobutarkwqechsdovmzfwa&btnI=qysawyt

Even if you stuff your page with what you think are unique keywords such as:



njhzxtfnpvcqgoyuayuhvtsi
dcyfwfcuiahjrifjmpxwlshj
crulbvxcm
ejerwja
uxsiyulmkggsnwjdsujrq
srpxkpnrzupqgfwzlkqonlhhrsk
fcgfsrlomywpykhasppybuen
svsoyteg
yuezkbmsqyhpsicqslrwhvcru
scveevyvstumdryosftulvn
ocwpikfchbarwqinqdrorqiufsqp
alotbqobutarkwqechsdovmzfwa
esbmoulaj
xfshvrgaeckuzhosymxzccjplpcwg
ywifvjeikl
qfwtytmfeeqzf
aaosxoqtdcduwycjhyannf
ybyqgfztbadtwbrvwhypbdjs
xiitpggczmb
nsjgtbsklpwpldu
zvgpumys
pthnpdo
xaorfzpfgviomnbrcbasmfoormsr
gxascwhwfbjdmpcgdey
ykqlnxzt
tdcgedlfvlleuyqn
mgoozaxm
mlrbtiyhpqdwthpdiqgvwkq
uhcjljmguohkmywgylmin
coxmfzumeftmqfczjvnols
sitlhrcwzueprwfyxv
ntxaawsgvdinzyhiylfdgd
nvhwjvqwcxkovoitkxfkjbttfvr
yimclbkcepmqhiec
ebhnypr
oezgaikkapwzthzkfbrtrowmu
xyejkdaxhc
iixpkiijdgrkvqrkngpmxrfwohwvr
amgfgmedyl
cqqbjakpkepaje
hmibwgcdexsm
rjmiavdxujexjktnmtp
kvqthzutebojwnzpzvzhzbrfcb
saeelzoemfcahrlzyllnugbwze
jvnfagrti
lvdycqtozmiwphqmpa
pufhpiotdvdimlsp
cimbmhkagoxnbaxngvxyfcrtlcnxc
qbnuhspjgqawxrf
jbhbhyqkurdqgktvvs
frcmtegacgvxqshruzeakhxfzxq
dtctnrkgwwvdg
ajtnchnawtnrtnlvkxho
yjyhzpenvqmgibef
masyqrwqslofd
khcldmiexfrrruq
fvqadsbhetodzgqvywuxtowhwa
ungrhogqrabqwzrajtjpomvcirxkfp
nncneijcvcwwnyxxgowjvvm
olwdtxqggnsudjtzhyt
mhxmtdnkzseiiizpzmwjnpwtppp
sihsozhgbpybvanyfrfttlk
tkbjkzpdpyvylkon
mmgaklau
jtenvfqsybmghjcabaeetj
fmjcfqmjzstssznbgdpqwaoc
lhedbliildq
qivwguigzmcwkdpezdds
wllbbhjyrditsxzlunskabhqiedg
niazkntdfyoncfgyzq
ndwbqjjtbaoqgegxo
ahjznanwpcmcpvrnsbmtxrssavfv
gmgxhwptdawtd
abwwkrykctoaywhhwrjofirpjfss
oaxhwkodgnvmtmd
dkligclavpa
nsrquhibivbijwvgutozsh
zhwsicrhehejyxggffcsebodxtpgtf
ckrsugdugtefqlebtixupguhdcnmlx
hitsfbk
dilvysgqresg
uqeguta
xuivhwgnruxgnnyrilaxwkqnfv
xuafdrsacr
rkwxzzrmerkcyllbw
qtvzkfzcfzukksxfnrmp
xhkldsr
clavwtpoujkmtbvmrhvqn
oqszjgojzeqfijbpgvnhuqfck
cuszgksdz
czgukflpmspirlhvejmwwojwzgfhh
zafgbpytcoehgeyfhwktqcwhpk
zboupfxmctek
upmihrmqu
odtiuxpysrcozahkrvcr
rkqfakqcwjwrks
ycxkfqyydheisfwydapfrkraur
wzunqlutibfsrrgxmnlqtevs
vlsealvrrvboe
asglyylkuscbammxtkdxornguidnd
ytkcijrfpvj
qaqjzhlprprjivzyrhpvhmenkzj
ojgtgpajla
lbccjwlyrwxd
rolpcaytfijigoogljgzow
zvclpenmm
owitfuirvwlzz
mitjvykqxhkkxirgzegyiddtj
oabwjyjkrcbqxzzp
auzidohkvsthbpduiakqn
rvthoowlmrpkyvpijbidoamdaonie
rybberhm
rybuxcxehxiardpehok
xwisbggcwxopkjyhpjq
dhnebpfvpmpktdm
nuowacsgolfcqvoohuasktwnyw
ovxzcmcf
ueqakehjhnpdajljlxn
lehmezqstjowkzzykxgnvqzli
kkiwyqlemxuksrbodhnyglijwcoml
yduzveynpyktsewzrpqblaw
flnxsjbelopudwaiuxod
lbpwduzwwcoipfxqsgccnxjaoukgua
rktlnsorbpfjgjqhq
xnyezxt
nqkqmewjrjiqckuaf
vvbmbwfovoff
iogxxkdqq
ftcndjjdx
glbhxwhj
fxjocyuhsedsntabgoo
uokhkuqvwrxrpijbdxfw
 
..it isn't going to stop awkward bastards like me from hijacking your search results.

[FYI.. I did not send out the spam you clicked. Somebody sent out a spam advertising a fake meds site healthshdweb.com - I am merely hijacking their attempts to direct people to the site through superior search engine optimisation]

Thursday, 13 November 2014

"Test mesage" / "hi there" spam

Here's an unusual spam run coming through right now.. it doesn't seem to have a payload at all..

From:     Bryon Jimenez [Eunice.f2a@simaya.net.id]
Date:     13 November 2014 12:09
Subject:     Test mesage 612985B

hi there

Where the valley narrows into the cleft of the mountains, a lake lies surrounded by lush grasses. Putting another image may not reflect the article's subject logo.
Genesee and Flushing Townships where split off on March 6, 1838. French missionary and philosopher.
We did a lot of shows to 20 people in a bar who were more interested in cheap drinks than they were the band. Camps and social works.
Commented out because it's imprecise and contains false information. It is given to those who do not actively seek it. After the transfer period ended, Guerreiro apologised to Bajevic and was given another chance and is now a member of the squad.

================

From:     Ruben Randall [Josef.e9@business.telecomitalia.it]
Date:     13 November 2014 11:06
Subject:     Test mesage 3144664L

hi there

Player 1 then presses any one of the top red phrase buttons and listens to the beginning half of a phrase. Peter Murray on Debrett's website.
Asopus had twenty daughters but he provides no list. It supports a 240 MW power station.
Profilo di architettura italiana del Novecento, Marsilio, Venezia, 1999, pp. Then the teacher posts the assignment.
American born electronic music producer and DJ now residing in Berlin, Germany. The role of Cio Cio San like most other characters she has portrayed is quickly becoming a signature for her. Williamson, Garner and Musgrove Company, and the Cagli and Paoli Opera Company.

================

From:     Selma Carter [Lloyd.525@raisetherock.com]
Date:     13 November 2014 12:11
Subject:     Test mesage 0254082S

hi there

It was Federer's 3rd title of the year and the 3rd of his career. EL to see if your link meets the Wikipedia style guide.
Squadron Leader Pentland in New Guinea, c. Users can stream music directly from ZumoDrive to iPhone, iPod Touch, Android and WebOS devices.
The work received little critical attention. Saura also attempts to strengthen autobiographical themes found in the original story.
Methodists, in the area. Today it is not uncommon to find early Corgi models with such additions still intact. Edmund Sebastian Joseph van der Straeten.

In all cases "Test mesage" is spelled incorrectly and the body starts with "hi there" followed by random filler text. Because there is no malicious payload (such as an attachment or link) and the message lacks the sort of trigger words that might get it blocked, there is a high probability that at least some of these will get through your spam filter.

Vodafone D2 "Ihre Festnetz-Rechnung für November 2014" spam

This fake Vodafone spam seems to be widely distributed, even though it is obviously targeted at German speakers.

From:     Vodafone D2 [2942-MU31406aBM0@kundenservice.vodafone.de] [pm2053em1]
Date:     13 November 2014 09:13
Subject:     Ihre Festnetz-Rechnung für November 2014


Ihre Kundennummer: 883286157

Sehr geehrte Damen und Herren,

anbei erhalten Sie Ihre Rechnung vom 13.11.2014.

13.11.2014_09:11:07_Rechnung_Kundennr_861570000883286157.pdf

Der Rechnungsbetrag in Höhe von 357,26 EUR wird am 23.11.2014 von Ihrem Konto abgebucht.

Ihre Rechnung ist im PDF-Format erstellt worden. Um sich Ihre Rechnung anschauen zu können, klicken Sie auf den Anhang und es öffnet sich automatisch der Acrobat Reader.


Freundliche Grüße
Ihr Vodafone Team

In this case, the link in the email goes to studiarte.com/gFlEyLcSo where it downloads a file 2014_11vodafone_onlinerechnung.zip which contains a malicious binary 2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

This file has a very low detection rate at VirusTotal of 1/53. Most automated analysis tools [1] [2] [3] don't say much, however the ThreatTrack report [pdf] is more detailed and apparently shows the malware phoning home to:

46.183.219.78 (DataClub, Latvia)
178.210.167.213 (Markum Bilisim Teknolojileri, Turkey)

Additionally, the following IPs and active domains are queried:

64.27.101.155 (Ken Thomas, US)
109.74.3.6 (GleSYS Internet Services, Sweden)
144.76.59.84 (Hetzner, Germany)
177.73.233.170 (WDI Solucoes Ltda, Brazil)
212.19.62.76 (ANW GmbH, Germany)

5.199.167.197 (Balticservers, Lithuania)
86.124.164.25 (RCS & RDS Business, Romania)
66.172.27.44 (Cyberverse, US)
141.255.165.152 (Privatelayer, Switzerland)
141.255.165.155 (Privatelayer, Switzerland)
173.193.106.11 (Softlayer, US)

qgajlouuhqbikgbd.eu
qrbroaiyynlqluld.eu
tadhvhvdhgtaxnpd.eu
bcqikqgkbiwccmpj.eu
ciomywfqliwtvjft.eu
vgekmcvfuiwrepmm.eu
xqnaiuvgctjdtnmj.eu
eaelgqsjqukhenaq.eu
tejohjlxraqmamnx.eu

Some of these DGA domains have been sinkholed. I have removed the obvious ones, but note that some of these IP addresses may not actually be malicious. However, if you are a network administrator there is no harm in blocking or monitoring traffic to sinkholes from your network, so I would recommend the following blocklist:

46.183.219.78
178.210.167.213

109.74.3.6

177.73.233.170

5.199.167.197
86.124.164.25
66.172.27.44
141.255.165.152
141.255.165.155
173.193.106.11

UPDATE 2014-11-20
I previously recommended blocking the following IPs, which it turns out are legitimate and were possibly added by the malware authors to create false positives. If you have blocked them then I recommend unblocking them.

64.27.101.155
144.76.59.84
212.19.62.76
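
As an added example (not part of the original post), the following Python 3 script scores the .eu names listed above with three cheap lexical features that DGA-generated labels tend to share: a long second-level label, high character entropy, and long runs of consonants. The nine .eu domains are taken from the post; the comparison set of legitimate names and the thresholds are my own assumptions, and this is a triage heuristic for log review, not a substitute for the blocklist above.

```python
"""Lexical DGA heuristic, run over the .eu domains from the post above.

Added example. Thresholds and the 'legitimate' comparison set are this
example's own assumptions; treat hits as leads for investigation, not as
an automatic block decision.
"""
import math
from collections import Counter

# The nine domains queried by the Vodafone-themed sample (from the post above).
DGA_DOMAINS = [
    "qgajlouuhqbikgbd.eu", "qrbroaiyynlqluld.eu", "tadhvhvdhgtaxnpd.eu",
    "bcqikqgkbiwccmpj.eu", "ciomywfqliwtvjft.eu", "vgekmcvfuiwrepmm.eu",
    "xqnaiuvgctjdtnmj.eu", "eaelgqsjqukhenaq.eu", "tejohjlxraqmamnx.eu",
]
# Names that appear elsewhere on this page and are assumed legitimate here.
LEGIT_DOMAINS = ["amazon.co.uk", "vodafone.de", "interfax.net",
                 "google.com", "microsoft.com", "nazarethcare.com"]

VOWELS = set("aeiou")


def first_label(domain: str) -> str:
    """Left-most DNS label, lower-cased (the part a DGA actually generates)."""
    return domain.lower().strip(".").split(".")[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; 16 near-uniform letters score well above 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Longest run of consonant letters ('y' counted as a consonant);
    digits and hyphens break the run."""
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(domain: str, min_len: int = 12, min_entropy: float = 3.0,
              min_run: int = 4) -> int:
    """Count how many of the three DGA-like features the label exhibits (0-3)."""
    label = first_label(domain)
    score = 0
    if len(label) >= min_len:
        score += 1
    if shannon_entropy(label) >= min_entropy:
        score += 1
    if longest_consonant_run(label) >= min_run:
        score += 1
    return score


def is_dga_like(domain: str, threshold: int = 2) -> bool:
    """A single feature is common in legitimate names; require two or more."""
    return dga_score(domain) >= threshold


if __name__ == "__main__":
    for d in DGA_DOMAINS + LEGIT_DOMAINS:
        label = first_label(d)
        print(f"{d:22} len={len(label):2} H={shannon_entropy(label):.2f} "
              f"run={longest_consonant_run(label):2} score={dga_score(d)} "
              f"dga_like={is_dga_like(d)}")
```

Every one of the nine page domains scores 3 of 3, while the legitimate names score at most 1 (interfax has exactly 3.0 bits of entropy, nazarethcare is 12 characters long; neither has a second feature). Expect false positives on CDN and cloud hostnames, which are also random-looking, so use the output to prioritise DNS log review rather than to feed a blocklist directly.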

Wednesday, 12 November 2014

"ADP Past Due Invoice#39911564" spam

I haven't seen ADP-themed spam for a very long time, mostly because it gets filtered into a deep dark hole that even I can't see into.

From: billing.address.updates@ADP.com [mailto:billing.address.updates@ADP.com]
Sent: 12 November 2014 16:28
Subject: ADP Past Due Invoice#39911564

 Your ADP past due invoice is ready for your review at ADP Online Invoice Management .

 If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

 Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.

 Important: Please do not respond to this message. It comes from an unattended mailbox.

Most of the ones that I have seen are malformed: instead of a link they just say <html>, which is one reason that they are getting through the spam filter. I have seen one live one, leading to [donotclick]www.bingemann-buerosysteme.de/services/invoice1211.php

This downloads a ZIP file invoice1211_pdf28.zip which in turn contains a malicious executable invoice1211_pdf.exe which has a VirusTotal detection rate of 6/54.

It then contacts the following URLs according to the Malwr report:
http://188.165.206.208:30083/1211uk1/HOME/0/51-SP3/0/
http://188.165.206.208:30083/1211uk1/HOME/1/0/0/
http://shahlart.com/miniuk1.pmg
http://mboaqpweuhs.com/mhninqiiifrd3ku
http://mboaqpweuhs.com/nt09kq47fv6k0

Recommended blocklist:
188.165.206.208
shahlart.com
mboaqpweuhs.com

Exchange House Fraud (Police Headquaters) / omaniex@investigtion.com spam

I got a lot of these yesterday that I've only just noticed..

From:     omaniex@investigtion.com
Subject:     Exchange House Fraud (Police Headquaters)


please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.

Note: come along with your report as it will be needed

regards,
Police headquarters.
Investigtion dept. 

Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:

7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar

This is some sort of malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably don't need it). It has a VirusTotal detection rate of 7/55 and the Malwr report has some screenshots of something odd happening, but not much more data.

Tuesday, 11 November 2014

"Duplicate Payment Received" spam has a malicious Word DOC attached

This email comes with a malicious Word document attached:

From:     Margery George
Date:     11 November 2014 11:50
Subject:     INV634746Q Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £689.75 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks 

The reference number in the subject is randomly generated and is reflected in the filename (in this case De_634746Q.doc). There are two different variants that I have seen, both with low detection rates at VirusTotal [1] [2]. These contain two slightly different malicious macros [1] [2] [pastebin] which download a file test.exe from one of the following locations:

http://62.76.180.133/get/get.php
http://62.76.189.108/get/get.php


Note that the IPs are very close, and both belong to Clodo-Cloud / IT House Ltd in Russia. The file is then copied to %TEMP%\NYHEFLJDPZR.exe which has a VirusTotal detection rate of just 1/53.

According to the Malwr report this malicious binary then connects to the following URLs:

http://178.254.57.146/6e@YL/Pjys_~ik/XTuG_XcFEWZpmmB%2C
http://213.140.115.29/G7uwLNQS7fpyGnLHM6qt.HlqA%7Ekp/$O%20FlsN%2C9%3FnC52/wmk.ka.JM%3D%7EpuQ8.I5.4S5
http://213.140.115.29/tUoRAgJ%3DK9V/iwrsseF9oo+z%2DO%2BpbMS/ZY%2BuPUzJI6
http://213.140.115.29/uf432orqHmh&ihs/%24p2z7El%3Fe6ea%2D%2Cxg8_zbu2$zF7t%26j$73sS%2B/%2B%3F3w%2Dh%3D


It also drops a malicious DLL which has only generic VirusTotal detection, but is probably Cridex or Dridex.

Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108


nazarethcare.com / Accounts Finchley "Bank Payments" has a malicious attachment

This fake invoice spam pretending to be from a care home in the UK comes with a malicious attachment.

From:     Accounts Finchley [accounts.finchley@nazarethcare.com]
Date:     11 November 2014 10:34
Subject:     Bank Payments

Good Afternoon,

Paying in sheet attached

Regards

Sandra Whitmore
Care Home Administrator
Nazareth House
162 East End Road
East Finchley
London
N2 ORU
Tel:02088831104
Fax:02084443691
Nazareth Care Charitable Trust- Registered Office – Larmenier Centre, 162 East End Road, London N2 ORU
Registered Charity – England & Wales – 1113666, Scotland – SCO42374
Registered Company registered in England & Wales – Company Number 05518564

The contents of this message are for the attention and use of the named addressee(s) only.  It, and any files transmitted with it, may be legally privileged or prohibited from disclosure or unauthorised use.  If you are not an intended recipient or addressee, any form of reproduction, dissemination, copying, disclosure, modification, distribution or publication is prohibited and may be unlawful and the sender will accept no liability for any action taken or omitted to be taken in reliance upon this message or its attachments.
Whilst all efforts are made to safeguard inbound and outbound e-mails, no guarantee can be given that attachments are virus-free or compatible with your systems, and we do not accept any liability in respect of viruses or computer problems experienced.
Any views expressed in this message are those of the individual sender, and do not necessarily represent those of the Sisters of Nazareth.

The domain nazarethcare.com forwards to the Sisters of Nazareth. None of these organisations is actually sending the spam, and their systems have not been compromised in any way. The "from" field in an email is trivially easy to fake, although it looks like the body text may have been stolen from a compromised mailbox.

Attached is a file 2014_11_07_14_09_19.doc which comes in two versions, both with low VirusTotal detection rates [1] [2]. If macros are enabled then one of two macros [1] [2] [pastebin] runs, which downloads a file from one of the following locations:

http://www.grafichepilia.it/js/bin.exe
http://dhanophan.co.th/js/bin.exe


This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53. The Malwr report shows it phoning home to:

http://84.40.9.34/kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/

It also drops a DLL identified by VirusTotal as Dridex.

Monday, 10 November 2014

"Kate Williams" / "invoice 8798556 November" spam has a malicious DOC attachment

This fake invoice spam comes with a malicious Word document attached:

From:     Kate Williams
Date:     10 November 2014 09:40
Subject:     invoice 8798556 November

Please find attached your November invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8798556 Account No 5608798556.
Thanks very much

The number of the invoice is random and is consistent between the subject and attachment (in this case invoice_8798556.doc). There are two different attachments, both poorly-detected at VirusTotal [1] [2] each containing a malicious macro [1] [2].

I haven't been able to analyse it myself yet, but according to this comment it downloads a binary from adeline.de/js/bin.exe which has a low VirusTotal detection rate and for which the comments from user borromini say:

#malware #dridex

Downloaded by malicious word doc with macro (f9d6161e1b26cf6faab4ac0eecde3a7d).

POST requests to

84.40.9.34:8080

87.106.84.226

Also tried 37.139.23.200:8080 and 213.143.97.18:8080

UPDATE
The macros I mentioned download from the following locations:

http://adeline.de/js/bin.exe
http://antjegoerner.de/dokumente/bin.exe


The executable is then copied to %TEMP%\CQRZKMIESEX.exe and the ThreatTrack report [pdf] shows the malware connecting to 84.40.9.34 (Hostway, Belgium) where it POSTs to /hCsYvpW%26lZaTGPBgK$W%264P49%24%2BNU&Y/H%26%20@Kg5SvSh8+unz%7Eg6f%24G on that server.

Friday, 7 November 2014

"Sue Morckage" / "This email contains an invoice file attachment" spam

This fake invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.

From:     Sue Morckage
Date:     7 November 2014 13:10
Subject:     inovice 9232088 November

This email contains an invoice file attachment

The number in the subject is random, and attached is a document with the same format of name (in this example invoice_9232088.doc). So far I have seen two attachments, both with VT detection rates of 4/54 [1] [2] [Malwr report], each containing one of two malicious macros [1] [2] which then go and download a binary from one of the following locations:

http://ksiadzrobak.cba.pl/bin.exe
http://heartgate.de/bin.exe

This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54. So far automated analysis tools [1] [2] [3] are inconclusive as to what this does, however the payload is likely to be Cridex.


No, I do not want to go to your spammy disco

I've seen some odd spam in the past. I've never been spammed by an Essex disco operator before:

From:     ronnie-s-dj Professional Entertainment [info@ronnie-s-dj.co.uk]
Date:     7 November 2014 06:24
Subject:     Christmas New Year 2014! Disco & Karaoke Party Time

The spamvertised domains are karaoke-dj.co.uk and ronnie-s-dj.co.uk and the same owner also operates ronwindsor.co.uk. I'll spare him the embarrassment of listing his address.

I assume that Ron bought a cheap mailing list in good faith without realising that it was worthless, and then proceeded to spam out from his BT IP of 109.154.39.151 via Outlook.com with abandon. Unfortunately, this sort of thing gets both your web hosting suspended and internet access revoked.

Hopefully Ron has a better idea of how to run a disco than how he promotes his business. But I don't fancy a trip down to Essex to find out.

europejobdays.com and other fake job sites to avoid 7/11/14

This tip from @peterkruse about a spam run pushing fake jobs using the domain europejobdays.com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain.

These fake job sites tend not to go alone, and a look at the other domains using the same nameservers comes up with a whole list of related fake sites that you should also avoid:

europejobdays.com
bamfde.com
myjobuk.com
usajobid.com
jobsiniteu.com
mycareerau.com
trabajoses.com
infopracapl.com
itjobrapido.com
jobstreetmy.com
jobstreetus.com
myjobromania.com
trabajospain.com
profesiaczech.com
careersprocanada.com
subitoit.net
stemcellcounseling.net

You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below.

Tuesday, 4 November 2014

DUCO "Remittance Advice November" spam

This fake remittance advice spam pretends to come from a company called DUCO (it does not) and comes with a malicious Word document.

From:     Therese Holden
Date:     4 November 2014 13:59
Subject:     Remittance Advice November FO1864232P

Dear Sir/Madam

Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP

Regards,
Therese Holden
Accounts Payable Department DUCO

The attachment is a Word document with a randomly-generated filename that matches the subject of the email. It contains a malicious macro [pastebin] with a VirusTotal detection rate of 0/52 (you can see the Malwr report here; it doesn't say much). In this case the macro downloads a file from http://144.76.153.36:8080/doc/9.exe and saves it as %TEMP%\DCITXEKBIRG.exe, which is also poorly detected, with a detection rate of just 3/52.

The Malwr report shows that the malware reaches out to the following URLs:

http://91.222.139.45/%26RNB2/hs3SILqWzl1%24x%20/rI9sI
http://213.140.115.29/9m0/xvgsH.jTg@/NsY/75/0b50
http://213.140.115.29/1u1mS$%3D=cVE%3DUPI%7EVe94/L&%3D%20yqWbqmNh$oP/
http://213.140.115.29/ktp6rp3vnx/x%7Egxlkki%20%2D56g%7E%20=&%3Fg%3Fx4j/r+~f6j%7Efwin%2Bcywc/%24yxvmo


It also drops a DLL on the system identified by VirusTotal as Cridex.

Recommended blocklist:
91.222.139.45
213.140.115.29
144.76.153.36

Monday, 3 November 2014

TM Group "A new invoice AB1234567C has been created for You" spam

This fake invoice purports to come from a company called TM Group (but it doesn't). It comes with a malicious Word document attached.

From:     Taylor Slater
Date:     3 November 2014 09:32
Subject:     A new invoice FM0509816M has been created for You

Dear Client,

A new invoice, FM0509816M  has been created. Please find it attached.

Kind regards, Taylor Slater
TM Group
Helpdesk Billing

--------------------

From:     Winfred Chapman
Date:     3 November 2014 10:34
Subject:     A new invoice MP4729736L has been created for You

Dear Client,

A new invoice, MP4729736L  has been created. Please find it attached.

Kind regards, Winfred Chapman
TM Group
Helpdesk Billing

--------------------

From:     Lionel Lowery
Date:     3 November 2014 11:05
Subject:     A new invoice LB7236759Y has been created for You

Dear Client,

A new invoice, LB7236759Y  has been created. Please find it attached.

Kind regards, Lionel Lowery
TM Group
Helpdesk Billing
--------------------

From:     Trey Leonard
Date:     3 November 2014 11:05
Subject:     A new invoice LM839596Q has been created for You

Dear Client,

A new invoice, LM839596Q  has been created. Please find it attached.

Kind regards, Trey Leonard
TM Group
Helpdesk Billing
------------------
From:     Helga Wilkinson
Date:     3 November 2014 12:16
Subject:     A new invoice NT9263036Z has been created for You

Dear Client,

A new invoice, NT9263036Z  has been created. Please find it attached.

Kind regards, Helga Wilkinson
TM Group
Helpdesk Billing

------------------

From:     Carol Day
Date:     3 November 2014 11:44
Subject:     A new invoice DQ8914435K has been created for You

Dear Client,

A new invoice, DQ8914435K  has been created. Please find it attached.

Kind regards, Carol Day
TM Group
Helpdesk Billing

------------------

From:     Corey Graham
Date:     3 November 2014 11:42
Subject:     A new invoice TQ022815G has been created for You

Dear Client,

A new invoice, TQ022815G  has been created. Please find it attached.

Kind regards, Corey Graham
TM Group
Helpdesk Billing

------------------

From:     Josefina Deleon
Date:     3 November 2014 11:34
Subject:     A new invoice KZ561472B has been created for You

Dear Client,

A new invoice, KZ561472B  has been created. Please find it attached.

Kind regards, Josefina Deleon
TM Group
Helpdesk Billing

Attached is a Word document with the same filename as the supposed invoice number. So far I have seen three variations:
The macros download a further malicious file from one of the following locations:


http://149.62.168.210:8080/doc/8.exe
http://111.125.170.132:8080/doc/8.exe
http://121.78.88.208:8080/doc/8.exe


This binary has a detection rate of just 2/54. The Malwr report shows this binary reaches out to the following locations:

http://91.222.139.45/4gA6Cw%2CuZ%265%2B7/TvPKRfz@/tpm=MCPSixTbfs6%2B
http://213.140.115.29/gfffgwtmjg6_w+8j+$%26icb%3D_f2=%2Dj66/@c3qrn=b%7E%2C+1tg026.i%24w./x%2Dlq5e%2D
http://213.140.115.29/uziFUA/wE0ArLF~2K%2DuQjXh3ak/7IvEHrPuf
http://213.140.115.29/hIR%3D7nkeM%2CgV/%2C@fN0iWI/+arv9NF%24F


The malware also drops a malicious DLL with a VirusTotal detection rate of 9/54 which is identified as Cridex.

Recommended blocklist:
91.222.139.45
213.140.115.29
149.62.168.210
111.125.170.132
121.78.88.208

Friday, 31 October 2014

"Your Amazon.co.uk order has dispatched" spam has a malicious DOC attachment

This fake Amazon email comes with a malicious Word document attached:

From:     Amazon.co.uk [auto-shipping@amazon.co.uk]
Reply-To:     "auto-shipping@amazon.co.uk" [auto-shipping@amazon.co.uk]
Date:     31 October 2014 09:12
Subject:     Your Amazon.co.uk order has dispatched (#203-2083868-0173124)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #203-2083868-0173124 (received October 30, 2014)


Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  Occasionally though, we know you may want to return items. Read more about our Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label.  Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.co.uk/help

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

-------------------------------------------------
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------

The Word document contains a malicious macro [pastebin] but is currently undetected at VirusTotal (the Malwr report doesn't say much but is here).

The macro then downloads http://ctmail.me/1.exe and executes it. This malicious binary has a detection rate of 4/52, and according to the Malwr report it contacts the following URLs:

http://84.40.9.34/Xl37yRuH5LS6Nqk/~yNk%2C2IO.1Jw9/wm@OF0fR%2BPvics%2CR8H/br~%262O%2Cu3k%3FI~i7%2D
http://213.143.97.18/wPfG2lK%24F/ET0~4%3De$4UsZiwg@/fJ_6E%24
http://213.143.97.18/iXxTuXI@6s1/NzJ%2CbsSmuQsl/n3
http://213.143.97.18/Yug4oQ83$~J%249BH/y93%266@@L3%3DL%26b88UmM/%24%24
http://213.143.97.18/Pizz.%2D%2CksZ@1&T/bYNr%2B9%2CK%2D1i%2BCGqLi%2Bw
http://213.143.97.18/vh/esx5rBQsLNKRJ%7E+$%2C_5KQk%2BeQpaGr/&4b0ERginAuG/zx$.G6K%3F
http://213.143.97.18/sxvxyZOihv%2C=@3v/%2BSb@9E9blzBnL7k0~TGg.OGq51%2BE5/&wru.x/%24


84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54.

Recommended blocklist 1:
213.143.97.18
84.40.9.34
ctmail.me

UPDATE 1 - 2014-11-03

A very similar email is doing the rounds this morning with a different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54 and contains this malicious macro [pastebin]. This downloads a file from http://hilfecenter-harz.de/1.exe which also has zero detections at VirusTotal. According to the Malwr report this binary connects to the following URLs:

http://84.40.9.34/E8Zf43JY1/8/wXw4M%26H~J%7EQ5/./
http://37.139.23.200/NQwFPhXiqAw/i27%24Yz~M%2CS_/x$%2DKWssW9Yh/L3
http://37.139.23.200/jrsw4wgnsT4I2/p%3F%3FZ@BCiUhaO9FYoN~/JAkmQ+Z@1
http://37.139.23.200/unu0q1vzg3~tmww%3Fkp/ayf0u%24&l$%2Cqc%3F3@2+f.=hcf_c+vyqly%2Co.7/l%20nloj%7E%3F
http://37.139.23.200/RqCGVww2Sup3iH5rZ/h=abyF$sO%3DheysYSV/n5%3Fs/

It also downloads a malicious DLL which has a VirusTotal detection rate of 7/54 which identifies this as a version of Cridex.

Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter-harz.de
garfield67.de

UPDATE 2  - 2014-11-03

A second version of the attachment is also being circulated, this time with a slightly different macro [pastebin] which downloads the same binary as before from http://garfield67.de/1.exe. I have updated blocklist 2.

UPDATE 3 - 2014-11-06

The spam has been updated with a new date and there are now three new malicious Word documents [1] [2] [3] [Malwr report], each containing one of two macros [1] [2] that download a malware binary from one of the two following locations:

http://castours.com/js/bin.exe
http://www.irming.hr/js/bin.exe


This file is saved as %TEMP%\LNZMTDCWLZX.exe and has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to:

http://84.40.9.34/NjTrZuSH2&rb/@&RT/aATv%2BqGe%2C

It also drops a DLL which has a VirusTotal detection rate of 8/53 which is identified as Cridex.